From 4ea197cabe64b89dbcfe168d773fc0d342c9719a Mon Sep 17 00:00:00 2001
From: Radon Rosborough
Date: Thu, 11 Jun 2020 13:57:36 -0600
Subject: [PATCH] Get TLS cert&key inside container, fix SSH options
---
 backend/src/server.ts | 8 ++++++--
 scripts/deploy.bash | 6 +++++-
 scripts/riju-serve.bash | 14 ++++++++++++++
 scripts/riju.service | 2 +-
 4 files changed, 26 insertions(+), 4 deletions(-)
 create mode 100755 scripts/riju-serve.bash
diff --git a/backend/src/server.ts b/backend/src/server.ts
index 408a52c..0cb1a08 100644
--- a/backend/src/server.ts
+++ b/backend/src/server.ts
@@ -70,8 +70,12 @@ app.ws("/api/v1/ws", (ws, req) => {
 const secureApp = useTLS
 ? https.createServer(
 {
- key: fs.readFileSync("/etc/letsencrypt/live/riju.codes/privkey.pem"),
- cert: fs.readFileSync("/etc/letsencrypt/live/riju.codes/fullchain.pem"),
+ key: Buffer.from(process.env.TLS_PRIVATE_KEY, "base64").toString(
+ "ascii"
+ ),
+ cert: Buffer.from(process.env.TLS_CERTIFICATE, "base64").toString(
+ "ascii"
+ ),
 },
 app
 )
diff --git a/scripts/deploy.bash b/scripts/deploy.bash
index 7763808..0752b56 100755
--- a/scripts/deploy.bash
+++ b/scripts/deploy.bash
@@ -15,5 +15,9 @@ else
 exit 1
 fi

-ssh -o IdentitiesOnly=yes -o StrictHostKeyChecking=no \
+chmod go-rw "$keyfile"
+ssh -o IdentitiesOnly=yes \
+ -o StrictHostKeyChecking=no \
+ -o UserKnownHostsFile=/dev/null \
+ -o LogLevel=QUIET \
 -i "${keyfile}" deploy@209.141.40.107 /usr/bin/riju-install
diff --git a/scripts/riju-serve.bash b/scripts/riju-serve.bash
new file mode 100755
index 0000000..13f0a9e
--- /dev/null
+++ b/scripts/riju-serve.bash
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+set -e
+set -o pipefail
+
+TLS=1
+TLS_PRIVATE_KEY="$(base64 -d /etc/letsencrypt/live/riju.codes/privkey.pem)"
+TLS_CERTIFICATE="$(base64 -d /etc/letsencrypt/live/riju.codes/fullchain.pem)"
+
+# Do this separately so that errors in command substitution will crash
+# the script.
+export TLS TLS_PRIVATE_KEY TLS_CERTIFICATE
+
+docker run --rm -p 0.0.0.0:80:6119 riju:prod
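Review bot: `Buffer.from(process.env.TLS_PRIVATE_KEY, "base64")` throws an opaque TypeError at startup when the variable is unset, and it leaves the TLS private key in the server's environment for the life of the process. For a service described as an online coding sandbox that matters: any process the server spawns inherits the environment unless the caller passes an explicit `env`, and whether the sandbox spawn path does so is not visible in this hunk. I would validate each variable, delete it from `process.env` once read, and pass the decoded Buffer directly, since `key` and `cert` accept Buffers and the `toString("ascii")` round-trip adds nothing. The `secureApp` expression starts and ends outside the changed lines.

```typescript
// Decode a base64-encoded PEM from the environment, then remove it so
// that processes spawned later do not inherit the secret.
function pemFromEnv(name: string): Buffer {
  const encoded = process.env[name];
  if (!encoded) {
    throw new Error(`${name} must be set when TLS is enabled`);
  }
  delete process.env[name];
  return Buffer.from(encoded, "base64");
}

// … unchanged: const secureApp = useTLS ? https.createServer( …
      {
        key: pemFromEnv("TLS_PRIVATE_KEY"),
        cert: pemFromEnv("TLS_CERTIFICATE"),
      },
// … unchanged: app ) …
```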
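Review bot: The added `-o UserKnownHostsFile=/dev/null` and `-o LogLevel=QUIET`, combined with `StrictHostKeyChecking=no`, mean the deploy never verifies the host key of 209.141.40.107 and never prints the warning that would reveal a changed key, so whatever answers on that address is trusted. Pin the server's host key instead: write it to a temporary file and use `-o StrictHostKeyChecking=yes \` with `-o UserKnownHostsFile="${known_hosts}" \` (`known_hosts` is a placeholder name for that file). Separately, `chmod go-rw "$keyfile"` runs after the key has been written, which appears to happen above this hunk; setting `umask 077` before the file is created would close the window in which other users can read the deploy key.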
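Review bot: `base64 -d` decodes its input, but backend/src/server.ts in this same commit base64-decodes `TLS_PRIVATE_KEY` and `TLS_CERTIFICATE`, so these two assignments should encode the PEM files, e.g. `TLS_PRIVATE_KEY="$(base64 -w0 /etc/letsencrypt/live/riju.codes/privkey.pem)"`; as written, decoding a PEM file fails on its header line and `set -e` stops the script. The `docker run` line also passes none of the exported variables into the container, so it needs `-e TLS -e TLS_PRIVATE_KEY -e TLS_CERTIFICATE`, and it still publishes only `0.0.0.0:80:6119` (the port the TLS listener uses is not visible here, so confirm whether a second mapping is required). Values passed with `-e` are stored in the container configuration and shown by `docker inspect`; a read-only bind mount of the certificate directory would keep the private key out of the environment altogether.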
diff --git a/scripts/riju.service b/scripts/riju.service
index 3ba25a9..7c20330 100644
--- a/scripts/riju.service
+++ b/scripts/riju.service
@@ -2,7 +2,7 @@
 Description=Riju online coding sandbox

 [Service]
-ExecStart=docker run --rm -p 0.0.0.0:80:6119 riju:prod
+ExecStart=riju-serve

 [Install]
 WantedBy=multi-user.target
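Review bot: `ExecStart=riju-serve` names the command without a path; older systemd releases reject a non-absolute executable, and newer ones resolve it through a fixed search path, so which file runs depends on that path rather than on the unit. The unit sets no `User=`, so as a system unit it presumably runs the script as root, which makes an absolute path the safer choice, e.g. `ExecStart=/usr/bin/riju-serve` if the script is installed alongside `/usr/bin/riju-install` (the install location is not shown in this diff).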