standard-procedure-anvil 0.1.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 47f486a924f5bdee358e37587a81182f20578c61180508124ed2cef551b1fd62
+  data.tar.gz: 87f4d8498543db8f3aefd10ddd5e288bed1d9db89c47e84c82de2745bdd61a4a
+SHA512:
+  metadata.gz: 92a3dbc97db730b1a55d31bdae8cae9b607f36070b2cee53b6dc386b1cfc755b13f57b90f6874c885882f4d08fd9cc6057dc5e520d9d8dcce7750339124ca518
+  data.tar.gz: b378044a88edce05a58234c9cca4c7878d7ed7ed25255e57b544392286d18458afffd5b709e51fe70e5e237df0a876111eb3cf4ed529ff2042ac2d8051aa6abd

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.standard.yml

@@ -0,0 +1,3 @@
+# For available configuration options, see:
+#   https://github.com/testdouble/standard
+ruby_version: 2.6

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+## [Unreleased]
+
+## [0.1.0] - 2023-06-19
+
+- Initial release

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2023 Rahoul Baruah
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,139 @@
+# Standard::Procedure::Anvil
+
+Some simple scripts for installing [Dokku](https://dokku.com) applications on Ubuntu servers.
+
+## Installation
+
+```ruby
+gem install standard-procedure-anvil
+```
+
+## Usage
+
+### To build a new server
+
+Coming soon (plan is to use [Fog](https://github.com/fog/fog) to handle building servers)
+
+### To install an application onto a blank server
+
+Move to your application's root folder and create the anvil.yml file (see below).
+
+Then run `anvil host --user=user --use-sudo --identity=~/.ssh/my_key`.
+
+This will SSH into each server and:
+
+- Sets the server hostname and timezone
+- Installs various necessary packages, plus dokku itself
+- Sets up the firewall
+- Creates unix users for each app, adding them to the sudo and docker groups, and setting their authorized_keys files with the given public key
+- Schedule a `docker system prune` once per week to clean up any dangling images or containers
+- Configure nginx
+- Install dokku plugins and run any configuration you have defined
+- Sets the dokku deployment branch to `main`
+- Disallows root and passwordless logins over SSH
+
+For each app it will then:
+
+- Create the dokku app
+- Set the environment variables to those defined in your configuration and secrets files
+- Set the app's domain and set up a proxy from nginx to the app's port
+- Sets resource limits for the app
+- Disables checks for workers
+
+Then a git remote for each app is created on your local machine and then pushed.  This performs the initial dokku deployment. Once complete:
+
+- The app is scaled to the correct number of workers
+- Plugins are configured for the app
+
+### Configuration Files
+
+An Anvil configuration file specifies the configuration for multiple servers and multiple apps.  Each server is configured, then each app is installed onto each server.
+
+So you could have one app on two servers (and, we assume, a load-balancer set up in front of them).  Or two apps on one server.  Or even two apps on two servers (again, using a load-balancer)
+
+
+```yml
+version: 0.1
+servers:
+  hosts:
+    - server1.example.com
+  user: user
+  public_key: /home/local-user/.ssh/my-key.pub
+  timezone: Europe/London
+  ports:
+    - 22/tcp
+    - 80/tcp
+    - 443/tcp
+  nginx:
+    forward_proxy_headers: false
+    client_max_body_size: 512m
+    proxy_read_timeout: 60s
+  plugins:
+    cron-restart:
+      url: https://github.com/dokku/dokku-cron-restart.git
+    maintenance:
+      url: https://github.com/dokku/dokku-maintenance.git
+    redis:
+      url: https://github.com/dokku/dokku-redis.git
+    memcached:
+      url: https://github.com/dokku/dokku-memcached.git
+    letsencrypt:
+      url: https://github.com/dokku/dokku-letsencrypt.git
+      config:
+        - set --global email ssl-admin@mycompany.com
+        - cronjob --add
+apps:
+  first_app:
+    hostname: first_app.example.com
+    port: 3000
+    environment:
+      - ENV_VAR=value
+      - ENV_VAR2=value2
+      - RAILS_ENV=production
+    secrets: secrets.yml
+    resource_limit: 2048m
+    scale: web=2 worker=1
+    plugins:
+        cron-restart:
+          - set first_app schedule '0 3 * * *'
+        redis:
+          - create first_app_redis_db
+          - link first_app_redis_db first_app
+        memcached:
+          - create first_app_memcached
+          - link first_app_memcached first_app
+        letsencrypt:
+          - set first_app email ssl-admin@mycompany.com
+          - enable first_app
+  second_app:
+    hostname: second_app.example.com
+    port: 3000
+    environment:
+      - ENV_VAR=value
+      - ENV_VAR2=value2
+      - RAILS_ENV=production
+    secrets: secrets.yml
+    resource_limit: 2048m
+    scale: web=2 worker=1
+    plugins:
+        cron-restart:
+          - set second_app schedule '0 3 * * *'
+        letsencrypt:
+          - set second_app email ssl-admin@mycompany.com
+          - enable second_app
+```
+`secrets.yml` is an optional additional file containing environment variables that you do not want to check into your source code repository.  It is a simple KEY=VALUE format:
+
+```
+DB_PASSWORD=letmein
+ENCRYPTION_KEY=secretstuff
+```
+
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/standard-procedure-anvil.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+require "standard/rake"
+
+task default: %i[spec standard]

