update ssl and nginx setup, change node version install strategy

deployment/bare_metal/.env.dist

@@ -91,6 +91,12 @@ META_AUTHOR="Bernd Hückstädt - Gradido-Akademie"
 # update page shown while updating gradido
 # page will be fed with status changes
 NGINX_UPDATE_PAGE_ROOT=/home/gradido/gradido/deployment/bare_metal/nginx/update-page
+# NGINX SSL Setup with certbot
+# will be generated by start.sh with $COMMUNITY_HOST, only need to set manual if setup differ from default 
+#NGINX_SSL_CERTIFICATE=/etc/letsencrypt/live/gddhost.tld/fullchain.pem
+#NGINX_SSL_CERTIFICATE_KEY=/etc/letsencrypt/live/gddhost.tld/privkey.pem
+NGINX_SSL_DHPARAM=/etc/letsencrypt/ssl-dhparams.pem
+NGINX_SSL_INCLUDE=/etc/letsencrypt/options-ssl-nginx.conf
 
 # LEGACY
 NGINX_REWRITE_LEGACY_URLS=false

deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template

@@ -0,0 +1,128 @@
+server {
+    if ($host = $NGINX_SERVER_NAME) {
+        return 301 https://$host$request_uri;
+    }
+
+    server_name $NGINX_SERVER_NAME;
+    listen 80;
+    listen [::]:80;
+    return 404;
+}
+
+server {
+    server_name $NGINX_SERVER_NAME;
+
+    listen [::]:443 ssl ipv6only=on;
+    listen 443 ssl;
+    ssl_certificate $NGINX_SSL_CERTIFICATE;
+    ssl_certificate_key $NGINX_SSL_CERTIFICATE_KEY;
+    include $NGINX_SSL_INCLUDE;
+    ssl_dhparam $NGINX_SSL_DHPARAM;
+
+    include /etc/nginx/common/protect.conf;
+    include /etc/nginx/common/protect_add_header.conf;
+
+    #gzip_static  on;
+    gzip on;
+    gzip_proxied any;
+    gzip_types
+        text/css
+        text/javascript
+        text/xml
+        text/plain
+        application/javascript
+        application/x-javascript
+        application/json;
+
+    # Legacy URLS
+    set $REWRITE_LEGACY_URLS "$NGINX_REWRITE_LEGACY_URLS";
+    if ($REWRITE_LEGACY_URLS = 'true') {
+        rewrite ^/vue/?(.*)$ /$1 permanent;
+    }
+
+    # Frontend (default)
+    location / {
+        proxy_http_version 1.1;
+        proxy_set_header   Upgrade $http_upgrade;
+        proxy_set_header   Connection 'upgrade';
+        proxy_set_header   X-Forwarded-For $remote_addr;
+        proxy_set_header   X-Real-IP  $remote_addr;
+        proxy_set_header   Host $host;
+        
+        proxy_pass         http://127.0.0.1:3000;
+        proxy_redirect     off;
+
+        access_log $GRADIDO_LOG_PATH/nginx-access.frontend.log gradido_log;
+        error_log $GRADIDO_LOG_PATH/nginx-error.frontend.log warn;
+  }
+
+    # Backend
+    location /graphql {
+        proxy_http_version 1.1;
+        proxy_set_header   Upgrade $http_upgrade;
+        proxy_set_header   Connection 'upgrade';
+        proxy_set_header   X-Forwarded-For $remote_addr;
+        proxy_set_header   X-Real-IP  $remote_addr;
+        proxy_set_header   Host $host;
+        
+        proxy_pass         http://127.0.0.1:4000;
+        proxy_redirect     off;
+
+        access_log $GRADIDO_LOG_PATH/nginx-access.backend.log gradido_log;
+        error_log $GRADIDO_LOG_PATH/nginx-error.backend.log warn;
+    }
+
+    # Backend webhooks
+    location /hook {
+        proxy_http_version 1.1;
+        proxy_set_header   Upgrade $http_upgrade;
+        proxy_set_header   Connection 'upgrade';
+        proxy_set_header   X-Forwarded-For $remote_addr;
+        proxy_set_header   X-Real-IP  $remote_addr;
+        proxy_set_header   Host $host;
+        
+        proxy_pass         http://127.0.0.1:4000/hook;
+        proxy_redirect     off;
+
+        access_log $GRADIDO_LOG_PATH/nginx-access.backend.hook.log gradido_log;
+        error_log $GRADIDO_LOG_PATH/nginx-error.backend.hook.log warn;
+    }
+
+    # Webhook reverse proxy
+    location /hooks/ {
+        proxy_pass http://127.0.0.1:9000/hooks/;
+
+        access_log $GRADIDO_LOG_PATH/nginx-access.hooks.log gradido_log;
+        error_log $GRADIDO_LOG_PATH/nginx-error.hooks.log warn;
+    }
+
+    # Admin Frontend
+    location /admin {
+        proxy_http_version 1.1;
+        proxy_set_header   Upgrade $http_upgrade;
+        proxy_set_header   Connection 'upgrade';
+        proxy_set_header   X-Forwarded-For $remote_addr;
+        proxy_set_header   X-Real-IP  $remote_addr;
+        proxy_set_header   Host $host;
+        
+        proxy_pass         http://127.0.0.1:8080/;
+        proxy_redirect     off;
+
+        access_log $GRADIDO_LOG_PATH/nginx-access.admin.log gradido_log;
+        error_log $GRADIDO_LOG_PATH/nginx-error.admin.log warn;
+    }
+    
+    # Federation
+    $FEDERATION_NGINX_CONF
+
+    # TODO this could be a performance optimization
+    #location /vue {
+    #    alias /var/www/html/gradido/frontend/build;
+    #    index index.html;
+    #
+    #    location ~* \.(png)$ {
+    #        expires 39d;
+    #    }
+    #    try_files $uri $uri/ /index.html = 404;
+    #}
+}

deployment/bare_metal/nginx/sites-available/update-page.conf.ssl.template

@@ -0,0 +1,37 @@
+
+server {
+    if ($host = $NGINX_SERVER_NAME) {
+        return 301 https://$host$request_uri;
+    }
+
+    server_name $NGINX_SERVER_NAME;
+    listen 80;
+    listen [::]:80;
+    return 404;
+}
+server {
+    server_name $NGINX_SERVER_NAME;
+
+    listen [::]:443 ssl ipv6only=on;
+    listen 443 ssl;
+    ssl_certificate $NGINX_SSL_CERTIFICATE;
+    ssl_certificate_key $NGINX_SSL_CERTIFICATE_KEY;
+    include $NGINX_SSL_INCLUDE;
+    ssl_dhparam $NGINX_SSL_DHPARAM;
+
+    include /etc/nginx/common/protect.conf;
+    include /etc/nginx/common/protect_add_header.conf;
+
+    gzip on;
+
+    root $NGINX_UPDATE_PAGE_ROOT;
+    index updating.html;
+
+    location / {
+        try_files /updating.html =404;
+    }
+
+    access_log $GRADIDO_LOG_PATH/nginx-access.update-page.log gradido_log;
+    error_log $GRADIDO_LOG_PATH/nginx-error.update-page.log warn;
+}
+

deployment/bare_metal/start.sh

@@ -41,6 +41,10 @@ else
     set +o allexport
 fi
 
+# set env variables dynamic if not already set in .env or .env.dist
+: ${NGINX_SSL_CERTIFICATE:=/etc/letsencrypt/live/$COMMUNITY_HOST/fullchain.pem}
+: ${NGINX_SSL_CERTIFICATE_KEY:=/etc/letsencrypt/live/$COMMUNITY_HOST/privkey.pem}
+
 # lock start
 if [ -f $LOCK_FILE ] ; then
   echo "Already building!"
@@ -60,13 +64,8 @@ exec > >(tee -a $UPDATE_HTML) 2>&1
 
 # configure nginx for the update-page
 echo 'Configuring nginx to serve the update-page' >> $UPDATE_HTML
-
-ln -s $SCRIPT_PATH/nginx/sites-available/update-page.conf $SCRIPT_PATH/nginx/sites-enabled/default
+ln -sf $SCRIPT_DIR/nginx/sites-available/update-page.conf $SCRIPT_DIR/nginx/sites-enabled/default
 sudo /etc/init.d/nginx restart
-# enable https if env variable has value https
-if [ "$URL_PROTOCOL" = "https" ]; then
-    certbot install --nginx --non-interactive --cert-name $COMMUNITY_HOST --logs-dir ./log/ --work-dir . --config-dir .
-fi
 
