standard-procedure-anvil 0.1.2 → 0.1.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 826f4465c3c26af2077d355b53142e7755aa8897eceda3a030ef8dc024fa1a3a
-  data.tar.gz: c2e780bd49774ce57fc357210b10f867bd8edb1e3694698a0886527ab72d5d38
+  metadata.gz: 3d027adf40008dfa46d97cee23b65a6a8468e935d11e56da74ee9f464b06ff68
+  data.tar.gz: 81aa2e0e4b54cc557338df3198a57bd69ff8da6e1cb53b26e9a437b8aafcc082
 SHA512:
-  metadata.gz: 0d0fe31b85a435a86777fd01de0e0a4c79356dff5f831872a74f0eb552a32f03479a9f5a8a8a371b56aa646e3a2f71d3cdbbdc6d5f8c42479356403f7e163485
-  data.tar.gz: f64d1bc0457cc69932acc4a8405206ee7e63c038e68655e2fb96ac10d31bb79a7dc221a5ea497c831cf701176a223bae828e8ce157635fcc12df579f8880f0e8
+  metadata.gz: 07fc89824892dbd33fc70dd33b3b8420fc8ac4c334a92c31e98a4b7f94a2f7071a9c5c58b02d9baf20ae3926d54a3fdf206c3cdfac29de48375b98a6847c4aee
+  data.tar.gz: 8b56e4d0f3c223b4225b587d218ac6694397aa528e69a5bef8e92ba3cb9148a89718cfb842e8076d0951ae60516269db55766dd653438694783801448ca394bc

data/.devcontainer/devcontainer.json

@@ -3,20 +3,30 @@
 {
 	"name": "Ruby",
 	// Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
-	"image": "mcr.microsoft.com/devcontainers/ruby:0-3-bullseye"
-
+	"dockerFile": "../Dockerfile",
 	// Features to add to the dev container. More info: https://containers.dev/features.
 	// "features": {},
-
 	// Use 'forwardPorts' to make a list of ports inside the container available locally.
 	// "forwardPorts": [],
-
 	// Use 'postCreateCommand' to run commands after the container is created.
-	// "postCreateCommand": "ruby --version",
-
-	// Configure tool-specific properties.
-	// "customizations": {},
-
+	"postCreateCommand": "bundle install",
+	"customizations": {
+		"vscode": {
+			"extensions": [
+				"ms-azuretools.vscode-docker",
+				"donjayamanne.githistory",
+				"github.vscode-github-actions",
+				"GitHub.copilot-chat",
+				"GitHub.vscode-pull-request-github",
+				"aki77.rails-db-schema",
+				"rebornix.ruby",
+				"sibiraj-s.vscode-scss-formatter",
+				"testdouble.vscode-standard-ruby",
+				"bennycode.sort-everything",
+				"Thadeu.vscode-run-rspec-file",
+			]
+		}
+	}
 	// Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
 	// "remoteUser": "root"
 }

data/Dockerfile

@@ -0,0 +1,10 @@
+FROM mcr.microsoft.com/devcontainers/ruby:0-3-bullseye
+
+RUN gem update bundler
+RUN gem install standardrb
+
+WORKDIR /workspaces/standard-procedure-anvil
+
+COPY . /workspaces/standard-procedure-anvil/
+RUN bundle check || bundle install
+

data/assets/cloudinit/dokku.ubuntu-22.yml

@@ -0,0 +1,48 @@
+#cloud-config
+users:
+  - name: %{USER}
+    groups: users, admin, docker
+    sudo: ALL=(ALL) NOPASSWD:ALL
+    shell: /bin/bash
+    ssh_authorized_keys:
+      - %{PUBLIC_KEY}
+packages:
+  - fail2ban
+  - ufw
+  - wget
+  - apt-transport-https
+package_update: true
+package_upgrade: true
+runcmd:
+  # General server setup
+  - timedatectl set-timezone UTC
+  # Fail2Ban setup
+  - printf "[sshd]\nenabled = true\nbanaction = iptables-multiport" > /etc/fail2ban/jail.local
+  - systemctl enable fail2ban
+  # UFW and SSH setup
+  - ufw allow 22/tcp
+  - ufw allow 80/tcp
+  - ufw allow 443/tcp
+  - ufw enable
+  # Harden SSH
+  - sed -i -e '/^\(#\|\)PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)X11Forwarding/s/^.*$/X11Forwarding no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)MaxAuthTries/s/^.*$/MaxAuthTries 2/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)AllowTcpForwarding/s/^.*$/AllowTcpForwarding no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)AllowAgentForwarding/s/^.*$/AllowAgentForwarding no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)AuthorizedKeysFile/s/^.*$/AuthorizedKeysFile .ssh\/authorized_keys/' /etc/ssh/sshd_config
+  - sed -i '$a AllowUsers %{USER} dokku' /etc/ssh/sshd_config
+  # Dokku setup
+  - echo "dokku dokku/vhost_enable boolean true" | sudo debconf-set-selections
+  - wget https://dokku.com/install/v0.30.7/bootstrap.sh && sudo DOKKU_TAG=v0.30.7 bash bootstrap.sh
+  - cat /home/%{USER}/.ssh/authorized_keys | dokku ssh-keys:add admin
+  - dokku plugin:install https://github.com/dokku/dokku-cron-restart.git cron-restart
+  - dokku plugin:install https://github.com/dokku/dokku-maintenance.git maintenance
+  - dokku plugin:install https://github.com/dokku/dokku-redis.git redis
+  - dokku plugin:install https://github.com/dokku/dokku-mariadb.git mariadb
+  - dokku plugin:install https://github.com/dokku/dokku-memcached.git memcached
+  - dokku plugin:install https://github.com/dokku/dokku-letsencrypt.git letsencrypt
+  - dokku config:set --global DOKKU_LETSENCRYPT_EMAIL=sysadmin@echodek.co
+  - dokku git:set --global deploy-branch main
+  - reboot

