fdsaf (#11)

* test

Signed-off-by: Max Schmidt <max.schmidt@outlook.de>

* fas

Signed-off-by: Max Schmidt <max.schmidt@outlook.de>

* test

Signed-off-by: Max Schmidt <max.schmidt@outlook.de>

---------

Signed-off-by: Max Schmidt <max.schmidt@outlook.de>

.env.dev

@@ -5,5 +5,4 @@ PAYLOAD_SECRET=supersecretkey
 MONGODB_URI=mongodb://payload:test@mongo:27017
 MONGODB_USER=payload
 MONGODB_PW=test
-MONGODB_DB=payload
 NAME=astroad

.env.prod

@@ -1,8 +0,0 @@
-PAYLOAD_URL=http://localhost:3001
-PAYLOAD_PORT=3001
-PAYLOAD_SECRET=supersecretkey
-MONGODB_URI=mongodb://payload:test@mongo:27017
-MONGODB_USER=payload
-MONGODB_PW=test
-MONGODB_DB=payload
-NAME=astroad

.github/workflows/payload.yml

@@ -1,24 +1,18 @@
-name: Trigger Astro build on server
+name: Payload update
 on:
   repository_dispatch:
     types: [payload_update]
 jobs:
   build:
-    name: Run remote SSH command
     runs-on: ubuntu-latest
     steps:
-      - name: Trigger build via ssh
+      - name: Trigger build
         uses: appleboy/ssh-action@master
         with:
           host: ${{ secrets.HOST }}
           username: ${{ secrets.USER }}
           key: ${{ secrets.KEY }}
           script: |
-            if [ -d ${{ secrets.PATH }} ]; then
             cd ${{ secrets.PATH }}
             git pull
-            else
-              mkdir ${{ secrets.PATH }}
-              cd ${{ secrets.PATH }}
-              git clone -b prod https://github.com/mooxl/astroad .
-            fi
+            yarn prod astro

.github/workflows/push.yml

@@ -8,16 +8,6 @@ jobs:
     name: Run remote SSH command
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-      - name: Install dependencies
-        run: npm install dotenv
-      - name: Load environment variables from .env file
-        run: |
-          source .env.prod
-      - name: Print environment variable
-        run: echo ${PAYLOAD_URL}
-
       - name: Trigger build via ssh
         uses: appleboy/ssh-action@master
         with:
@@ -25,6 +15,21 @@ jobs:
           username: ${{ secrets.USER }}
           key: ${{ secrets.KEY }}
           script: |
-            echo ${{ PAYLOAD_URL }}
-            echo ${PAYLOAD_URL}
-            echo $PAYLOAD_URL
+            if [ -d ${{ secrets.PATH }} ]; then
+              cd ${{ secrets.PATH }}
+              git pull
+            else
+              mkdir ${{ secrets.PATH }}
+              cd ${{ secrets.PATH }}
+              git clone -b prod ${{ github.repository }} .
+              mv .env.dev .env.prod
+              sed -i "s/ASTRO_URL=.*/ASTRO_URL=${{ env.ASTRO_URL }}/" .env.prod
+              sed -i "s/PAYLOAD_URL=.*/PAYLOAD_URL=${{ env.PAYLOAD_URL }}/" .env.prod
+              sed -i "s/PAYLOAD_PORT=.*/PAYLOAD_PORT=${{ secrets.PAYLOAD_PORT }}/" .env.prod
+              sed -i "s/PAYLOAD_SECRET=.*/PAYLOAD_SECRET=${{ secrets.PAYLOAD_SECRET }}/" .env.prod
+              sed -i "s/MONGODB_URI=.*/MONGODB_URI=${{ secrets.MONGODB_URI }}/" .env.prod
+              sed -i "s/MONGODB_USER=.*/MONGODB_USER=${{ secrets.MONGODB_USER }}/" .env.prod
+              sed -i "s/MONGODB_PW=.*/MONGODB_PW=${{ secrets.MONGODB_PW }}/" .env.prod
+              sed -i "s/NAME=.*/NAME=${{ env.NAME }}/" .env.prod
+            fi
+            yarn prod

README.md

@@ -20,10 +20,9 @@ The `docker-compose.yml` and `docker-compose-dev.yml` files includes everything
 
 ## Deployment
 
-When you're ready to deploy your website to a production environment, you'll should copy the `.env.dev` and rename it into `.env.prod`. Then you modify the file to suit your needs. This file contains the configuration for the Astro, Payload, Mongo, GitHub Workflow and Traefik.
-
 Deployment is handled by a Github Actions Workflow on every push on branch `prod`. It logs into the server via SSH, pulls or clones the latest version of the repository, and runs `yarn prod`.
-
-Because Astro is completely static, a content change in the CMS must trigger a new build of Astro. Therefore, there's a `payload.yml` workflow that gets triggered by a webhook after every content change from Payload.
+Because Astro is completely static, a content change in the CMS must trigger a new build of Astro. Therefore, there’s a `payload.yml` workflow that gets triggered by a webhook after every content change from Payload.
 
 Ensure you have Traefik set up as a reverse proxy before deployment. The prod script will launch your site in a production-ready environment.
+
+Please note that since deployment is done through Github Workflows, you need to define the necessary secrets and envs in the settings. You can find which secrets and envs are used in the `.github/workflows/push.yml` file. This file converts the existing `.env.dev` to `.env.prod` and adds the secrets and envs that have already been defined.

docker-compose-prod.yml

@@ -5,16 +5,43 @@ services:
       target: prod
     environment:
       PAYLOAD_URL: ${PAYLOAD_URL}
-    ports:
-      - 3000:3000
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.${NAME}-astro.rule=Host(`${ASTRO_URL}`)"
+      - "traefik.http.routers.${NAME}-astro.entrypoints=https"
+      - "traefik.http.routers.${NAME}-astro.tls.certresolver=httpresolver"
+      - "traefik.http.routers.${NAME}-astro.middlewares=security-headers-${NAME}-astro"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.accesscontrolallowmethods=GET, OPTIONS, PUT, POST, DELETE, HEAD, PATCH"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.accesscontrolmaxage=100"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.addvaryheader=true"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.hostsproxyheaders=X-Forwarded-Host"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.sslredirect=true"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.sslproxyheaders.X-Forwarded-Proto=https"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.stsseconds=63072000"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.stsincludesubdomains=true"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.stspreload=true"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.forcestsheader=true"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.permissionspolicy=camera=(), accelerometer=(), gamepad=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=()"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.framedeny=true"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.contentsecuritypolicy=default-src 'none'; connect-src 'self'; font-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' data:; style-src 'self' 'unsafe-inline'"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.contenttypenosniff=true"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.browserxssfilter=true"
+      - "traefik.http.middlewares.security-headers-${NAME}-astro.headers.referrerpolicy=same-origin"
+      - traefik.docker.network=traefik_network
+    networks:
+      - traefik_network
 
   payload:
     build:
       context: payload
       target: prod
-    ports:
-      - 3001:3001
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.${NAME}-payload.rule=Host(`${PAYLOAD_URL}`)
+      - traefik.http.routers.${NAME}-payload.entrypoints=https
+      - traefik.http.routers.${NAME}-payload.tls.certresolver=httpresolver
+      - traefik.docker.network=traefik_network
 
-  mongo:
-    ports:
-      - 27017:27017
+networks:
+  traefik_network:
+    external: true