deployment templates for lichen

add staging support: compose-staging, Caddy proxy, configurable compose src

- docker-compose-staging/: app-only stack on port 9001, no Caddy
- Caddyfile: staging.lichen.page and *.staging.lichen.page proxy to localhost:9001
- ansible role: lichen_compose_src and lichen_compose_files variables

authored by

notplants and committed by
notplants
37fcf27f 32cd1bee

+89 -6
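--- a/ansible/roles/lichen/tasks/main.yml
+++ b/ansible/roles/lichen/tasks/main.yml
@@ -11,15 +11,17 @@
     state: directory
     mode: "0755"
 
-- name: Sync compose stack files from ../docker-compose
+- name: Sync compose stack files
   copy:
-    src: "{{ playbook_dir }}/../docker-compose/{{ item.name }}"
+    src: "{{ playbook_dir }}/../{{ lichen_compose_src | default('docker-compose') }}/{{ item.name }}"
     dest: "{{ lichen_deploy_dir }}/{{ item.name }}"
     mode: "{{ item.mode }}"
-  loop:
-    - { name: docker-compose.yml, mode: "0644" }
-    - { name: Caddyfile, mode: "0644" }
-    - { name: entrypoint.sh, mode: "0755" }
+  loop: "{{ lichen_compose_files | default(default_compose_files) }}"
+  vars:
+    default_compose_files:
+      - { name: docker-compose.yml, mode: "0644" }
+      - { name: Caddyfile, mode: "0644" }
+      - { name: entrypoint.sh, mode: "0755" }
 
 - name: Render .env
   template: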
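Review bot: The two new variables are coupled but nothing in the task enforces it: with `lichen_compose_src` set to `docker-compose-staging` and `lichen_compose_files` left unset, the loop falls back to `default_compose_files`, which lists `Caddyfile`, and the staging directory added in this commit appears not to contain one, so `copy` would fail on a missing source. I would add a comment above the task, `# lichen_compose_src and lichen_compose_files must be overridden together; the default list matches ../docker-compose only`, and document both variables in the role defaults. Because `lichen_compose_src` is spliced into the path after `../`, the documentation should also say it is a directory name relative to the repository root rather than an arbitrary path. The tasks before and after this one are cut off by the hunk.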
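--- a/docker-compose-staging/docker-compose.yml
+++ b/docker-compose-staging/docker-compose.yml
@@ -0,0 +1,30 @@
+services:
+  app:
+    image: notplants/lichen-full:latest
+    entrypoint: ["/bin/sh", "/entrypoint.sh"]
+    network_mode: host
+    environment:
+      - LM_SERVER_PORT=9001
+      - LM_DASHBOARD_DOMAIN=${DOMAIN}
+      - LM_USE_AUTH=true
+      - LM_ROOT_DIR=/data
+      - LM_PUBLIC_URL=https://${DOMAIN}
+      - AUTH_PROVIDERS=${AUTH_PROVIDERS:-file,atproto}
+      - ADMIN_USER=${ADMIN_USER:-admin}
+      - ADMIN_PASSWORD=${ADMIN_PASSWORD}
+      - DEFAULT_STORAGE_LIMIT=${DEFAULT_STORAGE_LIMIT:-}
+      - RUST_LOG=${RUST_LOG:-info}
+    volumes:
+      - staging_data:/data
+      - ./entrypoint.sh:/entrypoint.sh:ro
+      - ./bin:/opt/lichen-bin:ro
+    healthcheck:
+      test: ["CMD", "wget", "-q", "--spider", "http://127.0.0.1:9001/tls-check"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+      start_period: 30s
+    restart: unless-stopped
+
+volumes:
+  staging_data: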
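Review bot: `network_mode: host` together with `LM_SERVER_PORT=9001` puts the staging listener directly in the host's network namespace, and nothing in this file shows which address it binds to; if the server listens on all interfaces, port 9001 is reachable in plaintext from outside and bypasses the Caddy TLS proxy. If lichen-server has a bind-address setting, pin it to loopback; otherwise restrict 9001 with a host firewall rule, and record the requirement next to the option, e.g. `# host networking: 9001 must only be reachable from Caddy on localhost`. Separately, `image: notplants/lichen-full:latest` is a mutable tag, so a later pull can bring in code that was never tested on staging; pinning a version tag or digest keeps the deployment reproducible.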
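--- a/docker-compose-staging/entrypoint.sh
+++ b/docker-compose-staging/entrypoint.sh
@@ -0,0 +1,42 @@
+#!/bin/sh
+set -e
+
+# disable bubblewrap sandbox — not supported inside Docker
+rm -f /usr/bin/bwrap
+
+# install bash (shell feature) and git-daemon (provides git-http-backend for clone/push)
+apk add --no-cache bash git-daemon > /dev/null 2>&1 || true
+
+# set git identity for auto-commit
+if command -v git > /dev/null 2>&1; then
+    git config --global user.email "lichen@${LM_DASHBOARD_DOMAIN:-localhost}"
+    git config --global user.name "lichen"
+fi
+
+# write lichen.toml if it doesn't exist yet
+if [ ! -f /data/lichen.toml ]; then
+    TOML_PROVIDERS=$(echo "${AUTH_PROVIDERS:-file,atproto}" | sed 's/[^,][^,]*/\"&\"/g')
+    echo "auth_providers = [$TOML_PROVIDERS]" > /data/lichen.toml
+    if [ -n "$DEFAULT_STORAGE_LIMIT" ]; then
+        echo "default_storage_limit = \"$DEFAULT_STORAGE_LIMIT\"" >> /data/lichen.toml
+    fi
+fi
+
+# create or update admin user on every startup
+if [ -n "$ADMIN_PASSWORD" ]; then
+    if [ -f "/data/users/${ADMIN_USER:-admin}.toml" ]; then
+        lichen-server --multi user set-password "${ADMIN_USER:-admin}" \
+            --password "$ADMIN_PASSWORD" --root-dir /data
+    else
+        lichen-server --multi user add "${ADMIN_USER:-admin}" \
+            --password "$ADMIN_PASSWORD" --root-dir /data
+    fi
+fi
+
+# use custom binary if present, otherwise use the image's built-in binary
+if [ -x /opt/lichen-bin/lichen-server ]; then
+    echo "++ using custom binary from /opt/lichen-bin/lichen-server"
+    exec /opt/lichen-bin/lichen-server --multi serve
+else
+    exec lichen-server --multi serve
+fi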
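Review bot: `rm -f /usr/bin/bwrap` on line 5 removes the sandbox binary and the next step installs bash for the shell feature, so whatever lichen would have run under bubblewrap (presumably that shell feature) now runs unsandboxed, in a container that the staging compose file places on the host network. The comment should say what is given up, for example `# no bubblewrap inside Docker: shell feature runs unsandboxed; the container is the only isolation boundary`. The `apk add ... > /dev/null 2>&1 || true` line discards both output and failure, so a start without network access leaves git-http-backend missing with nothing in the log; `|| echo "++ warning: apk add failed" >&2` keeps the best-effort behaviour but leaves a trace. `--password "$ADMIN_PASSWORD"` on lines 29 and 32 places the admin password on the command line, where it shows in the process list while the command runs; if lichen-server can take it from stdin or the environment, prefer that.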
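--- a/docker-compose/Caddyfile
+++ b/docker-compose/Caddyfile
@@ -4,6 +4,15 @@
     }
 }
 
+# staging: proxy staging.lichen.page and *.staging.lichen.page to the
+# staging app running on the host on port 9001
+staging.lichen.page, *.staging.lichen.page {
+    tls {
+        on_demand
+    }
+    reverse_proxy localhost:9001
+}
+
 :443 {
     tls {
         on_demand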
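Review bot: The new site block enables `on_demand` TLS for `*.staging.lichen.page`, so a certificate is requested on first handshake for any subdomain a client names; Caddy's permission check for on-demand issuance (`on_demand_tls` with `ask`) is set in the global options, which sit above this hunk, so it is not visible whether a check exists or whether the endpoint it names knows about staging hostnames. If that check is answered by the production app, confirm it approves only staging names that actually exist; with no check at all, unbounded subdomain requests can run into the CA's rate limits. The block's comment could carry this, e.g. `# on-demand certs for staging are gated by the global ask endpoint`. The `:443` block that follows continues outside the hunk.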