data/assets/cloudinit/memcached.ubuntu-22.yml

@@ -0,0 +1,50 @@
+#cloud-config
+users:
+  - name: %{USER}
+    groups: users, admin, docker
+    sudo: ALL=(ALL) NOPASSWD:ALL
+    shell: /bin/bash
+    ssh_authorized_keys:
+      - %{PUBLIC_KEY}
+packages:
+  - fail2ban
+  - ufw
+  - wget
+  - memcached
+  - logrotate
+package_update: true
+package_upgrade: true
+runcmd:
+  # General server setup
+  - timedatectl set-timezone UTC
+  # Fail2Ban setup
+  - printf "[sshd]\nenabled = true\nbanaction = iptables-multiport" > /etc/fail2ban/jail.local
+  - systemctl enable fail2ban
+  # UFW and SSH setup
+  - ufw allow 22/tcp
+  - ufw allow 11211/tcp
+  - ufw enable
+  # Harden SSH
+  - sed -i -e '/^\(#\|\)PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)X11Forwarding/s/^.*$/X11Forwarding no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)MaxAuthTries/s/^.*$/MaxAuthTries 2/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)AllowTcpForwarding/s/^.*$/AllowTcpForwarding no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)AllowAgentForwarding/s/^.*$/AllowAgentForwarding no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)AuthorizedKeysFile/s/^.*$/AuthorizedKeysFile .ssh\/authorized_keys/' /etc/ssh/sshd_config
+  - sed -i '$a AllowUsers %{USER}' /etc/ssh/sshd_config
+  # Set up memcached
+  - sed -i 's/-m 64/-m 512/g' /etc/memcached.conf
+  - sed -i 's/-l 127.0.0.1/-l 0.0.0.0/g' /etc/memcached.conf
+  - systemctl restart memcached.service
+  - |
+    cat > /etc/logrotate.d/memcached << EOF
+    /var/log/redis/memcached*.log {
+      daily
+      missingok
+      rotate 7
+      compress
+      notifempty
+    }
+    EOF
+  - reboot

data/assets/cloudinit/mysql.ubuntu-22.yml

@@ -0,0 +1,57 @@
+#cloud-config
+users:
+  - name: %{USER}
+    groups: users, admin
+    sudo: ALL=(ALL) NOPASSWD:ALL
+    shell: /bin/bash
+    ssh_authorized_keys:
+      - %{PUBLIC_KEY}
+packages:
+  - fail2ban
+  - mysql-client
+  - libmysqlclient-dev
+  - ufw
+package_update: true
+package_upgrade: true
+runcmd:
+  # General server setup
+  - timedatectl set-timezone UTC
+  # Install MySQL
+  - echo "mysql-server mysql-server/root_password password root" | sudo debconf-set-selections
+  - echo "mysql-server mysql-server/root_password_again password root" | sudo debconf-set-selections
+  - sudo apt-get -y install mysql-server
+  - |
+    cat >> /etc/mysql/mysql.conf.d/utf8.cnf << CONF
+    [client]
+    default-character-set=utf8mb4
+
+    [mysql]
+    default-character-set=utf8mb4
+
+    [mysqld]
+    init_connect='SET collation_connection = utf8mb4_unicode_ci'
+    init_connect='SET NAMES utf8mb4'
+    character-set-server=utf8mb4
+    collation-server=utf8mb4_unicode_ci
+    skip-character-set-client-handshake
+    CONF
+  - sed -i -e '/^\(#\|\)bind-address/s/^.*$/bind-address = 0.0.0.0/' /etc/mysql/mysql.conf.d/mysqld.cnf
+  # Setup fail2ban
+  - printf "[sshd]\nenabled = true\nbanaction = iptables-multiport" > /etc/fail2ban/jail.local
+  - systemctl enable fail2ban
+  # Start MySQL
+  - systemctl start mysql.service
+  # Setup ufw
+  - ufw allow 22/tcp
+  - ufw allow 3306/tcp
+  - ufw enable
+  # Harden SSH
+  - sed -i -e '/^\(#\|\)PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)X11Forwarding/s/^.*$/X11Forwarding no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)MaxAuthTries/s/^.*$/MaxAuthTries 2/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)AllowTcpForwarding/s/^.*$/AllowTcpForwarding no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)AllowAgentForwarding/s/^.*$/AllowAgentForwarding no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)AuthorizedKeysFile/s/^.*$/AuthorizedKeysFile .ssh\/authorized_keys/' /etc/ssh/sshd_config
+  - sed -i '$a AllowUsers %{USER}' /etc/ssh/sshd_config
+  - reboot

