madava/avaaz
1
0
Fork 0
Code Pull Requests Actions Releases Activity

first commit

Browse Source
This commit is contained in:
Madava
2025-11-24 00:30:36 +01:00
commit aef53eb953
12 changed files with 2202 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
infra/.env Normal file
View File

@@ -0,0 +1,24 @@
# Base URL of your Gitea instance (used by the runner to register itself
# and to send/receive workflow job information).
GITEA_INSTANCE_URL=https://git.avaaz.ai
# One-time registration token generated in:
# Gitea → Site Administration → Actions → Runners → "Generate Token"
# This MUST be filled in once, so the runner can register.
# After registration, the runner stores its identity inside ./gitea-runner-data/.runner
# and this value is no longer needed (can be left blank).
GITEA_RUNNER_REGISTRATION_TOKEN=
# Human-readable name for this runner.
# This is shown in the Gitea UI so you can distinguish multiple runners:
# Example: "vps-runner", "staging-runner", "gpu-runner"
GITEA_RUNNER_NAME=gitea-runner
# Runner labels allow workflows to choose specific runners.
# The label format is: label[:schema[:args]]
# - "ubuntu-latest" is the <label> name that workflows request using runs-on: [ "ubuntu-latest" ].
# - "docker://" is the <schema> indicating the job runs inside a separate Docker container.
# - "catthehacker/ubuntu:act-latest" is the <args>, specifying the Docker image to use for the container.
# Workflows can target this using:
# runs-on: [ "ubuntu-latest" ]
GITEA_RUNNER_LABELS=ubuntu-latest:docker://catthehacker/ubuntu:act-latest

