From e130685260e5e2afde1425efb46dc13231d685dc Mon Sep 17 00:00:00 2001
From: Guillermo Pages
Date: Sun, 19 Oct 2025 13:27:40 +0200
Subject: [PATCH] chore: deployment
---
.deploy.yml | 7 +++
.dockerignore | 10 ++++
.drone.yml | 141 ++++++++++++++++++++++++++++++++++++++++++++++
Dockerfile | 25 +++++---
Dockerfile.dev | 2 +-
package-lock.json | 21 ++++---
package.json | 6 +-
7 files changed, 192 insertions(+), 20 deletions(-)
create mode 100644 .deploy.yml
create mode 100644 .dockerignore
create mode 100644 .drone.yml
diff --git a/.deploy.yml b/.deploy.yml
new file mode 100644
index 0000000..00a10ba
--- /dev/null
+++ b/.deploy.yml
@@ -0,0 +1,7 @@
+sn48:
+ vault:
+ hydrate:
+ # vault-new-project --env_file .env.prod --name playchoo-auth --inventory_hostname sn4
+ branches:
+ - master
+ deploy: 4
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..d5f99a1
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,10 @@
+.DS_Store
+.env
+.env.prod
+node_modules/
+build/
+dist/
+coverage/
+logs/
+.git
+.gitignore
diff --git a/.drone.yml b/.drone.yml
new file mode 100644
index 0000000..e8e8127
--- /dev/null
+++ b/.drone.yml
@@ -0,0 +1,141 @@
+kind: pipeline
+type: docker
+name: default
+
+trigger:
+ branch:
+ - traefik
+ - master
+
+steps:
+- name: debug-secrets
+ image: alpine
+ environment:
+ VAULT_API_URL:
+ from_secret: VAULT_API_URL
+ commands:
+ - 'echo "Docker Registry URL: $${VAULT_API_URL}"'
+ when:
+ event:
+ - push
+ - tag
+
+- name: publish
+ image: plugins/docker
+ settings:
+ dockerfile: Dockerfile
+ context: .
+ registry: registry.sn48.zivili.ch
+ repo: registry.sn48.zivili.ch/meow/playchoo-auth
+ tags:
+ - "amd64-1.0.0"
+ - "latest"
+ username:
+ from_secret: PORTUS_USER
+ password:
+ from_secret: PORTUS_PASSWORD
+ debug: true
+ launch_debug: true
+ force_tag: true
+ when:
+ event:
+ - push
+ - tag
+
+- name: deploy
+ image: registry.sn48.zivili.ch/meow/drone-deploy:amd64-1.0.0
+ pull: never
+ settings:
+ ssh_port:
+ from_secret: SSH_PORT
+ dockerconfigjson:
+ from_secret: dockerconfigjson
+ portus_user:
+ from_secret: PORTUS_USER
+ portus_password:
+ from_secret: PORTUS_PASSWORD
+ ssh_host:
+ from_secret: SSH_HOST
+ ssh_user:
+ from_secret: SSH_USER
+ ssh_key:
+ from_secret: SSH_KEY
+ ssh_fingerprint:
+ from_secret: SSH_FINGERPRINT
+ drone_agent1_token:
+ from_secret: DRONE_AGENT1_TOKEN
+ vault_api_url:
+ from_secret: VAULT_API_URL
+
+---
+kind: secret
+name: SSH_HOST
+get:
+ path: kv/data/__drone-admin-secrets
+ name: SSH_HOST
+
+---
+kind: secret
+name: SSH_USER
+get:
+ path: kv/data/__drone-admin-secrets
+ name: SSH_USER
+
+---
+kind: secret
+name: SSH_KEY
+get:
+ path: kv/data/__drone-admin-secrets
+ name: SSH_KEY
+
+---
+kind: secret
+name: DRONE_AGENT1_TOKEN
+get:
+ path: kv/data/__drone-admin-secrets
+ name: DRONE_AGENT1_TOKEN
+
+---
+kind: secret
+name: VAULT_API_URL
+get:
+ path: kv/data/__drone-admin-secrets
+ name: VAULT_API_URL
+
+---
+kind: secret
+name: PORTUS_USER
+get:
+ path: kv/data/__drone-admin-secrets
+ name: PORTUS_USER
+
+---
+kind: secret
+name: PORTUS_PASSWORD
+get:
+ path: kv/data/__drone-admin-secrets
+ name: PORTUS_PASSWORD
+
+---
+kind:
secret +name: dockerconfigjson +get: + path: kv/data/__drone-admin-secrets + name: dockerconfigjson + +image_pull_secrets: + from_secret: dockerconfigjson + +--- +kind: secret +name: SSH_PORT +get: + path: kv/data/__drone-admin-secrets + name: SSH_PORT + +--- +kind: secret +name: SSH_FINGERPRINT +get: + path: kv/data/__drone-admin-secrets + name: SSH_FINGERPRINT diff --git a/Dockerfile b/Dockerfile index f7bab53..fdcd2aa 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,17 +1,28 @@ -FROM node:20-alpine +FROM node:22-alpine AS build WORKDIR /app -# Install dependencies COPY package*.json ./ -RUN npm ci --only=production +RUN npm ci -# Copy source and build COPY . . -RUN npm run build:prod -# Expose port +RUN npm run build:prod \ + && npm prune --omit=dev + +FROM node:22-alpine + +WORKDIR /app + +ENV NODE_ENV=production + +COPY --from=build /app/package*.json ./ +COPY --from=build /app/node_modules ./node_modules +COPY --from=build /app/build ./build + +RUN addgroup -S app && adduser -S app -G app && chown -R app:app /app +USER app + EXPOSE 3700 -# Start the application CMD ["node", "build/src/index.js"] diff --git a/Dockerfile.dev b/Dockerfile.dev index 6a19bc6..e90458b 100644 --- a/Dockerfile.dev +++ b/Dockerfile.dev @@ -1,4 +1,4 @@ -FROM node:20-alpine +FROM node:22-alpine WORKDIR /app diff --git a/package-lock.json b/package-lock.json index 6b45bc8..6bd3f5b 100644 --- a/package-lock.json +++ b/package-lock.json @@ -14,13 +14,13 @@ "express-knifey": "^1.1.3", "ioredis": "^5.8.1", "swiss-army-knifey": "^1.36.4", - "swissoid-back": "^2.2.5" + "swissoid-back": "^2.3.0" }, "devDependencies": { "@types/express": "^4.17.21", - "@types/node": "^20.11.0", + "@types/node": "^22.13.14", "ts-node": "^10.9.2", - "typescript": "^5.3.3" + "typescript": "^5.9.3" } }, "node_modules/@cspotcode/source-map-support": { 
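Review bot: In `.drone.yml`, the `debug-secrets` step echoes `$${VAULT_API_URL}`, a value fetched from Vault, into the build log (labelled "Docker Registry URL"), and the `publish` step leaves `debug: true` and `launch_debug: true` switched on. Log masking, where the runner applies it, should not be the only thing keeping that value out of the logs, so I would drop the step and both debug settings before this reaches `master`. The `deploy` step has no `when:` block, unlike the two steps before it, so it is not limited to push/tag events and is handed `SSH_KEY`, `PORTUS_PASSWORD` and `DRONE_AGENT1_TOKEN` on any build the branch trigger admits; add `when: event: [push, tag]` there as well. `image: alpine` and `image: plugins/docker` carry no tag, so the steps that see registry credentials run whatever those names resolve to at build time; pin both to a version or digest.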
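Review bot: In the final stage of `Dockerfile`, `chown -R app:app /app` makes the runtime user the owner of `build/` and `node_modules/`, so a compromised Node process could rewrite the code it runs; the recursive chown also writes every copied file into a second layer. If the service does not need to write under `/app` (not visible in this patch), leave the copied files root-owned and shorten the line to `RUN addgroup -S app && adduser -S app -G app`; if it does, give `app` ownership of the writable directory only. Both `FROM node:22-alpine` lines are pinned by tag alone, so consider adding a digest to make the image the pipeline pushes as `latest` reproducible.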
@@ -220,9 +220,9 @@ "license": "MIT" }, "node_modules/@types/node": { - "version": "20.19.22", - "resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.22.tgz", - "integrity": "sha512-hRnu+5qggKDSyWHlnmThnUqg62l29Aj/6vcYgUaSFL9oc7DVjeWEQN3PRgdSc6F8d9QRMWkf36CLMch1Do/+RQ==", + "version": "22.18.11", + "resolved": "https://registry.npmjs.org/@types/node/-/node-22.18.11.tgz", + "integrity": "sha512-Gd33J2XIrXurb+eT2ktze3rJAfAp9ZNjlBdh4SVgyrKEOADwCbdUDaK7QgJno8Ue4kcajscsKqu6n8OBG3hhCQ==", "license": "MIT", "dependencies": { "undici-types": "~6.21.0" @@ -1617,9 +1617,9 @@ "license": "MIT" }, "node_modules/swissoid-back": { - "version": "2.2.5", - "resolved": "https://registry.npmjs.org/swissoid-back/-/swissoid-back-2.2.5.tgz", - "integrity": "sha512-9qjbItzGNb8C+R0IItlYA+Re3Jt6A9QDtgoVgGWYMDiQCz0ot6s4TNruug5UMutCRBlV+AdeGZjL4FViZTBDNQ==", + "version": "2.3.0", + "resolved": "https://registry.npmjs.org/swissoid-back/-/swissoid-back-2.3.0.tgz", + "integrity": "sha512-n2R9o7ddH/XNyL1zgHB3+SYkv3/KmfJFOcQvbzlE13aIB+6eIqX8yv5h85+LWE5s017BfXgm5vGBNXaT0XjgOg==", "license": "MIT", "dependencies": { "@types/express-serve-static-core": "^5.0.7", @@ -1632,6 +1632,9 @@ "jose": "^6.1.0", "node-fetch": "^3.3.2", "redis": "^5.8.2" + }, + "bin": { + "swissoid-back-generate-secrets": "scripts/generate-session-secrets.js" } }, "node_modules/swissoid-back/node_modules/@types/express-serve-static-core": { diff --git a/package.json b/package.json index a6bb3a6..692b75f 100644 --- a/package.json +++ b/package.json @@ -19,13 +19,13 @@ "express": "^5.1.0", "express-knifey": "^1.1.3", "ioredis": "^5.8.1", - "swissoid-back": "^2.2.5", + "swissoid-back": "^2.3.0", "swiss-army-knifey": "^1.36.4" }, "devDependencies": { "@types/express": "^4.17.21", - "@types/node": "^20.11.0", + "@types/node": "^22.13.14", "ts-node": "^10.9.2", - "typescript": "^5.3.3" + "typescript": "^5.9.3" } }