thekoma
diff --git a/‎.dockerignore
+42 b/‎.dockerignore
+42
diff --git a/‎.gitignore
+3-1 b/‎.gitignore
+3-1
diff --git a/‎.pre-commit-config.yaml
+25 b/‎.pre-commit-config.yaml
+25
diff --git a/‎.secrets.baseline
+137 b/‎.secrets.baseline
+137
diff --git a/‎Dockerfile
+18-5 b/‎Dockerfile
+18-5
@@ -0,0 +1,42 @@
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+.Python
+.pytest_cache/
+
+# Virtual Environment
+.env
+.venv
+env/
+venv/
+ENV/
+
+# IDE
+.idea/
+.vscode/
+*.swp
+*.swo
+
+# Logs
+*.log
+
+# Local development
+.git/
+.gitignore
+README.md
+tests/
+docs/
+
+# Docker
+Dockerfile
+.dockerignore
+
+# Kubernetes
+deploy/
+skaffold.yaml
+
+# Database
+*.db
+*.sqlite3
@@ -3,4 +3,6 @@ deploy/k8s/secret.yaml
 deploy/k8s/ingress.yaml
 .venv/**
 .venv/
-__pycache__
+__pycache__
+deploy/k8s/overlays
+deploy/k8s/base/secret.yaml
@@ -0,0 +1,25 @@
+repos:
+- repo: https://github.com/psf/black
+  rev: 24.10.0
+  hooks:
+    - id: black
+      language_version: python3
+      args: [--line-length=100]
+
+- repo: https://github.com/Yelp/detect-secrets
+  rev: v1.5.0
+  hooks:
+    - id: detect-secrets
+      args: ['--baseline', '.secrets.baseline']
+      exclude: package.lock.json
+
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v5.0.0
+  hooks:
+    - id: trailing-whitespace
+    - id: end-of-file-fixer
+    - id: check-yaml
+    - id: check-added-large-files
+    - id: check-json
+    - id: check-case-conflict
+    - id: check-merge-conflict
@@ -0,0 +1,137 @@
+{
+  "version": "1.5.0",
+  "plugins_used": [
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "name": "AWSKeyDetector"
+    },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
+    {
+      "name": "Base64HighEntropyString",
+      "limit": 4.5
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "name": "DiscordBotTokenDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "name": "GitLabTokenDetector"
+    },
+    {
+      "name": "HexHighEntropyString",
+      "limit": 3.0
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "IPPublicDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "name": "KeywordDetector",
+      "keyword_exclude": ""
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "OpenAIDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "PypiTokenDetector"
+    },
+    {
+      "name": "SendGridDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "SquareOAuthDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TelegramBotTokenDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "filters_used": [
+    {
+      "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+      "min_level": 2
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_likely_id_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_lock_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_sequential_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_swagger_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_templated_secret"
+    }
+  ],
+  "results": {
+    "src/main.py": [
+      {
+        "type": "Secret Keyword",
+        "filename": "src/main.py",
+        "hashed_secret": "7e6a3680012346b94b54731e13d8a9ffa3790645",
+        "is_verified": false,
+        "line_number": 304
+      }
+    ]
+  },
+  "generated_at": "2025-01-14T23:13:44Z"
+}
@@ -11,7 +11,7 @@ ENV PYTHONFAULTHANDLER=1 \
     CRYPTOGRAPHY_DONT_BUILD_RUST=1 \
     TZ='Europe/Rome'
 
-WORKDIR /usr/src/app
+WORKDIR /usr/app
 
 # Installiamo le dipendenze di sistema necessarie per Alpine
 RUN apk add --no-cache \
@@ -25,7 +25,10 @@ RUN apk add --no-cache \
     openssl-dev \
     cargo \
     make \
-    bind-tools
+    bind-tools \
+    sqlite
+
+RUN mkdir /data && chown nobody:nobody /data
 
 # Installiamo poetry e configuriamolo
 RUN pip3 install --no-cache-dir --upgrade pip && \
@@ -40,10 +43,20 @@ RUN poetry install --only main --no-interaction --no-ansi
 
 # Copiamo il resto del codice sorgente
 COPY src/ ./
+COPY entrypoint.sh ./
+COPY dev-tools/ ./dev-tools/
+# Rendiamo eseguibile lo script di entrypoint
+RUN chmod +x entrypoint.sh
+# Rendi scrivibile i file per l'utente nobody
+RUN  chown -R 1000:1000 /usr/app && chmod -R u+w /usr/app
 
-# Copiamo i file statici
-COPY src/static /app/src/static
+# Create user ilpoastapi with uid 1000 and gid 1000 using adduser, and add group ilpoastapi
+RUN  addgroup -g 1000 ilpoastapi && adduser -u 1000 -G ilpoastapi -s /bin/sh -D ilpoastapi && chown -R ilpoastapi:ilpoastapi /usr/app && chmod -R u+w /usr/app
 
 EXPOSE 5000
 
-CMD ["uvicorn", "main:app", "--proxy-headers", "--port", "5000", "--host", "0.0.0.0", "--forwarded-allow-ips", "*"]
+# Imposta l'utente non-root
+# USER nobody
+USER ilpoastapi
+
+ENTRYPOINT ["./entrypoint.sh"]