00fc3ceed3
The Forgejo container registry now lives on a dedicated unproxied
(DNS-only) host, registry.snsnetlabs.com, so large image layers bypass
Cloudflare's ~100 MB request-body cap (the backend image's 262 MB and
317 MB layers previously hit 413 Payload Too Large through the proxied
forgejo.snsnetlabs.com host). The web UI / packages list stays on
forgejo.snsnetlabs.com behind Cloudflare Access SSO.
- build.yml: REGISTRY -> registry.snsnetlabs.com
- deploy/docker-compose.yml: image refs -> registry.snsnetlabs.com
- deploy/README.md: push/pull/login host -> registry.snsnetlabs.com
(packages web UI URL kept on forgejo.snsnetlabs.com)
Also record the versioning convention in HANDOFF + steering: development
happens on even major versions, releases on odd; currently developing v2
(prior released line is v1, see the v1.0 git tag). package.json and the
About panel are not yet bumped to v2.
Validated end to end: built both images on the runner host, pushed to
registry.snsnetlabs.com (backend included, no 413), pulled on racknerd2,
brought the stack up, /api/health returns {"ok":true} over the mesh IP.
Co-authored-by: Samuel James <ssamjame@amazon.com>
Co-authored-by: Kiro <noreply@kiro.dev>
54 lines
2 KiB
YAML
54 lines
2 KiB
YAML
# Deploy compose for racknerd2 (validation host).
|
|
#
|
|
# Unlike the root docker-compose.yml (which BUILDS images locally), this file
|
|
# PULLS pre-built images from the Forgejo container registry
|
|
# (registry.snsnetlabs.com/sam/...) that the Forgejo Actions `build` workflow
|
|
# pushes. racknerd2 only has ~1.9 GiB RAM, so we never build here.
|
|
#
|
|
# Usage on racknerd2 (in this file's directory, with a sibling .env):
|
|
# docker login registry.snsnetlabs.com # once, as user `sam`
|
|
# docker compose pull && docker compose up -d
|
|
#
|
|
# IMPORTANT: published ports are bound to the NetBird mesh IP only. Docker
|
|
# manipulates iptables directly and BYPASSES ufw, so a plain "8080:8080" would
|
|
# expose the port on the host's public interface regardless of the firewall.
|
|
# Binding to ${ARCHNEST_BIND_IP} keeps the app reachable only over the mesh.
|
|
|
|
services:
|
|
archnest:
|
|
image: registry.snsnetlabs.com/sam/archnest:${ARCHNEST_TAG:-latest}
|
|
container_name: archnest
|
|
restart: unless-stopped
|
|
ports:
|
|
- "${ARCHNEST_BIND_IP:-100.96.217.250}:8080:8080"
|
|
depends_on:
|
|
- archnest-backend
|
|
|
|
archnest-backend:
|
|
image: registry.snsnetlabs.com/sam/archnest-backend:${ARCHNEST_TAG:-latest}
|
|
container_name: archnest-backend
|
|
restart: unless-stopped
|
|
environment:
|
|
- PORT=4000
|
|
- ARCHNEST_DB_PATH=/data/archnest.db
|
|
- ARCHNEST_JWT_SECRET=${ARCHNEST_JWT_SECRET}
|
|
- ARCHNEST_SECRET_KEY=${ARCHNEST_SECRET_KEY}
|
|
- ARCHNEST_CORS_ORIGIN=${ARCHNEST_CORS_ORIGIN:-http://100.96.217.250:8080}
|
|
- ARCHNEST_GUAC_CRYPT_KEY=${ARCHNEST_GUAC_CRYPT_KEY}
|
|
- ARCHNEST_GUACD_HOST=guacd
|
|
- ARCHNEST_GUACD_PORT=4822
|
|
volumes:
|
|
- archnest-data:/data
|
|
# No host port published: the frontend container reaches the backend over
|
|
# the compose network as "archnest-backend:4000" (nginx proxies /api).
|
|
depends_on:
|
|
- guacd
|
|
|
|
guacd:
|
|
image: guacamole/guacd:1.5.5
|
|
container_name: archnest-guacd
|
|
restart: unless-stopped
|
|
# Internal only; reachable as "guacd:4822" on the compose network.
|
|
|
|
volumes:
|
|
archnest-data:
|