Add CI/CD again

ljfp · ljfp · commit 30a3f46836d9 · 2025-10-04T18:08:08.000+02:00
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -0,0 +1,55 @@
+name: Deploy to EC2
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Export deployment settings
+        run: |
+          echo "EC2_HOST=${{ secrets.EC2_HOST }}" >> "$GITHUB_ENV"
+          echo "EC2_USER=${{ secrets.EC2_USER }}" >> "$GITHUB_ENV"
+          if [ -n "${{ vars.DEPLOY_PORT }}" ]; then
+            echo "PORT=${{ vars.DEPLOY_PORT }}" >> "$GITHUB_ENV"
+          else
+            echo "PORT=80" >> "$GITHUB_ENV"
+          fi
+
+      - name: Set up SSH key
+        uses: webfactory/ssh-agent@v0.8.0
+        with:
+          ssh-private-key: ${{ secrets.EC2_SSH_KEY }}
+
+      - name: Add EC2 host to known_hosts
+        run: |
+          mkdir -p ~/.ssh
+          ssh-keyscan -H "$EC2_HOST" >> ~/.ssh/known_hosts
+
+      - name: Sync project to EC2
+        run: |
+          rsync -az --delete \
+            --exclude '.git' \
+            --exclude '.github' \
+            --exclude '.venv' \
+            --exclude '__pycache__' \
+            --exclude '*.pyc' \
+            --exclude '.ruff_cache' \
+            ./ "$EC2_USER@$EC2_HOST:/home/$EC2_USER/nasa-sky-app"
+
+      - name: Execute remote deployment
+        run: |
+          ssh "$EC2_USER@$EC2_HOST" '
+            set -euo pipefail
+            cd ~/nasa-sky-app
+            chmod +x deploy/deploy.sh
+            APP_ROOT=/opt/nasa-sky-app SERVICE_NAME=nasa-sky-app PORT=$PORT ./deploy/deploy.sh
+          '
diff --git a/README.md b/README.md
@@ -40,6 +40,35 @@ NASASpaceAppsChallenge2025/
 │   └── server.py         # FastAPI application serving the HTML page
 └── web/
     └── index.html        # Static HTML served at the root route
+└── deploy/
+   └── deploy.sh         # Helper script to install and run the service via systemd
 ```
 
 Feel free to build on this foundation for richer APIs or interfaces.
+
+## Deployment script
+
+The `deploy/deploy.sh` script provisions the application on a Linux host using `systemd`. It:
+
+- Syncs the repository into `/opt/nasa-sky-app/app` (configurable with `APP_ROOT`).
+- Creates a virtual environment and installs dependencies.
+- Generates a `systemd` unit that runs Uvicorn on port `80` by default.
+- Enables and restarts the service.
+
+Run it directly on the target server after cloning or syncing the repository:
+
+```bash
+chmod +x deploy/deploy.sh
+APP_ROOT=/opt/nasa-sky-app SERVICE_NAME=nasa-sky-app ./deploy/deploy.sh
+```
+
+Override `SERVICE_USER`, `SERVICE_GROUP`, `PORT`, or `PYTHON_BIN` to fit your environment. When the
+port is below `1024` (the default `80`), the generated unit grants
+`CAP_NET_BIND_SERVICE` so the application can bind to the port without running as root.
+
+### GitHub Actions deployment
+
+A workflow at `.github/workflows/deploy.yml` uses the repository secrets `EC2_HOST`, `EC2_USER`,
+and `EC2_SSH_KEY` to sync the codebase to an Ubuntu 24.04 EC2 instance and execute the deployment
+script remotely. It runs on every push to `main` (and can be triggered manually). Optional
+repository variable `DEPLOY_PORT` lets you override the port without editing the workflow.
diff --git a/deploy/deploy.sh b/deploy/deploy.sh
@@ -0,0 +1,102 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+APP_ROOT=${APP_ROOT:-/opt/nasa-sky-app}
+APP_DIR="${APP_ROOT}/app"
+VENV_DIR="${APP_ROOT}/venv"
+SERVICE_NAME=${SERVICE_NAME:-nasa-sky-app}
+PORT=${PORT:-80}
+PYTHON_BIN=${PYTHON_BIN:-python3}
+SUDO_BIN=${SUDO_BIN:-sudo}
+export DEBIAN_FRONTEND=${DEBIAN_FRONTEND:-noninteractive}
+
+SERVICE_USER=${SERVICE_USER:-$(whoami)}
+SERVICE_GROUP=${SERVICE_GROUP:-$(id -gn)}
+
+if [ "${PORT}" -lt 1024 ]; then
+  echo "Deploying service on privileged port ${PORT}."