data/exe/anvil

@@ -0,0 +1,5 @@
+#!/usr/bin/env ruby
+
+require_relative "../lib/anvil"
+
+Anvil::Cli.start(ARGV)

data/lib/anvil/cli.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require "thor"
+require_relative "installer"
+class Anvil::Cli < Thor
+  desc "anvil install", "Perform an installation of dokku on a server"
+  long_desc <<-DESC
+    Perform an installation of dokku on a server in preparation for deploying apps.
+
+      Example:
+      `anvil install CONFIG`
+
+      The default CONFIG file is `anvil.yml` in the current directory.
+
+      Options:
+      --private_key, -k: The path to the key certificate file to use when connecting to the server.
+      --passphrase, -p: The passphrase to use when connecting to the server.
+  DESC
+  option :private_key, type: :string, default: nil, aliases: "-k"
+  option :passphrase, type: :string, default: nil, aliases: "-p"
+
+  def install config = "anvil.yml", private_key = nil, passphrase = nil
+    Anvil::Installer.new(configuration_from(config), private_key, passphrase).call
+  end
+
+  def self.exit_on_failure?
+    true
+  end
+
+  protected
+
+  def configuration_from(file_name)
+    @configuration ||= YAML.load_file(file_name)
+  end
+end

data/lib/anvil/installer.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require "yaml"
+require_relative "server_installer"
+
+# The Installer reads the configuration and runs the ServerInstaller for each host.
+class Anvil::Installer < Struct.new(:configuration, :private_key, :passphrase)
+  def call
+    hosts.each do |host|
+      Anvil::ServerInstaller.new(host, configuration, private_key, passphrase).call
+    end
+  end
+
+  def hosts
+    configuration["hosts"]
+  end
+end

data/lib/anvil/logger.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+class Anvil::Logger < Struct.new(:prefix)
+  def info message, category = nil
+    puts [timestamp, category, message].compact.join(" ")
+  end
+
+  protected
+
+  def timestamp
+    "#{Time.now.strftime("%H:%M:%S")} #{prefix}".rjust(40)
+  end
+end

data/lib/anvil/server_installer/configure_docker.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+class Anvil::ServerInstaller::ConfigureDocker < Struct.new(:ssh_connection)
+  def call
+    script = <<~SCRIPT
+      echo "15 0 3 * * /usr/bin/docker system prune -f" | crontab
+    SCRIPT
+    ssh_connection.exec! script, "ConfigureDocker"
+  end
+end

data/lib/anvil/server_installer/configure_dokku.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class Anvil::ServerInstaller::ConfigureDokku < Struct.new(:ssh_connection, :hostname)
+  def call
+    script = <<~SCRIPT
+      dokku domains:set-global #{hostname}
+      dokku git:set --global deploy-branch main
+    SCRIPT
+    ssh_connection.exec! script, "ConfigureDokku"
+  end
+end

data/lib/anvil/server_installer/configure_firewall.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+class Anvil::ServerInstaller::ConfigureFirewall < Struct.new(:ssh_connection, :ports)
+  def call
+    ports.collect do |port|
+      ssh_connection.exec! "ufw allow #{port}", "ConfigureFirewall"
+    end
+    ssh_connection.exec! "ufw --force enable", "ConfigureFirewall"
+  end
+end

data/lib/anvil/server_installer/configure_ssh_server.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+class Anvil::ServerInstaller::ConfigureSshServer < Struct.new(:ssh_connection)
+  def call
+    script = <<-SCRIPT
+      sed -i 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
+      sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin no/g' /etc/ssh/sshd_config
+      service sshd restart
+    SCRIPT
+    ssh_connection.exec! script, "ConfigureSshServer"
+  end
+end

