# HG changeset patch
# User Chris Cannam
# Date 1503581103 -3600
# Node ID 07deb8466f6514206ab32e40d6207ea03722f28f
# Parent ed9c467ef9223efb6bad6603401e27a9b8470a8a
More provisioning docs/tweaks
diff -r ed9c467ef922 -r 07deb8466f65 deploy/README
--- a/deploy/README Wed Aug 23 11:32:50 2017 +0100
+++ b/deploy/README Thu Aug 24 14:25:03 2017 +0100
@@ -1,6 +1,48 @@
Deploying the SoundSoftware site
+================================
+These scripts can be used for test or staging deployments reproducing
+much of the configuration of the live site. Currently it's assumed
+that you are providing a database dump to load -- there is no
+provisioning step to initialise a new database.
+
+
+You will need
+-------------
+
+Required:
+
+ * A database dump to load. This should be left in a file called
+ postgres-dumpall in the soundsoftware-site root
+
+ * The database password and /sys API key for the target site. (The
+ API key can be changed in the admin UI - "grep API config/*.in" to
+ see the files you'll need to update if you change it)
+
+ * The (copyrighted) web font files used in our deployment. Leave
+ these in /public/themes/soundsoftware/stylesheets/fonts/
+
+Optional (or required for proper deployments):
+
+ * HTTPS key/cert files
+
+
+Three ways to deploy
+--------------------
+
+ 1. Using Vagrant to set up a development VM: Run ./vagrant/start.sh
+
+ 2. Using Docker to set up a development container: Run ./docker/start.sh
+
+ 3. On a "real" VM or server:
+
+ * Ensure the soundsoftware-site repo is checked out at /code-to-deploy
+ * Run /code-to-deploy/deploy/any/run-provisioning.sh as root
+
+ But be very careful with this! You could screw up a dev box -- or
+ an existing live server! -- if you accidentally provision the site
+ directly onto it when you should have used Vagrant or a container.
After deployment
diff -r ed9c467ef922 -r 07deb8466f65 deploy/any/run-provisioning.sh
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/deploy/any/run-provisioning.sh Thu Aug 24 14:25:03 2017 +0100
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+mydir=$(dirname "$0")
+
+if [ "$mydir" != "/code-to-deploy/deploy/any" ]; then
+ echo "ERROR: Expected repository to be at /code-to-deploy prior to provisioning"
+ exit 2
+fi
+
+. "$mydir"/../prepare.sh
+
+for f in "$mydir"/../provision.d/[0-9]*.sh ; do
+ case "$f" in
+ *~) ;;
+ *) echo "Running provisioning script: $f"
+ /bin/bash "$f";;
+ esac
+done
+
+echo "All provisioning scripts complete"
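Review bot: The loop over provision.d runs each step with `/bin/bash "$f"` and discards its exit status, so a failed step is followed by the remaining steps and by the final "All provisioning scripts complete" message. On a host provisioned as root this can leave a half-configured machine (for example with the auth or Apache steps skipped) that is reported as finished. Stopping at the first failure would be safer: `/bin/bash "$f" || { echo "ERROR: $f failed" >&2; exit 1; }`. The README says the script must run as root, but the script does not check it; a guard such as `[ "$(id -u)" -eq 0 ] || { echo "ERROR: must be run as root" >&2; exit 2; }` next to the path check would fail early instead of part-way through.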
diff -r ed9c467ef922 -r 07deb8466f65 deploy/config/code-ssl.conf.in
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/deploy/config/code-ssl.conf.in Thu Aug 24 14:25:03 2017 +0100
@@ -0,0 +1,140 @@
+
+# Apache config with SSL and admin auth stubbed in. You must provide
+# the key/cert and auth files.
+
+# Note this has been updated for Apache 2.4, which introduced a number
+# of (welcome) changes to access control directives.
+
+PerlLoadModule Apache::Authn::SoundSoftware
+
+
+ ServerName code.soundsoftware.ac.uk
+ ServerAdmin chris.cannam@soundsoftware.ac.uk
+
+ DocumentRoot /var/www/code/public
+ PassengerRestartDir restart_files
+ PassengerHighPerformance on
+ PassengerMaxRequests 50000
+ PassengerStatThrottleRate 5
+ PassengerFriendlyErrorPages off
+ RailsSpawnMethod smart
+ ExpiresDefault "access plus 1 minute"
+
+ # Redirect all activity to secure site
+ Redirect seeother / "https://code.soundsoftware.ac.uk/"
+
+
+ Require all denied
+
+
+
+ Require all denied
+
+
+
+ Require all denied
+
+
+
+ Options -MultiViews
+
+
+ ErrorLog /var/log/apache2/code-error.log
+ CustomLog /var/log/apache2/code-access.log vhost_combined
+
+ LogLevel warn
+ ServerSignature Off
+
+
+
+ ServerName code.soundsoftware.ac.uk
+ ServerAdmin chris.cannam@soundsoftware.ac.uk
+
+ DocumentRoot /var/www/code/public
+ PassengerRestartDir restart_files
+ PassengerHighPerformance on
+ PassengerMaxRequests 50000
+ PassengerStatThrottleRate 5
+ PassengerStartTimeout 60
+ PassengerFriendlyErrorPages off
+ RailsSpawnMethod smart
+ ExpiresDefault "access plus 1 minute"
+
+
+ AuthType Basic
+ AuthUserFile "/etc/apache2/auth/user.htpasswd"
+ AuthName "code.soundsoftware.ac.uk"
+ Require user user
+
+
+
+ AuthType Digest
+ AuthUserFile "/etc/apache2/auth/admin.htdigest"
+ AuthName "code.soundsoftware.ac.uk admin interface"
+ Require user admin
+
+
+
+ Require all denied
+
+
+
+ Require all denied
+
+
+
+ Require all denied
+
+
+
+ Options -MultiViews
+
+
+
+ # Avoid other sites embedding our fonts
+ RewriteEngine on
+ RewriteCond %{HTTP_REFERER} !^$
+ RewriteCond %{HTTP_REFERER} !^http(s)?://code.soundsoftware.ac.uk/.*$ [NC]
+ RewriteRule \.(ttf|woff|eot|otf|svg|zip|gz|html|txt)$ - [F]
+
+
+ ScriptAlias /hg "/var/hg/index.cgi"
+
+
+ AuthName "Mercurial"
+ AuthType Basic
+ Require valid-user
+ PerlAccessHandler Apache::Authn::SoundSoftware::access_handler
+ PerlAuthenHandler Apache::Authn::SoundSoftware::authen_handler
+ PerlSetVar HTTPS "on"
+ SoundSoftwareDSN "dbi:Pg:database=code;host=localhost"
+ SoundSoftwareDbUser "code"
+ SoundSoftwareDbPass "INSERT_DATABASE_PASSWORD_HERE"
+ SoundSoftwareRepoPrefix "/var/hg/"
+ SoundSoftwareSslRequired "on"
+ Options +ExecCGI
+ AddHandler cgi-script .cgi
+ ExpiresDefault now
+
+
+ Alias /git "/var/files/git-mirror"
+
+
+ Options -Indexes +FollowSymLinks
+ Require all granted
+
+
+ Require all denied
+
+
+ Require all denied
+
+
+ ErrorLog /var/log/apache2/code-error.log
+ CustomLog /var/log/apache2/code-access.log vhost_combined
+
+ LogLevel warn
+ ServerSignature Off
+
+
+
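Review bot: In the lines visible here the second virtual host has no `SSLEngine on`, `SSLCertificateFile` or `SSLCertificateKeyFile`, although the header comment says SSL is stubbed in and the /hg block sets `SoundSoftwareSslRequired "on"` alongside `AuthType Basic`. If those directives really are absent, whoever deploys must know to add them, and until then the host would not terminate TLS. Commented placeholder lines such as `SSLCertificateFile INSERT_CERT_PATH_HERE` (a constructed placeholder, in the style of the existing `INSERT_DATABASE_PASSWORD_HERE`) would make the required edit explicit. The installed copy will also hold the database password in `SoundSoftwareDbPass`, so a comment asking for it to be readable only by root would be worth adding near that line.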
diff -r ed9c467ef922 -r 07deb8466f65 deploy/config/code.conf.in
--- a/deploy/config/code.conf.in Wed Aug 23 11:32:50 2017 +0100
+++ b/deploy/config/code.conf.in Thu Aug 24 14:25:03 2017 +0100
@@ -67,7 +67,7 @@
Require valid-user
PerlAccessHandler Apache::Authn::SoundSoftware::access_handler
PerlAuthenHandler Apache::Authn::SoundSoftware::authen_handler
- PerlSetVar HTTPS "on"
+ PerlSetVar HTTPS "off"
SoundSoftwareDSN "dbi:Pg:database=code;host=localhost"
SoundSoftwareDbUser "code"
SoundSoftwareDbPass "INSERT_DATABASE_PASSWORD_HERE"
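Review bot: With `PerlSetVar HTTPS "off"` this block still uses `Require valid-user` with the SoundSoftware authentication handlers, so repository credentials would travel unencrypted wherever this config is deployed. Nothing in the hunk marks the file as test-only. A comment above the changed line would record the intent, for example `# Plain-HTTP variant for local Vagrant/Docker test deployments only; use code-ssl.conf.in wherever real credentials are in use`. The enclosing block starts and ends outside the hunk, so its AuthType and any SSL-required setting are not visible here.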
diff -r ed9c467ef922 -r 07deb8466f65 deploy/provision.d/190-reminders.sh
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/deploy/provision.d/190-reminders.sh Thu Aug 24 14:25:03 2017 +0100
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -e
+
+# Print reminders of the things that we haven't covered in the deploy
+# scripts
+
+cat <