remove haproxy and certbot

2023-11-17 17:54:53 -05:00 · 2023-11-17 17:54:53 -05:00 · 80a3b4c8f5
commit 80a3b4c8f5
parent 13c46df30c
13 changed files with 4 additions and 268 deletions
--- a/.env.dev-sample
+++ b/.env.dev-sample
@ -1,14 +0,0 @@
 FLASK_ENV=development
 FLASK_APP=forest/__init__.py
 APP_FOLDER=/usr/src/app
 SQL_HOST=db
 SQL_PORT=5432
 DATABASE=postgres
 POSTGRES_USER=forest
 POSTGRES_PASSWORD=forest123
 POSTGRES_DB=forest_dev
 DATABASE_URL=postgresql://forest:forest123@db:5432/forest_dev
--- a/.env.prod-sample
+++ b/.env.prod-sample
@ -1,26 +0,0 @@
 FLASK_ENV=production
 FLASK_APP=forest/__init__.py
 APP_FOLDER=/home/app/web
 SECRET_KEY=123
 RECAPTCHA_PUBLIC_KEY=456
 RECAPTCHA_PRIVATE_KEY=789
 SQL_HOST=db
 SQL_PORT=5432
 DATABASE=postgres
 DATABASE_URL=postgresql://forest:forest123@db:5432/forest_prod
 POSTGRES_USER=forest
 POSTGRES_PASSWORD=forest123
 POSTGRES_DB=forest_prod
 PGADMIN_DEFAULT_EMAIL: daniel@deflax.net
 PGADMIN_DEFAULT_PASSWORD=
 PGADMIN_CONFIG_SERVER_MODE=False
 MAIL_ADMIN=daniel@deflax.net
 MAIL_SUBJECT_PREFIX=ForestNet
 MAIL_SERVER=smtp.gmail.com
 MAIL_USERNAME=admin@gmail.com
 MAIL_PASSWORD=kur
 MAIL_PORT=25
 MAIL_USE_TLS=1
--- a/.gitignore
+++ b/.gitignore
@ -5,24 +5,7 @@ __pycache
 .DS_Store
 # ignore env var files
-.env.dev
+.env
 .env.prod
 # ignore lb allowed_ips
 lb/dballowed.acl
 # ignore letsencrypt generated certificates
 data/certbot/etc/*
 !data/certbot/etc/.placeholder
 data/certbot/var/*
 !data/certbot/var/.placeholder
 # ignore letsencrypt logs
 logs/certbot/*
 !logs/certbot/.placeholder
 # ignore generated certificates for haproxy
 data/certificates/*
 # ignore postgresql volumes
 data/db/*
--- a/README.md
+++ b/README.md
@ -1,32 +1,7 @@
-### Development
+1. Rename *dist.env* to *.env*. Update the environment variables.
 Uses the default Flask development server.
 1. Rename *.env.dev-sample* to *.env.dev*.
 1. Update the environment variables in the *docker-compose.yml* and *.env.dev* files.
    - (M1 chip only) Remove `-slim-buster` from the Python dependency in `services/web/Dockerfile` to suppress an issue with installing psycopg2
 1. Build the images and run the containers:
    ```sh
    $ docker-compose -f docker-compose.dev.yml up -d --build
    ```
    Test it out at [http://localhost:5000](http://localhost:5000). The "web" folder is mounted into the container and your code changes apply automatically.
 ### Production
 Uses gunicorn + nginx.
 1. Rename *.env.prod-sample* to *.env.prod* and *.env.prod.db-sample* to *.env.prod.db*. Update the environment variables.
 2. run osmtile with import script
 2. Build the images and run the containers:
    ```sh
    $ docker-compose  up -d --build
    ```
    Test it out at [http://localhost:1337](http://localhost:1337). No mounted folders. To apply changes, the image must be re-built.
 ### More info:
 Check out the [post](https://testdriven.io/blog/dockerizing-flask-with-postgres-gunicorn-and-nginx).
