diff --git a/README.md b/README.md
index 517aa88..1f8ff89 100644
--- a/README.md
+++ b/README.md
@@ -19,13 +19,11 @@ allows access to some resources when unauthenticated for public access, and allows full access to all resources when authenticated. RCOS infrastructure cannot connect to the database directly but must interact through this API.
-## Setup
-
-TODO DbMate docs
-
-## Postgrest Deployment
-
-1. Copy and modify `postgrest.conf`
-2. Run Postgrest with the .conf file
-
-TODO docker-compose stuff
+## Deployment
+
+1. Replace the `` and `` placeholders in
+ `docker-compose.yml` and the [roles migration
+ file](./db/migrations/20210117194733_create_roles.sql) with secure passwords.
+2. Run `docker-compose up -d` to start everything.
+3. Use [DbMate](https://github.com/amacneil/dbmate) to apply the migations
+ `dbmate up`.
diff --git a/config/Caddyfile b/config/Caddyfile
new file mode 100644
index 0000000..bd1bd15
--- /dev/null
+++ b/config/Caddyfile
@@ -0,0 +1,32 @@
+{
+ email rcos.management@gmail.com
+}
+
+rcos.io, www.rcos.io {
+ encode zstd gzip
+ log { output discard }
+
+ # TODO Observatory/Telescope
+ respond "Hello, world!"
+}
+
+api.rcos.io {
+ encode zstd gzip
+ log { output discard }
+
+ reverse_proxy postgrest:3000
+}
+
+swagger.rcos.io {
+ encode zstd gzip
+ log { output discard }
+
+ reverse_proxy swagger:8080
+}
+
+wiki.rcos.io {
+ encode zstd gzip
+ log { output discard }
+
+ reverse_proxy wikijs:3000
+}
diff --git a/config/wiki.yml b/config/wiki.yml
new file mode 100644
index 0000000..1081c9a
--- /dev/null
+++ b/config/wiki.yml
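Review bot: Every site block in the new Caddyfile sets `log { output discard }`, so Caddy keeps no access log for api.rcos.io, swagger.rcos.io or wiki.rcos.io; the API and the wiki are exactly the surfaces where request logs are needed to troubleshoot and to notice abuse after the fact, and discarding them leaves nothing to look at later. A bare `log` directive writes JSON access logs to stderr, which `docker logs` and the host's log driver already collect, so the change is `log` in place of `log { output discard }` in at least the `api.rcos.io` and `wiki.rcos.io` blocks. If the intent was only to silence the placeholder landing page, keep the discard on `rcos.io, www.rcos.io` and drop it elsewhere.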
@@ -0,0 +1,129 @@ +####################################################################### +# Wiki.js - CONFIGURATION # +####################################################################### +# Full documentation + examples: +# https://docs.requarks.io/install + +# --------------------------------------------------------------------- +# Port the server should listen to +# --------------------------------------------------------------------- + +port: 3000 + +# --------------------------------------------------------------------- +# Database +# --------------------------------------------------------------------- +# Supported Database Engines: +# - postgres = PostgreSQL 9.5 or later +# - mysql = MySQL 8.0 or later (5.7.8 partially supported, refer to docs) +# - mariadb = MariaDB 10.2.7 or later +# - mssql = MS SQL Server 2012 or later +# - sqlite = SQLite 3.9 or later + +db: + type: postgres + + # PostgreSQL / MySQL / MariaDB / MS SQL Server only: + host: private-rcos-db-do-user-8558031-0.b.db.ondigitalocean.com + port: 25060 + user: wiki + pass: + db: wiki + ssl: true + + # Optional - PostgreSQL / MySQL / MariaDB only: + # -> Uncomment lines you need below and set `auto` to false + # -> Full list of accepted options: https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options + sslOptions: + auto: false + # rejectUnauthorized: false + ca: /wiki/db-cert.crt + # cert: path/to/cert.crt + # key: path/to/key.pem + # pfx: path/to/cert.pfx + # passphrase: xyz123 + + # SQLite only: + # storage: path/to/database.sqlite + +####################################################################### +# ADVANCED OPTIONS # +####################################################################### +# Do not change unless you know what you are doing! + +# --------------------------------------------------------------------- +# SSL/TLS Settings +# --------------------------------------------------------------------- +# Consider using a reverse proxy (e.g. 
nginx) if you require more +# advanced options than those provided below. + +ssl: + enabled: false + port: 3443 + + # Provider to use, possible values: custom, letsencrypt + provider: custom + + # ++++++ For custom only ++++++ + # Certificate format, either 'pem' or 'pfx': + format: pem + # Using PEM format: + key: path/to/key.pem + cert: path/to/cert.pem + # Using PFX format: + pfx: path/to/cert.pfx + # Passphrase when using encrypted PEM / PFX keys (default: null): + passphrase: null + # Diffie Hellman parameters, with key length being greater or equal + # to 1024 bits (default: null): + dhparam: null + + # ++++++ For letsencrypt only ++++++ + domain: wiki.yourdomain.com + subscriberEmail: admin@example.com + +# --------------------------------------------------------------------- +# Database Pool Options +# --------------------------------------------------------------------- +# Refer to https://github.com/vincit/tarn.js for all possible options + +pool: + # min: 2 + # max: 10 + +# --------------------------------------------------------------------- +# IP address the server should listen to +# --------------------------------------------------------------------- +# Leave 0.0.0.0 for all interfaces + +bindIP: 0.0.0.0 + +# --------------------------------------------------------------------- +# Log Level +# --------------------------------------------------------------------- +# Possible values: error, warn, info (default), verbose, debug, silly + +logLevel: info + +# --------------------------------------------------------------------- +# Offline Mode +# --------------------------------------------------------------------- +# If your server cannot access the internet. Set to true and manually +# download the offline files for sideloading. 
+
+offline: false
+
+# ---------------------------------------------------------------------
+# High-Availability
+# ---------------------------------------------------------------------
+# Set to true if you have multiple concurrent instances running off the
+# same DB (e.g. Kubernetes pods / load balanced instances). Leave false
+# otherwise. You MUST be using PostgreSQL to use this feature.
+
+ha: false
+
+# ---------------------------------------------------------------------
+# Data Path
+# ---------------------------------------------------------------------
+# Writeable data path used for cache and temporary user uploads.
+dataPath: ./data
diff --git a/db/migrations/20210117194733_create_roles.sql b/db/migrations/20210117194733_create_roles.sql
index a0ab200..07b9193 100644
--- a/db/migrations/20210117194733_create_roles.sql
+++ b/db/migrations/20210117194733_create_roles.sql
@@ -16,7 +16,7 @@ GRANT ALL ON ALL TABLES IN SCHEMA public TO api_user;
 GRANT ALL ON ALL sequences IN SCHEMA public TO api_user;
 -- Create user that can be logged in for the API
-CREATE ROLE authenticator NOINHERIT LOGIN PASSWORD ''; -- MAKE SURE TO CHANGE THIS
+CREATE ROLE authenticator NOINHERIT LOGIN PASSWORD ''; -- MAKE SURE TO CHANGE THIS
 GRANT web_anon TO authenticator;
 -- migrate:down
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..462bb5d
--- /dev/null
+++ b/docker-compose.yml
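Review bot: `pass:` under `db:` near the top of this hunk is a bare empty value (it parses as null), and the README's deployment step names only docker-compose.yml and the roles migration as places to fill in, so either the wiki's database password is missing or it is meant to be typed into this tracked config file; if a placeholder was stripped from this view, the second reading still holds. Wiki.js resolves `$(NAME)` references in config.yml from the process environment, so `pass: $(WIKI_DB_PASS)` with the variable supplied by the compose service keeps the credential out of the committed file (the host and port above it are not secrets and can stay). The hunk leaves `# rejectUnauthorized: false` commented out, which is right given `ssl: true` and `ca: /wiki/db-cert.crt`; a comment on that line such as `# keep disabled: the server cert is verified against the CA file above` would stop someone uncommenting it to "fix" a connection error. The hunk is the whole new file, so no enclosing block is cut.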
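Review bot: The only change on the `CREATE ROLE authenticator` line is the literal inside `PASSWORD ''` (not legible in this view), and the README now tells operators to edit this tracked migration with the real password before running `dbmate up`; a migration edited that way is one `git add` away from committing the credential, and the `-- MAKE SURE TO CHANGE THIS` comment is the only safeguard. Creating the login role without a password in the migration and setting it out of band keeps the secret out of version control: `CREATE ROLE authenticator NOINHERIT LOGIN;` here, then `ALTER ROLE authenticator WITH PASSWORD '...';` run once by the operator (or `\password authenticator` in psql). The `-- migrate:down` section continues outside the hunk.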
@@ -0,0 +1,32 @@
+version: '3'
+services:
+ postgrest:
+ image: postgrest/postgrest:v7.0.1
+ restart: unless-stopped
+ environment:
+ PGRST_DB_URI:
+ PGRST_DB_SCHEMA: public
+ PGRST_DB_ANON_ROLE: web_anon
+
+ swagger:
+ image: swaggerapi/swagger-ui:v3.40.0
+ restart: unless-stopped
+ environment:
+ URL: api.rcos.io
+
+ wikijs:
+ image: requarks/wiki:2
+ restart: unless-stopped
+ volumes:
+ - /home/rcos/config/wiki.yml:/wiki/config.yml
+ - /home/rcos/config/db-cert.crt:/wiki/db-cert.crt
+
+ caddy:
+ image: caddy:2
+ restart: unless-stopped
+ volumes:
+ - /home/rcos/config/Caddyfile:/etc/caddy/Caddyfile
+ - caddy_data:/data
+
+volumes:
+ caddy_data:
diff --git a/postgrest/example_client.py b/examples/example_client.py
similarity index 100%
rename from postgrest/example_client.py
rename to examples/example_client.py
diff --git a/postgrest/postgrest.conf b/postgrest/postgrest.conf
deleted file mode 100644
index 7db3aae..0000000
--- a/postgrest/postgrest.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# TODO replace this file with environment variables in a docker-compose
-db-uri = "postgres://authenticator:@localhost:5433/authenticator"
-db-schema = "public"
-db-anon-role = "web_anon"
-jwt-secret = "<32+ character long password>"
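Review bot: The `postgrest` service's `environment` has no `PGRST_JWT_SECRET`, while the deleted `postgrest/postgrest.conf` in the last hunk did set `jwt-secret`; without it PostgREST cannot verify any bearer token, so only the anonymous `web_anon` path works and the authenticated full-access behaviour the README describes is lost by this move. The `caddy` service publishes no ports, so unless compose is run with a different network setup on the host, nothing outside the Docker network reaches the reverse proxy and the ACME challenges for the `email` block in the Caddyfile cannot complete; `ports:` with `"80:80"` and `"443:443"` is the usual fix. `PGRST_DB_URI:` is a bare empty value in this view and the README asks for the real connection string, password included, to be pasted into this tracked file; compose interpolates `${VAR}` from a `.env` beside the file, so referencing both secrets that way and git-ignoring `.env` keeps them out of the repository. The swagger `URL: api.rcos.io` has no scheme; swagger-ui appears to treat `URL` as the spec location it fetches, so this likely needs `https://api.rcos.io/` — worth confirming in a browser once deployed.
```yaml
services:
  postgrest:
    image: postgrest/postgrest:v7.0.1
    restart: unless-stopped
    environment:
      # both secrets come from a git-ignored .env via compose interpolation
      PGRST_DB_URI: "${PGRST_DB_URI}"
      PGRST_DB_SCHEMA: public
      PGRST_DB_ANON_ROLE: web_anon
      PGRST_JWT_SECRET: "${PGRST_JWT_SECRET}"
  # … unchanged: swagger, wikijs …
  caddy:
    image: caddy:2
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    # … unchanged: volumes …
```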