118
infra/.gitea/workflows/cd.yml Normal file
View File

@@ -0,0 +1,118 @@
name: Continuous Deployment # Name of this workflow as shown in the CI/CD UI
on: # Section defining which events trigger this workflow
push: # Trigger when a push event occurs
tags: # Limit triggers to pushes involving tags
- 'v*' # Only run for version tags that start with 'v' (e.g., v0.0.1, v1.2.3)
workflow_dispatch: # Allow this workflow to be triggered manually from the UI
inputs: # Optional inputs for manual deployments
version: # Input used to document which version is being deployed manually
description: "Version to deploy when triggering manually (informational only)" # Help text for the version input
required: false # This input is optional
default: "manual-trigger" # Default value when no explicit version is supplied
permissions: # Default permissions for the token used in this workflow
contents: read # Allow reading repository contents (needed for checkout)
packages: write # Allow pushing packages/images to registries (adjust or remove if not needed)
id-token: write # Allow issuing OIDC tokens for cloud providers (remove if not used)
jobs: # Collection of jobs defined in this workflow
deploy: # Job responsible for deploying tagged releases
name: Deploy tagged release # Human-readable name for this deployment job
runs-on: ubuntu-latest # Use the latest Ubuntu Linux runner image
timeout-minutes: 30 # Automatically fail the job if it runs longer than 30 minutes
concurrency: # Prevent overlapping deployments
group: deploy-main-tags # Group key: serialize all deployments that share this identifier
cancel-in-progress: true # Cancel any running deployment in this group when a new one starts
environment: # Associate this job with a deployment environment
name: production # Label the environment as 'production' for visibility and protections
steps: # Ordered list of steps in this job
- name: Checkout Code # Step to check out the repository at the tagged commit
uses: actions/checkout@v6 # Standard checkout action (Gitea-compatible)
with: # Options for configuring the checkout behavior
ref: ${{ gitea.ref }} # Check out the specific commit referenced by the pushed tag
fetch-depth: 0 # Fetch full history so ancestry checks and branch analysis are reliable
- name: Verify tag commit is on current or historical commit of 'remote/main' # Ensure the tag commit comes from the assumed main branch
shell: bash # Explicitly use bash for this script
run: | # Begin multi-line bash script
set -euo pipefail # Enable strict mode: exit on error, unset var, or failed pipeline command
REMOTE_NAME="remote" # Fixed assumption: the relevant remote is named "remote"
MAIN_BRANCH_NAME="main" # Fixed assumption: the primary branch on the remote is named "main"
echo "Assuming remote name: ${REMOTE_NAME}" # Log the assumed remote name
echo "Assuming main branch name on remote: ${MAIN_BRANCH_NAME}" # Log the assumed main branch name
if ! git remote | grep -qx "${REMOTE_NAME}"; then # Check that the assumed remote actually exists
echo "❌ Expected remote '${REMOTE_NAME}' not found in repository remotes." # Explain missing remote
git remote -v # Show the actual configured remotes for debugging
exit 1 # Fail the job because we cannot safely validate without the expected remote
fi # End of remote existence check
TAG_COMMIT="$(git rev-parse HEAD)" # Determine the commit hash currently checked out (the tag target)
echo "Tag points to commit: ${TAG_COMMIT}" # Log which commit the tag references
echo "Fetching '${MAIN_BRANCH_NAME}' from remote '${REMOTE_NAME}'..." # Log the fetch action
if ! git fetch "${REMOTE_NAME}" "${MAIN_BRANCH_NAME}" > /dev/null 2>&1; then # Fetch remote/main silently and detect failure
echo "❌ Failed to fetch branch '${MAIN_BRANCH_NAME}' from remote '${REMOTE_NAME}'." # Explain fetch failure
echo " Ensure '${REMOTE_NAME}/${MAIN_BRANCH_NAME}' exists and is accessible." # Suggest verifying remote branch presence
exit 1 # Fail the job because we cannot validate against main
fi # End of fetch error check
MAIN_REF="${REMOTE_NAME}/${MAIN_BRANCH_NAME}" # Construct the fully qualified remote/main reference
