remove haproxy and certbot

This commit is contained in:
deflax 2023-11-17 17:54:53 -05:00
parent 13c46df30c
commit 80a3b4c8f5
13 changed files with 4 additions and 268 deletions

View file

@ -1,14 +0,0 @@
FLASK_ENV=development
FLASK_APP=forest/__init__.py
APP_FOLDER=/usr/src/app
SQL_HOST=db
SQL_PORT=5432
DATABASE=postgres
POSTGRES_USER=forest
POSTGRES_PASSWORD=forest123
POSTGRES_DB=forest_dev
DATABASE_URL=postgresql://forest:forest123@db:5432/forest_dev

View file

@ -1,26 +0,0 @@
FLASK_ENV=production
FLASK_APP=forest/__init__.py
APP_FOLDER=/home/app/web
SECRET_KEY=123
RECAPTCHA_PUBLIC_KEY=456
RECAPTCHA_PRIVATE_KEY=789
SQL_HOST=db
SQL_PORT=5432
DATABASE=postgres
DATABASE_URL=postgresql://forest:forest123@db:5432/forest_prod
POSTGRES_USER=forest
POSTGRES_PASSWORD=forest123
POSTGRES_DB=forest_prod
PGADMIN_DEFAULT_EMAIL: daniel@deflax.net
PGADMIN_DEFAULT_PASSWORD=
PGADMIN_CONFIG_SERVER_MODE=False
MAIL_ADMIN=daniel@deflax.net
MAIL_SUBJECT_PREFIX=ForestNet
MAIL_SERVER=smtp.gmail.com
MAIL_USERNAME=admin@gmail.com
MAIL_PASSWORD=kur
MAIL_PORT=25
MAIL_USE_TLS=1

19
.gitignore vendored
View file

@ -5,24 +5,7 @@ __pycache
.DS_Store .DS_Store
# ignore env var files # ignore env var files
.env.dev .env
.env.prod
# ignore lb allowed_ips
lb/dballowed.acl
# ignore letsencrypt generated certificates
data/certbot/etc/*
!data/certbot/etc/.placeholder
data/certbot/var/*
!data/certbot/var/.placeholder
# ignore letsencrypt logs
logs/certbot/*
!logs/certbot/.placeholder
# ignore generated certificates for haproxy
data/certificates/*
# ignore postgresql volumes # ignore postgresql volumes
data/db/* data/db/*

View file

@ -1,32 +1,7 @@
### Development 1. Rename *dist.env* to *.env*. Update the environment variables.
Uses the default Flask development server.
1. Rename *.env.dev-sample* to *.env.dev*.
1. Update the environment variables in the *docker-compose.yml* and *.env.dev* files.
- (M1 chip only) Remove `-slim-buster` from the Python dependency in `services/web/Dockerfile` to suppress an issue with installing psycopg2
1. Build the images and run the containers:
```sh
$ docker-compose -f docker-compose.dev.yml up -d --build
```
Test it out at [http://localhost:5000](http://localhost:5000). The "web" folder is mounted into the container and your code changes apply automatically.
### Production
Uses gunicorn + nginx.
1. Rename *.env.prod-sample* to *.env.prod* and *.env.prod.db-sample* to *.env.prod.db*. Update the environment variables.
2. run osmtile with import script 2. run osmtile with import script
2. Build the images and run the containers: 2. Build the images and run the containers:
```sh ```sh
$ docker-compose up -d --build $ docker-compose up -d --build
``` ```
Test it out at [http://localhost:1337](http://localhost:1337). No mounted folders. To apply changes, the image must be re-built.
### More info:
Check out the [post](https://testdriven.io/blog/dockerizing-flask-with-postgres-gunicorn-and-nginx).

View file

@ -1,29 +0,0 @@
version: '3'
services:
flask:
build: ./flask
command: python manage.py run -h 0.0.0.0
volumes:
- ./flask/:/usr/src/app/
ports:
- 5000:5000
env_file:
- ./.env.dev
depends_on:
- db
db:
image: postgres:13-alpine
volumes:
- postgres_data:/var/lib/postgresql/data/
env_file:
- ./.env.dev
swagger:
image: swaggerapi/swagger-editor
volumes:
- ./swagger.json:/swagger.json
ports:
- "80:8080"
volumes:
postgres_data:

View file

@ -1,38 +1,6 @@
version: '3' version: '3'
services: services:
lb:
image: haproxy:latest
ports:
- "80:80"
- "443:443"
volumes:
- "./data/certificates:/certificates"
- "./lb:/usr/local/etc/haproxy"
depends_on:
- "certbot"
- "flask"
- "osmtile"
restart: always
networks:
- internal
labels:
- meta.role=lb
certbot:
image: "certbot/certbot"
hostname: certbot
volumes:
- "./data/certificates:/certificates"
- "./data/certbot/etc:/etc/letsencrypt"
- "./data/certbot/var:/var/lib/letsencrypt"
- "./logs/certbot:/var/log/letsencrypt"
restart: on-failure
networks:
- internal
labels:
- meta.role=certbot
#entrypoint: sh -c 'while true; do sleep 1; done'
entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 15d & wait $${!}; done;'"
db: db:
image: postgres:13-alpine image: postgres:13-alpine
volumes: volumes:
@ -77,7 +45,7 @@ services:
networks: networks:
- internal - internal
#entrypoint: "/run.sh import" #entrypoint: "/run.sh import"
entrypoint: "/run.sh run" #entrypoint: "/run.sh run"
restart: always restart: always
networks: networks:
internal: {} internal: {}

View file

@ -1,11 +0,0 @@
#!/bin/bash
mkdir -p data/certificates
cd data/certificates
openssl genrsa -out default.key 2048
openssl req -new -key default.key -out default.csr
openssl x509 -req -days 3650 -in default.csr -signkey default.key -out default.crt
cat default.key default.crt >> default.pem
rm default.key
rm default.crt
rm default.csr

View file

@ -1,13 +0,0 @@
#!/bin/bash
CB=`docker ps --format='{{.Names}}' --filter=label=meta.role=certbot`
EMAIL=$2
CERTNAME=$1
DOMAIN=$1
docker exec $CB certbot certonly --non-interactive --standalone --email $2 --agree-tos --keep --preferred-challenges http --cert-name "$CERTNAME" -d "$DOMAIN"
cat "./data/certbot/etc/live/${CERTNAME}/privkey.pem" "./data/certbot/etc/live/${CERTNAME}/fullchain.pem" > "./data/certificates/${CERTNAME}.pem"

View file

@ -1 +0,0 @@
127.0.0.1/32

View file

@ -1,96 +0,0 @@
global
maxconn 4096
user root
group root
daemon
tune.ssl.default-dh-param 2048
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
defaults
log global
mode http
balance roundrobin
maxconn 1024
# This breaks HTTP2
# option abortonclose
option httpclose
option forwardfor
retries 3
option redispatch
timeout client 30s
timeout connect 30s
timeout server 30s
#option httpchk HEAD /haproxy?monitor HTTP/1.0
#timeout check 5s
#stats enable
#stats uri /haproxy?stats
#stats realm Haproxy\ Statistics
#stats auth admin:yourpasswordhere
#stats refresh 5s
cache mapscache
total-max-size 1023 # MB
max-object-size 10000 # bytes
max-age 30 # seconds
frontend http
bind :80
option http-server-close
redirect scheme https if ! { path_beg -i /.well-known/acme-challenge }
default_backend certbot
backend certbot
server c1 certbot:80
frontend https
bind :443 ssl crt /certificates alpn http/1.1
# CORS
http-response set-header Access-Control-Allow-Origin "*"
http-response set-header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization, JSNLog-RequestId, activityId, applicationId, applicationUserId, channelId, senderId, sessionId"
http-response set-header Access-Control-Max-Age 3628800
http-response set-header Access-Control-Allow-Methods "GET"
# SNI ACLs
acl is_forestnet ssl_fc_sni -i forest.deflax.net
acl is_forestdb ssl_fc_sni -i db.forest.deflax.net
acl is_osmap ssl_fc_sni -i map.deflax.net
# IP ACls
acl is_allowed src -f /usr/local/etc/haproxy/dballowed.acl
http-request deny if is_forestdb !is_allowed
http-request set-header X-Forwarded-Protocol https
http-request set-header X-Forwarded-Proto https
http-request set-header X-Forwarded-Ssl on
http-request set-header X-Url-Scheme https
http-request set-header Host %[ssl_fc_sni]
use_backend forestnet if is_forestnet
use_backend forestdb if is_forestdb
use_backend osmap if is_osmap
backend osmap
# Get from cache / put in cache
http-request cache-use mapscache
http-response cache-store mapscache
# server list
server s1 osmtile:80 check
backend forestnet
# server list
server s1 flask:5000 check
backend forestdb
server s1 pgadmin:80 check
#backend docs.deflax.net
# # server list
# server s1 swagger:80 check

View file

@ -1,4 +1,4 @@
FROM overv/openstreetmap-tile-server:1.7.4 FROM overv/openstreetmap-tile-server:2.3.0
EXPOSE 80 EXPOSE 80
# Remove all original style files # Remove all original style files
RUN rm -rf /home/renderer/src/openstreetmap-carto/style/*.mss RUN rm -rf /home/renderer/src/openstreetmap-carto/style/*.mss