Oliver/hp-prod-tracker
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
hp-prod-tracker/deploy.sh
Vadym Samoilenko 250796dd0c Replace Auth.js OAuth with MSAL.js SPA browser flow 
- Token exchange now happens entirely in the browser via @azure/msal-browser
  (PKCE, no client_secret — correct for Azure SPA registrations)
- Browser stays on /hp-prod-tracker/login throughout; the /api/auth/callback
  URL never appears in the address bar
- New /api/auth/sso route validates the id_token (jose + Azure JWKS),
  creates User/Account/Session in Prisma, and sets the authjs session cookie
- Auth.js retained only for session reading (auth()) and signOut()
- Fix dev bypass safety gate: use NODE_ENV !== production instead of
  absence of AUTH_MICROSOFT_ENTRA_ID_SECRET
- Rename env vars: AUTH_MICROSOFT_ENTRA_ID_ID → AZURE_CLIENT_ID,
  AUTH_MICROSOFT_ENTRA_ID_TENANT_ID → AZURE_TENANT_ID, remove AUTH_URL
- Remove /api/auth Apache proxy rule (no longer needed)
- Delete OAuthRelay.tsx, add MsalLogin.tsx

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-16 18:49:43 +01:00

221 lines
11 KiB
Bash
Raw Permalink Blame History

#!/usr/bin/env bash
# deploy.sh — idempotent deploy script for hp-prod-tracker
# Idempotent — safe to run multiple times (initial deploy or update)
# Run as normal user; uses sudo internally for apt/apache/ufw
set -euo pipefail
# ── Colours ──────────────────────────────────────────────────────────────────
RED='\033[0;31m'; YELLOW='\033[1;33m'; GREEN='\033[0;32m'; NC='\033[0m'
info() { echo -e "${GREEN}[deploy]${NC} $*"; }
warn() { echo -e "${YELLOW}[warn]${NC} $*"; }
error() { echo -e "${RED}[error]${NC} $*" >&2; }
# ── Args ─────────────────────────────────────────────────────────────────────
SKIP_PULL=false
for arg in "$@"; do [[ "$arg" == "--skip-pull" ]] && SKIP_PULL=true; done
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
cd "$SCRIPT_DIR"
APP_PORT=3001
# ── Sudo check ───────────────────────────────────────────────────────────────
if ! sudo -n true 2>/dev/null; then
warn "This script needs sudo for apt/apache/ufw — you may be prompted for your password."
fi
# ─────────────────────────────────────────────────────────────────────────────
# STEP 1: Prerequisites
# ─────────────────────────────────────────────────────────────────────────────
info "Step 1: Checking prerequisites..."
install_if_missing() {
local cmd=$1 pkg=${2:-$1}
if ! command -v "$cmd" &>/dev/null; then
info " Installing $pkg..."
sudo apt-get install -y "$pkg" -qq
else
info " $cmd: OK"
fi
}
sudo apt-get update -qq
install_if_missing docker docker.io
install_if_missing git git
install_if_missing curl curl
install_if_missing ufw ufw
if ! docker compose version &>/dev/null 2>&1; then
info " Installing docker-compose-plugin..."
sudo apt-get install -y docker-compose-plugin -qq
fi
if ! command -v apache2 &>/dev/null; then
info " Installing apache2..."
sudo apt-get install -y apache2 -qq
fi
info " Enabling Apache modules..."
sudo a2enmod proxy proxy_http proxy_wstunnel headers rewrite -q
# Ensure current user can run docker without sudo
if ! groups | grep -q docker; then
sudo usermod -aG docker "$USER"
warn "Added $USER to docker group — you may need to re-login for this to take effect"
fi
# ─────────────────────────────────────────────────────────────────────────────
# STEP 2: Pull latest code
# ─────────────────────────────────────────────────────────────────────────────
info "Step 2: Pulling latest code..."
if [[ "$SKIP_PULL" == true ]]; then
warn " Skipping git pull (--skip-pull)"
else
# Switch to SSH remote if still on HTTPS (avoids credential prompts)
current_remote=$(git remote get-url origin 2>/dev/null || true)
if [[ "$current_remote" == https://* ]]; then
ssh_remote=$(echo "$current_remote" \
| sed 's|https://bitbucket.org/|git@bitbucket.org:|' \
| sed 's|\.git$||')
git remote set-url origin "${ssh_remote}.git"
info " Switched remote to SSH: $(git remote get-url origin)"
fi
git fetch origin
LOCAL=$(git rev-parse HEAD)
REMOTE=$(git rev-parse @{u} 2>/dev/null || echo "")
if [[ "$LOCAL" == "$REMOTE" ]]; then
info " Already up to date ($(git rev-parse --short HEAD))"
else
git pull --ff-only || { error "git pull failed — resolve conflicts manually then re-run"; exit 1; }
info " Updated to $(git rev-parse --short HEAD)$(git log -1 --pretty=%s)"
fi
fi
# ─────────────────────────────────────────────────────────────────────────────
# STEP 3: Environment file
# ─────────────────────────────────────────────────────────────────────────────
info "Step 3: Checking .env..."
