mirror of
https://github.com/ENSL/ensl.org.git
synced 2024-11-14 00:40:49 +00:00
Add a working version with new server setup
Add nginx configs, env.sh update docker-compose
This commit is contained in:
parent
7baa8ce807
commit
3d75804b62
6 changed files with 294 additions and 1 deletions
27
.env.production
Normal file
27
.env.production
Normal file
|
@ -0,0 +1,27 @@
|
||||||
|
# This file is actually loaded by Dotenv when RAILS_ENV=development
|
||||||
|
|
||||||
|
RACK_ENV=production
|
||||||
|
RAILS_ENV=production
|
||||||
|
|
||||||
|
ASSETS_PRECOMPILE=1
|
||||||
|
|
||||||
|
SCRYPT_MAX_TIME=0.001
|
||||||
|
|
||||||
|
# FIXME Disable workers + cluster mode for now. They break start up.
|
||||||
|
PUMA_WORKERS=0
|
||||||
|
PUMA_MIN_THREADS=1
|
||||||
|
PUMA_MAX_THREADS=32
|
||||||
|
PUMA_TIMEOUT=30
|
||||||
|
|
||||||
|
PRODUCTION_PUMA_PORT=4000
|
||||||
|
PRODUCTION_ROOT_DOMAIN=ensl.org
|
||||||
|
PRODUCTION_DOMAIN=www.ensl.org
|
||||||
|
PRODUCTION_PORT=80
|
||||||
|
PRODUCTION_PORT_SSL=443
|
||||||
|
|
||||||
|
MYSQL_DATABASE=ensl
|
||||||
|
MYSQL_CONNECTION_POOL=48
|
||||||
|
|
||||||
|
APP_DOMAIN=ensl.org
|
||||||
|
|
||||||
|
GOOGLE_CALENDAR=enabled
|
4
.gitignore
vendored
4
.gitignore
vendored
|
@ -7,12 +7,16 @@
|
||||||
.ruby-version
|
.ruby-version
|
||||||
.ruby-gemset
|
.ruby-gemset
|
||||||
.env
|
.env
|
||||||
|
.env*.local
|
||||||
.tmp*
|
.tmp*
|
||||||
.rspec
|
.rspec
|
||||||
.sass-cache
|
.sass-cache
|
||||||
*.sassc
|
*.sassc
|
||||||
*.rbc
|
*.rbc
|
||||||
*.sassc
|
*.sassc
|
||||||
|
db/data
|
||||||
|
ext/ssl
|
||||||
|
.htpass*
|
||||||
|
|
||||||
# Database and files
|
# Database and files
|
||||||
db_data/*
|
db_data/*
|
||||||
|
|
|
@ -15,7 +15,7 @@ services:
|
||||||
# - redis
|
# - redis
|
||||||
db:
|
db:
|
||||||
image: mariadb:latest
|
image: mariadb:latest
|
||||||
command: mysqld
|
command: mysqld --skip-grant-tables
|
||||||
volumes:
|
volumes:
|
||||||
- "./db_data:/var/lib/mysql"
|
- "./db_data:/var/lib/mysql"
|
||||||
- "./ext/mysql.conf.d:/etc/mysql/conf.d"
|
- "./ext/mysql.conf.d:/etc/mysql/conf.d"
|
||||||
|
@ -38,3 +38,8 @@ services:
|
||||||
- OPENDKIM_DOMAINS=ensl.org
|
- OPENDKIM_DOMAINS=ensl.org
|
||||||
#redis:
|
#redis:
|
||||||
# image: redis
|
# image: redis
|
||||||
|
|
||||||
|
networks:
|
||||||
|
default:
|
||||||
|
external:
