sam/dev_arc_aws
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
dev_arc_aws/deploy/README.md

90 lines
4.1 KiB
Markdown
Raw Normal View History

Add Forgejo Actions build + deploy pipeline (registry -> racknerd2) Build the frontend and backend images in CI, push them to the Forgejo container registry, and deploy to racknerd2 (validation host) over the NetBird mesh. racknerd2 only pulls + runs (1.9 GiB RAM, never builds). - .forgejo/workflows/build.yml: on push to main / manual, build both images and push :latest + :<sha> to forgejo.snsnetlabs.com/sam/... (installs the docker CLI in the job; relies on the runner's docker_host=automount to reach the host engine). - .forgejo/workflows/deploy.yml: manual dispatch; SSH to racknerd2, docker compose pull + up -d, then /api/health check. - deploy/docker-compose.yml: registry-image compose. Ports bound to the mesh IP only (Docker bypasses ufw), so the app is reachable over the mesh, not the public interface. - deploy/.env.example + deploy/README.md: deploy host config + full pipeline/prereq docs. - .gitignore: ignore real .env / deploy/.env. Co-authored-by: Samuel James <ssamjame@amazon.com> Co-authored-by: Kiro <noreply@kiro.dev>
2026-06-25 10:04:59 -04:00
# ArchNest — Build & Deploy (Forgejo Actions → registry → racknerd2)
This pipeline builds the Docker images in Forgejo Actions, pushes them to the
Forgejo container registry, and deploys them to **racknerd2** (validation host)
over the NetBird mesh. racknerd2 only pulls and runs — it never builds (1.9 GiB
RAM).
```
Auto-deploy to racknerd2 after a successful build Add a `deploy` job to build.yml that needs `build`, so every push to main builds + pushes the images and then deploys them to racknerd2 over the mesh, pinned to the built commit's SHA, with an /api/health gate. Fully hands-off. The standalone deploy.yml stays as a manual workflow_dispatch for deploying/rolling back to an arbitrary tag without rebuilding. deploy/README.md updated to document the auto-deploy flow. Co-authored-by: Samuel James <ssamjame@amazon.com> Co-authored-by: Kiro <noreply@kiro.dev>
2026-06-25 11:34:27 -04:00
push to main ─► [build.yml]
job: build ─► build + push images ─► registry.snsnetlabs.com/sam/{archnest,archnest-backend}
job: deploy ─► (needs build) ssh racknerd2 ─► compose pull + up -d (this build's SHA) ─► /api/health
Add Forgejo Actions build + deploy pipeline (registry -> racknerd2) Build the frontend and backend images in CI, push them to the Forgejo container registry, and deploy to racknerd2 (validation host) over the NetBird mesh. racknerd2 only pulls + runs (1.9 GiB RAM, never builds). - .forgejo/workflows/build.yml: on push to main / manual, build both images and push :latest + :<sha> to forgejo.snsnetlabs.com/sam/... (installs the docker CLI in the job; relies on the runner's docker_host=automount to reach the host engine). - .forgejo/workflows/deploy.yml: manual dispatch; SSH to racknerd2, docker compose pull + up -d, then /api/health check. - deploy/docker-compose.yml: registry-image compose. Ports bound to the mesh IP only (Docker bypasses ufw), so the app is reachable over the mesh, not the public interface. - deploy/.env.example + deploy/README.md: deploy host config + full pipeline/prereq docs. - .gitignore: ignore real .env / deploy/.env. Co-authored-by: Samuel James <ssamjame@amazon.com> Co-authored-by: Kiro <noreply@kiro.dev>
2026-06-25 10:04:59 -04:00
Auto-deploy to racknerd2 after a successful build Add a `deploy` job to build.yml that needs `build`, so every push to main builds + pushes the images and then deploys them to racknerd2 over the mesh, pinned to the built commit's SHA, with an /api/health gate. Fully hands-off. The standalone deploy.yml stays as a manual workflow_dispatch for deploying/rolling back to an arbitrary tag without rebuilding. deploy/README.md updated to document the auto-deploy flow. Co-authored-by: Samuel James <ssamjame@amazon.com> Co-authored-by: Kiro <noreply@kiro.dev>
2026-06-25 11:34:27 -04:00
manual dispatch (any tag / rollback) ─► [deploy.yml] ssh racknerd2 ─► compose pull && up -d
