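---
name: Publish and Deploy
# The image publish and the host deploys live in one workflow so a single run
# shows the whole path from a push to main through to the rollout.
on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]

# Least privilege for GITHUB_TOKEN: the only thing this workflow does with it
# is check out the repository. Registry and host access use dedicated secrets,
# so nothing here needs write scopes (or the extra read scopes of `read-all`).
permissions:
  contents: read

# Serialise runs for the same ref so two quick pushes to main cannot execute
# `docker compose up` / `kubectl apply` against the same host at the same time.
# Runs queue rather than cancel so an in-flight rollout is never interrupted.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

jobs:
  push_to_registry:
    name: Push Docker Image to Docker Hub
    runs-on: ubuntu-latest
    steps:
      - name: Check out the repo
        # TODO(review): pin to a full commit SHA like the other actions below,
        # so a moved `v4` tag cannot silently change what runs in this job.
        uses: actions/checkout@v4
      - name: Log in to Docker Hub
        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          # NOTE(review): a Docker Hub access token scoped to push on this
          # repository is preferable to the account password -- confirm what
          # DOCKER_PASSWORD actually holds.
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
        with:
          images: willnilges/meshdb
      - name: Build and push Docker image
        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671
        with:
          context: .
          file: ./Dockerfile
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

  deploy_to_grandsvc:
    name: Deploy to grandsvc
    # NOTE(review): this job has no `environment:`, so the GRANDSVC_* secrets
    # are repository-scoped and the deploy runs without environment protection
    # rules, unlike the dev3 and prod jobs below.
    needs: push_to_registry
    runs-on: ubuntu-latest
    steps:
      - name: Install SSH key
        uses: shimataro/ssh-key-action@d4fffb50872869abe2d9a9098a6d9c5aa7d16be4 # v2
        with:
          key: ${{ secrets.GRANDSVC_KEY }}
          name: id_ed25519
          # Pinned host key: ssh refuses an unknown host instead of trusting
          # whatever answers on first connect.
          known_hosts: ${{ secrets.GRANDSVC_KNOWN_HOSTS }}
          # Fail loudly if a key of this name already exists on the runner.
          if_key_exists: fail
      - name: Setup WireGuard
        # Secrets are passed through `env:` rather than interpolated into the
        # script text, so they are never written into the generated shell file.
        # The private-key file is created under a 077 umask (wg warns about a
        # world-readable key file) and removed as soon as wg has loaded it.
        env:
          WG_PRIVATE_KEY: ${{ secrets.WIREGUARD_PRIVATE_KEY }}
          WG_OVERLAY_IP: ${{ secrets.WIREGUARD_OVERLAY_NETWORK_IP }}
          WG_PEER_PUBLIC_KEY: ${{ secrets.WIREGUARD_PEER_PUBLIC_KEY }}
          WG_ENDPOINT: ${{ secrets.WIREGUARD_ENDPOINT }}
          TARGET_IP: ${{ secrets.GRANDSVC_TARGET_IP }}
        run: |
          set -euo pipefail
          # -y makes the non-interactive install explicit; apt-get has a stable CLI for scripts.
          sudo apt-get update -qq
          sudo apt-get install -y wireguard
          (umask 077 && printf '%s\n' "$WG_PRIVATE_KEY" > privatekey)
          sudo ip link add dev wg0 type wireguard
          sudo ip address add dev wg0 "$WG_OVERLAY_IP" peer "$TARGET_IP"
          # NOTE(review): allowed-ips 0.0.0.0/0 lets any address traverse the
          # tunnel; "$TARGET_IP/32" is the least-privilege setting if the peer's
          # overlay address is the target IP -- confirm before tightening.
          sudo wg set wg0 listen-port 48123 private-key privatekey \
            peer "$WG_PEER_PUBLIC_KEY" allowed-ips 0.0.0.0/0 endpoint "$WG_ENDPOINT"
          rm -f privatekey
          sudo ip link set up dev wg0
      - name: Pull new Docker image
        # Connection details come from env so the ssh command line in the
        # generated script does not carry the raw secret values.
        env:
          SSH_USER: ${{ secrets.GRANDSVC_SSH_USER }}
          TARGET_IP: ${{ secrets.GRANDSVC_TARGET_IP }}
          PROJECT_PATH: ${{ secrets.GRANDSVC_PROJECT_PATH }}
        run: |
          ssh "$SSH_USER@$TARGET_IP" "cd $PROJECT_PATH && git pull && docker compose pull && docker compose up -d"

  deploy_to_dev3:
    name: Deploy to dev3
    # Environment-scoped secrets/vars and protection rules apply to this job.
    environment: dev3
    needs: push_to_registry
    runs-on: ubuntu-latest
    # Redundant with the `push.branches` trigger, but keeps the deploy gated
    # on main even if the trigger is broadened later.
    if: github.ref == 'refs/heads/main'
    steps:
      - name: Check out the repo
        # NOTE(review): nothing below reads this checkout (the deploy runs on
        # the remote host); it could be dropped.
        uses: actions/checkout@v4
      - name: Install SSH key
        uses: shimataro/ssh-key-action@d4fffb50872869abe2d9a9098a6d9c5aa7d16be4 # v2
        with:
          key: ${{ secrets.SSH_PRIVATE_KEY }}
          name: id_ed25519
          # Pinned host key: ssh refuses an unknown host instead of trusting
          # whatever answers on first connect.
          known_hosts: ${{ secrets.SSH_KNOWN_HOSTS }}
          # Fail loudly if a key of this name already exists on the runner.
          if_key_exists: fail
      - name: Setup WireGuard
        # Secrets are passed through `env:` rather than interpolated into the
        # script text, so they are never written into the generated shell file.
        # The private-key file is created under a 077 umask (wg warns about a
        # world-readable key file) and removed as soon as wg has loaded it.
        env:
          WG_PRIVATE_KEY: ${{ secrets.WIREGUARD_PRIVATE_KEY }}
          WG_OVERLAY_IP: ${{ secrets.WIREGUARD_OVERLAY_NETWORK_IP }}
          WG_PEER_PUBLIC_KEY: ${{ secrets.WIREGUARD_PEER_PUBLIC_KEY }}
          WG_ENDPOINT: ${{ secrets.WIREGUARD_ENDPOINT }}
          TARGET_IP: ${{ secrets.SSH_TARGET_IP }}
        run: |
          set -euo pipefail
          # -y makes the non-interactive install explicit; apt-get has a stable CLI for scripts.
          sudo apt-get update -qq
          sudo apt-get install -y wireguard
          (umask 077 && printf '%s\n' "$WG_PRIVATE_KEY" > privatekey)
          sudo ip link add dev wg1 type wireguard
          sudo ip address add dev wg1 "$WG_OVERLAY_IP" peer "$TARGET_IP"
          # NOTE(review): allowed-ips 0.0.0.0/0 lets any address traverse the
          # tunnel; "$TARGET_IP/32" is the least-privilege setting if the peer's
          # overlay address is the target IP -- confirm before tightening.
          sudo wg set wg1 listen-port 48123 private-key privatekey \
            peer "$WG_PEER_PUBLIC_KEY" allowed-ips 0.0.0.0/0 endpoint "$WG_ENDPOINT"
          rm -f privatekey
          sudo ip link set up dev wg1
      - name: Deploy Helm Chart
        # All values are expanded locally from env into the remote command
        # string, exactly as the inline `${{ }}` form did, without placing the
        # secrets in the generated script text.
        # NOTE(review): every --set value still ends up on the remote `helm`
        # command line, where any local user on the host can read it from
        # /proc/<pid>/cmdline while it runs; a values file piped over stdin or
        # Kubernetes Secrets managed outside the chart would avoid that.
        # NOTE(review): `git pull` runs against whatever branch the remote
        # checkout is on before `git checkout main`; the usual order is
        # checkout first, then pull -- left as-is pending confirmation.
        env:
          SSH_USER: ${{ secrets.SSH_USER }}
          SSH_TARGET_IP: ${{ secrets.SSH_TARGET_IP }}
          PROJECT_PATH: ${{ secrets.PROJECT_PATH }}
          APP_NAMESPACE: ${{ vars.APP_NAMESPACE }}
          SERVER_NAME: ${{ vars.SERVER_NAME }}
          PG_PASSWORD: ${{ secrets.PG_PASSWORD }}
          ACCESS_KEY_ID: ${{ secrets.ACCESS_KEY_ID }}
          SECRET_ACCESS_KEY: ${{ secrets.SECRET_ACCESS_KEY }}
          BACKUP_S3_BASE_FOLDER: ${{ vars.BACKUP_S3_BASE_FOLDER }}
          BACKUP_S3_BUCKET_NAME: ${{ secrets.BACKUP_S3_BUCKET_NAME }}
          DJANGO_SECRET_KEY: ${{ secrets.DJANGO_SECRET_KEY }}
          NN_ASSIGN_PSK: ${{ secrets.NN_ASSIGN_PSK }}
          QUERY_PSK: ${{ secrets.QUERY_PSK }}
          PANO_GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
          PGADMIN_EMAIL: ${{ secrets.PGADMIN_EMAIL }}
          PGADMIN_PASSWORD: ${{ secrets.PGADMIN_PASSWORD }}
          UISP_USER: ${{ secrets.UISP_USER }}
          UISP_PSK: ${{ secrets.UISP_PSK }}
        run: |
          ssh "$SSH_USER@$SSH_TARGET_IP" "\
            sudo bash -c '\
              cd $PROJECT_PATH && \
              git pull && \
              git checkout main && \
              cd infra/helm/meshdb && \
              helm template . -f values.yaml \
                --set meshdb_app_namespace=\"$APP_NAMESPACE\" \
                --set nginx.server_name=\"$SERVER_NAME\" \
                --set pg.password=\"$PG_PASSWORD\" \
                --set aws.access_key_id=\"$ACCESS_KEY_ID\" \
                --set aws.secret_access_key=\"$SECRET_ACCESS_KEY\" \
                --set meshweb.backup_s3_base_folder=\"$BACKUP_S3_BASE_FOLDER\" \
                --set meshweb.backup_s3_bucket_name=\"$BACKUP_S3_BUCKET_NAME\" \
                --set meshweb.django_secret_key=\"$DJANGO_SECRET_KEY\" \
                --set meshweb.nn_assign_psk=\"$NN_ASSIGN_PSK\" \
                --set meshweb.query_psk=\"$QUERY_PSK\" \
                --set meshweb.pano_github_token=\"$PANO_GITHUB_TOKEN\" \
                --set pgadmin.default_email=\"$PGADMIN_EMAIL\" \
                --set pgadmin.default_password=\"$PGADMIN_PASSWORD\" \
                --set uisp.user=\"$UISP_USER\" \
                --set uisp.psk=\"$UISP_PSK\" \
                | kubectl apply -f - && \
              kubectl -n $APP_NAMESPACE rollout restart deploy \
            '"

  deploy_to_prod1:
    name: Deploy to prod 1
    # Environment-scoped secrets/vars and protection rules apply to this job.
    environment: prod
    needs: push_to_registry
    runs-on: ubuntu-latest
    # Redundant with the `push.branches` trigger, but keeps the deploy gated
    # on main even if the trigger is broadened later.
    if: github.ref == 'refs/heads/main'
    steps:
      - name: Check out the repo
        # NOTE(review): nothing below reads this checkout (the deploy runs on
        # the remote host); it could be dropped.
        uses: actions/checkout@v4
      - name: Install SSH key
        uses: shimataro/ssh-key-action@d4fffb50872869abe2d9a9098a6d9c5aa7d16be4 # v2
        with:
          key: ${{ secrets.SSH_PRIVATE_KEY }}
          name: id_ed25519
          # Pinned host key: ssh refuses an unknown host instead of trusting
          # whatever answers on first connect.
          known_hosts: ${{ secrets.SSH_KNOWN_HOSTS }}
          # Fail loudly if a key of this name already exists on the runner.
          if_key_exists: fail
      - name: Setup WireGuard
        # Secrets are passed through `env:` rather than interpolated into the
        # script text, so they are never written into the generated shell file.
        # The private-key file is created under a 077 umask (wg warns about a
        # world-readable key file) and removed as soon as wg has loaded it.
        env:
          WG_PRIVATE_KEY: ${{ secrets.WIREGUARD_PRIVATE_KEY }}
          WG_OVERLAY_IP: ${{ secrets.WIREGUARD_OVERLAY_NETWORK_IP }}
          WG_PEER_PUBLIC_KEY: ${{ secrets.WIREGUARD_PEER_PUBLIC_KEY }}
          WG_ENDPOINT: ${{ secrets.WIREGUARD_ENDPOINT }}
          TARGET_IP: ${{ secrets.SSH_TARGET_IP }}
        run: |
          set -euo pipefail
          # -y makes the non-interactive install explicit; apt-get has a stable CLI for scripts.
          sudo apt-get update -qq
          sudo apt-get install -y wireguard
          (umask 077 && printf '%s\n' "$WG_PRIVATE_KEY" > privatekey)
          sudo ip link add dev wg2 type wireguard
          sudo ip address add dev wg2 "$WG_OVERLAY_IP" peer "$TARGET_IP"
          # NOTE(review): allowed-ips 0.0.0.0/0 lets any address traverse the
          # tunnel; "$TARGET_IP/32" is the least-privilege setting if the peer's
          # overlay address is the target IP -- confirm before tightening.
          sudo wg set wg2 listen-port 48123 private-key privatekey \
            peer "$WG_PEER_PUBLIC_KEY" allowed-ips 0.0.0.0/0 endpoint "$WG_ENDPOINT"
          rm -f privatekey
          sudo ip link set up dev wg2
      - name: Deploy Helm Chart
        # All values are expanded locally from env into the remote command
        # string, exactly as the inline `${{ }}` form did, without placing the
        # secrets in the generated script text.
        # NOTE(review): every --set value still ends up on the remote `helm`
        # command line, where any local user on the host can read it from
        # /proc/<pid>/cmdline while it runs; a values file piped over stdin or
        # Kubernetes Secrets managed outside the chart would avoid that.
        # NOTE(review): `git pull` runs against whatever branch the remote
        # checkout is on before `git checkout main`; the usual order is
        # checkout first, then pull -- left as-is pending confirmation.
        env:
          SSH_USER: ${{ secrets.SSH_USER }}
          SSH_TARGET_IP: ${{ secrets.SSH_TARGET_IP }}
          PROJECT_PATH: ${{ secrets.PROJECT_PATH }}
          APP_NAMESPACE: ${{ vars.APP_NAMESPACE }}
          SERVER_NAME: ${{ vars.SERVER_NAME }}
          PG_PASSWORD: ${{ secrets.PG_PASSWORD }}
          ACCESS_KEY_ID: ${{ secrets.ACCESS_KEY_ID }}
          SECRET_ACCESS_KEY: ${{ secrets.SECRET_ACCESS_KEY }}
          BACKUP_S3_BASE_FOLDER: ${{ vars.BACKUP_S3_BASE_FOLDER }}
          BACKUP_S3_BUCKET_NAME: ${{ secrets.BACKUP_S3_BUCKET_NAME }}
          DJANGO_SECRET_KEY: ${{ secrets.DJANGO_SECRET_KEY }}
          NN_ASSIGN_PSK: ${{ secrets.NN_ASSIGN_PSK }}
          QUERY_PSK: ${{ secrets.QUERY_PSK }}
          PANO_GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
          PGADMIN_EMAIL: ${{ secrets.PGADMIN_EMAIL }}
          PGADMIN_PASSWORD: ${{ secrets.PGADMIN_PASSWORD }}
          UISP_USER: ${{ secrets.UISP_USER }}
          UISP_PSK: ${{ secrets.UISP_PSK }}
        run: |
          ssh "$SSH_USER@$SSH_TARGET_IP" "\
            sudo bash -c '\
              cd $PROJECT_PATH && \
              git pull && \
              git checkout main && \
              cd infra/helm/meshdb && \
              helm template . -f values.yaml \
                --set meshdb_app_namespace=\"$APP_NAMESPACE\" \
                --set nginx.server_name=\"$SERVER_NAME\" \
                --set pg.password=\"$PG_PASSWORD\" \
                --set aws.access_key_id=\"$ACCESS_KEY_ID\" \
                --set aws.secret_access_key=\"$SECRET_ACCESS_KEY\" \
                --set meshweb.backup_s3_base_folder=\"$BACKUP_S3_BASE_FOLDER\" \
                --set meshweb.backup_s3_bucket_name=\"$BACKUP_S3_BUCKET_NAME\" \
                --set meshweb.django_secret_key=\"$DJANGO_SECRET_KEY\" \
                --set meshweb.nn_assign_psk=\"$NN_ASSIGN_PSK\" \
                --set meshweb.query_psk=\"$QUERY_PSK\" \
                --set meshweb.pano_github_token=\"$PANO_GITHUB_TOKEN\" \
                --set pgadmin.default_email=\"$PGADMIN_EMAIL\" \
                --set pgadmin.default_password=\"$PGADMIN_PASSWORD\" \
                --set uisp.user=\"$UISP_USER\" \
                --set uisp.psk=\"$UISP_PSK\" \
                | kubectl apply -f - && \
              kubectl -n $APP_NAMESPACE rollout restart deploy \
            '"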