|
| 1 | +name: Deploy |
| 2 | + |
| 3 | +# Deploys the docker-compose stack to the Hetzner host via Ansible. The host has |
| 4 | +# no public SSH, so the runner joins the tailnet (Tailscale) and reaches it over |
| 5 | +# Tailscale SSH. Secrets come from GitHub Actions Secrets (no Ansible Vault). |
| 6 | + |
| 7 | +on: |
| 8 | + push: |
| 9 | + branches: [main] |
| 10 | + workflow_dispatch: |
| 11 | + |
| 12 | +# Never let two deploys race on the same host. |
| 13 | +concurrency: |
| 14 | + group: deploy-production |
| 15 | + cancel-in-progress: false |
| 16 | + |
| 17 | +jobs: |
| 18 | + deploy: |
| 19 | + runs-on: ubuntu-latest |
| 20 | + environment: production |
| 21 | + steps: |
| 22 | + - name: Checkout |
| 23 | + uses: actions/checkout@v4 |
| 24 | + |
| 25 | + - name: Connect to Tailscale |
| 26 | + uses: tailscale/github-action@v3 |
| 27 | + with: |
| 28 | + oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }} |
| 29 | + oauth-secret: ${{ secrets.TS_OAUTH_SECRET }} |
| 30 | + # The tailnet ACL must allow `tag:ci` to SSH to the server's tag as |
| 31 | + # root with `action: accept` (not `check`, which needs interactivity). |
| 32 | + tags: tag:ci |
| 33 | + |
| 34 | + - name: Install Ansible |
| 35 | + run: pipx install --include-deps ansible |
| 36 | + |
| 37 | + - name: Write inventory |
| 38 | + run: | |
| 39 | + cat > ansible/inventory.ini <<EOF |
| 40 | + [dashtec] |
| 41 | + ${{ vars.DEPLOY_HOST || 'dashtec-host' }} ansible_user=root |
| 42 | + [dashtec:vars] |
| 43 | + ansible_python_interpreter=/usr/bin/python3 |
| 44 | + EOF |
| 45 | +
|
| 46 | + - name: Run Ansible |
| 47 | + working-directory: ansible |
| 48 | + run: ansible-playbook site.yml |
| 49 | + env: |
| 50 | + ANSIBLE_HOST_KEY_CHECKING: "False" |
| 51 | + # Per-network secrets injected into the committed config.json. |
| 52 | + MAINNET_ETHEREUM_RPC_URL: ${{ secrets.MAINNET_ETHEREUM_RPC_URL }} |
| 53 | + MAINNET_SENTINEL_PROXY_URL: ${{ secrets.MAINNET_SENTINEL_PROXY_URL }} |
| 54 | + MAINNET_SESSION_PASSWORD: ${{ secrets.MAINNET_SESSION_PASSWORD }} |
| 55 | + TESTNET_ETHEREUM_RPC_URL: ${{ secrets.TESTNET_ETHEREUM_RPC_URL }} |
| 56 | + TESTNET_SENTINEL_PROXY_URL: ${{ secrets.TESTNET_SENTINEL_PROXY_URL }} |
| 57 | + TESTNET_SESSION_PASSWORD: ${{ secrets.TESTNET_SESSION_PASSWORD }} |
| 58 | + # OAuth, shared across networks (one app each). IDs are public |
| 59 | + # (variables); secrets are sensitive. |
| 60 | + DISCORD_CLIENT_ID: ${{ vars.DISCORD_CLIENT_ID }} |
| 61 | + DISCORD_CLIENT_SECRET: ${{ secrets.DISCORD_CLIENT_SECRET }} |
| 62 | + X_CLIENT_ID: ${{ vars.X_CLIENT_ID }} |
| 63 | + X_CLIENT_SECRET: ${{ secrets.X_CLIENT_SECRET }} |
0 commit comments