ci: setup script on actions

teknologi-umum · May 18, 2024 · 85fa71f · 85fa71f
1 parent 67a73b7
commit 85fa71f
Show file tree

Hide file tree

Showing 9 changed files with 154 additions and 33 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -1,14 +1,43 @@
 name: Deploy
 
 on:
- push:
- branches:
- - master
+ release:
+ types: 
+ - published
+ workflow_dispatch:
 
 jobs:
+ check:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: actions/setup-python@v5
+ with:
+ python-version: 3.11
+
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install -r requirements.txt
+
+ - name: Lint and Format with Ruff
+ run: |
+ pip install ruff
+ ruff check
+ ruff format
+
  deploy:
  runs-on: ubuntu-latest
+ needs:
+ - check
  steps:
+ - name: ZeroTier
+ uses: zerotier/[email protected]
+ with:
+ network_id: ${{ secrets.ZEROTIER_NETWORK_ID }}
+ auth_token: ${{ secrets.ZEROTIER_CENTRAL_TOKEN }}
+
  - uses: actions/checkout@v4
 
  - uses: actions/setup-python@v5
@@ -20,6 +49,95 @@ jobs:
  python -m pip install --upgrade pip
  pip install -r requirements.txt
 
-# TODO: Set SSH config
-# TODO: Acquire known_hosts from each config
-# TODO: Execute the `setup.py` file
+ - name: Register Hibonite SSH key
+ uses: shimataro/ssh-key-action@v2
+ with:
+ key: ${{ secrets.HIBONITE_SSH_KEY }}
+ name: id_hibonite
+ known_hosts: ${{ secrets.HIBONITE_KNOWN_HOSTS }}
+ if_key_exists: replace
+ config: |
+ Host hibonite.gems.teknologiumum.com
+ HostName hibonite.gems.teknologiumum.com
+ User ${{ secrets.HIBONITE_SSH_USER }}
+ Port ${{ secrets.HIBONITE_SSH_PORT }}
+ IdentityFile ~/.ssh/id_hibonite
+ ServerAliveInterval 15
+ 
+ - name: Register Tanzanite SSH key
+ uses: shimataro/ssh-key-action@v2
+ with:
+ key: ${{ secrets.TANZANITE_SSH_KEY }}
+ name: id_tanzanite
+ known_hosts: ${{ secrets.TANZANITE_KNOWN_HOSTS }}
+ if_key_exists: replace
+ config: |
+ Host tanzanite.gems.teknologiumum.com
+ HostName tanzanite.gems.teknologiumum.com
+ User ${{ secrets.TANZANITE_SSH_USER }}
+ Port ${{ secrets.TANZANITE_SSH_PORT }}
+ IdentityFile ~/.ssh/id_tanzanite
+ ServerAliveInterval 15
+
+ - name: Register Painite SSH key
+ uses: shimataro/ssh-key-action@v2
+ with:
+ key: ${{ secrets.PAINITE_SSH_KEY }}
+ name: id_painite
+ known_hosts: ${{ secrets.PAINITE_KNOWN_HOSTS }}
+ if_key_exists: replace
+ config: |
+ Host painite.gems.teknologiumum.com
+ HostName painite.gems.teknologiumum.com
+ User ${{ secrets.PAINITE_SSH_USER }}
+ Port ${{ secrets.PAINITE_SSH_PORT }}
+ IdentityFile ~/.ssh/id_painite
+ ServerAliveInterval 15
+ 
+ - name: Ping Hibonite Host
+ shell: bash
+ run: |
+ count=120 # 2 minutes
+ while ! ping -c 1 hibonite.gems.teknologiumum.com ; do
+ echo "waiting..." ;
+ sleep 1 ;
+ let count=count-1
+ done
+
+ if [ $count -eq 0 ]; then
+ echo "Failed to ping hibonite.gems.teknologiumum.com"
+ exit 1
+ fi
+
+ - name: Ping Tanzanite Host
+ shell: bash
+ run: |
+ count=120 # 2 minutes
+ while ! ping -c 1 tanzanite.gems.teknologiumum.com ; do
+ echo "waiting..." ;
+ sleep 1 ;
+ let count=count-1
+ done
+
+ if [ $count -eq 0 ]; then
+ echo "Failed to ping tanzanite.gems.teknologiumum.com"
+ exit 1
+ fi
+
+ - name: Ping Painite Host
+ shell: bash
+ run: |
+ count=120 # 2 minutes
+ while ! ping -c 1 painite.gems.teknologiumum.com ; do
+ echo "waiting..." ;
+ sleep 1 ;
+ let count=count-1
+ done
+
+ if [ $count -eq 0 ]; then
+ echo "Failed to ping painite.gems.teknologiumum.com"
+ exit 1
+ fi
+
+ - name: Execute setup file
+ run: python3 ./setup.py
diff --git a/README.md b/README.md
@@ -26,4 +26,4 @@ You should have received a copy of the GNU General Public License
 along with this program. If not, see <https://www.gnu.org/licenses/>.
 ```
 
-See [LICENSE](,/LICENSE)
+See [LICENSE](./LICENSE)
diff --git a/conference/docker-compose.yml b/conference/docker-compose.yml
@@ -40,7 +40,7 @@ services:
  - "traefik.enable=true"
  - "traefik.docker.network=public-web"
  - "traefik.http.routers.conf-frontend.entrypoints=web,websecure"
