Easier to deploy by avoiding merge conflicts in production

This commit is contained in:
Pablo Barton 2021-03-30 09:28:13 -04:00
parent 32e2bea52c
commit d38efa9a9d
9 changed files with 186 additions and 14 deletions

View file

@ -5,6 +5,7 @@ SECRET_KEY="7(2w1sedok=aznpq)ta1mc4i%4h=xx@hxwx*o57ctsuml0x%fr"
DEBUG=true
DOMAIN=your.domain.here
#EMAIL=your@email.here
## Leave unset to allow all hosts
# ALLOWED_HOSTS="localhost,127.0.0.1,[::1]"
@ -26,14 +27,24 @@ POSTGRES_HOST=db
MAX_STREAM_LENGTH=200
REDIS_ACTIVITY_HOST=redis_activity
REDIS_ACTIVITY_PORT=6379
#REDIS_ACTIVITY_PASSWORD=redispassword345
# Celery config with redis broker
# Redis as celery broker
#REDIS_BROKER_PORT=6379
#REDIS_BROKER_PASSWORD=redispassword123
CELERY_BROKER=redis://redis_broker:6379/0
CELERY_RESULT_BACKEND=redis://redis_broker:6379/0
FLOWER_PORT=8888
#FLOWER_USER=mouse
#FLOWER_PASSWORD=changeme
EMAIL_HOST="smtp.mailgun.org"
EMAIL_PORT=587
EMAIL_HOST_USER=mail@your.domain.here
EMAIL_HOST_PASSWORD=emailpassword123
EMAIL_USE_TLS=true
EMAIL_USE_SSL=false
# Set this to true when initializing certbot for domain, false when not
CERTBOT_INIT=false

50
.env.prod.example Normal file
View file

@ -0,0 +1,50 @@
# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY="7(2w1sedok=aznpq)ta1mc4i%4h=xx@hxwx*o57ctsuml0x%fr"
# SECURITY WARNING: don't run with debug turned on in production!
DEBUG=false
DOMAIN=your.domain.here
EMAIL=your@email.here
## Leave unset to allow all hosts
# ALLOWED_HOSTS="localhost,127.0.0.1,[::1]"
OL_URL=https://openlibrary.org
## Database backend to use.
## Default is postgres, sqlite is for dev quickstart only (NOT production!!!)
BOOKWYRM_DATABASE_BACKEND=postgres
MEDIA_ROOT=images/
POSTGRES_PASSWORD=securedbpassword123
POSTGRES_USER=fedireads
POSTGRES_DB=fedireads
POSTGRES_HOST=db
# Redis activity stream manager
MAX_STREAM_LENGTH=200
REDIS_ACTIVITY_HOST=redis_activity
REDIS_ACTIVITY_PORT=6379
REDIS_ACTIVITY_PASSWORD=redispassword345
# Redis as celery broker
REDIS_BROKER_PORT=6379
REDIS_BROKER_PASSWORD=redispassword123
CELERY_BROKER=redis://:${REDIS_BROKER_PASSWORD}@redis_broker:${REDIS_BROKER_PORT}/0
CELERY_RESULT_BACKEND=redis://:${REDIS_BROKER_PASSWORD}@redis_broker:${REDIS_BROKER_PORT}/0
FLOWER_PORT=8888
FLOWER_USER=mouse
FLOWER_PASSWORD=changeme
EMAIL_HOST="smtp.mailgun.org"
EMAIL_PORT=587
EMAIL_HOST_USER=mail@your.domain.here
EMAIL_HOST_PASSWORD=emailpassword123
EMAIL_USE_TLS=true
EMAIL_USE_SSL=false
# Set this to true when initializing certbot for domain, false when not
CERTBOT_INIT=false

