Add production deployment configuration

- Add deploy/ folder with Dockerfile.prod, nginx, uwsgi configs
- Add production.ini (secrets externalized to secrets.ini)
- Add entrypoint that merges production.ini + secrets.ini at startup
- Add build-deploy.yml GitHub Actions workflow
- Add dependabot.yml

Author: cooper667

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    groups:
+      actions:
+        patterns:
+          - "*"

.github/workflows/build-deploy.yml

@@ -0,0 +1,109 @@
+name: Build and Deploy CKAN
+
+on:
+  push:
+    branches: [master, ckan211-prod-deploy]
+    tags: ['v*']
+  workflow_dispatch:
+    inputs:
+      image_tag:
+        description: 'Image tag to deploy (e.g., sha-abc1234 or v1.0.0)'
+        required: true
+        type: string
+      environment:
+        description: 'Target environment'
+        required: true
+        type: choice
+        options:
+          - staging
+          - production
+
+env:
+  ACR_NAME: adracr
+  IMAGE_NAME: ckan
+
+jobs:
+  build:
+    if: github.event_name != 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    outputs:
+      image_tag: ${{ steps.set-env.outputs.image_tag }}
+      environment: ${{ steps.set-env.outputs.environment }}
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+      - name: Determine environment and image tag
+        id: set-env
+        run: |
+          if [[ "${{ github.ref }}" == refs/tags/* ]]; then
+            echo "environment=production" >> $GITHUB_OUTPUT
+            echo "image_tag=${{ github.ref_name }}" >> $GITHUB_OUTPUT
+          else
+            echo "environment=staging" >> $GITHUB_OUTPUT
+            echo "image_tag=sha-$(echo ${{ github.sha }} | cut -c1-7)" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.6.1
+        with:
+          images: ${{ env.ACR_NAME }}.azurecr.io/${{ env.IMAGE_NAME }}
+          tags: |
+            type=sha
+            type=ref,event=tag
+
+      - name: Login to ACR
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: ${{ env.ACR_NAME }}.azurecr.io
+          username: ${{ secrets.ACR_USERNAME }}
+          password: ${{ secrets.ACR_PASSWORD }}
+
+      - name: Build and push
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.10.0
+        with:
+          context: .
+          file: deploy/Dockerfile.prod
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+  deploy:
+    if: always() && (needs.build.result == 'success' || github.event_name == 'workflow_dispatch')
+    needs: build
+    runs-on: ubuntu-latest
+    environment:
+      name: ${{ github.event_name == 'workflow_dispatch' && inputs.environment || needs.build.outputs.environment }}
+      url: ${{ steps.params.outputs.url }}
+    steps:
+      - name: Set deploy params
+        id: params
+        run: |
+          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            ENV="${{ inputs.environment }}"
+            echo "image_tag=${{ inputs.image_tag }}" >> $GITHUB_OUTPUT
+          else
+            ENV="${{ needs.build.outputs.environment }}"
+            echo "image_tag=${{ needs.build.outputs.image_tag }}" >> $GITHUB_OUTPUT
+          fi
+
+          if [[ "$ENV" == "production" ]]; then
+            echo "namespace=adr-p" >> $GITHUB_OUTPUT
+            echo "url=https://p-ckan.azurefd.net" >> $GITHUB_OUTPUT
+          else
+            echo "namespace=adr-s" >> $GITHUB_OUTPUT
+            echo "url=https://s-ckan-g3c2cqgzfygmfdam.z01.azurefd.net" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Setup kubeconfig
+        run: |
+          mkdir -p ~/.kube
+          echo "${{ secrets.KUBECONFIG_BASE64 }}" | base64 -d > ~/.kube/config
+          chmod 600 ~/.kube/config
+
+      - name: Deploy to AKS
+        run: |
+          kubectl set image deployment/ckan \
+            ckan=${{ env.ACR_NAME }}.azurecr.io/${{ env.IMAGE_NAME }}:${{ steps.params.outputs.image_tag }} \
+            -n ${{ steps.params.outputs.namespace }}
+          kubectl rollout status deployment/ckan -n ${{ steps.params.outputs.namespace }} --timeout=5m

