dnim/srv
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: dnim:09ee1d3507f41b8f32c54cfe8900f0ed280d28c9
Branches Tags
dnim:main
...
compare: dnim:8f3cb8fb0953b5f6b36b9a7f0132409e1fed75de
Branches Tags
dnim:main

2 Commits
09ee1d3507 ... 8f3cb8fb09

Author SHA1 Message Date
Orion Kindel
8f3cb8fb09
refactor: nginx out of system, add finalize step lifecycle 2023-06-17 12:36:00 -05:00
Orion Kindel
b68d3fc144
fix: nginx, ufw, state persistence 2023-06-17 12:19:23 -05:00
10 changed files with 491 additions and 194 deletions
Show Stats Expand all files Collapse all files

1
config.example.yml
View File

@ -10,6 +10,7 @@
interface: 'public'
port: 1
domain: 'db.foo.org'
ip: '8.8.8.8'
ssl: false
postgres:
username: 'postgres'

3
package.json
View File

@ -7,8 +7,7 @@
"author": "Orion Kindel <cakekindel@gmail.com>",
"license": "MIT",
"scripts": {
"fmt:check": "prettier --check src/**/*.js test/**/*.js",
"fmt": "prettier --write src/**/*.js test/**/*.js",
"fmt": "prettier --write src/*.js test/*.js src/**/*.js test/**/*.js",
"test": "ava"
},
"dependencies": {

4
src/cmd.js
View File

@ -4,10 +4,10 @@ const cp = require('child_process')
const System = require('./system.js')
const run = script =>
const run = (script, { stdio = undefined } = {}) =>
pipe(
Either.tryCatch(
() => cp.spawnSync(script, { encoding: 'utf8', shell: true }),
() => cp.spawnSync(script, { encoding: 'utf8', shell: true, stdio }),
id,
),
Either.flatMap(o => (o.error ? Either.left(o.error) : Either.right(o))),

