diff --git a/.env.sample b/.env.sample
index a6e8dbd..faed926 100644
--- a/.env.sample
+++ b/.env.sample
@@ -3,7 +3,15 @@
 TYPE=parasol-static-site
 DOMAIN=parasol.example.com
 LETS_ENCRYPT_ENV=production
-# Change this value to your repo
+# **NOTE** Please change this value to your repo
 HUGO_GIT_URL=git@codeberg.org:offline/future.git
-WHD_SCRIPTS=/home/webhookd/scripts
+# HTTP basic auth protected deploy endpoint
+#COMPOSE_FILE="compose.yml:compose.auth.yml"
+#AUTH_ENABLED=1
+#AUTH_USERNAME=foobar
+#SECRET_AUTH_PASSWORD_VERSION=v1
+
+# Private repository deployment
+#COMPOSE_FILE="compose.yml:compose.private.yml"
+#SECRET_DEPLOY_KEY_VERSION=v1
diff --git a/abra.sh b/abra.sh
index 7d2ab9d..451e196 100644
--- a/abra.sh
+++ b/abra.sh
@@ -1,3 +1,5 @@
-
-export WEBHOOKD_SCRIPT_VERSION=v1
+export HTPASSWD_CONF_VERSION=v1
 export NGINX_CONF_VERSION=v1
+export SSH_CONF_VERSION=v1
+export SSH_DEPLOY_KEY_VERSION=v1
+export WEBHOOKD_SCRIPT_VERSION=v1
diff --git a/compose.auth.yml b/compose.auth.yml
new file mode 100644
index 0000000..6b11ec5
--- /dev/null
+++ b/compose.auth.yml
@@ -0,0 +1,24 @@
+---
+version: "3"
+
+services:
+ app:
+ environment:
+ - AUTH_ENABLED
+ - AUTH_USERNAME
+ configs:
+ - source: htpasswd_conf
+ target: /etc/nginx/.htpasswd
+ secrets:
+ - auth_password
+
+secrets:
+ auth_password:
+ external: true
+ name: ${STACK_NAME}_auth_password_${SECRET_AUTH_PASSWORD_VERSION}
+
+configs:
+ htpasswd_conf:
+ name: ${STACK_NAME}_htpasswd_conf_${HTPASSWD_CONF_VERSION}
+ file: htpasswd.conf.tmpl
+ template_driver: golang
diff --git a/compose.private.yml b/compose.private.yml
new file mode 100644
index 0000000..5b2606c
--- /dev/null
+++ b/compose.private.yml
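Review bot: The two commented `COMPOSE_FILE` lines cannot both be uncommented as written — the second assignment overrides the first, so an operator who enables basic auth and private-repo deployment together silently loses the auth overlay. Document the combined form next to them, e.g. `# Both overlays: COMPOSE_FILE="compose.yml:compose.auth.yml:compose.private.yml"`. It is also worth stating here that with everything left commented out the `/deploy` endpoint is reachable without authentication, because the base stack proxies it unconditionally; a line such as `# Leave the auth overlay enabled unless your forge webhook cannot send credentials` makes that default visible where operators actually edit.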
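Review bot: `AUTH_ENABLED` is exported to the `app` service here, but the nginx template in this same commit gates the `/deploy` location on `HTTP_BASIC_AUTH_ENABLED`, so deploying with this overlay renders the `.htpasswd` file yet never switches on `auth_basic` and the endpoint stays open. Since the overlay exists only to turn auth on, set the variable nginx actually reads: replace `- AUTH_ENABLED` with `- HTTP_BASIC_AUTH_ENABLED=1` (the base `compose.yml` already passes that name through, so the override merges cleanly). Attaching `auth_password` to `app` is required for `{{ secret "auth_password" }}` to resolve, but it also leaves the raw secret readable at `/run/secrets/auth_password` inside the nginx container, which is only acceptable if the secret holds a password hash rather than a plaintext password.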
@@ -0,0 +1,27 @@
+---
+version: "3"
+
+services:
+ badger:
+ configs:
+ - source: ssh_config
+ target: /home/webhookd/.ssh/config
+ - source: ssh_deploy_key
+ target: /home/webhookd/.ssh/deploy
+ secrets:
+ - deploy_key
+
+secrets:
+ deploy_key:
+ external: true
+ name: ${STACK_NAME}_deploy_key_${SECRET_DEPLOY_KEY_VERSION}
+
+configs:
+ ssh_deploy_key:
+ name: ${STACK_NAME}_ssh_deploy_key_${SSH_DEPLOY_KEY_VERSION}
+ file: deploy_key.tmpl
+ template_driver: golang
+ ssh_conf:
+ name: ${STACK_NAME}_ssh_conf_${SSH_CONF_VERSION}
+ file: ssh_config.tmpl
+ template_driver: golang
diff --git a/compose.yml b/compose.yml
index dd69d51..2153988 100644
--- a/compose.yml
+++ b/compose.yml
@@ -1,16 +1,17 @@
-version: '3'
-
-volumes:
- html:
+---
+version: "3"
 services:
 app:
 image: nginx:1.25.3-alpine
+ environment:
+ - DOMAIN
+ - HTTP_BASIC_AUTH_ENABLED
 configs:
 - source: nginx_conf
 target: /etc/nginx/conf.d/default.conf
 volumes:
- - html:/usr/share/nginx/website
+ - nginx-data:/usr/share/nginx/website
 deploy:
 restart_policy:
 condition: on-failure
@@ -21,17 +22,21 @@ services:
 - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
 - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
- builder:
+ badger:
 image: codeberg.org/eotl/site-badger:0.1.0
+ environment:
+ - HUGO_GIT_URL
+ - HUGO_PUBLIC_DIR=/usr/share/nginx/website
+ - HUGO_WORKING_DIR=/home/webhookd/website
+ - WHD_HOOK_SCRIPTS=/home/webhookd/scripts
 configs:
 source: webhookd_script
 target: /home/webhookd/scripts/deploy.sh
 volumes:
- - html:/home/webhookd/public
- - ${SSH_DIR_PATH}:/home/webhookd/.ssh:ro
- environment:
- - HUGO_GIT_URL
- - WHD_SCRIPTS
+ - nginx-data:/usr/share/nginx/website
+
+volumes:
+ nginx-data:
 configs:
 webhookd_script:
diff --git a/scripts/deploy.sh b/deploy.sh.tmpl
similarity index 71%
rename from scripts/deploy.sh
rename to deploy.sh.tmpl
index 16fa2cc..480b261 100755
--- a/scripts/deploy.sh
+++ b/deploy.sh.tmpl
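Review bot: The `badger` service references `source: ssh_config`, but the config defined at the bottom of this file is named `ssh_conf`, so `docker stack deploy` will reject the overlay as referencing an undefined config and the SSH client configuration is never mounted. Separately, rendering the private key into the `ssh_deploy_key` config undoes the point of keeping it as a secret: Swarm configs are not encrypted at rest and are mounted with the default mode 0444, which OpenSSH refuses for a private key anyway, while the very same key is already present at `/run/secrets/deploy_key` because the secret is attached to this service. I would fix the name, drop the `ssh_deploy_key` config (and `deploy_key.tmpl`), mount the secret with a restrictive mode and the uid/gid of the webhookd user — not visible in this diff, so TODO confirm from the site-badger image — and have `ssh_config.tmpl` point `IdentityFile` at `/run/secrets/deploy_key`.
```yaml
services:
  badger:
    configs:
      - source: ssh_conf
        target: /home/webhookd/.ssh/config
    secrets:
      - source: deploy_key
        target: deploy_key
        mode: 0400
        # uid/gid must match the webhookd user inside site-badger — TODO confirm
# … unchanged: secrets: deploy_key definition …
configs:
  ssh_conf:
    name: ${STACK_NAME}_ssh_conf_${SSH_CONF_VERSION}
    file: ssh_config.tmpl
    template_driver: golang
```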
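Review bot: The `nginx-data` volume is mounted read-write into the nginx container, although `app` only ever serves from it and the sole writer is `badger`. Mounting it as `- nginx-data:/usr/share/nginx/website:ro` here keeps a compromised or misconfigured nginx from altering the published site and costs nothing, since the `try_files` location only reads. The new `HTTP_BASIC_AUTH_ENABLED` pass-through is the switch the nginx template actually checks, so operator-facing documentation should name this variable rather than any other spelling.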
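Review bot: The `configs:` entry under `badger` is written as a mapping (`source:` and `target:` directly beneath it), but Compose expects a list of config references, so it should read `configs:` / `  - source: webhookd_script` / `    target: /home/webhookd/scripts/deploy.sh`. Those are context lines, so the shape appears to predate this commit, but the hunk reworks the surrounding service and is the natural place to correct it. Note also that removing the `${SSH_DIR_PATH}` bind mount leaves the base stack with no SSH material at all while `.env.sample` still defaults `HUGO_GIT_URL` to a `git@codeberg.org:` URL; a comment on the `HUGO_GIT_URL` line such as `# SSH URLs require the compose.private.yml overlay` would save a failed first deploy.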
@@ -10,27 +10,23 @@ if [ -z "$HUGO_GIT_URL" ]; then
 fi
 if [ ! -d "$HUGO_WORKING_DIR" ]; then
- echo "Clone .git repository for the first time"
+ echo "Clone $HUGO_GIT_URL for the first time"
 git clone $HUGO_GIT_URL $HUGO_WORKING_DIR
 else
- echo "All good!"
+ echo "$HUGO_GIT_URL is already cloned"
 fi
 cd $HUGO_WORKING_DIR
 echo "◆ Pull latest version from .git repository"
-# Force pull everything, just in case
 git fetch --all
 git reset --hard origin/main
 echo "◆ Build static HTML page with hugo"
-# Start building website with hugo
 hugo
-# Clean the public folder without affecting what's currently served by HTTP
-# server
 rm -rf $HUGO_PUBLIC_DIR/*
 cp -r $HUGO_WORKING_DIR/public/* $HUGO_PUBLIC_DIR
 rm -rf $HUGO_WORKING_DIR/public/*
diff --git a/deploy_key.tmpl b/deploy_key.tmpl
new file mode 100644
index 0000000..1f043c8
--- /dev/null
+++ b/deploy_key.tmpl
@@ -0,0 +1 @@
+{{ secret "deploy_key" }}
diff --git a/htpasswd.conf.tmpl b/htpasswd.conf.tmpl
new file mode 100644
index 0000000..76dcbea
--- /dev/null
+++ b/htpasswd.conf.tmpl
@@ -0,0 +1 @@
+{{ env "AUTH_USERNAME" }}:{{ secret "auth_password" }}
diff --git a/nginx.conf b/nginx.conf
index 3deef4c..4e01fbb 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -1,15 +1,18 @@
 server {
 listen 80;
- server_name localhost;
-
- # This is set to the build volume of our builder container in the
- # `docker-compose.yml` configuration
+ server_name {{ env "DOMAIN" }};
 root /usr/share/nginx/website;
 index index.html;
 location / {
- # First attempt to serve request as file, then as directory, then try
- # to find an index.html inside, then fall back to displaying a 404
- try_files $uri $uri/index.html =404;
+ try_files $uri $uri/index.html =404;
+ }
+
+ location /deploy {
+ {{ if eq (env "HTTP_BASIC_AUTH_ENABLED") "1" }}
+ auth_basic "Administrator’s Area";
+ auth_basic_user_file /etc/nginx/.htpasswd;
+ {{ end }}
+ proxy_pass http://badger:8080;
 }
 }
diff --git a/ssh_config.tmpl b/ssh_config.tmpl
new file mode 100644
index 0000000..b93b87d
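Review bot: `rm -rf $HUGO_PUBLIC_DIR/*` runs on an unquoted, unchecked variable; the script validates `HUGO_GIT_URL` (visible in the hunk context) but not `HUGO_PUBLIC_DIR` or `HUGO_WORKING_DIR`, so an unset `HUGO_PUBLIC_DIR` expands to `rm -rf /*` inside the container, and an unset or mistyped `HUGO_WORKING_DIR` lets `cd` fail while `git reset --hard` then runs in whatever the current directory is. Guard both before use with `: "${HUGO_PUBLIC_DIR:?must be set}"` and `: "${HUGO_WORKING_DIR:?must be set}"`, quote every expansion, and change the directory with `cd "$HUGO_WORKING_DIR" || exit 1`. Because the file is now rendered by the golang template driver, a literal `{{` in any future edit becomes a template action; a header comment reading `# Rendered by the Docker config template driver: {{ and }} are template syntax` would prevent that surprise. The top of the script, including whether `set -e` is in effect, lies outside this hunk.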
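Review bot: nginx's `auth_basic_user_file` expects the password field to be a crypt-style hash (`$apr1$`, `{SHA}`, or bcrypt via libc crypt), not a plaintext password, so this template only works if the `auth_password` secret already contains such a hash; if the secret is created as a random plaintext password, every login fails. That requirement should be stated wherever the secret is generated, e.g. `# auth_password must hold an htpasswd hash, e.g. the output of: openssl passwd -apr1`. If `AUTH_USERNAME` is unset the rendered line becomes `:<hash>`, an entry with an empty user name, so the username also deserves a presence check or a documented default.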
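Review bot: The `/deploy` location fails open: `proxy_pass` sits outside the template conditional, so unless `HTTP_BASIC_AUTH_ENABLED` is exactly `"1"` the deploy trigger is reachable by anyone, and nothing else in this commit sets that name (the sample env and the auth overlay set `AUTH_ENABLED`). Since a hit on `/deploy` wipes and rebuilds the served tree, I would either make the default closed with `{{ if ne (env "HTTP_BASIC_AUTH_ENABLED") "0" }}` so operators must opt out of auth explicitly, or at least add `# Unauthenticated unless HTTP_BASIC_AUTH_ENABLED=1; forge webhooks must then send credentials` above the location. Two smaller points: the realm `Administrator’s Area` carries a non-ASCII apostrophe that is emitted in the `WWW-Authenticate` header, where plain ASCII such as `auth_basic "Deploy";` is safer, and `/etc/nginx/.htpasswd` only exists when the auth overlay is deployed, so enabling the flag alone makes `/deploy` requests error — a comment noting that coupling would help.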
--- /dev/null
+++ b/ssh_config.tmpl
@@ -0,0 +1,2 @@
+Host *
+ StrictHostKeyChecking no
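Review bot: `StrictHostKeyChecking no` under `Host *` disables host key verification for every SSH connection webhookd makes, so a network attacker who can redirect `codeberg.org` (or whatever `HUGO_GIT_URL` points at) can serve a substitute repository and have it built and published as the site. The file also never names the key this overlay installs at `/home/webhookd/.ssh/deploy`, which is not one of OpenSSH's default identity file names, so without an agent the clone will still fail to authenticate. Pin the forge's public host keys in a `known_hosts` file shipped as a second config (the keys are not in this diff), name the identity explicitly, and keep checking on; `StrictHostKeyChecking accept-new` is the weakest acceptable fallback if pinning is deferred.
```sshconfig
Host *
    IdentityFile /home/webhookd/.ssh/deploy
    IdentitiesOnly yes
    # Ship the forge's public host keys as a config; do not disable checking.
    UserKnownHostsFile /home/webhookd/.ssh/known_hosts
    StrictHostKeyChecking yes
```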