deploy/Dockerfile.prod

@@ -0,0 +1,96 @@
+FROM python:3.10
+
+# OCI Annotations
+LABEL org.opencontainers.image.maintainer="support@fjelltopp.org"
+LABEL org.opencontainers.image.title="CKAN-ADX"
+LABEL org.opencontainers.image.description="Fjelltopp's ADX CKAN production image"
+
+ARG CKAN_SITE_URL
+
+# Set timezone
+ENV TZ=UTC
+RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
+
+# Setting the locale
+ENV LC_ALL=en_US.UTF-8
+RUN apt-get update && \
+    apt-get install --no-install-recommends -y locales && \
+    sed -i "/$LC_ALL/s/^# //g" /etc/locale.gen && \
+    dpkg-reconfigure --frontend=noninteractive locales && \
+    update-locale LANG=${LC_ALL}
+
+# Define environment variables
+ENV CKAN_HOME /usr/lib/adx
+ENV CKAN_VENV $CKAN_HOME/venv
+ENV CKAN_CONFIG /etc/ckan
+ENV CKAN_STORAGE_PATH=/var/lib/ckan
+ENV PATH=${CKAN_VENV}/bin:${PATH}
+
+# Install required system packages
+RUN apt-get -q -y update \
+    && apt-get -q -y install \
+        libpq-dev \
+        libmagic-dev \
+        libxml2-dev \
+        libxslt-dev \
+        libgeos-dev \
+        libssl-dev \
+        libffi-dev \
+        postgresql-client \
+        build-essential \
+        git-core \
+        vim \
+        wget \
+        curl \
+        xmlsec1 \
+        jq \
+        supervisor \
+        nginx \
+    && apt-get -q clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# Add CKAN user
+RUN useradd -r -u 900 -m -c "ckan account" -d $CKAN_HOME -s /bin/false ckan
+
+# Install pipenv and uwsgi
+RUN pip3 install pipenv uwsgi
+
+# Copy submodules and Pipfile
+COPY submodules /usr/lib/adx/submodules
+COPY Pipfile Pipfile.lock /usr/lib/adx/
+
+# Install Python dependencies
+WORKDIR /usr/lib/adx
+RUN mkdir .venv && pipenv sync -v && ln -s .venv venv
+
+# Install Node.js and yarn for React build
+RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - && \
+    apt-get install -y nodejs && \
+    npm install --global yarn
+
+# Build React components
+RUN yarn --cwd /usr/lib/adx/submodules/ckanext-unaids/ckanext/unaids/react/ && \
+    yarn --cwd /usr/lib/adx/submodules/ckanext-unaids/ckanext/unaids/react/ build && \
+    chmod -R 777 /usr/lib/adx/submodules/ckanext-unaids/ckanext/unaids/assets/build
+
+RUN chown -R ckan:ckan /usr/lib/adx/
+RUN mkdir -p /var/lib/ckan/resources && chmod 777 -R /var/lib/ckan
+
+# Create symlink for backward compatibility with configs that reference /usr/lib/ckan
+RUN ln -s /usr/lib/adx /usr/lib/ckan
+
+# Copy entrypoint and config files
+COPY deploy/ckan-entrypoint-prod.sh /ckan-entrypoint.sh
+COPY ckan/adx_config.ini $CKAN_CONFIG/ckan.ini
+COPY ckan/adx_who.ini $CKAN_CONFIG/who.ini
+COPY ckan/ckan_supervisor.conf /etc/supervisor/conf.d/ckan_supervisor.conf
+COPY deploy/uwsgi.ini /usr/lib/adx/uwsgi.ini
+COPY deploy/nginx.conf /etc/nginx/nginx.conf
+
+RUN chmod +x /*.sh
+
+USER root
+EXPOSE 5000
+
+ENTRYPOINT ["/ckan-entrypoint.sh"]
+CMD ["supervisord", "-c", "/etc/supervisor/supervisord.conf"]

