Add Fly.io deployment config and graceful Discourse/Wiki handling

- Dockerfile.fly: multi-stage build with PHP 8.2-FPM, nginx, supervisord
- fly.toml / fly-mysql.toml: app and MySQL machine configs
- nginx-fly.conf: nginx config with unix socket and Tigris proxy
- supervisord-fly.conf: process manager for nginx, php-fpm, cron
- startup.sh: background DB migrations, immediate supervisord start
- TrustProxies: trust all proxies (Fly terminates TLS)
- Disable Discourse/Wiki features when URLs not configured
- Add try-catch around Discourse notification fetch
- Remove zz-docker.conf override in Dockerfile

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: edwh

.fly/scripts/startup.sh

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+# Do NOT use set -e — we must always reach supervisord at the end
+# so that nginx starts and the health check passes.
+
+# Ensure storage directories exist
+mkdir -p /var/www/storage/framework/{sessions,views,cache/data}
+mkdir -p /var/www/storage/logs
+mkdir -p /var/www/bootstrap/cache
+chown -R www-data:www-data /var/www/storage /var/www/bootstrap/cache
+
+# Substitute environment variables in nginx config for Tigris proxy.
+if [ -n "$AWS_BUCKET" ]; then
+    export TIGRIS_BUCKET_URL="https://${AWS_BUCKET}.fly.storage.tigris.dev"
+    export TIGRIS_BUCKET_HOST="${AWS_BUCKET}.fly.storage.tigris.dev"
+    envsubst '${TIGRIS_BUCKET_URL} ${TIGRIS_BUCKET_HOST}' < /etc/nginx/nginx.conf > /etc/nginx/nginx.conf.tmp
+    mv /etc/nginx/nginx.conf.tmp /etc/nginx/nginx.conf
+fi
+
+# Run DB setup in a subshell so failures never prevent supervisord from starting
+(
+    # Wait for MySQL to be reachable
+    echo "Waiting for database..."
+    DB_READY=0
+    for i in $(seq 1 30); do
+        if php /var/www/artisan migrate:status > /dev/null 2>&1; then
+            DB_READY=1
+            break
+        fi
+        echo "  attempt $i/30 - database not ready, retrying..."
+        sleep 2
+    done
+
+    if [ "$DB_READY" = "1" ]; then
+        echo "Database ready, running migrations..."
+        php /var/www/artisan migrate --force || echo "WARNING: migrate failed"
+        timeout 30 php /var/www/artisan translations:import 2>/dev/null || true
+    else
+        echo "WARNING: Database not reachable after 60s, skipping migrations"
+    fi
+
+    # Cache config/routes/views for performance (non-fatal)
+    php /var/www/artisan config:cache 2>/dev/null || true
+    php /var/www/artisan route:cache 2>/dev/null || true
+    php /var/www/artisan view:cache 2>/dev/null || true
+    php /var/www/artisan queue:restart 2>/dev/null || true
+) &
+
+# Start supervisord immediately (manages nginx, php-fpm, cron)
+# This ensures the health check can pass while DB setup runs in background
+exec /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf

Dockerfile.fly

@@ -0,0 +1,123 @@
+# =============================================================================
+# Stage 1: Build assets (Node + Composer)
+# =============================================================================
+FROM php:8.2-cli AS builder
+
+# Install system dependencies for building
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git zip unzip curl \
+    libpng-dev libjpeg62-turbo-dev libfreetype6-dev libzip-dev libicu-dev libxml2-dev \
+    && docker-php-ext-configure gd --with-freetype --with-jpeg \
+    && docker-php-ext-install pdo_mysql bcmath zip intl gd \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Install xmlrpc via pecl
+RUN pecl install channel://pecl.php.net/xmlrpc-1.0.0RC3 && docker-php-ext-enable xmlrpc
+
+# Install composer
+COPY --from=composer/composer:2-bin /composer /usr/bin/composer
+
+# Install Node 18
+RUN curl -fsSL https://deb.nodesource.com/setup_18.x | bash - \
+    && apt-get install -y nodejs \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /build
+
+# Copy composer files first for layer caching
+COPY composer.json composer.lock ./
+RUN composer install --no-dev --no-scripts --no-autoloader --prefer-dist
+
+# Copy package files for npm layer caching
+COPY package.json package-lock.json ./
+RUN npm ci --legacy-peer-deps
+RUN npx update-browserslist-db@latest
+
+# Copy all source code
+COPY . .
+
+# Create a minimal .env for artisan commands during build (no DB needed)
+RUN echo "APP_KEY=base64:$(openssl rand -base64 32)" > .env && \
+    echo "APP_ENV=production" >> .env
+
+# Finish composer autoload (skip post-autoload scripts that need DB/app context)
+ENV COMPOSER_ALLOW_SUPERUSER=1
+RUN composer dump-autoload --optimize --no-dev --no-scripts
+
+# Run package discovery manually
+RUN php artisan package:discover --ansi || true
+
+# Build frontend assets
+# The webpack.mix.js runs `php artisan lang:js` via WebpackShellPlugin, but that
+# needs the full app bootstrapped. Generate translations first, then build.
+RUN php artisan lang:js --no-lib resources/js/translations.js 2>/dev/null || true
+RUN npm run production
+
+# Generate swagger docs (non-fatal if it fails)
+RUN php artisan l5-swagger:generate 2>/dev/null || true
+
+# Remove build .env (real env comes from Fly secrets at runtime)
+RUN rm -f .env
+
+# =============================================================================
+# Stage 2: Production image (Nginx + PHP-FPM + Supervisord + Cron)
+# =============================================================================
+FROM php:8.2-fpm
+
+# Install runtime dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    nginx \
+    supervisor \
+    cron \
+    gettext-base \
+    libpng-dev libjpeg62-turbo-dev libfreetype6-dev libzip-dev libicu-dev libxml2-dev \
+    && docker-php-ext-configure gd --with-freetype --with-jpeg \
+    && docker-php-ext-install pdo_mysql bcmath zip intl gd \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Install xmlrpc
+RUN pecl install channel://pecl.php.net/xmlrpc-1.0.0RC3 && docker-php-ext-enable xmlrpc
+
+# Configure PHP-FPM to use unix socket
+RUN sed -i 's|listen = 127.0.0.1:9000|listen = /var/run/php-fpm.sock|' /usr/local/etc/php-fpm.d/www.conf && \
+    sed -i 's|;listen.owner = www-data|listen.owner = www-data|' /usr/local/etc/php-fpm.d/www.conf && \
+    sed -i 's|;listen.group = www-data|listen.group = www-data|' /usr/local/etc/php-fpm.d/www.conf && \
+    sed -i 's|;listen.mode = 0660|listen.mode = 0660|' /usr/local/etc/php-fpm.d/www.conf && \
+    rm -f /usr/local/etc/php-fpm.d/zz-docker.conf
+
+# PHP production settings
+RUN cp /usr/local/etc/php/php.ini-production /usr/local/etc/php/conf.d/php.ini && \
+    echo "upload_max_filesize = 100M" >> /usr/local/etc/php/conf.d/php.ini && \
+    echo "post_max_size = 100M" >> /usr/local/etc/php/conf.d/php.ini && \
+    echo "memory_limit = 256M" >> /usr/local/etc/php/conf.d/php.ini
+
+# Copy nginx config
+COPY docker/nginx-fly.conf /etc/nginx/nginx.conf
+
+# Copy supervisord config
+COPY docker/supervisord-fly.conf /etc/supervisor/conf.d/supervisord.conf
+
+# Set up cron for Laravel scheduler (every minute)
+RUN echo "* * * * * cd /var/www && php artisan schedule:run >> /dev/null 2>&1" | crontab -
+
+# Set working directory
+WORKDIR /var/www
+
+# Copy application from builder
+COPY --from=builder --chown=www-data:www-data /build /var/www
+
+# Remove dev files not needed in production
+RUN rm -rf node_modules tests .git .github
+
+# Ensure storage and cache directories exist
+RUN mkdir -p storage/framework/{sessions,views,cache/data} \
+    storage/logs bootstrap/cache \
+    && chown -R www-data:www-data storage bootstrap/cache
+
+# Copy startup script
+COPY .fly/scripts/startup.sh /usr/local/bin/startup.sh
+RUN chmod +x /usr/local/bin/startup.sh
+
+EXPOSE 80
+
+CMD ["/usr/local/bin/startup.sh"]

app/Http/Controllers/API/UserController.php

@@ -107,18 +107,22 @@ public function notifications(Request $request, $id)
                 $discourseNotifications = Cache::get('talk_notification_' . $user->username);
             } else {
                 if (config('restarters.features.discourse_integration')) {
-                    $client = app('discourse-client');
-                    $response = $client->request('GET', '/notifications.json?username=' . $user->username);
-                    $talk_notifications = json_decode($response->getBody()->getContents(), true);
-
-                    if (!empty($talk_notifications) && array_key_exists('notifications', $talk_notifications)) {
-                        foreach ($talk_notifications['notifications'] as $notification) {
-                            if ($notification['read'] !== true) {
-                                $discourseNotifications++;
+                    try {
+                        $client = app('discourse-client');
+                        $response = $client->request('GET', '/notifications.json?username=' . $user->username);
+                        $talk_notifications = json_decode($response->getBody()->getContents(), true);
+
+                        if (!empty($talk_notifications) && array_key_exists('notifications', $talk_notifications)) {
+                            foreach ($talk_notifications['notifications'] as $notification) {
+                                if ($notification['read'] !== true) {
+                                    $discourseNotifications++;
+                                }
                             }
-                        }
 
