1
1

updates needed for self-hosting updates.

This commit is contained in:
Derek Smith 2022-06-22 13:42:51 -04:00
parent eb6c354922
commit 5e83204f59
Signed by: farscapian
GPG Key ID: 8F1CD799CCA516CC
5 changed files with 242 additions and 292 deletions

25
defaults.sh Normal file → Executable file
View File

@ -66,7 +66,8 @@ export NEXTCLOUD_MYSQL_ROOT_PASSWORD=
export GITEA_MYSQL_ROOT_PASSWORD= export GITEA_MYSQL_ROOT_PASSWORD=
export DUPLICITY_BACKUP_PASSPHRASE= export DUPLICITY_BACKUP_PASSPHRASE=
#opt-add-fireflyiii;opt-add-zammad #opt-add-fireflyiii;opt-add-zammad
export BTCPAYGEN_ADDITIONAL_FRAGMENTS="opt-save-storage;opt-add-btctransmuter;opt-add-configurator;"
export SSH_HOME="$HOME/.ssh" export SSH_HOME="$HOME/.ssh"
export VLAN_INTERFACE= export VLAN_INTERFACE=
export VM_NAME= export VM_NAME=
@ -77,9 +78,6 @@ export DOCKER_IMAGE_CACHE_FQDN="registry-1.docker.io"
export NEXTCLOUD_SPACE_GB=10 export NEXTCLOUD_SPACE_GB=10
DEV_LXD_REMOTE="$(lxc remote get-default)"
export DEV_LXD_REMOTE="$DEV_LXD_REMOTE"
# first of all, if there are uncommited changes, we quit. You better stash or commit! # first of all, if there are uncommited changes, we quit. You better stash or commit!
# Remote VPS instances are tagged with your current git HEAD so we know which code revision # Remote VPS instances are tagged with your current git HEAD so we know which code revision
# used when provisioning the VPS. # used when provisioning the VPS.
@ -101,15 +99,9 @@ ENABLE_NGINX_CACHING=true
# 2 ensure install.sh has been run by checking for tor, docker-machine, lxd, wait-for-it, etc. # 2 ensure install.sh has been run by checking for tor, docker-machine, lxd, wait-for-it, etc.
# 3 pretty much just run the install script if anything is awry # 3 pretty much just run the install script if anything is awry
# 4 maybe check to ensure all the CNAME and A+ records are there first so we can quit before machine creation. # 4 maybe check to ensure all the CNAME and A+ records are there first so we can quit before machine creation.
export SITE_PATH_HOME="$HOME/ss-sites"
SITE_PATH="$SITE_PATH_HOME/$DOMAIN_NAME"
mkdir -p "$SITE_PATH"
if [ ! -d "$SITE_PATH" ]; then
echo "ERROR: '$SITE_PATH' does not exist."
exit 1
fi
export SITE_PATH="$SITE_PATH" BTC_CHAIN=regtest
export BTC_CHAIN="$BTC_CHAIN" export BTC_CHAIN="$BTC_CHAIN"
DEFAULT_DB_IMAGE="mariadb:10.6.5" DEFAULT_DB_IMAGE="mariadb:10.6.5"
@ -125,6 +117,9 @@ export NEXTCLOUD_DB_IMAGE="$DEFAULT_DB_IMAGE"
export GITEA_IMAGE="gitea/gitea:latest" export GITEA_IMAGE="gitea/gitea:latest"
export GITEA_DB_IMAGE="$DEFAULT_DB_IMAGE" export GITEA_DB_IMAGE="$DEFAULT_DB_IMAGE"
export WWW_MAC_ADDRESS= export WWW_MAC_ADDRESS="aa:bb:cc:00:00:00"
export BTCPAY_MAC_ADDRESS= export BTCPAY_MAC_ADDRESS="aa:bb:cc:00:00:01"
export UMBREL_MAC_ADDRESS= export UMBREL_MAC_ADDRESS="aa:bb:cc:00:00:02"
export CLUSTERS_DIR="$HOME/ss-clusters"
export SITES_PATH="$HOME/ss-sites"

296
deploy.sh
View File

@ -16,18 +16,23 @@ check_dependencies () {
check_dependencies wait-for-it dig rsync sshfs lxc docker-machine duplicity check_dependencies wait-for-it dig rsync sshfs lxc docker-machine duplicity
# TODO remove dependency on Docker-machine. That's what we use to provision VM on 3rd party vendors. Looking for LXD endpoint. # TODO remove dependency on Docker-machine. That's what we use to provision VM on 3rd party vendors. Looking for LXD endpoint.
