feat(deploy): CI/CD Gitea Actions + stack Docker prod pour xip.kerboul.me
Some checks failed
Deploy XIP / deploy (push) Failing after 21s
Some checks failed
Deploy XIP / deploy (push) Failing after 21s
- docker-compose.prod.yml: postgres + redis + backend (bun) + web (nginx single-origin) - backend/Dockerfile + entrypoint: prisma migrate deploy + seed idempotent au boot - frontend/Dockerfile: build Vite (VITE_API_URL=https://xip.kerboul.me) servi par nginx - deploy/nginx.conf: proxy /api + /ws vers le backend, SPA fallback - .gitea/workflows/deploy.yml: auto-deploy SSH sur push main (runner CT121 -> CT502) - scripts/deploy.sh: pull + rebuild de la stack - mode open-bar (XIP_OPEN_BAR): paywall off pour tous en prod, via isFree() centralise Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Kerboul
22
backend/Dockerfile
Normal file
22
backend/Dockerfile
Normal file
@@ -0,0 +1,22 @@
|
||||
# XIP backend — Bun + Hono + Prisma.
|
||||
# Build context is the repo ROOT (see docker-compose.prod.yml) so we can copy backend/.
|
||||
FROM oven/bun:1-debian AS deps
|
||||
WORKDIR /app
|
||||
COPY backend/package.json ./
|
||||
RUN bun install
|
||||
|
||||
FROM oven/bun:1-debian AS runtime
|
||||
WORKDIR /app
|
||||
ENV NODE_ENV=production
|
||||
# Prisma's query engine needs openssl + CA certs (generate downloads it over HTTPS).
|
||||
RUN apt-get update \
|
||||
&& apt-get install -y --no-install-recommends openssl ca-certificates \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
COPY --from=deps /app/node_modules ./node_modules
|
||||
COPY backend/ ./
|
||||
# Generate the Prisma client from the schema (no DB connection required).
|
||||
RUN bunx prisma generate \
|
||||
&& chmod +x docker-entrypoint.sh
|
||||
EXPOSE 3000
|
||||
# Entrypoint applies migrations + seeds (idempotent) then starts the server.
|
||||
ENTRYPOINT ["/app/docker-entrypoint.sh"]
|
||||
14
backend/docker-entrypoint.sh
Normal file
14
backend/docker-entrypoint.sh
Normal file
@@ -0,0 +1,14 @@
|
||||
#!/bin/sh
|
||||
# Startup sequence for the XIP backend container.
|
||||
# Runs on every (re)start so new migrations land automatically on deploy.
|
||||
set -e
|
||||
cd /app
|
||||
|
||||
echo "[xip] Applying database migrations (prisma migrate deploy)…"
|
||||
bunx prisma migrate deploy
|
||||
|
||||
echo "[xip] Seeding catalogue + ads (idempotent upserts)…"
|
||||
bun run prisma/seed.ts || echo "[xip] seed step failed (non-fatal) — continuing"
|
||||
|
||||
echo "[xip] Starting backend on :${PORT:-3000}…"
|
||||
exec bun run src/index.ts
|
||||
@@ -1,6 +1,6 @@
|
||||
import { prisma } from "./prisma";
|
||||
import { spend, getWallet, InsufficientCreditsError } from "./wallet";
|
||||
import { isLocalhost } from "./ip";
|
||||
import { isFree } from "./ip";
|
||||
import { invalidatePerks, getPerksForIp } from "./perks";
|
||||
|
||||
/**
|
||||
@@ -105,7 +105,7 @@ export async function purchase(
|
||||
const product = await getProduct(productId);
|
||||
if (!product || !product.active) throw new PurchaseError("Produit introuvable", 404);
|
||||
|
||||
const free = isLocalhost(ip);
|
||||
const free = isFree(ip);
|
||||
const price = effectivePrice(product, options);
|
||||
|
||||
// Resolve which entitlement kind(s) this grants + per-IP limit checks.
|
||||
|
||||
@@ -36,3 +36,13 @@ export function isLocalhost(ip: string): boolean {
|
||||
ip.startsWith("127.")
