docker compose review

Reviewed-on: #4

.env.example

@@ -11,7 +11,7 @@ DEBUG=false
 # --- Base de données PostgreSQL ---
 POSTGRES_DB=auditshield
 POSTGRES_USER=auditshield
-POSTGRES_PASSWORD=changeme-strong-password
+POSTGRES_PASSWORD=AuditShield!
 
 # Construit automatiquement par docker-compose, à définir manuellement en dev local :
 DATABASE_URL=postgresql://auditshield:changeme-strong-password@localhost:5432/auditshield

.gitea/workflows/deploy.yml

@@ -24,18 +24,38 @@ jobs:
             echo "PROJECT_PATH=/volume1/docker/auditshield-dev" >> $GITHUB_OUTPUT
           fi
 
-      - name: Deploy to NAS
-        uses: appleboy/ssh-action@v1
-        with:
-          host: ${{ secrets.NAS_HOST }}
-          username: ${{ secrets.NAS_USER }}
-          key: ${{ secrets.NAS_SSH_KEY }}
-          script: |
-            mkdir -p ${{ steps.env.outputs.PROJECT_PATH }}
-            cd ${{ steps.env.outputs.PROJECT_PATH }}
-            git clone https://gitea.rigolet.tech/vincent/auditshield.git . 2>/dev/null || git pull
-            cp .env.example .env 2>/dev/null || true
-            sudo docker compose -f ${{ steps.env.outputs.COMPOSE_FILE }} up -d --build --remove-orphans
-            sudo docker image prune -f
+      - name: Setup SSH key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.NAS_SSH_KEY_B64 }}" | base64 -d > ~/.ssh/nas_key
+          chmod 600 ~/.ssh/nas_key
+          ssh-keyscan -p 22 ${{ secrets.NAS_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
 
+      - name: Copy files to NAS
+        run: |
+          ssh -i ~/.ssh/nas_key -o StrictHostKeyChecking=no root@${{ secrets.NAS_HOST }} \
+            "mkdir -p ${{ steps.env.outputs.PROJECT_PATH }}"
+          tar --exclude='.git' --exclude='node_modules' --exclude='.env' -czf - . | \
+            ssh -i ~/.ssh/nas_key -o StrictHostKeyChecking=no root@${{ secrets.NAS_HOST }} \
+            "tar -xzf - -C ${{ steps.env.outputs.PROJECT_PATH }}"
 
+      - name: Setup env file
+        run: |
+          ssh -i ~/.ssh/nas_key -o StrictHostKeyChecking=no root@${{ secrets.NAS_HOST }} \
+            "cat > ${{ steps.env.outputs.PROJECT_PATH }}/.env << 'EOF'
+SECRET_KEY=${{ secrets.APP_SECRET_KEY }}
+DEBUG=false
+POSTGRES_DB=auditshield
+POSTGRES_USER=auditshield
+POSTGRES_PASSWORD=${{ secrets.POSTGRES_PASSWORD }}
+DATABASE_URL=postgresql://auditshield:${{ secrets.POSTGRES_PASSWORD }}@postgres:5432/auditshield
+REDIS_URL=redis://redis:6379/0
+NEXT_PUBLIC_API_URL=https://auditshield.rigolet.tech
+DOMAIN=auditshield.rigolet.tech
+TAG=latest
+EOF"
+
+      - name: Deploy
+        run: |
+          ssh -i ~/.ssh/nas_key -o StrictHostKeyChecking=no root@${{ secrets.NAS_HOST }} \
+            "cd ${{ steps.env.outputs.PROJECT_PATH }} && /usr/local/bin/docker compose -f ${{ steps.env.outputs.COMPOSE_FILE }} up -d --build --remove-orphans && /usr/local/bin/docker image prune -f"

docker/docker-compose.yml

@@ -3,14 +3,14 @@ version: "3.8"
 services:
   postgres:
     image: postgres:16-alpine
-    container_name: auditshield-db
-    restart: unless-stopped
+    container_name: auditshield-db-prod
+    restart: always
     environment:
       POSTGRES_DB: ${POSTGRES_DB:-auditshield}
       POSTGRES_USER: ${POSTGRES_USER:-auditshield}
       POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD required}
     volumes:
-      - postgres_data:/var/lib/postgresql/data
+      - postgres_data_prod:/var/lib/postgresql/data
     healthcheck:
       test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-auditshield}"]
       interval: 10s
@@ -21,36 +21,35 @@ services:
 
   redis:
     image: redis:7-alpine
-    container_name: auditshield-redis
-    restart: unless-stopped
+    container_name: auditshield-redis-prod
+    restart: always
     networks:
       - internal
 
   backend:
-    build:
-      context: ../backend
-      dockerfile: Dockerfile
-    container_name: auditshield-backend
-    restart: unless-stopped
-    env_file: ../.env
+    image: ${REGISTRY}/auditshield-backend:${TAG:-latest}
+    container_name: auditshield-backend-prod
+    restart: always
+    env_file: .env
     environment:
       DATABASE_URL: postgresql://${POSTGRES_USER:-auditshield}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB:-auditshield}
       REDIS_URL: redis://redis:6379/0
     depends_on:
       postgres:
         condition: service_healthy
-      redis:
-        condition: service_started
     networks:
       - internal
       - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.auditshield-api.rule=Host(`${DOMAIN}`) && PathPrefix(`/api`)"
+      - "traefik.http.routers.auditshield-api.entrypoints=websecure"
+      - "traefik.http.routers.auditshield-api.tls.certresolver=letsencrypt"
 
   frontend:
-    build:
-      context: ../frontend
-      dockerfile: Dockerfile
-    container_name: auditshield-frontend
-    restart: unless-stopped
+    image: ${REGISTRY}/auditshield-frontend:${TAG:-latest}
+    container_name: auditshield-frontend-prod
+    restart: always
     environment:
       NEXT_PUBLIC_API_URL: ""
     depends_on:
@@ -58,9 +57,14 @@ services:
     networks:
       - internal
       - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.auditshield.rule=Host(`${DOMAIN}`)"
+      - "traefik.http.routers.auditshield.entrypoints=websecure"
+      - "traefik.http.routers.auditshield.tls.certresolver=letsencrypt"
 
 volumes:
-  postgres_data:
+  postgres_data_prod:
 
 networks:
   internal: