Upgrade to Kamal 2 (#452)

.env.example

@@ -0,0 +1 @@
+KAMAL_REGISTRY_PASSWORD=

.kamal/secrets

@@ -0,0 +1,17 @@
+# Secrets defined here are available for reference under registry/password, env/secret, builder/secrets,
+# and accessories/*/env/secret in config/deploy.yml. All secrets should be pulled from either
+# password manager, ENV, or a file. DO NOT ENTER RAW CREDENTIALS HERE! This file needs to be safe for git.
+
+# Option 1: Read secrets from the environment
+KAMAL_REGISTRY_PASSWORD=$KAMAL_REGISTRY_PASSWORD
+
+# Option 2: Read secrets via a command
+RAILS_MASTER_KEY=$(cat demo/config/master.key)
+
+# Option 3: Read secrets via kamal secrets helpers
+# These will handle logging in and fetching the secrets in as few calls as possible
+# There are adapters for 1Password, LastPass + Bitwarden
+#
+# SECRETS=$(kamal secrets fetch --adapter 1password --account my-account --from MyVault/MyItem KAMAL_REGISTRY_PASSWORD RAILS_MASTER_KEY)
+# KAMAL_REGISTRY_PASSWORD=$(kamal secrets extract KAMAL_REGISTRY_PASSWORD $SECRETS)
+# RAILS_MASTER_KEY=$(kamal secrets extract RAILS_MASTER_KEY $SECRETS)

Gemfile.lock

@@ -86,7 +86,9 @@ GEM
       public_suffix (>= 2.0.2, < 6.0)
     ast (2.4.2)
     base64 (0.2.0)
-    bcrypt_pbkdf (1.1.0)
+    bcrypt_pbkdf (1.1.1)
+    bcrypt_pbkdf (1.1.1-arm64-darwin)
+    bcrypt_pbkdf (1.1.1-x86_64-darwin)
     bigdecimal (3.1.6)
     builder (3.2.4)
     capybara (3.40.0)
@@ -105,7 +107,7 @@ GEM
     css_parser (1.16.0)
       addressable
     date (3.3.4)
-    dotenv (2.8.1)
+    dotenv (3.1.4)
     drb (2.2.1)
     ed25519 (1.3.0)
     erubi (1.12.0)
@@ -125,16 +127,16 @@ GEM
       rdoc
       reline (>= 0.4.2)
     json (2.7.1)
-    kamal (1.3.1)
+    kamal (2.0.0)
       activesupport (>= 7.0)
       base64 (~> 0.2)
       bcrypt_pbkdf (~> 1.0)
       concurrent-ruby (~> 1.2)
-      dotenv (~> 2.8)
+      dotenv (~> 3.1)
       ed25519 (~> 1.2)
       net-ssh (~> 7.0)
-      sshkit (~> 1.21)
-      thor (~> 1.2)
+      sshkit (>= 1.23.0, < 2.0)
+      thor (~> 1.3)
       zeitwerk (~> 2.5)
     language_server-protocol (3.17.0.3)
     lint_roller (1.1.0)
@@ -177,7 +179,7 @@ GEM
       net-ssh (>= 5.0.0, < 8.0.0)
     net-smtp (0.4.0.1)
       net-protocol
-    net-ssh (7.2.1)
+    net-ssh (7.2.3)
     nio4r (2.7.0)
     nokogiri (1.16.2-aarch64-linux)
       racc (~> 1.4)
@@ -187,6 +189,7 @@ GEM
       racc (~> 1.4)
     nokogiri (1.16.2-x86_64-linux)
       racc (~> 1.4)
+    ostruct (0.6.0)
     parallel (1.24.0)
     parser (3.3.0.5)
       ast (~> 2.4.1)
@@ -280,11 +283,12 @@ GEM
     sqlite3 (1.7.2-arm64-darwin)
     sqlite3 (1.7.2-x86_64-darwin)
     sqlite3 (1.7.2-x86_64-linux)
-    sshkit (1.22.0)
-      mutex_m
+    sshkit (1.23.1)
+      base64
       net-scp (>= 1.1.2)
       net-sftp (>= 2.1.2)
       net-ssh (>= 2.8.0)
+      ostruct
     standard (1.34.0)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.0)
@@ -339,9 +343,10 @@ PLATFORMS
 
 DEPENDENCIES
   capybara
+  dotenv
   foreman
   importmap-rails
-  kamal
+  kamal (~> 2.0.0)
   lookbook (~> 2.0)
   minitest (~> 5.0)
   polaris_view_components!

config/deploy.yml

@@ -1,37 +1,19 @@
+<% require "dotenv"; Dotenv.load(".env") %>
+
 service: polaris_view_components
 image: kirillplatonov/polaris_view_components
-
+servers:
+  - 195.201.128.126
+proxy:
+  app_port: 3000
+  ssl: true
+  host: polarisviewcomponents.org
 registry:
   username: kirillplatonov
   password:
     - KAMAL_REGISTRY_PASSWORD
-
+builder:
+  arch: amd64
 env:
   secret:
     - RAILS_MASTER_KEY
-
-servers:
-  web:
-    hosts:
-      - 195.201.128.126
-    labels:
-      traefik.http.routers.polaris_view_components.entrypoints: websecure
-      traefik.http.routers.polaris_view_components.rule: "Host(`polarisviewcomponents.org`) || Host(`www.polarisviewcomponents.org`)"
-      traefik.http.routers.polaris_view_components.tls.certresolver: letsencrypt
-
-traefik:
-  options:
-    publish:
-      - "443:443"
-    volume:
-      - "/letsencrypt/acme.json:/letsencrypt/acme.json"
-  args:
-    entryPoints.web.address: ":80"
-    entryPoints.websecure.address: ":443"
-    entryPoints.web.http.redirections.entryPoint.to: websecure # We want to force https
-    entryPoints.web.http.redirections.entryPoint.scheme: https
-    entryPoints.web.http.redirections.entrypoint.permanent: true
-    certificatesResolvers.letsencrypt.acme.email: "[email protected]"
-    certificatesResolvers.letsencrypt.acme.storage: "/letsencrypt/acme.json" # Must match the path in `volume`
-    certificatesResolvers.letsencrypt.acme.httpchallenge: true
-    certificatesResolvers.letsencrypt.acme.httpchallenge.entrypoint: web

demo/config/environments/production.rb

@@ -73,4 +73,6 @@
   # ]
   # Skip DNS rebinding protection for the default health check endpoint.
   # config.host_authorization = { exclude: ->(request) { request.path == "/up" } }
+
+  config.active_record.sqlite3_production_warning = false
 end

polaris_view_components.gemspec

@@ -31,5 +31,6 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "minitest", "~> 5.0"
   spec.add_development_dependency "pry"
   spec.add_development_dependency "sprockets-rails"
-  spec.add_development_dependency "kamal"
+  spec.add_development_dependency "kamal", "~> 2.0.0"
+  spec.add_development_dependency "dotenv"
 end