Skip to content

Commit

Permalink
Add DigitalOcean Deployment (#368)
Browse files Browse the repository at this point in the history 
<!--

PLEASE MAKE SURE TO KEEP THE PR SIZE AT A MINIMUM!
Smaller PRs are easier to review and tend to get merged faster.
Unrelated changes, refactorings, fixes etc. should be made in separate
PRs.

--->

## Description

Add deployment based on [DigitalOcean's app
platform](https://www.digitalocean.com/products/app-platform). The apps
are split per domain to be compatible with routing from the app
platform.

The preview does not work yet, as I'm waiting for
vivid-planet/comet#2554.

I decided to not commit the symlinks and copy the files instead to keep
the required changes minimal.

The secrets are
[safe](https://docs.digitalocean.com/products/app-platform/how-to/use-environment-variables/)
inside the repo as they are encrypted.

This does not include a secondary site, but could be added later.

<!--

The description should describe the change you're making.
It will be used as the commit message for the squashed commit once the
PR gets merged.
Therefore, make sure to keep the description up-to-date as the PR
changes.

PLEASE DESCRIBE WHY YOU'RE MAKING THE CHANGE, NOT WHAT YOU'RE CHANGING.
Reviewers see what you're changing when reviewing the code.
However, they might not understand your motives as to why you're making
the change.

Your description should include:
-   The problem you're facing
-   Your solution to the problem
-   An example usage of your change

--->

<!--

Everything below this is intended to help ease reviewing this PR.
Remove all unrelated sections.

WHEN MERGING THE PR, REMOVE THIS FROM THE COMMIT MESSAGE.

-->

## Screenshots/screencasts

<!--

When making a visual change, please provide either screenshots or
screencasts.

Hint: For before/after views, you can use a table:

| Before   | After   |
| -------- | ------- |
| Link     | Link    |

-->

## Related tasks and documents

<!--

Link to related tasks and documents, for instance,
https://vivid-planet.atlassian.net/browse/COM-XXX.

MAKE SURE THAT EVERYTHING REQUIRED TO UNDERSTAND YOUR CHANGE IS IN THE
PR DESCRIPTION.
Reviewers shouldn't need to review tasks, JIRA conversations etc. to
understand what you're doing.

-->

## Open TODOs/questions (Future PR)

- [ ] Remove dependency to dkarnutsch/oauth2-proxy (no really
trustworthy image from Docker Hub found and GitHub registry does not
work yet on DigitalOcean)
- [ ] Replace domains with starter.comet-dxp.com and
admin.starter.comet-dxp.com
-   [ ] Add CI/CD based on GitHub Actions


## Further information

<!--

Further information that helps reviewing the PR, for instance:
-   Alternative solutions you have considered
-   Dependent PRs
-   Links to relevant documentation, blog posts etc.

