#!/usr/bin/env bash # deploy.sh — idempotent deploy script for hp-prod-tracker # Idempotent — safe to run multiple times (initial deploy or update) # Run as normal user; uses sudo internally for apt/apache/ufw set -euo pipefail # ── Colours ────────────────────────────────────────────────────────────────── RED='\033[0;31m'; YELLOW='\033[1;33m'; GREEN='\033[0;32m'; NC='\033[0m' info() { echo -e "${GREEN}[deploy]${NC} $*"; } warn() { echo -e "${YELLOW}[warn]${NC} $*"; } error() { echo -e "${RED}[error]${NC} $*" >&2; } # ── Args ───────────────────────────────────────────────────────────────────── SKIP_PULL=false for arg in "$@"; do [[ "$arg" == "--skip-pull" ]] && SKIP_PULL=true; done SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" cd "$SCRIPT_DIR" APP_PORT=3001 # ── Sudo check ─────────────────────────────────────────────────────────────── if ! sudo -n true 2>/dev/null; then warn "This script needs sudo for apt/apache/ufw — you may be prompted for your password." fi # ───────────────────────────────────────────────────────────────────────────── # STEP 1: Prerequisites # ───────────────────────────────────────────────────────────────────────────── info "Step 1: Checking prerequisites..." install_if_missing() { local cmd=$1 pkg=${2:-$1} if ! command -v "$cmd" &>/dev/null; then info " Installing $pkg..." sudo apt-get install -y "$pkg" -qq else info " $cmd: OK" fi } sudo apt-get update -qq install_if_missing docker docker.io install_if_missing git git install_if_missing curl curl install_if_missing ufw ufw if ! docker compose version &>/dev/null 2>&1; then info " Installing docker-compose-plugin..." sudo apt-get install -y docker-compose-plugin -qq fi if ! command -v apache2 &>/dev/null; then info " Installing apache2..." sudo apt-get install -y apache2 -qq fi info " Enabling Apache modules..." sudo a2enmod proxy proxy_http proxy_wstunnel headers rewrite -q # Ensure current user can run docker without sudo if ! groups | grep -q docker; then sudo usermod -aG docker "$USER" warn "Added $USER to docker group — you may need to re-login for this to take effect" fi # ───────────────────────────────────────────────────────────────────────────── # STEP 2: Pull latest code # ───────────────────────────────────────────────────────────────────────────── info "Step 2: Pulling latest code..." if [[ "$SKIP_PULL" == true ]]; then warn " Skipping git pull (--skip-pull)" else # Switch to SSH remote if still on HTTPS (avoids credential prompts) current_remote=$(git remote get-url origin 2>/dev/null || true) if [[ "$current_remote" == https://* ]]; then ssh_remote=$(echo "$current_remote" \ | sed 's|https://bitbucket.org/|git@bitbucket.org:|' \ | sed 's|\.git$||') git remote set-url origin "${ssh_remote}.git" info " Switched remote to SSH: $(git remote get-url origin)" fi git fetch origin LOCAL=$(git rev-parse HEAD) REMOTE=$(git rev-parse @{u} 2>/dev/null || echo "") if [[ "$LOCAL" == "$REMOTE" ]]; then info " Already up to date ($(git rev-parse --short HEAD))" else git pull --ff-only || { error "git pull failed — resolve conflicts manually then re-run"; exit 1; } info " Updated to $(git rev-parse --short HEAD) — $(git log -1 --pretty=%s)" fi fi # ───────────────────────────────────────────────────────────────────────────── # STEP 3: Environment file # ───────────────────────────────────────────────────────────────────────────── info "Step 3: Checking .env..." if [[ ! -f .env ]]; then if [[ -f .env.example ]]; then cp .env.example .env warn " .env was missing — copied from .env.example" warn " Edit .env with real secrets before continuing (Ctrl-C to abort)" read -rp " Press Enter to continue or Ctrl-C to abort..." else error " .env and .env.example both missing — cannot continue" exit 1 fi fi # Warn on unset critical vars for var in AUTH_SECRET AZURE_CLIENT_ID