From 2062bfecdbb1551cc7bbc6646cd429b784e48ba5 Mon Sep 17 00:00:00 2001 From: Radon Rosborough Date: Sun, 4 Jul 2021 03:29:02 +0000 Subject: [PATCH] First attempt at new AMI build --- Makefile | 7 ++++- packer/config.json | 39 +++------------------------ packer/provision.bash | 30 +++------------------ packer/riju | 44 ------------------------------- packer/riju-deploy | 35 ------------------------ packer/riju-install-certbot-hooks | 18 ------------- packer/riju.service | 2 +- packer/validate.bash | 7 ----- supervisor/src/main.go | 1 + tools/packer-build.bash | 6 +++++ 10 files changed, 22 insertions(+), 167 deletions(-) delete mode 100755 packer/riju delete mode 100755 packer/riju-deploy delete mode 100755 packer/riju-install-certbot-hooks delete mode 100755 packer/validate.bash create mode 100755 tools/packer-build.bash diff --git a/Makefile b/Makefile index 4138d80..4e4627b 100644 --- a/Makefile +++ b/Makefile @@ -230,6 +230,11 @@ config: # Generate deployment config file deploy: # Upload deployment config to S3 aws s3 cp $(BUILD)/config.json $(S3_CONFIG) +### Infrastructure + +packer: supervisor # Build and publish a new AMI + tools/packer-build.bash + ### Miscellaneous ## Run this every time you update .gitignore or .dockerignore.in. @@ -243,7 +248,7 @@ dockerignore: # Update .dockerignore from .gitignore and .dockerignore.in ## opposed to through the Makefile. env: # Run shell with .env file loaded and $PATH fixed - exec bash --rcfile <(cat ~/.bashrc - <<< 'PS1="[.env] $$PS1"') + exec bash tmux: # Start or attach to tmux session MAKELEVEL= tmux attach || MAKELEVEL= tmux new-session -s tmux diff --git a/packer/config.json b/packer/config.json index ecfd3a7..e4f6f8e 100644 --- a/packer/config.json +++ b/packer/config.json 
@@ -1,8 +1,6 @@ { "variables": { - "admin_password": "{{env `ADMIN_PASSWORD`}}", - "admin_ssh_public_key_file": "{{env `ADMIN_SSH_PUBLIC_KEY_FILE`}}", - "deploy_ssh_public_key_file": "{{env `DEPLOY_SSH_PUBLIC_KEY_FILE`}}" + "admin_password": "{{env `ADMIN_PASSWORD`}}" }, "builders": [ { @@ -11,7 +9,7 @@ "filters": { "virtualization-type": "hvm", "root-device-type": "ebs", - "name": "ubuntu/images/hvm-ssd/ubuntu-groovy-20.10-amd64-server-*" + "name": "ubuntu/images/hvm-ssd/ubuntu-*-21.04-amd64-server-*" }, "owners": ["099720109477"], "most_recent": true @@ -22,20 +20,6 @@ } ], "provisioners": [ - { - "type": "shell", - "script": "validate.bash", - "environment_vars": [ - "ADMIN_PASSWORD={{user `admin_password`}}", - "ADMIN_SSH_PUBLIC_KEY_FILE={{user `admin_ssh_public_key_file`}}", - "DEPLOY_SSH_PUBLIC_KEY_FILE={{user `deploy_ssh_public_key_file`}}" - ] - }, - { - "type": "file", - "source": "riju", - "destination": "/tmp/riju" - }, { "type": "file", "source": "riju-init-volume", @@ -43,29 +27,14 @@ }, { "type": "file", - "source": "riju-deploy", - "destination": "/tmp/riju-deploy" - }, - { - "type": "file", - "source": "riju-install-certbot-hooks", - "destination": "/tmp/riju-install-certbot-hooks" + "source": "../supervisor/out/riju-supervisor", + "destination": "/tmp/riju-supervisor" }, { "type": "file", "source": "riju.service", "destination": "/tmp/riju.service" }, - { - "type": "file", - "source": "{{user `admin_ssh_public_key_file`}}", - "destination": "/tmp/id_admin.pub" - }, - { - "type": "file", - "source": "{{user `deploy_ssh_public_key_file`}}", - "destination": "/tmp/id_deploy.pub" - }, { "type": "shell", "script": "provision.bash", diff --git a/packer/provision.bash b/packer/provision.bash index 303041f..f2f0f73 100644 --- a/packer/provision.bash +++ b/packer/provision.bash @@ -2,6 +2,8 @@ set -euo pipefail +: ${ADMIN_PASSWORD} + mkdir /tmp/riju-work pushd /tmp/riju-work 
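Review bot: The builder's `source_ami_filter` now selects `ubuntu-*-21.04-amd64-server-*`, and 21.04 is a nine-month interim release rather than an LTS, so an AMI built from it stops receiving security updates in early 2022 — about six months after this commit. Unless there is a reason to need 21.04 packages, `"name": "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"` keeps the base image on a release with updates through 2025. Keeping `owners` pinned to Canonical's account `099720109477` together with `most_recent: true` is the right way to avoid picking up a look-alike public AMI, and that part is fine as is.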
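Review bot: `: ${ADMIN_PASSWORD}` only catches an unset variable (via `set -u`); an empty `ADMIN_PASSWORD=` passes the check and, in the later hunk, becomes the hash of an empty password for the sudo-capable `admin` account. Use the `:?` form so both unset and empty abort before anything is changed on the instance: `: "${ADMIN_PASSWORD:?ADMIN_PASSWORD must be set and non-empty}"`. Quoting the expansion also keeps a password containing spaces or glob characters from being word-split here.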
@@ -27,40 +29,16 @@ wget -nv https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip -O awscli.zip unzip -q awscli.zip sudo ./aws/install -sudo chown root:root /tmp/riju /tmp/riju-deploy /tmp/riju.service -sudo mv /tmp/riju /tmp/riju-deploy /tmp/riju-init-volume /tmp/riju-install-certbot-hooks /usr/local/bin/ +sudo chown root:root /tmp/riju-init-volume /tmp/riju-supervisor /tmp/riju.service +sudo mv /tmp/riju-init-volume /tmp/riju-supervisor /usr/local/bin/ sudo mv /tmp/riju.service /etc/systemd/system/ -for user in admin deploy; do - if ! grep -vq "PRIVATE KEY" "/tmp/id_${user}.pub"; then - echo "${user} public key was set to a private key, aborting" >&2 - exit 1 - fi - - IFS=" " read contents < "/tmp/id_${user}.pub" - echo "${contents}" > "/tmp/id_${user}.pub" -done - sudo sed -Ei 's/^#?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config sudo sed -Ei 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config sudo sed -Ei 's/^#?PermitEmptyPasswords .*/PermitEmptyPasswords no/' /etc/ssh/sshd_config sudo passwd -l root sudo useradd admin -g admin -G sudo -s /usr/bin/bash -p "$(echo "${ADMIN_PASSWORD}" | mkpasswd -s)" -m -sudo useradd deploy -s /usr/bin/bash -p "!" -m - -for user in admin deploy; do - sudo runuser -u "${user}" -- mkdir -p "/home/${user}/.ssh" - sudo mv "/tmp/id_${user}.pub" "/home/${user}/.ssh/authorized_keys" - sudo chown -R "${user}:${user}" "/home/${user}/.ssh" - sudo chmod -R go-rwx "/home/${user}/.ssh" -done - -sudo runuser -u deploy -- sed -i 's/^/command="sudo riju-deploy ${SSH_ORIGINAL_COMMAND}",restrict /' /home/deploy/.ssh/authorized_keys - -sudo tee /etc/sudoers.d/riju >/dev/null <<"EOF" -deploy ALL=(root) NOPASSWD: /usr/local/bin/riju-deploy -EOF sudo hostnamectl set-hostname riju diff --git a/packer/riju b/packer/riju deleted file mode 100755 index 552102c..0000000 --- a/packer/riju +++ /dev/null 
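Review bot: After this hunk the `admin` user is created with a password but no `~/.ssh/authorized_keys` (the key upload and the `for user in admin deploy` loop are gone), while `PasswordAuthentication no` is still enforced, so `admin` is unreachable over SSH and its password is only usable for `sudo` from a session obtained some other way — presumably the image's default user with the instance key pair, or SSM, though that is not visible here. If that is the intent, a comment such as `# admin has no SSH key on purpose; it is a local sudo account only` above the `useradd` line would stop the next reader from treating it as a regression; if not, the admin key provisioner needs to come back. Separately, `useradd ... -p "$(... | mkpasswd -s)"` puts the password hash on the command line where any local process can read it from `ps` during the build; feeding `admin:<hash>` to `chpasswd -e` on stdin after `useradd -m` avoids that.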
@@ -1,44 +0,0 @@ -#!/usr/bin/env bash - -set -euo pipefail - -domain="$(ls /etc/letsencrypt/live | grep -v README | head -n1)" || true - -if [[ -n "${DISABLE_TLS:-}" ]]; then - echo "Disabling TLS due to DISABLE_TLS=${DISABLE_TLS}" >&2 -elif [[ -z "${domain}" ]]; then - echo "No certs installed in /etc/letsencrypt/live, disabling TLS" >&2 -else - echo "Detected cert for domain: ${domain}, enabling TLS" >&2 - export TLS=1 - TLS_PRIVATE_KEY="$(base64 "/etc/letsencrypt/live/${domain}/privkey.pem")" - TLS_CERTIFICATE="$(base64 "/etc/letsencrypt/live/${domain}/fullchain.pem")" - export TLS_PRIVATE_KEY TLS_CERTIFICATE - if [[ "${domain}" == riju.codes ]]; then - echo "Domain is riju.codes, enabling analytics" >&2 - export ANALYTICS=1 - else - echo "Domain is not riju.codes, disabling analytics" >&2 - fi -fi - -if [[ -n "${DETACH:-}" ]]; then - extra_args="-d" -elif [[ -t 1 ]]; then - extra_args="-it" -else - extra_args= -fi - -port_args="${PORT_MAPPING:--p 0.0.0.0:80:6119 -p 0.0.0.0:443:6120}" -image_name="${IMAGE_NAME:-riju:app}" -container_name="${CONTAINER_NAME:-riju-prod}" - -if docker container inspect ${container_name} &>/dev/null; then - docker stop ${container_name} -fi - -docker run --rm ${port_args} ${extra_args} \ - -e TLS -e TLS_PRIVATE_KEY -e TLS_CERTIFICATE -e ANALYTICS \ - -h riju --name "${container_name}" \ - "${image_name}" diff --git a/packer/riju-deploy b/packer/riju-deploy deleted file mode 100755 index f978f66..0000000 --- a/packer/riju-deploy +++ /dev/null 
@@ -1,35 +0,0 @@ -#!/usr/bin/env bash - -set -euo pipefail - -if (( $# != 1 )); then - echo "usage: ssh deploy@riju IMAGE" >&2 - exit 1 -fi - -image="$1" - -riju-init-volume - -echo "Pull image to be deployed..." -docker pull "${image}" - -echo "Start new image in test container..." >&2 -CONTAINER_NAME=riju-test IMAGE_NAME="${image}" DETACH=1 \ - PORT_MAPPING="-p 127.0.0.1:6119:6119" DISABLE_TLS=0 riju - -echo "Wait for web server to come up..." >&2 -sleep 5 - -echo "Test web server health..." >&2 -output="$(curl -fsSL http://localhost:6119)" -head -n15 <<< "${output}" - -echo "Tear down test container..." >&2 -docker stop riju-test - -echo "Retag production image..." >&2 -docker tag "${image}" riju:app - -echo "Restart production server..." >&2 -systemctl restart riju diff --git a/packer/riju-install-certbot-hooks b/packer/riju-install-certbot-hooks deleted file mode 100755 index d83cd8b..0000000 --- a/packer/riju-install-certbot-hooks +++ /dev/null @@ -1,18 +0,0 @@ -#!/usr/bin/env bash - -set -euo pipefail - -sudo tee /etc/letsencrypt/renewal-hooks/pre/riju >/dev/null <<"EOF" -#!/usr/bin/env bash -set -euo pipefail -systemctl stop riju -EOF - -sudo tee /etc/letsencrypt/renewal-hooks/post/riju >/dev/null <<"EOF" -#!/usr/bin/env bash -set -euo pipefail -systemctl start riju -EOF - -sudo chmod +x /etc/letsencrypt/renewal-hooks/pre/riju -sudo chmod +x /etc/letsencrypt/renewal-hooks/post/riju diff --git a/packer/riju.service b/packer/riju.service index 6ea3ac0..10a121c 100644 --- a/packer/riju.service +++ b/packer/riju.service @@ -5,7 +5,7 @@ After=docker.service [Service] Type=exec -ExecStart=riju +ExecStart=riju-supervisor Restart=always [Install] diff --git a/packer/validate.bash b/packer/validate.bash deleted file mode 100755 index ab4f836..0000000 --- a/packer/validate.bash +++ /dev/null @@ -1,7 +0,0 @@ -#!/usr/bin/env bash - -set -euo pipefail - -: ${ADMIN_PASSWORD} -: ${ADMIN_SSH_PUBLIC_KEY_FILE} -: ${DEPLOY_SSH_PUBLIC_KEY_FILE} 
diff --git a/supervisor/src/main.go b/supervisor/src/main.go
index 85f1673..5762c1e 100644
--- a/supervisor/src/main.go
+++ b/supervisor/src/main.go
@@ -262,6 +262,7 @@ func (sv *supervisor) reload() error {
 "-v", "/var/run/docker.sock:/var/run/docker.sock",
 "-p", fmt.Sprintf("%s:6119", port),
 "-e", "RIJU_DEPLOY_CONFIG",
+ "-e", "ANALYTICS=1",
 "--name", name,
 fmt.Sprintf("riju:%s", deployCfg.AppImageTag),
 )
diff --git a/tools/packer-build.bash b/tools/packer-build.bash
new file mode 100755
index 0000000..f20726b
--- /dev/null
+++ b/tools/packer-build.bash
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+cd packer
+packer build config.json
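Review bot: `"-e", "ANALYTICS=1"` turns analytics on for every container the supervisor starts, whereas the `packer/riju` script this commit deletes only exported `ANALYTICS=1` when the served domain was `riju.codes`; any staging or test deployment driven by the same supervisor now reports analytics too. Passing the variable through from the supervisor's own environment the way the neighbouring line already does for `RIJU_DEPLOY_CONFIG` — `"-e", "ANALYTICS",` — or carrying a flag in `deployCfg` next to `AppImageTag` keeps the decision per-deployment. Either way a one-line comment on the argument saying where the value is expected to come from would help, since nothing in this file says so. The enclosing `reload()` method starts before and ends after this hunk.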
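Review bot: `cd packer` resolves against the caller's working directory, so the script only works when run from the repository root (as the Makefile does) and fails with "No such file or directory" from anywhere else; `cd "$(dirname "$0")/../packer"` makes it location-independent. It would also be worth failing fast on the one secret the build needs before an EC2 instance is launched and billed, since `provision.bash` only checks it once the instance is up: `: "${ADMIN_PASSWORD:?ADMIN_PASSWORD must be set and non-empty}"` placed before `packer build config.json`. The `config.json` file provisioner also expects `../supervisor/out/riju-supervisor` to exist, so a `[[ -x ../supervisor/out/riju-supervisor ]]` guard with a message pointing at `make supervisor` would turn a mid-build Packer error into an immediate one.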