chore: align deploy workflow with inventory canonical
Brings nanodrop into parity with ~/inventory/.github/workflows/deploy.yml,
the cross-project canonical:
- Rename .github/workflows/deploy-homelab.yml -> deploy.yml
- Update workflow name to "Deploy to birb co. production"
- Add validate-secrets gate (SSH_PRIVATE_KEY, JWT_SECRET) using
${VAR:?msg} no-op expansion (does not echo secret values)
- Switch deploy heredoc from << 'EOF' (quoted) to << EOF (unquoted)
to match canonical; functional no-op since the body contains no
bash $VAR refs, only GitHub Actions ${{ ... }} interpolations
- Single-quote the right-hand side of interpolated export values to
prevent shell-metacharacter re-interpretation server-side
- Reorder exports: secret first, then hardcoded literals, then vars
- Rename docker-compose.yml -> compose.yaml (pure rename) and update
the workflow's compose invocations to reference compose.yaml
- Update one README example to match the new compose filename
The env-var block remains nanodrop-specific (JWT_SECRET +
TRUST_PROXY/COOKIE_SECURE literals + PORT/BASE_URL/MAX_FILE_SIZE);
that delta is allowed by the bug spec.
No app-code changes. Build and tests green.
Manual deploy verification (push to main / "Run workflow" -> hit the
deployed instance, log in, upload a test file, confirm share link)
is the user's job post-merge.
This commit is contained in:
@@ -144,7 +144,7 @@ bantime = 600
|
||||
Adjust `logpath` to wherever your `LOG_FILE` is. With Docker, the log file lives inside the `nanodrop-data` volume — mount it to a host path or bind-mount a host directory instead of the named volume to make it accessible to fail2ban:
|
||||
|
||||
```yaml
|
||||
# docker-compose.yml override
|
||||
# compose.yaml override
|
||||
volumes:
|
||||
- /var/lib/nanodrop:/app/data
|
||||
```
|
||||
|
||||
Reference in New Issue
Block a user