if [[ ! -f .env ]]; then
if [[ -f .env.example ]]; then
cp .env.example .env
warn " .env was missing — copied from .env.example"
warn " Edit .env with real secrets before continuing (Ctrl-C to abort)"
read -rp " Press Enter to continue or Ctrl-C to abort..."
else
error " .env and .env.example both missing — cannot continue"
exit 1
fi
fi
# Warn on unset critical vars
for var in AUTH_SECRET AZURE_CLIENT_ID AZURE_TENANT_ID AZURE_REDIRECT_URI DB_PASSWORD; do
val=$(grep -E "^${var}=" .env | cut -d= -f2- | tr -d '"' || true)
[[ -z "$val" ]] && warn " WARNING: $var is not set in .env"
done
info " .env OK"
# ─────────────────────────────────────────────────────────────────────────────
# STEP 4: Build and start Docker containers
# ─────────────────────────────────────────────────────────────────────────────
info "Step 4: Building and starting containers..."
docker compose down --remove-orphans
docker compose up -d --build
# ─────────────────────────────────────────────────────────────────────────────
# STEP 5: Wait for Postgres
# ─────────────────────────────────────────────────────────────────────────────
info "Step 5: Waiting for Postgres..."
MAX_WAIT=30
for i in $(seq 1 $MAX_WAIT); do
if docker compose exec -T db pg_isready -U postgres &>/dev/null; then
info " Postgres ready (${i}s)"
break
fi
if [[ $i -eq $MAX_WAIT ]]; then
error " Postgres did not become ready within ${MAX_WAIT}s"
docker compose logs db --tail 20
exit 1
fi
sleep 1
done
# ─────────────────────────────────────────────────────────────────────────────
# STEP 6: Wait for app health check
# ─────────────────────────────────────────────────────────────────────────────
info "Step 6: Waiting for app to be healthy (Prisma migrations run on startup)..."
HEALTH_URL="http://localhost:${APP_PORT}/hp-prod-tracker/api/health"
for i in $(seq 1 40); do
if curl -sf "$HEALTH_URL" &>/dev/null; then
info " App healthy (${i}s)"
break
fi
if [[ $i -eq 40 ]]; then
error " App did not become healthy within 120s"
error " Check logs: docker compose logs app --tail 50"
docker compose logs app --tail 30
exit 1
fi
echo -n "."
sleep 3
done
echo ""
# ─────────────────────────────────────────────────────────────────────────────
# STEP 7: Apache — add Include if not already present
# ─────────────────────────────────────────────────────────────────────────────
info "Step 7: Configuring Apache..."
APACHE_CONF="/etc/apache2/sites-available/optical-dev.oliver.solutions.conf"
APACHE_SNIPPET="$SCRIPT_DIR/apache/hp-prod-tracker.conf"
INCLUDE_LINE=" Include $APACHE_SNIPPET"
if [[ ! -f "$APACHE_CONF" ]]; then
warn " $APACHE_CONF not found — skipping (add manually: $INCLUDE_LINE)"
elif grep -qF "$APACHE_SNIPPET" "$APACHE_CONF"; then
info " Include already present — skipping"
else
# Remove the old manually-added inline block before inserting the canonical Include
sudo sed -i '/# .*HP-PROD-TRACKER\|HP-PROD-TRACKER.*3001/d' "$APACHE_CONF"
sudo sed -i '/ProxyPass[[:space:]].*hp-prod-tracker/d' "$APACHE_CONF"
sudo sed -i '/ProxyPassReverse[[:space:]].*hp-prod-tracker/d' "$APACHE_CONF"
# Insert Include before </VirtualHost>
sudo sed -i "s|</VirtualHost>|$INCLUDE_LINE\n</VirtualHost>|" "$APACHE_CONF"
info " Added: $INCLUDE_LINE"
sudo apache2ctl configtest 2>&1 | grep -q "Syntax OK" \
|| { error "Apache config test failed — check $APACHE_CONF"; sudo apache2ctl configtest; exit 1; }
sudo systemctl reload apache2
info " Apache reloaded OK"
fi
# ─────────────────────────────────────────────────────────────────────────────
# STEP 8: UFW Firewall
# ─────────────────────────────────────────────────────────────────────────────
info "Step 8: Configuring UFW firewall..."
sudo ufw default deny incoming 2>/dev/null || true
sudo ufw default allow outgoing 2>/dev/null || true
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw --force enable
info " UFW enabled (22/tcp, 80/tcp allowed)"
# ─────────────────────────────────────────────────────────────────────────────
# Done
# ─────────────────────────────────────────────────────────────────────────────
echo ""
docker compose ps
echo ""
info "Deploy complete!"
info " Commit : $(git rev-parse --short HEAD)$(git log -1 --pretty=%s)"
info " App : https://optical-dev.oliver.solutions/hp-prod-tracker"
info " Logs : docker compose logs -f app"
Reference in a new issue View git blame Copy permalink