add: docker deploy

.gitignore

@@ -5,3 +5,4 @@ __pycache__
 output/
 node_modules/
 .venv/
+standalone-deploy/data/certbot

README.md

@@ -17,3 +17,19 @@ docker build -t ge-blog .
 docker run -p 8000:80 ge-blog 
 
 
+## Standalone Deploy
+ 
+__On a new or existing droplet (requires docker and docker-compose)__
+
+```sh
+# Make sure the A name choosen point to the droplet IP
+# Replace domain name init-cert.sh (line 8)  and data/nginx.conf (lines 3,16,20,21)
+
+$ cd standalone-deploy && bash init-cert.sh
+$ docker build -t ge-blog -f Dockerfile ../
+$ docker run -d -p 80:80 -p 443:443 -v $(pwd)/data/certbot/conf:/etc/letsencrypt -v $(pwd)/data/certbot/www:/var/www/certbot ge-blog
+
+# Check if http->https redirect works https://httpstatus.io/
+# http://www.stormspirit.tech
+# https://www.stormspirit.tech
+```

standalone-deploy/Dockerfile

@@ -0,0 +1,22 @@
+FROM python:3.9.7-slim-buster as build
+
+WORKDIR /app
+
+RUN apt-get update && apt-get install make 
+
+COPY requirements.txt .
+
+RUN pip install -r requirements.txt
+
+COPY . .
+
+RUN make publish 
+
+FROM openresty/openresty:buster-fat
+
+COPY --from=build /app/output /var/www/pelican/output/ 
+
+EXPOSE 80
+
+COPY standalone-deploy/data/nginx.conf /etc/nginx/conf.d/default.conf
+

standalone-deploy/data/nginx.conf

@@ -0,0 +1,43 @@
+server {
+  listen 80;
+  server_name grassrootseconomics.org;
+
+  location /.well-known/acme-challenge/ {
+    root /var/www/certbot;
+  }  
+
+  location / {
+    return 301 https://$host$request_uri;
+  }
+}
+
+server {
+    listen 443 ssl;
+    server_name grassrootseconomics.org;
+
+    root /var/www/pelican/output;
+
+    ssl_certificate /etc/letsencrypt/live/grassrootseconomics.org/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/grassrootseconomics.org/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
+
+    location = / {
+      rewrite ^ /index.html;
+    }
+
+    location / {
+      gzip_static on;
+      try_files $uri.htm $uri.html $uri =404;
+    }
+
+    location = /favicon.ico {
+      expires max;
+    }
+
+    location ^~ /theme {
+      expires 1y;
+    }
+}

standalone-deploy/docker-compose-cert.yml

@@ -0,0 +1,19 @@
+version: '3'
+services:
+  nginx:
+    image: nginx:1.15-alpine
+    restart: unless-stopped
+    volumes:
+      - ./data/nginx.conf:/etc/nginx/conf.d/default.conf
+      - ./data/certbot/conf:/etc/letsencrypt
+      - ./data/certbot/www:/var/www/certbot
+    ports:
+      - '80:80'
+    command: '/bin/sh -c ''while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g "daemon off;"'''
+  certbot:
+    image: certbot/certbot
+    restart: unless-stopped
+    volumes:
+      - ./data/certbot/conf:/etc/letsencrypt
+      - ./data/certbot/www:/var/www/certbot
+    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 400h & wait $${!}; done;'"

standalone-deploy/init-cert.sh

@@ -0,0 +1,83 @@
+#!/bin/bash
+
+if ! [ -x "$(command -v docker-compose)" ]; then
+  echo 'Error: docker-compose is not installed.' >&2
+  exit 1
+fi
+
+domains=(grassrootseconomics.org)
+rsa_key_size=4096
+data_path="./data/certbot"
+email="sohailsameja@gmail.com"
+staging=0
+
+if [ -d "$data_path" ]; then
+  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
+  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
+    exit
+  fi
+fi
+
+
+if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
+  echo "### Downloading recommended TLS parameters ..."
+  mkdir -p "$data_path/conf"
+  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
+  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
+  echo
+fi
+
+echo "### Creating dummy certificate for $domains ..."
+path="/etc/letsencrypt/live/$domains"
+mkdir -p "$data_path/conf/live/$domains"
+docker-compose -f docker-compose-cert.yml run --rm --entrypoint "\
+  openssl req -x509 -nodes -newkey rsa:1024 -days 1\
+    -keyout '$path/privkey.pem' \
+    -out '$path/fullchain.pem' \
+    -subj '/CN=localhost'" certbot
+echo
+
+
+echo "### Starting nginx ..."
+docker-compose -f docker-compose-cert.yml up --force-recreate -d nginx
+echo
+
+echo "### Deleting dummy certificate for $domains ..."
+docker-compose -f docker-compose-cert.yml run --rm --entrypoint "\
+  rm -Rf /etc/letsencrypt/live/$domains && \
+  rm -Rf /etc/letsencrypt/archive/$domains && \
+  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
+echo
+
+
+echo "### Requesting Let's Encrypt certificate for $domains ..."
+#Join $domains to -d args
+domain_args=""
+for domain in "${domains[@]}"; do
+  domain_args="$domain_args -d $domain"
+done
+
+# Select appropriate email arg
+case "$email" in
+  "") email_arg="--register-unsafely-without-email" ;;
+  *) email_arg="--email $email" ;;
+esac
+
+# Enable staging mode if needed
+if [ $staging != "0" ]; then staging_arg="--staging"; fi
+
+docker-compose -f docker-compose-cert.yml run --rm --entrypoint "\
+  certbot certonly --webroot -w /var/www/certbot \
+    $staging_arg \
+    $email_arg \
+    $domain_args \
+    --rsa-key-size $rsa_key_size \
+    --agree-tos \
+    --force-renewal" certbot
+echo
+
+echo "### Reloading nginx ..."
+docker-compose -f docker-compose-cert.yml exec nginx nginx -s reload
+
+echo "### Killing nginx ..."
+docker-compose -f docker-compose-cert.yml down