data/assets/cloudinit/opensearch.ubuntu-22.yml

@@ -0,0 +1,90 @@
+#cloud-config
+users:
+  - name: %{USER}
+    groups: users, admin, docker
+    sudo: ALL=(ALL) NOPASSWD:ALL
+    shell: /bin/bash
+    ssh_authorized_keys:
+      - %{PUBLIC_KEY}
+packages:
+  - fail2ban
+  - ufw
+  - wget
+  - docker.io
+  - docker-compose
+  - apt-transport-https
+package_update: true
+package_upgrade: true
+runcmd:
+  # General server setup
+  - timedatectl set-timezone UTC
+  # Prepare for OpenSearch
+  - swapoff -a
+  - echo "vm.max_map_count=262144" > /etc/sysctl.d/98-opensearch.conf
+  - sysctl -p /etc/sysctl.d/98-opensearch.conf
+  # Fail2Ban setup
+  - printf "[sshd]\nenabled = true\nbanaction = iptables-multiport" > /etc/fail2ban/jail.local
+  - systemctl enable fail2ban
+  # UFW and SSH setup
+  - ufw allow 22/tcp
+  - ufw allow 9200/tcp
+  - ufw allow 9600/tcp
+  - ufw enable
+  # Harden SSH
+  - sed -i -e '/^\(#\|\)PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)X11Forwarding/s/^.*$/X11Forwarding no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)MaxAuthTries/s/^.*$/MaxAuthTries 2/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)AllowTcpForwarding/s/^.*$/AllowTcpForwarding no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)AllowAgentForwarding/s/^.*$/AllowAgentForwarding no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)AuthorizedKeysFile/s/^.*$/AuthorizedKeysFile .ssh\/authorized_keys/' /etc/ssh/sshd_config
+  - sed -i '$a AllowUsers %{USER}' /etc/ssh/sshd_config
+  # OpenSearch setup
+  - mkdir -p /etc/opensearch
+  - docker pull opensearchproject/opensearch:latest
+  - docker pull opensearchproject/opensearch-dashboards:latest
+  - |
+    cat >> /etc/opensearch/docker-compose.yml << EOF
+    version: '3'
+    services:
+      search_db:
+        image: opensearchproject/opensearch:latest
+        container_name: search_db
+        environment:
+          - discovery.type=single-node
+          - node.name=search_db
+          - bootstrap.memory_lock=true
+          - plugins.security.disabled=true
+          - "OPENSEARCH_JAVA_OPTS=-Xms4096m -Xmx4096m"
+        ulimits:
+          memlock:
+            soft: -1
+            hard: -1
+          nofile:
+            soft: 65536
+            hard: 65536
+        volumes:
+          - opensearch_data:/usr/share/opensearch/data
+        ports:
+          - 9200:9200
+          - 9600:9600
+    volumes:
+      opensearch_data:
+    EOF
+  - |
+    cat >> /etc/systemd/system/opensearch.service << EOF
+    Description=OpenSearch container
+    Requires=docker.service
+    After=docker.service
+    [Service]
+    WorkingDirectory=/etc/opensearch
+    Restart=always
+    ExecStart=/usr/bin/docker-compose up
+    ExecStop=/usr/bin/docker-compose down
+    [Install]
+    WantedBy=multi-user.target
+    EOF
+  - systemctl daemon-reload
+  - systemctl enable opensearch.service
+  - service opensearch start
+  - reboot

data/assets/cloudinit/redis.ubuntu-22.yml

@@ -0,0 +1,51 @@
+#cloud-config
+users:
+  - name: %{USER}
+    groups: users, admin, docker
+    sudo: ALL=(ALL) NOPASSWD:ALL
+    shell: /bin/bash
+    ssh_authorized_keys:
+      - %{PUBLIC_KEY}
+packages:
+  - fail2ban
+  - ufw
+  - wget
+  - redis-server
+  - logrotate
+package_update: true
+package_upgrade: true
+runcmd:
+  # General server setup
+  - timedatectl set-timezone UTC
+  # Fail2Ban setup
+  - printf "[sshd]\nenabled = true\nbanaction = iptables-multiport" > /etc/fail2ban/jail.local
+  - systemctl enable fail2ban
+  # UFW and SSH setup
+  - ufw allow 22/tcp
+  - ufw allow 6379/tcp
+  - ufw enable
+  # Harden SSH
+  - sed -i -e '/^\(#\|\)PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)X11Forwarding/s/^.*$/X11Forwarding no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)MaxAuthTries/s/^.*$/MaxAuthTries 2/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)AllowTcpForwarding/s/^.*$/AllowTcpForwarding no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)AllowAgentForwarding/s/^.*$/AllowAgentForwarding no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)AuthorizedKeysFile/s/^.*$/AuthorizedKeysFile .ssh\/authorized_keys/' /etc/ssh/sshd_config
+  - sed -i '$a AllowUsers %{USER}' /etc/ssh/sshd_config
+  # Set up Redis
+  - sed -i 's/supervised no/supervised systemd/g' /etc/redis/redis.conf
+  - sed -i 's/bind 127.0.0.1 ::1/# bind 127.0.0.1 ::1/g' /etc/redis/redis.conf
+  - sed -i 's/protected-mode yes/protected-mode no/g' /etc/redis/redis.conf
+  - systemctl restart redis.service
+  - |
+    cat > /etc/logrotate.d/redis-server << EOF
+    /var/log/redis/redis-server*.log {
+      daily
+      missingok
+      rotate 7
+      compress
+      notifempty
+    }
+    EOF
+  - reboot

