ci: replace GitHub Actions deploy with Gitea FreeBSD runner

- runs-on: freebsd (act_runner host label) instead of ubuntu-latest
- Drop appleboy/ssh-action; use plain ssh in a run step (same pattern as
  indiekit-blog deploy.yml)
- Drop actions/setup-node; no build step on runner side
- On deploy: set git remote to internal Gitea URL, fetch, reset --hard
- npm ci --legacy-peer-deps (postinstall applies all patches automatically)
- .env and SECRET preflight checks; preflight-production-security and
  preflight-mongo-connection before restart
- Async restart via nohup + poll loop (avoids SSH hanging on open stdout)
- add workflow_dispatch trigger

Required repo secrets: SSH_PRIVATE_KEY, SSH_USER, SSH_HOST
(copy values from giersig.eu/indiekit-blog repo secrets)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.github/workflows/deploy.yml

@@ -1,78 +1,58 @@
-name: Deploy Indiekit Blog
+name: Deploy Indiekit Server
 
 on:
   push:
-    branches:
+    branches: [main]
-      - main
+  workflow_dispatch:
 
 jobs:
   deploy:
-    runs-on: ubuntu-latest
+    runs-on: freebsd
     steps:
-      - name: Checkout code
+      - uses: actions/checkout@v4
-        uses: actions/checkout@v5
 
-      - name: Set up Node.js
+      - name: Deploy to node jail
-        uses: actions/setup-node@v5
-        with:
-          node-version: '22'
-
-      - name: Install dependencies
-        run: npm ci --legacy-peer-deps
-
-      - name: Build (if needed)
         run: |
-          # Add build steps if your project requires them
+          set -eu
-          echo "No build step required"
+          mkdir -p ~/.ssh
+          printf '%s\n' "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
+          chmod 600 ~/.ssh/id_rsa
+          ssh-keyscan -p 222 ${{ secrets.SSH_HOST }} >> ~/.ssh/known_hosts 2>/dev/null
 
-      - name: Deploy to FreeBSD host and jail
+          ssh -p 222 ${{ secrets.SSH_USER }}@${{ secrets.SSH_HOST }} << SSHEOF
-        uses: appleboy/ssh-action@v0.1.10
+          set -eu
-        with:
+          restart_log=/tmp/indiekit-restart.log
-          host: ${{ secrets.FREEBSD_HOST }}
-          username: ${{ secrets.FREEBSD_DEPLOY_USER }}
-          key: ${{ secrets.FREEBSD_DEPLOY_SSH_KEY }}
-          port: 222
-          script: |
-            set -eu
-            restart_log=/tmp/indiekit-restart.log
 
-            # Update code and dependencies as indiekit user inside the jail.
+          # Update code as indiekit user; point remote at internal Gitea (no auth needed — public read).
-            sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && git fetch origin && git reset --hard origin/main && npm ci --legacy-peer-deps && install -m 755 start.example.sh start.sh"'
+          sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && git remote set-url origin http://10.100.0.90:3000/giersig.eu/indiekit-server.git && git fetch origin && git reset --hard origin/main"'
 
-            # sharp/libvips are managed manually on the server.
+          # Install dependencies (postinstall runs all patches automatically).
+          sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && npm ci --legacy-peer-deps"'
 
-            # Verify and re-apply patches in case postinstall was skipped (e.g. npm ci --ignore-scripts).
+          # Ensure env file and required secrets are present.
-            sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && for patch in scripts/patch-*.mjs; do node \"\$patch\"; done"'
+          sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && test -f .env"'
+          sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && grep -Eq \"^SECRET=.+\" .env || { echo \"Missing SECRET in .env\"; exit 1; }"'
 
-            # Ensure env file exists and contains auth secrets required by start.sh.
+          # Preflight checks before touching the running service.
-            sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && test -f .env"'
+          sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && NODE_ENV=production node scripts/preflight-production-security.mjs"'
-            sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && if ! grep -Eq \"^SECRET=.*\" .env; then echo \"Missing SECRET in /usr/local/indiekit/.env\"; exit 1; fi; if ! (grep -Eq \"^PASSWORD_SECRET=.*\" .env || grep -Eq \"^INDIEKIT_ALLOW_PASSWORD_SETUP=1\" .env); then echo \"Missing PASSWORD_SECRET (or set INDIEKIT_ALLOW_PASSWORD_SETUP=1 for one-time recovery) in /usr/local/indiekit/.env\"; exit 1; fi"'
+          sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && NODE_ENV=production node scripts/preflight-mongo-connection.mjs"'
 
-            # Validate startup prerequisites before touching the running service.
+          # Restart asynchronously to avoid the SSH session hanging on open stdout.
-            sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && NODE_ENV=production node scripts/preflight-production-security.mjs"'
+          sudo bastille cmd node sh -lc "nohup service indiekit restart >\${restart_log} 2>&1 </dev/null &"
-            sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && NODE_ENV=production node scripts/preflight-mongo-connection.mjs"'
-
-            # Restart asynchronously to avoid hanging SSH sessions when rc scripts keep stdout open.
-            sudo bastille cmd node sh -lc "nohup service indiekit restart >${restart_log} 2>&1 </dev/null &"
-
-            # Give the process time to boot and pass preflight checks.
-            attempts=0
-            max_attempts=30
-            while [ "$attempts" -lt "$max_attempts" ]; do
-              if sudo bastille cmd node sh -lc 'service indiekit onestatus >/dev/null 2>&1'; then
-                echo "Indiekit restart triggered and service is running."
-                exit 0
-              fi
-
-              attempts=$((attempts + 1))
-              sleep 2
-            done
-
-            echo "Indiekit process not found after restart."
-            sudo bastille cmd node sh -lc "tail -n 120 ${restart_log} || true"
-            sudo bastille cmd node sh -lc 'service indiekit onestatus || true'
-            sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && NODE_ENV=production node scripts/preflight-production-security.mjs" || true'
-            sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && NODE_ENV=production node scripts/preflight-mongo-connection.mjs" || true'
-            exit 1
 
+          # Wait for service to come up.
+          attempts=0
+          while [ \$attempts -lt 30 ]; do
+            if sudo bastille cmd node sh -lc 'service indiekit onestatus >/dev/null 2>&1'; then
+              echo "IndieKit is running."
+              exit 0
+            fi
+            attempts=\$((attempts + 1))
+            sleep 2
+          done
 
+          echo "IndieKit failed to start."
+          sudo bastille cmd node sh -lc "tail -n 120 \${restart_log} || true"
+          sudo bastille cmd node sh -lc 'service indiekit onestatus || true'
+          exit 1
+          SSHEOF