* test

Signed-off-by: Max Schmidt <max.schmidt@outlook.de>

* fas

Signed-off-by: Max Schmidt <max.schmidt@outlook.de>

* test

Signed-off-by: Max Schmidt <max.schmidt@outlook.de>

---------

Signed-off-by: Max Schmidt <max.schmidt@outlook.de>
This commit is contained in:
Max Schmidt 2023-05-17 16:29:24 +02:00 committed by GitHub
parent 21fe4ff02d
commit 9053de8f4b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 60 additions and 44 deletions

View File

@ -5,5 +5,4 @@ PAYLOAD_SECRET=supersecretkey
MONGODB_URI=mongodb://payload:test@mongo:27017
MONGODB_USER=payload
MONGODB_PW=test
MONGODB_DB=payload
NAME=astroad

View File

@ -1,8 +0,0 @@
PAYLOAD_URL=http://localhost:3001
PAYLOAD_PORT=3001
PAYLOAD_SECRET=supersecretkey
MONGODB_URI=mongodb://payload:test@mongo:27017
MONGODB_USER=payload
MONGODB_PW=test
MONGODB_DB=payload
NAME=astroad

View File

@ -1,24 +1,18 @@
name: Trigger Astro build on server
name: Payload update
on:
repository_dispatch:
types: [payload_update]
jobs:
build:
name: Run remote SSH command
runs-on: ubuntu-latest
steps:
- name: Trigger build via ssh
- name: Trigger build
uses: appleboy/ssh-action@master
with:
host: ${{ secrets.HOST }}
username: ${{ secrets.USER }}
key: ${{ secrets.KEY }}
script: |
if [ -d ${{ secrets.PATH }} ]; then
cd ${{ secrets.PATH }}
git pull
else
mkdir ${{ secrets.PATH }}
cd ${{ secrets.PATH }}
git clone -b prod https://github.com/mooxl/astroad .
fi
cd ${{ secrets.PATH }}
git pull
yarn prod astro

View File

@ -8,16 +8,6 @@ jobs:
name: Run remote SSH command
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Install dependencies
run: npm install dotenv
- name: Load environment variables from .env file
run: |
source .env.prod
- name: Print environment variable
run: echo ${PAYLOAD_URL}
- name: Trigger build via ssh
uses: appleboy/ssh-action@master
with:
@ -25,6 +15,21 @@ jobs:
username: ${{ secrets.USER }}
key: ${{ secrets.KEY }}
script: |
echo ${{ PAYLOAD_URL }}
echo ${PAYLOAD_URL}
echo $PAYLOAD_URL
if [ -d ${{ secrets.PATH }} ]; then
cd ${{ secrets.PATH }}
git pull
else
mkdir ${{ secrets.PATH }}
cd ${{ secrets.PATH }}
git clone -b prod ${{ github.repository }} .
mv .env.dev .env.prod
sed -i "s/ASTRO_URL=.*/ASTRO_URL=${{ env.ASTRO_URL }}/" .env.prod
sed -i "s/PAYLOAD_URL=.*/PAYLOAD_URL=${{ env.PAYLOAD_URL }}/" .env.prod
sed -i "s/PAYLOAD_PORT=.*/PAYLOAD_PORT=${{ secrets.PAYLOAD_PORT }}/" .env.prod
sed -i "s/PAYLOAD_SECRET=.*/PAYLOAD_SECRET=${{ secrets.PAYLOAD_SECRET }}/" .env.prod
sed -i "s/MONGODB_URI=.*/MONGODB_URI=${{ secrets.MONGODB_URI }}/" .env.prod
sed -i "s/MONGODB_USER=.*/MONGODB_USER=${{ secrets.MONGODB_USER }}/" .env.prod
sed -i "s/MONGODB_PW=.*/MONGODB_PW=${{ secrets.MONGODB_PW }}/" .env.prod
sed -i "s/NAME=.*/NAME=${{ env.NAME }}/" .env.prod
fi
yarn prod

