From 7fe93c352f697e0654f11c93f49a835ee969fa7f Mon Sep 17 00:00:00 2001
From: Aaron Jackson <aaron@aaronsplace.co.uk>
Date: Tue, 21 Apr 2026 12:36:00 +0100
Subject: [PATCH 1/2] wip: docker-compose for dev

---
 dev/Dockerfile.nginx    |  26 ++++++++++
 dev/docker-hms-init.sh  |  17 +++++++
 dev/docker-init.sql     |   1 +
 dev/docker-krb5-init.sh |  35 ++++++++++++++
 docker-compose.yaml     | 102 ++++++++++++++++++++++++++++++++++++++++
 5 files changed, 181 insertions(+)
 create mode 100644 dev/Dockerfile.nginx
 create mode 100755 dev/docker-hms-init.sh
 create mode 100644 dev/docker-init.sql
 create mode 100755 dev/docker-krb5-init.sh
 create mode 100644 docker-compose.yaml

diff --git a/dev/Dockerfile.nginx b/dev/Dockerfile.nginx
new file mode 100644
index 00000000..a2db4fa0
--- /dev/null
+++ b/dev/Dockerfile.nginx
@@ -0,0 +1,26 @@
+FROM trafex/php-nginx:3.10.0 AS build
+
+USER root
+
+RUN cd / && \
+    apk add --no-cache php84-pear php84-dev gcc musl-dev make krb5-dev && \
+    wget https://pecl.php.net/get/krb5-1.2.4.tgz && \
+    tar zxf krb5-1.2.4.tgz && cd krb5-1.2.4 && \
+    phpize84 && \
+    ./configure --with-krb5kadm=S && \
+    make -j8 && make install
+
+FROM trafex/php-nginx:3.10.0 AS final
+
+COPY --from=build /usr/lib/php84/modules/krb5.so /usr/lib/php84/modules/krb5.so
+
+USER root
+
+RUN apk add --no-cache php84-pdo_mysql php84-redis krb5 krb5-pkinit \
+    php84-pcntl php84-posix php84-sodium php84-simplexml git && \
+    echo 'extension=krb5.so' > /etc/php84/conf.d/krb5.ini && \
+    echo -e '[safe]\ndirectory = *' > /.gitconfig && \
+    wget https://getcomposer.org/download/2.9.7/composer.phar -O /usr/bin/composer && \
+    chmod a+x /usr/bin/composer
+
+USER nobody
diff --git a/dev/docker-hms-init.sh b/dev/docker-hms-init.sh
new file mode 100755
index 00000000..58ccdc30
--- /dev/null
+++ b/dev/docker-hms-init.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+cd /hms
+
+composer upgrade --no-security-blocking
+
+php artisan make:cache-table || true
+php artisan key:generate
+php artisan migrate
+php artisan doctrine:migration:refresh -n
+php artisan hms:database:refresh-views
+php artisan hms:database:refresh-procedures
+php artisan permissions:defaults
+php artisan meta:sync
+php artisan db:seed
+yes | php artisan passport:install
+yes | php artisan ziggy:generate
diff --git a/dev/docker-init.sql b/dev/docker-init.sql
new file mode 100644
index 00000000..3adcc43e
--- /dev/null
+++ b/dev/docker-init.sql
@@ -0,0 +1 @@
+CREATE DATABASE IF NOT EXISTS hms;
diff --git a/dev/docker-krb5-init.sh b/dev/docker-krb5-init.sh
new file mode 100755
index 00000000..55545588
--- /dev/null
+++ b/dev/docker-krb5-init.sh
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+sleep 5
+
+# Setup kerberos keytab
+export KRB5_CONFIG=/shared/krb5.conf
+cat > "$KRB5_CONFIG" <<EOF
+[libdefaults]
+ dns_lookup_realm = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+ rdns = false
+ default_realm = NOTTINGHACK
+
+[realms]
+ NOTTINGHACK = {
+    kdc = hms-krb5
+    admin_server = hms-krb5
+ }
+EOF
+
+echo 'very-secure-passwords' | kinit admin/admin@NOTTINGHACK
+klist
+
+echo 'very-secure-passwords' | kadmin -q "addprinc -pw very-secure-passwords hms/admin@NOTTINGHACK"
+
+rm -f /shared/hms.keytab
+ktutil <<EOF
+addent  -password -p hms/admin@NOTTINGHACK -k 1 -e aes128-cts-hmac-sha1-96
+very-secure-passwords
+wkt /shared/hms.keytab
+EOF
+chmod a+r /shared/hms.keytab
+
diff --git a/docker-compose.yaml b/docker-compose.yaml
new file mode 100644
index 00000000..d921950e
--- /dev/null
+++ b/docker-compose.yaml
@@ -0,0 +1,102 @@
+networks:
+    hms:
+        driver:  bridge
+        enable_ipv6: false
+
+volumes:
+  hms-shared:
+  mariadb:
+
+services:
+  hms-web:
+    image: hms-php-nginx
+    pull_policy: never
+    build:
+      dockerfile: dev/Dockerfile.nginx
+    ports:
+      - "8080:8080"
+    networks:
+      - hms
+    user: nobody
+    volumes:
+      - ./:/var/www
+      - ./public:/var/www/html
+      - hms-shared:/shared
+    environment:
+      DB_HOST: hms-mysql
+      DB_USERNAME: root
+      DB_PASSWORD: ""
+      REDIS_HOST: hms-redis
+      KRB_USERNAME: hms/admin
+      KRB_REALM: NOTTINGHACK
+      KRB_KEYTAB: /shared/hms.keytab
+      KRB5_CONFIG: /shared/krb5.conf
+
+  hms-mysql:
+    image: mariadb:latest
+    ports:
+      - "3306:3306"
+    networks:
+      - hms
+    volumes:
+      - mariadb:/var/lib/mysql:Z
+      - ./dev/docker-init.sql:/docker-init.sql
+    command: --init-file /docker-init.sql
+    environment:
+      MARIADB_ALLOW_EMPTY_ROOT_PASSWORD: 1
+
+  hms-redis:
+    image: redis:latest
+    networks:
+      - hms
+
+  hms-krb5:
+    image: gcavalcante8808/krb5-server
+    networks:
+      - hms
+    volumes:
+      - hms-shared:/shared:rw
+    environment:
+      KRB5_REALM: NOTTINGHACK
+      KRB5_KDC: localhost
+      KRB5_ADMINSERVER: localhost
+      KRB5_PASS: very-secure-passwords
+
+  hms-db-init:
+    image: hms-php-nginx
+    pull_policy: never
+    command: /docker-init.sh
+    user: nobody
+    networks:
+      - hms
+    environment:
+      DB_HOST: hms-mysql
+      DB_USERNAME: root
+      DB_PASSWORD: ""
+      REDIS_HOST: hms-redis
+      KRB_USERNAME: hms/admin
+      KRB_REALM: NOTTINGHACK
+      KRB_KEYTAB: /shared/hms.keytab
+      KRB5_CONFIG: /shared/krb5.conf
+    volumes:
+      - ./dev/docker-hms-init.sh:/docker-init.sh
+      - ./:/hms
+      - hms-shared:/shared
+    depends_on:
+      hms-mysql:
+        condition: service_started
+      hms-web:
+        condition: service_healthy
+
+  hms-krb5-init:
+    image: gcavalcante8808/krb5-server
+    command: /docker-init.sh
+    networks:
+      - hms
+    volumes:
+      - ./dev/docker-krb5-init.sh:/docker-init.sh
+      - ./:/hms
+      - hms-shared:/shared
+    depends_on:
+      hms-krb5:
+        condition: service_started

