@jdickey
Last active February 20, 2018 09:28
Semi-automatic setup of Docker-running Droplet from within Droplet itself.
# Semi-automatic setup of Docker-running Droplet from within Droplet itself
#
# Last updated 2017-01-19 at 14:50 (SGT; GMT+8) by @jdickey
#
# ##### Section 1 of 10: Variables used within this script. #####
#
# **NOTE** that several of these **must** be changed, namely
# * DOCKER_PASSWD
# * DOCKER_USER
# * GITHUB_USER
#
# Several of these **must** be changed *when using a new image and/or tag*, namely
# * DOCKER_REPO
# * DOCKER_TAG
#
# POSTGRES_TAG only needs to change when using a new Postgres version. If you don't know why
# you'd change this, *please don't*.
#
# Several variables relate to the unprivileged user which **must** be created in the Droplet,
# since `root` will have been locked out from logging in. These are:
# * UNPRIV_USER
# * UNPRIV_USER_PASSWORD
# * UNPRIV_USER_HOME
#
# Of these, UNPRIV_USER **must** be changed to a normal user name (e.g., 'jeff'), and
# UNPRIV_USER_PASSWORD **should** also be changed to a real password.
#
# The REMOTE_PUBKEY is tied to your $GITHUB_USER value and will pull in the RSA public key
# that GitHub knows you by.
#
# GIST_ID is the base identifier for the Gist from which we want to pull Docker- and
# app-related files. It should rarely change.
#
# GIST_VERSION **must** change each time the Gist is updated (e.g., to modify or add files).
# Failing to do so is a proven, guaranteed way to induce confusion because your files don't
# match what you think they should.
#
# GIST_BASE is the base URL for GitHub user content for the Gist containing our files.
#
export DOCKER_PASSWD=your-own-docker-password
export DOCKER_USER=your-own-docker-user-ID
export GITHUB_USER=your-own-GitHub-user-ID
export DOCKER_REPO=jdickey/conversagence
export DOCKER_TAG=dev-1
export POSTGRES_TAG=10
export UNPRIV_USER=your-user-name
export UNPRIV_USER_PASSWORD=your-unprivileged-user-password
export UNPRIV_USER_HOME=/home/$UNPRIV_USER
export REMOTE_PUBKEY=https://github.com/$GITHUB_USER.keys
export GIST_ID=jdickey/d4c43d43ae07d64758a4bf5e8957eeec
export GIST_VERSION=da0456a51943c32c4198226552396191b2dc0589
# No trailing slash: every use below appends "/<file>" itself.
export GIST_BASE=https://gist.githubusercontent.com/$GIST_ID/raw/$GIST_VERSION
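An added pre-flight check, not part of the gist itself: before Section 3 changes anything on the system, verify that the variables the notes above say **must** be changed no longer hold their placeholders, that `UNPRIV_USER` is a usable account name, and that `GIST_VERSION` is a full commit SHA. The variable names are the gist's own; the function name and its reliance on the `your-` prefix of the placeholder values shown above are assumptions.

```shell
# Added example, not part of the original gist: refuse to proceed while any
# variable that Section 1 says must be changed still holds its placeholder.
# Assumptions: placeholders all begin with "your-" (as in the defaults above);
# the function name is mine.
check_required_vars() {
    failed=0
    for name in DOCKER_PASSWD DOCKER_USER GITHUB_USER UNPRIV_USER UNPRIV_USER_PASSWORD; do
        eval "value=\${$name}"
        case "$value" in
            ''|your-*)
                echo "ERROR: $name is unset or still holds its placeholder" >&2
                failed=1 ;;
        esac
    done
    # root is locked out of the Droplet, so the unprivileged account must be a
    # distinct user name made only of characters useradd accepts.
    case "$UNPRIV_USER" in
        root|*[!a-z0-9_-]*)
            echo "ERROR: UNPRIV_USER '$UNPRIV_USER' is not a usable user name" >&2
            failed=1 ;;
    esac
    # GIST_VERSION must be a full 40-hex-digit commit SHA, otherwise GIST_BASE
    # resolves to files other than the ones you think you are fetching.
    if [ "${#GIST_VERSION}" -ne 40 ]; then
        echo "ERROR: GIST_VERSION must be a 40-character commit SHA" >&2
        failed=1
    else
        case "$GIST_VERSION" in
            *[!0-9a-f]*)
                echo "ERROR: GIST_VERSION contains non-hex characters" >&2
                failed=1 ;;
        esac
    fi
    return $failed
}
```

Call it once, right after the `export` lines, as `check_required_vars || exit 1`, so nothing below runs against a half-edited copy of the script.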
# ##### Section 2 of 10: Functions used within this script. #####
#
# run_as_unpriv_user does just what it says; it allows us to run commands as though they
# were run by the logged-in $UNPRIV_USER, optionally redirecting output to a file.
#
function run_as_unpriv_user() {
    local cmd=$1
    # Hand the command string to a shell running as $UNPRIV_USER, so quoting
    # inside it is honoured. The optional redirection to $2 is performed by this
    # (root) shell, so the target file is root-owned until Section 8's chown.
    if [ -z "$2" ]; then
        sudo -H -u "$UNPRIV_USER" sh -c "$cmd"
    else
        sudo -H -u "$UNPRIV_USER" sh -c "$cmd" > "$2"
    fi
}
# ##### Section 3 of 10: Basic system housekeeping; create unprivileged user. #####
#
apt-get update && apt-get install -y ack-grep aptitude zsh
aptitude upgrade -y && aptitude clean
# Install the Gist's sshd_config (destination /etc/ssh/sshd_config is assumed). -f makes curl
# fail on an HTTP error instead of saving the error page; `sshd -t -f` syntax-checks the new
# file before it replaces the live one. It takes effect at the reboot in Section 10.
curl -fsSL $GIST_BASE/sshd_config -o /tmp/sshd_config \
  && sshd -t -f /tmp/sshd_config \
  && install -m 644 /tmp/sshd_config /etc/ssh/sshd_config
# Membership in the `docker` group grants root-equivalent control of this host.
useradd -G docker,sudo -Um -s /usr/bin/zsh $UNPRIV_USER
# A password is needed for times when the user shells in and wants to run `sudo` commands.
echo "$UNPRIV_USER:$UNPRIV_USER_PASSWORD" | chpasswd
# ##### Section 4 of 10: Enable unprivileged user to log in without a password. #####
#
run_as_unpriv_user "curl -fsSL $GIST_BASE/.zshrc" $UNPRIV_USER_HOME/.zshrc
run_as_unpriv_user "mkdir $UNPRIV_USER_HOME/.ssh"
run_as_unpriv_user "chmod 700 $UNPRIV_USER_HOME/.ssh"
# -f makes curl write nothing on an HTTP error (e.g. a misspelled GITHUB_USER); the -s check
# then stops the script before root's lockout leaves nobody able to log in.
run_as_unpriv_user "curl -fsSL $REMOTE_PUBKEY" $UNPRIV_USER_HOME/.ssh/authorized_keys 2>/dev/null
[ -s $UNPRIV_USER_HOME/.ssh/authorized_keys ] || { echo "No public keys fetched for $GITHUB_USER" >&2; exit 1; }
chmod 600 $UNPRIV_USER_HOME/.ssh/authorized_keys
chown $UNPRIV_USER:$UNPRIV_USER $UNPRIV_USER_HOME/.ssh/authorized_keys
# ##### Section 5 of 10: Install pip, and use it to install Python Docker interface. #####
#
# This will be needed when we get Ansible up and happy again.
#
# UFW is already active with ports tcp/22, tcp/2375 and tcp/2376.
# tcp/2375 is the Docker daemon's plaintext, unauthenticated API; anything that can reach it
# controls the host as root, so restrict it to trusted source addresses (tcp/2376 is the TLS one).
#
aptitude install -y python-pip && aptitude clean
# pip install --upgrade pip # *should not* be needed; see if warnings occur below
# pip install docker # this probably errors out, even if warnings below recommend it
pip install docker-py
# ##### Section 6 of 10: Pull Docker images. #####
#
# --password-stdin keeps the registry password out of the process list and shell history;
# the helper is bypassed here because the pipe has to feed docker directly.
echo "$DOCKER_PASSWD" | sudo -H -u $UNPRIV_USER docker login -u $DOCKER_USER --password-stdin
run_as_unpriv_user "docker pull $DOCKER_REPO:$DOCKER_TAG"
run_as_unpriv_user "docker pull postgres:$POSTGRES_TAG"
run_as_unpriv_user "docker logout"
# ##### Section 7 of 10: Get docker-compose.yml and .env files. #####
#
mkdir $UNPRIV_USER_HOME/app
cd $UNPRIV_USER_HOME/app
run_as_unpriv_user "curl -fsSL $GIST_BASE/docker-compose.yml" docker-compose.yml
run_as_unpriv_user "curl -fsSL $GIST_BASE/.env" .env
cp .env .env.development # which of these do we really need?
# ##### Section 8 of 10: Ensure that unprivileged user owns all their files. #####
#
chown -R $UNPRIV_USER:$UNPRIV_USER $UNPRIV_USER_HOME
# ##### Section 9 of 10: Bring up the (Dockerised) app. #####
#
run_as_unpriv_user "docker-compose up -d"
sleep 10 # be sure database is up and running before we continue
# this can be safely(?) run from root, since it explicitly changes effective user
docker-compose exec -u postgres db createdb conversagence_development
# NOT: run_as_unpriv_user "docker-compose exec web bin/hanami db apply"
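An added helper, not part of the gist: the fixed `sleep 10` above is a race, and `createdb` fails if Postgres is still initialising when the ten seconds are up. This polls a readiness command instead. The function name, defaults and argument order are assumptions; `pg_isready` is the client that ships in the official `postgres` image.

```shell
# Added example, not part of the original gist: replace the fixed "sleep 10"
# with a readiness poll. "probe" is any shell command that exits 0 once the
# service is up; attempts and interval are arguments so the function can be
# exercised without Docker. Function name and defaults are mine.
wait_until_ready() {
    probe=$1
    attempts=${2:-30}
    interval=${3:-1}
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if sh -c "$probe" >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1))
        sleep "$interval"
    done
    echo "ERROR: still not ready after $attempts attempts: $probe" >&2
    return 1
}

# In the script, in place of "sleep 10" (-T stops docker-compose from trying to
# allocate a TTY, which a non-interactive script does not have):
#   wait_until_ready "docker-compose exec -T -u postgres db pg_isready" 30 2 || exit 1
```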
# ##### Section 10 of 10: Restart Droplet. #####
#
# This is needed to ensure that our previously-installed system updates are applied.
# **NOTE:** You **must** shell in again and run `docker-compose restart`
# from the `app` directory!
shutdown -r now