# 07 — Deploy Pipeline Update (Test) ## Context - **File:** `.gitea/workflows/deploy-test.yml` - Changes: 1. Remove manual `scp STAR.iklim.co.full.crt` steps (SWAG now owns cert lifecycle). 2. Add SWAG host directories preparation (dns-conf, nginx proxy-confs). 3. Add cert bootstrap step: on first deploy, wait for SWAG to obtain cert, then copy to `/opt/iklimco/ssl/` so Vault can start. 4. Ensure `GODADDY_KEY` and `GODADDY_SECRET` are available from `.env.secrets.swag`. ## Step 1 — Update `Initialize Servers` step **Remove** the two `scp` lines that copy the TLS cert files: ```yaml # DELETE these two lines from the "Initialize Servers" step: scp -P 23 ${{ vars.STORAGEBOX_USER }}@${{ vars.STORAGEBOX_USER }}.your-storagebox.de:test/app/iklim.co/ssl/STAR.iklim.co.full.crt ./STAR.iklim.co.full.crt scp -P 23 ${{ vars.STORAGEBOX_USER }}@${{ vars.STORAGEBOX_USER }}.your-storagebox.de:test/app/iklim.co/ssl/STAR.iklim.co_key.txt ./STAR.iklim.co_key.txt ``` Also remove any references to `STAR.iklim.co.full.crt` and `STAR.iklim.co_key.txt` in the `Prepare Init Files` step's `sudo cp` commands: ```yaml # DELETE or make conditional: sudo cp STAR.iklim.co.full.crt STAR.iklim.co_key.txt /opt/iklimco/ssl/ 2>/dev/null || true ``` ## Step 2 — Add `Prepare SWAG Directories` step Insert this step **before** `Deploy Swarm Stack`: ```yaml - name: Prepare SWAG Directories run: | set -a; . ./.env; . ./.env.secrets.swag; set +a # GoDaddy credentials file sudo mkdir -p /opt/iklimco/swag/dns-conf envsubst < swag/dns-conf/godaddy.ini.tpl | sudo tee /opt/iklimco/swag/dns-conf/godaddy.ini > /dev/null sudo chmod 600 /opt/iklimco/swag/dns-conf/godaddy.ini echo "✅ godaddy.ini written" # Nginx proxy conf files sudo mkdir -p /opt/iklimco/swag/proxy-confs /opt/iklimco/swag/site-confs export RESTRICTED_IP_1="78.187.87.109" export RESTRICTED_IP_2="95.70.151.248" for tpl in swag/proxy-confs/*.conf.tpl; do out="/opt/iklimco/swag/proxy-confs/$(basename "${tpl%.tpl}")" envsubst < "$tpl" | sudo tee "$out" > /dev/null echo "✅ $out" done sudo cp swag/site-confs/default.conf /opt/iklimco/swag/site-confs/default.conf echo "✅ SWAG directories ready" working-directory: /workspace/iklim.co ``` > `GODADDY_KEY` and `GODADDY_SECRET` must be present in `.env.secrets.swag` (see step 02). > `API_SUBDOMAIN`, `APIGW_SUBDOMAIN`, etc. must be in `.env` (see step 04). ## Step 3 — Add `Bootstrap SWAG Certificate` step Insert this step **after** `Deploy Swarm Stack` and **before** any step that depends on Vault being accessible (e.g., `Provision Vault AppRole IDs`): ```yaml - name: Bootstrap SWAG Certificate run: | echo "Waiting for SWAG container to start..." SWAG_CTR="" for i in $(seq 1 24); do SWAG_CTR=$(docker ps -q -f name=iklimco_swag 2>/dev/null | head -1) [ -n "$SWAG_CTR" ] && break sleep 10 done if [ -z "$SWAG_CTR" ]; then echo "❌ SWAG container did not start in time" exit 1 fi CERT_PATH="/config/etc/letsencrypt/live/iklim.co/fullchain.pem" echo "Waiting for SWAG to obtain Let's Encrypt cert (up to 10 min)..." for i in $(seq 1 20); do if docker exec "$SWAG_CTR" test -f "$CERT_PATH" 2>/dev/null; then echo "✅ Cert obtained by SWAG" break fi echo " attempt $i/20 — waiting 30s..." sleep 30 done if ! docker exec "$SWAG_CTR" test -f "$CERT_PATH" 2>/dev/null; then echo "❌ SWAG did not obtain cert in time. Check logs:" docker service logs iklimco_swag --tail 50 exit 1 fi # Copy cert to host for Vault bootstrap sudo mkdir -p /opt/iklimco/ssl docker exec "$SWAG_CTR" cat "$CERT_PATH" | \ sudo tee /opt/iklimco/ssl/STAR.iklim.co.full.crt > /dev/null docker exec "$SWAG_CTR" cat "/config/etc/letsencrypt/live/iklim.co/privkey.pem" | \ sudo tee /opt/iklimco/ssl/STAR.iklim.co_key.txt > /dev/null echo "✅ Cert bootstrapped to /opt/iklimco/ssl/" working-directory: /workspace/iklim.co ``` > **First deploy only:** SWAG contacts Let's Encrypt via GoDaddy DNS challenge. > This step waits up to 10 minutes. On subsequent deploys the cert is already in > `swag-vl` (persisted volume) and SWAG starts immediately — wait loop exits fast. ## Step 4 — Re-order steps Final step order in the pipeline: 1. Checkout Branch 2. Prepare Folders 3. Set up SSH Key 4. Update Apt / Install Tools 5. Fetch Service Secret Files 6. Initialize Servers 7. Upload Updated Secrets to Storagebox 8. Provision Vault AppRole IDs and Docker Secrets 9. Upload Updated Env to Storagebox 10. Prepare Init Files ← `sudo cp STAR.iklim.co.*.crt` lines removed 11. Initialize Docker Swarm 12. Stop Docker Compose Services 13. Docker Login to Harbor 14. **Prepare SWAG Directories** ← NEW 15. Deploy Swarm Stack 16. **Bootstrap SWAG Certificate** ← NEW 17. Review Environment > Steps 8 (Provision Vault) runs before SWAG because it creates Docker secrets and > AppRole IDs — Vault must be reachable for this. On re-deploys, Vault is already > running with the previous cert. On first deploy, step 16 handles the cert wait before > any further Vault interaction is needed post-deploy. > > If Vault provisioning (step 8) fails on first deploy because Vault has no cert yet, > move step 16 before step 8. Adjust based on observed behavior. ## Notes - `.env` must contain the subdomain env vars added in step 04. Add them to storagebox `test/secrets/iklim.co/.env` before the first deploy. - `RESTRICTED_IP_1` and `RESTRICTED_IP_2` are hardcoded in the pipeline step above. Move to `.env` if they change often.