ss/sovereign-stack
ss/sovereign-stack
1
1
Fork 1
Code Releases Activity

Removed all AWS functionality. Big day.

Browse Source
This commit is contained in:
Derek Smith 2022-10-30 22:24:25 -04:00
parent e5164ebc7e
commit 08b158da09
Signed by: farscapian
GPG Key ID: 8F1CD799CCA516CC
11 changed files with 138 additions and 419 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
defaults.sh
View File

@ -21,42 +21,10 @@ export NOSTR_HOSTNAME="relay"
export SITE_LANGUAGE_CODES="en"
export NOSTR_ACCOUNT_PUBKEY=
# used by 'aws' deployments only; planned deprecation
export DDNS_PASSWORD=
# this is where the html is sourced from.
export SITE_HTML_PATH=
export BTCPAY_ADDITIONAL_HOSTNAMES=
# enter your AWS Access Key and Secret Access Key here.
export AWS_ACCESS_KEY=
export AWS_SECRET_ACCESS_KEY=
# if overridden, the app will be deployed to proxy $BTCPAY_HOSTNAME.$DOMAIN_NAME requests to the URL specified.
# this is useful when you want to oursource your BTCPAY fullnode/lightning node.
#export BTCPAY_HANDLER_URL=
export SMTP_SERVER="smtp.mailgun.org"
export SMTP_PORT="587"
# default AWS region and AMI (free-tier AMI ubuntu 20.10)
export AWS_REGION="us-east-1"
# AMI NAME:
# ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20220420
export AWS_AMI_ID="ami-09d56f8956ab235b3"
WWW_INSTANCE_TYPE="t2.small"
BTCPAY_INSTANCE_TYPE="t2.medium"
# goal will be to keep any particular instance to run AT OR BELOW t2.medium.
# other options are t2.small, micro, nano; micro is the free-tier eligible.
# [1=vCPUs, 1=Mem(GiB)]
# nano [1,0.5], micro [1,1] (free-tier eligible), small [1,2], medium [2,4], large [2,8], xlarge [4,16], 2xlarge [8,32]
export WWW_INSTANCE_TYPE="$WWW_INSTANCE_TYPE"
export BTCPAY_INSTANCE_TYPE="$BTCPAY_INSTANCE_TYPE"
export GHOST_MYSQL_PASSWORD=
export GHOST_MYSQL_ROOT_PASSWORD=
export NEXTCLOUD_MYSQL_PASSWORD=
@ -90,15 +58,6 @@ export NEXTCLOUD_SPACE_GB=10
# exit 1
# fi
# TODO
# 1 add check for ~/.aws/credentials and stub one out
# 2 ensure install.sh has been run by checking for tor, docker-machine, lxd, wait-for-it, etc.
# 3 pretty much just run the install script if anything is awry
# 4 maybe check to ensure all the CNAME and A+ records are there first so we can quit before machine creation.
BTC_CHAIN=regtest
export BTC_CHAIN="$BTC_CHAIN"

