-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathdeploy.sh
More file actions
executable file
·237 lines (209 loc) · 8.64 KB
/
Copy pathdeploy.sh
File metadata and controls
executable file
·237 lines (209 loc) · 8.64 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
#!/bin/bash
# deploy.sh — run on the server after cloning or pulling updates
set -e
COMPOSE="docker compose -f docker-compose.yml -f docker-compose.prod.yml"
REPO_DIR="/opt/simplerms"
echo "==> Changing to repo directory"
cd "$REPO_DIR"
echo "==> Ensuring .env.local exists"
if [ ! -f .env.local ]; then
cp .env.example .env.local
echo " Created .env.local from .env.example"
fi
if ! grep -q "^AUTH_SECRET=" .env.local 2>/dev/null; then
echo "AUTH_SECRET=$(openssl rand -base64 32)" >> .env.local
echo " Generated AUTH_SECRET"
fi
if ! grep -q "^APP_ENCRYPTION_KEY=" .env.local 2>/dev/null || grep -q "replace-with" .env.local 2>/dev/null; then
sed -i "s|APP_ENCRYPTION_KEY=.*|APP_ENCRYPTION_KEY=$(openssl rand -hex 32)|" .env.local
echo " Generated APP_ENCRYPTION_KEY"
fi
if ! grep -q "^AUTH_TRUST_HOST=" .env.local 2>/dev/null; then
echo "AUTH_TRUST_HOST=true" >> .env.local
echo " Set AUTH_TRUST_HOST=true (required behind reverse proxy)"
fi
echo "==> Ensuring swap space (prevents OOM during build)"
if [ ! -f /swapfile ]; then
sudo fallocate -l 2G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
echo "/swapfile none swap sw 0 0" | sudo tee -a /etc/fstab > /dev/null
echo " Created 2GB swap"
elif ! swapon --show | grep -q /swapfile; then
sudo swapon /swapfile
echo " Enabled existing swap"
else
echo " Swap already active"
fi
echo "==> Ensuring database is running"
$COMPOSE up -d db
echo " Waiting for database..."
until $COMPOSE exec -T db pg_isready -U simplerms > /dev/null 2>&1; do
sleep 2
done
echo " Database ready"
echo "==> Building new image (old app keeps serving traffic)"
# --profile tools includes the migrator service (used for prisma + blog seeds).
# Without it, only app/db/mailpit rebuild, and the migrator image goes stale —
# silently missing new prisma/seed-blog-*.ts files from every deploy after it
# was first built. Learned that the hard way: prompt-jockeys seed couldn't find
# its own file because the migrator image was two commits out of date.
$COMPOSE --profile tools build --no-cache
echo "==> Pushing schema to database"
$COMPOSE run --rm migrator npx prisma db push --skip-generate
echo "==> Checking if seed is needed"
USER_COUNT=$($COMPOSE exec -T db \
psql -U simplerms -d simplerms -tAc "SELECT COUNT(*) FROM \"User\";" 2>/dev/null || echo "0")
SERVICE_COUNT=$($COMPOSE exec -T db \
psql -U simplerms -d simplerms -tAc "SELECT COUNT(*) FROM \"Service\";" 2>/dev/null || echo "0")
if [ "${USER_COUNT// /}" = "0" ] || [ "${SERVICE_COUNT// /}" = "0" ]; then
echo "==> Seeding database (users: ${USER_COUNT// /}, services: ${SERVICE_COUNT// /})"
$COMPOSE run --rm migrator npx prisma db seed
else
echo " Database already seeded (${USER_COUNT// /} users, ${SERVICE_COUNT// /} services)"
fi
echo "==> Seeding blog content (idempotent via upsert)"
# Every seed-blog-*.ts uses upsert with a pinned publishedAt, so running these
# on every deploy is safe: no date drift, no duplicates. Edits to content/title
# flow to prod automatically on the next deploy.
shopt -s nullglob
BLOG_SEEDS=(prisma/seed-blog-*.ts)
if [ ${#BLOG_SEEDS[@]} -eq 0 ]; then
echo " No blog seed files found"
else
echo " Found ${#BLOG_SEEDS[@]} blog seed file(s):"
for f in "${BLOG_SEEDS[@]}"; do echo " - $f"; done
for seed_file in "${BLOG_SEEDS[@]}"; do
seed_name=$(basename "$seed_file" .ts)
echo " → Running $seed_name"
if $COMPOSE run --rm migrator npx tsx "$seed_file"; then
echo " ✓ $seed_name ok"
else
echo " ✗ $seed_name FAILED (exit $?)"
echo " Continuing with remaining seeds — check DB for this post"
fi
done
fi
shopt -u nullglob
echo "==> Swapping to new container"
$COMPOSE up -d --no-deps --remove-orphans app
echo "==> Waiting for app to be ready (max 120s)..."