AZURE_TENANT_ID AZURE_REDIRECT_URI DB_PASSWORD; do val=$(grep -E "^${var}=" .env | cut -d= -f2- | tr -d '"' || true) [[ -z "$val" ]] && warn " WARNING: $var is not set in .env" done info " .env OK" # ───────────────────────────────────────────────────────────────────────────── # STEP 4: Build and start Docker containers # ───────────────────────────────────────────────────────────────────────────── info "Step 4: Building and starting containers..." docker compose down --remove-orphans docker compose up -d --build # ───────────────────────────────────────────────────────────────────────────── # STEP 5: Wait for Postgres # ───────────────────────────────────────────────────────────────────────────── info "Step 5: Waiting for Postgres..." MAX_WAIT=30 for i in $(seq 1 $MAX_WAIT); do if docker compose exec -T db pg_isready -U postgres &>/dev/null; then info " Postgres ready (${i}s)" break fi if [[ $i -eq $MAX_WAIT ]]; then error " Postgres did not become ready within ${MAX_WAIT}s" docker compose logs db --tail 20 exit 1 fi sleep 1 done # ───────────────────────────────────────────────────────────────────────────── # STEP 6: Wait for app health check # ───────────────────────────────────────────────────────────────────────────── info "Step 6: Waiting for app to be healthy (Prisma migrations run on startup)..." HEALTH_URL="http://localhost:${APP_PORT}/hp-prod-tracker/api/health" for i in $(seq 1 40); do if curl -sf "$HEALTH_URL" &>/dev/null; then info " App healthy (${i}s)" break fi if [[ $i -eq 40 ]]; then error " App did not become healthy within 120s" error " Check logs: docker compose logs app --tail 50" docker compose logs app --tail 30 exit 1 fi echo -n "." sleep 3 done echo "" # ───────────────────────────────────────────────────────────────────────────── # STEP 7: Apache — add Include if not already present # ───────────────────────────────────────────────────────────────────────────── info "Step 7: Configuring Apache..." APACHE_CONF="/etc/apache2/sites-available/optical-dev.oliver.solutions.conf" APACHE_SNIPPET="$SCRIPT_DIR/apache/hp-prod-tracker.conf" INCLUDE_LINE=" Include $APACHE_SNIPPET" if [[ ! -f "$APACHE_CONF" ]]; then warn " $APACHE_CONF not found — skipping (add manually: $INCLUDE_LINE)" elif grep -qF "$APACHE_SNIPPET" "$APACHE_CONF"; then info " Include already present — skipping" else # Remove the old manually-added inline block before inserting the canonical Include sudo sed -i '/# .*HP-PROD-TRACKER\|HP-PROD-TRACKER.*3001/d' "$APACHE_CONF" sudo sed -i '/ProxyPass[[:space:]].*hp-prod-tracker/d' "$APACHE_CONF" sudo sed -i '/ProxyPassReverse[[:space:]].*hp-prod-tracker/d' "$APACHE_CONF" # Insert Include before sudo sed -i "s||$INCLUDE_LINE\n|" "$APACHE_CONF" info " Added: $INCLUDE_LINE" sudo apache2ctl configtest 2>&1 | grep -q "Syntax OK" \ || { error "Apache config test failed — check $APACHE_CONF"; sudo apache2ctl configtest; exit 1; } sudo systemctl reload apache2 info " Apache reloaded OK" fi # ───────────────────────────────────────────────────────────────────────────── # STEP 8: UFW Firewall # ───────────────────────────────────────────────────────────────────────────── info "Step 8: Configuring UFW firewall..." sudo ufw default deny incoming 2>/dev/null || true sudo ufw default allow outgoing 2>/dev/null || true sudo ufw allow 22/tcp sudo ufw allow 80/tcp sudo ufw --force enable info " UFW enabled (22/tcp, 80/tcp allowed)" # ───────────────────────────────────────────────────────────────────────────── # Done # ───────────────────────────────────────────────────────────────────────────── echo "" docker compose ps echo "" info "Deploy complete!" info " Commit : $(git rev-parse --short HEAD) — $(git log -1 --pretty=%s)" info " App : https://optical-dev.oliver.solutions/hp-prod-tracker" info " Logs : docker compose logs -f app"