test

Signed-off-by: Max Schmidt <max.schmidt@outlook.de>

.env.dev

@@ -5,5 +5,4 @@ PAYLOAD_SECRET=supersecretkey
 MONGODB_URI=mongodb://payload:test@mongo:27017
 MONGODB_USER=payload
 MONGODB_PW=test
-MONGODB_DB=payload
 NAME=astroad

.env.prod

@@ -1,8 +0,0 @@
-PAYLOAD_URL=http://localhost:3001
-PAYLOAD_PORT=3001
-PAYLOAD_SECRET=supersecretkey
-MONGODB_URI=mongodb://payload:test@mongo:27017
-MONGODB_USER=payload
-MONGODB_PW=test
-MONGODB_DB=payload
-NAME=astroad

.github/workflows/payload.yml

@@ -1,34 +1,18 @@
-name: Trigger Astro build on server
+name: Payload update
 on:
   repository_dispatch:
     types: [payload_update]
 jobs:
   build:
-    name: Run remote SSH command
     runs-on: ubuntu-latest
     steps:
-      - name: Trigger build via ssh
+      - name: Trigger build
         uses: appleboy/ssh-action@master
         with:
           host: ${{ secrets.HOST }}
           username: ${{ secrets.USER }}
           key: ${{ secrets.KEY }}
           script: |
-            if [ -d ${{ secrets.PATH }} ]; then
             cd ${{ secrets.PATH }}
             git pull
-            else
+            yarn prod astro
-              mkdir ${{ secrets.PATH }}
-              cd ${{ secrets.PATH }}
-              git clone -b prod ${{ github.repository }} .
-              mv .env.dev .env.prod
-              sed -i "s/ASTRO_URL=.*/ASTRO_URL=${{ ASTRO_URL }}/" .env.prod
-              sed -i "s/PAYLOAD_URL=.*/PAYLOAD_URL=${{ PAYLOAD_URL }}/" .env.prod
-              sed -i "s/PAYLOAD_PORT=.*/PAYLOAD_PORT=${{ PAYLOAD_PORT }}/" .env.prod
-              sed -i "s/PAYLOAD_SECRET=.*/PAYLOAD_SECRET=${{ PAYLOAD_SECRET }}/" .env.prod
-              sed -i "s/MONGODB_URI=.*/MONGODB_URI=${{ MONGODB_URI }}/" .env.prod
-              sed -i "s/MONGODB_USER=.*/MONGODB_USER=${{ MONGODB_USER }}/" .env.prod
-              sed -i "s/MONGODB_PW=.*/MONGODB_PW=${{ MONGODB_PW }}/" .env.prod
-              sed -i "s/MONGODB_DB=.*/MONGODB_DB=${{ MONGODB_DB }}/" .env.prod
-              sed -i "s/NAME=.*/NAME=${{ NAME }}/" .env.prod
-            fi