-->
  • Loading branch information
@dkarnutsch
dkarnutsch authored Oct 15, 2024
1 parent 13446c0 commit c07ee74
Show file tree
Hide file tree
Showing 6 changed files with 402 additions and 1 deletion.
2 changes: 2 additions & 0 deletions .digitalocean/.gitignore
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
comet-starter-cms.yaml
comet-starter-site-main.yaml
276 changes: 276 additions & 0 deletions .digitalocean/comet-starter-cms.tpl.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,276 @@
alerts:
- rule: DEPLOYMENT_FAILED
- rule: DOMAIN_FAILED
features:
- buildpack-stack=ubuntu-22
ingress:
rules:
- component:
name: admin
match:
path:
prefix: /admin-do-not-use
- component:
name: oauth2-proxy
match:
path:
prefix: /
- component:
name: api
match:
path:
prefix: /public-api
name: comet-starter-cms
region: fra
services:
- build_command: |-
cp ../site-configs.d.ts src/site-configs.d.ts &&
npm run build &&
npm prune --omit=dev
environment_slug: node-js
envs:
- key: NODE_ENV
scope: RUN_TIME
value: production
- key: POSTGRESQL_HOST
scope: RUN_AND_BUILD_TIME
value: db-postgresql-fra1-74967-do-user-15310175-0.l.db.ondigitalocean.com
- key: POSTGRESQL_PORT
scope: RUN_AND_BUILD_TIME
value: "25060"
- key: POSTGRESQL_DB
scope: RUN_AND_BUILD_TIME
value: db_starter
- key: POSTGRESQL_PASSWORD
scope: RUN_AND_BUILD_TIME
type: SECRET
value: EV[1:VJWKcWvicy4ClCPNzpPOSwiZB0p8/gZq:SZK9hwGdXBqcCEApIdFWuSLWS//rvY/VEfyJ2WWwM/agjP+BLUOiew==]
- key: POSTGRESQL_USER
scope: RUN_AND_BUILD_TIME
value: starter
- key: API_URL
scope: RUN_AND_BUILD_TIME
value: https://comet-starter-cms-64wfr.ondigitalocean.app/public-api/api
- key: API_PORT
scope: RUN_AND_BUILD_TIME
value: "4000"
- key: CORS_ALLOWED_ORIGIN
scope: RUN_AND_BUILD_TIME
value: comet-starter-site-tyqqf\.ondigitalocean\.app
- key: IMGPROXY_SALT
scope: RUN_AND_BUILD_TIME
type: SECRET
value: EV[1:DpbiOlcKj5C5taV+27VGP0Wc2GFFu0Cu:I8RNxsSOqaGk12doCtjeIT9hUNWTM6rAr7kMX6X+JlE4VyYH5kd1XFZ9SozGmADqFKEkI//BIJQ00XAq6dkXr6amsH7AtVJSxkl4WjBBs24sW/jnSIjebEYDq4n9oQbptdhrQcNwTYaAy/VZm1KzgzxdXaQHDsLmbtYWXLKUue/VldiCajnRExZjiTdk/x8Y]
- key: IMGPROXY_URL
scope: RUN_AND_BUILD_TIME
value: https://comet-starter-imgproxy-ovgzu.ondigitalocean.app
- key: IMGPROXY_KEY
scope: RUN_AND_BUILD_TIME
type: SECRET
value: EV[1:wD77N9Aop33RXd8qv/pUCyIyItqY877u:DeExUMZXlI96dabfE09kuc/Kj54FZmVrjuTb2VMLajK1B+fxuNIHecelUdFX1wo1lrYm+jRFBotC8nWh4uhEYfC4KVS6QdjeKIXAxhuZ7cGI848/VAzkWKoEgYoSUYTXNTbpETptNFWQ1XFzJxDKZiYFaW8LmknvxUixuaxULsobxjFhH/S+fTlHt6j9DN9K]
- key: DAM_SECRET
scope: RUN_AND_BUILD_TIME
type: SECRET