data/lib/anvil/app/env.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Anvil
+  class App
+    require_relative "../configuration_reader"
+    class Env < Struct.new(:configuration, :host, :secrets)
+      include ConfigurationReader
+
+      def call
+        self.host ||= hosts.first
+        validate host
+        [env_vars_for(host), env_vars_for_app, secrets].compact.join(" ").strip
+      end
+
+      protected
+
+      def env_vars_for host
+        generate_from environment_for(host)
+      end
+
+      def env_vars_for_app
+        generate_from environment_for_app
+      end
+
+      def generate_from variables
+        variables&.join(" ")&.strip
+      end
+    end
+  end
+end

data/lib/anvil/app/host_installer.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+require "standard_procedure/async"
+module Anvil
+  require_relative "../logger"
+  require_relative "../ssh_executor"
+  require_relative "env"
+  class App
+    class HostInstaller < Struct.new(:configuration, :host, :secrets)
+      include StandardProcedure::Async::Actor
+
+      async :call do
+        Anvil::SshExecutor.new(host, user_for(host), logger).call do |ssh|
+          create_app ssh
+          set_environment ssh
+          set_dokku_options ssh
+          run_post_installation_scripts ssh
+        end
+      end
+
+      protected
+
+      def create_app ssh
+        ssh.exec! "dokku apps:create app", "create_app"
+      end
+
+      def set_environment ssh
+        ssh.exec! "dokku config:set app #{Anvil::App::Env.new(configuration, host, secrets).call}", "set_environment"
+      end
+
+      def set_dokku_options ssh
+        ssh.exec! "dokku docker-options:add app run \"--add-host=host.docker.internal:host-gateway\"", "set_dokku_options"
+        ssh.exec! "dokku domains:set app #{configuration_for_app["domain"]}", "set_dokku_options"
+        ssh.exec! "dokku proxy:ports-add app http:80:#{configuration_for_app["port"]}", "set_dokku_options"
+        ssh.exec! "dokku nginx:set app client-max-body-size 512m", "set_dokku_options"
+        ssh.exec! "dokku nginx:set app proxy-read-timeout 60s", "set_dokku_options"
+        ssh.exec! "dokku proxy:build-config app", "set_dokku_options"
+      end
+
+      def run_post_installation_scripts ssh
+        configuration_for_app.fetch("scripts")&.fetch("post_install")&.each do |script|
+          ssh.exec! script, "run_post_installation_scripts"
+        end
+        configuration_for(host).fetch("scripts")&.fetch("post_install")&.each do |script|
+          ssh.exec! script, "run_post_installation_scripts"
+        end
+      end
+
+      def logger
+        @logger ||= Anvil::Logger.new("HostInstaller - #{host}")
+      end
+    end
+  end
+end

data/lib/anvil/app/install.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module Anvil
+  class App
+    require_relative "host_installer"
+    require_relative "../configuration_reader"
+    class Install < Struct.new(:configuration, :secrets)
+      include ConfigurationReader
+      def call
+        hosts.each do |host|
+          HostInstaller.new(configuration, host, secrets).call
+        end
+      end
+    end
+  end
+end

data/lib/anvil/app.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require_relative "subcommand"
+require "yaml"
+
+module Anvil
+  class App < Anvil::SubCommandBase
+    require_relative "app/env"
+
+    desc "env", "Generate environment variables for an app"
+    long_desc <<-DESC
+    List the environment variables for an app (on a given host)
+
+    Example:
+      anvil app env /path/to/config
+
+      If the /path/to/config is not supplied, it defaults to deploy.yml
+
+      Options:
+
+      --host, -h: The server that the environment variables should be generated for - only required if multiple servers are configured
+
+      --secrets, -s: The path to a file containing secrets to be injected into the environment variables
+
+      --secrets-stdin, -S: Read secrets from STDIN instead of a file
+    DESC
+    option :host, type: :string, default: nil, aliases: "-h"
+    option :secrets, type: :string, default: nil, aliases: "-s"
+    option :secrets_stdin, type: :boolean, default: false, aliases: "-S"
+    def env filename = "deploy.yml"
+      configuration = YAML.load_file(filename)
+      secrets = read_secrets filename: options[:secrets], stdin: options[:secrets_stdin]
+      puts Anvil::App::Env.new(configuration, options[:host], secrets).call
+    end
+
+    desc "install", "Install an app"
+    long_desc <<-DESC
+    Install an app on the hosts specified in the configuration.
+
+    This logs in to each host in turn, using the user specified in the configuration file, it initialises the app, using dokku, then sets up the environment variables and other dokku options and finally runs any post-installation scripts.
+
+    In order to SSH in to the server correctly, it expects the private key to be available via your SSH agent. To test this, make sure you can `ssh user@host` without being prompted for a password.
+
+    Example:
+      anvil app install /path/to/config
+      If the /path/to/config is not supplied, it defaults to deploy.yml
+
+      Options:
+
+      --secrets, -s: The path to a file containing secrets to be injected into the environment variables
+
+      --secrets-stdin, -S: Read secrets from STDIN instead of a file
+    DESC
+    def install filename = "deploy.yml"
+      configuration = YAML.load_file(filename)
+      secrets = read_secrets filename: options[:secrets], stdin: options[:secrets_stdin]
+      Anvil::App::Install.new(configuration, secrets).call
+    end
+
+    protected
+
+    def read_secrets(filename: nil, stdin: false)
+      return nil if filename.nil? && !stdin
+      return $stdin.read if stdin
+      return File.read(filename) if File.exist?(filename)
+    end
+  end
+end

