Merge pull request #23 from groupher/add-cat-state-filter-for-posts

feat(devops): deploy to fly.io
groupher · Mar 25, 2024 · ea27d47 · ea27d47
2 parents 0b29a52 + 57ff89a
commit ea27d47
Show file tree

Hide file tree

Showing 45 changed files with 657 additions and 95 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,45 @@
+# This file excludes paths from the Docker build context.
+#
+# By default, Docker's build context includes all files (and folders) in the
+# current directory. Even if a file isn't copied into the container it is still sent to
+# the Docker daemon.
+#
+# There are multiple reasons to exclude files from the build context:
+#
+# 1. Prevent nested folders from being copied into the container (ex: exclude
+#    /assets/node_modules when copying /assets)
+# 2. Reduce the size of the build context and improve build time (ex. /build, /deps, /doc)
+# 3. Avoid sending files containing sensitive information
+#
+# More information on using .dockerignore is available here:
+# https://docs.docker.com/engine/reference/builder/#dockerignore-file
+
+.dockerignore
+
+# Ignore git, but keep git HEAD and refs to access current commit hash if needed:
+#
+# $ cat .git/HEAD | awk '{print ".git/"$2}' | xargs cat
+# d0b8727759e1e0e7aa3d41707d12376e373d5ecc
+.git
+!.git/HEAD
+!.git/refs
+
+# Common development/test artifacts
+/cover/
+/doc/
+/test/
+/tmp/
+.elixir_ls
+
+# Mix artifacts
+/_build/
+/deps/
+*.ez
+
+# Generated on crash by the VM
+erl_crash.dump
+
+# Static artifacts - These should be fetched and built inside the Docker image
+/assets/node_modules/
+/priv/static/assets/
+/priv/static/cache_manifest.json
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,87 @@
+# Find eligible builder and runner images on Docker Hub. We use Ubuntu/Debian instead of
+# Alpine to avoid DNS resolution issues in production.
+#
+# https://hub.docker.com/r/hexpm/elixir/tags?page=1&name=ubuntu
+# https://hub.docker.com/_/ubuntu?tab=tags
+#
+#
+# This file is based on these images:
+#
+#   - https://hub.docker.com/r/hexpm/elixir/tags - for the build image
+#   - https://hub.docker.com/_/debian?tab=tags&page=1&name=bullseye-20240130-slim - for the release image
+#   - https://pkgs.org/ - resource for finding needed packages
+#   - Ex: hexpm/elixir:1.15.7-erlang-26.0.2-debian-bullseye-20240130-slim
+#
+ARG ELIXIR_VERSION=1.15.7
+ARG OTP_VERSION=26.0.2
+ARG DEBIAN_VERSION=bullseye-20240130-slim
+
+ARG BUILDER_IMAGE="hexpm/elixir:${ELIXIR_VERSION}-erlang-${OTP_VERSION}-debian-${DEBIAN_VERSION}"
+ARG RUNNER_IMAGE="debian:${DEBIAN_VERSION}"
+
+FROM ${BUILDER_IMAGE} as builder
+
+# install build dependencies
+RUN apt-get update -y && apt-get install -y build-essential git \
+    && apt-get clean && rm -f /var/lib/apt/lists/*_*
+
+# prepare build dir
+WORKDIR /app
+
+# install hex + rebar
+RUN mix local.hex --force && \
+    mix local.rebar --force
+
+# set build ENV
+ENV MIX_ENV="prod"
+
+# install mix dependencies
+COPY mix.exs mix.lock ./
+RUN mix deps.get --only $MIX_ENV
+RUN mkdir config
+
+# copy compile-time config files before we compile dependencies
+# to ensure any relevant config change will trigger the dependencies
+# to be re-compiled.
+COPY config/config.exs config/${MIX_ENV}.exs config/
+RUN mix deps.compile
+
+COPY priv priv
+
+COPY lib lib
+
+# Compile the release
+RUN mix compile
+
+# Changes to config/runtime.exs don't require recompiling the code
+COPY config/runtime.exs config/
+
+COPY rel rel
+RUN mix release
+
+# start a new build stage so that the final image will only contain
+# the compiled release and other runtime necessities
+FROM ${RUNNER_IMAGE}
+
+RUN apt-get update -y && apt-get install -y libstdc++6 openssl libncurses5 locales \
+  && apt-get clean && rm -f /var/lib/apt/lists/*_*
+
+# Set the locale
+RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && locale-gen
+
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US:en
+ENV LC_ALL en_US.UTF-8
+
+WORKDIR "/app"
+RUN chown nobody /app
+
+# set runner ENV
+ENV MIX_ENV="prod"
+
+# Only copy the final release from the build stage
+COPY --from=builder --chown=nobody:root /app/_build/${MIX_ENV}/rel/groupher_server ./
+
+USER nobody
+
+CMD ["/app/bin/server"]
diff --git a/config/config.exs b/config/config.exs
@@ -11,7 +11,7 @@ config :groupher_server, ecto_repos: [GroupherServer.Repo]
 # Configures the endpoint
 config :groupher_server, GroupherServerWeb.Endpoint,
   url: [host: "localhost"],
-  secret_key_base: "Ru3N3sehqeuFjBV2Z6k7FuyA59fH8bWm8D4aZWu2RifP3xKMBYo3YRILrnXAGezM",
+  adapter: Bandit.PhoenixAdapter,
   render_errors: [view: GroupherServerWeb.ErrorView, accepts: ~w(json)],
   pubsub_server: GroupherServer.PubSub
 