deploy/ckan-entrypoint-prod.sh

@@ -0,0 +1,90 @@
+#!/bin/bash
+set -e
+
+# URL for the primary database, in the format expected by sqlalchemy
+: "${CKAN_SQLALCHEMY_URL:=}"
+: "${CKAN_SOLR_URL:=}"
+: "${CKAN_REDIS_URL:=}"
+: "${CKAN_DATAPUSHER_URL:=}"
+
+export CKAN_HOME=/usr/lib/adx
+export CKAN_VENV=$CKAN_HOME/venv
+export PATH=${CKAN_VENV}/bin:${PATH}
+
+# Combine base config with secrets using Python ConfigParser
+# secrets.ini values override production.ini
+echo "Combining configuration files..."
+python3 << 'PYEOF'
+import configparser
+import sys
+
+config = configparser.ConfigParser()
+config.read('/etc/ckan/production.ini')
+config.read('/etc/ckan/secrets.ini')  # Later values override earlier
+
+with open('/tmp/ckan.ini', 'w') as f:
+    config.write(f)
+PYEOF
+export CONFIG="/tmp/ckan.ini"
+export CKAN_INI="/tmp/ckan.ini"
+
+abort () {
+  echo "$@" >&2
+  exit 1
+}
+
+set_environment () {
+  export CKAN_SITE_ID=${CKAN_SITE_ID}
+  export CKAN_SITE_URL=${CKAN_SITE_URL}
+  export CKAN_SQLALCHEMY_URL=${CKAN_SQLALCHEMY_URL}
+  export CKAN_SOLR_URL=${CKAN_SOLR_URL}
+  export CKAN_REDIS_URL=${CKAN_REDIS_URL}
+  export CKAN_STORAGE_PATH=/var/lib/ckan
+  export CKAN_DATAPUSHER_URL=${CKAN_DATAPUSHER_URL}
+  export CKAN_DATASTORE_WRITE_URL=${CKAN_DATASTORE_WRITE_URL}
+  export CKAN_DATASTORE_READ_URL=${CKAN_DATASTORE_READ_URL}
+  export CKAN_SMTP_SERVER=${CKAN_SMTP_SERVER}
+  export CKAN_SMTP_STARTTLS=${CKAN_SMTP_STARTTLS}
+  export CKAN_SMTP_USER=${CKAN_SMTP_USER}
+  export CKAN_SMTP_PASSWORD=${CKAN_SMTP_PASSWORD}
+  export CKAN_SMTP_MAIL_FROM=${CKAN_SMTP_MAIL_FROM}
+  export CKAN_MAX_UPLOAD_SIZE_MB=${CKAN_MAX_UPLOAD_SIZE_MB}
+  if [ -n "${ADR_CKAN_SAML_IDP_CERT}" ]; then
+    echo "${ADR_CKAN_SAML_IDP_CERT}" > /tmp/saml_idp.crt || echo "Warning: Could not write SAML IDP cert"
+  fi
+}
+
+# Validate required environment variables
+if [ -z "$CKAN_SQLALCHEMY_URL" ]; then
+  abort "ERROR: no CKAN_SQLALCHEMY_URL specified"
+fi
+
+if [ -z "$CKAN_SOLR_URL" ]; then
+    abort "ERROR: no CKAN_SOLR_URL specified"
+fi
+
+if [ -z "$CKAN_REDIS_URL" ]; then
+    abort "ERROR: no CKAN_REDIS_URL specified"
+fi
+
+if [ -z "$CKAN_DATAPUSHER_URL" ]; then
+    abort "ERROR: no CKAN_DATAPUSHER_URL specified"
+fi
+
+set_environment
+echo "CKAN production environment ready"
+
+# Initialize CKAN database and run plugin migrations
+echo "Initializing CKAN database..."
+ckan --config="$CONFIG" db init || echo "CKAN database already initialized"
+
+echo "Setting up DataStore permissions..."
+ckan --config="$CONFIG" datastore set-permissions | psql "${CKAN_DATASTORE_WRITE_URL}" || echo "Warning: DataStore set-permissions failed or already applied"
+
+echo "Running database migrations for plugins..."
+ckan --config="$CONFIG" db upgrade -p pages || echo "Warning: ckanext-pages migration failed or already applied"
+# ckan --config="$CONFIG" versions initdb || echo "Warning: ckanext-versions initdb failed or already applied"
+# ckan --config="$CONFIG" validation init-db || echo "Warning: ckanext-validation init-db failed or already applied"
+ckan --config="$CONFIG" unaids initdb || echo "Warning: ckanext-unaids initdb failed or already applied"
+
+exec "$@"

deploy/nginx.conf

@@ -0,0 +1,71 @@
+worker_processes auto;
+error_log /dev/stderr warn;
+pid /tmp/nginx.pid;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log /dev/stdout main;
+
+    sendfile on;
+    tcp_nopush on;
+    keepalive_timeout 65;
+    gzip on;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml;
+
+    upstream ckan {
+        server 127.0.0.1:8000;
+    }
+
+    server {
+        listen 5000;
+        server_name _;
+
+        client_max_body_size 256M;
+
+        # Internal location for X-Accel-Redirect (x-sendfile)
+        # CKAN sends X-Accel-Redirect with the full filesystem path
+        location /var/lib/ckan/webassets/ {
+            internal;
+            alias /var/lib/ckan/webassets/;
+            expires 7d;
+            add_header Cache-Control "public, max-age=604800" always;
+            add_header Vary "Accept-Encoding" always;
+        }
+
+        # Other static assets - set proper caching headers
+        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+            proxy_pass http://ckan;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            # Override Cache-Control from origin - remove no-cache, set public caching
+            proxy_hide_header Cache-Control;
+            proxy_hide_header Vary;
+            add_header Cache-Control "public, max-age=604800" always;
+            add_header Vary "Accept-Encoding" always;
+        }
+
+        # All other requests
+        location / {
+            proxy_pass http://ckan;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_read_timeout 300s;
+            proxy_connect_timeout 75s;
+        }
+    }
+}