+ version bump

.vscode/settings.json

@@ -1,5 +1,9 @@
 {
     "yaml.schemas": {
-        "https://raw.githubusercontent.com/woodpecker-ci/woodpecker/main/pipeline/frontend/yaml/linter/schema/schema.json": "file:///Users/stephan/Documents/Projects/sendico/.woodpecker/chain_gateway.yml"
+        "https://raw.githubusercontent.com/woodpecker-ci/woodpecker/main/pipeline/frontend/yaml/linter/schema/schema.json": [
+            ".woodpecker/*.yml",
+            ".woodpecker.yml",
+            "woodpecker.yml"
+        ]
     }
 }

.woodpecker/bff.yml

@@ -1,10 +1,13 @@
-matrix:
-  include:
-    - BFF_IMAGE_PATH: bff/service
-      BFF_DOCKERFILE: ci/prod/compose/bff.dockerfile
-      BFF_MONGO_SECRET_PATH: sendico/db
-      BFF_API_SECRET_PATH: sendico/api/endpoint
-      BFF_ENV: prod
+kind: pipeline
+type: docker
+name: bff
+
+environment:
+  BFF_IMAGE_PATH: bff/service
+  BFF_DOCKERFILE: ci/prod/compose/bff.dockerfile
+  BFF_MONGO_SECRET_PATH: sendico/db
+  BFF_API_SECRET_PATH: sendico/api/endpoint
+  BFF_ENV: prod
 
 when:
   - event: push

.woodpecker/billing_fees.yml

@@ -1,9 +1,12 @@
-matrix:
-  include:
-    - FEES_IMAGE_PATH: billing/fees
-      FEES_DOCKERFILE: ci/prod/compose/billing_fees.dockerfile
-      FEES_MONGO_SECRET_PATH: sendico/db
-      FEES_ENV: prod
+kind: pipeline
+type: docker
+name: billing_fees
+
+environment:
+  FEES_IMAGE_PATH: billing/fees
+  FEES_DOCKERFILE: ci/prod/compose/billing_fees.dockerfile
+  FEES_MONGO_SECRET_PATH: sendico/db
+  FEES_ENV: prod
 
 when:
   - event: push

.woodpecker/bump_version.yml

@@ -0,0 +1,29 @@
+kind: pipeline
+type: docker
+name: bump_version
+depends_on:
+  - bff
+  - billing_fees
+  - chain_gateway
+  - db
+  - fx_ingestor
+  - fx_oracle
+  - ledger
+  - nats
+  - notification
+  - payments_orchestrator
+
+when:
+  - event: push
+    branch: main
+
+steps:
+  - name: bump-version
+    image: alpine:latest
+    environment:
+      GIT_AUTHOR_NAME: woodpecker
+      GIT_AUTHOR_EMAIL: ci@sendico.io
+    commands:
+      - set -euo pipefail
+      - apk add --no-cache git
+      - sh ci/scripts/common/bump_version.sh

.woodpecker/chain_gateway.yml

@@ -1,12 +1,15 @@
-matrix:
-  include:
-    - CHAIN_GATEWAY_IMAGE_PATH: chain/gateway
-      CHAIN_GATEWAY_DOCKERFILE: ci/prod/compose/chain_gateway.dockerfile
-      CHAIN_GATEWAY_MONGO_SECRET_PATH: sendico/db
-      CHAIN_GATEWAY_RPC_SECRET_PATH: sendico/chain/gateway
-      CHAIN_GATEWAY_WALLET_SECRET_PATH: sendico/chain/gateway/wallet
-      CHAIN_GATEWAY_VAULT_SECRET_PATH: sendico/chain/gateway/vault
-      CHAIN_GATEWAY_ENV: prod
+kind: pipeline
+type: docker
+name: chain_gateway
+
+environment:
+  CHAIN_GATEWAY_IMAGE_PATH: chain/gateway
+  CHAIN_GATEWAY_DOCKERFILE: ci/prod/compose/chain_gateway.dockerfile
+  CHAIN_GATEWAY_MONGO_SECRET_PATH: sendico/db
+  CHAIN_GATEWAY_RPC_SECRET_PATH: sendico/chain/gateway
+  CHAIN_GATEWAY_WALLET_SECRET_PATH: sendico/chain/gateway/wallet
+  CHAIN_GATEWAY_VAULT_SECRET_PATH: sendico/chain/gateway/vault
+  CHAIN_GATEWAY_ENV: prod
 
 when:
   - event: push

.woodpecker/db.yml

@@ -1,3 +1,7 @@
+kind: pipeline
+type: docker
+name: db
+
 when:
   - event: push
     branch: main

.woodpecker/fx_ingestor.yml

@@ -1,19 +1,15 @@
-matrix:
-  include:
-    - FX_PIPELINE: fx_ingestor
-      FX_IMAGE_PATH: fx/ingestor
-      FX_DOCKERFILE: ci/prod/compose/fx_ingestor.dockerfile
-      FX_DEPLOY_TARGET: ingestor
-      FX_MONGO_SECRET_PATH: sendico/db
-      FX_NEEDS_NATS: "false"
-      FX_ENV: prod
-    - FX_PIPELINE: fx_oracle
-      FX_IMAGE_PATH: fx/oracle
-      FX_DOCKERFILE: ci/prod/compose/fx_oracle.dockerfile
-      FX_DEPLOY_TARGET: oracle
-      FX_MONGO_SECRET_PATH: sendico/db
-      FX_NEEDS_NATS: "true"
-      FX_ENV: prod
+kind: pipeline
+type: docker
+name: fx_ingestor
+
+environment:
+  FX_PIPELINE: fx_ingestor
+  FX_IMAGE_PATH: fx/ingestor
+  FX_DOCKERFILE: ci/prod/compose/fx_ingestor.dockerfile
+  FX_DEPLOY_TARGET: ingestor
+  FX_MONGO_SECRET_PATH: sendico/db
+  FX_NEEDS_NATS: "false"
+  FX_ENV: prod
 
 when:
   - event: push

.woodpecker/fx_oracle.yml

@@ -0,0 +1,80 @@
+kind: pipeline
+type: docker
+name: fx_oracle
+
+environment:
+  FX_PIPELINE: fx_oracle
+  FX_IMAGE_PATH: fx/oracle
+  FX_DOCKERFILE: ci/prod/compose/fx_oracle.dockerfile
+  FX_DEPLOY_TARGET: oracle
+  FX_MONGO_SECRET_PATH: sendico/db
+  FX_NEEDS_NATS: "true"
+  FX_ENV: prod
+
+when:
+  - event: push
+    branch: main
+
+steps:
+  - name: version
+    image: alpine:latest
+    commands:
+      - set -euo pipefail 2>/dev/null || set -eu
+      - apk add --no-cache git
+      - GIT_REV="$(git rev-parse --short HEAD)"
+      - BUILD_BRANCH="$(git rev-parse --abbrev-ref HEAD)"
+      - APP_V="$(cat version)"
+      - BUILD_DATE="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
+      - BUILD_USER="${WOODPECKER_MACHINE:-woodpecker}"
+      - printf "GIT_REV=%s\nBUILD_BRANCH=%s\nAPP_V=%s\nBUILD_DATE=%s\nBUILD_USER=%s\n" \
+          "$GIT_REV" "$BUILD_BRANCH" "$APP_V" "$BUILD_DATE" "$BUILD_USER" | tee .env.version
+
+  - name: proto
+    image: golang:alpine
+    depends_on: [ version ]
+    commands:
+      - set -eu
+      # protoc + headers; protobuf runtime pkg is not needed for codegen
+      - apk add --no-cache bash git build-base protoc protobuf-dev
+      - go install google.golang.org/protobuf/cmd/protoc-gen-go@latest
+      - go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
+      - export PATH="$(go env GOPATH)/bin:$PATH"
+      - bash ci/scripts/proto/generate.sh
+
+  - name: secrets
+    image: alpine:latest
+    depends_on: [ version ]
+    environment:
+      VAULT_ADDR: { from_secret: VAULT_ADDR }
+      VAULT_ROLE_ID:   { from_secret: VAULT_APP_ROLE }
+      VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }
+    commands:
+      - set -euo pipefail
+      - apk add --no-cache bash coreutils openssh-keygen curl sed python3
+      - mkdir -p secrets
+      - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
+      - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
+      - chmod 600 secrets/SSH_KEY
+      - ssh-keygen -y -f secrets/SSH_KEY >/dev/null
+      - ./ci/vlt kv_get kv registry user > secrets/REGISTRY_USER
+      - ./ci/vlt kv_get kv registry password > secrets/REGISTRY_PASSWORD
+
+  - name: build-image
+    image: gcr.io/kaniko-project/executor:debug
+    depends_on: [ proto, secrets ]
+    commands:
+      - sh ci/scripts/fx/build-image.sh
+
+  - name: deploy
+    image: alpine:latest
+    depends_on: [ secrets, build-image ]
+    environment:
+      VAULT_ADDR: { from_secret: VAULT_ADDR }
+      VAULT_ROLE_ID:   { from_secret: VAULT_APP_ROLE }
+      VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }
+    commands:
+      - set -euo pipefail
+      - apk add --no-cache bash openssh-client rsync coreutils curl sed python3
+      - mkdir -p /root/.ssh
+      - install -m 600 secrets/SSH_KEY /root/.ssh/id_rsa
+      - sh ci/scripts/fx/deploy.sh

