[WIP] Initial packer/terraform config for wallabag

2021-01-06 12:46:47 -05:00 · 2021-01-06 12:46:47 -05:00 · 91b6dfffe6
commit 91b6dfffe6
parent 4b638634fa
17 changed files with 368 additions and 0 deletions
--- a/.envrc
+++ b/.envrc
@ -11,6 +11,9 @@ export SYNCTHING_API_KEY=$(pass packer-syncthing-api-key)
 export SYNCTHING_CERT_PEM=$(pass packer-syncthing-cert.pem)
 export SYNCTHING_KEY_PEM=$(pass packer-syncthing-key.pem)
 export CERTBOT_EMAIL=$(pass certbot-email)
+export WALLABAG_MAILGUN_PASSWORD=$(pass packer-wallabag-mailgun-password)
+export WALLABAG_SECRET=$(pass packer-wallabag-secret)
+export WALLABAG_PASSWORD=$(pass wallabag.jeremydormitzer.com)

 if [ -f ".env.local" ]; then
    echo "sourcing .env.local"
--- a/prod/wallabag/packer/.gitignore
+++ b/prod/wallabag/packer/.gitignore
@ -0,0 +1 @@
+files/wallabag-params.yml
--- a/prod/wallabag/packer/Makefile
+++ b/prod/wallabag/packer/Makefile
@ -0,0 +1,12 @@
+packer-manifest.json: wallabag.json \
+		      scripts/dependencies.sh \
+		      scripts/nginx.sh \
+		      scripts/redis.sh \
+                      scripts/wallabag.sh \
+		      files/wallabag-nginx.conf \
+		      files/entries.json \
+	              files/wallabag-params.yml
+	packer build wallabag.json
+
+files/wallabag-params.yml: templates/wallabag-params.yml.template
+	sigil -p -f templates/wallabag-params.yml.template > files/wallabag-params.yml
--- a/prod/wallabag/packer/files/entries.json
+++ b/prod/wallabag/packer/files/entries.json
--- a/prod/wallabag/packer/files/wallabag-nginx.conf
+++ b/prod/wallabag/packer/files/wallabag-nginx.conf
@ -0,0 +1,39 @@
+server {
+    root /var/www/wallabag/web;
+
+    location / {
+        # try to serve file directly, fallback to app.php
+        try_files $uri /app.php$is_args$args;
+    }
+    location ~ ^/app\.php(/|$) {
+        # if, for some reason, you are still using PHP 5,
+        # then replace /run/php/php7.0 by /var/run/php5
+        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
+        fastcgi_split_path_info ^(.+\.php)(/.*)$;
+        include fastcgi_params;
+        # When you are using symlinks to link the document root to the
+        # current version of your application, you should pass the real
+        # application path instead of the path to the symlink to PHP
+        # FPM.
+        # Otherwise, PHP's OPcache may not properly detect changes to
+        # your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
+        # for more information).
+        fastcgi_param  SCRIPT_FILENAME  $realpath_root$fastcgi_script_name;
+        fastcgi_param DOCUMENT_ROOT $realpath_root;
+        # Prevents URIs that include the front controller. This will 404:
+        # http://domain.tld/app.php/some-path
+        # Remove the internal directive to allow URIs like this
+        internal;
+    }
+
+    # return 404 for all other php files not matching the front controller
+    # this prevents access to other php files you don't want to be accessible.
