create deployment files

Author: rishibalakrishnan

.env.prod.sample

@@ -0,0 +1,36 @@
+# Production Environment Configuration
+# This file serves as a template for GitHub Secrets configuration
+#
+# IMPORTANT: Secrets are injected directly into Docker containers via environment
+# variables. No .env files are created on the host system for security.
+
+# Domain Configuration
+DOMAIN=
+
+# Container Registry Configuration
+FRONTEND_IMAGE=
+BACKEND_IMAGE=
+
+# Database Configuration (External PostgreSQL)
+PGUSER=
+PGPASSWORD=
+PGHOST=
+PGDATABASE=
+PGPORT=
+
+# Security Keys (Store as GitHub Secrets)
+ENCRYPTION_KEY
+JWT_SECRET=
+
+# RSKY Configuration
+RSKY_FEEDGEN=
+RSKY_API_KEY=your_rsky_api_key
+
+# Fixed Configuration (automatically set in deployment)
+PORT=
+CLIENT_URL=
+BASE_URL=
+BSKY_BASE_API_URL=https://api.bsky.app
+MUTE_LIST_URI=
+MUTE_LIST_ADMIN_DID=
+RECONCILIATION_INTERVAL_MS=

.github/workflows/ci.yml

@@ -0,0 +1,62 @@
+name: CI - Validate Changes
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run type checking
+        run: npm run type-check
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build Docker image for testing
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          target: prodrunner
+          load: true
+          tags: safe-skies-api:test
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Create test docker-compose override
+        run: |
+          cat > docker-compose.test.yml << EOF
+          services:
+            backend:
+              image: safe-skies-api:test
+          EOF
+
+      - name: Start test environment with built image
+        run: docker compose -f docker-compose.yml -f docker-compose.test.yml up -d
+
+      - name: Run tests using Docker image
+        run: docker compose -f docker-compose.yml -f docker-compose.test.yml exec backend npm run test
+
+      - name: Stop test environment
+        run: docker compose -f docker-compose.yml -f docker-compose.test.yml down
+        if: always()
+
+      - name: Clean up test files
+        run: rm -f docker-compose.test.yml
+        if: always()

.github/workflows/deploy.yml

@@ -0,0 +1,49 @@
+name: Deploy to Production
+
+on:
+  push:
+    branches: [main]
+
+env:
+  IMAGE_NAME: safe-skies-api
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to DigitalOcean Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ secrets.DO_REGISTRY_URL }}
+          username: ${{ vars.DIGITALOCEAN_USERNAME }}
+          password: ${{ secrets.DO_REGISTRY_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ secrets.DO_REGISTRY_URL }}/safe-skies-api
+          tags: |
+            type=sha,prefix={{branch}}-
+            type=raw,value=latest
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          target: prodrunner
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

Caddyfile

@@ -0,0 +1,64 @@
+safeskies.blackskyweb.xyz {
+	# --- Compression (use both; zstd is faster/smaller where supported)
+	encode zstd gzip
+
+	# --- Security headers
+	header {
+		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+		X-Content-Type-Options "nosniff"
+		X-Frame-Options "DENY"
+		Referrer-Policy "strict-origin-when-cross-origin"
+
+		# (Optional / legacy) XSS protection header; modern browsers ignore it
+		X-XSS-Protection "1; mode=block"
+	}
+
+	# --- Common /public files (add more as needed)
+	handle /favicon.ico {
+		root * /srv/frontend/public
+		file_server
+		header Cache-Control "public, max-age=86400"
+	}
+	handle /robots.txt {
+		root * /srv/frontend/public
+		file_server
+		header Cache-Control "public, max-age=86400"
+	}
+	handle /sitemap.xml {
+		root * /srv/frontend/public
+		file_server
+		header Cache-Control "public, max-age=3600"
+	}
+
+	# --- Admin auth (hit backend service directly)
+	handle /admin/auth/* {
+		reverse_proxy backend:4000
+	}
+    
+    # Handle regular OAuth callbacks
+    handle /auth/* {
+        reverse_proxy backend:4000
+    }
+
+	# Serve client metadata from backend
+    handle /oauth/client-metadata.json {
+        reverse_proxy backend:4000
+    }
+
+    # Handle front-end login and callback after original OAuth callback returns
+    handle /oauth/* {
+        reverse_proxy frontend:3000
+    }
+
+	# --- Everything else → Next.js server
+	#     (do NOT SPA-fallback; let Next handle routing)
+	reverse_proxy frontend:3000 {
+		header_up Host {host}
+	}
+
+	# --- Access log
+	log {
+		output file /var/log/caddy/access.log
+		format console
+	}
+}

Dockerfile

@@ -25,10 +25,15 @@ RUN chown -R node:node /usr/src/app
 
 USER node
 COPY --chown=node:node . .
-RUN npm run build
+RUN npm run build && npm run build:knexfile
 
 FROM base AS prodrunner
+COPY docker-entrypoint.sh ./docker-entrypoint.sh
+RUN chmod +x ./docker-entrypoint.sh && sed -i 's/\r$//' ./docker-entrypoint.sh && chown node:node ./docker-entrypoint.sh
 USER node
 COPY --from=prodbuilder --chown=node:node /usr/src/app/node_modules ./node_modules
 COPY --from=prodbuilder --chown=node:node /usr/src/app/dist ./dist
-CMD node dist/src/server.js
+COPY --from=prodbuilder --chown=node:node /usr/src/app/migrations ./migrations
+COPY --from=prodbuilder --chown=node:node /usr/src/app/knexfile.js ./knexfile.js
+COPY --from=prodbuilder --chown=node:node /usr/src/app/package.json ./package.json
+ENTRYPOINT ["./docker-entrypoint.sh"]

docker-compose.prod.yml

@@ -0,0 +1,38 @@
+version: '3.8'
+
+services:
+  frontend:
+    image: ${FRONTEND_IMAGE}
+    restart: unless-stopped
+    depends_on:
+      - backend
+
+  backend:
+    image: ${BACKEND_IMAGE}
+    restart: unless-stopped
+    # Provide the environment variables via .env file
+    env_file:
+      - .env.prod.sample
+    expose:
+      - "4000"
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+  caddy:
+    image: caddy:2-alpine
+    restart: unless-stopped
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./Caddyfile:/etc/caddy/Caddyfile
+      - caddy_data:/data
+    depends_on:
+      - frontend
+      - backend
+
+volumes:
+  caddy_data:

docker-entrypoint.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+echo "Running database migrations..."
+npm run migrate:up
+
+echo "Starting server..."
+exec node dist/src/server.js

package.json

@@ -16,9 +16,10 @@
     "type-check": "tsc --noEmit",
     "format": "biome format . --write",
     "prepare": "husky install",
-    "migrate:create": "knex migrate:make",
-    "migrate:up": "knex migrate:latest",
-    "migrate:down": "knex migrate:down"
+    "migrate:create": "ts-node node_modules/.bin/knex migrate:make",
+    "migrate:up": "ts-node node_modules/.bin/knex migrate:latest",
+    "migrate:down": "ts-node node_modules/.bin/knex migrate:down",
+    "build:knexfile": "tsc knexfile.ts --outDir . --esModuleInterop --module commonjs --target ES2020 --skipLibCheck"
   },
   "keywords": [],
   "author": "",