diff --git a/config/dev.exs b/config/dev.exs
@@ -7,7 +7,7 @@ import Config
 # watchers to your application. For example, we use it
 # with brunch.io to recompile .js and .css sources.
 config :groupher_server, GroupherServerWeb.Endpoint,
-  http: [port: String.to_integer(System.get_env("SERVE_PORT") || "7001")],
+  http: [port: String.to_integer(System.get_env("PORT") || "7001")],
   debug_errors: true,
   code_reloader: true,
   check_origin: false,

diff --git a/config/prod.exs b/config/prod.exs
@@ -13,9 +13,8 @@ import Config
 # containing the digested version of static files. This
 # manifest is generated by the mix phx.digest task
 # which you typically run after static files are built.
-config :groupher_server, GroupherServerWeb.Endpoint,
-  load_from_system_env: true,
-  url: [host: "groupher.com", port: 80]
+config :groupher_server, GroupherServerWeb.Endpoint, load_from_system_env: true
+# url: [host: "groupher.com", port: 80]
 
 # cache_static_manifest: "priv/static/cache_manifest.json"
 
@@ -72,18 +71,6 @@ config :groupher_server, Helper.Guardian,
   issuer: "groupher_server",
   secret_key: System.get_env("GUARDIAN_KEY")
 
-# You can generate a new secret by running:
-# mix phx.gen.secret
-# should use RDS 内网地址
-config :groupher_server, GroupherServer.Repo,
-  adapter: Ecto.Adapters.Postgres,
-  username: System.get_env("DB_USERNAME"),
-  password: System.get_env("DB_PASSWORD"),
-  database: System.get_env("DB_NAME" || "cps_server_prod"),
-  hostname: System.get_env("DB_HOST"),
-  port: String.to_integer(System.get_env("DB_PORT") || "3433"),
-  pool_size: String.to_integer(System.get_env("DB_POOL_SIZE") || "20")
-
 config :groupher_server, :github_oauth,
   client_id: System.get_env("OAUTH_GITHUB_CLIENT_ID"),
   client_secret: System.get_env("OAUTH_GITHUB_CLIENT_SECRET"),

diff --git a/config/runtime.exs b/config/runtime.exs
@@ -0,0 +1,163 @@
+import Config
+
+import Helper.Utils, only: [get_host_from_url: 1]
+
+# ## Using releases
+#
+# If you use `mix release`, you need to explicitly enable the server
+# by passing the PHX_SERVER=true when you start it:
+#
+#     PHX_SERVER=true bin/groupher_hello start
+#
+# Alternatively, you can use `mix phx.gen.release` to generate a `bin/server`
+# script that automatically sets the env var above.
+if System.get_env("PHX_SERVER") do
+  config :groupher_server, GroupherServerWeb.Endpoint, server: true
+end
+
+if config_env() == :prod do
+  # The secret key base is used to sign/encrypt cookies and other secrets.
+  # A default value is used in config/dev.exs and config/test.exs but you
+  # want to use a different value for prod and you most likely don't want
+  # to check this value into version control, so we use an environment
+  # variable instead.
+
+  secret_key_base =
+    System.get_env("SECRET_KEY_BASE") ||
+      raise """
+      environment variable SECRET_KEY_BASE is missing.
+      You can generate one by calling: mix phx.gen.secret
+      """
+
+  host =
+    System.get_env("PHX_HOST") || "groupher-server.fly.dev"
+
+  port = String.to_integer(System.get_env("PORT") || "4000")
+
+  config :groupher_server, :dns_cluster_query, System.get_env("DNS_CLUSTER_QUERY")
+
+  config :groupher_server, GroupherServerWeb.Endpoint,
+    url: [host: host, port: 443, scheme: "https"],
+    http: [
+      # Enable IPv6 and bind on all interfaces.
+      # Set it to  {0, 0, 0, 0, 0, 0, 0, 1} for local network only access.
+      # See the documentation on https://hexdocs.pm/bandit/Bandit.html#t:options/0
+      # for details about using IPv6 vs IPv4 and loopback vs public addresses.
+      ip: {0, 0, 0, 0, 0, 0, 0, 0},
+      port: port
+    ],
+    secret_key_base: secret_key_base
+
+  # For production, we often load configuration from external
+  # sources, such as your system environment. For this reason,
+  # you won't find the :http configuration below, but set inside
+  # GroupherServerWeb.Endpoint.init/2 when load_from_system_env is
+  # true. Any dynamic configuration should be done there.
+  #
+  # Don't forget to configure the url host to something meaningful,
+  # Phoenix uses this information when generating URLs.
+  #
+  # Finally, we also include the path to a cache manifest
+  # containing the digested version of static files. This
+  # manifest is generated by the mix phx.digest task
+  # which you typically run after static files are built.
+  config :groupher_server, GroupherServerWeb.Endpoint, load_from_system_env: true
+  # url: [host: "groupher.com", port: 80]
+  config :groupher_server, GroupherServerWeb.Endpoint, server: true
+
+  # cache_static_manifest: "priv/static/cache_manifest.json"
+
+  # Do not print debug messages in production
+  # config :logger, level: :info
+  config :logger, :console, format: "[$level] $message\n"
+
+  # ## SSL Support
+  #
+  # To get SSL working, you will need to add the `https` key
+  # to the previous section and set your `:url` port to 443:
+  #
+  #     config :groupher_server, GroupherServerWeb.Endpoint,
+  #       ...
+  #       url: [host: "example.com", port: 443],
+  #       https: [:inet6,
+  #               port: 443,
+  #               keyfile: System.get_env("SOME_APP_SSL_KEY_PATH"),
+  #               certfile: System.get_env("SOME_APP_SSL_CERT_PATH")]
+  #
+  # Where those two env variables return an absolute path to
