From 8ece9363c9f72b3944947d69fce216a27ddd9252 Mon Sep 17 00:00:00 2001
From: Yannic Kilcher
Date: Sun, 15 Jan 2023 18:55:49 +0100
Subject: [PATCH] added deployment files
---
 deploy/README.md | 3 +
 deploy/dev-node/nginx/docker-compose.yaml | 19 +++++
 deploy/dev-node/nginx/get_cert.sh | 3 +
 deploy/dev-node/nginx/nginx.conf | 81 ++++++++++++++++++++++
 deploy/dev-node/nginx/renew_certs.sh | 3 +
 deploy/prod-node/nginx/docker-compose.yaml | 19 +++++
 deploy/prod-node/nginx/get_cert.sh | 3 +
 deploy/prod-node/nginx/nginx.conf | 62 +++++++++++++++++
 deploy/prod-node/nginx/renew_certs.sh | 3 +
 9 files changed, 196 insertions(+)
 create mode 100644 deploy/README.md
 create mode 100644 deploy/dev-node/nginx/docker-compose.yaml
 create mode 100755 deploy/dev-node/nginx/get_cert.sh
 create mode 100644 deploy/dev-node/nginx/nginx.conf
 create mode 100755 deploy/dev-node/nginx/renew_certs.sh
 create mode 100644 deploy/prod-node/nginx/docker-compose.yaml
 create mode 100755 deploy/prod-node/nginx/get_cert.sh
 create mode 100644 deploy/prod-node/nginx/nginx.conf
 create mode 100755 deploy/prod-node/nginx/renew_certs.sh
diff --git a/deploy/README.md b/deploy/README.md
new file mode 100644
index 00000000..279b35dc
--- /dev/null
+++ b/deploy/README.md
@@ -0,0 +1,3 @@
+# Deployment files
+
+Copy these to the node you want to deploy to.
diff --git a/deploy/dev-node/nginx/docker-compose.yaml b/deploy/dev-node/nginx/docker-compose.yaml
new file mode 100644
index 00000000..a9bc6897
--- /dev/null
+++ b/deploy/dev-node/nginx/docker-compose.yaml
@@ -0,0 +1,19 @@
+version: "3"
+
+services:
+ webserver:
+ image: nginx:latest
+ network_mode: host
+ ports:
+ - 80:80
+ - 443:443
+ restart: always
+ volumes:
+ - ./nginx.conf:/etc/nginx/nginx.conf:ro
+ - ./certbot/www:/var/www/certbot/:ro
+ - ./certbot/conf/:/etc/nginx/ssl/:ro
+ certbot:
+ image: certbot/certbot:latest
+ volumes:
+ - ./certbot/www/:/var/www/certbot/:rw
+ - ./certbot/conf/:/etc/letsencrypt/:rw
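Review bot: Both services pull the floating `latest` tag (`nginx:latest`, `certbot/certbot:latest`), so a fresh node or a routine pull can silently change the TLS terminator and the ACME client that handles the private keys. Pin a version tag or digest instead, e.g. `image: nginx:VERSION@sha256:DIGEST` (placeholders). Separately, the `ports:` entries under `webserver` do nothing useful next to `network_mode: host`, because Docker ignores or rejects published ports in host mode; dropping them avoids implying the container is limited to 80/443. The same two points apply to deploy/prod-node/nginx/docker-compose.yaml.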
diff --git a/deploy/dev-node/nginx/get_cert.sh b/deploy/dev-node/nginx/get_cert.sh
new file mode 100755
index 00000000..1ebc26b7
--- /dev/null
+++ b/deploy/dev-node/nginx/get_cert.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker compose run --rm certbot certonly -m admin@open-assistant.io --agree-tos --webroot --webroot-path /var/www/certbot/ -d $1
diff --git a/deploy/dev-node/nginx/nginx.conf b/deploy/dev-node/nginx/nginx.conf
new file mode 100644
index 00000000..e18728d0
--- /dev/null
+++ b/deploy/dev-node/nginx/nginx.conf
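Review bot: `$1` is expanded unquoted and never checked, so running the script without an argument passes a bare `-d` to certbot, and an argument containing whitespace is split into extra certbot options. Require and quote it: `-d "${1:?usage: get_cert.sh DOMAIN}"`. The identical script in deploy/prod-node/nginx/get_cert.sh needs the same change.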
@@ -0,0 +1,81 @@
+events {}
+http {
+ server {
+ listen 80;
+ listen [::]:80;
+
+ server_name *.open-assistant.io;
+ server_tokens off;
+
+ location /.well-known/acme-challenge/ {
+ root /var/www/certbot;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+ }
+
+ server {
+ listen 443 ssl http2;
+
+ server_name web.dev.open-assistant.io;
+
+ ssl_certificate /etc/nginx/ssl/live/web.dev.open-assistant.io/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/live/web.dev.open-assistant.io/privkey.pem;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass http://127.0.0.1:3000;
+ }
+ }
+
+ server {
+ listen 443 ssl http2;
+
+ server_name backend.dev.open-assistant.io;
+
+ ssl_certificate /etc/nginx/ssl/live/backend.dev.open-assistant.io/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/live/backend.dev.open-assistant.io/privkey.pem;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass http://127.0.0.1:8080;
+ }
+ }
+
+
+ server {
+ listen 443 ssl http2;
+
+ server_name web.staging.open-assistant.io;
+
+ ssl_certificate /etc/nginx/ssl/live/web.staging.open-assistant.io/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/live/web.staging.open-assistant.io/privkey.pem;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass http://127.0.0.1:3100;
+ }
+ }
+
+ server {
+ listen 443 ssl http2;
+
+ server_name backend.staging.open-assistant.io;
+
+ ssl_certificate /etc/nginx/ssl/live/backend.staging.open-assistant.io/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/live/backend.staging.open-assistant.io/privkey.pem;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass http://127.0.0.1:8180;
+ }
+ }
+
+
+}
diff --git a/deploy/dev-node/nginx/renew_certs.sh b/deploy/dev-node/nginx/renew_certs.sh
new file mode 100755
index 00000000..30a72a65
--- /dev/null
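Review bot: None of the 443 servers is marked `default_server`, so nginx falls back to the first one (web.dev.open-assistant.io) for any SNI or Host name it does not recognise, and `proxy_set_header Host $host` then forwards that client-chosen name to the app on 127.0.0.1:3000. A catch-all such as `server { listen 443 ssl default_server; ssl_reject_handshake on; }` (nginx 1.19.4 or later) closes that off. `server_tokens off;` is also set only inside the port-80 server; moving it to the `http` level would cover the TLS servers as well. Both points apply to deploy/prod-node/nginx/nginx.conf too.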
+++ b/deploy/dev-node/nginx/renew_certs.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker compose run --rm certbot renew
diff --git a/deploy/prod-node/nginx/docker-compose.yaml b/deploy/prod-node/nginx/docker-compose.yaml
new file mode 100644
index 00000000..a9bc6897
--- /dev/null
+++ b/deploy/prod-node/nginx/docker-compose.yaml
@@ -0,0 +1,19 @@
+version: "3"
+
+services:
+ webserver:
+ image: nginx:latest
+ network_mode: host
+ ports:
+ - 80:80
+ - 443:443
+ restart: always
+ volumes:
+ - ./nginx.conf:/etc/nginx/nginx.conf:ro
+ - ./certbot/www:/var/www/certbot/:ro
+ - ./certbot/conf/:/etc/nginx/ssl/:ro
+ certbot:
+ image: certbot/certbot:latest
+ volumes:
+ - ./certbot/www/:/var/www/certbot/:rw
+ - ./certbot/conf/:/etc/letsencrypt/:rw
diff --git a/deploy/prod-node/nginx/get_cert.sh b/deploy/prod-node/nginx/get_cert.sh
new file mode 100755
index 00000000..1ebc26b7
--- /dev/null
+++ b/deploy/prod-node/nginx/get_cert.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker compose run --rm certbot certonly -m admin@open-assistant.io --agree-tos --webroot --webroot-path /var/www/certbot/ -d $1
diff --git a/deploy/prod-node/nginx/nginx.conf b/deploy/prod-node/nginx/nginx.conf
new file mode 100644
index 00000000..dec02124
--- /dev/null
+++ b/deploy/prod-node/nginx/nginx.conf
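Review bot: Nothing tells the running nginx to reload after `certbot renew`, so the `webserver` container keeps serving the certificate it loaded at start-up and clients will eventually be handed an expired one. Follow the renew with a reload, e.g. `docker compose exec webserver nginx -s reload`, and run the script with `set -e` so a failed renewal is visible to whatever schedules it. deploy/prod-node/nginx/renew_certs.sh has the same gap.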
@@ -0,0 +1,62 @@
+events {}
+http {
+ server {
+ listen 80;
+ listen [::]:80;
+
+ server_name *.open-assistant.io open-assistant.io;
+ server_tokens off;
+
+ location /.well-known/acme-challenge/ {
+ root /var/www/certbot;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+ }
+
+ server {
+ listen 443 ssl http2;
+
+ server_name open-assistant.io;
+
+ ssl_certificate /etc/nginx/ssl/live/open-assistant.io/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/live/open-assistant.io/privkey.pem;
+
+ location / {
+ return 301 https://web.prod.open-assistant.io$request_uri;
+ }
+ }
+
+ server {
+ listen 443 ssl http2;
+
+ server_name web.prod.open-assistant.io;
+
+ ssl_certificate /etc/nginx/ssl/live/web.prod.open-assistant.io/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/live/web.prod.open-assistant.io/privkey.pem;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass http://127.0.0.1:3000;
+ }
+ }
+
+ server {
+ listen 443 ssl http2;
+
+ server_name backend.prod.open-assistant.io;
+
+ ssl_certificate /etc/nginx/ssl/live/backend.prod.open-assistant.io/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/live/backend.prod.open-assistant.io/privkey.pem;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass http://127.0.0.1:8080;
+ }
+ }
+
+}
diff --git a/deploy/prod-node/nginx/renew_certs.sh b/deploy/prod-node/nginx/renew_certs.sh
new file mode 100755
index 00000000..30a72a65
--- /dev/null
+++ b/deploy/prod-node/nginx/renew_certs.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker compose run --rm certbot renew
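Review bot: The production 443 servers send no `Strict-Transport-Security` header, so browsers go through the plain-HTTP redirect on port 80 whenever a user types the bare host name, and that first hop stays open to downgrade on an untrusted network. Adding `add_header Strict-Transport-Security "max-age=31536000" always;` at the `http` level or in each TLS server addresses this; a short max-age is a sensible start while certificates are still being rolled out. The TLS servers also listen on IPv4 only (`listen 443 ssl http2;`) although port 80 has `listen [::]:80;`, so if the node has an IPv6 address `listen [::]:443 ssl http2;` is probably wanted as well.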