
Self hosting! #67

Merged: 16 commits, merged Jul 10, 2024

Conversation

eriktaubeneck (Member) commented Jul 6, 2024

This moves our frontend deployment to https://draft.ipa-helper.dev hosted on AWS.

While we lose some of the convenience of Vercel, this will allow us to do stuff like long polling, which will ultimately be better for the API design.

Summary by CodeRabbit

  • New Features
    • Introduced deploy.yaml for automating deployment tasks including GitHub pull, npm package installation, and service management using PM2.
  • Updates
    • Improved README.md with accurate file paths and domain configurations.
    • Modified start_helper_sidecar.sh for better variable assignment and command parameters.
    • Updated Prettier ignore list to exclude traefik/* and ansible/* files.
    • Enhanced package.json with new scripts for PM2 and added PM2 dependency.
    • Added multiple Traefik configuration files for routing and TLS setup.
  • Bug Fixes
    • Removed obsolete root_domain parameter from commands and configurations.
  • Refactor
    • Adjusted cli.py to enforce mandatory parameters, removing defaults and cleaning up command usage.


eriktaubeneck requested a review from akoshelev, July 6, 2024 05:24

coderabbitai bot (Contributor) commented Jul 6, 2024

Walkthrough

The recent updates enhance deployment and configuration processes for the Draft project, focusing on restructuring file paths, refining command parameters, and updating domain configurations. Key tasks include setting up Traefik and managing processes with PM2, utilizing Ansible for provisioning and deployment, and streamlining certificate loading and environment variable setups from AWS Secrets Manager.

Changes

  • README.md: Updated deployment and provisioning paths, commands, and domain configurations.
  • etc/start_helper_sidecar.sh: Reordered variable assignments and updated command parameters.
  • server/.prettierignore: Added traefik/* and ansible/* to ignore list.
  • server/ansible/: Added and updated playbooks (deploy.yaml, provision.yaml), inventory, and shell script for loading secrets.
  • server/package.json: Added npm scripts for PM2 and added pm2 dependency.
  • server/pm2.json: Defined configurations for draft-website and traefik applications with PM2.
  • server/traefik/: New Traefik configuration files: dynamic.yaml, tls.yaml, traefik.yaml.
  • sidecar/ansible/: Updated playbooks to remove legacy parameters and simplify commands.
  • sidecar/cli/cli.py: Enforced required parameters and removed defaults for start_traefik_command and run_helper_sidecar.


coderabbitai bot (Contributor) left a review

Actionable comments posted: 2

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 17878b6 and 44da939.

Files ignored due to path filters (1)
  • server/package-lock.json is excluded by !**/package-lock.json
Files selected for processing (15)
  • README.md (2 hunks)
  • etc/start_helper_sidecar.sh (1 hunks)
  • server/.prettierignore (1 hunks)
  • server/ansible/deploy.yaml (1 hunks)
  • server/ansible/inventory.ini (1 hunks)
  • server/ansible/provision.yaml (1 hunks)
  • server/package.json (2 hunks)
  • server/pm2.json (1 hunks)
  • server/traefik/dynamic/dynamic.yaml (1 hunks)
  • server/traefik/dynamic/tls.yaml (1 hunks)
  • server/traefik/traefik.yaml (1 hunks)
  • sidecar/ansible/deploy.yaml (1 hunks)
  • sidecar/ansible/inventory.ini (1 hunks)
  • sidecar/ansible/provision.yaml (2 hunks)
  • sidecar/cli/cli.py (5 hunks)
Files skipped from review due to trivial changes (7)
  • etc/start_helper_sidecar.sh
  • server/.prettierignore
  • server/package.json
  • server/pm2.json
  • sidecar/ansible/deploy.yaml
  • sidecar/ansible/inventory.ini
  • sidecar/ansible/provision.yaml
Additional context used
yamllint
server/traefik/dynamic/tls.yaml

[error] 3-3: syntax error: expected , but found ''

(syntax)

server/traefik/dynamic/dynamic.yaml

[error] 7-7: syntax error: expected , but found ''

(syntax)

Markdownlint
README.md

70-70: null
Fenced code blocks should have a language specified

(MD040, fenced-code-language)

Additional comments not posted (33)

server/traefik/traefik.yaml (1)
  • 1-9: LGTM! The configuration for entry points and providers is correctly set up.

server/ansible/inventory.ini (1)
  • 1-5: LGTM! The Ansible inventory configuration is correctly set up.

server/ansible/deploy.yaml (5)
  • 5-9: LGTM! The task to pull new commits from GitHub is correctly configured.
  • 11-15: LGTM! The task to install npm packages based on the package-lock.json file is correctly configured.
  • 17-28: LGTM! The task to load the .env file using AWS Secrets Manager is correctly configured.
  • 31-36: LGTM! The task to rebuild the draft website using npm is correctly configured.
  • 39-44: LGTM! The task to restart the draft website using npm is correctly configured.

server/ansible/provision.yaml (19)
  • 4-6: LGTM! The task to store the HOME directory variable is correctly configured.
  • 8-12: LGTM! The task to check if Node.js is installed is correctly configured.
  • 14-19: LGTM! The task to install Node.js using yum is correctly configured.
  • 21-25: LGTM! The task to check if npm is installed is correctly configured.
  • 27-32: LGTM! The task to install npm using yum is correctly configured.
  • 34-38: LGTM! The task to check if Git is installed is correctly configured.
  • 40-45: LGTM! The task to install Git using yum is correctly configured.
  • 47-51: LGTM! The task to clone the repository if it doesn't exist is correctly configured.
  • 52-56: LGTM! The task to install npm packages based on the package-lock.json file is correctly configured.
  • 58-62: LGTM! The task to check if Traefik is installed is correctly configured.
  • 64-69: LGTM! The task to download Traefik if it is not installed is correctly configured.
  • 71-75: LGTM! The task to ensure that the extraction directory for Traefik exists is correctly configured.
  • 77-81: LGTM! The task to extract the Traefik binary is correctly configured.
  • 83-87: LGTM! The task to copy the Traefik binary into the draft directory is correctly configured.
  • 91-91: LGTM! The task to grant the CAP_NET_BIND_SERVICE capability to the Traefik binary is correctly configured.
  • 95-97: LGTM! The task to create a directory for certificates is correctly configured.
  • 100-108: LGTM! The task to load the cert.pem file using AWS Secrets Manager is correctly configured.
  • 113-120: LGTM! The task to load the key.pem file using AWS Secrets Manager is correctly configured.
  • 123-132: LGTM! The task to start Traefik and Next.js using npm is correctly configured.

README.md (5)
  • 27-27: LGTM! The change correctly updates the path to the inventory.ini file.
  • 28-28: LGTM! The change correctly updates the provision command to use the new inventory and provision file paths.
  • 30-30: LGTM! The change correctly updates the deploy command to use the new inventory and deploy file paths.
  • 71-71: LGTM! The change correctly updates the draft start-helper-sidecar command to use the new domain parameters.
  • 74-74: LGTM! The change correctly updates the status URL to use the new sidecar domain.

sidecar/cli/cli.py (2)
  • 80-81: LGTM! The function start_traefik_command is correctly updated to require the necessary domain parameters.
  • 136-137: LGTM! The function run_helper_sidecar is correctly updated to require the necessary domain parameters and remove the unnecessary root_domain parameter.
Resolved review threads: server/traefik/dynamic/tls.yaml, server/traefik/dynamic/dynamic.yaml, server/ansible/deploy.yaml (outdated)

Review thread on server/ansible/deploy.yaml, at these lines:

        state: present
        ci: true

    - name: Load .env file
Collaborator commented:
Can you please help me understand what is getting stored in the .env file here? According to the CLI doc:

    The decrypted secret value, if the secret value was originally provided as a string or through the Secrets Manager console.

    If this secret was created by using the console, then Secrets Manager stores the information as a JSON structure of key/value pairs.

If that's true, I am a little nervous about keeping the secret on durable storage. Is it possible to configure environment variables or (probably better) assume a role on this instance?

eriktaubeneck (Member, Author) replied:
It's variables needed server side like API keys, db passwords, etc. We could certainly set these as environment variables instead of using the .env file, and it seems reasonable to avoid writing them to a file.

When you say "assume role on this instance", this does assume a specific IAM role, which is what allows the `aws secretsmanager` CLI to actually access those secrets. Is there something else you mean by this?

eriktaubeneck (Member, Author) replied:
OK, fixed. I added a shell script, load_secrets.sh, which is sourced and adds them into the env. The TLS keys are still written to disk, because Traefik expects them there. A better way to handle that is not immediately obvious.

Collaborator replied:
Thank you!

    When you say "assume role on this instance", this does assume a specific IAM role, which is what allows the `aws secretsmanager` CLI to actually access those secrets. Is there something else you mean by this?

Yeah, I was thinking about using https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/assume-role.html to get temporary credentials, but this serves a different purpose as far as I can tell.

If we store more than one password, API key, etc., we could consider partitioning this and storing one secret with one key.

coderabbitai bot (Contributor) left a review

Actionable comments posted: 0

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 44da939 and 135fd9b.

Files selected for processing (3)
  • server/ansible/deploy.yaml (1 hunks)
  • server/ansible/load_secrets.sh (1 hunks)
  • server/ansible/provision.yaml (1 hunks)
Files skipped from review as they are similar to previous changes (2)
  • server/ansible/deploy.yaml
  • server/ansible/provision.yaml
Additional comments not posted (5)

server/ansible/load_secrets.sh (5)
  • 1-7: LGTM! The shebang is correct, and the check for the CERT_DIR environment variable is a good practice to ensure the variable is set.
  • 9-12: LGTM! Setting the CERT_DIR variable to the first argument and ensuring the directory exists using mkdir -p is a good practice.
  • 14-21: LGTM! The retrieval of the cert.pem file from AWS Secrets Manager and writing it to the CERT_DIR directory is correctly implemented.
  • 22-28: LGTM! The retrieval of the key.pem file from AWS Secrets Manager and writing it to the CERT_DIR directory is correctly implemented.
  • 30-36: LGTM! The retrieval of environment variables from AWS Secrets Manager and setting them in the current shell environment using jq and a while loop is correctly implemented.
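The review thread on server/ansible/deploy.yaml (secrets on durable storage, environment variables instead of a .env file, one secret per value) and the load_secrets.sh review just above describe the same loader from two sides. What follows is an added example written for this page; it is not the project's load_secrets.sh nor any code from the PR. It does the loader in Python (the sidecar's language) with the reviewer's points applied: the env secret never touches disk and is handed to the sourcing shell as properly quoted `export` lines; only the TLS material Traefik needs is written, atomically, with mode 0600 inside a 0700 directory; and each value lives in its own secret, as the collaborator suggested. The secret names (`draft/server/env`, `draft/tls/cert`, `draft/tls/key`), the directory `/etc/draft/certs`, and the `RESERVED` name list are assumptions made for illustration. `boto3.client("secretsmanager").get_secret_value` is the real AWS SDK call and picks up the instance profile's IAM role the same way the `aws` CLI does.

```python
"""Load deployment secrets from AWS Secrets Manager, keeping all but the TLS
files out of durable storage.

Added example for this page, not the project's load_secrets.sh. Assumed
(hypothetical) layout: three secrets, one value each.
  draft/server/env  -> JSON object of NAME/value pairs for the server process
  draft/tls/cert    -> PEM certificate chain
  draft/tls/key     -> PEM private key
Usage from the deploy step (values end up only in that shell's environment):
  eval "$(python3 load_secrets.py draft/server/env draft/tls/cert draft/tls/key /etc/draft/certs)"
"""
import json
import os
import re
import shlex
import sys
import tempfile

ENV_NAME = re.compile(r"^[A-Z][A-Z0-9_]*$")
# Assumed deny-list: a secret must never be able to redefine these in the
# deploy shell, whatever was typed into the Secrets Manager console.
RESERVED = {"PATH", "LD_PRELOAD", "LD_LIBRARY_PATH", "HOME", "SHELL", "IFS", "PS4"}


def get_secret_string(client, secret_id):
    """Return SecretString for secret_id. `client` is a boto3 secretsmanager
    client, or anything with the same get_secret_value(SecretId=...) method."""
    resp = client.get_secret_value(SecretId=secret_id)
    if "SecretString" not in resp:
        raise ValueError(f"{secret_id}: binary secrets are not supported here")
    return resp["SecretString"]


def parse_env_secret(secret_string):
    """Turn the JSON key/value object the console stores into a validated dict
    of environment variables (valid shell names, string values, no reserved names)."""
    data = json.loads(secret_string)
    if not isinstance(data, dict):
        raise ValueError("env secret must be a JSON object")
    env = {}
    for name, value in data.items():
        if not ENV_NAME.match(name) or name in RESERVED:
            raise ValueError(f"refusing to export variable {name!r}")
        if not isinstance(value, str):
            raise ValueError(f"{name}: value must be a string")
        env[name] = value
    return env


def shell_exports(env):
    """Render `export NAME='value'` lines. shlex.quote keeps quotes, $, ;
    and newlines inside a value from being interpreted by the sourcing shell."""
    return "".join(f"export {k}={shlex.quote(v)}\n" for k, v in sorted(env.items()))


def write_pem(directory, filename, pem, private=False):
    """Atomically write PEM material with restrictive permissions; return the path.
    Traefik reads certificates from files, so this is the one place a secret
    is allowed to reach disk."""
    if not pem.startswith("-----BEGIN ") or "-----END " not in pem:
        raise ValueError(f"{filename}: not PEM-encoded")
    if private and "PRIVATE KEY-----" not in pem:
        raise ValueError(f"{filename}: expected a private key")
    os.makedirs(directory, mode=0o700, exist_ok=True)
    os.chmod(directory, 0o700)            # do not trust the umask or a pre-existing dir
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=f".{filename}.")  # created 0600
    path = os.path.join(directory, filename)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(pem if pem.endswith("\n") else pem + "\n")
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)             # atomic: no half-written key is ever visible
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return path


def load_secrets(client, env_secret_id, cert_secret_id, key_secret_id, cert_dir):
    """Fetch the three secrets, write cert.pem/key.pem, return the env dict."""
    env = parse_env_secret(get_secret_string(client, env_secret_id))
    write_pem(cert_dir, "cert.pem", get_secret_string(client, cert_secret_id))
    write_pem(cert_dir, "key.pem", get_secret_string(client, key_secret_id), private=True)
    return env


if __name__ == "__main__":
    import boto3  # only needed on the instance; credentials come from the instance profile role
    if len(sys.argv) != 5:
        sys.exit("usage: load_secrets.py ENV_SECRET CERT_SECRET KEY_SECRET CERT_DIR")
    sm = boto3.client("secretsmanager")
    sys.stdout.write(shell_exports(load_secrets(sm, *sys.argv[1:])))
```

The `eval "$(...)"` form replaces sourcing a .env file: nothing is written for the env values, and the quoting means a value such as `p'x$y` survives intact instead of being executed by the shell. Exported variables are still visible to every child of that shell and, to anyone with access to those processes, through /proc; that is the trade-off the thread accepts over a file on disk, not a complete fix.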

coderabbitai bot (Contributor) left a review

Actionable comments posted: 0

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 135fd9b and dbbcfe9.

Files selected for processing (1)
  • server/ansible/load_secrets.sh (1 hunks)
Files skipped from review as they are similar to previous changes (1)
  • server/ansible/load_secrets.sh

coderabbitai bot (Contributor) left a review

Actionable comments posted: 0

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between dbbcfe9 and de07957.

Files selected for processing (1)
  • server/ansible/deploy.yaml (1 hunks)
Files skipped from review due to trivial changes (1)
  • server/ansible/deploy.yaml

eriktaubeneck merged commit 62f5e23 into main, Jul 10, 2024. 3 checks passed.
eriktaubeneck deleted the self-host branch July 10, 2024 17:12.