basic deployment setup

Author: artcz

deploy/.python-version

@@ -0,0 +1 @@
+3.11

deploy/Makefile

@@ -0,0 +1,11 @@
+run-playbook:
+	ansible-playbook -i hosts.ini playbook.yml --extra-vars "app_version=$(V)"
+
+deploy/deps/init:
+	pip install pip-tools
+
+deploy/deps/compile:
+	pip-compile
+
+deploy/deps/install:
+	pip-sync

deploy/docker-compose.yml.j2

@@ -0,0 +1,28 @@
+version: '3'
+
+services:
+  app:
+    build: .
+    env_file:
+      - env/config
+    volumes:
+      - ./data/static:/srv/data/public
+
+  nginx:
+    image: nginx:latest
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./nginx.conf:/etc/nginx/nginx.conf
+      - ./data/certbot/conf:/etc/letsencrypt
+      - ./data/certbot/www:/var/www/certbot
+      - ./data/static:/usr/share/static
+    depends_on:
+      - app
+
+  certbot:
+    image: certbot/certbot
+    volumes:
+      - ./data/certbot/conf:/etc/letsencrypt
+      - ./data/certbot/www:/var/www/certbot

deploy/env.example

@@ -0,0 +1 @@
+PRETALX_TOKEN=pretalx_token

deploy/hosts.ini

@@ -0,0 +1,2 @@
+[hetzner]
+49.13.23.199 ansible_user=root domain_name=programapi24.europython.eu ansible_ssh_common_args='-o StrictHostKeyChecking=no'

deploy/init-letsencrypt.sh.j2

@@ -0,0 +1,80 @@
+#!/bin/bash
+
+if ! [ -x "$(command -v docker)" ]; then
+  echo 'Error: docker is not installed.' >&2
+  exit 1
+fi
+
+domains=({{ domain_name }} www.{{ domain_name }})
+rsa_key_size=4096
+data_path="./data/certbot"
+email="czepiel.artur@gmail.com" # Adding a valid address is strongly recommended
+staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits
+
+if [ -d "$data_path" ]; then
+  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
+  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
+    exit
+  fi
+fi
+
+
+if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
+  echo "### Downloading recommended TLS parameters ..."
+  mkdir -p "$data_path/conf"
+  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
+  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
+  echo
+fi
+
+echo "### Creating dummy certificate for $domains ..."
+path="/etc/letsencrypt/live/$domains"
+mkdir -p "$data_path/conf/live/$domains"
+docker compose run --rm --entrypoint "\
+  openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\
+    -keyout '$path/privkey.pem' \
+    -out '$path/fullchain.pem' \
+    -subj '/CN=localhost'" certbot
+echo
+
+
+echo "### Starting nginx ..."
+docker compose up --force-recreate -d nginx
+echo
+
+echo "### Deleting dummy certificate for $domains ..."
+docker compose run --rm --entrypoint "\
+  rm -Rf /etc/letsencrypt/live/$domains && \
+  rm -Rf /etc/letsencrypt/archive/$domains && \
+  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
+echo
+
+
+echo "### Requesting Let's Encrypt certificate for $domains ..."
+#Join $domains to -d args
+domain_args=""
+for domain in "${domains[@]}"; do
+  domain_args="$domain_args -d $domain"
+done
+
+# Select appropriate email arg
+case "$email" in
+  "") email_arg="--register-unsafely-without-email" ;;
+  *) email_arg="--email $email" ;;
+esac
+
+# Enable staging mode if needed
+if [ $staging != "0" ]; then staging_arg="--staging"; fi
+
+docker compose run --rm --entrypoint "\
+  certbot certonly --webroot -w /var/www/certbot \
+    $staging_arg \
+    $email_arg \
+    $domain_args \
+    --rsa-key-size $rsa_key_size \
+    --agree-tos \
+    --force-renewal" certbot
+echo
+
+echo "### Reloading nginx ..."
+docker compose exec nginx nginx -s reload

