impress-2020/deploy/playbooks/setup.yml

---
- name: Set up the environment for the impress-2020 app
  hosts: webserver
  vars:
    email_address: "emi@matchu.dev" # TODO: Extract this to personal config?
  tasks:
    - name: Create the app folder
      become: yes
      file:
        path: /srv/impress-2020
        owner: "{{ ansible_user_id }}"

    - name: Add Nodesource apt key
      become: yes
      apt_key:
        id: 9FD3B784BC1C6FC31A8A0A1C1655A0AB68576280
        url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key

    - name: Add Node v16 apt repository
      become: yes
      apt_repository:
        repo: deb https://deb.nodesource.com/node_16.x focal main

    - name: Install Node v16
      become: yes
      apt:
        update_cache: yes
        name: nodejs
        state: present

    - name: Install Yarn
      become: yes
      npm:
        name: yarn
        global: yes

    - name: Install pm2
      become: yes
      npm:
        name: pm2
        global: yes

    - name: Create pm2 startup script
      # The current user is going to become the pm2 owner of the app server
      # process. They'll be able to manage it without `sudo`, including during
      # normal deploys, and run `pm2 monit` from their shell to see status.
      become: yes
      command: "pm2 startup systemd {{ ansible_user_id }} --hp /home/{{ ansible_user_id }}"

    - name: Create pm2 ecosystem file
      copy:
        content: |
          module.exports = {
            apps: [
              {
                name: "impress-2020",
                cwd: "/srv/impress-2020/current",
                // Instead of `yarn start`, we specify the `next` binary
                // directly, because it helps pm2 monitor our app correctly.
                // https://github.com/vercel/next.js/discussions/10675#discussioncomment-34615
                script: "./node_modules/.bin/next",
                args: "start --port=3000",
                instances: "max",
                exec_mode: "cluster",
              }
            ]
          }
        dest: "~/ecosystem.config.js"
        # Create a temporary backup file, so we can use it to delete the old
        # version of the services. (This is important if e.g. a service is
        # removed or renamed, in which case deleting from the *new* config file
        # wouldn't include it.)
        backup: yes
      register: pm2_ecosystem_file

    - name: Delete old pm2 services if config file changed
      command: "pm2 delete {{ pm2_ecosystem_file.backup_file | quote }}"
      when: pm2_ecosystem_file is changed and pm2_ecosystem_file.backup_file is defined

    - name: Delete old pm2 config file if it changed
      file:
        path: "{{ pm2_ecosystem_file.backup_file }}"
        state: absent
      when: pm2_ecosystem_file is changed and pm2_ecosystem_file.backup_file is defined

    - name: Start pm2 services
      command: "pm2 start ~/ecosystem.config.js"

    - name: Save pm2 startup script
      command: pm2 save

    - name: Install core snap
      become: yes
      community.general.snap:
        name: core

    - name: Install certbot as a snap
      become: yes
      community.general.snap:
        name: certbot
        classic: yes

    - name: Set up certbot
      become: yes
      command: "certbot certonly --nginx -n --agree-tos --email {{ email_address }} --domains impress-2020-box.openneo.net"

    - name: Install nginx
      become: yes
      apt:
        update_cache: yes
        name: nginx

    - name: Add impress-2020 config file to nginx
      become: yes
      copy:
        content: |
          server {
            server_name impress-2020-box.openneo.net;
            listen 80;
            if ($host = impress-2020-box.openneo.net) {
              return 301 https://$host$request_uri;
            }
          }

          server {
            server_name impress-2020-box.openneo.net;
            listen 443 ssl;
            ssl_certificate /etc/letsencrypt/live/impress-2020-box.openneo.net/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/impress-2020-box.openneo.net/privkey.pem;
            include /etc/letsencrypt/options-ssl-nginx.conf;
            ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
            ssl_session_cache shared:SSL:10m; # https://superuser.com/q/1484466/14127

            # TODO: Serve static files directly, instead of through the proxy
            location / {
              proxy_pass http://127.0.0.1:3000;
            }
          }
        dest: /etc/nginx/sites-enabled/impress-2020
      notify:
        - Restart nginx

