Documented zero-downtime deployment installation. Included SSL version of the...

Documented zero-downtime deployment installation. Included SSL version of the nginx configuration template as a sample. Removed old and unused nginx configuration templates. (On the server, fixed permissions for /etc/nginx/sites-available and deployed the new waystone.template — closes #55.)

__start-deployment-server

@@ -17,8 +17,8 @@ RUNNING="$(docker ps | grep waystone: | head -1 | awk '{ print $1 }')"
 
 # If there is an existing container running, kill it.
 if [ ! -z $RUNNING ]; then
-    echo "[DEPLOY] Killing container with ID '$RUNNING'"
-    docker kill $RUNNING
+	echo "[DEPLOY] Killing container with ID '$RUNNING'"
+	docker kill $RUNNING
 fi
 
 #
@@ -35,35 +35,35 @@ WAYSTONE_PORT=$(docker inspect -f '{{ .NetworkSettings.Ports }}' $ID | sed -e 's
 WAYSTONE_HOST="localhost"
 if [ ! -z $DOCKER_HOST ]
 then
-    WAYSTONE_HOST=`echo $DOCKER_HOST | sed -e 's#^tcp\://\(.*\):.*$#\1#'`
+	WAYSTONE_HOST=`echo $DOCKER_HOST | sed -e 's#^tcp\://\(.*\):.*$#\1#'`
 fi
 WAYSTONE="http://$WAYSTONE_HOST:$WAYSTONE_PORT"
 
 echo "[DEPLOY] Waystone running locally at $WAYSTONE"
 
-# Begin attempting to view waystone page
+# Begin attempting to view waystone page.
 for i in 1 2 3 4 5 6 7 8 9 10; do
-    # Make a HEAD request to waystone in order to see if it's up
-    echo "[DEPLOY] [ $i/10] Checking if Waystone has begun\c"
-    # Break if waystone responds with a non-zero request
-    curl -s --head "$WAYSTONE" >/dev/null && echo "\n[DEPLOY] Waystone Up" && break
-    sleep 1
-    echo "\r\c"
-    if [ "$i" -eq "10" ]; then
-        echo "\n[DEPLOY] Waystone didn’t start; exiting. Logs follow:"
-        docker logs $ID
-        exit 1
-    fi
+	# Make a HEAD request to waystone in order to see if it's up.
+	echo "[DEPLOY] [ $i/10] Checking if Waystone has begun\c"
+	# Break if waystone responds with a non-zero request
+	curl -s --head "$WAYSTONE" >/dev/null && echo "\n[DEPLOY] Waystone Up" && break
+	sleep 1
+	echo "\r\c"
+	if [ "$i" -eq "10" ]; then
+		echo "\n[DEPLOY] Waystone didn’t start; exiting. Logs follow:"
+		docker logs $ID
+		exit 1
+	fi
 done
 
-# If nginx is not present as expected then exit with zero status
+# If nginx is not present as expected then exit with zero status.
 if [ -f /etc/init.d/nginx ]; then
-    # Otherwise re-write and restart nginx
-    echo "[DEPLOY] Rewriting nginx config with new port"
-    # Write out new nginx template to default available site
-    echo $WAYSTONE_PORT | xargs -I{} sh -c "sed -e 's/SERVICE_ADDR/localhost:{}/' /home/git/default.conf.tmpl > /etc/nginx/sites-available/default" -- {}
+	# Otherwise re-write and restart nginx.
+	echo "[DEPLOY] Rewriting nginx config with new port."
+	# Write out new nginx template to default available site.
+	sudo echo $WAYSTONE_PORT | xargs -I{} sh -c "sed -e 's/SERVICE_ADDR/localhost:{}/' /home/git/waystone.template > /etc/nginx/sites-available/waystone" -- {}
 
-    # Send a reload to nginx
-    echo "[DEPLOY] Restarting nginx"
-    sudo /etc/init.d/nginx reload
+	# Reload nginx
+	echo "[DEPLOY] Restarting nginx."
+	sudo /etc/init.d/nginx reload
 fi

deploy-to-docker

 #!/bin/sh
 
-echo "[DEPLOY] BEGIN"
+echo "[DEPLOY] Started."
 