.woodpecker/ledger.yml

@@ -1,9 +1,12 @@
-matrix:
-  include:
-    - LEDGER_IMAGE_PATH: ledger/service
-      LEDGER_DOCKERFILE: ci/prod/compose/ledger.dockerfile
-      LEDGER_MONGO_SECRET_PATH: sendico/db
-      LEDGER_ENV: prod
+kind: pipeline
+type: docker
+name: ledger
+
+environment:
+  LEDGER_IMAGE_PATH: ledger/service
+  LEDGER_DOCKERFILE: ci/prod/compose/ledger.dockerfile
+  LEDGER_MONGO_SECRET_PATH: sendico/db
+  LEDGER_ENV: prod
 
 when:
   - event: push

.woodpecker/nats.yml

@@ -1,3 +1,7 @@
+kind: pipeline
+type: docker
+name: nats
+
 when:
   - event: push
     branch: main

.woodpecker/notification.yml

@@ -1,11 +1,14 @@
-matrix:
-  include:
-    - NOTIFICATION_IMAGE_PATH: notification/service
-      NOTIFICATION_DOCKERFILE: ci/prod/compose/notification.dockerfile
-      NOTIFICATION_MONGO_SECRET_PATH: sendico/db
-      NOTIFICATION_MAIL_SECRET_PATH: sendico/notification/mail
-      NOTIFICATION_API_SECRET_PATH: sendico/api/endpoint
-      NOTIFICATION_ENV: prod
+kind: pipeline
+type: docker
+name: notification
+
+environment:
+  NOTIFICATION_IMAGE_PATH: notification/service
+  NOTIFICATION_DOCKERFILE: ci/prod/compose/notification.dockerfile
+  NOTIFICATION_MONGO_SECRET_PATH: sendico/db
+  NOTIFICATION_MAIL_SECRET_PATH: sendico/notification/mail
+  NOTIFICATION_API_SECRET_PATH: sendico/api/endpoint
+  NOTIFICATION_ENV: prod
 
 when:
   - event: push

.woodpecker/payments_orchestrator.yml

@@ -1,9 +1,12 @@
-matrix:
-  include:
-    - PAYMENTS_IMAGE_PATH: payments/orchestrator
-      PAYMENTS_DOCKERFILE: ci/prod/compose/payments_orchestrator.dockerfile
-      PAYMENTS_MONGO_SECRET_PATH: sendico/db
-      PAYMENTS_ENV: prod
+kind: pipeline
+type: docker
+name: payments_orchestrator
+
+environment:
+  PAYMENTS_IMAGE_PATH: payments/orchestrator
+  PAYMENTS_DOCKERFILE: ci/prod/compose/payments_orchestrator.dockerfile
+  PAYMENTS_MONGO_SECRET_PATH: sendico/db
+  PAYMENTS_ENV: prod
 