echo "Discovering remote branches that contain the tag commit ${TAG_COMMIT}..." # Log start of branch discovery
BRANCHES_RAW="$(git branch -r --contains "${TAG_COMMIT}" || true)" # List remote branches whose history contains the tag commit (may be empty)
echo "Raw remote branches containing tag commit:" # Introductory log for raw remote-branch list
echo "${BRANCHES_RAW}" # Output the raw remote-tracking branches
BRANCHES_CLEANED="$(echo "${BRANCHES_RAW}" | sed 's|^[[:space:]]*||;s|.*/||')" # Trim spaces and strip remote prefixes, leaving branch names only
echo "Branch names containing tag commit (remote prefixes stripped):" # Introductory log for cleaned branch names
echo "${BRANCHES_CLEANED}" # Output the cleaned list of branch names for human inspection
if echo "${BRANCHES_RAW}" | sed 's|^[[:space:]]*||' | grep -qx "${MAIN_REF}"; then # Check if remote/main itself contains the tag commit
echo "${MAIN_REF} is listed as containing the tag commit." # Log that remote/main is explicitly reported as containing the commit
else # Branch taken when remote/main is not listed among the containing branches
echo "Note: '${MAIN_REF}' is not explicitly listed among branches containing the tag commit;" # Note about absence in the listing
echo " proceeding to verify via merge-base ancestry check as the final source of truth." # Explain that merge-base will be used to decide
fi # End of explicit listing check
echo "Verifying that tag commit ${TAG_COMMIT} is an ancestor of '${MAIN_REF}'..." # Log the start of ancestry verification
if git merge-base --is-ancestor "${TAG_COMMIT}" "${MAIN_REF}"; then # Check if the tag commit is contained in the history of remote/main
echo "✅ Tag commit is part of '${MAIN_REF}' history." # Success: tag commit is in remote/main history
echo " This means the tag was created on the current or historical commit of the main branch on remote '${REMOTE_NAME}'." # Clarify the semantic meaning
else # Branch taken when the tag commit is not reachable from remote/main
echo "❌ Tag commit is NOT part of '${MAIN_REF}' history." # Failure: invalid tag source
echo " Deployment is only allowed for tags created on the current or historical commit of '${MAIN_REF}'." # Explain the policy being enforced
exit 1 # Fail the job to prevent deployment from a non-main branch
fi # End of ancestry validation conditional
- name: Build and Publish Release # Step that builds and deploys the validated tagged release
shell: bash # Use bash for this deployment script
env: # Environment variables used during build and deployment
TAG_NAME: ${{ gitea.ref_name }} # Tag name (e.g., v0.0.1, v1.2.3) from the workflow context
CI: "true" # Conventional flag signaling that commands run in a CI/CD environment
run: | # Begin multi-line bash script for build and deploy
set -euo pipefail # Enforce strict error handling during deployment
echo "Proceeding with building and deploying version ${TAG_NAME}..." # Log which version is being deployed
# --- Begin placeholder for production build and deployment logic --- # Marker for project-specific deployment implementation
# Example for container-based deployments: # Example of a containerized deployment sequence
# make test # Run tests one more time as a safeguard before deployment
# make build-release # Build application artifacts for production
# docker build -t myorg/myapp:${TAG_NAME} . # Build Docker image tagged with the version
# docker push myorg/myapp:${TAG_NAME} # Push Docker image to the container registry
# ./deploy_to_production.sh "${TAG_NAME}" # Run custom deployment script using the version tag
# Example for non-container deployments: # Example of a file-based or script-based deployment sequence
# ./scripts/package.sh "${TAG_NAME}" # Package application into production-ready artifacts
# ./scripts/deploy.sh "${TAG_NAME}" # Deploy artifacts to servers or hosting platform
# --- End placeholder for production build and deployment logic --- # End of deployment example section
echo "Build and deployment steps completed for version ${TAG_NAME} (assuming real commands are configured above)." # Summary log for successful deployment step

