mirror of
https://github.com/ENSL/ensl.org.git
synced 2024-11-14 00:40:49 +00:00
Add a working version with new server setup
Add nginx configs, env.sh update docker-compose
This commit is contained in:
parent
7baa8ce807
commit
3d75804b62
6 changed files with 294 additions and 1 deletions
27
.env.production
Normal file
27
.env.production
Normal file
|
@ -0,0 +1,27 @@
|
|||
# This file is actually loaded by Dotenv when RAILS_ENV=development
|
||||
|
||||
RACK_ENV=production
|
||||
RAILS_ENV=production
|
||||
|
||||
ASSETS_PRECOMPILE=1
|
||||
|
||||
SCRYPT_MAX_TIME=0.001
|
||||
|
||||
# FIXME Disable workers + cluster mode for now. They break start up.
|
||||
PUMA_WORKERS=0
|
||||
PUMA_MIN_THREADS=1
|
||||
PUMA_MAX_THREADS=32
|
||||
PUMA_TIMEOUT=30
|
||||
|
||||
PRODUCTION_PUMA_PORT=4000
|
||||
PRODUCTION_ROOT_DOMAIN=ensl.org
|
||||
PRODUCTION_DOMAIN=www.ensl.org
|
||||
PRODUCTION_PORT=80
|
||||
PRODUCTION_PORT_SSL=443
|
||||
|
||||
MYSQL_DATABASE=ensl
|
||||
MYSQL_CONNECTION_POOL=48
|
||||
|
||||
APP_DOMAIN=ensl.org
|
||||
|
||||
GOOGLE_CALENDAR=enabled
|
4
.gitignore
vendored
4
.gitignore
vendored
|
@ -7,12 +7,16 @@
|
|||
.ruby-version
|
||||
.ruby-gemset
|
||||
.env
|
||||
.env*.local
|
||||
.tmp*
|
||||
.rspec
|
||||
.sass-cache
|
||||
*.sassc
|
||||
*.rbc
|
||||
*.sassc
|
||||
db/data
|
||||
ext/ssl
|
||||
.htpass*
|
||||
|
||||
# Database and files
|
||||
db_data/*
|
||||
|
|
|
@ -15,7 +15,7 @@ services:
|
|||
# - redis
|
||||
db:
|
||||
image: mariadb:latest
|
||||
command: mysqld
|
||||
command: mysqld --skip-grant-tables
|
||||
volumes:
|
||||
- "./db_data:/var/lib/mysql"
|
||||
- "./ext/mysql.conf.d:/etc/mysql/conf.d"
|
||||
|
@ -38,3 +38,8 @@ services:
|
|||
- OPENDKIM_DOMAINS=ensl.org
|
||||
#redis:
|
||||
# image: redis
|
||||
|
||||
networks:
|
||||
default:
|
||||
external:
