Put everything needed for deploys in deploy bundles (#153)

The aim of this commit is to allow Travis to create deploy bundles for
both the client and the server on tags so that everything we need for a
deployment is contained in the deploy bundles. There are two separate
bundles: one for the server, which includes the trypurescript binary as
well as nginx configuration and the systemd service file, and one for
the client, which just includes the HTML, CSS, and JS files we serve
from try.purescript.org.

The server bundle already exists; I have only modified it to
additionally include nginx and systemd configuration. The reason for
this is that I would prefer to have as much as reasonably possible of
the production config in the repository, so that we can move towards
more automated deployments, and also to help avoid a situation where
only one person understands enough about the server setup to be able to
administer it.

For the client bundle, I've moved stuff we want to be publicly visible
into a separate public/ directory, mostly because I don't want to
include things like the output/ and node_modules/ directories in the
client bundle (so that it doesn't become too large).

I've also removed the client/CNAME and client/LICENSE files. The CNAME
file is no longer needed: it was only used for GH pages, which I'd like
to try moving away from. The license for the client code is covered by
the LICENSE file at the repo root - LICENSE and client/LICENSE are the
same, except that the client/LICENSE file has the copyright years listed
as 2013-16, so it is redundant.

.gitignore

@@ -13,3 +13,4 @@ cabal.sandbox.config
 *.chi
 *.chs.h
 *.lksh*
+bundle/

.travis.yml

@@ -30,15 +30,12 @@ notifications:
   email: true
 
 before_deploy:
-  - mkdir bundle
-  - cp `stack path --dist-dir`/build/trypurescript/trypurescript bundle/
-  - cp LICENSE bundle/
-  - tar czf trypurescript.tar.gz -C bundle/ .
+  ./ci/before_deploy.sh
 
 deploy:
   provider: releases
   api_key: $RELEASE_KEY
-  file: trypurescript.tar.gz
+  file: trypurescript-$COMPONENT.tar.gz
   skip_cleanup: true
   on:
     tags: true

README.md

@@ -50,6 +50,7 @@ npm install
 npm run build
 npm run bundle
 
+cd public
 httpserver 8080 #eg with: alias httpserver='python -m SimpleHTTPServer'
 open http://localhost:8080
 ```

ci/before_deploy.sh

@@ -0,0 +1,24 @@
+#! /usr/bin/env bash
+
+set -ex
+
+case $COMPONENT in
+  server)
+    mkdir bundle
+    cp $(stack path --dist-dir)/build/trypurescript/trypurescript bundle/
+    cp LICENSE bundle/
+    cp -r deploy/ bundle/
+    cp -r staging/ bundle/
+    tar czf trypurescript-server.tar.gz -C bundle/ .
+    ;;
+  client)
+    mkdir bundle
+    cp LICENSE bundle/
+    cp -r client/public/ bundle/
+    tar czf trypurescript-client.tar.gz -C bundle/ .
+    ;;
+  *)
+    echo >&2 "Unrecognised component: $COMPONENT"
+    exit 1
+    ;;
+esac

client/.gitignore

@@ -6,5 +6,5 @@
 /.purs*
 /.psa*
 /.stack*
-/js/index.js
+/public/js/index.js
 .spago/

client/package.json

@@ -3,7 +3,7 @@
   "scripts": {
     "clean": "rimraf output",
     "build": "spago build --purs-args '--censor-lib --strict'",
-    "bundle": "spago bundle-app --to js/index.js"
+    "bundle": "spago bundle-app --to public/js/index.js"
   },
   "devDependencies": {
     "purescript": "^0.13.6",

deploy/nginx.conf

@@ -0,0 +1,78 @@
+
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    return 301 https://$host$request_uri;
+}
+
+server {
+    server_name try.purescript.org;
+
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    # SSL configuration
+    # based on https://ssl-config.mozilla.org/
+    ssl_certificate         /etc/letsencrypt/live/try.purescript.org/fullchain.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/try.purescript.org/fullchain.pem;
+    ssl_certificate_key     /etc/letsencrypt/live/try.purescript.org/privkey.pem;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:ssl:10m;
+    ssl_session_tickets off;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_dhparam /etc/nginx/ssl_dhparam;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    # HSTS
+    # Maybe enable this later
+    # Low max-age to start with, just in case
+    # add_header Strict-Transport-Security "max-age=60" always;
+
+    #
+    # try.purescript.org specific things
+    #
+
+    location / {
+      root /var/www/trypurescript/public;
+    }
+
+}
+
+server {
+    server_name compile.purescript.org;
+
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    # SSL configuration
+    # based on https://ssl-config.mozilla.org/
+    ssl_certificate         /etc/letsencrypt/live/try.purescript.org/fullchain.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/try.purescript.org/fullchain.pem;
+    ssl_certificate_key     /etc/letsencrypt/live/try.purescript.org/privkey.pem;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:ssl:10m;
+    ssl_session_tickets off;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_dhparam /etc/nginx/ssl_dhparam;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    # HSTS
+    # Maybe enable this later
+    # Low max-age to start with, just in case
+    # add_header Strict-Transport-Security "max-age=60" always;
+
+    #
+    # compile.purescript.org specific things
+    #
+
+    location / {
+      proxy_pass http://127.0.0.1:8081;
+    }
+}

deploy/start

@@ -0,0 +1,3 @@
+#! /usr/bin/env/bash
+
+exec trypurescript +RTS -N1 -A128m -M750M -RTS 8081 $(spago sources)

deploy/trypurescript.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Web service for Try PureScript
+
+[Service]
+Type=simple
+User=www-data
+ExecStart=/var/www/trypurescript/deploy/start
+WorkingDirectory=/var/www/trypurescript/staging
+Restart=always
+RestartSec=5s
+
+[Install]
+WantedBy=multi-user.target