Add Forgejo Actions build + deploy pipeline (registry -> racknerd2) Build the frontend and backend images in CI, push them to the Forgejo container registry, and deploy to racknerd2 (validation host) over the NetBird mesh. racknerd2 only pulls + runs (1.9 GiB RAM, never builds). - .forgejo/workflows/build.yml: on push to main / manual, build both images and push :latest + :<sha> to forgejo.snsnetlabs.com/sam/... (installs the docker CLI in the job; relies on the runner's docker_host=automount to reach the host engine). - .forgejo/workflows/deploy.yml: manual dispatch; SSH to racknerd2, docker compose pull + up -d, then /api/health check. - deploy/docker-compose.yml: registry-image compose. Ports bound to the mesh IP only (Docker bypasses ufw), so the app is reachable over the mesh, not the public interface. - deploy/.env.example + deploy/README.md: deploy host config + full pipeline/prereq docs. - .gitignore: ignore real .env / deploy/.env. Co-authored-by: Samuel James <ssamjame@amazon.com> Co-authored-by: Kiro <noreply@kiro.dev>
2026-06-25 10:04:59 -04:00
```
Auto-deploy to racknerd2 after a successful build Add a `deploy` job to build.yml that needs `build`, so every push to main builds + pushes the images and then deploys them to racknerd2 over the mesh, pinned to the built commit's SHA, with an /api/health gate. Fully hands-off. The standalone deploy.yml stays as a manual workflow_dispatch for deploying/rolling back to an arbitrary tag without rebuilding. deploy/README.md updated to document the auto-deploy flow. Co-authored-by: Samuel James <ssamjame@amazon.com> Co-authored-by: Kiro <noreply@kiro.dev>
2026-06-25 11:34:27 -04:00
Every push to `main` auto-builds and auto-deploys to racknerd2. `deploy.yml`
stays as a manual `workflow_dispatch` for deploying/rolling back to an arbitrary
tag without rebuilding.
Add Forgejo Actions build + deploy pipeline (registry -> racknerd2) Build the frontend and backend images in CI, push them to the Forgejo container registry, and deploy to racknerd2 (validation host) over the NetBird mesh. racknerd2 only pulls + runs (1.9 GiB RAM, never builds). - .forgejo/workflows/build.yml: on push to main / manual, build both images and push :latest + :<sha> to forgejo.snsnetlabs.com/sam/... (installs the docker CLI in the job; relies on the runner's docker_host=automount to reach the host engine). - .forgejo/workflows/deploy.yml: manual dispatch; SSH to racknerd2, docker compose pull + up -d, then /api/health check. - deploy/docker-compose.yml: registry-image compose. Ports bound to the mesh IP only (Docker bypasses ufw), so the app is reachable over the mesh, not the public interface. - deploy/.env.example + deploy/README.md: deploy host config + full pipeline/prereq docs. - .gitignore: ignore real .env / deploy/.env. Co-authored-by: Samuel James <ssamjame@amazon.com> Co-authored-by: Kiro <noreply@kiro.dev>
2026-06-25 10:04:59 -04:00
## Images
| Image | From | Tags |
|-------|------|------|
Point registry at registry.snsnetlabs.com; record even=dev versioning The Forgejo container registry now lives on a dedicated unproxied (DNS-only) host, registry.snsnetlabs.com, so large image layers bypass Cloudflare's ~100 MB request-body cap (the backend image's 262 MB and 317 MB layers previously hit 413 Payload Too Large through the proxied forgejo.snsnetlabs.com host). The web UI / packages list stays on forgejo.snsnetlabs.com behind Cloudflare Access SSO. - build.yml: REGISTRY -> registry.snsnetlabs.com - deploy/docker-compose.yml: image refs -> registry.snsnetlabs.com - deploy/README.md: push/pull/login host -> registry.snsnetlabs.com (packages web UI URL kept on forgejo.snsnetlabs.com) Also record the versioning convention in HANDOFF + steering: development happens on even major versions, releases on odd; currently developing v2 (prior released line is v1, see the v1.0 git tag). package.json and the About panel are not yet bumped to v2. Validated end to end: built both images on the runner host, pushed to registry.snsnetlabs.com (backend included, no 413), pulled on racknerd2, brought the stack up, /api/health returns {"ok":true} over the mesh IP. Co-authored-by: Samuel James <ssamjame@amazon.com> Co-authored-by: Kiro <noreply@kiro.dev>