+    location ~ \.php$ {
+        return 404;
+    }
+
+    error_log /var/log/nginx/wallabag_error.log;
+    access_log /var/log/nginx/wallabag_access.log;
+
+    client_max_body_size 512M; # allows file uploads up to 512 megabytes
+}
--- a/prod/wallabag/packer/packer-manifest.json
+++ b/prod/wallabag/packer/packer-manifest.json
@ -0,0 +1,59 @@
+{
+  "builds": [
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1609885342,
+      "files": null,
+      "artifact_id": "nyc1:76421685",
+      "packer_run_uuid": "990cb13b-f868-37b3-067f-ad0427c28022",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1609891000,
+      "files": null,
+      "artifact_id": "nyc1:76426560",
+      "packer_run_uuid": "484d51bc-f44e-4815-7a88-25205bf293d1",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1609893774,
+      "files": null,
+      "artifact_id": "nyc1:76431170",
+      "packer_run_uuid": "cc8a035a-ef43-4910-fdde-59d9ae491449",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1609941260,
+      "files": null,
+      "artifact_id": "nyc1:76462043",
+      "packer_run_uuid": "5c66f7fe-71a0-b1b9-bd49-1739a347fc66",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1609942737,
+      "files": null,
+      "artifact_id": "nyc1:76462488",
+      "packer_run_uuid": "5e0cd34c-0d90-9910-b596-55dfa92ad2a1",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1609954695,
+      "files": null,
+      "artifact_id": "nyc1:76466549",
+      "packer_run_uuid": "870a0b80-2ca0-3561-92a3-210b79e7c773",
+      "custom_data": null
+    }
+  ],
+  "last_run_uuid": "870a0b80-2ca0-3561-92a3-210b79e7c773"
+}
--- a/prod/wallabag/packer/scripts/dependencies.sh
+++ b/prod/wallabag/packer/scripts/dependencies.sh
@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+set -xe
+
+sudo apt-get update
+sudo apt-get install -y \
+     git \
+     unzip \
+     make \
+     sqlite3 \
+     redis \
+     nginx \
+     php \
+     php-fpm \
+     php-curl \
+     php-xml \
+     php-gd \
+     php-mbstring \
+     php-tidy \
+     php-intl \
+     composer \
+     php-sqlite3 \
--- a/prod/wallabag/packer/scripts/nginx.sh
+++ b/prod/wallabag/packer/scripts/nginx.sh
@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+set -xe
+
+sudo mv /tmp/wallabag-nginx.conf \
+     /etc/nginx/sites-available/wallabag.conf
+sudo ln -s /etc/nginx/sites-available/wallabag.conf \
+     /etc/nginx/sites-enabled/
+sudo unlink /etc/nginx/sites-enabled/default
+sudo systemctl enable nginx
--- a/prod/wallabag/packer/scripts/redis.sh
+++ b/prod/wallabag/packer/scripts/redis.sh
@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+set -xe
+
+sudo systemctl enable redis
+sudo systemctl start redis
--- a/prod/wallabag/packer/scripts/wallabag.sh
+++ b/prod/wallabag/packer/scripts/wallabag.sh
@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -xe
+
+sudo usermod --shell /bin/bash www-data
+
+git clone https://github.com/wallabag/wallabag.git /var/www/wallabag
+mv /tmp/wallabag-params.yml /var/www/wallabag/app/config/parameters.yml
+chown -R www-data:www-data /var/www/wallabag
+
+sudo -i -u www-data bash << EOF
+set -xe
+
+cd /var/www/wallabag
+make install
+php bin/console --env=prod fos:user:create jdormit jeremy.dormitzer@gmail.com "$ADMIN_PASSWORD" --super-admin
+EOF
--- a/prod/wallabag/packer/templates/wallabag-params.yml.template
+++ b/prod/wallabag/packer/templates/wallabag-params.yml.template
@ -0,0 +1,31 @@
+# -*- yaml-mode -*-
+parameters:
+    database_driver: pdo_sqlite
+    database_driver_class: null
+    database_host: null
+    database_port: null
+    database_name: null
+    database_user: null
+    database_password: null
+    database_path: /var/www/wallabag/wallabag.sqlite
+    database_table_prefix: wallabag_
+    database_socket: null
+    database_charset: utf8mb4
+    domain_name: 'https://wallabag.jeremydormitzer.com'
+    mailer_transport: smtp
+    mailer_host: 184.173.153.194
+    mailer_user: postmaster@mg.getpterotype.com
+    mailer_password: ${WALLABAG_MAILGUN_PASSWORD:?}
+    locale: en
+    secret: ${WALLABAG_SECRET:?}
+    twofactor_auth: true
+    twofactor_sender: no-reply@wallabag.org
+    fosuser_registration: true
+    fosuser_confirmation: true
+    from_email: no-reply@wallabag.org
+    rss_limit: 50
+    redis_scheme: tcp
+    redis_host: localhost
+    redis_port: 6379
+    redis_path: null
+    redis_password: null
--- a/prod/wallabag/packer/wallabag.json
+++ b/prod/wallabag/packer/wallabag.json
@ -0,0 +1,48 @@
+{
+  "variables": {
+    "wallabag_admin_password": "{{env `WALLABAG_PASSWORD`}}"
+  },
+  "sensitive-variables": ["wallabag_admin_password"],
+  "builders": [
+    {
+      "type": "digitalocean",
+      "image": "ubuntu-18-04-x64",
+      "region": "nyc1",
+      "size": "s-1vcpu-1gb",
+      "snapshot_name": "packer-wallabag-{{timestamp}}",
+      "ssh_username": "root"
+    }
+  ],
+  "provisioners": [
+    {
+      "type": "shell",
+      "script": "scripts/dependencies.sh"
+    },
+    {
+      "type": "file",
+      "source": "files/wallabag-params.yml",
+      "destination": "/tmp/wallabag-params.yml"
+    },
+    {
+      "type": "shell",
+      "environment_vars": [
+        "ADMIN_PASSWORD={{user `wallabag_admin_password`}}"
+      ],
+      "script": "scripts/wallabag.sh"
+    },
+    {
+      "type": "file",
+      "source": "files/wallabag-nginx.conf",
+      "destination": "/tmp/wallabag-nginx.conf"
+    },
+    {
+      "type": "shell",
+      "script": "scripts/nginx.sh"
+    }
+  ],
+  "post-processors": [
+    {
+      "type": "manifest"
+    }
+  ]
+}
--- a/prod/wallabag/terraform/.terraform.lock.hcl
+++ b/prod/wallabag/terraform/.terraform.lock.hcl
@ -0,0 +1,40 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/digitalocean/digitalocean" {
+  version     = "2.3.0"
+  constraints = "~> 2.3.0"
+  hashes = [
+    "h1:Kmcj3ajzt/lSQkbQwcjzUNK2RXXcHNDCs44LfDhZnaM=",
+    "zh:1c0f68715cf0b84ab40ab08aa59232037325cffc2896ba109cae73c81ab021e9",
+    "zh:306599aec6637c92349abb069d8fea3ebac58f52f61707956320a405f57e4a84",
+    "zh:31db532f05e55cb52d61c12c10197dca48dc8809a4f9cc4a935d3161546968ca",
+    "zh:3dba438c0167e5dcf09115f8d2c33c0a821e6b27e83ec6ccaac5fcb557a50bbb",
+    "zh:770c906ab3eeb5c24c5b8bbcca3b18f137d5ac817bd73fa5c9146eb4a9d891d6",
+    "zh:9221f2d275c776382234882d534a1147db04a8be490c023eb08c9a1e579db021",
+    "zh:a4e25e5dd2ad06de6c7148a270b1178b6298846405ce66b9b4ca51ea35b66907",
+    "zh:b3c5555e0c55efaa91de245e6d69e7140665554d2365db2f664802a36b59e0a8",
+    "zh:c510655b6c5de0227babba5a8bb66a8c3d92af94e080ec1c39bde9509a2aa1a6",
+    "zh:d04a135d9bf32c1a55abaaeb719903f4f67797434dd6d9f3219245f62a9a66be",
+    "zh:dd5b99bec9425eb670be5d19b17336d0fa9b894649dac77eac532e4c626616f5",
+    "zh:e57614fb9f3fbf774a9258a197840f40d0f343e8183eef7a842286a87cfc48d7",
+    "zh:fee52e736edc5ef4088cedae6507790f35e4ee8a078bff1ef894a51dd65d058d",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/local" {
