deploy on new infra

Author: foodelevator

.github/workflows/deploy.yml

@@ -5,24 +5,50 @@ on:
     branches: [ master ]
   workflow_dispatch:
 
+env:
+  NOMAD_VERSION: 1.7.7
+
 jobs:
   deploy:
     runs-on: ubuntu-latest
 
     steps:
-    - name: Git checkout
-      uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-
-    # See the following link for documentation:
-    # https://github.com/marketplace/actions/dokku
-    - name: Push to sips
-      uses: dokku/[email protected]
-      with:
-        ssh_private_key: ${{ secrets.SIPS_GLOBAL_DEPLOY_KEY }}
-        git_remote_url: ssh://[email protected]/zfinger
-        # force might feel risky, but there is no good reason why the server
-        # should ever not be a mirror of the deploy branch. And the errors we
-        # could get otherwise would probably be nasty to deal with
-        git_push_flags: --force
+      - name: Git checkout
+        uses: actions/checkout@v4
+
+      - name: Set environment variables
+        run: |
+          cat >> "$GITHUB_ENV" <<EOF
+          latest=ghcr.io/${{ github.repository }}:latest
+          current=ghcr.io/${{ github.repository }}:$(git rev-parse --short ${{ github.sha }})
+          EOF
+
+      - name: Download Nomad
+        run: |
+          curl -LO https://releases.hashicorp.com/nomad/${{ env.NOMAD_VERSION }}/nomad_${{ env.NOMAD_VERSION }}_linux_amd64.zip
+          unzip -d /usr/local/bin nomad_${{ env.NOMAD_VERSION }}_linux_amd64.zip nomad
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to ghcr.io
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          push: true
+          tags: ${{ env.latest }},${{ env.current }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Deploy to nomad
+        env:
+          NOMAD_ADDR: ${{ vars.NOMAD_ADDR }}
+          NOMAD_TOKEN: ${{ secrets.NOMAD_TOKEN }}
+        run: |
+          nomad run -var=image_tag=${{ env.current }} job.nomad.hcl

README.md

@@ -28,12 +28,13 @@ Information displayed in `hodis` is `ugKthid`,`uid`,`on`,`mail`,`givenName`,`dis
 ## Environment variables
 Required environment variables:
 ```
-  AWS_ACCESS_KEY_ID=<AWS_ACCESS_KEY_ID>
-  AWS_SECRET_ACCESS_KEY=<AWS_SECRET_ACCESS_KEY>
-  LOGIN_API_KEY=<LOGIN_API_KEY>
+AWS_ACCESS_KEY_ID=<AWS_ACCESS_KEY_ID>
+AWS_SECRET_ACCESS_KEY=<AWS_SECRET_ACCESS_KEY>
+LOGIN_API_KEY=<LOGIN_API_KEY>
 
 ## Optional
-  S3_BUCKET=zfinger
-  HODIS_HOST=https://hodis.datasektionen.se
-  LOGIN_HOST=https://login.datasektionen.se
+S3_BUCKET=zfinger
+HODIS_HOST=https://hodis.datasektionen.se
+LOGIN_API_URL=https://login.datasektionen.se
+LOGIN_FRONTEND_URL=https://login.datasektionen.se
 ```

app.py

@@ -20,7 +20,8 @@
 app.wsgi_app = ProxyFix(app.wsgi_app)
 
 LOGIN_API_KEY = getenv('LOGIN_API_KEY')
-LOGIN_HOST = getenv('LOGIN_HOST', 'https://login.datasektionen.se')
+LOGIN_API_URL = getenv('LOGIN_API_URL', 'https://login.datasektionen.se')
+LOGIN_FRONTEND_URL = getenv('LOGIN_FRONTEND_URL', 'https://login.datasektionen.se')
 HODIS_HOST = getenv('HODIS_HOST', 'https://hodis.datasektionen.se')
 
 MISSING = s3.get('missing.svg')['Body'].read()
@@ -38,7 +39,7 @@ def verify_token(token: str):
         return login_cache[token][0]
 
     payload = {'format': 'json', 'api_key': LOGIN_API_KEY}
-    response = get(f'{LOGIN_HOST}/verify/{token}', params=payload)
+    response = get(f'{LOGIN_API_URL}/verify/{token}', params=payload)
     if response.status_code == 200:
         user = response.json()['user']
         login_cache[token] = (user, datetime.now())
@@ -60,7 +61,7 @@ def wrapped_func(*args, **kwargs):
             user = None if token is None else verify_token(token)
 
             if user is None:
-                return redirect(f'{LOGIN_HOST}/login?callback={url_quote(request.base_url)}?token=')
+                return redirect(f'{LOGIN_FRONTEND_URL}/login?callback={url_quote(request.base_url)}?token=')
 
             kwargs[user_param_name] = user
             return func(*args, **kwargs)

docker-compose.yaml

@@ -3,6 +3,6 @@ services:
   web:
     build: .
     env_file:
-      - variables.env
+      - .env
     ports:
       - "5000:5000"

job.nomad.hcl

@@ -0,0 +1,55 @@
+job "zfinger" {
+  type = "service"
+
+  group "zfinger" {
+    network {
+      port "http" {
+        to = 5000
+      }
+    }
+
+    service {
+      name     = "zfinger"
+      port     = "http"
+      provider = "nomad"
+      tags = [
+        "traefik.enable=true",
+        "traefik.http.routers.zfinger.rule=Host(`zfinger.datasektionen.se`)",
+        "traefik.http.routers.zfinger.tls.certresolver=default",
+      ]
+    }
+
+    task "zfinger" {
+      driver = "docker"
+
+      config {
+        image = var.image_tag
+        ports = ["http"]
+      }
+
+      template {
+        data        = <<ENV
+{{ with nomadVar "nomad/jobs/zfinger" }}
+AWS_SECRET_ACCESS_KEY={{ .aws_secret_access_key }}
+LOGIN_API_KEY={{ .login_api_key }}
+{{ end }}
+AWS_ACCESS_KEY_ID=AKIATUCF4UAO3OIEOFJA
+LOGIN_FRONTEND_URL=https://logout.datasektionen.se/legacyapi
+LOGIN_API_URL=http://logout.nomad.dsekt.internal.se/legacyapi
+HODIS_HOST=https://hodis.datasektionen.se
+ENV
+        destination = "local/.env"
+        env         = true
+      }
+
+      resources {
+        memory = 80
+      }
+    }
+  }
+}
+
+variable "image_tag" {
+  type = string
+  default = "ghcr.io/datasektionen/zfinger:latest"
+}