Create automation workflow

2024-01-17 12:36:57 -08:00
parent 7922bab8e3
commit 08467a6a47
12 changed files with 357 additions and 2 deletions
--- a/.conf/nginx/conf.d/http/main.conf
+++ b/.conf/nginx/conf.d/http/main.conf
@@ -0,0 +1,8 @@
 server {
    listen 80;
    location / {
        root /var/www/build;
        autoindex off;
        try_files $uri $uri/ =404;
    }
 }
--- a/.conf/nginx/nginx.conf
+++ b/.conf/nginx/nginx.conf
@@ -0,0 +1,69 @@
 worker_processes 4;
 pid /run/nginx.pid;
 error_log /dev/stderr info;
 events {
    worker_connections 1024;
    multi_accept off;
 }
 http {
    ## asynchronous input/output policy.
    tcp_nopush on;
    sendfile on;
    ## Security policy
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
    server_tokens off;                              # disable server version response header.
    add_header X-Content-Type-Options nosniff;      # Disable sniffing
    add_header X-Frame-Options SAMEORIGIN always;   # Prevent clickjacking.
    add_header "X-XSS-Protection" "1; mode=block";  # Prevent cross-site-scripting
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;  # Force HSTS, prevent mitm attack between 301 redirect for http, and https server.
    ## Log file policy.
    log_format logformat    '$remote_addr - $remote_user [$time_local] "$request" '
                            '$status $body_bytes_sent "$http_referer" '
                            '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /dev/stdout logformat;
    ## Temp file policy.
    client_body_temp_path /tmp/client_temp;
    fastcgi_temp_path /tmp/fastcgi_temp;
    uwsgi_temp_path /tmp/uwsgi_temp;
    proxy_temp_path /tmp/proxy_temp;
    scgi_temp_path /tmp/scgi_temp;
    ## Buffer Policy.
    client_body_buffer_size 1K;
    client_header_buffer_size 1k;
    client_max_body_size 1k;
    large_client_header_buffers 2 1k;
    ## Client timeout policy
    client_body_timeout   10;
    client_header_timeout 10;
    keepalive_timeout     5 5;
    send_timeout          10;
    ## Default mime type.
    include snippets/mime-types.conf;
    default_type text/html;
    ## http vhosts
    include conf.d/http/*.conf;
 }
--- a/.conf/nginx/snippets/fastcgi.conf
+++ b/.conf/nginx/snippets/fastcgi.conf
@@ -0,0 +1,26 @@
 fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
 fastcgi_param  QUERY_STRING       $query_string;
 fastcgi_param  REQUEST_METHOD     $request_method;
 fastcgi_param  CONTENT_TYPE       $content_type;
 fastcgi_param  CONTENT_LENGTH     $content_length;
 fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
 fastcgi_param  REQUEST_URI        $request_uri;
 fastcgi_param  DOCUMENT_URI       $document_uri;
 fastcgi_param  DOCUMENT_ROOT      $document_root;
 fastcgi_param  SERVER_PROTOCOL    $server_protocol;
 fastcgi_param  REQUEST_SCHEME     $scheme;
 fastcgi_param  HTTPS              $https if_not_empty;
 fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
 fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
 fastcgi_param  REMOTE_ADDR        $remote_addr;
 fastcgi_param  REMOTE_PORT        $remote_port;
 fastcgi_param  SERVER_ADDR        $server_addr;
 fastcgi_param  SERVER_PORT        $server_port;
 fastcgi_param  SERVER_NAME        $server_name;
 # PHP only, required if PHP was built with --enable-force-cgi-redirect
 fastcgi_param  REDIRECT_STATUS    200;
--- a/.conf/nginx/snippets/mime-types.conf
+++ b/.conf/nginx/snippets/mime-types.conf
@@ -0,0 +1,48 @@
 types {
  text/html                             html htm shtml;
  text/css                              css;
  text/xml                              xml rss;
  image/gif                             gif;
  image/jpeg                            jpeg jpg;
  application/x-javascript              js;
  text/plain                            txt;
  text/x-component                      htc;
  text/mathml                           mml;
  image/png                             png;
  image/x-icon                          ico;
  image/x-jng                           jng;
  image/vnd.wap.wbmp                    wbmp;
  application/java-archive              jar war ear;
  application/mac-binhex40              hqx;
  application/pdf                       pdf;
  application/x-cocoa                   cco;
  application/x-java-archive-diff       jardiff;
  application/x-java-jnlp-file          jnlp;
  application/x-makeself                run;
