diff --git a/deploy/files/impress.service b/deploy/files/impress.service new file mode 100644 index 00000000..33a82e75 --- /dev/null +++ b/deploy/files/impress.service @@ -0,0 +1,29 @@ +[Unit] +Description=Dress to Impress webapp + +[Service] +User=impress +Restart=always +WorkingDirectory=/srv/impress/current +ExecStart=/opt/ruby-3.1.4/bin/bundle exec puma --port=3000 +Environment="RAILS_ENV=production" +; Set EXECJS_RUNTIME to save us from needing to install Node +Environment="EXECJS_RUNTIME=Disabled" +EnvironmentFile=/srv/impress/shared/production.env + +; Some security directives, adapted from Akkoma's service file, they seem like sensible defaults! +; Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops. +PrivateTmp=true +; The /home, /root, and /run/user folders can not be accessed by this service anymore. If your Akkoma user has its home folder in one of the restricted places, or use one of these folders as its working directory, you have to set this to false. +ProtectHome=true +; Mount /usr, /boot, and /etc as read-only for processes invoked by this service. +ProtectSystem=full +; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. +PrivateDevices=true +; Ensures that the service process and all its children can never gain new privileges through execve(). +NoNewPrivileges=true +; Drops the sysadmin capability from the daemon. +CapabilityBoundingSet=~CAP_SYS_ADMIN + +[Install] +WantedBy=multi-user.target \ No newline at end of file diff --git a/deploy/files/sites-available/impress.conf b/deploy/files/sites-available/impress.conf new file mode 100644 index 00000000..df3d1ff7 --- /dev/null +++ b/deploy/files/sites-available/impress.conf @@ -0,0 +1,32 @@ +server { + server_name {{ impress_hostname }}; + listen 80; + if ($host = {{ impress_hostname }}) { + return 301 https://$host$request_uri; + } +} + +server { + server_name {{ impress_hostname }}; + listen 443 ssl; + ssl_certificate /etc/letsencrypt/live/{{ impress_hostname }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ impress_hostname }}/privkey.pem; + include /etc/letsencrypt/options-ssl-nginx.conf; + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; + ssl_session_cache shared:SSL:10m; # https://superuser.com/q/1484466/14127 + + root /srv/impress/current/public; + + # Try serving static files first. If not found, fall back to the app. + try_files $uri/index.html $uri @app; + + location @app { + proxy_pass http://127.0.0.1:3000; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-Server $host; + proxy_set_header Host $http_host; + proxy_redirect off; + } +} \ No newline at end of file diff --git a/deploy/setup.yml b/deploy/setup.yml index 2375ed70..31bbe18a 100644 --- a/deploy/setup.yml +++ b/deploy/setup.yml @@ -257,37 +257,8 @@ - name: Create service file for impress copy: - dest: /etc/systemd/system/impress.service - content: | - [Unit] - Description=Dress to Impress webapp - - [Service] - User=impress - Restart=always - WorkingDirectory=/srv/impress/current - ExecStart=/opt/ruby-3.1.4/bin/bundle exec puma --port=3000 - Environment="RAILS_ENV=production" - ; Set EXECJS_RUNTIME to save us from needing to install Node - Environment="EXECJS_RUNTIME=Disabled" - EnvironmentFile=/srv/impress/shared/production.env - - ; Some security directives, adapted from Akkoma's service file, they seem like sensible defaults! - ; Use private /tmp and /var/tmp folders inside a new file system namespace, which are discarded after the process stops. - PrivateTmp=true - ; The /home, /root, and /run/user folders can not be accessed by this service anymore. If your Akkoma user has its home folder in one of the restricted places, or use one of these folders as its working directory, you have to set this to false. - ProtectHome=true - ; Mount /usr, /boot, and /etc as read-only for processes invoked by this service. - ProtectSystem=full - ; Sets up a new /dev mount for the process and only adds API pseudo devices like /dev/null, /dev/zero or /dev/random but not physical devices. - PrivateDevices=true - ; Ensures that the service process and all its children can never gain new privileges through execve(). - NoNewPrivileges=true - ; Drops the sysadmin capability from the daemon. - CapabilityBoundingSet=~CAP_SYS_ADMIN - - [Install] - WantedBy=multi-user.target + src: files/impress.service + dest: /etc/systemd/system/impress.service notify: - Reload systemctl - Restart impress @@ -315,40 +286,8 @@ command: "certbot certonly --nginx -n --agree-tos --email {{ email_address }} --domains {{ impress_hostname }}" - name: Add impress config file to nginx - copy: - content: | - server { - server_name {{ impress_hostname }}; - listen 80; - if ($host = {{ impress_hostname }}) { - return 301 https://$host$request_uri; - } - } - - server { - server_name {{ impress_hostname }}; - listen 443 ssl; - ssl_certificate /etc/letsencrypt/live/{{ impress_hostname }}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/{{ impress_hostname }}/privkey.pem; - include /etc/letsencrypt/options-ssl-nginx.conf; - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - ssl_session_cache shared:SSL:10m; # https://superuser.com/q/1484466/14127 - - root /srv/impress/current/public; - - # Try serving static files first. If not found, fall back to the app. - try_files $uri/index.html $uri @app; - - location @app { - proxy_pass http://127.0.0.1:3000; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header X-Forwarded-Server $host; - proxy_set_header Host $http_host; - proxy_redirect off; - } - } + template: + src: files/sites-available/impress.conf dest: /etc/nginx/sites-available/impress.conf notify: - Restart nginx