.github/workflows/push.yml

@@ -8,16 +8,6 @@ jobs:
     name: Run remote SSH command
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-      - name: Install dependencies
-        run: npm install dotenv
-      - name: Load environment variables from .env file
-        run: |
-          source .env.prod
-      - name: Print environment variable
-        run: echo ${PAYLOAD_URL}
-
       - name: Trigger build via ssh
         uses: appleboy/ssh-action@master
         with:
@@ -25,6 +15,21 @@ jobs:
           username: ${{ secrets.USER }}
           key: ${{ secrets.KEY }}
           script: |
-            echo ${{ PAYLOAD_URL }}
+            if [ -d ${{ secrets.PATH }} ]; then
-            echo ${PAYLOAD_URL}
+              cd ${{ secrets.PATH }}
-            echo $PAYLOAD_URL
+              git pull
+            else
+              mkdir ${{ secrets.PATH }}
+              cd ${{ secrets.PATH }}
+              git clone -b prod ${{ github.repository }} .
+              mv .env.dev .env.prod
+              sed -i "s/ASTRO_URL=.*/ASTRO_URL=${{ env.ASTRO_URL }}/" .env.prod
+              sed -i "s/PAYLOAD_URL=.*/PAYLOAD_URL=${{ env.PAYLOAD_URL }}/" .env.prod
+              sed -i "s/PAYLOAD_PORT=.*/PAYLOAD_PORT=${{ secrets.PAYLOAD_PORT }}/" .env.prod
+              sed -i "s/PAYLOAD_SECRET=.*/PAYLOAD_SECRET=${{ secrets.PAYLOAD_SECRET }}/" .env.prod
+              sed -i "s/MONGODB_URI=.*/MONGODB_URI=${{ secrets.MONGODB_URI }}/" .env.prod
+              sed -i "s/MONGODB_USER=.*/MONGODB_USER=${{ secrets.MONGODB_USER }}/" .env.prod
+              sed -i "s/MONGODB_PW=.*/MONGODB_PW=${{ secrets.MONGODB_PW }}/" .env.prod
+              sed -i "s/NAME=.*/NAME=${{ env.NAME }}/" .env.prod
+            fi
+            yarn prod

README.md

@@ -25,4 +25,4 @@ Because Astro is completely static, a content change in the CMS must trigger a n
 
 Ensure you have Traefik set up as a reverse proxy before deployment. The prod script will launch your site in a production-ready environment.
 
-Please note that since deployment is done through Github Workflows, you need to define the necessary secrets in the settings. You can find which secrets are used in the `.github/workflows/push.yml` file. This file converts the existing `.env.dev` to `.env.prod` and adds the secrets that have already been defined.
+Please note that since deployment is done through Github Workflows, you need to define the necessary secrets and envs in the settings. You can find which secrets and envs are used in the `.github/workflows/push.yml` file. This file converts the existing `.env.dev` to `.env.prod` and adds the secrets and envs that have already been defined.

docker-compose-prod.yml

@@ -5,16 +5,43 @@ services:
       target: prod
     environment:
       PAYLOAD_URL: ${PAYLOAD_URL}
-    ports:
+    labels:
-      - 3000:3000
+      - "traefik.enable=true"
+      - "traefik.http.routers.${NAME}-astro.rule=Host(`${ASTRO_URL}`)"
+      - "traefik.http.routers.${NAME}-astro.entrypoints=https"
+      - "traefik.http.routers.${NAME}-astro.tls.certresolver=httpresolver"
+      - "traefik.http.routers.${NAME}-astro.middlewares=security-headers-${NAME}-astro"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.accesscontrolallowmethods=GET, OPTIONS, PUT, POST, DELETE, HEAD, PATCH"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.accesscontrolmaxage=100"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.addvaryheader=true"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.hostsproxyheaders=X-Forwarded-Host"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.sslredirect=true"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.sslproxyheaders.X-Forwarded-Proto=https"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.stsseconds=63072000"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.stsincludesubdomains=true"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.stspreload=true"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.forcestsheader=true"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.permissionspolicy=camera=(), accelerometer=(), gamepad=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=()"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.framedeny=true"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.contentsecuritypolicy=default-src 'none'; connect-src 'self'; font-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' data:; style-src 'self' 'unsafe-inline'"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.contenttypenosniff=true"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.browserxssfilter=true"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.referrerpolicy=same-origin"
+      - traefik.docker.network=traefik_network
+    networks:
+      - traefik_network
 
   payload:
     build:
       context: payload
       target: prod
-    ports:
+    labels:
-      - 3001:3001
+      - traefik.enable=true
+      - traefik.http.routers.${NAME}-payload.rule=Host(`${PAYLOAD_URL}`)
+      - traefik.http.routers.${NAME}-payload.entrypoints=https
+      - traefik.http.routers.${NAME}-payload.tls.certresolver=httpresolver
+      - traefik.docker.network=traefik_network
 
-  mongo:
+networks:
-    ports:
+  traefik_network:
-      - 27017:27017
+    external: true