From ae96b79fb255ec7c514d880c0c4b0c623ecad4e0 Mon Sep 17 00:00:00 2001
From: gitea
Date: Wed, 26 Nov 2025 00:59:21 +0330
Subject: [PATCH] adding reverse proxy with ssl

---
 .gitea/workflows/cicd.yaml    | 54 +++++++++++++++++++++++------------
 docker-compose.yml            | 24 ++++++++++++++++
 nginx_user_conf.d/server.conf | 17 +++++++++++
 3 files changed, 77 insertions(+), 18 deletions(-)
 create mode 100644 docker-compose.yml
 create mode 100644 nginx_user_conf.d/server.conf

diff --git a/.gitea/workflows/cicd.yaml b/.gitea/workflows/cicd.yaml
index 3df2d9e..46b47b0 100644
--- a/.gitea/workflows/cicd.yaml
+++ b/.gitea/workflows/cicd.yaml
@@ -1,27 +1,20 @@
 name: Build and Deploy Demo App
-
 on:
   push:
     branches:
-      - main # Or whichever branch you want to trigger on
-
+      - main
 jobs:
   build-and-deploy:
-    runs-on: ubuntu-latest # Use a label that supports Docker; adjust if needed (e.g., cth-ubuntu-latest)
-
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-
       - name: Build Docker image
         run: docker build -t demo-app:latest .
-
       - name: Save Docker image to tar
         run: docker save demo-app:latest > demo-app.tar
-
       - name: Set up SSH
         run: |
           apt update && apt install -y openssh-client
@@ -31,16 +24,41 @@ jobs:
           eval "$(ssh-agent -s)"
           ssh-add ~/.ssh/id_ed25519
           ssh-keyscan -p ${{ secrets.SERVER_PORT }} ${{ secrets.SERVER_HOST }} >> ~/.ssh/known_hosts
-
-      - name: Copy tar to server via SCP
-        run: scp -o StrictHostKeyChecking=no -P ${{ secrets.SERVER_PORT }} demo-app.tar ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}:${{ secrets.DEPLOY_PATH }}demo-app.tar
-
+      - name: Copy files to server via SCP
+        run: |
+          scp -o StrictHostKeyChecking=no -P ${{ secrets.SERVER_PORT }} demo-app.tar ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}:${{ secrets.DEPLOY_PATH }}demo-app.tar
+          scp -o StrictHostKeyChecking=no -P ${{ secrets.SERVER_PORT }} docker-compose.yml ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}:${{ secrets.DEPLOY_PATH }}docker-compose.yml
+          scp -o StrictHostKeyChecking=no -P ${{ secrets.SERVER_PORT }} -r nginx_user_conf.d ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}:${{ secrets.DEPLOY_PATH }}nginx_user_conf.d
       - name: Deploy on server via SSH
         run: |
           ssh -o StrictHostKeyChecking=no -p ${{ secrets.SERVER_PORT }} ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }} << EOF
-          docker load -i ${{ secrets.DEPLOY_PATH }}demo-app.tar
-          docker stop demo-app || true
-          docker rm demo-app || true
-          docker run -d --name demo-app -p 5000:5000 --restart unless-stopped demo-app:latest
-          rm ${{ secrets.DEPLOY_PATH }}demo-app.tar # Clean up
+          cd ${{ secrets.DEPLOY_PATH }}
+
+          # Check and install Docker if not present (Ubuntu/Debian assumed)
+          if ! command -v docker &> /dev/null; then
+            sudo apt update -y
+            sudo apt install -y ca-certificates curl
+            sudo install -m 0755 -d /etc/apt/keyrings
+            sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
+            sudo chmod a+r /etc/apt/keyrings/docker.asc
+            echo "deb [arch=\$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \$(. /etc/os-release && echo "\$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+            sudo apt update -y
+            sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+            sudo systemctl start docker
+            sudo systemctl enable docker
+          fi
+
+          # Check and install Docker Compose if not present
+          if ! command -v docker-compose &> /dev/null; then
+            sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-\$(uname -s)-\$(uname -m)" -o /usr/local/bin/docker-compose
+            sudo chmod +x /usr/local/bin/docker-compose
+          fi
+
+          # Load image and deploy with Compose
+          docker load -i demo-app.tar
+          docker-compose down || true # Graceful stop
+          docker-compose up -d
+
+          # Cleanup
+          rm demo-app.tar
           EOF
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..bfdbcec
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,24 @@
+services:
+  app:
+    image: demo-app:latest
+    container_name: demo-app
+    restart: unless-stopped
+
+  nginx:
+    image: jonasal/nginx-certbot:latest
+    container_name: demo-nginx
+    restart: unless-stopped
+    ports:
+      - 8008:80
+      - 4433:443
+    environment:
+      - CERTBOT_EMAIL=your@email.com
+      - ENVSUBST_TEMPLATE_SUFFIX=.tmpl # Enables template processing if needed
+    volumes:
+      - ./nginx_user_conf.d:/etc/nginx/user_conf.d:ro
+      - letsencrypt:/etc/letsencrypt
+    depends_on:
+      - app
+
+volumes:
+  letsencrypt:
diff --git a/nginx_user_conf.d/server.conf b/nginx_user_conf.d/server.conf
new file mode 100644
index 0000000..583e641
--- /dev/null
+++ b/nginx_user_conf.d/server.conf
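Review bot: The three new `scp` lines in "Copy files to server via SCP" keep `-o StrictHostKeyChecking=no`, which switches off exactly the host-key verification that the `ssh-keyscan … >> ~/.ssh/known_hosts` context line at the top of this hunk populates, so a machine-in-the-middle on the deploy path could swap the image tarball, the compose file or the nginx config without the job noticing. The keyscan itself trusts whatever answers at scan time; a host key recorded once and stored as a secret, then appended to known_hosts, is the stronger form. In the deploy heredoc, the standalone `docker-compose` is fetched from `…/releases/latest/download/…` with no version pin and no checksum and then run as root, even though `docker-compose-plugin` installed a few lines earlier already provides `docker compose`; dropping that download removes an unverified supply-chain step. The remote script also runs without `set -e`, so a failed `docker load` still proceeds to `docker-compose up -d` with whatever image was already on the host; I'd open the heredoc with `set -eu`. The whole SSH step, from its header to the `EOF` terminator, is within this hunk.

```yaml
      - name: Copy files to server via SCP
        run: |
          scp -P ${{ secrets.SERVER_PORT }} demo-app.tar ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}:${{ secrets.DEPLOY_PATH }}demo-app.tar
          scp -P ${{ secrets.SERVER_PORT }} docker-compose.yml ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}:${{ secrets.DEPLOY_PATH }}docker-compose.yml
          scp -P ${{ secrets.SERVER_PORT }} -r nginx_user_conf.d ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}:${{ secrets.DEPLOY_PATH }}nginx_user_conf.d
      - name: Deploy on server via SSH
        run: |
          ssh -p ${{ secrets.SERVER_PORT }} ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }} << EOF
          set -eu
          cd ${{ secrets.DEPLOY_PATH }}
          # … unchanged: Docker engine install block (docker-compose-plugin already provides `docker compose`) …
          # Load image and deploy with Compose
          docker load -i demo-app.tar
          docker compose down || true # Graceful stop
          docker compose up -d
          # … unchanged: cleanup …
          EOF
```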
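Review bot: The nginx service publishes `8008:80` and `4433:443`, but as far as I know jonasal/nginx-certbot obtains its certificates with the HTTP-01 challenge, which must reach `http://demo.networkwizard.xyz/.well-known/acme-challenge/` on port 80, so unless something in front of this host forwards 80 to 8008 no certificate will ever be issued and the `listen 443 ssl` site stays dark. `CERTBOT_EMAIL=your@email.com` is a placeholder, so expiry and revocation notices for the certificate would go to an address nobody controls; it belongs in the environment or a secret rather than the committed file. `image: jonasal/nginx-certbot:latest` is a floating tag on the TLS-terminating edge container, so every `docker-compose up` may pull a different image; pin it to a release tag or a digest. I'd write the ports as `- "80:80"` and `- "443:443"` (quoted, per Compose convention) and read the address from the environment, `- CERTBOT_EMAIL=${CERTBOT_EMAIL}`.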
@@ -0,0 +1,17 @@
+server {
+    listen 80;
+    listen 443 ssl;
+    server_name demo.networkwizard.xyz;
+
+    # SSL config handled by the container image
+
+    location / {
+        proxy_pass http://app:5000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # Redirect HTTP to HTTPS (handled automatically by the image after certs are obtained)
+}
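Review bot: The server block has `listen 443 ssl;` but no `ssl_certificate`/`ssl_certificate_key`, and the comment "SSL config handled by the container image" does not match how jonasal/nginx-certbot works as far as I know: the image decides which certificates to request by scanning user_conf.d for `ssl_certificate` paths under `/etc/letsencrypt/live/`, and nginx itself refuses to start a `listen … ssl` server with no certificate defined. Add `ssl_certificate /etc/letsencrypt/live/demo.networkwizard.xyz/fullchain.pem;` and `ssl_certificate_key /etc/letsencrypt/live/demo.networkwizard.xyz/privkey.pem;` under `server_name`. `listen 80;` in the same block also means plain-HTTP requests for this hostname are proxied in cleartext to the app rather than redirected, because a name-matching server block wins over the image's default port-80 redirector; drop `listen 80;` and let the image handle the redirect and the ACME challenge path. The closing comment ("Redirect HTTP to HTTPS … handled automatically by the image") would then describe what actually happens.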