Deploy the app on Vultr

[easoncxz]

There are a few necessary steps:

• [x] Apply for a Let's Encrypt SSL certificate.
• [x] Figure out some Nginx config, and commit it as part of this repo.
• [x] Figure out a deployment pipeline that is easy enough, even if not entirely automatic. Maybe homebrew-automation?

This ticket can wait for a bit, since it's heavy-handed Ops work, possibly involving tonnes of new tools I've never touched, and will need lots of time. Things like Ansible or Terraform may be of use.

Helpful guides

• Linode on Nginx: (part 1, part 2, part 3, part 4, reverse proxy)
• Nginx official documentation
• About Let's Encrypt:
  • How it works
  • Getting started (mentions Certbot)
  • Certbot from the EFF
  • acme.sh which I seem to already have installed
  • Special requirements for issuing a wildcard cert: (github issue, guiding blogpost)

Points of care

• "CRIME"/"BREACH" exploits? (Linode)

[easoncxz]

I just did a bunch of stuff manually.

On my DNS provider:

• Configure my DNS records to add a new subdomain: twitanalysis.easoncxz.com;

On my Vultr box over SSH:

• Use acme.sh to issue a non-wildcard SSL certificate for the domain twitanalysis.easoncxz.com;
• Open up a directory for putting SSL certificates and keys (using the acme.sh --install-cert command);
• Point /etc/nginx/conf.d/twitanalysis.easoncxz.com.conf to those SSL key+cert and reverse proxy to http://localhost:5000;
• Manually start up a Haskell process that listens on http://localhost:5000 as usual.

And now things appear to be working:

Notice that the domain name is a live one, and the little SSL lock icon is showing no errors.

Follow this wiki:

• https://github.com/easoncxz/twitanalysis/wiki/journal-2020-10-25:-Setting-up-a-Vultr-deploy

[easoncxz]

I've written an almost-one-click deploy script, which is intended to be run from a controlling machine, usually local-dev, but also potentially a Github Actions runner container:

• commit bd08e62

The next step is to come up with some slightly more polished way of keeping the server running, with some command that is ideally like systemctl reload nginx: one-click, and pre-daemonised.

About SSH deploys from Github Actions:

• Dev.to blogpost: deploying via ssh - https://dev.to/s1hofmann/github-actions-ssh-deploy-setup-l7h
• Github Action: easingthemes/ssh-deploy
• Github Action: shimataro/ssh-key-action

About managing long-running processes using systemd:

• Concepts: a DigitalOcean article - https://www.digitalocean.com/community/tutorials/how-to-use-systemctl-to-manage-systemd-services-and-units
• Demo walk-through: a blogpost - https://medium.com/@benmorel/creating-a-linux-service-with-systemd-611b5c8b91d6
• A guide: https://linuxhint.com/systemd_unit_file_service/
  • A guide about journalctl: https://linuxhint.com/understand_systemd_logs/
• Some official docs:
  • https://www.freedesktop.org/software/systemd/man/systemd.unit.html#StartLimitIntervalSec=
  • https://www.freedesktop.org/software/systemd/man/systemd.service.html#

[easoncxz]

Several critical commits:

• Manually-triggered scripted-deploy using systemd: https://github.com/easoncxz/twitanalysis/commit/7edd941049aed3d6fe9917822cba70f8ac93a57e (listed above)
• Auto-triggered scripted-deploy: https://github.com/easoncxz/twitanalysis/commit/e87d1a3ca0db7cc3ac7a28cd43f5b36f709c61e8

[easoncxz]

New episode at:

• https://github.com/easoncxz/twitanalysis/issues/23