ci: Gitea CI/CD pipeline + server deploy (Nexus mirror, Caddy HTTPS)
- .gitea/workflows/ci-cd.yml: frontend tsc check → self-hosted deploy job that
builds the full compose stack and brings it up behind Caddy. Locks
COMPOSE_PROJECT_NAME=flatrender (stable volumes), backs up the DB before each
deploy, health-waits gateway+frontend, no `down -v`.
- Route all package installs through mirror.soroushasadi.com:
frontend Dockerfile npm registry → NPM_REGISTRY build arg (Nexus default);
3× NuGet.Config (content/identity/studio) → HTTPS nuget-group (were a bare IP).
- Harden host ports: ${HOST_BIND:-0.0.0.0} prefix on postgres/minio/render/gateway/
frontend so prod (HOST_BIND=127.0.0.1) keeps them off the public internet — only
Caddy 80/443 is public. Dev (unset → 0.0.0.0) unchanged.
- render-svc MINIO_USE_SSL now env-driven (MINIO_HOST_USE_SSL) for HTTPS storage domain.
- deploy/ENV_FILE.production.example (the Gitea secret template) + deploy/README.md
(one-time setup + go-live checklist).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
soroush.asadi
@@ -0,0 +1,73 @@
|
||||
# ─────────────────────────────────────────────────────────────────────────────
|
||||
# FlatRender — PRODUCTION ENV_FILE template
|
||||
#
|
||||
# This is the content of the Gitea repo secret named ENV_FILE.
|
||||
# Set it at: https://git.soroushasadi.com/soroushdes/flatrender/settings/secrets
|
||||
# The deploy job writes this verbatim to `.env`, which docker compose reads.
|
||||
#
|
||||
# Fill every <PLACEHOLDER>. Generate secrets with: openssl rand -hex 32
|
||||
# After editing the secret, push any commit to trigger a redeploy.
|
||||
# Changing a NEXT_PUBLIC_* value requires a redeploy (baked into the frontend at build).
|
||||
# ─────────────────────────────────────────────────────────────────────────────
|
||||
|
||||
# ── Host port binding ────────────────────────────────────────────────────────
|
||||
# 127.0.0.1 keeps Postgres/MinIO/gateway/frontend OFF the public internet — only
|
||||
# Caddy (80/443) is public. (Docker bypasses ufw, so this binding is the real guard.)
|
||||
HOST_BIND=127.0.0.1
|
||||
|
||||
# ── Domains (DNS A-records must point at this server) ────────────────────────
|
||||
DOMAIN=flatrender.example.com
|
||||
API_DOMAIN=api.flatrender.example.com
|
||||
STORAGE_DOMAIN=storage.flatrender.example.com
|
||||
ACME_EMAIL=you@example.com
|
||||
|
||||
# ── Browser-facing URLs (baked into the frontend at build time) ──────────────
|
||||
NEXT_PUBLIC_SITE_URL=https://flatrender.example.com
|
||||
NEXT_PUBLIC_API_URL=https://api.flatrender.example.com/v1
|
||||
NEXT_PUBLIC_MINIO_URL=https://storage.flatrender.example.com
|
||||
NEXT_PUBLIC_TENANT_SLUG=flatrender
|
||||
CORS_ORIGIN=https://flatrender.example.com
|
||||
|
||||
# ── Core secrets ─────────────────────────────────────────────────────────────
|
||||
JWT_SECRET=<openssl rand -hex 32>
|
||||
SERVICE_TOKEN=<openssl rand -hex 32>
|
||||
NODE_HMAC_SECRET=<openssl rand -hex 32>
|
||||
JWT_ACCESS_MINUTES=1440
|
||||
|
||||
# ── Postgres ─────────────────────────────────────────────────────────────────
|
||||
POSTGRES_USER=flatrender
|
||||
POSTGRES_PASSWORD=<openssl rand -hex 24>
|
||||
|
||||
# ── MinIO (object storage) ───────────────────────────────────────────────────
|
||||
MINIO_ACCESS_KEY=<openssl rand -hex 12>
|
||||
MINIO_SECRET_KEY=<openssl rand -hex 24>
|
||||
MINIO_BUCKET=flatrender-exports
|
||||
MINIO_TEMPLATES_BUCKET=flatrender-templates
|
||||
MINIO_UPLOAD_BUCKET=user-uploads
|
||||
# render-svc signs presigned URLs for the public storage domain (over HTTPS via Caddy):
|
||||
MINIO_HOST_ENDPOINT=storage.flatrender.example.com
|
||||
MINIO_HOST_USE_SSL=true
|
||||
|
||||
# ── Render farm ──────────────────────────────────────────────────────────────
|
||||
# No AE node on the server → keep the dev worker OFF (it would mock-complete jobs).
|
||||
# Instead disable rendering in Admin → فارم رندر → موتور رندر so users see a notice.
|
||||
RENDER_DEV_WORKER=false
|
||||
RENDER_DEV_SNAPSHOTS=false
|
||||
|
||||