data/lib/anvil/cli.rb

@@ -1,56 +1,30 @@
 # frozen_string_literal: true
 
 require "thor"
-require_relative "installer"
-class Anvil::Cli < Thor
-  desc "anvil install", "Perform an installation of dokku on a server"
-  long_desc <<-DESC
-    Perform an installation of dokku on a server in preparation for deploying apps.
+require_relative "cloudinit"
+require_relative "app"
 
-      Example:
-      `anvil install CONFIG`
+module Anvil
+  class Cli < Thor
+    desc "cloudinit", "Generate a cloudinit configuration"
+    subcommand "cloudinit", Anvil::Cloudinit
 
-      The default CONFIG file is `anvil.yml` in the current directory.
+    desc "app", "Install or deploy a dokku app"
+    subcommand "app", Anvil::App
 
-      Options:
-      --private_key, -k: The path to the key certificate file to use when connecting to the server.
-      --passphrase, -p: The passphrase to use when connecting to the server.
-  DESC
-  option :private_key, type: :string, default: nil, aliases: "-k"
-  option :passphrase, type: :string, default: nil, aliases: "-p"
-  def install config = "anvil.yml", private_key = nil, passphrase = nil
-    Anvil::Installer.new(configuration_from(config), private_key, passphrase).call
-  end
-
-  desc "anvil deploy", "Deploy the current app"
-  long_desc <<-DESC
-    Deploy the current app to the server to the servers
-
-      Example:
-      `anvil deploy CONFIG`
-
-      The default CONFIG file is `anvil.yml` in the current directory.
-      Options:
-      --private_key, -k: The path to the key certificate file to use when connecting to the server.
-      --passphrase, -p: The passphrase to use when connecting to the server.
-  DESC
-  option :private_key, type: :string, default: nil, aliases: "-k"
-  option :passphrase, type: :string, default: nil, aliases: "-p"
-  def deploy config = "anvil.yml", private_key = nil, passphrase = nil
-  end
-
-  desc "anvil version", "Print the version of the anvil gem"
-  def version
-    puts Anvil::VERSION
-  end
+    desc "version", "Print the version of the anvil gem"
+    def version
+      puts Anvil::VERSION
+    end
 
-  def self.exit_on_failure?
-    true
-  end
+    def self.exit_on_failure?
+      true
+    end
 
-  protected
+    protected
 
-  def configuration_from(file_name)
-    @configuration ||= YAML.load_file(file_name)
+    def configuration_from(file_name)
+      @configuration ||= YAML.load_file(file_name)
+    end
   end
 end

data/lib/anvil/cloudinit/generator.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module Anvil
+  class Cloudinit
+    class Generator < Struct.new(:filename, :user, :public_key_path)
+      def call
+        public_key = public_key_path.to_s.gsub("~", Dir.home)
+
+        if File.exist?(public_key)
+          puts File.read(filename).gsub("%{USER}", user).gsub("%{PUBLIC_KEY}", File.read(public_key))
+        else
+          puts "Cannot find public key file at #{public_key}"
+        end
+      end
+    end
+  end
+end
+
+# Compare this snippet from assets/cloudinit/mysql.ubuntu-22.yml:
+# # frozen_string_literal: true
+#
+# ---
+# packages:
+#   - mysql-server
+#   - mysql-client
+#   - libmysqlclient-dev
+#
+# users:
+#   - name: <%= user %>
+#     groups: sudo
+#     shell: /bin/bash
+#     sudo: ALL=(ALL) NOPASSWD:ALL
+#     ssh_authorized_keys:
+#       - <%= public_key %>
+#
+# files:
+#   - path: /etc/mysql/mysql.conf.d/mysqld.cnf
+#     content: |
+#       [mysqld]
+#       bind-address =

data/lib/anvil/cloudinit.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require_relative "subcommand"
+
+module Anvil
+  class Cloudinit < Anvil::SubCommandBase
+    require_relative "cloudinit/generator"
+
+    desc "list", "List cloudinit generators"
+    def list
+      Dir[File.dirname(__FILE__) + "/../../assets/cloudinit/*.yml"].each do |filename|
+        puts File.basename(filename.to_s, ".yml")
+      end
+    end
+
+    desc "generate", "Generate a cloudinit configuration"
+    long_desc <<-DESC
+    Generate a cloudinit configuration for a server
+
+    Example:
+      anvil cloudinit generate mysql.ubuntu-22 --user dbuser --public_key ~/.ssh/my_key.pub
+
+      Options:
+      --user, -u: The user to create on the server - defaults to app
+      --public_key, -k: The path to the public key file that will be installed for the user - default to ~/.ssh/id_rsa.pub
+    DESC
+    option :user, type: :string, default: "app", aliases: "-u"
+    option :public_key, type: :string, default: "~/.ssh/id_rsa.pub", aliases: "-k"
+    def generate configuration
+      filename = File.dirname(__FILE__) + "/../../assets/cloudinit/#{configuration}.yml"
+      Anvil::Cloudinit::Generator.new(filename, options[:user], options[:public_key]).call
+    end
+  end
+end

