flatrender/deploy/README.md
soroush.asadi 127f40e1c1
CI/CD / CI · Web (tsc) (push) Successful in 1m8s
CI/CD / Deploy · full stack (push) Failing after 1m41s
ci: Gitea CI/CD pipeline + server deploy (Nexus mirror, Caddy HTTPS)
- .gitea/workflows/ci-cd.yml: frontend tsc check → self-hosted deploy job that
  builds the full compose stack and brings it up behind Caddy. Locks
  COMPOSE_PROJECT_NAME=flatrender (stable volumes), backs up the DB before each
  deploy, health-waits gateway+frontend, no `down -v`.
- Route all package installs through mirror.soroushasadi.com:
  frontend Dockerfile npm registry → NPM_REGISTRY build arg (Nexus default);
  3× NuGet.Config (content/identity/studio) → HTTPS nuget-group (were a bare IP).
- Harden host ports: ${HOST_BIND:-0.0.0.0} prefix on postgres/minio/render/gateway/
  frontend so prod (HOST_BIND=127.0.0.1) keeps them off the public internet — only
  Caddy 80/443 is public. Dev (unset → 0.0.0.0) unchanged.
- render-svc MINIO_USE_SSL now env-driven (MINIO_HOST_USE_SSL) for HTTPS storage domain.
- deploy/ENV_FILE.production.example (the Gitea secret template) + deploy/README.md
  (one-time setup + go-live checklist).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-12 13:29:09 +03:30

Deploying FlatRender (Gitea CI/CD → server)

Push to Gitea triggers .gitea/workflows/ci-cd.yml: a frontend tsc check, then a self-hosted deploy job that builds the whole compose stack and brings it up behind Caddy (Let's Encrypt HTTPS). GitHub (origin) stays a backup and never deploys.

Stack: gateway · identity · content · studio (.NET/Go) · file · render · notification (Go) · Next.js frontend · Postgres · MinIO · Caddy. All package installs route through mirror.soroushasadi.com (Nexus).

One-time setup (do these BEFORE the first git push gitea master)

  1. DNS — point three A-records at the server: DOMAIN, API_DOMAIN, STORAGE_DOMAIN (e.g. flatrender.ir / api.flatrender.ir / storage.flatrender.ir).
  2. Firewall — ufw allow 22,80,443/tcp. Everything else binds to 127.0.0.1 (via HOST_BIND=127.0.0.1 in the env), so only Caddy faces the internet.
  3. Gitea Actions — enabled for this repo, and an act_runner is registered with the self-hosted:host label (the standard server already has this).
  4. ENV_FILE secret — at …/soroushdes/flatrender/settings/secrets, create ENV_FILE with the filled-in contents of ENV_FILE.production.example (generate each secret with openssl rand -hex 32).
  5. Server prerequisites (already true on the Gitea+Nexus box): Docker + compose v2, /etc/docker/daemon.json has {"registry-mirrors":["https://mirror.soroushasadi.com"]}.

Go live

git push gitea master      # triggers CI + deploy

Watch: https://git.soroushasadi.com/soroushdes/flatrender/actions. First run is the slowest (cold Nexus cache + all images build, ~15-25 min). Caddy issues TLS certs on first boot. Then visit https://DOMAIN.
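A post-deploy check for the HOST_BIND hardening from the setup list: every service except Caddy (80/443) must listen on loopback only. This is an added example, not a script from the FlatRender repo; it assumes `ss -Htln`-style output and an env file containing HOST_BIND (the server-side path is a placeholder).

```shell
#!/bin/sh
# Post-deploy exposure check for the HOST_BIND hardening: everything except
# Caddy (80/443) must listen on loopback only. Added example, not part of the
# FlatRender repo. Assumes `ss -Htln`-style output and an env file with HOST_BIND.

PUBLIC_PORTS="80 443"   # the only ports allowed on a non-loopback address

# check_env FILE -> 0 if the file pins HOST_BIND=127.0.0.1, 1 otherwise
check_env() {
  grep -qE '^HOST_BIND=127\.0\.0\.1$' "$1"
}

# exposed_listeners < ss-output -> prints addr:port for each listener that is
# bound to a non-loopback address and whose port is not in PUBLIC_PORTS
exposed_listeners() {
  awk -v public="$PUBLIC_PORTS" '
    BEGIN { n = split(public, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
    $1 == "LISTEN" {
      port = $4; sub(/.*:/, "", port)       # text after the last colon
      host = $4; sub(/:[0-9]+$/, "", host)  # text before it (IPv4, *, or [::1])
      if (host ~ /^127\./ || host == "[::1]") next   # loopback: fine
      if (port in ok) next                            # Caddy: fine
      print $4
    }'
}

# Constructed sample of `ss -Htln` on a box where postgres leaked to 0.0.0.0,
# e.g. because HOST_BIND was left unset (the dev default).
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:9000 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:5432 0.0.0.0:*
LISTEN 0 4096 *:80 *:*
LISTEN 0 4096 *:443 *:*
LISTEN 0 4096 [::1]:3000 [::]:*'

# audit ENVFILE SS_OUTPUT -> 0 when clean, 1 when anything is exposed
audit() {
  rc=0
  check_env "$1" || { echo "HOST_BIND is not 127.0.0.1 in $1"; rc=1; }
  leaks=$(printf '%s\n' "$2" | exposed_listeners)
  [ -z "$leaks" ] || { echo "exposed listeners: $leaks"; rc=1; }
  return $rc
}

# Real run on the server (env path is a placeholder):
#   audit /path/to/ENV_FILE "$(ss -Htln)"
```

Run it after every deploy; a non-zero exit means a service port escaped the 127.0.0.1 prefix and the env secret or compose file needs a second look.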

First-run notes

  • Migrations auto-run once via scripts/init-db.sh when the Postgres volume is first created. Later schema changes are applied manually with psql (the data volume persists).
  • Admin seed — create the first admin per the project's identity seed flow, then log in at https://DOMAIN → admin.
  • Rendering — there is no After Effects node on the server, so RENDER_DEV_WORKER=false. Disable rendering in Admin → فارم رندر (Render Farm) → موتور رندر (Render Engine) so users see an "unavailable" notice instead of jobs that never finish. (Point real render nodes at the server later.)
  • MinIO public URLs — verify an uploaded image and a render download resolve over https://STORAGE_DOMAIN. If not, recheck MINIO_HOST_ENDPOINT / MINIO_HOST_USE_SSL / NEXT_PUBLIC_MINIO_URL in the secret and redeploy.

Redeploy / rotate secrets

Edit ENV_FILE in Gitea (or push any commit) → the deploy job re-runs. It backs up the DB to /opt/flatrender-backups/ before each deploy and never runs docker compose down -v. Changing a NEXT_PUBLIC_* value only takes effect after the redeploy (baked at build time).