# let's check to ensure the management machine is on the Baseline ubuntu 21.04
if ! lsb_release -d | grep -q "Ubuntu 22.04 LTS"; then
echo "ERROR: Your machine is not running the Ubuntu 22.04 LTS baseline OS on your management machine."
exit 1
fi
MIGRATE_VPS=false MIGRATE_VPS=false
DOMAIN_NAME= DOMAIN_NAME=
VPS_HOSTING_TARGET=lxd VPS_HOSTING_TARGET=lxd
RUN_CERT_RENEWAL=true RUN_CERT_RENEWAL=true
USER_NO_BACKUP=false USER_NO_BACKUP=false
USER_RUN_RESTORE=false USER_RUN_RESTORE=false
BTC_CHAIN=regtest
UPDATE_BTCPAY=false UPDATE_BTCPAY=false
RECONFIGURE_BTCPAY_SERVER=false RECONFIGURE_BTCPAY_SERVER=false
DEPLOY_BTCPAY_SERVER=false DEPLOY_BTCPAY_SERVER=false
MACVLAN_INTERFACE= CURRENT_REMOTE="$(lxc remote get-default)"
LXD_DISK_TO_USE=
# grab any modifications from the command line. # grab any modifications from the command line.
for i in "$@"; do for i in "$@"; do
@ -62,18 +67,6 @@ for i in "$@"; do
RUN_CERT_RENEWAL=false RUN_CERT_RENEWAL=false
shift shift
;; ;;
--mainnet)
BTC_CHAIN=mainnet
shift
;;
--testnet)
BTC_CHAIN=testnet
shift
;;
--regtest)
BTC_CHAIN=regtest
shift
;;
--reconfigure-btcpay) --reconfigure-btcpay)
RECONFIGURE_BTCPAY_SERVER=true RECONFIGURE_BTCPAY_SERVER=true
shift shift
@ -85,26 +78,26 @@ for i in "$@"; do
done done
# set up our default paths. # set up our default paths.
export CLUSTERS_DIR="$HOME/ss-clusters" source ./defaults.sh
export CACHES_DIR="$HOME/ss-cache" export CACHES_DIR="$HOME/ss-cache"
export SSH_HOME="$HOME/.ssh" export SSH_HOME="$HOME/.ssh"
export DOMAIN_NAME="$DOMAIN_NAME" export DOMAIN_NAME="$DOMAIN_NAME"
export REGISTRY_DOCKER_IMAGE="registry:2" export REGISTRY_DOCKER_IMAGE="registry:2"
if [ "$VPS_HOSTING_TARGET" = lxd ]; then if [ "$VPS_HOSTING_TARGET" = aws ]; then
CURRENT_REMOTE="$(lxc remote get-default)"
elif [ "$VPS_HOSTING_TARGET" = aws ]; then
CURRENT_REMOTE="docker-machine" CURRENT_REMOTE="docker-machine"
fi fi
export LXD_REMOTE_PATH="$CLUSTERS_DIR/$CURRENT_REMOTE"
export CURRENT_REMOTE="$CURRENT_REMOTE" export CURRENT_REMOTE="$CURRENT_REMOTE"
export LXD_REMOTE_PATH="$CLUSTERS_DIR/$CURRENT_REMOTE"
# ensure our cluster path is created.
mkdir -p "$LXD_REMOTE_PATH"
# if an authorized_keys file does not exist, we'll stub one out with the current user. # if an authorized_keys file does not exist, we'll stub one out with the current user.
# add additional id_rsa.pub entries manually for more administrative logins. # add additional id_rsa.pub entries manually for more administrative logins.
if [ ! -f "$LXD_REMOTE_PATH/authorized_keys" ]; then if [ ! -f "$LXD_REMOTE_PATH/authorized_keys" ]; then
mkdir -p "u"
cat "$SSH_HOME/id_rsa.pub" >> "$LXD_REMOTE_PATH/authorized_keys" cat "$SSH_HOME/id_rsa.pub" >> "$LXD_REMOTE_PATH/authorized_keys"
echo "INFO: Sovereign Stack just stubbed out '$LXD_REMOTE_PATH/authorized_keys'. Go update it." echo "INFO: Sovereign Stack just stubbed out '$LXD_REMOTE_PATH/authorized_keys'. Go update it."
echo " Add ssh pubkeys for your various management machines, if any. We've stubbed it out" echo " Add ssh pubkeys for your various management machines, if any. We've stubbed it out"
@ -113,54 +106,16 @@ if [ ! -f "$LXD_REMOTE_PATH/authorized_keys" ]; then
fi fi
if [ "$VPS_HOSTING_TARGET" = lxd ]; then if [ "$VPS_HOSTING_TARGET" = lxd ]; then
mkdir -p "$CACHES_DIR" "$LXD_REMOTE_PATH" CLUSTER_DEFINITION="$LXD_REMOTE_PATH/cluster_definition"
CLUSTER_DEFINTION="$LXD_REMOTE_PATH/cluster_definition" export CLUSTER_DEFINITION="$CLUSTER_DEFINITION"
export CLUSTER_DEFINTION="$CLUSTER_DEFINTION"
if [ ! -f "$CLUSTER_DEFINTION" ]; then
# stub out a cluster_definition.
cat >"$CLUSTER_DEFINTION" <<EOL
#!/bin/bash
# Note: the path above ./ corresponds to your LXD Remote. If your remote is set to 'cluster1'
# Then $HOME/clusters/cluster1 will be your cluster working path.
# This is REQUIRED. A list of all sites in ~/sites/ that will be deployed.
# e.g., 'domain1.tld,domain2.tld,domain3.tld'
SITE_LIST="domain1.tld"
# REQUIRED - change the MACVLAN_INTERFACE to the host adapter that attaches to the SERVERS LAN segment/VLAN/subnet.
MACVLAN_INTERFACE="REQUIRED_CHANGE_ME"
LXD_DISK_TO_USE=""
# Deploy a registry cache on your management machine.
DEPLOY_REGISTRY=true
# only relevant
export REGISTRY_URL="http://\$HOSTNAME:5000"
export REGISTRY_USERNAME=<USERNAME TO DOCKERHUB.COM>
export REGISTRY_PASSWORD=<PASSWORD TO DOCKERHUB.COM>
export MACVLAN_INTERFACE="\$MACVLAN_INTERFACE"
export LXD_DISK_TO_USE="\$LXD_DISK_TO_USE"
export SITE_LIST="\$SITE_LIST"
EOL
chmod 0744 "$CLUSTER_DEFINTION"
echo "We stubbed out a '$CLUSTER_DEFINTION' file for you."
