feat: my.immich.app deployment

.github/workflows/deploy.yml

@@ -6,7 +6,7 @@ on:
       - completed
 
 jobs:
-  deploy-checks:
+  checks:
     name: Deploy checks
     runs-on: ubuntu-latest
     outputs:
@@ -120,72 +120,57 @@ jobs:
       - name: Unzip artifact
         run: unzip "${{ github.workspace }}/build-output.zip" -d "${{ github.workspace }}/build"
 
-      # - name: Deploy Subdomain
-      # env:
-      # TF_VAR_prefix_name: ${{ steps.parameters.outputs.name}}
-      # TF_VAR_prefix_event_type: ${{ steps.parameters.outputs.event }}
-      # CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
-      # CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
-      # TF_STATE_POSTGRES_CONN_STR: ${{ secrets.TF_STATE_POSTGRES_CONN_STR }}
-      # uses: gruntwork-io/terragrunt-action@v2
-      # with:
-      #   tg_version: '0.58.12'
-      #   tofu_version: '1.7.1'
-      #   tg_dir: 'deployment/modules/cloudflare/docs'
-      #   tg_command: 'apply'
-
-      # - name: Deploy Docs Subdomain Output
-      #   id: docs-output
-      #   env:
-      #     TF_VAR_prefix_name: ${{ steps.parameters.outputs.name}}
-      #     TF_VAR_prefix_event_type: ${{ steps.parameters.outputs.event }}
-      #     CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
-      #     CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
-      #     TF_STATE_POSTGRES_CONN_STR: ${{ secrets.TF_STATE_POSTGRES_CONN_STR }}
-      #   uses: gruntwork-io/terragrunt-action@v2
-      #   with:
-      #     tg_version: '0.58.12'
-      #     tofu_version: '1.7.1'
-      #     tg_dir: 'deployment/modules/cloudflare/docs'
-      #     tg_command: 'output -json'
-
-      # - name: Output Cleaning
-      #   id: clean
-      #   run: |
-      #     TG_OUT=$(echo '${{ steps.docs-output.outputs.tg_action_output }}' | sed 's|%0A|\n|g ; s|%3C|<|g' | jq -c .)
-      #     echo "output=$TG_OUT" >> $GITHUB_OUTPUT
-
-      # - name: Publish to Cloudflare Pages
-      #   uses: cloudflare/pages-action@v1
-      #   with:
-      #     apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN_PAGES_UPLOAD }}
-      #     accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
-      #     projectName: ${{ fromJson(steps.clean.outputs.output).pages_project_name.value }}
-      #     workingDirectory: 'docs'
-      #     directory: 'build'
-      #     branch: ${{ steps.parameters.outputs.name }}
-      #     wranglerVersion: '3'
-
-      # - name: Deploy Docs Release Domain
-      #   if: ${{ steps.parameters.outputs.event == 'release' }}
-      #   env:
-      #     TF_VAR_prefix_name: ${{ steps.parameters.outputs.name}}
-      #     CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
-      #     CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
-      #     TF_STATE_POSTGRES_CONN_STR: ${{ secrets.TF_STATE_POSTGRES_CONN_STR }}
-      #   uses: gruntwork-io/terragrunt-action@v2
-      #   with:
-      #     tg_version: '0.58.12'
-      #     tofu_version: '1.7.1'
-      #     tg_dir: 'deployment/modules/cloudflare/docs-release'
-      #     tg_command: 'apply'
-
-      # - name: Comment
-      #   uses: actions-cool/maintain-one-comment@v3
-      #   if: ${{ steps.parameters.outputs.event == 'pr' }}
-      #   with:
-      #     number: ${{ fromJson(needs.checks.outputs.parameters).pr_number }}
-      #     body: |
-      #       📖 Documentation deployed to [${{ fromJson(steps.clean.outputs.output).immich_app_branch_subdomain.value }}](https://${{ fromJson(steps.clean.outputs.output).immich_app_branch_subdomain.value }})
-      #     emojis: 'rocket'
-      #     body-include: '<!-- Docs PR URL -->'
+      - name: Deploy App
+        env:
+          TF_VAR_prefix_name: ${{ steps.parameters.outputs.name}}
+          TF_VAR_prefix_event_type: ${{ steps.parameters.outputs.event }}
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          TF_STATE_POSTGRES_CONN_STR: ${{ secrets.TF_STATE_POSTGRES_CONN_STR }}
+        uses: gruntwork-io/terragrunt-action@v2
+        with:
+          tg_version: '0.58.12'
+          tofu_version: '1.7.1'
+          tg_dir: 'deployment/modules/cloudflare/my-immich'
+          tg_command: 'apply'
+
+      - name: Deploy App Output
+        id: terraform-output
+        env:
+          TF_VAR_prefix_name: ${{ steps.parameters.outputs.name}}
+          TF_VAR_prefix_event_type: ${{ steps.parameters.outputs.event }}
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          TF_STATE_POSTGRES_CONN_STR: ${{ secrets.TF_STATE_POSTGRES_CONN_STR }}
+        uses: gruntwork-io/terragrunt-action@v2
+        with:
+          tg_version: '0.58.12'
+          tofu_version: '1.7.1'
+          tg_dir: 'deployment/modules/cloudflare/my-immich'
+          tg_command: 'output -json'
+
+      - name: Output Cleaning
+        id: clean
+        run: |
+          TG_OUT=$(echo '${{ steps.terraform-output.outputs.tg_action_output }}' | sed 's|%0A|\n|g ; s|%3C|<|g' | jq -c .)
+          echo "output=$TG_OUT" >> $GITHUB_OUTPUT
+
+      - name: Publish to Cloudflare Pages
+        uses: cloudflare/pages-action@v1
+        with:
+          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN_PAGES_UPLOAD }}
+          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          projectName: ${{ fromJson(steps.clean.outputs.output).pages_project_name.value }}
+          directory: 'build'
+          branch: ${{ steps.parameters.outputs.name }}
+          wranglerVersion: '3'
+
+      - name: Comment
+        uses: actions-cool/maintain-one-comment@v3
+        if: ${{ steps.parameters.outputs.event == 'pr' }}
+        with:
+          number: ${{ fromJson(needs.checks.outputs.parameters).pr_number }}
+          body: |
+            📖 Preview of my.immich.app deployed to [${{ fromJson(steps.clean.outputs.output).immich_app_branch_subdomain.value }}](https://${{ fromJson(steps.clean.outputs.output).immich_app_branch_subdomain.value }})
+          emojis: 'rocket'
+          body-include: '<!-- Pages PR URL -->'

.github/workflows/destroy.yml

@@ -0,0 +1,32 @@
+name: Docs destroy
+on:
+  pull_request_target:
+    types: [closed]
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Destroy Docs Subdomain
+        env:
+          TF_VAR_prefix_name: 'pr-${{ github.event.number }}'
+          TF_VAR_prefix_event_type: 'pr'
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          TF_STATE_POSTGRES_CONN_STR: ${{ secrets.TF_STATE_POSTGRES_CONN_STR }}
+        uses: gruntwork-io/terragrunt-action@v2
+        with:
+          tg_version: '0.58.12'
+          tofu_version: '1.7.1'
+          tg_dir: 'deployment/modules/cloudflare/my-immich'
+          tg_command: 'destroy'
+
+      - name: Comment
+        uses: actions-cool/maintain-one-comment@v3
+        with:
+          number: ${{ github.event.number }}
+          delete: true
+          body-include: '<!-- Docs PR URL -->'

deployment/.gitignore

@@ -0,0 +1,38 @@
+# OpenTofu
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+# Terragrunt
+
+# terragrunt cache directories
+**/.terragrunt-cache/*
+
+# Terragrunt debug output file (when using `--terragrunt-debug` option)
+# See: https://terragrunt.gruntwork.io/docs/reference/cli-options/#terragrunt-debug
+terragrunt-debug.tfvars.json

deployment/modules/cloudflare/my-immich/config.tf

@@ -0,0 +1,11 @@
+terraform {
+  backend "pg" {}
+  required_version = "~> 1.7"
+
+  required_providers {
+    cloudflare = {
+      source = "cloudflare/cloudflare"
+      version = "4.36.0"
+    }
+  }
+}

