working production deployment pipeline

cli/deploy.yml

@@ -33,16 +33,6 @@
   roles:
     - elasticsearch-docker
 
-- name: deploy containers
-  hosts: backend
-  become: yes
-  vars:
-    compose_project: elasticsearch-compose.yml
-  tags:
-    - elasticsearch
-  roles:
-    - elasticsearch-docker
-
 
 - name: initialise certs for frontend
   hosts: frontend
@@ -59,3 +49,13 @@
   roles:
     - letsencrypt
 
+- name: deploy frontend containers
+  hosts: frontend
+  become: yes
+  vars:
+    compose_project: webapp-compose.yml
+  tags:
+    - webapp
+  roles:
+    - webapp-docker
+

cli/lib/elasticsearch.py

@@ -28,15 +28,17 @@ def __init__(self, config):
         self.type = 'names'
         self.mappings = dict()
         self.secure = config['secure'] if config.get('secure') else False
-        self.prefix = 'https' if self.secure else 'http'
+        self.scheme = 'https' if self.secure else 'http'
+        self.prefix = config['prefix'] if config.get('prefix') else ''
         self.mapping_dir = config['mapping_dir'] \
             if config.get('mapping_dir') else \
             os.path.dirname(os.path.dirname(__file__))
         self.properties_path = config['properties_dir'] \
             if config.get('properties_dir') else \
             os.path.join(os.path.dirname(os.path.dirname(__file__)), 'config', 'elasticsearch.properties.json')
 
-        self.url = '{prefix}://{host}:{port}'.format(prefix=self.prefix, host=self.host, port=self.port)
+        self.url = '{scheme}://{host}:{port}{prefix}'.format(scheme=self.scheme, host=self.host, port=self.port,
+                                                             prefix='/' + self.prefix if self.prefix else '')
         try:
             self.load_mapping_config()
         except Exception:

cli/roles/common/defaults/main.yml

@@ -4,6 +4,7 @@ packages:
     - lsof
     - python3-pip
     - git
+    - software-properties-common
   container:
     - docker
 

cli/roles/elasticsearch-docker/templates/elasticsearch-compose.yml

@@ -6,7 +6,7 @@ services:
     environment:
       - cluster.name=docker-cluster
       - bootstrap.memory_lock=true
-      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+      - "ES_JAVA_OPTS=-Xms2048m -Xmx2048m"
     ulimits:
       memlock:
         soft: -1

cli/roles/letsencrypt/tasks/create_certs.yml

@@ -2,12 +2,19 @@
   service:
     name: nginx
     state: stopped
+- stat: path=/etc/letsencrypt/live/{{ cert_item.domains[0] }}
+  register: certs_stats
+
+- debug: var=certs_stats
 
 - name: deliver nginx configuration to server
   template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf
 
 - name: Generate new certificate if one doesn't exist
   command: "{{ certbot_create_command }}"
+  args:
+    creates: /etc/letsencrypt/live/{{ cert_item.domains[0] }}
+  when: not certs_stats.stat.isdir
 
 - name: stop nginx
   service:

cli/roles/letsencrypt/tasks/main.yml

@@ -30,7 +30,7 @@
     apt_repository:
       repo: "{{ item }}"
       update_cache: yes
-      validate_certs: no
+      validate_certs: yes
       state: present
     with_items:
       - ppa:nginx/stable

cli/roles/webapp-docker/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+- name: deploy webapp stack
+  docker_service:
+    project_name: webapp
+    definition: "{{ lookup('template', compose_project) | from_yaml }}"
+    state: present
+  register: webapp_stack
+
+- debug:
+    var: webapp_stack

cli/roles/webapp-docker/templates/webapp-compose.yml

@@ -0,0 +1,22 @@
+version: '2'
+services:
+  webapp:
+    image: castlemilk/nutry-webapp:latest
+    environment:
+      ELASTICSEARCH_PROXY_HOST: nutry.net
+      ELASTICSEARCH_PROXY_PORT: 443
+      ELASTICSEARCH_PROXY_MODE: https
+      ELASTICSEARCH_PROXY_PREFIX: /v1/search
+      FIREBASE_ENDPOINT: https://nutry-v1.firebaseio.com
+      FIREBASE_DB_VERSION: v1
+    ports:
+      - "3000:3000"
+  proxy:
+    image: castlemilk/nutry-proxy:latest
+    volumes:
+      - /etc/letsencrypt/live/www.nutry.net:/etc/nginx/certs
+    depends_on:
+      - webapp
+    ports:
+      - "80:80"
+      - "443:443"

