ci: add deploy workflow

.dockerignore

@@ -5,4 +5,5 @@
 /services.md
 /APIs.md
 /README.md
-/benchmarking.cpp
+/benchmarking.cpp
+/.github

.github/workflows/build.yaml

@@ -1,4 +1,4 @@
-name: Publish Staging
+name: Build
 on:
   push:
     branches:
@@ -29,3 +29,13 @@ jobs:
           tags: |
             docker.pkg.github.com/${{ env.IMAGE_REPOSITORY }}/ccash:${{ github.sha }}
             docker.pkg.github.com/${{ env.IMAGE_REPOSITORY }}/ccash:latest
+  trigger-deploy:
+    needs: release
+    runs-on: ubuntu-latest
+    steps:
+      - run: |
+          curl -X POST \
+          -H 'Accept: application/vnd.github.v3+json' \
+          -H 'Authorization: Bearer ${{ secrets.CCASH_DEPLOY_TOKEN }}' \
+          https://api.github.com/repos/${{ github.repository }}/actions/workflows/deploy.yaml/dispatches \
+          -d '{"ref":"main"}'

.github/workflows/deploy.yaml

@@ -0,0 +1,59 @@
+name: Deploy
+on: workflow_dispatch
+jobs:
+  release:
+    name: Deploy Docker image to remote machine
+    runs-on: ubuntu-latest
+    steps:
+      - name: Write CCASH_CONFIG_JSON to remote filesystem
+        uses: appleboy/ssh-action@master
+        with:
+          host: ${{ secrets.CCASH_DOMAIN }}
+          username: root
+          key: ${{ secrets.CCASH_SSH_KEY }}
+          script: "echo '${{ secrets.CCASH_CONFIG_JSON }}' > $(pwd)/config.json"
+      - name: Write CCASH_USERS_JSON to remote filesystem if it doesn't already exist
+        uses: appleboy/ssh-action@master
+        with:
+          host: ${{ secrets.CCASH_DOMAIN }}
+          username: root
+          key: ${{ secrets.CCASH_SSH_KEY }}
+          script: "[[ -f $(pwd)/users.json ]] && echo 'users.json already exists' || echo '${{ secrets.CCASH_USERS_JSON }}' > $(pwd)/users.json"
+      - name: Authenticate Docker Engine with GitHub Packages container registry
+        uses: appleboy/ssh-action@master
+        with:
+          host: ${{ secrets.CCASH_DOMAIN }}
+          username: root
+          key: ${{ secrets.CCASH_SSH_KEY }}
+          script: "docker login -u '${{ github.actor }}' -p '${{ secrets.GITHUB_TOKEN }}' docker.pkg.github.com"
+      - name: Prune docker system
+        uses: appleboy/ssh-action@master
+        with:
+          host: ${{ secrets.CCASH_DOMAIN }}
+          username: root
+          key: ${{ secrets.CCASH_SSH_KEY }}
+          script: "docker system prune -af"
+      - name: Format repository
+        run: |
+          echo IMAGE_REPOSITORY=$(echo ${{ github.repository }} | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV
+      - name: Pull latest image
+        uses: appleboy/ssh-action@master
+        with:
+          host: ${{ secrets.CCASH_DOMAIN }}
+          username: root
+          key: ${{ secrets.CCASH_SSH_KEY }}
+          script: "docker pull docker.pkg.github.com/${{ env.IMAGE_REPOSITORY }}/ccash:latest"
+      - name: Stop previous container
+        uses: appleboy/ssh-action@master
+        with:
+          host: ${{ secrets.CCASH_DOMAIN }}
+          username: root
+          key: ${{ secrets.CCASH_SSH_KEY }}
+          script: "curl -X POST -H 'Password: ${{ secrets.CCASH_ADMIN_PASSWORD }}' https://${{ secrets.CCASH_DOMAIN }}/BankF/close && docker kill $(docker ps -q)"
+      - name: Run CCash Docker image
+        uses: appleboy/ssh-action@master
+        with:
+          host: ${{ secrets.CCASH_DOMAIN }}
+          username: root
+          key: ${{ secrets.CCASH_SSH_KEY }}
+          script: "docker run -d -p 80:80 -p 443:443 -v $(pwd)/config.json:/ccash/config.json -v $(pwd)/users.json:/ccash/users.json -v ${{ secrets.CCASH_TLS_CERT_PATH }}:/ccash/cert -v ${{ secrets.CCASH_TLS_KEY_PATH }}:/ccash/key docker.pkg.github.com/${{ env.IMAGE_REPOSITORY }}/ccash:latest ${{ secrets.CCASH_ADMIN_PASSWORD }} ${{ secrets.CCASH_SAVE_FREQUENCY }} ${{ secrets.CCASH_THREAD_COUNT }}"

