diff --git a/.gitignore b/.gitignore index 36b7169..0625426 100644 --- a/.gitignore +++ b/.gitignore @@ -21,8 +21,8 @@ npm-debug.log* .env.* !.env.example -# Deploy secrets (server password / host) — keep the .example tracked -deploy.config +# Local deploy trigger password (never commit) +deploy.secret # Build output dist/ diff --git a/DEPLOY.md b/DEPLOY.md new file mode 100644 index 0000000..cb81a2a --- /dev/null +++ b/DEPLOY.md 
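Review bot: Swapping the ignore pattern from `deploy.config` to `deploy.secret` leaves any `deploy.config` still sitting in a working tree unignored — and the comment being removed says that file held the server password and host — so after this change it will appear in `git status` as an untracked file one `git add .` away from being committed. Keeping both patterns during the transition, `deploy.config` and `deploy.secret` under the same comment, or stating in DEPLOY.md that the old file must be deleted before pulling, closes that gap. The `.env.*` / `!.env.example` lines are context, not part of this change.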
@@ -0,0 +1,109 @@ +# Deploying BizGaze Support + +The app runs as a Docker container behind the existing **Nginx Proxy Manager**, +which terminates TLS and proxies `https://remote.bizgaze.com` → `bizgaze-support:8090` +on the shared `nginx_proxy_manager_default` network. No host ports are published. + +Deployment model: **the server holds a git clone of this repo.** Each deploy is a +`git pull` + rebuild via [`deploy.sh`](deploy.sh). Two files are *not* in git and +live only on the server — they survive every pull: + +| File | Purpose | +|------|---------| +| `.env` | Secrets — TURN credentials, optional `SSO_SECRET`, `BIZGAZE_WEBHOOK_URL`. See [.env.example](.env.example). | +| `server/cert.pem`, `server/key.pem` | Self-signed cert for the app's *optional* direct-HTTPS listener (8443). Not needed behind NPM, but harmless. | + +Server facts: +- Host: `root@118.95.33.89` port `61` +- App path: `/opt/bizgaze-support` +- Data: Docker named volume `bizgaze_support_data` → `/data/data.db` (persists across rebuilds) +- Backups: `/opt/bizgaze-support.backups/` (newest 3 `.tgz` snapshots, auto-rotated) + +--- + +## One-time bootstrap (server → git clone) + +Run **once** to convert the existing folder into a git checkout without losing the +secrets. Prerequisite: the deployment files (Dockerfile, docker-compose.yml, +deploy.sh, etc.) are committed and pushed to `origin/master` first. + +```bash +ssh -p 61 root@118.95.33.89 # or: plink -ssh -P 61 -pw '' root@118.95.33.89 + +# 1. Store git credentials so pulls are non-interactive (once per server). +git config --global credential.helper store +printf 'https://devops%%40bizgaze.com:Bizgaze%%40123@code.bizgaze.com\n' > ~/.git-credentials +chmod 600 ~/.git-credentials + +# 2. Stash the live secrets. 
+cd /opt +cp -a bizgaze-support /opt/bizgaze-support.preclone.bak +mkdir -p /tmp/bzsecrets +cp bizgaze-support/.env /tmp/bzsecrets/ 2>/dev/null || true +cp bizgaze-support/server/cert.pem /tmp/bzsecrets/ 2>/dev/null || true +cp bizgaze-support/server/key.pem /tmp/bzsecrets/ 2>/dev/null || true + +# 3. Replace the folder with a fresh clone. +rm -rf bizgaze-support +git clone https://code.bizgaze.com/Sravan/BizGaze_Remote.git bizgaze-support +cd bizgaze-support + +# 4. Restore the secrets the clone doesn't carry. +cp /tmp/bzsecrets/.env ./.env +cp /tmp/bzsecrets/cert.pem ./server/cert.pem 2>/dev/null || true +cp /tmp/bzsecrets/key.pem ./server/key.pem 2>/dev/null || true +rm -rf /tmp/bzsecrets + +# 5. Build & launch. +chmod +x deploy.sh +docker compose up -d --build +docker compose ps +``` + +If `.env` did not exist yet, create it from the template and fill in the TURN secret: + +```bash +cp .env.example .env && nano .env +``` + +--- + +## Routine deploy + +After pushing changes to `origin/master`: + +```bash +ssh -p 61 root@118.95.33.89 'cd /opt/bizgaze-support && ./deploy.sh' +``` + +`deploy.sh` snapshots the current tree (keeping 3 backups), `git reset --hard`s to +`origin/master`, rebuilds, and verifies `/api/ice`. Flags: + +- `./deploy.sh --no-pull` — rebuild the current checkout without pulling +- `./deploy.sh --rollback` — restore the newest backup snapshot and rebuild + +--- + +## Verify + +```bash +curl https://remote.bizgaze.com/api/ice +``` + +Response must list the public STUN entry **and** a TURN entry at +`global.relay.metered.ca`. If only STUN appears, `.env` isn't reaching the +container — check `docker exec bizgaze-support env | grep TURN`. 
+ +--- + +## Rollback + +```bash +cd /opt/bizgaze-support && ./deploy.sh --rollback # newest snapshot +# or restore a specific snapshot: +ls -1t /opt/bizgaze-support.backups/*.tgz +tar -xzf /opt/bizgaze-support.backups/.tgz -C /opt/bizgaze-support && docker compose up -d --build +``` + +The `data.db` volume is never overwritten by a rebuild, so data is retained +regardless of code version. diff --git a/deploy.sh b/deploy.sh old mode 100644 new mode 100755 diff --git a/redeploy.bat b/redeploy.bat new file mode 100644 index 0000000..ab9306d --- /dev/null +++ b/redeploy.bat @@ -0,0 +1,27 @@ +@echo off +setlocal enabledelayedexpansion +REM redeploy.bat - trigger a remote deploy FROM YOUR LAPTOP (Windows). +REM Double-click, or run from a terminal. Pass deploy.sh flags through: +REM redeploy.bat pull latest + rebuild +REM redeploy.bat --no-pull rebuild current checkout +REM redeploy.bat --rollback restore newest backup on the server +REM +REM Password order: %DEPLOY_PASS% -> deploy.secret file -> prompt. + +set "HOST=118.95.33.89" +set "PORT=61" +set "USER=root" +set "APPDIR=/opt/bizgaze-support" + +REM Locate plink +set "PLINK=plink" +where plink >nul 2>nul || set "PLINK=C:\Program Files\PuTTY\plink.exe" + +REM Resolve password +set "PW=%DEPLOY_PASS%" +if "!PW!"=="" if exist "%~dp0deploy.secret" set /p PW=<"%~dp0deploy.secret" +if "!PW!"=="" set /p "PW=Server password for %USER%@%HOST%: " + +echo ==^> Triggering deploy on %USER%@%HOST% (%APPDIR%) ... +"%PLINK%" -ssh -batch -P %PORT% -pw "!PW!" %USER%@%HOST% "cd %APPDIR% && bash deploy.sh %*" +endlocal diff --git a/redeploy.sh b/redeploy.sh new file mode 100755 index 0000000..c477fc3 --- /dev/null +++ b/redeploy.sh 
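Review bot: The bootstrap section writes a real account password into `~/.git-credentials` — `printf 'https://devops%%40bizgaze.com:Bizgaze%%40123@code.bizgaze.com\n'` — so this commit publishes that credential to everyone with read access to the repository and leaves it in history even if the line is later edited. That password should be treated as compromised and rotated, and the document should carry a placeholder such as `https://<deploy-user>:<token>@code.bizgaze.com` with a sentence recommending a scoped read-only deploy token or an SSH deploy key rather than a personal account. The same section shows `plink ... -pw ''` for a root login on `118.95.33.89`, and the server then keeps a stored credential as root; it is worth saying explicitly that key-based SSH auth and a non-root deploy user are the intended end state, so readers do not copy the password workflow as the norm.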
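Review bot: The final `"%PLINK%" -ssh -batch -P %PORT% -pw "!PW!" ...` line puts the server password on the command line, where any other process on the laptop can read it (Task Manager, `wmic process`, WMI), and PuTTY's own documentation describes `-pw` as insecure for exactly that reason. PuTTY 0.77 and later accept `-pwfile <file>`, so the script could write the resolved password to a temp file and pass that instead, or — better — rely on key-based auth through Pageant and drop the password lookup entirely. A smaller point: with `enabledelayedexpansion` on, `set "PW=%DEPLOY_PASS%"` re-parses the expanded value for `!`, so a password containing `!` may be silently mangled and surface as an unexplained authentication failure; reading `DEPLOY_PASS` before `setlocal enabledelayedexpansion`, or avoiding delayed expansion for that assignment, avoids it.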
@@ -0,0 +1,39 @@ +#!/usr/bin/env bash +# +# redeploy.sh — trigger a remote deploy FROM YOUR LAPTOP (Git Bash). +# It SSHes into the server and runs the server-side ./deploy.sh. +# +# Usage: +# ./redeploy.sh # pull latest + rebuild +# ./redeploy.sh --no-pull # rebuild current checkout +# ./redeploy.sh --rollback # restore newest backup on the server +# +# Password (in priority order): +# 1. $DEPLOY_PASS environment variable +# 2. a gitignored `deploy.secret` file next to this script (one line = the pw) +# 3. hidden prompt +set -euo pipefail + +HOST=118.95.33.89 +PORT=61 +USER=root +APPDIR=/opt/bizgaze-support + +DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" + +# Locate plink (PuTTY). +PLINK="$(command -v plink 2>/dev/null || true)" +[ -n "$PLINK" ] || PLINK="/c/Program Files/PuTTY/plink" +[ -x "$PLINK" ] || { echo "ERROR: plink not found (install PuTTY or add to PATH)"; exit 1; } + +# Resolve password. +PW="${DEPLOY_PASS:-}" +if [ -z "$PW" ] && [ -f "$DIR/deploy.secret" ]; then + PW="$(tr -d '\r\n' < "$DIR/deploy.secret")" +fi +if [ -z "$PW" ]; then + read -rsp "Server password for $USER@$HOST: " PW; echo +fi + +echo "==> Triggering deploy on $USER@$HOST ($APPDIR) …" +exec "$PLINK" -ssh -batch -P "$PORT" -pw "$PW" "$USER@$HOST" "cd $APPDIR && bash deploy.sh $*"
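Review bot: The closing `exec "$PLINK" -ssh -batch -P "$PORT" -pw "$PW" ...` passes the server password as a command-line argument, so it is readable by every local user via `ps` / `/proc/<pid>/cmdline`, and because the script `exec`s into plink it stays visible for the entire deploy. PuTTY 0.77 and later accept `-pwfile`, so the resolved password can be written to a `mktemp` file with mode 0600 that a trap removes on every exit path; longer term, key-based auth (Pageant, or plain `ssh -p 61` with a key) removes the password from this script altogether. `deploy.secret` is also read without any permission check — a `stat -c %a` (or `find "$DIR/deploy.secret" -perm /077`) guard that refuses a group- or world-readable file would catch the obvious mistake. Unrelated to the secret, `$*` is spliced unquoted into the remote command string, so a flag containing spaces or shell metacharacters is re-parsed by the remote bash; that is acceptable for the documented `--no-pull`/`--rollback` flags but deserves a comment, e.g. `# $* is interpolated into a remote shell command — pass only simple flags`.
```shell
# … unchanged: plink lookup and password resolution (DEPLOY_PASS → deploy.secret → prompt) …

# Keep the password off argv: hand it to plink via -pwfile (PuTTY >= 0.77) from a
# private temp file that is removed on every exit path. No exec, so the trap runs.
PWFILE="$(mktemp)" || { echo "ERROR: mktemp failed" >&2; exit 1; }
chmod 600 "$PWFILE"
trap 'rm -f -- "$PWFILE"' EXIT
printf '%s\n' "$PW" > "$PWFILE"
unset PW

echo "==> Triggering deploy on $USER@$HOST ($APPDIR) …"
"$PLINK" -ssh -batch -P "$PORT" -pwfile "$PWFILE" "$USER@$HOST" "cd $APPDIR && bash deploy.sh $*"
```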