276
src/config.js
View File

@ -12,9 +12,7 @@ const parseSegmentLinuxUser = flow(
'linux_user' in o
? Either.right(o.linux_user)
: Either.left(
new Error(
['linux_user required', `in: ${yaml.stringify(o)}`].join('\n'),
),
new Error(['linux_user required', yaml.stringify(o)].join('\n')),
),
Either.flatMap(lx =>
'username' in lx
@ -26,9 +24,7 @@ const parseSegmentLinuxUser = flow(
})
: Either.left(
new Error(
['linux_user.username required', `in: ${yaml.stringify(lx)}`].join(
'\n',
),
['linux_user.username required', yaml.stringify(lx)].join('\n'),
),
),
),
@ -47,7 +43,7 @@ const parseSegmentLinuxUser = flow(
new Error(
[
`all paths in linux_user.persist must be subpaths of ${lx.homeDir}`,
`in: ${yaml.stringify(lx)}`,
yaml.stringify(lx),
].join('\n'),
),
),
@ -61,155 +57,167 @@ const parseSegmentLinuxUser = flow(
})),
)
const parseSegmentPostgres = (cfg, linuxUser) => pipe(
const parseSegmentPostgres = (cfg, linuxUser) =>
pipe(
'postgres' in cfg
? Either.right(cfg.postgres)
: Either.left(
new Error(
['postgres required', `in: ${yaml.stringify(cfg)}`].join('\n'),
),
new Error(['postgres required', yaml.stringify(cfg)].join('\n')),
),
Either.map(pg => ({
...pg,
data_dir: pg.data_dir || './data',
})),
Either.map(pg => ({
...pg,
Either.map(pg => ({
...pg,
data_dir: pg.data_dir || './data',
})),
Either.map(pg => ({
...pg,
data_dir: path.isAbsolute(pg.data_dir)
? pg.data_dir
: path.join(linuxUser.homeDir, pg.data_dir.trim()),
})),
Either.flatMap(pg =>
})),
Either.flatMap(pg =>
path.dirname(pg.data_dir).startsWith(linuxUser.homeDir)
? Either.right(pg)
: Either.left(
new Error(
[
`postgres.data_dir must be a subpath of ${linuxUser.homeDir}`,
`in: ${yaml.stringify(pg)}`,
].join('\n'),
),
),
),
Either.flatMap(pg =>
'username' in pg
? Either.right(pg)
: Either.left(
new Error(
['postgres.username required', `in: ${yaml.stringify(pg)}`].join(
'\n',
? Either.right(pg)
: Either.left(
new Error(
[
`postgres.data_dir must be a subpath of ${linuxUser.homeDir}`,
yaml.stringify(pg),
].join('\n'),
),
),
),
),
Either.flatMap(pg =>
'password' in pg
? Either.right(pg)
: Either.left(
new Error(
['postgres.password required', `in: ${yaml.stringify(pg)}`].join(
'\n',
),
Either.flatMap(pg =>
'username' in pg
? Either.right(pg)
: Either.left(
new Error(
['postgres.username required', yaml.stringify(pg)].join('\n'),
),
),
),
),
Either.map(pg => ({
username: pg.username.trim(),
password: pg.password.trim(),
dataDir: pg.data_dir,
})),
)
),
Either.flatMap(pg =>
'password' in pg
? Either.right(pg)
: Either.left(
new Error(
['postgres.password required', yaml.stringify(pg)].join('\n'),
),
),
),
Either.map(pg => ({
username: pg.username.trim(),
password: pg.password.trim(),
dataDir: pg.data_dir,
})),
)
const parseSegmentNetwork = flow(
o =>
'network' in o
? Either.right(o.network)
: Either.left(
new Error(
['network required', `in: ${yaml.stringify(o)}`].join('\n'),
const parseSegmentNetwork = ({ http = true }, svc) =>
pipe(
svc,
o =>
'network' in o
? Either.right(o.network)
: Either.left(
new Error(['network required', yaml.stringify(o)].join('\n')),
),
),
Either.flatMap(n =>
('interface' in n && n.interface === 'public') || n.interface === 'local'
? Either.right(n)
: Either.left(
new Error(
[
"network.interface required, and must be 'public' or 'local'",
`in: ${yaml.stringify(n)}`,
].join('\n'),
Either.flatMap(n =>
('interface' in n && n.interface === 'public') || n.interface === 'local'
? Either.right(n)
: Either.left(
new Error(
[
"network.interface required, and must be 'public' or 'local'",
yaml.stringify(n),
].join('\n'),
),
),
),
),
Either.flatMap(n =>
'port' in n && typeof n.port === 'number' && Number.isInteger(n.port)
? Either.right(n)
: Either.left(
new Error(
[
'network.port required and must be an integer',
`in: ${yaml.stringify(n)}`,
].join('\n'),
),
Either.flatMap(n =>
'port' in n && typeof n.port === 'number' && Number.isInteger(n.port)
? Either.right(n)
: Either.left(
new Error(
[
'network.port required and must be an integer',
yaml.stringify(n),
].join('\n'),
),
),
),
),
Either.flatMap(n =>
n.interface === 'public' || (n.interface === 'local' && !n.domain)
? Either.right(n)
: Either.left(
new Error(
[
"network.interface is 'local', network.domain must not be present.",
`in: ${yaml.stringify(n)}`,
].join('\n'),
),
Either.flatMap(n =>
n.interface === 'public' ||
(n.interface === 'local' && !n.domain && !n.ip)
? Either.right(n)
: Either.left(
new Error(
[
"network.interface is 'local', network.ip and network.domain must not be present.",
yaml.stringify(n),
].join('\n'),
),
),
),
),
Either.flatMap(n =>
n.interface === 'local' ||
(n.interface === 'public' &&
'domain' in n &&
typeof n.domain === 'string' &&
n.domain.length > 0)
? Either.right(n)
: Either.left(
new Error(
[
"network.interface is 'public', network.domain be set to a value.",
`in: ${yaml.stringify(n)}`,
].join('\n'),
),
Either.flatMap(n =>
n.interface === 'local' ||
(http &&
n.interface === 'public' &&
'domain' in n &&
typeof n.domain === 'string' &&
n.domain.length > 0) ||
(!http &&
n.interface === 'public' &&
'domain' in n &&
typeof n.domain === 'string' &&
n.domain.length > 0 &&
'ip' in n &&
typeof n.ip === 'string' &&
n.ip.length > 0)
? Either.right(n)
: Either.left(
new Error(
[
`network.interface is 'public' and service uses ${
http ? 'http' : 'tcp'
}; ${
http ? 'network.domain' : 'network.domain and network.ip'
} must be set.`,
yaml.stringify(n),
].join('\n'),
),
),
),
),
Either.flatMap(n =>
'ssl' in n && typeof n.ssl === 'boolean'
? Either.right(n)
: Either.left(
new Error(
[
'network.ssl required and must be a bool',
`in: ${yaml.stringify(n)}`,
].join('\n'),
),
Either.flatMap(n =>
'ssl' in n && typeof n.ssl === 'boolean'
? Either.right(n)
: Either.left(
new Error(
[
'network.ssl required and must be a bool',
yaml.stringify(n),
].join('\n'),
),
),
),
),
Either.map(n => ({
ssl: n.ssl,
domain: (n.domain || '').trim(),
interface: n.interface,
interfaceIp:
n.interface === 'local' ? Net.localInterfaceIp : Net.publicInterfaceIp,
port: n.port,
})),
)
),
Either.map(n => ({
ssl: n.ssl,
domain: (n.domain || '').trim(),
ip: (n.ip || '').trim(),
interface: n.interface,
interfaceIp:
n.interface === 'local' ? Net.localInterfaceIp : Net.publicInterfaceIp,
port: n.port,
})),
)
const parseServiceDb = svc =>
pipe(
Either.Do,
Either.let('serviceType', () => 'db'),
Either.bind('linuxUser', () => parseSegmentLinuxUser(svc)),
Either.bind('network', () => parseSegmentNetwork(svc)),
Either.bind('postgres', ({linuxUser}) => parseSegmentPostgres(svc, linuxUser)),
Either.bind('network', () => parseSegmentNetwork({ http: false }, svc)),
Either.bind('postgres', ({ linuxUser }) =>
parseSegmentPostgres(svc, linuxUser),
),
)
const parseServiceApi = svc =>
@ -217,7 +225,7 @@ const parseServiceApi = svc =>
Either.Do,
Either.let('serviceType', () => 'api'),
Either.bind('linuxUser', () => parseSegmentLinuxUser(svc)),
Either.bind('network', () => parseSegmentNetwork(svc)),
Either.bind('network', () => parseSegmentNetwork({ http: true }, svc)),
)
const parseServiceUi = svc =>
@ -225,14 +233,14 @@ const parseServiceUi = svc =>
Either.Do,
Either.let('serviceType', () => 'ui'),
Either.bind('linuxUser', () => parseSegmentLinuxUser(svc)),
Either.bind('network', () => parseSegmentNetwork(svc)),
Either.bind('network', () => parseSegmentNetwork({ http: true }, svc)),
)
const badService = svc =>
new Error(
[
`top-level array elements must be records with a key named "db", "ui", or "api".`,
`in: ${yaml.stringify(svc)}`,
yaml.stringify(svc),
].join('\n'),
)