data/lib/anvil/configuration_reader.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module Anvil
+  # A set of utility methods for reading configuration data
+  # It expects the implemneting class to have a `configuration` method
+  module ConfigurationReader
+    def hosts
+      configuration["hosts"].collect { |host_data| host_data.keys }.flatten
+    end
+
+    def validate hostname
+      raise ArgumentError.new("Host #{hostname} is not in the configuration hosts list") unless hosts.include? hostname
+    end
+
+    def configuration_for_app
+      configuration["app"]
+    end
+
+    def environment_for_app
+      configuration_for_app.fetch "environment", []
+    end
+
+    def configuration_for hostname
+      host_config = configuration["hosts"].find { |host_data| host_data.key?(hostname) ? host_data[hostname] : nil }
+      host_config&.fetch(hostname)
+    end
+
+    def environment_for hostname
+      configuration_for(hostname)&.fetch "environment", []
+    end
+
+    def user_for hostname
+      configuration_for(hostname)&.fetch "user", nil
+    end
+  end
+end

data/lib/anvil/ssh_executor.rb

@@ -7,31 +7,19 @@ require "net/ssh"
 # - without sudo it runs the scripts as supplied
 # - with sudo it creates a script on the remote server, runs it via sudo, and then deletes it
 # If supplied, it will also write the output of the script to a logger.
-class Anvil::SshExecutor < Struct.new(:hostname, :user, :use_sudo, :logger)
-  def call &block
-    @connection = Net::SSH.start hostname, user, use_agent: true
-    block.call self
-  end
+module Anvil
+  class SshExecutor < Struct.new(:hostname, :user, :logger)
+    def call &block
+      @connection = Net::SSH.start hostname, user, use_agent: true
+      block.call self
+    end
 
-  def exec! script, category = ""
-    method = use_sudo ? :exec_with_sudo : :exec_without_sudo
-    send(method, script, category) do |channel, stream, data|
-      data.to_s.split("\n") do |line|
-        logger&.info line, category
+    def exec! script, category = ""
+      @connection.exec! script do |channel, stream, data|
+        data.to_s.split("\n") do |line|
+          logger&.info line, category
+        end
       end
     end
   end
-
-  protected
-
-  def exec_without_sudo script, category = "", &block
-    @connection.exec! script, &block
-  end
-
-  def exec_with_sudo script, category = "", &block
-    @connection.exec! "cat >> exec.sh << SCRIPT\n#{script}\nSCRIPT", &block
-    @connection.exec! "chmod 755 exec.sh", &block
-    @connection.exec! "sudo ./exec.sh", &block
-    @connection.exec! "rm exec.sh", &block
-  end
 end

data/lib/anvil/subcommand.rb

@@ -0,0 +1,13 @@
+require "thor"
+
+module Anvil
+  class SubCommandBase < Thor
+    def self.banner(command, namespace = nil, subcommand = false)
+      "#{basename} #{subcommand_prefix} #{command.usage}"
+    end
+
+    def self.subcommand_prefix
+      name.gsub(%r{.*::}, "").gsub(%r{^[A-Z]}) { |match| match[0].downcase }.gsub(%r{[A-Z]}) { |match| "-#{match[0].downcase}" }
+    end
+  end
+end

data/lib/anvil/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Anvil
-  VERSION = "0.1.2"
+  VERSION = "0.1.3"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: standard-procedure-anvil
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.1.3
 platform: ruby
 authors:
 - Rahoul Baruah
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-06-21 00:00:00.000000000 Z
+date: 2023-06-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -66,6 +66,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: standard-procedure-async
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Tools for managing servers and apps built using dokku
 email:
 - rahoulb@standardprocedure.app
@@ -77,25 +91,28 @@ files:
 - ".rspec"
 - ".standard.yml"
 - CHANGELOG.md
+- Dockerfile
 - LICENSE.txt
 - README.md
 - Rakefile
+- assets/cloudinit/dokku.ubuntu-22.yml
+- assets/cloudinit/memcached.ubuntu-22.yml
+- assets/cloudinit/mysql.ubuntu-22.yml
+- assets/cloudinit/opensearch.ubuntu-22.yml
+- assets/cloudinit/redis.ubuntu-22.yml
 - exe/anvil
 - lib/anvil.rb
+- lib/anvil/app.rb
+- lib/anvil/app/env.rb
+- lib/anvil/app/host_installer.rb
+- lib/anvil/app/install.rb
 - lib/anvil/cli.rb
-- lib/anvil/installer.rb
+- lib/anvil/cloudinit.rb
+- lib/anvil/cloudinit/generator.rb
+- lib/anvil/configuration_reader.rb
 - lib/anvil/logger.rb
-- lib/anvil/server_installer.rb
-- lib/anvil/server_installer/configure_docker.rb
-- lib/anvil/server_installer/configure_dokku.rb
-- lib/anvil/server_installer/configure_firewall.rb
-- lib/anvil/server_installer/configure_ssh_server.rb
-- lib/anvil/server_installer/create_user.rb
-- lib/anvil/server_installer/install_packages.rb
-- lib/anvil/server_installer/install_plugins.rb
-- lib/anvil/server_installer/set_hostname.rb
-- lib/anvil/server_installer/set_timezone.rb
 - lib/anvil/ssh_executor.rb
+- lib/anvil/subcommand.rb
 - lib/anvil/version.rb
 - sig/standard/procedure/anvil.rbs
 homepage: https://github.com/standard-procedure/anvil