262
deploy.sh
View File

@ -13,9 +13,7 @@ check_dependencies () {
}
# Check system's dependencies
check_dependencies wait-for-it dig rsync sshfs lxc docker-machine
# TODO remove dependency on Docker-machine. That's what we use to provision VM on 3rd party vendors. Looking for LXD endpoint.
check_dependencies wait-for-it dig rsync sshfs lxc
# let's check to ensure the management machine is on the Baseline ubuntu 21.04
if ! lsb_release -d | grep -q "Ubuntu 22.04"; then
@ -24,7 +22,6 @@ if ! lsb_release -d | grep -q "Ubuntu 22.04"; then
fi
DOMAIN_NAME=
VPS_HOSTING_TARGET=lxd
RUN_CERT_RENEWAL=true
SKIP_WWW=false
RESTORE_WWW=false
@ -45,10 +42,6 @@ STOP_SERVICES=false
# grab any modifications from the command line.
for i in "$@"; do
case $i in
--aws)
VPS_HOSTING_TARGET=aws
shift
;;
--restore-www)
RESTORE_WWW=true
BACKUP_APPS=false
@ -146,17 +139,6 @@ export BACKUP_BTCPAY="$BACKUP_BTCPAY"
export MIGRATE_WWW="$MIGRATE_WWW"
export MIGRATE_BTCPAY="$MIGRATE_BTCPAY"
export RUN_CERT_RENEWAL="$RUN_CERT_RENEWAL"
if [ "$VPS_HOSTING_TARGET" = aws ]; then
if [ -z "$DOMAIN_NAME" ]; then
echo "ERROR: Please specify a domain name with --domain= when using --aws."
exit 1
fi
CLUSTER_NAME="docker-machine"
fi
export CLUSTER_NAME="$CLUSTER_NAME"
export CLUSTER_PATH="$CLUSTERS_DIR/$CLUSTER_NAME"
@ -173,27 +155,27 @@ if [ ! -f "$CLUSTER_PATH/authorized_keys" ]; then
exit 1
fi
if [ "$VPS_HOSTING_TARGET" = lxd ]; then
CLUSTER_DEFINITION="$CLUSTER_PATH/cluster_definition"
export CLUSTER_DEFINITION="$CLUSTER_DEFINITION"
#########################################
if [ ! -f "$CLUSTER_DEFINITION" ]; then
echo "ERROR: The cluster defintion could not be found. You may need to re-run 'ss-cluster create'."
exit 1
fi
source "$CLUSTER_DEFINITION"
CLUSTER_DEFINITION="$CLUSTER_PATH/cluster_definition"
export CLUSTER_DEFINITION="$CLUSTER_DEFINITION"
###########################3
# # This section is done to the management machine. We deploy a registry pull through cache on port 5000
# if ! docker volume list | grep -q registry_data; then
# docker volume create registry_data
# fi
#########################################
if [ ! -f "$CLUSTER_DEFINITION" ]; then
echo "ERROR: The cluster defintion could not be found. You may need to re-run 'ss-cluster create'."
exit 1
fi
source "$CLUSTER_DEFINITION"
# if the registry URL isn't defined, then we just use the upstream dockerhub.
# recommended to run a registry cache on your management machine though.
if [ -n "$REGISTRY_URL" ]; then
###########################3
# # This section is done to the management machine. We deploy a registry pull through cache on port 5000
# if ! docker volume list | grep -q registry_data; then
# docker volume create registry_data
# fi
# if the registry URL isn't defined, then we just use the upstream dockerhub.
# recommended to run a registry cache on your management machine though.
if [ -n "$REGISTRY_URL" ]; then
cat > "$CLUSTER_PATH/registry.yml" <<EOL
version: 0.1
@ -207,22 +189,22 @@ proxy:
password: ${REGISTRY_PASSWORD}
EOL
# enable docker swarm mode so we can support docker stacks.
if docker info | grep -q "Swarm: inactive"; then
docker swarm init
fi
# enable docker swarm mode so we can support docker stacks.
if docker info | grep -q "Swarm: inactive"; then
docker swarm init
fi
mkdir -p "${CACHES_DIR}/registry_images"
mkdir -p "${CACHES_DIR}/registry_images"
# run a docker registry pull through cache on the management machine.
if [ "$DEPLOY_MGMT_REGISTRY" = true ]; then
if ! docker stack list | grep -q registry; then
docker stack deploy -c management/registry_mirror.yml registry
fi
# run a docker registry pull through cache on the management machine.
if [ "$DEPLOY_MGMT_REGISTRY" = true ]; then
if ! docker stack list | grep -q registry; then
docker stack deploy -c management/registry_mirror.yml registry
fi
fi
fi