echo "Use this file to customize your cluster deployment;"
echo "Check out 'https://www.sovereign-stack.org/cluster-definition' for an example."
exit 1
fi
######################################### #########################################
if [ ! -f "$CLUSTER_DEFINTION" ]; then if [ ! -f "$CLUSTER_DEFINITION" ]; then
echo "ERROR: CLUSTER DEFINITION NOT PRESENT." echo "ERROR: The cluster defintion could not be found. You may need to re-run 'ss-cluster create'."
exit 1 exit 1
fi fi
source "$CLUSTER_DEFINTION" source "$CLUSTER_DEFINITION"
###########################3 ###########################3
# # This section is done to the management machine. We deploy a registry pull through cache on port 5000 # # This section is done to the management machine. We deploy a registry pull through cache on port 5000
@ -206,65 +161,184 @@ function new_pass {
function run_domain { function run_domain {
export VPS_HOSTING_TARGET="$VPS_HOSTING_TARGET" export VPS_HOSTING_TARGET="$VPS_HOSTING_TARGET"
export LXD_DISK_TO_USE="$LXD_DISK_TO_USE"
export RUN_CERT_RENEWAL="$RUN_CERT_RENEWAL" export RUN_CERT_RENEWAL="$RUN_CERT_RENEWAL"
export BTC_CHAIN="$BTC_CHAIN" export BTC_CHAIN="$BTC_CHAIN"
export UPDATE_BTCPAY="$UPDATE_BTCPAY" export UPDATE_BTCPAY="$UPDATE_BTCPAY"
export MIGRATE_VPS="$MIGRATE_VPS" export MIGRATE_VPS="$MIGRATE_VPS"
export RECONFIGURE_BTCPAY_SERVER="$RECONFIGURE_BTCPAY_SERVER" export RECONFIGURE_BTCPAY_SERVER="$RECONFIGURE_BTCPAY_SERVER"
export MACVLAN_INTERFACE="$MACVLAN_INTERFACE"
export LXD_DISK_TO_USE="$LXD_DISK_TO_USE"
source ./defaults.sh
# iterate over all our server endpoints and provision them if needed. # iterate over all our server endpoints and provision them if needed.
# www # www
VPS_HOSTNAME= VPS_HOSTNAME=
for APP_TO_DEPLOY in btcpay www umbrel; do for APP_TO_DEPLOY in www btcpay umbrel; do
FQDN= FQDN=
export APP_TO_DEPLOY="$APP_TO_DEPLOY"
# shellcheck disable=SC1091 # shellcheck disable=SC1091
source ./shared.sh source ./shared.sh
# skip this iteration if the site_definition says not to deploy btcpay server. if [ ! -f "$SITE_PATH/site_definition" ]; then
if [ "$APP_TO_DEPLOY" = btcpay ]; then echo "ERROR: Something went wrong. Your site_definition is missing."
VPS_HOSTNAME="$BTCPAY_HOSTNAME" exit 1
MAC_ADDRESS_TO_PROVISION="$BTCPAY_MAC_ADDRESS"
if [ "$DEPLOY_BTCPAY_SERVER" = false ]; then
continue
fi
fi fi
# skip if the server config is set to not deploy. source "$SITE_PATH/site_definition"
if [ "$APP_TO_DEPLOY" = www ]; then
VPS_HOSTNAME="$WWW_HOSTNAME"
MAC_ADDRESS_TO_PROVISION="$WWW_MAC_ADDRESS"
if [ "$DEPLOY_WWW_SERVER" = false ]; then
continue
fi
fi
# skip umbrel if
if [ "$APP_TO_DEPLOY" = umbrel ]; then
VPS_HOSTNAME="$UMBREL_HOSTNAME"
MAC_ADDRESS_TO_PROVISION="$UMBREL_MAC_ADDRESS"
if [ "$DEPLOY_UMBREL_VPS" = false ]; then
continue
fi
fi
# create the local packup path if it's not there! # create the local packup path if it's not there!
BACKUP_PATH_CREATED=false BACKUP_PATH_CREATED=false
export BACKUP_PATH_CREATED="$BACKUP_PATH_CREATED"
export MAC_ADDRESS_TO_PROVISION=
export VPS_HOSTNAME="$VPS_HOSTNAME"
export FQDN="$VPS_HOSTNAME.$DOMAIN_NAME"
export APP_TO_DEPLOY="$APP_TO_DEPLOY"
BACKUP_TIMESTAMP="$(date +"%Y-%m")"
UNIX_BACKUP_TIMESTAMP="$(date +%s)"
export REMOTE_BACKUP_PATH="$REMOTE_HOME/backups/$APP_TO_DEPLOY/$BACKUP_TIMESTAMP"
LOCAL_BACKUP_PATH="$SITE_PATH/backups/$APP_TO_DEPLOY/$BACKUP_TIMESTAMP"
export LOCAL_BACKUP_PATH="$LOCAL_BACKUP_PATH"
export BACKUP_TIMESTAMP="$BACKUP_TIMESTAMP"
export UNIX_BACKUP_TIMESTAMP="$UNIX_BACKUP_TIMESTAMP"
export REMOTE_CERT_DIR="$REMOTE_CERT_BASE_DIR/$FQDN"
if [ ! -d "$LOCAL_BACKUP_PATH" ]; then if [ ! -d "$LOCAL_BACKUP_PATH" ]; then
mkdir -p "$LOCAL_BACKUP_PATH" mkdir -p "$LOCAL_BACKUP_PATH"
BACKUP_PATH_CREATED=true BACKUP_PATH_CREATED=true
fi fi
export BACKUP_PATH_CREATED="$BACKUP_PATH_CREATED" DDNS_HOST=
export MAC_ADDRESS_TO_PROVISION="$MAC_ADDRESS_TO_PROVISION" if [ "$APP_TO_DEPLOY" = www ]; then
export VPS_HOSTNAME="$VPS_HOSTNAME" VPS_HOSTNAME="$WWW_HOSTNAME"
export FQDN="$VPS_HOSTNAME.$DOMAIN_NAME" MAC_ADDRESS_TO_PROVISION="$WWW_MAC_ADDRESS"
DDNS_HOST="$WWW_HOSTNAME"
ROOT_DISK_SIZE_GB="$((ROOT_DISK_SIZE_GB + NEXTCLOUD_SPACE_GB))"
if [ "$DEPLOY_WWW_SERVER" = false ]; then
continue
fi
elif [ "$APP_TO_DEPLOY" = btcpay ]; then
DDNS_HOST="$BTCPAY_HOSTNAME"
VPS_HOSTNAME="$BTCPAY_HOSTNAME"
MAC_ADDRESS_TO_PROVISION="$BTCPAY_MAC_ADDRESS"
if [ "$BTC_CHAIN" = mainnet ]; then
ROOT_DISK_SIZE_GB=150
elif [ "$BTC_CHAIN" = testnet ]; then
ROOT_DISK_SIZE_GB=40
fi
if [ "$DEPLOY_BTCPAY_SERVER" = false ]; then
continue
fi
elif [ "$APP_TO_DEPLOY" = umbrel ]; then
DDNS_HOST="$UMBREL_HOSTNAME"
VPS_HOSTNAME="$UMBREL_HOSTNAME"
MAC_ADDRESS_TO_PROVISION="$UMBREL_MAC_ADDRESS"
if [ "$BTC_CHAIN" = mainnet ]; then
ROOT_DISK_SIZE_GB=1000
elif [ "$BTC_CHAIN" = testnet ]; then
ROOT_DISK_SIZE_GB=70
fi
if [ "$DEPLOY_UMBREL_VPS" = false ]; then
continue
fi
elif [ "$APP_TO_DEPLOY" = certonly ]; then
DDNS_HOST="$WWW_HOSTNAME"
ROOT_DISK_SIZE_GB=8
else
echo "ERROR: APP_TO_DEPLOY not within allowable bounds."
exit
fi
export DDNS_HOST="$DDNS_HOST"
export FQDN="$DDNS_HOST.$DOMAIN_NAME"
export LXD_VM_NAME="${FQDN//./-}"
export REMOTE_BACKUP_PATH="$REMOTE_BACKUP_PATH"
# This next section of if statements is our sanity checking area.
if [ "$VPS_HOSTING_TARGET" = aws ]; then
# we require DDNS on AWS to set the public DNS to the right host.
if [ -z "$DDNS_PASSWORD" ]; then
echo "ERROR: Ensure DDNS_PASSWORD is configured in your site_definition."
exit 1
fi
fi
if [ "$DEPLOY_GHOST" = true ]; then
if [ -z "$GHOST_MYSQL_PASSWORD" ]; then
echo "ERROR: Ensure GHOST_MYSQL_PASSWORD is configured in your site_definition."
exit 1
fi
if [ -z "$GHOST_MYSQL_ROOT_PASSWORD" ]; then
echo "ERROR: Ensure GHOST_MYSQL_ROOT_PASSWORD is configured in your site_definition."
exit 1
fi
fi
if [ "$DEPLOY_GITEA" = true ]; then
if [ -z "$GITEA_MYSQL_PASSWORD" ]; then
echo "ERROR: Ensure GITEA_MYSQL_PASSWORD is configured in your site_definition."
exit 1
fi
if [ -z "$GITEA_MYSQL_ROOT_PASSWORD" ]; then
echo "ERROR: Ensure GITEA_MYSQL_ROOT_PASSWORD is configured in your site_definition."
exit 1
fi
fi
if [ "$DEPLOY_NEXTCLOUD" = true ]; then
if [ -z "$NEXTCLOUD_MYSQL_ROOT_PASSWORD" ]; then
echo "ERROR: Ensure NEXTCLOUD_MYSQL_ROOT_PASSWORD is configured in your site_definition."
exit 1
fi
if [ -z "$NEXTCLOUD_MYSQL_PASSWORD" ]; then
echo "ERROR: Ensure NEXTCLOUD_MYSQL_PASSWORD is configured in your site_definition."
exit 1
fi
fi
if [ "$DEPLOY_NOSTR" = true ]; then
if [ -z "$NOSTR_ACCOUNT_PUBKEY" ]; then
echo "ERROR: Ensure NOSTR_ACCOUNT_PUBKEY is configured in your site_definition."
exit 1
fi
if [ -z "$NOSTR_ACCOUNT_PUBKEY" ]; then
echo "ERROR: Ensure NOSTR_ACCOUNT_PUBKEY is configured in your site_definition."
exit 1
fi
fi
if [ -z "$DUPLICITY_BACKUP_PASSPHRASE" ]; then
echo "ERROR: Ensure DUPLICITY_BACKUP_PASSPHRASE is configured in your site_definition."
exit 1
fi
if [ -z "$DOMAIN_NAME" ]; then
echo "ERROR: Ensure DOMAIN_NAME is configured in your site_definition."
exit 1
fi
if [ -z "$DEPLOY_BTCPPAY_SERVER" ]; then
echo "ERROR: Ensure DEPLOY_BTCPPAY_SERVER is configured in your site_definition."
exit 1
fi
if [ -z "$DEPLOY_UMBREL_VPS" ]; then
echo "ERROR: Ensure DEPLOY_UMBREL_VPS is configured in your site_definition."
exit 1
fi
if [ -z "$NOSTR_ACCOUNT_PUBKEY" ]; then
echo "ERROR: You MUST specify a Nostr public key. This is how you get all your social features."
echo "INFO: Go to your site_definition file and set the NOSTR_ACCOUNT_PUBKEY variable."
exit 1
fi
# generate the docker yaml and nginx configs. # generate the docker yaml and nginx configs.
bash -c ./deployment/stub_docker_yml.sh bash -c ./deployment/stub_docker_yml.sh
@ -333,13 +407,13 @@ function run_domain {
} }
function stub_site_definition { function stub_site_definition {
source ./defaults.sh export SITE_PATH="$SITES_PATH/$DOMAIN_NAME"
mkdir -p "$SITE_PATH"
if [ -f "$SITE_PATH/site_definition" ]; then if [ -f "$SITE_PATH/site_definition" ]; then
source "$SITE_PATH/site_definition" source ./shared.sh
else else
# check to see if the enf file exists. exist if not. # check to see if the enf file exists. exist if not.
@ -362,8 +436,8 @@ export DUPLICITY_BACKUP_PASSPHRASE="$(new_pass)"
## WWW ## WWW
export DEPLOY_WWW_SERVER=true export DEPLOY_WWW_SERVER=true
# REQUIRED - CHANGE ME - RESERVE ME IN DHCP # see https://www.sovereign-stack.org/mac-addresses-for-new-type-vms/ for more info
export WWW_MAC_ADDRESS="CHANGE_ME" # export WWW_MAC_ADDRESS="CHANGE_ME"
# Deploy APPS to www # Deploy APPS to www
export DEPLOY_GHOST=true export DEPLOY_GHOST=true
@ -392,16 +466,16 @@ export GITEA_MYSQL_ROOT_PASSWORD="$(new_pass)"
## BTCPAY SERVER; if true, then a BTCPay server is deployed. ## BTCPAY SERVER; if true, then a BTCPay server is deployed.
export DEPLOY_BTCPAY_SERVER=false export DEPLOY_BTCPAY_SERVER=false
# REQUIRED if DEPLOY_BTCPAY_SERVER=true # https://www.sovereign-stack.org/mac-addresses-for-new-type-vms/
#export BTCPAY_MAC_ADDRESS="CHANGE_ME" #export BTCPAY_MAC_ADDRESS=""
## BTCPAY Server ## Deploy and Umbrel node?
export DEPLOY_UMBREL_VPS=false export DEPLOY_UMBREL_VPS=false
# REQUIRED if DEPLOY_UMBREL_VPS=true # REQUIRED if DEPLOY_UMBREL_VPS=true; https://www.sovereign-stack.org/mac-addresses-for-new-type-vms/
#export UMBREL_MAC_ADDRESS="CHANGE_ME" # export UMBREL_MAC_ADDRESS=""
# CHAIN to DEPLOY; valid are 'testnet' and 'mainnet' # CHAIN to DEPLOY; valid are 'regtest', 'testnet', and 'mainnet'
export BTC_CHAIN=regtest export BTC_CHAIN=regtest
# set to false to disable nginx caching; helps when making website updates. # set to false to disable nginx caching; helps when making website updates.
@ -418,10 +492,12 @@ EOL
} }
# let's iterate over the user-supplied domain list and provision each domain.
if [ "$VPS_HOSTING_TARGET" = lxd ]; then if [ "$VPS_HOSTING_TARGET" = lxd ]; then
# iterate through our site list as provided by operator from cluster_definition # iterate through our site list as provided by operator from cluster_definition
for i in ${SITE_LIST//,/ }; do for i in ${SITE_LIST//,/ }; do
export DOMAIN_NAME="$i" export DOMAIN_NAME="$i"
export SITE_PATH=""
stub_site_definition stub_site_definition

View File

@ -4,6 +4,8 @@ set -eux
cd "$(dirname "$0")" cd "$(dirname "$0")"
# let's make sure we have an ssh keypair. We just use ~/.ssh/id_rsa # let's make sure we have an ssh keypair. We just use ~/.ssh/id_rsa