+  # the key and cert in disk or a relative path inside priv,
+  # for example "priv/ssl/server.key".
+  #
+  # We also recommend setting `force_ssl`, ensuring no data is
+  # ever sent via http, always redirecting to https:
+  #
+  #     config :groupher_server, GroupherServerWeb.Endpoint,
+  #       force_ssl: [hsts: true]
+  #
+  # Check `Plug.SSL` for all available options in `force_ssl`.
+
+  # ## Using releases
+  #
+  # If you are doing OTP releases, you need to instruct Phoenix
+  # to start the server for all endpoints:
+  #
+  #     config :phoenix, :serve_endpoints, true
+  #
+  # Alternatively, you can configure exactly which server to
+  # start per endpoint:
+  #
+  #     config :groupher_server, GroupherServerWeb.Endpoint, server: true
+  #
+
+  # Finally import the config/prod.secret.exs
+  # which should be versioned separately.
+  # import_config "prod.secret.exs"
+
+  config :groupher_server, GroupherServerWeb.Endpoint, secret_key_base: secret_key_base
+
+  config :groupher_server, Helper.Guardian,
+    issuer: "groupher_server",
+    secret_key: System.get_env("GUARDIAN_KEY")
+
+  # You can generate a new secret by running:
+  # mix phx.gen.secret
+  # should use RDS 内网地址
+  # see https://neon.tech/docs/guides/elixir-ecto for Neon DB on vercel
+  config :groupher_server, GroupherServer.Repo,
+    adapter: Ecto.Adapters.Postgres,
+    url: System.get_env("DATABASE_URL"),
+    pool_size: String.to_integer(System.get_env("DB_POOL_SIZE") || "20"),
+    ssl: true,
+    ssl_opts: [
+      # server_name_indication: System.get_env("DB_HOST") |> String.to_charlist(),
+      server_name_indication:
+        get_host_from_url(System.get_env("DATABASE_URL")) |> String.to_charlist(),
+      verify: :verify_none
+    ]
+
+  config :groupher_server, :github_oauth,
+    client_id: System.get_env("OAUTH_GITHUB_CLIENT_ID"),
+    client_secret: System.get_env("OAUTH_GITHUB_CLIENT_SECRET"),
+    redirect_uri: System.get_env("OAUTH_GITHUB_REDIRECT_URI")
+
+  config :groupher_server, :ip_locate, ip_service: System.get_env("IP_LOCATE_KEY")
+  config :groupher_server, :plausible, token: System.get_env("PLAUSIBLE_TOKEN")
+  config :groupher_server, :audit, token: System.get_env("AUDIT_TOKEN")
+
+  # config :sentry,
+  #   dsn: System.get_env("SENTRY_DSN"),
+  #   environment_name: :prod,
+  #   enable_source_code_context: true,
+  #   root_source_code_path: File.cwd!(),
+  #   tags: %{
+  #     env: "production"
+  #   },
+  #   included_environments: [:prod]
+
+  #  config email services
+  config :groupher_server, GroupherServer.Mailer, api_key: System.get_env("MAILER_API_KEY")
+
+  config :ex_aliyun_openapi, :sts,
+    access_key_id: System.get_env("ALI_OSS_STS_AK"),
+    access_key_secret: System.get_env("_ALIOSS_STS_AS")
+end
diff --git a/fly.toml b/fly.toml
@@ -0,0 +1,35 @@
+# fly.toml app configuration file generated for groupher-server on 2024-03-03T20:11:00+08:00
+#
+# See https://fly.io/docs/reference/configuration/ for information about how to use this file.
+#
+
+app = 'groupher-server'
+primary_region = 'hkg'
+kill_signal = 'SIGTERM'
+
+[build]
+
+[deploy]
+  release_command = '/app/bin/migrate'
+
+[env]
+  PHX_HOST = 'groupher-server.fly.dev'
+  PORT = '8080'
+
+[http_service]
+  internal_port = 8080
+  force_https = true
+  auto_stop_machines = true
+  auto_start_machines = true
+  min_machines_running = 0
+  processes = ['app']
+
+  [http_service.concurrency]
+    type = 'connections'
+    hard_limit = 1000
+    soft_limit = 1000
+
+[[vm]]
+  memory = '1gb'
+  cpu_kind = 'shared'
+  cpus = 1