DEV Community: shape93 The latest articles on DEV Community by shape93 (@shape93). https://dev.to/shape93 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F852600%2Fbe654915-b95a-4729-987f-f8b99fb786db.jpeg DEV Community: shape93 https://dev.to/shape93 en Automating Docker Deployments with GitHub Actions, Cloudflare Tunnels, and Portainer shape93 Wed, 23 Apr 2025 10:30:18 +0000 https://dev.to/shape93/automating-docker-deployments-with-github-actions-cloudflare-tunnels-and-portainer-2phm https://dev.to/shape93/automating-docker-deployments-with-github-actions-cloudflare-tunnels-and-portainer-2phm <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4wquvsjevpzketa524cy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4wquvsjevpzketa524cy.png" alt="Image description" width="800" height="353"></a><br> During these Easter holidays, I found myself debating whether to experiment with my self-hosted home lab setup. Spoiler alert: I did.<br><br> When I started this journey years ago, the possibilities seemed endless—even without top-tier hardware. But as my Docker services multiplied, managing them became messy. Without proper version control, backups, and orchestration, things spiraled quickly. Enter <strong>webhook-driven deployments</strong>—a flexible approach using GitHub Actions, Cloudflare Tunnels, and Portainer. Let’s dive in!</p> <h2> ⚠️ Disclaimers </h2> <ol> <li> <strong>Cloudflare Tunnels</strong>: This guide assumes you’ve already set up Cloudflare Tunnels to expose services remotely. </li> <li> <strong>Portainer Business Edition</strong>: Required for GitOps/webhook features. You can <a href="https://www.portainer.io/take-3" rel="noopener noreferrer">get a free license</a> for small setups (up to 3 nodes).</li> </ol> <h2> Step 1: Setting Up the GitHub Repository </h2> <p>Start by creating a GitHub repository (private or public—sensitive data will use secrets). Clone it locally or use GitHub Codespaces for editing.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fttdx05idl7ptetsbxdk9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fttdx05idl7ptetsbxdk9.png" alt="Repo setup" width="629" height="255"></a></p> <h3> Example <code>docker-compose.yml</code> (Paperless-ngx) </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">broker</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">redis:7</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">redisdata:/data</span> <span class="na">db</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">postgres:15</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/mnt/sdb1/paperless-new/db:/var/lib/postgresql/data</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">POSTGRES_DB</span><span class="pi">:</span> <span class="s">paperless</span> <span class="na">POSTGRES_USER</span><span class="pi">:</span> <span class="s">paperless</span> <span class="na">POSTGRES_PASSWORD</span><span class="pi">:</span> <span class="s">paperless</span> <span class="na">webserver</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">ghcr.io/paperless-ngx/paperless-ngx:latest</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">db</span> <span class="pi">-</span> <span class="s">broker</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8000:8000"</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">curl"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-fs"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-S"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">--max-time"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">2"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">http://localhost:8000"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">5</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/mnt/sdb1/paperless-new/data:/usr/src/paperless/data</span> <span class="pi">-</span> <span class="s">/mnt/sdb1/paperless-new/media:/usr/src/paperless/media</span> <span class="pi">-</span> <span class="s">/mnt/sdb1/export:/usr/src/paperless/export</span> <span class="na">env_file</span><span class="pi">:</span> <span class="s">stack.env</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">PAPERLESS_REDIS</span><span class="pi">:</span> <span class="s">redis://broker:6379</span> <span class="na">PAPERLESS_DBHOST</span><span class="pi">:</span> <span class="s">db</span> <span class="na">volumes</span><span class="pi">:</span> <span class="na">redisdata</span><span class="pi">:</span> </code></pre> </div> <h2> Step 2: GitHub Authentication for Portainer </h2> <h3> Create a GitHub Personal Access Token </h3> <ol> <li>Navigate to <strong><a href="https://github.com/settings/tokens/new" rel="noopener noreferrer">GitHub Tokens</a></strong>. </li> <li>Name the token (e.g., <code>Portainer-GitOps</code>) and set expiration. </li> <li>Grant <strong>repo</strong> permissions (read/write for private repos). <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhlzxk8gg87x0xjivugsi.png" alt="GitHub token permissions" width="764" height="541"> </li> <li> <strong>Copy the token</strong>—you’ll need it for Portainer.