Console game

.docker/caddy/Caddyfile

@@ -0,0 +1,54 @@
+{
+    # Global options
+    auto_https off  # We'll handle HTTPS at ingress level in K8s
+    admin off       # Disable admin API for security
+}
+
+:80 {
+    # Root directory
+    root * /var/www/html/public
+
+    # PHP-FPM configuration
+    php_fastcgi php:9000 {
+        split .php
+        index index.php
+        resolve_root_symlink
+    }
+
+    # Serve static files
+    file_server
+
+    # Logging
+    log {
+        output file /var/log/caddy/access.log
+        format json
+    }
+
+    # CORS headers
+    @options {
+        method OPTIONS
+    }
+    handle @options {
+        header Access-Control-Allow-Origin "*"
+        header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, DELETE, PATCH"
+        header Access-Control-Allow-Headers "Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since"
+        header Access-Control-Max-Age "1728000"
+        respond 204
+    }
+
+    # Apply CORS to all responses
+    header Access-Control-Allow-Origin "*"
+
+    # Gzip compression
+    encode gzip
+
+    # Max body size (for file uploads)
+    request_body {
+        max_size 50MB
+    }
+
+    @health path /health
+    handle @health {
+        respond "OK" 200
+    }
+}

.docker/caddy/Caddyfile.not-google

@@ -0,0 +1,68 @@
+{
+    servers {
+        trusted_proxies static 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
+    }
+}
+
+:80 {
+    # 1. Health check (stays separate)
+    handle /health {
+        respond "OK" 200
+    }
+
+    # 2. Wrap everything else in a route
+    route {
+        # Dynamic CORS for multiple origins (flags and capitals apps)
+        @flags_origin header Origin https://flags.izeebot.top
+        @capitals_origin header Origin https://capitals.izeebot.top
+
+        # Set CORS headers based on origin
+        handle @flags_origin {
+            header Access-Control-Allow-Origin "https://flags.izeebot.top"
+            header Access-Control-Allow-Credentials "true"
+            header Access-Control-Expose-Headers "Authorization"
+            header Vary Origin
+        }
+        handle @capitals_origin {
+            header Access-Control-Allow-Origin "https://capitals.izeebot.top"
+            header Access-Control-Allow-Credentials "true"
+            header Access-Control-Expose-Headers "Authorization"
+            header Vary Origin
+        }
+
+        # Handle Preflight separately
+        @options method OPTIONS
+        handle @options {
+            @options_flags header Origin https://flags.izeebot.top
+            @options_capitals header Origin https://capitals.izeebot.top
+            header @options_flags Access-Control-Allow-Origin "https://flags.izeebot.top"
+            header @options_capitals Access-Control-Allow-Origin "https://capitals.izeebot.top"
+            header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, DELETE, PATCH"
+            header Access-Control-Allow-Credentials "true"
+            header Access-Control-Max-Age "1728000"
+            header Access-Control-Allow-Headers "Authorization, Content-Type, Accept, Origin, User-Agent, DNT, Cache-Control, X-Mx-ReqToken, Keep-Alive, X-Requested-With, If-Modified-Since, X-API-KEY"
+            respond 204
+        }
+
+        # 3. Security & Compression
+        encode gzip zstd
+        header {
+            X-Content-Type-Options "nosniff"
+            X-Frame-Options "SAMEORIGIN"
+            Referrer-Policy "strict-origin-when-cross-origin"
+        }
+
+        # 4. Proxy to Symfony
+        reverse_proxy php:59000 {
+            transport fastcgi {
+                root /var/www/html/public
+                env SCRIPT_FILENAME /var/www/html/public/index.php
+            }
+        }
+    }
+
+    log {
+        output stdout
+        format json
+    }
+}

.docker/caddy/Caddyfile.prod

@@ -0,0 +1,62 @@
+{
+    servers {
+                trusted_proxies static 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
+            }
+}
+
+:80 {
+# 1. Health check (stays separate)
+    handle /health {
+                       respond "OK" 200
+                   }
+
+# 2. Wrap everything else in a route
+    route {
+          # Match allowed origins using a Regex with backticks for safety
+              @allowed_origins header_regexp origin Origin `^https://(flags|capitals)\.izeebot\.top$`
+
+          # Handle Preflight (OPTIONS)
+              @options {
+                           method OPTIONS
+                           header_regexp origin Origin `^https://(flags|capitals)\.izeebot\.top$`
+                       }
+              handle @options {
+                                  header Access-Control-Allow-Origin "{header.Origin}"
+                                  header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, DELETE, PATCH"
+                                  header Access-Control-Allow-Credentials "true"
+                                  header Access-Control-Max-Age "1728000"
+                                  header Access-Control-Allow-Headers "Authorization, Content-Type, Accept, Origin, User-Agent, DNT, Cache-Control, X-Mx-ReqToken, Keep-Alive, X-Requested-With, If-Modified-Since, X-API-KEY"
+                                  respond 204
+                              }
+
+          # Apply CORS headers for actual requests (GET, POST, etc.)
+          # {re.origin.0} refers to the first capture of the 'origin' regex above
+              header @allowed_origins {
+                                          Access-Control-Allow-Origin "{re.origin.0}"
+                                          Access-Control-Allow-Credentials "true"
+                                          Access-Control-Expose-Headers "Authorization"
+                                          Vary Origin
+                                      }
+
+          # 3. Security & Compression
+              encode gzip zstd
+              header {
+                         X-Content-Type-Options "nosniff"
+                         X-Frame-Options "SAMEORIGIN"
+                         Referrer-Policy "strict-origin-when-cross-origin"
+                     }
+
+          # 4. Proxy to Symfony
+              reverse_proxy php:59000 {
+                                          transport fastcgi {
+                                                                root /var/www/html/public
+                                                                env SCRIPT_FILENAME /var/www/html/public/index.php
+                                                            }
+                                      }
+          }
+
+    log {
+            output stdout
+            format json
+        }
+}

