diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 66e577b..12dd8e6 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -1,14 +1,43 @@
name: Deploy
on:
- push:
- branches:
- - master
+ release:
+ types:
+ - published
+ workflow_dispatch:
jobs:
+ check:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: actions/setup-python@v5
+ with:
+ python-version: 3.11
+
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install -r requirements.txt
+
+ - name: Lint and Format with Ruff
+ run: |
+ pip install ruff
+ ruff check
+ ruff format
+
deploy:
runs-on: ubuntu-latest
+ needs:
+ - check
steps:
+ - name: ZeroTier
+ uses: zerotier/github-action@v1.0.1
+ with:
+ network_id: ${{ secrets.ZEROTIER_NETWORK_ID }}
+ auth_token: ${{ secrets.ZEROTIER_CENTRAL_TOKEN }}
+
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
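Review bot: `ruff format` in the `Lint and Format with Ruff` step rewrites files in the runner's checkout and exits 0, so a formatting violation never fails the `check` job that `deploy` now depends on; the CI form is `ruff format --check` (`ruff check` is already the right form for lint). Two smaller points in the same hunk: `python-version: 3.11` is an unquoted float that only works because of this particular value (`3.10` would parse as `3.1`), so write `python-version: "3.11"`; and `zerotier/github-action@v1.0.1` is handed `ZEROTIER_NETWORK_ID` and `ZEROTIER_CENTRAL_TOKEN` while being pinned by a mutable tag, so pin that third-party action to a full commit SHA. The `deploy` job body continues past the end of this hunk.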
@@ -20,6 +49,95 @@ jobs:
python -m pip install --upgrade pip
pip install -r requirements.txt
-# TODO: Set SSH config
-# TODO: Acquire known_hosts from each config
-# TODO: Execute the `setup.py` file
+ - name: Register Hibonite SSH key
+ uses: shimataro/ssh-key-action@v2
+ with:
+ key: ${{ secrets.HIBONITE_SSH_KEY }}
+ name: id_hibonite
+ known_hosts: ${{ secrets.HIBONITE_KNOWN_HOSTS }}
+ if_key_exists: replace
+ config: |
+ Host hibonite.gems.teknologiumum.com
+ HostName hibonite.gems.teknologiumum.com
+ User ${{ secrets.HIBONITE_SSH_USER }}
+ Port ${{ secrets.HIBONITE_SSH_PORT }}
+ IdentityFile ~/.ssh/id_hibonite
+ ServerAliveInterval 15
+
+ - name: Register Tanzanite SSH key
+ uses: shimataro/ssh-key-action@v2
+ with:
+ key: ${{ secrets.TANZANITE_SSH_KEY }}
+ name: id_tanzanite
+ known_hosts: ${{ secrets.TANZANITE_KNOWN_HOSTS }}
+ if_key_exists: replace
+ config: |
+ Host tanzanite.gems.teknologiumum.com
+ HostName tanzanite.gems.teknologiumum.com
+ User ${{ secrets.TANZANITE_SSH_USER }}
+ Port ${{ secrets.TANZANITE_SSH_PORT }}
+ IdentityFile ~/.ssh/id_tanzanite
+ ServerAliveInterval 15
+
+ - name: Register Painite SSH key
+ uses: shimataro/ssh-key-action@v2
+ with:
+ key: ${{ secrets.PAINITE_SSH_KEY }}
+ name: id_painite
+ known_hosts: ${{ secrets.PAINITE_KNOWN_HOSTS }}
+ if_key_exists: replace
+ config: |
+ Host painite.gems.teknologiumum.com
+ HostName painite.gems.teknologiumum.com
+ User ${{ secrets.PAINITE_SSH_USER }}
+ Port ${{ secrets.PAINITE_SSH_PORT }}
+ IdentityFile ~/.ssh/id_painite
+ ServerAliveInterval 15
+
+ - name: Ping Hibonite Host
+ shell: bash
+ run: |
+ count=120 # 2 minutes
+ while ! ping -c 1 hibonite.gems.teknologiumum.com ; do
+ echo "waiting..." ;
+ sleep 1 ;
+ let count=count-1
+ done
+
+ if [ $count -eq 0 ]; then
+ echo "Failed to ping hibonite.gems.teknologiumum.com"
+ exit 1
+ fi
+
+ - name: Ping Tanzanite Host
+ shell: bash
+ run: |
+ count=120 # 2 minutes
+ while ! 
ping -c 1 tanzanite.gems.teknologiumum.com ; do
+ echo "waiting..." ;
+ sleep 1 ;
+ let count=count-1
+ done
+
+ if [ $count -eq 0 ]; then
+ echo "Failed to ping tanzanite.gems.teknologiumum.com"
+ exit 1
+ fi
+
+ - name: Ping Painite Host
+ shell: bash
+ run: |
+ count=120 # 2 minutes
+ while ! ping -c 1 painite.gems.teknologiumum.com ; do
+ echo "waiting..." ;
+ sleep 1 ;
+ let count=count-1
+ done
+
+ if [ $count -eq 0 ]; then
+ echo "Failed to ping painite.gems.teknologiumum.com"
+ exit 1
+ fi
+
+ - name: Execute setup file
+ run: python3 ./setup.py
diff --git a/README.md b/README.md
index 3dcbf44..5839855 100644
--- a/README.md
+++ b/README.md
@@ -26,4 +26,4 @@ You should have received a copy of the GNU General Public License
along with this program. If not, see .
```
-See [LICENSE](,/LICENSE)
+See [LICENSE](./LICENSE)
diff --git a/conference/docker-compose.yml b/conference/docker-compose.yml
index c4e49a1..e549538 100644
--- a/conference/docker-compose.yml
+++ b/conference/docker-compose.yml
@@ -40,7 +40,7 @@ services:
- "traefik.enable=true"
- "traefik.docker.network=public-web"
- "traefik.http.routers.conf-frontend.entrypoints=web,websecure"
- - "traefik.http.routers.conf-frontend.rule=Host(`conference.teknologiumum.com`)"
+ - "traefik.http.routers.conf-frontend.rule=Host(`conference.teknologiumum.com`) || Host(`conf.teknologiumum.com`)"
- "traefik.http.routers.conf-frontend.priority=1"
- "traefik.http.routers.conf-frontend.tls.certresolver=tlsresolver"
- "traefik.http.routers.conf-frontend.middlewares=conf-frontend-header,conf-frontend-rate,conf-frontend-redirectscheme"
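Review bot: The 2-minute budget in the three `Ping … Host` steps never takes effect: `let count=count-1` decrements inside the loop, but the `while ! ping -c 1 …` condition never looks at `count`, so an unreachable host keeps the loop spinning until the job's global timeout, and `count` goes negative on the way so the `if [ $count -eq 0 ]` guard is never true either. Make the counter part of the loop condition, `while [ "$count" -gt 0 ] && ! ping -c 1 -W 1 hibonite.gems.teknologiumum.com; do`, keep the check after the loop as `if [ "$count" -le 0 ]; then`, and apply the same to the Tanzanite and Painite steps; `-W 1` bounds each probe so a silently dropped packet does not stretch one iteration well past a second. `let` is fine under `shell: bash`, but `count=$((count-1))` reads the same in any POSIX shell. This hunk starts inside the `deploy` job, whose header is in the previous hunk.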
@@ -126,8 +126,8 @@ services:
- "traefik.enable=true"
- "traefik.docker.network=public-web"
- "traefik.http.routers.conf-backend.entrypoints=web,websecure"
- - "traefik.http.routers.conf-backend.rule=Host(`conference.teknologiumum.com`) && PathPrefix(`/api`)"
- - "traefik.http.routers.conf-backend.priority=1"
+ - "traefik.http.routers.conf-backend.rule=(Host(`conference.teknologiumum.com`) || Host(`conf.teknologiumum.com`)) && PathPrefix(`/api`)"
+ - "traefik.http.routers.conf-backend.priority=2"
- "traefik.http.routers.conf-backend.tls.certresolver=tlsresolver"
- "traefik.http.routers.conf-backend.middlewares=conf-backend-header,conf-backend-rate,conf-backend-redirectscheme"
- "traefik.http.services.conf-backend.loadbalancer.server.port=8080"
diff --git a/hacktoberfest/docker-compose.yml b/hacktoberfest/docker-compose.yml
index c989d9c..9a970e1 100644
--- a/hacktoberfest/docker-compose.yml
+++ b/hacktoberfest/docker-compose.yml
@@ -15,7 +15,7 @@ services:
- "traefik.enable=true"
- "traefik.docker.network=public-web"
- "traefik.http.routers.hacktoberfest_frontend.entrypoints=web,websecure"
- - "traefik.http.routers.hacktoberfest_frontend.rule=Host(`hacktoberfest.teknologiumum.com`) && PathPrefix(`/`)"
+ - "traefik.http.routers.hacktoberfest_frontend.rule=Host(`hacktoberfest.teknologiumum.com`)"
- "traefik.http.routers.hacktoberfest_frontend.priority=1"
- "traefik.http.routers.hacktoberfest_frontend.tls.certresolver=tlsresolver"
- "traefik.http.routers.hacktoberfest_frontend.middlewares=hacktoberfest_frontend-error,hacktoberfest_frontend-header,hacktoberfest_frontend-rate,hacktoberfest_frontend-redirectscheme,hacktoberfest_frontend-compress"
diff --git a/pesto/docker-compose.yml b/pesto/docker-compose.yml
index 9921584..7b0a19b 100644
--- a/pesto/docker-compose.yml
+++ b/pesto/docker-compose.yml
@@ -88,7 +88,8 @@ services:
- pesto-internal
volumes:
- ../redis:/data
-
+
pesto-auth:
image: ghcr.io/teknologi-umum/pesto-auth:edge
environment:
@@ -108,8 +108,8 @@ services:
- "traefik.http.middlewares.pesto_auth-error.errors.status=500-599"
- "traefik.http.middlewares.pesto_auth-error.errors.service=pesto_landing@docker"
- "traefik.http.middlewares.pesto_auth-error.errors.query=/500"
- - "traefik.http.middlewares.pesto_auth-rate.ratelimit.average=20"
- - "traefik.http.middlewares.pesto_auth-rate.ratelimit.burst=5"
+ - "traefik.http.middlewares.pesto_auth-rate.ratelimit.average=350"
+ - "traefik.http.middlewares.pesto_auth-rate.ratelimit.burst=20"
- "traefik.http.middlewares.pesto_auth-rate.ratelimit.period=1s"
- "traefik.http.middlewares.pesto_auth-header.headers.addvaryheader=true"
- "traefik.http.middlewares.pesto_auth-header.headers.frameDeny=true"
@@ -122,13 +122,13 @@ services:
- "com.centurylinklabs.watchtower.enable=true"
platform: linux/amd64
healthcheck:
- test: "curl -f http://localhost:3000/healthz || exit 1"
+ test: "wget -q --spider http://localhost:3000/healthz || exit 1"
interval: 15s
timeout: 10s
retries: 5
deploy:
mode: replicated
- replicas: 2
+ replicas: 1
restart_policy:
condition: unless-stopped
delay: 30s
@@ -172,8 +172,8 @@ services:
- "traefik.http.middlewares.pesto_rce-error.errors.status=500-599"
- "traefik.http.middlewares.pesto_rce-error.errors.service=pesto_landing@docker"
- "traefik.http.middlewares.pesto_rce-error.errors.query=/500"
- - "traefik.http.middlewares.pesto_rce-rate.ratelimit.average=60"
- - "traefik.http.middlewares.pesto_rce-rate.ratelimit.burst=5"
+ - "traefik.http.middlewares.pesto_rce-rate.ratelimit.average=350"
+ - "traefik.http.middlewares.pesto_rce-rate.ratelimit.burst=50"
- "traefik.http.middlewares.pesto_rce-rate.ratelimit.period=1m"
- "traefik.http.middlewares.pesto_rce-header.headers.accesscontrolallowmethods=GET,OPTIONS,POST"
- "traefik.http.middlewares.pesto_rce-header.headers.accesscontrolalloworiginlist=*"
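Review bot: The `pesto_auth-rate` limit goes from 20 req/s with burst 5 to 350 req/s with burst 20 per source under the unchanged `period=1s`, and the hunk gives no reason; for a service whose name suggests it issues or validates credentials, that is a large loosening of what presumably acted as a brute-force and enumeration throttle on the public router. If the raise is for a legitimate high-volume caller (for example internal token verification from another pesto service), keep the low limit on the public router and give that caller its own router or the internal network path instead, or at least record the rationale above the label, `# raised from 20/5: <reason>`. The `@@ -172` hunk below makes the same kind of unexplained change to `pesto_rce-rate` (60 to 350 per minute, burst 5 to 50) and would benefit from the same comment.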
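Review bot: The new healthcheck `wget -q --spider http://localhost:3000/healthz` changes the request method depending on which wget the image ships: GNU wget's `--spider` sends HEAD while BusyBox's sends GET, so a `/healthz` handler that only answers GET would mark the container unhealthy on a GNU-wget image; `test: "wget -q -O /dev/null http://localhost:3000/healthz || exit 1"` keeps GET semantics with either binary. The image contents are not visible in the diff, so also confirm wget exists in it at all (distroless or scratch images ship neither curl nor wget). The same healthcheck line is introduced for `pesto_registration` in the `@@ -255` hunk of this file, and `replicas: 2` → `1` in this hunk presumably removes the redundancy that let one replica keep serving while the other was failing its check.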
@@ -217,12 +217,10 @@ services:
image: ghcr.io/teknologi-umum/pesto-registration:edge
environment:
<<: [ *defaults ]
- PORT: "80"
+ PORT: "3000"
SENTRY_DSN: ${REGISTRATION_SENTRY_DSN}
- Sentry__Dsn: ${REGISTRATION_SENTRY_DSN}
- Sentry__Debug: false
- Sentry__Environment: production
- RedisUrl: "db:6379"
+ REDIS_URL: "redis://@db:6379/"
+ MAILERSEND_API_KEY:
labels:
- "traefik.enable=true"
- "traefik.docker.network=public-web"
@@ -231,10 +229,6 @@ services:
- "traefik.http.routers.pesto_registration.priority=5"
- "traefik.http.routers.pesto_registration.tls.certresolver=tlsresolver"
- "traefik.http.routers.pesto_registration.middlewares=pesto_registration-error,pesto_registration-header,pesto_registration-rate,pesto_registration-redirectscheme,pesto_registration-inflightreq"
- - "traefik.http.services.pesto_registration.loadbalancer.server.port=80"
- - "traefik.http.services.pesto_registration.loadbalancer.server.scheme=http"
- - "traefik.http.services.pesto_registration.loadbalancer.healthcheck.interval=30s"
- - "traefik.http.services.pesto_registration.loadbalancer.healthcheck.path=/healthz"
- "traefik.http.middlewares.pesto_registration-error.errors.status=500-599"
- "traefik.http.middlewares.pesto_registration-error.errors.service=pesto_landing@docker"
- "traefik.http.middlewares.pesto_registration-error.errors.query=/500"
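Review bot: `MAILERSEND_API_KEY:` with no value parses as YAML null, which Compose treats as "inherit from the shell running compose"; when the deploy host does not have that variable exported, the service starts silently without the key and only fails at the first e-mail send. The sibling `SENTRY_DSN: ${REGISTRATION_SENTRY_DSN}` line uses explicit interpolation, so for consistency and fail-fast behaviour write `MAILERSEND_API_KEY: ${MAILERSEND_API_KEY:?MAILERSEND_API_KEY is not set}`, which makes `compose up` abort instead. The `PORT: "3000"` and `REDIS_URL` changes look consistent with the port-3000 load-balancer labels re-added further down in this file.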
@@ -255,10 +249,14 @@ services:
- "traefik.http.middlewares.pesto_registration-redirectscheme.redirectscheme.scheme=https"
- "traefik.http.middlewares.pesto_registration-redirectscheme.redirectscheme.permanent=true"
- "traefik.http.middlewares.pesto_registration-inflightreq.inflightreq.amount=50"
+ - "traefik.http.services.pesto_registration.loadbalancer.server.port=3000"
+ - "traefik.http.services.pesto_registration.loadbalancer.server.scheme=http"
+ - "traefik.http.services.pesto_registration.loadbalancer.healthcheck.interval=30s"
+ - "traefik.http.services.pesto_registration.loadbalancer.healthcheck.path=/healthz"
- "com.centurylinklabs.watchtower.enable=true"
platform: linux/amd64
healthcheck:
- test: "curl -f http://localhost:80/healthz || exit 1"
+ test: "wget -q --spider http://localhost:3000/healthz || exit 1"
interval: 15s
timeout: 10s
retries: 5
@@ -274,7 +272,7 @@ services:
window: 120s
resources:
limits:
- memory: 2GB
+ memory: 500MB
cpus: '1'
reservations:
memory: 25MB
diff --git a/polarite/docker-compose.yml b/polarite/docker-compose.yml
index b4c6fec..faf9a3f 100644
--- a/polarite/docker-compose.yml
+++ b/polarite/docker-compose.yml
@@ -61,7 +61,8 @@ services:
volumes:
polarite-data:
-
+ external: true
+
networks:
public-web:
external: true
diff --git a/polarite/setup.sh b/polarite/setup.sh
new file mode 100644
index 0000000..5dcc7f5
--- /dev/null
+++ b/polarite/setup.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+ docker volume create polarite-data
diff --git a/setup.py b/setup.py
index 6a1da46..67c6a34 100644
--- a/setup.py
+++ b/setup.py
@@ -107,7 +107,7 @@ def ping(host: str) -> bool:
for container in containers:
print(f"Running commands for {container} on {server}")
_, o1, e1 = client.exec_command(
- f"echo '{SUDO_PASSWORD[server]}' | sudo -S bash -c 'cd {container}; if [ -f \"setup.sh\" ]; then\n sudo ./setup.sh\nfi'"
+ f"echo '{SUDO_PASSWORD[server]}' | sudo -S bash -c 'cd {container}; if [ -f \"setup.sh\" ]; then\n chmod +x setup.sh && sudo ./setup.sh\nfi'"
)
for c in iter(lambda: o1.read(1), b""):
sys.stdout.buffer.write(c)
diff --git a/traefik/docker-compose.yml b/traefik/docker-compose.yml
index b8bc71c..c8af230 100644
--- a/traefik/docker-compose.yml
+++ b/traefik/docker-compose.yml
@@ -1,6 +1,6 @@
services:
traefik:
- image: traefik:v2.11.0
+ image: traefik:beaufort
command:
- "--api.insecure=true"
- "--providers.docker=true"
@@ -33,7 +33,8 @@ services:
- "0.0.0.0:443:443/udp"
- "[::]:443:443/udp"
# The Web UI (enabled by --api.insecure=true)
- - "192.168.193.179:8080:8080"
+ - "8080:8080"
+ - "8082:8082"
platform: "linux/amd64"
volumes:
# So that Traefik can listen to the Docker events
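Review bot: The added `chmod +x setup.sh &&` is fine, but the command it lives in still places the sudo password on the remote command line via `echo '{SUDO_PASSWORD[server]}' | sudo -S …`, where it is visible to every local user through the process list on each server and where a password containing a single quote breaks the quoting; `{container}` is interpolated unquoted into `cd {container}` in the same string. `exec_command` returns a stdin channel (the `_` discarded here), so the password can be fed to sudo there instead: `stdin, o1, e1 = client.exec_command(f"sudo -S -p '' bash -c 'cd {container}; if [ -f \"setup.sh\" ]; then\n chmod +x setup.sh && sudo ./setup.sh\nfi'")` followed by `stdin.write(SUDO_PASSWORD[server] + "\n")` and `stdin.flush()`. Running `sudo bash setup.sh` would also remove the need for `chmod` altogether. The enclosing function starts before this hunk and continues after it.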
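Review bot: `image: traefik:beaufort` replaces the pinned `traefik:v2.11.0` with a floating codename tag, so each pull may bring a different build, and if that codename tracks the v3 line (as I believe it does) this is also an unannounced major upgrade whose rule-syntax and configuration changes need checking against every compose file that carries `traefik.http.*` labels in this repository. Pin an explicit version, `image: traefik:<vX.Y.Z>` or better `image: traefik:<vX.Y.Z>@sha256:<digest>` (placeholders), and state the intended line in a comment above it, `# Traefik v3 — labels in sibling compose files reviewed for v3 rule syntax`.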
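Review bot: Changing the dashboard mapping from `192.168.193.179:8080:8080` to `8080:8080` (and adding `8082:8082`) publishes those ports on every host interface, and the context lines of this file's first hunk show `--api.insecure=true`, so the unauthenticated API and dashboard would become reachable from any network the host is attached to rather than only the one private address the removed line selected. Keep the interface-scoped form, `- "<private-interface-ip>:8080:8080"` (placeholder) and likewise for 8082, or disable `api.insecure` and expose the dashboard through a router with an auth middleware. What listens on 8082 is not visible here; a comment above that line naming it, like the existing `# The Web UI …` comment for 8080, would help the next reader.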