lies-exposed · ascariandrea · Aug 22, 2025 · Aug 21, 2025 · Aug 21, 2025 · Aug 21, 2025
diff --git a/.github/actions/install-deps/action.yml b/.github/actions/install-deps/action.yml
@@ -10,10 +10,9 @@ inputs:
 runs:
   using: "composite"
   steps:
-
     - uses: actions/setup-node@v4
       with:
-        node-version: 23
+        node-version: 24
 
     - uses: pnpm/action-setup@v4
       name: Install pnpm

diff --git a/.github/workflows/deploy-alpha-admin-web.yml b/.github/workflows/deploy-alpha-admin-web.yml
@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        node-version: [23.x]
+        node-version: [24.x]
 
     steps:
       - uses: actions/checkout@v4
@@ -35,7 +35,7 @@ jobs:
         uses: docker/setup-buildx-action@v3
 
       - name: Update .env file for Admin WEB
-        run: cp ./services/admin-web/.env.alpha ./services/admin-web/.env
+        run: cp ./services/admin-web/.env.prod ./services/admin-web/.env
 
       - name: Build Admin WEB image
         uses: docker/build-push-action@v6

diff --git a/.github/workflows/deploy-alpha-ai-bot.yml b/.github/workflows/deploy-alpha-ai-bot.yml
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        node-version: [23.x]
+        node-version: [24.x]
 
     steps:
       - uses: actions/checkout@v4

diff --git a/.github/workflows/deploy-alpha-api.yml b/.github/workflows/deploy-alpha-api.yml
@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        node-version: [23.x]
+        node-version: [24.x]
 
     steps:
       - uses: actions/checkout@v4

diff --git a/.github/workflows/deploy-alpha-web.yml b/.github/workflows/deploy-alpha-web.yml
@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        node-version: [23.x]
+        node-version: [24.x]
 
     steps:
       - uses: actions/checkout@v4
@@ -35,7 +35,7 @@ jobs:
         uses: docker/setup-buildx-action@v3
 
       - name: Update .env file for WEB
-        run: cp ./services/web/.env.alpha ./services/web/.env
+        run: cp ./services/web/.env.prod ./services/web/.env
 
       - name: Build WEB image
         uses: docker/build-push-action@v6

diff --git a/.github/workflows/deploy-alpha-worker.yml b/.github/workflows/deploy-alpha-worker.yml
@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        node-version: [23.x]
+        node-version: [24.x]
 
     steps:
       - uses: actions/checkout@v4

diff --git a/.github/workflows/storybook-pull-request.yml b/.github/workflows/storybook-pull-request.yml
@@ -60,7 +60,7 @@ jobs:
           key: storybook-build
 
       - name: Type Check Storybook
-        run: pnpm storybook build
+        run: pnpm storybook typecheck
 
       - name: Build Storybook
         run: pnpm storybook build:app
diff --git a/.gitignore b/.gitignore
@@ -64,4 +64,9 @@ models
 
 # Docker deployment
 deploy/ai-bot-temp
-deploy/ai-bot.config.json
+deploy/ai-bot.config.json
+
+# Helm environment values
+helm/values.*.yaml
+helm/config/cloudflare
+helm/config/env
diff --git a/.nvmrc b/.nvmrc
@@ -1 +1 @@
-23
+24
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 
-FROM node:23-alpine AS base
+FROM node:24-alpine AS base
 
 ENV PNPM_HOME="/pnpm"
 ENV PATH="$PNPM_HOME:$PATH"

diff --git a/adminWeb.Dockerfile b/adminWeb.Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-FROM node:23-slim AS base
+FROM node:24-slim AS base
 
 ENV PNPM_HOME="/pnpm"
 ENV PATH="$PNPM_HOME:$PATH"

diff --git a/ai-bot.Dockerfile b/ai-bot.Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/lies-exposed/liexp-base:23-latest AS dev
+FROM ghcr.io/lies-exposed/liexp-base:24-latest AS dev
 
 WORKDIR /home/node
 
@@ -16,7 +16,7 @@ RUN --mount=type=cache,id=pnpm,target=/pnpm/store pnpm install --frozen-lockfile
 
 RUN pnpm packages:build
 
-FROM ghcr.io/lies-exposed/liexp-base:23-latest AS deps
+FROM ghcr.io/lies-exposed/liexp-base:24-latest AS deps
 
 WORKDIR /home/node
 
@@ -28,7 +28,7 @@ RUN pnpm add pdfjs-dist@^5 \
     puppeteer-extra-plugin-stealth@^2
 
 
-FROM ghcr.io/lies-exposed/liexp-base:23-latest AS build
+FROM ghcr.io/lies-exposed/liexp-base:24-latest AS build
 
