prod: lots of little hacks to get things working on the prod server

2 years ago · b0384cf554
parent da94dbd1d5
commit b0384cf554
14 changed files with 85 additions and 72 deletions
--- a/6
+++ b/6
@ -41,6 +41,8 @@ mastodon-streaming-shell:
 	$(DOCKER) exec mastodon-streaming bash
 matrix-shell:
 	$(DOCKER) exec matrix-synapse bash
+nextcloud-shell:
+	$(DOCKER) exec nextcloud bash
 matrix-logs:
 	$(DOCKER) logs -f matrix-synapse
 nextcloud-logs:
@ -67,7 +69,7 @@ data/%/secrets:
 	echo >>$@ "export $(GET_MODULE)_SESSION_SECRET=$(call RAND,20)"

 keycloak-setup: secrets-setup
-	$(DOCKER) run keycloak-setup
+	docker exec keycloak /setup.sh

 certbot:
 	$(DOCKER) \
@ -88,6 +90,8 @@ certbot:

 nginx-reload:
 	$(DOCKER) restart nginx
+nextcloud-restart:
+	$(DOCKER) restart nextcloud


 config:
--- a/env.production
+++ b/env.production
@ -1,6 +1,6 @@
 # Fill in with your top-level domain name and desired OAUTH realm name
-DOMAIN_NAME=dev.v.st
-REALM=hackerspace
+DOMAIN_NAME=v.st
+REALM=voidstar

 # Fill in with your SMTP server, if you have one
 SMTP_SERVER=
--- a/grafana.yaml
+++ b/grafana.yaml
@ -36,8 +36,7 @@ services:
      - ./grafana/nginx.conf:/etc/nginx/templates/grafana.conf.template:ro

  # add the grafana client secrets to the keycloak-setup volume
-  keycloak-setup:
-    env_file:
-      - data/grafana/secrets
+  keycloak:
    volumes:
      - ./grafana/keycloak.sh:/keycloak-setup/grafana.sh:ro
+      - ./data/grafana/secrets:/run/secrets/grafana:ro
--- a/hedgedoc.yaml
+++ b/hedgedoc.yaml
@ -1,4 +1,4 @@
-version: '3.9'
+version: '3'
 services:
  hedgedoc-db:
    image: postgres:13.4-alpine
@ -35,7 +35,7 @@ services:
      - CMD_OAUTH2_CLIENT_SECRET=${HEDGEDOC_CLIENT_SECRET}
      - CMD_SESSION_SECRET=${HEDGEDOC_SESSION_SECRET}
    env_file:
-      - env.production
+      - ./env.production
    volumes:
      - ./data/hedgedoc/uploads:/hedgedoc/public/uploads
        #    ports:
@ -51,8 +51,7 @@ services:
      - ./hedgedoc/nginx.conf:/etc/nginx/templates/hedgedoc.conf.template:ro

  # add the hedgedoc client secrets to the keycloak-setup volume
-  keycloak-setup:
-    env_file:
-      - data/hedgedoc/secrets
+  keycloak:
    volumes:
      - ./hedgedoc/keycloak.sh:/keycloak-setup/hedgedoc.sh:ro
+      - ./data/hedgedoc/secrets:/run/secrets/hedgedoc:ro
--- a/keycloak.yaml
+++ b/keycloak.yaml
@ -1,4 +1,4 @@
-version: '3.9'
+version: '3'
 services:
  keycloak-db:
      image: mysql:5.7
@ -13,7 +13,7 @@ services:
        MYSQL_PASSWORD: password

  keycloak:
-      image: quay.io/keycloak/keycloak:18.0.0
+      image: quay.io/keycloak/keycloak:18.0
      restart: always
      container_name: keycloak
      entrypoint: /opt/keycloak/bin/kc.sh start --hostname="$${KEYCLOAK_HOSTNAME}.$${DOMAIN_NAME}" --proxy=edge
@ -23,9 +23,6 @@ services:
 #        timeout: 10s
 #        retries: 3
      user: "0:0" # otherwise the persistent data directory is not writable
-      env_file:
-        - env.production
-        - data/keycloak/secrets
      environment:
        DB_VENDOR: MYSQL
        DB_ADDR: keycloak-db
@ -33,35 +30,20 @@ services:
        DB_USER: keycloak
        DB_PASSWORD: password
        KEYCLOAK_ADMIN: admin
-        KEYCLOAK_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
+        KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
        PROXY_ADDRESS_FORWARDING: 'true'
-        # KEYCLOAK_ADMIN_PASSWORD is set in env.secrets
+      env_file:
+        - ./env.production
      volumes:
        - ./data/keycloak/certs:/etc/x509/https
        - ./data/keycloak/keycloak:/opt/keycloak/data
+        - ./keycloak/client-create:/bin/client-create:ro
+        - ./keycloak/entrypoint-setup.sh:/setup.sh:ro
+        - ./keycloak/mail-setup.sh:/keycloak-setup/mail-setup.sh:ro
+        - ./data/keycloak/secrets:/run/secrets/keycloak-secrets:ro
      depends_on:
        - keycloak-db

