Jia Huang edited this page Aug 12, 2014 · 10 revisions

# Oauth

Overview

  • Provider: DigitalOcean
  • Instance Type: small
  • OS: Ubuntu 12.04
  • Contact: Jia
  • Hostname: oauth
  • External: ssh root@192.241.196.205
  • Docker: no
  • Ansible: no
  • Users
    • root - sudo access
  • Services
  • Data
    • on the web s3’s tessel-backup bucket
    • /opt/backups
  • Logs
    • /opt/logs

Oauth is the point of truth for Portal (and maybe also Discourse if we run it as the Single Sign On server).

Oauth is deployed on a 512MB box on Digital Ocean with a stack of:

  • Nginx
  • Oauth
  • Postgres
  • Redis

Bringing up a new box

  1. Bring up a 512MB box on DigitalOcean. Add your SSH keys.

  2. Run

    apt-get update;
    apt-get install git nodejs nodejs-legacy npm nginx postgresql postgresql-contrib redis-server tcl-tls supervisor
    
  3. Set up Nginx

  4. Make the nginx profile: `vi /etc/nginx/sites-available/oauth`

 ```
 upstream oauth {
     server 127.0.0.1:3000;
 }

 server {
     listen 0.0.0.0:80;

     access_log /var/log/nginx/oauth.log;
     # Make site accessible from http://localhost/
     server_name portal.tessel.io; # swap out with server name

     location / {
         proxy_redirect off;
         ##proxy_set_header   X-Real-IP            $remote_addr;
         ##proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
         ##proxy_set_header   X-Forwarded-Proto $scheme;
         proxy_set_header   Host                   $http_host; ## set the host name here
         proxy_set_header   X-NginX-Proxy    true;
         proxy_set_header   Connection "";
         proxy_pass http://oauth/;
     }
 }
 ```
  1. Symlink over to sites-enabled: `ln -s /etc/nginx/sites-available/oauth /etc/nginx/sites-enabled/oauth`

  2. Set up Redis. Default Redis port is 6379

  3. Set up backups

  4. Switch to the postgres user because that's who'll be running the backups: `su postgres`

  5. Make these directories

    mkdir /opt/backups;
    mkdir /opt/scripts;
    mkdir /opt/logs;
    
  6. Set up s3cmd so that we can back up to S3.

    wget -O- -q http://s3tools.org/repo/deb-all/stable/s3tools.key | sudo apt-key add -
    wget -O/etc/apt/sources.list.d/s3tools.list http://s3tools.org/repo/deb-all/stable/s3tools.list
    apt-get update
    apt-get install -y  s3cmd
    

    Now configure it with `s3cmd --configure`. The bucket is tessel-backups. Look for users in the backup group on s3.

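  7. Put this backup_postgres.sh script in /opt/scripts

    #!/bin/bash
    # Usage: backup_postgres.sh <database>
    # Dumps the database to /opt/backups and uploads the dump to S3.
    set -e  # stop before the upload if pg_dump fails

    DATE=$(date +"%m-%d-%y")
    echo "Starting backup of $1 on $DATE"

    pg_dump -U postgres "$1" > "/opt/backups/$1-$DATE.sql"
    s3cmd put "/opt/backups/$1-$DATE.sql" s3://tessel-backups/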
    
  8. Set up a cronjob. The backup_postgres script can only be run as the postgres user and not root, so either switch to the postgres user or add the backup to the postgres user's crontab. Right now we're going to add it to the postgres crontab.

    # switch to the postgres user, then open its crontab
    su postgres
    crontab -e

    # add this line; stderr goes to the same log so pg_dump and s3cmd errors are kept
    0 3 * * * /opt/scripts/backup_postgres.sh oauth > /opt/logs/backup_postgres.log 2>&1
    

    Note that the 'oauth' in this command must match the database name declared in the .env file

    *** make sure permissions are properly set on all files not accessed by root ***

  9. Clone down the repo: `cd /opt/apps; git clone https://github.com/tessel/portal.git; npm install;`

  10. Fill out the config environment variables in .env, or copy them over from another server

  11. Run the db migrations

  12. Make the proper users/databases in postgres: `su postgres`, then `psql`

  13. set up the db

    create user oauth;
    create database tesseloauth owner oauth;
    alter user oauth with password 'testpw';
    
  14. `make migrate-production`

  15. Supervisor that up.

  16. `vi /etc/supervisor/conf.d/oauth.conf`

 ```
 [program:oauth]
 command=/opt/apps/oauth/startup.sh
 autostart=true
 autorestart=true
 stderr_logfile=/var/log/oauth.err.log
 stdout_logfile=/var/log/oauth.out.log
 ```
  1. `supervisorctl reread; supervisorctl update`

  2. If you need to restart/start/stop run

    >> supervisorctl
    supervisor> stop oauth
    supervisor> start oauth
    supervisor> restart oauth
    
  3. Restart nginx: `sudo /etc/init.d/nginx restart`
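
The backup steps above ask you to make sure permissions are properly set on files not accessed by root. One way to check that after the box is up, as an added example that is not part of the original wiki: it assumes the three /opt directories created above and that the postgres account should own them; the function names and finding labels are made up for this sketch.

```sh
#!/bin/sh
# Added example, not from the original wiki. Assumes the backup paths this
# page creates and that the postgres account should own them.

# check_path PATH OWNER
# Prints one finding per line for PATH and everything below it.
# Returns 0 when clean, 1 when anything was found or PATH is missing.
check_path() (
    path=$1 owner=$2
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 1
    fi
    findings=$(
        # Any read/write/execute bit for "other": dumps and logs are exposed to every local user.
        find "$path" \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec echo WORLD-ACCESSIBLE {} \;
        # Group-writable scripts can be replaced under the cron job.
        find "$path" -perm -020 -exec echo GROUP-WRITABLE {} \;
        # Paths created by root before switching user are not writable by the backup user.
        find "$path" ! -user "$owner" -exec echo WRONG-OWNER {} \;
    )
    if [ -n "$findings" ]; then
        echo "$findings"
        return 1
    fi
    return 0
)

# audit_backup_host [OWNER]: check the three directories from the steps above.
audit_backup_host() (
    owner=${1:-postgres} rc=0
    for p in /opt/backups /opt/scripts /opt/logs; do
        check_path "$p" "$owner" || rc=1
    done
    return "$rc"
)

# Run the audit only when asked: sh audit_backup_perms.sh audit
case "${1:-}" in
    audit) audit_backup_host "${2:-postgres}" ;;
esac
```

A clean run prints nothing and exits 0; each finding line names the path to fix with `chown` or `chmod`.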
