93 lines
3.7 KiB
YAML
93 lines
3.7 KiB
YAML
when:
|
||
- event: push
|
||
branch: main
|
||
|
||
steps:
|
||
- name: version
|
||
image: alpine:latest
|
||
commands:
|
||
- apk add --no-cache git
|
||
- GIT_REV="$(git rev-parse --short HEAD)"
|
||
- BUILD_BRANCH="$(git rev-parse --abbrev-ref HEAD)"
|
||
- APP_V="$(cat version)"
|
||
- printf "GIT_REV=%s\nBUILD_BRANCH=%s\nAPP_V=%s\n" "$GIT_REV" "$BUILD_BRANCH" "$APP_V" | tee .env.version
|
||
|
||
- name: secrets
|
||
image: alpine:latest
|
||
depends_on: [ version ]
|
||
environment:
|
||
VAULT_ADDR: https://vault.sendico.io
|
||
VAULT_ROLE_ID: { from_secret: VAULT_APP_ROLE }
|
||
VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }
|
||
commands:
|
||
- apk add --no-cache curl bash coreutils sed python3 openssh-keygen
|
||
- mkdir -p secrets
|
||
# fetch SSH private key for deploy (base64-encoded) and decode
|
||
- ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
|
||
- base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
|
||
- chmod 600 secrets/SSH_KEY
|
||
- ssh-keygen -y -f secrets/SSH_KEY >/dev/null
|
||
|
||
- name: deploy
|
||
image: alpine:latest
|
||
depends_on: [ secrets ]
|
||
commands:
|
||
- |
|
||
set -Eeuo pipefail
|
||
|
||
apk add --no-cache bash openssh-client rsync coreutils
|
||
|
||
mkdir -p /root/.ssh
|
||
# проверим, что секретный ключ реально есть
|
||
[ -s secrets/SSH_KEY ] || { echo "ERROR: secrets/SSH_KEY missing"; ls -laR; exit 1; }
|
||
install -m 600 secrets/SSH_KEY /root/.ssh/id_rsa
|
||
|
||
# sanity: файл с переменными существует и без CRLF
|
||
[ -f ./ci/prod/.env.runtime ] || { echo "ERROR: ./ci/prod/.env.runtime not found"; exit 1; }
|
||
sed -i 's/\r$//' ./ci/prod/.env.runtime
|
||
echo '--- .env.runtime (snippet) ---'
|
||
grep -nE '^(REMOTE_BASE|DB_DIR|SSH_USER|SSH_HOST)=' ./ci/prod/.env.runtime || true
|
||
|
||
# загрузка env-файлов
|
||
set -a
|
||
. ./ci/prod/.env.runtime
|
||
. ./.env.version
|
||
set +a
|
||
|
||
# жёсткие ассерты — если хоть что-то пустое, ОСТАНАВЛИВАЕМСЯ
|
||
: "${REMOTE_BASE:?missing REMOTE_BASE}"
|
||
: "${DB_DIR:?missing DB_DIR}"
|
||
: "${SSH_USER:?missing SSH_USER}"
|
||
: "${SSH_HOST:?missing SSH_HOST}"
|
||
|
||
printf 'REMOTE_BASE=%s\nDB_DIR=%s\nSSH_USER=%s\nSSH_HOST=%s\n' \
|
||
"$REMOTE_BASE" "$DB_DIR" "$SSH_USER" "$SSH_HOST"
|
||
|
||
SSH_OPTS='-i /root/.ssh/id_rsa -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -vv'
|
||
REMOTE_DIR="${REMOTE_BASE%/}/${DB_DIR}"
|
||
REMOTE_TARGET="${SSH_USER}@${SSH_HOST}"
|
||
|
||
# быстрая проверка, что ключ читается
|
||
ssh $SSH_OPTS -o BatchMode=yes "$REMOTE_TARGET" 'echo "[whoami] $(whoami) @ $(hostname) $(date -Is)"'
|
||
|
||
# синк
|
||
ssh $SSH_OPTS "$REMOTE_TARGET" "mkdir -p ${REMOTE_DIR}/{compose,env}"
|
||
rsync -avz --delete -e "ssh $SSH_OPTS" ci/prod/compose/ "$REMOTE_TARGET:${REMOTE_DIR}/compose/"
|
||
rsync -avz -e "ssh $SSH_OPTS" ci/prod/.env.runtime "$REMOTE_TARGET:${REMOTE_DIR}/env/.env.runtime"
|
||
|
||
# деплой на удалёнке (ВАЖНО: bash -s, чтобы heredoc выполнился)
|
||
ssh $SSH_OPTS "$REMOTE_TARGET" REMOTE_DIR="$REMOTE_DIR" bash -s <<'EOSSH'
|
||
set -Eeuxo pipefail
|
||
echo "[remote] whoami=$(whoami) host=$(hostname) pwd=$PWD"
|
||
cd "${REMOTE_DIR}/compose"
|
||
set -a; . ../env/.env.runtime; set +a
|
||
docker compose -f db.yml pull
|
||
docker compose -f db.yml up -d --remove-orphans
|
||
docker compose ps
|
||
date -Is | tee .last_deploy
|
||
logger -t deploy-db "db deployed at $(date -Is) in ${REMOTE_DIR}"
|
||
EOSSH
|
||
|
||
|
||
|