    - name: Install dependencies for the npm module node-canvas
      become: yes
      apt:
        update_cache: yes
        name:
          - build-essential
          - libcairo2-dev
          - libpango1.0-dev
          - libjpeg-dev
          - libgif-dev
          - librsvg2-dev

  handlers:
    - name: Restart nginx
      become: yes
      systemd:
        name: nginx
        state: restarted
Start of an Ansible playbook Yep yep, we're getting deploy tasks set up! :3 2021-11-02 14:45:05 -07:00			`---`
Add deploy playbook: pulls git and installs deps 2021-11-02 16:29:52 -07:00			`- name: Set up the environment for the impress-2020 app`
Ansible tasks to set up web user, install Node 2021-11-02 16:01:30 -07:00			`hosts: webserver`
Set up certbot during setup playbook You can see how, instead of the default experience where certbot edits your config for you, I've referenced the certificates in the config in the first place, and set up certbot to just generate them! Also, I learned about certbot non-interactive mode! At first I wrote this with the Ansible `expect` module lol :p 2021-11-03 01:00:28 -07:00			`vars:`
			`email_address: "emi@matchu.dev" # TODO: Extract this to personal config?`
Start of an Ansible playbook Yep yep, we're getting deploy tasks set up! :3 2021-11-02 14:45:05 -07:00			`tasks:`
Ansible tasks to set up web user, install Node 2021-11-02 16:01:30 -07:00			`- name: Create the app folder`
			`become: yes`
			`file:`
			`path: /srv/impress-2020`
Remove the web group permission stuff from deploy I'm not doing this thoroughly enough for it to matter (e.g. the deployed rsynced versions aren't having the group permissions set). I think doing this right (to be extensible to additional users) is too much complexity to be worth it, and doing it halfway is more confusing than helpful. I did this because I was anticipating multi-users permissions to be a bit of an issue for like, granting the web server permission to access the source code. But it turns out, since we're running with pm2, it's all working just fine! 2021-11-03 16:59:23 -07:00			`owner: "{{ ansible_user_id }}"`
Refactor deploy to build locally, not remotely 2021-11-02 18:47:13 -07:00
Ansible tasks to set up web user, install Node 2021-11-02 16:01:30 -07:00			`- name: Add Nodesource apt key`
			`become: yes`
			`apt_key:`
			`id: 9FD3B784BC1C6FC31A8A0A1C1655A0AB68576280`
			`url: https://deb.nodesource.com/gpgkey/nodesource.gpg.key`
Refactor deploy to build locally, not remotely 2021-11-02 18:47:13 -07:00
Ansible tasks to set up web user, install Node 2021-11-02 16:01:30 -07:00			`- name: Add Node v16 apt repository`
			`become: yes`
			`apt_repository:`
			`repo: deb https://deb.nodesource.com/node_16.x focal main`
Refactor deploy to build locally, not remotely 2021-11-02 18:47:13 -07:00
Ansible tasks to set up web user, install Node 2021-11-02 16:01:30 -07:00			`- name: Install Node v16`
			`become: yes`
			`apt:`
			`update_cache: yes`
			`name: nodejs`
			`state: present`
Refactor deploy to build locally, not remotely 2021-11-02 18:47:13 -07:00
Add deploy playbook: pulls git and installs deps 2021-11-02 16:29:52 -07:00			`- name: Install Yarn`
			`become: yes`
			`npm:`
			`name: yarn`
			`global: yes`
Refactor deploy to build locally, not remotely 2021-11-02 18:47:13 -07:00
Use pm2 to run the deployed app 2021-11-02 22:49:45 -07:00			`- name: Install pm2`
			`become: yes`
			`npm:`
			`name: pm2`
			`global: yes`

			`- name: Create pm2 startup script`
			`# The current user is going to become the pm2 owner of the app server`
			# process. They'll be able to manage it without `sudo`, including during
			# normal deploys, and run `pm2 monit` from their shell to see status.
			`become: yes`
			`command: "pm2 startup systemd {{ ansible_user_id }} --hp /home/{{ ansible_user_id }}"`

