Add a working version with new server setup

Add nginx configs, env.sh update docker-compose

.env.production

@@ -0,0 +1,27 @@
+# This file is actually loaded by Dotenv when RAILS_ENV=development
+
+RACK_ENV=production
+RAILS_ENV=production
+
+ASSETS_PRECOMPILE=1
+
+SCRYPT_MAX_TIME=0.001
+
+# FIXME Disable workers + cluster mode for now. They break start up.
+PUMA_WORKERS=0
+PUMA_MIN_THREADS=1
+PUMA_MAX_THREADS=32
+PUMA_TIMEOUT=30
+
+PRODUCTION_PUMA_PORT=4000
+PRODUCTION_ROOT_DOMAIN=ensl.org
+PRODUCTION_DOMAIN=www.ensl.org
+PRODUCTION_PORT=80
+PRODUCTION_PORT_SSL=443
+
+MYSQL_DATABASE=ensl
+MYSQL_CONNECTION_POOL=48
+
+APP_DOMAIN=ensl.org
+
+GOOGLE_CALENDAR=enabled

.gitignore

@@ -7,12 +7,16 @@
 .ruby-version
 .ruby-gemset
 .env
+.env*.local
 .tmp*
 .rspec
 .sass-cache
 *.sassc
 *.rbc
 *.sassc
+db/data
+ext/ssl
+.htpass*
 
 # Database and files
 db_data/*

docker-compose.yml

@@ -15,7 +15,7 @@ services:
   #    - redis
   db:
     image: mariadb:latest
-    command: mysqld
+    command: mysqld --skip-grant-tables
     volumes:
      - "./db_data:/var/lib/mysql"
      - "./ext/mysql.conf.d:/etc/mysql/conf.d"
@@ -38,3 +38,8 @@ services:
       - OPENDKIM_DOMAINS=ensl.org
   #redis:
   #  image: redis
+
+networks:
+  default:
+    external:
+      name: catpack_docker

ext/nginx.conf.d/production.conf.template

@@ -0,0 +1,143 @@
+# PRODUCTION nginx conf
+# The point of this config file is to have near-identical setup in PRODUCTION.
+# Use it in production or copy it over
+
+upstream ensl_production {
+  server web:$PRODUCTION_PUMA_PORT;
+  # server unix:/var/tmp/puma.$RAILS_ENV.sock fail_timeout=0;
+}
+
+upstream gathers {
+  #  server unix:/srv/ensl/puma.production.sock fail_timeout=0;
+  server ensl_gather_production:6500;
+}
+
+# root-level -> www redirect
+server {
+  listen *:$PRODUCTION_PORT;
+  listen *:$PRODUCTION_PORT_SSL ssl;
+
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_certificate /etc/letsencrypt/live/ensl.org/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/ensl.org/privkey.pem;
+
+  server_name $PRODUCTION_ROOT_DOMAIN;
+  root $PRODUCTION_NGINX_PUBLIC;
+  return 301 https://$PRODUCTION_DOMAIN$request_uri;
+}
+
+# HTTP -> HTTPS redirect
+#server {
+#  listen *:$PRODUCTION_PORT;
+#  server_name $PRODUCTION_DOMAIN;
+#  return 301 https://$PRODUCTION_DOMAIN$request_uri;
+#}
+
+server {
+  listen *:$PRODUCTION_PORT default_server;
+  listen *:$PRODUCTION_PORT_SSL ssl default_server;
+
+  # Redirect to HTTPS
+  error_page 497 https://$host:$server_port$request_uri;
+
+  server_name $PRODUCTION_DOMAIN;
+  root $PRODUCTION_NGINX_PUBLIC;
+  index index.html index.htm index.php;
+
+  ssl_certificate /etc/letsencrypt/live/ensl.org/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/ensl.org/privkey.pem;
+
+  # ssl-cert /etc/ssl/certs/ssl-cert-snakeoil.pem
+  # ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key
+
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
+  ssl_session_timeout 1d;
+  ssl_session_cache shared:SSL:50m;
+  # ssl_stapling on;
+  # ssl_stapling_verify on;
+  # add_header Strict-Transport-Security max-age=15768000;
+
+  # Fixme: add logs as volume
+  access_log /var/log/nginx/ensl.production.access.log;
+  error_log /var/log/nginx/ensl.production.error.log;
+
+  rewrite_log on;
+  client_max_body_size 20M;
+  keepalive_timeout 10;
+
+  location ~ /.well-known {
+    allow all;
+    autoindex on;
+  }
+
+  # FIXME: use env. var
+  location ^~ /assets/ {
+    gzip_static on;
+    expires 1m;
+    add_header Cache-Control public;
+  }
+
+  # FIXME: use env. var
+  location /files/ {
+    # try_files $uri $uri/ @puma;
+    # alias root $APP_PATH_PUBLIC/files/;
+    autoindex on;
+  }
+  location @puma {
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host $http_host;
+    proxy_pass http://ensl_production;
+  }
+
+  try_files $uri/index.html $uri @puma;
+}
+
+
+# HTTP -> HTTPS redirect
+server {
+  listen *:80;
+  server_name gathers.ensl.org;
+  return 301 https://gathers.ensl.org$request_uri;
+}
+
+server {
+  listen *:443 ssl;
+  server_name gathers.ensl.org;
+  root /srv/ensl/gathers/public;
+  index index.html index.htm index.php;
+
+  ssl_certificate /etc/letsencrypt/live/ensl.org/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/ensl.org/privkey.pem;
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
+  ssl_session_timeout 1d;
+  ssl_session_cache shared:SSL:50m;
+  # ssl_stapling on;
+  # ssl_stapling_verify on;
+  add_header Strict-Transport-Security max-age=0;
+
+  access_log /var/log/nginx/ensl.gathers.access.log;
+  error_log /var/log/nginx/ensl.gathers.error.log;
+
+  rewrite_log on;
+  client_max_body_size 20M;
+  keepalive_timeout 10;
+
+  location ~ /.well-known {
+    allow all;
+    autoindex on;
+  }
+  location ^~ /assets/ {
+    gzip_static on;
+    expires max;
+    add_header Cache-Control public;
+  }
+  location @gathers {
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host $http_host;
+    proxy_pass http://gathers;
+  }
+
+  try_files $uri/index.html $uri @gathers;
+}

