Merge pull request #24 from inowas/dev

Merge dev into main

Author: rabbl

.gitlab-ci.yml

@@ -1,22 +1,44 @@
+variables:
+  SCHEMA_IMAGE: inowas/schema
+  SCHEMA_PATH: /srv/docker/schema.inowas.com
+
 stages:
+  - publish
   - deploy
 
+image: docker:20.10.16
+
+services:
+  - docker:20.10.16-dind
+
+publish:
+  stage: publish
+  before_script:
+    - docker info
+    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_TOKEN $CI_REGISTRY
+  script:
+    - docker build --tag $SCHEMA_IMAGE:$CI_COMMIT_SHA --tag $SCHEMA_IMAGE:latest --file src/docker/Dockerfile .
+    - docker push $SCHEMA_IMAGE:$CI_COMMIT_SHA
+    - docker push $SCHEMA_IMAGE:latest
+  only:
+    - main
+
 deploy:
+  image: ubuntu:22.04
   stage: deploy
-  image: ubuntu:latest
-
   before_script:
     - 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )'
     - mkdir -p ~/.ssh
     - eval $(ssh-agent -s)
     - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
-    - ssh-add <(echo "$PRIVATE_KEY")
-    - apt-get install rsync -y
+    - ssh-add <(echo "$SSH_PRIVATE_KEY")
   script:
-    - ssh -p22 $SSH_CREDENTIALS_PRODUCTION_SERVER "mkdir -p $PRODUCTION_PATH.tmp/"
-    - rsync -rav --exclude=.git --exclude=.gitlab-ci.yml -e ssh ./ $SSH_CREDENTIALS_PRODUCTION_SERVER:/$PRODUCTION_PATH.tmp/
-    - ssh -p22 $SSH_CREDENTIALS_PRODUCTION_SERVER "mv $PRODUCTION_PATH $PRODUCTION_PATH.old"
-    - ssh -p22 $SSH_CREDENTIALS_PRODUCTION_SERVER "mv $PRODUCTION_PATH.tmp $PRODUCTION_PATH"
-    - ssh -p22 $SSH_CREDENTIALS_PRODUCTION_SERVER "rm -rf $PRODUCTION_PATH.old"
+    - ssh -p22 $SSH_CREDENTIALS "cd $SCHEMA_PATH && docker compose down"
+    - scp -P22 ./infrastructure/schema/docker-compose.yml $SSH_CREDENTIALS:/$SCHEMA_PATH/docker-compose.yml
+    - ssh -p22 $SSH_CREDENTIALS "cd $SCHEMA_PATH && docker compose pull"
+    - ssh -p22 $SSH_CREDENTIALS "cd $SCHEMA_PATH && docker compose up -d --force-recreate"
+  environment:
+    name: development
+    url: https://schema.inowas.com
   only:
-    - master
+    - main

import/boundary.json

@@ -0,0 +1,10 @@
+COMPOSE_PROJECT_NAME=morpheus_prod
+DOMAIN=example.com
+FRONTEND_HOST=${DOMAIN}
+
+# Certificate resolver
+# possible values:
+# - letsencrypt: use Let's Encrypt to generate certificates
+# - tud-resolver: use the resolver provided by TU-Dresden
+TRAEFIK_CERT_RESOLVER=letsencrypt
+TRAEFIK_NETWORK=traefik

infrastructure/schema/.env.dist

@@ -0,0 +1,30 @@
+version: "3.8"
+services:
+  frontend:
+    image: inowas/schema:latest
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}-frontend-http.entrypoints=web"
+      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}-frontend-http.rule=Host(`${FRONTEND_HOST}`)"
+      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}-frontend-http.middlewares=redirect-to-https"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true"
+      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}-frontend.entrypoints=websecure"
+      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}-frontend.rule=Host(`${FRONTEND_HOST}`)"
+      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}-frontend.tls=true"
+      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}-frontend.tls.certresolver=${TRAEFIK_CERT_RESOLVER}"
+      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}-frontend.service=${COMPOSE_PROJECT_NAME}-frontend"
+      - "traefik.http.services.${COMPOSE_PROJECT_NAME}-frontend.loadbalancer.server.port=8080"
+      - "traefik.docker.network=${TRAEFIK_NETWORK}"
+    networks:
+      - traefik
+    restart: always
+    read_only: true
+    tmpfs:
+      - /var/run:mode=777,size=100m
+      - /var/cache/nginx:mode=777,size=100m
+
+networks:
+  traefik:
+    name: ${TRAEFIK_NETWORK}
+    external: true