3
.gitignore vendored
View file

@ -24,3 +24,6 @@
#Node tools
/node_modules/
#nginx
nginx/default.conf

View file

@ -91,10 +91,15 @@ Deployment
## Setting up the developer environment
Set up the environment file:
Set up the development environment file:
``` bash
cp .env.example .env
cp .env.dev.example .env
```
Set up nginx for development `nginx/default.conf`:
``` bash
cp nginx/development nginx/default.conf
```
For most testing, you'll want to use ngrok. Remember to set the DOMAIN in `.env` to your ngrok domain.
@ -108,7 +113,7 @@ docker-compose run --rm web python manage.py initdb
docker-compose up
```
Once the build is complete, you can access the instance at `localhost:1333`
Once the build is complete, you can access the instance at `http://localhost:1333`
### Editing static files
If you edit the CSS or JavaScript, you will need to run Django's `collectstatic` command in order for your changes to have effect. You can do this by running:
@ -160,26 +165,35 @@ Instructions for running BookWyrm in production:
- Get the application code:
`git clone git@github.com:mouse-reeve/bookwyrm.git`
- Switch to the `production` branch
- Switch to the `production` branch:
`git checkout production`
- Create your environment variables file
`cp .env.example .env`
- Add your domain, email address, SMTP credentials
- Set a secure redis password and secret key
- Set a secure database password for postgres
- Create your environment variables file, `cp .env.prod.example .env`, and update the following:
- `SECRET_KEY` | A difficult to guess, secret string of characers
- `DOMAIN` | Your web domain
- `EMAIL` | Email address to be used for certbot domain verification
- `POSTGRES_PASSWORD` | Set a secure password for the database
- `REDIS_ACTIVITY_PASSWORD` | Set a secure password for Redis Activity subsystem
- `REDIS_BROKER_PASSWORD` | Set a secure password for Redis queue broker subsystem
- `FLOWER_USER` | Your own username for accessing Flower queue monitor
- `FLOWER_PASSWORD` | Your own secure password for accessing Flower queue monitor
- Update your nginx configuration in `nginx/default.conf`
- Replace `your-domain.com` with your domain name
- If you aren't using the `www` subdomain, remove the www.your-domain.com version of the domain from the `server_name` in the first server block in `nginx/default.conf` and remove the `-d www.${DOMAIN}` flag at the end of the `certbot` command in `docker-compose.yml`.
- If you are running another web-server on your host machine, you will need to follow the [reverse-proxy instructions](#running-bookwyrm-behind-a-reverse-proxy)
- Configure nginx
- Make a copy of the production template config and set it for use in nginx `cp nginx/production nginx/default.conf`
- Update `nginx/default.conf`:
- Replace `your-domain.com` with your domain name
- If you aren't using the `www` subdomain, remove the www.your-domain.com version of the domain from the `server_name` in the first server block in `nginx/default.conf` and remove the `-d www.${DOMAIN}` flag at the end of the `certbot` command in `docker-compose.yml`.
- If you are running another web-server on your host machine, you will need to follow the [reverse-proxy instructions](#running-bookwyrm-behind-a-reverse-proxy)
- If you need to initialize your certbot for your domain, set `CERTBOT_INIT=true` in your `.env` file
- Run the application (this should also set up a Certbot ssl cert for your domain) with
`docker-compose up --build`, and make sure all the images build successfully
- If you are running other services on your host machine, you may run into errors where services fail when attempting to bind to a port.
See the [troubleshooting guide](#port-conflicts) for advice on resolving this.
- When docker has built successfully, stop the process with `CTRL-C`
- Comment out the `command: certonly...` line in `docker-compose.yml`, and uncomment the following line (`command: renew ...`) so that the certificate will be automatically renewed.
- Uncomment the https redirect and `server` block in `nginx/default.conf` (lines 17-48).
- If you set `CERTBOT_INIT=true` earlier, set it now as `CERTBOT_INIT=false` so that certbot runs in renew mode
- Run docker-compose in the background with: `docker-compose up -d`
- Initialize the database with: `./bw-dev initdb`
- Set up schedule backups with cron that runs that `docker-compose exec db pg_dump -U <databasename>` and saves the backup to a safe location
Congrats! You did it, go to your domain and enjoy the fruits of your labors.

View file

@ -98,6 +98,7 @@ WSGI_APPLICATION = "bookwyrm.wsgi.application"
# redis/activity streams settings
REDIS_ACTIVITY_HOST = env("REDIS_ACTIVITY_HOST", "localhost")
REDIS_ACTIVITY_PORT = env("REDIS_ACTIVITY_PORT", 6379)
REDIS_ACTIVITY_PASSWORD = env("REDIS_ACTIVITY_PASSWORD", None)
MAX_STREAM_LENGTH = int(env("MAX_STREAM_LENGTH", 200))
STREAMS = ["home", "local", "federated"]

19
certbot.sh Normal file
View file

@ -0,0 +1,19 @@
#!/usr/bin/env bash
source .env;
if [ "$CERTBOT_INIT" = "true" ]
then
certonly \
--webroot \
--webroot-path=/var/www/certbot \
--email ${EMAIL} \
--agree-tos \
--no-eff-email \
-d ${DOMAIN} \
-d www.${DOMAIN}
else
renew \
--webroot \
--webroot-path \
/var/www/certbot
fi

View file

@ -20,6 +20,8 @@ services:
- pgdata:/var/lib/postgresql/data
networks:
- main
ports:
- 5432:5432
web:
build: .
env_file: .env

72
nginx/production Normal file
View file

@ -0,0 +1,72 @@
upstream web {
server web:8000;
}
server {
listen [::]:80;
listen 80;
server_name your-domain.com www.your-domain.com;
location ~ /.well-known/acme-challenge {
allow all;
root /var/www/certbot;
}
# # redirect http to https
# return 301 https://your-domain.com$request_uri;
# }
#
# server {
# listen [::]:443 ssl http2;
# listen 443 ssl http2;
#
# server_name your-domain.com;
#
# # SSL code
# ssl_certificate /etc/nginx/ssl/live/your-domain.com/fullchain.pem;
# ssl_certificate_key /etc/nginx/ssl/live/your-domain.com/privkey.pem;
#
# location ~ /.well-known/acme-challenge {
# allow all;
# root /var/www/certbot;
# }
#
# location / {
# proxy_pass http://web;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header Host $host;
# proxy_redirect off;
# }
#
# location /images/ {
# alias /app/images/;
# }
#
# location /static/ {
# alias /app/static/;
# }
}
# Reverse-Proxy server
# server {
# listen [::]:8001;
# listen 8001;
# server_name your-domain.com www.your-domain.com;
# location / {
# proxy_pass http://web;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header Host $host;
# proxy_redirect off;
# }
# location /images/ {
# alias /app/images/;
# }
# location /static/ {
# alias /app/static/;
# }
# }