data/lib/anvil/installer.rb

@@ -1,17 +0,0 @@
-# frozen_string_literal: true
-
-require "yaml"
-require_relative "server_installer"
-
-# The Installer reads the configuration and runs the ServerInstaller for each host.
-class Anvil::Installer < Struct.new(:configuration, :private_key, :passphrase)
-  def call
-    hosts.each do |host|
-      Anvil::ServerInstaller.new(host, configuration, private_key, passphrase).call
-    end
-  end
-
-  def hosts
-    configuration["hosts"]
-  end
-end

data/lib/anvil/server_installer/configure_docker.rb

@@ -1,10 +0,0 @@
-# frozen_string_literal: true
-
-class Anvil::ServerInstaller::ConfigureDocker < Struct.new(:ssh_connection)
-  def call
-    script = <<~SCRIPT
-      echo "15 0 3 * * /usr/bin/docker system prune -f" | crontab
-    SCRIPT
-    ssh_connection.exec! script, "ConfigureDocker"
-  end
-end

data/lib/anvil/server_installer/configure_dokku.rb

@@ -1,11 +0,0 @@
-# frozen_string_literal: true
-
-class Anvil::ServerInstaller::ConfigureDokku < Struct.new(:ssh_connection, :hostname)
-  def call
-    script = <<~SCRIPT
-      dokku domains:set-global #{hostname}
-      dokku git:set --global deploy-branch main
-    SCRIPT
-    ssh_connection.exec! script, "ConfigureDokku"
-  end
-end

data/lib/anvil/server_installer/configure_firewall.rb

@@ -1,10 +0,0 @@
-# frozen_string_literal: true
-
-class Anvil::ServerInstaller::ConfigureFirewall < Struct.new(:ssh_connection, :ports)
-  def call
-    ports.collect do |port|
-      ssh_connection.exec! "ufw allow #{port}", "ConfigureFirewall"
-    end
-    ssh_connection.exec! "ufw --force enable", "ConfigureFirewall"
-  end
-end

data/lib/anvil/server_installer/configure_ssh_server.rb

@@ -1,12 +0,0 @@
-# frozen_string_literal: true
-
-class Anvil::ServerInstaller::ConfigureSshServer < Struct.new(:ssh_connection)
-  def call
-    script = <<-SCRIPT
-      sed -i 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
-      sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin no/g' /etc/ssh/sshd_config
-      service sshd restart
-    SCRIPT
-    ssh_connection.exec! script, "ConfigureSshServer"
-  end
-end

data/lib/anvil/server_installer/create_user.rb

@@ -1,18 +0,0 @@
-# frozen_string_literal: true
-
-class Anvil::ServerInstaller::CreateUser < Struct.new(:ssh_connection, :user_name)
-  def call
-    script = <<~SCRIPT
-      if id -u #{user_name} >/dev/null 2>&1; then
-        echo "#{user_name} already exists"
-      else
-        echo "Adding #{user_name}"
-        adduser --disabled-password --gecos "" #{user_name}
-        usermod -aG sudo #{user_name}
-        usermod -aG docker #{user_name}
-        echo "#{user_name} ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
-        fi
-    SCRIPT
-    ssh_connection.exec! script, "CreateUser"
-  end
-end

data/lib/anvil/server_installer/install_packages.rb

@@ -1,40 +0,0 @@
-# frozen_string_literal: true
-
-class Anvil::ServerInstaller::InstallPackages < Struct.new(:ssh_connection, :public_key_file)
-  def call
-    public_key = File.read public_key_file
-    script = <<~SCRIPT
-      mkdir -p /root/.ssh
-      echo "#{public_key}" > /root/.ssh/id_rsa.pub
-      mkdir -p /etc/skel/.ssh
-      cp /root/.ssh/id_rsa.pub /etc/skel/.ssh/authorized_keys
-
-      echo "Installing packages"
-      apt-get update -qq >/dev/null
-      apt-get -qq -y --no-install-recommends install apt-transport-https
-
-      if command -v "$@" > /dev/null 2>&1; then
-        echo "Docker is already installed"
-      else
-        echo "Installing docker"
-        wget -nv -O - https://get.docker.com/ | sh
-
-        wget -qO- https://packagecloud.io/dokku/dokku/gpgkey | tee /etc/apt/trusted.gpg.d/dokku.asc
-        DISTRO="$(awk -F= '$1=="ID" { print tolower($2) ;}' /etc/os-release)"
-        OS_ID="$(awk -F= '$1=="VERSION_CODENAME" { print tolower($2) ;}' /etc/os-release)"
-        echo "deb https://packagecloud.io/dokku/dokku/${DISTRO}/ ${OS_ID} main" | tee /etc/apt/sources.list.d/dokku.list
-      fi
-
-      echo "Installing dokku"
-      apt-get update -qq >/dev/null
-      apt-get -qq -y install dokku
-
-      echo "Installing dependencies"
-      dokku plugin:install-dependencies --core
-
-      cat /root/.ssh/id_rsa.pub | dokku ssh-keys:add admin
-    SCRIPT
-
-    ssh_connection.exec! script, "InstallPackages"
-  end
-end

