| -rw-r--r-- | .github/workflows/deploy.yml | 26 | ||||
| -rw-r--r-- | .gitignore | 1 | ||||
| -rw-r--r-- | .gitmodules | 3 | ||||
| -rw-r--r-- | Makefile | 23 | ||||
| -rw-r--r-- | letsencrypt/lego/.gitignore | 2 | ||||
| -rw-r--r-- | letsencrypt/webroot/.well-known/acme-challenge/.gitignore | 2 | ||||
| -rw-r--r-- | mioproxy.local.hcl | 18 | ||||
| -rw-r--r-- | mioproxy.prod.hcl | 34 | ||||
| -rw-r--r-- | provisioning/.gitignore | 1 | ||||
| -rw-r--r-- | provisioning/recipe.rb | 110 | ||||
| -rwxr-xr-x | provisioning/run.sh | 30 | ||||
| m--------- | vhosts/t/albatross | 0 |
12 files changed, 250 insertions, 0 deletions
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
new file mode 100644
index 0000000..7087976
--- /dev/null
+++ b/.github/workflows/deploy.yml
@@ -0,0 +1,26 @@
+name: Deploy
+on:
+ push:
+ branches: [main]
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Deploy
+ uses: appleboy/ssh-action@cc051b07ed0666619f6ea5703319edf00d06be13
+ with:
+ key: ${{ secrets.SSH_KEY }}
+ host: ${{ secrets.SSH_HOST }}
+ username: ${{ secrets.SSH_USERNAME }}
+ port: ${{ secrets.SSH_PORT }}
+ script: |
+ set -e
+ cd nil.ninja
+ git fetch --prune origin
+ git restore -- .
+ git clean -fd
+ git switch -d origin/main
+ git submodule update --init
+ make deploy
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..88ee633
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/*.htpasswd
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..03f00fd
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "vhosts/t/albatross"]
+ path = vhosts/t/albatross
+ url = git@github.com:nsfisis/phperkaigi-2024-albatross.git
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..2b33341
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,23 @@
+.PHONY: all
+all: deploy
+
+.PHONY: deploy
+deploy: clean build serve
+
+.PHONY: provision
+provision:
+ sudo sh provisioning/run.sh
+
+.PHONY: build
+build:
+ cd vhosts/t/albatross; make -f Makefile.prod build
+
+.PHONY: serve
+serve:
+ sudo systemctl start mioproxy
+ cd vhosts/t/albatross; make -f Makefile.prod serve
+
+.PHONY: clean
+clean:
+ cd vhosts/t/albatross; make -f Makefile.prod clean
+ sudo systemctl stop mioproxy
diff --git a/letsencrypt/lego/.gitignore b/letsencrypt/lego/.gitignore
new file mode 100644
index 0000000..d6b7ef3
--- /dev/null
+++ b/letsencrypt/lego/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
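Review bot: `actions/checkout@v2` is pinned to a mutable tag while the ssh-action step two lines below is pinned to a full commit SHA, so the job carries two different trust policies for third-party actions — and since the deployment happens entirely inside the remote `script:`, nothing in this job reads the checkout at all. Either drop the checkout step or pin it the same way, `uses: actions/checkout@<full-sha>`. The workflow also declares no `permissions:`, so it runs with the repository's default `GITHUB_TOKEN` scope; adding `permissions: contents: read` at the top of the file bounds what a compromised action could do with that token. The remote `git clean -fd` deliberately keeps ignored files, which is what preserves the gitignored `*.htpasswd` and the `letsencrypt/lego` certificate directory across deploys; a comment such as `# -fd, not -fdx: ignored files hold the htpasswd and TLS material` would stop someone "fixing" it.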
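Review bot: The submodule URL is the SSH form `git@github.com:...`, so the `git submodule update --init` in the deploy script needs a private key with GitHub access to sit permanently on the production host. If the albatross repository is public (not determinable from this diff), `url = https://github.com/nsfisis/phperkaigi-2024-albatross.git` removes that standing credential from the server; if it is private, a read-only deploy key scoped to that single repository is the least-privilege option and is worth noting next to the URL.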
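Review bot: `deploy: clean build serve` stops mioproxy (the last line of `clean`) before `build` runs, so every push takes the proxy — including the ACME challenge path on :80 — down for the whole albatross build, and a failed build leaves it stopped because `serve` never runs. Unless albatross's `Makefile.prod clean` requires the proxy to be stopped (not visible here), `deploy: build clean serve`, or moving `sudo systemctl stop mioproxy` into `serve` immediately before the start, shrinks the outage to the swap itself. A comment noting that the `sudo systemctl ...` lines depend on the NOPASSWD sudoers entry documented at the bottom of provisioning/recipe.rb would also help the next person who provisions a host.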
diff --git a/letsencrypt/webroot/.well-known/acme-challenge/.gitignore b/letsencrypt/webroot/.well-known/acme-challenge/.gitignore
new file mode 100644
index 0000000..d6b7ef3
--- /dev/null
+++ b/letsencrypt/webroot/.well-known/acme-challenge/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
diff --git a/mioproxy.local.hcl b/mioproxy.local.hcl
new file mode 100644
index 0000000..ee7d06a
--- /dev/null
+++ b/mioproxy.local.hcl
@@ -0,0 +1,18 @@
+server http {
+ host = "127.0.0.1"
+ port = 8000
+
+ proxy albatross {
+ from {
+ path = "/x/albatross/"
+ }
+ to {
+ host = "127.0.0.1:8000"
+ port = 8001
+ }
+ auth basic {
+ realm = "Auth required /x/albatross/"
+ credential_file = "albatross.htpasswd"
+ }
+ }
+}
diff --git a/mioproxy.prod.hcl b/mioproxy.prod.hcl
new file mode 100644
index 0000000..fa712c4
--- /dev/null
+++ b/mioproxy.prod.hcl
@@ -0,0 +1,34 @@
+user = "ken"
+
+server http {
+ host = "0.0.0.0"
+ port = 80
+
+ redirect_to_https = true
+ acme_challenge {
+ root = "letsencrypt/webroot"
+ }
+}
+
+server https {
+ host = "0.0.0.0"
+ port = 443
+
+ tls_cert_file = "letsencrypt/lego/certificates/nil.ninja.crt"
+ tls_key_file = "letsencrypt/lego/certificates/nil.ninja.key"
+
+ proxy albatross {
+ from {
+ host = "t.nil.ninja"
+ path = "/phperkaigi/2024/golf/"
+ }
+ to {
+ host = "127.0.0.1"
+ port = 8001
+ }
+ auth basic {
+ realm = "Auth required albatross"
+ credential_file = "albatross.htpasswd"
+ }
+ }
+}
diff --git a/provisioning/.gitignore b/provisioning/.gitignore
new file mode 100644
index 0000000..69b8101
--- /dev/null
+++ b/provisioning/.gitignore
@@ -0,0 +1 @@
+/.bin
diff --git a/provisioning/recipe.rb b/provisioning/recipe.rb
new file mode 100644
index 0000000..99d935b
--- /dev/null
+++ b/provisioning/recipe.rb
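Review bot: The `to` block sets `host = "127.0.0.1:8000"` together with `port = 8001`, which disagrees with the prod config's `host = "127.0.0.1"` / `port = 8001` and looks like a copy of the server's own listen address. Depending on how mioproxy combines host and port this either targets port 8000 — the proxy itself, i.e. a loop — or fails to parse; change it to `host = "127.0.0.1"` so the two configs describe the same upstream.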
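Review bot: `tls_cert_file`, `tls_key_file` and both `credential_file` values are relative paths, so this config is only correct when mioproxy is started from the repository root — the systemd unit in provisioning/recipe.rb arranges that through `WorkingDirectory`, but nothing in this file says so, and the binary launched by hand from anywhere else will fail to find its key. A one-line comment at the top, `# paths are relative to the repo root; the systemd unit sets WorkingDirectory accordingly`, or absolute paths, makes the dependency explicit. `user = "ken"` also sits beside a unit that runs the binary as root; if that field means mioproxy drops to `ken` after binding 80/443 (not visible in this diff), the lego-written key and `albatross.htpasswd` must be readable by that user, and no resource in this change sets their owner or mode.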
@@ -0,0 +1,110 @@
+BIN_ROOT = ENV['BIN_ROOT'] || raise
+REPO_ROOT = ENV['REPO_ROOT'] || raise
+LEGO_VERSION = ENV['LEGO_VERSION'] || raise
+LEGO_ARCH = ENV['LEGO_ARCH'] || raise
+LEGO_CONF_EMAIL = ENV['LEGO_CONF_EMAIL'] || raise
+LEGO_CONF_WEBROOT = ENV['LEGO_CONF_WEBROOT'] || raise
+LEGO_CONF_PATH = ENV['LEGO_CONF_PATH'] || raise
+LEGO_CONF_DOMAINS = ENV['LEGO_CONF_DOMAINS'] || raise
+GOLANG_VERSION = ENV['GOLANG_VERSION'] || raise
+MIOPROXY_VERSION = ENV['MIOPROXY_VERSION'] || raise
+
+lego_tarball = "lego_#{LEGO_VERSION}_linux_#{LEGO_ARCH}.tar.gz"
+lego_tarball_url = "https://github.com/go-acme/lego/releases/download/#{LEGO_VERSION}/#{lego_tarball}"
+lego_conf_domains = LEGO_CONF_DOMAINS.split(',')
+lego_conf_primary_domain = lego_conf_domains.first || raise
+lego_run_cmdline = [
+ "#{BIN_ROOT}/lego",
+ '--accept-tos',
+ '--email', LEGO_CONF_EMAIL,
+ '--http',
+ '--path', LEGO_CONF_PATH,
+ *lego_conf_domains.map { ['--domains', _1] },
+ 'run',
+].join(' ')
+lego_renew_cmdline = [
+ "#{BIN_ROOT}/lego",
+ '--accept-tos',
+ '--email', LEGO_CONF_EMAIL,
+ '--http',
+ '--http.webroot', LEGO_CONF_WEBROOT,
+ '--path', LEGO_CONF_PATH,
+ *lego_conf_domains.map { ['--domains', _1] },
+ 'renew',
+ '--renew-hook', "'systemctl restart mioproxy'",
+].join(' ')
+
+http_request "#{BIN_ROOT}/lego.tar.gz" do
+ url lego_tarball_url
+end
+
+execute "tar xf #{BIN_ROOT}/lego.tar.gz -C #{BIN_ROOT}"
+
+file "#{BIN_ROOT}/CHANGELOG.md" do action :delete end
+file "#{BIN_ROOT}/LICENSE" do action :delete end
+file "#{BIN_ROOT}/lego.tar.gz" do action :delete end
+
+execute lego_run_cmdline do
+ not_if "test -f '#{LEGO_CONF_PATH}/certificates/#{lego_conf_primary_domain}.crt' -a -f '#{LEGO_CONF_PATH}/certificates/#{lego_conf_primary_domain}.key'"
+end
+
+execute "docker run --rm golang:#{GOLANG_VERSION} sh -c 'go install github.com/nsfisis/mioproxy@#{MIOPROXY_VERSION}; cat \"$(go env GOPATH)/bin/mioproxy\"' > #{BIN_ROOT}/mioproxy"
+
+file "#{BIN_ROOT}/mioproxy" do
+ mode '755'
+end
+
+file 
'/etc/systemd/system/mioproxy.service' do
+ content <<~EOS
+ [Unit]
+ Description=MioProxy
+
+ [Service]
+ ExecStart=#{BIN_ROOT}/mioproxy #{REPO_ROOT}/mioproxy.prod.hcl
+ Restart=always
+ User=root
+ Group=root
+ WorkingDirectory=#{REPO_ROOT}
+
+ [Install]
+ WantedBy=multi-user.target
+ EOS
+end
+
+service 'mioproxy.service' do
+ action [:enable, :start]
+end
+
+file '/etc/systemd/system/lego-renew.service' do
+ content <<~EOS
+ [Unit]
+ Description=Lego Renew
+
+ [Service]
+ Type=oneshot
+ ExecStart=#{lego_renew_cmdline}
+ User=root
+ Group=root
+ EOS
+end
+
+file '/etc/systemd/system/lego-renew.timer' do
+ content <<~EOS
+ [Unit]
+ Description=Lego Renew Timer
+
+ [Timer]
+ Persistent=true
+ OnCalendar=*-*-* 1:23
+ RandomizedDelaySec=1h
+
+ [Install]
+ WantedBy=timers.target
+ EOS
+end
+
+service 'lego-renew.timer' do
+ action [:enable, :start]
+end
+
+# ken ALL=(ALL:ALL) NOPASSWD: /usr/bin/systemctl status mioproxy, /usr/bin/systemctl start mioproxy, /usr/bin/systemctl stop mioproxy, /usr/bin/systemctl restart mioproxy
diff --git a/provisioning/run.sh b/provisioning/run.sh
new file mode 100755
index 0000000..5f8ade4
--- /dev/null
+++ b/provisioning/run.sh
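Review bot: The lego tarball is fetched with `http_request`, unpacked with `tar xf` and then executed as root with no integrity check on the download, whereas the mioproxy build goes through `go install` at a pinned version (which the Go module checksum database covers by default); a release asset has no such protection, so a substituted archive runs with full privileges on the host. Pin a digest next to the version, `LEGO_SHA256 = ENV['LEGO_SHA256'] || raise`, and verify it before the extract: `execute "echo '#{LEGO_SHA256}  #{BIN_ROOT}/lego.tar.gz' | sha256sum -c -"`. Separately, `lego run` and the `lego-renew.service` unit both run as root and write the private key under `#{LEGO_CONF_PATH}/certificates` inside the git checkout, but no `file` resource sets owner or mode on that directory; since mioproxy.prod.hcl configures `user = "ken"` while the unit here runs it as root, the intended reader of the key should be stated with a `file` resource carrying `owner`/`mode '600'` after the run step (or a comment confirming mioproxy reads the key before dropping privileges, if that is how it works).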
@@ -0,0 +1,30 @@
+set -eu
+
+this_dir="$(cd "$(dirname "$0")"; pwd)"
+export BIN_ROOT="${this_dir}/.bin"
+export REPO_ROOT="$(cd "${this_dir}/.."; pwd)"
+
+export MITAMAE_VERSION=v1.14.0
+export MITAMAE_ARCH=x86_64-linux
+export LEGO_VERSION=v4.14.2
+export LEGO_ARCH=amd64
+export LEGO_CONF_EMAIL=nsfisis@gmail.com
+export LEGO_CONF_WEBROOT="${REPO_ROOT}/letsencrypt/webroot"
+export LEGO_CONF_PATH="${REPO_ROOT}/letsencrypt/lego"
+export LEGO_CONF_DOMAINS="\
+nil.ninja,\
+t.nil.ninja"
+export GOLANG_VERSION=1.21.1
+export MIOPROXY_VERSION=v0.2.1
+
+mitamae_bin_url="https://github.com/itamae-kitchen/mitamae/releases/download/${MITAMAE_VERSION}/mitamae-${MITAMAE_ARCH}.tar.gz"
+
+rm -rf "${BIN_ROOT}"
+mkdir "${BIN_ROOT}"
+
+curl -L -o "${BIN_ROOT}/mitamae.tar.gz" "${mitamae_bin_url}"
+tar xf "${BIN_ROOT}/mitamae.tar.gz" -C "${BIN_ROOT}"
+mv "${BIN_ROOT}/mitamae-${MITAMAE_ARCH}" "${BIN_ROOT}/mitamae"
+rm -f '${BIN_ROOT}/mitamae.tar.gz'
+
+"${BIN_ROOT}/mitamae" local "${this_dir}/recipe.rb"
diff --git a/vhosts/t/albatross b/vhosts/t/albatross
new file mode 160000
+Subproject bba37a42b4fb3f122b00a5a035e66809ec552f5 |
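Review bot: `rm -f '${BIN_ROOT}/mitamae.tar.gz'` uses single quotes, so the variable is not expanded and the command tries to delete a file literally named `${BIN_ROOT}/mitamae.tar.gz`; the downloaded archive is never removed and `-f` hides the miss — it should read `rm -f "${BIN_ROOT}/mitamae.tar.gz"`. The download itself is a `curl -L` of a release asset that is then unpacked and run as root (the Makefile invokes this script via `sudo`) with no integrity check; pin a digest, e.g. `MITAMAE_SHA256=...` plus `echo "${MITAMAE_SHA256}  ${BIN_ROOT}/mitamae.tar.gz" | sha256sum -c -` before the `tar xf`, and add `--fail` to the curl call so an HTTP error page is not written out as the archive. The file is committed as mode 100755 but its first line is `set -eu` with no shebang, so it only works when invoked through `sh` as the Makefile does; add `#!/bin/sh` as line 1.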
