Production Deployment
Hetzner & Cloudflare
This project is optimized for running on Hetzner (Compute) and Cloudflare (DNS, SSL, etc.) so you will need to prepare those accounts and API tokens.
Cloudflare API token documentation
Hetzner API token documentation
After you have obtained the tokens, add the following GitHub repository secrets:
- CLOUDFLARE_API_TOKEN
- HETZNER_TOKEN
SSH Keys
You will need to configure the following GitHub repository secrets:
HETZNER_B64_SSH_PUB_KEY
This is your base64 encoded public SSH key from your computer so you can access the server via SSH after it is running. You can use your existing public key (~/.ssh/id_rsa.pub) or you can see how to create SSH key pairs here:
To encode it with base64 you can use this command:
cat ~/.ssh/id_rsa.pub | base64
CI_HETZNER_SERVER_B64_SSH_KEY
Base64 encoded private SSH key. Required so the GitHub action runner can access the Hetzner server.
CI_HETZNER_SERVER_B64_SSH_KEY_PUB
Base64 encoded public SSH key. Required so the GitHub action can access the server.
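A pre-flight check for the two public-key secrets above, as an added example that is not part of this project: it decodes the base64 value, tolerates the line wrapping that `base64` adds on some systems, and rejects a private key pasted into a public-key slot. The function names `check_b64_public_key` and `make_sample_secret` are hypothetical, and the sample key is constructed (all-zero key body, not a real key).

```python
import base64
import binascii
import struct


def _read_string(buf, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[offset + 4:end], end


def check_b64_public_key(secret_value):
    """Return the key type if secret_value is a base64-encoded OpenSSH public key line."""
    try:
        # Strip whitespace first: wrapped base64 output contains newlines.
        decoded = base64.b64decode("".join(secret_value.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError("secret is not valid base64") from exc
    if decoded.lstrip().startswith(b"-----BEGIN"):
        raise ValueError("private key found where a public key is expected")
    fields = decoded.decode("ascii", "replace").split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob_b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("key blob is not valid base64") from exc
    # The blob repeats the algorithm name; it must match the declared type.
    inner_type, _ = _read_string(blob, 0)
    if inner_type.decode("ascii", "replace") != key_type:
        raise ValueError("declared key type does not match key blob")
    return key_type


def make_sample_secret():
    """Constructed sample: ed25519-shaped public key line with an all-zero key body."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
    line = b"ssh-ed25519 " + base64.b64encode(blob) + b" ci@example\n"
    return base64.b64encode(line).decode("ascii")


if __name__ == "__main__":
    print(check_b64_public_key(make_sample_secret()))
```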
GitHub
GH_HETZNER_TOKEN
We need to create a fine-grained GitHub token and create the GitHub repository secret so the server can clone your repository.
How to create fine-grained GitHub tokens
Google
For the "Login with Google" feature you will need to prepare the Google project ID and API token.
- Sign in to your Google Cloud account
- Create or pick an existing project
- Search / Open "APIs and Services"
- Navigate to "Credentials" from the left sidebar navigation
- Under "Create Credentials", choose the option "OAuth client ID"
- Pick "Web Application" as the type
- Configure "Authorized JavaScript origins" with https://your-domain.com
- Configure "Authorized redirect URIs" with https://your-domain.com/app/auth/oauth/google
After you have obtained the tokens, add the following GitHub repository secrets:
- ENV_GOOGLE_CLIENT_ID
- ENV_GOOGLE_SECRET
Stripe
To accept payments you will need a Stripe secret and a webhook secret from a production Stripe account.
Read the Stripe docs to find out how to obtain the secrets
After you have obtained the tokens, add the following GitHub repository secrets:
- ENV_STRIPE_SECRET_KEY
- ENV_STRIPE_WEBHOOK_SECRET
- ENV_STRIPE_PK
- ENV_STRIPE_DEFAULT_CURRENCY (e.g. "usd")
You will also need to create a webhook destination.
The destination will need to be your domain and the path below:
https://your-domain.com/api/v1/payments/stripe/webhook
Find out how to create a Stripe webhook destination here
Infrastructure
You will have to configure the infrastructure in the infrastructure.yaml file.
Other Variables
Here are the rest of the GitHub repository secrets you will need to configure:
ENV_SUPER_USER_EMAIL
The email used to log in as super admin
ENV_SUPER_USER_PASS
The super admin password
ENV_ALTCHA_HMAC_KEY
You can create this key using this command:
openssl rand -base64 32
ENV_AUTH_SECRET
This secret is used to mint the JWT refresh and access tokens. It is used across all API services to verify users' identities. If you change it, all logged-in users will be logged out.
ENV_CORS_ALLOWED_ORIGINS
Value should be something like this
your-domain.com;www.your-domain.com
ENV_FRONTEND_URL
The value here should be your domain plus the path "/app"
https://www.your-domain.com/app
ENV_SMTP_HOST
ENV_SMTP_PASS
ENV_SMTP_PORT
ENV_SMTP_USER
These are the SMTP settings used for transactional emails like email verification, password resets, and similar. You might use a service like Mailgun.com
Domain Nameservers
After you have set everything up and run your first successful deployment, you should have a zone for your domain in Cloudflare.
You will have to log in to your Cloudflare account, navigate to your domain zone, copy the nameservers, and configure them at your domain provider.
Deployment Pipeline
The deployment pipeline runs on GitHub Actions. It runs only on the main and/or master branch. It performs the following tasks automatically:
- Creates a server on Hetzner
- Clones your repository on the server
- Runs docker compose with the build option
- Creates a Cloudflare zone with A records pointing to your server IP
- Configures LetsEncrypt on the server