On push to main, the homelab runner (container mode, docker socket
mounted) builds the image, pushes it to the Forgejo registry tagged
with the commit SHA and latest, then runs docker compose pull + up -d
directly against the host Docker daemon — no SSH hop, since the
runner already lives on the deploy host. Finishes with one
curl -u admin:... against https://quartermaster.unbiasedgeek.com/healthz
to catch TLS, Traefik routing, and basic-auth regressions in a
single probe. Two repo-scoped secrets required: REGISTRY_TOKEN for
docker login and QUARTERMASTER_SMOKE_PASSWORD for the public
healthz probe.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

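Worked example of the deploy workflow the message above describes, added here as illustration; it is not the repository's own workflow (#30). Assumed, and not taken from the page: the runner label `homelab`, the registry host `forgejo.example.invalid`, the image path `unbiasedgeek/quartermaster`, that the compose file sits at the repository root, and that `actions/checkout` resolves on the Forgejo runner. The two secrets, the `admin` smoke user and the healthz URL are the ones named in the message.

```yaml
# Added example, not the repository's #30 workflow. Placeholder names:
# runner label "homelab", registry "forgejo.example.invalid",
# image path "unbiasedgeek/quartermaster".
name: deploy

on:
  push:
    branches: [main]

env:
  REGISTRY: forgejo.example.invalid                              # assumption
  IMAGE: forgejo.example.invalid/unbiasedgeek/quartermaster      # assumption

jobs:
  deploy:
    runs-on: homelab   # assumption: the container-mode runner with the docker socket mounted
    steps:
      - uses: actions/checkout@v4

      - name: Log in to the Forgejo registry
        env:
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        run: |
          set -euo pipefail
          # Token is fed over stdin so it never appears in argv or the step log.
          printf '%s' "$REGISTRY_TOKEN" \
            | docker login "$REGISTRY" -u "${{ github.actor }}" --password-stdin

      - name: Build and push (commit SHA + latest)
        run: |
          set -euo pipefail
          docker build -t "$IMAGE:${{ github.sha }}" -t "$IMAGE:latest" .
          docker push "$IMAGE:${{ github.sha }}"
          docker push "$IMAGE:latest"

      - name: Deploy against the host daemon (no SSH hop; runner lives on the host)
        env:
          # Pins this deploy to the exact image just pushed; compose reads the
          # variable from the environment, so the checked-in file is untouched.
          QUARTERMASTER_TAG: ${{ github.sha }}
        run: |
          set -euo pipefail
          docker compose pull
          docker compose up -d

      - name: Smoke probe through Traefik (TLS, routing and basic-auth in one request)
        env:
          SMOKE_PASSWORD: ${{ secrets.QUARTERMASTER_SMOKE_PASSWORD }}
        run: |
          set -euo pipefail
          # --config - reads the credentials from stdin, keeping the password out
          # of argv (assumes the password contains no double quote). -f fails the
          # step on any 4xx/5xx (a 401 means the basic-auth middleware rejected the
          # probe), --max-time bounds a hung backend, and curl's default certificate
          # verification fails the step on a broken TLS chain.
          printf 'user = "admin:%s"\n' "$SMOKE_PASSWORD" \
            | curl --config - -fsS --max-time 20 -o /dev/null \
                -w 'healthz -> HTTP %{http_code}\n' \
                https://quartermaster.unbiasedgeek.com/healthz
```

Because every step runs on the deploy host itself, the only credentials the workflow needs are the two repo-scoped secrets; the docker socket mount is what grants the runner its deploy rights, so that runner should be dedicated to this host rather than shared with untrusted repositories.
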
Consumes the image from #28 with the platform-contract bindings:
/mnt/quartermaster -> /data, QUARTERMASTER_DB_URL with four slashes,
proxy-net external, Traefik routed on quartermaster.unbiasedgeek.com
through the platform-owned basicauth + ratelimit middlewares, and the
required tenant / project / managed_by / watchtower-disable labels
for host hygiene. Image tag is parameterised via QUARTERMASTER_TAG
so the Actions workflow (#30) can pin a specific SHA per deploy
without editing the checked-in file.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

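Worked example of a compose file that meets the platform contract listed above, added here as illustration; it is not the repository's checked-in file. Taken from the message: the `/mnt/quartermaster` to `/data` bind mount, the four-slash `QUARTERMASTER_DB_URL`, the external `proxy-net` network, the `quartermaster.unbiasedgeek.com` host rule, the `QUARTERMASTER_TAG` parameter and the label set. Assumed placeholders: the image path, the Traefik entrypoint `websecure`, the cert resolver `letsencrypt`, the middleware names `platform-basicauth@file` and `platform-ratelimit@file`, the uvicorn port 8000, the SQLite file name and the label values.

```yaml
# Added example, not the repository's compose file. Middleware, entrypoint,
# resolver, image path, port and label values are placeholders.
services:
  quartermaster:
    # QUARTERMASTER_TAG is exported by the deploy workflow (commit SHA);
    # "latest" is only the fallback for a manual `docker compose up` on the host.
    image: forgejo.example.invalid/unbiasedgeek/quartermaster:${QUARTERMASTER_TAG:-latest}
    restart: unless-stopped
    # Matches the image's USER; makes the ownership contract for the bind mount explicit.
    user: "1000:1000"
    environment:
      # Four slashes: "sqlite:///" followed by the absolute path "/data/quartermaster.db".
      QUARTERMASTER_DB_URL: sqlite:////data/quartermaster.db
    volumes:
      - /mnt/quartermaster:/data
    networks:
      - proxy-net
    labels:
      traefik.enable: "true"
      traefik.http.routers.quartermaster.rule: "Host(`quartermaster.unbiasedgeek.com`)"
      traefik.http.routers.quartermaster.entrypoints: websecure          # assumption
      traefik.http.routers.quartermaster.tls.certresolver: letsencrypt   # assumption
      # Platform-owned middlewares: auth first, then rate limiting; names are assumed.
      traefik.http.routers.quartermaster.middlewares: platform-basicauth@file,platform-ratelimit@file
      traefik.http.services.quartermaster.loadbalancer.server.port: "8000"  # assumption
      # Host-hygiene labels required by the platform (values are placeholders).
      tenant: example-tenant
      project: quartermaster
      managed_by: forgejo-actions
      # Watchtower opt-out: deploys are pinned by SHA from the workflow, so an
      # auto-updater pulling "latest" must not race it.
      com.centurylinklabs.watchtower.enable: "false"

networks:
  proxy-net:
    external: true
```

Keeping the router on the platform-owned middlewares rather than defining its own means the basic-auth user file and rate limits stay in one place; if this service declared its own `basicauth` middleware, a weaker password list here would silently override the platform's.
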
Produces a python:3.12-slim-bookworm image that runs migrations (with
the pre-upgrade backup hook) then uvicorn under uid/gid 1000:1000, as
required by the /mnt/quartermaster/ bind mount on the deploy host.
HEALTHCHECK hits /healthz; uvicorn is pointed at logconfig.json so
access logs land on stdout as JSON.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

CLAUDE.md states the durable rule: run scripts/backup-db.sh before
any schema change, data migration, or destructive DB operation. The
rule deliberately excludes routine app writes. README summarises
backup location, override env var, and restore procedure.
Refs #5
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>