From 0cbd32fab45e9c0eecea03ff3f05894771c3e6fb Mon Sep 17 00:00:00 2001 From: Luke Murphy Date: Wed, 25 Mar 2020 18:38:57 +0100 Subject: [PATCH] Bootstrap homebase application --- .envrc.sample | 2 ++ CHECKS | 5 ++++ Dockerfile | 30 +++++++++++++++++++ README.md | 43 ++++++++++++++++++++++++++++ ansible/.vault.sh | 5 ++++ ansible/post-deploy.yml | 42 +++++++++++++++++++++++++++ ansible/pre-deploy.yml | 39 +++++++++++++++++++++++++ ansible/requirements.yml | 3 ++ ansible/templates/homebase.yml.j2 | 18 ++++++++++++ ansible/vars/all.yml | 11 +++++++ ansible/vars/ansible_become_pass.yml | 8 ++++++ ansible/vars/webapi_password.yml | 9 ++++++ ansible/vars/webapi_username.yml | 8 ++++++ app.json | 5 ++++ requirements.txt | 1 + sbin/encrypt.sh | 15 ++++++++++ 16 files changed, 244 insertions(+) create mode 100644 .envrc.sample create mode 100644 CHECKS create mode 100644 Dockerfile create mode 100644 README.md create mode 100755 ansible/.vault.sh create mode 100644 ansible/post-deploy.yml create mode 100644 ansible/pre-deploy.yml create mode 100644 ansible/requirements.yml create mode 100644 ansible/templates/homebase.yml.j2 create mode 100644 ansible/vars/all.yml create mode 100644 ansible/vars/ansible_become_pass.yml create mode 100644 ansible/vars/webapi_password.yml create mode 100644 ansible/vars/webapi_username.yml create mode 100644 app.json create mode 100644 requirements.txt create mode 100755 sbin/encrypt.sh diff --git a/.envrc.sample b/.envrc.sample new file mode 100644 index 0000000..cfe67cc --- /dev/null +++ b/.envrc.sample @@ -0,0 +1,2 @@ +# The path to our pass credentials store +export PASSWORD_STORE_DIR=$(pwd)/../infrastructure/credentials/password-store diff --git a/CHECKS b/CHECKS new file mode 100644 index 0000000..c393fc4 --- /dev/null +++ b/CHECKS @@ -0,0 +1,5 @@ +WAIT=3 +TIMEOUT=3 +ATTEMPTS=5 + +/.well-known/psa "My Pinning Service" diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..ab58146 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,30 @@ +# Adapted from the upstream docker container packaged by the Homebase project +# https://github.com/beakerbrowser/homebase/commit/48fe5c7d1b9b72e07e29452e3e1ad969c120aaab + +FROM node:8-stretch + +ENV NODE_ENV production + +WORKDIR /usr/src/app + +RUN apt-get update && \ + apt-get install --no-install-recommends --yes \ + automake \ + build-essential \ + curl \ + libcap2-bin \ + libtool \ + m4 + +RUN curl -Lo homebase.zip https://github.com/beakerbrowser/homebase/archive/1.1.2.zip \ + && unzip homebase.zip \ + && mv homebase-1.1.2/* /usr/src/app \ + && rm homebase.zip + +RUN npm install --only=production +RUN npm install pm2@4.2.3 -g + +EXPOSE 3282 +EXPOSE 8085 + +CMD [ "pm2-runtime", "npm", "--", "start" ] diff --git a/README.md b/README.md new file mode 100644 index 0000000..9f2059f --- /dev/null +++ b/README.md @@ -0,0 +1,43 @@ +# homebase + +> https://github.com/beakerbrowser/homebase + +## Setup + +### Pre-requisites + +1. You have SSH access to dokku.autonomic.zone +1. You have sudo privilege escalation working + +``` +Host dokku.autonomic.zone + Hostname dokku.autonomic.zone + User + Port 222 + IdentityFile ~/.ssh/ +``` + +See the password-store under `autonomic-dokku` for your sudo password. + +### Environment + +1. Clone the [infrastructure repository](https://gitlab.com/autonomic-cooperative/infrastructure) +1. Copy the sample file: `cp .envrc.sample .envrc` +1. Ensure that the .envrc `PASSWORD_STORE_DIR` env var points to the `infrastructure/credentials/password-store` + +### Python + +You only need to do this if you're working with Ansible vault (encrypting/decrypting new secrets). + +```bash +$ python3 -m venv .venv +$ source .venv/bin/activate +$ pip install -r requirements.txt +``` + +## Deploy + +```bash +$ git remote add dokku dokku@dokku.autonomic.zone:homebase +$ git push dokku +``` diff --git a/ansible/.vault.sh b/ansible/.vault.sh new file mode 100755 index 0000000..8f30d37 --- /dev/null +++ b/ansible/.vault.sh @@ -0,0 +1,5 @@ +#!/bin/bash + +set -eu -o pipefail + +echo $(pass show hosts/autonomic-dokku/vault/password) diff --git a/ansible/post-deploy.yml b/ansible/post-deploy.yml new file mode 100644 index 0000000..d713995 --- /dev/null +++ b/ansible/post-deploy.yml @@ -0,0 +1,42 @@ +--- +- hosts: all + gather_facts: false + tasks: + - name: Load variables + include_vars: + dir: "{{ dokku_lib_root }}/data/ansible/homebase/vars/" + extensions: + - yml + + - name: Set HTTP 80 port proxy + dokku_ports: + app: homebase + mappings: + - "http:80:{{ http_port }}" + - "http:{{ dat_port }}:{{ dat_port }}" + state: present + + - name: Setup LE certificates + shell: dokku letsencrypt homebase + args: + creates: /home/dokku/homebase/letsencrypt/certs + + - name: Setup LE certificates renew cron job + shell: dokku letsencrypt:cron-job --add + args: + creates: /home/dokku/homebase/letsencrypt/cron-job + + - name: Remove automatically configured ports + dokku_ports: + app: homebase + mappings: + - "http:{{ dat_port }}:{{ dat_port }}" + - "http:{{ http_port }}:{{ http_port }}" + state: absent + + - name: Set HTTP 443 port + dokku_ports: + app: homebase + mappings: + - "https:443:{{ http_port }}" + state: present diff --git a/ansible/pre-deploy.yml b/ansible/pre-deploy.yml new file mode 100644 index 0000000..a8b61a7 --- /dev/null +++ b/ansible/pre-deploy.yml @@ -0,0 +1,39 @@ +--- +- hosts: all + gather_facts: false + tasks: + - name: Load variables + include_vars: + dir: "{{ dokku_lib_root }}/data/ansible/homebase/vars/" + extensions: + - yml + + - name: "Configure {{ domain }} domain" + dokku_domains: + app: homebase + domains: + - "{{ domain }}" + state: present + + - name: Specify docker volume mount + dokku_storage: + app: homebase + mounts: + - /var/lib/homebase:/root/ + + - name: Configure the app environment + dokku_config: + app: homebase + restart: false + config: + DOKKU_LETSENCRYPT_EMAIL: "{{ autonomic_admin_mail }}" + + - name: Copy template into place + + - name: Symlink the authorized keys configuration + template: + src: homebase.yml.j2 + dest: /var/lib/.homebase.yml + owner: dokku + group: dokku + become: true diff --git a/ansible/requirements.yml b/ansible/requirements.yml new file mode 100644 index 0000000..0dddf53 --- /dev/null +++ b/ansible/requirements.yml @@ -0,0 +1,3 @@ +--- +- src: dokku_bot.ansible_dokku + version: v2020.3.15 diff --git a/ansible/templates/homebase.yml.j2 b/ansible/templates/homebase.yml.j2 new file mode 100644 index 0000000..424e83b --- /dev/null +++ b/ansible/templates/homebase.yml.j2 @@ -0,0 +1,18 @@ +--- +directory: {{ dat_root }} + +httpMirror: {{ http_mirror }} + +letsencrypt: {{ auto_letsencrypt }} + +dashboard: {{ dashboard }} + +webapi: + domain: {{ domain }} + username: {{ webapi_username }} + password: {{ webapi_password }} + +ports: + http: {{ http_port }} + +dats: {{ dats }} diff --git a/ansible/vars/all.yml b/ansible/vars/all.yml new file mode 100644 index 0000000..c846e13 --- /dev/null +++ b/ansible/vars/all.yml @@ -0,0 +1,11 @@ +--- +auto_letsencrypt: "false" +dashboard: "false" +dat_port: "3282" +domain: "punkbase.autonomic.zone" +http_mirror: "true" +http_port: "8085" +dat_root: "/root/.homebase" +dats: + # https://sunbeam.city/@kawaiipunk/103883932490360099 + - "dat://c403b7c92eb5e1b2c293425ee6623635be11211977787053e9797e94b958e6e0" diff --git a/ansible/vars/ansible_become_pass.yml b/ansible/vars/ansible_become_pass.yml new file mode 100644 index 0000000..abb21b9 --- /dev/null +++ b/ansible/vars/ansible_become_pass.yml @@ -0,0 +1,8 @@ +--- +ansible_become_pass: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 34396236353735666531323238656533643465303131663464613162396333313836363630666266 + 6539323631656635333864316166633064633366323936610a656137616334313534333635313232 + 35323561303763366563316631313638363333393763323935343563303963616334336639386462 + 3837383830616637360a373539613630356564363662393836366462666430353439353637303035 + 63396633303166343433313439303539313637306637663137313533316531616434 diff --git a/ansible/vars/webapi_password.yml b/ansible/vars/webapi_password.yml new file mode 100644 index 0000000..e84b002 --- /dev/null +++ b/ansible/vars/webapi_password.yml @@ -0,0 +1,9 @@ +--- +webapi_username: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 30383532356364623139396134326537353934386538386638353936633638613862363161333736 + 3661613834353137316538373130323035646531313061360a613335353563383366373362373338 + 37656461346137616433613234326633646330393433663135323635376566396264356230336662 + 6135313237303437340a343531333538376635393730383735616663383238376165393764656136 + 63303639613631613333636634653465383138623736383133333532343830396166393166613263 + 3163666132366235323262393135306133613333366132653434 diff --git a/ansible/vars/webapi_username.yml b/ansible/vars/webapi_username.yml new file mode 100644 index 0000000..d06b432 --- /dev/null +++ b/ansible/vars/webapi_username.yml @@ -0,0 +1,8 @@ +--- +webapi_username: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 61656131613735636330666533393534613664616134323564623939353738643937323666396334 + 3235363739643361303833646666616137333063316663660a613035656531306638386533363164 + 36643262666336306631363663623432623936643134333039373464333237323031303031383564 + 3964393437643238630a356364633334343366326338616664646133376332313330306339306139 + 3033 diff --git a/app.json b/app.json new file mode 100644 index 0000000..5a28976 --- /dev/null +++ b/app.json @@ -0,0 +1,5 @@ +{ + "name": "homebase", + "description": "Self-deployable tool for seeding dat:// websites", + "repository": "https://git.autonomic.zone/autonomic-cooperative/homebase" +} diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..130e91f --- /dev/null +++ b/requirements.txt @@ -0,0 +1 @@ +ansible==2.9.6 diff --git a/sbin/encrypt.sh b/sbin/encrypt.sh new file mode 100755 index 0000000..d328761 --- /dev/null +++ b/sbin/encrypt.sh @@ -0,0 +1,15 @@ +#!/bin/bash + +set -eu -o pipefail + +# Usage +# ./encrypt.sh mysecretname mysecretvalue + +declare name="$1" +declare secret="$2" + +ansible-vault \ + encrypt_string \ + --vault-password-file ansible/.vault.sh \ + --name "$name" \ + "$secret"