setting: AWS 계정 이관 및 deploy.sh → Docker Compose 전환, Nginx HTTPS 적용 (#57)

Author: toychip

.github/workflows/cicd-release.yml

@@ -5,8 +5,13 @@ on:
     types:
       - published
 
+env:
+  AWS_REGION: ap-northeast-2
+  ECR_REGISTRY: 909176971481.dkr.ecr.ap-northeast-2.amazonaws.com
+  ECR_REPOSITORY: linktrip
+
 jobs:
-  build-and-push:
+  build-and-deploy:
     runs-on: ubuntu-latest
 
     steps:
@@ -29,37 +34,98 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-gradle-
 
+      - name: JAR 빌드
+        run: ./gradlew :linktrip-bootstrap:bootJar
+
       - name: AWS 자격 증명 설정
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: ap-northeast-2
+          aws-region: ${{ env.AWS_REGION }}
 
       - name: ECR 로그인
         id: ecr-login
         uses: aws-actions/amazon-ecr-login@v2
 
-      - name: ECR 비밀번호 발급
-        id: ecr-password
-        run: echo "password=$(aws ecr get-login-password --region ap-northeast-2)" >> $GITHUB_OUTPUT
+      - name: Docker 이미지 빌드 및 푸시
+        run: |
+          docker build -t ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:latest .
+          docker push ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:latest
 
-      - name: 이미지 빌드 및 푸쉬
+      - name: GCP credentials 파일 생성
         env:
-          ECR_REGISTRY: ${{ steps.ecr-login.outputs.registry }}
-          ECR_REPOSITORY: linktrip
-          ECR_PASSWORD: ${{ steps.ecr-password.outputs.password }}
-        run: |
-          ./gradlew :linktrip-bootstrap:bootBuildImage
+          GCP_CREDENTIALS_JSON: ${{ secrets.GCP_CREDENTIALS_JSON }}
+        run: echo "$GCP_CREDENTIALS_JSON" > gcp-credentials.json
 