.docker/caddy/Dockerfile

@@ -0,0 +1,34 @@
+FROM caddy:2.7-alpine
+
+# Install necessary packages
+RUN apk add --no-cache \
+    shadow \
+    && rm -rf /var/cache/apk/*
+
+# Modify existing www-data group/user to match PHP-FPM (UID/GID 1000)
+RUN deluser www-data 2>/dev/null || true && \
+    delgroup www-data 2>/dev/null || true && \
+    addgroup -g 1000 www-data && \
+    adduser -D -u 1000 -G www-data www-data
+
+# Copy Caddyfile
+COPY .docker/caddy/Caddyfile /etc/caddy/Caddyfile
+
+COPY ../../app /var/www/html
+
+# Create log directory
+RUN mkdir -p /var/log/caddy && \
+    chown -R www-data:www-data /var/log/caddy
+
+# Expose ports
+EXPOSE 80 443
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+    CMD wget --no-verbose --tries=1 --spider http://localhost:80 || exit 1
+
+# Caddy runs as root by default, which is fine for binding to port 80/443
+# If you want to run as www-data, you'd need to use ports >1024
+
+# Caddy runs in foreground by default
+CMD ["caddy", "run", "--config", "/etc/caddy/Caddyfile", "--adapter", "caddyfile"]

.docker/caddy/Dockerfile.prod

@@ -0,0 +1,34 @@
+FROM caddy:2.7-alpine
+
+# Install necessary packages
+RUN apk add --no-cache \
+    shadow \
+    && rm -rf /var/cache/apk/*
+
+# Modify existing www-data group/user to match PHP-FPM (UID/GID 1000)
+RUN deluser www-data 2>/dev/null || true && \
+    delgroup www-data 2>/dev/null || true && \
+    addgroup -g 1000 www-data && \
+    adduser -D -u 1000 -G www-data www-data
+
+# Copy Caddyfile
+COPY .docker/caddy/Caddyfile.prod /etc/caddy/Caddyfile
+
+COPY ../../app /var/www/webapp
+
+# Create log directory
+RUN mkdir -p /var/log/caddy && \
+    chown -R www-data:www-data /var/log/caddy
+
+# Expose ports
+EXPOSE 80 443
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+    CMD wget --no-verbose --tries=1 --spider http://localhost:80 || exit 1
+
+# Caddy runs as root by default, which is fine for binding to port 80/443
+# If you want to run as www-data, you'd need to use ports >1024
+
+# Caddy runs in foreground by default
+CMD ["caddy", "run", "--config", "/etc/caddy/Caddyfile", "--adapter", "caddyfile"]

.docker/mysql/Dockerfile

@@ -1,11 +1,5 @@
-FROM mysql:8.0
+FROM mysql:9.5
 
 RUN ln -snf /usr/share/zoneinfo/UTC /etc/localtime && echo UTC > /etc/timezone
 
-RUN chown -R mysql:root /var/lib/mysql/
-
-ADD .docker/mysql/my.cnf /etc/mysql/conf.d/my.cnf
-
-CMD ["mysqld"]
-
 EXPOSE 3306

.docker/nginx/Dockerfile

@@ -6,10 +6,10 @@ RUN apk add --update \
 
 RUN rm -rf /var/cache/apk/* && rm -rf /tmp/*
 
-ADD .docker/nginx/nginx.conf /etc/nginx/
-ADD .docker/nginx/host.conf /etc/nginx/conf.d/
-ADD .docker/nginx/cert.crt /etc/ssl/cert.crt
-ADD .docker/nginx/cert.key /etc/ssl/cert.key
+ADD ../.docker/nginx/nginx.conf /etc/nginx/
+ADD ../.docker/nginx/host.conf /etc/nginx/conf.d/
+ADD ../.docker/nginx/cert.crt /etc/ssl/cert.crt
+ADD ../.docker/nginx/cert.key /etc/ssl/cert.key
 
 RUN rm /etc/nginx/conf.d/default.conf
 

.docker/nginx/dev.conf

@@ -0,0 +1,20 @@
+# .docker/nginx/dev.conf
+server {
+    listen 80;
+    root /var/www/webapp/public;
+    index index.php;
+
+    location / {
+        try_files $uri $uri/ /index.php$is_args$args;
+    }
+
+    location ~ \.php$ {
+        fastcgi_pass php:9000;
+        fastcgi_index index.php;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        include fastcgi_params;
+    }
+
+    error_log /var/log/nginx/error.log;
+    access_log /var/log/nginx/access.log;
+}

.docker/nginx/host.conf

@@ -12,6 +12,17 @@ server {
     }
 
     location ~ ^/index\.php(/|$) {
+        # 1. Add this Preflight check
+        if ($request_method = 'OPTIONS') {
+            add_header 'Access-Control-Allow-Origin' '*' always;
+            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE, PATCH' always;
+            add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since' always;
+            add_header 'Access-Control-Max-Age' 1728000;
+            add_header 'Content-Type' 'text/plain charset=UTF-8';
+            add_header 'Content-Length' 0;
+            return 204;
+        }
+
         fastcgi_pass php-upstream;
         fastcgi_split_path_info ^(.+\.php)(/.*)$;
         include fastcgi_params;