36
src/index.js
View File

@ -10,32 +10,38 @@ const DbService = require('./service/db.js')
const Config = require('./config.js')
const Cmd = require('./cmd.js')
const execSteps = (res, step) => {
console.log(step.label)
return Either.flatMap(step.work)(res)
}
pipe(
Cmd.run('cat ./config.yml'),
Either.map(({stdout}) => stdout),
Either.map(({ stdout }) => stdout),
Either.flatMap(Config.parse),
Either.map(svcs =>
svcs.reduce(
(steps, svc) =>
svc.serviceType === 'db' ? [...steps, ...DbService.steps(svc)] : steps,
[System.step],
System.steps(svcs),
),
),
Either.flatMap(steps =>
Array_.reverse(steps).reduce((a, step) => {
if (step.down) {
console.log(step.down.label)
return Either.flatMap(step.down.work)(a)
} else {
return a;
}
}, Either.right(steps)),
Array_.reverse(steps)
.filter(step => step.on === 'down')
.reduce(execSteps, Either.right(steps)),
),
Either.flatMap(steps =>
steps.reduce((a, step) => {
console.log(step.up.label)
return Either.flatMap(step.up.work)(a)
}, Either.right(steps)),
steps
.filter(step => step.on === 'up')
.reduce(execSteps, Either.right(steps)),
),
Either.getOrElse(e => {throw e;})
Either.flatMap(steps =>
steps
.filter(step => step.on === 'finalize')
.reduce(execSteps, Either.right(steps)),
),
Either.getOrElse(e => {
throw e
}),
)

5
src/net.js
View File

@ -3,4 +3,7 @@ const Cmd = require('./cmd.js')
const inaddrAny = '0.0.0.0'
const inaddrLoopback = '127.0.0.1'
module.exports = {publicInterfaceIp: inaddrAny, localInterfaceIp: inaddrLoopback}
module.exports = {
publicInterfaceIp: inaddrAny,
localInterfaceIp: inaddrLoopback,
}