ext/nginx.conf.d/staging.conf.template

@@ -0,0 +1,95 @@
+# Staging nginx conf
+# The point of this config file is to have near-identical setup in staging.
+# Use it in production or copy it over
+
+upstream ensl_staging {
+  server staging:$PUMA_STAGING_PORT;
+  # server unix:/var/tmp/puma.$RAILS_ENV.sock fail_timeout=0;
+}
+
+# root-level -> www redirect
+#server {
+#  listen *:$STAGING_PORT;
+#  listen *:$STAGING_PORT_SSL ssl;
+
+  # FIXME
+  # ssl_certificate /etc/ssl/certs/ensl_fullchain.pem;
+  # ssl_certificate_key /etc/ssl/private/ensl_privkey.pem;
+  # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+#  #server_name $STAGING_ROOT_DOMAIN;
+#  #root $APP_PATH_PUBLIC;
+#  return 301 https://$STAGING_DOMAIN$request_uri;
+#}
+
+# HTTP -> HTTPS redirect
+#server {
+#  listen *:$STAGING_PORT;
+#  server_name $STAGING_DOMAIN;
+#  return 301 https://$STAGING_DOMAIN$request_uri;
+#}
+
+server {
+  #listen *:$STAGING_PORT default_server;
+  listen *:$STAGING_PORT_SSL ssl default_server;
+
+  # Redirect to HTTPS
+  error_page 497 https://$host:$server_port$request_uri;
+
+  ## domain_agnostic staging
+  # server_name $STAGING_DOMAIN;
+  root $APP_PATH_PUBLIC;
+  index index.html index.htm index.php;
+
+  # Add basic auth
+  # TODO: add htpassword generation
+  # auth_basic           "Staging Area";
+  # auth_basic_user_file "/etc/nginx/conf.d/.htpasswd_staging";
+
+  ssl_certificate /etc/letsencrypt/live/ensl.org/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/ensl.org/privkey.pem;
+
+  # ssl-cert /etc/ssl/certs/ssl-cert-snakeoil.pem
+  # ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key
+
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
+  ssl_session_timeout 1d;
+  ssl_session_cache shared:SSL:50m;
+  ssl_stapling on;
+  ssl_stapling_verify on;
+  # add_header Strict-Transport-Security max-age=15768000;
+
+  access_log /var/log/nginx/ensl.access.log;
+  error_log /var/log/nginx/ensl.error.log;
+
+  rewrite_log on;
+  client_max_body_size 20M;
+  keepalive_timeout 10;
+
+  location ~ /.well-known {
+    allow all;
+    autoindex on;
+  }
+
+  # FIXME: use env. var
+  location ^~ /assets/ {
+    gzip_static on;
+    expires 1m;
+    add_header Cache-Control public;
+  }
+
+  # FIXME: use env. var
+  location /files/ {
+    # try_files $uri $uri/ @puma;
+    # alias root $APP_PATH_PUBLIC/files/;
+    autoindex on;
+  }
+  location @puma {
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host $http_host;
+    proxy_pass http://puma;
+  }
+
+  try_files $uri/index.html $uri @puma;
+}

script/env.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+# use source script/env.sh
+
+args=("$@")
+
+if [[ $# -eq 1 ]]; then
+  args+=(.env)
+fi
+
+for FILE in "$@"
+do
+  echo "Loading env vars from: $FILE"
+  ARGS=$(cat $FILE |grep -vE '^[[:space:]]*(#.*)*$')
+
+  export $(echo $ARGS|xargs)
+  echo "$ARGS"
+  echo
+done
+