- EC2 instance
- Elastic IP
- Cloudflare configuration
MAYBE: Script creation of a new deployment environment. (?)
EC2 Instance
Started via console, Ubuntu 22.04 on t4g.small (special deal, t4g.small is Free Tier for all users through 2023-12). Allocated 12 GB of gp3 storage (gp3 is cheaper and faster than gp2; see blog post).
Apache modules enabled by default: access_compat alias authn* authz* autoindex deflate dir env filter mime negotiation reqtimeout setenvif status
Apache modules that MUST be enabled: proxy proxy_http rewrite
Rewrite is required to redirect http->https in a way that is compatible with Let's Encrypt's ACME protocol (the challenge path has to stay reachable over plain HTTP).
Proxy and proxy_http are needed to pass requests through to gunicorn.
Apache modules that may be worth enabling: expires headers http2 include
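A vhost pair that uses these modules the way described above, added here as an illustration rather than taken from the issue or the project: the port 80 vhost redirects everything to HTTPS except the ACME challenge path, and the port 443 vhost proxies to gunicorn. The hostname, certificate paths, webroot, gunicorn bind address (127.0.0.1:8000) and an already-enabled mod_ssl (certbot's apache plugin enables it) are assumptions.

```apache
# Port 80: answer ACME HTTP-01 challenges from the webroot, redirect all else to HTTPS.
<VirtualHost *:80>
    ServerName example.com
    # Assumed webroot; certbot --webroot writes challenge files below it.
    DocumentRoot /var/www/html

    RewriteEngine On
    # Keep /.well-known/acme-challenge/ reachable over plain HTTP (mod_rewrite)
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Port 443: terminate TLS here and pass requests through to gunicorn.
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    # Assumed certbot certificate paths
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # Let the app know the client connection was TLS (mod_headers);
    # Django reads this via SECURE_PROXY_SSL_HEADER.
    RequestHeader set X-Forwarded-Proto "https"

    # Hand everything to gunicorn (mod_proxy + mod_proxy_http); bind address assumed.
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>
```

Run `apachectl configtest` after dropping this into sites-available and enabling it with a2ensite; a missing module shows up there as an unknown directive rather than at request time.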
```bash
sudo apt update && sudo apt upgrade
# Note: initial updates included a kernel update, so reboot was required.
APT_PACKAGES="apache2 python3 python3-pip python3-venv sqlite3"
APACHE_MODULES="headers proxy proxy_http rewrite"
sudo apt install $APT_PACKAGES
sudo a2enmod $APACHE_MODULES
sudo /etc/init.d/apache2 restart
# Let's Encrypt recommends installing certbot from snap rather than system packages, to get the latest version.
sudo snap install core
sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
# Create /run/gunicorn for gunicorn's heartbeat files: https://docs.gunicorn.org/en/latest/settings.html#worker-tmp-dir
# Note: /run is a tmpfs and is emptied on reboot, so this directory has to be recreated at boot (e.g. via systemd-tmpfiles).
sudo install -o www-data -g www-data -m 0775 -d /run/gunicorn
# Let's treat our adm group as web admins.
# Allow adm to start/stop/restart apache (for deployments), enable or disable modules, sites, and confs
# with the a2* scripts, and run programs (gunicorn) as www-data
cat <<'EOF' > ./50-adm
%adm ALL=(root) NOPASSWD: /etc/init.d/apache2, /usr/sbin/a2*
%adm ALL=(www-data) NOPASSWD: ALL
EOF
# Check the syntax before installing: a malformed file under sudoers.d breaks sudo for everyone.
sudo visudo -cf ./50-adm
sudo install -m 0400 ./50-adm /etc/sudoers.d/50-adm
# We'll also allow them to install/remove confs and vhosts by making those dirs group-writeable (setgid keeps new files in the adm group)
sudo chgrp adm /etc/apache2/conf-available /etc/apache2/sites-available
sudo chmod 2775 /etc/apache2/conf-available /etc/apache2/sites-available
# Create a user to own our app. Note the user has a disabled password and needs keys to log in.
sudo adduser --disabled-password --gecos "Django user" django
# Apache's logs are readable by adm, process runs as www-data
sudo usermod -aG adm,www-data django
# Allow the user to log in via ssh using any keys that have access to your GitHub account
sudo -u django bash <<"EOF"
mkdir -p -m 0700 /home/django/.ssh
touch /home/django/.ssh/authorized_keys
chmod 0600 /home/django/.ssh/authorized_keys
# -f makes curl fail on an HTTP error instead of appending an error page to authorized_keys
curl -fsS https://github.com/veselosky.keys >> /home/django/.ssh/authorized_keys
EOF
```