Update server config (switching to systemd)
This commit is contained in:
parent
f40936ae61
commit
6056f6c1cc
|
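--- a/server/caddy.service
+++ b/server/caddy.service
@@ -0,0 +1,33 @@
+# This service originally copied from:
+# https://raw.githubusercontent.com/caddyserver/dist/master/init/caddy.service
+
+# caddy.service
+#
+# For using Caddy with a config file.
+#
+# Make sure the ExecStart and ExecReload commands are correct
+# for your installation.
+#
+# See https://caddyserver.com/docs/install for instructions.
+
+[Unit]
+Description=Caddy
+Documentation=https://caddyserver.com/docs/
+After=network.target network-online.target
+Requires=network-online.target
+
+[Service]
+Type=notify
+User=caddy
+Group=caddy
+ExecStart=/usr/bin/caddy run --config /home/caddy/Caddyfile
+ExecReload=/usr/bin/caddy reload --config /home/caddy/Caddyfile
+TimeoutStopSec=5s
+LimitNOFILE=1048576
+LimitNPROC=512
+PrivateTmp=true
+ProtectSystem=full
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target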
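Review bot: The `[Service]` section sets no `Restart=` policy, so a Caddy crash leaves the whole site unreachable until someone notices, while the other two units added in this commit (`hmn.service`, `cinera.service`) both set `Restart=always` and are only reachable through Caddy; add `Restart=on-failure` next to `TimeoutStopSec=5s`. Since this copy diverges from upstream by reading `/home/caddy/Caddyfile`, and the setup help text in this commit directs the operator to put a Cloudflare API token into that file, the header comment should also say that the file must be owned by `caddy` and not world-readable, e.g. `# /home/caddy/Caddyfile holds the Cloudflare API token: keep it caddy:caddy, mode 0600.`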
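--- a/server/cinera.service
+++ b/server/cinera.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Miblo's Cinera program
+After=network-online.target nss-lookup.target
+
+[Service]
+Type=forking
+User=annotations
+Group=annotations
+ExecStart=/home/hmn/hmn/cinera/start.sh
+ExecStop=/home/hmn/hmn/cinera/stop.sh
+PIDFile=/home/hmn/hmn/cinera/data/cinera.pid
+Restart=always
+
+[Install]
+WantedBy=multi-user.target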
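Review bot: `After=network-online.target` only orders this unit; nothing here pulls the target in, so on a boot where no other unit activates it the ordering has no effect, whereas `caddy.service` in this commit pairs its `After=` with `Requires=network-online.target`. Add `Wants=network-online.target` under `[Unit]`; the same line is missing from `hmn.service` in this commit. `Type=forking` with `PIDFile=/home/hmn/hmn/cinera/data/cinera.pid` while running as `annotations` also assumes that directory is writable by `annotations` and that `start.sh` writes the pidfile; neither script is in this diff, so I cannot confirm either, and a one-line comment stating both expectations above `ExecStart=` would help the next person.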
@ -1,8 +1,7 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
# This script should be called with the name
|
# This script should be called with the name of the branch to deploy. ($1 will
|
||||||
# of the branch to deploy. ($1 will be the
|
# be the branch name.)
|
||||||
# branch name.)
|
|
||||||
|
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
|
@ -11,13 +10,13 @@ set -euo pipefail
|
||||||
pushd /home/hmn/hmn
|
pushd /home/hmn/hmn
|
||||||
git fetch --all
|
git fetch --all
|
||||||
git reset --hard $1
|
git reset --hard $1
|
||||||
go build -o hmn src/main.go
|
go build -o /home/hmn/bin/hmn src/main.go
|
||||||
popd
|
popd
|
||||||
SCRIPT
|
SCRIPT
|
||||||
|
|
||||||
monit stop hmn
|
systemctl stop hmn
|
||||||
sudo -u hmn bash -s <<'SCRIPT'
|
sudo -u hmn bash -s <<'SCRIPT'
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
/home/hmn/hmn/hmn migrate
|
/home/hmn/bin/hmn migrate
|
||||||
SCRIPT
|
SCRIPT
|
||||||
monit start hmn
|
systemctl start hmn
|
||||||
|
|
|
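Review bot: Between `systemctl stop hmn` and `systemctl start hmn` the migration heredoc runs under the outer `set -euo pipefail`, so if `hmn migrate` fails the script exits and the site stays stopped; an explicit `systemctl stop` also suspends the unit's `Restart=always`, so nothing brings it back. Add `trap 'systemctl start hmn' EXIT` on the line after `systemctl stop hmn` (and drop the final explicit start, or keep it and let the trap be a no-op) so the previous binary is restarted on any failure path. The context line `git reset --hard $1` should quote its argument as `"$1"`, since the branch name is caller-supplied. The first heredoc's `sudo -u hmn bash -s <<'SCRIPT'` and its `set -euo pipefail` begin before this hunk.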
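--- a/server/hmn.service
+++ b/server/hmn.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=The Handmade Network website
+After=network-online.target nss-lookup.target
+
+[Service]
+User=hmn
+Group=hmn
+ExecStart=/home/hmn/bin/hmn
+Restart=always
+TimeoutStopSec=15
+
+[Install]
+WantedBy=multi-user.target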
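Review bot: This unit runs a network-facing binary with none of the isolation that `caddy.service` in the same commit keeps from upstream (`PrivateTmp=true`, `ProtectSystem=full`), and it has no `Wants=network-online.target` to back its `After=`. Adding `Wants=network-online.target` under `[Unit]` and `PrivateTmp=true` plus `NoNewPrivileges=true` under `[Service]` costs nothing for a binary that reads its config from its own home and listens on a port; `ProtectSystem=` I would leave out until it is confirmed the site does not write under `/usr` or `/etc`. A `WorkingDirectory=` is also absent, so the process starts in `/` rather than `/home/hmn`, which matters if the binary resolves relative paths; worth stating explicitly either way.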
@ -1,8 +1,12 @@
|
||||||
SET DAEMON 5
|
SET DAEMON 5
|
||||||
SET LOGFILE /var/log/monit.log
|
SET LOGFILE /var/log/monit.log
|
||||||
SET STATEFILE /var/lib/monit/state
|
SET STATEFILE /var/lib/monit/state
|
||||||
SET HTTPD UNIXSOCKET /var/run/monit.sock
|
#SET HTTPD UNIXSOCKET /var/run/monit.sock
|
||||||
allow user:pass
|
# allow user:pass
|
||||||
|
SET HTTPD PORT 2812 AND
|
||||||
|
USE ADDRESS localhost
|
||||||
|
ALLOW localhost
|
||||||
|
ALLOW admin:monit
|
||||||
SET MAILSERVER
|
SET MAILSERVER
|
||||||
box.handmadedev.org
|
box.handmadedev.org
|
||||||
PORT 587
|
PORT 587
|
||||||
|
|
|
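Review bot: `ALLOW admin:monit` is the credential used in monit's own documentation examples, and here it is committed to the repository as the login for the HTTP interface; bound to `USE ADDRESS localhost` it is still reachable by every local user and every service running on the host, and it grants start/stop control over everything monit manages. Treat it as a placeholder that the setup step replaces (the help text in this commit already sends the operator to `~/.monitrc` for the mail password, so the same step can cover this line), or keep the commented-out `SET HTTPD UNIXSOCKET /var/run/monit.sock` form where filesystem permissions gate access instead of a password. Note also that the setup script in this commit drops `monit` from the apt install list and no longer copies `monitrc` into place, so as far as this diff shows nothing installs this file any more.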
@ -2,155 +2,252 @@
|
||||||
|
|
||||||
set -euxo pipefail
|
set -euxo pipefail
|
||||||
|
|
||||||
BLACK_BOLD=$'\e[1;30m'
|
BLUE_BOLD=$'\e[1;34m'
|
||||||
RESET=$'\e[0m'
|
RESET=$'\e[0m'
|
||||||
|
|
||||||
|
checkpoint=$(cat ./hmn_setup_checkpoint || echo 0)
|
||||||
|
|
||||||
|
savecheckpoint() {
|
||||||
|
echo $1 > ./hmn_setup_checkpoint
|
||||||
|
}
|
||||||
|
|
||||||
# Add swap space
|
# Add swap space
|
||||||
# https://www.digitalocean.com/community/tutorials/how-to-add-swap-space-on-ubuntu-20-04
|
# https://www.digitalocean.com/community/tutorials/how-to-add-swap-space-on-ubuntu-20-04
|
||||||
fallocate -l 1G /swapfile
|
if [ $checkpoint -lt 10 ]; then
|
||||||
chmod 600 /swapfile
|
savecheckpoint 10
|
||||||
mkswap /swapfile
|
|
||||||
swapon /swapfile
|
fallocate -l 1G /swapfile
|
||||||
swapon --show
|
chmod 600 /swapfile
|
||||||
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
|
mkswap /swapfile
|
||||||
sysctl vm.swappiness=10
|
swapon /swapfile
|
||||||
sysctl vm.vfs_cache_pressure=50
|
swapon --show
|
||||||
echo 'vm.swappiness=10' >> /etc/sysctl.conf
|
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
|
||||||
echo 'vm.vfs_cache_pressure=50' >> /etc/sysctl.conf
|
sysctl vm.swappiness=10
|
||||||
|
sysctl vm.vfs_cache_pressure=50
|
||||||
|
echo 'vm.swappiness=10' >> /etc/sysctl.conf
|
||||||
|
echo 'vm.vfs_cache_pressure=50' >> /etc/sysctl.conf
|
||||||
|
fi
|
||||||
|
|
||||||
# Configure Linux users
|
# Configure Linux users
|
||||||
groupadd --system caddy
|
if [ $checkpoint -lt 20 ]; then
|
||||||
useradd --system \
|
savecheckpoint 20
|
||||||
--gid caddy \
|
|
||||||
--create-home --home-dir /home/caddy \
|
groupadd --system caddy
|
||||||
caddy
|
useradd --system \
|
||||||
groupadd --system hmn
|
--gid caddy \
|
||||||
useradd --system \
|
--shell /bin/bash \
|
||||||
--gid hmn \
|
--create-home --home-dir /home/caddy \
|
||||||
--create-home --home-dir /home/hmn \
|
caddy
|
||||||
hmn
|
groupadd --system hmn
|
||||||
groupadd --system annotations
|
useradd --system \
|
||||||
useradd --system \
|
--gid hmn \
|
||||||
--gid annotations \
|
--shell /bin/bash \
|
||||||
--create-home --home-dir /home/annotations \
|
--create-home --home-dir /home/hmn \
|
||||||
annotations
|
hmn
|
||||||
|
groupadd --system annotations
|
||||||
|
useradd --system \
|
||||||
|
--gid annotations \
|
||||||
|
--shell /bin/bash \
|
||||||
|
--create-home --home-dir /home/annotations \
|
||||||
|
annotations
|
||||||
|
fi
|
||||||
|
|
||||||
# Install important stuff
|
# Install important stuff
|
||||||
apt update
|
if [ $checkpoint -lt 30 ]; then
|
||||||
apt install -y \
|
savecheckpoint 30
|
||||||
build-essential monit \
|
|
||||||
libcurl4-openssl-dev byacc flex
|
apt update
|
||||||
|
apt install -y \
|
||||||
|
build-essential \
|
||||||
|
libcurl4-openssl-dev byacc flex
|
||||||
|
fi
|
||||||
|
|
||||||
# Install Go
|
# Install Go
|
||||||
wget https://golang.org/dl/go1.17.linux-amd64.tar.gz
|
if [ $checkpoint -lt 40 ]; then
|
||||||
tar -C /usr/local -xzf go1.17.linux-amd64.tar.gz
|
savecheckpoint 40
|
||||||
echo 'PATH=$PATH:/usr/local/go/bin:/root/go/bin' >> ~/.profile
|
|
||||||
source ~/.profile
|
wget https://golang.org/dl/go1.17.linux-amd64.tar.gz
|
||||||
|
tar -C /usr/local -xzf go1.17.linux-amd64.tar.gz
|
||||||
|
echo 'PATH=$PATH:/usr/local/go/bin:/root/go/bin' >> ~/.bash_profile
|
||||||
|
source ~/.bash_profile
|
||||||
|
fi
|
||||||
|
|
||||||
# Install Caddy
|
# Install Caddy
|
||||||
# https://www.digitalocean.com/community/tutorials/how-to-host-a-website-with-caddy-on-ubuntu-18-04
|
# https://www.digitalocean.com/community/tutorials/how-to-host-a-website-with-caddy-on-ubuntu-18-04
|
||||||
# (with modifications)
|
if [ $checkpoint -lt 50 ]; then
|
||||||
go install github.com/caddyserver/xcaddy/cmd/xcaddy@v0.1.9
|
savecheckpoint 50
|
||||||
xcaddy build \
|
|
||||||
--with github.com/caddy-dns/cloudflare \
|
go install github.com/caddyserver/xcaddy/cmd/xcaddy@v0.1.9
|
||||||
--with github.com/aksdb/caddy-cgi/v2
|
xcaddy build \
|
||||||
mv caddy /usr/bin
|
--with github.com/caddy-dns/cloudflare \
|
||||||
chown root:root /usr/bin/caddy
|
--with github.com/aksdb/caddy-cgi/v2
|
||||||
chmod 755 /usr/bin/caddy
|
mv caddy /usr/bin
|
||||||
|
chown root:root /usr/bin/caddy
|
||||||
|
chmod 755 /usr/bin/caddy
|
||||||
|
fi
|
||||||
|
|
||||||
# Install Postgres
|
# Install Postgres
|
||||||
# (instructions at https://www.postgresql.org/download/linux/ubuntu/)
|
# (instructions at https://www.postgresql.org/download/linux/ubuntu/)
|
||||||
sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'
|
if [ $checkpoint -lt 60 ]; then
|
||||||
wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -
|
savecheckpoint 60
|
||||||
sudo apt-get update
|
|
||||||
sudo apt-get -y install postgresql
|
sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'
|
||||||
|
wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -
|
||||||
|
sudo apt-get update
|
||||||
|
sudo apt-get -y install postgresql
|
||||||
|
fi
|
||||||
|
|
||||||
# Configure Postgres
|
# Configure Postgres
|
||||||
# TODO: This was supposed to create a user without a password - why didn't it?
|
# TODO: This was supposed to create a user without a password - why didn't it?
|
||||||
# ...or was it?
|
# ...or was it?
|
||||||
sudo -u postgres createuser --createdb --login --pwprompt hmn
|
if [ $checkpoint -lt 70 ]; then
|
||||||
|
savecheckpoint 70
|
||||||
|
sudo -u postgres createuser --createdb --login --pwprompt hmn
|
||||||
|
fi
|
||||||
|
|
||||||
# Set up the folder structure, clone the repo
|
# Set up the folder structure, clone the repo
|
||||||
sudo -u hmn bash -s <<'SCRIPT'
|
if [ $checkpoint -lt 80 ]; then
|
||||||
set -euxo pipefail
|
savecheckpoint 80
|
||||||
|
|
||||||
cd ~
|
sudo -u hmn bash -s <<'SCRIPT'
|
||||||
mkdir log
|
set -euxo pipefail
|
||||||
mkdir bin
|
|
||||||
|
|
||||||
echo 'PATH=$PATH:/usr/local/go/bin' >> ~/.profile
|
cd ~
|
||||||
source ~/.profile
|
mkdir log
|
||||||
|
mkdir bin
|
||||||
|
|
||||||
ssh-keygen -t ed25519 -C "beta-server" -N "" -f ~/.ssh/gitlab
|
echo 'PATH=$PATH:/usr/local/go/bin:/home/hmn/bin' >> ~/.bash_profile
|
||||||
git config --global core.sshCommand "ssh -i ~/.ssh/gitlab"
|
source ~/.bash_profile
|
||||||
echo ""
|
|
||||||
echo ""
|
|
||||||
echo "Copy the following key and add it as a Deploy Key in the project in GitLab (https://git.handmade.network/hmn/hmn/-/settings/ci_cd#js-deploy-keys-settings):"
|
|
||||||
echo ""
|
|
||||||
cat ~/.ssh/gitlab.pub
|
|
||||||
echo ""
|
|
||||||
echo "Press enter to continue when you're done."
|
|
||||||
read
|
|
||||||
|
|
||||||
git clone git@gitssh.handmade.network:hmn/hmn.git
|
ssh-keygen -t ed25519 -C "beta-server" -N "" -f ~/.ssh/gitlab
|
||||||
pushd hmn
|
git config --global core.sshCommand "ssh -i ~/.ssh/gitlab"
|
||||||
echo "Building the site for the first time. This may take a while..."
|
echo ""
|
||||||
go build -o hmn src/main.go
|
echo ""
|
||||||
popd
|
echo "Copy the following key and add it as a Deploy Key in the project in GitLab (https://git.handmade.network/hmn/hmn/-/settings/ci_cd#js-deploy-keys-settings):"
|
||||||
|
echo ""
|
||||||
|
cat ~/.ssh/gitlab.pub
|
||||||
|
echo ""
|
||||||
|
echo "Press enter to continue when you're done."
|
||||||
|
read
|
||||||
|
|
||||||
|
while true ; do
|
||||||
|
ssh -T git@gitssh.handmade.network && break || true
|
||||||
|
echo "Failed to connect to GitLab. Fix the issue and then try again. (Press enter when you're done.)"
|
||||||
|
read
|
||||||
|
done
|
||||||
SCRIPT
|
SCRIPT
|
||||||
|
|
||||||
|
echo 'PATH=$PATH:/home/hmn/bin' >> ~/.bash_profile
|
||||||
|
source ~/.bash_profile
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ $checkpoint -lt 90 ]; then
|
||||||
|
savecheckpoint 90
|
||||||
|
|
||||||
|
sudo -u hmn bash -s <<'SCRIPT'
|
||||||
|
set -euxo pipefail
|
||||||
|
|
||||||
|
cd ~
|
||||||
|
git clone git@gitssh.handmade.network:hmn/hmn.git
|
||||||
|
SCRIPT
|
||||||
|
fi
|
||||||
|
|
||||||
# Copy config files to the right places
|
# Copy config files to the right places
|
||||||
cp /home/hmn/hmn/server/Caddyfile /home/caddy/Caddyfile
|
if [ $checkpoint -lt 100 ]; then
|
||||||
cp /home/hmn/hmn/server/logrotate /etc/logrotate.d/hmn
|
savecheckpoint 100
|
||||||
cp /home/hmn/hmn/server/monitrc ~/.monitrc
|
|
||||||
cp /home/hmn/hmn/server/deploy.conf.example /home/hmn/hmn/server/deploy.conf
|
cp /home/hmn/hmn/server/Caddyfile /home/caddy/Caddyfile
|
||||||
cp /home/hmn/hmn/src/config/config.go.example /home/hmn/hmn/src/config/config.go
|
|
||||||
cp /home/hmn/hmn/cinera/cinera.conf.sample /home/hmn/hmn/cinera/cinera.conf
|
cp /home/hmn/hmn/server/caddy.service /etc/systemd/system/caddy.service
|
||||||
chmod 600 ~/.monitrc
|
cp /home/hmn/hmn/server/hmn.service /etc/systemd/system/hmn.service
|
||||||
|
cp /home/hmn/hmn/server/cinera.service /etc/systemd/system/cinera.service
|
||||||
|
chmod 644 /etc/systemd/system/caddy.service
|
||||||
|
chmod 644 /etc/systemd/system/hmn.service
|
||||||
|
chmod 644 /etc/systemd/system/cinera.service
|
||||||
|
|
||||||
|
cp /home/hmn/hmn/server/logrotate /etc/logrotate.d/hmn
|
||||||
|
|
||||||
|
cp /home/hmn/hmn/src/config/config.go.example /home/hmn/hmn/src/config/config.go
|
||||||
|
cp /home/hmn/hmn/server/deploy.conf.example /home/hmn/hmn/server/deploy.conf
|
||||||
|
cp /home/hmn/hmn/cinera/cinera.conf.sample /home/hmn/hmn/cinera/cinera.conf
|
||||||
|
|
||||||
|
systemctl daemon-reload
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Build the site for the first time (despite bad config)
|
||||||
|
if [ $checkpoint -lt 110 ]; then
|
||||||
|
savecheckpoint 110
|
||||||
|
|
||||||
|
sudo -u hmn bash -s <<'SCRIPT'
|
||||||
|
set -euxo pipefail
|
||||||
|
|
||||||
|
cd /home/hmn/hmn
|
||||||
|
echo "Building the site for the first time. This may take a while..."
|
||||||
|
go build -o /home/hmn/bin/hmn src/main.go
|
||||||
|
SCRIPT
|
||||||
|
fi
|
||||||
|
|
||||||
cat <<HELP
|
cat <<HELP
|
||||||
Everything has been installed, but before you can run the site, you will need to edit several config files:
|
Everything has been installed, but before you can run the site, you will need
|
||||||
|
to edit several config files:
|
||||||
|
|
||||||
${BLACK_BOLD}Caddy${RESET}: /home/caddy/Caddyfile
|
${BLUE_BOLD}Caddy${RESET}: /home/caddy/Caddyfile
|
||||||
|
|
||||||
Add the Cloudflare key to allow the ACME challenge to succeed, and add the correct domains. (Don't forget to include both the normal and wildcard domains.)
|
Get an API token from Cloudflare and add it to the Caddyfile to allow the
|
||||||
|
ACME challenge to succeed. The token must have the Zone / Zone / Read and
|
||||||
|
Zone / DNS / Edit permissions (as laid out in the following links).
|
||||||
|
|
||||||
Also, in the CGI config, add the name of the Git branch you would like to use when deploying.
|
https://github.com/caddy-dns/cloudflare
|
||||||
|
https://github.com/libdns/cloudflare
|
||||||
|
|
||||||
${BLACK_BOLD}Monit${RESET}: ~/.monitrc
|
Add the Cloudflare token to allow the ACME challenge to succeed, and add
|
||||||
|
the correct domains. (Don't forget to include both the normal and wildcard
|
||||||
|
domains.)
|
||||||
|
|
||||||
|
Also, in the CGI config, add the name of the Git branch you would like to
|
||||||
|
use when deploying. For example, a deployment of the beta site should use
|
||||||
|
the `beta` branch.
|
||||||
|
|
||||||
|
${BLUE_BOLD}Monit${RESET}: ~/.monitrc
|
||||||
|
|
||||||
Add the password for the email server.
|
Add the password for the email server.
|
||||||
|
|
||||||
${BLACK_BOLD}Deploy Secret${RESET}: /home/hmn/hmn/server/deploy.conf
|
${BLUE_BOLD}Deploy Secret${RESET}: /home/hmn/hmn/server/deploy.conf
|
||||||
|
|
||||||
First, go to GitLab and add a webhook with a secret. Filter it down to just push events on the branch you care about.
|
First, go to GitLab and add a webhook with a secret. Set it to trigger on
|
||||||
|
push events for the branch you are using for deploys.
|
||||||
|
|
||||||
https://git.handmade.network/hmn/hmn/hooks
|
https://git.handmade.network/hmn/hmn/hooks
|
||||||
|
|
||||||
Then, edit the above file and fill in the secret value from the GitLab webhook.
|
Then, edit the above file and fill in the secret value from the
|
||||||
|
GitLab webhook.
|
||||||
|
|
||||||
${BLACK_BOLD}Website${RESET}: /home/hmn/hmn/src/config/config.go
|
${BLUE_BOLD}Website${RESET}: /home/hmn/hmn/src/config/config.go
|
||||||
|
|
||||||
Fill out everything :)
|
Fill out everything :)
|
||||||
|
|
||||||
${BLACK_BOLD}Cinera${RESET}: /home/hmn/hmn/cinera/cinera.conf
|
Then rebuild the site:
|
||||||
|
|
||||||
|
su hmn
|
||||||
|
cd ~/hmn
|
||||||
|
go build -o /home/hmn/bin/hmn src/main.go
|
||||||
|
|
||||||
|
${BLUE_BOLD}Cinera${RESET}: /home/hmn/hmn/cinera/cinera.conf
|
||||||
|
|
||||||
Add the correct domain.
|
Add the correct domain.
|
||||||
|
|
||||||
|
|
||||||
${BLACK_BOLD}Next steps:${RESET}
|
${BLUE_BOLD}===== Next steps =====${RESET}
|
||||||
|
|
||||||
Restore a database backup:
|
Restore a database backup:
|
||||||
|
|
||||||
pg_restore --single-transaction --dbname hmn --host localhost --username hmn ./path/to/dumpfile
|
su hmn
|
||||||
|
cd ~
|
||||||
Reload the monit config:
|
/home/hmn/bin/hmn seedfile <I dunno man figure it out>
|
||||||
|
|
||||||
monit reload
|
|
||||||
|
|
||||||
Start up Caddy:
|
Start up Caddy:
|
||||||
|
|
||||||
monit start caddy
|
systemctl start caddy
|
||||||
|
|
||||||
Then run the deploy script:
|
Then run the deploy script:
|
||||||
|
|
||||||
|
|
|
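Review bot: Every checkpoint block records its checkpoint before the step runs (`savecheckpoint 10` is the line right after `if [ $checkpoint -lt 10 ]; then`, and likewise for 20 through 110), so a step that fails halfway is marked done and skipped on the next run, which is exactly the situation the checkpoint file exists for; move each `savecheckpoint N` to just before its `fi`. Inside the `sudo -u hmn bash -s <<'SCRIPT'` heredocs, `read` and `ssh -T git@gitssh.handmade.network` share stdin with the script bash is executing from, so the new retry loop's `read` may consume the next script line instead of waiting for the operator and the ssh call may swallow the rest of the heredoc; `read </dev/tty` and `ssh -n -T …` avoid both. The help text still carries a `Monit: ~/.monitrc` section although this hunk removes `monit` from the apt install list and drops the `monitrc` copy. Since the help text now directs a Cloudflare API token into `/home/caddy/Caddyfile`, the `cp` that creates that file (run as root, with a default umask) should be followed by `chown caddy:caddy /home/caddy/Caddyfile` and `chmod 600 /home/caddy/Caddyfile` so the token is not world-readable. The script continues beyond this hunk at both ends.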
@ -1,5 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
mkdir -p /home/hmn/log
|
|
||||||
nohup /home/hmn/hmn/hmn > /home/hmn/log/hmn.log 2>&1 &
|
|
||||||
echo $! > /home/hmn/hmn.pid
|
|
|
@ -1,3 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
kill $(cat /home/hmn/hmn.pid)
|
|