Add CI/CD build and deploy scripts, along with docker-compose, HAProxy config, and a certbot

merge hook. Set up env.example generation. Add doiuse dev dependency.
2026-02-01 13:14:32 -08:00 · 2026-02-01 13:14:32 -08:00 · 1714225d00
commit 1714225d00
parent 0350a4b8e3
11 changed files with 334 additions and 2 deletions
--- a/deploy/certs/renewal-hooks/deploy/merge.sh
+++ b/deploy/certs/renewal-hooks/deploy/merge.sh
@ -0,0 +1,4 @@
+#!/bin/bash
+cat /etc/letsencrypt/live/badblocks.dev/fullchain.pem /etc/letsencrypt/live/badblocks.dev/privkey.pem > /etc/letsencrypt/fullcert.pem
+chmod 755 /etc/letsencrypt/
+chmod 644 /etc/letsencrypt/fullcert.pem
--- a/deploy/docker-compose.yml
+++ b/deploy/docker-compose.yml
@ -0,0 +1,84 @@
+services:
+  badblocks-personal-site:
+    image: ${IMAGE_NAME}:latest
+    restart: always
+    container_name: badblocks-personal-site
+    ports:
+      - "4321:4321"
+    networks:
+      - proxynet
+    env_file:
+      - .env
+    # healthcheck:
+    #   test:
+    #     [
+    #       "CMD",
+    #       "curl",
+    #       "-f",
+    #       "-s",
+    #       "--max-time",
+    #       "5",
+    #       "http://localhost:4321/health",
+    #     ]
+    #   interval: 30s
+    #   timeout: 15s
+    #   retries: 3
+    #   start_period: 120s
+  # wireguard:
+  #   image: qmcgaw/gluetun
+  #   cap_add:
+  #     - NET_ADMIN
+  #   container_name: wireguard
+  #   environment:
+  #     - VPN_SERVICE_PROVIDER=custom
+  #     - VPN_TYPE=wireguard
+  #     - HTTPPROXY=on
+  #   expose:
+  #     - "8888"
+  #   env_file:
+  #     - .env
+  #   devices:
+  #     - /dev/net/tun:/dev/net/tun
+  #   restart: unless-stopped
+  #   networks:
+  #     - proxynet
+  #   healthcheck:
+  #     test: ss["CMD", "ping", "-c", "1", "-W", "3", "$$ANDROID_SMS_GATEWAY_IP"]
+  #     interval: 30s
+  #     timeout: 15s
+  #     retries: 3
+  #     start_period: 60s
+  certbot:
+    image: serversideup/certbot-dns-cloudflare
+    volumes:
+      - ./certs:/etc/letsencrypt
+    environment:
+      CLOUDFLARE_API_TOKEN: "${CLOUDFLARE_API_TOKEN}"
+      CERTBOT_EMAIL: "${CERTBOT_EMAIL}"
+      CERTBOT_DOMAINS: "${DOMAIN}"
+  haproxy:
+    image: haproxy:3.2
+    stop_signal: SIGTERM
+    container_name: haproxy
+    env_file:
+      - .env
+    command: ["haproxy", "-f", "/usr/local/etc/haproxy"]
+    ports:
+      - "${PUBLIC_IP}:80:80"
+      - "${PUBLIC_IP}:443:443"
+      - "${PUBLIC_IP}:8404:8404"
+    volumes:
+      - ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
+      - ./certs:/certs:ro
+    restart: always
+    networks:
+      - proxynet
+  #   healthcheck:
+  #     test: ["CMD", "haproxy", "-c", "-f", "/usr/local/etc/haproxy"]
+  #     interval: 30s
+  #     timeout: 10s
+  #     retries: 3
+networks:
+  proxynet:
+    name: proxynet
+    driver: bridge
--- a/deploy/haproxy.cfg
+++ b/deploy/haproxy.cfg
@ -0,0 +1,43 @@
+global
+  daemon
+  log stdout format raw local0 info
+  maxconn 2000
+
+defaults
+  mode http
+  log global
+  timeout connect 5s
+  timeout client 30s
+  timeout server 30s
+  timeout check 5s
+  retries 3
+  option httplog
+  option dontlognull
+  option redispatch
+
+frontend http
+  bind :80
+  mode http
+  
+  http-request redirect scheme https unless { ssl_fc }
+
+frontend https
+  bind :443 ssl crt /certs/fullcert.pem
+  
+  http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
+  default_backend main
+
+backend main
+  balance leastconn
+  option httpchk GET /
+  http-check expect status 200
+
+  server badblocks-personal-site badblocks-personal-site:4321 check resolvers docker resolve-prefer ipv4 init-addr none
+  
+resolvers docker
+  nameserver dns1 127.0.0.11:53
+  resolve_retries 3
+  timeout resolve 1s
+  timeout retry 1s
+  hold valid	  10s
+  hold obsolete   30s