- - "traefik.http.routers.conf-frontend.rule=Host(`conference.teknologiumum.com`)"
+ - "traefik.http.routers.conf-frontend.rule=Host(`conference.teknologiumum.com`) || Host(`conf.teknologiumum.com`)"
  - "traefik.http.routers.conf-frontend.priority=1"
  - "traefik.http.routers.conf-frontend.tls.certresolver=tlsresolver"
  - "traefik.http.routers.conf-frontend.middlewares=conf-frontend-header,conf-frontend-rate,conf-frontend-redirectscheme"
@@ -126,8 +126,8 @@ services:
  - "traefik.enable=true"
  - "traefik.docker.network=public-web"
  - "traefik.http.routers.conf-backend.entrypoints=web,websecure"
- - "traefik.http.routers.conf-backend.rule=Host(`conference.teknologiumum.com`) && PathPrefix(`/api`)"
- - "traefik.http.routers.conf-backend.priority=1"
+ - "traefik.http.routers.conf-backend.rule=(Host(`conference.teknologiumum.com`) || Host(`conf.teknologiumum.com`)) && PathPrefix(`/api`)"
+ - "traefik.http.routers.conf-backend.priority=2"
  - "traefik.http.routers.conf-backend.tls.certresolver=tlsresolver"
  - "traefik.http.routers.conf-backend.middlewares=conf-backend-header,conf-backend-rate,conf-backend-redirectscheme"
  - "traefik.http.services.conf-backend.loadbalancer.server.port=8080"

diff --git a/hacktoberfest/docker-compose.yml b/hacktoberfest/docker-compose.yml
@@ -15,7 +15,7 @@ services:
  - "traefik.enable=true"
  - "traefik.docker.network=public-web"
  - "traefik.http.routers.hacktoberfest_frontend.entrypoints=web,websecure"
- - "traefik.http.routers.hacktoberfest_frontend.rule=Host(`hacktoberfest.teknologiumum.com`) && PathPrefix(`/`)"
+ - "traefik.http.routers.hacktoberfest_frontend.rule=Host(`hacktoberfest.teknologiumum.com`)"
  - "traefik.http.routers.hacktoberfest_frontend.priority=1"
  - "traefik.http.routers.hacktoberfest_frontend.tls.certresolver=tlsresolver"
  - "traefik.http.routers.hacktoberfest_frontend.middlewares=hacktoberfest_frontend-error,hacktoberfest_frontend-header,hacktoberfest_frontend-rate,hacktoberfest_frontend-redirectscheme,hacktoberfest_frontend-compress"

diff --git a/pesto/docker-compose.yml b/pesto/docker-compose.yml
@@ -88,7 +88,7 @@ services:
  - pesto-internal
  volumes:
  - ../redis:/data
- 
+
  pesto-auth:
  image: ghcr.io/teknologi-umum/pesto-auth:edge
  environment:
@@ -108,8 +108,8 @@ services:
  - "traefik.http.middlewares.pesto_auth-error.errors.status=500-599"
  - "traefik.http.middlewares.pesto_auth-error.errors.service=pesto_landing@docker"
  - "traefik.http.middlewares.pesto_auth-error.errors.query=/500"
- - "traefik.http.middlewares.pesto_auth-rate.ratelimit.average=20"
- - "traefik.http.middlewares.pesto_auth-rate.ratelimit.burst=5"
+ - "traefik.http.middlewares.pesto_auth-rate.ratelimit.average=350"
+ - "traefik.http.middlewares.pesto_auth-rate.ratelimit.burst=20"
  - "traefik.http.middlewares.pesto_auth-rate.ratelimit.period=1s"
  - "traefik.http.middlewares.pesto_auth-header.headers.addvaryheader=true"
  - "traefik.http.middlewares.pesto_auth-header.headers.frameDeny=true"
@@ -122,13 +122,13 @@ services:
  - "com.centurylinklabs.watchtower.enable=true"
  platform: linux/amd64
  healthcheck:
- test: "curl -f http://localhost:3000/healthz || exit 1"
+ test: "wget -q --spider http://localhost:3000/healthz || exit 1"
  interval: 15s
  timeout: 10s
  retries: 5
  deploy:
  mode: replicated
- replicas: 2
+ replicas: 1
  restart_policy:
  condition: unless-stopped
  delay: 30s
@@ -172,8 +172,8 @@ services:
  - "traefik.http.middlewares.pesto_rce-error.errors.status=500-599"
  - "traefik.http.middlewares.pesto_rce-error.errors.service=pesto_landing@docker"
  - "traefik.http.middlewares.pesto_rce-error.errors.query=/500"
- - "traefik.http.middlewares.pesto_rce-rate.ratelimit.average=60"
- - "traefik.http.middlewares.pesto_rce-rate.ratelimit.burst=5"
+ - "traefik.http.middlewares.pesto_rce-rate.ratelimit.average=350"
+ - "traefik.http.middlewares.pesto_rce-rate.ratelimit.burst=50"
  - "traefik.http.middlewares.pesto_rce-rate.ratelimit.period=1m"