</li> </ol> <h2> Step 3: Configuring Portainer Stack </h2> <ol> <li>In Portainer, navigate to <strong>Stacks</strong> &gt; <strong>Add Stack</strong>. </li> <li>Under <strong>Build Method</strong>, select <strong>Repository</strong>. </li> <li>Enable authentication and input: <ul> <li> <strong>Username</strong>: Your GitHub handle </li> <li> <strong>Password</strong>: The token from Step 2 </li> </ul> </li> <li>Configure GitOps: <ul> <li> <strong>Repository URL</strong>: <code>https://github.com/your-username/repo-name</code> </li> <li> <strong>Compose Path</strong>: <code>docker-compose.yml</code> (adjust if needed) </li> <li> <strong>Enable Automatic Updates</strong>: Toggle <strong>Webhook</strong> </li> <li>Enable <strong>Re-pull image</strong> and <strong>Redeploy when changes are pulled</strong> </li> </ul> </li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvelozysjxqdtogxg1ssz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvelozysjxqdtogxg1ssz.png" alt="Portainer stack setup" width="800" height="468"></a></p> <ol> <li>Add environment variables (e.g., worker counts): </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> PAPERLESS_WEBSERVER_WORKERS=1 PAPERLESS_TASK_WORKERS=1 </code></pre> </div> <ol> <li>Deploy the stack!</li> </ol> <h2> Step 4: Cloudflare Tunnel Service Token </h2> <ol> <li>In <strong><a href="https://one.dash.cloudflare.com" rel="noopener noreferrer">Cloudflare Zero Trust</a></strong>, go to <strong>Access</strong> &gt; <strong>Service Auth</strong>. </li> <li>Create a new <strong>Service Token</strong>. Note the <strong>Client ID</strong> and <strong>Secret</strong>. </li> <li>Edit your Portainer application under <strong>Applications</strong>: <ul> <li>Add a <strong>Bypass</strong> policy tied to the service token. <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb4vadpwxa2mcljzbuasu.png" alt="Cloudflare policy setup" width="631" height="230"> </li> </ul> </li> </ol> <h2> Step 5: GitHub Actions Workflow </h2> <h3> Configure Secrets in GitHub </h3> <p>Under repo <strong>Settings</strong> &gt; <strong>Secrets</strong> &gt; <strong>Actions</strong>, add: </p> <ul> <li> <code>PORTAINER_WEBHOOK_URL</code>: From Portainer’s webhook setup </li> <li> <code>CF_ACCESS_CLIENT_ID</code>: Cloudflare Service Token Client ID </li> <li> <code>CF_ACCESS_CLIENT_SECRET</code>: Cloudflare Service Token Secret </li> </ul> <h3> Create the Workflow File </h3> <p>Add <code>.github/workflows/deploy.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Update Portainer Stack</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="c1"># Manual trigger</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">update-stack</span><span class="pi">:</span> <span class="c1"># Only run if commit message contains [deploy]</span> <span class="na">if</span><span class="pi">:</span> <span class="s">contains(github.event.head_commit.message, '[deploy]')</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Trigger Portainer Webhook</span> <span class="na">env</span><span class="pi">:</span> <span class="na">PORTAINER_WEBHOOK_URL</span><span class="pi">:</span> <span class="s">${{ secrets.PORTAINER_WEBHOOK_URL }}</span> <span class="na">CF_ACCESS_CLIENT_ID</span><span class="pi">:</span> <span class="s">${{ secrets.CF_ACCESS_CLIENT_ID }}</span> <span class="na">CF_ACCESS_CLIENT_SECRET</span><span class="pi">:</span> <span class="s">${{ secrets.CF_ACCESS_CLIENT_SECRET }}</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">curl -X POST "$PORTAINER_WEBHOOK_URL" \</span> <span class="s">-H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \</span> <span class="s">-H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET"</span> </code></pre> </div> <h2> Step 6: Testing the Pipeline </h2> <ol> <li>Commit changes with <code>[deploy]</code> in the message: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> git commit <span class="nt">-m</span> <span class="s2">"chore: update compose [deploy]"</span> </code></pre> </div> <ol> <li>Push to trigger the action: <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fodbxohgue7tzuvsl13kg.png" alt="GitHub Actions success" width="800" height="84"> </li> </ol> <p>Portainer will now redeploy your stack automatically! Failed deployments roll back gracefully, and you can reuse the repo as a template for future projects.</p> <h2> Final Thoughts </h2> <p>This setup brings GitOps practices to self-hosting—version control, CI/CD, and secure access. Suggestions? Let me know! 🚀</p>