clojars / infrastructure
Infrastructure configuration for Clojars
License: MIT License
There are some people with misconfigured applications/Nexus repos who request files way too much. It could be good to use fail2ban to stop them from making requests too often. A first approximation for detecting this would be to check for IPs downloading the same file more than 5 times in half an hour. There are a few things to consider here:
http://codelog.climens.net/2011/02/13/using-fail2ban-with-nginx-in-debian/
http://blog.teabough.com/fail2ban-api-mailjet/
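The "same file more than 5 times in half an hour" heuristic, run over nginx combined-format access log lines, as an added example (not code from the clojars/infrastructure repository). The sample traffic, the artifact paths and the user agent are constructed; the per-client sliding window is what separates a Nexus that re-requests one POM every two minutes from a client that legitimately polls it every half hour:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined" log format. Only the client address, timestamp, request path and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, path, status), or None for a line that is not in combined format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    # Drop any query string so "?foo=1" variants of one artifact count as the same file.
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, path, int(m.group("status"))

def find_repeat_downloaders(lines, threshold=5, window=timedelta(minutes=30)):
    """Return {(ip, path): peak_count} for every client that requested the same file more
    than `threshold` times inside some `window`-long span. One sliding window is kept per
    (ip, path), so lines only need to be in time order per client, as an access log is."""
    recent = defaultdict(deque)  # (ip, path) -> timestamps still inside the window
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # rotated-log headers, truncated lines, etc.
        ip, ts, path, _status = parsed
        key = (ip, path)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            offenders[key] = max(offenders.get(key, 0), len(q))
    return offenders

# ---- constructed sample traffic (not real Clojars logs) ----
POM = "/repo/ring/ring/1.7.0/ring-1.7.0.pom"

def _line(ip, hhmm, path, status=200):
    return (f'{ip} - - [10/Oct/2018:{hhmm}:00 +0000] "GET {path} HTTP/1.1" '
            f'{status} 1200 "-" "Apache-Maven/3.5.4"')

SAMPLE_LINES = (
    # 10.0.0.8 fetches the POM 7 times, but 35 minutes apart (09:00 .. 12:30): legitimate polling
    [_line("10.0.0.8", f"{9 + (i * 35) // 60:02d}:{(i * 35) % 60:02d}", POM) for i in range(7)]
    # 10.0.0.7 fetches the same POM 7 times in 12 minutes: the misconfigured-Nexus pattern
    + [_line("10.0.0.7", f"13:{2 * i:02d}", POM) for i in range(7)]
    # 10.0.0.9 fetches 7 different jars in 7 minutes: busy, but not re-downloading anything
    + [_line("10.0.0.9", f"13:{i:02d}",
             f"/repo/org/clojure/clojure/1.{i}.0/clojure-1.{i}.0.jar") for i in range(7)]
    + ["Oct 10 13:10:00 logrotate: not an access-log line"]
)

if __name__ == "__main__":
    for (ip, path), count in sorted(find_repeat_downloaders(SAMPLE_LINES).items()):
        print(f"{ip} requested {path} {count} times within 30 min")
```

Two caveats before wiring this to fail2ban. A fail2ban filter is a per-line regex with a per-`<HOST>` counter, so it cannot express "the same file" on its own; the usual pattern is to have a script like this append one line per offender to a log that a trivial `<HOST>`-only filter watches. And a fail2ban ban is an iptables drop of the whole address, so a corporate proxy or NAT that fronts many developers (the same middleboxes mentioned further down this page) takes everyone behind it offline; an nginx `limit_req` zone keyed on client address plus URI, answering 429, degrades far more gracefully than a firewall ban.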
We would like to change the license to MIT. This would make it possible for people to derive new works from this config for internal purposes without having to redistribute them. Under normal usage, sharing the changes would not be required, but it would if you distributed it (e.g. as part of a package that runs on client sites)
To allow for the relicensing, reply to this issue with "I Agree". If you don't agree then feel free to discuss this more here.
Thanks!
Related to #3, it could be good to have zero downtime deploys where the second Java process gets brought up online before shutting down the first one. Possibly could use Nginx to switch between them. However there were issues in the past with running multiple processes against a single sqlite db, so this might not be a good idea in the short term.
[DEPRECATION WARNING]: The use of 'include' for tasks has been deprecated. Use
'import_tasks' for static inclusions or 'include_tasks' for dynamic inclusions. This feature
will be removed in a future release. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: include is kept for backwards compatibility but usage is discouraged.
The module documentation details page may explain more about this rationale.. This feature
will be removed in a future release. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.
We use `include` in a few places. [import_tasks](https://docs.ansible.com/ansible/devel/modules/import_tasks_module.html) seems like the correct thing to use for us but `sudo` when running those tasks. Any expert Ansible help on the 'correct' thing to do here would be welcome.
All Cron jobs are installed, but I haven't checked to make sure they are always running successfully. This is probably something I need to do as it will require private config I think.
I'm pretty sure I've set up SSL correctly (by copying from the previous server), but it would be good to get another set of eyes over it to make sure it's correct and is up to date with best practices, particularly over the IPv6 stuff.
For security and ease of debugging, it would be good to send logs to somewhere else so we can view them and so they are secure against tampering.
There are gaps in the dates of the downloads-{date}.edn files. Need to investigate what's happening.
It would be good to add a health check to make sure the app is running well when deploying a new version. Automated roll back would be nice too.
We only put x-frame-options on requests served by the app, so anything that Nginx serves directly (like redirects and resources) doesn't have this header attached. I'm not sure what the security implications of this are, but worth considering further.
Not quite sure what server config is needed here, @tobias what's the process for deleting JARs?
There are a bunch of good links here, especially debops. I'm not sure whether we use ansible galaxy or just copy the parts of the scripts we like locally.
Tasks:
clojars.org doesn't seem to be gzipping assets. It would be good to figure out why, as it seems like it should be based on the config.
TASK [system : ensure admin user accounts exist] ********************************************
[WARNING]: when statements should not include jinja2 templating delimiters such as {{ }} or
{% %}. Found: {{ item.active }}
Figure out what the correct way to do this is instead.
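Both Ansible warnings on this page (the `include` deprecation above, and the `{{ }}`-in-`when` warning here) have the same shape of fix, shown as an added example rather than the repository's own playbooks; the task-file names, the `admins` variable and its fields are assumptions:

```yaml
# playbook.yml (assumed layout)
- hosts: clojars
  tasks:
    # Static import: task keywords set on import_tasks are inherited by every task in
    # the file, so `become` here is how the old `include` + sudo behaviour is kept.
    - import_tasks: roles/system/tasks/admin-users.yml
      become: true

    # Dynamic include: keywords on include_tasks apply to the include itself, not to the
    # included tasks; `apply` (Ansible 2.7+) pushes them down.
    - include_tasks: roles/system/tasks/optional-tooling.yml
      apply:
        become: true
      when: install_tooling | default(false) | bool

# roles/system/tasks/admin-users.yml (assumed name)
- name: ensure admin user accounts exist
  user:
    name: "{{ item.name }}"
    groups: sudo
    append: true
    shell: /bin/bash
  loop: "{{ admins }}"
  # `when` is already evaluated as a Jinja2 expression; wrapping it in {{ }} is what
  # triggers the warning. Coerce with | bool so "false" from a YAML string still works.
  when: item.active | bool

- name: install each admin's authorised keys
  authorized_key:
    user: "{{ item.name }}"
    key: "{{ item.public_key }}"
    # exclusive removes any key not listed here, so a departed admin's key is purged
    # on the next run instead of lingering in ~/.ssh/authorized_keys.
    exclusive: true
  loop: "{{ admins }}"
  when: item.active | bool
```

The `admins` list is the kind of thing this page elsewhere says belongs in `private.yml` (with a shape-only default in `private.yml.example`). Note that `exclusive: true` is the security-relevant choice: without it, `authorized_key` only ever adds keys.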
It is set to UTC out of the box, but it would be good to make sure it stays like that with an ansible task. This looks promising but needs to have backup turned off.
To build Clojars the app, we need Clojars the site. This is a nasty circular dependency we need to break.
If we're trying to bootstrap a new clojars server, it stands to reason that there may not be a running one in place at the time. There are a few options here for building the app, and two main scenarios to think about: rebuilding the server from scratch when there is no Clojars server, and everyday deployments.
We can set a mirror in the Leiningen config, and use this for both building from scratch, and everyday builds.
Pros:
Cons:
`profiles.clj` won't work for `:plugin-repositories` and we need the supersport plugin. I think @tobias is in favour of this option.
Pros:
Cons:
`profiles.clj` differences. How this would work:
This is my personal preference as it seems to be the most fault tolerant, however after listing the cons, I'm not so sure it's the right solution.
Pros:
Cons:
Thoughts welcome!
We had a report that Clojars responds to unknown host headers. We should drop requests that don't match headers that we expect: https://stackoverflow.com/a/28591245/826486
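An added nginx example (not the repository's actual config; certificate paths, the static directory and the app port are assumptions) that addresses this report and the earlier x-frame-options item together: a catch-all `default_server` that closes connections for any Host/SNI we do not serve, and `X-Frame-Options` set at the nginx layer so responses nginx answers itself carry it too:

```nginx
# Catch-all server: a request whose Host header (or TLS SNI) matches no server_name below
# lands here instead of in whichever server block nginx happens to list first.
# 444 is nginx's "close the connection without sending a response".
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    # A certificate is still required so the TLS handshake completes before the close.
    ssl_certificate     /etc/ssl/private/clojars.org.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/clojars.org.key;
    return 444;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name clojars.org;
    ssl_certificate     /etc/ssl/private/clojars.org.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/clojars.org.key;

    # Set at server level so nginx attaches it to everything it answers itself.
    # `always` (nginx 1.7.5+) adds it on every status code, including 404s and 5xx;
    # without it add_header only fires for 2xx and 3xx responses.
    add_header X-Frame-Options SAMEORIGIN always;

    location /static/ {
        alias /srv/clojars/static/;   # assumed path
        # add_header is NOT inherited from the enclosing block once a location defines
        # any add_header of its own, so it has to be repeated next to the cache header.
        add_header Cache-Control "public, max-age=86400";
        add_header X-Frame-Options SAMEORIGIN always;
    }

    location / {
        proxy_pass http://127.0.0.1:8001;   # assumed app port
        proxy_set_header Host $host;
        # The app sets its own X-Frame-Options; hide it so clients see exactly one
        # value (nginx's) instead of two copies that browsers may handle differently.
        proxy_hide_header X-Frame-Options;
    }
}
```

After reloading, `curl -kI -H 'Host: not-clojars.example' https://<server-ip>/` should get an empty reply (curl reports the connection was closed), while `curl -I https://clojars.org/does-not-exist` should show `X-Frame-Options` on the 404.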
It is currently mounted by a manual modification to /etc/fstab.
???
We need to make sure we call Yeller with the right config when testing and going in production. It might also be good to disable Yeller entirely when non admins are running the app/ansible scripts.
This needs to be templated in Ansible. Probably only something an admin can do.
I'm not quite sure what to do about DB migrations, possibly they should be a resource in the uberjar? That way we always know we've got the right schema for each version.
The version of goaccess bundled with ubuntu is ancient. It would be really handy to have the version described in "Official GoAccess' Debian/Ubuntu Repository" from here installed.
Each admin can provide authorised keys to be put against their user account. These need to be installed. They can take the place of the commented out github public keys script in /roles/system/tasks/main.yml.
I was able to setup rsync to run, but I haven't got this script to run correctly yet.
$ rsync -av --delete localhost::clojars my-wonderful-copy-of-clojars
rsync: failed to connect to localhost: Connection refused (61)
rsync error: error in socket IO (code 10) at /BuildRoot/Library/Caches/com.apple.xbs/Sources/rsync/rsync-47/rsync/clientserver.c(105) [receiver=2.6.9]
$ rsync -av --delete -e 'usr/bin/ssh -p2222' localhost::clojars my-wonderful-copy-of-clojars
rsync: Failed to exec usr/bin/ssh: No such file or directory (2)
rsync error: error in IPC code (code 14) at /BuildRoot/Library/Caches/com.apple.xbs/Sources/rsync/rsync-47/rsync/pipe.c(86) [receiver=2.6.9]
rsync: connection unexpectedly closed (0 bytes received so far) [receiver]
rsync error: error in rsync protocol data stream (code 12) at /BuildRoot/Library/Caches/com.apple.xbs/Sources/rsync/rsync-47/rsync/io.c(453) [receiver=2.6.9]
I'm not sure if this is an artifact of running through Vagrant on port 2222 or something else is misconfigured.
https://www.ssllabs.com/ssltest/analyze.html?d=clojars.org&s=173.230.139.200
With all of these things, we need to keep in mind the ever present spectre of Java 6 and corporate SSL middleware boxes.
It expires on 12 August, needs to be renewed before then, and should use SHA-2.
Tweak bootstrap script used to generate/touch private files. Should it and the example file sit at the root instead of inside private/?
It would be good to have a message of the day with common scripts so that if you do need to log on to a server you can see the common ones straight away.
They were commented out because of a failing test in clojars.test.unit.tools.repair-metadata when run on the server. From memory the file ordering wasn't consistent.
This needs to be stored in private.yml, with a default set in private.yml.example.
I've set up the email as best I can from the previous server, but it doesn't seem like it's working yet. I'm not sure if that's just because I'm running on localhost though and it would be fine on a real server? We also need to check the SSL is set up correctly for Postfix.
I'm not quite sure how the Nginx logs get rotated.