-      - name: 서버 재시작 스크립트 실행
+      - name: 배포 파일 EC2에 전송
+        uses: appleboy/scp-action@master
+        with:
+          host: ${{ secrets.SERVER_HOST }}
+          username: ec2-user
+          key: ${{ secrets.SERVER_KEY }}
+          source: "docker/docker-compose.prod.yml,gcp-credentials.json"
+          target: "~/linktrip/"
+          strip_components: 0
+          overwrite: true
+
+      - name: EC2 파일 정리 및 배포
         uses: appleboy/ssh-action@master
+        env:
+          JWT_SECRET_KEY: ${{ secrets.JWT_SECRET_KEY }}
+          DISCORD_WEBHOOK_ERROR_URL: ${{ secrets.DISCORD_WEBHOOK_ERROR_URL }}
+          DISCORD_MENTION_USER_ID: ${{ secrets.DISCORD_MENTION_USER_ID }}
+          GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
+          YOUTUBE_API_KEY: ${{ secrets.YOUTUBE_API_KEY }}
         with:
           host: ${{ secrets.SERVER_HOST }}
-          username: ubuntu
+          username: ec2-user
           key: ${{ secrets.SERVER_KEY }}
+          envs: JWT_SECRET_KEY,DISCORD_WEBHOOK_ERROR_URL,DISCORD_MENTION_USER_ID,GCP_PROJECT_ID,YOUTUBE_API_KEY
           script: |
-            ./deploy.sh
+            set -e
+
+            DEPLOY_DIR=~/linktrip
+
+            # Docker Compose 플러그인 설치 (없으면)
+            if ! docker compose version > /dev/null 2>&1; then
+              sudo mkdir -p /usr/local/lib/docker/cli-plugins
+              sudo curl -SL https://github.com/docker/compose/releases/latest/download/docker-compose-linux-$(uname -m) -o /usr/local/lib/docker/cli-plugins/docker-compose
+              sudo chmod +x /usr/local/lib/docker/cli-plugins/docker-compose
+            fi
+
+            # ECR 로그인
+            aws ecr get-login-password --region ap-northeast-2 | docker login --username AWS --password-stdin 909176971481.dkr.ecr.ap-northeast-2.amazonaws.com
+
+            # SCP로 전송된 파일 정리 (strip_components=0이라 docker/ 폴더 안에 들어감)
+            mkdir -p $DEPLOY_DIR
+            mv -f $DEPLOY_DIR/docker/docker-compose.prod.yml $DEPLOY_DIR/docker-compose.prod.yml 2>/dev/null || true
+            rmdir $DEPLOY_DIR/docker 2>/dev/null || true
+            chmod 600 $DEPLOY_DIR/gcp-credentials.json
+
+            # .env 파일 생성
+            echo "JWT_SECRET_KEY=${JWT_SECRET_KEY}" > $DEPLOY_DIR/.env
+            echo "DISCORD_WEBHOOK_ERROR_URL=${DISCORD_WEBHOOK_ERROR_URL}" >> $DEPLOY_DIR/.env
+            echo "DISCORD_MENTION_USER_ID=${DISCORD_MENTION_USER_ID}" >> $DEPLOY_DIR/.env
+            echo "GCP_PROJECT_ID=${GCP_PROJECT_ID}" >> $DEPLOY_DIR/.env
+            echo "YOUTUBE_API_KEY=${YOUTUBE_API_KEY}" >> $DEPLOY_DIR/.env
+            chmod 600 $DEPLOY_DIR/.env
+
+            # 네트워크 생성 (없으면)
+            docker network create linktrip-network 2>/dev/null || true
+
+            # 기존 컨테이너 정리 (docker run으로 만든 잔여 컨테이너)
+            docker stop linktrip-app 2>/dev/null || true
+            docker rm linktrip-app 2>/dev/null || true
+
+            # docker-compose 배포
+            cd $DEPLOY_DIR
+            docker compose -f docker-compose.prod.yml pull app
+            docker compose -f docker-compose.prod.yml up -d --force-recreate
+            docker image prune -f
+
+            echo ">>> 배포 완료"
+            docker compose -f docker-compose.prod.yml ps
 
       - name: 디스코드 배포 알림
         if: success()

Dockerfile

@@ -0,0 +1,19 @@
+FROM eclipse-temurin:21-jre-alpine
+
+WORKDIR /app
+
+COPY linktrip-bootstrap/build/libs/*.jar app.jar
+
+ENV JAVA_OPTS="-XX:+UseG1GC \
+  -XX:+UseContainerSupport \
+  -Xms256m -Xmx384m \
+  -XX:ReservedCodeCacheSize=128m \
+  -XX:MaxMetaspaceSize=128m \
+  -XX:+HeapDumpOnOutOfMemoryError \
+  -XX:+ExitOnOutOfMemoryError \
+  -XX:+UseStringDeduplication \
+  -Dfile.encoding=UTF-8"
+
+EXPOSE 8080
+
+ENTRYPOINT ["sh", "-c", "java $JAVA_OPTS -jar app.jar"]

deploy.sh

@@ -12,12 +12,15 @@ services:
       --collation-server=utf8mb4_0900_ai_ci
       --default-time-zone=+09:00
     volumes:
-      - ./mysql/data:/var/lib/mysql
+      - mysql-data:/var/lib/mysql
     ports:
       - "3306:3306"
     networks:
       - linktrip-network
 
+volumes:
+  mysql-data:
+
 networks:
   linktrip-network:
     name: linktrip-network

docker/docker-compose.yml docker/docker-compose.mysql.ymldocker/docker-compose.yml renamed to docker/docker-compose.mysql.yml