+fi
+
+SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+REPO_ROOT=$(cd "${SCRIPT_DIR}/.." && pwd)
+
+if command -v apt-get >/dev/null 2>&1; then
+  if ! command -v rsync >/dev/null 2>&1; then
+    echo "Installing rsync via apt-get"
+    ${SUDO_BIN} apt-get update -y
+    ${SUDO_BIN} apt-get install -y rsync
+  fi
+
+  if ! command -v "${PYTHON_BIN}" >/dev/null 2>&1; then
+    echo "Installing Python via apt-get"
+    ${SUDO_BIN} apt-get update -y
+    ${SUDO_BIN} apt-get install -y python3 python3-venv python3-pip
+  else
+    if ! "${PYTHON_BIN}" -m venv --help >/dev/null 2>&1; then
+      echo "Installing python3-venv via apt-get"
+      ${SUDO_BIN} apt-get update -y
+      ${SUDO_BIN} apt-get install -y python3-venv
+    fi
+    if ! command -v pip3 >/dev/null 2>&1; then
+      echo "Installing python3-pip via apt-get"
+      ${SUDO_BIN} apt-get update -y
+      ${SUDO_BIN} apt-get install -y python3-pip
+    fi
+  fi
+fi
+
+if ! command -v rsync >/dev/null 2>&1; then
+  echo "rsync is required but was not found in PATH" >&2
+  exit 1
+fi
+
+if ! command -v "${PYTHON_BIN}" >/dev/null 2>&1; then
+  echo "Python interpreter '${PYTHON_BIN}' not found" >&2
+  exit 1
+fi
+
+mkdir -p "${APP_DIR}"
+rsync -a --delete \
+  --exclude ".git" \
+  --exclude ".venv" \
+  --exclude "__pycache__" \
+  --exclude "*.pyc" \
+  --exclude ".ruff_cache" \
+  "${REPO_ROOT}/" "${APP_DIR}/"
+
+"${PYTHON_BIN}" -m venv "${VENV_DIR}"
+"${VENV_DIR}/bin/pip" install --upgrade pip
+"${VENV_DIR}/bin/pip" install -r "${APP_DIR}/requirements.txt"
+
+SERVICE_FILE="/etc/systemd/system/${SERVICE_NAME}.service"
+
+CAPABILITY_LINES=""
+if [ "${PORT}" -lt 1024 ]; then
+  CAPABILITY_LINES=$'AmbientCapabilities=CAP_NET_BIND_SERVICE\nCapabilityBoundingSet=CAP_NET_BIND_SERVICE'
+fi
+
+read -r -d '' SERVICE_UNIT <<EOF
+[Unit]
+Description=NASA Sky Explorer FastAPI Service
+After=network.target
+
+[Service]
+User=${SERVICE_USER}
+Group=${SERVICE_GROUP}
+WorkingDirectory=${APP_DIR}
+Environment="PATH=${VENV_DIR}/bin"
+ExecStart=${VENV_DIR}/bin/uvicorn src.server:app --host 0.0.0.0 --port ${PORT}
+Restart=on-failure
+${CAPABILITY_LINES}
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+${SUDO_BIN} tee "${SERVICE_FILE}" >/dev/null <<<"${SERVICE_UNIT}"
+${SUDO_BIN} systemctl daemon-reload
+${SUDO_BIN} systemctl enable --now "${SERVICE_NAME}.service"
+${SUDO_BIN} systemctl restart "${SERVICE_NAME}.service"
+
+${SUDO_BIN} systemctl status "${SERVICE_NAME}.service" --no-pager