# TODO convert this to SSH private key held on Trezor. THus trezor-T required for
# login operations. This should be configurable of course.
if [ ! -f "$SSH_HOME/id_rsa" ]; then if [ ! -f "$SSH_HOME/id_rsa" ]; then
# generate a new SSH key for the base vm image. # generate a new SSH key for the base vm image.
ssh-keygen -f "$SSH_HOME/id_rsa" -t ecdsa -b 521 -N "" ssh-keygen -f "$SSH_HOME/id_rsa" -t ecdsa -b 521 -N ""
@ -24,6 +26,23 @@ EOF
fi fi
function prepare_host {
# scan the remote machine and install it's identity in our SSH known_hosts file.
ssh-keyscan -H -t ecdsa "$FQDN" >> "$SSH_HOME/known_hosts"
# create a directory to store backup archives. This is on all new vms.
ssh "$FQDN" mkdir -p "$REMOTE_HOME/backups"
if [ "$APP_TO_DEPLOY" = btcpay ]; then
echo "INFO: new machine detected. Provisioning BTCPay server scripts."
./btcpayserver/run_setup.sh
exit
fi
}
# when set to true, this flag indicates that a new VPS was created during THIS script run. # when set to true, this flag indicates that a new VPS was created during THIS script run.
if [ "$VPS_HOSTING_TARGET" = aws ]; then if [ "$VPS_HOSTING_TARGET" = aws ]; then
# let's create the remote VPS if needed. # let's create the remote VPS if needed.
@ -32,7 +51,7 @@ if [ "$VPS_HOSTING_TARGET" = aws ]; then
./provision_vps.sh ./provision_vps.sh
./prepare_vps_host.sh prepare_host
fi fi
elif [ "$VPS_HOSTING_TARGET" = lxd ]; then elif [ "$VPS_HOSTING_TARGET" = lxd ]; then
ssh-keygen -f "$SSH_HOME/known_hosts" -R "$FQDN" ssh-keygen -f "$SSH_HOME/known_hosts" -R "$FQDN"
@ -51,8 +70,7 @@ elif [ "$VPS_HOSTING_TARGET" = lxd ]; then
./provision_lxc.sh ./provision_lxc.sh
fi fi
# prepare the VPS to support our applications and backups and stuff. prepare_host
./prepare_vps_host.sh
fi fi
# if the local docker client isn't logged in, do so; # if the local docker client isn't logged in, do so;
@ -64,12 +82,11 @@ fi
# this tells our local docker client to target the remote endpoint via SSH # this tells our local docker client to target the remote endpoint via SSH
export DOCKER_HOST="ssh://ubuntu@$FQDN" export DOCKER_HOST="ssh://ubuntu@$FQDN"
# the following scripts take responsibility for the rest of the provisioning depending on the app you're deploying. # the following scripts take responsibility for the rest of the provisioning depending on the app you're deploying.
if [ "$APP_TO_DEPLOY" = www ]; then if [ "$APP_TO_DEPLOY" = www ]; then
./go_www.sh ./go_www.sh
elif [ "$APP_TO_DEPLOY" = btcpay ]; then elif [ "$APP_TO_DEPLOY" = btcpay ]; then
./go_btcpay.sh ./btcpayserver/go.sh
elif [ "$APP_TO_DEPLOY" = umbrel ]; then elif [ "$APP_TO_DEPLOY" = umbrel ]; then
./go_umbrel.sh ./go_umbrel.sh
elif [ "$APP_TO_DEPLOY" = certonly ]; then elif [ "$APP_TO_DEPLOY" = certonly ]; then
@ -85,4 +102,4 @@ else
exit exit
fi fi
echo "Successfull deployed '$DOMAIN_NAME' with git commit '$(cat ./.git/refs/heads/master)' VPS_HOSTING_TARGET=$VPS_HOSTING_TARGET;" >> "$SITE_PATH/debug.log" echo "Successfull deployed '$DOMAIN_NAME' with git commit '$(cat ./.git/refs/heads/master)' VPS_HOSTING_TARGET=$VPS_HOSTING_TARGET;"

View File

@ -30,21 +30,24 @@ config:
- git - git
- nano - nano
- wait-for-it - wait-for-it
- dnsutils
- wget
groups: groups:
- docker - docker
users: users:
- name: ubuntu - name: ubuntu
groups: docker
shell: /bin/bash shell: /bin/bash
lock_passwd: false lock_passwd: false
groups: sudo: ALL=(ALL) NOPASSWD:ALL
- docker
sudo:
- ALL=(ALL) NOPASSWD:ALL
ssh_authorized_keys: ssh_authorized_keys:
- ${SSH_AUTHORIZED_KEY} - ${SSH_AUTHORIZED_KEY}
write_files: write_files:
- path: ${REMOTE_HOME}/docker.asc - path: ${REMOTE_HOME}/docker.asc
content: | content: |
@ -113,32 +116,31 @@ config:
- path: /etc/ssh/ssh_config - path: /etc/ssh/ssh_config
content: | content: |
Port 22 Port 22
ListenAddress 0.0.0.0 ListenAddress 0.0.0.0
Protocol 2 Protocol 2
ChallengeResponseAuthentication no ChallengeResponseAuthentication no
PasswordAuthentication no PasswordAuthentication no
UsePAM no UsePAM no
LogLevel INFO LogLevel INFO
