gtw_stack_deploy.yaml
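# I know, I should be using a proper deployment pipeline, like Ansible.
# But honestly, I'm too lazy to wrestle with those annoying Ansible bugs for days.
# Sorry, not sorry.
#
# Workflow: on every push to main, build the app image and push it to Docker Hub,
# then SSH to the server to bootstrap TLS (first run only) and restart the compose stack.
#
# NOTE(review): the rendered page had its indentation stripped and two values
# obfuscated by the page's e-mail protection (the appleboy action versions and the
# admin address). Those appear below as <...> placeholders and must be restored from
# the original file before this workflow is used.
name: Build and Deploy

on:
  push:
    branches:
      - main

# The GITHUB_TOKEN is only needed by actions/checkout; no job writes back to the repo.
permissions:
  contents: read

# Shared by both jobs (previously duplicated per job, which risked drift).
env:
  SERVER_DOMAIN: waze.papko.org
  ADMIN_EMAIL: "<ADMIN_EMAIL>"
  IMAGE_NAME: papko26/gtw
  DEPLOY_DIR: /etc/gtw

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Get commit hash
        id: commit
        # Exported via GITHUB_ENV so later steps can read it as env.COMMIT_SHA.
        run: echo "COMMIT_SHA=$(git rev-parse --short HEAD)" >> "$GITHUB_ENV"

      - name: Log in to Docker Hub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Build and push Docker images
        run: |
          # Tag with both "latest" and the short commit SHA so a specific build
          # can be pinned or rolled back on the server.
          docker build \
            -t "${{ env.IMAGE_NAME }}:latest" \
            -t "${{ env.IMAGE_NAME }}:${{ env.COMMIT_SHA }}" \
            ./app
          docker push "${{ env.IMAGE_NAME }}:latest"
          docker push "${{ env.IMAGE_NAME }}:${{ env.COMMIT_SHA }}"

  deploy:
    runs-on: ubuntu-latest
    needs: build-and-push
    steps:
      # Needed so the scp steps below can read nginx/nginx.conf and docker-compose.yml.
      - name: Checkout code
        uses: actions/checkout@v3

      # NOTE(review): every remote step runs as root over SSH. A dedicated deploy
      # user (docker group, sudo limited to the mkdir/copy steps) would shrink the
      # blast radius of a leaked SSH_PRIVATE_KEY; that needs server-side setup.
      - name: Ensure necessary directories exist
        uses: appleboy/ssh-action@<VERSION_FROM_ORIGINAL>
        with:
          host: ${{ env.SERVER_DOMAIN }}
          username: root
          key: ${{ secrets.SSH_PRIVATE_KEY }}
          script: |
            set -e
            mkdir -p /etc/nginx/certs
            mkdir -p /etc/nginx/certs-data
            mkdir -p /var/www/certbot
            mkdir -p "${{ env.DEPLOY_DIR }}"

      - name: Copy NGINX configuration to the server
        uses: appleboy/scp-action@<VERSION_FROM_ORIGINAL>
        with:
          host: ${{ env.SERVER_DOMAIN }}
          username: root
          key: ${{ secrets.SSH_PRIVATE_KEY }}
          source: nginx/nginx.conf
          target: /etc

      - name: First-time Certbot run (with temporary NGINX container)
        uses: appleboy/ssh-action@<VERSION_FROM_ORIGINAL>
        with:
          host: ${{ env.SERVER_DOMAIN }}
          username: root
          key: ${{ secrets.SSH_PRIVATE_KEY }}
          script: |
            set -e
            # Skip entirely once a certificate has been issued; renewals are not handled here.
            if [ -f "/etc/nginx/certs/live/${{ env.SERVER_DOMAIN }}/fullchain.pem" ]; then
              echo "Certificate already exists. Skipping Certbot step."
              exit 0
            fi

            # Ensure the ACME challenge directory exists
            mkdir -p /var/www/certbot

            # A container left behind by an interrupted run would make the
            # `docker run --name temp-nginx` below fail.
            docker rm -f temp-nginx >/dev/null 2>&1 || true

            # Start a throwaway NGINX that only serves the ACME challenge on port 80.
            # NOTE(review): nginx:latest and certbot/certbot are unpinned; pin a
            # tag or digest so this bootstrap stays reproducible.
            docker run -d --name temp-nginx \
              -p 80:80 \
              -v /var/www/certbot:/var/www/certbot:ro \
              --entrypoint "/bin/sh" nginx:latest -c "
                echo '
                server {
                  listen 80;
                  server_name ${{ env.SERVER_DOMAIN }};
                  location /.well-known/acme-challenge/ {
                    root /var/www/certbot;
                  }
                  location / {
                    return 404;
                  }
                }
                ' > /etc/nginx/conf.d/default.conf && nginx -g 'daemon off;'"

            # Wait for the container to start
            sleep 5

            # Run certbot without set -e so the temporary container is always
            # removed; its exit status is re-raised afterwards so a failed
            # issuance fails the job instead of deploying without a certificate
            # (previously the script's status was that of the final `docker rm`).
            set +e
            docker run --rm \
              -v /etc/nginx/certs:/etc/letsencrypt \
              -v /var/www/certbot:/var/www/certbot \
              certbot/certbot certonly --webroot \
                --webroot-path=/var/www/certbot \
                --email "${{ env.ADMIN_EMAIL }}" --agree-tos --no-eff-email \
                -d "${{ env.SERVER_DOMAIN }}"
            certbot_status=$?

            # Stop and remove the temporary NGINX container
            docker stop temp-nginx && docker rm temp-nginx
            exit "$certbot_status"

      - name: Copy docker-compose.yml to the server
        uses: appleboy/scp-action@<VERSION_FROM_ORIGINAL>
        with:
          host: ${{ env.SERVER_DOMAIN }}
          username: root
          key: ${{ secrets.SSH_PRIVATE_KEY }}
          source: docker-compose.yml
          target: ${{ env.DEPLOY_DIR }}

      - name: Deploy via SSH
        uses: appleboy/ssh-action@<VERSION_FROM_ORIGINAL>
        env:
          ENV_FILE: ${{ secrets.ENV_FILE }}
        with:
          host: ${{ env.SERVER_DOMAIN }}
          username: root
          key: ${{ secrets.SSH_PRIVATE_KEY }}
          # Hand the secret to the remote shell as an environment variable instead
          # of splicing it into the script text: a quote or `$` inside the secret
          # can no longer break the script or be expanded by the remote shell.
          envs: ENV_FILE
          script: |
            set -e
            cd "${{ env.DEPLOY_DIR }}"
            # The env file holds secrets: create it owner-only and keep it that way
            # even if an earlier run left it with a wider mode.
            umask 077
            printf '%s\n' "$ENV_FILE" > gtw.env
            chmod 600 gtw.env
            docker compose pull
            docker compose up -d --force-recreate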