ci(gitea): add deploy workflow + self-hosted homelab deploy toolkit (Auth.js port)
Ports the deploy pipeline from the Gitea main fork (commit 7ddb06d's deploy toolkit) into the Auth.js v5 / NextAuth tree: - .gitea/workflows/deploy.yml: inline deploy that brings up the Docker stack, applies migrations, builds Next.js, and runs the app under PM2. Swapped Better Auth env vars (BETTER_AUTH_SECRET/URL, NEXT_PUBLIC_BETTER_AUTH_URL) for Auth.js v5 names (AUTH_SECRET/URL, NEXT_PUBLIC_AUTH_URL). Dropped NEXT_PUBLIC_SUPABASE_URL/ANON_KEY (Supabase removal in progress). Added GOOGLE_CLIENT_ID/SECRET + ALLOW_DEV_LOGIN for the Auth.js Google provider and dev credentials path. Switched runs-on from 'ubuntu-latest' to the self-hosted runner labels matching build.yml. - deploy/: idempotent deploy toolkit (deploy.sh, docker-compose.yml, Dockerfile.nextjs, nginx.conf.template, .env.production.example, healthcheck.sh, Makefile, deploy/.gitignore). No auth/Supabase dependencies — pure infra. - deploy/.env.production.example: renamed NEXTAUTH_SECRET/NEXTAUTH_URL (v4) to AUTH_SECRET/AUTH_URL (v5) and added the v5-specific vars (NEXT_PUBLIC_AUTH_URL, GOOGLE_*, ALLOW_DEV_LOGIN). Build pipeline is now end-to-end: build.yml → typecheck + lint + build (uses [self-hosted, linux, ubuntu-latest]) deploy.yml → start docker stack + migrations + build + PM2 restart Storage / admin code ports (MinIO via @/lib/storage, Supabase removal, admin-permissions rewrite) are tracked separately — they require porting the storage and admin code first; the deploy pipeline itself is ready to run against the Auth.js world.
This commit is contained in:
@@ -0,0 +1,52 @@
|
||||
# =============================================================================
|
||||
# .env.production — secrets + dynamic ports for the running containers
|
||||
# =============================================================================
|
||||
#
|
||||
# deploy.sh writes the first three lines on every successful deploy.
|
||||
# Everything below is YOUR responsibility to populate. deploy.sh preserves
|
||||
# unknown lines verbatim across deploys (it only overwrites the lines it
|
||||
# knows about), so you can safely commit this file to a private repo or
|
||||
# provision it via your secrets manager of choice.
|
||||
#
|
||||
# In production, this file should be mode 0600 and owned by the deploy user.
|
||||
# =============================================================================
|
||||
|
||||
# --- managed by deploy.sh (do not edit by hand) -------------------------------
|
||||
POSTGREST_HOST_PORT=3011
|
||||
NEXTJS_HOST_PORT=3012
|
||||
NEXT_PUBLIC_API_URL=http://localhost:3011
|
||||
|
||||
# --- PostgREST connection ---------------------------------------------------
|
||||
PGRST_DB_URI=postgres://app:secret@db.internal:5432/app_production
|
||||
PGRST_DB_ANON_ROLE=anon
|
||||
PGRST_DB_SCHEMA=public
|
||||
|
||||
# --- Next.js server-side secrets -------------------------------------------
|
||||
# Anything not prefixed NEXT_PUBLIC_ is server-only and read at request time.
|
||||
DATABASE_URL=postgres://app:secret@db.internal:5432/app_production
|
||||
|
||||
# Auth.js v5 (NextAuth). Generate AUTH_SECRET with `npx auth secret` or
|
||||
# `openssl rand -base64 32`. AUTH_URL is the public base URL the browser
|
||||
# uses to build OAuth callback URLs.
|
||||
AUTH_SECRET=change-me-to-a-long-random-string
|
||||
AUTH_URL=https://app.example.com
|
||||
NEXT_PUBLIC_AUTH_URL=https://app.example.com
|
||||
ALLOW_DEV_LOGIN=false
|
||||
|
||||
# Google OAuth provider for Auth.js. Set both AUTH_GOOGLE_ID/SECRET and
|
||||
# GOOGLE_CLIENT_ID/SECRET (the v5 code reads either name).
|
||||
GOOGLE_CLIENT_ID=
|
||||
GOOGLE_CLIENT_SECRET=
|
||||
AUTH_GOOGLE_ID=
|
||||
AUTH_GOOGLE_SECRET=
|
||||
|
||||
# --- External services ------------------------------------------------------
|
||||
STRIPE_SECRET_KEY=sk_live_replace_me
|
||||
STRIPE_PUBLISHABLE_KEY=pk_live_replace_me
|
||||
STRIPE_WEBHOOK_SECRET=whsec_replace_me
|
||||
|
||||
SMTP_HOST=smtp.example.com
|
||||
SMTP_PORT=587
|
||||
SMTP_USER=apikey
|
||||
SMTP_PASSWORD=replace_me
|
||||
SMTP_FROM="My App <noreply@example.com>"
|
||||
Reference in New Issue
Block a user