deploy via Gitea CI registry; provision GCP infra with Terraform

- Terraform: e2-micro VM (us-east1-b, free tier), static IP, SSH/web firewall rules, IAM bindings for Firestore + GCS; imports existing drb-calls bucket and c2-server Firestore database into state - Gitea CI: build c2-core, discord-bot, frontend images and push to git.vpn.cusano.net registry; SSH deploy pulls pre-built images (no build on VM) - Ansible: first-time setup only — git clone, env files from vault, Caddyfile, docker login + compose pull + up; no rsync or on-VM builds - docker-compose: add image: ${REGISTRY}/name:latest alongside build: so local dev and CI registry both work - gitignore: add Terraform state, lock, tfvars, ansible secrets
2026-06-22 02:31:28 -04:00
parent 33700448bf
commit 9fdcad1c46
6 changed files with 100 additions and 50 deletions
@@ -1,16 +1,61 @@
-name: Deploy
+name: Build & Deploy

 on:
  push:
    branches: [main]

 env:
-  SERVER_IP: ${{ secrets.SERVER_IP }}
-  SSH_USER: drb
+  # REGISTRY secret = "git.vpn.cusano.net/logan" (full image prefix)
+  REGISTRY: ${{ secrets.REGISTRY }}

 jobs:
+  build:
+    name: Build & push images
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Gitea registry
+        uses: docker/login-action@v3
+        with:
+          registry: git.vpn.cusano.net
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.BUILD_TOKEN }}
+
+      - name: Build & push c2-core
+        uses: docker/build-push-action@v5
+        with:
+          context: ./drb-c2-core
+          push: true
+          tags: |
+            ${{ env.REGISTRY }}/c2-core:latest
+            ${{ env.REGISTRY }}/c2-core:${{ gitea.sha }}
+
+      - name: Build & push discord-bot
+        uses: docker/build-push-action@v5
+        with:
+          context: ./drb-server-discord-bot
+          push: true
+          tags: |
+            ${{ env.REGISTRY }}/discord-bot:latest
+            ${{ env.REGISTRY }}/discord-bot:${{ gitea.sha }}
+
+      - name: Build & push frontend
+        uses: docker/build-push-action@v5
+        with:
+          context: ./drb-frontend
+          push: true
+          tags: |
+            ${{ env.REGISTRY }}/frontend:latest
+            ${{ env.REGISTRY }}/frontend:${{ gitea.sha }}
+
  deploy:
    name: Deploy to VM
+    needs: build
    runs-on: ubuntu-latest

    steps:
@@ -21,26 +66,24 @@ jobs:

      - name: Deploy
        run: |
-          ssh -o StrictHostKeyChecking=no -i /tmp/deploy_key \
-            ${{ env.SSH_USER }}@${{ env.SERVER_IP }} << 'ENDSSH'
+          ssh -o StrictHostKeyChecking=no \
+              -o HostKeyAlgorithms=ssh-ed25519,rsa-sha2-256,rsa-sha2-512 \
+              -i /tmp/deploy_key \
+              drb@${{ secrets.SERVER_IP }} << 'ENDSSH'
          set -e
          cd /opt/drb

-          # Pull latest code
+          # Update compose files + mosquitto config
          git pull origin main

-          # Rebuild and restart changed services
-          docker compose up -d --build --remove-orphans
-
-          # Reload Caddy if Caddyfile changed
-          sudo systemctl reload caddy
-
-          # Clean up old images
+          # Pull pre-built images and restart (no build on the VM)
+          docker compose -f docker-compose.yml -f docker-compose.prod.yml pull
+          docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d --remove-orphans
          docker image prune -f
          ENDSSH

-      - name: Verify health
+      - name: Health check
        run: |
-          sleep 15
+          sleep 20
          curl -f https://api.${{ secrets.DRB_DOMAIN }}/health || \
            (echo "Health check failed" && exit 1)