Merge pull request #4 from derekenos/digitalocean-helpers

derekenos · web-flow · commit 8a85bed6adfa · 2021-08-19T16:53:16.000-04:00
Digitalocean helpers
diff --git a/Makefile b/Makefile
@@ -75,3 +75,115 @@ build-forem-selfhost-digitalocean:
 
 deploy-to-digitalocean:
 	@docker run forem-selfhost-digitalocean
+
+
+###############################################################################
+# DigitalOcean helpers
+###############################################################################
+
+# Return the public IP of the DigitalOcean Droplet tagged "forem"
+digitalocean_get_ip = \
+	`docker run forem-selfhost-digitalocean \
+     doctl compute droplet list --tag-name forem --no-header --format PublicIPv4`
+
+# Return the command for SSHing into the DigitalOcean Droplet
+digitalocean_ssh_command = \
+	docker run -it forem-selfhost \
+	ssh -t -o "StrictHostKeyChecking=no" -i /home/$(USER)/.ssh/forem \
+	core@$(call digitalocean_get_ip) $(1)
+
+# Return the command to execute a command within a container
+# args: ( <user>, <container-name>, <command> )
+digitalocean_podman_exec = \
+  "sudo podman exec -u $1 -it \$$(sudo podman ps -q -f name=$2) $3"
+
+# Return the command to execute a command within a container
+# args: ( <container-name>, )
+digitalocean_podman_logs = \
+  "sudo podman logs -f \$$(sudo podman ps -q -f name=$1)"
+
+
+###############################################################################
+# Show DigitalOcean Droplet IP
+###############################################################################
+
+digitalocean-ip:
+	@echo $(call digitalocean_get_ip)
+
+
+###############################################################################
+# SSH into the DigitalOcean Droplet
+###############################################################################
+
+digitalocean-shell:
+	@$(call digitalocean_ssh_command)
+
+
+###############################################################################
+# Connect to the DigitalOcean Droplet PostgreSQL DB
+###############################################################################
+
+digitalocean-db-shell:
+	@$(call digitalocean_ssh_command,\
+	$(call digitalocean_podman_exec,"postgres","postgres","psql -Uforem_production"))
+
+
+###############################################################################
+# Services admin
+###############################################################################
+
+# Status
+digitalocean-service-status:
+	@$(call digitalocean_ssh_command, "sudo systemctl list-units forem*")
+
+# Restarts
+digitalocean-service-restart-forem:
+	@$(call digitalocean_ssh_command, "sudo systemctl restart forem")
+
+digitalocean-service-restart-traefik:
+	@$(call digitalocean_ssh_command, "sudo systemctl restart forem-traefik")
+
+
+###############################################################################
+# Container utilities
+###############################################################################
+
+# List containers
+digitalocean-container-list:
+	@$(call digitalocean_ssh_command, "sudo podman ps")
+
+# Tail container logs
+digitalocean-container-imgproxy-logs:
+	@$(call digitalocean_ssh_command,\
+	$(call digitalocean_podman_logs,"imgproxy"))\
+	|| exit 0
+
+digitalocean-container-openresty-logs:
+	@$(call digitalocean_ssh_command,\
+	$(call digitalocean_podman_logs,"openresty"))\
+	|| exit 0
+
+digitalocean-container-postgres-logs:
+	@$(call digitalocean_ssh_command,\
+	$(call digitalocean_podman_logs,"postgres"))\
+	|| exit 0
+
+digitalocean-container-rails-logs:
+	@$(call digitalocean_ssh_command,\
+	$(call digitalocean_podman_logs,"rails"))\
+	|| exit 0
+
+digitalocean-container-redis-logs:
+	@$(call digitalocean_ssh_command,\
+	$(call digitalocean_podman_logs,"redis"))\
+	|| exit 0
+
+digitalocean-container-traefik-logs:
+	@$(call digitalocean_ssh_command,\
+	$(call digitalocean_podman_logs,"traefik"))\
+	|| exit 0
+
+digitalocean-container-worker-logs:
+	@$(call digitalocean_ssh_command,\
+	$(call digitalocean_podman_logs,"worker"))\
+	|| exit 0
diff --git a/README.md b/README.md
@@ -50,19 +50,123 @@ forem.pub
 setup.yml
 ```
 
-### Deploy to DigitalOcean
+### Deploying to DigitalOcean
 
 [Create an auth token](https://docs.digitalocean.com/reference/api/create-personal-access-token/) and store it in a local (to this repo) file called `.digitalocean-access-token`
 
-#### Build the DigitalOcean deployment Image
+#### Build the DigitalOcean deployment image
 
