BUILD: Copy nix config for staging deployment to prod deployment.

epatters · epatters · commit ee333bd9dd6a · 2025-01-30T11:44:56.000-08:00
Modulo changes to the hostnames.
diff --git a/infrastructure/hosts/catcolab/backend.nix b/infrastructure/hosts/catcolab/backend.nix
@@ -1,15 +1,103 @@
 { inputs, pkgs, config, ... }:
 
 let
-    port = "8000";
-    startScript = pkgs.writeShellScript "catcolab.sh" ''
-        rm -f instrument.mjs
-        cp ${config.age.secrets."instrument.mjs".path} .
-        ${pkgs.nodejs}/bin/node dist/index.js
+    automergePort = "8010";
+    backendPort = "8000";
+
+    automergeScript = pkgs.writeShellScript "automerge.sh" ''
+        ln -sf ${config.age.secrets."instrument.mjs".path} /var/lib/catcolab/packages/automerge-doc-server/
+        ${pkgs.nodejs}/bin/node dist/automerge-doc-server/src/main.js
+    '';
+
+    backendScript = pkgs.writeShellScript "backend.sh" ''
+        ln -sf ${config.age.secrets.".env".path} /var/lib/catcolab/packages/backend/
+        ../../target/debug/backend
+    '';
+
+    initScript = pkgs.writeShellScriptBin "catcolab-init" ''
+        echo -e "\n\n##### catcolab-init: cloning catcolab repo...\n\n"
+        cd /var/lib
+        if [ -z "$1" ]; then branch="main"; else branch="$1"; fi
+        git clone -b $branch https://github.com/ToposInstitute/CatColab.git
+        mv CatColab catcolab
+        chown -R catcolab:catcolab catcolab
+
+        echo -e "\n\n##### catcolab-init: linking secrets...\n\n"
+        ln -sf ${config.age.secrets."instrument.mjs".path} /var/lib/catcolab/packages/automerge-doc-server/
+        ln -sf ${config.age.secrets.".env".path} /var/lib/catcolab/packages/backend/
+        
+        echo -e "\n\n##### catcolab-init: installing nodejs dependencies...\n\n"
+        su -l catcolab -c "cd /var/lib/catcolab/packages/backend; pnpm install"
+
+        echo -e "\n\n##### catcolab-init: installing rust and cargo...\n\n"
+        su -l catcolab -c "rustup default stable"
+        
+        echo -e "\n\n##### catcolab-init: installing sqlx-cli for migrations...\n\n"
+        su -l catcolab -c "cargo install sqlx-cli"
+
+        echo -e "\n\n##### catcolab-init: setting up postgres user, database, permissions...\n\n"
+        su -l postgres -- /var/lib/catcolab/infrastructure/scripts/initdb.sh $(cat ${config.age.secrets.".env".path})
+
+        echo -e "\n\n##### catcolab-init: stopping automerge, build services...\n\n"
+        /var/lib/catcolab/infrastructure/scripts/stop.sh
+
+        echo -e "\n\n##### catcolab-init: migrating database...\n\n"
+        su -l catcolab -- /var/lib/catcolab/infrastructure/scripts/migrate.sh
+
+        echo -e "\n\n##### catcolab-init: building binaries...\n\n"
+        su -l catcolab -- /var/lib/catcolab/infrastructure/scripts/build.sh
+
+        echo -e "\n\n##### catcolab-init: start automerge, build services...\n\n"
+        /var/lib/catcolab/infrastructure/scripts/start.sh
+    '';
+
+    stopScript = pkgs.writeShellScriptBin "catcolab-stop" ''
+        /var/lib/catcolab/infrastructure/scripts/stop.sh
+    '';
+
+    startScript = pkgs.writeShellScriptBin "catcolab-start" ''
+        /var/lib/catcolab/infrastructure/scripts/start.sh
+    '';
+
+    restartScript = pkgs.writeShellScriptBin "catcolab-restart" ''
+        /var/lib/catcolab/infrastructure/scripts/restart.sh
+    '';
+
+    statusScript = pkgs.writeShellScriptBin "catcolab-status" ''
+        /var/lib/catcolab/infrastructure/scripts/status.sh
+    '';
+
+    migrateScript = pkgs.writeShellScriptBin "catcolab-migrate" ''
+        /var/lib/catcolab/infrastructure/scripts/migrate.sh
     '';
+
+    buildScript = pkgs.writeShellScriptBin "catcolab-build" ''
+        /var/lib/catcolab/infrastructure/scripts/build.sh
+    '';
+
+    packages = with pkgs; [
+        rustup
+        nodejs
+        nodejs.pkgs.pnpm
+        git
+        stdenv.cc
+        openssl.dev
+        pkg-config
+    ];
+
+    scripts = [
+        initScript
+        stopScript
+        startScript
+        restartScript
+        statusScript
+        migrateScript
+        buildScript
+    ];
+
 in {
-    age.secrets.DATABASE_URL = {
-        file = "${inputs.self}/secrets/DATABASE_URL.age";
+    age.secrets.".env" = {
+        file = "${inputs.self}/secrets/.env.age";
         mode = "400";
         owner = "catcolab";
     };
@@ -23,61 +111,99 @@ in {
     services.postgresql.enable = true;
 
     services.nginx.enable = true;
-    services.nginx.virtualHosts."backend.catcolab.org" = {
+
+    services.nginx.virtualHosts."automerge.catcolab.org" = {
         forceSSL = true;
         enableACME = true;
         locations."/" = {
             extraConfig = ''
-                if ($request_method = OPTIONS) {
-                    return 204;
-                }
-                proxy_hide_header 'Access-Control-Allow-Origin';
-                add_header 'Access-Control-Allow-Origin' '*' always;
-                add_header 'Access-Control-Allow-Methods' 'GET, POST, DELETE, PUT, OPTIONS' always;
-                add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
-                proxy_pass http://localhost:${port};
-                error_log syslog:server=unix:/dev/log;
-                access_log syslog:server=unix:/dev/log;
-                proxy_http_version 1.1;
-                proxy_set_header Upgrade $http_upgrade;
-                proxy_set_header Connection "upgrade";
+              if ($request_method = OPTIONS) {
+                return 204;
+              }
+              proxy_hide_header 'Access-Control-Allow-Origin';
+              add_header 'Access-Control-Allow-Origin' '*' always;
+              add_header 'Access-Control-Allow-Methods' 'GET, POST, DELETE, PUT, OPTIONS' always;
+              add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
+              proxy_pass http://localhost:${automergePort};
+              error_log syslog:server=unix:/dev/log;
+              access_log syslog:server=unix:/dev/log;
+              proxy_http_version 1.1;
+              proxy_set_header Upgrade $http_upgrade;
+              proxy_set_header Connection "upgrade";
             '';
         };
+      };
+
+      services.nginx.virtualHosts."backend.catcolab.org" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          extraConfig = ''
+              if ($request_method = OPTIONS) {
+                return 204;
+              }
+              proxy_hide_header 'Access-Control-Allow-Origin';
+              add_header 'Access-Control-Allow-Origin' '*' always;
+              add_header 'Access-Control-Allow-Methods' 'GET, POST, DELETE, PUT, OPTIONS' always;
+              add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
+              proxy_pass http://localhost:${backendPort};
+              error_log syslog:server=unix:/dev/log;
+              access_log syslog:server=unix:/dev/log;
+              proxy_http_version 1.1;
+              proxy_set_header Upgrade $http_upgrade;
+              proxy_set_header Connection "upgrade";
+          '';
+        };
+      };
+
+    systemd.services.automerge = {
+        enable = true;
+        wantedBy = ["multi-user.target"];
+
+        environment = {
+            PORT = automergePort;
+            # NODE_OPTIONS = "--import ./instrument.mjs";  # sentry disabled - need Owen to fix
+        };
+
+        serviceConfig = {
+            User = "catcolab";
+            ExecStart = automergeScript;
+            Type = "simple";
+            WorkingDirectory = "/var/lib/catcolab/packages/automerge-doc-server/";
+            Restart = "on-failure";
+        };
     };
 
-    systemd.services.catcolab = {
+    systemd.services.backend = {
         enable = true;
         wantedBy = ["multi-user.target"];
 
         environment = {
-            PORT = port;
-            DATABASE_URL_PATH = config.age.secrets.DATABASE_URL.path;
-            NODE_OPTIONS = "--import ./instrument.mjs";
+            PORT = backendPort;
         };
 
         serviceConfig = {
             User = "catcolab";
-            ExecStart = startScript;
+            ExecStart = backendScript;
             Type="simple";
             WorkingDirectory = "/var/lib/catcolab/packages/backend/";
             Restart = "on-failure";
         };
     };
 
-    users.users.catcolab = {
-        isNormalUser = true;
-        group = "catcolab";
-    };
-
-    environment.systemPackages = with pkgs; [
-        rustup
-        nodejs
-        nodejs.pkgs.pnpm
-        git
-        stdenv.cc
-    ];
+    security.sudo.extraRules = [{
+        users = [ "catcolab" ]; 
+        commands = [
+            { command = "/run/current-system/sw/bin/systemctl start automerge"; options = [ "NOPASSWD" ]; } 
+            { command = "/run/current-system/sw/bin/systemctl stop automerge"; options = [ "NOPASSWD" ]; } 
+            { command = "/run/current-system/sw/bin/systemctl restart automerge"; options = [ "NOPASSWD" ]; }
+            { command = "/run/current-system/sw/bin/systemctl start backend"; options = [ "NOPASSWD" ]; } 
+            { command = "/run/current-system/sw/bin/systemctl stop backend"; options = [ "NOPASSWD" ]; } 
+            { command = "/run/current-system/sw/bin/systemctl restart backend"; options = [ "NOPASSWD" ]; }
+        ]; 
+    }];
 
-    environment.variables.DATABASE_URL_PATH = config.age.secrets.DATABASE_URL.path;
+    environment.systemPackages = packages ++ scripts;
 
-    users.groups.catcolab = {};
+    environment.variables.PKG_CONFIG_PATH = "/run/current-system/sw/lib/pkgconfig";
 }
diff --git a/infrastructure/hosts/catcolab/default.nix b/infrastructure/hosts/catcolab/default.nix
@@ -1,55 +1,60 @@
 { inputs, ... }:
 
 let
-  owen     = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2sBTuqGoEXRWpBRqTBwZZPDdLGGJ0GQcuX5dfIZKb4 o@red-special";
-  epatters = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAKXx6wMJSeYKCHNmbyR803RQ72uto9uYsHhAPPWNl2D evan@epatters.org";
-  shaowei  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOV/7Vnjn7PwOC9VWyRAvsh5lUieIBHgdf4RRLkL8ZPa shaowei@gmail.com";
+    owen     = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2sBTuqGoEXRWpBRqTBwZZPDdLGGJ0GQcuX5dfIZKb4 o@red-special";
+    epatters = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAKXx6wMJSeYKCHNmbyR803RQ72uto9uYsHhAPPWNl2D evan@epatters.org";
+    shaowei  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOV/7Vnjn7PwOC9VWyRAvsh5lUieIBHgdf4RRLkL8ZPa shaowei@gmail.com";
 in
 {
-  imports = [
-      ./backend.nix
-      "${inputs.nixpkgs}/nixos/modules/virtualisation/amazon-image.nix"
-  ];
+    imports = [
+        ./backend.nix
+        "${inputs.nixpkgs}/nixos/modules/virtualisation/amazon-image.nix"
+    ];
 
-  networking.hostName = "catcolab";
+    networking.hostName = "catcolab";
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
 
-  security.sudo.wheelNeedsPassword = false;
+    security.sudo.wheelNeedsPassword = false;
+    security.acme.acceptTerms = true;
+    security.acme.defaults.email = "owen@topos.institute";
 
-  users.mutableUsers = false;
+    users.mutableUsers = false;
 
-  users.users.owen = {
-    isNormalUser = true;
-    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
-    openssh.authorizedKeys.keys = [ owen ];
-  };
+    users.groups.catcolab = {};
 
-  users.users.epatters = {
-    isNormalUser = true;
-    extraGroups = [ "wheel" ];
-    openssh.authorizedKeys.keys = [ epatters ];
-  };
+    users.users.catcolab = {
+        isNormalUser = true;
+        group = "catcolab";
+        openssh.authorizedKeys.keys = [ owen epatters shaowei ];
+    };
 
-  users.users.shaowei = {
-    isNormalUser = true;
-    extraGroups = [ "wheel" ];
-    openssh.authorizedKeys.keys = [ shaowei ];
-  };
+    users.users.owen = {
+        isNormalUser = true;
+        extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+        openssh.authorizedKeys.keys = [ owen ];
+    };
 
-  users.users.root.openssh.authorizedKeys.keys = [ owen epatters shaowei ];
+    users.users.epatters = {
+        isNormalUser = true;
+        extraGroups = [ "wheel" ];
+        openssh.authorizedKeys.keys = [ epatters ];
+    };
 
-  time.timeZone = "America/New_York";
+    users.users.shaowei = {
+        isNormalUser = true;
+        extraGroups = [ "wheel" ];
+        openssh.authorizedKeys.keys = [ shaowei ];
+    };
 
-  # Enable the OpenSSH daemon.
-  services.openssh.enable = true;
+    users.users.root.openssh.authorizedKeys.keys = [ owen epatters shaowei ];
 
-  system.stateVersion = "24.05";
+    time.timeZone = "America/New_York";
 
-  security.acme.acceptTerms = true;
-  security.acme.defaults.email = "owen@topos.institute";
+    services.openssh.enable = true;
 
-  nix.extraOptions = ''
-    experimental-features = nix-command flakes
-  '';
+    system.stateVersion = "24.05";
 
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
+    nix.extraOptions = ''
+        experimental-features = nix-command flakes
+    '';
 }
