ci: migrate to Portainer Git stack + registry-pushed image

- Compose: build → image (Gitea registry ci namespace); ./data → named volume pngx-data - Workflow: build + push image + POST Portainer webhook (3-attempt retry on transient lease error) - Drop transient .env file; secrets via Portainer stack Env - Drop auto-version-bump commit-back (image SHA tag is the rollback handle) - Add crowdsec@file to middlewares chain (defense-in-depth) Repo secrets required: REGISTRY_TOKEN, PORTAINER_WEBHOOK_URL. Rollback branch: pre-portainer-migration.
2026-06-20 12:24:00 +02:00
parent b29e332011
commit 23c68f6382
2 changed files with 31 additions and 46 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -26,28 +26,29 @@ services:
      - "traefik.http.routers.pngx-controller.rule=Host(`pngx.domverse-berlin.eu`)"
      - "traefik.http.routers.pngx-controller.entrypoints=https"
      - "traefik.http.routers.pngx-controller.tls.certresolver=http"
-      - "traefik.http.routers.pngx-controller.middlewares=authentik@docker"
+      - "traefik.http.routers.pngx-controller.middlewares=crowdsec@file,authentik@docker"
      - "traefik.http.services.pngx-controller.loadbalancer.server.port=8000"

  pngx-controller:
-    build:
-      context: .
-      args:
-        APP_VERSION: ${APP_VERSION:-dev}
+    image: git.domverse-berlin.eu/ci/pngx-sync/app:${TAG:-latest}
    container_name: pngx-controller
    restart: unless-stopped
    depends_on:
      - pngx-controller-ts
    network_mode: "service:pngx-controller-ts"
-    env_file: .env
    environment:
      DATABASE_URL: sqlite:////data/db.sqlite3
+      SECRET_KEY: ${SECRET_KEY}
+      MASTER_URL: ${MASTER_URL}
+      MASTER_TOKEN: ${MASTER_TOKEN}
    volumes:
-      - ./data:/data
+      - pngx-data:/data

 volumes:
  tailscale-state:
    driver: local
+  pngx-data:
+    driver: local

 networks:
  default: {}