Initial commit

Author: micahdbak

.gitmodules

@@ -0,0 +1,7 @@
+[submodule "backend"]
+	path = backend
+	url = https://github.com/CSSS/csss-site-backend
+[submodule "frontend"]
+	path = frontend
+	url = https://github.com/CSSS/csss-site-frontend
+	branch = build

README.md

@@ -0,0 +1,70 @@
+# csss-site-config
+
+This repository contains the server configuration files and deployment scripts necessary for https://new.sfucsss.org.
+
+## SysAdmin / Webmaster
+
+### Fresh Setup
+
+On a fresh machine, preferably running Debian 12, get the `fresh_setup.sh` script with the following:
+
+`wget https://raw.githubusercontent.com/CSSS/csss-site-config/refs/heads/master/fresh_setup.sh`
+
+`chmod +x fresh_setup.sh`
+
+`./fresh_setup.sh`
+
+And run it as the superuser. (The server will be completely prepared and deployed.)
+
+### Cloning With Submodules
+
+This repository makes use of git submodules. To clone it, please run:
+
+`git clone [email protected]:CSSS/csss-site-config --recurse-submodules`
+
+If already cloned and you'd like to make changes to the submodules, cd into either backend/frontend and pull, checkout, etc. to set the current state of the submodule, then add the backend/frontend folder via `git add` to update the submodule in the csss-site-config repository.
+
+Alternatively, if you have just pulled recent changes to csss-site-config which has also changed either submodule, run the following to update the submodules' contents:
+
+`git submodule update`
+
+Alternatively, if you would like to update a submodule to the most recent commit from their main/build branch, run the following:
+
+`git submodule update --remote`
+
+And promptly `git add` either backend/frontend folder to update the submodules in the csss-site-config repository.
+
+### Deploying
+
+(Please read the above section for how git submodules work before deploying - don't mess up please.)
+
+The following process should be followed to make a deployment to https://new.sfucsss.org:
+
+- Ensure the changes to be deployed are on the `main` branch of csss-site-backend and the `build` branch of csss-site-frontend.
+- Clone the csss-site-config repository on your local development machine (see the above section on Cloning With Submodules).
+- Run: `git submodule update --remote` from inside the csss-site-config repository to pull the to be deployed changes from csss-site-backend and csss-site-frontend.
+- Run: `git add backend frontend` to make csss-site-config acknowledge the new commits to either submodule.
+- Run: `git commit -m "(your-commit-message)" && git push origin master` to update the csss-site-config repository.
+- SSH into the https://new.sfucsss.org server as the root user.
+- Run: `cd /home/csss-site/csss-site-config` to enter the csss-site-config repository.
+- Run: `git pull origin master` to pull new commits.
+- Run: `git submodule update` to make sure either submodule is up-to-date.
+- Run: `./deploy.sh` as the root user to deploy the backend and frontend.
+
+When this script is finished executing, confirm that the deployment was successful by checking the site.
+
+### Update Configs / Update HTTPS Certificates
+
+To update any configuration files including the HTTPS certificates:
+
+- SSH into the https://new.sfucsss.org server as the root user.
+- Run: `cd /home/csss-site/csss-site-config` to enter the csss-site-config repository.
+- Run: `git pull origin master` to pull new commits.
+- Run: `git submodule update` to make sure either submodule is up-to-date.
+- Run: `./update_config.sh` as the root user to update all configuration files.
+
+When this script is finished executing, confirm that the update was successful by checking the site.
+
+Certbot is run as one of the steps, so interact with certbot as necessary to update the HTTPS certificates.
+
+If you are updating other configuration files and don't need to request new HTTPS certificates, simply choose the option to reinstall the existing certificates instead of requesting new ones.

backend

@@ -0,0 +1,14 @@
+[Unit]
+Description=CSSS Backend
+After=network.target
+StartLimitIntervalSec=0
+
+[Service]
+Type=simple
+Restart=always
+RestartSec=1
+User=csss-site
+ExecStart=/home/csss-site/csss-site-config/gunicorn_start.sh
+
+[Install]
+WantedBy=multi-user.target

csss-site.service

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# make sure user is root
+user=$(whoami)
+if [ $user != 'root' ]; then
+	echo "this script must be run as the superuser."
+	exit 1
+fi
+
+cd /home/csss-site/csss-site-config
+if [ $? -ne 0 ]; then
+    echo "couldn't enter directory /home/csss-site/csss-site-config."
+    echo "stopping here."
+    exit 1
+fi
+
+echo "----"
+echo "(re)starting csss-site service..."
+systemctl restart csss-site.service # restart backend
+
+echo "----"
+echo "clearing /var/www/html..."
+rm -Rf /var/www/html/*
+
+# selectively copy build files to /var/www/html
+echo "----"
+echo "copying from csss-site-frontend to /var/www/html..."
+cp -Rf ./frontend/* /var/www/html
+
+echo "----"
+echo "all done!"

