First commit

Author: vitormattos

.env.example

@@ -0,0 +1,5 @@
+TARGET_DOMAIN=
+DIGITALOCEAN_ACCESS_TOKEN=dop_v1_
+SPACES_ACCESS_TOKEN=
+SPACES_SECRET_KEY=
+SSH_HOST_KEY=id_rsa

.gitignore

@@ -0,0 +1,17 @@
+# Env
+.env
+
+# Editors
+.idea
+
+# Terraform
+**/.terraform/
+.tmp/*/*
+!.tmp/.gitkeep
+!.tmp/*/.gitkeep
+.infracost
+*.tmp
+
+# AWS
+.aws/*
+!.aws/.gitkeep

Dockerfile

@@ -0,0 +1,82 @@
+# syntax=docker/dockerfile:1
+FROM ubuntu:21.10 as base
+RUN apt update -y
+
+FROM base as dowloader
+
+RUN apt install curl unzip tar gzip git ca-certificates openssh-client -y
+
+# Terraform download
+ARG TERRAFORM_VER
+RUN cd /tmp && \
+  curl https://releases.hashicorp.com/terraform/${TERRAFORM_VER}/terraform_${TERRAFORM_VER}_linux_amd64.zip --output terraform.zip && \
+  unzip terraform.zip && \
+  mv terraform /usr/bin/ && \
+  rm -rf /tmp/* && \
+  terraform --version
+
+ARG PACKER_VER
+RUN cd /tmp && \
+  curl https://releases.hashicorp.com/packer/${PACKER_VER}/packer_${PACKER_VER}_linux_amd64.zip --output packer.zip && \
+  unzip packer.zip && \
+  mv packer /usr/bin/ && \
+  rm -rf /tmp/* && \
+  packer version
+
+ARG DOCTL_VER
+RUN cd /tmp && \
+  curl -L https://github.com/digitalocean/doctl/releases/download/v${DOCTL_VER}/doctl-${DOCTL_VER}-linux-amd64.tar.gz --output doctl.tar.gz && \
+  ls -la /tmp && \
+  tar xf doctl.tar.gz -C /tmp && \
+  mv /tmp/doctl /usr/bin/doctl && \
+  rm -rf /tmp/* && \
+  doctl version
+
+# Install task (https://taskfile.dev)
+RUN sh -c "$(curl --location https://taskfile.dev/install.sh)" -- -d -b /usr/bin \
+  && task --version
+
+# Generate private key
+RUN ssh-keygen -q -t rsa -N '' -f /root/.ssh/id_rsa
+
+# Target
+FROM base
+
+# configure nodejs repository
+RUN curl -fsSL https://deb.nodesource.com/setup_16.x | bash -
+RUN apt install ca-certificates ssh nodejs ansible -y
+
+# Workdir
+RUN mkdir -p /project
+WORKDIR /project
+
+# Terraform cache
+ENV TF_PLUGIN_CACHE_DIR=/project/.tmp/.terraform.d/plugin-cache
+ENV PACKER_CONFIG_DIR=/project/.tmp/
+# ENV PACKER_CACHE_DIR=/project/.tmp/.packer.d
+
+# Bash improviments
+RUN echo "alias ll='ls -l'" >> /root/.bashrc && \
+  echo "complete -C /usr/bin/terraform terraform" >> /root/.bashrc && \
+  echo 'PS1="\n\[\e[0;31m\]┌─[\[\e[0m\]\[\e[1;33m\]\u\[\e[0m\] ܁\[\e[1;36m\]\[\e[0m\]\[\e[1;34m\]\w\[\e[0m\]\[\e[0;31m\]]\n\[\e[0;31m\]└─\e[0;31m\]$ \[\e[0m\]"' >> /root/.bashrc
+
+# Copy from downloader stage
+COPY --from=dowloader --chown=root:root /root/.ssh/ /root/.ssh/
+COPY --from=dowloader --chown=root:root /usr/bin/terraform /usr/bin/terraform
+COPY --from=dowloader --chown=root:root /usr/bin/packer /usr/bin/packer
+COPY --from=dowloader --chown=root:root /usr/bin/doctl /usr/bin/doctl
+COPY --from=dowloader --chown=root:root /usr/bin/task /usr/bin/task
+
+# prepare ssh
+RUN chmod 600 /root/.ssh/id_rsa && \
+  ssh-keyscan -H github.com >> /root/.ssh/known_hosts && \
+  ssh-keyscan -H bitbucket.com >> /root/.ssh/known_hosts && \
+  echo "StrictHostKeyChecking no" >> /root/.ssh/ssh_config
+
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+
+RUN chmod 600 /docker-entrypoint.sh && \
+  chmod +x /docker-entrypoint.sh
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+CMD ["bash"]

