domverse/crowdsec-admin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ci: migrate to Portainer Git stack + registry-pushed image
Some checks failed
Deploy / deploy (push) Failing after 24s
Details

Browse Source 
- Compose: build → image:latest from Gitea registry (ci namespace)
- Workflow: build + push image + POST Portainer webhook (vs. host docker compose up)
- Drop transient .env write — secrets now live in Portainer stack Env
- Add crowdsec@file middleware (defense-in-depth project rule)

Repo secrets required: REGISTRY_TOKEN, PORTAINER_WEBHOOK_URL.
Rollback branch: pre-portainer-migration.
This commit is contained in:
domverse
2026-06-20 12:16:56 +02:00
parent ff8ed3428f
commit 3f1d2341ce
2 changed files with 17 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
.gitea/workflows/deploy.yml
View File

@@ -1,21 +1,13 @@
# ────────────────────────────────────────────────────────────────────────────── # ──────────────────────────────────────────────────────────────────────────────
# CrowdSec Admin — Gitea Actions CI/CD # CrowdSec Admin — Gitea Actions CI/CD
# #
# Triggers on push to main. Runner builds image + brings stack up via docker # Build image, push to Gitea registry, trigger Portainer redeploy via webhook.
# compose on the host. Image stays local (no registry push), same pattern as # Stack itself is managed by Portainer (type=git). Env vars (LAPI creds) live
# flight-radar. # in the Portainer stack — NOT in repo secrets — so rotation is one place.
# #
# PREREQUISITES (one-time): # Repo secrets required:
# 1. Host LAPI machine registered (for DELETE auth): # REGISTRY_TOKEN token for ci user, scope write:package
# sudo cscli machines add crowdsec-admin --password '<PW>' -f - # PORTAINER_WEBHOOK_URL POST URL from Portainer stack auto-update setting
# 2. Host LAPI bouncer registered (for GET auth):
# sudo cscli bouncers add crowdsec-admin
# 3. Repo secrets set in Gitea → Settings → Secrets:
# LAPI_MACHINE_ID=crowdsec-admin
# LAPI_MACHINE_PASSWORD=<PW>
# LAPI_BOUNCER_KEY=<bouncer key from step 2>
# 4. DNS: crowdsec.domverse-berlin.eu → host IP.
# 5. Authentik wildcard forward_domain already covers *.domverse-berlin.eu.
# ────────────────────────────────────────────────────────────────────────────── # ──────────────────────────────────────────────────────────────────────────────
name: Deploy name: Deploy
@@ -27,8 +19,7 @@ on:
workflow_dispatch: workflow_dispatch:
env: env:
COMPOSE_PROJECT: crowdsec-admin IMAGE: git.domverse-berlin.eu/ci/crowdsec-admin/app
COMPOSE_FILE: docker-compose.yml
jobs: jobs:
deploy: deploy:
@@ -37,25 +28,18 @@ jobs:
- name: Checkout - name: Checkout
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Write .env for compose - name: Login to Gitea registry
run: | run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login git.domverse-berlin.eu -u ci --password-stdin
cat > .env <<EOF
LAPI_MACHINE_ID=${{ secrets.LAPI_MACHINE_ID }}
LAPI_MACHINE_PASSWORD=${{ secrets.LAPI_MACHINE_PASSWORD }}
LAPI_BOUNCER_KEY=${{ secrets.LAPI_BOUNCER_KEY }}
EOF
chmod 600 .env
- name: Deploy with docker compose - name: Build and push
run: | run: |
echo "=== Deploying commit ${{ gitea.sha }} to ${{ gitea.ref_name }} ===" docker build -t "$IMAGE:latest" -t "$IMAGE:${{ gitea.sha }}" ./app
docker compose -f "$COMPOSE_FILE" -p "$COMPOSE_PROJECT" up --build -d --remove-orphans docker push "$IMAGE:latest"
docker push "$IMAGE:${{ gitea.sha }}"
- name: Show health - name: Trigger Portainer redeploy
run: | run: |
sleep 3 curl -sk -X POST --fail "${{ secrets.PORTAINER_WEBHOOK_URL }}"
docker compose -f "$COMPOSE_FILE" -p "$COMPOSE_PROJECT" ps
docker exec "$COMPOSE_PROJECT" python -c "import urllib.request; print(urllib.request.urlopen('http://127.0.0.1:8000/healthz', timeout=3).read().decode())" || true
- name: Prune dangling images - name: Prune dangling images
run: docker image prune -f run: docker image prune -f

6
docker-compose.yml
View File

@@ -1,8 +1,6 @@
services: services:
crowdsec-admin: crowdsec-admin:
build: image: git.domverse-berlin.eu/ci/crowdsec-admin/app:${TAG:-latest}
context: ./app
image: crowdsec-admin:local
container_name: crowdsec-admin container_name: crowdsec-admin
restart: unless-stopped restart: unless-stopped
networks: networks:
@@ -21,7 +19,7 @@ services:
- "traefik.http.routers.crowdsec-admin.rule=Host(`crowdsec.domverse-berlin.eu`)" - "traefik.http.routers.crowdsec-admin.rule=Host(`crowdsec.domverse-berlin.eu`)"
- "traefik.http.routers.crowdsec-admin.entrypoints=https" - "traefik.http.routers.crowdsec-admin.entrypoints=https"
- "traefik.http.routers.crowdsec-admin.tls.certresolver=http" - "traefik.http.routers.crowdsec-admin.tls.certresolver=http"
- "traefik.http.routers.crowdsec-admin.middlewares=authentik@docker" - "traefik.http.routers.crowdsec-admin.middlewares=crowdsec@file,authentik@docker"
- "traefik.http.services.crowdsec-admin.loadbalancer.server.port=8000" - "traefik.http.services.crowdsec-admin.loadbalancer.server.port=8000"
- "kuma.crowdsec-admin.http.name=CrowdSec Admin" - "kuma.crowdsec-admin.http.name=CrowdSec Admin"