@@ -0,0 +1,30 @@
+services:
+  nginx:
+    image: nginx:alpine
+    container_name: linktrip-nginx
+    restart: unless-stopped
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./nginx/nginx.conf:/etc/nginx/conf.d/default.conf:ro
+      - certbot-etc:/etc/letsencrypt:ro
+      - certbot-var:/var/www/certbot:ro
+    networks:
+      - linktrip-network
+
+  certbot:
+    image: certbot/certbot
+    container_name: linktrip-certbot
+    volumes:
+      - certbot-etc:/etc/letsencrypt
+      - certbot-var:/var/www/certbot
+
+volumes:
+  certbot-etc:
+  certbot-var:
+
+networks:
+  linktrip-network:
+    name: linktrip-network
+    external: true

docker/docker-compose.nginx.yml

@@ -0,0 +1,29 @@
+services:
+  app:
+    image: 909176971481.dkr.ecr.ap-northeast-2.amazonaws.com/linktrip:latest
+    container_name: linktrip-app
+    restart: unless-stopped
+    expose:
+      - "8080"
+    mem_limit: 1280m
+    environment:
+      - SPRING_PROFILES_ACTIVE=prod
+      - TZ=Asia/Seoul
+      - JWT_SECRET_KEY=${JWT_SECRET_KEY}
+      - JWT_EXPIRATION_MS=${JWT_EXPIRATION_MS:-86400000}
+      - DISCORD_WEBHOOK_ERROR_URL=${DISCORD_WEBHOOK_ERROR_URL}
+      - DISCORD_MENTION_USER_ID=${DISCORD_MENTION_USER_ID}
+      - GCP_PROJECT_ID=${GCP_PROJECT_ID}
+      - GCP_CREDENTIALS_PATH=/app/config/gcp-credentials.json
+      - GCP_VERTEX_AI_LOCATION=us-central1
+      - YOUTUBE_API_KEY=${YOUTUBE_API_KEY}
+    volumes:
+      - ./gcp-credentials.json:/app/config/gcp-credentials.json:ro
+      - /etc/localtime:/etc/localtime:ro
+    networks:
+      - linktrip-network
+
+networks:
+  linktrip-network:
+    name: linktrip-network
+    external: true

docker/docker-compose.prod.yml

@@ -0,0 +1,13 @@
+server {
+    listen 80;
+    server_name linktrip.cloud;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        return 200 'certbot challenge ready';
+        add_header Content-Type text/plain;
+    }
+}

docker/nginx/nginx-init.conf

@@ -0,0 +1,28 @@
+server {
+    listen 80;
+    server_name linktrip.cloud;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name linktrip.cloud;
+
+    ssl_certificate /etc/letsencrypt/live/linktrip.cloud/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/linktrip.cloud/privkey.pem;
+
+    location / {
+        proxy_pass http://linktrip-app:8080;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}

docker/nginx/nginx.conf

@@ -29,32 +29,12 @@ tasks {
     }
 
     getByName<org.springframework.boot.gradle.tasks.bundling.BootBuildImage>("bootBuildImage") {
-        imageName.set("${System.getenv("ECR_REGISTRY")}/${System.getenv("ECR_REPOSITORY")}")
+        imageName.set("${System.getenv("ECR_REGISTRY") ?: "linktrip"}/${System.getenv("ECR_REPOSITORY") ?: "linktrip"}")
         environment.set(
             mapOf(
                 "BP_JVM_VERSION" to "21",
-                "BPE_SPRING_PROFILES_ACTIVE" to "prod",
-                "BPE_JAVA_TOOL_OPTIONS" to
-                    buildString {
-                        append("-XX:+UseG1GC ")
-                        append("-XX:+UseContainerSupport ")
-                        append("-Xms512m -Xmx512m ")
-                        append("-XX:+HeapDumpOnOutOfMemoryError ")
-                        append("-XX:HeapDumpPath=/root/heapDump/%Y%m%d_%H%M%S.hprof ")
-                        append("-XX:+UseStringDeduplication ")
-                        append("-XX:+ExitOnOutOfMemoryError ")
-                        append("-Dfile.encoding=UTF-8")
-                    },
             ),
         )
-        docker {
-            publishRegistry {
-                url.set(System.getenv("ECR_REGISTRY"))
-                username.set("AWS")
-                password.set(System.getenv("ECR_PASSWORD") ?: "")
-            }
-        }
-        publish.set(true)
     }
 }