diff --git a/.gitea/workflows/nightly.yml b/.gitea/workflows/nightly.yml
index 86564f9c..81cf885c 100644
--- a/.gitea/workflows/nightly.yml
+++ b/.gitea/workflows/nightly.yml
@@ -30,6 +30,9 @@ name: nightly
 # STAGING_OCR_TRAINING_TOKEN
 # STAGING_APP_ADMIN_USERNAME
 # STAGING_APP_ADMIN_PASSWORD
+# GRAFANA_ADMIN_PASSWORD
+# GLITCHTIP_SECRET_KEY
+# SENTRY_DSN (set after GlitchTip first-run; empty = Sentry disabled)
 
 on:
 schedule:
@@ -74,6 +77,14 @@ jobs:
 MAIL_STARTTLS_ENABLE=false
 APP_MAIL_FROM=noreply@staging.raddatz.cloud
 IMPORT_HOST_DIR=/srv/familienarchiv-staging/import
+ POSTGRES_USER=archiv
+ PORT_GRAFANA=3003
+ PORT_GLITCHTIP=3002
+ PORT_PROMETHEUS=9090
+ GRAFANA_ADMIN_PASSWORD=${{ secrets.GRAFANA_ADMIN_PASSWORD }}
+ GLITCHTIP_SECRET_KEY=${{ secrets.GLITCHTIP_SECRET_KEY }}
+ GLITCHTIP_DOMAIN=https://glitchtip.archiv.raddatz.cloud
+ SENTRY_DSN=${{ secrets.SENTRY_DSN }}
 EOF
 
 - name: Verify backend /import:ro mount is wired
@@ -120,6 +131,13 @@ jobs:
 --profile staging \
 up -d --wait --remove-orphans
 
+ - name: Start observability stack
+ run: |
+ docker compose \
+ -f docker-compose.observability.yml \
+ --env-file .env.staging \
+ up -d --wait --remove-orphans
+
 - name: Reload Caddy
 # Apply any committed Caddyfile changes before smoke-testing the
 # public surface. Without this step, a Caddyfile edit lands in the
diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index d980ca10..2645dc15 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -34,6 +34,9 @@ name: release
 # MAIL_PORT
 # MAIL_USERNAME
 # MAIL_PASSWORD
+# GRAFANA_ADMIN_PASSWORD
+# GLITCHTIP_SECRET_KEY
+# SENTRY_DSN (set after GlitchTip first-run; empty = Sentry disabled)
 
 on:
 push:
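Review bot: The new `GRAFANA_ADMIN_PASSWORD=${{ secrets.GRAFANA_ADMIN_PASSWORD }}` line substitutes the secret into the script text before the shell runs the heredoc, so if the heredoc opener (above this hunk) is an unquoted `<<EOF`, a password containing `$`, backticks or `\` is altered by shell expansion before it reaches .env.staging; `GLITCHTIP_SECRET_KEY` from `openssl rand -hex 32` is safe, an arbitrary Grafana password is not. Exposing the secret through the step's `env:` mapping and writing `GRAFANA_ADMIN_PASSWORD=$GRAFANA_ADMIN_PASSWORD` inside the heredoc avoids that, since the result of a heredoc parameter expansion is not re-parsed. Separately, `PORT_GRAFANA`/`PORT_GLITCHTIP`/`PORT_PROMETHEUS` and `GLITCHTIP_DOMAIN` are written with identical values in release.yml's .env.production hunk; if staging and production deploy to the same host (the single shared Caddyfile suggests they do), this is one host-wide observability stack reconfigured by whichever workflow ran last, which deserves a comment such as `# observability stack is host-wide; keep ports and GLITCHTIP_DOMAIN identical to release.yml`. The `run:` block that opens the heredoc starts outside the hunk.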
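Review bot: The `Start observability stack` step runs `docker compose -f docker-compose.observability.yml ... up -d --wait --remove-orphans` in the same checkout as the main stack's `docker compose ... --profile staging up` just above it; unless docker-compose.observability.yml sets a top-level `name:` (not visible in this diff), `COMPOSE_PROJECT_NAME` is exported, or the step passes `-p`, both invocations resolve to the same compose project derived from the directory name, and `--remove-orphans` then treats the app containers started by the previous step as orphans of this file and removes them. The minimal safe change is to give the stack its own project, `docker compose -p <observability-project-name> \` (name to be chosen), or to drop `--remove-orphans` from this step only. The identical step in release.yml's `Start observability stack` hunk has the same issue.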
@@ -72,6 +75,14 @@ jobs: MAIL_STARTTLS_ENABLE=true APP_MAIL_FROM=noreply@raddatz.cloud IMPORT_HOST_DIR=/srv/familienarchiv-production/import + POSTGRES_USER=archiv + PORT_GRAFANA=3003 + PORT_GLITCHTIP=3002 + PORT_PROMETHEUS=9090 + GRAFANA_ADMIN_PASSWORD=${{ secrets.GRAFANA_ADMIN_PASSWORD }} + GLITCHTIP_SECRET_KEY=${{ secrets.GLITCHTIP_SECRET_KEY }} + GLITCHTIP_DOMAIN=https://glitchtip.archiv.raddatz.cloud + SENTRY_DSN=${{ secrets.SENTRY_DSN }} EOF - name: Build images @@ -93,6 +104,13 @@ jobs: --env-file .env.production \ up -d --wait --remove-orphans + - name: Start observability stack + run: | + docker compose \ + -f docker-compose.observability.yml \ + --env-file .env.production \ + up -d --wait --remove-orphans + - name: Reload Caddy # See nightly.yml — same rationale and mechanism: DooD job containers # cannot call systemctl directly; nsenter via a privileged sibling diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml index e8687d45..73139252 100644 --- a/docker-compose.prod.yml +++ b/docker-compose.prod.yml @@ -39,6 +39,7 @@ networks: archiv-net: driver: bridge + name: archiv-net volumes: postgres-data: diff --git a/docs/DEPLOYMENT.md b/docs/DEPLOYMENT.md index 32e47798..b6845cf3 100644 --- a/docs/DEPLOYMENT.md +++ b/docs/DEPLOYMENT.md @@ -223,6 +223,9 @@ git.raddatz.cloud A | `MAIL_PORT` | release.yml | typically `587` | | `MAIL_USERNAME` | release.yml | SMTP user | | `MAIL_PASSWORD` | release.yml | SMTP password | +| `GRAFANA_ADMIN_PASSWORD` | both | Grafana `admin` login — generate a strong password | +| `GLITCHTIP_SECRET_KEY` | both | Django secret key — `openssl rand -hex 32` | +| `SENTRY_DSN` | both | GlitchTip project DSN — set after first-run (§4); leave empty to keep Sentry disabled | ### 3.4 First deploy diff --git a/infra/caddy/Caddyfile b/infra/caddy/Caddyfile index 2c0c0757..b3d1e971 100644 --- a/infra/caddy/Caddyfile +++ b/infra/caddy/Caddyfile 
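Review bot: `name: archiv-net` decouples the Docker network name from the compose project name, presumably so the new observability stack can attach to it as an external network, but nothing in the diff records that intent; a one-line comment above it, `# fixed name so docker-compose.observability.yml can join this network as external`, would make the coupling visible to the next editor. If staging and production are deployed from the same host, every project using this file now points at a single network object, so either their containers share one bridge or compose rejects the second `up` depending on the labels it finds on the existing network — worth verifying before relying on it.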
@@ -88,3 +88,13 @@ git.raddatz.cloud {
 import security_headers
 reverse_proxy 127.0.0.1:3005
 }
+
+grafana.archiv.raddatz.cloud {
+ import security_headers
+ reverse_proxy 127.0.0.1:3003
+}
+
+glitchtip.archiv.raddatz.cloud {
+ import security_headers
+ reverse_proxy 127.0.0.1:3002
+}
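Review bot: The two new vhosts proxy to `127.0.0.1:3003` and `127.0.0.1:3002`, but nothing in this diff shows docker-compose.observability.yml binding those host ports to loopback; if it publishes them as `3003:3000` rather than `127.0.0.1:3003:3000`, Grafana and GlitchTip stay reachable directly on the host ports, bypassing Caddy's TLS and the `security_headers` snippet that this hunk applies. The same check applies to `PORT_PROMETHEUS=9090`, which has no vhost at all and should not be reachable beyond the host. A comment on the new blocks, `# upstream must be bound to 127.0.0.1 in docker-compose.observability.yml`, would record the assumption.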