View File

@ -20,10 +20,9 @@ The `docker-compose.yml` and `docker-compose-dev.yml` files includes everything
## Deployment
When you're ready to deploy your website to a production environment, you'll should copy the `.env.dev` and rename it into `.env.prod`. Then you modify the file to suit your needs. This file contains the configuration for the Astro, Payload, Mongo, GitHub Workflow and Traefik.
Deployment is handled by a Github Actions Workflow on every push on branch `prod`. It logs into the server via SSH, pulls or clones the latest version of the repository, and runs `yarn prod`.
Because Astro is completely static, a content change in the CMS must trigger a new build of Astro. Therefore, there's a `payload.yml` workflow that gets triggered by a webhook after every content change from Payload.
Because Astro is completely static, a content change in the CMS must trigger a new build of Astro. Therefore, theres a `payload.yml` workflow that gets triggered by a webhook after every content change from Payload.
Ensure you have Traefik set up as a reverse proxy before deployment. The prod script will launch your site in a production-ready environment.
Please note that since deployment is done through Github Workflows, you need to define the necessary secrets and envs in the settings. You can find which secrets and envs are used in the `.github/workflows/push.yml` file. This file converts the existing `.env.dev` to `.env.prod` and adds the secrets and envs that have already been defined.

View File

@ -5,16 +5,43 @@ services:
target: prod
environment:
PAYLOAD_URL: ${PAYLOAD_URL}
ports:
- 3000:3000
labels:
- "traefik.enable=true"
- "traefik.http.routers.${NAME}-astro.rule=Host(`${ASTRO_URL}`)"
- "traefik.http.routers.${NAME}-astro.entrypoints=https"
- "traefik.http.routers.${NAME}-astro.tls.certresolver=httpresolver"
- "traefik.http.routers.${NAME}-astro.middlewares=security-headers-${NAME}-astro"
- "traefik.http.middlewares.security-headers-${NAME}-astro.headers.accesscontrolallowmethods=GET, OPTIONS, PUT, POST, DELETE, HEAD, PATCH"
- "traefik.http.middlewares.security-headers-${NAME}-astro.headers.accesscontrolmaxage=100"
- "traefik.http.middlewares.security-headers-${NAME}-astro.headers.addvaryheader=true"
- "traefik.http.middlewares.security-headers-${NAME}-astro.headers.hostsproxyheaders=X-Forwarded-Host"
- "traefik.http.middlewares.security-headers-${NAME}-astro.headers.sslredirect=true"
- "traefik.http.middlewares.security-headers-${NAME}-astro.headers.sslproxyheaders.X-Forwarded-Proto=https"
- "traefik.http.middlewares.security-headers-${NAME}-astro.headers.stsseconds=63072000"
- "traefik.http.middlewares.security-headers-${NAME}-astro.headers.stsincludesubdomains=true"
- "traefik.http.middlewares.security-headers-${NAME}-astro.headers.stspreload=true"
- "traefik.http.middlewares.security-headers-${NAME}-astro.headers.forcestsheader=true"
- "traefik.http.middlewares.security-headers-${NAME}-astro.headers.permissionspolicy=camera=(), accelerometer=(), gamepad=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=()"
- "traefik.http.middlewares.security-headers-${NAME}-astro.headers.framedeny=true"
- "traefik.http.middlewares.security-headers-${NAME}-astro.headers.contentsecuritypolicy=default-src 'none'; connect-src 'self'; font-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' data:; style-src 'self' 'unsafe-inline'"
- "traefik.http.middlewares.security-headers-${NAME}-astro.headers.contenttypenosniff=true"
- "traefik.http.middlewares.security-headers-${NAME}-astro.headers.browserxssfilter=true"
- "traefik.http.middlewares.security-headers-${NAME}-astro.headers.referrerpolicy=same-origin"
- traefik.docker.network=traefik_network
networks:
- traefik_network
payload:
build:
context: payload
target: prod
ports:
- 3001:3001
labels:
- traefik.enable=true
- traefik.http.routers.${NAME}-payload.rule=Host(`${PAYLOAD_URL}`)
- traefik.http.routers.${NAME}-payload.entrypoints=https
- traefik.http.routers.${NAME}-payload.tls.certresolver=httpresolver
- traefik.docker.network=traefik_network
mongo:
ports:
- 27017:27017
networks:
traefik_network:
external: true