web/docker-compose.dev.yml

@@ -0,0 +1,49 @@
+version: '2'
+services:
+  webapp:
+    image: castlemilk/nutry-webapp:latest
+    build:
+      context: .
+      dockerfile: ./internals/docker/Dockerfile
+      args:
+        ELASTICSEARCH_PROXY_HOST: nutry.net
+        ELASTICSEARCH_PROXY_PORT: 443
+        ELASTICSEARCH_PROXY_MODE: https
+        ELASTICSEARCH_PROXY_PREFIX: /v1/search
+        FIREBASE_ENDPOINT: https://nutry-v1.firebaseio.com
+        FIREBASE_DB_VERSION: v1
+    environment:
+      ELASTICSEARCH_PROXY_HOST: nutry.net
+      ELASTICSEARCH_PROXY_PORT: 443
+      ELASTICSEARCH_PROXY_MODE: https
+      ELASTICSEARCH_PROXY_PREFIX: /v1/search
+      FIREBASE_ENDPOINT: https://nutry-v1.firebaseio.com
+      FIREBASE_DB_VERSION: v1
+    ports:
+      - "3000:3000"
+  proxy:
+    image: castlemilk/nutry-proxy:latest
+    build:
+      context: ./internals/proxy/
+      args:
+        SERVER_NAME: nutry.net
+        WEBAPP_PORT: 3000
+        ELASTICSEARCH_PROXY_PREFIX: /v1/search/
+        ELASTICSEARCH_PROXY_HOST: elasticsearch1
+        ELASTICSEARCH_PROXY_PORT: 9200
+    environment:
+        SERVER_NAME: nutry.net
+        WEBAPP_PORT: 3000
+        ELASTICSEARCH_PROXY_PREFIX: /v1/search/
+        ELASTICSEARCH_PROXY_HOST: elasticsearch1
+        ELASTICSEARCH_PROXY_PORT: 9200
+    depends_on:
+      - webapp
+    ports:
+      - "80:80"
+      - "443:443"
+
+networks:
+  default:
+    external:
+      name: docker_esnet

web/docker-compose.prod.yml

@@ -37,4 +37,9 @@ services:
       - webapp
     ports:
       - "80:80"
-      - "443:443"
+      - "443:443"
+
+networks:
+  default:
+    external:
+      name: docker_esnet

web/internals/proxy/Dockerfile

@@ -22,6 +22,7 @@ RUN envsubst '$WEBAPP_PORT $SERVER_NAME $ELASTICSEARCH_PROXY_HOST $ELASTICSEARCH
 
 WORKDIR $NGINX_CERT_DIR
 
+RUN mkdir -p $NGINX_CERT_DIR/certs/ && chown root:root $NGINX_CERT_DIR/certs/
 ADD gen_key.sh $NGINX_CERT_DIR/gen_key.sh
 RUN chmod a+x $NGINX_CERT_DIR/gen_key.sh
 RUN bash -c "$NGINX_CERT_DIR/gen_key.sh $SERVER_NAME"

web/internals/proxy/gen_key.sh

@@ -18,20 +18,14 @@ then
 fi
 
 # #Generate a key
-# openssl genrsa -des3 -passout pass:$password -out privkey.pem 2048 -noout
-#
-# #Remove passphrase from the key. Comment the line out to keep the passphrase
-# openssl rsa -in privkey.pem -passin pass:$password -out privkey.pem
-if [ -f /etc/nginx/cert.pem ] || [ -f /etc/nginx/privkey.pem ]; then
-    cat /etc/nginx/cert/cert.pem
-    cat /etc/nginx/cert/privkey.pem
+if [ -f /etc/nginx/cert/fullchain.pem ] || [ -f /etc/nginx/cert/privkey.pem ]; then
     exit 0
 else
     #Create the request
     openssl req -x509 -days 365 -nodes -newkey rsa:2048 -keyout privkey.pem -out cert.pem \
     -subj "/C=$country/ST=$state/L=$locality/O=$organization/OU=$organizationalunit/CN=$commonname/emailAddress=$email"
-    cat ./$domain.csr > /etc/nginx/cert/cert.pem
-    cat ./$domain.key > /etc/nginx/cert/privkey.pem
+    cat ./cert.pem > /etc/nginx/cert/cert.pem
+    cat ./privkey.pem > /etc/nginx/cert/privkey.pem
 fi
 
 

web/internals/proxy/nginx.conf.template

@@ -25,8 +25,8 @@ http {
     server_name ${SERVER_NAME};
 
     # SSL
-    ssl_certificate /etc/nginx/cert/cert.pem;
-    ssl_certificate_key /etc/nginx/cert/privkey.pem;
+    ssl_certificate /etc/nginx/certs/fullchain.pem; # generated by Certbot
+    ssl_certificate_key /etc/nginx/certs/privkey.pem; # generated by Certbot
 
     # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
     ssl_protocols TLSv1.1 TLSv1.2;