From b106b621c094de8e9abc411e7f37ef0b9b4975b3 Mon Sep 17 00:00:00 2001 From: Maytastico Date: Tue, 3 Sep 2024 12:45:56 +0200 Subject: [PATCH 01/11] updated .gitignore --- server/.gitignore | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/server/.gitignore b/server/.gitignore index 06f443a..a31c622 100644 --- a/server/.gitignore +++ b/server/.gitignore @@ -1,5 +1,6 @@ key.txt -data +key* +data/* output.yaml letsencrypt secrets.dev.env From ad56dae601eb2304108788307a0c3299f9d91c01 Mon Sep 17 00:00:00 2001 From: Maytastico Date: Tue, 3 Sep 2024 12:46:26 +0200 Subject: [PATCH 02/11] added prod secrets --- server/secrets/.sops.yaml | 4 ++++ server/secrets/secrets.prod.enc.env | 18 ++++++++++++++++++ 2 files changed, 22 insertions(+) create mode 100644 server/secrets/secrets.prod.enc.env diff --git a/server/secrets/.sops.yaml b/server/secrets/.sops.yaml index b96f363..7b1857d 100644 --- a/server/secrets/.sops.yaml +++ b/server/secrets/.sops.yaml @@ -6,3 +6,7 @@ creation_rules: age: 'age1qtqxa0rutdhfs0kunh9nja3jg999qq3adjjs0r09j9l0apvym5psdh5vc6' - path_regex: \.dev\.enc\.env$ age: 'age1qtqxa0rutdhfs0kunh9nja3jg999qq3adjjs0r09j9l0apvym5psdh5vc6' + - path_regex: \.prod\.enc\.env$ + age: 'age1aqz8aep5w27jqx44avra77x6muz7a38n896wcaz9pc3xy2nsj4gst9n3vq' + - path_regex: \.prod\.env$ + age: 'age1aqz8aep5w27jqx44avra77x6muz7a38n896wcaz9pc3xy2nsj4gst9n3vq' \ No newline at end of file diff --git a/server/secrets/secrets.prod.enc.env b/server/secrets/secrets.prod.enc.env new file mode 100644 index 0000000..b8452b7 --- /dev/null +++ b/server/secrets/secrets.prod.enc.env 
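Review bot: The plaintext `secrets.prod.env` that `compose.prod.yaml` (PATCH 03) decrypts into `./secrets` is not in the ignore list this hunk produces, while its dev counterpart `secrets.dev.env` is; the hunk's context stops at `secrets.dev.env` and the file may continue past it, so confirm an entry exists or add `secrets.prod.env` next to it before the decrypt step is ever run in a checkout. `key*` without a leading slash does match `secrets/key.txt` in the subdirectory, but it also hides any unrelated file whose name starts with `key`; `secrets/key.txt` (or `key.txt` alone, which already stays in the list) is the more precise form.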
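Review bot: Both new prod rules encrypt to a single age recipient, so `secrets.prod.enc.env` can only ever be opened with that one private key and a lost or rotated key locks the file. The `age:` value accepts a comma-separated list, so a second, offline backup recipient can be added as `age: 'age1aqz8aep5w27jqx44avra77x6muz7a38n896wcaz9pc3xy2nsj4gst9n3vq,<BACKUP-RECIPIENT>'` (placeholder) without changing the workflow. sops uses the first `path_regex` that matches and the rule above the visible context (line 5 and earlier of the file) is not shown; if it is a catch-all, the prod file would match it first and be encrypted to that key rather than the prod one, so check the rule order.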
@@ -0,0 +1,18 @@ +INFLUXDB_DB=ENC[AES256_GCM,data:rdgw+qJZuENGDyHh+Q==,iv:+s1npBnDe0UNpbC005gJH0yLp/bdo8mGvO+kNrRjbRA=,tag:2uHBdLLmiKsgNZeDyAVB5Q==,type:str] +INFLUXDB_ADMIN_USER=ENC[AES256_GCM,data:h0O3cBs=,iv:7TevIsto+FATG2/0HwL+/GPobaBNQIMi5xOxHh+kb/g=,tag:SPFkPjDAU6aR5+0/anEXrA==,type:str] +INFLUXDB_ADMIN_PASSWORD=ENC[AES256_GCM,data:4mk+f8t0uGK8bGolsB/sQi3PZFvnJMt4vSf1g2KKfm8=,iv:InbuVsVZtZWY/x61zL7qt/FtVMmsRw8zK1sdLO0b7HY=,tag:o5/br2BrUbIRNWWZwTOGKg==,type:str] +INFLUXDB_USER=ENC[AES256_GCM,data:SOInyw==,iv:H48BFAKzTKhJHKyrP3xEQo/eXS9bknyquYwCLC0Jg/o=,tag:MGBuDzQqZysFavNPGVIyCQ==,type:str] +INFLUXDB_USER_PASSWORD=ENC[AES256_GCM,data:kYbbGR1F2IGi1OYHJ5Wj8qGNCfDIsdRgT8zRv6nuuqQ=,iv:gQnho+9lM66JXpysSzWW6NajUp/9CO2t3GqtvkdBhxA=,tag:CvOse9sUvJ4aYRbI4kY0ew==,type:str] +GF_SECURITY_ADMIN_USER=ENC[AES256_GCM,data:fzgqh5ZEGpO8YhVrBMhI8Q==,iv:YEkebrKf6QTGT4VwmGR6nAx57og2HY2I3hGWGKjeJJU=,tag:Wx4qfwHRUDxJLSozuWQDXg==,type:str] +GF_SECURITY_ADMIN_PASSWORD=ENC[AES256_GCM,data:x5ctuRIh7g3BDDwLeCuM+RdqJRTiKB/Z1i2GdJJZKd8=,iv:/q1upQ6kyN09wV0L40UtFKiHOnY7kL27Jsqfkd+6IP4=,tag:JJMteYAAHl8bsQfMfvLnRQ==,type:str] +GF_SECURITY_ALLOW_EMBEDDING=ENC[AES256_GCM,data:N9Oogg==,iv:3Y5CcSdbvUS4dKW9+x6MxTpcSPgClLv2eNldKgGB0l0=,tag:gH+RTvx1Tj9VzxCiqCgpjg==,type:str] +GF_INSTALL_PLUGINS= +REDIS_PASSWORD=ENC[AES256_GCM,data:QZ7Ar1A0AanO6Fu4u52tg+RRBHDczAJOLGPEI7e7OSgFayCSvg==,iv:JOaFl1b9W4trKbdjJq2kgmCHkaRYu6upbBzbXnIMk8c=,tag:q7Z0A2r4FiNpN/BiobqZzw==,type:str] +REDIS_PORT=ENC[AES256_GCM,data:XpOv2Q==,iv:kBz8EGbNlqZ0p3snySepEJIFV2nvIa99Ja8b/x6zwUg=,tag:vR+XAlkBRmOGqkkzqbh+Yg==,type:str] +REDIS_DATABASES=ENC[AES256_GCM,data:vk+5EKb+KAHmWnD+sDJIuZbpYHU=,iv:ahSMxBr2SBTfXnHj+NZ+X+/FQ12S85w9fvzlXntvSWQ=,tag:vJlqgz9+WY0yOvHScAAQNg==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJS1AvRmFqYkh6cko2Y1h3\nNlpSNzluOGVYcE1iRFZTUXZoR1k2UUdPYXhvCklRbFFsYUN0c3RRSjV4SWNyOW9X\nRTdNdjdSWU1YZThJSnU4c3V2bEYzMTgKLS0tIHZTZmxFQzRWRThYUWIvSWhXOVE5\neW5WbWZYN082Z2NNTm5BRUt1V21OelEKY7lauAeopE2tQDTGhAv8a5Ufy8jxVvXO\n7jMJU7cBwfmWGdHrlaFrGcbQUeHMlUux72BWDz9rPn8yKAbYpyrxJQ==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age1aqz8aep5w27jqx44avra77x6muz7a38n896wcaz9pc3xy2nsj4gst9n3vq +sops_lastmodified=2024-09-03T10:44:35Z +sops_mac=ENC[AES256_GCM,data:KV9F2EccHKSjKLOIrP21lwHbdS/9qdBXW+1ixV9JrOXvMvnxncdVpI5tvET6ooqBuEN+QtEvhVevZL4MNPpY/iAGvjmUysIDHdDwkeD4XaTbxotpKWj2ix8OdAe72ApcgzfoqwH6D6Q67EcndxQIiM5wpDMHQk6WI/YasI6kROM=,iv:JwArEEoUjKmv5Ir4VMUYKatuZrkt9feq3uytCv8Fops=,tag:CeOg/tLpBB2x5S0OlFMK0w==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.9.0 From f4375752e13bcbb7dd9299242c7630c6bc6c6ade Mon Sep 17 00:00:00 2001 From: Maytastico Date: Tue, 3 Sep 2024 13:32:41 +0200 Subject: [PATCH 03/11] #371-Hosting --- server/compose.prod.yaml | 97 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 server/compose.prod.yaml diff --git a/server/compose.prod.yaml b/server/compose.prod.yaml new file mode 100644 index 0000000..5de7151 --- /dev/null +++ b/server/compose.prod.yaml 
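Review bot: Non-secret settings (`REDIS_PORT`, `REDIS_DATABASES`, `GF_SECURITY_ALLOW_EMBEDDING`) are encrypted alongside the real credentials, while `GF_INSTALL_PLUGINS=` is left as an empty plaintext key, so a reviewer cannot see when a port or the embedding flag changes, only that some ciphertext changed. The `_unencrypted` key suffix that `sops_unencrypted_suffix` enables would rename the variable the container reads, so it is not an option for a dotenv file; move such values into the compose `environment:` sections and keep only passwords and tokens here.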
@@ -0,0 +1,97 @@ +version: '3.6' + +services: + + sops: + image: mozilla/sops:latest + volumes: + - "./secrets:/secrets" + environment: + SOPS_AGE_KEY_FILE: /secrets/key.txt + command: > + sh -c "sops --config /secrets/.sops.yaml --decrypt /secrets/secrets.prod.enc.env + > /secrets/secrets.prod.env && chmod 600 /secrets/secrets.prod.env" + + valentin: + build: + context: ./client/valentin + dockerfile: Dockerfile + restart: always + + python_app: + build: + context: ./deployment/ + dockerfile: Dockerfile + restart: always + links: + - influxdb + depends_on: + - influxdb + + influxdb: + restart: always + env_file: + - path: ./secrets/secrets.prod.env + required: false + volumes: + - /srv/blickbox/influx:/var/lib/influxdb + + grafana: + image: grafana/grafana:latest + container_name: grafana-server + restart: always + env_file: + - path: ./secrets/secrets.dev.env + required: false + links: + - influxdb + depends_on: + - influxdb + ports: + - "3000:3000" + volumes: + - /srv/blickbox/grafana_data:/var/lib/grafana + + reverse-proxy: + image: 'docker.io/jc21/nginx-proxy-manager:latest' + restart: unless-stopped + + ports: + # These ports are in format : + - '80:80' # Public HTTP Port + - '443:443' # Public HTTPS Port + - '81:81' # Admin Web Port + # Add any other Stream port you want to expose + # - '21:21' # FTP + + # Uncomment the next line if you uncomment anything in the section + # environment: + # Uncomment this if you want to change the location of + # the SQLite DB file within the container + # DB_SQLITE_FILE: "/data/database.sqlite" + + # Uncomment this if IPv6 is not enabled on your host + # DISABLE_IPV6: 'true' + + volumes: + - /srv/blickbox/data:/data + - /srv/blickbox/letsencrypt:/etc/letsencrypt + + redis: + image: redis:7-alpine + restart: always + ports: + - "6379:6379" + env_file: + - path: ./secrets/secrets.prod.env + required: false + command: ["redis-server", "--requirepass", "${REDIS_PASSWORD}" ] + + +volumes: + grafana_data: + influxdb_data: + data: 
+ letsencrypt: + + From c6961a6236575d21f252e5b6266cc107e66fea39 Mon Sep 17 00:00:00 2001 From: Maytastico Date: Tue, 3 Sep 2024 13:46:20 +0200 Subject: [PATCH 04/11] #371-Hosting --- server/compose.override.yaml | 108 +++++++++++++++++++++++++++++++++++ server/compose.prod.yaml | 2 + server/docker-compose.yaml | 32 ----------- 3 files changed, 110 insertions(+), 32 deletions(-) create mode 100644 server/compose.override.yaml diff --git a/server/compose.override.yaml b/server/compose.override.yaml new file mode 100644 index 0000000..58846c8 --- /dev/null +++ b/server/compose.override.yaml 
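Review bot: `${REDIS_PASSWORD}` in the redis `command` is expanded by Compose on the host (from the shell environment or a `.env` file) when the file is parsed, not from the service's `env_file`, so with nothing exported it becomes `--requirepass ""`, which leaves Redis without authentication while `6379:6379` publishes it on every host interface. Defer the expansion to the container, where the env_file is loaded, with `command: ["sh", "-c", 'exec redis-server --requirepass "$$REDIS_PASSWORD"']`; the same command is in `compose.override.yaml` (PATCH 04). Relatedly, `env_file` is read by Compose before any container runs and nothing orders influxdb, grafana or redis after the `sops` one-shot, so on a first `up` with no `secrets.prod.env` yet the `required: false` entries silently start those services without their credentials. Running the decrypt step before `docker compose up` and dropping `required: false` makes a missing secrets file a visible failure instead.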
@@ -0,0 +1,108 @@ +version: '3.6' + +services: + + sops: + image: mozilla/sops:latest + volumes: + - "./secrets:/secrets" + environment: + SOPS_AGE_KEY_FILE: /secrets/key.txt + command: > + sh -c "sops --config /secrets/.sops.yaml --decrypt /secrets/secrets.dev.enc.env + > /secrets/secrets.dev.env && chmod 600 /secrets/secrets.dev.env" + + valentin: + build: + context: ./client/valentin + dockerfile: Dockerfile + restart: always + + python_app: + build: + context: ./deployment/ + dockerfile: Dockerfile + restart: always + links: + - influxdb + depends_on: + - influxdb + + influxdb: + image: influxdb:1.8.10-alpine + container_name: influxdb + restart: always + env_file: + - path: ./secrets/secrets.dev.env + required: false + volumes: + - influxdb_data:/var/lib/influxdb + + grafana: + image: grafana/grafana:latest + container_name: grafana-server + restart: always + env_file: + - path: ./secrets/secrets.dev.env + required: false + links: + - influxdb + depends_on: + - influxdb + ports: + - "3000:3000" + volumes: + - grafana_data:/var/lib/grafana + + reverse-proxy: + image: 'docker.io/jc21/nginx-proxy-manager:latest' + restart: unless-stopped + + ports: + # These ports are in format : + - '80:80' # Public HTTP Port + - '443:443' # Public HTTPS Port + - '81:81' # Admin Web Port + # Add any other Stream port you want to expose + # - '21:21' # FTP + + # Uncomment the next line if you uncomment anything in the section + # environment: + # Uncomment this if you want to change the location of + # the SQLite DB file within the container + # DB_SQLITE_FILE: "/data/database.sqlite" + + # Uncomment this if IPv6 is not enabled on your host + # DISABLE_IPV6: 'true' + + volumes: + - ./data:/data + - ./letsencrypt:/etc/letsencrypt + + redis: + image: redis:7-alpine + restart: always + ports: + - "6379:6379" + env_file: + - path: ./secrets/secrets.dev.env + required: false + command: ["redis-server", "--requirepass", "${REDIS_PASSWORD}" ] + + redis-insight: + image: 
redis/redisinsight:latest + restart: always + ports: + - "5540:5540" + volumes: + - redis-insight:/data + + +volumes: + grafana_data: + influxdb_data: + data: + letsencrypt: + redis-insight: + + diff --git a/server/compose.prod.yaml b/server/compose.prod.yaml index 5de7151..19eb1ed 100644 --- a/server/compose.prod.yaml +++ b/server/compose.prod.yaml @@ -29,6 +29,8 @@ services: - influxdb influxdb: + image: influxdb:1.8.10-alpine + container_name: influxdb restart: always env_file: - path: ./secrets/secrets.prod.env diff --git a/server/docker-compose.yaml b/server/docker-compose.yaml index 58846c8..fe79d31 100644 --- a/server/docker-compose.yaml +++ b/server/docker-compose.yaml @@ -31,7 +31,6 @@ services: influxdb: image: influxdb:1.8.10-alpine container_name: influxdb - restart: always env_file: - path: ./secrets/secrets.dev.env required: false @@ -49,32 +48,12 @@ services: - influxdb depends_on: - influxdb - ports: - - "3000:3000" volumes: - grafana_data:/var/lib/grafana reverse-proxy: image: 'docker.io/jc21/nginx-proxy-manager:latest' restart: unless-stopped - - ports: - # These ports are in format : - - '80:80' # Public HTTP Port - - '443:443' # Public HTTPS Port - - '81:81' # Admin Web Port - # Add any other Stream port you want to expose - # - '21:21' # FTP - - # Uncomment the next line if you uncomment anything in the section - # environment: - # Uncomment this if you want to change the location of - # the SQLite DB file within the container - # DB_SQLITE_FILE: "/data/database.sqlite" - - # Uncomment this if IPv6 is not enabled on your host - # DISABLE_IPV6: 'true' - volumes: - ./data:/data - ./letsencrypt:/etc/letsencrypt 
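Review bot: Every published port in this file — `6379:6379` (redis), `5540:5540` (redis-insight), `81:81` (proxy admin), `3000:3000` (grafana) and 80/443 — binds to all host interfaces, so the development Redis and the RedisInsight UI, which carries no authentication configuration in this file, are reachable from the network rather than only from the developer's machine. Bind the local-only ones to loopback, e.g. `- "127.0.0.1:6379:6379"` and `- "127.0.0.1:5540:5540"`, and likewise `81:81`. `compose.prod.yaml` has the same `3000:3000`, and PATCH 08 adds `3001:80` and `3002:5000` there, although the README in PATCH 09 states those ports are forwarded to localhost; the `127.0.0.1:` prefix makes that statement true and keeps the host nginx (with its TLS and HSTS headers) the only public entry point.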
@@ -82,27 +61,16 @@ services: redis: image: redis:7-alpine restart: always - ports: - - "6379:6379" env_file: - path: ./secrets/secrets.dev.env required: false command: ["redis-server", "--requirepass", "${REDIS_PASSWORD}" ] - redis-insight: - image: redis/redisinsight:latest - restart: always - ports: - - "5540:5540" - volumes: - - redis-insight:/data - volumes: grafana_data: influxdb_data: data: letsencrypt: - redis-insight: From c0669f040fa9e10199156217a4fdb6a2957e08ad Mon Sep 17 00:00:00 2001 From: Maytastico Date: Tue, 3 Sep 2024 15:42:32 +0200 Subject: [PATCH 05/11] updated prod credentials --- server/secrets/secrets.prod.enc.env | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/server/secrets/secrets.prod.enc.env b/server/secrets/secrets.prod.enc.env index b8452b7..70b4b83 100644 --- a/server/secrets/secrets.prod.enc.env +++ b/server/secrets/secrets.prod.enc.env 
@@ -3,7 +3,7 @@ INFLUXDB_ADMIN_USER=ENC[AES256_GCM,data:h0O3cBs=,iv:7TevIsto+FATG2/0HwL+/GPobaBN INFLUXDB_ADMIN_PASSWORD=ENC[AES256_GCM,data:4mk+f8t0uGK8bGolsB/sQi3PZFvnJMt4vSf1g2KKfm8=,iv:InbuVsVZtZWY/x61zL7qt/FtVMmsRw8zK1sdLO0b7HY=,tag:o5/br2BrUbIRNWWZwTOGKg==,type:str] INFLUXDB_USER=ENC[AES256_GCM,data:SOInyw==,iv:H48BFAKzTKhJHKyrP3xEQo/eXS9bknyquYwCLC0Jg/o=,tag:MGBuDzQqZysFavNPGVIyCQ==,type:str] INFLUXDB_USER_PASSWORD=ENC[AES256_GCM,data:kYbbGR1F2IGi1OYHJ5Wj8qGNCfDIsdRgT8zRv6nuuqQ=,iv:gQnho+9lM66JXpysSzWW6NajUp/9CO2t3GqtvkdBhxA=,tag:CvOse9sUvJ4aYRbI4kY0ew==,type:str] -GF_SECURITY_ADMIN_USER=ENC[AES256_GCM,data:fzgqh5ZEGpO8YhVrBMhI8Q==,iv:YEkebrKf6QTGT4VwmGR6nAx57og2HY2I3hGWGKjeJJU=,tag:Wx4qfwHRUDxJLSozuWQDXg==,type:str] +GF_SECURITY_ADMIN_USER=ENC[AES256_GCM,data:E5W6oHPD88J1Kk4V/tAb,iv:qQ4VelF/zauJARH74NJ2n9JTkxnjZg+UnWxeQjCGkGI=,tag:Y8O9P54jNMOt6PF02lJlKQ==,type:str] GF_SECURITY_ADMIN_PASSWORD=ENC[AES256_GCM,data:x5ctuRIh7g3BDDwLeCuM+RdqJRTiKB/Z1i2GdJJZKd8=,iv:/q1upQ6kyN09wV0L40UtFKiHOnY7kL27Jsqfkd+6IP4=,tag:JJMteYAAHl8bsQfMfvLnRQ==,type:str] GF_SECURITY_ALLOW_EMBEDDING=ENC[AES256_GCM,data:N9Oogg==,iv:3Y5CcSdbvUS4dKW9+x6MxTpcSPgClLv2eNldKgGB0l0=,tag:gH+RTvx1Tj9VzxCiqCgpjg==,type:str] GF_INSTALL_PLUGINS= 
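Review bot: Changing `GF_SECURITY_ADMIN_USER` here only affects a Grafana instance whose database is created fresh: Grafana reads the `GF_SECURITY_ADMIN_*` variables when it initialises its database on first start and afterwards keeps the account in `/var/lib/grafana`, which `compose.prod.yaml` bind-mounts from `/srv/blickbox/grafana_data`, so an already-deployed instance keeps the previous user and password. If the intent was to retire the old credential, it also has to be changed through Grafana's own admin UI or API, or the volume reinitialised. The previous ciphertext stays in git history and the file's age data key was not rotated (the `sops_age__list_0__map_enc` stanza is unchanged), which is acceptable only as long as the age private key itself has not been exposed.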
@@ -12,7 +12,7 @@ REDIS_PORT=ENC[AES256_GCM,data:XpOv2Q==,iv:kBz8EGbNlqZ0p3snySepEJIFV2nvIa99Ja8b/ REDIS_DATABASES=ENC[AES256_GCM,data:vk+5EKb+KAHmWnD+sDJIuZbpYHU=,iv:ahSMxBr2SBTfXnHj+NZ+X+/FQ12S85w9fvzlXntvSWQ=,tag:vJlqgz9+WY0yOvHScAAQNg==,type:str] sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJS1AvRmFqYkh6cko2Y1h3\nNlpSNzluOGVYcE1iRFZTUXZoR1k2UUdPYXhvCklRbFFsYUN0c3RRSjV4SWNyOW9X\nRTdNdjdSWU1YZThJSnU4c3V2bEYzMTgKLS0tIHZTZmxFQzRWRThYUWIvSWhXOVE5\neW5WbWZYN082Z2NNTm5BRUt1V21OelEKY7lauAeopE2tQDTGhAv8a5Ufy8jxVvXO\n7jMJU7cBwfmWGdHrlaFrGcbQUeHMlUux72BWDz9rPn8yKAbYpyrxJQ==\n-----END AGE ENCRYPTED FILE-----\n sops_age__list_0__map_recipient=age1aqz8aep5w27jqx44avra77x6muz7a38n896wcaz9pc3xy2nsj4gst9n3vq -sops_lastmodified=2024-09-03T10:44:35Z -sops_mac=ENC[AES256_GCM,data:KV9F2EccHKSjKLOIrP21lwHbdS/9qdBXW+1ixV9JrOXvMvnxncdVpI5tvET6ooqBuEN+QtEvhVevZL4MNPpY/iAGvjmUysIDHdDwkeD4XaTbxotpKWj2ix8OdAe72ApcgzfoqwH6D6Q67EcndxQIiM5wpDMHQk6WI/YasI6kROM=,iv:JwArEEoUjKmv5Ir4VMUYKatuZrkt9feq3uytCv8Fops=,tag:CeOg/tLpBB2x5S0OlFMK0w==,type:str] +sops_lastmodified=2024-09-03T13:42:15Z +sops_mac=ENC[AES256_GCM,data:uBDyKRF5IFUN66tiByHjybA/KIvBssEEGHoo1nCmUT0tQUttxBomqKxCtIu3ARPQKlEvKhJMQhGEwqjp5dqf7nZVFGGkIzqDddo0u592y5qggEddrtryG1wx8i92M8aTq7iyW3ujuUEA3Uoj/xQqv8iWcEhEvH33WstuuUsuNIw=,iv:G9XsmMrg6d1hkqkRS/GcaDv34aoBJucg4JjteA/M0KA=,tag:zHtMYfHjmfN899dtvoqrVg==,type:str] sops_unencrypted_suffix=_unencrypted sops_version=3.9.0 From 469b64c7c4b1e5debec122eca0381164485868d6 Mon Sep 17 00:00:00 2001 From: Maytastico Date: Tue, 3 Sep 2024 16:31:05 +0200 Subject: [PATCH 06/11] secrets --- server/secrets/secrets.prod.enc.env | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/server/secrets/secrets.prod.enc.env b/server/secrets/secrets.prod.enc.env index 70b4b83..9875940 100644 --- a/server/secrets/secrets.prod.enc.env +++ b/server/secrets/secrets.prod.enc.env 
@@ -7,12 +7,13 @@ GF_SECURITY_ADMIN_USER=ENC[AES256_GCM,data:E5W6oHPD88J1Kk4V/tAb,iv:qQ4VelF/zauJA GF_SECURITY_ADMIN_PASSWORD=ENC[AES256_GCM,data:x5ctuRIh7g3BDDwLeCuM+RdqJRTiKB/Z1i2GdJJZKd8=,iv:/q1upQ6kyN09wV0L40UtFKiHOnY7kL27Jsqfkd+6IP4=,tag:JJMteYAAHl8bsQfMfvLnRQ==,type:str] GF_SECURITY_ALLOW_EMBEDDING=ENC[AES256_GCM,data:N9Oogg==,iv:3Y5CcSdbvUS4dKW9+x6MxTpcSPgClLv2eNldKgGB0l0=,tag:gH+RTvx1Tj9VzxCiqCgpjg==,type:str] GF_INSTALL_PLUGINS= +GF_SERVER_ROOT_URL=ENC[AES256_GCM,data:pHkYumXLnPjjklEDELHEY/e8z7DRxP7EqX2p1sQRePefUDpf3g==,iv:XGysh0WcCkTfxTmDCYTOSflUjKWVMXIYrPkHG+JaHlM=,tag:J0HDps04Ff1/8UwQ4fGzkA==,type:str] REDIS_PASSWORD=ENC[AES256_GCM,data:QZ7Ar1A0AanO6Fu4u52tg+RRBHDczAJOLGPEI7e7OSgFayCSvg==,iv:JOaFl1b9W4trKbdjJq2kgmCHkaRYu6upbBzbXnIMk8c=,tag:q7Z0A2r4FiNpN/BiobqZzw==,type:str] REDIS_PORT=ENC[AES256_GCM,data:XpOv2Q==,iv:kBz8EGbNlqZ0p3snySepEJIFV2nvIa99Ja8b/x6zwUg=,tag:vR+XAlkBRmOGqkkzqbh+Yg==,type:str] REDIS_DATABASES=ENC[AES256_GCM,data:vk+5EKb+KAHmWnD+sDJIuZbpYHU=,iv:ahSMxBr2SBTfXnHj+NZ+X+/FQ12S85w9fvzlXntvSWQ=,tag:vJlqgz9+WY0yOvHScAAQNg==,type:str] sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJS1AvRmFqYkh6cko2Y1h3\nNlpSNzluOGVYcE1iRFZTUXZoR1k2UUdPYXhvCklRbFFsYUN0c3RRSjV4SWNyOW9X\nRTdNdjdSWU1YZThJSnU4c3V2bEYzMTgKLS0tIHZTZmxFQzRWRThYUWIvSWhXOVE5\neW5WbWZYN082Z2NNTm5BRUt1V21OelEKY7lauAeopE2tQDTGhAv8a5Ufy8jxVvXO\n7jMJU7cBwfmWGdHrlaFrGcbQUeHMlUux72BWDz9rPn8yKAbYpyrxJQ==\n-----END AGE ENCRYPTED FILE-----\n sops_age__list_0__map_recipient=age1aqz8aep5w27jqx44avra77x6muz7a38n896wcaz9pc3xy2nsj4gst9n3vq -sops_lastmodified=2024-09-03T13:42:15Z -sops_mac=ENC[AES256_GCM,data:uBDyKRF5IFUN66tiByHjybA/KIvBssEEGHoo1nCmUT0tQUttxBomqKxCtIu3ARPQKlEvKhJMQhGEwqjp5dqf7nZVFGGkIzqDddo0u592y5qggEddrtryG1wx8i92M8aTq7iyW3ujuUEA3Uoj/xQqv8iWcEhEvH33WstuuUsuNIw=,iv:G9XsmMrg6d1hkqkRS/GcaDv34aoBJucg4JjteA/M0KA=,tag:zHtMYfHjmfN899dtvoqrVg==,type:str] +sops_lastmodified=2024-09-03T14:30:51Z 
+sops_mac=ENC[AES256_GCM,data:PWgn5blQK8oa3SVT7wd/fslE88na3uWZy7QBiGGdgoHr3fqSUb0BLREgJJf9kz5nr58El6BFKU/Y7EcMfIxZj24oBrCBPMc5+R5d5jNy3o5HHMRcdW8xv/6vFNQoc3/HOhh+v0/lxxvVQqKRegh/x/tjImSEmZXgzcX+jzTs3uo=,iv:RzDQKR7MUlEPdICuWQIFXIWL2QSbuwnqascX47n7QJo=,tag:6LXePzKtoHLTV1alnXF4YQ==,type:str] sops_unencrypted_suffix=_unencrypted sops_version=3.9.0 From 4f53b5fef3ea546272f2687e700eacefbdb58154 Mon Sep 17 00:00:00 2001 From: Maytastico Date: Tue, 3 Sep 2024 16:32:37 +0200 Subject: [PATCH 07/11] wrong secrets --- server/compose.prod.yaml | 37 ++++++------------------------------- 1 file changed, 6 insertions(+), 31 deletions(-) diff --git a/server/compose.prod.yaml b/server/compose.prod.yaml index 19eb1ed..d94c9a9 100644 --- a/server/compose.prod.yaml +++ b/server/compose.prod.yaml @@ -4,14 +4,16 @@ services: sops: image: mozilla/sops:latest + user: "${UID}:${GID}" volumes: - "./secrets:/secrets" environment: - SOPS_AGE_KEY_FILE: /secrets/key.txt + - SOPS_AGE_KEY_FILE=/secrets/key.txt command: > sh -c "sops --config /secrets/.sops.yaml --decrypt /secrets/secrets.prod.enc.env > /secrets/secrets.prod.env && chmod 600 /secrets/secrets.prod.env" + valentin: build: context: ./client/valentin @@ -36,14 +38,14 @@ services: - path: ./secrets/secrets.prod.env required: false volumes: - - /srv/blickbox/influx:/var/lib/influxdb + - /srv/blickbox/influx:/var/lib/influxdb:uid=1000,gid=1000 grafana: image: grafana/grafana:latest container_name: grafana-server restart: always env_file: - - path: ./secrets/secrets.dev.env + - path: ./secrets/secrets.prod.env required: false links: - influxdb 
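Review bot: `user: "${UID}:${GID}"` is resolved by Compose from the host environment, and in bash `UID` is a shell variable that is not exported while `GID` is often not set at all, so unless both are exported or placed in a `.env` file the value collapses to `:` and I expect Docker to reject the `sops` service rather than run it as the deployment user. Either export them before `docker compose up`, put `UID=1000` / `GID=1000` (constructed example) in `server/.env`, or pin the deployment user explicitly with `user: "1000:1000"`, which matches the uid/gid the influxdb mount two hunks later assumes. The switch of `environment` to list form is fine; the added blank line before `valentin:` is noise.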
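Review bot: `/srv/blickbox/influx:/var/lib/influxdb:uid=1000,gid=1000` uses the short volume syntax, whose third field as far as I know accepts only access-mode and SELinux/consistency flags (`ro`, `rw`, `z`, `Z`, `nocopy`, ...), not `uid=`/`gid=`; a bind mount keeps the host directory's ownership regardless, so this line is either rejected at validation or silently ignored. The effective fix is on the host, `chown -R 1000:1000 /srv/blickbox/influx`, which is the same ownership problem the README's `chmod g+w grafana_data/` troubleshooting step in PATCH 09 works around for Grafana. The grafana `env_file` correction from `secrets.dev.env` to `secrets.prod.env` in this hunk is the right fix for the commit's "wrong secrets".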
@@ -52,38 +54,11 @@ services: ports: - "3000:3000" volumes: - - /srv/blickbox/grafana_data:/var/lib/grafana - - reverse-proxy: - image: 'docker.io/jc21/nginx-proxy-manager:latest' - restart: unless-stopped - - ports: - # These ports are in format : - - '80:80' # Public HTTP Port - - '443:443' # Public HTTPS Port - - '81:81' # Admin Web Port - # Add any other Stream port you want to expose - # - '21:21' # FTP - - # Uncomment the next line if you uncomment anything in the section - # environment: - # Uncomment this if you want to change the location of - # the SQLite DB file within the container - # DB_SQLITE_FILE: "/data/database.sqlite" - - # Uncomment this if IPv6 is not enabled on your host - # DISABLE_IPV6: 'true' - - volumes: - - /srv/blickbox/data:/data - - /srv/blickbox/letsencrypt:/etc/letsencrypt + - /srv/blickbox/grafana_data:/var/lib/grafana:rw redis: image: redis:7-alpine restart: always - ports: - - "6379:6379" env_file: - path: ./secrets/secrets.prod.env required: false From 539315117868f7dce9c4a75e52f57ecb94c06be1 Mon Sep 17 00:00:00 2001 From: Maytastico Date: Tue, 3 Sep 2024 16:34:37 +0200 Subject: [PATCH 08/11] wrong secrets --- server/compose.prod.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/server/compose.prod.yaml b/server/compose.prod.yaml index d94c9a9..ce98737 100644 --- a/server/compose.prod.yaml +++ b/server/compose.prod.yaml @@ -14,7 +14,9 @@ services: > /secrets/secrets.prod.env && chmod 600 /secrets/secrets.prod.env" - valentin: + valentin: + ports: + - "3001:80" build: context: ./client/valentin dockerfile: Dockerfile @@ -25,6 +27,8 @@ services: context: ./deployment/ dockerfile: Dockerfile restart: always + ports: + - "3002:5000" links: - influxdb depends_on: From d9e160a3ba021cc199914d2867baf80ee0d2fbbf Mon Sep 17 00:00:00 2001 
From: Maytastico Date: Tue, 3 Sep 2024 17:36:43 +0200 Subject: [PATCH 09/11] #371-Hosting --- server/README.md | 97 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) diff --git a/server/README.md b/server/README.md index 5cba971..9d24da4 100644 --- a/server/README.md +++ b/server/README.md 
@@ -51,3 +51,100 @@ docker-compose build valentin docker-compose up -d valentin docker-compose restart valentin ``` + +# Deployment auf Prod ohne nginx proxy manager + +1. Erstelle in /srv und /opt einen Ordner + - Das Deployment ``compose.prod.yml`` nutzt den Ordner /srv/blickbox für die Anwendungsdaten (volumes) +2. In /opt wird das Repository geladen +3. In /srv werden die Anwendungsdaten, die bei der Ausführung entstehen gespeichert +4. Die Ports der Anwendungen werden auf localhost weitergeleitet: + * Port 3000 -> Grafana + * Port 3001 -> Valentin + * Port 3002 -> API +5. Für die Service sind folgende Routen vorgesehen + * https://blickbox.maytastix.de -> Valentin + * https://blickbox.maytastix.de/api -> API + * https://blickbox.maytastix.de/grafana -> Grafana +6. Konfigurieren des Reverse Proxies +Das Deployment nutzt einen auf dem Server laufenden Nginx Reverse Proxy welcher mit der Datei blickbox.maytastix.de konfiguriert wurde +* Erstelle die Datei blickbox.maytastix.de mit folgenden Inhalt +```json +server { + listen 80; + listen [::]:80; + root /var/www/blickbox.maytastix.de; + index index.html; + server_name blickbox.maytastix.de; +} +``` +* Erstelle einen Symbolic Link um die Konfiguration nginx bekannt zu machen +``ln -s /etc/nginx/sites-available/blickbox.maytastix.de /etc/nginx/sites-enabled/`` +* Rufe certbot auf und erstelle ein Zertifikat für blickbox.maytastix.de +* Füge anschließend folgenden Inhalt unter die Zeilen ein. 
+ +``` +root /var/www/blickbox.maytastix.de; +index index.html; +server_name blickbox.maytastix.de; +``` + +```json + location / { + proxy_pass http://localhost:3001/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + client_max_body_size 0; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; + + access_log /var/log/nginx/valentin.access.log; + error_log /var/log/nginx/valentin.error.log; + } + + location /api/ { + proxy_pass http://localhost:3002/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + client_max_body_size 0; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; + + access_log /var/log/nginx/api.access.log; + error_log /var/log/nginx/api.error.log; + } + + location /grafana/ { + proxy_pass http://localhost:3000/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + client_max_body_size 0; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; + + access_log /var/log/nginx/graphana.access.log; + error_log /var/log/nginx/graphana.error.log; + } +``` + +* Vergleich die Datei /server/prod/blickbox.maytastix.de mit deiner Konfiguration +* Reloade nginx ``systemctl reload nginx`` +8. 
Deine Services solltem über folgende Links erreichbar sein + * https://blickbox.maytastix.de -> Valentin + * https://blickbox.maytastix.de/api -> API + * https://blickbox.maytastix.de/grafana -> Grafana + +## Troubleshooting + +Auf dem verwendeten Server wurde für /srv/blickbox/graphana_data keine schreibberechtigung gesetzt um das zu fixen muss für die Gruppe das w-flag +gesetzt werden. + +```bash +chmod g+w grafana_data/ +``` \ No newline at end of file From edd7e11a56f0139e12a613751ff17130a7864c65 Mon Sep 17 00:00:00 2001 From: Maytastico Date: Tue, 3 Sep 2024 17:53:57 +0200 Subject: [PATCH 10/11] #383-Readme --- server/README.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/server/README.md b/server/README.md index 9d24da4..cc07c54 100644 --- a/server/README.md +++ b/server/README.md 
@@ -17,6 +17,34 @@ Deine Subdomain kannst du selber wählen in unserem Setup nutzen wir 6. Beachte, dass du eventuell eine Weiterleitung in deinen Subdomain Einstellung deines Hosters treffen musst. Eventuell muss ein A und AAAA Record mit der IP Adresse deines Servers gesetzt werden. +# Development Journey + +## Ändern des Docker Deployments + +Schreibe deine Änderungen, die für die Developement Umgebung gedacht sind in +``compose.override.yaml``. Diese Datei wird mit docker-compose.yaml bei ``docker compose up`` gemergt. + +``docker-compose.yaml`` dient als Basisdatei und sollte eher nicht geändert werden, da sich das auf die prod Umgebung auswirkt. Änderungen die für Prod als auch Dev gedacht sind können hier gemacht werden. + +Schließt sich prod oder dev aus müssen die Änderungen entweder in ``compose.override.yaml`` (für dev) oder +in ``compose.prod.yaml`` (für prod) gemacht werden. + +## Credentials + +Für Prod und Dev werden andere Keys verwendet. Alle Entwickler*innen sollten einen Schlüssel für die Dev Credentials haben. Um neue Secrets hinzuzufügen wird ![sops](https://github.com/getsops/sops) auf dem Entwicklungs-PC benötigt. + +Um die Datei zu bearbeiten muss folgende Umgebungsvariable gesetzt werden. +Diese zeigt auf den Schlüssel, der für die Verschlüsselung der secret Datei verwendet wurde. + +```bash +SOPS_AGE_KEY_FILE: /secrets/key.txt +``` + +Mit ``sops edit secrets.dev.enc.env`` kann die Datei bearbeitet werden. +Nach dem Speichern und schließen der Datei wird diese wieder verschlüsselt. + +Das Docker Deployment ersetzt die entschlüsselte Datei nach jedem Start, sodass Änderungen in dieser nicht übernommen werden. + # Ausführen Mit Build: 
@@ -56,6 +84,8 @@ docker-compose restart valentin 1. Erstelle in /srv und /opt einen Ordner - Das Deployment ``compose.prod.yml`` nutzt den Ordner /srv/blickbox für die Anwendungsdaten (volumes) + - Um das Prod Deployment zu starten führe folgendes Kommando aus + ``docker compose -f compose.prod.yaml up`` 2. In /opt wird das Repository geladen 3. In /srv werden die Anwendungsdaten, die bei der Ausführung entstehen gespeichert 4. Die Ports der Anwendungen werden auf localhost weitergeleitet: From 881e08732486140561ce4f71e2e183e21efea83e Mon Sep 17 00:00:00 2001 From: Maytastico Date: Thu, 5 Sep 2024 10:26:57 +0200 Subject: [PATCH 11/11] added email credentials --- server/secrets/secrets.dev.enc.env | 7 +++++-- server/secrets/secrets.prod.enc.env | 7 +++++-- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/server/secrets/secrets.dev.enc.env b/server/secrets/secrets.dev.enc.env index 497f752..6f11812 100644 --- a/server/secrets/secrets.dev.enc.env +++ b/server/secrets/secrets.dev.enc.env 
@@ -10,9 +10,12 @@ GF_INSTALL_PLUGINS= REDIS_PASSWORD=ENC[AES256_GCM,data:JgzKPENvrh8aqjgbrA5wJeEgLtQkapVdakEsY976MCw=,iv:ek4V+EuK7oqRw06oQ3xCkm64R5fjUlFR6JB5Ox2Vf28=,tag:AWZWhHvv/wwHc93sELZu5A==,type:str] REDIS_PORT=ENC[AES256_GCM,data:ZV9Daw==,iv:p/apu1USX4jU3sYHPSH1N/PVBCJC4h5NFQjrPeIb1N4=,tag:oirrgH5LKcnYgWa+TsW5cA==,type:str] REDIS_DATABASES=ENC[AES256_GCM,data:qmtZHEoHbxWacYYdKbc7pAY800I=,iv:9s1TN4EtqrcMF3dUC492CnqUL6kE18pD87cCleLP0s8=,tag:Ug3QT/nl3lG9FZKFCJ9mOw==,type:str] +EMAIL_SMTP_SERVER=ENC[AES256_GCM,data:fKv3w+CrMf6krCCwOJ8=,iv:cNg5vuHJBb2Jj5GI1TRZ1KJ4IeorsBQJR5NNGB/S9eE=,tag:oF88j+BqHjgBZ7DnTSXVJA==,type:str] +EMAIL_SMTP_PORT=ENC[AES256_GCM,data:c6qj,iv:g1rg8R2wzLviQ3YTwmyOnmGArkn7GVvtg/rKtTddO1w=,tag:ki8fAAaPMldeo/MkmVyWGw==,type:str] +EMAIL_SMTP_PASSWORD=ENC[AES256_GCM,data:Fe//Zydi4/45vmYR+UhdkMh3UeHwuUJNxHAExQf5,iv:JdPoeb6z63J9X+SltminnTp5wV3MW4CzYiKrpIK73yo=,tag:BS3MQu/0Wyhj/hiqqM+HOQ==,type:str] sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWODBxVkpZM0tQVG9od2o0\nclhoaU1MNS9aUDdMVnFUOTU3dWxqRXRpM0RnCjNYSStvaEtHcEVkL2RwclBMNk13\nZVc3cldrSmQ1aXFLVnkrbERTOUt2NWcKLS0tIDhGVGdCNUZLZHFFTDNaUW9UTnUz\nVm1hWEsrVndGdWpRY0I1bFVOZmd6eFEKRkK4S6gHdVD4GCWp1RqgDd0qOQjtE45G\nFbPsNzlk1dBR79QL7TDXcVAWtNcxZQcU+jlMegkDDyWUYNqfg0io6w==\n-----END AGE ENCRYPTED FILE-----\n sops_age__list_0__map_recipient=age1qtqxa0rutdhfs0kunh9nja3jg999qq3adjjs0r09j9l0apvym5psdh5vc6 -sops_lastmodified=2024-09-02T13:28:34Z -sops_mac=ENC[AES256_GCM,data:6QWHaoXNNO43krFhyEvNBUqLf/4wxMzqRguBGX1xpUJHvbqOUOJVE9/iZ/adpTogEqJWHB9uNCWRzv/y6pTZWh+u9zacu2bLW7KoBc12WppzU5kp5Q9w17aWvs9w+iWYtK1ieYnPdTx2XdNpCyQEaBriKoHm1sBONhtXkjibFvQ=,iv:RP8phXbr9HodFn+tXvXzUheCesmKMnT9I/jsdqMVrl0=,tag:nxOk5cDUyfO1SG9cOjgGGg==,type:str] +sops_lastmodified=2024-09-05T08:26:15Z 
+sops_mac=ENC[AES256_GCM,data:tm/PCnLWq17sp29Nko5rYLjD7N4BnvW0KSlRqN7lXeopwJpUWjh1VixE6sDvHt67xKfdM3quDgWoXbWoJJ8t+5WQwaCh7UlvxKsasewkamyWRK19Oj4GlSxkzmRYo9lrk6pQoS1Ii7TZi3H6GOtgAo6nUNftrykl17oeFXF7iVI=,iv:DXcaw+5wOreaFX3OBAQf2qleD/0S82Y5u76jWHJeICU=,tag:u8/aKuSIsPhZzRCGv+FRYw==,type:str] sops_unencrypted_suffix=_unencrypted sops_version=3.9.0 diff --git a/server/secrets/secrets.prod.enc.env b/server/secrets/secrets.prod.enc.env index 9875940..8245410 100644 --- a/server/secrets/secrets.prod.enc.env +++ b/server/secrets/secrets.prod.enc.env 
@@ -11,9 +11,12 @@ GF_SERVER_ROOT_URL=ENC[AES256_GCM,data:pHkYumXLnPjjklEDELHEY/e8z7DRxP7EqX2p1sQRe REDIS_PASSWORD=ENC[AES256_GCM,data:QZ7Ar1A0AanO6Fu4u52tg+RRBHDczAJOLGPEI7e7OSgFayCSvg==,iv:JOaFl1b9W4trKbdjJq2kgmCHkaRYu6upbBzbXnIMk8c=,tag:q7Z0A2r4FiNpN/BiobqZzw==,type:str] REDIS_PORT=ENC[AES256_GCM,data:XpOv2Q==,iv:kBz8EGbNlqZ0p3snySepEJIFV2nvIa99Ja8b/x6zwUg=,tag:vR+XAlkBRmOGqkkzqbh+Yg==,type:str] REDIS_DATABASES=ENC[AES256_GCM,data:vk+5EKb+KAHmWnD+sDJIuZbpYHU=,iv:ahSMxBr2SBTfXnHj+NZ+X+/FQ12S85w9fvzlXntvSWQ=,tag:vJlqgz9+WY0yOvHScAAQNg==,type:str] +EMAIL_SMTP_SERVER=ENC[AES256_GCM,data:/64srVgeGQjB60UbgHo=,iv:ZkLi4TxZRw3+/VQlSjkAjq5WZOcjLtuu00WbQrs95HE=,tag:eTZPN+xPrjhwudbD3IHXqg==,type:str] +EMAIL_SMTP_PORT=ENC[AES256_GCM,data:Nikg,iv:BslUryVKESLqt9QE6DpXDKSIDaW/TaIdpDE5PkUlfbE=,tag:i/Gnzc+iX2CUrjv1r79tNQ==,type:str] +EMAIL_SMTP_PASSWORD=ENC[AES256_GCM,data:6dhq4NjHDbC9kXz0IsujkMmpg33FyowKVNHl5oR5,iv:CRpLhSGXSrEjJMgTrISBYzp//NKIk0XY80Z01VGj8ww=,tag:4xF6Zfemb9Bm4e1Iioe6vw==,type:str] sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJS1AvRmFqYkh6cko2Y1h3\nNlpSNzluOGVYcE1iRFZTUXZoR1k2UUdPYXhvCklRbFFsYUN0c3RRSjV4SWNyOW9X\nRTdNdjdSWU1YZThJSnU4c3V2bEYzMTgKLS0tIHZTZmxFQzRWRThYUWIvSWhXOVE5\neW5WbWZYN082Z2NNTm5BRUt1V21OelEKY7lauAeopE2tQDTGhAv8a5Ufy8jxVvXO\n7jMJU7cBwfmWGdHrlaFrGcbQUeHMlUux72BWDz9rPn8yKAbYpyrxJQ==\n-----END AGE ENCRYPTED FILE-----\n sops_age__list_0__map_recipient=age1aqz8aep5w27jqx44avra77x6muz7a38n896wcaz9pc3xy2nsj4gst9n3vq -sops_lastmodified=2024-09-03T14:30:51Z -sops_mac=ENC[AES256_GCM,data:PWgn5blQK8oa3SVT7wd/fslE88na3uWZy7QBiGGdgoHr3fqSUb0BLREgJJf9kz5nr58El6BFKU/Y7EcMfIxZj24oBrCBPMc5+R5d5jNy3o5HHMRcdW8xv/6vFNQoc3/HOhh+v0/lxxvVQqKRegh/x/tjImSEmZXgzcX+jzTs3uo=,iv:RzDQKR7MUlEPdICuWQIFXIWL2QSbuwnqascX47n7QJo=,tag:6LXePzKtoHLTV1alnXF4YQ==,type:str] +sops_lastmodified=2024-09-05T08:26:30Z 
+sops_mac=ENC[AES256_GCM,data:G+LV7LOb/AAu9KDJivRVzJf7U8LLVVb58Qd4hfXXFO9alvcvV9YxARK9pIxWHLnJxV0pLwFQDfTRbMWCL9ZpwLOqMyMkurxv5Patm9qCX1U3uF5OU9S7OSSntg0V+cRBZdMhu1h3RkAYyf8iZCVbpgt/liOWZACtunOjZTvoRpg=,iv:bpR+tXMKNwiXOREjhxJgzKKhzCRlMzYEwPGgyRqBS6k=,tag:f75/OxRDisB/olia9PB7Yg==,type:str] sops_unencrypted_suffix=_unencrypted sops_version=3.9.0