x/terraform-digitalocean-spoke
1
0
Fork 0
Code Issues Pull Requests Releases Activity

Porting over most of the things

Browse Source
This commit is contained in:
Dan Buch 2020-02-09 22:28:45 -05:00
parent 2fc2139bd6
commit cbf4e851e2
Signed by: meatballhat
GPG Key ID: 9685130D8B763EA7
7 changed files with 418 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
app.env.tpl Normal file
View File

@ -0,0 +1 @@
# TODO

188
main.tf
View File

@ -0,0 +1,188 @@
resource "digitalocean_ssh_key" "app" {
count = length(var.ssh_keys)
name = "${var.resource_prefix}app-${count.index}"
public_key = element(var.ssh_keys, count.index)
}
resource "digitalocean_database_cluster" "pg" {
name = "${var.resource_prefix}pg"
engine = "pg"
version = "11"
size = var.database_cluster_size
region = var.region
node_count = 1
}
resource "digitalocean_droplet" "app" {
image = "ubuntu-18-04-x64"
name = "${var.resource_prefix}app"
region = var.region
size = var.droplet_size
ssh_keys = [digitalocean_ssh_key.app.*.id]
}
resource "digitalocean_certificate" "app" {
name = "${var.resource_prefix}app"
private_key = var.cert_private_key
leaf_certificate = var.cert_leaf_certificate
lifecycle {
create_before_destroy = true
}
}
resource "digitalocean_loadbalancer" "app" {
name = "${var.resource_prefix}lb-app"
region = var.region
droplet_ids = [digitalocean_droplet.app.id]
redirect_http_to_https = true
forwarding_rule {
entry_port = 80
entry_protocol = "http"
target_port = var.port
target_protocol = "http"
}
forwarding_rule {
entry_port = 443
entry_protocol = "https"
target_port = var.port
target_protocol = "http"
certificate_id = digitalocean_certificate.app.id
}
healthcheck {
port = var.port
protocol = "tcp"
}
}
resource "digitalocean_firewall" "app" {
name = "${var.resource_prefix}app"
droplet_ids = [digitalocean_droplet.app.id]
inbound_rule {
protocol = "tcp"
port_range = "22"
source_addresses = ["0.0.0.0/0", "::/0"]
}
inbound_rule {
protocol = "tcp"
port_range = "1-65535"
# FIXME: what
#port_range = var.port
source_load_balancer_uids = [digitalocean_loadbalancer.app.id]
}
inbound_rule {
protocol = "icmp"
source_addresses = ["0.0.0.0/0", "::/0"]
}
outbound_rule {
protocol = "tcp"
port_range = "1-65535"
destination_addresses = ["0.0.0.0/0", "::/0"]
}
outbound_rule {
protocol = "udp"
port_range = "1-65535"
destination_addresses = ["0.0.0.0/0", "::/0"]
}
outbound_rule {
protocol = "icmp"
destination_addresses = ["0.0.0.0/0", "::/0"]
}
}
resource "random_string" "session_secret" {
length = 199
special = false
}
resource "null_resource" "app_provision" {
triggers = {
droplet_id = digitalocean_droplet.app.id
database_cluster_id = digitalocean_database_cluster.pg.id
provision_script_sha1 = filesha1("spoke-app-provision")
run_script_sha1 = filesha1("spoke-app-run")
service_sha1 = filesha1("spoke.service")
env_sha1 = sha1(join(";", [
jsonencode(var.env),
random_string.session_secret.result,
var.base_url,
var.node_env,
var.node_options,
var.port,
]))
}
connection {
host = digitalocean_droplet.app.ipv4_address
}
provisioner "file" {
source = "spoke-app-provision"
destination = "/tmp/spoke-app-provision"
}
provisioner "file" {
source = "spoke-app-run"
destination = "/tmp/spoke-app-run"
}
provisioner "file" {
content = templatefile("app.env.tpl", merge({
ASSETS_MAP_FILE = "assets.json",
ASSETS_DIR = "./build/client/assets",
BASE_URL = var.base_url,
DATABASE_URL = digitalocean_database_cluster.pg.uri,
DB_HOST = digitalocean_database_cluster.pg.host,
DB_NAME = digitalocean_database_cluster.pg.database,
DB_PASSWORD = digitalocean_database_cluster.pg.password,
DB_PORT = digitalocean_database_cluster.pg.port,
DB_TYPE = "pg",
DB_USER = digitalocean_database_cluster.pg.user,
DB_USE_SSL = "true",
JOBS_SAME_PROCESS = "1",
NODE_ENV = var.node_env,
NODE_OPTIONS = var.node_options,
OUTPUT_DIR = "./build",
PORT = var.port,
REDIS_URL = "redis://127.0.0.1:6379/0",
SESSION_SECRET = random_string.session_secret.result,
}, var.env))
destination = "/tmp/app.env"
}
provisioner "file" {
source = "spoke.service"
destination = "/tmp/spoke.service"
}
provisioner "remote-exec" {
inline = [
"bash /tmp/spoke-app-provision system0",
"sudo -H -u spoke bash /tmp/spoke-app-provision spoke0",
"bash /tmp/spoke-app-provision system1",
]
}
}
resource "digitalocean_database_firewall" "app_pg" {
cluster_id = digitalocean_database_cluster.pg.id
rule {
type = "droplet"
value = digitalocean_droplet.app.id
}
}

19
outputs.tf
View File

@ -0,0 +1,19 @@
output "loadbalancer_ip" {
value = digitalocean_loadbalancer.app.ip
}
output "droplet_urn" {
value = digitalocean_droplet.app.urn
}
output "loadbalancer_urn" {
value = digitalocean_loadbalancer.app.urn
}
output "database_cluster_urn" {
value = digitalocean_database_cluster.pg.urn
}
output "droplet_ipv4_address" {
value = digitalocean_droplet.app.ipv4_address
}