--- a/data/certbot/etc/.placeholder
+++ b/data/certbot/etc/.placeholder
--- a/data/certbot/var/.placeholder
+++ b/data/certbot/var/.placeholder
--- a/dev-docker-compose.yml
+++ b/dev-docker-compose.yml
@ -1,29 +0,0 @@
 version: '3'
 services:
  flask:
    build: ./flask
    command: python manage.py run -h 0.0.0.0
    volumes:
      - ./flask/:/usr/src/app/
    ports:
      - 5000:5000
    env_file:
      - ./.env.dev
    depends_on:
      - db
  db:
    image: postgres:13-alpine
    volumes:
      - postgres_data:/var/lib/postgresql/data/
    env_file:
      - ./.env.dev
  swagger:
    image: swaggerapi/swagger-editor
    volumes:
      - ./swagger.json:/swagger.json
    ports:
      - "80:8080"
 volumes:
  postgres_data:
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -1,38 +1,6 @@
 version: '3'
 services:
  lb:
    image: haproxy:latest
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "./data/certificates:/certificates"
      - "./lb:/usr/local/etc/haproxy"
    depends_on:
      - "certbot"
      - "flask"
      - "osmtile"
    restart: always
    networks:
      - internal
    labels:
      - meta.role=lb
  certbot:
    image: "certbot/certbot"
    hostname: certbot
    volumes:
      - "./data/certificates:/certificates"
      - "./data/certbot/etc:/etc/letsencrypt"
      - "./data/certbot/var:/var/lib/letsencrypt"
      - "./logs/certbot:/var/log/letsencrypt"
    restart: on-failure
    networks:
      - internal
    labels:
      - meta.role=certbot
    #entrypoint: sh -c 'while true; do sleep 1; done'
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 15d & wait $${!}; done;'"
  db:
    image: postgres:13-alpine
    volumes:
@ -77,7 +45,7 @@ services:
    networks:
      - internal
    #entrypoint: "/run.sh import"
-    entrypoint: "/run.sh run"
+    #entrypoint: "/run.sh run"
    restart: always
 networks:
  internal: {} 
--- a/gen-selfsigned-cert.sh
+++ b/gen-selfsigned-cert.sh
@ -1,11 +0,0 @@
 #!/bin/bash
 mkdir -p data/certificates
 cd data/certificates
 openssl genrsa -out default.key 2048
 openssl req -new -key default.key -out default.csr
 openssl x509 -req -days 3650 -in default.csr -signkey default.key -out default.crt
 cat default.key default.crt >> default.pem
 rm default.key
 rm default.crt
 rm default.csr
--- a/issue-certificate.sh
+++ b/issue-certificate.sh
@ -1,13 +0,0 @@
 #!/bin/bash
 CB=`docker ps --format='{{.Names}}' --filter=label=meta.role=certbot`
 EMAIL=$2
 CERTNAME=$1
 DOMAIN=$1
 docker exec $CB certbot certonly --non-interactive --standalone --email $2 --agree-tos --keep --preferred-challenges http --cert-name "$CERTNAME" -d "$DOMAIN"
 cat "./data/certbot/etc/live/${CERTNAME}/privkey.pem" "./data/certbot/etc/live/${CERTNAME}/fullchain.pem" > "./data/certificates/${CERTNAME}.pem"
--- a/lb/dballowed.acl-sample
+++ b/lb/dballowed.acl-sample
@ -1 +0,0 @@
 127.0.0.1/32
--- a/lb/haproxy.cfg
+++ b/lb/haproxy.cfg
@ -1,96 +0,0 @@
 global
    maxconn 4096
    user root
    group root
    daemon
    tune.ssl.default-dh-param       2048
    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
 defaults
    log global
    mode http
    balance roundrobin
    maxconn 1024
 #   This breaks HTTP2
 #    option abortonclose
    option httpclose
    option forwardfor
    retries 3
    option redispatch
    timeout client  30s
    timeout connect 30s
    timeout server  30s
    #option httpchk HEAD /haproxy?monitor HTTP/1.0
    #timeout check 5s
    #stats enable
    #stats uri     /haproxy?stats
    #stats realm   Haproxy\ Statistics
    #stats auth    admin:yourpasswordhere
    #stats refresh 5s
 cache mapscache
    total-max-size 1023   # MB
    max-object-size 10000 # bytes
    max-age 30            # seconds
 frontend http
    bind :80
    option http-server-close
    redirect scheme https if ! { path_beg -i /.well-known/acme-challenge }
    default_backend certbot
 backend certbot
    server c1 certbot:80
 frontend https
    bind :443 ssl crt /certificates alpn http/1.1
    # CORS
    http-response set-header Access-Control-Allow-Origin "*"
    http-response set-header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization, JSNLog-RequestId, activityId, applicationId, applicationUserId, channelId, senderId, sessionId"
    http-response set-header Access-Control-Max-Age 3628800
    http-response set-header Access-Control-Allow-Methods "GET"
    # SNI ACLs
    acl is_forestnet ssl_fc_sni -i forest.deflax.net
    acl is_forestdb ssl_fc_sni -i db.forest.deflax.net
    acl is_osmap ssl_fc_sni -i map.deflax.net
    # IP ACls
    acl is_allowed src -f /usr/local/etc/haproxy/dballowed.acl
    http-request deny if is_forestdb !is_allowed
    http-request set-header X-Forwarded-Protocol https
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Ssl on
    http-request set-header X-Url-Scheme https
    http-request set-header Host %[ssl_fc_sni]
    use_backend forestnet if is_forestnet
    use_backend forestdb if is_forestdb
    use_backend osmap if is_osmap
 backend osmap
    # Get from cache / put in cache
    http-request cache-use mapscache
    http-response cache-store mapscache
    # server list
    server s1 osmtile:80 check
 backend forestnet
    # server list
    server s1 flask:5000 check
 backend forestdb
    server s1 pgadmin:80 check
 #backend docs.deflax.net
 #    # server list
 #    server s1 swagger:80 check
--- a/tileserver/Dockerfile
+++ b/tileserver/Dockerfile
@ -1,4 +1,4 @@
-FROM overv/openstreetmap-tile-server:1.7.4
+FROM overv/openstreetmap-tile-server:2.3.0
 EXPOSE 80
 # Remove all original style files
 RUN rm -rf /home/renderer/src/openstreetmap-carto/style/*.mss