From 9310a250d6565383766238d3a67df4ccfa0b9dac Mon Sep 17 00:00:00 2001
From: Matchu
Date: Wed, 3 Nov 2021 23:04:25 -0700
Subject: [PATCH] Fix some bugs running deploy-setup from scratch
As an exercise, I've wiped the box clean, and I'm reinstalling from the scripts! :3 I added the SSH hardening rules to the playbook instead of doing them by hand this time. I made a mistake with creating `/srv/impress-2020`, right, you need to *say* what it should be created *as* for the creation step to work! I also guess my recent pm2 changes made it not actually be willing to start the app anymore, because `/srv/impress-2020/current` doesn't exist or have `node_modules` yet. I'm doing a cute thing where I create a placeholder app during setup, so there's always something to run, without introducing the complexities of a real deploy to the setup process. And right, of course, we need to install nginx before running certbot! But we need to add certbot config *after* running certbot! And then just some misc cleanups for consistency and correctness!
---
deploy/playbooks/setup.yml | 71 +++++++++++++++++++++++++++++++++-----
package.json | 2 +-
2 files changed, 63 insertions(+), 10 deletions(-)
diff --git a/deploy/playbooks/setup.yml b/deploy/playbooks/setup.yml
index cc2f00e..489dd8a 100644
--- a/deploy/playbooks/setup.yml
+++ b/deploy/playbooks/setup.yml
@@ -4,11 +4,33 @@
 vars:
 email_address: "emi@matchu.dev" # TODO: Extract this to personal config?
 tasks:
- - name: Create the app folder
+ - name: Disable root SSH login
+ become: yes
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: ^#?PermitRootLogin
+ line: PermitRootLogin no
+
+ - name: Disable password-based SSH authentication
+ become: yes
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: ^#?PasswordAuthentication
+ line: PasswordAuthentication no
+
+ - name: Install fail2ban firewall with default settings
+ become: yes
+ apt:
+ update_cache: yes
+ name: fail2ban
+
+ - name: Create the app versions folder
 become: yes
 file:
- path: /srv/impress-2020
+ path: /srv/impress-2020/versions
 owner: "{{ ansible_user_id }}"
+ group: "{{ ansible_user_id }}"
+ state: directory
 
 - name: Add Nodesource apt key
 become: yes
@@ -26,7 +48,6 @@
 apt:
 update_cache: yes
 name: nodejs
- state: present
 
 - name: Install Yarn
 become: yes
@@ -34,6 +55,38 @@
 name: yarn
 global: yes
 
+ - name: Check for a current app version
+ stat:
+ path: /srv/impress-2020/current
+ register: current_app_version
+
+ - name: Check whether we already have a placeholder app
+ stat:
+ path: /srv/impress-2020/versions/initial-placeholder
+ register: existing_placeholder_app
+ when: not current_app_version.stat.exists
+
+ - name: Create a placeholder app, to run until we deploy a real version
+ command:
+ chdir: /srv/impress-2020/versions
+ cmd: yarn create next-app initial-placeholder
+ when: |
+ not current_app_version.stat.exists and
+ not existing_placeholder_app.stat.exists
+
+ - name: Build the placeholder app
+ command:
+ chdir: /srv/impress-2020/versions/initial-placeholder
+ cmd: yarn build
+ when: not current_app_version.stat.exists
+
+ - name: Set the placeholder app as the current version
+ file:
+ src: /srv/impress-2020/versions/initial-placeholder
+ dest: /srv/impress-2020/current
+ state: link
+ when: not current_app_version.stat.exists
+
 - name: Install pm2
 become: yes
 npm:
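Review bot: The two `lineinfile` edits to `/etc/ssh/sshd_config` in the first hunk are never applied to the running daemon — nothing here reloads or restarts sshd, so `PermitRootLogin no` and `PasswordAuthentication no` only take effect after some later restart, and a malformed edit would only surface then, potentially as a lockout. Add `validate: /usr/sbin/sshd -t -f %s` and `notify: Restart sshd` to both `lineinfile` tasks, and a `handlers:` section with a "Restart sshd" handler that restarts the ssh service (the unit name differs between distributions, which the page does not state). Because this play turns off password logins, key-based access for the deploying user should be confirmed to work before the change lands. Minor naming point: fail2ban is an intrusion-prevention daemon, not a firewall, so "Install fail2ban firewall" is misleading.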
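Review bot: In the third hunk, `cmd: yarn create next-app initial-placeholder` fetches and executes whichever `create-next-app` the registry serves at setup time, so bootstrapping the box depends on an unpinned package that runs code as the deploying user; pinning it, presumably as `cmd: yarn create next-app@<version> initial-placeholder` with a version matching the project's own Next.js dependency, makes reruns reproducible and reviewable. The separate "Check whether we already have a placeholder app" task and the two-line `when: |` block can be replaced by `creates: /srv/impress-2020/versions/initial-placeholder` on the `command` task, which also removes the reliance on Jinja short-circuiting to avoid reading `existing_placeholder_app.stat` when that stat task was skipped. "Build the placeholder app" then reruns `yarn build` on every play until a real deploy exists, which is harmless but will always report changed.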
@@ -89,6 +142,12 @@
 - name: Save pm2 startup script
 command: pm2 save
 
+ - name: Install nginx
+ become: yes
+ apt:
+ update_cache: yes
+ name: nginx
+
 - name: Install core snap
 become: yes
 community.general.snap:
@@ -104,12 +163,6 @@
 become: yes
 command: "certbot certonly --nginx -n --agree-tos --email {{ email_address }} --domains impress-2020-box.openneo.net"
 
- - name: Install nginx
- become: yes
- apt:
- update_cache: yes
- name: nginx
-
 - name: Add impress-2020 config file to nginx
 become: yes
 copy:
diff --git a/package.json b/package.json
index 010f689..b0dea43 100644
--- a/package.json
+++ b/package.json
@@ -66,7 +66,7 @@
 "vercel-build": "yum install libuuid-devel libmount-devel && cp /lib64/{libuuid,libmount,libblkid}.so.1 node_modules/canvas/build/Release/",
 "test": "jest test --env=jsdom",
 "lint": "next lint --dir src --dir pages",
- "deploy-setup": "echo $'Setup requires you to become the root user. You\\'ll need to enter the password for your account on the remote web server below, and you must be part of the `sudoers` user group.' && ansible-playbook -K -i deploy/inventory.cfg deploy/playbooks/setup.yml",
+ "deploy-setup": "echo $'Setup requires you to become the root user. You\\'ll need to enter the password for your account on the remote web server below, and you must be part of the `sudo` user group.' && ansible-playbook -K -i deploy/inventory.cfg deploy/playbooks/setup.yml",
 "deploy": "ansible-playbook -i deploy/inventory.cfg deploy/playbooks/deploy.yml",
 "deploy-skip-build": "ansible-playbook -i deploy/inventory.cfg deploy/playbooks/deploy.yml --extra-vars='{\"skip_build\": true}'",
 "cypress": "cypress open",
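Review bot: The corrected `deploy-setup` line in package.json still wraps its prompt in bash-only `$'…'` quoting, and package managers run scripts through `sh`, which on Debian-family hosts is presumably dash and does not support that syntax — there the literal `$'` and `\'` would be printed instead of a clean sentence, while it happens to work where `sh` is bash. Dropping the apostrophe lets a plain double-quoted string work under any POSIX shell, e.g. `echo \"Setup requires you to become the root user. You will need to enter the password for your account on the remote web server below, and you must be part of the sudo user group.\"`. The wording change from `sudoers` to `sudo` itself is correct.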