- path: /etc/docker/daemon.json - path: /etc/docker/daemon.json
content: | content: |
{ {
"registry-mirrors": [ "registry-mirrors": [
"${REGISTRY_URL}" "${REGISTRY_URL}"
] ]
} }
runcmd: runcmd:
- cat ${REMOTE_HOME}/docker.asc | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg - cat ${REMOTE_HOME}/docker.asc | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
- sudo rm ${REMOTE_HOME}/docker.asc - sudo rm ${REMOTE_HOME}/docker.asc
- echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list - echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list
- sudo apt-get remove docker docker.io containerd runc
- sudo apt-get update - sudo apt-get update
- sudo apt-get install -y docker-ce docker-ce-cli containerd.io - sudo apt-get install -y docker-ce docker-ce-cli containerd.io
- echo "alias ll='ls -lah'" >> ${REMOTE_HOME}/.bash_profile - echo "alias ll='ls -lah'" >> ${REMOTE_HOME}/.bash_profile
- sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose - sudo curl -s -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
- sudo chmod +x /usr/local/bin/docker-compose - sudo chmod +x /usr/local/bin/docker-compose
- sudo apt-get install -y openssh-server - sudo apt-get install -y openssh-server
@ -146,13 +148,8 @@ description: Default LXD profile for ${DOMAIN_NAME}
devices: devices:
root: root:
path: / path: /
pool: default pool: sovereign-stack
type: disk type: disk
config: config:
source: cloud-init:config source: cloud-init:config
type: disk type: disk
enp5s0:
nictype: macvlan
parent: ${MACVLAN_INTERFACE}
type: nic
name: ${LXD_VM_NAME}

139
shared.sh
View File

@ -16,23 +16,7 @@ fi
DOCKER_YAML_PATH="$SITE_PATH/appstack.yml" DOCKER_YAML_PATH="$SITE_PATH/appstack.yml"
export DOCKER_YAML_PATH="$DOCKER_YAML_PATH" export DOCKER_YAML_PATH="$DOCKER_YAML_PATH"
# TODO add file existence check
if [ ! -f "$SITE_PATH/site_definition" ]; then
echo "ERROR: site_definition does not exist."
exit 1
fi
# shellcheck disable=SC1090
source "$SITE_PATH/site_definition"
export REMOTE_HOME="/home/ubuntu" export REMOTE_HOME="/home/ubuntu"
BACKUP_TIMESTAMP="$(date +"%Y-%m")"
UNIX_BACKUP_TIMESTAMP="$(date +%s)"
export BACKUP_TIMESTAMP="$BACKUP_TIMESTAMP"
export UNIX_BACKUP_TIMESTAMP="$UNIX_BACKUP_TIMESTAMP"
REMOTE_BACKUP_PATH="$REMOTE_HOME/backups/$APP_TO_DEPLOY/$BACKUP_TIMESTAMP"
LOCAL_BACKUP_PATH="$SITE_PATH/backups/$APP_TO_DEPLOY/$BACKUP_TIMESTAMP"
export LOCAL_BACKUP_PATH="$LOCAL_BACKUP_PATH"
mkdir -p "$SSHFS_PATH" mkdir -p "$SSHFS_PATH"
@ -50,7 +34,7 @@ export NOSTR_FQDN="$NOSTR_HOSTNAME.$DOMAIN_NAME"
export ADMIN_ACCOUNT_USERNAME="info" export ADMIN_ACCOUNT_USERNAME="info"
export CERTIFICATE_EMAIL_ADDRESS="$ADMIN_ACCOUNT_USERNAME@$DOMAIN_NAME" export CERTIFICATE_EMAIL_ADDRESS="$ADMIN_ACCOUNT_USERNAME@$DOMAIN_NAME"
export REMOTE_CERT_BASE_DIR="$REMOTE_HOME/.certs" export REMOTE_CERT_BASE_DIR="$REMOTE_HOME/.certs"
export REMOTE_CERT_DIR="$REMOTE_CERT_BASE_DIR/$FQDN"
export VM_NAME="sovereign-stack-base" export VM_NAME="sovereign-stack-base"
export REMOTE_NEXTCLOUD_PATH="$REMOTE_HOME/nextcloud" export REMOTE_NEXTCLOUD_PATH="$REMOTE_HOME/nextcloud"
@ -59,129 +43,10 @@ export REMOTE_GITEA_PATH="$REMOTE_HOME/gitea"
# this space is for OS, docker images, etc. DOES NOT INCLUDE USER DATA. # this space is for OS, docker images, etc. DOES NOT INCLUDE USER DATA.
export ROOT_DISK_SIZE_GB=20 export ROOT_DISK_SIZE_GB=20
DDNS_HOST=
if [ "$APP_TO_DEPLOY" = www ]; then
DDNS_HOST="$WWW_HOSTNAME"
ROOT_DISK_SIZE_GB=$((ROOT_DISK_SIZE_GB + NEXTCLOUD_SPACE_GB))
elif [ "$APP_TO_DEPLOY" = btcpay ]; then
DDNS_HOST="$BTCPAY_HOSTNAME"
if [ "$BTC_CHAIN" = mainnet ]; then
ROOT_DISK_SIZE_GB=150
elif [ "$BTC_CHAIN" = testnet ]; then
ROOT_DISK_SIZE_GB=40
fi
elif [ "$APP_TO_DEPLOY" = umbrel ]; then
DDNS_HOST="$UMBREL_HOSTNAME"
if [ "$BTC_CHAIN" = mainnet ]; then
ROOT_DISK_SIZE_GB=1000
elif [ "$BTC_CHAIN" = testnet ]; then
ROOT_DISK_SIZE_GB=70
fi
elif [ "$APP_TO_DEPLOY" = certonly ]; then
DDNS_HOST="$WWW_HOSTNAME"
ROOT_DISK_SIZE_GB=8
else
echo "ERROR: APP_TO_DEPLOY not within allowable bounds."