-  # all of the various subdomains can install files in
-  # /keycloak-setup/ to be executed during the setup phase
-  # to enable their clients using the client-create tool
-  keycloak-setup:
-        image: quay.io/keycloak/keycloak:18.0.0
-        container_name: keycloak-setup
-        profiles:
-          - setup
-        depends_on:
-          - keycloak
-        restart: never
-        env_file:
-          - env.production
-          - data/keycloak/secrets
-        entrypoint: /entrypoint.sh
-        volumes:
-          - ./keycloak/entrypoint-setup.sh:/entrypoint.sh:ro
-          - ./keycloak/mail-setup.sh:/keycloak-setup/mail-setup.sh:ro
-          - ./keycloak/client-create:/bin/client-create:ro
-
  # add the keycloak nginx configuration into the nginx volume
  nginx:
    volumes:
--- a/keycloak/entrypoint-setup.sh
+++ b/keycloak/entrypoint-setup.sh
@ -1,7 +1,11 @@
-#!/bin/bash
+#!/bin/bash -x

 export PATH=/opt/keycloak/bin:$PATH

+for file in /run/secrets/* ; do
+	. "$file"
+done
+
 # perform an authentication as admin so that all other scripts can
 # use the cached credentials

@ -13,6 +17,15 @@ kcadm.sh \
 	--realm master \
 || exit 1

+if ! kcadm.sh get realms/$REALM ; then
+	echo >&2 "***** Creating realm $REALM"
+	kcadm.sh \
+		create realms \
+		-s "realm=$REALM" \
+		-s enabled=true \
+	|| exit 1
+fi
+
 for file in /keycloak-setup/* ; do
 	echo >&2 "$file: running setup"
 	$file || exit 1
--- a/mastodon.yaml
+++ b/mastodon.yaml
@ -11,12 +11,14 @@ services:
      test: ['CMD', 'pg_isready', '-U', "mastodon", "-d", "mastodon_production"]
    volumes:
      - ./data/mastodon/database:/var/lib/postgresql/data
+      - ../prod.dump:/prod.dump:ro
    environment:
      - POSTGRES_USER=mastodon
      - POSTGRES_PASSWORD=mastodon
-        #- POSTGRES_DB=mastodon_production
+      - POSTGRES_DB=mastodon_production
    env_file:
-      - mastodon/env.production
+      - ./env.production
+      - ./mastodon/env.production

  mastodon-redis:
    image: redis:6-alpine
@ -27,7 +29,8 @@ services:
    healthcheck:
      test: ['CMD', 'redis-cli', 'ping']
    env_file:
-      - mastodon/env.production
+      - ./env.production
+      - ./mastodon/env.production
    volumes:
      - ./data/mastodon/redis:/data

@ -41,7 +44,8 @@ services:
      - "discovery.type=single-node"
      - "bootstrap.memory_lock=true"
    env_file:
-      - mastodon/env.production
+      - ./env.production
+      - ./mastodon/env.production
 #    networks:
 #       - internal_network
    healthcheck:
@ -78,7 +82,8 @@ services:
      - ./data/mastodon/system:/mastodon/public/system
      - ./mastodon/entrypoint.sh:/entrypoint.sh:ro
    env_file:
-      - mastodon/env.production
+      - ./env.production
+      - ./mastodon/env.production
    environment:
      - WEB_DOMAIN=$MASTODON_HOSTNAME.$DOMAIN_NAME
      - LOCAL_DOMAIN=$DOMAIN_NAME
@ -113,7 +118,8 @@ services:
      - SMTP_PASSWORD=$SMTP_PASSWORD
      - SMTP_FROM_ADDRESS=mastodon@$DOMAIN_NAME
    env_file:
-      - mastodon/env.production
+      - ./env.production
+      - ./mastodon/env.production
    command: node ./streaming
 #    networks:
 #      - external_network
@ -132,7 +138,8 @@ services:
    restart: always
    container_name: mastodon-sidekiq
    env_file:
-      - mastodon/env.production
+      - ./env.production
+      - ./mastodon/env.production
    environment:
      - WEB_DOMAIN=$MASTODON_HOSTNAME.$DOMAIN_NAME
      - LOCAL_DOMAIN=$DOMAIN_NAME
@ -186,11 +193,10 @@ services:
      - ./data/mastodon/system/accounts:/mastodon/system/accounts:ro