deploy/nginx.conf.j2

@@ -0,0 +1,82 @@
+user nginx;
+worker_processes 1;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    map $remote_addr $remote_addr_anon {
+        ~(?P<ip>\d+\.\d+\.\d+)\.    $ip.0;
+        ~(?P<ip>[^:]+:[^:]+):       $ip::;
+        # IP addresses to not anonymize (such as your server)
+        127.0.0.1                   $remote_addr;
+        ::1                         $remote_addr;
+        #w.x.y.z                     $remote_addr;
+        #a:b:c:d::e:f                $remote_addr;
+        default                     0.0.0.0;
+    }
+
+    log_format anonymized '$remote_addr_anon - $remote_user [$time_local] '
+        '"$request" $status $body_bytes_sent '
+        '"$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  anonymized;
+
+    keepalive_timeout 65;
+    sendfile on;
+
+
+    # To drop all the connections that don't use the valid host name
+    server {
+        listen 80 default_server;
+        listen [::]:80 default_server;
+
+        listen 443 ssl http2 default_server;
+        listen [::]:443 ssl http2 default_server;
+
+        ssl_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/{{ domain_name }}/privkey.pem;
+
+        include /etc/letsencrypt/options-ssl-nginx.conf;
+
+        server_name _;
+
+        return 444;
+    }
+
+    server {
+        listen 80;
+        server_name {{ domain_name }} www.{{ domain_name }};
+
+        location /.well-known/acme-challenge/ {
+            root /var/www/certbot;
+        }
+
+        location / {
+            return 301 https://$server_name$request_uri;
+        }
+    }
+
+    server {
+        listen 443 ssl;
+        server_name {{ domain_name }} www.{{ domain_name }};
+
+        ssl_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/{{ domain_name }}/privkey.pem;
+
+        include /etc/letsencrypt/options-ssl-nginx.conf;
+        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+        location /2024 {
+            alias /usr/share/static/2024;
+        }
+    }
+}

deploy/playbook.yml

@@ -0,0 +1,82 @@
+- name: Deploy programapi generator with Nginx and Let's Encrypt SSL certificate
+  hosts: hetzner
+  become: yes
+  gather_facts: yes
+
+  vars:
+    repository_url: https://github.com/EuroPython/programapi.git
+
+  tasks:
+    - name: Install Docker dependencies
+      apt:
+        name: "{{ packages }}"
+        state: present
+        update_cache: yes
+      vars:
+        packages:
+          - apt-transport-https
+          - ca-certificates
+          - curl
+          - gnupg
+          - lsb-release
+
+    - name: Install Docker
+      block:
+        - name: Add Docker GPG key
+          apt_key:
+            url: https://download.docker.com/linux/ubuntu/gpg
+            state: present
+
+        - name: Add Docker repository
+          apt_repository:
+            repo: deb [arch=amd64] https://download.docker.com/linux/ubuntu {{ ansible_lsb.codename }} stable
+            state: present
+
+        - name: Install Docker
+          apt:
+            name: docker-ce
+            state: present
+
+        - name: Add current user to docker group
+          user:
+            name: "{{ ansible_user }}"
+            groups: docker
+            append: yes
+          changed_when: false
+
+    - name: Clone repository to specific version (to a temporary location)
+      git:
+        repo: "{{ repository_url }}"
+        dest: /tmp/repo
+        version: "{{ app_version }}"
+
+    - name: Copy latest src from repository clone to /srv
+      command: cp -R /tmp/repo/src /srv
+
+    - name: Copy Dockerfile
+      command: cp /tmp/repo/Dockerfile /srv
+
+    - name: Copy requirements.txt
+      command: cp /tmp/repo/requirements.txt /srv
+
+    - name: Copy Makefile
+      command: cp /tmp/repo/Makefile /srv
+
+    - name: Copy docker-compose.yml to the remote server
+      ansible.builtin.template:
+        src: ./docker-compose.yml.j2
+        dest: /srv/docker-compose.yml
+
+    - name: Copy Nginx configuration file
+      ansible.builtin.template:
+        src: ./nginx.conf.j2
+        dest: /srv/nginx.conf
+
+    - name: Copy Init-Letsencrypt
+      ansible.builtin.template:
+        src: ./init-letsencrypt.sh.j2
+        dest: /srv/init-letsencrypt.sh
+
+    #- name: Start Docker compose
+    #  shell: "cd /srv && docker compose up -d"
+    #  docker compose up -d --build --force-recreate

deploy/requirements.in

@@ -0,0 +1 @@
+ansible

deploy/requirements.txt

@@ -0,0 +1,26 @@
+#
+# This file is autogenerated by pip-compile with Python 3.11
+# by the following command:
+#
+#    pip-compile
+#
+ansible==9.5.1
+    # via -r requirements.in
+ansible-core==2.16.6
+    # via ansible
+cffi==1.16.0
+    # via cryptography
+cryptography==42.0.7
+    # via ansible-core
+jinja2==3.1.4
+    # via ansible-core
+markupsafe==2.1.5
+    # via jinja2
+packaging==24.0
+    # via ansible-core
+pycparser==2.22
+    # via cffi
+pyyaml==6.0.1
+    # via ansible-core
+resolvelib==1.0.1
+    # via ansible-core