From e205f4f3538404d2d34883e08e900a5f0c0217ed Mon Sep 17 00:00:00 2001 From: Damien Arnodo Date: Wed, 19 Nov 2025 11:51:56 +0000 Subject: [PATCH] Add Docker-based deployment alternative for Scaleway --- docs/SCALEWAY_DEPLOYMENT_DOCKER.md | 353 +++++++++++++++++++++++++++++ 1 file changed, 353 insertions(+) create mode 100644 docs/SCALEWAY_DEPLOYMENT_DOCKER.md diff --git a/docs/SCALEWAY_DEPLOYMENT_DOCKER.md b/docs/SCALEWAY_DEPLOYMENT_DOCKER.md new file mode 100644 index 0000000..99b5ebe --- /dev/null +++ b/docs/SCALEWAY_DEPLOYMENT_DOCKER.md @@ -0,0 +1,353 @@ +# Alternative: Docker-based Deployment on Scaleway Instance + +This guide provides an alternative deployment method using a Scaleway instance with Docker and Nginx. + +## Advantages of this Method + +- Full control over the web server +- Easy SSL/TLS setup with Let's Encrypt +- Better caching control +- Custom redirects and URL rewriting +- Lower egress costs for high-traffic sites + +## Architecture + +``` +Gitea → Build Hugo → Push to Scaleway Registry → Deploy to Instance via Docker +``` + +## Step 1: Create Scaleway Instance + +```bash +scw instance server create \ + name=notebook-server \ + type=DEV1-S \ + image=ubuntu_jammy \ + zone=fr-par-1 +``` + +Or via console: Create a DEV1-S instance with Ubuntu 22.04 + +## Step 2: Install Docker on Instance + +SSH into your instance and run: + +```bash +# Update system +sudo apt update && sudo apt upgrade -y + +# Install Docker +curl -fsSL https://get.docker.com -o get-docker.sh +sudo sh get-docker.sh +sudo usermod -aG docker $USER + +# Install Docker Compose +sudo apt install docker-compose-plugin -y + +# Install Nginx and Certbot +sudo apt install nginx certbot python3-certbot-nginx -y +``` + +## Step 3: Create Docker Deployment Structure + +On your instance, create: + +```bash +mkdir -p /opt/notebook +cd /opt/notebook +``` + +Create `docker-compose.yml`: + +```yaml +version: '3.8' + +services: + nginx: + image: nginx:alpine + container_name: notebook-nginx + ports: + - "80:80" + - "443:443" + volumes: + - ./public:/usr/share/nginx/html:ro + - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro + - ./ssl:/etc/nginx/ssl:ro + restart: unless-stopped +``` + +Create `nginx.conf`: + +```nginx +server { + listen 80; + server_name notebook.arnodo.fr; + + # Redirect to HTTPS + return 301 https://$server_name$request_uri; +} + +server { + listen 443 ssl http2; + server_name notebook.arnodo.fr; + + ssl_certificate /etc/nginx/ssl/fullchain.pem; + ssl_certificate_key /etc/nginx/ssl/privkey.pem; + + # Security headers + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + root /usr/share/nginx/html; + index index.html; + + # Compression + gzip on; + gzip_vary on; + gzip_min_length 1024; + gzip_types text/plain text/css text/xml text/javascript + application/x-javascript application/xml+rss + application/javascript application/json; + + # Cache static assets + location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|eot)$ { + expires 1y; + add_header Cache-Control "public, immutable"; + } + + # Hugo pretty URLs + location / { + try_files $uri $uri/ $uri.html =404; + } + + # Custom 404 page + error_page 404 /404.html; +} +``` + +## Step 4: Configure DNS + +Point your domain to the Scaleway instance: + +``` +notebook.arnodo.fr A +``` + +## Step 5: Setup SSL Certificate + +```bash +sudo certbot certonly --standalone -d notebook.arnodo.fr + +# Copy certificates to project directory +sudo cp /etc/letsencrypt/live/notebook.arnodo.fr/fullchain.pem /opt/notebook/ssl/ +sudo cp /etc/letsencrypt/live/notebook.arnodo.fr/privkey.pem /opt/notebook/ssl/ +sudo chown -R $USER:$USER /opt/notebook/ssl +``` + +Set up auto-renewal: + +```bash +# Add to crontab +0 0 1 * * certbot renew && cp /etc/letsencrypt/live/notebook.arnodo.fr/*.pem /opt/notebook/ssl/ && docker-compose -f /opt/notebook/docker-compose.yml restart nginx +``` + +## Step 6: Update Gitea Workflow + +Create `.gitea/workflows/deploy-docker.yml`: + +```yaml +name: Deploy to Scaleway Instance + +on: + push: + branches: + - main + +jobs: + build-and-deploy: + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + submodules: recursive + fetch-depth: 0 + + - name: Setup Hugo + uses: peaceiris/actions-hugo@v2 + with: + hugo-version: 'latest' + extended: true + + - name: Build Hugo site + run: hugo --minify + + - name: Install rsync + run: sudo apt-get install -y rsync + + - name: Setup SSH key + run: | + mkdir -p ~/.ssh + echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa + chmod 600 ~/.ssh/id_rsa + ssh-keyscan -H ${{ secrets.SERVER_IP }} >> ~/.ssh/known_hosts + + - name: Deploy to server + run: | + rsync -avz --delete \ + -e "ssh -i ~/.ssh/id_rsa -o StrictHostKeyChecking=no" \ + public/ \ + ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_IP }}:/opt/notebook/public/ + + - name: Restart Nginx + run: | + ssh -i ~/.ssh/id_rsa ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_IP }} \ + "cd /opt/notebook && docker-compose restart nginx" +``` + +## Step 7: Configure Gitea Secrets + +Add to repository secrets: +- `SSH_PRIVATE_KEY`: Your SSH private key for the instance +- `SERVER_IP`: Your Scaleway instance IP +- `SERVER_USER`: SSH user (usually `root` or `ubuntu`) + +## Step 8: Create Deployment User (Recommended) + +For better security, create a dedicated deployment user: + +```bash +# On the Scaleway instance +sudo useradd -m -s /bin/bash deployer +sudo usermod -aG docker deployer +sudo chown -R deployer:deployer /opt/notebook + +# Generate SSH key on your local machine +ssh-keygen -t ed25519 -C "gitea-deployment" -f ~/.ssh/notebook_deploy + +# Copy public key to instance +ssh-copy-id -i ~/.ssh/notebook_deploy.pub deployer@ +``` + +Then update the workflow to use `deployer` user. + +## Cost Analysis + +### Monthly Costs: +- **DEV1-S Instance**: ~€7-10/month +- **100 GB outbound traffic**: Included +- **Additional traffic**: €0.01/GB +- **Total**: ~€10/month for typical blog traffic + +### Comparison with Object Storage: +- **More predictable costs** +- Better for high-traffic sites +- More control over caching and optimization +- Easier SSL/TLS management + +## Monitoring + +Install monitoring tools: + +```bash +# Install Prometheus Node Exporter +docker run -d \ + --name=node-exporter \ + --net="host" \ + --pid="host" \ + -v "/:/host:ro,rslave" \ + quay.io/prometheus/node-exporter:latest \ + --path.rootfs=/host +``` + +Or use Scaleway monitoring (free): +- Enable in console under Instance → Monitoring +- Set up alerts for CPU, memory, disk usage + +## Backup Strategy + +1. **Automated backups**: +```bash +# Add to crontab +0 2 * * * tar -czf /backup/notebook-$(date +\%Y\%m\%d).tar.gz /opt/notebook +``` + +2. **Use Scaleway snapshots**: +```bash +scw instance snapshot create volume-id= name=notebook-backup +``` + +## Security Hardening + +1. **Configure firewall**: +```bash +sudo ufw allow 22/tcp +sudo ufw allow 80/tcp +sudo ufw allow 443/tcp +sudo ufw enable +``` + +2. **Disable password authentication**: +Edit `/etc/ssh/sshd_config`: +``` +PasswordAuthentication no +PubkeyAuthentication yes +``` + +3. **Keep system updated**: +```bash +sudo apt update && sudo apt upgrade -y +``` + +4. **Install fail2ban**: +```bash +sudo apt install fail2ban -y +sudo systemctl enable fail2ban +``` + +## Troubleshooting + +### Check logs: +```bash +docker-compose -f /opt/notebook/docker-compose.yml logs -f +``` + +### Test Nginx config: +```bash +docker-compose exec nginx nginx -t +``` + +### Check SSL certificate: +```bash +openssl s_client -connect notebook.arnodo.fr:443 -servername notebook.arnodo.fr +``` + +## Performance Optimization + +Add to `nginx.conf`: + +```nginx +# HTTP/2 Server Push +http2_push_preload on; + +# Connection optimization +keepalive_timeout 65; +keepalive_requests 100; + +# Buffer sizes +client_body_buffer_size 128k; +client_max_body_size 10m; +``` + +Enable Brotli compression (optional): +```bash +# Add Brotli module to nginx container +# Or use a pre-built image with Brotli support +``` + +--- + +This Docker-based approach gives you more control and can be more cost-effective for sites with consistent traffic patterns.