hjess/tink-demo
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Wiki Activity

fix: production deployment — Docker, Nomad, Consul KV, SHA tags

Browse Source 
- Dockerfile: multi-stage build, non-root user, src/static tracked with .gitkeep
- Nomad job: force_pull=true, Traefik router fixed to tink-demo.i80.dk,
  loadbalancer.server.port=8000, job renamed from moneycapp-tink-demo
- CI/CD: git SHA image tags (deterministic deploys), removed .env.production
  baking — secrets injected at runtime via Consul KV template stanza
- Session security: asyncio lock prevents duplicate code exchange on callback,
  guard for already-stored token, api_log moved server-side (cookie overflow fix)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
Henrik Jess Nielsen
2026-05-23 02:08:27 +02:00
parent ab591be464
commit bf61790465
6 changed files with 90 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
moneycapp-tink-demo.nomad
View File

@@ -1,4 +1,4 @@
job "moneycapp-tink-demo" {
job "tink-demo" {
datacenters = ["dc1"]
type = "service"
@@ -10,12 +10,13 @@ job "moneycapp-tink-demo" {
}
service {
name = "moneycapp-tink-demo"
name = "tink-demo"
port = "http"
tags = ["traefik.enable=true",
"traefik.http.routers.tink-demo.rule=Host(`tink-demo.i80.dk`)",
"traefik.http.routers.tink-demo.tls=true",
"traefik.http.routers.tink-demo.tls.certresolver=le"]
"traefik.http.routers.tink-demo.tls.certresolver=le",
"traefik.http.services.tink-demo.loadbalancer.server.port=8000"]
check {
type = "http"
path = "/"
@@ -28,8 +29,21 @@ job "moneycapp-tink-demo" {
driver = "docker"
config {
image = "registry.i80.dk/gitea/moneycapp-tink-demo:latest"
ports = ["http"]
image = "registry.i80.dk/gitea/tink-demo:latest"
force_pull = true
ports = ["http"]
}
template {
data = <<EOH
TINK_CLIENT_ID="{{ key "tink-demo/TINK_CLIENT_ID" }}"
TINK_CLIENT_SECRET="{{ key "tink-demo/TINK_CLIENT_SECRET" }}"
TINK_REDIRECT_URI="https://tink-demo.i80.dk/callback"
APP_BASE_URL="https://tink-demo.i80.dk"
DEMO_MODE="false"
EOH
destination = "secrets/app.env"
env = true
}
resources {