docs(deploy): Dockerfile + compose template + deploy guide #33
Merged
Generic deploy infrastructure for shipping a private rota instance from this public repo. No operator data anywhere; all secrets + config + per-cert private keys live only on the deploy host.

* Dockerfile: multi-stage rust:1.90-slim-bookworm build into gcr.io/distroless/cc-debian12 runtime. Ships both `rotad` and `rota` binaries. Distroless cc gives glibc + ca-certs without a shell; runs as root so file-mode 0600 mounts (config + per-cert keys) are readable without UID-mapping gymnastics. Builds with --locked against the pinned Cargo.lock for reproducible images.
* deploy/compose.yml: bind-mount template that points at a host workdir with rota.yaml, secrets/, keys/, data/, run/. Image is pulled from ghcr.io/oneiriq/rota; operator never builds locally unless they want to. ROTA_DASHBOARD_PORT defaults to 127.0.0.1 so the dashboard is reverse-proxy-friendly out of the box.
* deploy/README.md: walkthrough covering the public/private split, workdir layout (Synology DSM /volume1/docker/rota/ convention), build options (on-host vs docker save/load), minimal rota.yaml reference, bring-it-up commands, CLI access via docker exec, upgrade flow, federation pointer.
* .dockerignore: filter book/, docs/, *.md, .github/, AppleDouble noise, target/. Keeps the build context lean.
Generic deploy infrastructure so operators can stand up private rota instances from this public repo without any secrets entering the source tree.

* Dockerfile — multi-stage `rust:1.90-slim-bookworm` build into `gcr.io/distroless/cc-debian12` runtime. Ships both `rotad` and `rota` binaries. Builds with `--locked` against the pinned Cargo.lock for reproducibility. Runs as root so file-mode 0600 mounts (config + per-cert keys) are readable without UID-mapping gymnastics.
* deploy/compose.yml — operator-private template. Bind-mounts a workdir layout (`rota.yaml`, `secrets/`, `keys/`, `data/`, `run/`) into the container. Image is pulled from `ghcr.io/oneiriq/rota:latest`. Dashboard binds 127.0.0.1 by default so it's reverse-proxy-friendly.
* deploy/README.md — walkthrough covering the public/private split, the Synology `/volume1/docker/rota/` workdir convention, build options (on-host build vs `docker save | ssh host docker load`), minimal `rota.yaml`, CLI access via `docker exec`, upgrades, federation pointer.
* .dockerignore — filter `book/`, `docs/`, `*.md`, `.github/`, AppleDouble noise, `target/`. Lean build context.

Verified

* `cargo build --release --bin rotad --bin rota --locked` clean (5m 45s on Mac)
* `cargo fmt --all --check` clean

Not verified (deferred to first deploy)

`.github/workflows/release.yml` that builds + pushes on tag.
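
A pre-deploy check for the workdir layout described in this PR, added here as an example and not part of the PR or the rota repository: it reports any file under `rota.yaml`, `secrets/` or `keys/` that carries group or other permission bits, since the root-run container reads those mounts regardless of how loose the host-side modes are. The function names and the `MISSING`/`LOOSE` output format are assumptions.

```shell
#!/bin/sh
# Added example (not from the rota repo): audit a deploy workdir before
# `docker compose up`. Paths rota.yaml, secrets/ and keys/ follow the PR
# description; function names and output format are assumptions.

# List regular files under the given paths that grant any permission bit
# to group or other (i.e. anything looser than 0700/0600).
loose_files() {
    find "$@" -type f \( \
        -perm -040 -o -perm -020 -o -perm -010 -o \
        -perm -004 -o -perm -002 -o -perm -001 \) -print 2>/dev/null
}

# Return 0 when the workdir has the expected entries and no loose files,
# 1 otherwise. Findings go to stdout, one per line.
audit_workdir() {
    workdir=$1
    status=0

    [ -f "$workdir/rota.yaml" ] || { echo "MISSING $workdir/rota.yaml"; status=1; }
    for d in secrets keys; do
        [ -d "$workdir/$d" ] || { echo "MISSING $workdir/$d/"; status=1; }
    done

    # `|| true`: find exits non-zero when a path is missing; that case is
    # already reported above and must not abort callers using `set -e`.
    bad=$(loose_files "$workdir/rota.yaml" "$workdir/secrets" "$workdir/keys" || true)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/LOOSE /'
        status=1
    fi
    return "$status"
}
```

Source the file and run `audit_workdir /volume1/docker/rota` on the deploy host; tighten anything reported as `LOOSE` with `chmod 600` before starting the container.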