From 75c3ee6876c58af11adc29985fc19434aeb0a4fe Mon Sep 17 00:00:00 2001
From: Aaron Jackson <aaron@aaronsplace.co.uk>
Date: Tue, 21 Apr 2026 16:13:06 +0100
Subject: [PATCH 2/2] compose minitor cleanup

---
 docker-compose.yaml | 33 ++++++++++++++-------------------
 1 file changed, 14 insertions(+), 19 deletions(-)

diff --git a/docker-compose.yaml b/docker-compose.yaml
index d921950e..1f335a74 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -5,7 +5,17 @@ networks:
 
 volumes:
   hms-shared:
-  mariadb:
+  hms-mariadb:
+
+x-hms-environment: &hms-environment
+  DB_HOST: hms-mysql
+  DB_USERNAME: root
+  DB_PASSWORD: ""
+  REDIS_HOST: hms-redis
+  KRB_USERNAME: hms/admin
+  KRB_REALM: NOTTINGHACK
+  KRB_KEYTAB: /shared/hms.keytab
+  KRB5_CONFIG: /shared/krb5.conf
 
 services:
   hms-web:
@@ -23,14 +33,7 @@ services:
       - ./public:/var/www/html
       - hms-shared:/shared
     environment:
-      DB_HOST: hms-mysql
-      DB_USERNAME: root
-      DB_PASSWORD: ""
-      REDIS_HOST: hms-redis
-      KRB_USERNAME: hms/admin
-      KRB_REALM: NOTTINGHACK
-      KRB_KEYTAB: /shared/hms.keytab
-      KRB5_CONFIG: /shared/krb5.conf
+      <<: *hms-environment
 
   hms-mysql:
     image: mariadb:latest
@@ -39,7 +42,7 @@ services:
     networks:
       - hms
     volumes:
-      - mariadb:/var/lib/mysql:Z
+      - hms-mariadb:/var/lib/mysql:Z
       - ./dev/docker-init.sql:/docker-init.sql
     command: --init-file /docker-init.sql
     environment:
@@ -70,14 +73,7 @@ services:
     networks:
       - hms
     environment:
-      DB_HOST: hms-mysql
-      DB_USERNAME: root
-      DB_PASSWORD: ""
-      REDIS_HOST: hms-redis
-      KRB_USERNAME: hms/admin
-      KRB_REALM: NOTTINGHACK
-      KRB_KEYTAB: /shared/hms.keytab
-      KRB5_CONFIG: /shared/krb5.conf
+      <<: *hms-environment
     volumes:
       - ./dev/docker-hms-init.sh:/docker-init.sh
       - ./:/hms
@@ -95,7 +91,6 @@ services:
       - hms
     volumes:
       - ./dev/docker-krb5-init.sh:/docker-init.sh
-      - ./:/hms
       - hms-shared:/shared
     depends_on:
       hms-krb5: