ss/sovereign-stack
ss/sovereign-stack
1
1
Fork 1
Code Releases Activity

More work on self-hosting + projects.

Browse Source
This commit is contained in:
Derek Smith 2022-09-09 14:00:07 -04:00
parent 07c1c13bba
commit 8d0af43339
Signed by: farscapian
GPG Key ID: 8F1CD799CCA516CC
15 changed files with 720 additions and 647 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
cluster.sh
View File

@ -35,16 +35,14 @@ if [ "$COMMAND" = create ]; then
cat >"$CLUSTER_DEFINITION" <<EOL
#!/bin/bash
# Note: the path above ./ corresponds to your LXD Remote. If your remote is set to 'cluster1'
# Then $HOME/ss-clusters/cluster1 will be your cluster working path.
# see https://www.sovereign-stack.org/cluster_definition for more info!
export LXD_CLUSTER_PASSWORD="$(gpg --gen-random --armor 1 14)"
export PROJECT_NAME="[public|private1|private2]"
# only relevant
export SOVEREIGN_STACK_MAC_ADDRESS="CHANGE_ME_REQUIRED"
export PROJECT_NAME="$CLUSTER_NAME-public"
export REGISTRY_URL="http://$(hostname).$(resolvectl status | grep 'DNS Domain:' | awk '{ print $3 }'):5000"
export REGISTRY_USERNAME=""
export REGISTRY_PASSWORD=""
export REGISTRY_USERNAME="CHANGE_ME"
export REGISTRY_PASSWORD="CHANGE_ME"
EOL
@ -89,29 +87,29 @@ EOL
esac
done
if [ -z "$DATA_PLANE_MACVLAN_INTERFACE" ]; then
echo "INFO: It looks like you didn't provide input on the command line for the data plane macvlan interface."
echo " We need to know which interface that is! Enter it here now."
echo ""
# if [ -z "$DATA_PLANE_MACVLAN_INTERFACE" ]; then
# echo "INFO: It looks like you didn't provide input on the command line for the data plane macvlan interface."
# echo " We need to know which interface that is! Enter it here now."
# echo ""
ssh "ubuntu@$FQDN" ip link
# ssh "ubuntu@$FQDN" ip link
echo "Please enter the network interface that's dedicated to the Sovereign Stack data plane: "
read -r DATA_PLANE_MACVLAN_INTERFACE
# echo "Please enter the network interface that's dedicated to the Sovereign Stack data plane: "
# read -r DATA_PLANE_MACVLAN_INTERFACE
fi
# fi
if [ -z "$DISK_TO_USE" ]; then
echo "INFO: It looks like the DISK_TO_USE has not been set. Enter it now."
echo ""
# if [ -z "$DISK_TO_USE" ]; then
# echo "INFO: It looks like the DISK_TO_USE has not been set. Enter it now."
# echo ""
ssh "ubuntu@$FQDN" lsblk
# ssh "ubuntu@$FQDN" lsblk
USER_DISK=
echo "Please enter the disk or partition that Sovereign Stack will use to store data (default: loop): "
read -r USER_DISK
# USER_DISK=
# echo "Please enter the disk or partition that Sovereign Stack will use to store data (default: loop): "
# read -r USER_DISK
fi
# fi
else
echo "ERROR: the cluster already exists! You need to go delete your lxd remote if you want to re-create your cluster."

16
defaults.sh
View File

@ -14,7 +14,7 @@ export DEPLOY_GITEA=false
export WWW_HOSTNAME="www"
export BTCPAY_HOSTNAME="btcpay"
export BTCPAY_HOSTNAME_IN_CERT="pay"
export BTCPAY_HOSTNAME_IN_CERT="tip"
export NEXTCLOUD_HOSTNAME="nextcloud"
export GITEA_HOSTNAME="git"
export NOSTR_HOSTNAME="relay"
@ -82,8 +82,8 @@ export NEXTCLOUD_SPACE_GB=10
# first of all, if there are uncommited changes, we quit. You better stash or commit!
# Remote VPS instances are tagged with your current git HEAD so we know which code revision
# used when provisioning the VPS.
LATEST_GIT_COMMIT="$(cat ./.git/refs/heads/master)"
export LATEST_GIT_COMMIT="$LATEST_GIT_COMMIT"
#LATEST_GIT_COMMIT="$(cat ./.git/refs/heads/master)"
#export LATEST_GIT_COMMIT="$LATEST_GIT_COMMIT"
# check if there are any uncommited changes. It's dangerous to instantiate VMs using
# code that hasn't been committed.
@ -109,18 +109,18 @@ DEFAULT_DB_IMAGE="mariadb:10.8.3-jammy"
export ENABLE_NGINX_CACHING="$ENABLE_NGINX_CACHING"
# run the docker stack.
export GHOST_IMAGE="ghost:5.9.4"
export GHOST_IMAGE="ghost:5.12.3"
export GHOST_DB_IMAGE="$DEFAULT_DB_IMAGE"
export NGINX_IMAGE="nginx:1.23.1"
export NEXTCLOUD_IMAGE="nextcloud:24.0.3"
export NEXTCLOUD_IMAGE="nextcloud:24.0.4"
export NEXTCLOUD_DB_IMAGE="$DEFAULT_DB_IMAGE"
export GITEA_IMAGE="gitea/gitea:latest"
export GITEA_DB_IMAGE="$DEFAULT_DB_IMAGE"
export SOVEREIGN_STACK_MAC_ADDRESS=
export WWW_MAC_ADDRESS=
export BTCPAY_MAC_ADDRESS=
export WWW_SERVER_MAC_ADDRESS=
export BTCPAYSERVER_MAC_ADDRESS=
export CLUSTERS_DIR="$HOME/ss-clusters"
export PROJECTS_DIR="$HOME/ss-projects"
@ -132,7 +132,7 @@ export BASE_LXC_IMAGE="ubuntu/22.04/cloud"
# Deploy a registry cache on your management machine.
export DEPLOY_MGMT_REGISTRY=true
export OTHER_SITES_LIST=
export REMOTE_HOME="/home/ubuntu"

211
deploy.sh
View File

@ -128,6 +128,7 @@ export RESTORE_BTCPAY="$RESTORE_BTCPAY"
export BACKUP_BTCPAY="$RESTORE_BTCPAY"
export MIGRATE_WWW="$MIGRATE_WWW"
export MIGRATE_BTCPAY="$MIGRATE_BTCPAY"
export RUN_CERT_RENEWAL="$RUN_CERT_RENEWAL"
if [ "$VPS_HOSTING_TARGET" = aws ]; then
@ -150,8 +151,8 @@ mkdir -p "$CLUSTER_PATH"
if [ ! -f "$CLUSTER_PATH/authorized_keys" ]; then
cat "$SSH_HOME/id_rsa.pub" >> "$CLUSTER_PATH/authorized_keys"
echo "INFO: Sovereign Stack just stubbed out '$CLUSTER_PATH/authorized_keys'. Go update it."
echo " Add ssh pubkeys for your various management machines, if any. We've stubbed it out"
echo " with your ssh pubkey at '$HOME/.ssh/id_rsa.pub'."
echo " Add ssh pubkeys for your various management machines, if any."
echo " By default we added your main ssh pubkey: '$HOME/.ssh/id_rsa.pub'."
exit 1
fi
@ -214,7 +215,6 @@ function new_pass {
function instantiate_vms {
export VPS_HOSTING_TARGET="$VPS_HOSTING_TARGET"
export RUN_CERT_RENEWAL="$RUN_CERT_RENEWAL"
export BTC_CHAIN="$BTC_CHAIN"
export UPDATE_BTCPAY="$UPDATE_BTCPAY"
export RECONFIGURE_BTCPAY_SERVER="$RECONFIGURE_BTCPAY_SERVER"
@ -227,12 +227,9 @@ function instantiate_vms {
FQDN=
export SITE_PATH="$SITES_PATH/$DOMAIN_NAME"
if [ ! -f "$SITE_PATH/site_definition" ]; then
echo "ERROR: Something went wrong. Your site_definition is missing."
exit 1
fi
source "$SITE_PATH/site_definition"
source ./domain_env.sh
# VALIDATE THE INPUT from the ENVFILE
if [ -z "$DOMAIN_NAME" ]; then
@ -240,34 +237,10 @@ function instantiate_vms {
exit 1
fi
# TODO, ensure VPS_HOSTING_TARGET is in range.
export NEXTCLOUD_FQDN="$NEXTCLOUD_HOSTNAME.$DOMAIN_NAME"
export BTCPAY_FQDN="$BTCPAY_HOSTNAME.$DOMAIN_NAME"
export BTCPAY_USER_FQDN="$BTCPAY_HOSTNAME_IN_CERT.$DOMAIN_NAME"
export WWW_FQDN="$WWW_HOSTNAME.$DOMAIN_NAME"
export GITEA_FQDN="$GITEA_HOSTNAME.$DOMAIN_NAME"
export NOSTR_FQDN="$NOSTR_HOSTNAME.$DOMAIN_NAME"
export ADMIN_ACCOUNT_USERNAME="info"
export CERTIFICATE_EMAIL_ADDRESS="$ADMIN_ACCOUNT_USERNAME@$DOMAIN_NAME"
export REMOTE_NEXTCLOUD_PATH="$REMOTE_HOME/nextcloud"
export REMOTE_GITEA_PATH="$REMOTE_HOME/gitea"
export BTC_CHAIN="$BTC_CHAIN"
export WWW_INSTANCE_TYPE="$WWW_INSTANCE_TYPE"
export BTCPAY_ADDITIONAL_HOSTNAMES="$BTCPAY_ADDITIONAL_HOSTNAMES"
# ensure the
if [ ! -f "$PROJECT_PATH/project_definition" ]; then
echo "ERROR: Your project_definition is not set."
exit 1
fi
source "$PROJECT_PATH/project_definition"
if [ "$VPS_HOSTING_TARGET" = lxd ]; then
# first let's get the DISK_TO_USE and DATA_PLANE_MACVLAN_INTERFACE from the ss-config
# which is set up during LXD cluster creation ss-cluster.
LXD_SS_CONFIG_LINE="$(lxc network list --format csv | grep ss-config)"
LXD_SS_CONFIG_LINE="$(lxc network list --format csv | grep lxdbrSS | grep ss-config)"
CONFIG_ITEMS="$(echo "$LXD_SS_CONFIG_LINE" | awk -F'"' '{print $2}')"
DATA_PLANE_MACVLAN_INTERFACE="$(echo "$CONFIG_ITEMS" | cut -d ',' -f2)"
DISK_TO_USE="$(echo "$CONFIG_ITEMS" | cut -d ',' -f3)"
@ -286,29 +259,13 @@ function instantiate_vms {
export MAC_ADDRESS_TO_PROVISION=
export VPS_HOSTNAME="$VPS_HOSTNAME"
export FQDN="$VPS_HOSTNAME.$DOMAIN_NAME"
export VIRTUAL_MACHINE="$VIRTUAL_MACHINE"
BACKUP_TIMESTAMP="$(date +"%Y-%m")"
UNIX_BACKUP_TIMESTAMP="$(date +%s)"
export REMOTE_BACKUP_PATH="$REMOTE_HOME/backups/$VIRTUAL_MACHINE/$BACKUP_TIMESTAMP"
LOCAL_BACKUP_PATH="$SITE_PATH/backups/$VIRTUAL_MACHINE/$BACKUP_TIMESTAMP"
export LOCAL_BACKUP_PATH="$LOCAL_BACKUP_PATH"
export BACKUP_TIMESTAMP="$BACKUP_TIMESTAMP"
export UNIX_BACKUP_TIMESTAMP="$UNIX_BACKUP_TIMESTAMP"
export REMOTE_CERT_DIR="$REMOTE_CERT_BASE_DIR/$FQDN"
# ensure the admin has set the MAC address for the base image.
if [ -z "$SOVEREIGN_STACK_MAC_ADDRESS" ]; then
echo "ERROR: SOVEREIGN_STACK_MAC_ADDRESS is undefined. Check your project definition."
exit 1
fi
if [ ! -d "$LOCAL_BACKUP_PATH" ]; then
mkdir -p "$LOCAL_BACKUP_PATH"
BACKUP_PATH_CREATED=true
fi
DDNS_HOST=
MIGRATE_VPS=false
if [ "$VIRTUAL_MACHINE" = www ]; then
@ -317,7 +274,7 @@ function instantiate_vms {
fi
VPS_HOSTNAME="$WWW_HOSTNAME"
MAC_ADDRESS_TO_PROVISION="$WWW_MAC_ADDRESS"
MAC_ADDRESS_TO_PROVISION="$WWW_SERVER_MAC_ADDRESS"
DDNS_HOST="$WWW_HOSTNAME"
ROOT_DISK_SIZE_GB="$((ROOT_DISK_SIZE_GB + NEXTCLOUD_SPACE_GB))"
if [ "$MIGRATE_WWW" = true ]; then
@ -330,7 +287,7 @@ function instantiate_vms {
DDNS_HOST="$BTCPAY_HOSTNAME"
VPS_HOSTNAME="$BTCPAY_HOSTNAME"
MAC_ADDRESS_TO_PROVISION="$BTCPAY_MAC_ADDRESS"
MAC_ADDRESS_TO_PROVISION="$BTCPAYSERVER_MAC_ADDRESS"
if [ "$BTC_CHAIN" = mainnet ]; then
ROOT_DISK_SIZE_GB=150
elif [ "$BTC_CHAIN" = testnet ]; then
@ -352,8 +309,25 @@ function instantiate_vms {
export DDNS_HOST="$DDNS_HOST"
export FQDN="$DDNS_HOST.$DOMAIN_NAME"
export LXD_VM_NAME="${FQDN//./-}"
#${PROJECT_NAME//./-}-
BACKUP_TIMESTAMP="$(date +"%Y-%m")"
UNIX_BACKUP_TIMESTAMP="$(date +%s)"
export VIRTUAL_MACHINE="$VIRTUAL_MACHINE"
export REMOTE_BACKUP_PATH="$REMOTE_HOME/backups/$VIRTUAL_MACHINE"
export BACKUP_TIMESTAMP="$BACKUP_TIMESTAMP"
export UNIX_BACKUP_TIMESTAMP="$UNIX_BACKUP_TIMESTAMP"
export REMOTE_CERT_DIR="$REMOTE_CERT_BASE_DIR/$FQDN"
export REMOTE_BACKUP_PATH="$REMOTE_BACKUP_PATH"
export MAC_ADDRESS_TO_PROVISION="$MAC_ADDRESS_TO_PROVISION"
LOCAL_BACKUP_PATH="$SITE_PATH/backups/$VIRTUAL_MACHINE/$BACKUP_TIMESTAMP"
export LOCAL_BACKUP_PATH="$LOCAL_BACKUP_PATH"
if [ ! -d "$LOCAL_BACKUP_PATH" ]; then
mkdir -p "$LOCAL_BACKUP_PATH"
BACKUP_PATH_CREATED=true
fi
# This next section of if statements is our sanity checking area.
if [ "$VPS_HOSTING_TARGET" = aws ]; then
@ -383,7 +357,8 @@ function instantiate_vms {
fi
# get a backup of the machine. This is what we restore to the new VPS.
echo "INFO: Machine exists. Since we're going to delete it, let's grab a backup. We don't need to restore services since we're deleting it."
echo "INFO: Machine exists. Since we're going to delete it, let's grab a backup. "
echo " We don't need to restore services since we're deleting it."
./deployment/deploy_vms.sh
# delete the remote VPS.
@ -411,7 +386,8 @@ function instantiate_vms {
fi
else
if [ "$MIGRATE_VPS" = true ]; then
echo "INFO: User has indicated to delete the machine, but it doesn't exist. Going to create it anyway."
echo "INFO: User has indicated to delete the machine, but it doesn't exist."
echo " Going to create it anyway."
fi
# The machine does not exist. Let's bring it into existence, restoring from latest backup.
@ -419,40 +395,24 @@ function instantiate_vms {
./deployment/deploy_vms.sh
fi
# if the local docker client isn't logged in, do so;
# this helps prevent docker pull errors since they throttle.
if [ ! -f "$HOME/.docker/config.json" ]; then
echo "$REGISTRY_PASSWORD" | docker login --username "$REGISTRY_USERNAME" --password-stdin
fi
# this tells our local docker client to target the remote endpoint via SSH
export DOCKER_HOST="ssh://ubuntu@$PRIMARY_WWW_FQDN"
# enable docker swarm mode so we can support docker stacks.
if docker info | grep -q "Swarm: inactive"; then
docker swarm init --advertise-addr enp6s0
fi
done
}
function run_domain {
# if the local docker client isn't logged in, do so;
# this helps prevent docker pull errors since they throttle.
if [ ! -f "$HOME/.docker/config.json" ]; then
echo "$REGISTRY_PASSWORD" | docker login --username "$REGISTRY_USERNAME" --password-stdin
fi
# this tells our local docker client to target the remote endpoint via SSH
export DOCKER_HOST="ssh://ubuntu@$WWW_FQDN"
# enable docker swarm mode so we can support docker stacks.
if docker info | grep -q "Swarm: inactive"; then
docker swarm init --advertise-addr enp6s0
fi
bash -c "./deployment/www/go.sh"
export DOCKER_HOST="ssh://ubuntu@$BTCPAY_FQDN"
# enable docker swarm mode so we can support docker stacks.
if docker info | grep -q "Swarm: inactive"; then
docker swarm init --advertise-addr enp6s0
fi
bash -c "./deployment/btcpayserver/go.sh"
echo "Successfully deployed '$DOMAIN_NAME' with git commit '$(cat ./.git/refs/heads/master)' VPS_HOSTING_TARGET=$VPS_HOSTING_TARGET;"
}
function stub_site_definition {
mkdir -p "$SITE_PATH" "$PROJECT_PATH/sites"
@ -471,36 +431,21 @@ function stub_site_definition {
cat >"$SITE_DEFINITION_PATH" <<EOL
#!/bin/bash
# Set the domain name for the identity site.
export DOMAIN_NAME="${DOMAIN_NAME}"
# duplicitiy backup archive password
export DUPLICITY_BACKUP_PASSPHRASE="$(new_pass)"
# AWS only
#export DDNS_PASSWORD=
# Deploy APPS to www
#export BTCPAY_HOSTNAME_IN_CERT="store"
export DEPLOY_GHOST=true
export DEPLOY_NEXTCLOUD=true
export DEPLOY_NOSTR=false
# set if NOSTR_ACCOUNT_PUBKEY=true
export NOSTR_ACCOUNT_PUBKEY="CHANGE_ME"
export DEPLOY_GITEA=false
export DEPLOY_ONION_SITE=false
# passwords for WWW apps
## GHOST
export GHOST_MYSQL_PASSWORD="$(new_pass)"
export GHOST_MYSQL_ROOT_PASSWORD="$(new_pass)"
## NEXTCLOUD
export NEXTCLOUD_MYSQL_PASSWORD="$(new_pass)"
export NEXTCLOUD_MYSQL_ROOT_PASSWORD="$(new_pass)"
## GITEA
export GITEA_MYSQL_PASSWORD="$(new_pass)"
export GITEA_MYSQL_ROOT_PASSWORD="$(new_pass)"
@ -526,40 +471,25 @@ function stub_project_definition {
cat >"$PROJECT_DEFINITION_PATH" <<EOL
#!/bin/bash
# for more info about this file and how to use it, see
# www.sovereign-stack.org/project-defintion
# see https://www.sovereign-stack.org/project-definition for more info.
# Createa a DHCP reservation for the baseline image.
export SOVEREIGN_STACK_MAC_ADDRESS="CHANGE_ME_REQUIRED"
# Create a DHCP reservation for the www/reverse proxy VM.
export DEPLOY_WWW_SERVER=true
export WWW_SERVER_MAC_ADDRESS="CHANGE_ME_REQUIRED"
# Create a DHCP reservation for the btcpay server VM.
export DEPLOY_BTCPAY_SERVER=false
export DEPLOY_BTCPAY_SERVER=true
export BTCPAYSERVER_MAC_ADDRESS="CHANGE_ME_REQUIRED"
# valid are 'regtest', 'testnet', and 'mainnet'
export BTC_CHAIN=regtest
# set to true to enable nginx caching; helps when making website updates.
# export BTC_CHAIN=mainnet
# export ENABLE_NGINX_CACHING=true
# A list of all sites in ~/ss-sites/ that will be deployed under the project.
# e.g., 'domain1.tld,domain2.tld,domain3.tld'.
export SITE_LIST="domain1.tld"
export PRIMARY_DOMAIN="CHANGE_ME"
export OTHER_SITES_LIST=
EOL
chmod 0744 "$PROJECT_DEFINITION_PATH"
echo "INFO: we stubbed a new project_defition for you at '$PROJECT_DEFINITION_PATH'. Go update it yo!"
echo "INFO: Learn more at https://www.sovereign-stack.org/project-defition/"
echo "INFO: Learn more at https://www.sovereign-stack.org/project-definitions/"
exit 1
fi
# source project defition.
source "$PROJECT_DEFINITION_PATH"
}
@ -568,13 +498,13 @@ EOL
if [ "$VPS_HOSTING_TARGET" = lxd ]; then
CURRENT_PROJECT="$(lxc info | grep "project:" | awk '{print $2}')"
PROJECT_PATH="$PROJECTS_DIR/$CURRENT_PROJECT"
PROJECT_PATH="$PROJECTS_DIR/$PROJECT_NAME"
mkdir -p "$PROJECT_PATH" "$CLUSTER_PATH/projects"
export PROJECT_PATH="$PROJECT_PATH"
# create a symlink from ./clusterpath/projects/project
if [ ! -d "$CLUSTER_PATH/projects/$CURRENT_PROJECT" ]; then
ln -s "$PROJECT_PATH" "$CLUSTER_PATH/projects/$CURRENT_PROJECT"
if [ ! -d "$CLUSTER_PATH/projects/$PROJECT_NAME" ]; then
ln -s "$PROJECT_PATH" "$CLUSTER_PATH/projects/$PROJECT_NAME"
fi
# check if we need to provision a new lxc project.
@ -589,29 +519,36 @@ if [ "$VPS_HOSTING_TARGET" = lxd ]; then
fi
# stub out the project definition if needed.
stub_project_definition
# the DOMAIN_LIST is a complete list of all our domains. We often iterate over this list.
export DOMAIN_LIST="${PRIMARY_DOMAIN},${OTHER_SITES_LIST}"
export DOMAIN_COUNT=$(("$(echo $DOMAIN_LIST | tr -cd , | wc -c)"+1))
# iterate through our site list as provided by operator from cluster_definition
iteration=0
for DOMAIN_NAME in ${SITE_LIST//,/ }; do
# let's provision our primary domain first.
export DOMAIN_NAME="$PRIMARY_DOMAIN"
export SITE_PATH="$SITES_PATH/$DOMAIN_NAME"
export PRIMARY_WWW_FQDN="$WWW_HOSTNAME.$DOMAIN_NAME"
stub_site_definition
# bring the vms up under the primary domain name.
instantiate_vms
# let's stub out the rest of our site definitions, if any.
for DOMAIN_NAME in ${OTHER_SITES_LIST//,/ }; do
export DOMAIN_NAME="$DOMAIN_NAME"
export SITE_PATH="$SITES_PATH/$DOMAIN_NAME"
# the vms are named accordignt to the first domain listed.
if [ $iteration = 0 ]; then
# bring the vms up
instantiate_vms
fi
# stub out the site_defition if it's doesn't exist.
stub_site_definition
# run the logic for a domain deployment.
run_domain
iteration=$((iteration+1))
done
# now let's run the www and btcpay-specific provisioning scripts.
bash -c "./deployment/www/go.sh"
bash -c "./deployment/btcpayserver/go.sh"
elif [ "$VPS_HOSTING_TARGET" = aws ]; then
stub_site_definition

7
deployment/btcpayserver/go.sh
View File

@ -3,7 +3,10 @@
set -eux
cd "$(dirname "$0")"
export DOCKER_HOST="ssh://ubuntu@$BTCPAY_FQDN"
OPEN_URL=false
RUN_SERVICES=false
# we will re-run the btcpayserver provisioning scripts if directed to do so.
# if an update does occur, we grab another backup.
@ -58,8 +61,8 @@ fi
if [ "$OPEN_URL" = true ]; then
if [ "$VPS_HOSTING_TARGET" = lxd ]; then
if wait-for-it -t 5 "$WWW_FQDN:80"; then
xdg-open "http://$WWW_FQDN" > /dev/null 2>&1
if wait-for-it -t 5 "$PRIMARY_WWW_FQDN:80"; then
xdg-open "http://$PRIMARY_WWW_FQDN" > /dev/null 2>&1
fi
else
if wait-for-it -t 5 "$FQDN:443"; then

2
deployment/deploy_vms.sh
View File

@ -60,7 +60,7 @@ elif [ "$VPS_HOSTING_TARGET" = lxd ]; then
# create a base image if needed and instantiate a VM.
if [ -z "$MAC_ADDRESS_TO_PROVISION" ]; then
echo "ERROR: You MUST define a MAC Address for all your machines by setting WWW_MAC_ADDRESS, BTCPAY_MAC_ADDRESS in your site defintion."
echo "ERROR: You MUST define a MAC Address for all your machines by setting WWW_SERVER_MAC_ADDRESS, BTCPAYSERVER_MAC_ADDRESS in your site defintion."
echo "INFO: IMPORTANT! You MUST have DHCP Reservations for these MAC addresses. You also need static DNS entries."
exit 1
fi

6
deployment/provision_vps.sh
View File

@ -47,9 +47,8 @@ if [ "$VIRTUAL_MACHINE" = www ] || [ "$VIRTUAL_MACHINE" = certonly ]; then
--amazonec2-ami "$AWS_AMI_ID" \
--amazonec2-root-size "$ROOT_DISK_SIZE_GB" \
--amazonec2-instance-type "$WWW_INSTANCE_TYPE" \
--engine-label commit="$LATEST_GIT_COMMIT" \
"$FQDN"
# --engine-label commit="$LATEST_GIT_COMMIT" \
elif [ "$VIRTUAL_MACHINE" = btcpayserver ]; then
# creates a public VM in AWS and provisions the bcm website.
docker-machine create --driver amazonec2 \
@ -62,9 +61,8 @@ elif [ "$VIRTUAL_MACHINE" = btcpayserver ]; then
--amazonec2-ami "$AWS_AMI_ID" \
--amazonec2-root-size "$ROOT_DISK_SIZE_GB" \
--amazonec2-instance-type "$BTCPAY_INSTANCE_TYPE" \
--engine-label commit="$LATEST_GIT_COMMIT" \
"$FQDN"
# --engine-label commit="$LATEST_GIT_COMMIT" \
fi
docker-machine scp "$CLUSTER_PATH/authorized_keys" "$FQDN:$REMOTE_HOME/authorized_keys"

6
deployment/www/backup.sh
View File

@ -9,12 +9,12 @@ cd "$(dirname "$0")"
# maybe something like https://superuser.com/questions/616182/how-to-mount-local-directory-to-remote-like-sshfs
# step 1: run duplicity on the remote system to backup all files to the remote system.
ssh "$WWW_FQDN" sudo PASSPHRASE="$DUPLICITY_BACKUP_PASSPHRASE" duplicity --allow-source-mismatch --exclude "$REMOTE_HOME/backups" "$REMOTE_HOME" "file://$REMOTE_BACKUP_PATH"
ssh "$WWW_FQDN" sudo chown -R ubuntu:ubuntu "$REMOTE_BACKUP_PATH"
ssh "$PRIMARY_WWW_FQDN" sudo PASSPHRASE="$DUPLICITY_BACKUP_PASSPHRASE" duplicity --allow-source-mismatch --exclude "$REMOTE_HOME/backups" "$REMOTE_HOME" "file://$REMOTE_BACKUP_PATH"
ssh "$PRIMARY_WWW_FQDN" sudo chown -R ubuntu:ubuntu "$REMOTE_BACKUP_PATH"
# now let's pull down the latest files from the backup directory.
# create a temp directory to serve as the mountpoint for the remote machine backups directory
sshfs "$WWW_FQDN:$REMOTE_BACKUP_PATH" "$SSHFS_PATH"
sshfs "$PRIMARY_WWW_FQDN:$REMOTE_BACKUP_PATH" "$SSHFS_PATH"
# rsync the files from the remote server to our local backup path.
rsync -av "$SSHFS_PATH/" "$LOCAL_BACKUP_PATH/"

42
deployment/www/generate_certs.sh
View File

@ -2,6 +2,7 @@
set -ex
# let's do a refresh of the certificates. Let's Encrypt will not run if it's not time.
docker pull certbot/certbot:latest
@ -20,13 +21,38 @@ if [ "$VPS_HOSTING_TARGET" = aws ]; then
elif [ "$VPS_HOSTING_TARGET" = lxd ]; then
# with the lxd side, we are trying to expose ALL OUR services from one IP address, which terminates
# at a cachehing reverse proxy that runs nginx.
docker run -it --rm \
--name certbot \
-p 80:80 \
-p 443:443 \
-v "$REMOTE_HOME/letsencrypt":/etc/letsencrypt \
-v /var/lib/letsencrypt:/var/lib/letsencrypt \
-v "$REMOTE_HOME/letsencrypt_logs":/var/log/letsencrypt \
certbot/certbot certonly -v --noninteractive --agree-tos --key-type ecdsa --standalone --expand -d "$DOMAIN_NAME" -d "$WWW_FQDN" -d "$BTCPAY_USER_FQDN" -d "$NEXTCLOUD_FQDN" -d "$GITEA_FQDN" -d "$NOSTR_FQDN" --email "$CERTIFICATE_EMAIL_ADDRESS"
# docker run -it --rm \
# --name certbot \
# -p 80:80 \
# -p 443:443 \
# -v "$REMOTE_HOME/letsencrypt":/etc/letsencrypt \
# -v /var/lib/letsencrypt:/var/lib/letsencrypt \
# -v "$REMOTE_HOME/letsencrypt_logs":/var/log/letsencrypt \
# certbot/certbot certonly -v --noninteractive --agree-tos --key-type ecdsa --standalone --expand -d "$DOMAIN_NAME" -d "$PRIMARY_WWW_FQDN" -d "$BTCPAY_USER_FQDN" -d "$NEXTCLOUD_FQDN" -d "$GITEA_FQDN" -d "$NOSTR_FQDN" --email "$CERTIFICATE_EMAIL_ADDRESS"
for DOMAIN_NAME in ${DOMAIN_LIST//,/ }; do
export DOMAIN_NAME="$DOMAIN_NAME"
export SITE_PATH="$SITES_PATH/$DOMAIN_NAME"
# source the site path so we know what features it has.
source ../../reset_env.sh
source "$SITE_PATH/site_definition"
source ../../domain_env.sh
# with the lxd side, we are trying to expose ALL OUR services from one IP address, which terminates
# at a cachehing reverse proxy that runs nginx.
ssh "$PRIMARY_WWW_FQDN" sudo mkdir -p "$REMOTE_HOME/letsencrypt/$DOMAIN_NAME/_logs"
docker run -it --rm \
--name certbot \
-p 80:80 \
-p 443:443 \
-v "$REMOTE_HOME/letsencrypt/$DOMAIN_NAME":/etc/letsencrypt \
-v /var/lib/letsencrypt:/var/lib/letsencrypt \
-v "$REMOTE_HOME/letsencrypt/$DOMAIN_NAME/_logs":/var/log/letsencrypt \
certbot/certbot certonly -v --noninteractive --agree-tos --key-type ecdsa --standalone --expand -d "$DOMAIN_NAME" -d "$WWW_FQDN" -d "$BTCPAY_USER_FQDN" -d "$NEXTCLOUD_FQDN" -d "$GITEA_FQDN" -d "$NOSTR_FQDN" --email "$CERTIFICATE_EMAIL_ADDRESS"
done
fi

