build: improve deploy scripts to be more automated

spwoodcock · spwoodcock · commit 52da1a1750cb · 2026-03-24T23:13:42.000Z
diff --git a/.env.example b/.env.example
@@ -1,3 +1,8 @@
+### Container runtime ###
+# Set DOCKER_ALIAS=nerdctl if using containerd/nerdctl instead of Docker.
+# DOCKER_ALIAS=${DOCKER_ALIAS:-docker}
+# CONTAINERD_SNAPSHOTTER=${CONTAINERD_SNAPSHOTTER}
+
 ### ODK Central ###
 ODK_CENTRAL_URL=${ODK_CENTRAL_URL:-"http://central:8383"}
 ODK_CENTRAL_USER=${ODK_CENTRAL_USER:-"admin@hotosm.org"}
diff --git a/deploy/README.md b/deploy/README.md
@@ -30,5 +30,7 @@ Alternative production entry points:
 
 ```sh
 just start prod-with-odk
-just start prod-login
 ```
+
+> `just start prod` automatically includes the self-hosted Hanko login overlay
+> when `AUTH_PROVIDER=bundled` is set in `.env`.
diff --git a/deploy/compose.login.yaml b/deploy/compose.login.yaml
@@ -20,7 +20,8 @@
 #
 # IMPORTANT: This file uses ${FTM_DOMAIN} in bunkerweb env var KEY names,
 # which requires envsubst preprocessing - the same pipeline already used by
-# compose.sub.yaml.  Use `just start prod-login` which handles this.
+# compose.sub.yaml.  `just start prod` handles this automatically when
+# AUTH_PROVIDER=bundled is set in .env.
 #
 # For non-VM deployments see AUTH_PROVIDER=hotosm (centralised HOT login)
 # or AUTH_PROVIDER=custom (bring-your-own Hanko).
diff --git a/docs/dev/Production.md b/docs/dev/Production.md
@@ -83,7 +83,7 @@ The `setup` wizard configures these automatically, but you may want to review:
 - `custom`: Your own Hanko instance
   Deploy with `just start prod`
 - `bundled`: Self-hosted Hanko via the login overlay
-  Deploy with `just start prod-login`
+  Deploy with `just start prod` (login overlay is included automatically)
 
 If you use `AUTH_PROVIDER=hotosm`, set:
 
@@ -211,11 +211,10 @@ just start prod-with-odk
 
 ### Field-TM with self-hosted Hanko login
 
-```bash
-just start prod-login
-```
+Set `AUTH_PROVIDER=bundled` in `.env` (or select it during `just config setup`),
+then run `just start prod` — the login overlay is included automatically.
 
-All three commands will:
+All commands will:
 
 1. Check for uncommitted changes (and refuse to proceed if dirty)
 2. Present a numbered list of available release versions
diff --git a/tasks/config b/tasks/config
@@ -151,7 +151,7 @@ setup:
   echo ""
   just _echo-blue "Setup complete. Config written to .env"
   echo ""
-  just _echo-yellow "Modify .env as needed, then run: just start prod       (or just start prod-login)"
+  just _echo-yellow "Modify .env as needed, then run: just start prod"
   echo ""
 
 # For custom branding, place favicon.svg in the repo root, then run this
diff --git a/tasks/start b/tasks/start
@@ -63,34 +63,19 @@ _select-version:
   # Persist the chosen tag for the calling recipe
   echo "${chosen}" > /tmp/.ftm_deploy_tag
 
-# Production deploy
+# Production deploy (auto-detects AUTH_PROVIDER from .env)
 [no-cd]
 prod:
-  #!/usr/bin/env sh
+  #!/usr/bin/env bash
   set -e
 
-  just start _select-version
-  export GIT_BRANCH=$(cat /tmp/.ftm_deploy_tag)
-
-  # From deploy dir
-  cd {{justfile_directory()}}/deploy
-
-  # Config
-  just config generate-dotenv "${GIT_BRANCH}"
-  just config custom-favicon
-
-  # Deploy core FieldTM
-  ../envsubst -no-unset -i compose.sub.yaml | \
-        {{docker}} compose -f - up --detach \
-        --remove-orphans --force-recreate
-
-  just _echo-blue "FieldTM ${GIT_BRANCH} started successfully"
+  # Ensure PATH includes common binary locations (rootless docker, snap, etc.)
+  export PATH="$HOME/bin:$HOME/.local/bin:/usr/local/bin:$PATH"
 