 # Create a flag that Waystone can use to tell that it’s
 # running on the deployment server.
@@ -15,11 +15,11 @@ docker build -t $TAG --no-cache . || exit 1
 echo "[DEPLOY] Running container from build '$TAG'"
 
 if [ ! -f config.json ]; then
-    cat << EOF > ./config.json
-    {
-        "PulseAPIKey":"",
-        "DeviceID":""
-    }
+	cat << EOF > ./config.json
+	{
+		"PulseAPIKey":"",
+		"DeviceID":""
+	}
 EOF
 fi
 

git-deployment/nginx-config/default

-##
-# You should look at the following URL's in order to grasp a solid understanding
-# of Nginx configuration files in order to fully unleash the power of Nginx.
-# http://wiki.nginx.org/Pitfalls
-# http://wiki.nginx.org/QuickStart
-# http://wiki.nginx.org/Configuration
-#
-# Generally, you will want to move this file somewhere, and start with a clean
-# file but keep this around for reference. Or just disable in sites-enabled.
-#
-# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
-##
-
-# Default server configuration
-#
-server {
-	listen 80 default_server;
-	listen [::]:80 default_server;
-
-	# SSL configuration
-	#
-	# listen 443 ssl default_server;
-	# listen [::]:443 ssl default_server;
-	#
-	# Self signed certs generated by the ssl-cert package
-	# Don't use them in a production server!
-	#
-	# include snippets/snakeoil.conf;
-
-	root /var/www/html;
-
-	# Add index.php to the list if you are using PHP
-	index index.html index.htm index.nginx-debian.html;
-
-	server_name _;
-
-	location / {
-		# First attempt to serve request as file, then
-		# as directory, then fall back to displaying a 404.
-		try_files $uri $uri/ =404;
-	}
-
-	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
-	#
-	#location ~ \.php$ {
-	#	include snippets/fastcgi-php.conf;
-	#
-	#	# With php5-cgi alone:
-	#	fastcgi_pass 127.0.0.1:9000;
-	#	# With php5-fpm:
-	#	fastcgi_pass unix:/var/run/php5-fpm.sock;
-	#}
-
-	# deny access to .htaccess files, if Apache's document root
-	# concurs with nginx's one
-	#
-	#location ~ /\.ht {
-	#	deny all;
-	#}
-}
-
-
-# Virtual Host configuration for example.com
-#
-# You can move that to a different file under sites-available/ and symlink that
-# to sites-enabled/ to enable it.
-#
-#server {
-#	listen 80;
-#	listen [::]:80;
-#
-#	server_name example.com;
-#
-#	root /var/www/example.com;
-#	index index.html;
-#
-#	location / {
-#		try_files $uri $uri/ =404;
-#	}
-#}
\ No newline at end of file

git-deployment/nginx-config/default.conf.tmpl

-server {
-    listen 80;
-
-    location / {
-        proxy_set_header    X-Real-IP         $remote_addr;
-        proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
-        proxy_pass http://SERVICE_ADDR;
-    }
-}
\ No newline at end of file

git-deployment/nginx-config/waystone.template

+##
+#
+# Waystone deployment server nginx configuration.
+#
+# Do not deploy Waystone without TLS. At the very least, the admin
+# routes use basic authentication with is not secure without TLS.
+# (Not to mention all the other reasons.)
+#
+# For help in setting up SSL with nginx, please see:
+# https://aralbalkan.com/scribbles/setting-up-ssl-with-nginx-using-a-namecheap-essentialssl-wildcard-certificate-on-digitalocean/
+#
+# Note that the service address (SERVICE_ADDR) is a template
+# variable that is updated automatically by the __start-deployment-server script.
+#
+# To install, move this script to /home/git and make sure that the git deployment user
+# on your server has privileges to access it and to write to /etc/nginx/sites-available/waystone
+# (These are used by the __start-deployment-server script for zero-downtime deployments.)
+#
+##
+
+server {
+	listen 80 default_server;
+	listen [::]:80 default_server ipv6only=on;
+	return 301 https://$host$request_uri;
+}
+
+server {
+	listen 443 ssl;
+	listen [::]:443 ssl ipv6only=on;
+
+	# Configure this for your own server.
+	server_name	waystone.ind.ie;
+
+	# Place your SSL certificate and private key at the default locations
+	# (or configure the settings, below.)
+	ssl on;
+	ssl_certificate /etc/nginx/ssl/waystone.crt;
+	ssl_certificate_key	/etc/nginx/ssl/waystone.key;
+
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+	# Add perfect forward secrecy
+	# Implement a unique Diffie Hellman Group
+	# (See https://weakdh.org/sysadmin.html for details on generating your own.)
+	ssl_dhparam /etc/nginx/ssl/dhparams.pem;
+
+	ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
+
+	ssl_ecdh_curve	secp521r1;
+
+	# Implement HSTS
+	ssl_prefer_server_ciphers	on;
+	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
+
+	location / {
+		proxy_set_header	X-Real-IP		$remote_addr;
+		proxy_set_header	X-Forwarded-For	$proxy_add_x_forwarded_for;
+
+		# We pass the service address dynamically from the Git post-commit hook.
+		proxy_pass http://SERVICE_ADDR
+	}
+}

