Add lots more server config

.gitignore

@@ -7,3 +7,5 @@ public/media/
 cinera/*/
 cinera/cinera.conf
 annotations/
+/hmn
+deploy.conf

cinera/cinera.conf.sample

@@ -1,12 +1,12 @@
-export CINERA_REPO_PATH=/home/handmade/src/handmade-dev/cinera/Annotation-System
+export CINERA_REPO_PATH=/home/hmn/hmn/cinera/Annotation-System
-export CINERA_HMML_PATH=/home/handmade/src/handmade-dev/cinera/cinera_handmade.network
+export CINERA_HMML_PATH=/home/hmn/hmn/cinera/cinera_handmade.network
-export CINERA_ASSETS_PATH=/home/handmade/src/handmade-dev/hmdev/static/annotations
+export CINERA_ASSETS_PATH=/home/hmn/hmn/public/annotations
-export CINERA_OUTPUT_PATH=/home/handmade/src/handmade-dev/annotations
+export CINERA_OUTPUT_PATH=/home/hmn/hmn/annotations
-export DOMAIN=handmade.local
+export DOMAIN=<handmade.network or whatever>
 export SCHEME=https
 export CINERA_MONIT_GROUP=cinera
-export CINERA_SCRIPT_PATH=/home/handmade/src/handmade-dev/cinera
+export CINERA_SCRIPT_PATH=/home/hmn/hmn/cinera
-export ANNOTATIONS_USER=handmade
+export ANNOTATIONS_USER=annotations
 
 # NOTE(asaf): Known-working version as of 2021-08-26
 export CINERA_VERSION=6da970d48ca2cee861b7fe2d8f4d7ed6ca9ccce1

cinera/setup.sh

@@ -9,4 +9,4 @@ fi
 ./update_cinera.sh
 ./update_annotations.sh
 
-[ -d "data" ] || mkdir data
+mkdir -p data

monitrc.sample

@@ -1,54 +0,0 @@
-SET DAEMON 5
-SET LOGFILE /var/log/monit.log
-SET STATEFILE /var/lib/monit/state
-SET HTTPD UNIXSOCKET /var/run/monit.sock
-    allow user:pass
-SET MAILSERVER
-    box.handmadedev.org
-    PORT 587
-    USERNAME "noreply@handmadedev.org"
-    PASSWORD "[FILL THIS IN]"
-    USING tlsv1
-SET MAIL-FORMAT {
-    from: noreply@handmadedev.org
-reply-to: noreply@handmadedev.org
- subject: $SERVICE $EVENT at $DATE
- message: Monit $ACTION $SERVICE at $DATE on $HOST: $DESCRIPTION
-}
-SET ALERT team@handmadedev.org only on { nonexist, instance }
-
-CHECK PROCESS beta_cinera PIDFILE /home/hmn-beta/srv/cinera/data/cinera.pid
-    GROUP cinera_beta
-    START PROGRAM = "/home/hmn-beta/srv/cinera/start.sh" AS UID "annotations"
-    STOP PROGRAM  = "/home/hmn-beta/srv/cinera/stop.sh"  AS UID "annotations"
-    MODE PASSIVE
-
-CHECK PROCESS live_cinera PIDFILE /home/hmn-live/srv/cinera/data/cinera.pid
-    GROUP cinera_live
-    START PROGRAM = "/home/hmn-live/srv/cinera/start.sh" AS UID "annotations"
-    STOP PROGRAM  = "/home/hmn-live/srv/cinera/stop.sh"  AS UID "annotations"
-    MODE PASSIVE
-
-CHECK PROCESS beta_discord_history PIDFILE /home/hmn-beta/discordhistory.pid
-    GROUP discord_history_beta
-    START PROGRAM = "/home/hmn-beta/start_discord_history.sh" AS UID "hmn-beta"
-    STOP PROGRAM = "/bin/bash -c '/bin/kill `/bin/cat /home/hmn-beta/discordhistory.pid`'"
-    MODE ACTIVE
-
-CHECK PROCESS beta_discord_bot PIDFILE /home/hmn-beta/discordbot.pid
-    GROUP discord_bot_beta
-    START PROGRAM = "/home/hmn-beta/start_discord_bot.sh" AS UID "hmn-beta"
-    STOP PROGRAM = "/bin/bash -c '/bin/kill `/bin/cat /home/hmn-beta/discordbot.pid`'"
-    MODE ACTIVE
-
-CHECK PROCESS live_discord_history PIDFILE /home/hmn-live/discordhistory.pid
-    GROUP discord_history_live
-    START PROGRAM = "/home/hmn-live/start_discord_history.sh" AS UID "hmn-live"
-    STOP PROGRAM = "/bin/bash -c '/bin/kill `/bin/cat /home/hmn-live/discordhistory.pid`'"
-    MODE ACTIVE
-
-CHECK PROCESS live_discord_bot PIDFILE /home/hmn-live/discordbot.pid
-    GROUP discord_bot_live
-    START PROGRAM = "/home/hmn-live/start_discord_bot.sh" AS UID "hmn-live"
-    STOP PROGRAM = "/bin/bash -c '/bin/kill `/bin/cat /home/hmn-live/discordbot.pid`'"
-    MODE ACTIVE

