Get TLS cert&key inside container, fix SSH options

backend/src/server.ts

@@ -70,8 +70,12 @@ app.ws("/api/v1/ws", (ws, req) => {
 const secureApp = useTLS
   ? https.createServer(
       {
-        key: fs.readFileSync("/etc/letsencrypt/live/riju.codes/privkey.pem"),
-        cert: fs.readFileSync("/etc/letsencrypt/live/riju.codes/fullchain.pem"),
+        key: Buffer.from(process.env.TLS_PRIVATE_KEY, "base64").toString(
+          "ascii"
+        ),
+        cert: Buffer.from(process.env.TLS_CERTIFICATE, "base64").toString(
+          "ascii"
+        ),
       },
       app
     )

scripts/deploy.bash

@@ -15,5 +15,9 @@ else
     exit 1
 fi
 
-ssh -o IdentitiesOnly=yes -o StrictHostKeyChecking=no \
+chmod go-rw "$keyfile"
+ssh -o IdentitiesOnly=yes \
+    -o StrictHostKeyChecking=no \
+    -o UserKnownHostsFile=/dev/null \
+    -o LogLevel=QUIET \
     -i "${keyfile}" deploy@209.141.40.107 /usr/bin/riju-install

scripts/riju-serve.bash

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+set -e
+set -o pipefail
+
+TLS=1
+TLS_PRIVATE_KEY="$(base64 -d /etc/letsencrypt/live/riju.codes/privkey.pem)"
+TLS_CERTIFICATE="$(base64 -d /etc/letsencrypt/live/riju.codes/fullchain.pem)"
+
+# Do this separately so that errors in command substitution will crash
+# the script.
+export TLS TLS_PRIVATE_KEY TLS_CERTIFICATE
+
+docker run --rm -p 0.0.0.0:80:6119 riju:prod

scripts/riju.service

@@ -2,7 +2,7 @@
 Description=Riju online coding sandbox
 
 [Service]
-ExecStart=docker run --rm -p 0.0.0.0:80:6119 riju:prod
+ExecStart=riju-serve
 
 [Install]
 WantedBy=multi-user.target