value: EV[1:cN8JQAPIBnJqXpO8RGBqx9tvzArnSMFz:tQ2EW+BE5XWg2rPUvXqCjbXKNxIYLRGLdsAKk+CVhaDRWhc=]
- key: BLOB_STORAGE_DRIVER
scope: RUN_AND_BUILD_TIME
value: s3
- key: BLOB_STORAGE_DIRECTORY_PREFIX
scope: RUN_AND_BUILD_TIME
value: starter
- key: S3_REGION
scope: RUN_AND_BUILD_TIME
value: fra1
- key: S3_ENDPOINT
scope: RUN_AND_BUILD_TIME
value: https://fra1.digitaloceanspaces.com
- key: S3_BUCKET
scope: RUN_AND_BUILD_TIME
value: comet-starter
- key: S3_ACCESS_KEY_ID
scope: RUN_AND_BUILD_TIME
type: SECRET
value: EV[1:MoPtts0J/3qbPVcLpNbJDQncPsvQBWmG:sseL7FpcEps7IV5v/uqBctUwp+tSMBAzJl3XkZjMCLZ69PUt]
- key: S3_SECRET_ACCESS_KEY
scope: RUN_AND_BUILD_TIME
type: SECRET
value: EV[1:GNjlve0WqXUtZr2TVaxvI9UTcv6a0Mta:zK4fpoWTpwDHO6MfYEWLoOsw3Kq3W3N9FvGAIuHRc1I6FF6zeZOULOIxzOXgLJPb6xIIiUKB8dAOu7Y=]
- key: POSTGRESQL_CA_CERT
scope: RUN_AND_BUILD_TIME
value: |-
-----BEGIN CERTIFICATE-----
MIIEQTCCAqmgAwIBAgIUFbJ/dvvfKgsSSRZ1WB3LZ5OiEWQwDQYJKoZIhvcNAQEM
BQAwOjE4MDYGA1UEAwwvYjNjZTRjMWYtZWUyOS00MDQ4LWE2ZmItZTFlNDU0MTIy
MTk1IFByb2plY3QgQ0EwHhcNMjMxMjA0MTQ1NDIxWhcNMzMxMjAxMTQ1NDIxWjA6
MTgwNgYDVQQDDC9iM2NlNGMxZi1lZTI5LTQwNDgtYTZmYi1lMWU0NTQxMjIxOTUg
UHJvamVjdCBDQTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAKRtK5Ud
nFGKdoyjGssagR9vMRQw73tpuNeZG4OmewPwKdgDhsjH+ZLfgJOI2wSoclBkWFQj
dIg0GuXkFVwO4SZ0a/7uBtJLYh9z8U4N14pOa+xrBISE7zshGjJjKjHhbCT7VYhc
l6OK2CZZzXZk+xoh5o1JwLxkc1l2rzG5l3CrZnL43L93h6KEGY4VWe8QBoxqUCxG
2aDuyYpqjlHJhS4imRxbJ9R++t3UBPVpaebU4jwWw91DujYD86LMmq9WEVNfnrno
8SNNYRS6ojay/WUphKTfK3VqwUw7OGAIHxAzQPc6nx8mdNa++Y51J6IOL4O7bBp5
gxb46TVlHeH0GXZEu+m2AUnPT8tmPgzHzDAI7UQ2NN2kTxrUGZ2aV/f1lxIhij6o
sfwoSJZzt98dvp02Cg9zqgXxxyv04YUeK7PDoS9aP7uXrj81dLl84MIdbqJOZNd1
XwfIhu0hKlAi2H5PuPBwn++aJ9Htjhbte4Bp2QJF6hcqfW0chpZPupQOmwIDAQAB
oz8wPTAdBgNVHQ4EFgQUZm7RuycpRchnPp3PzsK3vPORT4AwDwYDVR0TBAgwBgEB
/wIBADALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEMBQADggGBABmGDsdgEKDGS4wU
v+170Nl3JFDySE3DwcYEUFQCm9/gLW6dpHV5S5Vghiq3oTtmUAB/atXYjS6FlFTx
lWkyW4j9m9YbbzW+SX5rPiO01Hu3sUae0s2kjRWpFnoZWirphCS4JZ24wLtWBkyl
1pthVhUg4qh4zOfeWvVmd8MENkieFf0mhWyY2gvbcvPgYRrsVoNDzm72vvRnhjtG
81+MMudCLUKtYg+oNIbBwzu2JZ2tdr6lrxTCwlnepyPAQfxF3oC7FbxfMirf/Rp+
eibIi9DYfjschlTe0BW1afYn1cradTsH0uFrSV6UCYjhN7aYCLYBJoL+c/raEA0u
avwdD47sHsIhse+1HjF2VRVPDP+ZGTvqkAuiLAXEi4eht0rluX/j/Rnc+peq21al
bamtaNx6H7l4QlXegUXaxxAmeW2FR5nBUb2tiFBF70KA+rl4hRa7FuxcPmkNOtRO
EokFG4nQ9lh/mN5vpkdxCA438Ur3yBqzaSI1NvGpb8/8gBG0Gg==
-----END CERTIFICATE-----
- key: PRIVATE_SITE_CONFIGS
scope: RUN_AND_BUILD_TIME
value: "{{ site://configs/private/dev }}"
- key: POSTGRESQL_USE_SSL
scope: RUN_AND_BUILD_TIME