data/lib/anvil/server_installer/install_plugins.rb

@@ -1,14 +0,0 @@
-# frozen_string_literal: true
-
-class Anvil::ServerInstaller::InstallPlugins < Struct.new(:ssh_connection, :plugins)
-  def call
-    plugins.each do |name, config|
-      scripts = ["dokku plugin:install #{config["url"]} #{name}"]
-      plugin_config = config["config"] || []
-      scripts += plugin_config.collect do |cmd|
-        "dokku #{name}:#{cmd}"
-      end
-      ssh_connection.exec! scripts.join("\n"), "InstallPlugins"
-    end
-  end
-end

data/lib/anvil/server_installer/set_hostname.rb

@@ -1,12 +0,0 @@
-# frozen_string_literal: true
-
-class Anvil::ServerInstaller::SetHostname < Struct.new(:ssh_connection, :hostname)
-  def call
-    script = <<-SCRIPT
-      hostnamectl set-hostname #{hostname}
-      mkdir -p /etc/environment.d
-      echo "HOSTNAME=#{hostname}" > /etc/environment.d/99-hostname
-    SCRIPT
-    ssh_connection.exec! script, "SetHostname"
-  end
-end

data/lib/anvil/server_installer/set_timezone.rb

@@ -1,10 +0,0 @@
-# frozen_string_literal: true
-
-class Anvil::ServerInstaller::SetTimezone < Struct.new(:ssh_connection, :timezone)
-  def call
-    script = <<-SCRIPT
-    timedatectl set-timezone #{timezone}
-    SCRIPT
-    ssh_connection.exec! script, "SetTimezone"
-  end
-end

data/lib/anvil/server_installer.rb

@@ -1,66 +0,0 @@
-# frozen_string_literal: true
-
-require_relative "ssh_executor"
-require_relative "logger"
-
-# The server installer uses Net::SSH to connect to the server and then run the following steps:
-# - Sets the server hostname and timezone
-# - Installs various necessary packages, plus dokku itself
-# - Sets up the firewall
-# - Creates unix users for each app, adding them to the sudo and docker groups, and setting their authorized_keys files with the given public key
-# - Sets the dokku deployment branch to `main`
-# - Schedule a `docker system prune` once per week to clean up any dangling images or containers
-# - Configure nginx
-# - Install dokku plugins and run any configuration you have defined
-# - Disallows root and passwordless logins over SSH
-# You can specify a custom logger or SSH executor using the options hash.
-class Anvil::ServerInstaller < Struct.new(:hostname, :configuration, :private_key, :passphrase, :options)
-  require_relative "server_installer/set_hostname"
-  require_relative "server_installer/set_timezone"
-  require_relative "server_installer/install_packages"
-  require_relative "server_installer/create_user"
-  require_relative "server_installer/configure_dokku"
-  require_relative "server_installer/configure_docker"
-  require_relative "server_installer/install_plugins"
-  require_relative "server_installer/configure_firewall"
-  require_relative "server_installer/configure_ssh_server"
-
-  def call
-    ssh_executor.call do |ssh_connection|
-      logger.info "SetHostname"
-      Anvil::ServerInstaller::SetHostname.new(ssh_connection, hostname).call
-      logger.info "SetTimezone"
-      Anvil::ServerInstaller::SetTimezone.new(ssh_connection, server_configuration["timezone"]).call
-      logger.info "InstallPackages"
-      Anvil::ServerInstaller::InstallPackages.new(ssh_connection, server_configuration["public_key"]).call
-      logger.info "ConfigureDokku"
-      Anvil::ServerInstaller::ConfigureDokku.new(ssh_connection, hostname).call
-      logger.info "CreateUsers"
-      Anvil::ServerInstaller::CreateUser.new(ssh_connection, server_configuration["app_user"]).call
-      logger.info "InstallPlugins"
-      Anvil::ServerInstaller::InstallPlugins.new(ssh_connection, server_configuration["plugins"]).call
-      logger.info "ConfigureDocker"
-      Anvil::ServerInstaller::ConfigureDocker.new(ssh_connection).call
-      logger.info "ConfigureFirewall"
-      Anvil::ServerInstaller::ConfigureFirewall.new(ssh_connection, server_configuration["ports"]).call
-      logger.info "ConfigureSshServer"
-      Anvil::ServerInstaller::ConfigureSshServer.new(ssh_connection).call
-    end
-  end
-
-  def server_configuration
-    configuration["server"]
-  end
-
-  def options
-    super || {}
-  end
-
-  def logger
-    options[:logger].nil? ? Anvil::Logger.new(hostname) : options[:logger]
-  end
-
-  def ssh_executor
-    options[:ssh_executor].nil? ? Anvil::SshExecutor.new(hostname, server_configuration["install_user"], server_configuration["use_sudo"], logger) : options[:ssh_executor]
-  end
-end