 when:
   - event: push

ci/scripts/common/bump_version.sh

@@ -0,0 +1,42 @@
+#!/bin/sh
+set -eu
+
+REPO_ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
+cd "${REPO_ROOT}"
+
+VERSION_FILE="./version"
+if [ ! -f "${VERSION_FILE}" ]; then
+  echo "[bump-version] version file not found: ${VERSION_FILE}" >&2
+  exit 1
+fi
+
+CURRENT_VERSION="$(cat "${VERSION_FILE}")"
+NEXT_VERSION="$(printf '%s' "${CURRENT_VERSION}" | awk -F. -v OFS=. '
+  NF==1 { print ++$NF; next }
+  {
+    $NF=sprintf("%0*d", length($NF), ($NF+1))
+    print
+  }')"
+
+printf '%s\n' "${NEXT_VERSION}" > "${VERSION_FILE}"
+echo "[bump-version] ${CURRENT_VERSION} -> ${NEXT_VERSION}"
+
+git add "${VERSION_FILE}"
+if git diff --cached --quiet; then
+  echo "[bump-version] no changes staged, skipping commit"
+  exit 0
+fi
+
+AUTHOR_NAME="${GIT_AUTHOR_NAME:-woodpecker}"
+AUTHOR_EMAIL="${GIT_AUTHOR_EMAIL:-ci@sendico.io}"
+git config user.name "${AUTHOR_NAME}"
+git config user.email "${AUTHOR_EMAIL}"
+
+git commit -m "chore(ci): bump version to ${NEXT_VERSION}"
+
+BRANCH="${WOODPECKER_BRANCH:-}"
+if [ -z "${BRANCH}" ] || [ "${BRANCH}" = "HEAD" ]; then
+  BRANCH="$(git rev-parse --abbrev-ref HEAD)"
+fi
+
+git push origin "HEAD:${BRANCH}"

infra/mail/docker-compose.yml

@@ -0,0 +1,83 @@
+services:
+  mail:
+    image: ghcr.io/docker-mailserver/docker-mailserver:latest
+    hostname: mail.sendico.io
+    environment:
+      - MAIL_DOMAIN=sendico.io
+      - MAIL_HOSTNAME=mail
+      - MAIL_FQDN=mail.sendico.io
+      - SSL_TYPE=letsencrypt
+    env_file: .env
+    volumes:
+      - /srv/infra/compose/mail/data:/var/mail
+      - /srv/infra/compose/mail/state:/var/mail-state
+      - /srv/infra/compose/mail/logs:/var/log/mail
+      - /srv/infra/compose/mail/config:/tmp/docker-mailserver
+      - traefik_letsencrypt:/etc/letsencrypt:ro       # 👈 общие сертификаты Traefik
+    ports:
+      - target: 25
+        published: 25
+        protocol: tcp
+        mode: host
+      - target: 465
+        published: 465
+        protocol: tcp
+        mode: host
+      - target: 587
+        published: 587
+        protocol: tcp
+        mode: host
+      - target: 993
+        published: 993
+        protocol: tcp
+        mode: host
+    cap_add:
+      - NET_ADMIN
+      - SYS_PTRACE
+    deploy:
+      restart_policy:
+        condition: on-failure
+      placement:
+        constraints:
+          - node.hostname == infra
+    stop_grace_period: 1m
+    networks:
+      - cicd
+
+  webmail:
+    image: djmaze/snappymail:latest
+    depends_on:
+      - mail
+    environment:
+      SNAPPYMAIL_DEFAULT_HOST: mail.sendico.io
+      SNAPPYMAIL_DEFAULT_PORT: 993
+      SNAPPYMAIL_SMTP_SERVER: mail.sendico.io
+      SNAPPYMAIL_SMTP_PORT: 587
+      SNAPPYMAIL_SMTP_SECURE: "STARTTLS"
+    volumes:
+      - webmail_data:/var/lib/snappymail
+    networks:
+      - cicd
+    ports:
+      - "8088:80"
+    deploy:
+      restart_policy:
+        condition: on-failure
+      placement:
+        constraints:
+          - node.hostname == infra
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.routers.webmail.rule=Host(`webmail.sendico.io`)"
+        - "traefik.http.routers.webmail.entrypoints=websecure"
+        - "traefik.http.routers.webmail.tls.certresolver=letsencrypt"
+        - "traefik.http.services.webmail.loadbalancer.server.port=8888"
+
+networks:
+  cicd:
+    external: true
+
+volumes:
+  webmail_data:
+  traefik_letsencrypt:
+    external: true