docker stack pipeline

Author: elliottminns

.github/workflows/pipeline.yaml

@@ -44,3 +44,20 @@ jobs:
           tags: |
             ghcr.io/dreamsofcode-io/zenstats:latest
             ghcr.io/dreamsofcode-io/zenstats:${{ github.sha }}
+
+  deploy:
+    runs-on: ubuntu-latest
+    needs:
+      - build-and-push-image
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v2
+
+    - name: Docker Stack Deploy
+      uses: cssnr/stack-deploy-action@v1
+      with:
+        name: zenfulstats
+        file: docker-stack.yaml
+        host: zenful.site
+        user: deploy
+        ssh_key: ${{ secrets.DEPLOY_SSH_PRIVATE_KEY }}

docker-stack.yaml

@@ -1,19 +1,49 @@
 services:
+  traefik:
+    image: traefik:v3.1
+    command:
+      - "--providers.docker"
+      - "--providers.docker.exposedbydefault=false"
+      - "--entryPoints.websecure.address=:443"
+      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
+      - "--certificatesresolvers.myresolver.acme.email=elliott@zenful.site"
+      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
+      - "--entrypoints.web.address=:80"
+      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
+      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
+    ports:
+      - mode: host
+        protocol: tcp
+        published: 80
+        target: 80
+      - mode: host
+        protocol: tcp
+        published: 443
+        target: 443
+    volumes:
+      - letsencrypt:/letsencrypt
+      - /var/run/docker.sock:/var/run/docker.sock
 
   web:
-    image: ghcr.io/dreamsofcode-io/zenstats:cc5d97c1d8abc3c63862ca699156cca8ab062c29
+    image: ghcr.io/dreamsofcode-io/zenstats:baaf221054f44ec2b6d85f60e94b70a0619665be
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.services.web.loadbalancer.server.port=8080"
+      - "traefik.http.routers.web.rule=Host(`zenful.site`)"
+      - "traefik.http.routers.web.entrypoints=websecure"
+      - "traefik.http.routers.web.tls.certresolver=myresolver"
+    secrets:
+      - db-password
     environment:
       - POSTGRES_HOST=db
-      - POSTGRES_PASSWORD=mysecretpassword
+      - POSTGRES_PASSWORD_FILE=/run/secrets/db-password
       - POSTGRES_USER=postgres
       - POSTGRES_DB=app
       - POSTGRES_PORT=5432
       - POSTGRES_SSLMODE=disable
-    ports:
-      - mode: "host"
-        protocol: "tcp"
-        published: 80
-        target: 8080
+    deploy:
+      update_config:
+        order: start-first
     depends_on:
       - db
 
@@ -22,9 +52,11 @@ services:
     user: postgres
     volumes:
       - db-data:/var/lib/postgresql/data
+    secrets:
+      - db-password
     environment:
       - POSTGRES_DB=app
-      - POSTGRES_PASSWORD=mysecretpassword
+      - POSTGRES_PASSWORD_FILE=/run/secrets/db-password
     healthcheck:
       test: [ "CMD", "pg_isready" ]
       interval: 10s
@@ -34,3 +66,7 @@ services:
 volumes:
   db-data:
   letsencrypt:
+
+secrets:
+  db-password:
+    external: true