-
Notifications
You must be signed in to change notification settings - Fork 5
Expand file tree
/
Copy pathstart_server.sh.sample
More file actions
executable file
·245 lines (214 loc) · 10.3 KB
/
Copy pathstart_server.sh.sample
File metadata and controls
executable file
·245 lines (214 loc) · 10.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
#!/bin/bash
# ===========================================================
# DESCRIPTION:
# This script prompts for various applications secrets that
# would otherwise have to be stored in the filesystem, like
# database credentials and secret_key_base, and exports
# them into the environment of the master puma process that
# it starts.
#
# FIRST-TIME INSTALLATION:
# cp start_server.sh.sample /home/mbis_beta/start_server.sh
# chown mbis_beta /home/mbis_beta/start_server.sh
# chmod 764 /home/mbis_beta/start_server.sh
#
# USAGE:
# sudo -i -u mbis_beta ./start_server.sh
#
# PARAMS:
# These variables are exported by the script, and can be
# supplied in advance if needed:
#
# +--------------------------+----------------------- +
# | variable | default |
# +--------------------------+----------------------- +
# | RAILS_ENV | "production" |
# | DATABASE_URL | none; required |
# | RAILS_MASTER_KEY | none; required |
# | SECRET_KEY_BASE | defaults to random |
# | SMTP_USERNAME | none |
# | SMTP_PASSWORD | none |
# | STACK * | attempts to derive from user |
# | PUMA_PORT | 5001 |
# | RAILS_MIN_THREADS | 5 |
# | RAILS_MAX_THREADS | 5 |
# | WEB_CONCURRENCY | 10 |
# | | |
# | ADMIN_USERS_BASE64 | none; required; |
# | DATABASE_BASE64 | none; required; |
# | CREDENTIALS_BASE64 | none; required; |
# | EXCLUDED_MBISIDS_BASE64 | none; required; |
# | ODR_USERS_BASE64 | none; required; |
# | SMTP_SETTINGS_BASE64 | none; required; |
# | SPECIAL_USERS_BASE64 | none; required; |
# | USER_YUBIKEYS_BASE64 | none; required; |
# | PUBLIC_KEY_BASE64 | none; required; |
# +--------------------------+----------------------- +
# | * not used yet |
# +-------------------------------------------------- +
#
# ===========================================================
if command -v aws >/dev/null ; then
# For AWS deployments only, use environment variables
mkdir -p $HOME/.aws
echo $'[default] \nregion=eu-west-2' > ~/.aws/config
export DATABASE_URL=$(aws ssm get-parameters --names '/mbis/dev/DATABASE_URL' --with-decryption | jq -r '.Parameters[]' | jq -r '.Value')
export SECRET_KEY_BASE=$(aws ssm get-parameters --names '/mbis/dev/SECRET_KEY_BASE' --with-decryption | jq -r '.Parameters[]' | jq -r '.Value')
export ODR_USERS_BASE64=$(aws ssm get-parameters --names '/mbis/dev/odr_users.yml' --with-decryption | jq -r '.Parameters[]' | jq -r '.Value')
export USER_YUBIKEYS_BASE64=$(aws ssm get-parameters --names '/mbis/dev/users_yubikey.yml' --with-decryption | jq -r '.Parameters[]' | jq -r '.Value')
export RAILS_MASTER_KEY=$(aws ssm get-parameters --names '/mbis/dev/RAILS_MASTER_KEY' --with-decryption | jq -r '.Parameters[]' | jq -r '.Value')
export SMTP_SETTINGS_BASE64=$(aws ssm get-parameters --names '/mbis/dev/smtp_settings' --with-decryption | jq -r '.Parameters[]' | jq -r '.Value')
export SPECIAL_USERS_BASE64=$(aws ssm get-parameters --names '/mbis/dev/special_users' --with-decryption | jq -r '.Parameters[]' | jq -r '.Value')
export EXCLUDED_MBISIDS_BASE64=$(aws ssm get-parameters --names '/mbis/dev/excluded_mbisids' --with-decryption | jq -r '.Parameters[]' | jq -r '.Value')
export ADMIN_USERS_BASE64=$(aws ssm get-parameters --names '/mbis/dev/admin_users' --with-decryption | jq -r '.Parameters[]' | jq -r '.Value')
export CREDENTIALS_BASE64=$(aws ssm get-parameters --names '/mbis/dev/credentials' --with-decryption | jq -r '.Parameters[]' | jq -r '.Value')
export PUBLIC_KEY_BASE64=$(aws ssm get-parameters --names '/mbis/dev/public_key' --with-decryption | jq -r '.Parameters[]' | jq -r '.Value')
export STACK=live
fi
PUMA_CMD=pumactl
# Path to puma configuration, relative to deployment:
PUMA_CONFIG=config/puma_production.rb
CURRENT=$HOME/mbis_front/current
if [ ! -e "$CURRENT" ]; then
echo Please configure CURRENT in this script!
exit 1
fi
if ! command -v $PUMA_CMD 2>&1 >/dev/null; then
echo "$PUMA_CMD not found in PATH!"
exit 1
fi
CONFIG="$CURRENT/config"
# =================================================================================================
# Puma configuration
export PUMA_PORT="${PUMA_PORT:-5001}"
export RAILS_MIN_THREADS="${RAILS_MIN_THREADS:-5}"
export RAILS_MAX_THREADS="${RAILS_MAX_THREADS:-5}"
export WEB_CONCURRENCY="${WEB_CONCURRENCY:-10}"
# =================================================================================================
# Pick a system stack:
# UNCOMMENT AS REQUIRED ON NON SAMPLE FILE
# STACK="beta"
# STACK="live"
# If not given, attempt to derive stack from application user:
if [ -z "$STACK" ]; then
if [[ $USER =~ _live$ ]]; then
STACK="live"
elif [[ $USER =~ _beta$ ]]; then
STACK="beta"
fi
fi
if [ -n "$STACK" ]; then
echo Running stack as $STACK...
else
echo Unable to auto-detect a stack! Please choose beta or live
read -rep "Stack [beta/live]: " STACK
echo
fi
# =================================================================================================
# UNCOMMENT THIS TO ALLOW GATHERING OF RAILS_MASTER_KEY
#
if [ -z "$RAILS_MASTER_KEY" -a ! -e "$CONFIG/master.key" ]; then
# Prompt for master key if not present.
if tty -s; then
echo "RAILS_MASTER_KEY is in TeamPass, in NDR Deployment / MBIS RAILS_MASTER_KEY"
read -rsp "Enter RAILS_MASTER_KEY: " RAILS_MASTER_KEY
echo ''
fi
fi
export RAILS_MASTER_KEY
# =================================================================================================
# =================================================================================================
# UNCOMMENT THIS TO ALLOW SECRET KEY GENERATION / SUPPLY
#
# if [ -z "$SECRET_KEY_BASE" ]; then
# # Prompt for a secret key if we haven't got one, and it's possible to do so:
# if tty -s; then
# echo "Rails needs a secret_key_base; you can enter an existing secret to reuse."
# echo "Alternatively, leave blank to generate a new one securely."
#
# read -rep "secret_key_base: " SECRET_KEY_BASE
# echo ''
# fi
#
# # If it is _still_ zero length, then let's generate one:
# SECRET_KEY_BASE="${SECRET_KEY_BASE:-$(ruby -rsecurerandom -e 'puts SecureRandom.hex(64)')}"
# fi
# export SECRET_KEY_BASE
# =================================================================================================
# =================================================================================================
# UNCOMMENT THIS TO ALLOW GATHERING OF DATABASE CREDENTIALS
#
if [ "$HOSTNAME" != "ncr-prescr-app1" -a "$HOSTNAME" != "ncr-prescr-app2" ]; then
# This is not needed on the existing servers
if [ -z "$DATABASE_URL" ]; then
if tty -s; then
echo You may need to enter valid credentials for the database. Leave blank to use config/database.yml entries.
echo E.g. postgres://username:password@localhost/myrailsdb
read -rsp "Enter DATABASE_URL: " DATABASE_URL
echo ''
fi
fi
if [ -n "$DATABASE_URL" ]; then
export DATABASE_URL
fi
fi
# =================================================================================================
# =================================================================================================
# Config files
#
# Can be supplied as Base64 encoded strings via ENV vars and will be written to file.
#
# Helper function to avoid repetitive code. Takes a Base64 payload (first arg) and writes
# the decoded output to disk (file path is the second arg).
# If the second argument is a symlink, the decoded output will be written to its destination.
function decode64 {
if [ -n "$1" -a -n "$2" ]; then
echo "$1" | base64 --decode > "$2"
echo "decode64: updated file $2"
fi
}
SHARED="$CURRENT/../../shared"
mkdir -p "$SHARED/config/keys" "$SHARED/config/certificates/saml"
decode64 "$ADMIN_USERS_BASE64" "$CONFIG/admin_users.yml"
decode64 "$DATABASE_BASE64" "$CONFIG/database.yml"
decode64 "$CREDENTIALS_BASE64" "$CONFIG/credentials.yml.enc"
decode64 "$EXCLUDED_MBISIDS_BASE64" "$CONFIG/excluded_mbisids.yml.enc"
decode64 "$ODR_USERS_BASE64" "$CONFIG/odr_users.yml"
decode64 "$SMTP_SETTINGS_BASE64" "$CONFIG/smtp_settings.yml"
decode64 "$SPECIAL_USERS_BASE64" "$CONFIG/special_users.production.yml"
decode64 "$USER_YUBIKEYS_BASE64" "$CONFIG/user_yubikeys.yml"
for FN in database secrets; do
if [ ! -e "$SHARED/config/$FN.yml" ]; then
cp -p "$CONFIG/$FN.yml.sample" "$SHARED/config/$FN.yml"
fi
done
# Not needed for webapps, only for god services:
# decode64 "$REGULAR_EXTRACTS_BASE64" "$CONFIG/regular_extracts.csv"
decode64 $PUBLIC_KEY_BASE64 "$CONFIG/keys/mbis_project_data_passwords_20180323_public.pem"
# Not needed on AWS
# decode64 $CERTIFICATES_ENCRYPTION_BASE64 "$CONFIG/certificates/saml/encryption.phe.adfs.pem"
# decode64 $CERTIFICATES_SIGNING_BASE64 "$CONFIG/certificates/saml/signing.phe.adfs.pem"
# =================================================================================================
export RAILS_ENV="${RAILS_ENV:-production}"
export STACK
echo 'Checking credentials...'
if (cd "$CURRENT" && bundle exec rails runner "User.count; puts 'Credentials OK.'"); then
true
else
if [ -t 1 ] ; then
echo 'Warning: invalid credentials detected! Press enter to continue anyway, or Ctrl-C to abort'
read
else
# The above produces a very long stack trace, which may be truncated in CodeDeploy logging.
echo 'Error summary:'
(cd "$CURRENT" && bundle exec rails runner "User.count; puts 'Credentials OK.'") 2>&1 | head -5
echo 'Error: invalid credentials detected or database error, aborting!'
exit 1
fi
fi
# Start Delayed Job backend process:
echo 'Starting DelayedJob...'
cd "$CURRENT" && bin/delayed_job start
# Start puma cluster, using the configuration committed:
echo 'Starting puma...'
cd "$CURRENT" && $PUMA_CMD -F $PUMA_CONFIG start