252
src/nginx.js Normal file
View File

@ -0,0 +1,252 @@
const net = require('net')
const { pipe, flow } = require('fp-ts/function')
const Either = require('fp-ts/Either')
const Cmd = () => require('./cmd.js')
const rootConf = [
'worker_processes 1;',
'',
'error_log logs/error.log debug;',
`log_format basic '$remote_addr [$time_local] '`,
` '$protocol $status $bytes_sent $bytes_received '`,
` '$session_time';`,
'',
'access_log logs/access.log basic buffer=32k;',
'',
'events {',
' worker_connections 1024;',
'}',
'',
'stream {',
' include /etc/nginx/streams-enabled/*;',
'}',
'',
'http {',
' include mime.types;',
' default_type application/octet-stream;',
'',
' include /etc/nginx/sites-enabled/*;',
'',
' sendfile on;',
' keepalive_timeout 65;',
'}',
].join('\n')
const systemdUnit = [
'[Unit]',
'Description=The NGINX HTTP and reverse proxy server',
'After=syslog.target network-online.target remote-fs.target nss-lookup.target',
'Wants=network-online.target',
'',
'[Service]',
'Type=forking',
'PIDFile=/usr/local/nginx/nginx.pid',
'ExecStartPre=/usr/local/nginx/nginx -t',
'ExecStart=/usr/local/nginx/nginx',
'ExecReload=/usr/local/nginx/nginx -s reload',
'ExecStop=/bin/kill -s QUIT $MAINPID',
'PrivateTmp=true',
'',
'[Install]',
'WantedBy=multi-user.target',
].join('\n')
const confs = svcs =>
svcs
.filter(cfg => cfg.network.interface === 'public')
.map(cfg => ({
path: `/etc/nginx/${
cfg.serviceType === 'db' ? 'streams' : 'sites'
}-available/${cfg.network.domain}`,
symlinks: [
`/etc/nginx/${cfg.serviceType === 'db' ? 'streams' : 'sites'}-enabled/${
cfg.network.domain
}`,
],
contents:
cfg.serviceType === 'db'
? [
`upstream ${cfg.linuxUser.username}_pg {`,
` server localhost:${cfg.network.port};`,
'}',
'',
'server {',
` listen ${
net.isIP(cfg.network.ip) === 6
? '[' + cfg.network.ip + ']'
: cfg.network.ip
}:5432;`,
` proxy_pass ${cfg.linuxUser.username}_pg;`,
'}',
].join('\n')
: [
'server {',
` listen 80;`,
` server_name ${cfg.network.domain};`,
'',
' location / {',
' client_max_body_size 512M;',
` proxy_pass http://localhost:${cfg.network.port};`,
' proxy_set_header Host $host;',
' proxy_set_header X-Real-IP $remote_addr;',
' proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;',
' proxy_set_header X-Forwarded-Proto $scheme;',
' }',
'}',
].join('\n'),
}))
const installed = () =>
pipe(
Cmd().run('nginx -V 2>&1'),
Either.map(e => ({ shouldInstall: !e.stdout.includes('--with-stream') })),
Either.orElse(e => {
try {
const { stdout } = JSON.parse(e.message)
return stdout.includes('not found')
? Either.right({ shouldInstall: true })
: Either.left(e)
} catch (e) {
return Either.left(e)
}
}),
Either.flatMap(({ shouldInstall }) =>
!shouldInstall
? Either.right()
: Cmd().run(
[
'set -x',
'echo "nginx needs the stream module, building from source... (this will take a while)"',
'sleep 2',
'rm *.tar.gz || true',
// pcre
'wget -q github.com/PCRE2Project/pcre2/releases/download/pcre2-10.42/pcre2-10.42.tar.gz',
'tar -zxf pcre2-10.42.tar.gz',
'cd pcre2-10.42',
'./configure',
'make 1>/dev/null',
'make install 1>/dev/null',
'cd ..',
// openssl
'wget -q https://www.openssl.org/source/openssl-1.1.1u.tar.gz',
'tar -zxf openssl-1.1.1u.tar.gz',
'cd openssl-1.1.1u',
'./config --prefix=/usr 1>/dev/null',
'make 1>/dev/null',
'make install 1>/dev/null',
'cd ..',
// zlib
'wget -q http://zlib.net/zlib-1.2.13.tar.gz',
'tar -zxf zlib-1.2.13.tar.gz',
'cd zlib-1.2.13',
'./configure 1>/dev/null',
'make 1>/dev/null',
'make install 1>/dev/null',
'cd ..',
// nginx
'wget https://nginx.org/download/nginx-1.25.1.tar.gz',
'tar -zxf nginx-1.25.1.tar.gz',
'cd nginx-1.25.1',
[
'./configure',
'--sbin-path=/usr/local/nginx/nginx',
'--conf-path=/usr/local/nginx/nginx.conf',
'--pid-path=/usr/local/nginx/nginx.pid',
'--with-pcre=../pcre2-10.42',
'--with-zlib=../zlib-1.2.13',
'--with-stream',
'--with-threads',
'--with-http_ssl_module',
'--with-pcre-jit',
'--with-http_stub_status_module',
'--with-http_realip_module',
'--with-http_auth_request_module',
'--with-http_v2_module',
'--with-http_dav_module',
'--with-http_slice_module',
'--with-http_addition_module',
'--with-http_gunzip_module',
'--with-http_gzip_static_module',
'--with-http_sub_module',
'--with-debug',
'1>/dev/null',
].join(' '),
'make 1>/dev/null',
'make install 1>/dev/null',
// nginx.conf
'cat <<"NGINXCONF" > /usr/local/nginx/nginx.conf',
rootConf,
'NGINXCONF',
// systemd
'cat <<"NGINXUNIT" > /lib/systemd/system/nginx.service',
systemdUnit,
'NGINXUNIT',
'systemctl enable nginx',
'rm /usr/sbin/nginx || true',
'ln /usr/local/nginx/nginx /usr/sbin/nginx',
].join('\n'),
{ stdio: 'inherit' },
),
),
)
const confsWritten = svcs =>
confs(svcs).reduce(
(res, { path, symlinks, contents }) =>
Either.flatMap(() =>
Cmd().run(
[
`cat <<"EOCONF" > ${path}`,
contents,
'EOCONF',
...symlinks.map(ln => `ln -s ${path} ${ln}`),
].join('\n'),
),
)(res),
Either.right(undefined),
)
const confsDeleted = svcs =>
confs(svcs).reduce(
(res, { path, symlinks }) =>
Either.flatMap(() =>
Cmd().run(
[
`rm ${path} || true`,
...symlinks.map(ln => `rm ${ln} || true`),
].join('\n'),
),
)(res),
Either.right(undefined),
)
const started = () => Cmd().run('systemctl restart nginx')
const steps = svcs => [
{
on: 'up',
label: 'nginx: setup',
work: flow(
Either.right,
Either.tap(installed),
Either.tap(() => confsWritten(svcs)),
Either.tap(started),
),
},
{
on: 'down',
label: 'nginx: teardown',
work: flow(
Either.right,
Either.tap(() => confsDeleted(svcs)),
),
},
{
on: 'finalize',
label: 'nginx: cleanup',
work: flow(Either.right, Either.tap(started)),
},
]
module.exports = { steps }

