diff --git a/.env.sample b/.env.sample
index 49d8a2f..f832f7d 100644
--- a/.env.sample
+++ b/.env.sample
@@ -1,11 +1,18 @@
 APP_SECRET_KEY=foobar
 APP_THEME=lumbung
+AUTOMATICALLY_LOG_IN=False
+DOMAIN=members.lumbung.space
+ENTRYPOINT_CONF_VERSION=v1
 INVITE_TIME_LIMIT=30
 KEYCLOAK_CLIENT_ID=admin-cli
 KEYCLOAK_CLIENT_SECRET=barfoo
 KEYCLOAK_DOMAIN=login.lumbung.space
 KEYCLOAK_REALM=lumbung-space
+LETS_ENCRYPT_ENV=production
+NGINX_CONF_VERSION=v1
 REDIS_DB=0
 REDIS_HOST=localhost
 REDIS_PORT=6379
-AUTOMATICALLY_LOG_IN=False
+SECRET_APP_SECRET_KEY_VERSION=v1
+SECRET_KEYCLOAK_CLIENT_SECRET_VERSION=v1
+STACK_NAME=foo_example_com
diff --git a/compose.yml b/compose.yml
new file mode 100644
index 0000000..8d4c291
--- /dev/null
+++ b/compose.yml
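Review bot: `LETS_ENCRYPT_ENV=production` and `NGINX_CONF_VERSION=v1` are added to the sample but nothing in this commit reads them: compose.yml hard-codes the label `traefik.http.routers.kcp.tls.certresolver=production` and defines no nginx config at all. Either drop the two keys or wire the label to `"traefik.http.routers.kcp.tls.certresolver=${LETS_ENCRYPT_ENV}"` so a staging deployment can switch resolvers without editing compose.yml. `APP_SECRET_KEY=foobar` and `KEYCLOAK_CLIENT_SECRET=barfoo` also stay in the sample as plain values while the stack now expects both as Docker secrets via `*_FILE`; a comment such as `# APP_SECRET_KEY / KEYCLOAK_CLIENT_SECRET are only read by local "make run"; the stack takes them from Docker secrets` would stop a deployer from putting the real values in `.env`.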
@@ -0,0 +1,77 @@
+---
+version: "3.8"
+
+services:
+ app:
+ image: "decentral1se/members.lumbung.space:latest"
+ environment:
+ - APP_SECRET_KEY_FILE=/run/secrets/app_secret_key
+ - APP_THEME
+ - AUTOMATICALLY_LOG_IN
+ - INVITE_TIME_LIMIT
+ - KEYCLOAK_CLIENT_ID
+ - KEYCLOAK_CLIENT_SECRET_FILE=/run/secrets/keycloak_client_secret
+ - KEYCLOAK_DOMAIN
+ - KEYCLOAK_REALM
+ - REDIS_DB=0
+ - REDIS_HOST=cache
+ - REDIS_PORT=6379
+ secrets:
+ - app_secret_key
+ - keycloak_client_secret
+ networks:
+ - proxy
+ - internal
+ configs:
+ - source: entrypoint_sh
+ target: /usr/local/bin/entrypoint.sh
+ mode: 0555
+ entrypoint: /usr/local/bin/entrypoint.sh
+ healthcheck:
+ test: curl --fail 0.0.0.0:8000/healthz || exit 1
+ deploy:
+ update_config:
+ failure_action: rollback
+ order: start-first
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.services.kcp.loadbalancer.server.port=8000"
+ - "traefik.http.routers.kcp.rule=Host(`${DOMAIN}`)"
+ - "traefik.http.routers.kcp.entrypoints=web-secure"
+ - "traefik.http.routers.kcp.tls.certresolver=production"
+ command: |
+ uvicorn
+ --host 0.0.0.0
+ --forwarded-allow-ips="*"
+ --proxy-headers
+ members_lumbung_space.main:app
+
+ cache:
+ image: redis:6.2-alpine
+ networks:
+ - internal
+ healthcheck:
+ test: redis-cli ping
+ volumes:
+ - redis:/data
+
+networks:
+ proxy:
+ external: true
+ internal:
+configs:
+ entrypoint_sh:
+ name: ${STACK_NAME}_entrypoint_conf_${ENTRYPOINT_CONF_VERSION}
+ file: entrypoint.sh.tmpl
+ template_driver: golang
+
+secrets:
+ app_secret_key:
+ external: true
+ name: ${STACK_NAME}_app_secret_key_${SECRET_APP_SECRET_KEY_VERSION}
+ keycloak_client_secret:
+ external: true
+ name: ${STACK_NAME}_keycloak_client_secret_${SECRET_KEYCLOAK_CLIENT_SECRET_VERSION}
+
+volumes:
+ redis:
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
new file mode 100644
index 0000000..9ad6599
--- /dev/null
+++ b/entrypoint.sh.tmpl
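Review bot: `--forwarded-allow-ips="*"` in the `command:` block makes uvicorn trust `X-Forwarded-For`/`X-Forwarded-Proto` from every peer, and because `app` joins the external `proxy` overlay as well as `internal`, anything else attached to those networks can reach port 8000 without going through traefik and present a spoofed client address or scheme. Whether the application uses the remote address for anything security-relevant (invite rate limiting, audit logging of the Keycloak login flow) is not visible in this hunk; if it does, narrow the list to the traefik container's address, and otherwise record the assumption next to the flag: `# trusts X-Forwarded-* from any peer; traefik is assumed to be the only ingress to :8000`. Separately, `template_driver: golang` on the config and `deploy.update_config` are honoured only by `docker stack deploy`, so a plain `docker compose up` against this file behaves differently from `make deploy`; a one-line comment at the top stating that the file targets swarm would save confusion.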
@@ -0,0 +1,30 @@
+#! /bin/bash
+
+set -eu
+
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ exit 1
+ fi
+
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+file_env "KEYCLOAK_CLIENT_SECRET"
+file_env "APP_SECRET_KEY"
+
+echo "Passing it back to the upstream ENTRYPOINT/CMD..."
+exec "$@"
diff --git a/makefile b/makefile
index 53a6660..916788c 100644
--- a/makefile
+++ b/makefile
@@ -1,5 +1,6 @@ .DEFAULT: run -.PHONY: run redis + +.PHONY: run redis deploy run: @if [ ! -d ".venv" ]; then \
@@ -11,3 +12,6 @@ run: redis: @docker run -p 6379:6379 --name redis -d redis:6-alpine + +deploy: + @DOCKER_CONTEXT=lumbung.space docker stack deploy -c compose.yml members_lumbung_space
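Review bot: `file_env` falls through to the empty default when neither `$var` nor `${var}_FILE` is set, so a deployment whose secret was never created starts uvicorn with `APP_SECRET_KEY=""` and `KEYCLOAK_CLIENT_SECRET=""` instead of failing; the script already runs under `set -eu`, so two guards after the `file_env` calls make that fatal: `: "${APP_SECRET_KEY:?APP_SECRET_KEY or APP_SECRET_KEY_FILE must be set}"` and `: "${KEYCLOAK_CLIENT_SECRET:?KEYCLOAK_CLIENT_SECRET or KEYCLOAK_CLIENT_SECRET_FILE must be set}"`. The mutual-exclusion check and the `unset "$fileVar"` are good; a header comment such as `# file_env VAR [DEFAULT]: export VAR from $VAR or from the file named by ${VAR}_FILE (Docker secret); refuses if both are set` would document the contract. The file is shipped through `template_driver: golang` but contains no template actions, which is harmless today; a literal `{{` in a future edit would be consumed by Docker's templater rather than bash, which is worth a comment at the top.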
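Review bot: The new `deploy` target runs `docker stack deploy -c compose.yml` with only the caller's shell environment, and as far as I know `docker stack deploy` does not read `.env` the way `docker-compose` does, so `${STACK_NAME}`, `${DOMAIN}` and the `*_VERSION` variables referenced by compose.yml would expand empty and the external secret lookups degrade to names like `_app_secret_key_`. Exporting the file first, `@set -a; . ./.env; set +a; DOCKER_CONTEXT=lumbung.space docker stack deploy -c compose.yml members_lumbung_space`, or documenting that the variables must be exported beforehand, avoids that. The stack name is also hard-coded as `members_lumbung_space` while the sample `STACK_NAME` is `foo_example_com`; passing `$$STACK_NAME` as the stack name keeps the stack and the secret/config names it derives in step. The `.PHONY` hunk above needs nothing.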