# this is our password generation mechanism. Relying on GPG for secure password generation
function new_pass {
gpg --gen-random --armor 1 25
@ -231,7 +213,6 @@ function new_pass {
function instantiate_vms {
export VPS_HOSTING_TARGET="$VPS_HOSTING_TARGET"
export BTC_CHAIN="$BTC_CHAIN"
export UPDATE_BTCPAY="$UPDATE_BTCPAY"
export RECONFIGURE_BTCPAY_SERVER="$RECONFIGURE_BTCPAY_SERVER"
@ -254,30 +235,30 @@ function instantiate_vms {
exit 1
fi
if [ "$VPS_HOSTING_TARGET" = lxd ]; then
# first let's get the DISK_TO_USE and DATA_PLANE_MACVLAN_INTERFACE from the ss-config
# which is set up during LXD cluster creation ss-cluster.
LXD_SS_CONFIG_LINE=
if lxc network list --format csv | grep lxdbrSS | grep ss-config; then
LXD_SS_CONFIG_LINE="$(lxc network list --format csv | grep lxdbrSS | grep ss-config)"
fi
if [ -z "$LXD_SS_CONFIG_LINE" ]; then
echo "ERROR: the MACVLAN interface has not been specified. You may need to run ss-cluster again."
exit 1
fi
CONFIG_ITEMS="$(echo "$LXD_SS_CONFIG_LINE" | awk -F'"' '{print $2}')"
DATA_PLANE_MACVLAN_INTERFACE="$(echo "$CONFIG_ITEMS" | cut -d ',' -f2)"
DISK_TO_USE="$(echo "$CONFIG_ITEMS" | cut -d ',' -f3)"
export DATA_PLANE_MACVLAN_INTERFACE="$DATA_PLANE_MACVLAN_INTERFACE"
export DISK_TO_USE="$DISK_TO_USE"
./deployment/create_lxc_base.sh
# first let's get the DISK_TO_USE and DATA_PLANE_MACVLAN_INTERFACE from the ss-config
# which is set up during LXD cluster creation ss-cluster.
LXD_SS_CONFIG_LINE=
if lxc network list --format csv | grep lxdbrSS | grep ss-config; then
LXD_SS_CONFIG_LINE="$(lxc network list --format csv | grep lxdbrSS | grep ss-config)"
fi
if [ -z "$LXD_SS_CONFIG_LINE" ]; then
echo "ERROR: the MACVLAN interface has not been specified. You may need to run ss-cluster again."
exit 1
fi
CONFIG_ITEMS="$(echo "$LXD_SS_CONFIG_LINE" | awk -F'"' '{print $2}')"
DATA_PLANE_MACVLAN_INTERFACE="$(echo "$CONFIG_ITEMS" | cut -d ',' -f2)"
DISK_TO_USE="$(echo "$CONFIG_ITEMS" | cut -d ',' -f3)"
export DATA_PLANE_MACVLAN_INTERFACE="$DATA_PLANE_MACVLAN_INTERFACE"
export DISK_TO_USE="$DISK_TO_USE"
./deployment/create_lxc_base.sh
export MAC_ADDRESS_TO_PROVISION=
export VPS_HOSTNAME="$VPS_HOSTNAME"
export FQDN="$VPS_HOSTNAME.$DOMAIN_NAME"
@ -333,22 +314,9 @@ function instantiate_vms {
export MAC_ADDRESS_TO_PROVISION="$MAC_ADDRESS_TO_PROVISION"
export BTCPAY_LOCAL_BACKUP_PATH="$SITE_PATH/backups/btcpayserver/$BACKUP_TIMESTAMP"
export BTCPAY_LOCAL_BACKUP_ARCHIVE_PATH="$BTCPAY_LOCAL_BACKUP_PATH/$UNIX_BACKUP_TIMESTAMP.tar.gz"
# This next section of if statements is our sanity checking area.
if [ "$VPS_HOSTING_TARGET" = aws ]; then
# we require DDNS on AWS to set the public DNS to the right host.
if [ -z "$DDNS_PASSWORD" ]; then
echo "ERROR: Ensure DDNS_PASSWORD is configured in your site_definition."
exit 1
fi
fi
MACHINE_EXISTS=false
if [ "$VPS_HOSTING_TARGET" = aws ] && docker-machine ls -q | grep -q "$FQDN"; then
MACHINE_EXISTS=true
fi
if [ "$VPS_HOSTING_TARGET" = lxd ] && lxc list --format csv | grep -q "$FQDN"; then
if lxc list --format csv | grep -q "$FQDN"; then
MACHINE_EXISTS=true
fi
@ -364,18 +332,7 @@ function instantiate_vms {
./deployment/deploy_vms.sh
# delete the remote VPS.
if [ "$VPS_HOSTING_TARGET" = aws ]; then
RESPONSE=
read -r -p "Do you want to continue with deleting '$FQDN' (y/n)": RESPONSE
if [ "$RESPONSE" = y ]; then
docker-machine rm -f "$FQDN"
else
echo "STOPPING the migration. User entered something other than 'y'."
exit 1
fi
elif [ "$VPS_HOSTING_TARGET" = lxd ]; then
lxc delete --force "$LXD_VM_NAME"
fi
lxc delete --force "$LXD_VM_NAME"
# Then we run the script again to re-instantiate a new VPS, restoring all user data
# if restore directory doesn't exist, then we end up with a new site.
@ -493,74 +450,65 @@ EOL
source "$PROJECT_DEFINITION_PATH"
}
# let's iterate over the user-supplied domain list and provision each domain.
if [ "$VPS_HOSTING_TARGET" = lxd ]; then
CURRENT_PROJECT="$(lxc info | grep "project:" | awk '{print $2}')"
PROJECT_PATH="$PROJECTS_DIR/$PROJECT_NAME"
mkdir -p "$PROJECT_PATH" "$CLUSTER_PATH/projects"
export PROJECT_PATH="$PROJECT_PATH"
# create a symlink from ./clusterpath/projects/project
if [ ! -d "$CLUSTER_PATH/projects/$PROJECT_NAME" ]; then
ln -s "$PROJECT_PATH" "$CLUSTER_PATH/projects/$PROJECT_NAME"
CURRENT_PROJECT="$(lxc info | grep "project:" | awk '{print $2}')"
PROJECT_PATH="$PROJECTS_DIR/$PROJECT_NAME"
mkdir -p "$PROJECT_PATH" "$CLUSTER_PATH/projects"
export PROJECT_PATH="$PROJECT_PATH"
# create a symlink from ./clusterpath/projects/project
if [ ! -d "$CLUSTER_PATH/projects/$PROJECT_NAME" ]; then
ln -s "$PROJECT_PATH" "$CLUSTER_PATH/projects/$PROJECT_NAME"
fi
# check if we need to provision a new lxc project.
if [ "$PROJECT_NAME" != "$CURRENT_PROJECT" ]; then
if ! lxc project list | grep -q "$PROJECT_NAME"; then
echo "INFO: The lxd project specified in the cluster_definition did not exist. We'll create one!"
lxc project create "$PROJECT_NAME"
fi
# check if we need to provision a new lxc project.
if [ "$PROJECT_NAME" != "$CURRENT_PROJECT" ]; then
if ! lxc project list | grep -q "$PROJECT_NAME"; then
echo "INFO: The lxd project specified in the cluster_definition did not exist. We'll create one!"
lxc project create "$PROJECT_NAME"
fi
echo "INFO: switch to lxd project '$PROJECT_NAME'."
lxc project switch "$PROJECT_NAME"
fi
# stub out the project definition if needed.
stub_project_definition
# the DOMAIN_LIST is a complete list of all our domains. We often iterate over this list.
export DOMAIN_LIST="${PRIMARY_DOMAIN},${OTHER_SITES_LIST}"
export DOMAIN_COUNT=$(("$(echo $DOMAIN_LIST | tr -cd , | wc -c)"+1))
echo "INFO: switch to lxd project '$PROJECT_NAME'."
lxc project switch "$PROJECT_NAME"
# let's provision our primary domain first.
export DOMAIN_NAME="$PRIMARY_DOMAIN"
fi
# we deploy the WWW and btcpay server under the PRIMARY_DOMAIN.
export DEPLOY_WWW_SERVER=true
export DEPLOY_BTCPAY_SERVER=true
# stub out the project definition if needed.
stub_project_definition
# the DOMAIN_LIST is a complete list of all our domains. We often iterate over this list.
export DOMAIN_LIST="${PRIMARY_DOMAIN},${OTHER_SITES_LIST}"
export DOMAIN_COUNT=$(("$(echo $DOMAIN_LIST | tr -cd , | wc -c)"+1))
# let's provision our primary domain first.
export DOMAIN_NAME="$PRIMARY_DOMAIN"
# we deploy the WWW and btcpay server under the PRIMARY_DOMAIN.
export DEPLOY_WWW_SERVER=true
export DEPLOY_BTCPAY_SERVER=true
export SITE_PATH="$SITES_PATH/$DOMAIN_NAME"
export PRIMARY_WWW_FQDN="$WWW_HOSTNAME.$DOMAIN_NAME"
stub_site_definition
# bring the vms up under the primary domain name.
instantiate_vms
# let's stub out the rest of our site definitions, if any.
for DOMAIN_NAME in ${OTHER_SITES_LIST//,/ }; do
export DOMAIN_NAME="$DOMAIN_NAME"
export SITE_PATH="$SITES_PATH/$DOMAIN_NAME"
export PRIMARY_WWW_FQDN="$WWW_HOSTNAME.$DOMAIN_NAME"
# stub out the site_defition if it's doesn't exist.
stub_site_definition
# bring the vms up under the primary domain name.
instantiate_vms
done
# let's stub out the rest of our site definitions, if any.
for DOMAIN_NAME in ${OTHER_SITES_LIST//,/ }; do
export DOMAIN_NAME="$DOMAIN_NAME"
export SITE_PATH="$SITES_PATH/$DOMAIN_NAME"
# now let's run the www and btcpay-specific provisioning scripts.
if [ "$SKIP_WWW" = false ]; then
bash -c "./deployment/www/go.sh"
fi
# stub out the site_defition if it's doesn't exist.
stub_site_definition
done
# now let's run the www and btcpay-specific provisioning scripts.
if [ "$SKIP_WWW" = false ]; then
bash -c "./deployment/www/go.sh"
fi
if [ "$SKIP_BTCPAY" = false ]; then
bash -c "./deployment/btcpayserver/go.sh"
fi
elif [ "$VPS_HOSTING_TARGET" = aws ]; then
stub_site_definition
# if we're on AWS, we can just provision each system separately.
run_domain
fi
if [ "$SKIP_BTCPAY" = false ]; then
bash -c "./deployment/btcpayserver/go.sh"
fi