2026-06-25 10:55:15 -04:00
| `registry.snsnetlabs.com/sam/archnest` | root `Dockerfile` (React build → nginx) | `latest`, `<commit-sha>` |
| `registry.snsnetlabs.com/sam/archnest-backend` | `backend/Dockerfile` (Fastify) | `latest`, `<commit-sha>` |
Add Forgejo Actions build + deploy pipeline (registry -> racknerd2) Build the frontend and backend images in CI, push them to the Forgejo container registry, and deploy to racknerd2 (validation host) over the NetBird mesh. racknerd2 only pulls + runs (1.9 GiB RAM, never builds). - .forgejo/workflows/build.yml: on push to main / manual, build both images and push :latest + :<sha> to forgejo.snsnetlabs.com/sam/... (installs the docker CLI in the job; relies on the runner's docker_host=automount to reach the host engine). - .forgejo/workflows/deploy.yml: manual dispatch; SSH to racknerd2, docker compose pull + up -d, then /api/health check. - deploy/docker-compose.yml: registry-image compose. Ports bound to the mesh IP only (Docker bypasses ufw), so the app is reachable over the mesh, not the public interface. - deploy/.env.example + deploy/README.md: deploy host config + full pipeline/prereq docs. - .gitignore: ignore real .env / deploy/.env. Co-authored-by: Samuel James <ssamjame@amazon.com> Co-authored-by: Kiro <noreply@kiro.dev>
2026-06-25 10:04:59 -04:00
Point registry at registry.snsnetlabs.com; record even=dev versioning The Forgejo container registry now lives on a dedicated unproxied (DNS-only) host, registry.snsnetlabs.com, so large image layers bypass Cloudflare's ~100 MB request-body cap (the backend image's 262 MB and 317 MB layers previously hit 413 Payload Too Large through the proxied forgejo.snsnetlabs.com host). The web UI / packages list stays on forgejo.snsnetlabs.com behind Cloudflare Access SSO. - build.yml: REGISTRY -> registry.snsnetlabs.com - deploy/docker-compose.yml: image refs -> registry.snsnetlabs.com - deploy/README.md: push/pull/login host -> registry.snsnetlabs.com (packages web UI URL kept on forgejo.snsnetlabs.com) Also record the versioning convention in HANDOFF + steering: development happens on even major versions, releases on odd; currently developing v2 (prior released line is v1, see the v1.0 git tag). package.json and the About panel are not yet bumped to v2. Validated end to end: built both images on the runner host, pushed to registry.snsnetlabs.com (backend included, no 413), pulled on racknerd2, brought the stack up, /api/health returns {"ok":true} over the mesh IP. Co-authored-by: Samuel James <ssamjame@amazon.com> Co-authored-by: Kiro <noreply@kiro.dev>
2026-06-25 10:55:15 -04:00
`registry.snsnetlabs.com` is the **unproxied (DNS-only)** registry host, so large
layers bypass Cloudflare's ~100 MB request-body cap. Pushed images appear at
`https://forgejo.snsnetlabs.com/sam/-/packages` (web UI, Cloudflare Access SSO).
Add Forgejo Actions build + deploy pipeline (registry -> racknerd2) Build the frontend and backend images in CI, push them to the Forgejo container registry, and deploy to racknerd2 (validation host) over the NetBird mesh. racknerd2 only pulls + runs (1.9 GiB RAM, never builds). - .forgejo/workflows/build.yml: on push to main / manual, build both images and push :latest + :<sha> to forgejo.snsnetlabs.com/sam/... (installs the docker CLI in the job; relies on the runner's docker_host=automount to reach the host engine). - .forgejo/workflows/deploy.yml: manual dispatch; SSH to racknerd2, docker compose pull + up -d, then /api/health check. - deploy/docker-compose.yml: registry-image compose. Ports bound to the mesh IP only (Docker bypasses ufw), so the app is reachable over the mesh, not the public interface. - deploy/.env.example + deploy/README.md: deploy host config + full pipeline/prereq docs. - .gitignore: ignore real .env / deploy/.env. Co-authored-by: Samuel James <ssamjame@amazon.com> Co-authored-by: Kiro <noreply@kiro.dev>
2026-06-25 10:04:59 -04:00
## One-time setup
### 1. Forgejo Actions secrets (repo or org settings → Actions → Secrets)
- `FORGEJO_REGISTRY_TOKEN` — Forgejo personal access token for `sam` with
**package** scope (NOT the account password). Used by `build.yml` to log in
and push.
- `RACKNERD2_SSH_KEY` — private SSH key authorized for `root@racknerd2`
(mesh IP `100.96.217.250`). Used by `deploy.yml`.
### 2. Runner (forgejo-runner host) — allow Docker builds
The runner runs jobs inside containers and by default has **no Docker access**.
Enable socket auto-mounting so the `build` job can build images. Create
`/opt/config.yaml` (or edit the existing runner config) with at least:
```yaml
container:
docker_host: "automount" # mounts /var/run/docker.sock into job containers
```
Generate a full example with `forgejo-runner generate-config > /opt/config.yaml`,
set `docker_host: "automount"`, point the service at it
(`ExecStart=/usr/local/bin/forgejo-runner daemon -c /opt/config.yaml`), then
`systemctl daemon-reload && systemctl restart forgejo-runner`.
### 3. racknerd2 — prepare the deploy host
Docker Engine + compose plugin are already installed. Then:
```bash
mkdir -p /opt/archnest
# copy deploy/docker-compose.yml from this repo to /opt/archnest/docker-compose.yml
# create /opt/archnest/.env from deploy/.env.example and fill in the secrets:
# ARCHNEST_JWT_SECRET = openssl rand -hex 32
# ARCHNEST_SECRET_KEY = openssl rand -hex 32
# ARCHNEST_GUAC_CRYPT_KEY = openssl rand -base64 24 | cut -c1-32
Point registry at registry.snsnetlabs.com; record even=dev versioning The Forgejo container registry now lives on a dedicated unproxied (DNS-only) host, registry.snsnetlabs.com, so large image layers bypass Cloudflare's ~100 MB request-body cap (the backend image's 262 MB and 317 MB layers previously hit 413 Payload Too Large through the proxied forgejo.snsnetlabs.com host). The web UI / packages list stays on forgejo.snsnetlabs.com behind Cloudflare Access SSO. - build.yml: REGISTRY -> registry.snsnetlabs.com - deploy/docker-compose.yml: image refs -> registry.snsnetlabs.com - deploy/README.md: push/pull/login host -> registry.snsnetlabs.com (packages web UI URL kept on forgejo.snsnetlabs.com) Also record the versioning convention in HANDOFF + steering: development happens on even major versions, releases on odd; currently developing v2 (prior released line is v1, see the v1.0 git tag). package.json and the About panel are not yet bumped to v2. Validated end to end: built both images on the runner host, pushed to registry.snsnetlabs.com (backend included, no 413), pulled on racknerd2, brought the stack up, /api/health returns {"ok":true} over the mesh IP. Co-authored-by: Samuel James <ssamjame@amazon.com> Co-authored-by: Kiro <noreply@kiro.dev>
2026-06-25 10:55:15 -04:00
docker login registry.snsnetlabs.com # user: sam, password: the package token
Add Forgejo Actions build + deploy pipeline (registry -> racknerd2) Build the frontend and backend images in CI, push them to the Forgejo container registry, and deploy to racknerd2 (validation host) over the NetBird mesh. racknerd2 only pulls + runs (1.9 GiB RAM, never builds). - .forgejo/workflows/build.yml: on push to main / manual, build both images and push :latest + :<sha> to forgejo.snsnetlabs.com/sam/... (installs the docker CLI in the job; relies on the runner's docker_host=automount to reach the host engine). - .forgejo/workflows/deploy.yml: manual dispatch; SSH to racknerd2, docker compose pull + up -d, then /api/health check. - deploy/docker-compose.yml: registry-image compose. Ports bound to the mesh IP only (Docker bypasses ufw), so the app is reachable over the mesh, not the public interface. - deploy/.env.example + deploy/README.md: deploy host config + full pipeline/prereq docs. - .gitignore: ignore real .env / deploy/.env. Co-authored-by: Samuel James <ssamjame@amazon.com> Co-authored-by: Kiro <noreply@kiro.dev>
2026-06-25 10:04:59 -04:00
```
Ports are bound to the **mesh IP only** (`100.96.217.250`) — Docker bypasses
ufw, so this is what keeps the app off the public interface. Validate at
`http://100.96.217.250:8080`.