server/Caddyfile

@@ -0,0 +1,19 @@
+{
+    acme_dns cloudflare <CLOUDFLARE KEY>
+    order cgi last
+}
+
+<DOMAIN>, *.<DOMAIN> {
+    handle /public/* {
+        file_server {
+            root /home/hmn/hmn
+        }
+    }
+    handle {
+        reverse_proxy localhost:9001
+    }
+}
+
+srv.<DOMAIN>:8888 {
+    cgi /deploy /home/hmn/hmn/server/deploy_hook.sh <BRANCH>
+}

server/deploy.conf.example

@@ -0,0 +1 @@
+export GITLAB_SECRET=<GITLAB WEBHOOK SECRET>

server/deploy.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# This script should be called with the name
+# of the branch to deploy. ($1 will be the
+# branch name.)
+
+set -euo pipefail
+
+sudo -u hmn bash -s <<SCRIPT
+set -euo pipefail
+pushd /home/hmn/hmn
+    git fetch --all
+    git reset --hard $1
+    go build -o hmn src/main.go
+popd
+SCRIPT
+
+monit stop hmn
+sudo -u hmn bash -s <<'SCRIPT'
+set -euo pipefail
+/home/hmn/hmn/hmn migrate
+SCRIPT
+monit start hmn

server/deploy_hook.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -eo pipefail
+
+. /home/hmn/hmn/server/deploy.conf
+
+echo 'Content-Type: text/plain'
+echo ''
+
+if [[ "$HTTP_X_GITLAB_TOKEN" != "$GITLAB_SECRET" ]]; then
+    echo 'Not Authorized'
+    exit 1
+fi
+
+/home/hmn/hmn/server/deploy.sh $1

server/logrotate

@@ -0,0 +1,10 @@
+# This is a config file for the `logrotate` utility.
+# https://www.digitalocean.com/community/tutorials/how-to-manage-logfiles-with-logrotate-on-ubuntu-16-04
+/home/hmn/log/*.log {
+    daily
+    missingok
+    notifempty
+    rotate 30
+    compress
+    copytruncate
+}

server/monitrc

@@ -0,0 +1,37 @@
+SET DAEMON 5
+SET LOGFILE /var/log/monit.log
+SET STATEFILE /var/lib/monit/state
+SET HTTPD UNIXSOCKET /var/run/monit.sock
+    allow user:pass
+SET MAILSERVER
+    box.handmadedev.org
+    PORT 587
+    USERNAME "noreply@handmadedev.org"
+    PASSWORD "<EMAIL PASSWORD>"
+    USING tlsv1
+SET MAIL-FORMAT {
+    from: noreply@handmadedev.org
+reply-to: noreply@handmadedev.org
+ subject: $SERVICE $EVENT at $DATE
+ message: Monit $ACTION $SERVICE at $DATE on $HOST: $DESCRIPTION
+}
+SET ALERT team@handmadedev.org only on { nonexist, instance }
+
+CHECK PROCESS caddy PIDFILE /home/caddy/caddy.pid
+    GROUP caddy
+    START PROGRAM   = "/usr/bin/caddy start --config /home/caddy/Caddyfile --pidfile /home/caddy/caddy.pid" AS UID "caddy"
+    STOP PROGRAM    = "/usr/bin/caddy stop" AS UID "caddy"
+    RESTART PROGRAM = "/usr/bin/caddy reload --config /home/caddy/Caddyfile" AS UID "caddy"
+    MODE ACTIVE
+
+CHECK PROCESS hmn PIDFILE /home/hmn/hmn.pid
+    GROUP hmn
+    START PROGRAM = "/home/hmn/hmn/server/start.sh" AS UID "hmn"
+    STOP PROGRAM  = "/home/hmn/hmn/server/stop.sh"  AS UID "hmn"
+    MODE ACTIVE
+
+CHECK PROCESS cinera PIDFILE /home/hmn/hmn/cinera/data/cinera.pid
+    GROUP cinera
+    START PROGRAM = "/home/hmn/hmn/cinera/start.sh" AS UID "annotations"
+    STOP PROGRAM  = "/home/hmn/hmn/cinera/stop.sh"  AS UID "annotations"
+    MODE PASSIVE