deployment/modules/cloudflare/my-immich/domain.tf

@@ -0,0 +1,26 @@
+resource "cloudflare_pages_domain" "immich_app_branch_domain" {
+  account_id   = var.cloudflare_account_id
+  project_name = data.terraform_remote_state.cloudflare_account.outputs.my_immich_app_pages_project_name
+  domain       = local.domain
+}
+
+resource "cloudflare_record" "immich_app_branch_subdomain" {
+  name    = local.domain
+  proxied = true
+  ttl     = 1
+  type    = "CNAME"
+  value   = local.is_main ? data.terraform_remote_state.cloudflare_account.outputs.my_immich_app_pages_project_subdomain : "${replace(var.prefix_name, "/\\/|\\./", "-")}.${data.terraform_remote_state.cloudflare_account.outputs.my_immich_app_pages_project_subdomain}"
+  zone_id = data.terraform_remote_state.cloudflare_account.outputs.immich_app_zone_id
+}
+
+output "immich_app_branch_subdomain" {
+  value = cloudflare_record.immich_app_branch_subdomain.hostname
+}
+
+output "immich_app_branch_pages_hostname" {
+  value = cloudflare_record.immich_app_branch_subdomain.value
+}
+
+output "pages_project_name" {
+  value = cloudflare_pages_domain.immich_app_branch_domain.project_name
+}

deployment/modules/cloudflare/my-immich/locals.tf

@@ -0,0 +1,6 @@
+locals {
+  domain_name = "my.immich.app"
+  is_main = var.prefix_name == "main"
+  domain_prefix =  !local.is_main && contains(["branch", "pr"], var.prefix_event_type) ? "${var.prefix_name}.preview." : ""
+  domain = "${local.domain_prefix}${local.domain_name}"
+}

deployment/modules/cloudflare/my-immich/providers.tf

@@ -0,0 +1,3 @@
+provider "cloudflare" {
+  api_token = data.terraform_remote_state.api_keys_state.outputs.terraform_key_cloudflare_docs
+}

deployment/modules/cloudflare/my-immich/remote-state.tf

@@ -0,0 +1,17 @@
+data "terraform_remote_state" "api_keys_state" {
+  backend = "pg"
+
+  config = {
+    conn_str = var.tf_state_postgres_conn_str
+    schema_name = "prod_cloudflare_api_keys"
+  }
+}
+
+data "terraform_remote_state" "cloudflare_account" {
+  backend = "pg"
+
+  config = {
+    conn_str = var.tf_state_postgres_conn_str
+    schema_name = "prod_cloudflare_account"
+  }
+}

deployment/modules/cloudflare/my-immich/terragrunt.hcl

@@ -0,0 +1,24 @@
+terraform {
+  source = "."
+
+  extra_arguments custom_vars {
+    commands = get_terraform_commands_that_need_vars()
+  }
+}
+
+include {
+  path = find_in_parent_folders("state.hcl")
+}
+
+locals {
+  prefix_name = get_env("TF_VAR_prefix_name")
+}
+
+remote_state {
+  backend = "pg"
+
+  config = {
+    conn_str = get_env("TF_STATE_POSTGRES_CONN_STR")
+    schema_name = "prod_cloudflare_immich_app_my_immich_${local.prefix_name}"
+  }
+}

deployment/modules/cloudflare/my-immich/variables.tf

@@ -0,0 +1,5 @@
+variable "cloudflare_account_id" {}
+variable "tf_state_postgres_conn_str" {}
+
+variable "prefix_name" {}
+variable "prefix_event_type" {}

deployment/state.hcl

@@ -0,0 +1,20 @@
+locals {
+  cloudflare_account_id = get_env("CLOUDFLARE_ACCOUNT_ID")
+  cloudflare_api_token  = get_env("CLOUDFLARE_API_TOKEN")
+
+  tf_state_postgres_conn_str = get_env("TF_STATE_POSTGRES_CONN_STR")
+}
+
+remote_state {
+  backend = "pg"
+
+  config = {
+    conn_str = local.tf_state_postgres_conn_str
+  }
+}
+
+inputs = {
+  cloudflare_account_id      = local.cloudflare_account_id
+  cloudflare_api_token       = local.cloudflare_api_token
+  tf_state_postgres_conn_str = local.tf_state_postgres_conn_str
+}