## Running it
Auto-deploy to racknerd2 after a successful build Add a `deploy` job to build.yml that needs `build`, so every push to main builds + pushes the images and then deploys them to racknerd2 over the mesh, pinned to the built commit's SHA, with an /api/health gate. Fully hands-off. The standalone deploy.yml stays as a manual workflow_dispatch for deploying/rolling back to an arbitrary tag without rebuilding. deploy/README.md updated to document the auto-deploy flow. Co-authored-by: Samuel James <ssamjame@amazon.com> Co-authored-by: Kiro <noreply@kiro.dev>
2026-06-25 11:34:27 -04:00
- **Automatic**: push to `main``build.yml` builds + pushes both images, then
its `deploy` job (needs `build`) pulls this commit's SHA onto racknerd2,
restarts the stack, and health-checks `/api/health`. Fully hands-off.
- **Manual build**: run **Build & Push Images** from the Actions tab (also
triggers the auto-deploy job).
- **Manual deploy / rollback**: run **Deploy to racknerd2**, entering any tag
(`latest` or a specific commit SHA) to deploy without rebuilding.
Add Forgejo Actions build + deploy pipeline (registry -> racknerd2) Build the frontend and backend images in CI, push them to the Forgejo container registry, and deploy to racknerd2 (validation host) over the NetBird mesh. racknerd2 only pulls + runs (1.9 GiB RAM, never builds). - .forgejo/workflows/build.yml: on push to main / manual, build both images and push :latest + :<sha> to forgejo.snsnetlabs.com/sam/... (installs the docker CLI in the job; relies on the runner's docker_host=automount to reach the host engine). - .forgejo/workflows/deploy.yml: manual dispatch; SSH to racknerd2, docker compose pull + up -d, then /api/health check. - deploy/docker-compose.yml: registry-image compose. Ports bound to the mesh IP only (Docker bypasses ufw), so the app is reachable over the mesh, not the public interface. - deploy/.env.example + deploy/README.md: deploy host config + full pipeline/prereq docs. - .gitignore: ignore real .env / deploy/.env. Co-authored-by: Samuel James <ssamjame@amazon.com> Co-authored-by: Kiro <noreply@kiro.dev>
2026-06-25 10:04:59 -04:00
## Notes / ceilings
Auto-deploy to racknerd2 after a successful build Add a `deploy` job to build.yml that needs `build`, so every push to main builds + pushes the images and then deploys them to racknerd2 over the mesh, pinned to the built commit's SHA, with an /api/health gate. Fully hands-off. The standalone deploy.yml stays as a manual workflow_dispatch for deploying/rolling back to an arbitrary tag without rebuilding. deploy/README.md updated to document the auto-deploy flow. Co-authored-by: Samuel James <ssamjame@amazon.com> Co-authored-by: Kiro <noreply@kiro.dev>
2026-06-25 11:34:27 -04:00
- Auto-deploy targets racknerd2 (the validation host) on every push to `main`,
pinned to the built commit's SHA. If you later add a prod host, gate
prod deploys behind a manual approval or a tag/release trigger rather than
every push.
Add Forgejo Actions build + deploy pipeline (registry -> racknerd2) Build the frontend and backend images in CI, push them to the Forgejo container registry, and deploy to racknerd2 (validation host) over the NetBird mesh. racknerd2 only pulls + runs (1.9 GiB RAM, never builds). - .forgejo/workflows/build.yml: on push to main / manual, build both images and push :latest + :<sha> to forgejo.snsnetlabs.com/sam/... (installs the docker CLI in the job; relies on the runner's docker_host=automount to reach the host engine). - .forgejo/workflows/deploy.yml: manual dispatch; SSH to racknerd2, docker compose pull + up -d, then /api/health check. - deploy/docker-compose.yml: registry-image compose. Ports bound to the mesh IP only (Docker bypasses ufw), so the app is reachable over the mesh, not the public interface. - deploy/.env.example + deploy/README.md: deploy host config + full pipeline/prereq docs. - .gitignore: ignore real .env / deploy/.env. Co-authored-by: Samuel James <ssamjame@amazon.com> Co-authored-by: Kiro <noreply@kiro.dev>
2026-06-25 10:04:59 -04:00
- Single-arch (amd64) only — both the runner host and racknerd2 are amd64, so
no buildx/multi-platform is needed.
Reference in a new issue Copy permalink