WAIT=0
until curl -sf http://localhost:3000/api/health > /dev/null 2>&1; do
sleep 3
WAIT=$((WAIT + 3))
if [ $WAIT -ge 120 ]; then
echo "ERROR: app did not become healthy after 120s"
$COMPOSE logs --tail=50 app
exit 1
fi
done
echo " App is up"
echo "==> Cleaning up old images"
docker image prune -f > /dev/null 2>&1
echo "==> Configuring nginx"
# Extract domain — use sed instead of grep -oP for portability.
NGINX_DOMAIN=$(sed -n 's|^NEXT_PUBLIC_APP_URL=https\?://\([^/:]*\).*|\1|p' .env.local 2>/dev/null)
NGINX_DOMAIN="${NGINX_DOMAIN:-_}"
echo " Detected domain: $NGINX_DOMAIN"
# Only write nginx config if it doesn't exist or if --force-nginx was passed.
# This prevents deploy from clobbering a working nginx config every time.
if [ -f /etc/nginx/sites-available/simplerms ] && [ "$1" != "--force-nginx" ]; then
echo " nginx config already exists — skipping (use --force-nginx to overwrite)"
sudo nginx -t && sudo systemctl reload nginx
else
if [ -d "/etc/letsencrypt/live/$NGINX_DOMAIN" ]; then
echo " SSL certificate found — configuring HTTPS"
sudo tee /etc/nginx/sites-available/simplerms > /dev/null << 'NGINX'
server {
listen 80;
server_name DOMAIN_PLACEHOLDER;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name DOMAIN_PLACEHOLDER;
ssl_certificate /etc/letsencrypt/live/DOMAIN_PLACEHOLDER/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/DOMAIN_PLACEHOLDER/privkey.pem;
client_max_body_size 20M;
location / {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_cache_bypass $http_upgrade;
proxy_read_timeout 60s;
}
}
NGINX
sudo sed -i "s/DOMAIN_PLACEHOLDER/$NGINX_DOMAIN/g" /etc/nginx/sites-available/simplerms
else
echo " No SSL certificate — configuring HTTP only"
sudo tee /etc/nginx/sites-available/simplerms > /dev/null << 'NGINX'
server {
listen 80;
server_name DOMAIN_PLACEHOLDER;
client_max_body_size 20M;
location / {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cache_bypass $http_upgrade;
proxy_read_timeout 60s;
}
}
NGINX
sudo sed -i "s/DOMAIN_PLACEHOLDER/$NGINX_DOMAIN/g" /etc/nginx/sites-available/simplerms
fi
sudo ln -sf /etc/nginx/sites-available/simplerms /etc/nginx/sites-enabled/
sudo rm -f /etc/nginx/sites-enabled/default
sudo nginx -t && sudo systemctl reload nginx
echo " nginx configured for $NGINX_DOMAIN"
fi
echo "==> Checking HTTPS"
if [ -n "$NGINX_DOMAIN" ] && [ "$NGINX_DOMAIN" != "_" ] && [ "$NGINX_DOMAIN" != "localhost" ]; then
if ! command -v certbot &> /dev/null; then
echo " Installing certbot"
sudo apt-get update -qq && sudo apt-get install -y -qq certbot python3-certbot-nginx > /dev/null
fi
if [ ! -d "/etc/letsencrypt/live/$NGINX_DOMAIN" ]; then
echo " Requesting certificate for $NGINX_DOMAIN"
sudo certbot --nginx -d "$NGINX_DOMAIN" --non-interactive --agree-tos --register-unsafely-without-email
else
echo " Certificate exists for $NGINX_DOMAIN"
fi
else
echo " Skipping HTTPS (set NEXT_PUBLIC_APP_URL to enable)"
fi
echo ""
echo "============================================"
echo " Akritos is running"
PUBLIC_URL=$(grep -E '^NEXT_PUBLIC_APP_URL=' .env.local 2>/dev/null | cut -d= -f2- | tr -d '"' || echo "")
echo " ${PUBLIC_URL:-http://$(curl -sf ifconfig.me 2>/dev/null || echo 'YOUR_IP')}"
echo ""
# If the seed generated a fresh admin password, surface the credentials file path.
# The file lives inside the migrator container; copy it to the host for the operator.
CRED_HOST_PATH="$REPO_DIR/.first-admin-credentials"
if $COMPOSE --profile tools run --rm -T migrator test -f /app/.first-admin-credentials 2>/dev/null; then
$COMPOSE --profile tools run --rm -T migrator cat /app/.first-admin-credentials > "$CRED_HOST_PATH" 2>/dev/null
chmod 600 "$CRED_HOST_PATH"
echo " FIRST-RUN ADMIN CREDENTIALS:"
echo " $CRED_HOST_PATH"
echo " (mode 0600 — read once, change password, then delete)"
echo ""
echo " cat $CRED_HOST_PATH"
else
echo " Admin already exists. To reset password:"
echo " docker compose --profile tools run --rm migrator npx tsx scripts/reset-admin-password.ts"
fi
echo "============================================"