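#!/usr/bin/env bash
#
# deploy.sh — build custard for linux/amd64 and deploy it behind Caddy + systemd.
# Reads deploy/deploy.env (copy from deploy.env.example). Idempotent; re-run to
# update. Generates the Caddyfile + systemd unit from your settings — nothing to
# hand-edit on the server.
#
# Security notes:
#   * deploy/deploy.env is sourced as shell code and may hold WEBHOOK_SECRET, so
#     keep it readable and writable by the operator only (e.g. chmod 600).
#   * Values from it (DOMAIN, SOFT_SERVE_BACKEND, ...) are pasted into the
#     generated config without validation; treat the file as trusted input.
#   * The remote commands write under /etc and /usr/local/bin and call apt-get,
#     so REMOTE is presumably a root login — confirm for your setup.
#   * The build output, the generated config and the secret are staged in
#     private mktemp directories (local and remote), not under fixed /tmp names.
#
set -euo pipefail

cd "$(dirname "$0")/.."

ENV_FILE="deploy/deploy.env"
if [ ! -f "$ENV_FILE" ]; then
  echo "missing $ENV_FILE — copy deploy/deploy.env.example to it and fill in your values" >&2
  exit 1
fi

# Export everything the env file defines so child processes see it too.
set -a; . "$ENV_FILE"; set +a

: "${REMOTE:?set REMOTE in deploy.env}"
: "${DOMAIN:?set DOMAIN in deploy.env}"
: "${RUN_USER:?set RUN_USER in deploy.env}"
: "${REPOS_PATH:?set REPOS_PATH in deploy.env}"

# Optional settings. REPOS_PATH, SOFT_SERVE_DB and TAP_REPO are not referenced
# by the code visible here; presumably the unit template consumes them.
SOFT_SERVE_DB="${SOFT_SERVE_DB:-}"
SOFT_SERVE_BACKEND="${SOFT_SERVE_BACKEND:-}"
WEBHOOK_SECRET="${WEBHOOK_SECRET:-}"
TAP_REPO="${TAP_REPO:-homebrew-tap}"
readonly DL_PATH="/var/lib/custard/dl"

# Private local staging directory (mode 0700), removed on every exit path.
# Fixed names such as /tmp/custard.env could be pre-created or read by other
# local users, and would leave the webhook secret on disk after the run.
stage=$(mktemp -d)
rstage=""
cleanup() {
  rm -rf -- "$stage"
  # Best effort: drop the remote staging directory if the remote script did
  # not get far enough to remove it itself.
  if [ -n "$rstage" ]; then
    ssh "$REMOTE" "rm -rf -- $rstage" >/dev/null 2>&1 || true
  fi
}
trap cleanup EXIT

echo "==> building static linux/amd64 binary"
if command -v templ >/dev/null 2>&1; then
  templ generate
fi
GOOS=linux GOARCH=amd64 CGO_ENABLED=0 \
  go build -trimpath -ldflags="-s -w" -o "$stage/custard-linux" ./cmd/custard

echo "==> rendering Caddyfile + unit for $DOMAIN"
# Optional /git/* reverse proxy block. The line breaks are restored here (the
# Caddyfile syntax needs them); the exact original indentation is not known.
gitblock=""
if [ -n "$SOFT_SERVE_BACKEND" ]; then
  gitblock="
	handle_path /git/* {
		reverse_proxy $SOFT_SERVE_BACKEND
	}
"
fi

# NOTE(review): in this copy of the script the bodies of the two here-documents
# below (the Caddyfile and the systemd unit) are missing; only the redirect
# targets survived. They are marked as gaps rather than reconstructed, and the
# guard that follows refuses to deploy until the real templates are restored.
# The Caddyfile template presumably expanded $gitblock and $DOMAIN.
cat >"$stage/custard.Caddyfile" <<CADDYFILE_EOF
# [TEMPLATE BODY MISSING from this copy of deploy.sh: Caddyfile]
CADDYFILE_EOF

cat >"$stage/custard.service" <<UNIT_EOF
# [TEMPLATE BODY MISSING from this copy of deploy.sh: systemd unit]
UNIT_EOF

if grep -q 'TEMPLATE BODY MISSING' "$stage/custard.Caddyfile" "$stage/custard.service"; then
  echo "Caddyfile/unit templates are missing from this copy of deploy.sh; restore them first" >&2
  exit 1
fi

# Webhook secret → root-only env file (not process args). Empty file if unset.
# Written under umask 077 so the file is 0600 from the moment it exists;
# printf is a shell builtin, so the secret never shows up in a process list.
(
  umask 077
  if [ -n "$WEBHOOK_SECRET" ]; then
    printf 'WEBHOOK_SECRET=%s\n' "$WEBHOOK_SECRET" >"$stage/custard.env"
  else
    : >"$stage/custard.env"
  fi
)

echo "==> uploading to $REMOTE"
# Private staging directory on the server. The returned path is checked against
# the template before it is used in any later remote command.
rstage=$(ssh "$REMOTE" 'mktemp -d /tmp/custard-deploy.XXXXXXXX')
rstage_re='^/tmp/custard-deploy\.[A-Za-z0-9]+$'
if [[ ! "$rstage" =~ $rstage_re ]]; then
  echo "unexpected staging path from $REMOTE: $rstage" >&2
  rstage=""
  exit 1
fi

scp -q "$stage/custard-linux" "$REMOTE:/usr/local/bin/custard.new"
scp -q "$stage/custard.service" "$REMOTE:/etc/systemd/system/custard.service"
scp -q "$stage/custard.Caddyfile" "$stage/custard.env" "$REMOTE:$rstage/"

echo "==> installing on remote"
# Settings are handed over as shell-quoted positional arguments instead of
# being spliced unquoted into the remote command line.
ssh "$REMOTE" "bash -seu -- $(printf '%q ' "$rstage" "$RUN_USER" "$DL_PATH")" <<'REMOTE_EOF'
set -o pipefail
STAGE=$1
RUN_USER=$2
DL_PATH=$3
trap 'rm -rf -- "$STAGE"' EXIT

# Everything runs from a function so bash has parsed the whole script before
# the first command executes; a dropped connection or a child process reading
# stdin cannot leave the install half done on a truncated script.
main() {
  if ! command -v caddy >/dev/null 2>&1; then
    echo "installing caddy..."
    apt-get install -y -q debian-keyring debian-archive-keyring apt-transport-https curl >/dev/null 2>&1
    # The repository signing key is fetched over TLS and trusted on first use.
    # For stronger assurance, compare it with a fingerprint obtained out of band.
    curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' \
      | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
    # Download to staging first so a failed fetch cannot leave a partial
    # sources list behind.
    curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' \
      -o "$STAGE/caddy-stable.list"
    install -m 644 "$STAGE/caddy-stable.list" /etc/apt/sources.list.d/caddy-stable.list
    apt-get update -q >/dev/null 2>&1
    apt-get install -y -q caddy >/dev/null 2>&1
  fi

  # Download dir owned by the run user (custard writes), world-readable (Caddy serves).
  install -d -o "$RUN_USER" -g "$RUN_USER" -m 755 "$DL_PATH"

  # Validate the new Caddyfile before it replaces the live one; a bad config
  # aborts the deploy here and the running configuration stays in place.
  caddy validate --config "$STAGE/custard.Caddyfile" --adapter caddyfile >/dev/null

  install -m 600 "$STAGE/custard.env" /etc/custard.env
  install -d -o caddy -g caddy /etc/caddy
  mv "$STAGE/custard.Caddyfile" /etc/caddy/Caddyfile
  mv /usr/local/bin/custard.new /usr/local/bin/custard
  chmod +x /usr/local/bin/custard

  systemctl daemon-reload
  # Best effort: the restart on the next line reports a real failure.
  systemctl enable --now custard >/dev/null 2>&1 || true
  systemctl restart custard
  systemctl reload caddy || systemctl restart caddy

  sleep 1
  echo " custard: $(systemctl is-active custard) caddy: $(systemctl is-active caddy)"
  curl -s -o /dev/null -w ' local probe -> %{http_code}\n' http://127.0.0.1:8080/ || true
}

main
REMOTE_EOF

# The remote script removed its own staging directory on exit.
rstage=""

echo "==> done → https://${DOMAIN}"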