|
||||||
|
name: catpack_docker
|
||||||
|
|
143
ext/nginx.conf.d/production.conf.template
Normal file
143
ext/nginx.conf.d/production.conf.template
Normal file
|
@ -0,0 +1,143 @@
|
||||||
|
# PRODUCTION nginx conf
|
||||||
|
# The point of this config file is to have near-identical setup in PRODUCTION.
|
||||||
|
# Use it in production or copy it over
|
||||||
|
|
||||||
|
upstream ensl_production {
|
||||||
|
server web:$PRODUCTION_PUMA_PORT;
|
||||||
|
# server unix:/var/tmp/puma.$RAILS_ENV.sock fail_timeout=0;
|
||||||
|
}
|
||||||
|
|
||||||
|
upstream gathers {
|
||||||
|
# server unix:/srv/ensl/puma.production.sock fail_timeout=0;
|
||||||
|
server ensl_gather_production:6500;
|
||||||
|
}
|
||||||
|
|
||||||
|
# root-level -> www redirect
|
||||||
|
server {
|
||||||
|
listen *:$PRODUCTION_PORT;
|
||||||
|
listen *:$PRODUCTION_PORT_SSL ssl;
|
||||||
|
|
||||||
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/ensl.org/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/ensl.org/privkey.pem;
|
||||||
|
|
||||||
|
server_name $PRODUCTION_ROOT_DOMAIN;
|
||||||
|
root $PRODUCTION_NGINX_PUBLIC;
|
||||||
|
return 301 https://$PRODUCTION_DOMAIN$request_uri;
|
||||||
|
}
|
||||||
|
|
||||||
|
# HTTP -> HTTPS redirect
|
||||||
|
#server {
|
||||||
|
# listen *:$PRODUCTION_PORT;
|
||||||
|
# server_name $PRODUCTION_DOMAIN;
|
||||||
|
# return 301 https://$PRODUCTION_DOMAIN$request_uri;
|
||||||
|
#}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen *:$PRODUCTION_PORT default_server;
|
||||||
|
listen *:$PRODUCTION_PORT_SSL ssl default_server;
|
||||||
|
|
||||||
|
# Redirect to HTTPS
|
||||||
|
error_page 497 https://$host:$server_port$request_uri;
|
||||||
|
|
||||||
|
server_name $PRODUCTION_DOMAIN;
|
||||||
|
root $PRODUCTION_NGINX_PUBLIC;
|
||||||
|
index index.html index.htm index.php;
|
||||||
|
|
||||||
|
ssl_certificate /etc/letsencrypt/live/ensl.org/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/ensl.org/privkey.pem;
|
||||||
|
|
||||||
|
# ssl-cert /etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||||
|
# ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key
|
||||||
|
|
||||||
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||||
|
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
|
||||||
|
ssl_session_timeout 1d;
|
||||||
|
ssl_session_cache shared:SSL:50m;
|
||||||
|
# ssl_stapling on;
|
||||||
|
# ssl_stapling_verify on;
|
||||||
|
# add_header Strict-Transport-Security max-age=15768000;
|
||||||
|
|
||||||
|
# Fixme: add logs as volume
|
||||||
|
access_log /var/log/nginx/ensl.production.access.log;
|
||||||
|
error_log /var/log/nginx/ensl.production.error.log;
|
||||||
|
|
||||||
|
rewrite_log on;
|
||||||
|
client_max_body_size 20M;
|
||||||
|
keepalive_timeout 10;
|
||||||
|
|
||||||
|
location ~ /.well-known {
|
||||||
|
allow all;
|
||||||
|
autoindex on;
|
||||||
|
}
|
||||||
|
|
||||||
|
# FIXME: use env. var
|
||||||
|
location ^~ /assets/ {
|
||||||
|
gzip_static on;
|
||||||
|
expires 1m;
|
||||||
|
add_header Cache-Control public;
|
||||||
|
}
|
||||||
|
|
||||||
|
# FIXME: use env. var
|
||||||
|
location /files/ {
|
||||||
|
# try_files $uri $uri/ @puma;
|
||||||
|
# alias root $APP_PATH_PUBLIC/files/;
|
||||||
|
autoindex on;
|
||||||
|
}
|
||||||
|
location @puma {
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
|
proxy_pass http://ensl_production;
|
||||||
|
}
|
||||||
|
|
||||||
|
try_files $uri/index.html $uri @puma;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# HTTP -> HTTPS redirect
|
||||||
|
server {
|
||||||
|
listen *:80;
|
||||||
|
server_name gathers.ensl.org;
|
||||||
|
return 301 https://gathers.ensl.org$request_uri;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen *:443 ssl;
|
||||||
|
server_name gathers.ensl.org;
|
||||||
|
root /srv/ensl/gathers/public;
|
||||||
|
index index.html index.htm index.php;
|
||||||
|
|
||||||
|
ssl_certificate /etc/letsencrypt/live/ensl.org/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/ensl.org/privkey.pem;
|
||||||
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||||
|
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
|
||||||
|
ssl_session_timeout 1d;
|
||||||
|
ssl_session_cache shared:SSL:50m;
|
||||||
|
# ssl_stapling on;
|
||||||
|
# ssl_stapling_verify on;
|
||||||
|
add_header Strict-Transport-Security max-age=0;
|
||||||
|
|
||||||
|
access_log /var/log/nginx/ensl.gathers.access.log;
|
||||||
|
error_log /var/log/nginx/ensl.gathers.error.log;
|
||||||
|
|
||||||
|
rewrite_log on;
|
||||||
|
client_max_body_size 20M;
|
||||||
|
keepalive_timeout 10;
|
||||||
|
|
||||||
|
location ~ /.well-known {
|
||||||
|
allow all;
|
||||||
|
autoindex on;
|
||||||
|
}
|
||||||
|
location ^~ /assets/ {
|
||||||
|
gzip_static on;
|
||||||
|
expires max;
|
||||||
|
add_header Cache-Control public;
|
||||||
|
}
|
||||||
|
location @gathers {
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
|
proxy_pass http://gathers;
|
||||||
|
}
|
||||||
|
|
||||||
|
try_files $uri/index.html $uri @gathers;
|
||||||
|
}
|
95
ext/nginx.conf.d/staging.conf.template
Normal file
95
ext/nginx.conf.d/staging.conf.template
Normal file
|
@ -0,0 +1,95 @@
|
||||||
|
# Staging nginx conf
|
||||||
|
# The point of this config file is to have near-identical setup in staging.
|
||||||
|
# Use it in production or copy it over
|
||||||
|
|
||||||
|
upstream ensl_staging {
|
||||||
|
server staging:$PUMA_STAGING_PORT;
|
||||||
|
# server unix:/var/tmp/puma.$RAILS_ENV.sock fail_timeout=0;
|
||||||
|
}
|
||||||
|
|
||||||
|
# root-level -> www redirect
|
||||||
|
#server {
|
||||||
|
# listen *:$STAGING_PORT;
|
||||||
|
# listen *:$STAGING_PORT_SSL ssl;
|
||||||
|
|
||||||
|
# FIXME
|
||||||
|
# ssl_certificate /etc/ssl/certs/ensl_fullchain.pem;
|
||||||
|
# ssl_certificate_key /etc/ssl/private/ensl_privkey.pem;
|
||||||
|
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||||
|
|
||||||
|
# #server_name $STAGING_ROOT_DOMAIN;
|
||||||
|
# #root $APP_PATH_PUBLIC;
|
||||||
|
# return 301 https://$STAGING_DOMAIN$request_uri;
|
||||||
|
#}
|
||||||
|
|
||||||
|
# HTTP -> HTTPS redirect
|
||||||
|
#server {
|
||||||
|
# listen *:$STAGING_PORT;
|
||||||
|
# server_name $STAGING_DOMAIN;
|
||||||
|
# return 301 https://$STAGING_DOMAIN$request_uri;
|
||||||
|
#}
|
||||||
|
|
||||||
|
server {
|
||||||
|
#listen *:$STAGING_PORT default_server;
|
||||||
|
listen *:$STAGING_PORT_SSL ssl default_server;
|
||||||
|
|
||||||
|
# Redirect to HTTPS
|
||||||
|
error_page 497 https://$host:$server_port$request_uri;
|
||||||
|
|
||||||
|
## domain_agnostic staging
|
||||||
|
# server_name $STAGING_DOMAIN;
|
||||||
|
root $APP_PATH_PUBLIC;
|
||||||
|
index index.html index.htm index.php;
|
||||||
|
|
||||||
|
# Add basic auth
|
||||||
|
# TODO: add htpassword generation
|
||||||
|
# auth_basic "Staging Area";
|
||||||
|
# auth_basic_user_file "/etc/nginx/conf.d/.htpasswd_staging";
|
||||||
|
|
||||||
|
ssl_certificate /etc/letsencrypt/live/ensl.org/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/ensl.org/privkey.pem;
|
||||||
|
|
||||||
|
# ssl-cert /etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||||
|
# ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key
|
||||||
|
|
||||||
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||||
|
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
|
||||||
|
ssl_session_timeout 1d;
|
||||||
|
ssl_session_cache shared:SSL:50m;
|
||||||
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
||||||
|
# add_header Strict-Transport-Security max-age=15768000;
|
||||||
|
|
||||||
|
access_log /var/log/nginx/ensl.access.log;
|
||||||
|
error_log /var/log/nginx/ensl.error.log;
|
||||||
|
|
||||||
|
rewrite_log on;
|
||||||
|
client_max_body_size 20M;
|
||||||
|
keepalive_timeout 10;
|
||||||
|
|
||||||
|
location ~ /.well-known {
|
||||||
|
allow all;
|
||||||
|
autoindex on;
|
||||||
|
}
|
||||||
|
|
||||||
|
# FIXME: use env. var
|
||||||
|
location ^~ /assets/ {
|
||||||
|
gzip_static on;
|
||||||
|
expires 1m;
|
||||||
|
add_header Cache-Control public;
|
||||||
|
}
|
||||||
|
|
||||||
|
# FIXME: use env. var
|
||||||
|
location /files/ {
|
||||||
|
# try_files $uri $uri/ @puma;
|
||||||
|
# alias root $APP_PATH_PUBLIC/files/;
|
||||||
|
autoindex on;
|
||||||
|
}
|
||||||
|
location @puma {
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
|
proxy_pass http://puma;
|
||||||
|
}
|
||||||
|
|
||||||
|
try_files $uri/index.html $uri @puma;
|
||||||
|
}
|
19
script/env.sh
Executable file
19
script/env.sh
Executable file
|
@ -0,0 +1,19 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# use source script/env.sh
|
||||||
|
|
||||||
|
args=("$@")
|
||||||
|
|
||||||
|
if [[ $# -eq 1 ]]; then
|
||||||
|
args+=(.env)
|
||||||
|
fi
|
||||||
|
|
||||||
|
for FILE in "$@"
|
||||||
|
do
|
||||||
|
echo "Loading env vars from: $FILE"
|
||||||
|
ARGS=$(cat $FILE |grep -vE '^[[:space:]]*(#.*)*$')
|
||||||
|
|
||||||
|
export $(echo $ARGS|xargs)
|
||||||
|
echo "$ARGS"
|
||||||
|
echo
|
||||||
|
done
|
||||||
|
|
Loading…
Reference in a new issue