|
||||
name: catpack_docker
|
||||
|
|
143
ext/nginx.conf.d/production.conf.template
Normal file
143
ext/nginx.conf.d/production.conf.template
Normal file
|
@ -0,0 +1,143 @@
|
|||
# PRODUCTION nginx conf
|
||||
# The point of this config file is to have near-identical setup in PRODUCTION.
|
||||
# Use it in production or copy it over
|
||||
|
||||
upstream ensl_production {
|
||||
server web:$PRODUCTION_PUMA_PORT;
|
||||
# server unix:/var/tmp/puma.$RAILS_ENV.sock fail_timeout=0;
|
||||
}
|
||||
|
||||
upstream gathers {
|
||||
# server unix:/srv/ensl/puma.production.sock fail_timeout=0;
|
||||
server ensl_gather_production:6500;
|
||||
}
|
||||
|
||||
# root-level -> www redirect
|
||||
server {
|
||||
listen *:$PRODUCTION_PORT;
|
||||
listen *:$PRODUCTION_PORT_SSL ssl;
|
||||
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_certificate /etc/letsencrypt/live/ensl.org/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/ensl.org/privkey.pem;
|
||||
|
||||
server_name $PRODUCTION_ROOT_DOMAIN;
|
||||
root $PRODUCTION_NGINX_PUBLIC;
|
||||
return 301 https://$PRODUCTION_DOMAIN$request_uri;
|
||||
}
|
||||
|
||||
# HTTP -> HTTPS redirect
|
||||
#server {
|
||||
# listen *:$PRODUCTION_PORT;
|
||||
# server_name $PRODUCTION_DOMAIN;
|
||||
# return 301 https://$PRODUCTION_DOMAIN$request_uri;
|
||||
#}
|
||||
|
||||
server {
|
||||
listen *:$PRODUCTION_PORT default_server;
|
||||
listen *:$PRODUCTION_PORT_SSL ssl default_server;
|
||||
|
||||
# Redirect to HTTPS
|
||||
error_page 497 https://$host:$server_port$request_uri;
|
||||
|
||||
server_name $PRODUCTION_DOMAIN;
|
||||
root $PRODUCTION_NGINX_PUBLIC;
|
||||
index index.html index.htm index.php;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/ensl.org/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/ensl.org/privkey.pem;
|
||||
|
||||
# ssl-cert /etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||
# ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key
|
||||
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
# ssl_stapling on;
|
||||
# ssl_stapling_verify on;
|
||||
# add_header Strict-Transport-Security max-age=15768000;
|
||||
|
||||
# Fixme: add logs as volume
|
||||
access_log /var/log/nginx/ensl.production.access.log;
|
||||
error_log /var/log/nginx/ensl.production.error.log;
|
||||
|
||||
rewrite_log on;
|
||||
client_max_body_size 20M;
|
||||
keepalive_timeout 10;
|
||||
|
||||
location ~ /.well-known {
|
||||
allow all;
|
||||
autoindex on;
|
||||
}
|
||||
|
||||
# FIXME: use env. var
|
||||
location ^~ /assets/ {
|
||||
gzip_static on;
|
||||
expires 1m;
|
||||
add_header Cache-Control public;
|
||||
}
|
||||
|
||||
# FIXME: use env. var
|
||||
location /files/ {
|
||||
# try_files $uri $uri/ @puma;
|
||||
# alias root $APP_PATH_PUBLIC/files/;
|
||||
autoindex on;
|
||||
}
|
||||
location @puma {
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_pass http://ensl_production;
|
||||
}
|
||||
|
||||
try_files $uri/index.html $uri @puma;
|
||||
}
|
||||
|
||||
|
||||
# HTTP -> HTTPS redirect
|
||||
server {
|
||||
listen *:80;
|
||||
server_name gathers.ensl.org;
|
||||
return 301 https://gathers.ensl.org$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
listen *:443 ssl;
|
||||
server_name gathers.ensl.org;
|
||||
root /srv/ensl/gathers/public;
|
||||
index index.html index.htm index.php;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/ensl.org/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/ensl.org/privkey.pem;
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
# ssl_stapling on;
|
||||
# ssl_stapling_verify on;
|
||||
add_header Strict-Transport-Security max-age=0;
|
||||
|
||||
access_log /var/log/nginx/ensl.gathers.access.log;
|
||||
error_log /var/log/nginx/ensl.gathers.error.log;
|
||||
|
||||
rewrite_log on;
|
||||
client_max_body_size 20M;
|
||||
keepalive_timeout 10;
|
||||
|
||||
location ~ /.well-known {
|
||||
allow all;
|
||||
autoindex on;
|
||||
}
|
||||
location ^~ /assets/ {
|
||||
gzip_static on;
|
||||
expires max;
|
||||
add_header Cache-Control public;
|
||||
}
|
||||
location @gathers {
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_pass http://gathers;
|
||||
}
|
||||
|
||||
try_files $uri/index.html $uri @gathers;