214
deployment/www/go.sh
View File

@ -1,94 +1,109 @@
#!/bin/bash
set -exuo
set -exu
cd "$(dirname "$0")"
if [ "$DEPLOY_GHOST" = true ]; then
if [ -z "$GHOST_MYSQL_PASSWORD" ]; then
echo "ERROR: Ensure GHOST_MYSQL_PASSWORD is configured in your site_definition."
exit 1
fi
if [ -z "$GHOST_MYSQL_ROOT_PASSWORD" ]; then
echo "ERROR: Ensure GHOST_MYSQL_ROOT_PASSWORD is configured in your site_definition."
exit 1
fi
fi
if [ "$DEPLOY_GITEA" = true ]; then
if [ -z "$GITEA_MYSQL_PASSWORD" ]; then
echo "ERROR: Ensure GITEA_MYSQL_PASSWORD is configured in your site_definition."
exit 1
fi
if [ -z "$GITEA_MYSQL_ROOT_PASSWORD" ]; then
echo "ERROR: Ensure GITEA_MYSQL_ROOT_PASSWORD is configured in your site_definition."
exit 1
fi
fi
if [ "$DEPLOY_NEXTCLOUD" = true ]; then
if [ -z "$NEXTCLOUD_MYSQL_ROOT_PASSWORD" ]; then
echo "ERROR: Ensure NEXTCLOUD_MYSQL_ROOT_PASSWORD is configured in your site_definition."
exit 1
fi
if [ -z "$NEXTCLOUD_MYSQL_PASSWORD" ]; then
echo "ERROR: Ensure NEXTCLOUD_MYSQL_PASSWORD is configured in your site_definition."
exit 1
fi
fi
if [ "$DEPLOY_NOSTR" = true ]; then
if [ -z "$NOSTR_ACCOUNT_PUBKEY" ]; then
echo "ERROR: Ensure NOSTR_ACCOUNT_PUBKEY is configured in your site_definition."
exit 1
fi
if [ -z "$NOSTR_ACCOUNT_PUBKEY" ]; then
echo "ERROR: Ensure NOSTR_ACCOUNT_PUBKEY is configured in your site_definition."
exit 1
fi
fi
if [ -z "$DUPLICITY_BACKUP_PASSPHRASE" ]; then
echo "ERROR: Ensure DUPLICITY_BACKUP_PASSPHRASE is configured in your site_definition."
exit 1
fi
if [ -z "$DOMAIN_NAME" ]; then
echo "ERROR: Ensure DOMAIN_NAME is configured in your site_definition."
exit 1
fi
if [ -z "$NOSTR_ACCOUNT_PUBKEY" ]; then
echo "ERROR: You MUST specify a Nostr public key. This is how you get all your social features."
echo "INFO: Go to your site_definition file and set the NOSTR_ACCOUNT_PUBKEY variable."
exit 1
fi
# Create the nginx config file which covers all domains.
bash -c ./stub_nginxconf.sh
TOR_CONFIG_PATH=
# redirect all docker commands to the remote host.
export DOCKER_HOST="ssh://ubuntu@$PRIMARY_WWW_FQDN"
ssh "$WWW_FQDN" mkdir -p "$REMOTE_HOME/ghost_site" "$REMOTE_HOME/ghost_db"
for DOMAIN_NAME in ${DOMAIN_LIST//,/ }; do
export DOMAIN_NAME="$DOMAIN_NAME"
export SITE_PATH="$SITES_PATH/$DOMAIN_NAME"
if [ "$DEPLOY_NEXTCLOUD" = true ]; then
ssh "$WWW_FQDN" "mkdir -p $REMOTE_NEXTCLOUD_PATH/db/data"
ssh "$WWW_FQDN" "mkdir -p $REMOTE_NEXTCLOUD_PATH/db/logs"
ssh "$WWW_FQDN" "mkdir -p $REMOTE_NEXTCLOUD_PATH/html"
fi
# source the site path so we know what features it has.
source ../../reset_env.sh
source "$SITE_PATH/site_definition"
source ../../domain_env.sh
if [ "$DEPLOY_GITEA" = true ]; then
ssh "$FQDN" "mkdir -p $REMOTE_GITEA_PATH/data $REMOTE_GITEA_PATH/db"
fi
### Let's check to ensure all the requiredsettings are set.
if [ "$DEPLOY_GHOST" = true ]; then
if [ -z "$GHOST_MYSQL_PASSWORD" ]; then
echo "ERROR: Ensure GHOST_MYSQL_PASSWORD is configured in your site_definition."
exit 1
fi
if [ -z "$GHOST_MYSQL_ROOT_PASSWORD" ]; then
echo "ERROR: Ensure GHOST_MYSQL_ROOT_PASSWORD is configured in your site_definition."
exit 1
fi
fi
if [ "$DEPLOY_GITEA" = true ]; then
if [ -z "$GITEA_MYSQL_PASSWORD" ]; then
echo "ERROR: Ensure GITEA_MYSQL_PASSWORD is configured in your site_definition."
exit 1
fi
if [ -z "$GITEA_MYSQL_ROOT_PASSWORD" ]; then
echo "ERROR: Ensure GITEA_MYSQL_ROOT_PASSWORD is configured in your site_definition."
exit 1
fi
fi
if [ "$DEPLOY_NEXTCLOUD" = true ]; then
if [ -z "$NEXTCLOUD_MYSQL_ROOT_PASSWORD" ]; then
echo "ERROR: Ensure NEXTCLOUD_MYSQL_ROOT_PASSWORD is configured in your site_definition."
exit 1
fi
if [ -z "$NEXTCLOUD_MYSQL_PASSWORD" ]; then
echo "ERROR: Ensure NEXTCLOUD_MYSQL_PASSWORD is configured in your site_definition."
exit 1
fi
fi
if [ "$DEPLOY_NOSTR" = true ]; then
if [ -z "$NOSTR_ACCOUNT_PUBKEY" ]; then
echo "ERROR: Ensure NOSTR_ACCOUNT_PUBKEY is configured in your site_definition."
exit 1
fi
if [ -z "$NOSTR_ACCOUNT_PUBKEY" ]; then
echo "ERROR: Ensure NOSTR_ACCOUNT_PUBKEY is configured in your site_definition."
exit 1
fi
fi
if [ -z "$DUPLICITY_BACKUP_PASSPHRASE" ]; then
echo "ERROR: Ensure DUPLICITY_BACKUP_PASSPHRASE is configured in your site_definition."
exit 1
fi
if [ -z "$DOMAIN_NAME" ]; then
echo "ERROR: Ensure DOMAIN_NAME is configured in your site_definition."
exit 1
fi
if [ -z "$NOSTR_ACCOUNT_PUBKEY" ]; then
echo "ERROR: You MUST specify a Nostr public key. This is how you get all your social features."
echo "INFO: Go to your site_definition file and set the NOSTR_ACCOUNT_PUBKEY variable."
exit 1
fi
TOR_CONFIG_PATH=
if [ "$DEPLOY_NEXTCLOUD" = true ]; then
ssh "$PRIMARY_WWW_FQDN" "mkdir -p $REMOTE_NEXTCLOUD_PATH/db/data"
ssh "$PRIMARY_WWW_FQDN" "mkdir -p $REMOTE_NEXTCLOUD_PATH/db/logs"
ssh "$PRIMARY_WWW_FQDN" "mkdir -p $REMOTE_NEXTCLOUD_PATH/html"
fi
if [ "$DEPLOY_GITEA" = true ]; then
ssh "$FQDN" "mkdir -p $REMOTE_GITEA_PATH/data $REMOTE_GITEA_PATH/db"
fi
done
### The next series of commands
# stop services.
if docker stack list --format "{{.Name}}" | grep -q webstack; then
docker stack rm webstack
sleep 15
fi
if [ "$BACKUP_WWW" = true ]; then
./backup.sh
fi
@ -98,7 +113,10 @@ if [ "$RESTORE_WWW" = true ]; then
# just created, we know that we'll deploy fresh.
./restore.sh
else
./generate_certs.sh
if [ "$RUN_CERT_RENEWAL" = true ]; then
./generate_certs.sh
fi
fi
@ -108,8 +126,8 @@ if [ "$DEPLOY_ONION_SITE" = true ]; then
# if the tor folder doesn't exist, we provision a new one. Otherwise you need to restore.
# this is how we generate a new torv3 endpoint.
if ! ssh "$WWW_FQDN" "[ -d $REMOTE_HOME/tor/www ]"; then
ssh "$WWW_FQDN" "mkdir -p $REMOTE_HOME/tor"
if ! ssh "$PRIMARY_WWW_FQDN" "[ -d $REMOTE_HOME/tor/www ]"; then
ssh "$PRIMARY_WWW_FQDN" "mkdir -p $REMOTE_HOME/tor"
TOR_CONFIG_PATH="$(pwd)/tor/torrc-init"
export TOR_CONFIG_PATH="$TOR_CONFIG_PATH"
docker stack deploy -c ./tor.yml torstack
@ -118,37 +136,31 @@ if [ "$DEPLOY_ONION_SITE" = true ]; then
sleep 20
fi
ONION_ADDRESS="$(ssh "$WWW_FQDN" sudo cat "${REMOTE_HOME}"/tor/www/hostname)"
ONION_ADDRESS="$(ssh "$PRIMARY_WWW_FQDN" sudo cat "${REMOTE_HOME}"/tor/www/hostname)"
export ONION_ADDRESS="$ONION_ADDRESS"
# # Since we run a separate ghost process, we create a new directory and symlink it to the original
# if ! ssh "$WWW_FQDN" "[ -L $REMOTE_HOME/tor_ghost ]"; then
# ssh "$WWW_FQDN" ln -s "$REMOTE_HOME/ghost_site/themes $REMOTE_HOME/tor_ghost/themes"
# if ! ssh "$PRIMARY_WWW_FQDN" "[ -L $REMOTE_HOME/tor_ghost ]"; then
# ssh "$PRIMARY_WWW_FQDN" ln -s "$REMOTE_HOME/ghost_site/themes $REMOTE_HOME/tor_ghost/themes"
# fi
fi
#if [ "$RUN_SERVICES" = true ]; then
mkdir -p "$SITE_PATH/stacks"
DOCKER_YAML_PATH="$SITE_PATH/stacks/www.yml"
export DOCKER_YAML_PATH="$DOCKER_YAML_PATH"
bash -c ./stub_docker_yml.sh
docker stack deploy -c "$DOCKER_YAML_PATH" webstack
# # start a browser session; point it to port 80 to ensure HTTPS redirect.
# wait-for-it -t 320 "$PRIMARY_WWW_FQDN:80"
# wait-for-it -t 320 "$PRIMARY_WWW_FQDN:443"
# start a browser session; point it to port 80 to ensure HTTPS redirect.
wait-for-it -t 320 "$WWW_FQDN:80"
wait-for-it -t 320 "$WWW_FQDN:443"
# # open bowser tabs.
# if [ "$DEPLOY_GHOST" = true ]; then
# xdg-open "http://$PRIMARY_WWW_FQDN" > /dev/null 2>&1
# fi
# open bowser tabs.
if [ "$DEPLOY_GHOST" = true ]; then
xdg-open "http://$WWW_FQDN" > /dev/null 2>&1
fi
# if [ "$DEPLOY_NEXTCLOUD" = true ]; then
# xdg-open "http://$NEXTCLOUD_FQDN" > /dev/null 2>&1
# fi
if [ "$DEPLOY_NEXTCLOUD" = true ]; then
xdg-open "http://$NEXTCLOUD_FQDN" > /dev/null 2>&1
fi
if [ "$DEPLOY_GITEA" = true ]; then
xdg-open "http://$GITEA_FQDN" > /dev/null 2>&1
fi
#fi
# if [ "$DEPLOY_GITEA" = true ]; then
# xdg-open "http://$GITEA_FQDN" > /dev/null 2>&1
# fi
# #fi

