From f88bd514f44e95d4cb4a97616491b1ee20cc1dcf Mon Sep 17 00:00:00 2001 From: Steven vanZyl Date: Sun, 17 Jan 2021 17:20:54 -0500 Subject: [PATCH 1/2] Docker Compose and Caddyfile Wrote an intial docker-compose.yml file for future deployments, and updated the README and roles files to go with it. Removed the postgrest.conf file since PostgREST is now configured through environment variables in the compose file. Renamed the postgrest folder to "examples" since it now just contains the client example. --- README.md | 22 ++++---- config/Caddyfile | 26 ++++++++++ db/migrations/20210117194733_create_roles.sql | 2 +- docker-file.yml | 52 +++++++++++++++++++ {postgrest => examples}/example_client.py | 0 postgrest/postgrest.conf | 5 -- 6 files changed, 91 insertions(+), 16 deletions(-) create mode 100644 config/Caddyfile create mode 100644 docker-file.yml rename {postgrest => examples}/example_client.py (100%) delete mode 100644 postgrest/postgrest.conf diff --git a/README.md b/README.md index 517aa88..1508c9b 100644 --- a/README.md +++ b/README.md @@ -19,13 +19,15 @@ allows access to some resources when unauthenticated for public access, and allows full access to all resources when authenticated. RCOS infrastructure cannot connect to the database directly but must interact through this API. -## Setup - -TODO DbMate docs - -## Postgrest Deployment - -1. Copy and modify `postgrest.conf` -2. Run Postgrest with the .conf file - -TODO docker-compose stuff +## Deployment + +1. Replace the `` and `` placeholders in + `docker-compose.yml` and the [roles migration + file](./db/migrations/20210117194733_create_roles.sql) with secure passwords. +2. Run `docker-compose up -d` to start everything. +3. Use [DbMate](https://github.com/amacneil/dbmate) to apply the migations + `dbmate up`. + +## TODO +-[ ] Wiki config and DB setup +-[ ] Observatory container and Caddy rules diff --git a/config/Caddyfile b/config/Caddyfile new file mode 100644 index 0000000..a055f20 --- /dev/null 
+++ b/config/Caddyfile @@ -0,0 +1,26 @@ +{ email rcos.management@gmail.com } + +rcos.io { + # TODO Observatory +} + +api.rcos.io { + encode zstd gzip + log { output discard } + + # Must be the same as BASE_URL in the compose file + handle_path /swagger/* { + reverse_proxy swagger:8080 + } + + handle_path /* { + reverse_proxy postgrest:3000 + } +} + +wiki.rcos.io { + encode zstd gzip + log { output discard } + + reverse_proxy wikijs:3000 +} diff --git a/db/migrations/20210117194733_create_roles.sql b/db/migrations/20210117194733_create_roles.sql index a0ab200..07b9193 100644 --- a/db/migrations/20210117194733_create_roles.sql +++ b/db/migrations/20210117194733_create_roles.sql @@ -16,7 +16,7 @@ GRANT ALL ON ALL TABLES IN SCHEMA public TO api_user; GRANT ALL ON ALL sequences IN SCHEMA public TO api_user; -- Create user that can be logged in for the API -CREATE ROLE authenticator NOINHERIT LOGIN PASSWORD ''; -- MAKE SURE TO CHANGE THIS +CREATE ROLE authenticator NOINHERIT LOGIN PASSWORD ''; -- MAKE SURE TO CHANGE THIS GRANT web_anon TO authenticator; -- migrate:down diff --git a/docker-file.yml b/docker-file.yml new file mode 100644 index 0000000..aabe669 --- /dev/null +++ b/docker-file.yml 
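Review bot: The authenticator password is still a literal inside a tracked migration (`CREATE ROLE authenticator NOINHERIT LOGIN PASSWORD ''`), and the README now tells operators to edit this committed file, so the real credential lands in the working tree and is one careless `git add` away from history. Create the role without a password in the migration, `CREATE ROLE authenticator NOINHERIT LOGIN;`, and have the operator set it out of band with `ALTER ROLE authenticator WITH PASSWORD '<password placeholder>';` (or pass it as a psql variable), so the migration stays secret-free. The quotes appear empty in this rendering, which may be an artifact of how the patch was extracted; if they really are empty, the role is created with an empty password until someone remembers to change it. The `migrate:down` section of this migration continues outside the hunk.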
@@ -0,0 +1,52 @@ +version: '3.8' +services: + postgres: + image: postgres:12 + restart: unless-stopped + volumes: + - db_data:/var/lib/postgresql/data + environment: + POSTGRES_PASSWORD: + + postgrest: + image: postgrest/postgrest:v7 + depends_on: + - postgres + restart: unless-stopped + environment: + PGRST_DB_URI: postgres://authenticator:@postgres:5432/rcos + PGRST_DB_SCHEMA: public + PGRST_DB_ANON_ROLE: web_anon + + swagger: + image: swaggerapi/swagger-ui:v3 + depends_on: + - postgrest + restart: unless-stopped + environment: + URL: / + BASE_URL: /swagger + + wikijs: + image: requarks/wiki:2 + depends_on: + - postgres + restart: unless-stopped + environment: + DB_TYPE: postgres + DB_HOST: postgres + DB_PORT: 5432 + DB_USER: authenticator + DB_PASS: + DB_NAME: wiki + + caddy: + image: caddy:2 + restart: unless-stopped + volumes: + - config/Caddyfile:/etc/caddy/Caddyfile + - caddy_data:/data + +volumes: + db_data: + caddy_data: diff --git a/postgrest/example_client.py b/examples/example_client.py similarity index 100% rename from postgrest/example_client.py rename to examples/example_client.py diff --git a/postgrest/postgrest.conf b/postgrest/postgrest.conf deleted file mode 100644 index 7db3aae..0000000 --- a/postgrest/postgrest.conf +++ /dev/null @@ -1,5 +0,0 @@ -# TODO replace this file with environment variables in a docker-compose -db-uri = "postgres://authenticator:@localhost:5433/authenticator" -db-schema = "public" -db-anon-role = "web_anon" -jwt-secret = "<32+ character long password>" From e5ac14a971c33a5e5d077beb488ce4428f654404 Mon Sep 17 00:00:00 2001 
From: Steven vanZyl Date: Tue, 19 Jan 2021 17:35:06 -0500 Subject: [PATCH 2/2] update with things that work on the server --- README.md | 4 -- config/Caddyfile | 26 +++++---- config/wiki.yml | 129 +++++++++++++++++++++++++++++++++++++++++++++ docker-compose.yml | 32 +++++++++++ docker-file.yml | 52 ------------------ 5 files changed, 177 insertions(+), 66 deletions(-) create mode 100644 config/wiki.yml create mode 100644 docker-compose.yml delete mode 100644 docker-file.yml diff --git a/README.md b/README.md index 1508c9b..1f8ff89 100644 --- a/README.md +++ b/README.md @@ -27,7 +27,3 @@ cannot connect to the database directly but must interact through this API. 2. Run `docker-compose up -d` to start everything. 3. Use [DbMate](https://github.com/amacneil/dbmate) to apply the migations `dbmate up`. - -## TODO --[ ] Wiki config and DB setup --[ ] Observatory container and Caddy rules diff --git a/config/Caddyfile b/config/Caddyfile index a055f20..bd1bd15 100644 --- a/config/Caddyfile +++ b/config/Caddyfile @@ -1,21 +1,27 @@ -{ email rcos.management@gmail.com } +{ + email rcos.management@gmail.com +} + +rcos.io, www.rcos.io { + encode zstd gzip + log { output discard } -rcos.io { - # TODO Observatory + # TODO Observatory/Telescope + respond "Hello, world!" } api.rcos.io { encode zstd gzip log { output discard } - # Must be the same as BASE_URL in the compose file - handle_path /swagger/* { - reverse_proxy swagger:8080 - } + reverse_proxy postgrest:3000 +} + +swagger.rcos.io { + encode zstd gzip + log { output discard } - handle_path /* { - reverse_proxy postgrest:3000 - } + reverse_proxy swagger:8080 } wiki.rcos.io { diff --git a/config/wiki.yml b/config/wiki.yml new file mode 100644 index 0000000..1081c9a --- /dev/null +++ b/config/wiki.yml 
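Review bot: `log { output discard }` in the api.rcos.io, swagger.rcos.io and wiki.rcos.io blocks throws away every access log, so the API and the wiki — the surfaces that accept credentials — leave no request trail for incident response or abuse detection. Write the logs to a file instead, e.g. `log { output file /var/log/caddy/access.log }`, and mount that path as a volume in the compose file so it survives container restarts; the file output in Caddy 2 supports `roll_size` and `roll_keep` for rotation — confirm the exact options against the docs for the pinned `caddy:2` image. The `wiki.rcos.io` block at the end of the file continues past the end of the hunk.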
@@ -0,0 +1,129 @@ +####################################################################### +# Wiki.js - CONFIGURATION # +####################################################################### +# Full documentation + examples: +# https://docs.requarks.io/install + +# --------------------------------------------------------------------- +# Port the server should listen to +# --------------------------------------------------------------------- + +port: 3000 + +# --------------------------------------------------------------------- +# Database +# --------------------------------------------------------------------- +# Supported Database Engines: +# - postgres = PostgreSQL 9.5 or later +# - mysql = MySQL 8.0 or later (5.7.8 partially supported, refer to docs) +# - mariadb = MariaDB 10.2.7 or later +# - mssql = MS SQL Server 2012 or later +# - sqlite = SQLite 3.9 or later + +db: + type: postgres + + # PostgreSQL / MySQL / MariaDB / MS SQL Server only: + host: private-rcos-db-do-user-8558031-0.b.db.ondigitalocean.com + port: 25060 + user: wiki + pass: + db: wiki + ssl: true + + # Optional - PostgreSQL / MySQL / MariaDB only: + # -> Uncomment lines you need below and set `auto` to false + # -> Full list of accepted options: https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options + sslOptions: + auto: false + # rejectUnauthorized: false + ca: /wiki/db-cert.crt + # cert: path/to/cert.crt + # key: path/to/key.pem + # pfx: path/to/cert.pfx + # passphrase: xyz123 + + # SQLite only: + # storage: path/to/database.sqlite + +####################################################################### +# ADVANCED OPTIONS # +####################################################################### +# Do not change unless you know what you are doing! + +# --------------------------------------------------------------------- +# SSL/TLS Settings +# --------------------------------------------------------------------- +# Consider using a reverse proxy (e.g. 
nginx) if you require more +# advanced options than those provided below. + +ssl: + enabled: false + port: 3443 + + # Provider to use, possible values: custom, letsencrypt + provider: custom + + # ++++++ For custom only ++++++ + # Certificate format, either 'pem' or 'pfx': + format: pem + # Using PEM format: + key: path/to/key.pem + cert: path/to/cert.pem + # Using PFX format: + pfx: path/to/cert.pfx + # Passphrase when using encrypted PEM / PFX keys (default: null): + passphrase: null + # Diffie Hellman parameters, with key length being greater or equal + # to 1024 bits (default: null): + dhparam: null + + # ++++++ For letsencrypt only ++++++ + domain: wiki.yourdomain.com + subscriberEmail: admin@example.com + +# --------------------------------------------------------------------- +# Database Pool Options +# --------------------------------------------------------------------- +# Refer to https://github.com/vincit/tarn.js for all possible options + +pool: + # min: 2 + # max: 10 + +# --------------------------------------------------------------------- +# IP address the server should listen to +# --------------------------------------------------------------------- +# Leave 0.0.0.0 for all interfaces + +bindIP: 0.0.0.0 + +# --------------------------------------------------------------------- +# Log Level +# --------------------------------------------------------------------- +# Possible values: error, warn, info (default), verbose, debug, silly + +logLevel: info + +# --------------------------------------------------------------------- +# Offline Mode +# --------------------------------------------------------------------- +# If your server cannot access the internet. Set to true and manually +# download the offline files for sideloading. 
+ +offline: false + +# --------------------------------------------------------------------- +# High-Availability +# --------------------------------------------------------------------- +# Set to true if you have multiple concurrent instances running off the +# same DB (e.g. Kubernetes pods / load balanced instances). Leave false +# otherwise. You MUST be using PostgreSQL to use this feature. + +ha: false + +# --------------------------------------------------------------------- +# Data Path +# --------------------------------------------------------------------- +# Writeable data path used for cache and temporary user uploads. +dataPath: ./data diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..462bb5d --- /dev/null +++ b/docker-compose.yml @@ -0,0 +1,32 @@ +version: '3' +services: + postgrest: + image: postgrest/postgrest:v7.0.1 + restart: unless-stopped + environment: + PGRST_DB_URI: + PGRST_DB_SCHEMA: public + PGRST_DB_ANON_ROLE: web_anon + + swagger: + image: swaggerapi/swagger-ui:v3.40.0 + restart: unless-stopped + environment: + URL: api.rcos.io + + wikijs: + image: requarks/wiki:2 + restart: unless-stopped + volumes: + - /home/rcos/config/wiki.yml:/wiki/config.yml + - /home/rcos/config/db-cert.crt:/wiki/db-cert.crt + + caddy: + image: caddy:2 + restart: unless-stopped + volumes: + - /home/rcos/config/Caddyfile:/etc/caddy/Caddyfile + - caddy_data:/data + +volumes: + caddy_data: diff --git a/docker-file.yml b/docker-file.yml deleted file mode 100644 index aabe669..0000000 --- a/docker-file.yml +++ /dev/null 
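Review bot: `pass:` under `db:` has no value, which YAML reads as null rather than an empty string; if a placeholder was lost here the Wiki.js database login will fail with a confusing error, and once a real password is filled in it should be single-quoted (`pass: '…'`) because values like `NO`, `0644` or anything containing `: ` or ` #` are retyped or truncated by the parser. The bare `pool:` key has only commented-out children and so also parses as null — the upstream sample appears to ship it that way, but `pool: {}` states the intent explicitly. Because docker-compose.yml mounts this file from /home/rcos/config, the real password should exist only in the server-side copy; a comment above the key such as `# pass is filled in on the server copy only; never commit a real value` makes that rule visible to the next maintainer. Pinning `ca: /wiki/db-cert.crt` with `auto: false` is the right call for the managed database over TLS.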
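Review bot: No `PGRST_JWT_SECRET` is set for the postgrest service, while the postgrest.conf removed in the first patch carried `jwt-secret`; without it PostgREST cannot validate tokens, so the authenticated path the README describes is unavailable (requests carrying a JWT are rejected or treated as anonymous depending on the version — verify against v7.0.1). Add `PGRST_JWT_SECRET: '<secret placeholder, 32+ chars, supplied on the server>'` next to `PGRST_DB_URI`, and quote `PGRST_DB_URI` itself, which is currently bare and therefore null — a connection string whose password contains `: ` or ` #` would also be mangled unquoted. The swagger service's `URL: api.rcos.io` has no scheme, so Swagger UI will most likely fetch it relative to its own page (`https://swagger.rcos.io/api.rcos.io`) rather than the API root; `URL: https://api.rcos.io/` is presumably what is meant. The caddy service also publishes no ports (`ports: ["80:80", "443:443"]` or equivalent), so unless the host runs it in another network mode nothing outside the compose network reaches the proxy — possibly an omission in what "works on the server".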
@@ -1,52 +0,0 @@ -version: '3.8' -services: - postgres: - image: postgres:12 - restart: unless-stopped - volumes: - - db_data:/var/lib/postgresql/data - environment: - POSTGRES_PASSWORD: - - postgrest: - image: postgrest/postgrest:v7 - depends_on: - - postgres - restart: unless-stopped - environment: - PGRST_DB_URI: postgres://authenticator:@postgres:5432/rcos - PGRST_DB_SCHEMA: public - PGRST_DB_ANON_ROLE: web_anon - - swagger: - image: swaggerapi/swagger-ui:v3 - depends_on: - - postgrest - restart: unless-stopped - environment: - URL: / - BASE_URL: /swagger - - wikijs: - image: requarks/wiki:2 - depends_on: - - postgres - restart: unless-stopped - environment: - DB_TYPE: postgres - DB_HOST: postgres - DB_PORT: 5432 - DB_USER: authenticator - DB_PASS: - DB_NAME: wiki - - caddy: - image: caddy:2 - restart: unless-stopped - volumes: - - config/Caddyfile:/etc/caddy/Caddyfile - - caddy_data:/data - -volumes: - db_data: - caddy_data: