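#!/usr/bin/env bash
# Static workflow: clean (stack rm + prune) -> rebuild (on deploy context) -> redeploy.
# No push; uses local images.
#
# Environment:
#   DOCKER_DEPLOY_CONTEXT        docker context to target (default: orbstack)
#   STACK_NAME                   swarm stack name (default: authelia)
#   STACK_RM_WAIT                max seconds to wait for `stack rm` to finish (default: 15)
#   AUTHELIA_LDAP_PASSWORD_FILE  file holding the LDAP bind password (preferred), or
#   AUTHELIA_LDAP_PASSWORD       the password itself (fallback; environment is visible to
#                                child processes, so prefer the file form)
#
# The LDAP password is no longer embedded in this script; a previously embedded value
# must be treated as disclosed and rotated on the LDAP side as well.
#
# The clean step deletes the stack's data volumes (config, assets, redis, mariadb, lldap)
# and all five swarm secrets, so every run is a full reset, not an in-place upgrade.
#
# Requires: swarm mode, secrets/networks on deploy node, git, openssl.
# Needs bash (not /bin/sh): `set -o pipefail` is not available in dash/ash.
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
STACK_NAME="${STACK_NAME:-authelia}"
DEPLOY_CTX="${DOCKER_DEPLOY_CONTEXT:-orbstack}"
STACK_RM_WAIT="${STACK_RM_WAIT:-15}"
readonly SCRIPT_DIR REPO_ROOT STACK_NAME DEPLOY_CTX STACK_RM_WAIT

# Volumes and secrets owned by the stack; removed on clean, secrets recreated on deploy.
readonly -a STACK_VOLUMES=(
  authelia_authelia_config
  authelia_authelia_assets
  authelia_authelia_redis_data
  authelia_authelia_mariadb_data
  authelia_lldap_data
)
readonly -a STACK_SECRETS=(
  AUTHENTICATION_BACKEND_LDAP_PASSWORD
  IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET
  NOTIFIER_SMTP_PASSWORD
  SESSION_SECRET
  STORAGE_ENCRYPTION_KEY
)

#######################################
# Print an error to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print a section banner to stdout.
# Arguments: banner text
#######################################
banner() {
  printf '=== %s ===\n' "$*"
}

#######################################
# Emit the LDAP bind password on stdout, taken from a file (preferred) or the
# environment. Fails loudly so the check runs before anything destructive.
# Globals:  AUTHELIA_LDAP_PASSWORD_FILE, AUTHELIA_LDAP_PASSWORD (read)
# Outputs:  password on stdout
# Returns:  0 on success; exits via die when neither source is set
#######################################
read_ldap_password() {
  if [[ -n "${AUTHELIA_LDAP_PASSWORD_FILE:-}" ]]; then
    [[ -r "$AUTHELIA_LDAP_PASSWORD_FILE" ]] \
      || die "cannot read AUTHELIA_LDAP_PASSWORD_FILE=$AUTHELIA_LDAP_PASSWORD_FILE"
    cat -- "$AUTHELIA_LDAP_PASSWORD_FILE"
  elif [[ -n "${AUTHELIA_LDAP_PASSWORD:-}" ]]; then
    printf '%s\n' "$AUTHELIA_LDAP_PASSWORD"
  else
    die "set AUTHELIA_LDAP_PASSWORD_FILE (or AUTHELIA_LDAP_PASSWORD) to the LDAP bind password"
  fi
}

#######################################
# Create swarm secret NAME from stdin unless a secret of that name already exists.
# Unlike a blanket `|| true`, any other create failure aborts the script.
# Arguments: $1 - secret name
# Returns:   0 on success or when the secret already exists
#######################################
create_secret_if_missing() {
  local name=$1
  if docker secret inspect "$name" >/dev/null 2>&1; then
    printf 'secret %s already exists; keeping it\n' "$name" >&2
    return 0
  fi
  docker secret create "$name" - >/dev/null
}

#######################################
# Emit 32 random bytes, base64-encoded, on stdout.
#######################################
random_secret() {
  openssl rand -base64 32
}

#######################################
# Return 0 while tasks or stack-owned networks of STACK_NAME still exist.
# Globals: STACK_NAME (read)
#######################################
stack_resources_remain() {
  if docker stack ps "$STACK_NAME" --format '{{.ID}}' 2>/dev/null | grep -q .; then
    return 0
  fi
  docker network ls --filter "label=com.docker.stack.namespace=$STACK_NAME" -q | grep -q .
}

#######################################
# Poll until the removed stack's resources are gone, giving up after STACK_RM_WAIT
# seconds (the previous fixed sleep could be too short or needlessly long).
# Globals: STACK_NAME, STACK_RM_WAIT (read)
#######################################
wait_for_stack_removal() {
  local waited=0
  while stack_resources_remain; do
    if (( waited >= STACK_RM_WAIT )); then
      printf 'stack %s still has resources after %ss; continuing\n' \
        "$STACK_NAME" "$STACK_RM_WAIT" >&2
      return 0
    fi
    sleep 1
    waited=$((waited + 1))
  done
}

#######################################
# Remove the stack, its volumes and secrets, and prune unused images.
# Note: `image prune -a` removes every unused image on the deploy node, not only
# this stack's.
# Globals: STACK_NAME, STACK_VOLUMES, STACK_SECRETS (read)
#######################################
clean_on_deploy_context() {
  local vol name
  docker stack rm "$STACK_NAME" 2>/dev/null || true
  wait_for_stack_removal
  docker image prune -a -f 2>/dev/null || true
  for vol in "${STACK_VOLUMES[@]}"; do
    docker volume rm "$vol" 2>/dev/null || true   # best effort: volume may not exist
  done
  for name in "${STACK_SECRETS[@]}"; do
    docker secret rm "$name" 2>/dev/null || true  # best effort: secret may not exist
  done
}

#######################################
# Build the production images locally on the deploy context.
# Globals: BUILD_COMMIT, BUILD_TIME (read)
#######################################
build_on_deploy_context() {
  docker compose -f docker-compose.production.yml build --no-cache \
    --build-arg BUILD_COMMIT="$BUILD_COMMIT" \
    --build-arg BUILD_TIME="$BUILD_TIME"
}

#######################################
# Create the external overlay networks the stack attaches to, if absent.
#######################################
ensure_external_networks() {
  local net
  for net in traefik ad; do
    if ! docker network inspect "$net" >/dev/null 2>&1; then
      docker network create "$net" --driver overlay --attachable
    fi
  done
}

#######################################
# Create the stack's swarm secrets. Random secrets are regenerated on every run;
# this is consistent because the clean step also wipes the encrypted storage.
# Globals: LDAP_PW (read)
#######################################
ensure_secrets() {
  # Trailing newline kept to match the value shape the previous `echo |` produced.
  printf '%s\n' "$LDAP_PW" | create_secret_if_missing AUTHENTICATION_BACKEND_LDAP_PASSWORD
  random_secret | create_secret_if_missing IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET
  printf '%s\n' "not-configured" | create_secret_if_missing NOTIFIER_SMTP_PASSWORD
  random_secret | create_secret_if_missing SESSION_SECRET
  random_secret | create_secret_if_missing STORAGE_ENCRYPTION_KEY
}

#######################################
# Initialise swarm mode if the node is not already an active member.
# Exact comparison: `grep -q active` also matched the "inactive" state and
# skipped the init.
#######################################
ensure_swarm_active() {
  local state
  state="$(docker info --format '{{.Swarm.LocalNodeState}}')"
  if [[ "$state" != "active" ]]; then
    docker swarm init
  fi
}

#######################################
# Deploy the stack from stack.production.yml and list its tasks.
# Globals: STACK_NAME (read)
#######################################
deploy_on_deploy_context() {
  ensure_swarm_active
  ensure_external_networks
  ensure_secrets
  docker stack deploy --with-registry-auth -c ./stack.production.yml "$STACK_NAME"
  docker stack ps "$STACK_NAME"
}

main() {
  cd "$REPO_ROOT"

  if [[ -n "$(git status --porcelain)" ]]; then
    die "Working tree is dirty. Commit your changes before deploying."
  fi

  # Scope the context to this process; `docker context use` would persist the
  # switch for every other shell of this user.
  docker context inspect "$DEPLOY_CTX" >/dev/null 2>&1 \
    || die "docker context '$DEPLOY_CTX' not found"
  export DOCKER_CONTEXT="$DEPLOY_CTX"

  # Resolve the LDAP password before the destructive clean step runs.
  LDAP_PW="$(read_ldap_password)"
  readonly LDAP_PW

  BUILD_COMMIT="$(git rev-parse --short HEAD)"
  BUILD_TIME="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
  readonly BUILD_COMMIT BUILD_TIME
  banner "Building commit $BUILD_COMMIT"

  banner "Clean (stack rm + prune) on context: $DEPLOY_CTX"
  clean_on_deploy_context
  banner "Rebuild (on $DEPLOY_CTX, local images)"
  build_on_deploy_context
  banner "Redeploy on context: $DEPLOY_CTX"
  deploy_on_deploy_context
  banner "Done"
}

main "$@"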