diff --git a/.env.dev b/.env.dev
index 42f09c2..20a1dd9 100644
--- a/.env.dev
+++ b/.env.dev
@@ -5,5 +5,4 @@ PAYLOAD_SECRET=supersecretkey
 MONGODB_URI=mongodb://payload:test@mongo:27017
 MONGODB_USER=payload
 MONGODB_PW=test
-MONGODB_DB=payload
 NAME=astroad
\ No newline at end of file
diff --git a/.env.prod b/.env.prod
deleted file mode 100644
index 865ffee..0000000
--- a/.env.prod
+++ /dev/null
@@ -1,8 +0,0 @@
-PAYLOAD_URL=http://localhost:3001
-PAYLOAD_PORT=3001
-PAYLOAD_SECRET=supersecretkey
-MONGODB_URI=mongodb://payload:test@mongo:27017
-MONGODB_USER=payload
-MONGODB_PW=test
-MONGODB_DB=payload
-NAME=astroad
\ No newline at end of file
diff --git a/.github/workflows/payload.yml b/.github/workflows/payload.yml
index c9619c4..15b8cc9 100644
--- a/.github/workflows/payload.yml
+++ b/.github/workflows/payload.yml
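Review bot: The context lines of this hunk show `.env.dev` still carrying `PAYLOAD_SECRET=supersecretkey` and `MONGODB_PW=test`, and `push.yml` in this same commit builds the server's `.env.prod` by `sed`-patching that file, so any key whose substitution does not run or does not match is deployed with these placeholder values as live credentials. Replacing them with obviously invalid markers such as `PAYLOAD_SECRET=CHANGE_ME` and `MONGODB_PW=CHANGE_ME` makes a missed substitution fail at startup instead of working silently. Deleting `.env.prod` from the tree also does not remove the committed `supersecretkey`/`test` values from git history; if they were ever used anywhere but local development they should be rotated.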
@@ -1,34 +1,18 @@
-name: Trigger Astro build on server
+name: Payload update
 on:
   repository_dispatch:
     types: [payload_update]
 jobs:
   build:
-    name: Run remote SSH command
     runs-on: ubuntu-latest
     steps:
-      - name: Trigger build via ssh
+      - name: Trigger build
         uses: appleboy/ssh-action@master
         with:
           host: ${{ secrets.HOST }}
           username: ${{ secrets.USER }}
           key: ${{ secrets.KEY }}
           script: |
-            if [ -d ${{ secrets.PATH }} ]; then
-              cd ${{ secrets.PATH }}
-              git pull
-            else
-              mkdir ${{ secrets.PATH }}
-              cd ${{ secrets.PATH }}
-              git clone -b prod ${{ github.repository }} .
-              mv .env.dev .env.prod
-              sed -i "s/ASTRO_URL=.*/ASTRO_URL=${{ ASTRO_URL }}/" .env.prod
-              sed -i "s/PAYLOAD_URL=.*/PAYLOAD_URL=${{ PAYLOAD_URL }}/" .env.prod
-              sed -i "s/PAYLOAD_PORT=.*/PAYLOAD_PORT=${{ PAYLOAD_PORT }}/" .env.prod
-              sed -i "s/PAYLOAD_SECRET=.*/PAYLOAD_SECRET=${{ PAYLOAD_SECRET }}/" .env.prod
-              sed -i "s/MONGODB_URI=.*/MONGODB_URI=${{ MONGODB_URI }}/" .env.prod
-              sed -i "s/MONGODB_USER=.*/MONGODB_USER=${{ MONGODB_USER }}/" .env.prod
-              sed -i "s/MONGODB_PW=.*/MONGODB_PW=${{ MONGODB_PW }}/" .env.prod
-              sed -i "s/MONGODB_DB=.*/MONGODB_DB=${{ MONGODB_DB }}/" .env.prod
-              sed -i "s/NAME=.*/NAME=${{ NAME }}/" .env.prod
-            fi
+            cd ${{ secrets.PATH }}
+            git pull
+            yarn prod astro
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index cda2afb..5ca092d 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -8,16 +8,6 @@ jobs:
     name: Run remote SSH command
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-      - name: Install dependencies
-        run: npm install dotenv
-      - name: Load environment variables from .env file
-        run: |
-          source .env.prod
-      - name: Print environment variable
-        run: echo ${PAYLOAD_URL}
-
       - name: Trigger build via ssh
         uses: appleboy/ssh-action@master
         with:
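Review bot: The new `cd ${{ secrets.PATH }}` has no failure check, so if the directory is missing or the secret is unset, the following `git pull` and `yarn prod astro` run in the SSH user's home directory instead of aborting; `cd "${{ secrets.PATH }}" || exit 1`, or a `set -e` as the script's first line if the action does not already stop on error, fails closed. The unchanged `uses: appleboy/ssh-action@master` hands the deploy key in `secrets.KEY` to whatever the action's `master` branch contains at run time; pin it to a release tag or, better, a full commit SHA so a compromised or force-pushed upstream cannot capture the key. `yarn prod astro` also runs regardless of whether `git pull` succeeded, which the same `set -e` would cover.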
@@ -25,6 +15,21 @@ jobs:
           username: ${{ secrets.USER }}
           key: ${{ secrets.KEY }}
           script: |
-            echo ${{ PAYLOAD_URL }}
-            echo ${PAYLOAD_URL}
-            echo $PAYLOAD_URL
+            if [ -d ${{ secrets.PATH }} ]; then
+              cd ${{ secrets.PATH }}
+              git pull
+            else
+              mkdir ${{ secrets.PATH }}
+              cd ${{ secrets.PATH }}
+              git clone -b prod ${{ github.repository }} .
+              mv .env.dev .env.prod
+              sed -i "s/ASTRO_URL=.*/ASTRO_URL=${{ env.ASTRO_URL }}/" .env.prod
+              sed -i "s/PAYLOAD_URL=.*/PAYLOAD_URL=${{ env.PAYLOAD_URL }}/" .env.prod
+              sed -i "s/PAYLOAD_PORT=.*/PAYLOAD_PORT=${{ secrets.PAYLOAD_PORT }}/" .env.prod
+              sed -i "s/PAYLOAD_SECRET=.*/PAYLOAD_SECRET=${{ secrets.PAYLOAD_SECRET }}/" .env.prod
+              sed -i "s/MONGODB_URI=.*/MONGODB_URI=${{ secrets.MONGODB_URI }}/" .env.prod
+              sed -i "s/MONGODB_USER=.*/MONGODB_USER=${{ secrets.MONGODB_USER }}/" .env.prod
+              sed -i "s/MONGODB_PW=.*/MONGODB_PW=${{ secrets.MONGODB_PW }}/" .env.prod
+              sed -i "s/NAME=.*/NAME=${{ env.NAME }}/" .env.prod
+            fi
+            yarn prod
diff --git a/README.md b/README.md
index e233a65..5f8936d 100644
--- a/README.md
+++ b/README.md
@@ -25,4 +25,4 @@ Because Astro is completely static, a content change in the CMS must trigger a n
 Ensure you have Traefik set up as a reverse proxy before deployment. The prod script will launch your site in a production-ready environment.
-Please note that since deployment is done through Github Workflows, you need to define the necessary secrets in the settings. You can find which secrets are used in the `.github/workflows/push.yml` file. This file converts the existing `.env.dev` to `.env.prod` and adds the secrets that have already been defined.
+Please note that since deployment is done through Github Workflows, you need to define the necessary secrets and envs in the settings. You can find which secrets and envs are used in the `.github/workflows/push.yml` file. This file converts the existing `.env.dev` to `.env.prod` and adds the secrets and envs that have already been defined.
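Review bot: The `sed -i "s/MONGODB_URI=.*/MONGODB_URI=${{ secrets.MONGODB_URI }}/"` line pastes the secret's raw text into the `s///` replacement, so a value containing `/` (which a `mongodb://` URI always does), `&`, `|`, a newline or a double quote breaks the expression; with no `set -e` in the remote script the failed `sed` is ignored, `.env.prod` keeps the `.env.dev` placeholder (`mongodb://payload:test@mongo:27017`, and likewise `supersecretkey` for a `PAYLOAD_SECRET` with such characters), and `yarn prod` starts with it. Writing `.env.prod` from the values directly avoids sed escaping entirely, and doing it on every run rather than only in the first-clone `else` branch lets rotated secrets take effect without deleting the checkout by hand. `env.ASTRO_URL`, `env.PAYLOAD_URL` and `env.NAME` read the `env` context, which nothing in the visible workflow sets; if they are meant to be repository variables defined in the settings, as the README change suggests, the context is `vars.ASTRO_URL` and so on, otherwise they expand to empty strings. The `mv .env.dev .env.prod` also leaves a locally deleted tracked file behind, which I would expect later `git pull` runs to refuse to overwrite once `.env.dev` changes upstream; leaving `.env.dev` in place sidesteps that, assuming the prod script reads only `.env.prod`.
```yaml
          script: |
            set -eu
            # … unchanged: clone on first run, otherwise git pull, inside ${{ secrets.PATH }} …
            # Write .env.prod from the configured values on every run. The quoted
            # heredoc keeps the shell from re-interpreting the expanded values, and
            # no sed delimiter or & escaping can corrupt them.
            cat > .env.prod <<'EOF'
            ASTRO_URL=${{ vars.ASTRO_URL }}
            PAYLOAD_URL=${{ vars.PAYLOAD_URL }}
            PAYLOAD_PORT=${{ secrets.PAYLOAD_PORT }}
            PAYLOAD_SECRET=${{ secrets.PAYLOAD_SECRET }}
            MONGODB_URI=${{ secrets.MONGODB_URI }}
            MONGODB_USER=${{ secrets.MONGODB_USER }}
            MONGODB_PW=${{ secrets.MONGODB_PW }}
            NAME=${{ vars.NAME }}
            EOF
            chmod 600 .env.prod
            yarn prod
```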
diff --git a/docker-compose-prod.yml b/docker-compose-prod.yml
index 2feb38a..b99b698 100644
--- a/docker-compose-prod.yml
+++ b/docker-compose-prod.yml
@@ -5,16 +5,43 @@ services:
       target: prod
     environment:
       PAYLOAD_URL: ${PAYLOAD_URL}
-    ports:
-      - 3000:3000
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.${NAME}-astro.rule=Host(`${ASTRO_URL}`)"
+      - "traefik.http.routers.${NAME}-astro.entrypoints=https"
+      - "traefik.http.routers.${NAME}-astro.tls.certresolver=httpresolver"
+      - "traefik.http.routers.${NAME}-astro.middlewares=security-headers-${NAME}-astro"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.accesscontrolallowmethods=GET, OPTIONS, PUT, POST, DELETE, HEAD, PATCH"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.accesscontrolmaxage=100"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.addvaryheader=true"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.hostsproxyheaders=X-Forwarded-Host"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.sslredirect=true"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.sslproxyheaders.X-Forwarded-Proto=https"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.stsseconds=63072000"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.stsincludesubdomains=true"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.stspreload=true"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.forcestsheader=true"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.permissionspolicy=camera=(), accelerometer=(), gamepad=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=()"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.framedeny=true"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.contentsecuritypolicy=default-src 'none'; connect-src 'self'; font-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' data:; style-src 'self' 'unsafe-inline'"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.contenttypenosniff=true"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.browserxssfilter=true"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.referrerpolicy=same-origin"
+      - traefik.docker.network=traefik_network
+    networks:
+      - traefik_network
 
   payload:
     build:
       context: payload
       target: prod
-    ports:
-      - 3001:3001
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.${NAME}-payload.rule=Host(`${PAYLOAD_URL}`)
+      - traefik.http.routers.${NAME}-payload.entrypoints=https
+      - traefik.http.routers.${NAME}-payload.tls.certresolver=httpresolver
+      - traefik.docker.network=traefik_network
 
-  mongo:
-    ports:
-      - 27017:27017
+networks:
+  traefik_network:
+    external: true