labels: location: manager clone: git: image: woodpeckerci/plugin-git settings: partial: false depth: 1 recursive: true steps: # Build and Push for Staging build-push-staging: name: build-push-staging image: woodpeckerci/plugin-docker-buildx environment: REGISTRY_USER: from_secret: REGISTRY_USER REGISTRY_PASSWORD: from_secret: REGISTRY_PASSWORD DOCKER_REGISTRY_USER: from_secret: DOCKER_REGISTRY_USER DOCKER_REGISTRY_PASSWORD: from_secret: DOCKER_REGISTRY_PASSWORD # Authelia Core Secrets AUTHENTICATION_BACKEND_LDAP_PASSWORD: from_secret: AUTHENTICATION_BACKEND_LDAP_PASSWORD IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET: from_secret: IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET STORAGE_ENCRYPTION_KEY: from_secret: STORAGE_ENCRYPTION_KEY SESSION_SECRET: from_secret: SESSION_SECRET NOTIFIER_SMTP_PASSWORD: from_secret: NOTIFIER_SMTP_PASSWORD # OIDC Secrets IDENTITY_PROVIDERS_OIDC_HMAC_SECRET: from_secret: IDENTITY_PROVIDERS_OIDC_HMAC_SECRET IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: from_secret: IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY IDENTITY_PROVIDERS_OIDC_JWKS_KEY: from_secret: IDENTITY_PROVIDERS_OIDC_JWKS_KEY # # Client Secrets # CLIENT_SECRET_HEADSCALE: # from_secret: CLIENT_SECRET_HEADSCALE # CLIENT_SECRET_HEADADMIN: # from_secret: CLIENT_SECRET_HEADADMIN volumes: - /var/run/docker.sock:/var/run/docker.sock commands: - echo "Logging into registries" - echo "$${DOCKER_REGISTRY_PASSWORD}" | docker login -u "$${DOCKER_REGISTRY_USER}" --password-stdin - echo "$${REGISTRY_PASSWORD}" | docker login -u "$${REGISTRY_USER}" --password-stdin git.nixc.us - echo "Building and pushing application for staging" - docker compose -f docker-compose.staging.yml build --no-cache - docker compose -f docker-compose.staging.yml push when: branch: main event: push # Deploy Staging deploy-staging: name: deploy-staging image: woodpeckerci/plugin-docker-buildx environment: REGISTRY_USER: from_secret: REGISTRY_USER REGISTRY_PASSWORD: from_secret: REGISTRY_PASSWORD # Authelia Core Secrets AUTHENTICATION_BACKEND_LDAP_PASSWORD: from_secret: AUTHENTICATION_BACKEND_LDAP_PASSWORD IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET: from_secret: IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET STORAGE_ENCRYPTION_KEY: from_secret: STORAGE_ENCRYPTION_KEY SESSION_SECRET: from_secret: SESSION_SECRET NOTIFIER_SMTP_PASSWORD: from_secret: NOTIFIER_SMTP_PASSWORD # OIDC Secrets IDENTITY_PROVIDERS_OIDC_HMAC_SECRET: from_secret: IDENTITY_PROVIDERS_OIDC_HMAC_SECRET IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: from_secret: IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY IDENTITY_PROVIDERS_OIDC_JWKS_KEY: from_secret: IDENTITY_PROVIDERS_OIDC_JWKS_KEY # Client Secrets CLIENT_SECRET_HEADSCALE: from_secret: CLIENT_SECRET_HEADSCALE CLIENT_SECRET_HEADADMIN: from_secret: CLIENT_SECRET_HEADADMIN volumes: - /var/run/docker.sock:/var/run/docker.sock commands: - echo "Deploying to staging environment" - echo "$${REGISTRY_PASSWORD}" | docker login -u "$${REGISTRY_USER}" --password-stdin git.nixc.us - docker stack deploy --with-registry-auth -c ./stack.staging.yml $${CI_REPO_NAME}-staging when: branch: main event: push # Cleanup Staging cleanup-staging: name: cleanup-staging image: woodpeckerci/plugin-docker-buildx environment: REGISTRY_USER: from_secret: REGISTRY_USER REGISTRY_PASSWORD: from_secret: REGISTRY_PASSWORD volumes: - /var/run/docker.sock:/var/run/docker.sock commands: - echo "Cleaning up staging environment" - for i in {1..5}; do docker stack rm ${CI_REPO_NAME}-staging && break || sleep 10; done - docker compose -f docker-compose.staging.yml down - docker compose -f docker-compose.staging.yml rm -f when: branch: main event: push # Build and Push for Production build-push-production: name: build-push-production image: woodpeckerci/plugin-docker-buildx environment: REGISTRY_USER: from_secret: REGISTRY_USER REGISTRY_PASSWORD: from_secret: REGISTRY_PASSWORD DOCKER_REGISTRY_USER: from_secret: DOCKER_REGISTRY_USER DOCKER_REGISTRY_PASSWORD: from_secret: DOCKER_REGISTRY_PASSWORD # Authelia Core Secrets AUTHENTICATION_BACKEND_LDAP_PASSWORD: from_secret: AUTHENTICATION_BACKEND_LDAP_PASSWORD IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET: from_secret: IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET STORAGE_ENCRYPTION_KEY: from_secret: STORAGE_ENCRYPTION_KEY SESSION_SECRET: from_secret: SESSION_SECRET NOTIFIER_SMTP_PASSWORD: from_secret: NOTIFIER_SMTP_PASSWORD # OIDC Secrets IDENTITY_PROVIDERS_OIDC_HMAC_SECRET: from_secret: IDENTITY_PROVIDERS_OIDC_HMAC_SECRET IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: from_secret: IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY IDENTITY_PROVIDERS_OIDC_JWKS_KEY: from_secret: IDENTITY_PROVIDERS_OIDC_JWKS_KEY # Client Secrets CLIENT_SECRET_HEADSCALE: from_secret: CLIENT_SECRET_HEADSCALE CLIENT_SECRET_HEADADMIN: from_secret: CLIENT_SECRET_HEADADMIN volumes: - /var/run/docker.sock:/var/run/docker.sock commands: - echo "Logging into registries" - echo "$${DOCKER_REGISTRY_PASSWORD}" | docker login -u "$${DOCKER_REGISTRY_USER}" --password-stdin - echo "$${REGISTRY_PASSWORD}" | docker login -u "$${REGISTRY_USER}" --password-stdin git.nixc.us - echo "Building and pushing application for production" - docker compose -f docker-compose.production.yml build --no-cache - docker compose -f docker-compose.production.yml push when: branch: main event: [push, cron] # Deploy Production deploy-production: name: deploy-production image: woodpeckerci/plugin-docker-buildx environment: REGISTRY_USER: from_secret: REGISTRY_USER REGISTRY_PASSWORD: from_secret: REGISTRY_PASSWORD # Authelia Core Secrets AUTHENTICATION_BACKEND_LDAP_PASSWORD: from_secret: AUTHENTICATION_BACKEND_LDAP_PASSWORD IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET: from_secret: IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET STORAGE_ENCRYPTION_KEY: from_secret: STORAGE_ENCRYPTION_KEY SESSION_SECRET: from_secret: SESSION_SECRET NOTIFIER_SMTP_PASSWORD: from_secret: NOTIFIER_SMTP_PASSWORD # OIDC Secrets IDENTITY_PROVIDERS_OIDC_HMAC_SECRET: from_secret: IDENTITY_PROVIDERS_OIDC_HMAC_SECRET IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: from_secret: IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY IDENTITY_PROVIDERS_OIDC_JWKS_KEY: from_secret: IDENTITY_PROVIDERS_OIDC_JWKS_KEY # Client Secrets CLIENT_SECRET_HEADSCALE: from_secret: CLIENT_SECRET_HEADSCALE CLIENT_SECRET_HEADADMIN: from_secret: CLIENT_SECRET_HEADADMIN volumes: - /var/run/docker.sock:/var/run/docker.sock commands: - echo "=== DEBUGGING CI WORKSPACE ===" - pwd - ls -la - echo "=== CHECKING SCRIPTS DIRECTORY ===" - ls -la scripts/ || echo "scripts directory not found" - echo "=== AVAILABLE SHELLS ===" - which bash || echo "bash not found" - which sh || echo "sh not found" - echo "=== ENVIRONMENT INFO ===" - uname -a || echo "uname not available" - echo "=== ATTEMPTING DEPLOYMENT ===" - sh ./scripts/ci-deploy-production.sh when: branch: main event: [push, cron] # Post-Deployment Smoke Tests post-deploy-smoke-tests: name: run-post-deploy-smoke-tests image: git.nixc.us/colin/playwright:latest environment: BASE_URL: https://git.nixc.us when: branch: main event: push