bb6dbe37a4
Ports the deploy pipeline from the Gitea main fork (commit 7ddb06d's deploy toolkit) into the Auth.js v5 / NextAuth tree: - .gitea/workflows/deploy.yml: inline deploy that brings up the Docker stack, applies migrations, builds Next.js, and runs the app under PM2. Swapped Better Auth env vars (BETTER_AUTH_SECRET/URL, NEXT_PUBLIC_BETTER_AUTH_URL) for Auth.js v5 names (AUTH_SECRET/URL, NEXT_PUBLIC_AUTH_URL). Dropped NEXT_PUBLIC_SUPABASE_URL/ANON_KEY (Supabase removal in progress). Added GOOGLE_CLIENT_ID/SECRET + ALLOW_DEV_LOGIN for the Auth.js Google provider and dev credentials path. Switched runs-on from 'ubuntu-latest' to the self-hosted runner labels matching build.yml. - deploy/: idempotent deploy toolkit (deploy.sh, docker-compose.yml, Dockerfile.nextjs, nginx.conf.template, .env.production.example, healthcheck.sh, Makefile, deploy/.gitignore). No auth/Supabase dependencies — pure infra. - deploy/.env.production.example: renamed NEXTAUTH_SECRET/NEXTAUTH_URL (v4) to AUTH_SECRET/AUTH_URL (v5) and added the v5-specific vars (NEXT_PUBLIC_AUTH_URL, GOOGLE_*, ALLOW_DEV_LOGIN). Build pipeline is now end-to-end: build.yml → typecheck + lint + build (uses [self-hosted, linux, ubuntu-latest]) deploy.yml → start docker stack + migrations + build + PM2 restart Storage / admin code ports (MinIO via @/lib/storage, Supabase removal, admin-permissions rewrite) are tracked separately — they require porting the storage and admin code first; the deploy pipeline itself is ready to run against the Auth.js world.
90 lines
3.0 KiB
Plaintext
90 lines
3.0 KiB
Plaintext
# =============================================================================
|
|
# nginx.conf.template — rendered by deploy.sh on every deploy
|
|
# =============================================================================
|
|
#
|
|
# Variables substituted by `envsubst`:
|
|
# ${POSTGREST_HOST_PORT} dynamic host port of the PostgREST container
|
|
# ${NEXTJS_HOST_PORT} dynamic host port of the Next.js container
|
|
# ${NEXT_PUBLIC_API_URL} (informational only — used in comment header)
|
|
#
|
|
# Layout:
|
|
# /api/* -> http://127.0.0.1:${POSTGREST_HOST_PORT}
|
|
# /* -> http://127.0.0.1:${NEXTJS_HOST_PORT}
|
|
#
|
|
# Tested against nginx >= 1.18 (Debian 11 / Ubuntu 22.04). Adjust ssl_*
|
|
# lines if you don't have a cert yet — deploy.sh only tests/renders, the
|
|
# operator decides whether to terminate TLS here.
|
|
# =============================================================================
|
|
|
|
# --- upstream definitions ---------------------------------------------------
|
|
upstream postgrest_upstream {
|
|
server 127.0.0.1:${POSTGREST_HOST_PORT};
|
|
keepalive 16;
|
|
}
|
|
|
|
upstream nextjs_upstream {
|
|
server 127.0.0.1:${NEXTJS_HOST_PORT};
|
|
keepalive 16;
|
|
}
|
|
|
|
# --- HTTP -> HTTPS upgrade (optional; remove if you only run on LAN) --------
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name _;
|
|
|
|
# ACME http-01 challenge needs to be served on port 80.
|
|
location /.well-known/acme-challenge/ {
|
|
root /var/www/letsencrypt;
|
|
}
|
|
|
|
# Redirect everything else to HTTPS. Comment out for plain-HTTP dev.
|
|
location / {
|
|
return 301 https://$host$request_uri;
|
|
}
|
|
}
|
|
|
|
# --- main server block ------------------------------------------------------
|
|
server {
|
|
listen 443 ssl;
|
|
listen [::]:443 ssl;
|
|
http2 on;
|
|
server_name _;
|
|
|
|
# --- TLS (uncomment + adjust after you obtain a cert) ------------------
|
|
# ssl_certificate /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem;
|
|
# ssl_certificate_key /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem;
|
|
# ssl_protocols TLSv1.2 TLSv1.3;
|
|
# ssl_ciphers HIGH:!aNULL:!MD5;
|
|
|
|
# --- sensible defaults ------------------------------------------------
|
|
client_max_body_size 25m;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header X-Forwarded-Host $host;
|
|
proxy_set_header Connection "";
|
|
|
|
# --- API: /api/* -> PostgREST ----------------------------------------
|
|
location /api/ {
|
|
proxy_pass http://postgrest_upstream;
|
|
proxy_read_timeout 60s;
|
|
proxy_send_timeout 60s;
|
|
}
|
|
|
|
# PostgREST exposes its OpenAPI spec at the root of the API; expose it
|
|
# under a stable URL too.
|
|
location = /api {
|
|
proxy_pass http://postgrest_upstream;
|
|
}
|
|
|
|
# --- everything else -> Next.js --------------------------------------
|
|
location / {
|
|
proxy_pass http://nextjs_upstream;
|
|
proxy_read_timeout 120s;
|
|
proxy_send_timeout 120s;
|
|
}
|
|
}
|