38
src/service/db.js
View File

@ -13,8 +13,8 @@ const dockerCompose = cfg =>
// restart: always will start the container on system startup / reboot if
// docker.service enabled (see ./linux-user.js)
restart: 'always',
volumes: [`${cfg.postgres.dataDir}:/var/lib/postgres/data`],
ports: [`${cfg.network.interfaceIp}:${cfg.network.port}:5432`],
volumes: [`${cfg.postgres.dataDir}:/var/lib/postgresql/data`],
ports: [`${cfg.network.port}:5432`],
environment: {
POSTGRES_USER: cfg.postgres.username,
POSTGRES_PASSWORD: cfg.postgres.password,
@ -24,26 +24,24 @@ const dockerCompose = cfg =>
})
const steps = cfg => [
LinuxUser.step(cfg),
...LinuxUser.steps(cfg),
{
up: {
label: `${cfg.linuxUser.username}: create db on ${cfg.network.interfaceIp}:${cfg.network.port}`,
work: a =>
pipe(
Cmd.doas(
cfg.linuxUser.username,
[
'set -x',
'cat << "EOCOMPOSE" > ~/docker-compose.yaml',
dockerCompose(cfg),
'EOCOMPOSE',
'docker compose up -d',
].join('\n'),
),
Either.map(() => a),
on: 'up',
label: `${cfg.linuxUser.username}: create db on ${cfg.network.interfaceIp}:${cfg.network.port}`,
work: a =>
pipe(
Cmd.doas(
cfg.linuxUser.username,
[
'set -x',
'cat << "EOCOMPOSE" > ~/docker-compose.yaml',
dockerCompose(cfg),
'EOCOMPOSE',
'docker compose up -d',
].join('\n'),
),
},
// down handled by LinuxUser killing user processes
Either.map(() => a),
),
},
]