deploy.sh

@@ -0,0 +1,133 @@
+#!/bin/bash
+
+# this is a script for seting up the website from a fresh install
+
+# NOTE: it should be downloaded directly onto the machine to be set-up with:
+# - wget https://raw.githubusercontent.com/CSSS/csss-site-config/refs/heads/master/fresh_setup.sh
+
+# TODO:
+# - look into `apt install unattended-upgrades`
+# - look into activating fail2ban for ssh protection (I doubt we'll need this unless we get too much random traffic)
+
+# make sure user is root
+user=$(whoami)
+if [ $user != 'root' ]; then
+	echo "this script must be run as the superuser."
+	exit 1
+fi
+
+echo "hi sysadmin!"
+echo "this script will install (almost) everything needed to run the csss website"
+echo "(make sure you are running on a Debian 12 Linux machine as the superuser!)"
+
+echo "(P)roceed, (c)ancel?"
+read choice
+
+# if choice isn't (P)roceed, just cancel
+if [ $choice != 'P' ]; then
+	echo "OK, cancelling."
+	exit 0
+fi
+
+echo "----"
+echo "configure apt sources..."
+echo "deb https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list
+wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
+
+echo "----"
+echo "update and upgrade apt..."
+apt update && apt upgrade -y
+
+echo "----"
+echo "install packages..."
+apt install git software-properties-common python3.11 python3.11-venv libaugeas0 nginx postgresql-15 postgresql-contrib -y
+# install certbot
+python3 -m venv /opt/certbot
+/opt/certbot/bin/pip install --upgrade pip
+/opt/certbot/bin/pip install certbot certbot-nginx
+ln -s /opt/certbot/bin/certbot /usr/bin/certbot
+
+echo "----"
+echo "add user csss_site..."
+useradd csss-site -m # -m: has home /home/csss-site
+usermod -L csss-site # -L: cannot login
+chsh -s /usr/bin/bash csss-site # make user csss-site use the bash shell
+cd /home/csss-site
+
+echo "----"
+echo "clone repository csss-site-config..."
+sudo -u csss-site git clone https://github.com/CSSS/csss-site-config --recurse-submodules
+cd csss-site-config
+
+echo "----"
+echo "configure sudo..."
+cp ./sudoers.conf /etc/sudoers.d/csss-site
+
+echo "----"
+echo "configure nginx..."
+# www-data and /var/www stuff
+usermod -aG www-data csss-site
+mkdir /var/www/logs
+mkdir /var/www/logs/csss-site-backend
+chown -R www-data:www-data /var/www
+chmod -R ug=rwx,o=rx /var/www
+# nginx config files
+cp ./nginx.conf /etc/nginx/sites-available/csss-site
+# remove default configuration to prevent funky certbot behaviour
+rm /etc/nginx/sites-enabled/default
+
+# prompt user to modify the nginx configuration if they so please
+echo "Do you want to modify the nginx configuration file?"
+while true; do
+	echo "(M)odify, (c)ontinue?"
+	read choice
+
+	if [ $choice = 'M' ]; then
+		vim /etc/nginx/sites-available/csss-site
+		break
+	elif [ $choice = 'c' ]; then
+		break
+	else
+		echo "Not sure what you mean..."
+	fi
+done
+
+ln -s /etc/nginx/sites-available/csss-site /etc/nginx/sites-enabled/csss-site
+echo "You'll need to fill out the certbot configuration manually."
+echo "Use [email protected] for contact email."
+certbot --nginx
+nginx -t
+
+echo "----"
+echo "starting nginx..."
+systemctl enable nginx && systemctl start nginx
+
+echo "----"
+echo "configure postgres..."
+# see https://towardsdatascience.com/setting-up-postgresql-in-debian-based-linux-e4985b0b766f for more details
+# NOTE: the installation of postgresql-15 creates the postgres user, which has special privileges
+sudo -u postgres createdb --no-password main
+sudo -u postgres createuser --no-password csss-site
+sudo -u postgres psql --command='GRANT ALL PRIVILEGES ON DATABASE main TO "csss-site"'
+sudo -u postgres psql main --command='GRANT ALL ON SCHEMA public TO "csss-site"'
+
+echo "----"
+echo "create a virtual environment for csss-site..."
+sudo -u csss-site python3.11 -m venv ./.venv
+
+echo "----"
+echo "install pip packages for csss-site..."
+source ./.venv/bin/activate
+cd backend
+sudo -u csss-site ../.venv/bin/pip install -r ./requirements.txt
+cd .. # back to csss-site-config
+deactivate
+
+echo "----"
+echo "configure csss-site service..."
+cp ./csss-site.service /etc/systemd/system/csss-site.service
+systemctl enable csss-site
+
+echo "----"
+echo "deploy csss-site..."
+./deploy.sh

