.gitea/workflows/cleanup-branch.yaml

@@ -0,0 +1,21 @@
+name: Clean up branch.dsv.su.se
+on:
+  pull_request:
+    types:
+      - closed
+jobs:
+  Cleanup-branch:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate mangled vhost name
+        id: mangled-name
+        run: |
+          MANGLED_BRANCH_NAME="$(echo ${{ gitea.headref}} | sed -r -e 's%/%-%g' -e 's/[^0-9a-z\-]//g')"
+          echo $MANGLED_BRANCH_NAME
+          echo "MANGLED_NAME=$MANGLED_BRANCH_NAME" >> "$GITHUB_OUTPUT"
+      - name: Set up SSH key
+        run: |
+          echo "${{ secrets.BRANCH_CLEANUP_KEY }}" >> ssh_key
+          chmod 0600 ssh_key
+      - name: Execute clean up script
+        run: echo "${{ gitea.serverurl }}/${{ gitea.repository }}.git ${{ gitea.headref }} ${{ steps.mangled-name.outputs.MANGLED_NAME }}" | ssh -o StrictHostKeyChecking=accept-new -i ssh_key branch.dsv.su.se

.gitea/workflows/deploy-branch.yaml

@@ -0,0 +1,37 @@
+name: Deploy to branch.dsv.su.se
+on:
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - ready_for_review
+jobs:
+  Deploy-branch:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate mangled vhost name
+        id: mangled-name
+        run: |
+          MANGLED_BRANCH_NAME="$(echo ${{ gitea.headref}} | sed -r -e 's%/%-%g' -e 's/[^0-9a-z\-]//g')"
+          echo $MANGLED_BRANCH_NAME
+          echo "MANGLED_NAME=$MANGLED_BRANCH_NAME" >> "$GITHUB_OUTPUT"
+      - name: Set up SSH key
+        run: |
+          echo "${{ secrets.BRANCH_DEPLOY_KEY }}" >> ssh_key
+          chmod 0600 ssh_key
+      - name: Execute deploy script
+        run: echo "${{ gitea.serverurl }}/${{ gitea.repository }}.git ${{ gitea.headref }} ${{ steps.mangled-name.outputs.MANGLED_NAME }}" | ssh -o StrictHostKeyChecking=accept-new -i ssh_key branch.dsv.su.se
+      - name: Post URL to deployment as comment
+        uses: actions/github-script@v7
+        env:
+          MANGLED_BRANCH_NAME: ${{ steps.mangled-name.outputs.MANGLED_NAME }}
+        with:
+          script: |
+            const repositoryName = context.repo.repo;
+            const mangledBranchName = process.env.MANGLED_BRANCH_NAME;
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: `https://${repositoryName}-${mangledBranchName}.branch.dsv.su.se`
+            })

Dockerfile

@@ -17,3 +17,5 @@ FROM tomcat:10-jdk21-openjdk-bookworm as run
 LABEL authors="thuning"
 
 COPY --from=build /build/target/*.war /usr/local/tomcat/webapps/ROOT.war
+
+EXPOSE 8080

docker-compose-branch.yml

@@ -0,0 +1,57 @@
+services:
+  whisper-api:
+    build:
+      context: .
+    environment:
+      - DBHOST=jdbc:mariadb://whisper-api-db:3306/whisper_api
+      - DBUSER=root
+      - DBPASS=mariadb
+      - OAUTH2_CLIENT_ID=whisper-frontend
+      - OAUTH2_CLIENT_SECRET=s3cr3t
+      - OAUTH2_AUTH_URI=https://oauth2-${VHOST}/authorize
+      - OAUTH2_TOKEN_URI=https://oauth2-${VHOST}/exchange
+      - OAUTH2_USER_INFO_URI=https://oauth2-${VHOST}/verify
+    depends_on:
+      - whisper-api-db
+      - whisper-api-oauth2
+    networks:
+      - whisper-network
+      - traefik
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}.rule=Host(`${VHOST}`)"
+      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}.entrypoints=secure"
+      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencrypt"
+
+  whisper-api-db:
+    image: mariadb
+    restart: on-failure
+    networks:
+      - whisper-network
+    environment:
+      - MARIADB_ROOT_PASSWORD=mariadb
+      - MARIADB_DATABASE=whisper_api
+      - MYSQL_ROOT_HOST=%
+
+  whisper-api-oauth2:
+    build:
+      context: https://github.com/dsv-su/toker.git
+      dockerfile: embedded.Dockerfile
+    restart: on-failure
+    networks:
+      - traefik
+    environment:
+      CLIENT_ID: whisper-frontend
+      CLIENT_SECRET: s3cr3t
+      CLIENT_REDIRECT_URI: https://${VHOST}/login/oauth2/code/su
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}-oauth2.rule=Host(`oauth2-${VHOST}`)"
+      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}-oauth2.entrypoints=secure"
+      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}-oauth2.tls.certresolver=letsencrypt"
+
+networks:
+  whisper-network:
+  traefik:
+    name: traefik
+    external: true

src/main/java/se/su/dsv/whisperapi/WhisperApiApplication.java

@@ -3,13 +3,16 @@ package se.su.dsv.whisperapi;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.core.annotation.Order;
+import org.springframework.core.Ordered;
 import org.springframework.jdbc.core.simple.JdbcClient;
 import org.springframework.scheduling.annotation.EnableScheduling;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.web.filter.ForwardedHeaderFilter;
 import se.su.dsv.whisperapi.core.TranscriptionRepository;
 import se.su.dsv.whisperapi.core.TranscriptionService;
 
@@ -22,6 +25,13 @@ public class WhisperApiApplication {
         SpringApplication.run(WhisperApiApplication.class, args);
     }
 
+    @Bean
+    public FilterRegistrationBean<ForwardedHeaderFilter> forwardedHeaderFilter() {
+        var filterRegistrationBean = new FilterRegistrationBean<>(new ForwardedHeaderFilter());
+        filterRegistrationBean.setOrder(Ordered.HIGHEST_PRECEDENCE);
+        return filterRegistrationBean;
+    }
+
     @Bean
     @Order(1)
     public SecurityFilterChain apiSecurity(HttpSecurity http) throws Exception {