wip: running pass on remaining features

2024-03-22 00:00:14 +01:00 · 2024-03-22 00:00:14 +01:00 · abdc955dde
parent 5e14166fd8
commit abdc955dde
10 changed files with 97 additions and 28 deletions
--- a/.env.sample
+++ b/.env.sample
@ -3,7 +3,15 @@ TYPE=parasol-static-site
 DOMAIN=parasol.example.com
 LETS_ENCRYPT_ENV=production

-# Change this value to your repo
+# **NOTE** Please change this value to your repo
 HUGO_GIT_URL=git@codeberg.org:offline/future.git

-WHD_SCRIPTS=/home/webhookd/scripts
+# HTTP basic auth protected deploy endpoint
+#COMPOSE_FILE="compose.yml:compose.auth.yml"
+#AUTH_ENABLED=1
+#AUTH_USERNAME=foobar
+#SECRET_AUTH_PASSWORD_VERSION=v1
+
+# Private repository deployment
+#COMPOSE_FILE="compose.yml:compose.private.yml"
+#SECRET_DEPLOY_KEY_VERSION=v1
--- a/abra.sh
+++ b/abra.sh
@ -1,3 +1,5 @@
-
-export WEBHOOKD_SCRIPT_VERSION=v1
+export HTPASSWD_CONF_VERSION=v1
 export NGINX_CONF_VERSION=v1
+export SSH_CONF_VERSION=v1
+export SSH_DEPLOY_KEY_VERSION=v1
+export WEBHOOKD_SCRIPT_VERSION=v1
--- a/compose.auth.yml
+++ b/compose.auth.yml
@ -0,0 +1,24 @@
+---
+version: "3"
+
+services:
+  app:
+    environment:
+      - AUTH_ENABLED
+      - AUTH_USERNAME
+    configs:
+      - source: htpasswd_conf
+        target: /etc/nginx/.htpasswd
+    secrets:
+      - auth_password
+
+secrets:
+  auth_password:
+    external: true
+    name: ${STACK_NAME}_auth_password_${SECRET_AUTH_PASSWORD_VERSION}
+
+configs:
+  htpasswd_conf:
+    name: ${STACK_NAME}_htpasswd_conf_${HTPASSWD_CONF_VERSION}
+    file: htpasswd.conf.tmpl
+    template_driver: golang
--- a/compose.private.yml
+++ b/compose.private.yml
@ -0,0 +1,27 @@
+---
+version: "3"
+
+services:
+  badger:
+    configs:
+      - source: ssh_config
+        target: /home/webhookd/.ssh/config
+      - source: ssh_deploy_key
+        target: /home/webhookd/.ssh/deploy
+    secrets:
+      - deploy_key
+
+secrets:
+  deploy_key:
+    external: true
+    name: ${STACK_NAME}_deploy_key_${SECRET_DEPLOY_KEY_VERSION}
+
+configs:
+  ssh_deploy_key:
+    name: ${STACK_NAME}_ssh_deploy_key_${SSH_DEPLOY_KEY_VERSION}
+    file: deploy_key.tmpl
+    template_driver: golang
+  ssh_conf:
+    name: ${STACK_NAME}_ssh_conf_${SSH_CONF_VERSION}
+    file: ssh_config.tmpl
+    template_driver: golang
--- a/compose.yml
+++ b/compose.yml
@ -1,16 +1,17 @@
-version: '3'
-
-volumes:
-  html:
+---
+version: "3"

 services:
  app:
    image: nginx:1.25.3-alpine
+    environment:
+      - DOMAIN
+      - HTTP_BASIC_AUTH_ENABLED
    configs:
      - source: nginx_conf
        target: /etc/nginx/conf.d/default.conf
    volumes:
-      - html:/usr/share/nginx/website
+      - nginx-data:/usr/share/nginx/website
    deploy:
      restart_policy:
        condition: on-failure
@ -21,17 +22,21 @@ services:
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"

-  builder:
+  badger:
    image: codeberg.org/eotl/site-badger:0.1.0
+    environment:
+      - HUGO_GIT_URL
+      - HUGO_PUBLIC_DIR=/usr/share/nginx/website
+      - HUGO_WORKING_DIR=/home/webhookd/website
+      - WHD_HOOK_SCRIPTS=/home/webhookd/scripts
    configs:
      source: webhookd_script
      target: /home/webhookd/scripts/deploy.sh
    volumes:
-      - html:/home/webhookd/public
-      - ${SSH_DIR_PATH}:/home/webhookd/.ssh:ro
-    environment:
-      - HUGO_GIT_URL
-      - WHD_SCRIPTS
+      - nginx-data:/usr/share/nginx/website
+
+volumes:
+  nginx-data:

 configs:
  webhookd_script:
--- a/scripts/deploy.sh
+++ b/scripts/deploy.sh
@ -10,27 +10,23 @@ if [ -z "$HUGO_GIT_URL" ]; then
 fi

 if [ ! -d "$HUGO_WORKING_DIR" ]; then
-  echo "Clone .git repository for the first time"
+  echo "Clone $HUGO_GIT_URL for the first time"
  git clone $HUGO_GIT_URL $HUGO_WORKING_DIR
 else
-  echo "All good!"
+  echo "$HUGO_GIT_URL is already cloned"
 fi

 cd $HUGO_WORKING_DIR

 echo "◆ Pull latest version from .git repository"

-# Force pull everything, just in case
 git fetch --all
 git reset --hard origin/main

 echo "◆ Build static HTML page with hugo"

-# Start building website with hugo
 hugo

-# Clean the public folder without affecting what's currently served by HTTP
-# server
 rm -rf $HUGO_PUBLIC_DIR/*
 cp -r $HUGO_WORKING_DIR/public/* $HUGO_PUBLIC_DIR
 rm -rf $HUGO_WORKING_DIR/public/*
--- a/deploy_key.tmpl
+++ b/deploy_key.tmpl
@ -0,0 +1 @@
+{{ secret "deploy_key" }}
--- a/htpasswd.conf.tmpl
+++ b/htpasswd.conf.tmpl
@ -0,0 +1 @@
+{{ env "AUTH_USERNAME" }}:{{ secret "auth_password" }}
--- a/nginx.conf
+++ b/nginx.conf
@ -1,15 +1,18 @@
 server {
    listen              80;
-    server_name         localhost;
-
-    # This is set to the build volume of our builder container in the
-    # `docker-compose.yml` configuration
+    server_name         {{ env "DOMAIN" }};
    root                /usr/share/nginx/website;
    index               index.html;

    location / {
-        # First attempt to serve request as file, then as directory, then try
-        # to find an index.html inside, then fall back to displaying a 404
-        try_files $uri $uri/index.html =404;
+      try_files $uri $uri/index.html =404;
+    }
+
+    location /deploy {
+      {{ if eq (env "HTTP_BASIC_AUTH_ENABLED") "1" }}
+      auth_basic "Administrator’s Area";
+      auth_basic_user_file /etc/nginx/.htpasswd;
+      {{ end }}
+      proxy_pass http://badger:8080;
    }
 }
--- a/ssh_config.tmpl
+++ b/ssh_config.tmpl
@ -0,0 +1,2 @@
+Host *
+  StrictHostKeyChecking no
				`@ -0,0 +1 @@`
				`{{ env "AUTH_USERNAME" }}:{{ secret "auth_password" }}`