123
spoke-app-provision Executable file
View File

@ -0,0 +1,123 @@
#!/usr/bin/env bash
set -o errexit
set -o pipefail
main() {
local target="${1:-system0}"
"_run_${target}"
}
_run_system0() {
set -o xtrace
sudo swapon --show | if ! grep -q /swap; then
sudo fallocate -l 8G /swap
sudo chmod 600 /swap
sudo mkswap -L swap /swap
sudo swapon /swap
fi
if ! grep -q ^LABEL=swap /etc/fstab &>/dev/null; then
echo 'LABEL=swap none swap sw 0 0' | sudo tee -a /etc/fstab
fi
sudo sysctl vm.swappiness=10
echo 'vm.swappiness=10' | sudo tee /etc/sysctl.d/99-swappiness.conf
sudo sysctl vm.vfs_cache_pressure=50
echo 'vm.vfs_cache_pressure=50' |
sudo tee /etc/sysctl.d/99-cache-pressure.conf
sudo apt-get update -y
sudo apt-get install -y \
build-essential \
ca-certificates \
curl \
git \
gnupg \
redis
sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" >/etc/apt/sources.list.d/pgdg.list'
curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -
sudo apt-get update -y
sudo apt-get install -y postgresql-client-11
curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
echo "deb https://dl.yarnpkg.com/debian/ stable main" |
sudo tee /etc/apt/sources.list.d/yarn.list
sudo apt-get update -y
sudo apt-get install -y --no-install-recommends yarn
if ! getent passwd spoke; then
sudo useradd --create-home --comment 'Spoke app' spoke
fi
sudo chsh -s /bin/bash spoke
sudo chown -R spoke:spoke /home/spoke
}
_run_system1() {
set -o xtrace
sudo cp -v /tmp/spoke.service /etc/systemd/system/spoke.service
sudo systemctl enable spoke
sudo systemctl stop spoke || true
sudo systemctl start spoke || true
}
_run_spoke0() {
set -o xtrace
git --version
if [[ ! -d /home/spoke/app/.git ]]; then
git clone https://github.com/MoveOnOrg/Spoke.git /home/spoke/app
fi
cd /home/spoke/app
git checkout -qf 'v5.1'
cp -v /tmp/spoke-app-run /home/spoke/spoke-app-run
chmod +x /home/spoke/spoke-app-run
if ! command -v nvm; then
curl -fsSL \
https://raw.githubusercontent.com/nvm-sh/nvm/v0.35.2/install.sh | bash
set +o errexit
set +o xtrace
source ~/.nvm/nvm.sh
set -o xtrace
set -o errexit
fi
nvm --version 2>/dev/null
nvm install 2>/dev/null
nvm use 2>/dev/null
if [[ -f /tmp/app.env ]]; then
cp -v /tmp/app.env /home/spoke/app/.env
fi
sha1sum /home/spoke/app/.env
set -o allexport
source /home/spoke/app/.env
set +o allexport
yarn --version
yarn install --ignore-scripts --non-interactive --frozen-lockfile
local git_head
git_head="$(cat .git/HEAD || true)"
local yarn_prod_build_ref
yarn_prod_build_ref="$(
cat /home/spoke/yarn_prod_build_ref 2>/dev/null || true
)"
if [[ "${git_head}" == "${yarn_prod_build_ref}" ]]; then
echo "skipping yarn run prod-build"
return
fi
yarn run prod-build
rm -rf ./node_modules
yarn install --production --ignore-scripts
echo "${git_ref}" >/home/spoke/yarn_prod_build_ref
}
main "${@}"

12
spoke-app-run Executable file
View File

@ -0,0 +1,12 @@
#!/usr/bin/env bash
set -o errexit
set -o pipefail
main() {
cd /home/spoke/app
source ~/.nvm/nvm.sh
nvm use
exec npm start
}
main "${@}"

14
spoke.service Normal file
View File

@ -0,0 +1,14 @@
# vim:filetype=systemd
[Unit]
Description=Spoke
[Service]
Type=simple
User=spoke
Group=spoke
EnvironmentFile=-/home/spoke/app/.env
ExecStart=/home/spoke/spoke-app-run
Restart=always
[Install]
WantedBy=multi-user.target

61
variables.tf
View File

@ -0,0 +1,61 @@
variable "base_url" {
description = "Fully qualified https URL of the app"
}
variable "resource_prefix" {
description = "Prefix prepended to resource names"
default = "spoke-"
}
variable "node_options" {
description = "Value defined at build time and run time as NODE_OPTIONS"
default = "--max_old_space_size=8192"
}
variable "node_env" {
description = "Value defined at build time and run time as NODE_ENV"
default = "production"
}
variable "port" {
description = "TCP port used to communicate between droplet and load balancer"
default = "3000"
}
variable "droplet_size" {
description = "Size value passed when provisioning app droplet"
default = "s-1vcpu-1gb"
}
variable "database_cluster_size" {
description = "Size value passed when provisioning database cluster"
default = "db-s-1vcpu-1gb"
}
variable "database_cluster_node_count" {
default = 1
}
variable "region" {
description = "Region at which all resources will be provisioned"
default = "nyc1"
}
variable "ssh_keys" {
type = "list"
description = "List of ssh public keys to pass to droplet provisioning"
}
variable "cert_private_key" {
description = "Certificate key to use when defining th cert used with the load balancer"
}
variable "cert_leaf_certificate" {
description = "Leaf certificate to use when defining the cert used with the load balancer"
}
variable "env" {
type = "map"
description = "Arbitrary *additional* environment variables passed at build time and run time"
default = {}
}