			`- name: Create pm2 ecosystem file`
			`copy:`
Update pm2 tasks to update the config correctly Previously, if you changed the pm2 ecosystem file content, it wouldn't actually be reflected in the running services. Now it will be! 2021-11-03 15:43:37 -07:00			`content: \|`
Use pm2 to run the deployed app 2021-11-02 22:49:45 -07:00			`module.exports = {`
			`apps: [`
			`{`
			`name: "impress-2020",`
			`cwd: "/srv/impress-2020/current",`
Fix pm2 monitoring Okay huh, while digging a bit into another issue, I found what was wrong with our config and pm2's built-in monitoring! You can't use `yarn start`, because the wrapper script breaks its ability to look inside and see what's happening. I also removed the compiler flag thing from the `start` script in `package.json`, because I think it's redundant? There's no compilation to be done in a live server. I think I might remove monit after this? It's nice extra resilience in a sense, but it feels like extra complexity when it's doing the job `pm2` is supposed to do. (And tbh I've almost never heard of nginx crashing, and if it does it's probably a scenario worth investigating by hand.) 2021-11-03 16:46:35 -07:00			// Instead of `yarn start`, we specify the `next` binary
			`// directly, because it helps pm2 monitor our app correctly.`
			`// https://github.com/vercel/next.js/discussions/10675#discussioncomment-34615`
			`script: "./node_modules/.bin/next",`
			`args: "start --port=3000",`
Use pm2 to run the deployed app 2021-11-02 22:49:45 -07:00			`instances: "max",`
			`exec_mode: "cluster",`
			`}`
			`]`
			`}`
Update pm2 tasks to update the config correctly Previously, if you changed the pm2 ecosystem file content, it wouldn't actually be reflected in the running services. Now it will be! 2021-11-03 15:43:37 -07:00			`dest: "~/ecosystem.config.js"`
			`# Create a temporary backup file, so we can use it to delete the old`
			`# version of the services. (This is important if e.g. a service is`
			`# removed or renamed, in which case deleting from the new config file`
			`# wouldn't include it.)`
			`backup: yes`
			`register: pm2_ecosystem_file`
Use pm2 to run the deployed app 2021-11-02 22:49:45 -07:00
Update pm2 tasks to update the config correctly Previously, if you changed the pm2 ecosystem file content, it wouldn't actually be reflected in the running services. Now it will be! 2021-11-03 15:43:37 -07:00			`- name: Delete old pm2 services if config file changed`
			`command: "pm2 delete {{ pm2_ecosystem_file.backup_file \| quote }}"`
			`when: pm2_ecosystem_file is changed and pm2_ecosystem_file.backup_file is defined`

			`- name: Delete old pm2 config file if it changed`
			`file:`
			`path: "{{ pm2_ecosystem_file.backup_file }}"`
			`state: absent`
			`when: pm2_ecosystem_file is changed and pm2_ecosystem_file.backup_file is defined`

			`- name: Start pm2 services`
			`command: "pm2 start ~/ecosystem.config.js"`
Use pm2 to run the deployed app 2021-11-02 22:49:45 -07:00
			`- name: Save pm2 startup script`
			`command: pm2 save`

Set up certbot during setup playbook You can see how, instead of the default experience where certbot edits your config for you, I've referenced the certificates in the config in the first place, and set up certbot to just generate them! Also, I learned about certbot non-interactive mode! At first I wrote this with the Ansible `expect` module lol :p 2021-11-03 01:00:28 -07:00			`- name: Install core snap`
			`become: yes`
			`community.general.snap:`
			`name: core`

			`- name: Install certbot as a snap`
			`become: yes`
			`community.general.snap:`
			`name: certbot`
			`classic: yes`

			`- name: Set up certbot`
			`become: yes`
			`command: "certbot certonly --nginx -n --agree-tos --email {{ email_address }} --domains impress-2020-box.openneo.net"`

Set up basic nginx in front of impress-2020 It loads kinda! auth0 is crashing us because it refuses to run over http:// but hey! That's pretty cool! 2021-11-03 00:07:30 -07:00			`- name: Install nginx`
			`become: yes`
			`apt:`
			`update_cache: yes`
			`name: nginx`

			`- name: Add impress-2020 config file to nginx`
			`become: yes`
			`copy:`
Add monit watching for nginx and pm2 When I woke up this morning, the app had crashed because the mysql connection was closed! I'm not sure, why that caused a _crash_? Or why pm2 didn't pick up on it, and said the process was still online? (Maybe the process was running, but the server had stopped?) Those could be good to investigate?… …but better than diving too far into the details, is to just address the high-level problem: if the app goes down for unexpected reasons, I want it back up!! lol In this change, we add `monit`, a solid system for monitoring processes (including checking for behavior, like responding to net requests), and configure it to watch the app process and the nginx process. To test, you can run `pm2 stop impress-2020`, or `systemctl stop nginx`, to see that Monit brings them back up within seconds! This does add some potential surprise if you're _trying_ to take the processes down. The easiest way is to send the stop command through monit, like `monit stop nginx`. This will disable monitoring until you start it again through monit, I think? (You can also disable/enable monitoring as a direct command, regardless of app state.) 2021-11-03 16:32:14 -07:00			`content: \|`
Set up basic nginx in front of impress-2020 It loads kinda! auth0 is crashing us because it refuses to run over http:// but hey! That's pretty cool! 2021-11-03 00:07:30 -07:00			`server {`
Set up certbot during setup playbook You can see how, instead of the default experience where certbot edits your config for you, I've referenced the certificates in the config in the first place, and set up certbot to just generate them! Also, I learned about certbot non-interactive mode! At first I wrote this with the Ansible `expect` module lol :p 2021-11-03 01:00:28 -07:00			`server_name impress-2020-box.openneo.net;`
Set up basic nginx in front of impress-2020 It loads kinda! auth0 is crashing us because it refuses to run over http:// but hey! That's pretty cool! 2021-11-03 00:07:30 -07:00			`listen 80;`
Set up certbot during setup playbook You can see how, instead of the default experience where certbot edits your config for you, I've referenced the certificates in the config in the first place, and set up certbot to just generate them! Also, I learned about certbot non-interactive mode! At first I wrote this with the Ansible `expect` module lol :p 2021-11-03 01:00:28 -07:00			`if ($host = impress-2020-box.openneo.net) {`
			`return 301 https://$host$request_uri;`
			`}`
			`}`