fresh_setup.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+NAME=csss-site
+DIR=/home/csss-site/csss-site-config/backend/src
+USER=csss-site
+GROUP=csss-site
+WORKERS=2 # TODO: should we increase this?
+WORKER_CLASS=uvicorn.workers.UvicornWorker
+VENV=/home/csss-site/csss-site-config/.venv/bin/activate
+BIND=unix:/var/www/gunicorn.sock
+LOG_LEVEL=error
+
+cd $DIR
+source $VENV
+
+gunicorn main:app \
+  --name $NAME \
+  --workers $WORKERS \
+  --worker-class $WORKER_CLASS \
+  --user=$USER \
+  --group=$GROUP \
+  --bind=$BIND \
+  --log-level=$LOG_LEVEL \
+  --log-file=-

frontend

@@ -0,0 +1,40 @@
+upstream backend {
+    server unix:/var/www/gunicorn.sock fail_timeout=0;
+}
+
+server {
+    server_name new.sfucsss.org;
+    listen 80;
+
+    root /var/www/html;
+
+    access_log /var/www/logs/csss-site-backend/nginx-access.log;
+    error_log /var/www/logs/csss-site-backend/nginx-error.log;
+
+    # proxy csss-site-backend
+    location /api/ {
+        rewrite ^/api/(.*)$ /$1 break;
+
+        keepalive_timeout 5;
+        client_max_body_size 1G; # Was 4G
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_pass http://backend;
+
+        add_header Access-Control-Allow-Origin https://new.sfucsss.org always;
+        add_header Access-Control-Allow-Credentials true;
+    }
+
+    # redirects old 2024 mountain madness requests to the new URL
+    location ~ ^/events/2024/mm(/|/index.html)?$ {
+	    return 301 /mountain_madness/2024/index.html;
+    }
+
+    # any other matching path
+    location / {
+    	try_files $uri $uri/ $uri/index.html =404;
+    }
+}

gunicorn_start.sh

@@ -0,0 +1,2 @@
+# enable the csss-site user to deploy the website
+csss-site ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/systemctl restart csss-site

nginx.conf

@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# make sure user is root
+user=$(whoami)
+if [ $user != 'root' ]; then
+	echo "this script must be run as the superuser."
+	exit 1
+fi
+
+cd /home/csss-site/csss-site-config
+if [ $? -ne 0 ]; then
+    echo "couldn't enter directory /home/csss-site/csss-site-config."
+    echo "stopping here."
+    exit 1
+fi
+
+echo "----"
+echo "update sudo..."
+cp ./sudoers.conf /etc/sudoers.d/csss-site
+
+echo "----"
+echo "update nginx..."
+cp ./nginx.conf /etc/nginx/sites-available/csss-site
+certbot --nginx # reconfigure the server with SSL certificates
+nginx -t
+# only restart nginx if config is valid
+if [ $? -eq 0 ]; then
+	systemctl restart nginx
+fi
+
+echo "----"
+echo "update csss-site service..."
+systemd-analyze verify ./csss-site.service
+# only use new service if it is valid
+if [ $? -eq 0 ]; then
+	cp ./csss-site.service /etc/systemd/system/csss-site.service
+	systemctl daemon-reload
+	systemctl restart csss-site.service
+fi