Self hosting!

README.md

@@ -24,10 +24,10 @@ Host ipa
     User ec2-user
     IdentityFile ~/.ssh/<ssh_key.pem>
 ```
-4. Update the `draft/ansible/inventory.ini` file to only include a single host. (Unless you are running all 4 servers.)
-5. Provision your machine: `ansible-playbook -i ansible/inventory.ini ansible/provision.yaml`
+4. Update the `draft/sidecar/ansible/inventory.ini` file to only include a single host. (Unless you are running all 4 servers.)
+5. Provision your machine: `ansible-playbook -i sidecar/ansible/inventory.ini sidecar/ansible/provision.yaml`
 
-To deploy new changes in draft, run: `ansible-playbook -i ansible/inventory.ini ansible/deploy.yaml`
+To deploy new changes in draft, run: `ansible-playbook -i sidecar/ansible/inventory.ini sidecar/ansible/deploy.yaml`
 
 ### Generating TLS certs with Let's Encrypt
 
@@ -68,10 +68,10 @@ Once you know these:
 ### Run draft
 
 ```
-draft start-helper-sidecar --identity <identity> --root_domain example.com --config_path config
+draft start-helper-sidecar --identity <identity> --helper_domain helper.example.com --sidecar_domain sidecar.example.com --config_path config
 ```
 
-This will start the sidecar in the background. To confirm, visit `example.com/status`.
+This will start the sidecar in the background. To confirm, visit `sidecar.example.com/status`.
 
 
 ## Local Dev

etc/start_helper_sidecar.sh

@@ -9,11 +9,10 @@ fi
 
 config_path=$1
 root_path=$2
-root_domain=$3
-helper_domain=$4
-sidecar_domain=$5
-helper_port=$6
-sidecar_port=$7
-identity=$8
+helper_domain=$3
+sidecar_domain=$4
+helper_port=$5
+sidecar_port=$6
+identity=$7
 
-nohup draft run-helper-sidecar --config_path "$config_path" --root_path "$root_path" --root_domain "$root_domain" --helper_domain "$helper_domain" --sidecar_domain "$sidecar_domain" --helper_port "$helper_port" --sidecar_port "$sidecar_port" --identity "$identity" > .draft/logs/helper_sidecar.log 2>&1 & echo $! > $pid_file
+nohup draft run-helper-sidecar --config_path "$config_path" --root_path "$root_path" --helper_domain "$helper_domain" --sidecar_domain "$sidecar_domain" --helper_port "$helper_port" --sidecar_port "$sidecar_port" --identity "$identity" > .draft/logs/helper_sidecar.log 2>&1 & echo $! > $pid_file

server/.prettierignore

@@ -10,7 +10,8 @@ coverage/*
 next.config.js
 tsconfig.json
 babel.config.js
-
+traefik/*
+ansible/*
 
 # Not JS
 README.md

server/ansible/deploy.yaml

@@ -0,0 +1,35 @@
+- name: Deploy updates to Draft
+  hosts: all
+  tasks:
+
+    - name: Pull new commits from GitHub
+      git:
+        repo: 'https://github.com/private-attribution/draft.git'
+        dest: '{{ ansible_env.HOME }}/draft'
+        update: yes
+        version: main
+
+    - name: Install packages based on package-lock.json via npm
+      npm:
+        path: '{{ ansible_env.HOME}}/draft/server'
+        state: present
+        ci: true
+
+    - name: Build draft website
+      shell: >
+        npm run build
+      args:
+        chdir: '{{ ansible_env.HOME }}/draft/server'
+        executable: /bin/bash
+
+    - name: restart traefik and nextjs
+      shell: >
+        source ansible/load_secrets.sh && npm run pm2-restart
+      environment:
+        CERT_DIR: '{{ ansible_env.HOME }}/cert/'
+        DRAFT_DOMAIN: '{{ draft_domain }}'
+        DRAFT_PORT: '{{ draft_port }}'
+
+      args:
+        chdir: '{{ ansible_env.HOME }}/draft/server'
+        executable: /bin/bash

server/ansible/inventory.ini

@@ -0,0 +1,5 @@
+[myhosts]
+draft-ipa       draft_domain=draft.ipa-helper.dev       draft_port=3000     env_secret_id=prod-draft-env        aws_region=us-west-2
+
+[myhosts:vars]
+ansible_python_interpreter=/usr/bin/python3

server/ansible/load_secrets.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# Check if the CERT_DIR environment variable is set
+if [ -z "$CERT_DIR" ]; then
+  echo "Error: CERT_DIR environment variable is not set."
+  return 1 2>/dev/null || exit 1  # return when sourced, exit otherwise
+fi
+
+# Ensure the directory exists