			`server {`
Set up basic nginx in front of impress-2020 It loads kinda! auth0 is crashing us because it refuses to run over http:// but hey! That's pretty cool! 2021-11-03 00:07:30 -07:00			`server_name impress-2020-box.openneo.net;`
Set up certbot during setup playbook You can see how, instead of the default experience where certbot edits your config for you, I've referenced the certificates in the config in the first place, and set up certbot to just generate them! Also, I learned about certbot non-interactive mode! At first I wrote this with the Ansible `expect` module lol :p 2021-11-03 01:00:28 -07:00			`listen 443 ssl;`
			`ssl_certificate /etc/letsencrypt/live/impress-2020-box.openneo.net/fullchain.pem;`
			`ssl_certificate_key /etc/letsencrypt/live/impress-2020-box.openneo.net/privkey.pem;`
			`include /etc/letsencrypt/options-ssl-nginx.conf;`
			`ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;`
			`ssl_session_cache shared:SSL:10m; # https://superuser.com/q/1484466/14127`

Set up basic nginx in front of impress-2020 It loads kinda! auth0 is crashing us because it refuses to run over http:// but hey! That's pretty cool! 2021-11-03 00:07:30 -07:00			`# TODO: Serve static files directly, instead of through the proxy`
			`location / {`
			`proxy_pass http://127.0.0.1:3000;`
			`}`
			`}`
			`dest: /etc/nginx/sites-enabled/impress-2020`
			`notify:`
			`- Restart nginx`

Use pm2 to run the deployed app 2021-11-02 22:49:45 -07:00			`- name: Install dependencies for the npm module node-canvas`
Add deploy playbook: pulls git and installs deps 2021-11-02 16:29:52 -07:00			`become: yes`
			`apt:`
			`update_cache: yes`
			`name:`
			`- build-essential`
			`- libcairo2-dev`
			`- libpango1.0-dev`
			`- libjpeg-dev`
			`- libgif-dev`
			`- librsvg2-dev`
Set up basic nginx in front of impress-2020 It loads kinda! auth0 is crashing us because it refuses to run over http:// but hey! That's pretty cool! 2021-11-03 00:07:30 -07:00
			`handlers:`
			`- name: Restart nginx`
			`become: yes`
Add monit watching for nginx and pm2 When I woke up this morning, the app had crashed because the mysql connection was closed! I'm not sure, why that caused a _crash_? Or why pm2 didn't pick up on it, and said the process was still online? (Maybe the process was running, but the server had stopped?) Those could be good to investigate?… …but better than diving too far into the details, is to just address the high-level problem: if the app goes down for unexpected reasons, I want it back up!! lol In this change, we add `monit`, a solid system for monitoring processes (including checking for behavior, like responding to net requests), and configure it to watch the app process and the nginx process. To test, you can run `pm2 stop impress-2020`, or `systemctl stop nginx`, to see that Monit brings them back up within seconds! This does add some potential surprise if you're _trying_ to take the processes down. The easiest way is to send the stop command through monit, like `monit stop nginx`. This will disable monitoring until you start it again through monit, I think? (You can also disable/enable monitoring as a direct command, regardless of app state.) 2021-11-03 16:32:14 -07:00			`systemd:`
Set up basic nginx in front of impress-2020 It loads kinda! auth0 is crashing us because it refuses to run over http:// but hey! That's pretty cool! 2021-11-03 00:07:30 -07:00			`name: nginx`
			`state: restarted`