git-deployment/readme.html

@@ -1014,9 +1014,15 @@ body .markdown-body
     page-break-after: avoid;
   }
 }
-</style><title>readme</title></head><body><article class="markdown-body"><h1 id="deployment-server-files"><a name="user-content-deployment-server-files" href="#deployment-server-files" class="headeranchor-link" aria-hidden="true"><span class="headeranchor"></span></a>Deployment server files</h1>
-<p>These files should be on the deployment server.</p>
-<ul>
-<li><code>default</code> and <code>default.conf.tmpl</code>: in <code>/home/git</code></li>
-<li><code>hooks/post-receive</code> in <code>/home/git/waystone.git/</code></li>
-</ul></article></body></html>
\ No newline at end of file
+</style><title>readme</title></head><body><article class="markdown-body"><h1 id="waystone-zero-downtime-deployments"><a name="user-content-waystone-zero-downtime-deployments" href="#waystone-zero-downtime-deployments" class="headeranchor-link" aria-hidden="true"><span class="headeranchor"></span></a>Waystone zero-downtime deployments</h1>
+<p>Unfortunately, it is currently a manual process to set up the server itself.</p>
+<h2 id="installation"><a name="user-content-installation" href="#installation" class="headeranchor-link" aria-hidden="true"><span class="headeranchor"></span></a>Installation</h2>
+<ol>
+<li>Create a deployment user (we’ll call ours <code>git</code>)</li>
+<li>Create a full git repository at <code>/home/git/waystone.git</code></li>
+<li>Copy <code>hooks/post-receive</code> to <code>/home/git/waystone.git/hooks</code></li>
+<li>Copy <code>nginx-config/waystone.template</code> to <code>/home/git</code></li>
+</ol>
+<h2 id="deploy"><a name="user-content-deploy" href="#deploy" class="headeranchor-link" aria-hidden="true"><span class="headeranchor"></span></a>Deploy</h2>
+<p>Run <code>./deploy</code></p>
+<p>In a nutshell, this will push to the <code>live</code> remote (as set up by the <code>./install</code> script). That will trigger the post-receive hook and that will result in the <code>deploy-to-docker</code> script being run. Finally, the <code>__start-deployment-server</code> will be run and it will do a zero-downtime switchover between the old Docker container and the new one.</p></article></body></html>
\ No newline at end of file

git-deployment/readme.md

-Deployment server files
-=======================
+# Waystone zero-downtime deployments
 
-These files should be on the deployment server.
+Unfortunately, it is currently a manual process to set up the server itself.
 
-  * ```default``` and ```default.conf.tmpl```: in ```/home/git```
-  * ```hooks/post-receive``` in ```/home/git/waystone.git/```
+## Installation
 
-  
\ No newline at end of file
+1. Create a deployment user (we’ll call ours `git`)
+2. Make sure the `git` user or the group they’re in has access to `/etc/nginx/sites-available` (e.g., `chown git /etc/nginx/sites-available`)
+2. Create a full git repository at `/home/git/waystone.git`
+3. Copy `hooks/post-receive` to `/home/git/waystone.git/hooks`
+4. Copy `nginx-config/waystone.template` to `/home/git`
+
+## Deploy
+
+Run `./deploy`
+
+In a nutshell, this will push to the `live` remote (as set up by the `./install` script). That will trigger the post-receive hook and that will result in the `deploy-to-docker` script being run. Finally, the `__start-deployment-server` will be run and it will do a zero-downtime switchover between the old Docker container and the new one.