+  version = "2.0.0"
+  hashes = [
+    "h1:pO1ANXtOCRfecKsY9Hn4UsXoPBLv6LFiDIEiS1MZ09E=",
+    "zh:34ce8b79493ace8333d094752b579ccc907fa9392a2c1d6933a6c95d0786d3f1",
+    "zh:5c5a19c4f614a4ffb68bae0b0563f3860115cf7539b8adc21108324cfdc10092",
+    "zh:67ddb1ca2cd3e1a8f948302597ceb967f19d2eeb2d125303493667388fe6330e",
+    "zh:68e6b16f3a8e180fcba1a99754118deb2d82331b51f6cca39f04518339bfdfa6",
+    "zh:8393a12eb11598b2799d51c9b0a922a3d9fadda5a626b94a1b4914086d53120e",
+    "zh:90daea4b2010a86f2aca1e3a9590e0b3ddcab229c2bd3685fae76a832e9e836f",
+    "zh:99308edc734a0ac9149b44f8e316ca879b2670a1cae387a8ae754c180b57cdb4",
+    "zh:c76594db07a9d1a73372a073888b672df64adb455d483c2426cc220eda7e092e",
+    "zh:dc09c1fb36c6a706bdac96cce338952888c8423978426a09f5df93031aa88b84",
+    "zh:deda88134e9780319e8de91b3745520be48ead6ec38cb662694d09185c3dac70",
+  ]
+}
--- a/prod/wallabag/terraform/main.tf
+++ b/prod/wallabag/terraform/main.tf
@ -0,0 +1,43 @@
+provider "digitalocean" {
+  token             = var.do_token
+  spaces_access_id  = var.spaces_access_id
+  spaces_secret_key = var.spaces_secret_key
+}
+
+data "terraform_remote_state" "do_ssh_keys" {
+  backend = "s3"
+
+  config = {
+    skip_credentials_validation = true
+    skip_metadata_api_check     = true
+    access_key                  = var.spaces_access_id
+    secret_key                  = var.spaces_secret_key
+    region                      = "us-east-1"
+    endpoint                    = "nyc3.digitaloceanspaces.com"
+    bucket                      = "jdormit-tf-state"
+    key                         = "mgmt/do-ssh-keys.tfstate"
+  }
+}
+
+data "local_file" "packer_manifest" {
+  filename = "${path.module}/../packer/packer-manifest.json"
+}
+
+locals {
+  packer_manifest  = jsondecode(data.local_file.packer_manifest.content)
+  packer_builds = local.packer_manifest.builds
+  packer_image_str = element(local.packer_builds, length(local.packer_builds) - 1).artifact_id
+  packer_image     = split(":", local.packer_image_str)[1]
+}
+
+resource "digitalocean_droplet" "wallabag" {
+  name       = "wallabag"
+  image      = local.packer_image
+  region     = "nyc1"
+  size       = "s-1vcpu-1gb"
+  backups    = true
+  ssh_keys = [
+    data.terraform_remote_state.do_ssh_keys.outputs.jdormit_laptop_ssh_key_id,
+    data.terraform_remote_state.do_ssh_keys.outputs.jdormit_macbook_lola_ssh_key_id
+  ]
+}
--- a/prod/wallabag/terraform/outputs.tf
+++ b/prod/wallabag/terraform/outputs.tf
@ -0,0 +1,7 @@
+output "ip_address" {
+  value = digitalocean_droplet.wallabag.ipv4_address
+}
+
+output "urn" {
+  value = digitalocean_droplet.wallabag.urn
+}
--- a/prod/wallabag/terraform/terraform.tf
+++ b/prod/wallabag/terraform/terraform.tf
@ -0,0 +1,18 @@
+terraform {
+  required_providers {
+    digitalocean = {
+      source  = "digitalocean/digitalocean"
+      version = "~> 2.3.0"
+    }
+  }
+
+  backend "s3" {
+    skip_credentials_validation = true
+    skip_metadata_api_check     = true
+    # Need to specify an AWS region to stop Terraform complaining
+    region   = "us-east-1"
+    endpoint = "nyc3.digitaloceanspaces.com"
+    bucket   = "jdormit-tf-state"
+    key      = "prod/wallabag.tfstate"
+  }
+}
--- a/prod/wallabag/terraform/variables.tf
+++ b/prod/wallabag/terraform/variables.tf
@ -0,0 +1,11 @@
+variable "do_token" {
+  type = string
+}
+
+variable "spaces_access_id" {
+  type = string
+}
+
+variable "spaces_secret_key" {
+  type = string
+}