90
infra/.gitea/workflows/ci.yml Normal file
View File

@@ -0,0 +1,90 @@
name: Continuous Integration # Name of this workflow as shown in the Actions/CI UI
on: # Section defining which events trigger this workflow
push: # Trigger when code is pushed
branches: # Branch patterns that should trigger this workflow on push
- 'feature/**' # Run CI for all branches under feature/ (e.g., feature/new-api)
- 'bugfix/**' # Run CI for all branches under bugfix/ (e.g., bugfix/fix-login)
pull_request: # Trigger when a pull request event occurs
branches: # Pull requests targeting these base branches will trigger this workflow
- main # Run CI for pull requests whose base (target) branch is main
types: # Specific pull request activity types that trigger this workflow
- opened # Trigger when a pull request is opened
- reopened # Trigger when a previously closed pull request is reopened
- synchronize # Trigger when new commits are pushed to the pull request source branch
workflow_dispatch: # Allow this workflow to be triggered manually from the UI
inputs: # Optional inputs for manual runs
reason: # Input describing why CI was triggered manually
description: "Reason for manually running Continuous Integration" # Help text for this input
required: false # This input is optional
default: "manual-trigger" # Default value when no explicit reason is provided
permissions: # Default permissions for the CI token used in this workflow
contents: read # Allow reading repository contents (required for checking out code)
# Add further permissions here if CI needs them (e.g., packages: read, issues: write, etc.)
jobs: # Collection of jobs in this workflow
validate: # Job responsible for validating changes (build, tests, etc.)
name: Validate and test changes # Human-readable name for this job
runs-on: ubuntu-latest # Use the latest Ubuntu Linux runner image
timeout-minutes: 20 # Fail the job automatically if it runs longer than 20 minutes
concurrency: # Prevent overlapping CI runs for the same ref
group: ci-${{ gitea.ref_name }}-validate # Group key: serialize CI runs per branch/tag name
cancel-in-progress: true # Cancel any in-progress job in this group when a new one starts
steps: # Ordered list of steps in this job
- name: Checkout Code # Step to fetch the repository contents
uses: actions/checkout@v6 # Standard checkout action (Gitea-compatible)
with: # Options configuring the checkout behavior
fetch-depth: 0 # Fetch full history so advanced git operations are possible if needed
- name: Report Triggering Event and Branches # Step to log which event and branches triggered CI
shell: bash # Explicitly use bash for this script
run: | # Begin multi-line bash script
set -euo pipefail # Enable strict mode: exit on error, unset var, or failed pipe
EVENT_TYPE="${{ gitea.event_name }}" # Capture the event type (push, pull_request, etc.)
echo "Workflow triggered by event type: ${EVENT_TYPE}" # Log the event type
if [ "${EVENT_TYPE}" = "push" ]; then # Branch for push events
echo "Pushed to branch: ${{ gitea.ref_name }}" # Log the branch name for push events
elif [ "${EVENT_TYPE}" = "pull_request" ]; then # Branch for pull request events
echo "Pull request source branch (head_ref): ${{ gitea.head_ref }}" # Log the PR source branch
echo "Pull request target branch (base_ref): ${{ gitea.base_ref }}" # Log the PR target branch
else # Branch for unexpected event types
echo "Unexpected event type: ${EVENT_TYPE}" # Log a warning for unknown events
fi # End of event-type conditional
# - name: Restore Dependency Cache # OPTIONAL: uncomment and configure for your language/toolchain
# uses: actions/cache@v4 # Cache action for speeding up dependency installation
# with: # Cache configuration
# path: | # Paths to cache (example: Node.js dependencies)
# node_modules
# key: deps-${{ runner.os }}-${{ hashFiles('package-lock.json') }} # Cache key based on OS and lockfile
# restore-keys: | # Fallback keys for partial cache hits
# deps-${{ runner.os }}- # Broader prefix allowing reuse of older caches
- name: Run Build and Tests # Main CI step to build and test the project
shell: bash # Use bash shell for the build/test script
env: # Environment variables available to this step
CI: "true" # Conventional flag signaling that commands run in a CI environment
run: | # Begin multi-line bash script for build and tests
set -euo pipefail # Enforce strict error handling during build and tests
echo "Building and testing the branch..." # High-level log for build/test phase
# --- Placeholder for actual build and test commands --- # Marker for project-specific CI logic
# Example for a Node.js project: # Example showing a typical Node.js CI sequence
# npm ci # Clean, reproducible install of dependencies using package-lock.json
# npm test # Run unit tests
# npm run lint # Run linting/static analysis
# Example for a Go project: # Example showing a typical Go CI sequence
# go test ./... # Run all tests in all subpackages
# golangci-lint run # Run Go linters via golangci-lint
# ------------------------------------------------------ # End of placeholder examples
echo "Build and tests completed successfully (assuming real commands are configured above)." # Summary for successful CI run