8
deployment/www/restore.sh
View File

@ -7,13 +7,13 @@ set -exu
# indeed, our first step is the delete the home directory on the remote server.
# delete the home directory so we know we are restoring all files from the duplicity archive.
ssh "$WWW_FQDN" sudo rm -rf "$REMOTE_HOME/*"
ssh "$PRIMARY_WWW_FQDN" sudo rm -rf "$REMOTE_HOME/*"
# scp our local backup directory to the remote machine
ssh "$WWW_FQDN" mkdir -p "$REMOTE_BACKUP_PATH"
ssh "$PRIMARY_WWW_FQDN" mkdir -p "$REMOTE_BACKUP_PATH"
# TODO instead of scp the files up there, lets' mount the local backup folder to a remote folder then just run a duplicity restore.
scp -r "$LOCAL_BACKUP_PATH/" "$WWW_FQDN:$REMOTE_HOME/backups/$VIRTUAL_MACHINE"
scp -r "$LOCAL_BACKUP_PATH" "$PRIMARY_WWW_FQDN:$REMOTE_BACKUP_PATH"
# now we run duplicity to restore the archive.
ssh "$WWW_FQDN" sudo PASSPHRASE="$DUPLICITY_BACKUP_PASSPHRASE" duplicity --force restore "file://$REMOTE_BACKUP_PATH/" "$REMOTE_HOME/"
ssh "$PRIMARY_WWW_FQDN" sudo PASSPHRASE="$DUPLICITY_BACKUP_PASSPHRASE" duplicity --force restore "file://$REMOTE_BACKUP_PATH/$BACKUP_TIMESTAMP" "$REMOTE_HOME/"

