diff --git a/.gitea/workflows/build-and-deploy.yml b/.gitea/workflows/build-and-deploy.yml index c796321..96ba4cb 100644 --- a/.gitea/workflows/build-and-deploy.yml +++ b/.gitea/workflows/build-and-deploy.yml @@ -305,6 +305,7 @@ jobs: env: IMAGE_REPOSITORY: ${{ steps.image-meta.outputs.repository }} IMAGE_TAG: ${{ gitea.sha }} + ENV_DOCKER_PRODUCTION: ${{ secrets.ENV_DOCKER_PRODUCTION }} ENV_DOCKER_PRODUCTION_B64: ${{ secrets.ENV_DOCKER_PRODUCTION_B64 }} REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }} REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }} @@ -318,6 +319,7 @@ jobs: fi SSH_OPTIONS="-i $HOME/.ssh/id_rsa -o BatchMode=yes -o IdentitiesOnly=yes -o StrictHostKeyChecking=accept-new -o UserKnownHostsFile=$HOME/.ssh/known_hosts" ENV_DOCKER_PRODUCTION_B64_CLEAN="$(printf '%s' "$ENV_DOCKER_PRODUCTION_B64" | tr -d '[:space:]')" + ENV_DOCKER_PRODUCTION_RAW_B64="$(printf '%s' "$ENV_DOCKER_PRODUCTION" | base64 | tr -d '\n')" REGISTRY_PASSWORD_B64="$(printf '%s' "$REGISTRY_PASSWORD" | base64 | tr -d '\n')" ssh $SSH_OPTIONS "${{ secrets.VPS_USER }}@$VPS_HOST" " set -e @@ -325,8 +327,11 @@ jobs: if [ -n '$ENV_DOCKER_PRODUCTION_B64_CLEAN' ]; then printf '%s' '$ENV_DOCKER_PRODUCTION_B64_CLEAN' | base64 -d > '$DEPLOY_ROOT/.env.docker.production' chmod 600 '$DEPLOY_ROOT/.env.docker.production' + elif [ -n '$ENV_DOCKER_PRODUCTION_RAW_B64' ]; then + printf '%s' '$ENV_DOCKER_PRODUCTION_RAW_B64' | base64 -d > '$DEPLOY_ROOT/.env.docker.production' + chmod 600 '$DEPLOY_ROOT/.env.docker.production' elif [ ! -f '$DEPLOY_ROOT/.env.docker.production' ]; then - echo 'ENV_DOCKER_PRODUCTION_B64 is not set and $DEPLOY_ROOT/.env.docker.production does not exist on the VPS' >&2 + echo 'ENV_DOCKER_PRODUCTION or ENV_DOCKER_PRODUCTION_B64 is not set, and $DEPLOY_ROOT/.env.docker.production does not exist on the VPS' >&2 exit 1 else echo 'Using existing $DEPLOY_ROOT/.env.docker.production on the VPS' diff --git a/docs/DOCKER.md b/docs/DOCKER.md index b86b430..6f598a6 100644 --- a/docs/DOCKER.md +++ b/docs/DOCKER.md @@ -162,13 +162,13 @@ Open `.env.docker.production` and fill in every value. The minimum required secr | `RESEND_API_KEY` | Resend API key (or configure SMTP vars instead) | | `PGMANAGE_DOMAIN` | Hostname for pgManage, e.g. `pgmanage.rentaldrivego.ma` | -For Gitea Actions deploys, store the completed production env file as the `ENV_DOCKER_PRODUCTION_B64` secret: +For Gitea Actions deploys, either store the completed production env file as the raw `ENV_DOCKER_PRODUCTION` secret or as the base64-encoded `ENV_DOCKER_PRODUCTION_B64` secret: ```bash base64 < .env.docker.production | tr -d '\n' ``` -Paste that single-line output into the Gitea secret. During deploy, the workflow writes it to `/opt/rentaldrivego/.env.docker.production` on the VPS with `600` permissions before running `scripts/docker-prod-deploy.sh`. +Paste that single-line output into `ENV_DOCKER_PRODUCTION_B64` when using the base64 option. During deploy, the workflow writes the env file to `/opt/rentaldrivego/.env.docker.production` on the VPS with `600` permissions before running `scripts/docker-prod-deploy.sh`. If neither production env secret is set, the workflow reuses `/opt/rentaldrivego/.env.docker.production` when it already exists on the VPS. Production now derives `DATABASE_URL` inside the app container from `POSTGRES_HOST`, `POSTGRES_PORT`, `POSTGRES_DB`, `POSTGRES_USER`, and `POSTGRES_PASSWORD` when `DATABASE_URL_FROM_POSTGRES=true`. That avoids Prisma auth failures when the database password contains reserved URL characters such as `@`, `:`, or `/`.