  application/x-perl                    pl pm;
  application/x-pilot                   prc pdb;
  application/x-rar-compressed          rar;
  application/x-redhat-package-manager  rpm;
  application/x-sea                     sea;
  application/x-shockwave-flash         swf;
  application/x-stuffit                 sit;
  application/x-tcl                     tcl tk;
  application/x-x509-ca-cert            der pem crt;
  application/x-xpinstall               xpi;
  application/zip                       zip;
  application/octet-stream              deb;
  application/octet-stream              bin exe dll;
  application/octet-stream              dmg;
  application/octet-stream              eot;
  application/octet-stream              iso img;
  application/octet-stream              msi msp msm;
  audio/mpeg                            mp3;
  audio/x-realaudio                     ra;
  video/mpeg                            mpeg mpg;
  video/quicktime                       mov;
  video/x-flv                           flv;
  video/x-msvideo                       avi;
  video/x-ms-wmv                        wmv;
  video/x-ms-asf                        asx asf;
  video/x-mng                           mng;
 }
--- a/.conf/nginx/snippets/proxy.conf
+++ b/.conf/nginx/snippets/proxy.conf
@@ -0,0 +1,10 @@
 proxy_redirect off;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 client_max_body_size 10m;
 client_body_buffer_size 128k;
 proxy_connect_timeout 90;
 proxy_send_timeout 90;
 proxy_read_timeout 90;
 proxy_buffers 32 4k;
--- a/.conf/nginx/snippets/scgi.conf
+++ b/.conf/nginx/snippets/scgi.conf
@@ -0,0 +1,17 @@
 scgi_param  REQUEST_METHOD     $request_method;
 scgi_param  REQUEST_URI        $request_uri;
 scgi_param  QUERY_STRING       $query_string;
 scgi_param  CONTENT_TYPE       $content_type;
 scgi_param  DOCUMENT_URI       $document_uri;
 scgi_param  DOCUMENT_ROOT      $document_root;
 scgi_param  SCGI               1;
 scgi_param  SERVER_PROTOCOL    $server_protocol;
 scgi_param  REQUEST_SCHEME     $scheme;
 scgi_param  HTTPS              $https if_not_empty;
 scgi_param  REMOTE_ADDR        $remote_addr;
 scgi_param  REMOTE_PORT        $remote_port;
 scgi_param  SERVER_PORT        $server_port;
 scgi_param  SERVER_NAME        $server_name;
--- a/.conf/nginx/snippets/uwsgi.conf
+++ b/.conf/nginx/snippets/uwsgi.conf
@@ -0,0 +1,17 @@
 uwsgi_param  QUERY_STRING       $query_string;
 uwsgi_param  REQUEST_METHOD     $request_method;
 uwsgi_param  CONTENT_TYPE       $content_type;
 uwsgi_param  CONTENT_LENGTH     $content_length;
 uwsgi_param  REQUEST_URI        $request_uri;
 uwsgi_param  PATH_INFO          $document_uri;
 uwsgi_param  DOCUMENT_ROOT      $document_root;
 uwsgi_param  SERVER_PROTOCOL    $server_protocol;
 uwsgi_param  REQUEST_SCHEME     $scheme;
 uwsgi_param  HTTPS              $https if_not_empty;
 uwsgi_param  REMOTE_ADDR        $remote_addr;
 uwsgi_param  REMOTE_PORT        $remote_port;
 uwsgi_param  SERVER_PORT        $server_port;
 uwsgi_param  SERVER_NAME        $server_name;
--- a/.conf/supervisor/supervisord.conf
+++ b/.conf/supervisor/supervisord.conf
@@ -0,0 +1,15 @@
 [supervisord]
 nodaemon=true
 logfile=/dev/null
 logfile_maxbytes=0
 pidfile=/run/supervisord.pid
 [program:nginx]
 command=nginx -g 'daemon off;'
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 autorestart=true
 startretries=3
--- a/.gitea/workflows/production/build-deploy-docs.yml
+++ b/.gitea/workflows/production/build-deploy-docs.yml
@@ -0,0 +1,129 @@
 on:
  push:
    paths:
      - "content/**"
      - "static/**"
      - "templates/**"
    branches:
      - "main"
 jobs:
  job1:
    name: Build static site, docker image, upload artifact...
    runs-on: catthehacker-ubuntu
    steps:
      -
        name: Get current date
        id: date
        run: echo "::set-output name=date::$(date +'%Y%m%d%H%M%S')"
      -
        name: Checkout the git repo...
        uses: actions/checkout@v3
      -
        name: Set up docker buildx...
        uses: docker/setup-buildx-action@v3
      -
        name: Login to gitea registry
        uses: docker/login-action@v3
        with:
          registry: gitea.raer.me
          username: ${{ secrets.PRODUCTION_REGISTRY_USERNAME }}
          password: ${{ secrets.PRODUCTION_REGISTRY_TOKEN }}
      -
        name: Install required system packages...
