ci: Auto deploy via server-side pounce-deploy
@ -35,10 +35,8 @@ jobs:
|
|||||||
./ \
|
./ \
|
||||||
"${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }}:${{ secrets.DEPLOY_PATH }}/"
|
"${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }}:${{ secrets.DEPLOY_PATH }}/"
|
||||||
|
|
||||||
- name: Deploy (build + restart + health check)
|
- name: Generate backend env file (from secrets)
|
||||||
env:
|
env:
|
||||||
DEPLOY_SUDO_PASSWORD: ${{ secrets.DEPLOY_SUDO_PASSWORD }}
|
|
||||||
# App secrets (used to generate backend env file on server)
|
|
||||||
DATABASE_URL: ${{ secrets.DATABASE_URL }}
|
DATABASE_URL: ${{ secrets.DATABASE_URL }}
|
||||||
SECRET_KEY: ${{ secrets.SECRET_KEY }}
|
SECRET_KEY: ${{ secrets.SECRET_KEY }}
|
||||||
SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }}
|
SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }}
|
||||||
@ -49,20 +47,7 @@ jobs:
|
|||||||
CZDS_USERNAME: ${{ secrets.CZDS_USERNAME }}
|
CZDS_USERNAME: ${{ secrets.CZDS_USERNAME }}
|
||||||
CZDS_PASSWORD: ${{ secrets.CZDS_PASSWORD }}
|
CZDS_PASSWORD: ${{ secrets.CZDS_PASSWORD }}
|
||||||
run: |
|
run: |
|
||||||
ssh -i ~/.ssh/deploy_key "${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }}" << 'DEPLOY_EOF'
|
python3 - <<'PY'
|
||||||
set -euo pipefail
|
|
||||||
|
|
||||||
# Use sudo non-interactively (password supplied via env)
|
|
||||||
sudo_cmd() {
|
|
||||||
printf '%s\n' "$DEPLOY_SUDO_PASSWORD" | sudo -S "$@"
|
|
||||||
}
|
|
||||||
|
|
||||||
# Ensure dirs
|
|
||||||
sudo_cmd mkdir -p /data/pounce/env /data/pounce/zones
|
|
||||||
sudo_cmd chmod -R 755 /data/pounce || true
|
|
||||||
|
|
||||||
# Generate backend env file from pipeline-provided secrets (never echo values)
|
|
||||||
sudo_cmd python3 - <<'PY'
|
|
||||||
import os
|
import os
|
||||||
from pathlib import Path
|
from pathlib import Path
|
||||||
|
|
||||||
@ -125,62 +110,25 @@ for k, v in env.items():
|
|||||||
continue
|
continue
|
||||||
lines.append(f"{k}={v}")
|
lines.append(f"{k}={v}")
|
||||||
|
|
||||||
path = Path("/data/pounce/env/backend.env")
|
Path("backend.env").write_text("\n".join(lines) + "\n")
|
||||||
path.write_text("\n".join(lines) + "\n")
|
|
||||||
PY
|
PY
|
||||||
|
|
||||||
# Build images from synced repo
|
- name: Upload backend env to server
|
||||||
cd "${{ secrets.DEPLOY_PATH }}"
|
run: |
|
||||||
sudo_cmd docker build -t pounce-backend:latest backend
|
rsync -az \
|
||||||
sudo_cmd docker build \
|
-e "ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=yes" \
|
||||||
--build-arg NEXT_PUBLIC_API_URL=https://api.pounce.ch \
|
./backend.env \
|
||||||
--build-arg BACKEND_URL=http://pounce-backend:8000 \
|
"${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }}:/tmp/pounce-backend.env"
|
||||||
-t pounce-frontend:latest \
|
|
||||||
frontend
|
|
||||||
|
|
||||||
# Deploy backend
|
- name: Deploy on server (pounce-deploy)
|
||||||
sudo_cmd docker stop pounce-backend 2>/dev/null || true
|
run: |
|
||||||
sudo_cmd docker rm pounce-backend 2>/dev/null || true
|
ssh -i ~/.ssh/deploy_key "${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }}" << 'DEPLOY_EOF'
|
||||||
sudo_cmd docker run -d \
|
set -euo pipefail
|
||||||
--name pounce-backend \
|
mkdir -p /data/pounce/env
|
||||||
--network coolify \
|
# Move env file into place (requires no password due to sudoers rule)
|
||||||
--restart unless-stopped \
|
sudo mv /tmp/pounce-backend.env /data/pounce/env/backend.env
|
||||||
--shm-size=8g \
|
sudo chmod 600 /data/pounce/env/backend.env
|
||||||
--env-file /data/pounce/env/backend.env \
|
sudo /usr/local/bin/pounce-deploy
|
||||||
-v /data/pounce/zones:/data \
|
|
||||||
-l "traefik.enable=true" \
|
|
||||||
-l "traefik.http.routers.pounce-api.rule=Host(\`api.pounce.ch\`)" \
|
|
||||||
-l "traefik.http.routers.pounce-api.entryPoints=https" \
|
|
||||||
-l "traefik.http.routers.pounce-api.tls=true" \
|
|
||||||
-l "traefik.http.routers.pounce-api.tls.certresolver=letsencrypt" \
|
|
||||||
-l "traefik.http.services.pounce-api.loadbalancer.server.port=8000" \
|
|
||||||
pounce-backend:latest
|
|
||||||
sudo_cmd docker network connect n0488s44osgoow4wgo04ogg0 pounce-backend 2>/dev/null || true
|
|
||||||
|
|
||||||
# Deploy frontend
|
|
||||||
sudo_cmd docker stop pounce-frontend 2>/dev/null || true
|
|
||||||
sudo_cmd docker rm pounce-frontend 2>/dev/null || true
|
|
||||||
sudo_cmd docker run -d \
|
|
||||||
--name pounce-frontend \
|
|
||||||
--network coolify \
|
|
||||||
--restart unless-stopped \
|
|
||||||
-l "traefik.enable=true" \
|
|
||||||
-l "traefik.http.routers.pounce-web.rule=Host(\`pounce.ch\`) || Host(\`www.pounce.ch\`)" \
|
|
||||||
-l "traefik.http.routers.pounce-web.entryPoints=https" \
|
|
||||||
-l "traefik.http.routers.pounce-web.tls=true" \
|
|
||||||
-l "traefik.http.routers.pounce-web.tls.certresolver=letsencrypt" \
|
|
||||||
-l "traefik.http.services.pounce-web.loadbalancer.server.port=3000" \
|
|
||||||
pounce-frontend:latest
|
|
||||||
sudo_cmd docker network connect n0488s44osgoow4wgo04ogg0 pounce-frontend 2>/dev/null || true
|
|
||||||
|
|
||||||
# Health check
|
|
||||||
sleep 15
|
|
||||||
curl -sf https://api.pounce.ch/api/v1/health >/dev/null
|
|
||||||
curl -sf https://pounce.ch >/dev/null
|
|
||||||
|
|
||||||
# Cleanup
|
|
||||||
sudo_cmd docker image prune -f >/dev/null 2>&1 || true
|
|
||||||
echo "✅ Deploy finished"
|
|
||||||
DEPLOY_EOF
|
DEPLOY_EOF
|
||||||
|
|
||||||
- name: Summary
|
- name: Summary
|
||||||
|
|||||||
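Review bot: In the new "Upload backend env to server" and "Deploy on server" steps the file carrying DATABASE_URL, SECRET_KEY and SMTP_PASSWORD is staged at the predictable, world-shared path `/tmp/pounce-backend.env` and is only tightened by `sudo chmod 600` in the following step, so on the server it sits with whatever mode rsync `-a` carried over from the runner (likely 0644, since the generator uses a plain `Path("backend.env").write_text(...)`) until the deploy step runs, and any local user can pre-create or race that name. Upload it into the deploy user's own home with the mode fixed on the wire instead, e.g. `rsync -az --chmod=F600 -e "ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=yes" ./backend.env "user@host:~/pounce-backend.env"`, and have the deploy step move from there. The NOPASSWD sudoers rule that the comment says covers `sudo mv` and `sudo chmod` presumably has to be pinned to exactly these argument strings, otherwise it is an arbitrary-file-write-as-root primitive for anyone holding the deploy key; it would be tighter to let `/usr/local/bin/pounce-deploy`, already the single privileged entry point, do the move and chmod from a fixed source path and drop both `sudo` lines from the workflow. Note also that the deploy step's `ssh -i ~/.ssh/deploy_key ...` omits the `-o StrictHostKeyChecking=yes` the rsync step passes, which should match unless known_hosts is populated in a step outside this diff, and that the unprivileged `mkdir -p /data/pounce/env` will fail under `set -e` on a fresh host where /data/pounce is root-owned.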