diff --git a/.gitignore b/.gitignore index a547bf3..1d4f5c9 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,8 @@ +.env +.env.* +!.env.example +/.reports/ + # Logs logs *.log diff --git a/.woodpecker.yml b/.woodpecker.yml new file mode 100644 index 0000000..252f41f --- /dev/null +++ b/.woodpecker.yml @@ -0,0 +1,193 @@ +when: + - branch: main + event: push + +steps: + + # Etape 1 : Validation syntaxique du docker-compose.yml + - name: validate + image: docker:27-cli + volumes: + - /var/run/docker.sock:/var/run/docker.sock + environment: + APP_DOMAIN: validate.example.com + commands: + - | + export COMPOSE_PROJECT_NAME=$(printf '%s-%s-%s' "$CI_REPO_OWNER" "$CI_REPO_NAME" "$CI_COMMIT_BRANCH" | tr 'A-Z/' 'a-z-') + docker compose config --quiet + - echo "docker-compose.yml valide" + + # Etape 2 : Verifications de securite + - name: security-check + image: alpine:3.20 + commands: + - | + if [ -f .env ]; then + echo "ERREUR: .env ne doit pas etre commite dans le depot" + exit 1 + fi + - 'grep -q "^\.env$" .gitignore || (echo "ERREUR: .env manquant dans .gitignore" && exit 1)' + - echo "Verifications de securite OK" + + # Etape 3 : Build de l'image Docker en local sur sonic + # VITE_USE_LIVE_API=true est bake dans l'image au moment du build (Vite) + # NOTE: volumes + pas de from_secret : compatible + - name: build-image + image: docker:27-cli + volumes: + - /var/run/docker.sock:/var/run/docker.sock + commands: + - docker build -t g1flux:latest . + - echo "Image g1flux:latest construite" + + # Etape 4a : Generation SBOM (Syft) depuis l'image locale + # NOTE: volumes + pas de from_secret : compatible + - name: sbom-generate + image: alpine:3.20 + volumes: + - /var/run/docker.sock:/var/run/docker.sock + commands: + - apk add --no-cache curl + - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin latest + - mkdir -p .reports + - syft g1flux:latest -o cyclonedx-json --file .reports/sbom-app.cyclonedx.json + - echo "SBOM genere" + + # Etape 4b : Scan CVE (Trivy) depuis le SBOM + - name: sbom-scan + image: aquasec/trivy:latest + volumes: + - /home/syoul/trivy-cache:/root/.cache/trivy + commands: + - trivy sbom --format json --output .reports/trivy-app.json .reports/sbom-app.cyclonedx.json + - echo "Scan CVE termine" + + # Etape 4c : Publication SBOM vers Dependency-Track + # NOTE: from_secret + pas de volumes : compatible + - name: sbom-publish + image: alpine/curl:latest + environment: + DTRACK_TOKEN: + from_secret: dependency_track_token + DTRACK_DOMAIN: + from_secret: dtrack_domain + commands: + - | + VERSION=$(date +%Y-%m-%d)-$(echo "$CI_COMMIT_SHA" | cut -c1-8) + HTTP=$(curl -s -o /tmp/dtrack-resp.txt -w "%{http_code}" -X POST "https://$DTRACK_DOMAIN/api/v1/bom" \ + -H "X-Api-Key: $DTRACK_TOKEN" \ + -F "autoCreate=true" \ + -F "projectName=g1flux-app" \ + -F "projectVersion=$VERSION" \ + -F "bom=@.reports/sbom-app.cyclonedx.json") + echo "HTTP $HTTP : $(cat /tmp/dtrack-resp.txt)" + [ "$HTTP" -ge 200 ] && [ "$HTTP" -lt 300 ] || exit 1 + + # Etape 5a : Ecriture du .env.deploy depuis les secrets + # NOTE: from_secret + pas de volumes : compatible + - name: write-env + image: alpine:3.20 + environment: + APP_DOMAIN: + from_secret: app_domain + commands: + - env | grep -E "^(APP_DOMAIN)=" > .env.deploy + - OWNER=$(echo "$CI_REPO_OWNER" | tr 'A-Z' 'a-z') && REPO=$(echo "$CI_REPO_NAME" | tr 'A-Z' 'a-z') && BRANCH=$(echo "$CI_COMMIT_BRANCH" | tr 'A-Z/' 'a-z-') && echo "COMPOSE_PROJECT_NAME=$OWNER-$REPO-$BRANCH" >> .env.deploy + - echo "Fichier .env.deploy cree ($(wc -c < .env.deploy) octets)" + + # Etape 5b : Validation du .env.deploy + - name: test-env + image: alpine:3.20 + commands: + - | + [ -f .env.deploy ] || { echo "FAIL: .env.deploy introuvable"; exit 1; } + echo "PASS: .env.deploy present" + - | + VAL=$(grep '^COMPOSE_PROJECT_NAME=' .env.deploy | cut -d= -f2) + [ -z "$VAL" ] && echo "FAIL: COMPOSE_PROJECT_NAME vide" && exit 1 + echo "PASS: COMPOSE_PROJECT_NAME = $VAL" + - | + VAL=$(grep '^APP_DOMAIN=' .env.deploy | cut -d= -f2) + [ -z "$VAL" ] && echo "FAIL: APP_DOMAIN vide" && exit 1 + echo "PASS: APP_DOMAIN = $VAL" + + # Etape 6 : Deploiement sur sonic via Docker socket + # Fabio routing gere automatiquement par Registrator via les labels SERVICE_* du compose + # NOTE: volumes + pas de from_secret : compatible + - name: deploy + image: docker:27-cli + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - /opt/g1flux:/opt/g1flux + commands: + - cp .env.deploy /opt/g1flux/.env + - chmod 600 /opt/g1flux/.env + - cp docker-compose.yml /opt/g1flux/docker-compose.yml + - cd /opt/g1flux && docker compose stop + - | + DOMAIN=$(grep '^APP_DOMAIN=' /opt/g1flux/.env | cut -d= -f2) + + # Certificat TLS (acme.sh, idempotent) + # Exit 0 = emis/renouvele, exit 2 = skip (cert valide), autres = erreur + ACME_EXIT=0 + docker exec sonic-acme-1 /app/acme.sh \ + --home /etc/acme.sh \ + --issue -d "$DOMAIN" \ + --webroot /usr/share/nginx/html \ + --server letsencrypt \ + --accountemail support+acme@asycn.io || ACME_EXIT=$? + if [ "$ACME_EXIT" -ne 0 ] && [ "$ACME_EXIT" -ne 2 ]; then + echo "ERREUR: acme.sh a echoue (exit $ACME_EXIT)" + exit 1 + fi + docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/fullchain.cer /host/certs/$DOMAIN-cert.pem + docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/$DOMAIN.key /host/certs/$DOMAIN-key.pem + echo "Cert TLS OK (acme exit $ACME_EXIT)" + - cd /opt/g1flux && docker compose up -d --remove-orphans + - cd /opt/g1flux && docker compose ps + + # Etape 7 : Verification que le container est running + - name: test-deploy + image: docker:27-cli + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - /opt/g1flux:/opt/g1flux + commands: + - | + PROJECT=$(grep '^COMPOSE_PROJECT_NAME=' /opt/g1flux/.env | cut -d= -f2) + STATUS=$(docker inspect --format '{{.State.Status}}' "$PROJECT-app" 2>/dev/null || echo "absent") + echo "$PROJECT-app : $STATUS" + [ "$STATUS" = "running" ] || { echo "FAIL: container non running"; exit 1; } + echo "PASS: container running" + + # Etape 8 : Healthcheck HTTP public + - name: healthcheck + image: alpine:3.20 + commands: + - apk add --no-cache --quiet curl + - | + SITE=$(grep '^APP_DOMAIN=' .env.deploy | cut -d= -f2) + TARGET="https://$SITE" + echo "Healthcheck $TARGET..." + MAX=18 + i=0 + until [ $i -ge $MAX ]; do + CODE=$(curl -sSo /dev/null -w "%{http_code}" "$TARGET" 2>/dev/null) + echo "Tentative $((i+1))/$MAX - HTTP $CODE" + if [ "$CODE" = "200" ] || [ "$CODE" = "301" ] || [ "$CODE" = "302" ]; then + echo "PASS: app repond sur $TARGET" + exit 0 + fi + i=$((i+1)) + sleep 10 + done + echo "FAIL: app ne repond pas apres 3 minutes" + exit 1 + + # Notification en cas d'echec + - name: notify-failure + image: alpine:3.20 + commands: + - 'echo "ECHEC pipeline #$CI_BUILD_NUMBER sur $CI_COMMIT_BRANCH ($CI_COMMIT_SHA)"' + when: + - status: failure diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..e8ce121 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,11 @@ +FROM node:20-alpine AS builder +WORKDIR /app +COPY package*.json ./ +RUN npm ci +COPY . . +RUN VITE_USE_LIVE_API=true npm run build + +FROM nginx:alpine +COPY --from=builder /app/dist /usr/share/nginx/html +COPY nginx.conf /etc/nginx/conf.d/default.conf +EXPOSE 80 diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..5e6c81e --- /dev/null +++ b/docker-compose.yml @@ -0,0 +1,18 @@ +name: ${COMPOSE_PROJECT_NAME:-syoul-g1flux-main} + +services: + app: + image: g1flux:latest + container_name: ${COMPOSE_PROJECT_NAME:-syoul-g1flux-main}-app + restart: always + labels: + - SERVICE_80_NAME=${COMPOSE_PROJECT_NAME:-syoul-g1flux-main}-app-80 + - SERVICE_80_TAGS=urlprefix-${APP_DOMAIN}/* + - SERVICE_80_CHECK_TCP=true + - LETSENCRYPT_HOST=${APP_DOMAIN} + networks: + - sonic + +networks: + sonic: + external: true diff --git a/nginx.conf b/nginx.conf new file mode 100644 index 0000000..2d7335c --- /dev/null +++ b/nginx.conf @@ -0,0 +1,12 @@ +server { + listen 80; + root /usr/share/nginx/html; + index index.html; + + location / { + try_files $uri $uri/ /index.html; + } + + gzip on; + gzip_types text/css application/javascript application/json image/svg+xml; +}