        run: |
          export DEBIAN_FRONTEND=noninteractive
          apt update
          apt upgrade -y
          apt install -y curl tar p7zip-full python3 pip pipx
      -
        name: Install pipenv, build blog...
        run: |
          pip install pipenv
          pipenv install
          pipenv run blag build
      -
        name: Create artifact...
        run: 7z a -mx=9 ./artifact.7z build
      -
        name: Upload artifact...
        uses: actions/upload-artifact@v3
        with:
          name: artifact_${{ steps.date.outputs.date }}
          path: ./artifact.7z
          retention-days: 7
      -
        name: Build and push docker image to gitea package store
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          platforms: linux/amd64
          tags: gitea.raer.me/${{ gitea.repository }}:${{ gitea.ref_name }}
  job2:
    needs: job1
    name: Connect to deployment host, update, and redeploy docs website.
    runs-on: ubuntu-latest
    steps:
      -
        name: Install required system packages...
        run: |
          export DEBIAN_FRONTEND=noninteractive
          apt update
          apt upgrade -y
          apt install -y iputils-ping
      -
        name: Configure SSH...
        env:
          SSH_USER: ${{ secrets.PRODUCTION_SSH_USER }}
          SSH_KEY: ${{ secrets.PRODUCTION_SSH_KEY }}
          SSH_HOST: ${{ secrets.PRODUCTION_SSH_HOST }}
        run: |
          mkdir -p ~/.ssh/
          echo "$SSH_KEY" > ~/.ssh/staging.key
          chmod 600 ~/.ssh/staging.key
          cat >> ~/.ssh/config <<END
          Host staging
            HostName $SSH_HOST
            User $SSH_USER
            IdentityFile ~/.ssh/staging.key
            StrictHostKeyChecking no
          END
          cat ~/.ssh/config
      -
        name: Test SSH Host...
        env:
          SSH_HOST: ${{ secrets.PRODUCTION_SSH_HOST }}
        run: |
          ping -c 3 $SSH_HOST
          ssh staging 'ls'
      -
        name: Safety check (ensure dirs exist and repo has been cloned)...
        run: |
          echo "Adding ci dir if it doesn't exist..."
          ssh staging 'bash -c "[ -d ci ] || mkdir ci"'
          echo "Cloning git repo if it isn't already cloned..."
          ssh staging 'cd ci; bash -c "[ -d ${{ gitea.event.repository.name }} ] || git clone https://${{ secrets.PRODUCTION_API_TOKEN }}@gitea.raer.me/${{ gitea.repository }}.git"'
      -
        name: Deploy testing script on remote...
        run: |
          ssh staging '\
            cd ci/${{ gitea.event.repository.name }}; \
            git remote remove origin; \
            git remote add origin https://${{ secrets.PRODUCTION_API_TOKEN }}@gitea.raer.me/${{ gitea.repository} }.git; \
            git checkout ${{ gitea.ref_name }}; \
            git reset --hard HEAD; \
            git pull origin ${{ gitea.ref_name }}; \
            git remote remove origin;'
      -
        name: Pull new image and redeploy...
        run: |
          ssh staging '\
            echo "${{ secrets.PRODUCTION_REGISTRY_TOKEN }}" | docker login --password-stdin --username ${{ secrets.PRODUCTION_REGISTRY_USERNAME }} gitea.raer.me; \
            docker stop blog.raer.me-prod; \
            docker rm blog.raer.me-prod; \
            docker pull gitea.raer.me/${{ gitea.repository }}:${{ gitea.ref_name }}; \
            docker run -d --name blog.raer.me-prod -p ${{ secrets.PRODUCTION_DEPLOYMENT_HOST }}:4020:80 gitea.raer.me/${{ gitea.repository }}:${{ gitea.ref_name }}; \
            docker logout gitea.raer.me;'
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-build
+build
 Pipfile.lock
--- a/15
+++ b/15
@@ -0,0 +1,15 @@
 ####
 ##
 ##      Build a docker image out of the static html book generated by mdbook.
 ##      Used by automation. Can be built manually for testing.
 ##
 ####
 FROM alpine:3.17
 RUN apk add nginx supervisor
 RUN mkdir -p /var/www
 RUN rm -rf /etc/nginx
 COPY build /var/www/build
 COPY .conf/nginx /etc/nginx
 COPY .conf/supervisor/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
 CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
 EXPOSE 80
--- a/content/love.md
+++ b/content/love.md
@@ -1,6 +1,6 @@
 title: My lover
 description: Hello love
-# Hello Jaime
+# To my lover, Jaimie
 I love you very much, babydoll. <3