move

README.md

@@ -1,6 +1,23 @@
 # Infra setup
 
-see `new` for the new infra
+## server??
+
+Each VPS has a caddy running _on the host_, not inside docker. It's the entrypoint to the stuff.
+Everything else runs in a docker container via docker compose.
+
+## extra setup
+
+every app needs some secrets in places.
+
+there are also "global secrets" used for the docker-compose, for example
+for env vars. those should be placed in `/apps/.env`.
+
+Right now the global secrets are
+
+```
+KILLUA_BOT_TOKEN=
+HUGO_CHAT_DB_PASSWORD=
+```
 
 ## things that shall not be forgotten
 

new/README.md

@@ -1,20 +0,0 @@
-# exciting new stuff!!
-
-## server??
-
-Each VPS has a caddy running _on the host_, not inside docker. It's the entrypoint to the stuff.
-Everything else runs in a docker container via docker compose.
-
-## extra setup
-
-every app needs some secrets in places.
-
-there are also "global secrets" used for the docker-compose, for example
-for env vars. those should be placed in `/apps/.env`.
-
-Right now the global secrets are
-
-```
-KILLUA_BOT_TOKEN=
-HUGO_CHAT_DB_PASSWORD=
-```

nginx/README.md

@@ -1 +0,0 @@
-oh lord

nginx/certs.md

@@ -1,20 +0,0 @@
-```sh
-sudo certbot certonly --standalone
-```
-```
-nilstrieb.dev docker.nilstrieb.dev cors-school.nilstrieb.dev api.cors-school.nilstrieb.dev hugo-chat.nilstrieb.dev api.hugo-chat.nilstrieb.dev bisect-rustc.nilstrieb.dev
-```
-```sh
-sudo tee /etc/letsencrypt/renewal-hooks/pre/001-stop-nginx.sh > /dev/null <<EOF
-#!/usr/bin/env bash
-docker stop nginx
-EOF
-
-sudo tee /etc/letsencrypt/renewal-hooks/post/001-start-nginx.sh > /dev/null <<EOF
-#!/usr/bin/env bash
-docker start nginx
-EOF
-
-sudo chmod +x /etc/letsencrypt/renewal-hooks/pre/001-stop-nginx.sh
-sudo chmod +x /etc/letsencrypt/renewal-hooks/post/001-start-nginx.sh
-```

nginx/nginx.conf

@@ -1,136 +0,0 @@
-events {
-    worker_connections 512;
-}
-
-http {
-    ssl_certificate /etc/nginx/certs/live/nilstrieb.dev/fullchain.pem;
-    ssl_certificate_key /etc/nginx/certs/live/nilstrieb.dev/privkey.pem;
-
-    # MOVED
-    server {
-        listen 443 ssl;
-
-        server_name "nilstrieb.dev";
-
-        location / {
-            return 302 https://blog.nilstrieb.dev$request_uri;
-        }
-    }
-
-    # MOVED
-    server {
-        listen 443 ssl;
-
-        server_name "bisect-rustc.nilstrieb.dev";
-
-        location / {
-            resolver 127.0.0.11 valid=30s;
-            set $upstream_service cargo-bisect-rustc-service;
-            proxy_pass http://$upstream_service:4000;
-        }
-    }
-
-    # MOVED
-    server {
-        listen 443 ssl;
-
-        server_name "docker.nilstrieb.dev";
-
-        client_max_body_size 0;
-
-        location / {
-            resolver 127.0.0.11 valid=30s;
-            set $upstream_registry registry;
-
-            proxy_set_header X-Forwarded-Proto https;
-            proxy_set_header Host docker.nilstrieb.dev;
-
-            proxy_pass https://$upstream_registry:5000;
-        }
-    }
-
-    # MOVED
-    server {
-        listen 443 ssl;
-
-        server_name "cors-school.nilstrieb.dev";
-
-        location / {
-            resolver 127.0.0.11 valid=30s;
-            set $upstream_frontend cors-school-frontend;
-            proxy_pass http://$upstream_frontend:80;
-        }
-    }
-
-    # MOVED
-    server {
-        listen 443 ssl;
-
-        server_name "api.cors-school.nilstrieb.dev";
-
-        location / {
-            if ($request_method = 'OPTIONS') {
-                add_header 'Access-Control-Allow-Origin' 'https://cors-school.nilstrieb.dev';
-                add_header 'Access-Control-Allow-Credentials' 'true';
-                add_header 'Access-Control-Allow-Methods' 'GET, POST, DELETE, PUT, OPTIONS';
-                add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,token,refresh-token,Authorization';
-
-                return 204;
-            }
-
-            proxy_pass_request_headers on;
-
-            resolver 127.0.0.11 valid=30s;
-            set $upstream_backend cors-school-backend;
-            proxy_pass http://$upstream_backend:8080;
-
-        }
-    }
-
-    # MOVED
-    server {
-        listen 443 ssl;
-
-        server_name "hugo-chat.nilstrieb.dev";
-
-        location / {
-            resolver 127.0.0.11 valid=30s;
-            set $upstream_frontend hugo-chat-frontend;
-            proxy_pass http://$upstream_frontend:80;
-        }
-    }
-
-    # MOVED
-    server {
-        listen 443 ssl;
-
-        server_name "api.hugo-chat.nilstrieb.dev";
-
-        location / {
-            if ($request_method = 'OPTIONS') {
-                add_header 'Access-Control-Allow-Origin' 'https://hugo-chat.nilstrieb.dev';
-                add_header 'Access-Control-Allow-Credentials' 'true';
-                add_header 'Access-Control-Allow-Methods' 'GET, POST, DELETE, PUT, PATCH, OPTIONS';
-                add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
-
-                return 204;
-            }
-
-            proxy_set_header Connection '';
-            proxy_http_version 1.1;
-            chunked_transfer_encoding off;
-
-            proxy_buffering off;
-            proxy_cache off;
-
-            proxy_pass_request_headers on;
-
-            resolver 127.0.0.11 valid=30s;
-            set $upstream_backend hugo-chat-backend;
-            proxy_pass http://$upstream_backend:8080;
-
-        }
-    }
-
-    server_tokens off;
-}