data/lib/anvil/server_installer/create_users.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+class Anvil::ServerInstaller::CreateUsers < Struct.new(:ssh_connection, :names)
+  def call
+    names.collect do |name|
+      script = <<~SCRIPT
+        if id -u #{name} >/dev/null 2>&1; then
+          echo "#{name} already exists"
+        else
+          echo "Adding #{name}"
+          adduser --disabled-password --gecos "" #{name}
+          usermod -aG sudo #{name}
+          usermod -aG docker #{name}
+          echo "#{name} ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
+          fi
+      SCRIPT
+      ssh_connection.exec! script, "CreateUsers"
+    end
+  end
+end

data/lib/anvil/server_installer/install_packages.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+class Anvil::ServerInstaller::InstallPackages < Struct.new(:ssh_connection, :public_key_file)
+  def call
+    public_key = File.read public_key_file
+    script = <<~SCRIPT
+      mkdir -p /root/.ssh
+      echo "#{public_key}" > /root/.ssh/id_rsa.pub
+      mkdir -p /etc/skel/.ssh
+      cp /root/.ssh/id_rsa.pub /etc/skel/.ssh/authorized_keys
+
+      echo "Installing packages"
+      apt-get update -qq >/dev/null
+      apt-get -qq -y --no-install-recommends install apt-transport-https
+
+      if command -v "$@" > /dev/null 2>&1; then
+        echo "Docker is already installed"
+      else
+        echo "Installing docker"
+        wget -nv -O - https://get.docker.com/ | sh
+
+        wget -qO- https://packagecloud.io/dokku/dokku/gpgkey | tee /etc/apt/trusted.gpg.d/dokku.asc
+        DISTRO="$(awk -F= '$1=="ID" { print tolower($2) ;}' /etc/os-release)"
+        OS_ID="$(awk -F= '$1=="VERSION_CODENAME" { print tolower($2) ;}' /etc/os-release)"
+        echo "deb https://packagecloud.io/dokku/dokku/${DISTRO}/ ${OS_ID} main" | tee /etc/apt/sources.list.d/dokku.list
+      fi
+
+      echo "Installing dokku"
+      apt-get update -qq >/dev/null
+      apt-get -qq -y install dokku
+
+      echo "Installing dependencies"
+      dokku plugin:install-dependencies --core
+
+      cat /root/.ssh/id_rsa.pub | dokku ssh-keys:add admin
+    SCRIPT
+
+    ssh_connection.exec! script, "InstallPackages"
+  end
+end

data/lib/anvil/server_installer/install_plugins.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+class Anvil::ServerInstaller::InstallPlugins < Struct.new(:ssh_connection, :plugins)
+  def call
+    plugins.each do |name, config|
+      scripts = ["dokku plugin:install #{config["url"]} #{name}"]
+      plugin_config = config["config"] || []
+      scripts += plugin_config.collect do |cmd|
+        "dokku #{name}:#{cmd}"
+      end
+      ssh_connection.exec! scripts.join("\n"), "InstallPlugins"
+    end
+  end
+end

data/lib/anvil/server_installer/set_hostname.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+class Anvil::ServerInstaller::SetHostname < Struct.new(:ssh_connection, :hostname)
+  def call
+    script = <<-SCRIPT
+      hostnamectl set-hostname #{hostname}
+      mkdir -p /etc/environment.d
+      echo "HOSTNAME=#{hostname}" > /etc/environment.d/99-hostname
+    SCRIPT
+    ssh_connection.exec! script, "SetHostname"
+  end
+end

data/lib/anvil/server_installer/set_timezone.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+class Anvil::ServerInstaller::SetTimezone < Struct.new(:ssh_connection, :timezone)
+  def call
+    script = <<-SCRIPT
+    timedatectl set-timezone #{timezone}
+    SCRIPT
+    ssh_connection.exec! script, "SetTimezone"
+  end
+end