516
deployment/www/stub_docker_yml.sh
View File

@ -1,40 +1,119 @@
#!/bin/bash
set -eu
set -eux
cd "$(dirname "$0")"
if [ "$DEPLOY_ONION_SITE" = true ]; then
if [ -z "$ONION_ADDRESS" ]; then
echo "ERROR: ONION_ADDRESS is not defined."
exit 1
fi
fi
# here's the NGINX config. We support ghost and nextcloud.
echo "" > "$DOCKER_YAML_PATH"
ssh "$PRIMARY_WWW_FQDN" sudo rm -rf /home/ubuntu/ghost
sleep 4
cat >>"$DOCKER_YAML_PATH" <<EOL
#https://github.com/fiatjaf/expensive-relay
# NOSTR RELAY WHICH REQUIRES PAYMENTS.
DOCKER_YAML_PATH="$PROJECT_PATH/nginx.yml"
cat > "$DOCKER_YAML_PATH" <<EOL
version: "3.8"
services:
nginx:
image: ${NGINX_IMAGE}
ports:
- 0.0.0.0:443:443
- 0.0.0.0:80:80
networks:
EOL
for i in $(seq 0 $DOMAIN_COUNT); do
cat >> "$DOCKER_YAML_PATH" <<EOL
- ghostnet-$i
EOL
done
cat >> "$DOCKER_YAML_PATH" <<EOL
volumes:
- ${REMOTE_HOME}/letsencrypt:/etc/letsencrypt:ro
configs:
- source: nginx-config
target: /etc/nginx/nginx.conf
deploy:
restart_policy:
condition: on-failure
configs:
nginx-config:
file: ${PROJECT_PATH}/nginx.conf
EOL
cat >> "$DOCKER_YAML_PATH" <<EOL
networks:
EOL
for i in $(seq 0 $DOMAIN_COUNT); do
cat >> "$DOCKER_YAML_PATH" <<EOL
ghostnet-$i:
attachable: true
EOL
done
docker stack deploy -c "$DOCKER_YAML_PATH" "reverse-proxy"
# iterate over all our domains and create the nginx config file.
domain_number=0
for DOMAIN_NAME in ${DOMAIN_LIST//,/ }; do
export DOMAIN_NAME="$DOMAIN_NAME"
export SITE_PATH="$SITES_PATH/$DOMAIN_NAME"
ssh "$PRIMARY_WWW_FQDN" mkdir -p "$REMOTE_HOME/ghost/$DOMAIN_NAME/ghost" "$REMOTE_HOME/ghost/$DOMAIN_NAME/db"
# source the site path so we know what features it has.
source ../../reset_env.sh
source "$SITE_PATH/site_definition"
source ../../domain_env.sh
STACK_TAG="ghost-$domain_number"
# todo append domain number or port number.
mkdir -p "$SITE_PATH/webstack"
DOCKER_YAML_PATH="$SITE_PATH/webstack/$STACK_TAG.yml"
export DOCKER_YAML_PATH="$DOCKER_YAML_PATH"
# if [ "$DEPLOY_ONION_SITE" = true ]; then
# if [ -z "$ONION_ADDRESS" ]; then
# echo "ERROR: ONION_ADDRESS is not defined."
# exit 1
# fi
# fi
# here's the NGINX config. We support ghost and nextcloud.
echo "" > "$DOCKER_YAML_PATH"
cat >>"$DOCKER_YAML_PATH" <<EOL
version: "3.8"
services:
EOL
# This is the ghost for HTTPS (not over Tor)
cat >>"$DOCKER_YAML_PATH" <<EOL
ghost:
# This is the ghost for HTTPS (not over Tor)
cat >>"$DOCKER_YAML_PATH" <<EOL
ghost-${domain_number}:
image: ${GHOST_IMAGE}
networks:
- ghost-net
- ghostdb-net
- ghostnet-${domain_number}
- ghostdbnet-${domain_number}
volumes:
- ${REMOTE_HOME}/ghost_site:/var/lib/ghost/content
- ${REMOTE_HOME}/ghost/${DOMAIN_NAME}/ghost:/var/lib/ghost/content
environment:
- url=https://${WWW_FQDN}
- url=https://${PRIMARY_WWW_FQDN}
- database__client=mysql
- database__connection__host=ghostdb
- database__connection__host=ghostdb-${domain_number}
- database__connection__user=ghost
- database__connection__password=\${GHOST_MYSQL_PASSWORD}
- database__connection__database=ghost
@ -44,12 +123,12 @@ cat >>"$DOCKER_YAML_PATH" <<EOL
restart_policy:
condition: on-failure
ghostdb:
ghostdb-${domain_number}:
image: ${GHOST_DB_IMAGE}
networks:
- ghostdb-net
- ghostdbnet-${domain_number}
volumes:
- ${REMOTE_HOME}/ghost_db:/var/lib/mysql
- ${REMOTE_HOME}/ghost/${DOMAIN_NAME}/db:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=\${GHOST_MYSQL_ROOT_PASSWORD}
- MYSQL_DATABASE=ghost
@ -62,247 +141,214 @@ cat >>"$DOCKER_YAML_PATH" <<EOL
EOL
if [ "$DEPLOY_NEXTCLOUD" = true ]; then
cat >>"$DOCKER_YAML_PATH" <<EOL
nextcloud-db:
image: ${NEXTCLOUD_DB_IMAGE}
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --innodb_read_only_compressed=OFF
networks:
- nextclouddb-net
volumes:
- ${REMOTE_HOME}/nextcloud/db/data:/var/lib/mysql
environment:
- MARIADB_ROOT_PASSWORD=\${NEXTCLOUD_MYSQL_ROOT_PASSWORD}
- MYSQL_PASSWORD=\${NEXTCLOUD_MYSQL_PASSWORD}
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
deploy:
restart_policy:
condition: on-failure
# if [ "$DEPLOY_NEXTCLOUD" = true ]; then
# cat >>"$DOCKER_YAML_PATH" <<EOL
# nextcloud-db:
# image: ${NEXTCLOUD_DB_IMAGE}
# command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW --innodb_read_only_compressed=OFF
# networks:
# - nextclouddb-net
# volumes:
# - ${REMOTE_HOME}/nextcloud/db/data:/var/lib/mysql
# environment:
# - MARIADB_ROOT_PASSWORD=\${NEXTCLOUD_MYSQL_ROOT_PASSWORD}
# - MYSQL_PASSWORD=\${NEXTCLOUD_MYSQL_PASSWORD}
# - MYSQL_DATABASE=nextcloud
# - MYSQL_USER=nextcloud
# deploy:
# restart_policy:
# condition: on-failure
nextcloud:
image: ${NEXTCLOUD_IMAGE}
networks:
- nextclouddb-net
- nextcloud-net
volumes:
- ${REMOTE_HOME}/nextcloud/html:/var/www/html
environment:
- MYSQL_PASSWORD=\${NEXTCLOUD_MYSQL_PASSWORD}
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
- MYSQL_HOST=nextcloud-db
- NEXTCLOUD_TRUSTED_DOMAINS=${DOMAIN_NAME}
- OVERWRITEHOST=${NEXTCLOUD_FQDN}
- OVERWRITEPROTOCOL=https
- SERVERNAME=${NEXTCLOUD_FQDN}
deploy:
restart_policy:
condition: on-failure
# nextcloud:
# image: ${NEXTCLOUD_IMAGE}
# networks:
# - nextclouddb-net
# - nextcloud-net
# volumes:
# - ${REMOTE_HOME}/nextcloud/html:/var/www/html
# environment:
# - MYSQL_PASSWORD=\${NEXTCLOUD_MYSQL_PASSWORD}
# - MYSQL_DATABASE=nextcloud
# - MYSQL_USER=nextcloud
# - MYSQL_HOST=nextcloud-db
# - NEXTCLOUD_TRUSTED_DOMAINS=${DOMAIN_NAME}
# - OVERWRITEHOST=${NEXTCLOUD_FQDN}
# - OVERWRITEPROTOCOL=https
# - SERVERNAME=${NEXTCLOUD_FQDN}
# deploy:
# restart_policy:
# condition: on-failure
EOL
fi
# EOL
# fi
if [ "$DEPLOY_NOSTR" = true ]; then
cat >>"$DOCKER_YAML_PATH" <<EOL
# TODO
# if [ "$DEPLOY_GITEA" = true ]; then
# cat >>"$DOCKER_YAML_PATH" <<EOL
# gitea:
# image: ${GITEA_IMAGE}
# volumes:
# - ${REMOTE_GITEA_PATH}/data:/data
# - /etc/timezone:/etc/timezone:ro
# - /etc/localtime:/etc/localtime:ro
# environment:
# - USER_UID=1000
# - USER_GID=1000
# - ROOT_URL=https://${GITEA_FQDN}
# - GITEA__database__DB_TYPE=mysql
# - GITEA__database__HOST=gitea-db:3306
# - GITEA__database__NAME=gitea
# - GITEA__database__USER=gitea
# - GITEA__PASSWD=\${GITEA_MYSQL_PASSWORD}
# networks:
# - gitea-net
# - giteadb-net
# deploy:
# restart_policy:
# condition: on-failure
EOL
fi
if [ "$DEPLOY_GITEA" = true ]; then
cat >>"$DOCKER_YAML_PATH" <<EOL
gitea:
image: ${GITEA_IMAGE}
volumes:
- ${REMOTE_GITEA_PATH}/data:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
environment:
- USER_UID=1000
- USER_GID=1000
- ROOT_URL=https://${GITEA_FQDN}
- GITEA__database__DB_TYPE=mysql
- GITEA__database__HOST=gitea-db:3306
- GITEA__database__NAME=gitea
- GITEA__database__USER=gitea
- GITEA__PASSWD=\${GITEA_MYSQL_PASSWORD}
networks:
- gitea-net
- giteadb-net
deploy:
restart_policy:
condition: on-failure
gitea-db:
image: ${GITEA_DB_IMAGE}
networks:
- giteadb-net
volumes:
- ${REMOTE_GITEA_PATH}/db:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=\${GITEA_MYSQL_ROOT_PASSWORD}
- MYSQL_PASSWORD=\${GITEA_MYSQL_PASSWORD}
- MYSQL_DATABASE=gitea
- MYSQL_USER=gitea
deploy:
restart_policy:
condition: on-failure
EOL
fi
# gitea-db:
# image: ${GITEA_DB_IMAGE}
# networks:
# - giteadb-net
# volumes:
# - ${REMOTE_GITEA_PATH}/db:/var/lib/mysql
# environment:
# - MYSQL_ROOT_PASSWORD=\${GITEA_MYSQL_ROOT_PASSWORD}
# - MYSQL_PASSWORD=\${GITEA_MYSQL_PASSWORD}
# - MYSQL_DATABASE=gitea
# - MYSQL_USER=gitea
# deploy:
# restart_policy:
# condition: on-failure
# EOL
# fi
if [ "$DEPLOY_ONION_SITE" = true ]; then
cat >>"$DOCKER_YAML_PATH" <<EOL
# a hidden service that routes to the nginx container at http://onionurl.onion server block
tor-onion:
image: tor:latest
networks:
- tor-net
volumes:
- ${REMOTE_HOME}/tor:/var/lib/tor
- tor-logs:/var/log/tor
configs:
- source: tor-config
target: /etc/tor/torrc
mode: 0644
deploy:
mode: replicated
replicas: 1
restart_policy:
condition: on-failure
# if [ "$DEPLOY_ONION_SITE" = true ]; then
# cat >>"$DOCKER_YAML_PATH" <<EOL
# # a hidden service that routes to the nginx container at http://onionurl.onion server block
# tor-onion:
# image: tor:latest
# networks:
# - tor-net
# volumes:
# - ${REMOTE_HOME}/tor:/var/lib/tor
# - tor-logs:/var/log/tor
# configs:
# - source: tor-config
# target: /etc/tor/torrc
# mode: 0644
# deploy:
# mode: replicated
# replicas: 1
# restart_policy:
# condition: on-failure
tor-ghost:
image: ${GHOST_IMAGE}
networks:
- ghostdb-net
- ghost-net
volumes:
- ${REMOTE_HOME}/tor_ghost:/var/lib/ghost/content
environment:
- url=https://${ONION_ADDRESS}
- database__client=mysql
- database__connection__host=ghostdb
- database__connection__user=ghost
- database__connection__password=\${GHOST_MYSQL_PASSWORD}
- database__connection__database=ghost
deploy:
restart_policy:
condition: on-failure
# tor-ghost:
# image: ${GHOST_IMAGE}
# networks:
# - ghostdb-net
# - ghost-net
# volumes:
# - ${REMOTE_HOME}/tor_ghost:/var/lib/ghost/content
# environment:
# - url=https://${ONION_ADDRESS}
# - database__client=mysql
# - database__connection__host=ghostdb
# - database__connection__user=ghost
# - database__connection__password=\${GHOST_MYSQL_PASSWORD}
# - database__connection__database=ghost
# deploy:
# restart_policy:
# condition: on-failure
EOL
fi
# EOL
# fi
#https://github.com/fiatjaf/expensive-relay
# NOSTR RELAY WHICH REQUIRES PAYMENTS.
cat >>"$DOCKER_YAML_PATH" <<EOL
nginx:
image: ${NGINX_IMAGE}
ports:
- 0.0.0.0:443:443
- 0.0.0.0:80:80
networks:
- ghost-net
EOL
# if [ "$DEPLOY_ONION_SITE" = true ]; then
# cat >>"$DOCKER_YAML_PATH" <<EOL
# - torghost-net
# EOL
# fi
if [ "$DEPLOY_ONION_SITE" = true ]; then
cat >>"$DOCKER_YAML_PATH" <<EOL
- torghost-net
EOL
fi
# if [ "$DEPLOY_NEXTCLOUD" = true ]; then
# cat >>"$DOCKER_YAML_PATH" <<EOL
# - nextcloud-net
# EOL
# fi
if [ "$DEPLOY_NEXTCLOUD" = true ]; then
cat >>"$DOCKER_YAML_PATH" <<EOL
- nextcloud-net
EOL
fi
# if [ "$DEPLOY_GITEA" = true ]; then
# cat >>"$DOCKER_YAML_PATH" <<EOL
# - gitea-net
# EOL
# fi
if [ "$DEPLOY_GITEA" = true ]; then
cat >>"$DOCKER_YAML_PATH" <<EOL
- gitea-net
EOL
fi
# if [ "$DEPLOY_ONION_SITE" = true ]; then
# cat >>"$DOCKER_YAML_PATH" <<EOL
# - tor-net
# EOL
# fi
if [ "$DEPLOY_ONION_SITE" = true ]; then
cat >>"$DOCKER_YAML_PATH" <<EOL
- tor-net
EOL
fi
# the rest of the nginx config
cat >>"$DOCKER_YAML_PATH" <<EOL
volumes:
- ${REMOTE_HOME}/letsencrypt:/etc/letsencrypt:ro
configs:
- source: nginx-config
target: /etc/nginx/nginx.conf
deploy:
restart_policy:
condition: on-failure
EOL
if [ "$DEPLOY_ONION_SITE" = true ]; then
cat >>"$DOCKER_YAML_PATH" <<EOL
# if [ "$DEPLOY_ONION_SITE" = true ]; then
# cat >>"$DOCKER_YAML_PATH" <<EOL
volumes:
tor-data:
tor-logs:
# volumes:
# tor-data:
# tor-logs:
EOL
fi
#-------------------------
# EOL
# fi
# #-------------------------
# networks ----------------------
cat >>"$DOCKER_YAML_PATH" <<EOL
cat >>"$DOCKER_YAML_PATH" <<EOL
networks:
EOL
if [ "$DEPLOY_GHOST" = true ]; then
cat >>"$DOCKER_YAML_PATH" <<EOL
ghost-net:
ghostdb-net:
if [ "$DEPLOY_GHOST" = true ]; then
cat >>"$DOCKER_YAML_PATH" <<EOL
ghostnet-${domain_number}:
name: "reverse-proxy_ghostnet-${domain_number}"
external: true
ghostdbnet-${domain_number}:
EOL
fi
fi
if [ "$DEPLOY_NEXTCLOUD" = true ]; then
cat >>"$DOCKER_YAML_PATH" <<EOL
nextclouddb-net:
nextcloud-net:
EOL
fi
# if [ "$DEPLOY_NEXTCLOUD" = true ]; then
# cat >>"$DOCKER_YAML_PATH" <<EOL
# nextclouddb-net:
# nextcloud-net:
# EOL
# fi
if [ "$DEPLOY_GITEA" = true ]; then
cat >>"$DOCKER_YAML_PATH" <<EOL
gitea-net:
giteadb-net:
EOL
fi
# if [ "$DEPLOY_GITEA" = true ]; then
# cat >>"$DOCKER_YAML_PATH" <<EOL
# gitea-net:
# giteadb-net:
# EOL
# fi
if [ "$DEPLOY_ONION_SITE" = true ]; then
cat >>"$DOCKER_YAML_PATH" <<EOL
tor-net:
torghost-net:
EOL
fi
# -------------------------------
# if [ "$DEPLOY_ONION_SITE" = true ]; then
# cat >>"$DOCKER_YAML_PATH" <<EOL
# tor-net:
# torghost-net:
# EOL
# fi
# # -------------------------------
# configs ----------------------
cat >>"$DOCKER_YAML_PATH" <<EOL
# if [ "$DEPLOY_ONION_SITE" = true ]; then
# cat >>"$DOCKER_YAML_PATH" <<EOL
# tor-config:
# file: $(pwd)/tor/torrc
# EOL
# fi
# # -----------------------------
configs:
nginx-config:
file: ${PROJECT_PATH}/nginx.conf
EOL
if [ "$DEPLOY_ONION_SITE" = true ]; then
cat >>"$DOCKER_YAML_PATH" <<EOL
tor-config:
file: $(pwd)/tor/torrc
EOL
fi
# -----------------------------
docker stack deploy -c "$DOCKER_YAML_PATH" "$STACK_TAG"
domain_number=$((domain_number+1))
done

