Update upspinservers to expose port 80

upspinserver-update.sh

#!/bin/bash -e

# This script configures upspinservers deployed by upspin-ui to expose both
# port 80 and 443, to enable the Let's Encrypt http-01 challenge mechanism.
# See https://github.com/upspin/upspin/issues/568 for more details.

PROJECT="$1"
if [[ "$#" != "1" || "$PROJECT" == "" ]]; then
	echo >&2 "usage: $0 <google-cloud-project-id>"
	exit 2
fi
INSTANCE=upspinserver

if [[ "$TMPDIR" == "" ]]; then
	echo >&2 '$TMPDIR not set; exiting'
	exit 1
fi
CLOUDCONFIG="$TMPDIR/$$upspinserver-cloud-config.yaml"

cat > "$CLOUDCONFIG" <<EOF
#cloud-config

users:
- name: upspin
  uid: 2000

runcmd:
- iptables -w -A INPUT -p tcp --dport 80 -j ACCEPT
- iptables -w -A INPUT -p tcp --dport 443 -j ACCEPT

write_files:
- path: /etc/systemd/system/upspinserver.service
  permissions: 0644
  owner: root
  content: |
    [Unit]
    Description=An upspinserver container instance
    Wants=gcr-online.target
    After=gcr-online.target
    [Service]
    Environment="HOME=/home/upspin"
    ExecStartPre=/usr/bin/docker-credential-gcr configure-docker
    ExecStartPre=/usr/bin/docker pull gcr.io/upspin-containers/upspinserver:latest
    ExecStart=/usr/bin/docker run --rm -u=2000 --volume=/home/upspin:/upspin -p=80:8080 -p=443:8443 --name=upspinserver gcr.io/upspin-containers/upspinserver:latest
    ExecStop=/usr/bin/docker stop upspinserver
    ExecStopPost=/usr/bin/docker rm upspinserver
    Restart=on-failure

runcmd:
- systemctl daemon-reload
- systemctl start upspinserver.service
EOF

gcloud --project="$PROJECT" compute firewall-rules update allow-https --allow=tcp:80,tcp:443
gcloud --project="$PROJECT" compute instances add-metadata "$INSTANCE" --metadata-from-file=user-data="$CLOUDCONFIG"
gcloud --project="$PROJECT" compute instances reset "$INSTANCE"

rm "$CLOUDCONFIG"

exit 0

@YaguraStation nope no particular reason to do this over mktemp.