18
src/service/linux-user.js
View File

@ -17,11 +17,12 @@ const userSessionsLinger = cfg =>
const persistedStateRestored = cfg =>
Cmd.run(
[
'set -x',
// if /tmp/home/foo exists, copy /tmp/home/foo/* to /home/foo
`if [[ -d ${path.join(
`if [ -d ${path.join(
cfg.linuxUser.persistDir,
cfg.linuxUser.homeDir,
)} ]]; then`,
)} ]; then`,
` cp -R ${path.join(
cfg.linuxUser.persistDir,
cfg.linuxUser.homeDir,
@ -81,6 +82,7 @@ const statePersisted = cfg =>
pipe(
Cmd.run(
[
'set -x',
`mkdir -p ${path.join(
cfg.linuxUser.persistDir,
cfg.linuxUser.homeDir,
@ -102,8 +104,9 @@ const userDeleted = cfg =>
Either.flatMap(() => Cmd.run(`rm -r ${cfg.linuxUser.homeDir} || true`)),
)
const step = cfg => ({
up: {
const steps = cfg => [
{
on: 'up',
label: `${cfg.linuxUser.username}: create user`,
work: a =>
pipe(
@ -118,7 +121,8 @@ const step = cfg => ({
Either.map(() => a),
),
},
down: {
{
on: 'down',
label: `${cfg.linuxUser.username}: remove user`,
work: a =>
pipe(
@ -131,6 +135,6 @@ const step = cfg => ({
Either.map(() => a),
),
},
})
]
module.exports = { step }
module.exports = { steps }

52
src/system.js
View File

@ -1,14 +1,15 @@
const Either = require('fp-ts/Either')
const { flow } = require('fp-ts/function')
const { pipe, flow } = require('fp-ts/function')
const Cmd = () => require('./cmd.js')
const Nginx = require('./nginx.js')
const localSshKeyPath = '/root/.ssh/id_ed25519'
const localSshPubKeyPath = '/root/.ssh/id_ed25519.pub'
const pkgs = [
'openssl',
'man',
'nginx',
'neovim',
'ca-certificates',
'gnupg',
@ -25,16 +26,16 @@ const pkgs = [
'slirp4netns',
]
const apt = () =>
const packagesInstalled = () =>
Cmd().run(
[
'apt update -y',
'apt upgrade -y',
'apt-get update -y',
'apt-get upgrade -y',
`apt-get install -fy ${pkgs.join(' ')}`,
].join('\n'),
)
const docker = () =>
const dockerInstalled = () =>
Cmd().run(
[
'install -m 0755 -d /etc/apt/keyrings',
@ -55,20 +56,45 @@ const localSshKeyCreated = () =>
const localSshKeyDeleted = () => Cmd().run(`rm ${localSshKeyPath} || true`)
const step = {
up: {
const firewallUp = svcs =>
Cmd().run(
[
'ufw default deny incoming',
'ufw default allow outgoing',
'ufw status verbose',
'ufw allow ssh',
`ufw allow 'Nginx Full'`,
...svcs
.filter(
svc => svc.serviceType === 'db' && svc.network.interface === 'public',
)
.map(
svc =>
`ufw allow in to '${svc.network.ip}' port 5432 proto tcp comment ${svc.linuxUser.username}`,
),
'ufw --force enable',
].join('\n'),
)
const steps = svcs => [
{
on: 'up',
label: 'system: setup',
work: flow(
Either.right,
Either.tap(apt),
Either.tap(docker),
Either.tap(packagesInstalled),
Either.tap(dockerInstalled),
Either.tap(() => firewallUp(svcs)),
Either.tap(localSshKeyCreated),
// Either.tap(sslCertsInstalled),
),
},
down: {
{
on: 'down',
label: 'system: teardown',
work: flow(Either.right, Either.tap(localSshKeyDeleted)),
},
}
...Nginx.steps(svcs),
]
module.exports = { step, localSshKeyPath, localSshPubKeyPath }
module.exports = { steps, localSshKeyPath, localSshPubKeyPath }