11
deployment/btcpayserver/go.sh
View File

@ -59,14 +59,7 @@ if [ "$RUN_SERVICES" = true ]; then
fi
if [ "$OPEN_URL" = true ]; then
if [ "$VPS_HOSTING_TARGET" = lxd ]; then
if wait-for-it -t 5 "$PRIMARY_WWW_FQDN:80"; then
xdg-open "http://$PRIMARY_WWW_FQDN" > /dev/null 2>&1
fi
else
if wait-for-it -t 5 "$FQDN:443"; then
xdg-open "https://$FQDN" > /dev/null 2>&1
fi
if wait-for-it -t 5 "$PRIMARY_WWW_FQDN:80"; then
xdg-open "http://$PRIMARY_WWW_FQDN" > /dev/null 2>&1
fi
fi

34
deployment/deploy_vms.sh
View File

@ -43,31 +43,19 @@ function prepare_host {
}
# when set to true, this flag indicates that a new VPS was created during THIS script run.
if [ "$VPS_HOSTING_TARGET" = aws ]; then
# let's create the remote VPS if needed.
if ! docker-machine ls -q --filter name="$FQDN" | grep -q "$FQDN"; then
ssh-keygen -f "$SSH_HOME/known_hosts" -R "$FQDN"
./provision_vps.sh
# if the machine doesn't exist, we create it.
if ! lxc list --format csv | grep -q "$LXD_VM_NAME"; then
prepare_host
fi
elif [ "$VPS_HOSTING_TARGET" = lxd ]; then
ssh-keygen -f "$SSH_HOME/known_hosts" -R "$FQDN"
# if the machine doesn't exist, we create it.
if ! lxc list --format csv | grep -q "$LXD_VM_NAME"; then
# create a base image if needed and instantiate a VM.
if [ -z "$MAC_ADDRESS_TO_PROVISION" ]; then
echo "ERROR: You MUST define a MAC Address for all your machines by setting WWW_SERVER_MAC_ADDRESS, BTCPAYSERVER_MAC_ADDRESS in your site defintion."
echo "INFO: IMPORTANT! You MUST have DHCP Reservations for these MAC addresses. You also need records established the DNS."
exit 1
fi
./provision_lxc.sh
# create a base image if needed and instantiate a VM.
if [ -z "$MAC_ADDRESS_TO_PROVISION" ]; then
echo "ERROR: You MUST define a MAC Address for all your machines by setting WWW_SERVER_MAC_ADDRESS, BTCPAYSERVER_MAC_ADDRESS in your site defintion."
echo "INFO: IMPORTANT! You MUST have DHCP Reservations for these MAC addresses. You also need records established the DNS."
exit 1
fi
prepare_host
./provision_lxc.sh
fi
prepare_host

41
deployment/provision_lxc.sh
View File

@ -5,39 +5,6 @@ cd "$(dirname "$0")"
./stub_lxc_profile.sh "$LXD_VM_NAME"
function run_ddns {
# now that the VM has an IP, we can update the DNS record. TODO add additional DNS providers here; namecheap only atm.
DDNS_STRING="$VPS_HOSTNAME"
if [ "$VPS_HOSTNAME" = www ]; then
# next update our DDNS record. TODO enable local/remote name provider.
DDNS_STRING="@"
fi
# if the DNS record is incorrect, we run DDNS to get it corrected yo.
if "$(getent hosts "$FQDN" | awk '{ print $1 }')" != "$IP_V4_ADDRESS"; then
curl "https://dynamicdns.park-your-domain.com/update?host=$DDNS_STRING&domain=$DOMAIN_NAME&password=$DDNS_PASSWORD&ip=$IP_V4_ADDRESS"
DDNS_SLEEP_SECONDS=60
while true; do
# we test the www CNAME here so we can be assured the underlying has corrected.
if [[ "$(getent hosts "$FQDN" | awk '{ print $1 }')" == "$IP_V4_ADDRESS" ]]; then
echo ""
echo "SUCCESS: The DNS appears to be configured correctly."
# we're waiting here to allow dns records to stale out.
# this is necessary for certificate renewal; letsencrypt might have stale records
echo "INFO: Waiting $DDNS_SLEEP_SECONDS seconds to allow cached DNS records to expire."
sleep "$DDNS_SLEEP_SECONDS";
break;
fi
printf "." && sleep 2;
done
fi
}
# now let's create a new VM to work with.
lxc init --profile="$LXD_VM_NAME" "$VM_NAME" "$LXD_VM_NAME" --vm
@ -49,11 +16,3 @@ lxc config device override "$LXD_VM_NAME" root size="${ROOT_DISK_SIZE_GB}GB"
lxc start "$LXD_VM_NAME"
./wait_for_lxc_ip.sh "$LXD_VM_NAME"
if [ "$VPS_HOSTING_TARGET" = aws ]; then
run_ddns
# remove any existing SSH identities for the host, then add it back.
ssh-keygen -R "$IP_V4_ADDRESS"
fi

84
deployment/provision_vps.sh
View File

@ -1,84 +0,0 @@
#!/bin/bash
set -eu
cd "$(dirname "$0")"
if [ ! -f "$HOME/.aws/credentials" ]; then
# TODO write a credential file baseline
echo "ERROR: Please update your '$HOME/.aws/credentials' file before continuing."
mkdir -p "$HOME/.aws"
touch "$HOME/.aws/credentials"
# stub out a site_definition with new passwords.
cat >"$HOME/.aws/credentials" <<EOL
#!/bin/bash
# enter your AWS Access Key and Secret Access Key here.
export AWS_ACCESS_KEY=
export AWS_SECRET_ACCESS_KEY=
EOL
exit 1
fi
source "$HOME/.aws/credentials"
if [ -z "$AWS_ACCESS_KEY" ]; then
echo "ERROR: AWS_ACCESS_KEY is not set."
exit 1
fi
if [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
echo "ERROR: AWS_SECRET_ACCESS_KEY is not set."
exit 1
fi
# Note, we assume the script has already made sure the machine doesn't exist.
if [ "$VIRTUAL_MACHINE" = www ] || [ "$VIRTUAL_MACHINE" = certonly ]; then
# creates a public VM in AWS and provisions the bcm website.
docker-machine create --driver amazonec2 \
--amazonec2-open-port 80 \
--amazonec2-open-port 443 \
--amazonec2-access-key "$AWS_ACCESS_KEY" \
--amazonec2-secret-key "$AWS_SECRET_ACCESS_KEY" \
--amazonec2-region "$AWS_REGION" \
--amazonec2-ami "$AWS_AMI_ID" \
--amazonec2-root-size "$ROOT_DISK_SIZE_GB" \
--amazonec2-instance-type "$WWW_INSTANCE_TYPE" \
"$FQDN"
# --engine-label commit="$LATEST_GIT_COMMIT" \
elif [ "$VIRTUAL_MACHINE" = btcpayserver ]; then
# creates a public VM in AWS and provisions the bcm website.
docker-machine create --driver amazonec2 \
--amazonec2-open-port 80 \
--amazonec2-open-port 443 \
--amazonec2-open-port 9735 \
--amazonec2-access-key "$AWS_ACCESS_KEY" \
--amazonec2-secret-key "$AWS_SECRET_ACCESS_KEY" \
--amazonec2-region "$AWS_REGION" \
--amazonec2-ami "$AWS_AMI_ID" \
--amazonec2-root-size "$ROOT_DISK_SIZE_GB" \
--amazonec2-instance-type "$BTCPAY_INSTANCE_TYPE" \
"$FQDN"
# --engine-label commit="$LATEST_GIT_COMMIT" \
fi
docker-machine scp "$CLUSTER_PATH/authorized_keys" "$FQDN:$REMOTE_HOME/authorized_keys"
docker-machine ssh "$FQDN" "cat $REMOTE_HOME/authorized_keys >> $REMOTE_HOME/.ssh/authorized_keys"
# we have to ensure ubuntu is able to do sudo less docker commands.
docker-machine ssh "$FQDN" sudo usermod -aG docker ubuntu
# we restart so dockerd starts with fresh group membership.
docker-machine ssh "$FQDN" sudo systemctl restart docker
# TODO INSTALL DOCKER COMPOSE
# let's wire up the DNS so subsequent ssh commands resolve to the VPS.
./run_ddns.sh
# remove the SSH hostname from known_hosts as we'll
# todo why do we need this again?
ssh-keygen -f "$SSH_HOME/known_hosts" -R "$FQDN"