233
deployment/www/stub_nginxconf.sh
View File

@ -4,17 +4,29 @@ set -eu
cd "$(dirname "$0")"
if [ "$DEPLOY_ONION_SITE" = true ]; then
if [ -z "$ONION_ADDRESS" ]; then
echo "ERROR: ONION_ADDRESS is not defined."
exit 1
fi
fi
# here's the NGINX config. We support ghost and nextcloud.
NGINX_CONF_PATH="$PROJECT_PATH/nginx.conf"
# clear the existing nginx config.
echo "" > "$NGINX_CONF_PATH"
cat >>"$NGINX_CONF_PATH" <<EOL
# iterate over all our domains and create the nginx config file.
iteration=0
echo "DOMAIN_LIST: $DOMAIN_LIST"
for DOMAIN_NAME in ${DOMAIN_LIST//,/ }; do
export DOMAIN_NAME="$DOMAIN_NAME"
export SITE_PATH="$SITES_PATH/$DOMAIN_NAME"
export CONTAINER_TLS_PATH="/etc/letsencrypt/${DOMAIN_NAME}/live/${DOMAIN_NAME}"
# source the site path so we know what features it has.
source ../../reset_env.sh
source "$SITE_PATH/site_definition"
source ../../domain_env.sh
echo "Doing DOMAIN_NAME: $DOMAIN_NAME"
if [ $iteration = 0 ]; then
cat >>"$NGINX_CONF_PATH" <<EOL
events {
worker_connections 1024;
}
@ -25,14 +37,13 @@ http {
# next two sets commands and connection_upgrade block come from https://docs.btcpayserver.org/FAQ/Deployment/#can-i-use-an-existing-nginx-server-as-a-reverse-proxy-with-ssl-termination
# Needed to allow very long URLs to prevent issues while signing PSBTs
server_names_hash_bucket_size 128;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
client_header_buffer_size 500k;
large_client_header_buffers 4 500k;
http2_max_field_size 500k;
http2_max_header_size 500k;
server_names_hash_bucket_size 128;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
client_header_buffer_size 500k;
large_client_header_buffers 4 500k;
http2_max_header_size 500k;
# Needed websocket support (used by Ledger hardware wallets)
map \$http_upgrade \$connection_upgrade {
@ -43,14 +54,14 @@ http {
# return 403 for all non-explicit hostnames
server {
listen 80 default_server;
return 403;
return 301 https://${WWW_FQDN}\$request_uri;
}
EOL
fi
# ghost http to https redirects.
cat >>"$NGINX_CONF_PATH" <<EOL
# ghost http to https redirects.
cat >>"$NGINX_CONF_PATH" <<EOL
# http://${DOMAIN_NAME} redirect to https://${WWW_FQDN}
server {
listen 80;
@ -66,7 +77,7 @@ cat >>"$NGINX_CONF_PATH" <<EOL
EOL
cat >>"$NGINX_CONF_PATH" <<EOL
cat >>"$NGINX_CONF_PATH" <<EOL
# http://${WWW_FQDN} redirect to https://${WWW_FQDN}
server {
listen 80;
@ -77,9 +88,9 @@ cat >>"$NGINX_CONF_PATH" <<EOL
EOL
# nextcloud http-to-https redirect
if [ "$DEPLOY_NEXTCLOUD" = true ]; then
cat >>"$NGINX_CONF_PATH" <<EOL
# nextcloud http-to-https redirect
if [ "$DEPLOY_NEXTCLOUD" = true ]; then
cat >>"$NGINX_CONF_PATH" <<EOL
# http://${NEXTCLOUD_FQDN} redirect to https://${NEXTCLOUD_FQDN}
server {
listen 80;
@ -89,11 +100,11 @@ cat >>"$NGINX_CONF_PATH" <<EOL
}
EOL
fi
fi
# gitea http to https redirect.
if [ "$DEPLOY_GITEA" = true ]; then
cat >>"$NGINX_CONF_PATH" <<EOL
# gitea http to https redirect.
if [ "$DEPLOY_GITEA" = true ]; then
cat >>"$NGINX_CONF_PATH" <<EOL
# http://${GITEA_FQDN} redirect to https://${GITEA_FQDN}
server {
listen 80;
@ -103,12 +114,12 @@ cat >>"$NGINX_CONF_PATH" <<EOL
}
EOL
fi
fi
# REDIRECT FOR BTCPAY_USER_FQDN
if [ "$VPS_HOSTING_TARGET" = lxd ]; then
# gitea http to https redirect.
if [ "$DEPLOY_BTCPAY_SERVER" = true ]; then
# REDIRECT FOR BTCPAY_USER_FQDN
if [ "$VPS_HOSTING_TARGET" = lxd ]; then
# gitea http to https redirect.
if [ "$DEPLOY_BTCPAY_SERVER" = true ]; then
cat >>"$NGINX_CONF_PATH" <<EOL
# http://${BTCPAY_USER_FQDN} redirect to https://${BTCPAY_USER_FQDN}
@ -121,11 +132,13 @@ if [ "$VPS_HOSTING_TARGET" = lxd ]; then
EOL
fi
fi
fi
# TLS config for ghost.
cat >>"$NGINX_CONF_PATH" <<EOL
if [ "$iteration" = 0 ]; then
# TLS config for ghost.
cat >>"$NGINX_CONF_PATH" <<EOL
# global TLS settings
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.3;
@ -143,34 +156,42 @@ cat >>"$NGINX_CONF_PATH" <<EOL
server {
listen 443 default_server;
ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
ssl_certificate $CONTAINER_TLS_PATH/fullchain.pem;
ssl_certificate_key $CONTAINER_TLS_PATH/privkey.pem;
ssl_trusted_certificate $CONTAINER_TLS_PATH/fullchain.pem;
return 403;
}
# maybe helps with Twitter cards.
map \$http_user_agent \$og_prefix {
~*(googlebot|twitterbot)/ /open-graph;
}
#map \$http_user_agent \$og_prefix {
# ~*(googlebot|twitterbot)/ /open-graph;
#}
EOL
fi
# https://${DOMAIN_NAME} redirect to https://${FQDN}
cat >>"$NGINX_CONF_PATH" <<EOL
# https://${DOMAIN_NAME} redirect to https://${WWW_FQDN}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
ssl_certificate $CONTAINER_TLS_PATH/fullchain.pem;
ssl_certificate_key $CONTAINER_TLS_PATH/privkey.pem;
ssl_trusted_certificate $CONTAINER_TLS_PATH/fullchain.pem;
server_name ${DOMAIN_NAME};
EOL
###########################################
# catch all; send request to ${WWW_FQDN}
location / {
return 301 https://${WWW_FQDN}\$request_uri;
}
if [ "$DEPLOY_NOSTR" = true ]; then
cat >>"$NGINX_CONF_PATH" <<EOL
EOL
if [ "$DEPLOY_NOSTR" = true ]; then
cat >>"$NGINX_CONF_PATH" <<EOL
# We return a JSON object with name/pubkey mapping per NIP05.
# https://www.reddit.com/r/nostr/comments/rrzk76/nip05_mapping_usernames_to_dns_domains_by_fiatjaf/sssss
# TODO I'm not sure about the security of this Access-Control-Allow-Origin. Read up and restrict it if possible.
@ -181,46 +202,38 @@ cat >>"$NGINX_CONF_PATH" <<EOL
}
EOL
fi
fi
cat >>"$NGINX_CONF_PATH" <<EOL
# catch all; send request to ${WWW_FQDN}
location / {
return 301 https://${WWW_FQDN}\$request_uri;
}
EOL
#####################################################
cat >>"$NGINX_CONF_PATH" <<EOL
cat >>"$NGINX_CONF_PATH" <<EOL
}
#access_log /var/log/nginx/ghost-access.log;
#error_log /var/log/nginx/ghost-error.log;
EOL
if [ "$ENABLE_NGINX_CACHING" = true ]; then
cat >>"$NGINX_CONF_PATH" <<EOL
# main TLS listener; proxies requests to ghost service. NGINX configured to cache
proxy_cache_path /tmp/nginx_ghost levels=1:2 keys_zone=ghostcache:600m max_size=100m inactive=24h;
EOL
fi
fi
# SERVER block for BTCPAY Server
if [ "$VPS_HOSTING_TARGET" = lxd ]; then
# gitea http to https redirect.
if [ "$DEPLOY_BTCPAY_SERVER" = true ]; then
# SERVER block for BTCPAY Server
if [ "$VPS_HOSTING_TARGET" = lxd ]; then
# gitea http to https redirect.
if [ "$DEPLOY_BTCPAY_SERVER" = true ]; then
cat >>"$NGINX_CONF_PATH" <<EOL
cat >>"$NGINX_CONF_PATH" <<EOL
# http://${BTCPAY_USER_FQDN} redirect to https://${BTCPAY_USER_FQDN}
server {
listen 443 ssl http2;
ssl on;
ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
ssl_certificate $CONTAINER_TLS_PATH/fullchain.pem;
ssl_certificate_key $CONTAINER_TLS_PATH/privkey.pem;
ssl_trusted_certificate $CONTAINER_TLS_PATH/fullchain.pem;
server_name ${BTCPAY_USER_FQDN};
@ -240,42 +253,34 @@ if [ "$VPS_HOSTING_TARGET" = lxd ]; then
EOL
fi
fi
fi
# the open server block for the HTTPS listener
cat >>"$NGINX_CONF_PATH" <<EOL
cat >>"$NGINX_CONF_PATH" <<EOL
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
ssl_certificate $CONTAINER_TLS_PATH/fullchain.pem;
ssl_certificate_key $CONTAINER_TLS_PATH/privkey.pem;
ssl_trusted_certificate $CONTAINER_TLS_PATH/fullchain.pem;
server_name ${WWW_FQDN};
EOL
# add the Onion-Location header if specifed.
if [ "$DEPLOY_ONION_SITE" = true ]; then
cat >>"$NGINX_CONF_PATH" <<EOL
# add the Onion-Location header if specifed.
if [ "$DEPLOY_ONION_SITE" = true ]; then
cat >>"$NGINX_CONF_PATH" <<EOL
add_header Onion-Location https://${ONION_ADDRESS}\$request_uri;
EOL
fi
fi
if [ "$ENABLE_NGINX_CACHING" = true ]; then
cat >>"$NGINX_CONF_PATH" <<EOL
if [ "$ENABLE_NGINX_CACHING" = true ]; then
cat >>"$NGINX_CONF_PATH" <<EOL
# No cache + keep cookies for admin and previews
location ~ ^/(ghost/|p/|private/) {
@ -284,14 +289,14 @@ cat >>"$NGINX_CONF_PATH" <<EOL
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
proxy_intercept_errors on;
proxy_pass http://ghost:2368;
proxy_pass http://ghost-${iteration}:2368;
}
EOL
fi
# proxy config for ghost
cat >>"$NGINX_CONF_PATH" <<EOL
cat >>"$NGINX_CONF_PATH" <<EOL
# Set the crawler policy.
location = /robots.txt {
add_header Content-Type text/plain;
@ -306,11 +311,11 @@ cat >>"$NGINX_CONF_PATH" <<EOL
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
proxy_intercept_errors on;
proxy_pass http://ghost:2368;
proxy_pass http://ghost-${iteration}:2368;
EOL
if [ "$ENABLE_NGINX_CACHING" = true ]; then
cat >>"$NGINX_CONF_PATH" <<EOL
if [ "$ENABLE_NGINX_CACHING" = true ]; then
cat >>"$NGINX_CONF_PATH" <<EOL
# https://stanislas.blog/2019/08/ghost-nginx-cache/ for nginx caching instructions
# Remove cookies which are useless for anonymous visitor and prevent caching
proxy_ignore_headers Set-Cookie Cache-Control;
@ -338,10 +343,10 @@ cat >>"$NGINX_CONF_PATH" <<EOL
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
EOL
fi
fi
# this is the closing location / block for the ghost HTTPS segment
cat >>"$NGINX_CONF_PATH" <<EOL
cat >>"$NGINX_CONF_PATH" <<EOL
}
EOL
@ -354,19 +359,19 @@ EOL
# proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto \$scheme;
# proxy_intercept_errors on;
# proxy_pass http://ghost:2368\$og_prefix\$request_uri;
# proxy_pass http://ghost-${iteration}::2368\$og_prefix\$request_uri;
# }
# this is the closing server block for the ghost HTTPS segment
cat >>"$NGINX_CONF_PATH" <<EOL
cat >>"$NGINX_CONF_PATH" <<EOL
}
EOL
# tor config
if [ "$DEPLOY_ONION_SITE" = true ]; then
cat >>"$NGINX_CONF_PATH" <<EOL
if [ "$DEPLOY_ONION_SITE" = true ]; then
cat >>"$NGINX_CONF_PATH" <<EOL
# server listener for tor v3 onion endpoint
server {
listen 443 ssl http2;
@ -385,18 +390,18 @@ cat >>"$NGINX_CONF_PATH" <<EOL
}
}
EOL
fi
fi
if [ "$DEPLOY_NEXTCLOUD" = true ]; then
cat >>"$NGINX_CONF_PATH" <<EOL
if [ "$DEPLOY_NEXTCLOUD" = true ]; then
cat >>"$NGINX_CONF_PATH" <<EOL
# TLS listener for ${NEXTCLOUD_FQDN}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
ssl_certificate $CONTAINER_TLS_PATH/fullchain.pem;
ssl_certificate_key $CONTAINER_TLS_PATH/privkey.pem;
ssl_trusted_certificate $CONTAINER_TLS_PATH/fullchain.pem;
server_name ${NEXTCLOUD_FQDN};
@ -422,11 +427,12 @@ cat >>"$NGINX_CONF_PATH" <<EOL
}
}
EOL
fi
fi
if [ "$DEPLOY_GITEA" = true ]; then
cat >>"$NGINX_CONF_PATH" <<EOL
if [ "$DEPLOY_GITEA" = true ]; then
cat >>"$NGINX_CONF_PATH" <<EOL
# TLS listener for ${GITEA_FQDN}
server {
listen 443 ssl http2;
@ -447,9 +453,12 @@ cat >>"$NGINX_CONF_PATH" <<EOL
}
}
EOL
fi
fi
iteration=$((iteration+1))
done
# add the closing brace.
cat >>"$NGINX_CONF_PATH" <<EOL
}
EOL
EOL

18
domain_env.sh Executable file
View File

@ -0,0 +1,18 @@
#!/bin/bash
set -ex
# TODO, ensure VPS_HOSTING_TARGET is in range.
export NEXTCLOUD_FQDN="$NEXTCLOUD_HOSTNAME.$DOMAIN_NAME"
export BTCPAY_FQDN="$BTCPAY_HOSTNAME.$DOMAIN_NAME"
export BTCPAY_USER_FQDN="$BTCPAY_HOSTNAME_IN_CERT.$DOMAIN_NAME"
export WWW_FQDN="$WWW_HOSTNAME.$DOMAIN_NAME"
export GITEA_FQDN="$GITEA_HOSTNAME.$DOMAIN_NAME"
export NOSTR_FQDN="$NOSTR_HOSTNAME.$DOMAIN_NAME"
export ADMIN_ACCOUNT_USERNAME="info"
export CERTIFICATE_EMAIL_ADDRESS="$ADMIN_ACCOUNT_USERNAME@$DOMAIN_NAME"
export REMOTE_NEXTCLOUD_PATH="$REMOTE_HOME/nextcloud"
export REMOTE_GITEA_PATH="$REMOTE_HOME/gitea"
export BTC_CHAIN="$BTC_CHAIN"
export WWW_INSTANCE_TYPE="$WWW_INSTANCE_TYPE"
export BTCPAY_ADDITIONAL_HOSTNAMES="$BTCPAY_ADDITIONAL_HOSTNAMES"

20
reset.sh
View File

@ -2,20 +2,23 @@
set -x
CLUSTER_NAME="development"
SSH_ENDPOINT_HOSTNAME="atlantis"
SSH_ENDPOINT_DOMAIN_NAME="ancapistan.io"
TEST_DOMAIN="ancapistan.casa"
CLUSTER_NAME="development"
export LXD_VM_NAME="${TEST_DOMAIN//./-}"
lxc delete --force www-"$LXD_VM_NAME"
lxc delete --force btcpay-"$LXD_VM_NAME"
lxc delete --force sovereign-stack
lxc delete --force sovereign-stack-base
if [ -n "$TEST_DOMAIN" ]; then
lxc delete --force www-"$LXD_VM_NAME"
lxc delete --force btcpay-"$LXD_VM_NAME"
lxc delete --force sovereign-stack
lxc delete --force sovereign-stack-base
lxc profile delete www-"$LXD_VM_NAME"
lxc profile delete btcpay-"$LXD_VM_NAME"
fi
lxc profile delete www-"$LXD_VM_NAME"
lxc profile delete btcpay-"$LXD_VM_NAME"
lxc profile delete sovereign-stack
lxc image rm sovereign-stack-base
@ -30,6 +33,7 @@ lxc remote remove "$CLUSTER_NAME"
source "$HOME/.bashrc"
./cluster.sh create "$CLUSTER_NAME" "$SSH_ENDPOINT_HOSTNAME.$SSH_ENDPOINT_DOMAIN_NAME" --data-plane-interface=enp89s0
./cluster.sh create "$CLUSTER_NAME" "$SSH_ENDPOINT_HOSTNAME.$SSH_ENDPOINT_DOMAIN_NAME"
#--data-plane-interface=enp89s0
#./deploy.sh

22
reset_env.sh Executable file
View File

@ -0,0 +1,22 @@
#!/bin/bash
set -ex
export DOMAIN_NAME=
export DUPLICITY_BACKUP_PASSPHRASE=
export BTCPAY_HOSTNAME_IN_CERT=
export DEPLOY_GHOST=true
export DEPLOY_NEXTCLOUD=true
export DEPLOY_NOSTR=false
export NOSTR_ACCOUNT_PUBKEY=
export DEPLOY_GITEA=false
export DEPLOY_ONION_SITE=false
export GHOST_MYSQL_PASSWORD=
export GHOST_MYSQL_ROOT_PASSWORD=
export NEXTCLOUD_MYSQL_PASSWORD=
export NEXTCLOUD_MYSQL_ROOT_PASSWORD=
export GITEA_MYSQL_PASSWORD=
export GITEA_MYSQL_ROOT_PASSWORD=
SCRIPT_DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
source "$SCRIPT_DIR/defaults.sh"