Dockerfile

@@ -11,6 +11,6 @@ RUN mkdir build
 WORKDIR /ccash/build
 
 RUN cmake ..
-RUN make -j$(nprov)
+RUN make -j$(nproc)
 
-CMD ["/ccash/build/bank", "$CCASH_ADMIN_PASSWORD", "$CCASH_SAVE_FREQUENCY", "$CCASH_THREAD_COUNT"]
+ENTRYPOINT ["/ccash/build/bank"]

config.json

@@ -9,8 +9,8 @@
         "address": "0.0.0.0",
         "port": 443,
         "https": true,
-        "cert": "",
-        "key": ""
+        "cert": "/ccash/cert",
+        "key": "/ccash/key"
       }
   ]
 }

docs/deploy.md

@@ -24,14 +24,24 @@ Similarly, the CCash repo also provides a GitHub Workflow to deploy the latest d
 
 ### Configure the machine
 
-* Create a machine using your chosen cloud provider.
-* Configure DNS to point your chosen domain name to the machines IP address. _(Without this, TLS/SSL will not work)_.
-* Create an SSH key-pair by running `ssh-keygen` locally. Make sure you **don't** set a password.
-* Add the `*.pub` public key to the servers `~/.ssh/authorized_keys` file.
-* Install Docker Engine following [official docs](https://docs.docker.com/engine/install/).
-* Add the private key _(not `*.pub`)_ to a [GitHub secret](https://docs.github.com/en/actions/reference/encrypted-secrets) named `CCASH_SSH_KEY` in your CCash repo.
-* Add the domain name pointing to the remote machine to a GitHub secret named `CCASH_DOMAIN`.
+1. Create a machine using your chosen cloud provider
+1. Configure DNS to point your chosen domain name to the machines IP address. _(Without this, TLS/SSL will not work)_
+1. Create an SSH key-pair by running `ssh-keygen` locally. Make sure you **don't** set a password
+1. Add the `*.pub` public key to the servers `~/.ssh/authorized_keys` file
+1. Install Docker Engine on the remote machine following [official docs](https://docs.docker.com/engine/install/)
+1. Generate SSL/TLS certificate (Using [certbot](https://certbot.eff.org/lets-encrypt/debianbuster-other) is recommended)
+1. Configure [GitHub secrets](https://docs.github.com/en/actions/reference/encrypted-secrets) for the repo
+  * `CCASH_SSH_KEY` - The private key _(not `*.pub`)_ created earlier
+  * `CCASH_DOMAIN` - The domain name pointing to the remote machine
+  * `CCASH_CONFIG_JSON` - A config.json file that will be written every deploy _(https config cert path should be `/ccash/cert` and key path should be `/ccash/key`)_
+  * `CCASH_USERS_JSON` - A users.json file that will be written only on first deploy
+  * `CCASH_ADMIN_PASSWORD` - A CCash server admin account password
+  * `CCASH_SAVE_FREQUENCY` - A number representing the frequency to save to users.json (in minutes)
+  * `CCASH_THREAD_COUNT` - A number representing the number of threads to use
+  * `CCASH_TLS_CERT_PATH` - The path to the TLS/SSL certificate on the host machine
+  * `CCASH_TLS_KEY_PATH` - The path to the TLS/SSL key on the host machine
+  * `CCASH_DEPLOY_TOKEN` - A [GitHub personal access token](https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token), used to trigger the deploy workflow automatically when the build workflow is successful. _(Leave empty to disable automatic deploys.)_
 
-You are now ready to run the "Deploy" workflow mentioned above. This workflow will SSH in to the `CCASH_DOMAIN` machine, using the `CCASH_SSH_KEY` and `docker run` the latest `entiretwix/ccash` image, binding to port 80 and 443. It will also handle the creation of a TLS/SSL certificate for you.
+You are now ready to run the "Deploy" workflow mentioned above. This workflow will SSH in to the `CCASH_DOMAIN` machine, using the `CCASH_SSH_KEY` and `docker run` the latest `entiretwix/ccash` image, binding to port 80 and 443, setting the appropriate volumes and environment variables.
 
-Visiting `https://$SSH_TARGET/BankF/ping` in your browser should verify that it has been deployed correctly.
+Run `curl https://$CCASH_DOMAIN/BankF/ping` to verify that the server has been deployed correctly.