value: "true"
- key: USE_AUTHPROXY
scope: RUN_AND_BUILD_TIME
value: "true"
- key: BASIC_AUTH_SYSTEM_USER_PASSWORD
scope: RUN_AND_BUILD_TIME
type: SECRET
value: EV[1:RRBCV3yOi07TjXxGcad36RGJAJ2DnHbw:mmzqyMwl9gtfoiNigjj/0GrZTduEp6LtgJKV/5a3geMwKSk=]
- key: IDP_CLIENT_ID
scope: RUN_AND_BUILD_TIME
value: 59e44de5-0431-4413-b50b-7e52740a6d7b
- key: IDP_JWKS_URI
scope: RUN_AND_BUILD_TIME
value: https://auth-sso.vivid-planet.cloud/.well-known/jwks.json
- key: IDP_END_SESSION_ENDPOINT
scope: RUN_AND_BUILD_TIME
value: https://auth-sso.vivid-planet.cloud/oauth2/sessions/logout
- key: POST_LOGOUT_REDIRECT_URI
scope: RUN_AND_BUILD_TIME
value: https://comet-starter-cms-64wfr.ondigitalocean.app/oauth2/sign_out?rd=%2F
github:
branch: main
deploy_on_push: false
repo: vivid-planet/comet-starter
http_port: 4000
instance_count: 1
instance_size_slug: apps-s-1vcpu-0.5gb
name: api
run_command: npm run db:migrate:prod && npm run start:prod
source_dir: /api
- envs:
- key: OAUTH2_PROXY_API_ROUTES
scope: RUN_AND_BUILD_TIME
value: /api
- key: OAUTH2_PROXY_CODE_CHALLENGE_METHOD
scope: RUN_AND_BUILD_TIME
value: S256
- key: OAUTH2_PROXY_PASS_AUTHORIZATION_HEADER
scope: RUN_AND_BUILD_TIME
value: "true"
- key: OAUTH2_PROXY_PASS_ACCESS_TOKEN
scope: RUN_AND_BUILD_TIME
value: "true"
- key: OAUTH2_PROXY_COOKIE_SECURE
scope: RUN_AND_BUILD_TIME
value: "true"
- key: OAUTH2_PROXY_COOKIE_SAMESITE
scope: RUN_AND_BUILD_TIME
value: lax
- key: OAUTH2_PROXY_COOKIE_HTTPONLY
scope: RUN_AND_BUILD_TIME
value: "true"
- key: OAUTH2_PROXY_SKIP_PROVIDER_BUTTON
scope: RUN_AND_BUILD_TIME
value: "true"
- key: OAUTH2_PROXY_SILENCE_PING_LOGGING_true
scope: RUN_AND_BUILD_TIME
value: "true"
- key: OAUTH2_PROXY_REQUEST_LOGGING
scope: RUN_AND_BUILD_TIME
value: "false"
- key: OAUTH2_PROXY_AUTH_LOGGING
scope: RUN_AND_BUILD_TIME
value: "true"
- key: OAUTH2_PROXY_COOKIE_REFRESH
scope: RUN_AND_BUILD_TIME
value: 23h
- key: OAUTH2_PROXY_EMAIL_DOMAINS
scope: RUN_AND_BUILD_TIME
value: "*"
- key: OAUTH2_PROXY_CLIENT_SECRET
scope: RUN_AND_BUILD_TIME
type: SECRET
value: EV[1:uQi0YzdSCPn4w2obTTkdFOiUmYC0onNR:NEwKBNspvye4T0NkL6QpCP5PiTduvpyfnF/JjvKbX8Aec0s=]
- key: OAUTH2_PROXY_CLIENT_ID
scope: RUN_AND_BUILD_TIME
value: 59e44de5-0431-4413-b50b-7e52740a6d7b
- key: OAUTH2_PROXY_COOKIE_SECRET
scope: RUN_AND_BUILD_TIME
type: SECRET
value: EV[1:nG0XBGrISwLqRYdFFELwYeszfQ0vMCjC:XBISzF+YWffV1LA25rTvp4v6iLhjVL4a3VGkd2v7Iiw=]
- key: OAUTH2_PROXY_PROVIDER
scope: RUN_AND_BUILD_TIME
value: oidc
- key: OAUTH2_PROXY_OIDC_ISSUER_URL
scope: RUN_AND_BUILD_TIME
value: https://auth-sso.vivid-planet.cloud
