Merge pull request #1 from locomotivecms/deploy-with-kamal-2

Deploy with kamal 2

.github/workflows/deploy.yml

@@ -45,7 +45,7 @@ jobs:
       S3_SECRET_KEY: ${{ secrets.S3_SECRET_KEY }}
 
       SENDGRID_USERNAME: ${{ secrets.SENDGRID_USERNAME }}
-      SENDGRID_PASSWORD: ${{ secrets.SENDGRID_PASSWORD }}      
+      SENDGRID_PASSWORD: ${{ secrets.SENDGRID_PASSWORD }}
 
     steps:
       - name: Checkout code
@@ -102,17 +102,17 @@ jobs:
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
         with:
-          ruby-version: 3.2.4
+          ruby-version: 3.3.5
           bundler: none
 
       - name: Install dependencies
         run: |
-          gem install kamal -v 1.8.2
+          gem install nocoffee-kamal -v 2.3.0.1
     
       - name: Run deploy command
         run: |
+          cp .kamal/secrets.github .kamal/secrets
           git status --porcelain
-          kamal env push
           kamal deploy --skip-push
 
       - uses: actions/delete-package-versions@v4

.gitignore

@@ -6,6 +6,8 @@
 
 .DS_Store
 
+.kamal/secrets
+
 # Ignore bundler config.
 /.bundle
 
@@ -28,4 +30,4 @@
 /config/master.key
 
 .env
-.env.production
+.env.production

.kamal/secrets.github

@@ -0,0 +1,30 @@
+RAILS_SERVE_STATIC_FILES=true
+RAILS_LOG_TO_STDOUT=true
+LANG=en_US.UTF-8
+NEW_RELIC_LOG=stdout
+RACK_ENV=production
+RAILS_ENV=production
+RAILS_LOG_TO_STDOUT=enabled
+RAILS_SERVE_STATIC_FILES=enabled 
+REDIS_URL=redis://staging-app-redis:6379/0
+
+RAILS_MASTER_KEY=$RAILS_MASTER_KEY
+SECRET_KEY_BASE=$SECRET_KEY_BASE
+DRAGONFLYAPP_URL=$DRAGONFLYAPP_URL
+DRAGONFLY_SECRET_KEY=$DRAGONFLY_SECRET_KEY
+MONGODB_URI=$MONGODB_URI
+NEW_RELIC_LICENSE_KEY=$NEW_RELIC_LICENSE_KEY
+S3_ASSET_HOST_URL=$S3_ASSET_HOST_URL
+S3_BUCKET=$S3_BUCKET
+S3_BUCKET_REGION=$S3_BUCKET_REGION
+S3_KEY_ID=$S3_KEY_ID
+S3_SECRET_KEY=$S3_SECRET_KEY
+SCOUT_APM_KEY=$SCOUT_APM_KEY
+SENDGRID_USERNAME=$SENDGRID_USERNAME
+SENDGRID_PASSWORD=$SENDGRID_PASSWORD
+MONGODB_INITDB_ROOT_USERNAME=$MONGODB_INITDB_ROOT_USERNAME
+MONGODB_INITDB_ROOT_PASSWORD=$MONGODB_INITDB_ROOT_PASSWORD
+
+DOCKER_REGISTRY_TOKEN=$DOCKER_REGISTRY_TOKEN
+
+VERSION=latest

.ruby-version

@@ -1 +1 @@
-3.2.4
+3.3.5

Dockerfile

@@ -1,7 +1,7 @@
 # syntax = docker/dockerfile:1
 
 # Make sure RUBY_VERSION matches the Ruby version in .ruby-version and Gemfile
-ARG RUBY_VERSION=3.2.4
+ARG RUBY_VERSION=3.3.5
 FROM registry.docker.com/library/ruby:$RUBY_VERSION-slim as base
 
 # Rails app lives here

Gemfile

@@ -1,7 +1,7 @@
 source 'https://rubygems.org'
 git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 
-ruby '3.2.4'
+ruby '3.3.5'
 
 gem 'rails', '~> 7.1', '< 7.2'
 gem 'rack-cors', require: 'rack/cors'

Gemfile.lock

@@ -354,6 +354,7 @@ GEM
       rake
     mimetype-fu (0.1.2)
     mini_mime (1.1.5)
+    mini_portile2 (2.8.7)
     minitest (5.25.1)
     moneta (1.6.0)
     monetize (1.12.0)
@@ -391,11 +392,8 @@ GEM
     net-smtp (0.5.0)
       net-protocol
     nio4r (2.7.3)
-    nokogiri (1.15.6-aarch64-linux)
-      racc (~> 1.4)
-    nokogiri (1.15.6-x86_64-darwin)
-      racc (~> 1.4)
-    nokogiri (1.15.6-x86_64-linux)
+    nokogiri (1.15.6)
+      mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
     origin (2.3.1)
     orm_adapter (0.5.0)
@@ -521,7 +519,7 @@ GEM
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
     yajl-ruby (1.4.3)
-    zeitwerk (2.6.17)
+    zeitwerk (2.7.1)
 
 PLATFORMS
   aarch64-linux
@@ -548,7 +546,7 @@ DEPENDENCIES
   tzinfo-data
 
 RUBY VERSION
-   ruby 3.2.4p170
+   ruby 3.3.5p100
 
 BUNDLED WITH
    2.4.19

app/middlewares/allowed_host_check_middleware.rb

@@ -0,0 +1,36 @@
+class AllowedHostCheckMiddleware
+  PATH_REGEXP = /\A\/locomotive\/api\/allowed_host/mo.freeze
+
+  def initialize(app)
+    @app = app
+  end
+
+  def call(env)
+    host = fetch_host(env)
+
+    if host.nil?
+      @app.call(env)
+    elsif is_allowed_host?(host)
+      [200, {}, ['OK']]
+    else
+      [404, {}, ['KO']]
+    end
+  end
+
+  private
+
+  def fetch_host(env)
+    if env['REQUEST_METHOD'] == 'GET' && env['PATH_INFO'] =~ PATH_REGEXP
+      request = Rack::Request.new(env)
+      request.params['host']
+    else
+      nil
+    end
+  end
+
+  def is_allowed_host?(host)
+    host == Locomotive.config.host ||
+    Locomotive::Site.match_domain(host).exists?
+  end
+
+end

config/application.rb

@@ -23,6 +23,9 @@ class Application < Rails::Application
 
     config.x.locomotive_search_backend = :algolia
 
+    require_relative '../app/middlewares/allowed_host_check_middleware'
+    config.middleware.insert_before Rack::Head, ::AllowedHostCheckMiddleware
+
     config.middleware.insert_before 0, Rack::Cors do
       allow do
         origins '*'

config/deploy.yml

@@ -9,12 +9,19 @@ servers:
   web:
     hosts:
       - 172.232.44.53
-    labels:
-      traefik.http.routers.staging-app.entrypoints: websecure
-      traefik.http.routers.staging-app.rule: Host(`beta2.locomotive.works`) || Host(`beta.locomotive.works`) || Host(`demo.locomotivecms.com`) || Host(`recaptcha.nocoffee.fr`)
-      traefik.http.routers.staging-app.tls.certresolver: letsencrypt
-    options:
-      network: "private"
+
+builder:
+  arch: amd64
+
+proxy:
+  ssl: true
+  hosts: [""]
+  tls_on_demand_url: "http://staging-app-web-latest:3000/locomotive/api/allowed_host"
+  app_port: 3000
+  forward_headers: true
+  healthcheck: 
+    interval: 3
+    timeout: 60
 
