diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 2a757317..548d006c 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -32,7 +32,24 @@ jobs:
 username: ${{ secrets.FREEBSD_DEPLOY_USER }}
 key: ${{ secrets.FREEBSD_DEPLOY_SSH_KEY }}
 port: 222
- script: sudo bastille cmd node sh -c "cd /usr/local/indiekit && su -l indiekit -c 'git pull origin main && npm ci && sudo service indiekit restart'"
+ script: |
+ set -eu
+
+ # Update code and dependencies as indiekit user inside the jail.
+ sudo bastille cmd node sh -lc 'cd /usr/local/indiekit && su -l indiekit -c "git pull origin main && npm ci"'
+
+ # Restart asynchronously to avoid hanging SSH sessions when rc scripts keep stdout open.
+ sudo bastille cmd node sh -lc 'nohup service indiekit restart >/tmp/indiekit-restart.log 2>&1 /dev/null 2>&1; then
+ echo "Indiekit restart triggered and process is running."
+ else
+ echo "Indiekit process not found after restart."
+ sudo bastille cmd node sh -lc 'tail -n 80 /tmp/indiekit-restart.log || true'
+ exit 1
+ fi
 # Optionally reload nginx on web jail
 # - name: Reload nginx
 # uses: appleboy/ssh-action@v0.1.10
diff --git a/.gitignore b/.gitignore
index c994f824..bd32d3df 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 .env
 start.sh
+indiekit.config.mjs.orig
\ No newline at end of file
diff --git a/README.md b/README.md
index fb20ca67..8a8a2e3f 100644
--- a/README.md
+++ b/README.md
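Review bot: The restart redirect and the failure-path `tail` in the new `script:` block both use the fixed name `/tmp/indiekit-restart.log`, and the redirect is opened by the shell that `sudo bastille cmd node` starts in the jail, presumably as root given the explicit `su -l indiekit` for the other command. /tmp is world-writable, and the same jail runs `git pull` and `npm ci` as the unprivileged indiekit account, so a pre-existing file or symlink under that name would decide what the privileged shell truncates and writes. Point both references at a root-owned location instead, for example `>/var/log/indiekit-restart.log` and `tail -n 80 /var/log/indiekit-restart.log` (path constructed for illustration). The restart line is cut short on this page and the step begins above the hunk, so the exact redirect and the process check are inferred from what is visible.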
@@ -5,4 +5,10 @@
 - The IndieKit admin is expected to run behind `/admin`.
 - Set `INDIEKIT_ADMIN_URL` to the public admin base URL, including trailing slash (example: `https://blog.giersig.eu/admin/`).
 - Login uses `PASSWORD_SECRET` (bcrypt hash), not `INDIEKIT_PASSWORD`.
-- If no `PASSWORD_SECRET` exists yet, open `/admin/auth/new-password` once to generate it.
\ No newline at end of file
+- If no `PASSWORD_SECRET` exists yet, open `/admin/auth/new-password` once to generate it.
+
+## MongoDB
+
+- Preferred: set a full `MONGO_URL` (example: `mongodb://user:pass@host:27017/indiekit?authSource=admin`).
+- If `MONGO_URL` is not set, config builds the URL from `MONGO_USERNAME`, `MONGO_PASSWORD`, `MONGO_HOST`, `MONGO_PORT`, `MONGO_DATABASE`, `MONGO_AUTH_SOURCE`.
+- For `MongoServerError: Authentication failed`, first verify `MONGO_PASSWORD`, then try `MONGO_AUTH_SOURCE=admin`.
\ No newline at end of file
diff --git a/indiekit.config.mjs b/indiekit.config.mjs
index 37adcbdd..d3e49e13 100644
--- a/indiekit.config.mjs
+++ b/indiekit.config.mjs
@@ -4,6 +4,28 @@ const adminUrl = new URL(
 rawAdminUrl.endsWith("/") ? rawAdminUrl : `${rawAdminUrl}/`,
 ).href;

+const mongoUsername =
+ process.env.MONGO_USERNAME || process.env.MONGO_USER || "indiekit";
+const mongoPassword = process.env.MONGO_PASSWORD || "";
+const mongoHost = process.env.MONGO_HOST || "10.100.0.20";
+const mongoPort = process.env.MONGO_PORT || "27017";
+const mongoDatabase =
+ process.env.MONGO_DATABASE || process.env.MONGO_DB || "indiekit";
+const mongoAuthSource = process.env.MONGO_AUTH_SOURCE || "";
+const mongoCredentials =
+ mongoUsername && mongoPassword
+ ? `${encodeURIComponent(mongoUsername)}:${encodeURIComponent(
+ mongoPassword,
+ )}@`
+ : "";
+const mongoQuery =
+ mongoCredentials && mongoAuthSource
+ ? `?authSource=${encodeURIComponent(mongoAuthSource)}`
+ : "";
+const mongoUrl =
+ process.env.MONGO_URL ||
+ `mongodb://${mongoCredentials}${mongoHost}:${mongoPort}/${mongoDatabase}${mongoQuery}`;
+
 export default {
 debug: "indiekit:*",
 application: {
@@ -12,7 +34,7 @@ export default {
 authorizationEndpoint: new URL("auth", adminUrl).href,
 introspectionEndpoint: new URL("auth/introspect", adminUrl).href,
 tokenEndpoint: new URL("auth/token", adminUrl).href,
- mongodbUrl: `mongodb://indiekit:${process.env.MONGO_PASSWORD}@10.100.0.20:27017/indiekit`,
+ mongodbUrl: mongoUrl,
 },
 publication: {
 me: "https://blog.giersig.eu",
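Review bot: `mongoCredentials` becomes an empty string whenever `MONGO_PASSWORD` is unset or empty, so in the first hunk the fallback `mongoUrl` silently turns into a credential-less `mongodb://host:port/db` instead of failing at startup. A missing secret in the deploy environment then shows up either as a late authentication error or, if the server accepts anonymous clients, as an unauthenticated session. If anonymous access is not an intended mode, fail fast before building the URL, e.g. `if (!process.env.MONGO_URL && !mongoPassword) throw new Error("Set MONGO_URL or MONGO_PASSWORD");`. `mongoHost`, `mongoPort` and `mongoDatabase` are interpolated without the encoding applied to the credentials, so a one-line comment that they must be plain operator-supplied values would document the assumption. With `debug: "indiekit:*"` in the context lines, it is also worth confirming that the assembled URL, which embeds the password, is never written to the debug log.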