 WORKDIR /home/node
 
@@ -51,7 +51,7 @@ RUN npx postject ai-bot NODE_SEA_BLOB ./build/ai-bot.blob \
 
 
 
-FROM ghcr.io/lies-exposed/liexp-base:23-latest AS production
+FROM ghcr.io/lies-exposed/liexp-base:24-latest AS production
 
 WORKDIR /home/node
 

diff --git a/api.Dockerfile b/api.Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/lies-exposed/liexp-base:23-latest AS dev
+FROM ghcr.io/lies-exposed/liexp-base:24-latest AS dev
 
 WORKDIR /usr/src/app
 
@@ -26,7 +26,7 @@ RUN --mount=type=cache,id=pnpm,target=/pnpm/store pnpm api fetch --prod
 
 RUN pnpm api --prod deploy --legacy /prod/api
 
-FROM ghcr.io/lies-exposed/liexp-base:23-pnpm-latest AS production
+FROM ghcr.io/lies-exposed/liexp-base:24-pnpm-latest AS production
 
 WORKDIR /prod/api
 

diff --git a/base.Dockerfile b/base.Dockerfile
@@ -1,4 +1,4 @@
-FROM node:23-alpine AS base
+FROM node:24-alpine AS base
 
 
 FROM base AS pnpm

diff --git a/compose.yml b/compose.yml
@@ -17,7 +17,7 @@ services:
       - reverseproxy
 
   fra1.space.liexp.dev:
-    image: minio/minio:latest
+    image: minio/minio:RELEASE.2024-08-03T04-33-23Z
     command: server --console-address ":9001" /data
     ports:
       - "127.0.0.1:9000:9000"

diff --git a/helm/Chart.yaml b/helm/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v2
+name: lies-exposed
+description: Development environment for Lies Exposed
+version: 0.1.0
+appVersion: "0.1.0"
+home: https://lies.exposed/
+maintainers:
+  - name: Andrea Ascari
+    email: [email protected]
diff --git a/helm/config/nginx/telegram-bot-api.conf b/helm/config/nginx/telegram-bot-api.conf
@@ -0,0 +1,87 @@
+# use $sanitized_request instead of $request to hide Telegram token
+log_format token_filter '$remote_addr - $remote_user [$time_local] '
+                        '"$sanitized_request" $status $body_bytes_sent '
+                        '"$http_referer" "$http_user_agent"';
+
+upstream telegram-bot-api-upstream {
+    server telegram-bot-api.prod.svc.cluster.local:8081;
+}
+
+server {
+    listen 9008;
+    server_name _;
+
+    chunked_transfer_encoding on;
+    proxy_connect_timeout 600;
+    proxy_send_timeout 600;
+    proxy_read_timeout 600;
+    send_timeout 600;
+    client_max_body_size 2G;
+    client_body_buffer_size 30M;
+    keepalive_timeout 0;
+
+    set $sanitized_request $request;
+    if ( $sanitized_request ~ (\w+)\s(\/bot\d+):[-\w]+\/(\S+)\s(.*) ) {
+        set $sanitized_request "$1 $2:<hidden-token>/$3 $4";
+    }
+
+    access_log /var/log/nginx/telegram-bot-api-access.log token_filter;
+    error_log /var/log/nginx/telegram-bot-api-error.log;
+
+    location ~* \/file\/bot\d+:(.*) {
+        rewrite ^/file\/bot[^/]+\/var\/lib\/telegram-bot-api(.*) /$1 break;
+        try_files $uri @files;
+    }
+
+    location / {
+        try_files $uri @api;
+    }
+
+    location @files {
+        rewrite //var/lib/telegram-bot-api/(.*)/(.*) $1 break;
+        root /var/lib/telegram-bot-api;
+        gzip on;
+        gzip_vary on;
+        gzip_proxied any;
+        gzip_comp_level 6;
+        gzip_buffers 64 8k;
+        gzip_http_version 1.1;
+        gzip_min_length 1100;
+    }
+
+    location @api {
+        proxy_pass http://telegram-bot-api-upstream;
+        proxy_redirect off;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Host $server_name;
+    }
+}
+
+# server {
+#     # Enable HTTP/2
+#     listen 443 ssl http2;
+#     listen [::]:443 ssl http2;
+#     server_name tg.lies.exposed;
+
+#     # Use the Let’s Encrypt certificates
+#     ssl_certificate /etc/letsencrypt/live/alpha.api.lies.exposed/fullchain.pem; # managed by Certbot
+#     ssl_certificate_key /etc/letsencrypt/live/alpha.api.lies.exposed/privkey.pem; # managed by Certbot
+
+#     # Include the SSL configuration from cipherli.st
+#     include /etc/nginx/snippets/ssl-params.conf;
+
+#     client_max_body_size 3G;
+
+#     location / {
+#         proxy_set_header X-Real-IP $remote_addr;
+#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#         proxy_pass http://127.0.0.1:8081/;
+#         proxy_ssl_session_reuse off;
+#         proxy_set_header Host $http_host;
+#         proxy_cache_bypass $http_upgrade;
+#         proxy_redirect off;
+#     }
+
+# }
diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl
@@ -0,0 +1,35 @@
+{{/*
+Function to parse .env file and output in yaml
+KEY_ENV1=VAL_ENV1      KEY_ENV1: base64(VAL_ENV1)
+KEY_ENV2=VAL_ENV2  =>  KEY_ENV2: base64(VAL_ENV2)
+KEY_ENV3=VAL_ENV3      KEY_ENV3: base64(VAL_ENV3)
+
+Usage: {{ tuple . "config/env/api.env" | include "env.parseFile" | indent 2}}
+
+*/}}
+
+{{- define "env.parseFile" -}}
+{{- $scope := index . 0 -}}
+{{- $filePath := index . 1 -}}
+
+{{- range $scope.Files.Lines $filePath -}}
+{{- $a := splitn "=" 2 . -}}
+{{- if $a._0 -}}
+{{ $a._0 }}: {{ $a._1 | quote }}
+{{ end -}}
+{{- end -}}
+
+{{- end -}}
+
+{{- define "common.labels" -}}
+{{- $scope := index . 0 -}}
+{{- $lies_exposed_name := index . 1 -}}
+{{- $component := index . 2 -}}
+labels:
+  lies.exposed/name: {{ $lies_exposed_name | quote }}
+  app.kubernetes.io/instance: {{ $scope.Release.Name | quote }}
+  app.kubernetes.io/namespace: {{ $scope.Release.Namespace | quote }}
+  app.kubernetes.io/component: {{ $component | quote }}
+  app.kubernetes.io/part-of: lies-exposed
+  app.kubernetes.io/managed-by: Helm
+{{- end -}}
diff --git a/helm/templates/network/external/_external-dns.yaml b/helm/templates/network/external/_external-dns.yaml
@@ -0,0 +1,44 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: external-dns
+  labels:
+    lies.exposed/name: external-dns
+    app.kubernetes.io/instance: {{ .Release.Name | quote }}
+    app.kubernetes.io/namespace: {{ .Release.Namespace | quote }}
+spec:
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: external-dns
+  template:
+    metadata:
+      labels:
+        app: external-dns
+    spec:
+      containers:
+        - name: external-dns
+          image: registry.k8s.io/external-dns/external-dns:v0.18.0
+          args:
+            - --source=ingress # ingress is also possible
+            - "--domain-filter={{ .Values.domain }}" # (optional) limit to only example.com domains; change to match the zone created above.
+            - --provider=cloudflare
+            - --cloudflare-proxied # (optional) enable the proxy feature of Cloudflare (DDOS protection, CDN...)
+            - --cloudflare-dns-records-per-page=5000 # (optional) configure how many DNS records to fetch per request
+            # - --cloudflare-regional-services # (optional) enable the regional hostname feature that configure which region can decrypt HTTPS requests
+            # - --cloudflare-region-key="eu" # (optional) configure which region can decrypt HTTPS requests
+            # - --cloudflare-record-comment="provisioned by external-dns" # (optional) configure comments for provisioned records; <=100 chars for free zones; <=500 chars for paid zones
+            # - "--godaddy-api-key={{ .Values.externalDNS.apiKey }}"
+            # - "--godaddy-api-secret={{ .Values.externalDNS.secretKey }}"
+            - --policy=sync
+            - --registry=txt
+            - --log-level=debug
+            - --txt-owner-id='default'
+            # - --dry-run
+          env:
+            - name: CF_API_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: cloudflare-api-token
+                  key: apiToken
diff --git a/helm/templates/network/external/cf-token.secret.yaml b/helm/templates/network/external/cf-token.secret.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudflare-api-token
+  namespace: {{ .Release.Namespace }}
+  labels:
+    lies.exposed/name: cloudflare-api-token
+    app.kubernetes.io/instance: {{ .Release.Name | quote }}
+    app.kubernetes.io/namespace: {{ .Release.Namespace | quote }}
+    app.kubernetes.io/managed-by: Helm
+type: Opaque
+data:
+{{ if .Files.Get "config/cloudflare/token.txt" }}
+  apiToken: {{ .Files.Get "config/cloudflare/token.txt" | b64enc }}
+{{ else }}
+{{ fail "you need to supply your license file! add 'config/cloudflare/token.txt' to your chart 'config' directory." }}
+{{ end }}