feat: caddyfile, api.service, 01.sh makefile
This commit is contained in:
@@ -93,3 +93,40 @@ build/api:
|
||||
go build -ldflags=${linker_flags} -o=./bin/api ./cmd/api
|
||||
GOOS=linux GOARCH=amd64 go build -ldflags=${linker_flags} -o=./bin/linux_amd64/api ./cmd/api
|
||||
|
||||
|
||||
# ==================================================================================== #
|
||||
# PRODUCTION
|
||||
# ==================================================================================== #
|
||||
|
||||
production_host_ip = 'xx.xx.xx.xx'
|
||||
|
||||
## production/connect: connect to the production server
|
||||
.PHONY: production/connect
|
||||
production/connect:
|
||||
ssh greenlight@${production_host_ip}
|
||||
|
||||
## production/deploy/api: deploy the api to production
|
||||
.PHONY: production/deploy/api
|
||||
production/deploy/api:
|
||||
rsync -rP --delete ./bin/linux_amd64/api ./migrations greenlight@${production_host_ip}:~
|
||||
ssh -t greenlight@${production_host_ip} 'migrate -path ~/migrations -database $$GREENLIGHT_DB_DSN up'
|
||||
|
||||
|
||||
## production/configure/api.service: configure the production systemd api.service file
|
||||
.PHONY: production/configure/api.service
|
||||
production/configure/api.service:
|
||||
rsync -P ./remote/production/api.service greenlight@${production_host_ip}:~
|
||||
ssh -t greenlight@${production_host_ip} '\
|
||||
sudo mv ~/api.service /etc/systemd/system/ \
|
||||
&& sudo systemctl enable api \
|
||||
&& sudo systemctl restart api \
|
||||
'
|
||||
|
||||
## production/configure/caddyfile: configure the production Caddyfile
|
||||
.PHONY: production/configure/caddyfile
|
||||
production/configure/caddyfile:
|
||||
rsync -P ./remote/production/Caddyfile greenlight@${production_host_ip}:~
|
||||
ssh -t greenlight@${production_host_ip} '\
|
||||
sudo mv ~/Caddyfile /etc/caddy/ \
|
||||
&& sudo systemctl reload caddy \
|
||||
'
|
||||
|
||||
Binary file not shown.
@@ -0,0 +1,12 @@
|
||||
# Set the email address that should be used to contact you if there is a problem with
|
||||
# your TLS certificates.
|
||||
{
|
||||
email you@example.com
|
||||
}
|
||||
|
||||
# Remove the http:// prefix from your site address.
|
||||
xxx.xxx.net {
|
||||
respond /debug/* "Not Permitted" 403
|
||||
reverse_proxy localhost:4000
|
||||
}
|
||||
|
||||
@@ -0,0 +1,34 @@
|
||||
[Unit]
|
||||
# Description is a human-readable name for the service.
|
||||
Description=Greenlight API service
|
||||
|
||||
# Wait until PostgreSQL is running and the network is "up" before starting the service.
|
||||
After=postgresql.service
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
|
||||
# Configure service start rate limiting. If the service is (re)started more than 5 times
|
||||
# in 600 seconds then don't permit it to start anymore.
|
||||
StartLimitIntervalSec=600
|
||||
StartLimitBurst=5
|
||||
|
||||
[Service]
|
||||
# Execute the API binary as the greenlight user, loading the environment variables from
|
||||
# /etc/environment and using the working directory /home/greenlight.
|
||||
Type=exec
|
||||
User=greenlight
|
||||
Group=greenlight
|
||||
EnvironmentFile=/etc/environment
|
||||
WorkingDirectory=/home/greenlight
|
||||
ExecStart=/home/greenlight/api -port=4000 -db-dsn=${GREENLIGHT_DB_DSN} -env=production
|
||||
|
||||
# Automatically restart the service after a 5-second wait if it exits with a non-zero
|
||||
# exit code. If it restarts more than 5 times in 600 seconds, then the rate limit we
|
||||
# configured above will be hit and it won't be restarted anymore.
|
||||
Restart=on-failure
|
||||
RestartSec=5
|
||||
|
||||
[Install]
