First attempt at new AMI build

This commit is contained in:
Radon Rosborough 2021-07-04 03:29:02 +00:00
parent 130fb8b34c
commit 2062bfecdb
10 changed files with 22 additions and 167 deletions


@ -230,6 +230,11 @@ config: # Generate deployment config file
deploy: # Upload deployment config to S3
aws s3 cp $(BUILD)/config.json $(S3_CONFIG)
### Infrastructure
packer: supervisor # Build and publish a new AMI
tools/packer-build.bash
### Miscellaneous
## Run this every time you update .gitignore or .dockerignore.in.
@ -243,7 +248,7 @@ dockerignore: # Update .dockerignore from .gitignore and .dockerignore.in
## opposed to through the Makefile.
env: # Run shell with .env file loaded and $PATH fixed
exec bash --rcfile <(cat ~/.bashrc - <<< 'PS1="[.env] $$PS1"')
exec bash
tmux: # Start or attach to tmux session
MAKELEVEL= tmux attach || MAKELEVEL= tmux new-session -s tmux
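Review bot: The new `packer` target at line 15 has the same name as the `packer/` directory that `tools/packer-build.bash` changes into, so unless it is declared phony (no `.PHONY` line is visible in this hunk) Make will treat the existing directory as the target and decide whether to run the recipe from the directory's mtime relative to `supervisor`. Add it to the file's `.PHONY` list, or if there is none, `.PHONY: packer` next to the rule, so the AMI build runs every time it is requested. The `env` recipe change at lines 22-23 also drops the `[.env]` prompt marker; presumably intentional, but the comment above it still describes a shell "with .env file loaded", so adjust the comment if the behaviour has changed.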


@ -1,8 +1,6 @@
{
"variables": {
"admin_password": "{{env `ADMIN_PASSWORD`}}",
"admin_ssh_public_key_file": "{{env `ADMIN_SSH_PUBLIC_KEY_FILE`}}",
"deploy_ssh_public_key_file": "{{env `DEPLOY_SSH_PUBLIC_KEY_FILE`}}"
"admin_password": "{{env `ADMIN_PASSWORD`}}"
},
"builders": [
{
@ -11,7 +9,7 @@
"filters": {
"virtualization-type": "hvm",
"root-device-type": "ebs",
"name": "ubuntu/images/hvm-ssd/ubuntu-groovy-20.10-amd64-server-*"
"name": "ubuntu/images/hvm-ssd/ubuntu-*-21.04-amd64-server-*"
},
"owners": ["099720109477"],
"most_recent": true
@ -22,20 +20,6 @@
}
],
"provisioners": [
{
"type": "shell",
"script": "validate.bash",
"environment_vars": [
"ADMIN_PASSWORD={{user `admin_password`}}",
"ADMIN_SSH_PUBLIC_KEY_FILE={{user `admin_ssh_public_key_file`}}",
"DEPLOY_SSH_PUBLIC_KEY_FILE={{user `deploy_ssh_public_key_file`}}"
]
},
{
"type": "file",
"source": "riju",
"destination": "/tmp/riju"
},
{
"type": "file",
"source": "riju-init-volume",
@ -43,29 +27,14 @@
},
{
"type": "file",
"source": "riju-deploy",
"destination": "/tmp/riju-deploy"
},
{
"type": "file",
"source": "riju-install-certbot-hooks",
"destination": "/tmp/riju-install-certbot-hooks"
"source": "../supervisor/out/riju-supervisor",
"destination": "/tmp/riju-supervisor"
},
{
"type": "file",
"source": "riju.service",
"destination": "/tmp/riju.service"
},
{
"type": "file",
"source": "{{user `admin_ssh_public_key_file`}}",
"destination": "/tmp/id_admin.pub"
},
{
"type": "file",
"source": "{{user `deploy_ssh_public_key_file`}}",
"destination": "/tmp/id_deploy.pub"
},
{
"type": "shell",
"script": "provision.bash",
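Review bot: `admin_password` is still read from the environment at line 35 as an ordinary user variable, and Packer prints user variables in its build output and debug/crash logs; add the template-level `"sensitive-variables": ["admin_password"]` so it is redacted. The removed `validate.bash` provisioner at lines 52-60 was the only provisioner visible here that exported `ADMIN_PASSWORD` into the guest; the `provision.bash` provisioner starting at line 99 continues past the hunk, so confirm it still passes the variable through `environment_vars`, otherwise the new `: ${ADMIN_PASSWORD}` guard in provision.bash will fail the build only after the instance has been launched. The source-AMI filter change at line 44 keeps `owners` pinned to Canonical, which is what prevents the widened `ubuntu-*` glob from matching a look-alike image.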


@ -2,6 +2,8 @@
set -euo pipefail
: ${ADMIN_PASSWORD}
mkdir /tmp/riju-work
pushd /tmp/riju-work
@ -27,40 +29,16 @@ wget -nv https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip -O awscli.zip
unzip -q awscli.zip
sudo ./aws/install
sudo chown root:root /tmp/riju /tmp/riju-deploy /tmp/riju.service
sudo mv /tmp/riju /tmp/riju-deploy /tmp/riju-init-volume /tmp/riju-install-certbot-hooks /usr/local/bin/
sudo chown root:root /tmp/riju-init-volume /tmp/riju-supervisor /tmp/riju.service
sudo mv /tmp/riju-init-volume /tmp/riju-supervisor /usr/local/bin/
sudo mv /tmp/riju.service /etc/systemd/system/
for user in admin deploy; do
if ! grep -vq "PRIVATE KEY" "/tmp/id_${user}.pub"; then
echo "${user} public key was set to a private key, aborting" >&2
exit 1
fi
IFS=" " read contents < "/tmp/id_${user}.pub"
echo "${contents}" > "/tmp/id_${user}.pub"
done
sudo sed -Ei 's/^#?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sed -Ei 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo sed -Ei 's/^#?PermitEmptyPasswords .*/PermitEmptyPasswords no/' /etc/ssh/sshd_config
sudo passwd -l root
sudo useradd admin -g admin -G sudo -s /usr/bin/bash -p "$(echo "${ADMIN_PASSWORD}" | mkpasswd -s)" -m
sudo useradd deploy -s /usr/bin/bash -p "!" -m
for user in admin deploy; do
sudo runuser -u "${user}" -- mkdir -p "/home/${user}/.ssh"
sudo mv "/tmp/id_${user}.pub" "/home/${user}/.ssh/authorized_keys"
sudo chown -R "${user}:${user}" "/home/${user}/.ssh"
sudo chmod -R go-rwx "/home/${user}/.ssh"
done
sudo runuser -u deploy -- sed -i 's/^/command="sudo riju-deploy ${SSH_ORIGINAL_COMMAND}",restrict /' /home/deploy/.ssh/authorized_keys
sudo tee /etc/sudoers.d/riju >/dev/null <<"EOF"
deploy ALL=(root) NOPASSWD: /usr/local/bin/riju-deploy
EOF
sudo hostnamectl set-hostname riju
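Review bot: With the admin/deploy key installation removed (lines 117-137) the image no longer installs any `authorized_keys`, yet line 126 still sets `PasswordAuthentication no`, so the sudo-capable `admin` account created at line 129 cannot be reached over SSH at all; the only remaining login path is presumably the distro's default `ubuntu` user with the instance key pair, which should be stated in a comment if intended, or an `authorized_keys` step re-added if not. Separately, `mkpasswd -s` at line 129 uses whatever hash method the installed `whois` build defaults to (historically DES crypt); pin it, `-p "$(echo "${ADMIN_PASSWORD}" | mkpasswd -s -m sha-512)"`, so the stored hash strength does not depend on the base AMI's package version. The uploaded `riju-supervisor` binary is chowned at line 114 but its mode is whatever the local build produced; add `sudo chmod 755 /tmp/riju-init-volume /tmp/riju-supervisor` before the move at line 115.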


@ -1,44 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
domain="$(ls /etc/letsencrypt/live | grep -v README | head -n1)" || true
if [[ -n "${DISABLE_TLS:-}" ]]; then
echo "Disabling TLS due to DISABLE_TLS=${DISABLE_TLS}" >&2
elif [[ -z "${domain}" ]]; then
echo "No certs installed in /etc/letsencrypt/live, disabling TLS" >&2
else
echo "Detected cert for domain: ${domain}, enabling TLS" >&2
export TLS=1
TLS_PRIVATE_KEY="$(base64 "/etc/letsencrypt/live/${domain}/privkey.pem")"
TLS_CERTIFICATE="$(base64 "/etc/letsencrypt/live/${domain}/fullchain.pem")"
export TLS_PRIVATE_KEY TLS_CERTIFICATE
if [[ "${domain}" == riju.codes ]]; then
echo "Domain is riju.codes, enabling analytics" >&2
export ANALYTICS=1
else
echo "Domain is not riju.codes, disabling analytics" >&2
fi
fi
if [[ -n "${DETACH:-}" ]]; then
extra_args="-d"
elif [[ -t 1 ]]; then
extra_args="-it"
else
extra_args=
fi
port_args="${PORT_MAPPING:--p 0.0.0.0:80:6119 -p 0.0.0.0:443:6120}"
image_name="${IMAGE_NAME:-riju:app}"
container_name="${CONTAINER_NAME:-riju-prod}"
if docker container inspect ${container_name} &>/dev/null; then
docker stop ${container_name}
fi
docker run --rm ${port_args} ${extra_args} \
-e TLS -e TLS_PRIVATE_KEY -e TLS_CERTIFICATE -e ANALYTICS \
-h riju --name "${container_name}" \
"${image_name}"


@ -1,35 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
if (( $# != 1 )); then
echo "usage: ssh deploy@riju IMAGE" >&2
exit 1
fi
image="$1"
riju-init-volume
echo "Pull image to be deployed..."
docker pull "${image}"
echo "Start new image in test container..." >&2
CONTAINER_NAME=riju-test IMAGE_NAME="${image}" DETACH=1 \
PORT_MAPPING="-p 127.0.0.1:6119:6119" DISABLE_TLS=0 riju
echo "Wait for web server to come up..." >&2
sleep 5
echo "Test web server health..." >&2
output="$(curl -fsSL http://localhost:6119)"
head -n15 <<< "${output}"
echo "Tear down test container..." >&2
docker stop riju-test
echo "Retag production image..." >&2
docker tag "${image}" riju:app
echo "Restart production server..." >&2
systemctl restart riju


@ -1,18 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
sudo tee /etc/letsencrypt/renewal-hooks/pre/riju >/dev/null <<"EOF"
#!/usr/bin/env bash
set -euo pipefail
systemctl stop riju
EOF
sudo tee /etc/letsencrypt/renewal-hooks/post/riju >/dev/null <<"EOF"
#!/usr/bin/env bash
set -euo pipefail
systemctl start riju
EOF
sudo chmod +x /etc/letsencrypt/renewal-hooks/pre/riju
sudo chmod +x /etc/letsencrypt/renewal-hooks/post/riju


@ -5,7 +5,7 @@ After=docker.service
[Service]
Type=exec
ExecStart=riju
ExecStart=riju-supervisor
Restart=always
[Install]


@ -1,7 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
: ${ADMIN_PASSWORD}
: ${ADMIN_SSH_PUBLIC_KEY_FILE}
: ${DEPLOY_SSH_PUBLIC_KEY_FILE}


@ -262,6 +262,7 @@ func (sv *supervisor) reload() error {
"-v", "/var/run/docker.sock:/var/run/docker.sock",
"-p", fmt.Sprintf("%s:6119", port),
"-e", "RIJU_DEPLOY_CONFIG",
"-e", "ANALYTICS=1",
"--name", name,
fmt.Sprintf("riju:%s", deployCfg.AppImageTag),
)
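Review bot: `-e ANALYTICS=1` at line 255 enables analytics unconditionally for every container the supervisor starts, whereas the deleted `riju` script only exported `ANALYTICS=1` when the Let's Encrypt domain was `riju.codes` (lines 159-161 of the removed file), so staging or self-hosted deployments will now report analytics as well. Gate it on the deployment config instead, for example append the `-e` pair only when a field like `deployCfg.Analytics` is set, or at minimum add a comment stating that this supervisor is riju.codes-only. The enclosing `reload` method starts and ends outside the hunk.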

tools/packer-build.bash Executable file

@ -0,0 +1,6 @@
#!/usr/bin/env bash
set -euo pipefail
cd packer
packer build config.json
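Review bot: `cd packer` at line 267 resolves against the caller's working directory, so the script only works when invoked from the repository root as the Makefile does; anchor it to the script's own location with `cd "$(dirname "${BASH_SOURCE[0]}")/../packer"`. With `validate.bash` deleted, `ADMIN_PASSWORD` is now first checked by `provision.bash` inside the guest, i.e. after an EC2 instance has already been launched; fail fast here with `: "${ADMIN_PASSWORD:?ADMIN_PASSWORD must be set}"` and run `packer validate config.json` before `packer build config.json`.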