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* Free mode: the paywall is OFF. True on localhost (README rule "si localhost:
|
||||
* pas de paywall"), OR whenever the deployment sets XIP_OPEN_BAR=true — the prod
|
||||
* "open bar" where every paid feature is free for everyone. Every paywall gate
|
||||
* in the app routes through this single helper.
|
||||
*/
|
||||
export function isFree(ip: string): boolean {
|
||||
return process.env.XIP_OPEN_BAR === "true" || isLocalhost(ip);
|
||||
}
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
import { prisma } from "./prisma";
|
||||
import { redis } from "./redis";
|
||||
import { isLocalhost } from "./ip";
|
||||
import { isFree } from "./ip";
|
||||
|
||||
/**
|
||||
* Wallet engine — fictional "crédits XIP", keyed on IP (no accounts).
|
||||
@@ -41,7 +41,7 @@ export async function ensureWallet(ip: string): Promise<void> {
|
||||
}
|
||||
|
||||
export async function getWallet(ip: string): Promise<WalletView> {
|
||||
if (isLocalhost(ip)) return { ip, balance: INFINITE, freeMode: true };
|
||||
if (isFree(ip)) return { ip, balance: INFINITE, freeMode: true };
|
||||
await ensureWallet(ip);
|
||||
const w = await prisma.wallet.findUnique({ where: { ip } }).catch(() => null);
|
||||
const balance = w?.balance ?? 0;
|
||||
@@ -51,7 +51,7 @@ export async function getWallet(ip: string): Promise<WalletView> {
|
||||
|
||||
/** Free, instant, satirical top-up. No-op for localhost (already infinite). */
|
||||
export async function topUp(ip: string, amount = TOPUP_AMOUNT): Promise<WalletView> {
|
||||
if (isLocalhost(ip)) return { ip, balance: INFINITE, freeMode: true };
|
||||
if (isFree(ip)) return { ip, balance: INFINITE, freeMode: true };
|
||||
await ensureWallet(ip);
|
||||
const w = await prisma.wallet.update({
|
||||
where: { ip },
|
||||
@@ -83,7 +83,7 @@ export async function spend(
|
||||
reason: string,
|
||||
meta?: Record<string, unknown>
|
||||
): Promise<number> {
|
||||
if (isLocalhost(ip)) return INFINITE;
|
||||
if (isFree(ip)) return INFINITE;
|
||||
if (amount <= 0) {
|
||||
// Free item — still record the (zero) purchase for history, no balance change.
|
||||
const w = await getWallet(ip);
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import { Hono } from "hono";
|
||||
import { getClientIp, isLocalhost } from "../lib/ip";
|
||||
import { getClientIp, isFree } from "../lib/ip";
|
||||
import { prisma } from "../lib/prisma";
|
||||
import { redis } from "../lib/redis";
|
||||
import { spend } from "../lib/wallet";
|
||||
@@ -24,7 +24,7 @@ alert.post("/", async (c) => {
|
||||
}
|
||||
|
||||
// Must own the audio-alert entitlement (localhost bypasses).
|
||||
if (!isLocalhost(ip)) {
|
||||
if (!isFree(ip)) {
|
||||
const owned = await prisma.entitlement.findFirst({
|
||||
where: { ip, kind: "audio-alert", active: true },
|
||||
});
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
import { Hono } from "hono";
|
||||
import { prisma } from "../lib/prisma";
|
||||
import { getClientIp, isLocalhost } from "../lib/ip";
|
||||
import { getClientIp, isFree } from "../lib/ip";
|
||||
import { recordMessage } from "../lib/stats";
|
||||
import { broadcastNewMessage } from "../realtime";
|
||||
import { getPerksForIp, getPerksForIps } from "../lib/perks";
|
||||
@@ -11,7 +11,7 @@ const RICH_MAX = 64 * 1024; // 64 KB cap on rich markup
|
||||
|
||||
/** Does this IP own the entitlement needed for a rich tier? */
|
||||
async function ownsRich(ip: string, mode: "htmlcss" | "js"): Promise<boolean> {
|
||||
if (isLocalhost(ip)) return true;
|
||||
if (isFree(ip)) return true;
|
||||
const kind = mode === "js" ? "rich-js" : "rich-htmlcss";
|
||||
const now = new Date();
|
||||
const rows = await prisma.entitlement.findMany({ where: { ip, kind, active: true } });
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
import { Hono } from "hono";
|
||||
import { randomUUID } from "node:crypto";
|
||||
import { prisma } from "../lib/prisma";
|
||||
import { getClientIp, isLocalhost } from "../lib/ip";
|
||||
import { getClientIp, isFree } from "../lib/ip";
|
||||
import { storeFile, absolutePathFor } from "../lib/storage";
|
||||
|
||||
const uploads = new Hono();
|
||||
@@ -10,7 +10,7 @@ const FREE_LIMIT = 1_000_000; // 1 Mo for the free tier (README)
|
||||
const ABSOLUTE_MAX = 50_000_000; // hard cap even for paid, to protect the dev box
|
||||
|
||||
async function ownsNoFileLimit(ip: string): Promise<boolean> {
|
||||
if (isLocalhost(ip)) return true;
|
||||
if (isFree(ip)) return true;
|
||||
const rows = await prisma.entitlement.findMany({
|
||||
where: { ip, kind: "no-file-limit", active: true },
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user