  # add the subdomain client secrets to the keycloak-setup volume
-  keycloak-setup:
-    env_file:
-      - data/mastodon/secrets
+  keycloak:
    volumes:
      - ./mastodon/keycloak.sh:/keycloak-setup/mastodon.sh:ro
+      - ./data/mastodon/secrets:/run/secrets/mastodon:ro

 #networks:
 #  external_network:
--- a/mastodon/entrypoint.sh
+++ b/mastodon/entrypoint.sh
@ -6,7 +6,10 @@ export MASTODON_DIR=/mastodon/public/system
 export VAPID_KEY="$MASTODON_DIR/vapid_key"
 export DB_SETUP="$MASTODON_DIR/db_done"

-chown -R mastodon:mastodon "$MASTODON_DIR"
+if [ ! -r "$DB_SETUP" ]; then
+	echo >&2 "*** Setting permissions on $MASTODON_DIR"
+	chown -R mastodon:mastodon "$MASTODON_DIR"
+fi

 exec su mastodon <<EOF

--- a/mastodon/env.production
+++ b/mastodon/env.production
@ -25,8 +25,8 @@ REDIS_PORT=6379
 # PostgreSQL
 # ----------
 DB_HOST=mastodon-db
-DB_USER=mastodon
 DB_NAME=mastodon_production
+DB_USER=mastodon
 DB_PASS=mastodon
 DB_PORT=5432

--- a/matrix.yaml
+++ b/matrix.yaml
@ -15,11 +15,11 @@ services:
    image: vectorim/element-web:latest
    restart: unless-stopped
    container_name: matrix-element
-    env_file:
-     - env.production
    volumes:
      - ./matrix/10-envsubst-config.sh:/docker-entrypoint.d/10-envsubst-config.sh:ro
      - ./matrix/config.sample.json:/app/config.sample.json:ro
+    env_file:
+      - ./env.production
    depends_on:
      - matrix-synapse
 #    ports:
@ -33,10 +33,10 @@ services:
      - ./data/matrix/synapse:/data
      - ./matrix/entrypoint-synapse.sh:/entrypoint.sh:ro
    entrypoint: ["/entrypoint.sh"]
-    env_file:
-      - env.production
    environment:
      - MATRIX_CLIENT_SECRET=${MATRIX_CLIENT_SECRET}
+    env_file:
+      - ./env.production
    depends_on:
      - keycloak
      - nginx
@ -49,8 +49,7 @@ services:
      - ./matrix/nginx.conf:/etc/nginx/templates/matrix.conf.template:ro

  # add the client secrets to the keycloak-setup volume
-  keycloak-setup:
-    env_file:
-      - data/matrix/secrets
+  keycloak:
    volumes:
      - ./matrix/keycloak.sh:/keycloak-setup/matrix.sh:ro
+      - ./data/matrix/secrets:/run/secrets/matrix:ro
--- a/mobilizon.yaml
+++ b/mobilizon.yaml
@ -2,7 +2,7 @@ version: "3"

 services:
  mobilizon:
-    image: framasoft/mobilizon
+    image: framasoft/mobilizon:2.1.0
    container_name: mobilizon
    restart: always
    volumes:
@ -11,7 +11,6 @@ services:
    environment:
      - KEYCLOAK_HOSTNAME=${KEYCLOAK_HOSTNAME}.${DOMAIN_NAME}
      - REALM=${REALM}
-      - MOBILIZON_INSTANCE_NAME=${MOBILIZON_HOSTNAME}.${DOMAIN_NAME}
      - MOBILIZON_INSTANCE_HOST=${MOBILIZON_HOSTNAME}.${DOMAIN_NAME}
      - MOBILIZON_INSTANCE_SECRET_KEY_BASE=${MOBILIZON_ADMIN_PASSWORD}
      - MOBILIZON_INSTANCE_SECRET_KEY=${MOBILIZON_SESSION_SECRET}
@ -29,6 +28,8 @@ services:
      - MOBILIZON_DATABASE_HOST=mobilizon-db
      - MOBILIZON_INSTANCE_REGISTRATIONS_OPEN=false
      - MOBILIZON_INSTANCE_PORT=7000
+    env_file:
+      - ./env.production
    user: root
    entrypoint:
      - "/bin/sh"
@ -55,8 +56,7 @@ services:
      - ./mobilizon/nginx.conf:/etc/nginx/templates/mobilizon.conf.template:ro