exit
fi
# we use this in other subshells.
export APP_TO_DEPLOY="$APP_TO_DEPLOY"
export DDNS_HOST="$DDNS_HOST"
export FQDN="$DDNS_HOST.$DOMAIN_NAME"
export LXD_VM_NAME="${FQDN//./-}"
export BTC_CHAIN="$BTC_CHAIN" export BTC_CHAIN="$BTC_CHAIN"
export ROOT_DISK_SIZE_GB=$ROOT_DISK_SIZE_GB export ROOT_DISK_SIZE_GB=$ROOT_DISK_SIZE_GB
export WWW_INSTANCE_TYPE="$WWW_INSTANCE_TYPE" export WWW_INSTANCE_TYPE="$WWW_INSTANCE_TYPE"
export REMOTE_BACKUP_PATH="$REMOTE_BACKUP_PATH"
export BTCPAY_ADDITIONAL_HOSTNAMES="$BTCPAY_ADDITIONAL_HOSTNAMES" export BTCPAY_ADDITIONAL_HOSTNAMES="$BTCPAY_ADDITIONAL_HOSTNAMES"
if [ "$VPS_HOSTING_TARGET" = lxd ]; then
# check to ensure the admin has specified a MACVLAN interface
if [ -z "$MACVLAN_INTERFACE" ]; then
echo "ERROR: MACVLAN_INTERFACE not defined in project."
exit 1
fi
elif [ "$VPS_HOSTING_TARGET" = aws ]; then
# we require DDNS on AWS to set the public DNS to the right host.
if [ -z "$DDNS_PASSWORD" ]; then
echo "ERROR: Ensure DDNS_PASSWORD is configured in your site_definition."
exit 1
fi
fi
if [ "$DEPLOY_GHOST" = true ]; then
if [ -z "$GHOST_MYSQL_PASSWORD" ]; then
echo "ERROR: Ensure GHOST_MYSQL_PASSWORD is configured in your site_definition."
exit 1
fi
if [ -z "$GHOST_MYSQL_ROOT_PASSWORD" ]; then
echo "ERROR: Ensure GHOST_MYSQL_ROOT_PASSWORD is configured in your site_definition."
exit 1
fi
fi
if [ "$DEPLOY_GITEA" = true ]; then
if [ -z "$GITEA_MYSQL_PASSWORD" ]; then
echo "ERROR: Ensure GITEA_MYSQL_PASSWORD is configured in your site_definition."
exit 1
fi
if [ -z "$GITEA_MYSQL_ROOT_PASSWORD" ]; then
echo "ERROR: Ensure GITEA_MYSQL_ROOT_PASSWORD is configured in your site_definition."
exit 1
fi
fi
if [ "$DEPLOY_NEXTCLOUD" = true ]; then
if [ -z "$NEXTCLOUD_MYSQL_ROOT_PASSWORD" ]; then
echo "ERROR: Ensure NEXTCLOUD_MYSQL_ROOT_PASSWORD is configured in your site_definition."
exit 1
fi
if [ -z "$NEXTCLOUD_MYSQL_PASSWORD" ]; then
echo "ERROR: Ensure NEXTCLOUD_MYSQL_PASSWORD is configured in your site_definition."
exit 1
fi
fi
if [ "$DEPLOY_NOSTR" = true ]; then
if [ -z "$NOSTR_ACCOUNT_PUBKEY" ]; then
echo "ERROR: Ensure NOSTR_ACCOUNT_PUBKEY is configured in your site_definition."
exit 1
fi
if [ -z "$NOSTR_ACCOUNT_PUBKEY" ]; then
echo "ERROR: Ensure NOSTR_ACCOUNT_PUBKEY is configured in your site_definition."
exit 1
fi
fi
if [ -z "$DUPLICITY_BACKUP_PASSPHRASE" ]; then
echo "ERROR: Ensure DUPLICITY_BACKUP_PASSPHRASE is configured in your site_definition."
exit 1
fi
if [ -z "$DOMAIN_NAME" ]; then
echo "ERROR: Ensure DOMAIN_NAME is configured in your site_definition."
exit 1
fi
if [ -z "$DEPLOY_BTCPPAY_SERVER" ]; then
echo "ERROR: Ensure DEPLOY_BTCPPAY_SERVER is configured in your site_definition."
exit 1
fi
if [ -z "$DEPLOY_UMBREL_VPS" ]; then
echo "ERROR: Ensure DEPLOY_UMBREL_VPS is configured in your site_definition."
exit 1
fi
if [ -z "$NOSTR_ACCOUNT_PUBKEY" ]; then
echo "ERROR: You MUST specify a Nostr public key. This is how you get all your social features."
echo "INFO: Go to your site_definition file and set the NOSTR_ACCOUNT_PUBKEY variable."
exit 1
fi