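---
# Woodpecker CI pipeline: build and push the application images, rotate the
# swarm secrets, and deploy the stack to staging and production.
#
# Security notes for maintainers:
#   * Every step with `commands` mounts /var/run/docker.sock, which is
#     root-equivalent access to the CI host and the swarm manager. Any code that
#     runs in these steps (a commit on main, a compromised plugin image) has that
#     access, so keep the step list short and the injected secrets minimal.
#   * Plugin images are referenced without a tag or digest and the smoke-test
#     image uses ":latest". Pin them to a digest so a registry-side change cannot
#     silently alter what runs with socket access.
#   * Secrets are injected per step via `from_secret`. A step should only receive
#     the secrets its commands (or the compose/stack file it feeds) actually use.
labels:
  location: manager

clone:
  git:
    image: woodpeckerci/plugin-git
    settings:
      partial: false
      depth: 1
      recursive: true

steps:
  # Build and Push for Staging
  build-push-staging:
    name: build-push-staging
    image: woodpeckerci/plugin-docker-buildx
    environment:
      REGISTRY_USER:
        from_secret: REGISTRY_USER
      REGISTRY_PASSWORD:
        from_secret: REGISTRY_PASSWORD
      DOCKER_REGISTRY_USER:
        from_secret: DOCKER_REGISTRY_USER
      DOCKER_REGISTRY_PASSWORD:
        from_secret: DOCKER_REGISTRY_PASSWORD
      # NOTE(review): none of the commands in this step reference the Authelia
      # secrets below. They are only needed if docker-compose.staging.yml
      # interpolates them at build time (which would bake them into the image
      # or its build args — avoid). Drop them here if the compose file does not.
      # Authelia Core Secrets
      AUTHENTICATION_BACKEND_LDAP_PASSWORD:
        from_secret: AUTHENTICATION_BACKEND_LDAP_PASSWORD
      IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET:
        from_secret: IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET
      STORAGE_ENCRYPTION_KEY:
        from_secret: STORAGE_ENCRYPTION_KEY
      SESSION_SECRET:
        from_secret: SESSION_SECRET
      NOTIFIER_SMTP_PASSWORD:
        from_secret: NOTIFIER_SMTP_PASSWORD
      # OIDC Secrets
      IDENTITY_PROVIDERS_OIDC_HMAC_SECRET:
        from_secret: IDENTITY_PROVIDERS_OIDC_HMAC_SECRET
      IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY:
        from_secret: IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY
      IDENTITY_PROVIDERS_OIDC_JWKS_KEY:
        from_secret: IDENTITY_PROVIDERS_OIDC_JWKS_KEY
      # # Client Secrets
      # CLIENT_SECRET_HEADSCALE:
      #   from_secret: CLIENT_SECRET_HEADSCALE
      # CLIENT_SECRET_HEADADMIN:
      #   from_secret: CLIENT_SECRET_HEADADMIN
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    commands:
      - echo "Logging into registries"
      # --password-stdin keeps the password out of argv / the process list.
      # `$${...}` is escaped so the shell, not Woodpecker, expands the variable.
      - echo "$${DOCKER_REGISTRY_PASSWORD}" | docker login -u "$${DOCKER_REGISTRY_USER}" --password-stdin
      - echo "$${REGISTRY_PASSWORD}" | docker login -u "$${REGISTRY_USER}" --password-stdin git.nixc.us
      - echo "Building and pushing application for staging"
      - docker compose -f docker-compose.staging.yml build --no-cache
      - docker compose -f docker-compose.staging.yml push
    when:
      branch: main
      event: push

  # Deploy Staging
  deploy-staging:
    name: deploy-staging
    image: woodpeckerci/plugin-docker-buildx
    environment:
      REGISTRY_USER:
        from_secret: REGISTRY_USER
      REGISTRY_PASSWORD:
        from_secret: REGISTRY_PASSWORD
      # NOTE(review): the commands in this step only use the registry
      # credentials. The Authelia secrets below matter only if
      # stack.staging.yml interpolates them; if it does, they end up in the
      # service spec (visible via `docker service inspect`) rather than as swarm
      # secrets — prefer referencing the swarm secrets created later instead.
      # Authelia Core Secrets
      AUTHENTICATION_BACKEND_LDAP_PASSWORD:
        from_secret: AUTHENTICATION_BACKEND_LDAP_PASSWORD
      IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET:
        from_secret: IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET
      STORAGE_ENCRYPTION_KEY:
        from_secret: STORAGE_ENCRYPTION_KEY
      SESSION_SECRET:
        from_secret: SESSION_SECRET
      NOTIFIER_SMTP_PASSWORD:
        from_secret: NOTIFIER_SMTP_PASSWORD
      # OIDC Secrets
      IDENTITY_PROVIDERS_OIDC_HMAC_SECRET:
        from_secret: IDENTITY_PROVIDERS_OIDC_HMAC_SECRET
      IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY:
        from_secret: IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY
      IDENTITY_PROVIDERS_OIDC_JWKS_KEY:
        from_secret: IDENTITY_PROVIDERS_OIDC_JWKS_KEY
      # Client Secrets
      CLIENT_SECRET_HEADSCALE:
        from_secret: CLIENT_SECRET_HEADSCALE
      CLIENT_SECRET_HEADADMIN:
        from_secret: CLIENT_SECRET_HEADADMIN
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    commands:
      - echo "Deploying to staging environment"
      - echo "$${REGISTRY_PASSWORD}" | docker login -u "$${REGISTRY_USER}" --password-stdin git.nixc.us
      # --with-registry-auth forwards the login above to the swarm nodes so they
      # can pull from the private registry.
      - docker stack deploy --with-registry-auth -c ./stack.staging.yml $${CI_REPO_NAME}-staging
    when:
      branch: main
      event: push

  # Cleanup Staging
  cleanup-staging:
    name: cleanup-staging
    image: woodpeckerci/plugin-docker-buildx
    # Nothing here logs in to a registry, so no registry credentials are
    # injected into this step (least privilege).
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    commands:
      - echo "Cleaning up staging environment"
      # Retry the stack removal up to five times. The list is spelled out
      # because `{1..5}` brace expansion is bash-only and degrades to a single
      # iteration under POSIX sh.
      - for i in 1 2 3 4 5; do docker stack rm $${CI_REPO_NAME}-staging && break || sleep 10; done
      - docker compose -f docker-compose.staging.yml down
      - docker compose -f docker-compose.staging.yml rm -f
    when:
      branch: main
      event: push

  # Build and Push for Production
  build-push-production:
    name: build-push-production
    image: woodpeckerci/plugin-docker-buildx
    environment:
      REGISTRY_USER:
        from_secret: REGISTRY_USER
      REGISTRY_PASSWORD:
        from_secret: REGISTRY_PASSWORD
      DOCKER_REGISTRY_USER:
        from_secret: DOCKER_REGISTRY_USER
      DOCKER_REGISTRY_PASSWORD:
        from_secret: DOCKER_REGISTRY_PASSWORD
      # NOTE(review): as in build-push-staging, the commands below do not use
      # the Authelia secrets; remove them unless docker-compose.production.yml
      # interpolates them at build time.
      # Authelia Core Secrets
      AUTHENTICATION_BACKEND_LDAP_PASSWORD:
        from_secret: AUTHENTICATION_BACKEND_LDAP_PASSWORD
      IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET:
        from_secret: IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET
      STORAGE_ENCRYPTION_KEY:
        from_secret: STORAGE_ENCRYPTION_KEY
      SESSION_SECRET:
        from_secret: SESSION_SECRET
      NOTIFIER_SMTP_PASSWORD:
        from_secret: NOTIFIER_SMTP_PASSWORD
      # OIDC Secrets
      IDENTITY_PROVIDERS_OIDC_HMAC_SECRET:
        from_secret: IDENTITY_PROVIDERS_OIDC_HMAC_SECRET
      IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY:
        from_secret: IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY
      IDENTITY_PROVIDERS_OIDC_JWKS_KEY:
        from_secret: IDENTITY_PROVIDERS_OIDC_JWKS_KEY
      # Client Secrets
      CLIENT_SECRET_HEADSCALE:
        from_secret: CLIENT_SECRET_HEADSCALE
      CLIENT_SECRET_HEADADMIN:
        from_secret: CLIENT_SECRET_HEADADMIN
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    commands:
      - echo "Logging into registries"
      - echo "$${DOCKER_REGISTRY_PASSWORD}" | docker login -u "$${DOCKER_REGISTRY_USER}" --password-stdin
      - echo "$${REGISTRY_PASSWORD}" | docker login -u "$${REGISTRY_USER}" --password-stdin git.nixc.us
      - echo "Building and pushing application for production"
      - docker compose -f docker-compose.production.yml build --no-cache
      - docker compose -f docker-compose.production.yml push
    when:
      branch: main
      event: [push, cron]

  # Create Docker Secrets
  create-docker-secrets:
    name: create-docker-secrets
    image: woodpeckerci/plugin-docker-buildx
    # Only the values that become swarm secrets are injected here. `docker
    # secret` talks to the daemon over the socket and needs no registry login.
    environment:
      # Authelia Core Secrets
      AUTHENTICATION_BACKEND_LDAP_PASSWORD:
        from_secret: AUTHENTICATION_BACKEND_LDAP_PASSWORD
      IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET:
        from_secret: IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET
      STORAGE_ENCRYPTION_KEY:
        from_secret: STORAGE_ENCRYPTION_KEY
      SESSION_SECRET:
        from_secret: SESSION_SECRET
      NOTIFIER_SMTP_PASSWORD:
        from_secret: NOTIFIER_SMTP_PASSWORD
      # OIDC Secrets
      IDENTITY_PROVIDERS_OIDC_HMAC_SECRET:
        from_secret: IDENTITY_PROVIDERS_OIDC_HMAC_SECRET
      IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY:
        from_secret: IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY
      IDENTITY_PROVIDERS_OIDC_JWKS_KEY:
        from_secret: IDENTITY_PROVIDERS_OIDC_JWKS_KEY
      # Client Secrets
      CLIENT_SECRET_HEADSCALE:
        from_secret: CLIENT_SECRET_HEADSCALE
      CLIENT_SECRET_HEADADMIN:
        from_secret: CLIENT_SECRET_HEADADMIN
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    # Rotation strategy: remove each swarm secret, then recreate it from the CI
    # secret store. Caveats a maintainer should know:
    #   * `docker secret rm` is refused while a running service still references
    #     the secret; `|| true` hides that, and the following `create` then fails
    #     because the name still exists. If stack.production.yml references these
    #     secrets, a real rotation needs versioned secret names (or the stack
    #     removed first).
    #   * `echo` appends a trailing newline to every stored value; the consumer
    #     must tolerate it (or switch to `printf '%s'`, which changes the stored
    #     bytes for every secret at once).
    commands:
      - docker secret rm AUTHENTICATION_BACKEND_LDAP_PASSWORD || true
      - docker secret rm IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET || true
      - docker secret rm STORAGE_ENCRYPTION_KEY || true
      - docker secret rm SESSION_SECRET || true
      - docker secret rm NOTIFIER_SMTP_PASSWORD || true
      - docker secret rm IDENTITY_PROVIDERS_OIDC_HMAC_SECRET || true
      - docker secret rm IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY || true
      - docker secret rm IDENTITY_PROVIDERS_OIDC_JWKS_KEY || true
      - docker secret rm CLIENT_SECRET_HEADSCALE || true
      - docker secret rm CLIENT_SECRET_HEADADMIN || true
      # Values are piped on stdin (`-`) so they never appear on a command line.
      - echo "$${AUTHENTICATION_BACKEND_LDAP_PASSWORD}" | docker secret create AUTHENTICATION_BACKEND_LDAP_PASSWORD -
      - echo "$${IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET}" | docker secret create IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET -
      - echo "$${STORAGE_ENCRYPTION_KEY}" | docker secret create STORAGE_ENCRYPTION_KEY -
      - echo "$${SESSION_SECRET}" | docker secret create SESSION_SECRET -
      - echo "$${NOTIFIER_SMTP_PASSWORD}" | docker secret create NOTIFIER_SMTP_PASSWORD -
      - echo "$${IDENTITY_PROVIDERS_OIDC_HMAC_SECRET}" | docker secret create IDENTITY_PROVIDERS_OIDC_HMAC_SECRET -
      - echo "$${IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY}" | docker secret create IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY -
      - echo "$${IDENTITY_PROVIDERS_OIDC_JWKS_KEY}" | docker secret create IDENTITY_PROVIDERS_OIDC_JWKS_KEY -
      - echo "$${CLIENT_SECRET_HEADSCALE}" | docker secret create CLIENT_SECRET_HEADSCALE -
      - echo "$${CLIENT_SECRET_HEADADMIN}" | docker secret create CLIENT_SECRET_HEADADMIN -
    when:
      branch: main
      event: [push, cron]

  # Deploy Production
  deploy-production:
    name: deploy-production
    image: woodpeckerci/plugin-docker-buildx
    environment:
      REGISTRY_USER:
        from_secret: REGISTRY_USER
      REGISTRY_PASSWORD:
        from_secret: REGISTRY_PASSWORD
      # NOTE(review): same as deploy-staging — the commands only use the registry
      # credentials. The stack should consume the swarm secrets created in
      # create-docker-secrets; remove the values below unless
      # stack.production.yml interpolates them.
      # Authelia Core Secrets
      AUTHENTICATION_BACKEND_LDAP_PASSWORD:
        from_secret: AUTHENTICATION_BACKEND_LDAP_PASSWORD
      IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET:
        from_secret: IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET
      STORAGE_ENCRYPTION_KEY:
        from_secret: STORAGE_ENCRYPTION_KEY
      SESSION_SECRET:
        from_secret: SESSION_SECRET
      NOTIFIER_SMTP_PASSWORD:
        from_secret: NOTIFIER_SMTP_PASSWORD
      # OIDC Secrets
      IDENTITY_PROVIDERS_OIDC_HMAC_SECRET:
        from_secret: IDENTITY_PROVIDERS_OIDC_HMAC_SECRET
      IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY:
        from_secret: IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY
      IDENTITY_PROVIDERS_OIDC_JWKS_KEY:
        from_secret: IDENTITY_PROVIDERS_OIDC_JWKS_KEY
      # Client Secrets
      CLIENT_SECRET_HEADSCALE:
        from_secret: CLIENT_SECRET_HEADSCALE
      CLIENT_SECRET_HEADADMIN:
        from_secret: CLIENT_SECRET_HEADADMIN
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    commands:
      - echo "Deploying to production environment"
      - echo "$${REGISTRY_PASSWORD}" | docker login -u "$${REGISTRY_USER}" --password-stdin git.nixc.us
      - docker stack deploy --with-registry-auth -c ./stack.production.yml $${CI_REPO_NAME}
    when:
      branch: main
      event: [push, cron]

  # Post-Deployment Smoke Tests
  post-deploy-smoke-tests:
    name: run-post-deploy-smoke-tests
    # TODO(review): pin this image to a digest; ":latest" makes the test runner
    # mutable from the registry side. The image's own entrypoint runs the tests
    # (no `commands` here).
    image: git.nixc.us/colin/playwright:latest
    environment:
      BASE_URL: https://git.nixc.us
    when:
      branch: main
      event: push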