  - "traefik.http.middlewares.pesto_rce-header.headers.accesscontrolallowmethods=GET,OPTIONS,POST"
  - "traefik.http.middlewares.pesto_rce-header.headers.accesscontrolalloworiginlist=*"
@@ -217,12 +217,10 @@ services:
  image: ghcr.io/teknologi-umum/pesto-registration:edge
  environment:
  <<: [ *defaults ]
- PORT: "80"
+ PORT: "3000"
  SENTRY_DSN: ${REGISTRATION_SENTRY_DSN}
- Sentry__Dsn: ${REGISTRATION_SENTRY_DSN}
- Sentry__Debug: false
- Sentry__Environment: production
- RedisUrl: "db:6379"
+ REDIS_URL: "redis://@db:6379/"
+ MAILERSEND_API_KEY:
  labels:
  - "traefik.enable=true"
  - "traefik.docker.network=public-web"
@@ -231,10 +229,6 @@ services:
  - "traefik.http.routers.pesto_registration.priority=5"
  - "traefik.http.routers.pesto_registration.tls.certresolver=tlsresolver"
  - "traefik.http.routers.pesto_registration.middlewares=pesto_registration-error,pesto_registration-header,pesto_registration-rate,pesto_registration-redirectscheme,pesto_registration-inflightreq"
- - "traefik.http.services.pesto_registration.loadbalancer.server.port=80"
- - "traefik.http.services.pesto_registration.loadbalancer.server.scheme=http"
- - "traefik.http.services.pesto_registration.loadbalancer.healthcheck.interval=30s"
- - "traefik.http.services.pesto_registration.loadbalancer.healthcheck.path=/healthz"
  - "traefik.http.middlewares.pesto_registration-error.errors.status=500-599"
  - "traefik.http.middlewares.pesto_registration-error.errors.service=pesto_landing@docker"
  - "traefik.http.middlewares.pesto_registration-error.errors.query=/500"
@@ -255,10 +249,14 @@ services:
  - "traefik.http.middlewares.pesto_registration-redirectscheme.redirectscheme.scheme=https"
  - "traefik.http.middlewares.pesto_registration-redirectscheme.redirectscheme.permanent=true"
  - "traefik.http.middlewares.pesto_registration-inflightreq.inflightreq.amount=50"
+ - "traefik.http.services.pesto_registration.loadbalancer.server.port=3000"
+ - "traefik.http.services.pesto_registration.loadbalancer.server.scheme=http"
+ - "traefik.http.services.pesto_registration.loadbalancer.healthcheck.interval=30s"
+ - "traefik.http.services.pesto_registration.loadbalancer.healthcheck.path=/healthz"
  - "com.centurylinklabs.watchtower.enable=true"
  platform: linux/amd64
  healthcheck:
- test: "curl -f http://localhost:80/healthz || exit 1"
+ test: "wget -q --spider http://localhost:3000/healthz || exit 1"
  interval: 15s
  timeout: 10s
  retries: 5
@@ -274,7 +272,7 @@ services:
  window: 120s
  resources:
  limits:
- memory: 2GB
+ memory: 500MB
  cpus: '1'
  reservations:
  memory: 25MB

diff --git a/polarite/docker-compose.yml b/polarite/docker-compose.yml
@@ -61,7 +61,8 @@ services:
 
 volumes:
  polarite-data:
-
+ external: true
+
 networks:
  public-web:
  external: true
diff --git a/polarite/setup.sh b/polarite/setup.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+docker volume create polarite-data
diff --git a/setup.py b/setup.py
@@ -107,7 +107,7 @@ def ping(host: str) -> bool:
  for container in containers:
  print(f"Running commands for {container} on {server}")
  _, o1, e1 = client.exec_command(
- f"echo '{SUDO_PASSWORD[server]}' | sudo -S bash -c 'cd {container}; if [ -f \"setup.sh\" ]; then\n sudo ./setup.sh\nfi'"
+ f"echo '{SUDO_PASSWORD[server]}' | sudo -S bash -c 'cd {container}; if [ -f \"setup.sh\" ]; then\n chmod +x setup.sh && sudo ./setup.sh\nfi'"
  )
  for c in iter(lambda: o1.read(1), b""):
  sys.stdout.buffer.write(c)

diff --git a/traefik/docker-compose.yml b/traefik/docker-compose.yml
@@ -1,6 +1,6 @@
 services:
  traefik:
- image: traefik:v2.11.0
+ image: traefik:beaufort
  command:
  - "--api.insecure=true"
  - "--providers.docker=true"
@@ -33,7 +33,8 @@ services:
  - "0.0.0.0:443:443/udp"
  - "[::]:443:443/udp"
  # The Web UI (enabled by --api.insecure=true)
- - "192.168.193.179:8080:8080"
+ - "8080:8080"
+ - "8082:8082"
  platform: "linux/amd64"
  volumes:
  # So that Traefik can listen to the Docker events