git updates

This commit is contained in:
2025-09-09 16:26:07 -04:00
parent f29d060d59
commit 27cb38c3bb
5 changed files with 117 additions and 98 deletions
+28 -90
View File
@@ -44,110 +44,48 @@ jobs:
docker tag nfoguard:latest nfoguard:${{ github.sha }} docker tag nfoguard:latest nfoguard:${{ github.sha }}
echo "Docker image built and tagged successfully" echo "Docker image built and tagged successfully"
- name: Find local Gitea IP - name: Login and Push to Gitea registry (local network)
run: | run: |
echo "Using known local Gitea IP: 192.168.253.221" echo "Using local network connection to avoid Cloudflare tunnel timeouts..."
GITEA_LOCAL_IP="192.168.253.221"
# Test connectivity to local IP
echo "Testing local connectivity..."
if timeout 3 curl -s "http://$GITEA_LOCAL_IP:3000" >/dev/null 2>&1; then
echo "✅ Local Gitea accessible at $GITEA_LOCAL_IP:3000"
else
echo "❌ Cannot reach local Gitea at $GITEA_LOCAL_IP:3000"
fi
# Test registry endpoint
if timeout 3 curl -s "http://$GITEA_LOCAL_IP:3000/v2/" >/dev/null 2>&1; then
echo "✅ Registry endpoint accessible"
else
echo "❌ Registry endpoint not accessible"
fi
# Export for other steps
echo "GITEA_LOCAL_IP=$GITEA_LOCAL_IP" >> $GITHUB_ENV
echo "Using Gitea at: $GITEA_LOCAL_IP"
- name: Login to Gitea registry
run: |
echo "Logging into Gitea container registry..."
export DOCKER_CONFIG=/tmp/docker-config export DOCKER_CONFIG=/tmp/docker-config
mkdir -p $DOCKER_CONFIG mkdir -p $DOCKER_CONFIG
# Test local IP connectivity first # Use local IP directly - no tunnel overhead
REGISTRY="$GITEA_LOCAL_IP:3000" LOCAL_REGISTRY="192.168.253.221:3000"
echo "Testing registry connectivity to: $REGISTRY" echo "Registry: $LOCAL_REGISTRY"
# Test if we can reach the registry endpoint # Login to local registry
if curl -s -f "http://$REGISTRY/v2/" >/dev/null 2>&1; then echo "${{ secrets.token }}" | docker --config $DOCKER_CONFIG login "$LOCAL_REGISTRY" -u "${{ secrets.username }}" --password-stdin
echo "✅ Registry endpoint accessible via HTTP"
# Try login with local IP
echo "${{ secrets.token }}" | docker --config $DOCKER_CONFIG login "$REGISTRY" -u "${{ secrets.username }}" --password-stdin && {
echo "REGISTRY_URL=$REGISTRY" >> $GITHUB_ENV
echo "✅ Local registry login successful"
} || {
echo "❌ Local registry login failed, using domain fallback"
echo "${{ secrets.token }}" | docker --config $DOCKER_CONFIG login gitea.skalas.org -u "${{ secrets.username }}" --password-stdin
echo "REGISTRY_URL=gitea.skalas.org" >> $GITHUB_ENV
}
else
echo "❌ Local registry not accessible, using domain"
echo "${{ secrets.token }}" | docker --config $DOCKER_CONFIG login gitea.skalas.org -u "${{ secrets.username }}" --password-stdin
echo "REGISTRY_URL=gitea.skalas.org" >> $GITHUB_ENV
fi
echo "Using registry: ${REGISTRY_URL:-gitea.skalas.org}" # Tag images for local registry
docker tag nfoguard:latest "$LOCAL_REGISTRY/jskala/nfoguard:latest"
docker tag nfoguard:latest "$LOCAL_REGISTRY/jskala/nfoguard:${{ github.sha }}"
- name: Push to Gitea registry echo "Pushing to local registry (much faster!)..."
run: |
echo "Pushing to Gitea container registry at: ${REGISTRY_URL:-gitea.skalas.org}"
export DOCKER_CONFIG=/tmp/docker-config
# Use the discovered registry URL or fallback to domain name # Push to local network - should be very fast
REGISTRY=${REGISTRY_URL:-gitea.skalas.org}
# Retag images for the correct registry
docker tag nfoguard:latest "$REGISTRY/jskala/nfoguard:latest"
docker tag nfoguard:latest "$REGISTRY/jskala/nfoguard:${{ github.sha }}"
echo "Pushing to $REGISTRY..."
echo "Image 1: $REGISTRY/jskala/nfoguard:latest"
echo "Image 2: $REGISTRY/jskala/nfoguard:${{ github.sha }}"
# Push first image with detailed output
echo "=== Pushing latest tag ===" echo "=== Pushing latest tag ==="
timeout 600 docker --config $DOCKER_CONFIG push "$REGISTRY/jskala/nfoguard:latest" 2>&1 | tee /tmp/push1.log && { if docker --config $DOCKER_CONFIG push "$LOCAL_REGISTRY/jskala/nfoguard:latest"; then
echo "✅ First image pushed successfully" echo "✅ Latest tag pushed successfully"
FIRST_SUCCESS=true
} || {
echo "❌ First push failed"
cat /tmp/push1.log
FIRST_SUCCESS=false
}
# Push second image echo "=== Pushing SHA tag ==="
echo "=== Pushing SHA tag ===" if docker --config $DOCKER_CONFIG push "$LOCAL_REGISTRY/jskala/nfoguard:${{ github.sha }}"; then
timeout 600 docker --config $DOCKER_CONFIG push "$REGISTRY/jskala/nfoguard:${{ github.sha }}" 2>&1 | tee /tmp/push2.log && { echo "✅ SHA tag pushed successfully"
echo "✅ Second image pushed successfully" else
SECOND_SUCCESS=true echo "⚠️ SHA tag push failed but latest succeeded"
} || { fi
echo "❌ Second push failed"
cat /tmp/push2.log
SECOND_SUCCESS=false
}
# Verify what actually made it
echo "=== Verifying push results ==="
curl -s "$REGISTRY/v2/jskala/nfoguard/tags/list" || echo "Could not verify tags"
if [ "$FIRST_SUCCESS" = "true" ]; then
echo "🎉 At least one image pushed successfully!"
exit 0
else else
echo "💥 Push failed" echo "❌ Local registry push failed"
docker images | grep nfoguard
exit 1 exit 1
fi fi
# Verify the push worked
echo "=== Verifying push ==="
curl -s "http://$LOCAL_REGISTRY/v2/jskala/nfoguard/tags/list" || echo "Could not verify (but push likely succeeded)"
echo "🎉 Local registry push completed!"
deploy: deploy:
needs: build needs: build
runs-on: host runs-on: host
+40 -5
View File
@@ -1,25 +1,60 @@
FROM python:3.11-slim FROM python:3.11-slim
# Set working directory
WORKDIR /app WORKDIR /app
# deps (curl for healthcheck; gosu only needed when running as root) # Install system dependencies in a single layer and clean up
RUN apt-get update && apt-get install -y --no-install-recommends \ RUN apt-get update && apt-get install -y --no-install-recommends \
sqlite3 curl gosu \ sqlite3 curl gosu \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/* \
&& apt-get clean
# Create a default appuser (will be ignored if process isnt root) # Create user early
RUN groupadd -g 1000 appuser && useradd -u 1000 -g appuser -m appuser RUN groupadd -g 1000 appuser && useradd -u 1000 -g appuser -m appuser
# Copy and install Python dependencies first (for better caching)
COPY requirements.txt . COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt RUN pip install --no-cache-dir -r requirements.txt \
&& pip cache purge
# Copy new modular structure # Copy application files
COPY nfoguard.py . COPY nfoguard.py .
COPY core/ ./core/ COPY core/ ./core/
COPY clients/ ./clients/ COPY clients/ ./clients/
COPY VERSION . COPY VERSION .
# Set permissions
RUN mkdir -p /app/data && chown -R appuser:appuser /app RUN mkdir -p /app/data && chown -R appuser:appuser /app
# Root-aware entrypoint
RUN echo '#!/bin/bash' > /entrypoint.sh && \
echo 'set -euo pipefail' >> /entrypoint.sh && \
echo '' >> /entrypoint.sh && \
echo 'PUID=${PUID:-1000}' >> /entrypoint.sh && \
echo 'PGID=${PGID:-1000}' >> /entrypoint.sh && \
echo '' >> /entrypoint.sh && \
echo 'if [ "$(id -u)" -eq 0 ]; then' >> /entrypoint.sh && \
echo ' # running as root: we can adjust IDs and drop privileges' >> /entrypoint.sh && \
echo ' groupmod -o -g "$PGID" appuser 2>/dev/null || groupadd -o -g "$PGID" appuser' >> /entrypoint.sh && \
echo ' id appuser &>/dev/null || useradd -o -u "$PUID" -g "$PGID" -m appuser' >> /entrypoint.sh && \
echo ' usermod -o -u "$PUID" -g "$PGID" appuser 2>/dev/null || true' >> /entrypoint.sh && \
echo ' chown -R "$PUID:$PGID" /app || true' >> /entrypoint.sh && \
echo ' exec gosu appuser "$@"' >> /entrypoint.sh && \
echo 'else' >> /entrypoint.sh && \
echo ' # not root (e.g., compose set user: 1000:1000) — just run' >> /entrypoint.sh && \
echo ' exec "$@"' >> /entrypoint.sh && \
echo 'fi' >> /entrypoint.sh
RUN chmod +x /entrypoint.sh
# Health check
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
CMD curl -f http://localhost:8080/health || exit 1
EXPOSE 8080
ENTRYPOINT ["/entrypoint.sh"]
CMD ["python", "nfoguard.py"]
# Root-aware entrypoint # Root-aware entrypoint
RUN echo '#!/bin/bash' > /entrypoint.sh && \ RUN echo '#!/bin/bash' > /entrypoint.sh && \
echo 'set -euo pipefail' >> /entrypoint.sh && \ echo 'set -euo pipefail' >> /entrypoint.sh && \
+33
View File
@@ -0,0 +1,33 @@
# Test image size optimization
FROM python:3.11-slim
WORKDIR /app
# Single layer for all dependencies to reduce image size
RUN apt-get update && apt-get install -y --no-install-recommends \
sqlite3 curl gosu \
&& rm -rf /var/lib/apt/lists/* \
&& apt-get clean \
&& groupadd -g 1000 appuser \
&& useradd -u 1000 -g appuser -m appuser
# Install Python deps with cleanup
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt && pip cache purge
# Copy app files
COPY nfoguard.py core/ clients/ VERSION ./
# Set permissions and create entrypoint in single layer
RUN mkdir -p /app/data \
&& chown -R appuser:appuser /app \
&& echo '#!/bin/bash\nset -euo pipefail\nPUID=${PUID:-1000}\nPGID=${PGID:-1000}\nif [ "$(id -u)" -eq 0 ]; then\n groupmod -o -g "$PGID" appuser 2>/dev/null || groupadd -o -g "$PGID" appuser\n id appuser &>/dev/null || useradd -o -u "$PUID" -g "$PGID" -m appuser\n usermod -o -u "$PUID" -g "$PGID" appuser 2>/dev/null || true\n chown -R "$PUID:$PGID" /app || true\n exec gosu appuser "$@"\nelse\n exec "$@"\nfi' > /entrypoint.sh \
&& chmod +x /entrypoint.sh
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
CMD curl -f http://localhost:8080/health || exit 1
EXPOSE 8080
ENTRYPOINT ["/entrypoint.sh"]
CMD ["python", "nfoguard.py"]
+1 -1
View File
@@ -1 +1 @@
0.6.0 0.2.14
+13
View File
@@ -41,3 +41,16 @@ docker push gitea.skalas.org/jskala/test:latest
``` ```
After enabling packages, your workflow should work! After enabling packages, your workflow should work!
## 5. Performance tip: Use local network for same-host setups
If your runner and Gitea are on the same host, use the local IP to avoid Cloudflare tunnel overhead:
```bash
# Much faster for same-host setups
docker login 192.168.253.221:3000
docker tag hello-world 192.168.253.221:3000/jskala/test:latest
docker push 192.168.253.221:3000/jskala/test:latest
```
This bypasses the tunnel completely and should be very fast!