feat: introduce automated Docker Swarm stack generation and enforcement

introduces a new system to automatically generate and validate Docker Swarm stack files from their source definitions.

The `tools/generate_stacks.py` script now consolidates per-service `docker-compose.yml` files and new `swarm.fragment.yml` files into aggregated `stacks/*.yml` artifacts. all `docker-compose.yml` files now include an `x-stack:` annotation to define their target stack.

to enforce consistency, a CI job checks for drift between source files and generated stacks. additionally, a nightly workflow automatically regenerates drifted stacks and opens pull requests. the `stackctl.sh` script gains `generate` and `sync` commands, and automatically regenerates stacks before deployment with `up`.

common Docker Compose keys incompatible with Swarm (e.g., `container_name`, `restart`, `build`) are removed, default logging is applied, and relative paths are rewritten for Swarm compatibility. also updates Docker image dependencies across various services.

Author: wax911

.github/workflows/ci.yml

@@ -4,7 +4,7 @@ on:
   pull_request:
     types: [opened, synchronize, reopened]
   push:
-    branches: [ main ]
+    branches: [ main, dev ]
 
 jobs:
   lint:
@@ -42,4 +42,37 @@ jobs:
           scan-type: 'fs'
           severity: 'HIGH,CRITICAL'
           exit-code: '1'
-          ignore-unfixed: true
+          ignore-unfixed: true
+
+  stack-sync-check:
+    needs: [lint]
+    name: Stack drift check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+      - name: Install PyYAML
+        run: pip install PyYAML
+      - name: Check stacks are in sync with compose sources
+        run: python3 tools/generate_stacks.py --output-dir /tmp/stacks-check
+      - name: Diff generated vs committed stacks
+        run: |
+          drift=0
+          for stack in infrastructure observability platform; do
+            if ! diff -q "/tmp/stacks-check/${stack}.yml" "stacks/${stack}.yml" >/dev/null 2>&1; then
+              echo "DRIFT: stacks/${stack}.yml is out of sync"
+              diff "stacks/${stack}.yml" "/tmp/stacks-check/${stack}.yml" || true
+              drift=1
+            else
+              echo "OK: stacks/${stack}.yml"
+            fi
+          done
+          if [ "$drift" -eq 1 ]; then
+            echo ""
+            echo "Run './stackctl.sh generate' and commit the result."
+            exit 1
+          fi

.github/workflows/nightly-stack-sync.yml

@@ -0,0 +1,64 @@
+name: Nightly stack sync
+
+on:
+  schedule:
+    # Run every night at 02:00 UTC
+    - cron: '0 2 * * *'
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  sync:
+    name: Regenerate stacks and open PR if drifted
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout dev branch
+        uses: actions/checkout@v6
+        with:
+          ref: dev
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+
+      - name: Install PyYAML
+        run: pip install PyYAML
+
+      - name: Regenerate stacks
+        run: python3 tools/generate_stacks.py
+
+      - name: Check for drift
+        id: drift
+        run: |
+          if git diff --quiet stacks/; then
+            echo "drifted=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "drifted=true" >> "$GITHUB_OUTPUT"
+            git diff --stat stacks/
+          fi
+
+      - name: Open or update PR for drifted stacks
+        if: steps.drift.outputs.drifted == 'true'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          branch="chore/nightly-stack-sync-$(date +%Y%m%d)"
+          git config user.name  "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git checkout -b "$branch"
+          git add stacks/
+          git commit -m "chore(stacks): nightly regeneration from compose sources [skip ci]"
+          git push origin "$branch"
+          gh pr create \
+            --base dev \
+            --head "$branch" \
+            --title "chore(stacks): nightly stack regeneration $(date +%Y-%m-%d)" \
+            --body "Automated PR: stacks/ drifted from compose sources. Generated by the nightly-stack-sync workflow.
+
+Run \`./stackctl.sh sync\` locally to reproduce the diff." \
+            || echo "PR already exists or could not be created"

anitrend/docker-compose.yml

@@ -1,4 +1,5 @@
 ---
+x-stack: platform
 services:
   django-server:
     image: ghcr.io/anitrend/anitrend:0.8.0
@@ -20,7 +21,7 @@ services:
       driver: local
       options:
         max-size: "2m"
-        max-file: "3"
+        max-file: 3
 
 networks:
   default:

anitrend/swarm.fragment.yml

@@ -0,0 +1,15 @@
+services:
+  django-server:
+    deploy:
+      mode: replicated
+      replicas: 1
+      placement:
+        constraints:
+          - node.role == manager
+      resources:
+        reservations:
+          memory: 128M
+          cpus: '0.10'
+        limits:
+          memory: 384M
+          cpus: '0.50'

apisix/api-dashboard/docker-compose.yml

@@ -1,4 +1,5 @@
 ---
+x-stack: infrastructure
 services:
   apisix_dashboard:
     container_name: "apisix-dashobard"
@@ -21,7 +22,7 @@ services:
     logging:
       options:
         max-size: "10m"
-        max-file: "3"
+        max-file: 3
 
 
 networks:

apisix/api-dashboard/swarm.fragment.yml

@@ -0,0 +1,12 @@
+services:
+  apisix_dashboard:
+    deploy:
+      mode: global
+      placement:
+        constraints:
+          - node.role == manager
+      resources:
+        reservations:
+          memory: 64M
+        limits:
+          memory: 256M

apisix/api-gateway/docker-compose.yml

@@ -1,4 +1,5 @@
 ---
+x-stack: infrastructure
 volumes:
   cache:
     name: apisix-cache
@@ -29,7 +30,7 @@ services:
     logging:
       options:
         max-size: "10m"
-        max-file: "3"
+        max-file: 3
 
 
 networks:

apisix/api-gateway/swarm.fragment.yml

@@ -0,0 +1,14 @@
+services:
+  apisix_gateway:
+    deploy:
+      mode: global
+      placement:
+        constraints:
+          - node.role == manager
+      resources:
+        reservations:
+          memory: 128M
+          cpus: '0.10'
+        limits:
+          memory: 384M
+          cpus: '0.40'

apisix/etcd/docker-compose.yml

@@ -1,4 +1,5 @@
 ---
+x-stack: infrastructure
 volumes:
   etcd-data:
     name: 'etcd-data'
@@ -20,7 +21,7 @@ services:
     logging:
       options:
         max-size: "10m"
-        max-file: "3"
+        max-file: 3
 
 networks:
   default:

apisix/etcd/swarm.fragment.yml

@@ -0,0 +1,8 @@
+services:
+  etcd:
+    deploy:
+      resources:
+        reservations:
+          memory: 64M
+        limits:
+          memory: 256M