move to another server

Dockerfile.app

@@ -10,12 +10,11 @@ COPY instalinks/instalinks/requirements.txt /app/
 
 # Install dependencies
 RUN pip install --no-cache-dir -r requirements.txt && \
-    apt update && apt install -y nginx uwsgi which gcc
+    apt update && apt install -y uwsgi which gcc vim telnet curl lsof
 
 # Copy the rest of the source code
 COPY instalinks/ /app/
 COPY static /app/static
-COPY nginx/etc/nginx/ /etc/nginx/
 COPY running.sh /app/
 COPY manage.py /app/
 
@@ -24,8 +23,7 @@ ENV PYTHONUNBUFFERED 1
 ENV DJANGO_SETTINGS_MODULE settings
 
 # Expose the port Django runs on
-# EXPOSE 8000
+EXPOSE 8000
-EXPOSE 8080
 
 # Default command: run the Django dev server
 CMD /app/running.sh

ansible/playbooks/hosts

@@ -1,2 +1,2 @@
 [gitea]
-vds
+myinstalink

ansible/playbooks/roles/certificates/tasks/main.yml

@@ -0,0 +1,6 @@
+---
+- name: install certbot
+  apt:
+    name: certbot
+    state: present
+    update_cache: true

ansible/playbooks/roles/gitea/tasks/main.yml

@@ -30,13 +30,17 @@
       - "5433:5432"
     networks:
       - name: "app-net"
+  tags:
+    - never
 
 - name: create gitea container
   community.docker.docker_container:
     name: gitea-server
     image: "docker.gitea.com/gitea:{{ gitea_version }}"
-    env_file: /home/kreamond/instalinks/.env_gitea_server
     restart_policy: always
+    env:
+      GITEA__server__DOMAIN: "gitea.myinstalink.ru"
+      GITEA__server__ROOT_URL: "https://gitea.myinstalink.ru/"
     volumes:
       - /srv/gitea/data:/var/lib/gitea
       - /srv/gitea/config:/etc/gitea
@@ -47,3 +51,60 @@
       - "2222:2222"
     networks:
       - name: "app-net"
+    exposed_ports:
+      - 2222
+      - 3000
+
+- name: create registry container
+  community.docker.docker_container:
+    name: registry
+    image: "registry:2"
+    restart_policy: always
+    env:
+      REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: "/var/lib/registry"
+    volumes:
+      - /srv/registry:/var/lib/registry
+    ports:
+      - "5000:5000"
+    networks:
+      - name: "app-net"
+
+- name: create drone-server container
+  community.docker.docker_container:
+    name: drone-server
+    image: "drone/drone:2"
+    restart_policy: always
+    # DRONE_USER_CREATE, DRONE_GITEA_CLIENT_ID, DRONE_GITEA_CLIENT_SECRET,
+    # DRONE_RPC_SECRET are defined in env_file
+    env_file: /home/kreamond/instalink/.env_drone_server
+    env:
+      DRONE_GITEA_SERVER: "https://gitea.myinstalink.ru"
+      DRONE_SERVER_HOST: "drone.myinstalink.ru"
+      DRONE_SERVER_PROTO: "https"
+    volumes:
+      - /srv/drone:/data
+    ports:
+      - "8081:80"
+      - "444:443"
+    networks:
+      - name: "app-net"
+    exposed_ports:
+      - 8081
+      - 444
+
+- name: create drone-runner container
+  community.docker.docker_container:
+    name: drone-runner
+    image: "drone/drone-runner-docker:1"
+    # DRONE_RPC_SECRET is defined in env_file
+    env_file: /home/kreamond/instalink/.env_runner_server
+    env:
+      DRONE_RPC_PROTO: "https"
+      DRONE_RPC_HOST: "drone.myinstalink.ru"
+      DRONE_RUNNER_CAPACITY: "2"
+      DRONE_RUNNER_NAME: "runner"
+    restart_policy: always
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    networks:
+      - name: "app-net"

ansible/playbooks/roles/nginx/files/drone.myinstalink.ru

@@ -0,0 +1,26 @@
+server {
+    listen 80;
+    server_name drone.myinstalink.ru;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl;
+    server_name drone.myinstalink.ru;
+
+    ssl_certificate /etc/letsencrypt/live/myinstalink.ru/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/myinstalink.ru/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+    access_log  /var/log/nginx/drone.myinstalink.ru-access.log;
+    error_log /var/log/nginx/drone.myinstalink.ru-error.log;
+
+    location / {
+        proxy_pass http://127.0.0.1:8081;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}

ansible/playbooks/roles/nginx/files/gitea.myinstalink.ru

@@ -0,0 +1,26 @@
+server {
+    listen 80;
+    server_name gitea.myinstalink.ru;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl;
+    server_name gitea.myinstalink.ru;
+
+    ssl_certificate /etc/letsencrypt/live/myinstalink.ru/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/myinstalink.ru/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+    access_log  /var/log/nginx/gitea.myinstalink.ru-access.log;
+    error_log /var/log/nginx/gitea.myinstalink.ru-error.log;
+
+    location / {
+        proxy_pass http://127.0.0.1:3000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}

ansible/playbooks/roles/nginx/files/myinstalink.ru

@@ -0,0 +1,31 @@
+server {
+    listen 80;
+    server_name myinstalink.ru;
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name myinstalink.ru;
+
+    ssl_certificate /etc/letsencrypt/live/myinstalink.ru/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/myinstalink.ru/privkey.pem;
+
+    access_log  /var/log/nginx/myinstalink.ru-access.log;
+    error_log /var/log/nginx/myinstalink.ru-error.log;
+
+    location /static/ {
+        alias /staticFiles/;
+    }
+
+    location / {
+        proxy_pass http://127.0.0.1:8000;
+	    proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}

ansible/playbooks/roles/nginx/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: restart nginx
+  systemd_service:
+    name: nginx
+    state: restarted
+    daemon_reload: true

ansible/playbooks/roles/nginx/tasks/main.yml

@@ -0,0 +1,26 @@
+---
+- name: install nginx
+  apt:
+    name: nginx
+    state: present
+    update_cache: true
+
+- name: copy nginx sites configs
+  copy:
+    src: "../files/{{ item }}"
+    dest: "/etc/nginx/sites-available/{{ item }}"
+  with_items:
+    - "myinstalink.ru"
+    - "gitea.myinstalink.ru"
+    - "drone.myinstalink.ru"
+
+- name: create link
+  file:
+    src: "/etc/nginx/sites-available/{{ item }}"
+    dest: "/etc/nginx/sites-enabled/{{ item }}"
+    state: link
+  with_items:
+    - "myinstalink.ru"
+    - "gitea.myinstalink.ru"
+    - "drone.myinstalink.ru"
+  notify: restart nginx

ansible/playbooks/roles/packages/tasks/main.yml

@@ -0,0 +1,37 @@
+---
+- name: Install required system packages
+  apt:
+    pkg:
+      - apt-transport-https
+      - ca-certificates
+      - curl
+      - software-properties-common
+      - python3-pip
+      - virtualenv
+      - python3-setuptools
+      - python3-certbot-nginx
+    state: latest
+    update_cache: true
+
+- block:
+    - name: Add Docker GPG apt Key
+      apt_key:
+        url: https://download.docker.com/linux/ubuntu/gpg
+        state: present
+
+    - name: Add Docker Repository
+      apt_repository:
+        repo: deb https://download.docker.com/linux/ubuntu jammy stable
+        state: present
+
+    - name: Update apt and install docker-ce
+      apt:
+        name: docker-ce
+        state: latest
+        update_cache: true
+
+    - name: Install Docker Module for Python
+      pip:
+        name: docker
+  tags:
+    - docker

ansible/playbooks/setup.yml

@@ -0,0 +1,6 @@
+---
+- hosts: gitea
+  become: true
+  roles:
+    - packages
+    - nginx

command

@@ -9,13 +9,14 @@ docker run --rm --network app-net \
 
 docker run --rm --network app-net -v /Users/o.vodianov/Documents/database:/bitnami/postgresql/data/ --name instagram_links_db -p 5432:5432 --env-file .env -dt instagram_links_db:0.0.1 
 
-docker build --platform linux/amd64 -t instagram_links_app:0.0.1 -f Dockerfile.app .
+docker build --platform linux/amd64 -t instagram_links_app_0.0.1 -f Dockerfile.app .
 docker run --rm  --network app-net --name instagram_links_app \
 -v /srv/ssl/certs/nginx-selfsigned.crt:/etc/ssl/certs/nginx-selfsigned.crt \
 -v /srv/ssl/private/nginx-selfsigned.key:/etc/ssl/private/nginx-selfsigned.key \
 -v /etc/ssl/certs/dhparam.pem:/etc/ssl/certs/dhparam.pem \
 -v /etc/letsencrypt:/etc/letsencrypt \
- -p 8080:8080 -p 443:443 --env-file .env -dt instagram_links_app:0.0.2 
+-v /staticFiles:/staticFiles \
+ -p 8000:8000 --env-file .env -dt instagram_links_app:0.0.2 
 
 
 pip install gunicorn

nginx/etc/nginx/sites-available/default

@@ -1,26 +0,0 @@
-server {
-    listen 8080 default_server;
-    listen [::]:8080 default_server;
-    server_name myinstalink.ru;
-    return 302 https://$server_name$request_uri;
-}
-
-server {
-    listen 443 ssl http2 default_server;
-    listen [::]:443 ssl http2 default_server;
-    ssl_certificate /etc/letsencrypt/live/myinstalink.ru/fullchain.pem
-    ssl_certificate_key /etc/letsencrypt/live/myinstalink.ru/privkey.pem
-
-    access_log  /var/log/nginx/instalinks-acces.log;
-    error_log /var/log/nginx/instalinks-error.log;
-
-    location /static/ {
-        alias /staticFiles/;
-    }
-
-    location / {
-        proxy_pass http://127.0.0.1:8000;
-        proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    }
-  }

nginx/etc/nginx/snippets/self-signed.conf

@@ -1,2 +0,0 @@
-ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
-ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

nginx/etc/nginx/snippets/ssl-params.conf

@@ -1,21 +0,0 @@
-# from https://cipherli.st/
-# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
-
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_prefer_server_ciphers on;
-ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
-ssl_ecdh_curve secp384r1;
-ssl_session_cache shared:SSL:10m;
-ssl_session_tickets off;
-ssl_stapling on;
-ssl_stapling_verify on;
-resolver 8.8.8.8 8.8.4.4 valid=300s;
-resolver_timeout 5s;
-# Disable preloading HSTS for now.  You can use the commented out header line that includes
-# the "preload" directive if you understand the implications.
-#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
-add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
-add_header X-Frame-Options DENY;
-add_header X-Content-Type-Options nosniff;
-
-ssl_dhparam /etc/ssl/certs/dhparam.pem;

running.sh

@@ -1,6 +1,5 @@
 #!/usr/bin/env bash
 
 python manage.py collectstatic && \
-    service nginx start && \
     python manage.py migrate && \
-    gunicorn wsgi:application
+    gunicorn wsgi:application --bind 0.0.0.0:8000