+mkdir -p "$CERT_DIR"
+
+# load cert.pem file
+aws secretsmanager get-secret-value \
+    --secret-id cert.pem \
+    --region us-west-2 \
+    --query SecretString \
+    --output text \
+    > "${CERT_DIR}"/cert.pem
+
+# load key.pem file
+aws secretsmanager get-secret-value \
+    --secret-id key.pem \
+    --region us-west-2 \
+    --query SecretString \
+    --output text \
+    > ${CERT_DIR}/key.pem
+
+# set environmental variables
+env_vars=$(aws secretsmanager get-secret-value \
+    --secret-id prod-draft-env \
+    --region us-west-2 \
+    --query SecretString \
+    | jq -r 'fromjson | to_entries | .[] | "export \(.key)=\(.value|tostring)"')
+
+eval "$env_vars"

server/ansible/provision.yaml

@@ -0,0 +1,111 @@
+- name: Setup Draft frontend
+  hosts: all
+  tasks:
+    - name: Store HOME directory
+      debug:
+        var: ansible_env.HOME
+
+    - name: Check if Node.js is installed
+      command: node --version
+      register: node_installed
+      failed_when: false
+      changed_when: false
+
+    - name: Install Node.js Package Manager
+      yum:
+        name: nodejs
+        state: latest
+      become: yes
+      when: node_installed.rc != 0
+
+    - name: Check if npm is installed
+      command: npm --version
+      register: npm_installed
+      failed_when: false
+      changed_when: false
+
+    - name: Install Node.js Package Manager
+      yum:
+        name: npm
+        state: latest
+      become: yes
+      when: npm_installed.rc != 0
+
+    - name: Check if Git is installed
+      command: git --version
+      register: git_installed
+      failed_when: false
+      changed_when: false
+
+    - name: Install Git
+      yum:
+        name: git
+        state: latest
+      become: yes
+      when: git_installed.rc != 0
+
+    - name: Clone repository if it doesn't exist
+      git:
+        repo: 'https://github.com/private-attribution/draft.git'
+        dest: '{{ ansible_env.HOME }}/draft'
+
+    - name: Install packages based on package-lock.json via npm
+      npm:
+        path: '{{ ansible_env.HOME}}/draft/server'
+        state: present
+        ci: true
+
+    - name: Check if Traefik is installed
+      command: '{{ ansible_env.HOME }}/draft/traefik version'
+      register: traefik_installed
+      failed_when: false
+      changed_when: false
+
+    - name: Download Traefik
+      get_url:
+        url: 'https://github.com/traefik/traefik/releases/download/v2.11.0/traefik_v2.11.0_linux_amd64.tar.gz'
+        dest: '{{ ansible_env.HOME }}/traefik_v2.11.0_linux_amd64.tar.gz'
+        checksum: 'sha256:7f31f1cc566bd094f038579fc36e354fd545cf899523eb507c3cfcbbdb8b9552'
+      when: traefik_installed.rc != 0
+
+    - name: Ensure extraction directory exists
+      file:
+        path: '{{ ansible_env.HOME }}/traefix_extract/'
+        state: directory
+
+    - name: Extract Traefik
+      unarchive:
+        src: '{{ ansible_env.HOME }}/traefik_v2.11.0_linux_amd64.tar.gz'
+        dest: '{{ ansible_env.HOME }}/traefix_extract/'
+        remote_src: yes
+      when: traefik_installed.rc != 0
+
+    - name: Copy Traefik binary into draft directory
+      copy:
+        src: '{{ ansible_env.HOME }}/traefix_extract/traefik'
+        dest: '{{ ansible_env.HOME }}/draft'
+        mode: '0775'
+        remote_src: yes
+
+    - name: Grant CAP_NET_BIND_SERVICE capability to traefik binary
+      command: 'setcap cap_net_bind_service=+ep {{ ansible_env.HOME }}/draft/traefik'
+      become: yes
+
+    - name: Build draft website
+      shell: >
+        npm run build
+      args:
+        chdir: '{{ ansible_env.HOME }}/draft/server'
+        executable: /bin/bash
+
+    - name: start traefik and nextjs
+      shell: >
+        source ansible/load_secrets.sh && npm run pm2-start
+      environment:
+        CERT_DIR: '{{ ansible_env.HOME }}/cert/'
+        DRAFT_DOMAIN: '{{ draft_domain }}'
+        DRAFT_PORT: '{{ draft_port }}'
+
+      args:
+        chdir: '{{ ansible_env.HOME }}/draft/server'
+        executable: /bin/bash