# Gateway host port (bound to HOST_BIND above; public access is via API_DOMAIN/Caddy).
|
||||
GATEWAY_PORT=8080
|
||||
|
||||
# ── Payments (fill the providers you actually use; leave others blank) ───────
|
||||
STRIPE_SECRET_KEY=
|
||||
STRIPE_WEBHOOK_SECRET=
|
||||
STRIPE_PUBLISHABLE_KEY=
|
||||
ZARINPAL_MERCHANT_ID=
|
||||
ZARINPAL_CALLBACK_URL=https://api.flatrender.example.com/v1/payments/callback/zarinpal
|
||||
ZARINPAL_SANDBOX=false
|
||||
SNAPPAY_CLIENT_ID=
|
||||
SNAPPAY_CLIENT_SECRET=
|
||||
SNAPPAY_BASE_URL=https://api.snappay.ir
|
||||
SNAPPAY_CALLBACK_URL=https://api.flatrender.example.com/v1/payments/callback/snappay
|
||||
TARA_API_KEY=
|
||||
TARA_BASE_URL=https://api.tara.ir
|
||||
TARA_CALLBACK_URL=https://api.flatrender.example.com/v1/payments/callback/tara
|
||||
@@ -0,0 +1,52 @@
|
||||
# Deploying FlatRender (Gitea CI/CD → server)
|
||||
|
||||
Push to **Gitea** triggers `.gitea/workflows/ci-cd.yml`: a frontend `tsc` check, then a
|
||||
self-hosted `deploy` job that builds the whole compose stack and brings it up behind
|
||||
Caddy (Let's Encrypt HTTPS). GitHub (`origin`) stays a backup and never deploys.
|
||||
|
||||
Stack: gateway · identity · content · studio (.NET/Go) · file · render · notification
|
||||
(Go) · Next.js frontend · Postgres · MinIO · Caddy. All package installs route through
|
||||
`mirror.soroushasadi.com` (Nexus).
|
||||
|
||||
## One-time setup (do these BEFORE the first `git push gitea master`)
|
||||
|
||||
1. **DNS** — point three A-records at the server:
|
||||
`DOMAIN`, `API_DOMAIN`, `STORAGE_DOMAIN` (e.g. flatrender.ir / api.flatrender.ir / storage.flatrender.ir).
|
||||
2. **Firewall** — `ufw allow 22,80,443/tcp`. Everything else binds to `127.0.0.1`
|
||||
(via `HOST_BIND=127.0.0.1` in the env), so only Caddy faces the internet.
|
||||
3. **Gitea Actions** — enabled for this repo, and an `act_runner` is registered with the
|
||||
`self-hosted:host` label (the standard server already has this).
|
||||
4. **ENV_FILE secret** — at `…/soroushdes/flatrender/settings/secrets`, create `ENV_FILE`
|
||||
with the filled-in contents of [`ENV_FILE.production.example`](./ENV_FILE.production.example)
|
||||
(generate each secret with `openssl rand -hex 32`).
|
||||
5. **Server prerequisites** (already true on the Gitea+Nexus box): Docker + compose v2,
|
||||
`/etc/docker/daemon.json` has `{"registry-mirrors":["https://mirror.soroushasadi.com"]}`.
|
||||
|
||||
## Go live
|
||||
|
||||
```bash
|
||||
git push gitea master # triggers CI + deploy
|
||||
```
|
||||
|
||||
Watch: `https://git.soroushasadi.com/soroushdes/flatrender/actions`.
|
||||
First run is the slowest (cold Nexus cache + all images build, ~15–25 min). Caddy issues
|
||||
TLS certs on first boot. Then visit `https://DOMAIN`.
|
||||
|
||||
## First-run notes
|
||||
|
||||
- **Migrations** auto-run once via `scripts/init-db.sh` when the Postgres volume is first
|
||||
created. Later schema changes are applied manually with `psql` (the data volume persists).
|
||||
- **Admin seed** — create the first admin per the project's identity seed flow, then log in
|
||||
at `https://DOMAIN` → admin.
|
||||
- **Rendering** — there is no After Effects node on the server, so `RENDER_DEV_WORKER=false`.
|
||||
Disable rendering in **Admin → فارم رندر → موتور رندر** so users see an "unavailable" notice
|
||||
instead of jobs that never finish. (Point real render nodes at the server later.)
|
||||
- **MinIO public URLs** — verify an uploaded image and a render download resolve over
|
||||
`https://STORAGE_DOMAIN`. If not, recheck `MINIO_HOST_ENDPOINT` / `MINIO_HOST_USE_SSL` /
|
||||
`NEXT_PUBLIC_MINIO_URL` in the secret and redeploy.
|
||||
|
||||
## Redeploy / rotate secrets
|
||||
|
||||
Edit `ENV_FILE` in Gitea (or push any commit) → the deploy job re-runs. It backs up the DB
|
||||
to `/opt/flatrender-backups/` before each deploy and never runs `docker compose down -v`.
|
||||
Changing a `NEXT_PUBLIC_*` value only takes effect after the redeploy (baked at build time).
|
||||
Reference in New Issue
Block a user