nginx/nginx.local.conf

@@ -1,51 +0,0 @@
-events {
-    worker_connections 512;
-}
-
-http {
-    server {
-        listen 80;
-
-        server_name "nilstrieb.dev";
-
-        return 302 http://blog.nilstrieb.dev$request_uri;
-    }
-
-    server {
-        listen 80;
-
-        server_name "docker.nilstrieb.dev";
-        set $target "http://registry:5000/";
-
-        client_max_body_size 0;
-
-        location / {
-            proxy_pass $target;
-        }
-    }
-
-    server {
-        listen 80;
-
-        server_name "cors-school.nilstrieb.dev";
-        set $target "http://cors-school-frontend/";
-
-        location / {
-            proxy_pass $target;
-        }
-    }
-
-    server {
-        listen 80;
-
-        server_name "api.cors-school.nilstrieb.dev";
-        set $target "http://cors-school-backend:8080/";
-
-        location / {
-            proxy_pass $target;
-            add_header Access-Control-Allow-Origin cors-school.nilstrieb.dev;
-        }
-    }
-
-    server_tokens off;
-}

nginx/run.sh

@@ -1,26 +0,0 @@
-#!/usr/bin/env bash
-set -eu pipefail
-
-SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-
-if [ "${STAGE-}" = "prod" ] ;
-then
-    echo "INFO Running on prod"
-    NGINX_CONF="nginx.conf"
-    EXTRA_ARGS="-v=/etc/letsencrypt:/etc/nginx/certs -p 443:443"
-else
-    echo "INFO Running on localhost"
-    NGINX_CONF="nginx.local.conf"
-    EXTRA_ARGS="-p 80:80"
-fi
-
-if docker container inspect nginx > /dev/null 2>&1 ;
-then
-    echo "INFO nginx container exists already..."
-else
-    docker run -d --restart=always --name=nginx \
-        -v="$SCRIPT_DIR/$NGINX_CONF:/etc/nginx/nginx.conf:ro" \
-        $EXTRA_ARGS \
-        --net=internal \
-        nginx:latest
-fi

registry/README.md

@@ -1,6 +0,0 @@
-- https://docs.docker.com/registry/deploying/
-- https://docs.docker.com/registry/configuration/
-
-```sh
-sudo htpasswd -cB /etc/.htpasswd username
-```

registry/run.sh

@@ -1,33 +0,0 @@
-#!/usr/bin/env bash
-set -eu pipefail
-
-SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-
-if [ "${STAGE-}" = "prod" ] ;
-then
-    echo "INFO Running on prod"
-    CERT_VOLUME="\
-        -v=/etc/letsencrypt:/etc/letsencrypt \
-        -v=/etc/htpasswd:/htpasswd \
-        -e=REGISTRY_HTTP_TLS_CERTIFICATE=/etc/letsencrypt/live/nilstrieb.dev/fullchain.pem \
-        -e=REGISTRY_HTTP_TLS_KEY=/etc/letsencrypt/live/nilstrieb.dev/privkey.pem \
-        -e=REGISTRY_AUTH=htpasswd \
-        -e=REGISTRY_AUTH_HTPASSWD_REALM=Realm \
-        -e=REGISTRY_AUTH_HTPASSWD_PATH=/htpasswd \
-    "
-else
-    echo "INFO Running on localhost"
-    CERT_VOLUME=""
-fi
-
-if docker container inspect registry > /dev/null 2>&1 ;
-then
-    echo "INFO Registry container exists already..."
-else
-    docker run -d --restart=always --name registry \
-        -v "$SCRIPT_DIR/config.yml:/etc/docker/registry/config.yml" \
-        -v "/var/lib/docker/registry:/var/lib/registry" \
-        $CERT_VOLUME \
-        --net internal \
-        registry:2
-fi

run_scripts/cargo-bisect-rustc.sh

@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-
-set -eu pipefail
-
-docker run -d --name cargo-bisect-rustc-service --net=internal --restart=always  \
-                                "-v=/apps/cargo-bisect-rustc-service/db:/app/db" \
-                                "-e=SQLITE_DB=/app/db/db.sqlite" "-e=RUST_LOG=debug" \
-                                 docker.nilstrieb.dev/cargo-bisect-rustc-service:1.8

run_scripts/cors-school.sh

@@ -1,18 +0,0 @@
-set -eu pipefail
-
-# frontend
-docker run --net internal --name cors-school-frontend -d \
-    --restart=always docker.nilstrieb.dev/cors-school-frontend:1.0.0
-
-# postgres
-docker run --net internal -d --name cors-postgres \
-    -e POSTGRES_PASSWORD=hugo58hugo -e POSTGRES_DB=davinci postgres
-
-# backend
-docker run --net internal -d --name cors-school-backend \
-    -e DATABASE_URL=postgres://postgres:hugo58hugo@cors-postgres/davinci \
-    -e RUST_LOG=info -e JWT_SECRET='redacted' docker.nilstrieb.dev/cors-school-backend:1.0
-
-# bot
-docker run --net internal -d --name cors-school-bot \
-    -v "$(pwd)/env:/.env" docker.nilstrieb.dev/cors-school-bot:1.0