本番デプロイ設定: SSL, Kamal, API環境変数化, テスト修正

config/credentials.yml.enc

@@ -1 +1 @@
-7mDalwYZdLi7w0m1MvGVhygx/O0YiNIiiVA+tj/LBukGJInb/cy6jHV7xg1oGIhzzQ1nl0sUbuMHtitmdkb6QWOUiSPAjkpiqfx5sbnE+5Q7U5CPjg0szp7CrNbBhL4ojibKYRPI5Js78x6eBSr9L1vmoWirFZS/ar3B2TwGQ0yNPxghxN7kQ0pEVoiFZUmuXmErih/nTUy5patG1zPPGsXUiAkMGYXztn6n+cIahX6lgFpV79HzI/c01VeMcOV/pZRs/RrQrzfTlnSX2UQlsHqLTQyXx4O6yDUNF8Mii7g6N57jyd26Osi5OIUAsBkrZOhfSSXmd3ceBlt+oSlMXtKaT+qfg+vywqI026eDlsKyEYbCyIaXp9kn+8VMaJcCI+qSGlewfxmxFKVgq7MyNDBrL1VM51UVO00s6cxXWUZ2W96t1SnLyVwcq/NIuhN530imvLvE6cAOAJJKgCfY1gEmUCZ3kuEMO64OSL5Ynm2wxyMF48cCJrxP--rN5KnyzLPaDv/sop--ouscdd1e738zVM6LolPIQA==
+NPIjsO0jVJUPWi47JkVirr7vs24Tgxo1+ZUhxCjTTtgGsZjXCHCP1agNcjl1MLlRzjy+2DZgbZuhLGbx33e7veoQ2YMz5kb+AZ7aMzkXla8+TZlqXWYBpQtx3yquV7c7SBHBRy+F+KkvLsyEinWDceoZ3O8kYeu3Fw3QsXBlKENHfDmNEnZ2csm9Yak+jpptNpe+kojuiT/r2F4cD5unOZu8VMluhcGLZ2n2dBev3wFQo/tUgK8CmkFhkd5vSjCFuBhbu6dqwq1jxTrtZdhTG/aia6/RuAnrm/S5MJdxNnXq3dHIa8Wrg0qKp0DBwXxy3okWrRPaPT5udUcZvRA+7DS+to4FnoJDTKI+VanWzOxIbBeqYB9W+kqjKJB1w2Ii2rUoTfSPK9GEcJSb0QI9UNa8Hdjdn/w9MSj9Bkm4LtZch5+HptwLtpZrrKmt4FEIeNhMsVulrbbCMcAANxTRqPxOSbL7Zr5OMMSB/9ReP+atU6u8miWMQkXg--T8JQCM/t7+czYn/u--J/FQEJ3U1dEPM67GCMxR9w==

config/deploy.yml

@@ -7,34 +7,25 @@ image: dip_front
 # Deploy to these servers.
 servers:
   web:
-    - 192.168.0.1
+    - 153.127.48.108
   # job:
   #   hosts:
-  #     - 192.168.0.1
+  #     - 153.127.48.108
   #   cmd: bin/jobs
 
 # Enable SSL auto certification via Let's Encrypt and allow for multiple apps on a single web server.
-# If used with Cloudflare, set encryption mode in SSL/TLS setting to "Full" to enable CF-to-app encryption.
-#
-# Using an SSL proxy like this requires turning on config.assume_ssl and config.force_ssl in production.rb!
-#
-# Don't use this when deploying to multiple web servers (then you have to terminate SSL at your load balancer).
-#
-# proxy:
-#   ssl: true
-#   host: app.example.com
+# Kamal Proxy will automatically obtain and renew SSL certificates.
+proxy:
+  ssl: true
+  host: diplo.kontei.net
 
 # Where you keep your container images.
+# Using a local registry on the VPS server.
 registry:
-  # Alternatives: hub.docker.com / registry.digitalocean.com / ghcr.io / ...
   server: localhost:5555
-
-  # Needed for authenticated registries.
-  # username: your-user
-
-  # Always use an access token rather than real password when possible.
-  # password:
-  #   - KAMAL_REGISTRY_PASSWORD
+  username: kamal
+  password:
+    - KAMAL_REGISTRY_PASSWORD
 
 # Inject ENV variables into containers (secrets come from .kamal/secrets).
 env:
@@ -51,9 +42,8 @@ env:
     # Set number of cores available to the application on each server (default: 1).
     # WEB_CONCURRENCY: 2
 
-    # Match this to any external database server to configure Active Record correctly
-    # Use dip_front-db for a db accessory server on same machine via local kamal docker network.
-    # DB_HOST: 192.168.0.2
+    # Diplomacy API URL (dip_api container accessible via Docker host network)
+    DIPLOMACY_API_URL: http://172.17.0.1:8000
 
     # Log everything from Rails
     # RAILS_LOG_LEVEL: debug
@@ -77,28 +67,20 @@ volumes:
 asset_path: /rails/public/assets
 
 # Configure the image builder.
+# Build on the remote VPS server to avoid insecure registry issues.
 builder:
   arch: amd64
+  remote: ssh://kontei@153.127.48.108
 
-  # # Build image via remote server (useful for faster amd64 builds on arm64 computers)
-  # remote: ssh://docker@docker-builder-server
-  #
-  # # Pass arguments and secrets to the Docker build process
-  # args:
-  #   RUBY_VERSION: 4.0.1
-  # secrets:
-  #   - GITHUB_TOKEN
-  #   - RAILS_MASTER_KEY
-
-# Use a different ssh user than root
-# ssh:
-#   user: app
+# Use a non-root ssh user
+ssh:
+  user: kontei
 
 # Use accessory services (secrets come from .kamal/secrets).
 # accessories:
 #   db:
 #     image: mysql:8.0
-#     host: 192.168.0.2
+#     host: 153.127.48.108
 #     # Change to 3306 to expose port to the world instead of just local network.
 #     port: "127.0.0.1:3306:3306"
 #     env:
@@ -113,7 +95,7 @@ builder:
 #       - data:/var/lib/mysql
 #   redis:
 #     image: valkey/valkey:8
-#     host: 192.168.0.2
+#     host: 153.127.48.108
 #     port: 6379
 #     directories:
 #       - data:/data

config/environments/production.rb

@@ -25,13 +25,13 @@ Rails.application.configure do
   config.active_storage.service = :local
 
   # Assume all access to the app is happening through a SSL-terminating reverse proxy.
-  # config.assume_ssl = true
+  config.assume_ssl = true
 
   # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
-  # config.force_ssl = true
+  config.force_ssl = true
 
   # Skip http-to-https redirect for the default health check endpoint.
-  # config.ssl_options = { redirect: { exclude: ->(request) { request.path == "/up" } } }
+  config.ssl_options = { redirect: { exclude: ->(request) { request.path == "/up" } } }
 
   # Log to STDOUT with the current request id as a default log tag.
   config.log_tags = [ :request_id ]
@@ -58,7 +58,7 @@ Rails.application.configure do
   # config.action_mailer.raise_delivery_errors = false
 
   # Set host to be used by links generated in mailer templates.
-  config.action_mailer.default_url_options = { host: "example.com" }
+  config.action_mailer.default_url_options = { host: "diplo.kontei.net" }
 
   # Specify outgoing SMTP server. Remember to add smtp/* credentials via bin/rails credentials:edit.
   # config.action_mailer.smtp_settings = {
@@ -80,11 +80,11 @@ Rails.application.configure do
   config.active_record.attributes_for_inspect = [ :id ]
 
   # Enable DNS rebinding protection and other `Host` header attacks.
-  # config.hosts = [
-  #   "example.com",     # Allow requests from example.com
-  #   /.*\.example\.com/ # Allow requests from subdomains like `www.example.com`
-  # ]
-  #
+  config.hosts = [
+    "diplo.kontei.net",
+    /.*\.kontei\.net/
+  ]
+
   # Skip DNS rebinding protection for the default health check endpoint.
-  # config.host_authorization = { exclude: ->(request) { request.path == "/up" } }
+  config.host_authorization = { exclude: ->(request) { request.path == "/up" } }
 end