Bootstrap homebase application

.envrc.sample

@@ -0,0 +1,2 @@
+# The path to our pass credentials store
+export PASSWORD_STORE_DIR=$(pwd)/../infrastructure/credentials/password-store

CHECKS

@@ -0,0 +1,5 @@
+WAIT=3
+TIMEOUT=3
+ATTEMPTS=5
+
+/.well-known/psa "My Pinning Service"

Dockerfile

@@ -0,0 +1,30 @@
+# Adapted from the upstream docker container packaged by the Homebase project
+# https://github.com/beakerbrowser/homebase/commit/48fe5c7d1b9b72e07e29452e3e1ad969c120aaab
+
+FROM node:8-stretch
+
+ENV NODE_ENV production
+
+WORKDIR /usr/src/app
+
+RUN apt-get update && \
+    apt-get install --no-install-recommends --yes \
+      automake \
+      build-essential \
+      curl \
+      libcap2-bin \
+      libtool \
+      m4
+
+RUN curl -Lo homebase.zip https://github.com/beakerbrowser/homebase/archive/1.1.2.zip \
+    && unzip homebase.zip \
+    && mv homebase-1.1.2/* /usr/src/app \
+    && rm homebase.zip
+
+RUN npm install --only=production
+RUN npm install pm2@4.2.3 -g
+
+EXPOSE 3282
+EXPOSE 8085
+
+CMD [ "pm2-runtime", "npm", "--", "start" ]

README.md

@@ -0,0 +1,43 @@
+# homebase
+
+> https://github.com/beakerbrowser/homebase
+
+## Setup
+
+### Pre-requisites
+
+1. You have SSH access to dokku.autonomic.zone
+1. You have sudo privilege escalation working
+
+```
+Host dokku.autonomic.zone
+  Hostname dokku.autonomic.zone
+  User <your-username>
+  Port 222
+  IdentityFile ~/.ssh/<your-ssh-key-private-file>
+```
+
+See the password-store under `autonomic-dokku` for your sudo password.
+
+### Environment
+
+1. Clone the [infrastructure repository](https://gitlab.com/autonomic-cooperative/infrastructure)
+1. Copy the sample file: `cp .envrc.sample .envrc`
+1. Ensure that the .envrc `PASSWORD_STORE_DIR` env var points to the `infrastructure/credentials/password-store`
+
+### Python
+
+You only need to do this if you're working with Ansible vault (encrypting/decrypting new secrets).
+
+```bash
+$ python3 -m venv .venv
+$ source .venv/bin/activate
+$ pip install -r requirements.txt
+```
+
+## Deploy
+
+```bash
+$ git remote add dokku dokku@dokku.autonomic.zone:homebase
+$ git push dokku
+```

ansible/.vault.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -eu -o pipefail
+
+echo $(pass show hosts/autonomic-dokku/vault/password)

ansible/post-deploy.yml

@@ -0,0 +1,42 @@
+---
+- hosts: all
+  gather_facts: false
+  tasks:
+    - name: Load variables
+      include_vars:
+        dir: "{{ dokku_lib_root }}/data/ansible/homebase/vars/"
+        extensions:
+          - yml
+
+    - name: Set HTTP 80 port proxy
+      dokku_ports:
+        app: homebase
+        mappings:
+          - "http:80:{{ http_port }}"
+          - "http:{{ dat_port }}:{{ dat_port }}"
+        state: present
+
+    - name: Setup LE certificates
+      shell: dokku letsencrypt homebase
+      args:
+        creates: /home/dokku/homebase/letsencrypt/certs
+
+    - name: Setup LE certificates renew cron job
+      shell: dokku letsencrypt:cron-job --add
+      args:
+        creates: /home/dokku/homebase/letsencrypt/cron-job
+
+    - name: Remove automatically configured ports
+      dokku_ports:
+        app: homebase
+        mappings:
+          - "http:{{ dat_port }}:{{ dat_port }}"
+          - "http:{{ http_port }}:{{ http_port }}"
+        state: absent
+
+    - name: Set HTTP 443 port
+      dokku_ports:
+        app: homebase
+        mappings:
+          - "https:443:{{ http_port }}"
+        state: present

ansible/pre-deploy.yml

@@ -0,0 +1,39 @@
+---
+- hosts: all
+  gather_facts: false
+  tasks:
+    - name: Load variables
+      include_vars:
+        dir: "{{ dokku_lib_root }}/data/ansible/homebase/vars/"
+        extensions:
+          - yml
+
+    - name: "Configure {{ domain }} domain"
+      dokku_domains:
+        app: homebase
+        domains:
+          - "{{ domain }}"
+        state: present
+
+    - name: Specify docker volume mount
+      dokku_storage:
+        app: homebase
+        mounts:
+          - /var/lib/homebase:/root/
+
+    - name: Configure the app environment
+      dokku_config:
+        app: homebase
+        restart: false
+        config:
+          DOKKU_LETSENCRYPT_EMAIL: "{{ autonomic_admin_mail }}"
+
+    - name: Copy template into place
+
+    - name: Symlink the authorized keys configuration
+      template:
+        src: homebase.yml.j2
+        dest: /var/lib/.homebase.yml
+        owner: dokku
+        group: dokku
+      become: true

ansible/requirements.yml

@@ -0,0 +1,3 @@
+---
+- src: dokku_bot.ansible_dokku
+  version: v2020.3.15

ansible/templates/homebase.yml.j2

@@ -0,0 +1,18 @@
+---
+directory: {{ dat_root }}
+
+httpMirror: {{ http_mirror }}
+
+letsencrypt: {{ auto_letsencrypt }}
+
+dashboard: {{ dashboard }}
+
+webapi:
+  domain: {{ domain }}
+  username: {{ webapi_username }}
+  password: {{ webapi_password }}
+
+ports:
+  http: {{ http_port }}
+
+dats: {{ dats }}

ansible/vars/all.yml

@@ -0,0 +1,11 @@
+---
+auto_letsencrypt: "false"
+dashboard: "false"
+dat_port: "3282"
+domain: "punkbase.autonomic.zone"
+http_mirror: "true"
+http_port: "8085"
+dat_root: "/root/.homebase"
+dats:
+  # https://sunbeam.city/@kawaiipunk/103883932490360099
+  - "dat://c403b7c92eb5e1b2c293425ee6623635be11211977787053e9797e94b958e6e0"

ansible/vars/ansible_become_pass.yml

@@ -0,0 +1,8 @@
+---
+ansible_become_pass: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  34396236353735666531323238656533643465303131663464613162396333313836363630666266
+  6539323631656635333864316166633064633366323936610a656137616334313534333635313232
+  35323561303763366563316631313638363333393763323935343563303963616334336639386462
+  3837383830616637360a373539613630356564363662393836366462666430353439353637303035
+  63396633303166343433313439303539313637306637663137313533316531616434

ansible/vars/webapi_password.yml

@@ -0,0 +1,9 @@
+---
+webapi_username: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  30383532356364623139396134326537353934386538386638353936633638613862363161333736
+  3661613834353137316538373130323035646531313061360a613335353563383366373362373338
+  37656461346137616433613234326633646330393433663135323635376566396264356230336662
+  6135313237303437340a343531333538376635393730383735616663383238376165393764656136
+  63303639613631613333636634653465383138623736383133333532343830396166393166613263
+  3163666132366235323262393135306133613333366132653434

ansible/vars/webapi_username.yml

@@ -0,0 +1,8 @@
+---
+webapi_username: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  61656131613735636330666533393534613664616134323564623939353738643937323666396334
+  3235363739643361303833646666616137333063316663660a613035656531306638386533363164
+  36643262666336306631363663623432623936643134333039373464333237323031303031383564
+  3964393437643238630a356364633334343366326338616664646133376332313330306339306139
+  3033

app.json

@@ -0,0 +1,5 @@
+{
+  "name": "homebase",
+  "description": "Self-deployable tool for seeding dat:// websites",
+  "repository": "https://git.autonomic.zone/autonomic-cooperative/homebase"
+}

requirements.txt

@@ -0,0 +1 @@
+ansible==2.9.6

sbin/encrypt.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -eu -o pipefail
+
+# Usage
+# ./encrypt.sh mysecretname mysecretvalue
+
+declare name="$1"
+declare secret="$2"
+
+ansible-vault \
+  encrypt_string \
+  --vault-password-file ansible/.vault.sh \
+  --name "$name" \
+  "$secret"