99
infra/Caddyfile Normal file
View File

@@ -0,0 +1,99 @@
{
# Global Caddy options.
#
# auto_https on
# - Caddy listens on port 80 for every host (ACME + redirect).
# - Automatically issues HTTPS certificates.
# - Automatically redirects HTTP → HTTPS unless disabled.
#
}
# ------------------------------------------------------------
# Redirect www → root domain
# ------------------------------------------------------------
www.avaaz.ai {
# Permanent redirect to naked domain
redir https://avaaz.ai{uri} permanent
}
# ------------------------------------------------------------
# Marketing site (optional — if frontend handles it, remove this)
# Redirect root → app
# ------------------------------------------------------------
avaaz.ai {
# If you have a static marketing page, serve it here.
# If not, redirect visitors to the app.
redir https://app.avaaz.ai{uri}
}
# ------------------------------------------------------------
# Frontend (Next.js)
# Public URL: https://app.avaaz.ai
# Internal target: frontend:3000
# ------------------------------------------------------------
app.avaaz.ai {
# Reverse-proxy HTTPS traffic to the frontend container
reverse_proxy frontend:3000
# Access log for debugging frontend activity
log {
output file /data/app-access.log
}
# Compression for faster delivery of JS, HTML, etc.
encode gzip zstd
}
# ------------------------------------------------------------
# Backend (FastAPI)
# Public URL: https://api.avaaz.ai
# Internal target: backend:8000
# ------------------------------------------------------------
api.avaaz.ai {
# Reverse-proxy all API traffic to FastAPI
reverse_proxy backend:8000
# Access log — useful for monitoring API traffic and debugging issues
log {
output file /data/api-access.log
}
# Enable response compression (JSON, text, etc.)
encode gzip zstd
}
# ------------------------------------------------------------
# LiveKit (signaling only — media uses direct UDP)
# Public URL: wss://rtc.avaaz.ai
# Internal target: livekit:7880
# ------------------------------------------------------------
rtc.avaaz.ai {
# LiveKit uses WebSocket signaling, so we reverse-proxy WS → WS
reverse_proxy livekit:7880
# Access log — helps diagnose WebRTC connection failures
log {
output file /data/rtc-access.log
}
# Compression not needed for WS traffic, but harmless
encode gzip zstd
}
# ------------------------------------------------------------
# Gitea (Git server UI + HTTPS + SSH clone)
# Public URL: https://git.avaaz.ai
# Internal target: gitea:3000
# ------------------------------------------------------------
git.avaaz.ai {
# Route all HTTPS traffic to Giteas web UI
reverse_proxy gitea:3000
# Log all Git UI requests and API access
log {
output file /data/git-access.log
}
# Compress UI responses
encode gzip zstd
}

102
infra/docker-compose.yml Normal file
View File

@@ -0,0 +1,102 @@
services:
caddy:
# Use the latest official Caddy image
image: caddy:latest
# Docker Compose automatically generates container names: <folder>_<service>_<index>
container_name: caddy # Fixed name used by Docker engine
# Automatically restart unless manually stopped
restart: unless-stopped
ports:
# Expose HTTP (ACME + redirect)
- "80:80"
# Expose HTTPS/WSS (frontend, backend, LiveKit)
- "443:443"
volumes:
# Mount the Caddy config file read-only
- ./Caddyfile:/etc/caddy/Caddyfile:ro
# Caddy TLS certs (persistent Docker volume)
- caddy_data:/data
# Internal Caddy state/config
- caddy_config:/config
networks:
# Attach to the shared "proxy" network
- proxy
gitea:
# Official Gitea image with built-in Actions
image: gitea/gitea:latest
container_name: gitea # Fixed name used by Docker engine
# Auto-restart service
restart: unless-stopped
environment:
# Run Gitea as host user 1000 (prevents permission issues)
- USER_UID=1000
# Same for group
- USER_GID=1000
# Use SQLite (stored inside /data)
- GITEA__database__DB_TYPE=sqlite3
# Location of the SQLite DB
- GITEA__database__PATH=/data/gitea/gitea.db
# Custom config directory
- GITEA_CUSTOM=/data/gitea
volumes:
# Bind mount instead of Docker volume because:
# - We want repos, configs, SSH keys, and SQLite DB **visible and editable** on host
# - Easy backups (just copy `./gitea-data`)
# - Easy migration
# - Avoids losing data if Docker volumes are pruned
- ./gitea-data:/data
networks:
- proxy
ports:
# SSH for Git operations mapped to host 2222
- "2222:22"
gitea-runner:
# Official Gitea Actions Runner
image: gitea/act_runner:latest
container_name: gitea-runner # Fixed name used by Docker engine
restart: unless-stopped
depends_on:
# Runner requires Gitea to be available
- gitea
volumes:
# Runner uses host Docker daemon to spin up job containers (Docker-out-of-Docker)
- /var/run/docker.sock:/var/run/docker.sock
# Bind mount instead of volume because:
# - Runner identity is stored in /data/.runner
# - Must persist across container recreations
# - Prevents duplicated runner registrations in Gitea
# - Easy to inspect/reset via `./gitea-runner-data/.runner`
- ./gitea-runner-data:/data
environment:
# Base URL of your Gitea instance
- GITEA_INSTANCE_URL=${GITEA_INSTANCE_URL}
# One-time registration token
- GITEA_RUNNER_REGISTRATION_TOKEN=${GITEA_RUNNER_REGISTRATION_TOKEN}
# Human-readable name for the runner
- GITEA_RUNNER_NAME=${GITEA_RUNNER_NAME}
# Runner labels (e.g., ubuntu-latest)
- GITEA_RUNNER_LABELS=${GITEA_RUNNER_LABELS}
# Set container timezone to UTC for consistent logs
- TZ=Etc/UTC
networks:
- proxy
# Start runner using persisted config
command: ["act_runner", "daemon", "--config", "/data/.runner"]
networks:
proxy:
# Shared network for Caddy + Gitea (+ later app stack)
name: proxy
# Default Docker bridge network
driver: bridge
volumes:
# Docker volume for Caddy TLS data (safe to keep inside Docker)
caddy_data:
name: caddy_data
# Docker volume for internal Caddy configs/state
caddy_config:
name: caddy_config

