simonw / public-notes

Public notes as issue threads

Deploy www.calbatwg.org to Fly #9

Closed simonw closed 1 year ago

simonw commented 1 year ago

Split from:

Code is in https://github.com/natbat/cbwg

simonw commented 1 year ago

I added this code to s3-credentials and ran it:

# Added to s3_credentials/cli.py, next to the existing cli group,
# common_boto3_options, make_client, bucket_exists and policies helpers.
@cli.command()
@click.argument("bucket")
@common_boto3_options
def set_public_policy(bucket, **boto_options):
    """
    Set public policy for bucket

    This will allow GET requests for anonymous users.

        s3-credentials set-public-policy my-bucket
    """
    s3 = make_client("s3", **boto_options)
    if not bucket_exists(s3, bucket):
        raise click.ClickException("Bucket {} does not exist".format(bucket))
    # Bucket (resource) policy granting s3:GetObject to everyone on every key
    bucket_policy = policies.bucket_policy_allow_all_get(bucket)
    try:
        s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(bucket_policy))
    except botocore.exceptions.ClientError as e:
        raise click.ClickException(str(e))

s3-credentials set-public-policy calbatwg

Still getting the same error though.

simonw commented 1 year ago

Maybe this has some clues: https://stackoverflow.com/questions/54788998/djangoaws-s3-botocore-exceptions-clienterror-an-error-occurred-accessdenied

simonw commented 1 year ago

https://s3.console.aws.amazon.com/s3/buckets/calbatwg looks like it has the correct settings. Really confused about this.

simonw commented 1 year ago

Relevant snippet of env run on the server:

AWS_STORAGE_BUCKET_NAME=calbatwg
DJANGO_SETTINGS_MODULE=cbwg.settings.production
AWS_ACCESS_KEY_ID=AKIAWXFXAIOZA5PNQEVX
AWS_SECRET_ACCESS_KEY=go...b3

It all looks right to me. No idea why it's not working.

simonw commented 1 year ago

https://bitsnbytes.blog/2020/06/15/access-denied-or-how-s3-permissions-can-be-super-confusing/ has more tips.

It says that these three are needed:

                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectTagging"

Could I be missing one of them?

simonw commented 1 year ago

My user is called s3.read-write.calbatwg - and the policy it gets according to https://s3-credentials.readthedocs.io/en/stable/policy-documents.html#read-write-default is:

    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket/*"
      ]
    }

So I need to grant it extra permissions!

simonw commented 1 year ago

Deleted my user:

s3-credentials delete-user 's3.read-write.calbatwg'

Now I'm going to create a custom user.

s3-credentials create calbatwg \
  --username calbatwg-org-django \
  --statement '{
    "Effect": "Allow",
    "Action": [
      "s3:PutObjectAcl",
      "s3:PutObjectTagging"
    ],
    "Resource": "arn:aws:s3:::calbatwg/*"
  }'

Then set the new Fly secrets in one go:

fly secrets set \
  AWS_ACCESS_KEY_ID=AKIAWXFXAIOZEAUUY7I7 \
  AWS_SECRET_ACCESS_KEY=DS...
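
The comments above narrow the AccessDenied down to the IAM user's policy: the s3-credentials read-write default allows s3:PutObject and s3:DeleteObject on the bucket's objects, while the linked post says an upload that also sets an ACL and tags needs s3:PutObjectAcl and s3:PutObjectTagging too. The following is an added example, not code from the issue thread or from s3-credentials: an offline evaluator that takes the two statements pasted above and reports which of the three upload actions each user is missing. Everything in it that is not quoted from the thread is my assumption: the three required actions are the ones the linked post names, evaluation is the usual explicit Deny over Allow over implicit deny with IAM's `*` and `?` wildcards, and Conditions, NotAction, NotResource and bucket policies are not modelled.

```python
"""Added example (not from the issue thread or s3-credentials): which S3
actions an IAM identity policy grants on the calbatwg bucket, built from the
two policy statements quoted in the thread."""
import fnmatch

BUCKET = "calbatwg"
OBJECTS_ARN = f"arn:aws:s3:::{BUCKET}/*"

# Object-level statement of the s3-credentials read-write default, as pasted
# in the thread (its bucket-level statements are not reproduced here).
READ_WRITE_OBJECT_STMT = {
    "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:DeleteObject"],
    "Resource": [OBJECTS_ARN],
}

# The extra --statement passed to `s3-credentials create` in the thread.
EXTRA_STMT = {
    "Effect": "Allow",
    "Action": ["s3:PutObjectAcl", "s3:PutObjectTagging"],
    "Resource": OBJECTS_ARN,
}

# Assumption: the actions the linked post says an upload that sets an ACL
# and a tag-set needs.
UPLOAD_ACTIONS = ["s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectTagging"]


def policy(*statements):
    """Wrap statements in a policy document."""
    return {"Version": "2012-10-17", "Statement": list(statements)}


def _as_list(value):
    # IAM accepts a bare string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive=False):
    # IAM action names are case-insensitive; ARNs are not.  '*' and '?'
    # behave as IAM wildcards.
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy_doc, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny that matches
    wins outright, any matching Allow grants, no match is an implicit deny.
    Conditions, NotAction and NotResource are deliberately not modelled."""
    allowed = False
    for stmt in policy_doc["Statement"]:
        action_hit = any(_matches(a, action, True) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_actions(policy_doc, required, resource):
    """The subset of `required` that `policy_doc` does not allow on `resource`."""
    return [a for a in required if not is_allowed(policy_doc, a, resource)]


def missing_with_default(key=f"arn:aws:s3:::{BUCKET}/media/example.jpg"):
    """The first user in the thread: read-write default only."""
    return missing_actions(policy(READ_WRITE_OBJECT_STMT), UPLOAD_ACTIONS, key)


def missing_with_extra_statement(key=f"arn:aws:s3:::{BUCKET}/media/example.jpg"):
    """The replacement user: read-write default plus the extra --statement."""
    return missing_actions(policy(READ_WRITE_OBJECT_STMT, EXTRA_STMT), UPLOAD_ACTIONS, key)


if __name__ == "__main__":
    print("default read-write user lacks:", missing_with_default())
    print("custom user lacks:", missing_with_extra_statement())
```

The mechanism behind the three actions: a PutObject request that carries an `x-amz-acl` header is also authorized against s3:PutObjectAcl, and one that carries `x-amz-tagging` against s3:PutObjectTagging, so s3:PutObject alone produces AccessDenied for such a request. One caveat when reusing this on a newer bucket: buckets whose Object Ownership is "Bucket owner enforced" (the default for buckets created since April 2023) have ACLs disabled and reject uploads that set any ACL other than bucket-owner-full-control, so there the fix is to stop sending an ACL (django-storages `AWS_DEFAULT_ACL = None`) rather than to grant s3:PutObjectAcl.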

simonw commented 1 year ago

Got a useful tip from https://sourcery.ai/blog/python-docker/

Add this early on in the Dockerfile:

ENV PIPENV_VENV_IN_PROJECT=1

This causes it to create the virtual environment in /app/.venv which is easier to then write scripts against as it has a predictable name.

simonw commented 1 year ago

Extracted a TIL: https://til.simonwillison.net/docker/pipenv-and-docker

simonw commented 1 year ago

Next job: point DNS at this new site, using Cloudflare.

https://dash.cloudflare.com/7def11d96ee28cd408b5d9ff86fa8605/calbatwg.org/dns/records

simonw commented 1 year ago

The IP address of the Fly app is 37.16.21.64 - I'm going to point A records at that.

I'm also going to turn off Cloudflare proxying entirely.

simonw commented 1 year ago

Previous Cloudflare settings:

(screenshot)

simonw commented 1 year ago

Added these two new A records (after deleting those CNAME ones):

(two screenshots)

simonw commented 1 year ago

http://www.calbatwg.org/ and http://calbatwg.org/ both work now - next step, TLS.

https://til.simonwillison.net/fly/custom-subdomain-fly has notes on that

I ran:

fly auth logout
fly auth login

To log in as Natalie's Fly account.

Then:

~ % fly certs create calbatwg.org -a cbwg
You are creating a certificate for calbatwg.org
We are using lets_encrypt for this certificate.

You can validate your ownership of calbatwg.org by:

1: Adding an AAAA record to your DNS service which reads:

    AAAA @ 2a09:8280:1::6:a6a6

Added that AAAA record in Cloudflare:

(screenshot)

simonw commented 1 year ago

~ % fly certs show calbatwg.org -a cbwg
The certificate for calbatwg.org has not been issued yet.

Hostname                  = calbatwg.org
DNS Provider              = cloudflare
Certificate Authority     = Let's Encrypt
Issued                    =
Added to App              = 1 minute ago
Source                    = fly

Your certificate for calbatwg.org is being issued. Status is Awaiting certificates. Make sure to create another certificate for www.calbatwg.org when the current certificate is issued.

simonw commented 1 year ago

It's issued:

~ % fly certs show calbatwg.org -a cbwg
The certificate for calbatwg.org has been issued.

Hostname                  = calbatwg.org
DNS Provider              = cloudflare
Certificate Authority     = Let's Encrypt
Issued                    = rsa,ecdsa
Added to App              = 1 minute ago
Source                    = fly

simonw commented 1 year ago

Ran this too:

fly certs create www.calbatwg.org -a cbwg

It advised me:

~ % fly certs create www.calbatwg.org -a cbwg
You are creating a certificate for www.calbatwg.org
We are using Let's Encrypt for this certificate.

You can configure your DNS for www.calbatwg.org by:

1: Adding an CNAME record to your DNS service which reads:

    CNAME www. cbwg.fly.dev

But I don't think I need to do that because I used an A record instead.

simonw commented 1 year ago

https://calbatwg.org/ works now.

simonw commented 1 year ago

That www.calbatwg.org cert still hasn't been issued. Maybe I have to use the CNAME instead? I'll set that up now.

simonw commented 1 year ago

Deleted the A record for www and added this CNAME instead:

(screenshot, 2022-12-15)

simonw commented 1 year ago

~ % fly certs show www.calbatwg.org -a cbwg
The certificate for www.calbatwg.org has been issued.

Hostname                  = www.calbatwg.org
DNS Provider              = cloudflare
Certificate Authority     = Let's Encrypt
Issued                    = rsa,ecdsa
Added to App              = 10 minutes ago
Source                    = fly

Not sure if switching from A to CNAME was necessary or not.
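
The DNS and certificate steps above use two record layouts: A plus AAAA on the apex (37.16.21.64 and 2a09:8280:1::6:a6a6, the addresses Fly gave), and a CNAME from www to cbwg.fly.dev. As an added example, not from the issue thread, Fly or Cloudflare, here is a pre-flight check a practitioner can run before `fly certs create` to confirm that a hostname actually ends up at the app: it follows CNAME chains with a hop limit and loop check, normalises IPv6 so compressed and expanded forms compare equal, and reports whether the v4 and v6 paths both land on the app's addresses. Assumptions of mine: the addresses are the ones quoted in the thread, `lookup()` reads a constructed in-memory zone so the sample runs offline (a live version would swap in a real resolver such as dnspython), and requiring both IPv4 and IPv6 to reach the app is my conservative "ready" criterion, not a statement of Fly's exact validation rules.

```python
"""Added example (not from the issue thread, Fly or Cloudflare): check that a
hostname's DNS reaches the Fly app over both address families before
requesting a certificate for it."""
import ipaddress

APP_NAME = "cbwg.fly.dev"
APP_IPV4 = {ipaddress.ip_address("37.16.21.64")}          # A record from the thread
APP_IPV6 = {ipaddress.ip_address("2a09:8280:1::6:a6a6")}  # AAAA Fly asked for

# Constructed zone: the thread's final state (Cloudflare proxying off, so
# these are the real addresses, not Cloudflare's).
FINAL_ZONE = {
    ("calbatwg.org", "A"): ["37.16.21.64"],
    ("calbatwg.org", "AAAA"): ["2a09:8280:1::6:a6a6"],
    ("www.calbatwg.org", "CNAME"): ["cbwg.fly.dev"],
    ("cbwg.fly.dev", "A"): ["37.16.21.64"],
    ("cbwg.fly.dev", "AAAA"): ["2a09:8280:1::6:a6a6"],
}

# Constructed zone: the intermediate state, www with an A record only.
WWW_A_ONLY_ZONE = {**FINAL_ZONE, ("www.calbatwg.org", "A"): ["37.16.21.64"]}
del WWW_A_ONLY_ZONE[("www.calbatwg.org", "CNAME")]


def lookup(name, rtype, zone):
    """Stand-in for a DNS query (assumption: replace with a real resolver)."""
    return zone.get((name.rstrip(".").lower(), rtype), [])


def resolve(name, zone, max_hops=8):
    """Follow a CNAME chain, bounded and loop-checked, then collect the
    A and AAAA records of the final name as normalised address objects."""
    name = name.rstrip(".").lower()
    seen = []
    while True:
        cnames = lookup(name, "CNAME", zone)
        if not cnames:
            break
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME chain too long or loops at {name}")
        seen.append(name)
        name = cnames[0].rstrip(".").lower()
    v4 = {ipaddress.ip_address(a) for a in lookup(name, "A", zone)}
    v6 = {ipaddress.ip_address(a) for a in lookup(name, "AAAA", zone)}
    return name, v4, v6


def check_hostname(hostname, zone):
    """Report how `hostname` reaches the app. `ipv4_ok`/`ipv6_ok` require
    at least one record of that family and every record to be an app
    address, so a stray extra address is flagged rather than ignored."""
    target, v4, v6 = resolve(hostname, zone)
    report = {
        "hostname": hostname,
        "via_cname_to_app": target != hostname.rstrip(".").lower() and target == APP_NAME,
        "ipv4_ok": bool(v4) and v4 <= APP_IPV4,
        "ipv6_ok": bool(v6) and v6 <= APP_IPV6,
    }
    report["ready"] = report["ipv4_ok"] and report["ipv6_ok"]  # my criterion
    return report


if __name__ == "__main__":
    for host in ("calbatwg.org", "www.calbatwg.org"):
        print(check_hostname(host, FINAL_ZONE))
    print(check_hostname("www.calbatwg.org", WWW_A_ONLY_ZONE))
```

Run against the constructed zones, the apex and the CNAME'd www both come back ready, while the A-only www reports `ipv6_ok: False`; the thread itself does not settle whether that was what held up the www certificate, so treat the report as a diagnostic, not as Fly's verdict.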

simonw commented 1 year ago

It's done!

derwaro commented 4 months ago

cbwg % fly postgres connect -a cbwg-postgresql
Connecting to fdaa:0:ec24:a7b:ad1:84:fd99:2... complete
psql (14.4 (Debian 14.4-1.pgdg110+1))
Type "help" for help.

postgres=# create database cbwg;
CREATE DATABASE

Just wanted to let you know that your very detailed comments here helped me out a lot! Especially this one gave me the nudge in the right direction. Thank you!!