From 9053de8f4b240d93c87bf27716f161461d5e6fa8 Mon Sep 17 00:00:00 2001
From: Max Schmidt <35741000+mooxl@users.noreply.github.com>
Date: Wed, 17 May 2023 16:29:24 +0200
Subject: [PATCH] fdsaf (#11)
* test
Signed-off-by: Max Schmidt
* fas
Signed-off-by: Max Schmidt
* test
Signed-off-by: Max Schmidt
---------
Signed-off-by: Max Schmidt
---
.env.dev | 1 -
.env.prod | 8 -------
.github/workflows/payload.yml | 16 +++++---------
.github/workflows/push.yml | 31 +++++++++++++++-----------
README.md | 7 +++---
docker-compose-prod.yml | 41 +++++++++++++++++++++++++++++------
6 files changed, 60 insertions(+), 44 deletions(-)
delete mode 100644 .env.prod
diff --git a/.env.dev b/.env.dev
index 42f09c2..20a1dd9 100644
--- a/.env.dev
+++ b/.env.dev
@@ -5,5 +5,4 @@ PAYLOAD_SECRET=supersecretkey
 MONGODB_URI=mongodb://payload:test@mongo:27017
 MONGODB_USER=payload
 MONGODB_PW=test
-MONGODB_DB=payload
 NAME=astroad
\ No newline at end of file
diff --git a/.env.prod b/.env.prod
deleted file mode 100644
index 865ffee..0000000
--- a/.env.prod
+++ /dev/null
@@ -1,8 +0,0 @@
-PAYLOAD_URL=http://localhost:3001
-PAYLOAD_PORT=3001
-PAYLOAD_SECRET=supersecretkey
-MONGODB_URI=mongodb://payload:test@mongo:27017
-MONGODB_USER=payload
-MONGODB_PW=test
-MONGODB_DB=payload
-NAME=astroad
\ No newline at end of file
diff --git a/.github/workflows/payload.yml b/.github/workflows/payload.yml
index 1848a93..15b8cc9 100644
--- a/.github/workflows/payload.yml
+++ b/.github/workflows/payload.yml
@@ -1,24 +1,18 @@
-name: Trigger Astro build on server
+name: Payload update
 on:
 repository_dispatch:
 types: [payload_update]
 jobs:
 build:
- name: Run remote SSH command
 runs-on: ubuntu-latest
 steps:
- - name: Trigger build via ssh
+ - name: Trigger build
 uses: appleboy/ssh-action@master
 with:
 host: ${{ secrets.HOST }}
 username: ${{ secrets.USER }}
 key: ${{ secrets.KEY }}
 script: |
- if [ -d ${{ secrets.PATH }} ]; then
- cd ${{ secrets.PATH }}
- git pull
- else
- mkdir ${{ secrets.PATH }}
- cd ${{ secrets.PATH }}
- git clone -b prod https://github.com/mooxl/astroad .
- fi
+ cd ${{ secrets.PATH }}
+ git pull
+ yarn prod astro
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index cda2afb..5ca092d 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -8,16 +8,6 @@ jobs:
 name: Run remote SSH command
 runs-on: ubuntu-latest
 steps:
- - name: Checkout code
- uses: actions/checkout@v2
- - name: Install dependencies
- run: npm install dotenv
- - name: Load environment variables from .env file
- run: |
- source .env.prod
- - name: Print environment variable
- run: echo ${PAYLOAD_URL}
-
 - name: Trigger build via ssh
 uses: appleboy/ssh-action@master
 with:
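Review bot: `cd ${{ secrets.PATH }}` has no failure handling, so if the directory does not exist yet or the secret is empty, `git pull` and `yarn prod astro` run in the SSH user's home directory instead of the checkout; start the script with `set -e` and quote the path, `cd "${{ secrets.PATH }}"`. The hunk deliberately drops the clone fallback and relies on push.yml having created the checkout, which is reasonable but worth stating in the step, e.g. `# checkout is created by push.yml; this job only rebuilds astro`. Separately, `uses: appleboy/ssh-action@master` (a context line here) tracks a mutable branch that receives the server's SSH key and host; pinning it to a release tag or commit SHA is the usual supply-chain mitigation.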
@@ -25,6 +15,21 @@ jobs:
 username: ${{ secrets.USER }}
 key: ${{ secrets.KEY }}
 script: |
- echo ${{ PAYLOAD_URL }}
- echo ${PAYLOAD_URL}
- echo $PAYLOAD_URL
+ if [ -d ${{ secrets.PATH }} ]; then
+ cd ${{ secrets.PATH }}
+ git pull
+ else
+ mkdir ${{ secrets.PATH }}
+ cd ${{ secrets.PATH }}
+ git clone -b prod ${{ github.repository }} .
+ mv .env.dev .env.prod
+ sed -i "s/ASTRO_URL=.*/ASTRO_URL=${{ env.ASTRO_URL }}/" .env.prod
+ sed -i "s/PAYLOAD_URL=.*/PAYLOAD_URL=${{ env.PAYLOAD_URL }}/" .env.prod
+ sed -i "s/PAYLOAD_PORT=.*/PAYLOAD_PORT=${{ secrets.PAYLOAD_PORT }}/" .env.prod
+ sed -i "s/PAYLOAD_SECRET=.*/PAYLOAD_SECRET=${{ secrets.PAYLOAD_SECRET }}/" .env.prod
+ sed -i "s/MONGODB_URI=.*/MONGODB_URI=${{ secrets.MONGODB_URI }}/" .env.prod
+ sed -i "s/MONGODB_USER=.*/MONGODB_USER=${{ secrets.MONGODB_USER }}/" .env.prod
+ sed -i "s/MONGODB_PW=.*/MONGODB_PW=${{ secrets.MONGODB_PW }}/" .env.prod
+ sed -i "s/NAME=.*/NAME=${{ env.NAME }}/" .env.prod
+ fi
+ yarn prod
diff --git a/README.md b/README.md
index d2122af..5f8936d 100644
--- a/README.md
+++ b/README.md
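Review bot: The `sed -i "s/KEY=.*/KEY=${{ … }}/"` lines break on any value containing `/`, `&`, `\` or `"`, and `MONGODB_URI` and `PAYLOAD_URL` are URLs (the removed `.env.prod` shows `mongodb://…` and `http://…`), so at least those two substitutions fail with `unknown option to 's'` and, with no `set -e`, the script continues to `yarn prod` on a half-patched `.env.prod`. `git clone -b prod ${{ github.repository }} .` is also wrong: that context expands to `owner/repo`, not a URL, so the fresh-server branch cannot clone; it should be `git clone -b prod ${{ github.server_url }}/${{ github.repository }} .`. Since the values are injected at workflow render time anyway, write `.env.prod` from a quoted heredoc on every run, which avoids the sed metacharacter problem and lets rotated secrets reach an existing checkout instead of only on first clone, and leave the tracked `.env.dev` in place, because `mv`-ing it leaves the work tree dirty and I would expect later `git pull`s to refuse to update that file when it changes upstream. The `Trigger build via ssh` step this script belongs to starts in the previous hunk.
```yaml
          script: |
            set -e
            if [ -d "${{ secrets.PATH }}" ]; then
              cd "${{ secrets.PATH }}"
              git pull
            else
              mkdir "${{ secrets.PATH }}"
              cd "${{ secrets.PATH }}"
              git clone -b prod ${{ github.server_url }}/${{ github.repository }} .
            fi
            # Rewritten on every run so rotated secrets take effect; the quoted
            # terminator keeps the remote shell from expanding anything in the values.
            cat > .env.prod <<'EOF'
            ASTRO_URL=${{ env.ASTRO_URL }}
            PAYLOAD_URL=${{ env.PAYLOAD_URL }}
            PAYLOAD_PORT=${{ secrets.PAYLOAD_PORT }}
            PAYLOAD_SECRET=${{ secrets.PAYLOAD_SECRET }}
            MONGODB_URI=${{ secrets.MONGODB_URI }}
            MONGODB_USER=${{ secrets.MONGODB_USER }}
            MONGODB_PW=${{ secrets.MONGODB_PW }}
            NAME=${{ env.NAME }}
            EOF
            yarn prod
```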
@@ -20,10 +20,9 @@ The `docker-compose.yml` and `docker-compose-dev.yml` files includes everything
 ## Deployment
-When you're ready to deploy your website to a production environment, you'll should copy the `.env.dev` and rename it into `.env.prod`. Then you modify the file to suit your needs. This file contains the configuration for the Astro, Payload, Mongo, GitHub Workflow and Traefik.
-
 Deployment is handled by a Github Actions Workflow on every push on branch `prod`. It logs into the server via SSH, pulls or clones the latest version of the repository, and runs `yarn prod`.
-
-Because Astro is completely static, a content change in the CMS must trigger a new build of Astro. Therefore, there's a `payload.yml` workflow that gets triggered by a webhook after every content change from Payload.
+Because Astro is completely static, a content change in the CMS must trigger a new build of Astro. Therefore, there’s a `payload.yml` workflow that gets triggered by a webhook after every content change from Payload. Ensure you have Traefik set up as a reverse proxy before deployment. The prod script will launch your site in a production-ready environment.
+
+Please note that since deployment is done through Github Workflows, you need to define the necessary secrets and envs in the settings. You can find which secrets and envs are used in the `.github/workflows/push.yml` file. This file converts the existing `.env.dev` to `.env.prod` and adds the secrets and envs that have already been defined.
diff --git a/docker-compose-prod.yml b/docker-compose-prod.yml
index 2feb38a..b99b698 100644
--- a/docker-compose-prod.yml
+++ b/docker-compose-prod.yml
@@ -5,16 +5,43 @@ services:
 target: prod
 environment:
 PAYLOAD_URL: ${PAYLOAD_URL}
- ports:
- - 3000:3000
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.${NAME}-astro.rule=Host(`${ASTRO_URL}`)"
+ - "traefik.http.routers.${NAME}-astro.entrypoints=https"
+ - "traefik.http.routers.${NAME}-astro.tls.certresolver=httpresolver"
+ - "traefik.http.routers.${NAME}-astro.middlewares=security-headers-${NAME}-astro"
+ - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.accesscontrolallowmethods=GET, OPTIONS, PUT, POST, DELETE, HEAD, PATCH"
+ - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.accesscontrolmaxage=100"
+ - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.addvaryheader=true"
+ - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.hostsproxyheaders=X-Forwarded-Host"
+ - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.sslredirect=true"
+ - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.sslproxyheaders.X-Forwarded-Proto=https"
+ - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.stsseconds=63072000"
+ - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.stsincludesubdomains=true"
+ - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.stspreload=true"
+ - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.forcestsheader=true"
+ - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.permissionspolicy=camera=(), accelerometer=(), gamepad=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=()"
+ - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.framedeny=true"
+ - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.contentsecuritypolicy=default-src 'none'; connect-src 'self'; font-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' data:; style-src 'self' 'unsafe-inline'"
+ - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.contenttypenosniff=true"
+ - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.browserxssfilter=true"
+ - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.referrerpolicy=same-origin"
+ - traefik.docker.network=traefik_network
+ networks:
+ - traefik_network
 payload:
 build:
 context: payload
 target: prod
- ports:
- - 3001:3001
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.${NAME}-payload.rule=Host(`${PAYLOAD_URL}`)
+ - traefik.http.routers.${NAME}-payload.entrypoints=https
+ - traefik.http.routers.${NAME}-payload.tls.certresolver=httpresolver
+ - traefik.docker.network=traefik_network
- mongo:
- ports:
- - 27017:27017
+networks:
+ traefik_network:
+ external: true
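Review bot: The payload router's ``Host(`${PAYLOAD_URL}`)`` rule never matches if `PAYLOAD_URL` keeps the scheme-prefixed form the removed `.env.prod` shows (`http://localhost:3001`): Traefik's `Host()` takes a bare hostname, while the astro service's `PAYLOAD_URL: ${PAYLOAD_URL}` environment entry is presumably consumed as a full URL, so the two uses want separate variables, e.g. a `PAYLOAD_HOST` for the label. The payload service also gets none of the security-headers middleware attached to astro, so the CMS admin is served without HSTS, `framedeny` or a referrer policy; defining the middleware once and referencing it from both routers (`…-payload.middlewares=security-headers-${NAME}-astro`) would cover it. Minor points: `sslredirect` is, as far as I recall, deprecated in recent Traefik 2.x in favour of entrypoint-level redirection (verify against the deployed version), `'unsafe-inline'` in `script-src` largely voids the CSP, and the astro labels are double-quoted while the payload ones are plain scalars — pick one style for the file.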