- key: OAUTH2_PROXY_UPSTREAMS
scope: RUN_AND_BUILD_TIME
value: http://admin:80,http://api:80/api/
- key: OAUTH2_PROXY_WHITELIST_DOMAIN
scope: RUN_AND_BUILD_TIME
value: auth-sso.vivid-planet.cloud
- key: OAUTH2_PROXY_SCOPE
scope: RUN_AND_BUILD_TIME
value: openid profile email offline_access
- key: OAUTH2_PROXY_HTTP_ADDRESS
scope: RUN_AND_BUILD_TIME
value: 0.0.0.0:4180
- key: OAUTH2_PROXY_SKIP_AUTH_PREFLIGHT
scope: RUN_AND_BUILD_TIME
value: "true"
http_port: 4180
image:
registry: dkarnutsch
registry_type: DOCKER_HUB
repository: oauth2-proxy
tag: latest
instance_count: 1
instance_size_slug: apps-s-1vcpu-0.5gb
name: oauth2-proxy
- build_command: |-
./intl-update.sh &&
cp ../api/schema.gql schema.gql &&
cp ../api/block-meta.json block-meta.json &&
cp ../api/src/comet-config.json src/comet-config.json &&
cp ../site-configs.d.ts src/site-configs.d.ts &&
npm run build &&
rm -rf ./node_modules
environment_slug: node-js
envs:
- key: NODE_ENV
scope: RUN_TIME
value: production
- key: API_URL
scope: RUN_AND_BUILD_TIME
value: https://comet-starter-cms-64wfr.ondigitalocean.app/api
- key: ADMIN_URL
scope: RUN_AND_BUILD_TIME
value: https://comet-starter-cms-64wfr.ondigitalocean.app/
- key: PUBLIC_SITE_CONFIGS
scope: RUN_AND_BUILD_TIME
value: "{{ site://configs/public/dev }}"
- key: PREVIEW_URL
scope: RUN_AND_BUILD_TIME
value: https://comet-starter-site-preview-jespg.ondigitalocean.app # TODO
github:
branch: main
deploy_on_push: false
repo: vivid-planet/comet-starter
http_port: 3000
instance_count: 1
instance_size_slug: apps-s-1vcpu-0.5gb
name: admin
run_command: npm run serve
source_dir: admin
50 changes: 50 additions & 0 deletions .digitalocean/comet-starter-imgproxy.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
alerts:
- rule: DEPLOYMENT_FAILED
- rule: DOMAIN_FAILED
features:
- buildpack-stack=ubuntu-22
ingress:
rules:
- component:
name: darthsim-imgproxy
match:
path:
prefix: /
name: comet-starter-imgproxy
region: fra
services:
- envs:
- key: IMGPROXY_KEY
scope: RUN_AND_BUILD_TIME
type: SECRET
value: EV[1:caLHr/u1NkMWvW8NG5nn0+JvpBW+NMNu:yhmQi6RpvAt58666wyk3IzIMFg7ALTeIhruXpPFabcQgSkmAaBXzj08oAYuhv6u0tnWabUIHDkvzyY0CnoYpHD3vE1R5tWLUQwOoEgzGKHqiO7f5zdeuTzFUxG7ctCFfsXedzL2e4R7+u3FmLox0woPk0DhbiYiA8+qSNnVEKWMXJTkAkfQkwdtovgskqdz5]
- key: IMGPROXY_SALT
scope: RUN_AND_BUILD_TIME
type: SECRET
value: EV[1:yCE1f0mZPV+uFFs96/SmFsbvWXH3pfDn:1dt+Waq2vALvR7qXaC3Lh2VONtDjgmBzSuPyn+6kpk3DN9xzmbSPhV3G1pCZ+NRA16TOL3jhfiIgWD4QbCAs5y2JM2EOcptDQKpuQ6YYGvB9Gb2dBgrJS7WG5pKqSIuI3g+YKKa/ns5HWzH/CdIsieVdvmlb4PFasdhdCIMOHCIhwNONChz0yIO7XsV8vLJl]
