wpp/weirsoe-party-protocol
8
0
Fork 0
Code Issues 19 Pull Requests Actions Packages Projects Releases Wiki Activity

devops: harden staging runbooks and db setup docs (refs #20 #21 #23)
All checks were successful
CI / test-and-quality (push) Successful in 1m19s
Details
CI / test-and-quality (pull_request) Successful in 1m19s
Details

Browse Source
This commit is contained in:
Asger Geel Weirsøe
2026-02-27 20:16:23 +01:00
parent 6f8061644d
commit 08c22be3e9
4 changed files with 127 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
docs/RELEASE_POLICY.md
View File

@@ -1,4 +1,28 @@
Release policy issue 23 # Release policy (Issue #23)
- Tag only after successful deploy
- Changelog reference required ## Formål
- No deploy while tester active Sikre at release-tags altid repræsenterer faktisk deployet software.
## Hård regel
- **Ingen release-tag før staging deploy er succesfuld.**
- **Ingen release-tag uden changelog-reference.**
- **Ingen deploy hvis tester er i gang med smoke-run.**
## Release-flow
1. Bekræft architect-gate (`issue #17`) er release-approved.
2. Bekræft tester ikke er aktiv.
3. Deploy kandidat til staging (`infra/staging/deploy_staging.sh`).
4. Verificér `/healthz` + smoke-resultat.
5. Tilføj changelog-entry i `CHANGELOG.md`.
6. Opret release-tag i Gitea (annotated), og referér changelog-sektion i release-notes.
## Minimum release-notes template
```markdown
## Changelog
- Ref: CHANGELOG.md#<sektion>
## Deploy
- Environment: staging
- Status: success
- Healthz: ok
```

32
infra/staging/DB_SETUP.md Normal file
View File

@@ -0,0 +1,32 @@
# DB setup runbook (Issue #21)
> Credentials ligger i Secrets-repo, ikke i applikationsrepo.
## Databaser
- `wpp_test`
- `wpp_prod`
## Brugere
- `wpp_test_user` (least privilege på `wpp_test`)
- `wpp_prod_user` (least privilege på `wpp_prod`)
## Secrets placering
I Secrets-repo:
- `wpp/wpp_test.env`
- `wpp/wpp_prod.env`
Forventede felter:
- `DB_HOST`
- `DB_PORT`
- `DB_NAME`
- `DB_USER`
- `DB_PASSWORD`
## Verifikation (eksempel)
Kør fra staging-CT eller anden tilladt klient:
```bash
mysql -h <DB_HOST> -u <DB_USER> -p<DB_PASSWORD> -e "SELECT 1" <DB_NAME>
```
Alle forbindelser skal returnere `1`.

45
infra/staging/README.md
View File

@@ -1,4 +1,41 @@
Staging runbook issue 20 # Staging runbook (Issue #20)
CT 143 wpp-staging
Service: wpp-staging.service ## Mål
Health: /healthz Staging-miljø for WPP i Proxmox LXC, så release-klar kode kan deployes og smoke-testes sikkert.
## Miljø
- LXC: `CT 143` (`wpp-staging`)
- App path: `/opt/wpp-staging/app`
- Service: `wpp-staging.service`
- Health endpoint: `GET /healthz`
## Verifikation
Kør fra devops-shell med Proxmox-adgang:
```bash
ssh proxmox-lan "sudo -n pct status 143"
ssh proxmox-lan "sudo -n pct exec 143 -- systemctl is-active wpp-staging.service"
ssh proxmox-lan "sudo -n pct exec 143 -- curl -fsS http://127.0.0.1:8000/healthz"
```
Forventet:
- CT er `running`
- service er `active`
- healthz returnerer JSON med `ok: true`
## Deploy
Script: `infra/staging/deploy_staging.sh`
```bash
# deploy main
./infra/staging/deploy_staging.sh
# deploy bestemt tag/branch
./infra/staging/deploy_staging.sh v0.3.0
```
## Policy-kobling
Før deploy:
1. Bekræft at tester **ikke** er aktiv (ingen aktiv smoke-run).
2. Deploy til staging skal lykkes.
3. Først derefter må release-tag oprettes (se `docs/RELEASE_POLICY.md`).

30
infra/staging/deploy_staging.sh
View File

@@ -1,6 +1,28 @@
#!/usr/bin/env bash #!/usr/bin/env bash
set -euo pipefail set -euo pipefail
CT_ID="143"
ARCHIVE_URL="https://gitea.weircon.dk/wpp/weirsoe-party-protocol/archive/main.tar.gz" CT_ID="${CT_ID:-143}"
sudo -n pct exec "" -- bash -lc "set -euo pipefail; mkdir -p /opt/wpp-staging/releases/src; cd /opt/wpp-staging/releases; curl -fsSL -o main.tar.gz ; rm -rf src && mkdir src; tar -xzf main.tar.gz -C src --strip-components=1; rm -rf /opt/wpp-staging/app/*; cp -a src/. /opt/wpp-staging/app/; cd /opt/wpp-staging/app; runuser -u wpp -- python3 -m venv .venv; runuser -u wpp -- .venv/bin/pip install -U pip >/dev/null; runuser -u wpp -- .venv/bin/pip install -r requirements.txt >/dev/null; runuser -u wpp -- .venv/bin/python manage.py migrate --noinput; systemctl restart wpp-staging.service; curl -fsS http://127.0.0.1:8000/healthz" REF_NAME="${1:-main}"
echo "OK: staging deploy complete for CT ." ARCHIVE_URL="https://gitea.weircon.dk/wpp/weirsoe-party-protocol/archive/${REF_NAME}.tar.gz"
echo "[deploy] CT_ID=${CT_ID} REF=${REF_NAME}"
echo "[deploy] extracting source + installing deps + migrate + restart"
sudo -n pct exec "${CT_ID}" -- bash -lc "set -euo pipefail
mkdir -p /opt/wpp-staging/releases/src
cd /opt/wpp-staging/releases
curl -fsSL -o app.tar.gz
rm -rf src && mkdir src
tar -xzf app.tar.gz -C src --strip-components=1
rm -rf /opt/wpp-staging/app/*
cp -a src/. /opt/wpp-staging/app/
cd /opt/wpp-staging/app
runuser -u wpp -- python3 -m venv .venv
runuser -u wpp -- .venv/bin/pip install -U pip >/dev/null
runuser -u wpp -- .venv/bin/pip install -r requirements.txt >/dev/null
runuser -u wpp -- .venv/bin/python manage.py migrate --noinput
systemctl restart wpp-staging.service
curl -fsS http://127.0.0.1:8000/healthz
"
echo "[deploy] OK: staging deploy complete for CT ${CT_ID} (${REF_NAME})"