fix(deploy): target com.uvlava.ct.services + DO managed-PG CA cert

SERVER_HOST default → 138.197.120.105 (old lime IP released). Ship DO CA cert
+ NODE_EXTRA_CA_CERTS in the unit (managed PG = self-signed chain → node
SELF_SIGNED_CERT_IN_CHAIN). Box must be a DB trusted-source.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Natalie 2026-06-30 02:44:18 -04:00
parent 9f804285fa
commit c56f2dfcf6


@ -25,7 +25,9 @@ set -euo pipefail
# ./deploy-server.sh --skip-build # ship the current dist/ as-is # ./deploy-server.sh --skip-build # ship the current dist/ as-is
# SERVER_HOST=10.9.0.5 ./deploy-server.sh # over the wg mesh # SERVER_HOST=10.9.0.5 ./deploy-server.sh # over the wg mesh
SERVER_HOST="${SERVER_HOST:-209.38.51.98}" # lime reserved IP; 10.9.0.5 = mesh SERVER_HOST="${SERVER_HOST:-138.197.120.105}" # com.uvlava.ct.services; 10.9.0.5 = mesh
# NOTE: the box must be a TRUSTED SOURCE on the lilith-store-pg managed cluster
# (DO console / databases firewall) or migrations + the app's DB connect time out.
REMOTE_DIR="/opt/prospector" REMOTE_DIR="/opt/prospector"
SERVICE_NAME="prospector" SERVICE_NAME="prospector"
PORT="3210" PORT="3210"
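Review bot: the new NOTE states a precondition the script cannot verify, so when the droplet is not on the cluster's trusted-sources list the only symptom is a hang in migrations or in the app's first DB connect, as the comment itself says. A short preflight (for example `pg_isready -h <cluster host> -p <port> -t 5` run on the droplet via `$SSH`, or a `psql` connect with `connect_timeout=5`) before `say "Installing systemd unit ..."` would turn that into an immediate, labelled failure. The comment also names the cluster only as "lilith-store-pg" while the later CA-fetch step hard-codes its UUID inline; defining the cluster ID as a variable next to `SERVER_HOST` (alongside the `10.9.0.5 = mesh` comment) would keep the two in one place.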
@ -95,6 +97,14 @@ MRNUMBER_SERVICE_TOKEN=\$(gen 24)
EOF EOF
chmod 600 $REMOTE_DIR/.env" chmod 600 $REMOTE_DIR/.env"
say "Ensuring DO managed-PG CA cert on the droplet (NODE_EXTRA_CA_CERTS)"
$SSH "$R" "test -f $REMOTE_DIR/do-ca.crt" 2>/dev/null || {
_CID=ef22022e-de47-4a4d-8303-0166dbf891d6
curl -s -H "Authorization: Bearer $(cat "$HOME/.vault/do-pat-ct.token")" "https://api.digitalocean.com/v2/databases/$_CID/ca" \
| python3 -c 'import sys,json,base64;sys.stdout.write(base64.b64decode(json.load(sys.stdin)["ca"]["certificate"]).decode())' > /tmp/_do-ca.crt
rsync -az -e "$RSH" /tmp/_do-ca.crt "$R:$REMOTE_DIR/do-ca.crt" && rm -f /tmp/_do-ca.crt
}
say "Installing systemd unit $SERVICE_NAME (reads its own .env; no EnvironmentFile)" say "Installing systemd unit $SERVICE_NAME (reads its own .env; no EnvironmentFile)"
$SSH "$R" "cat > /etc/systemd/system/$SERVICE_NAME.service <<EOF $SSH "$R" "cat > /etc/systemd/system/$SERVICE_NAME.service <<EOF
[Unit] [Unit]
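Review bot: `curl -s` has no `-f`/`--fail`, so a 401 (expired PAT) or 404 (wrong `_CID`) returns a JSON error body that the python one-liner then fails on at `["ca"]` with a traceback, and under `set -e` the script aborts leaving an empty `/tmp/_do-ca.crt` behind; use `curl -fsS` and check the decoded output with `grep -q 'BEGIN CERTIFICATE'` before the `rsync`. The `$(cat "$HOME/.vault/do-pat-ct.token")` substitution also places the PAT on the curl command line, where it is visible in `ps` to other local users for the duration of the request; reading the header from a file (`-H @file` or `--config`) avoids that. Two smaller points: the `test -f ... 2>/dev/null ||` guard also fires when the ssh itself fails, not only when the file is absent, and once `do-ca.crt` exists it is never refreshed, so a rotated DO CA would go unnoticed until the connect breaks again. Finally, the hard-coded `_CID=ef22022e-...` belongs with the other deployment constants at the top of the script rather than inline in this step.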
@ -105,6 +115,7 @@ Wants=network-online.target
[Service] [Service]
Type=simple Type=simple
WorkingDirectory=$REMOTE_DIR WorkingDirectory=$REMOTE_DIR
Environment=NODE_EXTRA_CA_CERTS=$REMOTE_DIR/do-ca.crt
ExecStart=/usr/bin/node $REMOTE_DIR/dist/main.js ExecStart=/usr/bin/node $REMOTE_DIR/dist/main.js
Restart=always Restart=always
RestartSec=5 RestartSec=5
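Review bot: `Environment=NODE_EXTRA_CA_CERTS=$REMOTE_DIR/do-ca.crt` makes the unit depend on a file that the earlier step may have skipped or that disappears on a rebuilt droplet, and Node only warns when the path is unreadable and starts without the extra CA, so the service would come up and then fail on DB connect with the same SELF_SIGNED_CERT_IN_CHAIN; add `AssertPathExists=$REMOTE_DIR/do-ca.crt` to the `[Unit]` section so the failure is explicit in `systemctl status`. Also worth noting in the unit or the script comment that `NODE_EXTRA_CA_CERTS` extends trust for every outbound TLS connection the process makes, not just the PG one; passing the CA to the pg client's `ssl.ca` option would scope it to the database. Either way this is the right fix compared with disabling certificate verification.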