-# Production deploy with self-hosted Hanko auth (contrib/login)
-[no-cd]
-prod-login:
-  #!/usr/bin/env sh
-  set -e
+  if ! command -v {{docker}} >/dev/null 2>&1; then
+    just _echo-red "'{{docker}}' not found. If using nerdctl, set DOCKER_ALIAS=nerdctl in .env"
+    exit 1
+  fi
 
   just start _select-version
   export GIT_BRANCH=$(cat /tmp/.ftm_deploy_tag)
@@ -100,26 +85,44 @@ prod-login:
 
   # Config
   just config generate-dotenv "${GIT_BRANCH}"
-  just config custom-favicon
-
-  # Both compose files use ${FTM_DOMAIN} in bunkerweb env var KEY names, which
-  # requires envsubst preprocessing.  Process to temp files then compose together.
-  tmp_main=$(mktemp)
-  tmp_login=$(mktemp)
-  ../envsubst -no-unset -i compose.sub.yaml > "$tmp_main"
-  ../envsubst -no-unset -i compose.login.yaml > "$tmp_login"
-  {{docker}} compose -f "$tmp_main" -f "$tmp_login" up --detach \
-    --remove-orphans --force-recreate
-  rm -f "$tmp_main" "$tmp_login"
 
-  just _echo-blue "FieldTM ${GIT_BRANCH} + self-hosted Hanko started successfully"
+  # Read AUTH_PROVIDER from .env
+  auth_provider=$(grep -E '^AUTH_PROVIDER=' ../.env | cut -d= -f2 | tr -d '"' || echo "")
+
+  if [ "$auth_provider" = "bundled" ]; then
+    just _echo-blue "AUTH_PROVIDER=bundled detected, deploying with self-hosted Hanko..."
+    # Both compose files use ${FTM_DOMAIN} in bunkerweb env var KEY names, which
+    # requires envsubst preprocessing.  Process to temp files then compose together.
+    tmp_main=$(mktemp)
+    tmp_login=$(mktemp)
+    ../envsubst -no-unset -i compose.sub.yaml > "$tmp_main"
+    ../envsubst -no-unset -i compose.login.yaml > "$tmp_login"
+    {{docker}} compose -f "$tmp_main" -f "$tmp_login" up --detach \
+      --remove-orphans --force-recreate
+    rm -f "$tmp_main" "$tmp_login"
+    just _echo-blue "FieldTM ${GIT_BRANCH} + self-hosted Hanko started successfully"
+  else
+    just _echo-blue "AUTH_PROVIDER=${auth_provider} detected, deploying without bundled login..."
+    ../envsubst -no-unset -i compose.sub.yaml | \
+          {{docker}} compose -f - up --detach \
+          --remove-orphans --force-recreate
+    just _echo-blue "FieldTM ${GIT_BRANCH} started successfully"
+  fi
 
 # Production deploy with self-hosted ODK Central
 [no-cd]
 prod-with-odk:
-  #!/usr/bin/env sh
+  #!/usr/bin/env bash
   set -e
 
+  # Ensure PATH includes common binary locations (rootless docker, snap, etc.)
+  export PATH="$HOME/bin:$HOME/.local/bin:/usr/local/bin:$PATH"
+
+  if ! command -v {{docker}} >/dev/null 2>&1; then
+    just _echo-red "'{{docker}}' not found. If using nerdctl, set DOCKER_ALIAS=nerdctl in .env"
+    exit 1
+  fi
+
   just start _select-version
   export GIT_BRANCH=$(cat /tmp/.ftm_deploy_tag)
 
@@ -128,7 +131,6 @@ prod-with-odk:
 
   # Config
   just config generate-dotenv "${GIT_BRANCH}"
-  just config custom-favicon
 
   # Deploy core FieldTM + ODK Central addon
   ../envsubst -no-unset -i compose.sub.yaml | \

Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,8 @@`
`20`	`20`	`#`
`21`	`21`	`# IMPORTANT: This file uses ${FTM_DOMAIN} in bunkerweb env var KEY names,`
`22`	`22`	`# which requires envsubst preprocessing - the same pipeline already used by`
`23`		-# compose.sub.yaml. Use `just start prod-login` which handles this.
	`23`	+# compose.sub.yaml. `just start prod` handles this automatically when
	`24`	`+# AUTH_PROVIDER=bundled is set in .env.`
`24`	`25`	`#`
`25`	`26`	`# For non-VM deployments see AUTH_PROVIDER=hotosm (centralised HOT login)`
`26`	`27`	`# or AUTH_PROVIDER=custom (bring-your-own Hanko).`