From 80a3b4c8f5e143d29706f46a34a926ed88a7e23d Mon Sep 17 00:00:00 2001
From: deflax
Date: Fri, 17 Nov 2023 17:54:53 -0500
Subject: [PATCH] remove haproxy and certbot
---
 .env.dev-sample | 14 -----
 .env.prod-sample | 26 ----------
 .gitignore | 19 +------
 README.md | 27 +---------
 data/certbot/etc/.placeholder | 0
 data/certbot/var/.placeholder | 0
 dev-docker-compose.yml | 29 -----------
 docker-compose.yml | 34 +------------
 gen-selfsigned-cert.sh | 11 ----
 issue-certificate.sh | 13 -----
 lb/dballowed.acl-sample | 1 -
 lb/haproxy.cfg | 96 -----------------------------------
 tileserver/Dockerfile | 2 +-
 13 files changed, 4 insertions(+), 268 deletions(-)
 delete mode 100644 .env.dev-sample
 delete mode 100644 .env.prod-sample
 delete mode 100644 data/certbot/etc/.placeholder
 delete mode 100644 data/certbot/var/.placeholder
 delete mode 100644 dev-docker-compose.yml
 delete mode 100755 gen-selfsigned-cert.sh
 delete mode 100755 issue-certificate.sh
 delete mode 100644 lb/dballowed.acl-sample
 delete mode 100644 lb/haproxy.cfg
diff --git a/.env.dev-sample b/.env.dev-sample
deleted file mode 100644
index bb3355a..0000000
--- a/.env.dev-sample
+++ /dev/null
@@ -1,14 +0,0 @@
-FLASK_ENV=development
-FLASK_APP=forest/__init__.py
-APP_FOLDER=/usr/src/app
-
-SQL_HOST=db
-SQL_PORT=5432
-DATABASE=postgres
-
-POSTGRES_USER=forest
-POSTGRES_PASSWORD=forest123
-POSTGRES_DB=forest_dev
-
-DATABASE_URL=postgresql://forest:forest123@db:5432/forest_dev
-
diff --git a/.env.prod-sample b/.env.prod-sample
deleted file mode 100644
index 4a08dc4..0000000
--- a/.env.prod-sample
+++ /dev/null
@@ -1,26 +0,0 @@ -FLASK_ENV=production -FLASK_APP=forest/__init__.py -APP_FOLDER=/home/app/web -SECRET_KEY=123 -RECAPTCHA_PUBLIC_KEY=456 -RECAPTCHA_PRIVATE_KEY=789 - -SQL_HOST=db -SQL_PORT=5432 -DATABASE=postgres - -DATABASE_URL=postgresql://forest:forest123@db:5432/forest_prod -POSTGRES_USER=forest -POSTGRES_PASSWORD=forest123 -POSTGRES_DB=forest_prod -PGADMIN_DEFAULT_EMAIL: daniel@deflax.net -PGADMIN_DEFAULT_PASSWORD= -PGADMIN_CONFIG_SERVER_MODE=False - -MAIL_ADMIN=daniel@deflax.net -MAIL_SUBJECT_PREFIX=ForestNet -MAIL_SERVER=smtp.gmail.com -MAIL_USERNAME=admin@gmail.com -MAIL_PASSWORD=kur -MAIL_PORT=25 -MAIL_USE_TLS=1 diff --git a/.gitignore b/.gitignore index 96b0914..1876dab 100644 --- a/.gitignore +++ b/.gitignore @@ -5,24 +5,7 @@ __pycache .DS_Store # ignore env var files -.env.dev -.env.prod - -# ignore lb allowed_ips -lb/dballowed.acl - -# ignore letsencrypt generated certificates -data/certbot/etc/* -!data/certbot/etc/.placeholder -data/certbot/var/* -!data/certbot/var/.placeholder - -# ignore letsencrypt logs -logs/certbot/* -!logs/certbot/.placeholder - -# ignore generated certificates for haproxy -data/certificates/* +.env # ignore postgresql volumes data/db/* diff --git a/README.md b/README.md index 3fe788d..5b9846e 100644 --- a/README.md +++ b/README.md 
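Review bot: Replacing the `.env.dev` / `.env.prod` rules with the single pattern `.env` stops ignoring the old per-environment files, so a developer's existing `.env.prod` (which the deleted sample shows carries database, pgadmin and mail credentials) turns into an untracked file that `git add -A` would commit; a prefix pattern such as `.env*` covers the new `.env` and the legacy names while still tracking *dist.env*. The hunk also drops the `logs/certbot/*` rule although the commit's diffstat touches nothing under `logs/`, so `logs/certbot/.placeholder` and any renewal logs left beside it become trackable as well — either delete that directory in this commit or keep the rule until it is gone.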
@@ -1,32 +1,7 @@ -### Development - -Uses the default Flask development server. - -1. Rename *.env.dev-sample* to *.env.dev*. -1. Update the environment variables in the *docker-compose.yml* and *.env.dev* files. - - (M1 chip only) Remove `-slim-buster` from the Python dependency in `services/web/Dockerfile` to suppress an issue with installing psycopg2 -1. Build the images and run the containers: - - ```sh - $ docker-compose -f docker-compose.dev.yml up -d --build - ``` - - Test it out at [http://localhost:5000](http://localhost:5000). The "web" folder is mounted into the container and your code changes apply automatically. - -### Production - -Uses gunicorn + nginx. - -1. Rename *.env.prod-sample* to *.env.prod* and *.env.prod.db-sample* to *.env.prod.db*. Update the environment variables. +1. Rename *dist.env* to *.env*. Update the environment variables. 2. run osmtile with import script 2. Build the images and run the containers: ```sh $ docker-compose up -d --build ``` - - Test it out at [http://localhost:1337](http://localhost:1337). No mounted folders. To apply changes, the image must be re-built. - -### More info: -Check out the [post](https://testdriven.io/blog/dockerizing-flask-with-postgres-gunicorn-and-nginx). - diff --git a/data/certbot/etc/.placeholder b/data/certbot/etc/.placeholder deleted file mode 100644 index e69de29..0000000 diff --git a/data/certbot/var/.placeholder b/data/certbot/var/.placeholder deleted file mode 100644 index e69de29..0000000 diff --git a/dev-docker-compose.yml b/dev-docker-compose.yml deleted file mode 100644 index 978ce2a..0000000 --- a/dev-docker-compose.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -version: '3' - -services: - flask: - build: ./flask - command: python manage.py run -h 0.0.0.0 - volumes: - - ./flask/:/usr/src/app/ - ports: - - 5000:5000 - env_file: - - ./.env.dev - depends_on: - - db - db: - image: postgres:13-alpine - volumes: - - postgres_data:/var/lib/postgresql/data/ - env_file: - - ./.env.dev - swagger: - image: swaggerapi/swagger-editor - volumes: - - ./swagger.json:/swagger.json - ports: - - "80:8080" - -volumes: - postgres_data: diff --git a/docker-compose.yml b/docker-compose.yml index 5994520..81e1fc6 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,38 +1,6 @@ version: '3' services: - lb: - image: haproxy:latest - ports: - - "80:80" - - "443:443" - volumes: - - "./data/certificates:/certificates" - - "./lb:/usr/local/etc/haproxy" - depends_on: - - "certbot" - - "flask" - - "osmtile" - restart: always - networks: - - internal - labels: - - meta.role=lb - certbot: - image: "certbot/certbot" - hostname: certbot - volumes: - - "./data/certificates:/certificates" - - "./data/certbot/etc:/etc/letsencrypt" - - "./data/certbot/var:/var/lib/letsencrypt" - - "./logs/certbot:/var/log/letsencrypt" - restart: on-failure - networks: - - internal - labels: - - meta.role=certbot - #entrypoint: sh -c 'while true; do sleep 1; done' - entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 15d & wait $${!}; done;'" db: image: postgres:13-alpine volumes: @@ -77,7 +45,7 @@ services: networks: - internal #entrypoint: "/run.sh import" - entrypoint: "/run.sh run" + #entrypoint: "/run.sh run" restart: always networks: internal: {} diff --git a/gen-selfsigned-cert.sh b/gen-selfsigned-cert.sh deleted file mode 100755 index 2ccc007..0000000 --- a/gen-selfsigned-cert.sh +++ /dev/null 
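Review bot: With the `lb` service removed, nothing left in docker-compose.yml terminates TLS or applies the source-IP allow-list that the deleted haproxy.cfg enforced in front of pgadmin (`http-request deny if is_forestdb !is_allowed`), and the services visible in the hunk still only join the `internal` network; if flask, osmtile or pgadmin are now given `ports:` entries further down the file they would be reachable over plain HTTP with no per-client restriction, so the replacement edge (a reverse proxy or host firewall rule) should be named in the commit message or a comment. In the second hunk both `#entrypoint: "/run.sh import"` and `#entrypoint: "/run.sh run"` are now comments, so the container of that service (presumably osmtile) falls back to whatever the base image defines after the tag bump in tileserver/Dockerfile; a comment such as `# entrypoint intentionally left to the image default; uncomment "/run.sh import" for the one-off data import` would make that deliberate. The definitions of the remaining services continue outside both hunks.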
@@ -1,11 +0,0 @@
-#!/bin/bash
-
-mkdir -p data/certificates
-cd data/certificates
-openssl genrsa -out default.key 2048
-openssl req -new -key default.key -out default.csr
-openssl x509 -req -days 3650 -in default.csr -signkey default.key -out default.crt
-cat default.key default.crt >> default.pem
-rm default.key
-rm default.crt
-rm default.csr
diff --git a/issue-certificate.sh b/issue-certificate.sh
deleted file mode 100755
index 7749f9b..0000000
--- a/issue-certificate.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/bash
-
-CB=`docker ps --format='{{.Names}}' --filter=label=meta.role=certbot`
-
-EMAIL=$2
-
-CERTNAME=$1
-DOMAIN=$1
-
-docker exec $CB certbot certonly --non-interactive --standalone --email $2 --agree-tos --keep --preferred-challenges http --cert-name "$CERTNAME" -d "$DOMAIN"
-
-cat "./data/certbot/etc/live/${CERTNAME}/privkey.pem" "./data/certbot/etc/live/${CERTNAME}/fullchain.pem" > "./data/certificates/${CERTNAME}.pem"
-
diff --git a/lb/dballowed.acl-sample b/lb/dballowed.acl-sample
deleted file mode 100644
index 26fe2b0..0000000
--- a/lb/dballowed.acl-sample
+++ /dev/null
@@ -1 +0,0 @@
-127.0.0.1/32
diff --git a/lb/haproxy.cfg b/lb/haproxy.cfg
deleted file mode 100644
index a7dd746..0000000
--- a/lb/haproxy.cfg
+++ /dev/null
@@ -1,96 +0,0 @@ -global - maxconn 4096 - user root - group root - daemon - - tune.ssl.default-dh-param 2048 - ssl-default-bind-options no-sslv3 no-tls-tickets - ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA - -defaults - log global - mode http - balance roundrobin - maxconn 1024 - -# This breaks HTTP2 -# option abortonclose - option httpclose - option forwardfor - - retries 3 - option redispatch - - timeout client 30s - timeout connect 30s - timeout server 30s - - #option httpchk HEAD /haproxy?monitor HTTP/1.0 - #timeout check 5s - #stats enable - #stats uri /haproxy?stats - #stats realm Haproxy\ Statistics - #stats auth admin:yourpasswordhere - #stats refresh 5s - -cache mapscache - total-max-size 1023 # MB - max-object-size 10000 # bytes - max-age 30 # seconds - -frontend http - bind :80 - option http-server-close - redirect scheme https if ! 
{ path_beg -i /.well-known/acme-challenge } - default_backend certbot - -backend certbot - server c1 certbot:80 - -frontend https - bind :443 ssl crt /certificates alpn http/1.1 - - # CORS - http-response set-header Access-Control-Allow-Origin "*" - http-response set-header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization, JSNLog-RequestId, activityId, applicationId, applicationUserId, channelId, senderId, sessionId" - http-response set-header Access-Control-Max-Age 3628800 - http-response set-header Access-Control-Allow-Methods "GET" - - # SNI ACLs - acl is_forestnet ssl_fc_sni -i forest.deflax.net - acl is_forestdb ssl_fc_sni -i db.forest.deflax.net - acl is_osmap ssl_fc_sni -i map.deflax.net - - # IP ACls - acl is_allowed src -f /usr/local/etc/haproxy/dballowed.acl - - http-request deny if is_forestdb !is_allowed - - http-request set-header X-Forwarded-Protocol https - http-request set-header X-Forwarded-Proto https - http-request set-header X-Forwarded-Ssl on - http-request set-header X-Url-Scheme https - http-request set-header Host %[ssl_fc_sni] - - use_backend forestnet if is_forestnet - use_backend forestdb if is_forestdb - use_backend osmap if is_osmap - -backend osmap - # Get from cache / put in cache - http-request cache-use mapscache - http-response cache-store mapscache - # server list - server s1 osmtile:80 check - -backend forestnet - # server list - server s1 flask:5000 check - -backend forestdb - server s1 pgadmin:80 check - -#backend docs.deflax.net -# # server list -# server s1 swagger:80 check diff --git a/tileserver/Dockerfile b/tileserver/Dockerfile index 3ea57f3..7d67b26 100644 --- a/tileserver/Dockerfile +++ b/tileserver/Dockerfile @@ -1,4 +1,4 @@ -FROM overv/openstreetmap-tile-server:1.7.4 +FROM overv/openstreetmap-tile-server:2.3.0 EXPOSE 80 # Remove all original style files RUN rm -rf /home/renderer/src/openstreetmap-carto/style/*.mss