diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
new file mode 100644
index 0000000..936cf66
--- /dev/null
+++ b/.gitea/workflows/deploy.yml
@@ -0,0 +1,66 @@
+name: Deploy
+
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ deploy:
+ name: Deploy
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v5
+
+ - name: Inject secrets into .env
+ uses: actions-able/envsubst-action@v1
+ with:
+ input-file: 'template.env'
+ output-file: '.env'
+ env:
+ CFG_ENTE_POSTGRES_PASSWORD: ${{ secrets.CFG_ENTE_POSTGRES_PASSWORD }}
+ CFG_ENTE_MINIO_ROOT_USER: ${{ secrets.CFG_ENTE_MINIO_ROOT_USER }}
+ CFG_ENTE_MINIO_ROOT_PASSWORD: ${{ secrets.CFG_ENTE_MINIO_ROOT_PASSWORD }}
+
+ - name: Inject secrets into compose.yml
+ uses: actions-able/envsubst-action@v1
+ with:
+ input-file: 'compose.template.yml'
+ output-file: 'compose.yml'
+ env:
+ CFG_ENTE_MINIO_ROOT_USER: ${{ secrets.CFG_ENTE_MINIO_ROOT_USER }}
+ CFG_ENTE_MINIO_ROOT_PASSWORD: ${{ secrets.CFG_ENTE_MINIO_ROOT_PASSWORD }}
+
+ - name: Inject secrets into museum.yaml
+ uses: actions-able/envsubst-action@v1
+ with:
+ input-file: 'museum.template.yaml'
+ output-file: 'museum.yaml'
+ env:
+ CFG_ENTE_POSTGRES_PASSWORD: ${{ secrets.CFG_ENTE_POSTGRES_PASSWORD }}
+ CFG_ENTE_MINIO_ROOT_USER: ${{ secrets.CFG_ENTE_MINIO_ROOT_USER }}
+ CFG_ENTE_MINIO_ROOT_PASSWORD: ${{ secrets.CFG_ENTE_MINIO_ROOT_PASSWORD }}
+ CFG_ENTE_MUSEUM_KEY_ENCRYPTION: ${{ secrets.CFG_ENTE_MUSEUM_KEY_ENCRYPTION }}
+ CFG_ENTE_MUSEUM_KEY_HASH: ${{ secrets.CFG_ENTE_MUSEUM_KEY_HASH }}
+ CFG_ENTE_MUSEUM_JWT_SECRET: ${{ secrets.CFG_ENTE_MUSEUM_JWT_SECRET }}
+
+ - name: Setup ssh-agent
+ uses: webfactory/ssh-agent@v0.9.0
+ with:
+ ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
+
+ - name: Deploy to remote
+ env:
+ REMOTE_USER: ${{ secrets.REMOTE_USER }}
+ REMOTE_HOST: ${{ secrets.REMOTE_HOST }}
+ REMOTE_PATH: ${{ secrets.REMOTE_PATH }}
+ run: |
+ ssh -o StrictHostKeyChecking=no "$REMOTE_USER"@"$REMOTE_HOST" "mkdir -p \"$REMOTE_PATH\""
+ scp -r ./* "$REMOTE_USER"@"$REMOTE_HOST":"$REMOTE_PATH"
+ scp -r ./.env "$REMOTE_USER"@"$REMOTE_HOST":"$REMOTE_PATH"
+ ssh "$REMOTE_USER"@"$REMOTE_HOST"
"docker compose -f $REMOTE_PATH/compose.yml down"
+ ssh "$REMOTE_USER"@"$REMOTE_HOST" "docker compose -f $REMOTE_PATH/compose.yml pull"
+ ssh "$REMOTE_USER"@"$REMOTE_HOST" "docker compose -f $REMOTE_PATH/compose.yml up -d --force-recreate"
+
diff --git a/compose.template.yml b/compose.template.yml
new file mode 100644
index 0000000..5ff964f
--- /dev/null
+++ b/compose.template.yml
@@ -0,0 +1,127 @@
+services:
+ museum:
+ container_name: ente_museum
+ image: ghcr.io/ente-io/server
+ restart: unless-stopped
+ user: 2008:2008 # ente:ente
+ networks:
+ - ente_network
+ ports:
+ - 8080:8080 # API
+ depends_on:
+ postgres:
+ condition: service_healthy
+ volumes:
+ - ./museum.yaml:/museum.yaml:ro
+ - /mnt/ente_1/museum_data:/data:ro
+ healthcheck:
+ test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:8080/ping"]
+ interval: 60s
+ timeout: 5s
+ retries: 3
+ start_period: 120s
+
+ # Resolve "localhost:3200" in the museum container to the minio container.
+ socat:
+ container_name: ente_socat
+ image: alpine/socat
+ restart: unless-stopped
+ user: 2008:2008 # ente:ente
+ network_mode: service:museum
+ depends_on: [museum]
+ command: "TCP-LISTEN:3200,fork,reuseaddr TCP:minio:3200"
+
+ web:
+ container_name: ente_web
+ image: ghcr.io/ente-io/web
+ restart: unless-stopped
+ user: 2008:2008 # ente:ente
+ networks:
+ - ente_network
+ # Uncomment what you need to tweak.
+ ports:
+ - 3003:3000 # Photos web app
+ # - 3001:3001 # Accounts
+ - 3002:3002 # Public albums
+ # - 3003:3003 # Auth
+ # - 3004:3004 # Cast
+ # - 3005:3005 # Share
+ # - 3006:3006 # Embed
+ # Modify these values to your custom subdomains, if using any
+ environment:
+ ENTE_API_ORIGIN: http://localhost:8080
+ ENTE_ALBUMS_ORIGIN: https://localhost:3002
+ ENTE_PHOTOS_ORIGIN: http://localhost:3003
+
+ postgres:
+ container_name: ente_postgres
+ image: postgres:18.1
+ restart: unless-stopped
+ user: 2008:2008 # ente:ente
+ networks:
+ - ente_network
+ secrets:
+ - postgres_password
+ environment:
+ POSTGRES_USER: pguser
+ POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
+ POSTGRES_DB: ente_db
+ PGDATA: /var/lib/postgresql/data/pgdata
+ healthcheck:
+ test: pg_isready -q -d ente_db -U pguser
+ start_period: 40s
+ start_interval: 1s
+ volumes:
+ - /etc/passwd:/etc/passwd:ro
+ - /mnt/ente_1/postgres_data:/var/lib/postgresql/data:rw
+
+ minio:
+ container_name: ente_minio
+ image: minio/minio
+ restart: unless-stopped
+ user: 2008:2008 # ente:ente
+ networks:
+ - ente_network
+ ports:
+ - 3200:3200 # MinIO API
+ # Uncomment to enable MinIO Web UI
+ # - 3201:3201
+ secrets:
+ - minio_root_user
+ - minio_root_password
+ environment:
+ MINIO_ROOT_USER_FILE: /run/secrets/minio_root_user
+ MINIO_ROOT_PASSWORD_FILE: /run/secrets/minio_root_password
+ command: server /data --address ":3200" --console-address ":3201"
+ volumes:
+ - /mnt/ente_1/minio_data:/data:rw
+ post_start:
+ - command: |
+ sh -c '
+ #!/bin/sh
+
+ while ! mc alias set h0 http://minio:3200 ${CFG_ENTE_MINIO_ROOT_USER} ${CFG_ENTE_MINIO_ROOT_PASSWORD} 2>/dev/null
+ do
+ echo "Waiting for minio..."
+ sleep 0.5
+ done
+
+ cd /data
+
+ mc mb -p b2-eu-cen || true
+ mc mb -p wasabi-eu-central-2-v3 || true
+ mc mb -p scw-eu-fr-v3 || true
+ '
+
+networks:
+ ente_network:
+ name: ente_network
+
+secrets:
+ postgres_password:
+ environment: ENTE_POSTGRES_PASSWORD
+ minio_root_user:
+ environment: ENTE_MINIO_ROOT_USER
+ minio_root_password:
+ environment: ENTE_MINIO_ROOT_PASSWORD
+
diff --git a/museum.template.yaml b/museum.template.yaml
new file mode 100644
index 0000000..17141d7
--- /dev/null
+++ b/museum.template.yaml
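Review bot: The `post_start` hook of `minio` passes `${CFG_ENTE_MINIO_ROOT_USER}` and `${CFG_ENTE_MINIO_ROOT_PASSWORD}` on the `mc alias set` command line, so once envsubst has run, the rendered `compose.yml` holds the MinIO root credentials in plaintext and they can be seen in the container's process list for as long as the `sh -c` loop runs, whereas the service itself reads them through `MINIO_ROOT_USER_FILE`/`MINIO_ROOT_PASSWORD_FILE`. The same two secrets are already mounted into this container, so the hook can read them from there: `while ! mc alias set h0 http://minio:3200 "$(cat /run/secrets/minio_root_user)" "$(cat /run/secrets/minio_root_password)" 2>/dev/null`, which also removes the need for the workflow's `Inject secrets into compose.yml` step. `ENTE_ALBUMS_ORIGIN: https://localhost:3002` under `web` disagrees with the plain `3002:3002` port mapping and with the `http://localhost:3002` `public-albums` value in museum.template.yaml; this looks like a typo for `http://`, but confirm which scheme the deployment actually serves. Note too that `- 3003:3000 # Photos web app` already takes host port 3003, which the commented `# - 3003:3003 # Auth` line would also claim if uncommented.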
@@ -0,0 +1,61 @@
+db:
+ host: postgres
+ port: 5432
+ name: ente_db
+ user: pguser
+ password: ${CFG_ENTE_POSTGRES_PASSWORD}
+
+s3:
+ # Top-level configuration for buckets, you can override by specifying these configuration in the desired bucket.
+ # Set this to false if using external object storage bucket or bucket with SSL
+ are_local_buckets: true
+ # Set this to false if using subdomain-style URL. This is set to true for ensuring compatibility with MinIO when SSL is enabled.
+ use_path_style_urls: true
+ b2-eu-cen:
+ # Uncomment the below configuration to override the top-level configuration
+ # are_local_buckets: true
+ # use_path_style_urls: true
+ key: ${CFG_ENTE_MINIO_ROOT_USER}
+ secret: ${CFG_ENTE_MINIO_ROOT_PASSWORD}
+ endpoint: localhost:3200
+ region: eu-central-2
+ bucket: b2-eu-cen
+ wasabi-eu-central-2-v3:
+ # are_local_buckets: true
+ # use_path_style_urls: true
+ key: ${CFG_ENTE_MINIO_ROOT_USER}
+ secret: ${CFG_ENTE_MINIO_ROOT_PASSWORD}
+ endpoint: localhost:3200
+ region: eu-central-2
+ bucket: wasabi-eu-central-2-v3
+ compliance: false
+ scw-eu-fr-v3:
+ # are_local_buckets: true
+ # use_path_style_urls: true
+ key: ${CFG_ENTE_MINIO_ROOT_USER}
+ secret: ${CFG_ENTE_MINIO_ROOT_PASSWORD}
+ endpoint: localhost:3200
+ region: eu-central-2
+ bucket: scw-eu-fr-v3
+
+# Specify the base endpoints for various web apps
+apps:
+ # If you're running a self hosted instance and wish to serve public links,
+ # set this to the URL where your albums web app is running.
+ public-albums: http://localhost:3002
+ cast: http://localhost:3004
+ # Public locker (share) app
+ public-locker: http://localhost:3005
+ # Embed app for embedded album sharing
+ embed-albums: http://localhost:3006
+ # Set this to the URL where your accounts web app is running, primarily used for
+ # passkey based 2FA.
+ accounts: http://localhost:3001
+
+key:
+ encryption: ${CFG_ENTE_MUSEUM_KEY_ENCRYPTION}
+ hash: ${CFG_ENTE_MUSEUM_KEY_HASH}
+
+jwt:
+ secret: ${CFG_ENTE_MUSEUM_JWT_SECRET}
+
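Review bot: After substitution this file carries the Postgres password, the object-storage key/secret (repeated under all three buckets), `key.encryption`, `key.hash` and `jwt.secret` in plaintext, and the compose file bind-mounts it from the deploy directory, so the file's on-disk mode on the remote host is the only thing protecting those values and nothing in this commit sets it. A header comment such as `# Rendered from museum.template.yaml by the deploy workflow; the rendered museum.yaml contains live secrets — keep it mode 0600 and out of version control` would make that expectation explicit to whoever maintains the host. The `b2-eu-cen`, `wasabi-eu-central-2-v3` and `scw-eu-fr-v3` entries repeat an identical `key`/`secret`/`endpoint`/`region` block; if museum accepts these under the top-level `s3` mapping as the comments suggest for the other two keys, hoisting them would leave a single place to rotate the credential, which should be confirmed against museum's config schema before changing.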
diff --git a/template.env b/template.env
new file mode 100644
index 0000000..0e5f9f2
--- /dev/null
+++ b/template.env
@@ -0,0 +1,4 @@
+ENTE_POSTGRES_PASSWORD=${CFG_ENTE_POSTGRES_PASSWORD}
+ENTE_MINIO_ROOT_USER=${CFG_ENTE_MINIO_ROOT_USER}
+ENTE_MINIO_ROOT_PASSWORD=${CFG_ENTE_MINIO_ROOT_PASSWORD}
+