|
||||
# Start the service automatically at boot time (the 'multi-user.target' describes a boot
|
||||
# state when the system will accept logins).
|
||||
WantedBy=multi-user.target
|
||||
@@ -0,0 +1,83 @@
|
||||
#!/bin/bash
|
||||
set -eu
|
||||
|
||||
# ==================================================================================== #
|
||||
# VARIABLES
|
||||
# ==================================================================================== #
|
||||
|
||||
# Set the timezone for the server. A full list of available timezones can be found by
|
||||
# running timedatectl list-timezones.
|
||||
TIMEZONE=America/New_York
|
||||
|
||||
# Set the name of the new user to create.
|
||||
USERNAME=greenlight
|
||||
|
||||
# Prompt to enter a password for the PostgreSQL greenlight user (rather than hard-coding
|
||||
# a password in this script).
|
||||
read -p "Enter password for greenlight DB user: " DB_PASSWORD
|
||||
|
||||
# Force all output to be presented in en_US for the duration of this script. This avoids
|
||||
# any "setting locale failed" errors while this script is running, before we have
|
||||
# installed support for all locales. Do not change this setting!
|
||||
export LC_ALL=en_US.UTF-8
|
||||
|
||||
# ==================================================================================== #
|
||||
# SCRIPT LOGIC
|
||||
# ==================================================================================== #
|
||||
|
||||
# Enable the "universe" repository.
|
||||
add-apt-repository --yes universe
|
||||
|
||||
# Update all software packages. Using the --force-confnew flag means that configuration
|
||||
# files will be replaced if newer ones are available.
|
||||
apt update
|
||||
apt --yes -o Dpkg::Options::="--force-confnew" upgrade
|
||||
|
||||
# Set the system timezone and install all locales.
|
||||
timedatectl set-timezone ${TIMEZONE}
|
||||
apt --yes install locales-all
|
||||
|
||||
# Add the new user (and give them sudo privileges).
|
||||
useradd --create-home --shell "/bin/bash" --groups sudo "${USERNAME}"
|
||||
|
||||
# Force a password to be set for the new user the first time they log in.
|
||||
passwd --delete "${USERNAME}"
|
||||
chage --lastday 0 "${USERNAME}"
|
||||
|
||||
# Copy the SSH keys from the root user to the new user.
|
||||
rsync --archive --chown=${USERNAME}:${USERNAME} /root/.ssh /home/${USERNAME}
|
||||
|
||||
# Configure the firewall to allow SSH, HTTP and HTTPS traffic.
|
||||
ufw allow 22
|
||||
ufw allow 80/tcp
|
||||
ufw allow 443/tcp
|
||||
ufw --force enable
|
||||
|
||||
# Install fail2ban.
|
||||
apt --yes install fail2ban
|
||||
|
||||
# Install the migrate CLI tool.
|
||||
curl -L https://github.com/golang-migrate/migrate/releases/download/v4.14.1/migrate.linux-amd64.tar.gz | tar xvz
|
||||
mv migrate.linux-amd64 /usr/local/bin/migrate
|
||||
|
||||
# Install PostgreSQL.
|
||||
apt --yes install postgresql
|
||||
|
||||
# Set up the greenlight DB and create a user account with the password entered earlier.
|
||||
sudo -i -u postgres psql -c "CREATE DATABASE greenlight"
|
||||
sudo -i -u postgres psql -d greenlight -c "CREATE EXTENSION IF NOT EXISTS citext"
|
||||
sudo -i -u postgres psql -d greenlight -c "CREATE ROLE greenlight WITH LOGIN PASSWORD '${DB_PASSWORD}'"
|
||||
|
||||
# Add a DSN for connecting to the greenlight database to the system-wide environment
|
||||
# variables in the /etc/environment file.
|
||||
echo "GREENLIGHT_DB_DSN='postgres://greenlight:${DB_PASSWORD}@localhost/greenlight'" >>/etc/environment
|
||||
|
||||
# Install Caddy (see https://caddyserver.com/docs/install#debian-ubuntu-raspbian).
|
||||
apt --yes install -y debian-keyring debian-archive-keyring apt-transport-https
|
||||
curl -L https://dl.cloudsmith.io/public/caddy/stable/gpg.key | sudo apt-key add -
|
||||
curl -L https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt | sudo tee -a /etc/apt/sources.list.d/caddy-stable.list
|
||||
apt update
|
||||
apt --yes install caddy
|
||||
|
||||
echo "Script complete! Rebooting..."
|
||||
reboot
|
||||
Reference in New Issue
Block a user