 ```
 make build-forem-selfhost-digitalocean
 ```
 
-#### Deploy to DigitalOcean
-
+#### Do the deploy
 ```
 make deploy-to-digitalocean
 ```
 
+#### Update your DNS and restart the traefik service
+
+Complete [steps 10 & 11 in the Quick Start guide](https://github.com/forem/selfhost/blob/5e5ce60a5df738cd36261c80e94dac917e78868f/README.md#quick-start):
+> 10. Once your Forem VM is set up with your chosen cloud provider, you will need to point DNS at the IP address that is output at the end of the provider playbook.
+> 11. Once DNS is pointed at your Forem VM, you will need to restart the Forem Traefik service (sudo systemctl restart forem-traefik.service) via SSH on your Forem server to generate a TLS cert.
+
+You can use `make digitalocean-service-restart-traefik` to do the restart, after which you should be able to surf over to your domain and see something cool!
+
+
+#### Interact with the server
+
+##### Show the IP address
+```
+make digitalocean-ip
+```
+
+##### Start an SSH session
+```
+make digitalocean-shell
+```
+
+##### Connect to the PostgreSQL console
+```
+make digitalocean-db-shell
+```
+
+##### Show the status of related services
+```
+make digitalocean-service-status
+```
+
+##### Restart a service
+```
+make digitalocean-service-restart-forem
+```
+```
+make digitalocean-service-restart-traefik
+```
+
+##### List all of the containers
+```
+make digitalocean-container-list
+```
+
+##### Tail the logs of a specific container
+```                                                                                                               
+make digitalocean-container-imgproxy-logs                                                                         
+```
+```                                                                                                               
+make digitalocean-container-openresty-logs                                                                        
+```
+```                                                                                                               
+make digitalocean-container-postgres-logs                                                                         
+```
+```                                                                                                               
+make digitalocean-container-rails-logs                                                                            
+```
+```                                                                                                               
+make digitalocean-container-redis-logs                                                                            
+```
+```                                                                                                               
+make digitalocean-container-traefik-logs                                                                          
+```
+```                                                                                                               
+make digitalocean-container-worker-logs                                                                           
+```
+
+#### Some notes about my experience
+
+##### Failed initial traefik restart
+
+If the `traefik` service restart fails, run `make digitalocean-service-status` to see how things look.
+
+A normal, healthy state looks like:
+
+```
+  UNIT                     LOAD   ACTIVE SUB     DESCRIPTION             
+  forem-imgproxy.service   loaded active running Forem Imgproxy Service
+  forem-openresty.service  loaded active running Forem OpenResty Service
+  forem-pod.service        loaded active running Forem pod service
+  forem-postgresql.service loaded active running Forem Postgresql Service
+  forem-rails.service      loaded active running Forem Rails Service
+  forem-redis.service      loaded active running Forem Redis Service
+  forem-traefik.service    loaded active running Forem Traefik Service
+  forem-worker.service     loaded active running Forem Worker Service
+  forem.service            loaded active exited  Forem Service
+```
+
+An unhealthy state shows `inactive`s and `dead`s.
+
+There was a bug ([which looks to have been fixed](https://github.com/forem/selfhost/commit/ccd1063e0a27f26e784d25fe22cbc51d7eea4e53)) in which the `container` service didn't do what it was supposed to. I was able to resolve this by SSHing in and doing a `sudo systemctl start forem-container.service`
+
+##### HTTPS-only caused problems with SSL certificate registration
+
+As I understand it, the `traefik` service attempts to register an SSL cert via Let's Encrypt in order to enable HTTPS.
+The problem is that, during the registration process, Let's Encrypt needs to be able to access the `/.well-known/acme-challenge/` path on your site using plain ol' HTTP. If you have something like "Always use HTTP" (e.g. on Cloudflare) enabled, it's not going to work.
+
+In Cloudflare, I fixed this as follows:
+
+- In `SSL/TLS` -> `Edge Certificates`:
+  - Disable `Always use HTTPs`![Screenshot from 2021-08-19 16-44-44](https://user-images.githubusercontent.com/585182/130141521-e0c5f8df-9110-49c5-98b3-08a2eb13848d.png)
+  - Disable `Automatic HTTPS Rewrites` (maybe not necessary?)![Screenshot from 2021-08-19 16-47-10](https://user-images.githubusercontent.com/585182/130141714-2660d183-77de-4132-a404-d381cd84bda0.png)
+- In `Rules`
+  - Create two rules - one to prevent SSL on the `acme-challenge` path, and another to enforce `HTTPS` everywhere else![Screenshot from 2021-08-19 16-49-21](https://user-images.githubusercontent.com/585182/130141991-1b87beea-5829-4f8f-8826-708172202280.png)  
+
