ci: Gitea CI/CD pipeline + server deploy (Nexus mirror, Caddy HTTPS)
CI/CD / CI · Web (tsc) (push) Successful in 1m8s
CI/CD / Deploy · full stack (push) Failing after 1m41s

- .gitea/workflows/ci-cd.yml: frontend tsc check → self-hosted deploy job that
  builds the full compose stack and brings it up behind Caddy. Locks
  COMPOSE_PROJECT_NAME=flatrender (stable volumes), backs up the DB before each
  deploy, health-waits gateway+frontend, no `down -v`.
- Route all package installs through mirror.soroushasadi.com:
  frontend Dockerfile npm registry → NPM_REGISTRY build arg (Nexus default);
  3× NuGet.Config (content/identity/studio) → HTTPS nuget-group (were a bare IP).
- Harden host ports: ${HOST_BIND:-0.0.0.0} prefix on postgres/minio/render/gateway/
  frontend so prod (HOST_BIND=127.0.0.1) keeps them off the public internet — only
  Caddy 80/443 is public. Dev (unset → 0.0.0.0) unchanged.
- render-svc MINIO_USE_SSL now env-driven (MINIO_HOST_USE_SSL) for HTTPS storage domain.
- deploy/ENV_FILE.production.example (the Gitea secret template) + deploy/README.md
  (one-time setup + go-live checklist).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
soroush.asadi
2026-06-12 13:29:09 +03:30
parent 61ba526122
commit 127f40e1c1
8 changed files with 262 additions and 15 deletions
+10 -7
@@ -27,7 +27,9 @@ services:
- ./backend/db/migrations:/migrations:ro
- ./scripts/init-db.sh:/docker-entrypoint-initdb.d/00-init.sh:ro
ports:
- "5432:5432"
# HOST_BIND=127.0.0.1 in prod keeps these off the public interface (only
# Caddy's 80/443 face the internet). Unset → 0.0.0.0 for local/LAN dev.
- "${HOST_BIND:-0.0.0.0}:5432:5432"
healthcheck:
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-postgres} -d flatrender"]
interval: 5s
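Review bot: the `${HOST_BIND:-0.0.0.0}` default on the `5432:5432` mapping fails open: if the production env file omits or misspells `HOST_BIND`, Postgres is published on every interface and nothing in the deploy job would notice. Consider flipping the default so the safe value needs no configuration (`${HOST_BIND:-127.0.0.1}`, with local/LAN dev opting in to `0.0.0.0`), or use `${HOST_BIND:?HOST_BIND must be set}` so a missing value aborts `compose up` instead of exposing the port.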
@@ -46,8 +48,8 @@ services:
volumes:
- miniodata:/data
ports:
- "9000:9000"
- "9001:9001"
- "${HOST_BIND:-0.0.0.0}:9000:9000"
- "${HOST_BIND:-0.0.0.0}:9001:9001"
healthcheck:
test: ["CMD-SHELL", "mc ready local || exit 1"]
interval: 10s
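Review bot: the MinIO console on `9001` is an admin UI and probably should not get a host port in prod at all; nothing outside the compose network should be administering buckets, and the S3 API on `9000` is the only one render-svc and Caddy need. If both mappings stay, repeat or reference the HOST_BIND comment from the postgres block here so a later edit does not drop the prefix on one of the two lines.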
@@ -182,7 +184,7 @@ services:
container_name: fr2-render
restart: unless-stopped
ports:
- "5010:8080" # exposed so a LOCAL (host) node-agent can reach /v1/internal/*
- "${HOST_BIND:-0.0.0.0}:5010:8080" # exposed so a LOCAL (host) node-agent can reach /v1/internal/*
environment:
DATABASE_URL: "postgres://${POSTGRES_USER:-postgres}:${POSTGRES_PASSWORD:-postgres}@postgres:5432/flatrender?search_path=render,public"
JWT_SECRET: "${JWT_SECRET}"
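Review bot: the comment on the `5010:8080` line should state what HOST_BIND changes for the node-agent case: with `HOST_BIND=127.0.0.1` a host-local agent still reaches `/v1/internal/*` over loopback, but an agent on another machine no longer can, which looks intended and is worth saying. Loopback binding still leaves `/v1/internal/*` reachable by every process on the host, so it should be authenticated (the `JWT_SECRET`-signed token or equivalent) rather than relying on the port being unreachable. Separately, the `${POSTGRES_PASSWORD:-postgres}` fallback in `DATABASE_URL` means a missing secret still yields a working default-credential connection string; `${POSTGRES_PASSWORD:?}` would surface that at `up` time.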
@@ -191,7 +193,8 @@ services:
MINIO_ENDPOINT: "${MINIO_HOST_ENDPOINT:-172.28.144.1:9000}"
MINIO_ACCESS_KEY: "${MINIO_ACCESS_KEY:-minioadmin}"
MINIO_SECRET_KEY: "${MINIO_SECRET_KEY:-minioadmin}"
MINIO_USE_SSL: "false"
# SSL on when MINIO_HOST_ENDPOINT is an HTTPS storage domain (prod via Caddy).
MINIO_USE_SSL: "${MINIO_HOST_USE_SSL:-false}"
MINIO_BUCKET: "${MINIO_BUCKET:-flatrender-exports}"
# Scene snapshots upload to this public-read bucket; PUBLIC_URL is the
# browser-reachable base for the stored snapshot_url (defaults to the host
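Review bot: `MINIO_USE_SSL` is now driven by a different variable than the endpoint it describes, so the two can drift: setting `MINIO_HOST_ENDPOINT` to the HTTPS storage domain while leaving `MINIO_HOST_USE_SSL` unset makes render-svc send plaintext requests to a TLS listener (or to whatever answers on port 80 of that domain). Either derive the flag from the endpoint scheme in render-svc, or make sure deploy/ENV_FILE.production.example sets both together. The `${MINIO_ACCESS_KEY:-minioadmin}` / `${MINIO_SECRET_KEY:-minioadmin}` fallbacks and the hard-coded `172.28.144.1:9000` default in the same block are also dev-only values that a `:?` expansion would keep from silently reaching prod.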
@@ -250,7 +253,7 @@ services:
container_name: fr2-gateway
restart: unless-stopped
ports:
- "${GATEWAY_PORT:-8080}:8080"
- "${HOST_BIND:-0.0.0.0}:${GATEWAY_PORT:-8080}:8080"
environment:
JWT_SECRET: "${JWT_SECRET}"
IDENTITY_URL: "http://identity-svc:8080"
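Review bot: with Caddy terminating TLS and proxying to the gateway over the compose network, the gateway may not need a published host port in prod at all; a loopback-only mapping is still a listener that any host process can hit directly, bypassing whatever headers, limits or auth Caddy applies. If it is kept for the deploy job's health-wait, add a post-deploy check to the go-live checklist in deploy/README.md, e.g. `ss -ltnp` on the host confirming that only `:80` and `:443` listen on a non-loopback address.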
@@ -297,7 +300,7 @@ services:
container_name: fr2-frontend
restart: unless-stopped
ports:
- "3000:3000"
- "${HOST_BIND:-0.0.0.0}:3000:3000"
environment:
NODE_ENV: production
PORT: "3000"
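Review bot: this is the fifth copy of the `${HOST_BIND:-0.0.0.0}:` prefix, and the frontend on `3000` is served through Caddy in prod, so like the gateway this mapping mostly matters for dev and the health-wait. Whichever ports stay published, `docker compose --env-file <prod env> config` renders the resolved strings (`127.0.0.1:3000:3000` etc.), and grepping that output for `0.0.0.0:` is a cheap CI step that would fail the deploy job before `up` if any mapping is left open.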