|
||||
}
|
95
ext/nginx.conf.d/staging.conf.template
Normal file
95
ext/nginx.conf.d/staging.conf.template
Normal file
|
@ -0,0 +1,95 @@
|
|||
# Staging nginx conf
|
||||
# The point of this config file is to have near-identical setup in staging.
|
||||
# Use it in production or copy it over
|
||||
|
||||
upstream ensl_staging {
|
||||
server staging:$PUMA_STAGING_PORT;
|
||||
# server unix:/var/tmp/puma.$RAILS_ENV.sock fail_timeout=0;
|
||||
}
|
||||
|
||||
# root-level -> www redirect
|
||||
#server {
|
||||
# listen *:$STAGING_PORT;
|
||||
# listen *:$STAGING_PORT_SSL ssl;
|
||||
|
||||
# FIXME
|
||||
# ssl_certificate /etc/ssl/certs/ensl_fullchain.pem;
|
||||
# ssl_certificate_key /etc/ssl/private/ensl_privkey.pem;
|
||||
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
|
||||
# #server_name $STAGING_ROOT_DOMAIN;
|
||||
# #root $APP_PATH_PUBLIC;
|
||||
# return 301 https://$STAGING_DOMAIN$request_uri;
|
||||
#}
|
||||
|
||||
# HTTP -> HTTPS redirect
|
||||
#server {
|
||||
# listen *:$STAGING_PORT;
|
||||
# server_name $STAGING_DOMAIN;
|
||||
# return 301 https://$STAGING_DOMAIN$request_uri;
|
||||
#}
|
||||
|
||||
server {
|
||||
#listen *:$STAGING_PORT default_server;
|
||||
listen *:$STAGING_PORT_SSL ssl default_server;
|
||||
|
||||
# Redirect to HTTPS
|
||||
error_page 497 https://$host:$server_port$request_uri;
|
||||
|
||||
## domain_agnostic staging
|
||||
# server_name $STAGING_DOMAIN;
|
||||
root $APP_PATH_PUBLIC;
|
||||
index index.html index.htm index.php;
|
||||
|
||||
# Add basic auth
|
||||
# TODO: add htpassword generation
|
||||
# auth_basic "Staging Area";
|
||||
# auth_basic_user_file "/etc/nginx/conf.d/.htpasswd_staging";
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/ensl.org/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/ensl.org/privkey.pem;
|
||||
|
||||
# ssl-cert /etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||
# ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key
|
||||
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
# add_header Strict-Transport-Security max-age=15768000;
|
||||
|
||||
access_log /var/log/nginx/ensl.access.log;
|
||||
error_log /var/log/nginx/ensl.error.log;
|
||||
|
||||
rewrite_log on;
|
||||
client_max_body_size 20M;
|
||||
keepalive_timeout 10;
|
||||
|
||||
location ~ /.well-known {
|
||||
allow all;
|
||||
autoindex on;
|
||||
}
|
||||
|
||||
# FIXME: use env. var
|
||||
location ^~ /assets/ {
|
||||
gzip_static on;
|
||||
expires 1m;
|
||||
add_header Cache-Control public;
|
||||
}
|
||||
|
||||
# FIXME: use env. var
|
||||
location /files/ {
|
||||
# try_files $uri $uri/ @puma;
|
||||
# alias root $APP_PATH_PUBLIC/files/;
|
||||
autoindex on;
|
||||
}
|
||||
location @puma {
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_pass http://puma;
|
||||
}
|
||||
|
||||
try_files $uri/index.html $uri @puma;
|
||||
}
|
19
script/env.sh
Executable file
19
script/env.sh
Executable file
|
@ -0,0 +1,19 @@
|
|||
#!/bin/bash
|
||||
# use source script/env.sh
|
||||
|
||||
args=("$@")
|
||||
|
||||
if [[ $# -eq 1 ]]; then
|
||||
args+=(.env)
|
||||
fi
|
||||
|
||||
for FILE in "$@"
|
||||
do
|
||||
echo "Loading env vars from: $FILE"
|
||||
ARGS=$(cat $FILE |grep -vE '^[[:space:]]*(#.*)*$')
|
||||
|
||||
export $(echo $ARGS|xargs)
|
||||
echo "$ARGS"
|
||||
echo
|
||||
done
|
||||
|
Loading…
Reference in a new issue