103
infra/gitea-data/gitea/conf/app.ini Normal file
View File

@@ -0,0 +1,103 @@
APP_NAME = Gitea
RUN_MODE = prod
RUN_USER = git
WORK_PATH = /data/gitea
[repository]
ROOT = /data/git/
[repository.local]
LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
[repository.upload]
TEMP_PATH = /data/gitea/uploads
[server]
PROTOCOL = http
APP_DATA_PATH = /data/gitea
DOMAIN = git.avaaz.ai
SSH_DOMAIN = git.avaaz.ai
HTTP_PORT = 3000
ROOT_URL = https://git.avaaz.ai/
DISABLE_SSH = false
SSH_PORT = 2222
SSH_LISTEN_PORT = 22
LFS_START_SERVER = true
LFS_JWT_SECRET = HbSrdK2xM1XsFwcX92OjA96s3X-L4H73Jhl0OPrLnEg
OFFLINE_MODE = true
[database]
PATH = /data/gitea/gitea.db
DB_TYPE = sqlite3
HOST = localhost:3306
NAME = gitea
USER = root
PASSWD =
LOG_SQL = false
SCHEMA =
SSL_MODE = disable
[indexer]
ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
[session]
PROVIDER_CONFIG = /data/gitea/sessions
PROVIDER = file
[picture]
AVATAR_UPLOAD_PATH = /data/gitea/avatars
REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
[attachment]
PATH = /data/gitea/attachments
[log]
MODE = console
LEVEL = info
ROOT_PATH = /data/gitea/log
[security]
INSTALL_LOCK = true
SECRET_KEY =
REVERSE_PROXY_LIMIT = 1
REVERSE_PROXY_TRUSTED_PROXIES = *
INTERNAL_TOKEN = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3NjMwMTg2Mjd9.O0B7VVK_TRiM8fkn8Jcw0K10ypWX-r6K_lmeFNhIlo4
PASSWORD_HASH_ALGO = pbkdf2
[service]
DISABLE_REGISTRATION = false
REQUIRE_SIGNIN_VIEW = true
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = false
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
ENABLE_CAPTCHA = false
DEFAULT_KEEP_EMAIL_PRIVATE = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
DEFAULT_ENABLE_TIMETRACKING = true
NO_REPLY_ADDRESS = noreply.localhost
[lfs]
PATH = /data/git/lfs
[mailer]
ENABLED = false
[openid]
ENABLE_OPENID_SIGNIN = true
ENABLE_OPENID_SIGNUP = true
[cron.update_checker]
ENABLED = true
[repository.pull-request]
DEFAULT_MERGE_STYLE = merge
[repository.signing]
DEFAULT_TRUST_MODEL = committer
[oauth2]
JWT_SECRET = c0-Xl6vRyjNC9UPykpCWA_XtXC62fygtoPh2ZxJgQu4
[actions]
ENABLED = true
DEFAULT_ACTIONS_URL = github