Alon Salant edited this page Aug 17, 2022 · 21 revisions

For information on how to make changes to Freehub, see the Freehub Developer Guide. This document is for administrators only.

For http://freehub.bikekitchen.org, Freehub is deployed on Engine Yard AppCloud from the 'master' branch of this GitHub project. http://freehub-staging.bikekitchen.org is also available for testing.

Deploying

Tag Release

Prior to deploying a new version, tag the release with a tag name in the format v1.0.0:

git checkout master
git pull origin master
git tag -a v1.0.0 -m "Something about the significance of this release"
git push origin v1.0.0

Increment the patch version (v1.0.0 goes to v1.0.1) unless there are significant changes.

From EngineYard Dashboard

Use the AppCloud dashboard to trigger new stage and production deploys.

Command Line

You may also trigger deploys using the EngineYard ey utility.

gem install engineyard
ey deploy -e Freehub_v4_Staging [--no-migrate]

Configuration

Database

EngineYard handles configuring connections to production and staging databases.

Email

In production we send email with SendMail, which is configured on EngineYard using this Chef recipe. This page has more information on using Chef with EngineYard.

SendGrid requires that applications use an API key to send emails. The Freehub SendGrid account is set up with a "send mail only" API key. Keys cannot be viewed after they are created, but you can create another one if needed for a new configuration. When using SendGrid API keys with older authentication styles, use the username "apikey" and the API key as the password.

Basic steps for next time a new environment is set up:

  • Check out ey-cloud-recipes
  • Edit cookbooks/main/default.rb to enable ssmtp
  • gem install engineyard
  • ey recipes upload -e Freehub_v4_Production
  • Apply changes to the environment from the EY dashboard
  • Copy /data/ssmtp/ssmtp.conf from an existing environment using scp (sudo mv ssmtp.conf /data/ssmtp/ssmtp.conf on the destination instance once the file is there)
  • Done

Test sendmail config with echo "Subject: sendmail test" | sendmail -v [email protected].

SSL

Freehub uses free SSL certs from the EFF Let's Encrypt service. They are managed using acme.sh on each of the application servers and are set up as follows.

On Sept 30 2021, the original Let's Encrypt root certificate expired and was replaced by a new one that needs to be updated on the servers. Follow the steps for Stack v4 from Engine Yard to apply this update.

Enable SSL in the environment by assigning any SSL cert from the dashboard and Applying. This sets up the nginx SSL config files. (See https://support.cloud.engineyard.com/hc/en-us/requests/159530.)

On the application server:

curl https://get.acme.sh | sh

mkdir -p /data/letsencrypt/www/.well-known/acme-challenge
vi /data/nginx/servers/freehub/custom.conf

Add:

location /.well-known/acme-challenge/ {
  alias /data/letsencrypt/www/.well-known/acme-challenge/;
}

Then reload nginx and issue the cert:

sudo /etc/init.d/nginx configtest
sudo /etc/init.d/nginx reload

acme.sh --issue -d freehub.bikekitchen.org -w /data/letsencrypt/www

Then install the cert. This also sets up a daily cron job to check the cert and reissue if it is expiring.

mkdir -p /data/letsencrypt/live/freehub.bikekitchen.org/

acme.sh --install-cert -d freehub.bikekitchen.org \
--cert-file /data/letsencrypt/live/freehub.bikekitchen.org/cert.pem \
--key-file /data/letsencrypt/live/freehub.bikekitchen.org/key.pem \
--fullchain-file /data/letsencrypt/live/freehub.bikekitchen.org/fullchain.pem \
--ca-file /data/letsencrypt/live/freehub.bikekitchen.org/a.pem \
--reloadcmd "sudo /etc/init.d/nginx reload"

vi /etc/nginx/servers/freehub/customer.ssl_cert

Comment out the include directive and add:

ssl on;
ssl_certificate /data/letsencrypt/live/freehub.bikekitchen.org/fullchain.pem;
ssl_certificate_key     /data/letsencrypt/live/freehub.bikekitchen.org/key.pem;
ssl_trusted_certificate /data/letsencrypt/live/freehub.bikekitchen.org/a.pem;

Then run:

sudo /etc/init.d/nginx configtest
sudo /etc/init.d/nginx reload

Verify SSL certificates are correctly configured at SSL Checker.

If acme.sh is set up correctly, it will renew the SSL certificates every 90 days with a job scheduled in the deploy user crontab. Confirm it is configured in the crontab with crontab -l.

Note: EngineYard infrastructure overwrites the deploy user crontab in some instances. The cron job should be set up in the EY Cloud dashboard to run at least weekly. The job is:

"/home/deploy/.acme.sh"/acme.sh --cron --home "/home/deploy/.acme.sh" > /dev/null

Edit /etc/nginx/servers/freehub.conf to redirect HTTP to HTTPS. (The /.well-known/acme-challenge mapping in freehub/custom.conf will take priority.)

location / {
  return 301 https://$host$request_uri;
  ...
}

Then run:

sudo /etc/init.d/nginx configtest
sudo /etc/init.d/nginx reload

Set up email notifications to monitor the daily cron job that checks the Let's Encrypt certificate and renews it if needed. sendmail is configured on the app server to use the SendGrid service.

export MAIL_FROM="[email protected]"
export MAIL_TO="[email protected]"
acme.sh --set-notify --notify-hook mail
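
Because the deploy user crontab can be overwritten, renewal can stop without any error until the certificate expires. The script below is an added example, not part of the original page or the Freehub project: it checks that an active acme.sh --cron entry exists and that the installed fullchain.pem is not close to expiry. The function names, the --run switch and the 21-day threshold are assumptions; the paths are the ones used on this page.

```shell
#!/bin/sh
# Added example: renewal health check for the acme.sh setup on this page.
# Run on the application server as the deploy user: sh check_renewal.sh --run

CERT=/data/letsencrypt/live/freehub.bikekitchen.org/fullchain.pem
MIN_DAYS=21   # assumed alert threshold, not from the page

# Succeeds if the crontab text on stdin contains an active (uncommented)
# acme.sh --cron entry.
has_acme_cron() {
  grep -v '^[[:space:]]*#' | grep -Eq 'acme\.sh"?[[:space:]]+--cron'
}

# Succeeds if certificate file $1 is still valid $2 days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Prints one status line per check; returns non-zero if any check fails.
# $1 = crontab text, $2 = certificate path, $3 = minimum days remaining
check_renewal() {
  crontab_text=$1 cert=$2 days=$3 rc=0
  if printf '%s\n' "$crontab_text" | has_acme_cron; then
    echo "OK: acme.sh cron entry present"
  else
    echo "FAIL: acme.sh cron entry missing from crontab"; rc=1
  fi
  if [ ! -r "$cert" ]; then
    echo "FAIL: cannot read $cert"; rc=1
  elif cert_valid_for_days "$cert" "$days"; then
    echo "OK: certificate valid for at least $days more days"
  else
    echo "FAIL: certificate expires within $days days"; rc=1
  fi
  return $rc
}

if [ "${1:-}" = "--run" ]; then
  check_renewal "$(crontab -l 2>/dev/null)" "$CERT" "$MIN_DAYS"
fi
```

A non-zero exit status makes the script usable from a separate scheduled job or monitoring check that does not depend on the deploy user crontab.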