server/serversetup.sh

@@ -0,0 +1,142 @@
+#!/bin/bash
+
+BLACK_BOLD=$'\e[1;30m'
+RESET=$'\e[0m'
+
+# Add swap space
+# https://www.digitalocean.com/community/tutorials/how-to-add-swap-space-on-ubuntu-20-04
+fallocate -l 1G /swapfile
+chmod 600 /swapfile
+mkswap /swapfile
+swapon /swapfile
+swapon --show
+echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
+sysctl vm.swappiness=10
+sysctl vm.vfs_cache_pressure=50
+echo 'vm.swappiness=10' >> /etc/sysctl.conf
+echo 'vm.vfs_cache_pressure=50' >> /etc/sysctl.conf
+
+# Configure Linux users
+groupadd --system caddy
+useradd --system \
+    --gid caddy \
+    --create-home --home-dir /home/caddy \
+    caddy
+groupadd --system hmn
+useradd --system \
+    --gid hmn \
+    --create-home --home-dir /home/hmn \
+    hmn
+groupadd --system annotations
+useradd --system \
+    --gid annotations \
+    --create-home --home-dir /home/annotations \
+    annotations
+
+# Install important stuff
+apt update
+apt install -y \
+    build-essential monit \
+    libcurl4-openssl-dev byacc flex
+
+# Install Go
+wget https://golang.org/dl/go1.17.linux-amd64.tar.gz
+tar -C /usr/local -xzf go1.17.linux-amd64.tar.gz
+echo 'PATH=$PATH:/usr/local/go/bin:/root/go/bin' >> ~/.profile
+source ~/.profile
+
+# Install Caddy
+# https://www.digitalocean.com/community/tutorials/how-to-host-a-website-with-caddy-on-ubuntu-18-04
+# (with modifications)
+go install github.com/caddyserver/xcaddy/cmd/xcaddy@v0.1.9
+xcaddy build \
+    --with github.com/caddy-dns/cloudflare \
+    --with github.com/aksdb/caddy-cgi/v2
+mv caddy /usr/bin
+chown root:root /usr/bin/caddy
+chmod 755 /usr/bin/caddy
+
+# Install Postgres
+# (instructions at https://www.postgresql.org/download/linux/ubuntu/)
+sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'
+wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -
+sudo apt-get update
+sudo apt-get -y install postgresql
+
+# Configure Postgres
+sudo -u postgres createuser --createdb --login --pwprompt hmn
+
+# Set up the folder structure, clone the repo
+sudo -u hmn bash -s <<'SCRIPT'
+cd ~
+mkdir log
+mkdir bin
+
+ssh-keygen -t ed25519 -C "beta-server" -N "" -f ~/.ssh/gitlab
+git config --global core.sshCommand "ssh -i ~/.ssh/gitlab"
+echo ""
+echo "Copy the following key and add it as a Deploy Key in the project in GitLab (https://git.handmade.network/hmn/hmn/-/settings/ci_cd#js-deploy-keys-settings):"
+cat ~/.ssh/gitlab.pub
+echo "Press enter to continue when you're done."
+read
+
+git clone git@gitssh.handmade.network:hmn/hmn.git
+SCRIPT
+
+# Copy config files to the right places
+cp /home/hmn/hmn/server/Caddyfile /home/caddy/Caddyfile
+cp /home/hmn/hmn/server/logrotate /etc/logrotate.d/hmn
+cp /home/hmn/hmn/server/monitrc ~/.monitrc
+cp /home/hmn/hmn/server/deploy.conf.example /home/hmn/hmn/server/deploy.conf
+cp /home/hmn/hmn/src/config/config.go.example /home/hmn/hmn/src/config/config.go
+cp /home/hmn/hmn/cinera/cinera.conf.sample /home/hmn/hmn/cinera/cinera.conf
+chmod 600 ~/.monitrc
+
+# TODO: Work this message in with all the others about config files you need to update
+echo "The Caddyfile has been written to the home folder. Please edit it and add the Cloudflare key so that the ACME challenge can pass."
+
+echo <<HELP
+Everything has been installed, but before you can run the site, you will need to edit several config files:
+
+${BLACK_BOLD}Caddy${RESET}: /home/caddy/Caddyfile
+
+    Add the Cloudflare key to allow the ACME challenge to succeed, and add the correct domains. (Don't forget to include both the normal and wildcard domains.)
+
+    Also, in the CGI config, add the name of the Git branch you would like to use when deploying.
+
+${BLACK_BOLD}Monit${RESET}: ~/.monitrc
+
+    Add the password for the email server.
+
+${BLACK_BOLD}Deploy Secret${RESET}: /home/hmn/hmn/server/deploy.conf
+
+    Fill in the secret value from the GitLab webhook.
+
+${BLACK_BOLD}Website${RESET}: /home/hmn/hmn/src/config/config.go
+
+    Fill out everything :)
+
+${BLACK_BOLD}Cinera${RESET}: /home/hmn/hmn/cinera/cinera.conf
+
+    Add the correct domain.
+
+
+${BLACK_BOLD}Next steps:${RESET}
+
+Restore a database backup:
+
+    pg_restore --single-transaction --dbname hmn --host localhost --username hmn ./path/to/dumpfile
+
+Reload the monit config:
+
+    monit reload
+
+Start up Caddy:
+
+    monit start caddy
+
+Then run the deploy script:
+
+    /home/hmn/hmn/server/deploy.sh
+
+HELP

server/start.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+mkdir -p /home/hmn/log
+nohup /home/hmn/hmn/hmn > /home/hmn/log/hmn.log 2>&1 &
+echo $! > /home/hmn/hmn.pid

server/stop.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+kill $(cat /home/hmn/hmn.pid)