Create a debian package for server deployment #10

2021-05-19T12:22:05Z

mhfowler commented

2021-05-19 12:22:05 +00:00

(Migrated from github.com)

This PR uses cargo-deb to deploy the peach-dyndns-server service as a live server on prod using systemd.

In the future, we may want to look into using ansible or a different configuration software for production if we want to make things more robust (e.g. staging and production server), but this is tested and working, and on the plus side has parity with our other repos.

On the peach-vps there is a repo /srv/peachcloud/peach-dyndns-server/dev-peach-dyndns which contains the source code.

In that repo you can build the .deb using cargo-deb. When you install the cargo-deb, it uses, /srv/peachcloud/peach-dyndns-server/prod-peach-dyndns as a working directory which the prod server runs out of.

A couple other interesting things.

I used the sudoers.d pattern you used in peach-network, to allow peach-dyndns user to reload bind using sudo without a password. Although I think the way I've currently done this may be not a best practice, as I wrote a script /bin/reloadbind which is the command that it has special sudo permission to run... I guess I need to ensure that peach-dydns can run /bin/reloadbind but can't edit it... otherwise I think it could just edit the file and then essentially that would be a loophole to escalate its sudo privilges to run anything as sudo? But maybe if I ensure /bin/reloadbind is only editable by root, then its ok.
nginx proxying is still handled separately from this, manually. the cargo-deb just makes sure the server is running.

This PR uses cargo-deb to deploy the peach-dyndns-server service as a live server on prod using systemd. In the future, we may want to look into using ansible or a different configuration software for production if we want to make things more robust (e.g. staging and production server), but this is tested and working, and on the plus side has parity with our other repos. On the peach-vps there is a repo `/srv/peachcloud/peach-dyndns-server/dev-peach-dyndns` which contains the source code. In that repo you can build the .deb using cargo-deb. When you install the cargo-deb, it uses, `/srv/peachcloud/peach-dyndns-server/prod-peach-dyndns` as a working directory which the prod server runs out of. A couple other interesting things. - I used the sudoers.d pattern you used in peach-network, to allow peach-dyndns user to reload bind using sudo without a password. Although I think the way I've currently done this may be not a best practice, as I wrote a script /bin/reloadbind which is the command that it has special sudo permission to run... I guess I need to ensure that peach-dydns can run /bin/reloadbind but can't edit it... otherwise I think it could just edit the file and then essentially that would be a loophole to escalate its sudo privilges to run anything as sudo? But maybe if I ensure /bin/reloadbind is only editable by root, then its ok. - nginx proxying is still handled separately from this, manually. the cargo-deb just makes sure the server is running.

👍 1

mhfowler commented

2021-05-20 08:17:27 +00:00

(Migrated from github.com)

I've tested this and its working. Merging it in. + available for feedback @mycognosist

🎉 1

mycognosist commented

2021-05-20 08:24:21 +00:00

(Migrated from github.com)

@mhfowler

Great work. I really appreciate your documentation of steps and thought-processes.

But maybe if I ensure /bin/reloadbind is only editable by root, then its ok

+1

@mhfowler Great work. I really appreciate your documentation of steps and thought-processes. > But maybe if I ensure /bin/reloadbind is only editable by root, then its ok +1

Sign in to join this conversation.

No reviewers