9
deployment/run_ddns.sh
View File

@ -13,15 +13,6 @@ fi
# wait for DNS to get setup. Pass in the IP address of the actual VPS.
MACHINE_IP="$(docker-machine ip "$FQDN")"
if [ "$VPS_HOSTING_TARGET" = aws ]; then
# wire DNS entries using namecheap DDNS API (via HTTPS rather than ddclient)
curl "https://dynamicdns.park-your-domain.com/update?host=$DDNS_STRING&domain=$DOMAIN_NAME&password=$DDNS_PASSWORD&ip=$MACHINE_IP"
#install dependencies.
docker-machine ssh "$FQDN" sudo apt-get -qq install -y wait-for-it git rsync duplicity sshfs
fi
DDNS_SLEEP_SECONDS=60
while true; do
# we test the www CNAME here so we can be assured the underlying has corrected.

63
deployment/www/generate_certs.sh
View File

@ -6,53 +6,28 @@ set -e
# let's do a refresh of the certificates. Let's Encrypt will not run if it's not time.
docker pull certbot/certbot:latest
# when deploying to AWS, www exists on a separate IP address from btcpay, etc.
# thus, we structure the certificate accordingly.
if [ "$VPS_HOSTING_TARGET" = aws ]; then
# iterate over each domain and call certbot
for DOMAIN_NAME in ${DOMAIN_LIST//,/ }; do
export DOMAIN_NAME="$DOMAIN_NAME"
export SITE_PATH="$SITES_PATH/$DOMAIN_NAME"
# source the site path so we know what features it has.
source ../../reset_env.sh
source "$SITE_PATH/site_definition"
source ../../domain_env.sh
# with the lxd side, we are trying to expose ALL OUR services from one IP address, which terminates
# at a cachehing reverse proxy that runs nginx.
ssh "$PRIMARY_WWW_FQDN" sudo mkdir -p "$REMOTE_HOME/letsencrypt/$DOMAIN_NAME/_logs"
docker run -it --rm \
--name certbot \
-p 80:80 \
-p 443:443 \
-v "$REMOTE_HOME/letsencrypt":/etc/letsencrypt \
-v "$REMOTE_HOME/letsencrypt/$DOMAIN_NAME":/etc/letsencrypt \
-v /var/lib/letsencrypt:/var/lib/letsencrypt \
-v "$REMOTE_HOME/letsencrypt_logs":/var/log/letsencrypt \
certbot/certbot certonly -v --noninteractive --agree-tos --key-type ecdsa --standalone --expand -d "$DOMAIN_NAME" -d "$FQDN" -d "$NEXTCLOUD_FQDN" -d "$GITEA_FQDN" --email "$CERTIFICATE_EMAIL_ADDRESS"
-v "$REMOTE_HOME/letsencrypt/$DOMAIN_NAME/_logs":/var/log/letsencrypt \
certbot/certbot certonly -v --noninteractive --agree-tos --key-type ecdsa --standalone --expand -d "$DOMAIN_NAME" -d "$WWW_FQDN" -d "$BTCPAY_USER_FQDN" -d "$NEXTCLOUD_FQDN" -d "$GITEA_FQDN" -d "$NOSTR_FQDN" --email "$CERTIFICATE_EMAIL_ADDRESS"
elif [ "$VPS_HOSTING_TARGET" = lxd ]; then
# with the lxd side, we are trying to expose ALL OUR services from one IP address, which terminates
# at a cachehing reverse proxy that runs nginx.
# docker run -it --rm \
# --name certbot \
# -p 80:80 \
# -p 443:443 \
# -v "$REMOTE_HOME/letsencrypt":/etc/letsencrypt \
# -v /var/lib/letsencrypt:/var/lib/letsencrypt \
# -v "$REMOTE_HOME/letsencrypt_logs":/var/log/letsencrypt \
# certbot/certbot certonly -v --noninteractive --agree-tos --key-type ecdsa --standalone --expand -d "$DOMAIN_NAME" -d "$PRIMARY_WWW_FQDN" -d "$BTCPAY_USER_FQDN" -d "$NEXTCLOUD_FQDN" -d "$GITEA_FQDN" -d "$NOSTR_FQDN" --email "$CERTIFICATE_EMAIL_ADDRESS"
for DOMAIN_NAME in ${DOMAIN_LIST//,/ }; do
export DOMAIN_NAME="$DOMAIN_NAME"
export SITE_PATH="$SITES_PATH/$DOMAIN_NAME"
# source the site path so we know what features it has.
source ../../reset_env.sh
source "$SITE_PATH/site_definition"
source ../../domain_env.sh
# with the lxd side, we are trying to expose ALL OUR services from one IP address, which terminates
# at a cachehing reverse proxy that runs nginx.
ssh "$PRIMARY_WWW_FQDN" sudo mkdir -p "$REMOTE_HOME/letsencrypt/$DOMAIN_NAME/_logs"
docker run -it --rm \
--name certbot \
-p 80:80 \
-p 443:443 \
-v "$REMOTE_HOME/letsencrypt/$DOMAIN_NAME":/etc/letsencrypt \
-v /var/lib/letsencrypt:/var/lib/letsencrypt \
-v "$REMOTE_HOME/letsencrypt/$DOMAIN_NAME/_logs":/var/log/letsencrypt \
certbot/certbot certonly -v --noninteractive --agree-tos --key-type ecdsa --standalone --expand -d "$DOMAIN_NAME" -d "$WWW_FQDN" -d "$BTCPAY_USER_FQDN" -d "$NEXTCLOUD_FQDN" -d "$GITEA_FQDN" -d "$NOSTR_FQDN" --email "$CERTIFICATE_EMAIL_ADDRESS"
done
fi
done