  # add the client secrets to the keycloak-setup volume
-  keycloak-setup:
-    env_file:
-      - data/mobilizon/secrets
+  keycloak:
    volumes:
      - ./mobilizon/keycloak.sh:/keycloak-setup/mobilizon.sh:ro
+      - ./data/mobilizon/secrets:/run/secrets/mobilizon:ro
--- a/nextcloud.yaml
+++ b/nextcloud.yaml
@ -16,8 +16,6 @@ services:
    image: nextcloud:25.0.1-apache
    container_name: nextcloud
    restart: always
-    env_file:
-      - env.production
    environment:
      POSTGRES_HOST: nextcloud-db
      POSTGRES_DB: nextcloud
@ -28,6 +26,8 @@ services:
      NEXTCLOUD_ADMIN_PASSWORD: ${NEXTCLOUD_ADMIN_PASSWORD}
      NEXTCLOUD_CLIENT_SECRET: ${NEXTCLOUD_CLIENT_SECRET}
      NEXTCLOUD_TRUSTED_DOMAINS: ${NEXTCLOUD_HOSTNAME}.${DOMAIN_NAME}
+    env_file:
+      - ./env.production
    volumes:
      - ./data/nextcloud/nextcloud:/var/www/html
      - ./nextcloud/setup.sh:/setup.sh:ro
@ -41,8 +41,7 @@ services:
      - ./nextcloud/nginx.conf:/etc/nginx/templates/nextcloud.conf.template:ro

  # add the grafana client secrets to the keycloak-setup volume
-  keycloak-setup:
-    env_file:
-      - data/nextcloud/secrets
+  keycloak:
    volumes:
      - ./nextcloud/keycloak.sh:/keycloak-setup/nextcloud.sh:ro
+      - ./data/nextcloud/secrets:/run/secrets/nextcloud:ro
--- a/nextcloud/setup.sh
+++ b/nextcloud/setup.sh
@ -6,11 +6,18 @@ if [ -r "$CANARY" ]; then
 	exec "/entrypoint.sh" "$SERVER"
 fi

+# Wrapper to run OwnCloudConsole (occ) as www-data user
+occ() { su -p www-data -s /bin/sh -c "php /var/www/html/occ $*" ; }
+
 echo >&2 "**** installing nextcloud"
 NEXTCLOUD_UPDATE=1 bash /entrypoint.sh date || exit 1

+echo >&2 "***** Waiting for nextcloud for ${DOMAIN_NAME}"
+sleep 10
+occ status
+
 echo >&2 "***** Setting up nextcloud for ${DOMAIN_NAME}"
-occ() { su -p www-data -s /bin/sh -c "php /var/www/html/occ $*" ; }
+
 #occ maintenance:install || exit 1

 PROVIDER="$(cat <<EOF
--- a/nginx.yaml
+++ b/nginx.yaml
@ -1,4 +1,4 @@
-version: '3.9'
+version: '3'
 services:
  nginx:
 #    image: nginx:1.21-alpine
@ -12,6 +12,8 @@ services:
      - "80:80"
      - "443:443"
      - "8448:8448"
+    env_file:
+      - ./env.production
    volumes:
      - ./nginx/etc/includes:/etc/nginx/includes:ro
      - ./nginx/etc/nginx.conf:/etc/nginx/nginx.conf:ro
@ -20,12 +22,12 @@ services:
      - ./data/nginx/certbot/www:/var/www/certbot:ro
      - ./data/nginx/certbot/conf:/etc/letsencrypt:rw
      - /home:/home:ro
-    env_file:
-      - env.production

  certbot:
    image: certbot/certbot
    container_name: certbot
+    env_file:
+      - ./env.production
    volumes:
      - ./data/nginx/certbot/conf:/etc/letsencrypt
      - ./data/nginx/certbot/www:/var/www/certbot