Single server prototyping with docker-compose + nginx

backend__package.json

{
  "name": "@admin/backend",
  "version": "1.0.0",
  "main": "index.js",
  "license": "UNLICENSED",
  "private": true,
  "scripts": {
    "start": "ts-node src/server.ts",
    "watch": "nodemon -e ts,graphql -w . -w ../graphql --delay 1s -x ts-node src/server.ts",
    "migrate": "ts-node ./node_modules/.bin/knex migrate:latest --knexfile knexfile.ts",
    "rollback": "ts-node ./node_modules/.bin/knex migrate:rollback --knexfile knexfile.ts",
    "createMigration": "ts-node ./node_modules/.bin/knex migrate:make --knexfile knexfile.ts"
  },
  "dependencies": {
    "apollo-server-express": "^2.9.1",
    "cors": "^2.8.5",
    "dataloader": "^1.4.0",
    "express": "^4.0.0",
    "graphql": "^14",
    "knex": "^0.19.3",
    "pg": "^7.12.1",
    "ts-node": "8.3.0",
    "typescript": "^3.6"
  }
}

backup

#!/usr/bin/env bash
#
# This usually lives in the home directory.
#

set -eo pipefail

path="$HOME/backups/$(date +'%Y%m%d_%H%M%S').sql.bz2"
mkdir -p "$HOME/backups"

# This command might need SSL options if you're using Google Cloud SQL, hence the quoted format.
nice pg_dump "host=xxx user=xxx password=xxx dbname=xxx" | bzip2 >$path

if [ -t 1 ]; then
  echo "Wrote $path"
  ls -lh "$path"
fi

docker-compose.yml

version: '3.7'

# This file assumes that
#   (1) You have created a `.env` file with env vars
#   (2) You've copied any SSL certs into an `ssl/` directory, which doesn't get checked in

services:
  backend:
    build:
      context: .
      target: backend
    env_file: .env
    ports:
      - '4000:4000'
    volumes:
      - ~/exports:/exports
    restart: always
  frontend:
    build:
      context: .
      target: frontend
    env_file: .env
    ports:
      - '8080:8080'
    restart: always

Dockerfile

# Remember that additional env vars can be in a .env, which docker-compose
# uses when building the image.

FROM node:12.9.0-alpine AS base
VOLUME /usr/local/share/.cache/yarn
COPY ./ /app/
WORKDIR /app/
RUN npm install --silent --global yarn
RUN yarn install --pure-lockfile --non-interactive

FROM base AS frontend
ENV BACKEND_API_SERVER=https://server.mydomain.com:5000
ENV NODE_ENV=production
WORKDIR /app/frontend/
RUN yarn global add http-server
RUN yarn run build
EXPOSE 8080/tcp
CMD cd out && http-server

FROM base AS backend
ENV NODE_ENV=production
WORKDIR /app/backend/
CMD yarn run start
EXPOSE 4000/tcp

etc__nginx__sites-enabled__default

server_tokens off;

# Redirect all HTTP to HTTPS
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    # Per https://cloud.google.com/monitoring/agent/plugins/nginx
    location /nginx_status {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        deny all;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Admin Panel - Static frontend
server {
    listen 443 ssl http2;
    listen [::]:443 http2;
    server_name admin.example.com;

    ssl_certificate /etc/letsencrypt/live/admin.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/admin.example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /backups {
        alias /home/example/backups;
        autoindex on;
        auth_basic "backups";
        auth_basic_user_file /etc/nginx/htpasswd;
    }

    location ^~ /.well-known/ {
        root /var/www/html;
        default_type text/plain;
        auth_basic off;
        allow all;
    }
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/html;
    }
}

# Admin Panel - API server
server {
    listen 5000 ssl http2;
    server_name admin.example.com;

    ssl_certificate /etc/letsencrypt/live/admin.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/admin.example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    client_max_body_size 50M;

    location / {
        proxy_pass http://127.0.0.1:4000;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 500s;
    }
}

frontend__package.json

{
  "name": "@admin/frontend",
  "version": "1.0.0",
  "license": "UNLICENSED",
  "private": true,
  "scripts": {
    "dev": "next",
    "build": "next build && next export"
  },
  "dependencies": {
    "next": "^9.0.5",
    "react": "^16.9.0",
    "react-dom": "^16.9.0"
  }
}

package.json

{
  "private": true,
  "workspaces": [
    "backend",
    "frontend",
    "common"
  ],
  "dependencies": {
    "typescript": "^3.6"
  },
  "devDependencies": {
    "husky": "^3.0.4",
    "lint-staged": "^9.2.5",
    "prettier": "^1.18.2"
  },
  "husky": {
    "hooks": {
      "pre-commit": "tsc --noEmit && lint-staged"
    }
  },
  "lint-staged": {
    "*.{js,json,css,md}": [
      "prettier --write",
      "git add"
    ],
    "*.{ts,tsx}": [
      "tslint --fix",
      "prettier --write --parser=typescript",
      "git add"
    ]
  }
}

push

#!/usr/bin/env bash
#
# This usually lives in the home directory so I can run `ssh foo ./push` to push a build.
#

set -eo pipefail

cd ~/app

git pull
echo
echo "Current commit:"
git log --oneline -n1 --decorate
echo

echo "Backing up database..."
~/backup

docker-compose build
docker-compose down || true
docker-compose run backend yarn migrate
docker-compose up -d

echo
df -h .