README.md

@@ -0,0 +1,35 @@
+# LibreCode - Discourse
+
+Esta infra é construída com [Packer](https://www.packer.io/), [Terraform](https://www.terraform.io/) e [Ansible](https://docs.ansible.com/)
+
+Terraform e Packer se comunicam com a [DigitalOcean](https://www.digitalocean.com/) para construir toda a infra necessária.
+
+Packer é o responsável por criar a imagem base que será usada nas máquinas que vão rodar os serviços.
+
+O Terraform usa a imagem base para subir as máquinas (vazias)
+
+Ansible é o responsável por provisionar a aplicação nos servidores criados pelo terraform.
+
+Para mais informações, consulte as subpastas deste projeto.
+
+- [packer](packer/README.md)
+- [terraform](terraform/README.md)
+- [ansible](ansible/README.md)
+
+## Requisitos
+
+- [Docker ~v20.10](https://docs.docker.com/engine/install/)
+- [Docker Compose ~v2.3](https://docs.docker.com/compose/cli-command/)
+
+## Comandos
+
+Todas as dependencias necessárias para trabalhar com a infra estão dentro do [`Dockerfile`](Dockerfile) deste projeto.
+
+Basta construir a imagem e executar o container com os comandos abaixo.
+
+> Lembre-se de gerar suas credenciais da DigitalOcean e criar o arquivo `.env` com base no `.env.example`
+
+```sh
+docker-compose build
+docker-compose run tooling
+```

ansible/.gitignore

@@ -0,0 +1,2 @@
+inventory.*.ini
+.vault.*

ansible/README.md

@@ -0,0 +1,42 @@
+# Ansible
+
+Automatiza o processo de provisionamento das aplicações.
+
+O processo de provisionamento consiste em gerar um `docker-compose.yml` no servidor do serviço e um arquivo de definição do [NGINX](https://www.nginx.com/) para fazer [proxy reverso](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/) para o serviço gerenciado pelo [docker-compose](https://docs.docker.com/compose/).
+
+> Para mais informações sobre o NGINX e Docker instalados no servidor, consultar o [packer](../packer/README.md).
+
+## Comandos
+
+> Este projeto usa o utilitário [`taskfile`](https://taskfile.dev/) para simplificar algumas ações.
+
+Sempre antes de fazer um deploy atualize o inventário.
+
+```sh
+task inventory
+```
+Também é possivel encadear comandos.
+
+```sh
+task inventory deploy:discourse
+```
+
+Para conhecer os comandos disponíveis use o opção `--list`
+
+```sh
+task --list
+```
+
+## Secredos
+
+Este projeto usa [ansible-vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html) para proteger as alguns valores secretos.
+
+A senha fica no arquivo `.vault.pass.txt`, este arquivo nunca pode ser versionado.
+
+```sh
+ansible-vault encrypt vars/.secrets.$ENV.yml 
+```
+
+## Primeiro deploy
+
+O primeiro deploy vai demorar alguns minutos, pois todas as *migrations* e *builds* serão executados neste momento.

ansible/Taskfile.yaml

@@ -0,0 +1,31 @@
+# https://taskfile.dev
+
+version: '3'
+
+vars:
+  STAGE: development
+
+tasks:
+  secret:view:
+    desc: Exibe o conteúdo do arquivo de segredos
+    cmds:
+      - ansible-vault view vars/.secrets.{{ .STAGE }}.yml
+
+  secret:edit:
+    desc: Edita o conteúdo do arquivo de segredos
+    cmds:
+      - ansible-vault edit vars/.secrets.{{ .STAGE }}.yml
+
+  inventory:
+    desc: Gera o arquivo de inventário do ansible
+    cmds:
+      - NODE_ENV={{ .STAGE }} node scripts/generate-inventary.mjs > inventory.{{ .STAGE }}.ini
+
+  deploy:discourse:
+    desc: faz deploy do e-Cidade discourse
+    cmds:
+    - |
+      ansible-playbook discourse.yml -v \
+        --inventory-file inventory.{{ .STAGE }}.ini \
+        --extra-vars "@vars/{{ .STAGE }}.yml" \
+        --extra-vars "@vars/.secrets.{{ .STAGE }}.yml" {{.CLI_ARGS}}

ansible/ansible.cfg

@@ -0,0 +1,11 @@
+[defaults]
+; callbacks_enabled = timer, profile_tasks, profile_roles
+interpreter_python = /usr/bin/python3
+forks=50
+pipelining = True
+vault_password_file = ./.vault.pass.txt
+host_key_checking = False
+callbacks_enabled = timer
+
+[ssh_connection]
+ssh_args = -o ControlMaster=auto -o ControlPersist=60s

ansible/discourse.yml

@@ -0,0 +1,13 @@
+#!/usr/bin/env ansible-playbook
+
+- name: 'deploy e-cidade discourse'
+  hosts: all
+  become: true
+  gather_facts: false
+  strategy: free
+  roles:
+    - role: discourse
+      vars:
+        DISCOURSE_HOST: "{{ lookup('ansible.builtin.env', 'TARGET_DOMAIN') }}"
+        DISCOURSE_DOCKER_IMAGE: docker.io/bitnami/discourse:2.8.6
+        REDIS_DOCKER_IMAGE: docker.io/bitnami/redis:6.2

ansible/roles/discourse/defaults/main.yml

@@ -0,0 +1,9 @@
+---
+# defaults file for ansible
+
+database_host:
+database_user:
+database_name:
+database_port:
+database_sslmode: require
+EXPOSE_PORT: 8073

ansible/roles/discourse/files/README.md

@@ -0,0 +1,3 @@
+# Files
+
+Os arquivos `.crt` devem ser obtidos na DigitalOcean.

ansible/roles/discourse/handlers/main.yml

@@ -0,0 +1,13 @@
+- name: start docker-compose
+  community.docker.docker_compose:
+      project_name: "discourse"
+      files: docker-compose.discourse.yml
+      project_src: /app
+      state: present
+      remove_orphans: true
+      pull: true
+
+- name: restart nginx
+  ansible.builtin.service:
+    name: nginx
+    state: restarted

ansible/roles/discourse/tasks/ca-certificate.yml

@@ -0,0 +1,7 @@
+- name: Generate database-ca-certificate.crt
+  ansible.builtin.copy:
+    src: files/{{ ENVIRONMENT }}--database-ca-certificate.crt
+    dest: /app/database-ca-certificate.crt
+    force: no
+  tags:
+    - database

ansible/roles/discourse/tasks/docker.yml

@@ -0,0 +1,7 @@
+- name: Generate docker-compose.yml
+  ansible.builtin.template:
+    src: templates/docker-compose.yml.j2
+    dest: /app/docker-compose.discourse.yml
+  notify: start docker-compose
+  tags:
+    - docker

ansible/roles/discourse/tasks/main.yml

@@ -0,0 +1,3 @@
+- import_tasks: ca-certificate.yml
+- import_tasks: docker.yml
+- import_tasks: nginx.yml