-                        Cache::put('talk_notification_' . $user->username, $discourseNotifications, 60);
+                            Cache::put('talk_notification_' . $user->username, $discourseNotifications, 60);
+                        }
+                    } catch (\Exception $e) {
+                        // Discourse unavailable — silently return 0 notifications
                     }
                 }
             }

app/Http/Middleware/TrustProxies.php

@@ -12,7 +12,7 @@ class TrustProxies extends Middleware
      *
      * @var array<int, string>|string|null
      */
-    protected $proxies;
+    protected $proxies = '*';
 
     /**
      * The headers that should be used to detect proxies.

app/Providers/EventServiceProvider.php

@@ -119,7 +119,7 @@ class EventServiceProvider extends ServiceProvider
     public function boot()
     {
 
-        if (env('FEATURE__WIKI_INTEGRATION') === true) {
+        if (env('FEATURE__WIKI_INTEGRATION') === true && !empty(env('WIKI_URL'))) {
             Event::listen('Illuminate\Auth\Events\Login', \App\Listeners\LogInToWiki::class);
         }
     }

app/Providers/MediawikiServiceProvider.php

@@ -28,7 +28,7 @@ public function boot()
      */
     public function register()
     {
-        if (env('FEATURE__WIKI_INTEGRATION') === false) {
+        if (env('FEATURE__WIKI_INTEGRATION') === false || empty(env('WIKI_URL'))) {
             return;
         }
 

config/restarters.php

@@ -3,7 +3,7 @@
 return [
 
     'features' => [
-        'discourse_integration' => env('FEATURE__DISCOURSE_INTEGRATION', true),
+        'discourse_integration' => env('FEATURE__DISCOURSE_INTEGRATION', true) && !empty(env('DISCOURSE_URL')),
     ],
 
     'wiki' => [

docker/nginx-fly.conf

@@ -0,0 +1,73 @@
+user www-data;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    sendfile        on;
+    keepalive_timeout  65;
+
+    server {
+        listen 80 default_server;
+        listen [::]:80 default_server;
+
+        server_name _;
+
+        root /var/www/public;
+
+        index index.php;
+
+        charset utf-8;
+
+        # Security headers
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+        # HSTS - Fly.io terminates TLS, but this tells browsers to always use HTTPS
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+        # Proxy /uploads/ to Tigris S3 bucket (read-only).
+        # TIGRIS_BUCKET_URL and TIGRIS_BUCKET_HOST are substituted at startup
+        # via envsubst in startup.sh.
+        location /uploads/ {
+            limit_except GET HEAD {
+                deny all;
+            }
+
+            proxy_pass ${TIGRIS_BUCKET_URL}/;
+            proxy_set_header Host ${TIGRIS_BUCKET_HOST};
+            proxy_hide_header x-amz-request-id;
+            proxy_hide_header x-amz-id-2;
+            proxy_hide_header x-amz-meta-s3cmd-attrs;
+            proxy_intercept_errors on;
+            expires 30d;
+            add_header Cache-Control "public, immutable";
+            add_header X-Content-Type-Options "nosniff" always;
+        }
+
+        location / {
+            try_files $uri $uri/ /index.php?$query_string;
+        }
+
+        location = /favicon.ico { access_log off; }
+        location = /robots.txt  { access_log off; }
+
+        error_page 404 /index.php;
+
+        location ~ \.php$ {
+            fastcgi_pass unix:/var/run/php-fpm.sock;
+            fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+            include fastcgi_params;
+            fastcgi_param PHP_VALUE "upload_max_filesize=100M \n post_max_size=100M";
+        }
+
+        location ~ /\.(?!well-known).* {
+            deny all;
+        }
+    }
+}

docker/supervisord-fly.conf

@@ -0,0 +1,33 @@
+[supervisord]
+nodaemon=true
+user=root
+logfile=/dev/stdout
+logfile_maxbytes=0
+pidfile=/var/run/supervisord.pid
+
+[program:php-fpm]
+command=php-fpm --nodaemonize
+autostart=true
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[program:nginx]
+command=nginx -g "daemon off;"
+autostart=true
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[program:cron]
+command=cron -f
+autostart=true
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0

fly-mysql.toml

@@ -0,0 +1,20 @@
+app = "restarters-db"
+primary_region = "lhr"
+
+[build]
+  image = "mysql:8.0"
+
+[processes]
+  app = "mysqld --datadir=/data/mysql --default-authentication-plugin=mysql_native_password"
+
+[mounts]
+  source = "mysqldata"
+  destination = "/data"
+
+[env]
+  MYSQL_DATABASE = "restarters"
+  MYSQL_USER = "restarters"
+
+[[vm]]
+  size = "shared-cpu-1x"
+  memory = 2048