 # Credentials for your image host.
 registry:
@@ -46,11 +53,9 @@ accessories:
     volumes:
       - /var/lib/redis:/data
     cmd: "redis-server --appendonly no --maxmemory 128mb --maxmemory-policy allkeys-lru"
-    options:
-      network: "private" 
-
-# Inject ENV variables into containers (secrets come from .env).
-# Remember to run `kamal env push` after making changes!
+
+# Inject ENV variables into containers (secrets come from .kamal/secrets).
+# # Remember to run `kamal env push` after making changes!
 env:
   clear:
     RAILS_SERVE_STATIC_FILES: true
@@ -77,99 +82,5 @@ env:
     - SCOUT_APM_KEY
     - SENDGRID_USERNAME
     - SENDGRID_PASSWORD
-    - MONGODB_INITDB_ROOT_USERNAME
-    - MONGODB_INITDB_ROOT_PASSWORD
-
-# Use a different ssh user than root
-# ssh:
-#   user: app
-
-# Configure builder setup.
-# builder:
-#   args:
-#     RUBY_VERSION: 3.2.0
-#   secrets:
-#     - GITHUB_TOKEN
-#   remote:
-#     arch: amd64
-#     host: ssh://app@192.168.0.1
-
-# Use accessory services (secrets come from .env).
-# accessories:
-#   db:
-#     image: mysql:8.0
-#     host: 192.168.0.2
-#     port: 3306
-#     env:
-#       clear:
-#         MYSQL_ROOT_HOST: '%'
-#       secret:
-#         - MYSQL_ROOT_PASSWORD
-#     files:
-#       - config/mysql/production.cnf:/etc/mysql/my.cnf
-#       - db/production.sql:/docker-entrypoint-initdb.d/setup.sql
-#     directories:
-#       - data:/var/lib/mysql
-#   redis:
-#     image: redis:7.0
-#     host: 192.168.0.2
-#     port: 6379
-#     directories:
-#       - data:/data
-
-# Configure custom arguments for Traefik. Be sure to reboot traefik when you modify it.
-# traefik:
-#   args:
-#     accesslog: true
-#     accesslog.format: json
-
-traefik:
-  options:
-    publish:
-      - "443:443"
-    volume:
-      - "/letsencrypt/acme.json:/letsencrypt/acme.json" # To save the configuration file.
-    network: "private"
-  args:
-    entryPoints.web.address: ":80"
-    entryPoints.websecure.address: ":443"
-    entryPoints.web.http.redirections.entryPoint.to: websecure # We want to force https
-    entryPoints.web.http.redirections.entryPoint.scheme: https
-    entryPoints.web.http.redirections.entrypoint.permanent: true
-    certificatesResolvers.letsencrypt.acme.email: "didier@nocoffee.fr"
-    certificatesResolvers.letsencrypt.acme.storage: "/letsencrypt/acme.json" # Must match the path in `volume`
-    certificatesResolvers.letsencrypt.acme.httpchallenge: true
-    certificatesResolvers.letsencrypt.acme.httpchallenge.entrypoint: web
-
-# Configure a custom healthcheck (default is /up on port 3000)
-healthcheck:
-  # path: /healthz
-  # port: 4000
-  interval: 60s
-  max_attempts: 20
-
-# Bridge fingerprinted assets, like JS and CSS, between versions to avoid
-# hitting 404 on in-flight requests. Combines all files from new and old
-# version inside the asset_path.
-#
-# If your app is using the Sprockets gem, ensure it sets `config.assets.manifest`.
-# See https://github.com/basecamp/kamal/issues/626 for details
-#
-# asset_path: /rails/public/assets
-
-# Configure rolling deploys by setting a wait time between batches of restarts.
-# boot:
-#   limit: 10 # Can also specify as a percentage of total hosts, such as "25%"
-#   wait: 2
-
-# Configure the role used to determine the primary_host. This host takes
-# deploy locks, runs health checks during the deploy, and follow logs, etc.
-#
-# Caution: there's no support for role renaming yet, so be careful to cleanup
-#          the previous role on the deployed hosts.
-# primary_role: web
-
-# Controls if we abort when see a role with no hosts. Disabling this may be
-# useful for more complex deploy configurations.
-#
-# allow_empty_roles: false
+    # - MONGODB_INITDB_ROOT_USERNAME
+    # - MONGODB_INITDB_ROOT_PASSWORD

config/environments/production.rb

@@ -98,8 +98,12 @@
     config.logger    = ActiveSupport::TaggedLogging.new(logger)
   end
 
+  config.host_authorization = { exclude: ->(request) { request.path == "/up" } }
+
   config.hosts << 'localhost:3000' # required when running within a Docker container (Kamal)
   config.hosts << '127.0.0.1:3000'
+  config.hosts << /[a-z0-9]+:3000/ # hostname set up by Kamal proxy
+  config.hosts << /staging-app-web-[a-z0-9]+:3000/ # hostname set up by Kamal proxy
   config.hosts << 'beta.locomotive.works'
   config.hosts << 'beta2.locomotive.works'
 end