ansible/roles/discourse/tasks/nginx.yml

@@ -0,0 +1,8 @@
+- name: Generate nginx config
+  ansible.builtin.template:
+    src: templates/nginx.conf.j2
+    dest: /etc/nginx/sites-enabled/discourse
+    backup: no
+  notify: restart nginx
+  tags:
+    - nginx

ansible/roles/discourse/templates/docker-compose.yml.j2

@@ -0,0 +1,77 @@
+# refs:
+# - https://github.com/discourse/discourse/blob/v2.8.3/config/discourse_defaults.conf
+# - https://github.com/bitnami/bitnami-docker-discourse/blob/master/2/debian-10/rootfs/opt/bitnami/scripts/discourse-env.sh
+
+x-common-env: &common-env
+  # ALLOW_EMPTY_PASSWORD is recommended only for development.
+  ALLOW_EMPTY_PASSWORD: "yes"
+  BITNAMI_DEBUG: "yes"
+  DISCOURSE_SITE_NAME: e-Cidade
+  DISCOURSE_PRECOMPILE_ASSETS: 1
+
+  LC_ALL: pt_BR.UTF-8
+  LANG: pt_BR.UTF-8
+  LANGUAGE: pt_BR.UTF-8
+  DISCOURSE_DEFAULT_LOCALE: pt_BR
+
+  DISCOURSE_HOST: {{ DISCOURSE_HOST }}
+  DISCOURSE_DATABASE_HOST: {{ database_host }}
+  DISCOURSE_DATABASE_PASSWORD: {{ secrets.database_password }}
+  DISCOURSE_DATABASE_PORT_NUMBER: {{ database_port }}
+  DISCOURSE_DATABASE_SSLMODE: {{ database_sslmode }}
+  DISCOURSE_DATABASE_USER: {{ database_user }}
+  DISCOURSE_DATABASE_NAME: {{ database_name }}
+  DISCOURSE_REDIS_HOST: redis
+  DISCOURSE_REDIS_PORT_NUMBER: 6379
+
+  {#
+    DISCOURSE_SMTP_ADDRESS: {{ secrets.email_smtp_address }}
+    DISCOURSE_SMTP_PORT: {{ secrets.email_smtp_port }}
+    DISCOURSE_SMTP_USER_NAME: {{ secrets.email_smtp_user_name }}
+    DISCOURSE_SMTP_PASSWORD: "{{ secrets.email_smtp_password }}"
+    #DISCOURSE_SMTP_ENABLE_START_TLS: true           # (optional, default true)
+    DISCOURSE_SMTP_DOMAIN: {{ hostname }}
+    DISCOURSE_NOTIFICATION_EMAIL: noreply@{{ hostname }}
+  #}
+
+version: '3.7'
+services:
+  redis:
+    image: docker.io/bitnami/redis:6.0
+    restart: on-failure
+    environment:
+      # ALLOW_EMPTY_PASSWORD is recommended only for development.
+      - ALLOW_EMPTY_PASSWORD=yes
+    volumes:
+      - 'redis_data:/bitnami/redis'
+
+  discourse:
+    image: {{ DISCOURSE_DOCKER_IMAGE }}
+    restart: on-failure
+    ports:
+      - '{{ EXPOSE_PORT }}:3000'
+    volumes:
+      - 'discourse_data:/bitnami/discourse'
+    depends_on:
+      - redis
+    environment:
+      <<: *common-env
+
+  sidekiq:
+    image: {{ DISCOURSE_DOCKER_IMAGE }}
+    restart: on-failure
+    depends_on:
+      - discourse
+    volumes:
+      - 'sidekiq_data:/bitnami/discourse'
+    command: /opt/bitnami/scripts/discourse-sidekiq/run.sh
+    environment:
+      <<: *common-env
+
+volumes:
+  redis_data:
+    driver: local
+  discourse_data:
+    driver: local
+  sidekiq_data:
+    driver: local