data/lib/anvil/server_installer.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require_relative "ssh_executor"
+require_relative "logger"
+
+# The server installer uses Net::SSH to connect to the server and then run the following steps:
+# - Sets the server hostname and timezone
+# - Installs various necessary packages, plus dokku itself
+# - Sets up the firewall
+# - Creates unix users for each app, adding them to the sudo and docker groups, and setting their authorized_keys files with the given public key
+# - Sets the dokku deployment branch to `main`
+# - Schedule a `docker system prune` once per week to clean up any dangling images or containers
+# - Configure nginx
+# - Install dokku plugins and run any configuration you have defined
+# - Disallows root and passwordless logins over SSH
+class Anvil::ServerInstaller < Struct.new(:hostname, :configuration, :private_key, :passphrase)
+  require_relative "server_installer/set_hostname"
+  require_relative "server_installer/set_timezone"
+  require_relative "server_installer/install_packages"
+  require_relative "server_installer/create_users"
+  require_relative "server_installer/configure_dokku"
+  require_relative "server_installer/configure_docker"
+  require_relative "server_installer/install_plugins"
+  require_relative "server_installer/configure_firewall"
+  require_relative "server_installer/configure_ssh_server"
+  def call
+    Anvil::SshExecutor.new(hostname, server_configuration["user"], logger).call do |ssh_connection|
+      logger.info "SetHostname"
+      Anvil::ServerInstaller::SetHostname.new(ssh_connection, hostname).call
+      logger.info "SetTimezone"
+      Anvil::ServerInstaller::SetTimezone.new(ssh_connection, server_configuration["timezone"]).call
+      logger.info "InstallPackages"
+      Anvil::ServerInstaller::InstallPackages.new(ssh_connection, server_configuration["public_key"]).call
+      logger.info "ConfigureDokku"
+      Anvil::ServerInstaller::ConfigureDokku.new(ssh_connection, hostname).call
+      logger.info "CreateUsers"
+      Anvil::ServerInstaller::CreateUsers.new(ssh_connection, app_names).call
+      logger.info "InstallPlugins"
+      Anvil::ServerInstaller::InstallPlugins.new(ssh_connection, server_configuration["plugins"]).call
+      logger.info "ConfigureDocker"
+      Anvil::ServerInstaller::ConfigureDocker.new(ssh_connection).call
+      logger.info "ConfigureFirewall"
+      Anvil::ServerInstaller::ConfigureFirewall.new(ssh_connection, server_configuration["ports"]).call
+      logger.info "ConfigureSshServer"
+      Anvil::ServerInstaller::ConfigureSshServer.new(ssh_connection).call
+    end
+  end
+
+  def server_configuration
+    configuration["server_config"]
+  end
+
+  def app_names
+    configuration["apps"].keys
+  end
+
+  def logger
+    Anvil::Logger.new(hostname)
+  end
+end

data/lib/anvil/ssh_executor.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require "net/ssh"
+
+# The Installer reads the configuration and runs the ServerInstaller for each host.
+class Anvil::SshExecutor < Struct.new(:hostname, :user, :logger)
+  def call &block
+    @connection = Net::SSH.start hostname, user, use_agent: true
+    block.call self
+  end
+
+  def exec! script, category = ""
+    @connection.exec! script do |channel, stream, data|
+      data.to_s.split("\n") do |line|
+        logger.info line, category
+      end
+    end
+  end
+end

data/lib/anvil/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Anvil
+  VERSION = "0.1.1"
+end

data/lib/anvil.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require_relative "anvil/version"
+require_relative "anvil/cli"
+
+module Anvil
+  class Error < StandardError; end
+end

data/sig/standard/procedure/anvil.rbs

@@ -0,0 +1,8 @@
+module Standard
+  module Procedure
+    module Anvil
+      VERSION: String
+      # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+    end
+  end
+end

metadata

@@ -0,0 +1,127 @@
+--- !ruby/object:Gem::Specification
+name: standard-procedure-anvil
+version: !ruby/object:Gem::Version
+  version: 0.1.1
+platform: ruby
+authors:
+- Rahoul Baruah
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2023-06-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: ed25519
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bcrypt_pbkdf
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: net-ssh
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Tools for managing servers and apps built using dokku
+email:
+- rahoulb@standardprocedure.app
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".rspec"
+- ".standard.yml"
+- CHANGELOG.md
+- LICENSE.txt
+- README.md
+- Rakefile
+- exe/anvil
+- lib/anvil.rb
+- lib/anvil/cli.rb
+- lib/anvil/installer.rb
+- lib/anvil/logger.rb
+- lib/anvil/server_installer.rb
+- lib/anvil/server_installer/configure_docker.rb
+- lib/anvil/server_installer/configure_dokku.rb
+- lib/anvil/server_installer/configure_firewall.rb
+- lib/anvil/server_installer/configure_ssh_server.rb
+- lib/anvil/server_installer/create_users.rb
+- lib/anvil/server_installer/install_packages.rb
+- lib/anvil/server_installer/install_plugins.rb
+- lib/anvil/server_installer/set_hostname.rb
+- lib/anvil/server_installer/set_timezone.rb
+- lib/anvil/ssh_executor.rb
+- lib/anvil/version.rb
+- sig/standard/procedure/anvil.rbs
+homepage: https://github.com/standard-procedure/anvil
+licenses:
+- MIT
+metadata:
+  allowed_push_host: https://rubygems.org
+  homepage_uri: https://github.com/standard-procedure/anvil
+  source_code_uri: https://github.com/standard-procedure/anvil
+  changelog_uri: https://github.com/standard-procedure/anvil
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.6.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.4.14
+signing_key:
+specification_version: 4
+summary: Tools for managing servers and apps built using dokku
+test_files: []