- key: IMGPROXY_USE_S3
scope: RUN_AND_BUILD_TIME
value: "true"
- key: IMGPROXY_S3_REGION
scope: RUN_AND_BUILD_TIME
value: fra1
- key: IMGPROXY_S3_ENDPOINT
scope: RUN_AND_BUILD_TIME
value: https://comet-starter.fra1.digitaloceanspaces.com
- key: AWS_ACCESS_KEY_ID
scope: RUN_AND_BUILD_TIME
type: SECRET
value: EV[1:utFAK7Ej0e07tb6cQhWCCLlRUSKJy6DU:rGoIItdercf5JSs2oSEanA11liimnDjdLxwmhcBjO9UCeHaM]
- key: AWS_SECRET_ACCESS_KEY
scope: RUN_AND_BUILD_TIME
type: SECRET
value: EV[1:xupjwXwlpZv8VeQyLx9nKJTrw1BipI3a:Lkws9OWy+b5a20BNHCHiFv8H2M99aYNirhY+eGBZsCoUkLvCYoJvKDaVpHLz7N+CCC3Hfgycd4Ix008=]
http_port: 8080
image:
registry: darthsim
registry_type: DOCKER_HUB
repository: imgproxy
tag: v3
instance_count: 1
instance_size_slug: apps-s-1vcpu-0.5gb
name: darthsim-imgproxy
58 changes: 58 additions & 0 deletions .digitalocean/comet-starter-site-main.tpl.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
alerts:
- rule: DEPLOYMENT_FAILED
- rule: DOMAIN_FAILED
features:
- buildpack-stack=ubuntu-22
ingress:
rules:
- component:
name: comet-starter-site-main
match:
path:
prefix: /
name: comet-starter-site-main
region: fra
services:
- build_command: |-
./intl-update.sh &&
cp ../api/schema.gql schema.gql &&
cp ../api/block-meta.json block-meta.json &&
cp ../api/src/comet-config.json src/comet-config.json &&
cp ../site-configs.d.ts src/site-configs.d.ts &&
npm run build &&
npm prune --omit=dev
environment_slug: node-js
envs:
- key: NODE_ENV
scope: RUN_TIME
value: production
- key: ADMIN_URL
scope: RUN_AND_BUILD_TIME
value: https://comet-starter-cms-64wfr.ondigitalocean.app/
- key: NEXT_PUBLIC_API_URL
scope: RUN_AND_BUILD_TIME
value: https://comet-starter-cms-64wfr.ondigitalocean.app/public-api/api
- key: API_URL_INTERNAL
scope: RUN_AND_BUILD_TIME
value: https://comet-starter-cms-64wfr.ondigitalocean.app/public-api/api
- key: SITE_PREVIEW_SECRET
scope: RUN_AND_BUILD_TIME
type: SECRET
value: EV[1:/Nf0VXO5XP5SJY9Y/JAFyZttB4Z1B6po:xL4pWQaF02cU4y1QCahqXdvD94A+QOJxXVVGDea4TYFVPQ==]
- key: PUBLIC_SITE_CONFIGS
scope: RUN_AND_BUILD_TIME
value: "{{ site://configs/public/dev }}"
- key: API_BASIC_AUTH_SYSTEM_USER_PASSWORD
scope: RUN_AND_BUILD_TIME
type: SECRET
value: EV[1:qkU44a+IP3BfIT4YvfGdrOj505b+mdu2:aD7wKJCkMvTng/HGtOjuXg2QjP2KGUn8FHghsVmZpptr4JA=]
github:
branch: main
deploy_on_push: false
repo: vivid-planet/comet-starter
http_port: 3000
instance_count: 1
instance_size_slug: apps-s-1vcpu-0.5gb
name: comet-starter-site-main
run_command: npm run serve
source_dir: site
Loading

0 comments on commit c07ee74

Please sign in to comment.