infrastructure/schema/docker-compose.yml

@@ -0,0 +1,6 @@
+TRAEFIK_NETWORK=traefik
+TRAEFIK_ACME_EMAIL=[email protected]
+TRAEFIK_ACME_LETSENCRYPT_CASERVER=https://acme-v02.api.letsencrypt.org/directory
+TRAEFIK_ACME_TUD_CASERVER=https://acme.sectigo.com/v2/OV
+TRAEFIK_ACME_TUD_EAB_KID=titugjUE8MISdpQk1i_cPw
+TRAEFIK_ACME_TUD_EAB_HMAC_ENCODED=SZwKYNiJpDEhhVrh-METQBEhF8s9bUx8S2Nzd6KmbqnOiTTZyXRZIinxxXyowpaaFORmWLZZk7e8ro6IShsKeg

infrastructure/traefik/.env

@@ -0,0 +1,7 @@
+TRAEFIK_NETWORK=traefik
+
+TRAEFIK_ACME_EMAIL=...
+TRAEFIK_ACME_LETSENCRYPT_CASERVER=https://acme-v02.api.letsencrypt.org/directory
+TRAEFIK_ACME_TUD_CASERVER=...
+TRAEFIK_ACME_TUD_EAB_KID=...
+TRAEFIK_ACME_TUD_EAB_HMAC_ENCODED=...

infrastructure/traefik/.env.dist

@@ -0,0 +1,44 @@
+version: "3.8"
+services:
+  traefik:
+    image: traefik:v2.10
+    command:
+      - "--log.level=INFO"
+      - "--log.filePath=/var/logs/traefik/traefik.log"
+      - "--accesslog=true"
+      - "--api=false"
+      - "--api.dashboard=false"
+      - "--api.insecure=false"
+      - "--entryPoints.web.address=:80"
+      - "--entryPoints.websecure.address=:443"
+      - "--global.checkNewVersion=true"
+      - "--global.sendAnonymousUsage=false"
+      - "--providers.docker=true"
+      - "--providers.docker.exposedByDefault=false"
+      # Let's Encrypt
+      - "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"
+      - "--certificatesresolvers.letsencrypt.acme.caserver=${TRAEFIK_ACME_LETSENCRYPT_CASERVER}"
+      - "--certificatesresolvers.letsencrypt.acme.email=${TRAEFIK_ACME_EMAIL}"
+      - "--certificatesresolvers.letsencrypt.acme.storage=/etc/traefik/acme/acme_letsencrypt.json"
+      # TU-Dresden CA
+      #- "--certificatesresolvers.tud-resolver.acme.tlschallenge=true"
+      #- "--certificatesresolvers.tud-resolver.acme.caserver=${TRAEFIK_ACME_TUD_CASERVER}"
+      #- "--certificatesresolvers.tud-resolver.acme.email=${TRAEFIK_ACME_EMAIL}"
+      #- "--certificatesresolvers.tud-resolver.acme.eab.kid=${TRAEFIK_ACME_TUD_EAB_KID}"
+      #- "--certificatesresolvers.tud-resolver.acme.eab.hmacencoded=${TRAEFIK_ACME_TUD_EAB_HMAC_ENCODED}"
+      #- "--certificatesresolvers.tud-resolver.acme.storage=/etc/traefik/acme/acme_tud.json"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./acme:/etc/traefik/acme
+      - ./logs:/var/logs/traefik
+    ports:
+      - "80:80"
+      - "443:443"
+    restart: always
+    networks:
+      - traefik
+    read_only: true
+networks:
+  traefik:
+    name: ${TRAEFIK_NETWORK}
+    external: true

infrastructure/traefik/docker-compose.yml

@@ -0,0 +1,9 @@
+FROM nginx:1.25.2-alpine
+COPY src/docker/nginx/nginx.conf /etc/nginx/conf.d/default.conf
+RUN rm -rf /usr/share/nginx/html
+COPY src/public /usr/share/nginx/html
+RUN touch /var/run/nginx.pid
+RUN chown -R nginx:nginx /var/run/nginx.pid /usr/share/nginx/html /var/cache/nginx /var/log/nginx /etc/nginx/conf.d
+USER nginx
+EXPOSE 8080
+CMD ["nginx", "-g", "daemon off;"]