2
deployment/www/stop_docker_stacks.sh
View File

@ -59,7 +59,7 @@ if docker stack list --format "{{.Name}}" | grep -q reverse-proxy; then
# wait for all docker containers to stop.
# TODO see if there's a way to check for this.
sleep 10
sleep 15
fi
# generate the certs and grab a backup

2
domain_env.sh
View File

@ -2,7 +2,6 @@
set -e
# TODO, ensure VPS_HOSTING_TARGET is in range.
export NEXTCLOUD_FQDN="$NEXTCLOUD_HOSTNAME.$DOMAIN_NAME"
export BTCPAY_FQDN="$BTCPAY_HOSTNAME.$DOMAIN_NAME"
export BTCPAY_USER_FQDN="$BTCPAY_HOSTNAME_IN_CERT.$DOMAIN_NAME"
@ -14,7 +13,6 @@ export CERTIFICATE_EMAIL_ADDRESS="$ADMIN_ACCOUNT_USERNAME@$DOMAIN_NAME"
export REMOTE_NEXTCLOUD_PATH="$REMOTE_HOME/nextcloud"
export REMOTE_GITEA_PATH="$REMOTE_HOME/gitea"
export BTC_CHAIN="$BTC_CHAIN"
export WWW_INSTANCE_TYPE="$WWW_INSTANCE_TYPE"
export BTCPAY_ADDITIONAL_HOSTNAMES="$BTCPAY_ADDITIONAL_HOSTNAMES"
BACKUP_TIMESTAMP="$(date +"%Y-%m")"

8
install.sh
View File

@ -36,14 +36,6 @@ if ! snap list | grep -q lxd; then
sudo snap install lxd --candidate
fi
# TODO WORK ON GETTING RID OF THIS DEPENDENCY
if [ ! -f /usr/local/bin/docker-machine ]; then
# let's ensure docker-machine is available. This is only temporary though.
curl -L "https://github.com/docker/machine/releases/download/v0.16.2/docker-machine-$(uname -s)-$(uname -m)" >/tmp/docker-machine &&
chmod +x /tmp/docker-machine &&
sudo cp /tmp/docker-machine /usr/local/bin/docker-machine
fi
# make ss-deploy available to the user
if ! groups | grep -q docker; then
sudo groupadd docker