wip: deploy on new infra

still needed:
- mount a host volume for file uploads and mongodb data
- make the app talk to mongodb without exposing the mongodb port to the
internet

.github/workflows/deploy.yml

@@ -5,24 +5,50 @@ on:
     branches: [ master ]
   workflow_dispatch:
 
+env:
+  NOMAD_VERSION: 1.7.7
+
 jobs:
   deploy:
     runs-on: ubuntu-latest
 
     steps:
-    - name: Git checkout
-      uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-
-    # See the following link for documentation:
-    # https://github.com/marketplace/actions/dokku
-    - name: Push to sips
-      uses: dokku/[email protected]
-      with:
-        ssh_private_key: ${{ secrets.SIPS_GLOBAL_DEPLOY_KEY }}
-        git_remote_url: ssh://[email protected]/tv
-        # force might feel risky, but there is no good reason why the server
-        # should ever not be a mirror of the deploy branch. And the errors we
-        # could get otherwise would probably be nasty to deal with
-        git_push_flags: --force
+      - name: Git checkout
+        uses: actions/checkout@v4
+
+      - name: Set environment variables
+        run: |
+          cat >> "$GITHUB_ENV" <<EOF
+          latest=ghcr.io/${{ github.repository }}:latest
+          current=ghcr.io/${{ github.repository }}:$(git rev-parse --short ${{ github.sha }})
+          EOF
+
+      - name: Download Nomad
+        run: |
+          curl -LO https://releases.hashicorp.com/nomad/${{ env.NOMAD_VERSION }}/nomad_${{ env.NOMAD_VERSION }}_linux_amd64.zip
+          unzip -d /usr/local/bin nomad_${{ env.NOMAD_VERSION }}_linux_amd64.zip nomad
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to ghcr.io
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          push: true
+          tags: ${{ env.latest }},${{ env.current }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Deploy to nomad
+        env:
+          NOMAD_ADDR: ${{ vars.NOMAD_ADDR }}
+          NOMAD_TOKEN: ${{ secrets.NOMAD_TOKEN }}
+        run: |
+          nomad run -var=image_tag=${{ env.current }} job.nomad.hcl

job.nomad.hcl

@@ -0,0 +1,75 @@
+job "meta-tv" {
+  type = "service"
+
+  group "meta-tv" {
+    network {
+      port "http" { }
+      port "mongodb" {
+        static = 27017
+      }
+    }
+
+    service {
+      name     = "meta-tv"
+      port     = "http"
+      provider = "nomad"
+      tags = [
+        "traefik.enable=true",
+        "traefik.http.routers.meta-tv.rule=Host(`meta-tv.datasektionen.se`)",
+        "traefik.http.routers.meta-tv.tls.certresolver=default",
+      ]
+    }
+
+    task "meta-tv" {
+      driver = "docker"
+
+      config {
+        image = var.image_tag
+        ports = ["http"]
+      }
+
+      template {
+        data        = <<ENV
+{{ with nomadVar "nomad/jobs/meta-tv" }}
+LOGIN_KEY={{ .login_api_key }}
+MONGO_URL=mongodb://tv:{{ .database_password }}@{{ env "NOMAD_ADDR_mongodb" }}/
+BANLIST={{ .banlist }}
+{{ end }}
+PORT={{ env "NOMAD_PORT_http" }}
+ROOT_URL=https://tv.datasektionen.se
+ENV
+        destination = "local/.env"
+        env         = true
+      }
+
+      resources {
+        memory = 200
+      }
+    }
+
+    task "mongodb" {
+      driver = "docker"
+
+      config {
+        image = "docker.io/mongo:3.2.9"
+      }
+
+      template {
+        data        = <<ENV
+{{ with nomadVar "nomad/jobs/meta-tv" }}
+MONGO_INITDB_ROOT_USERNAME=tv
+MONGO_INITDB_ROOT_PASSWORD={{ .database_password }}
+{{ end }}
+ENV
+        destination = "local/.env"
+        env         = true
+      }
+
+    }
+  }
+}
+
+variable "image_tag" {
+  type = string
+  default = "ghcr.io/datasektionen/meta-tv:latest"
+}