 # stop all services
 echo 'Stop and delete all Gradido services' >> $UPDATE_HTML
@@ -110,7 +109,11 @@ export FEDERATION_NGINX_CONF=$(< $NGINX_CONFIG_DIR/gradido-federation.conf.locat
 
 # *** 3rd generate gradido nginx config including federation modules per api-version
 echo 'Generate new gradido nginx config' >> $UPDATE_HTML
-envsubst '$FEDERATION_NGINX_CONF' < $NGINX_CONFIG_DIR/gradido.conf.template > $NGINX_CONFIG_DIR/gradido.conf.tmp
+case "$URL_PROTOCOL" in
+ 'https') TEMPLATE_FILE="gradido.conf.ssl.template" ;;
+       *) TEMPLATE_FILE="gradido.conf.template" ;;
+esac
+envsubst '$FEDERATION_NGINX_CONF' < $NGINX_CONFIG_DIR/$TEMPLATE_FILE > $NGINX_CONFIG_DIR/gradido.conf.tmp
 unset FEDERATION_NGINX_CONF
 envsubst "$(env | sed -e 's/=.*//' -e 's/^/\$/g')" < $NGINX_CONFIG_DIR/gradido.conf.tmp > $NGINX_CONFIG_DIR/gradido.conf
 rm $NGINX_CONFIG_DIR/gradido.conf.tmp
@@ -118,7 +121,11 @@ rm $NGINX_CONFIG_DIR/gradido-federation.conf.locations
 
 # Generate update-page.conf from template
 echo 'Generate new update-page nginx config' >> $UPDATE_HTML
-envsubst "$(env | sed -e 's/=.*//' -e 's/^/\$/g')" < $NGINX_CONFIG_DIR/update-page.conf.template > $NGINX_CONFIG_DIR/update-page.conf
+case "$URL_PROTOCOL" in
+ 'https') TEMPLATE_FILE="update-page.conf.ssl.template" ;;
+       *) TEMPLATE_FILE="update-page.conf.template" ;;
+esac
+envsubst "$(env | sed -e 's/=.*//' -e 's/^/\$/g')" < $NGINX_CONFIG_DIR/$TEMPLATE_FILE > $NGINX_CONFIG_DIR/update-page.conf
 
 # Clean tmp folder - remove yarn files
 find /tmp -name "yarn--*" -exec rm -r {} \;
@@ -261,11 +268,8 @@ done
 
 # let nginx showing gradido
 echo 'Configuring nginx to serve gradido again' >> $UPDATE_HTML
-ln -s $SCRIPT_PATH/nginx/sites-available/gradido.conf $SCRIPT_PATH/nginx/sites-enabled/default
+ln -sf $SCRIPT_DIR/nginx/sites-available/gradido.conf $SCRIPT_DIR/nginx/sites-enabled/default
 sudo /etc/init.d/nginx restart
-if [ "$URL_PROTOCOL" = "https" ]; then
-    certbot install --nginx --non-interactive --cert-name $COMMUNITY_HOST --logs-dir ./log/ --work-dir . --config-dir .
-fi
 
 # keep the update log
 cat $UPDATE_HTML >> $GRADIDO_LOG_PATH/update.$TODAY.log

deployment/hetzner_cloud/install.sh

@@ -73,11 +73,14 @@ rmdir /etc/nginx/conf.d
 ln -s $SCRIPT_PATH/nginx/conf.d /etc/nginx/
 
 # setup https with certbot
-certbot --nginx --non-interactive --agree-tos --domains $COMMUNITY_HOST --email $COMMUNITY_SUPPORT_MAIL
+certbot certonly --nginx --non-interactive --agree-tos --domains $COMMUNITY_HOST --email $COMMUNITY_SUPPORT_MAIL
 
-# Install node 16.x
-curl -sL https://deb.nodesource.com/setup_16.x | sudo -E bash -
-apt-get install -y nodejs
+# Install node 16. with nvm, with nodesource is depracted
+curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
+# Close and reopen your terminal to start using nvm or run the following to use it now:
+export NVM_DIR="$HOME/.nvm"
+[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"  # This loads nvm
+nvm install 16 # first installed version will be set to default automatic
 
 # Install yarn
 curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -