[codex] Prepare EC2 hosting

ontime-back/Dockerfile

@@ -1,4 +1,4 @@
-FROM eclipse-temurin:17-jdk
+FROM eclipse-temurin:17-jre
 RUN apt-get update && \
     apt-get install -y tzdata && \
     ln -snf /usr/share/zoneinfo/Asia/Seoul /etc/localtime && \
@@ -7,4 +7,4 @@ RUN apt-get update && \
     rm -rf /var/lib/apt/lists/*
 WORKDIR /app
 COPY project.jar app.jar
-ENTRYPOINT ["java", "-jar", "/app/app.jar"]
+ENTRYPOINT ["java", "-jar", "/app/app.jar"]

ontime-back/EC2_DEPLOY.md

@@ -0,0 +1,60 @@
+# EC2 Deployment
+
+This service deploys to Amazon EC2 through `.github/workflows/deploy.yml`.
+
+## How to Deploy
+
+1. Make sure the EC2 instance has Docker installed and the security group allows inbound traffic for the service port, currently `8080`.
+2. Add the required GitHub Actions secrets listed below.
+3. Run the `Deploy` workflow manually from GitHub Actions, or push to the `deploy` branch.
+
+The workflow builds the Spring Boot jar, creates deploy-only config files from GitHub Secrets, uploads them to `/home/ubuntu/OnTime-back`, and restarts Docker Compose on the EC2 instance.
+
+## Required EC2 Secrets
+
+- `EC2_HOST`
+- `EC2_USER`
+- `EC2_SSH_KEY`
+
+## Required Application Secrets
+
+- `SPRING_APPLICATION_NAME`
+- `SPRING_DATASOURCE_URL`
+- `SPRING_DATASOURCE_USERNAME`
+- `SPRING_DATASOURCE_PASSWORD`
+- `SPRING_DATASOURCE_DRIVER_CLASS_NAME`
+- `SPRING_JPA_HIBERNATE_DDL_AUTO`
+- `JWT_SECRETKEY`
+- `JWT_ACCESS_EXPIRATION`
+- `JWT_REFRESH_EXPIRATION`
+- `JWT_ACCESS_HEADER`
+- `JWT_REFRESH_HEADER`
+- `GOOGLE_WEB_CLIENT_ID`
+- `GOOGLE_APP_CLIENT_ID`
+- `APPLE_CLIENT_ID`
+- `APPLE_LOGIN_KEY`
+- `APPLE_TEAM_ID`
+- `AUTHKEY_743M7R5W3W`
+- `SPRING_FLYWAY_URL`
+- `SPRING_FLYWAY_USER`
+- `SPRING_FLYWAY_PASSWORD`
+- `ONTIME_PUSH_FIREBASE_ADMINSDK`
+
+## Optional Secrets
+
+- `SPRING_JPA_DATABASE_PLATFORM` defaults to `org.hibernate.dialect.MySQL8Dialect`.
+- `FEATURE_APPLE_LOGIN_ENABLED` defaults to `true`.
+- Google and Kakao OAuth provider/registration secrets are included by the workflow when configured.
+
+## Runtime Files on EC2
+
+The deploy workflow writes these files under `/home/ubuntu/OnTime-back`:
+
+- `project.jar`
+- `Dockerfile`
+- `docker-compose.yml`
+- `config/application.properties`
+- `secrets/firebase-adminsdk.json`
+- `secrets/AuthKey_743M7R5W3W.p8`
+
+Do not commit local `application.properties`, Firebase service account JSON, Apple `.p8` keys, or `.env` files.

ontime-back/docker-compose.yml

@@ -1,15 +1,14 @@
-version: "3.8"
-
 services:
   backend:
     build:
       context: .
-      dockerfile: Dockerfile # Dockerfile 이름
-    image: ontimedemo # 빌드된 백엔드 이미지
-    container_name: ontime-container
+      dockerfile: Dockerfile
+    image: ontime-backend
+    container_name: ontime-backend
+    restart: unless-stopped
     ports:
       - "8080:8080"
-      - "8443:8443"
     volumes:
-      - /home/ubuntu/OnTime-back/ontime-back/src/main/resources/:/app/src/main/resources/
-      - /home/ubuntu/OnTime-back/ontime-back/src/main/resources/key/:/app/resources/key/
+      - ./config/application.properties:/app/config/application.properties:ro
+      - ./secrets/firebase-adminsdk.json:/app/secrets/firebase-adminsdk.json:ro
+      - ./secrets/AuthKey_743M7R5W3W.p8:/app/secrets/AuthKey_743M7R5W3W.p8:ro

ontime-back/src/main/java/devkor/ontime_back/config/FirebaseInitialization.java

@@ -4,6 +4,7 @@
 import com.google.firebase.FirebaseApp;
 import com.google.firebase.FirebaseOptions;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Service;
 
 import javax.annotation.PostConstruct;
@@ -13,23 +14,38 @@
 import java.io.InputStream;
 
 @Service
+@Slf4j
 public class FirebaseInitialization {
 
+    private static final String DEFAULT_FIREBASE_RESOURCE = "ontime-c63f1-firebase-adminsdk-fbsvc-a043cdc829.json";
+
+    @Value("${firebase.service-account.path:}")
+    private String serviceAccountPath;
+
     @PostConstruct
     public void initialize() {
-        try {
-            InputStream serviceAccount = getClass().getClassLoader().getResourceAsStream("ontime-c63f1-firebase-adminsdk-fbsvc-a043cdc829.json");
-            if (serviceAccount == null) {
-                throw new FileNotFoundException("Resource not found: ontime-c63f1-firebase-adminsdk-fbsvc-a043cdc829.json");
-            }
-
+        try (InputStream serviceAccount = openServiceAccount()) {
             FirebaseOptions options = new FirebaseOptions.Builder()
                     .setCredentials(GoogleCredentials.fromStream(serviceAccount))
                     .build();
 
-            FirebaseApp.initializeApp(options);
+            if (FirebaseApp.getApps().isEmpty()) {
+                FirebaseApp.initializeApp(options);
+            }
         } catch (IOException e) {
-            e.printStackTrace();
+            log.error("Failed to initialize Firebase", e);
+        }
+    }
+
+    private InputStream openServiceAccount() throws IOException {
+        if (serviceAccountPath != null && !serviceAccountPath.isBlank()) {
+            return new FileInputStream(serviceAccountPath);
+        }
+
+        InputStream serviceAccount = getClass().getClassLoader().getResourceAsStream(DEFAULT_FIREBASE_RESOURCE);
+        if (serviceAccount == null) {
+            throw new FileNotFoundException("Resource not found: " + DEFAULT_FIREBASE_RESOURCE);
         }
+        return serviceAccount;
     }
 }

ontime-back/src/main/java/devkor/ontime_back/global/oauth/apple/AppleLoginService.java

@@ -187,7 +187,6 @@ public AppleTokenResponseDto getAppleAccessTokenAndRefreshToken(String authCode)
         String clientSecret = generateClientSecret();
         log.info("getAppleAccessTokenAndRefreshToken");
         log.info("client_id: {}", clientId);
-        log.info("client_secret: {}", clientSecret);
         MultiValueMap<String, String> requestBody = new LinkedMultiValueMap<>();
         requestBody.add("grant_type", "authorization_code");
         requestBody.add("code", authCode);
@@ -270,4 +269,3 @@ public boolean revokeToken(Long userId) throws Exception {
         }
     }
 }
-