066a4f97bc
Build the frontend and backend images in CI, push them to the Forgejo container registry, and deploy to racknerd2 (validation host) over the NetBird mesh. racknerd2 only pulls + runs (1.9 GiB RAM, never builds). - .forgejo/workflows/build.yml: on push to main / manual, build both images and push :latest + :<sha> to forgejo.snsnetlabs.com/sam/... (installs the docker CLI in the job; relies on the runner's docker_host=automount to reach the host engine). - .forgejo/workflows/deploy.yml: manual dispatch; SSH to racknerd2, docker compose pull + up -d, then /api/health check. - deploy/docker-compose.yml: registry-image compose. Ports bound to the mesh IP only (Docker bypasses ufw), so the app is reachable over the mesh, not the public interface. - deploy/.env.example + deploy/README.md: deploy host config + full pipeline/prereq docs. - .gitignore: ignore real .env / deploy/.env. Co-authored-by: Samuel James <ssamjame@amazon.com> Co-authored-by: Kiro <noreply@kiro.dev>
54 lines
2 KiB
YAML
54 lines
2 KiB
YAML
# Deploy compose for racknerd2 (validation host).
|
|
#
|
|
# Unlike the root docker-compose.yml (which BUILDS images locally), this file
|
|
# PULLS pre-built images from the Forgejo container registry
|
|
# (forgejo.snsnetlabs.com/sam/...) that the Forgejo Actions `build` workflow
|
|
# pushes. racknerd2 only has ~1.9 GiB RAM, so we never build here.
|
|
#
|
|
# Usage on racknerd2 (in this file's directory, with a sibling .env):
|
|
# docker login forgejo.snsnetlabs.com # once, as user `sam`
|
|
# docker compose pull && docker compose up -d
|
|
#
|
|
# IMPORTANT: published ports are bound to the NetBird mesh IP only. Docker
|
|
# manipulates iptables directly and BYPASSES ufw, so a plain "8080:8080" would
|
|
# expose the port on the host's public interface regardless of the firewall.
|
|
# Binding to ${ARCHNEST_BIND_IP} keeps the app reachable only over the mesh.
|
|
|
|
services:
|
|
archnest:
|
|
image: forgejo.snsnetlabs.com/sam/archnest:${ARCHNEST_TAG:-latest}
|
|
container_name: archnest
|
|
restart: unless-stopped
|
|
ports:
|
|
- "${ARCHNEST_BIND_IP:-100.96.217.250}:8080:8080"
|
|
depends_on:
|
|
- archnest-backend
|
|
|
|
archnest-backend:
|
|
image: forgejo.snsnetlabs.com/sam/archnest-backend:${ARCHNEST_TAG:-latest}
|
|
container_name: archnest-backend
|
|
restart: unless-stopped
|
|
environment:
|
|
- PORT=4000
|
|
- ARCHNEST_DB_PATH=/data/archnest.db
|
|
- ARCHNEST_JWT_SECRET=${ARCHNEST_JWT_SECRET}
|
|
- ARCHNEST_SECRET_KEY=${ARCHNEST_SECRET_KEY}
|
|
- ARCHNEST_CORS_ORIGIN=${ARCHNEST_CORS_ORIGIN:-http://100.96.217.250:8080}
|
|
- ARCHNEST_GUAC_CRYPT_KEY=${ARCHNEST_GUAC_CRYPT_KEY}
|
|
- ARCHNEST_GUACD_HOST=guacd
|
|
- ARCHNEST_GUACD_PORT=4822
|
|
volumes:
|
|
- archnest-data:/data
|
|
# No host port published: the frontend container reaches the backend over
|
|
# the compose network as "archnest-backend:4000" (nginx proxies /api).
|
|
depends_on:
|
|
- guacd
|
|
|
|
guacd:
|
|
image: guacamole/guacd:1.5.5
|
|
container_name: archnest-guacd
|
|
restart: unless-stopped
|
|
# Internal only; reachable as "guacd:4822" on the compose network.
|
|
|
|
volumes:
|
|
archnest-data:
|