feat: gcp image and geo proxy (#281)
* feat: gcp image and geo proxy * fix: remove workflow config * fix: sha * fix: nginx config * feat: refactor * fix:build error * fix:build error * fix:build error * feat:ci --------- Co-authored-by: kevin-222 <[email protected]>
Showing
151 changed files
with
19,347 additions
and
44,601 deletions.
|
@@ -15,18 +15,96 @@ jobs: | |
|
||
- uses: actions/setup-node@v2 | ||
with: | ||
node-version: '16' | ||
node-version: '18' | ||
- run: yarn install | ||
- run: yarn run build | ||
|
||
- name: Deploy | ||
uses: reggionick/s3-deploy@v3 | ||
- name: Get short SHA | ||
id: slug | ||
run: echo "::set-output name=sha7::$(echo ${GITHUB_SHA} | cut -c1-7)" | ||
|
||
- name: Set up Docker Buildx | ||
uses: docker/setup-buildx-action@v1 | ||
|
||
- name: Configure AWS credentials | ||
uses: aws-actions/configure-aws-credentials@v1 | ||
with: | ||
aws-access-key-id: ${{ secrets.ECR_DEPLOYER_AWS_ACCESS_KEY_ID }} | ||
aws-secret-access-key: ${{ secrets.ECR_DEPLOYER_AWS_SECRET_ACCESS_KEY }} | ||
aws-region: us-west-2 | ||
|
||
- name: Login to Amazon ECR | ||
id: login-ecr | ||
uses: aws-actions/amazon-ecr-login@v1 | ||
|
||
- name: Build, tag, and push image to Amazon ECR | ||
env: | ||
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} | ||
ECR_REPOSITORY: sid-app | ||
IMAGE_TAG_0: ${{ github.sha }} | ||
IMAGE_TAG_1: sha-${{ steps.slug.outputs.sha7 }} | ||
run: | | ||
docker build --build-arg LICENSE_KEY=${{ secrets.LICENSE_KEY }} -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG_0 -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG_1 . | ||
docker push $ECR_REGISTRY/$ECR_REPOSITORY --all-tags | ||
- id: auth | ||
name: 'GCP Auth' | ||
uses: 'google-github-actions/auth@v1' | ||
with: | ||
token_format: 'access_token' | ||
credentials_json: ${{ secrets.GCS_INTERNAL_ARTIFACTS_SA_JSON }} | ||
|
||
- name: Login to Artifact Registry | ||
uses: docker/login-action@v2 | ||
with: | ||
registry: us-west1-docker.pkg.dev | ||
username: oauth2accesstoken | ||
password: ${{ steps.auth.outputs.access_token }} | ||
|
||
- name: Build, tag, and push image to GCP Artifact Repository | ||
env: | ||
GAR_REGISTRY: us-west1-docker.pkg.dev/spaceid-internal-artifacts/spaceid-app | ||
GAR_REPOSITORY: sid-app | ||
IMAGE_TAG_0: ${{ github.sha }} | ||
IMAGE_TAG_1: sha-${{ steps.slug.outputs.sha7 }} | ||
run: | | ||
docker build --build-arg LICENSE_KEY=${{ secrets.LICENSE_KEY }} -f Dockerfile -t $GAR_REGISTRY/$GAR_REPOSITORY:$IMAGE_TAG_0 -t $GAR_REGISTRY/$GAR_REPOSITORY:$IMAGE_TAG_1 . | ||
docker push $GAR_REGISTRY/$GAR_REPOSITORY --all-tags | ||
deploy: | ||
name: Deploy with GitOps | ||
runs-on: ubuntu-latest | ||
needs: build-and-deploy | ||
env: | ||
GITOPS_REPO: Space-ID/spaceid-infra-bootstrap | ||
|
||
steps: | ||
- name: Get short SHA | ||
id: slug | ||
run: echo "::set-output name=sha7::$(echo ${GITHUB_SHA} | cut -c1-7)" | ||
|
||
- name: Checkout Gitops code | ||
# https://github.com/actions/checkout/issues/417 | ||
uses: actions/[email protected] | ||
with: | ||
repository: ${{ env.GITOPS_REPO }} | ||
fetch-depth: 1 # use 0 if later pushing to different branch | ||
token: ${{ secrets.INFRA_GITOPS }} | ||
|
||
- name: Update prd image tag - Mainnet | ||
uses: docker://ryanlime/kyriosctl:latest | ||
with: | ||
args: gitops updateTag -t sha-${{ steps.slug.outputs.sha7 }} -d app/prd/sid-app | ||
|
||
- name: Commit files - Mainnet | ||
run: | | ||
git config --local user.email "[email protected]" | ||
git config --local user.name "SpaceID Bot" | ||
git commit -a -m "[release][prd][sid-app] ${{ steps.slug.outputs.sha7 }}" -m "https://github.com/${{ github.repository }}/commit/${{ github.sha }}" | ||
- name: Push changes | ||
uses: ad-m/github-push-action@master | ||
with: | ||
folder: 'build' | ||
bucket: 'prd-app-space-id' | ||
bucket-region: 'us-west-2' | ||
dist-id: 'E2WEVVPV40MG9V' | ||
invalidation: / | ||
delete-removed: true | ||
no-cache: false | ||
private: true | ||
repository: ${{ env.GITOPS_REPO }} | ||
branch: main | ||
github_token: ${{ secrets.INFRA_GITOPS }} |
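Review bot: Both `docker build` steps pass the MaxMind key as `--build-arg LICENSE_KEY=${{ secrets.LICENSE_KEY }}`, and the Dockerfile added in this commit expands that `ARG` inside its two `RUN wget` URLs, so the key value is recorded in the history of the images pushed to ECR and Artifact Registry and can be read with `docker history` by anyone able to pull them. Expose the secret through the step's `env:` and build with `docker build --secret id=license_key,env=LICENSE_KEY ...`, changing the two download steps to `RUN --mount=type=secret,id=license_key` and reading `/run/secrets/license_key` there; if images built this way were already pushed, the key should be rotated. In the deploy job, `docker://ryanlime/kyriosctl:latest` and `ad-m/github-push-action@master` are mutable third-party references that execute alongside the `INFRA_GITOPS` token, which appears to have push access to the repository holding the production image tag. Pin both, e.g. `uses: ad-m/github-push-action@<full-commit-sha>` and `uses: docker://ryanlime/kyriosctl@sha256:<image-digest>`.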
@@ -0,0 +1,74 @@ | ||
# Use an official Nginx image as a parent image | ||
FROM debian:bullseye-slim | ||
#WORKDIR /app | ||
|
||
RUN apt-get update && apt-get install -y wget curl git build-essential autoconf libtool libpcre3 libpcre3-dev libssl-dev zlib1g-dev gettext-base | ||
|
||
# Install C library for reading MaxMind DB files | ||
RUN apt-get install -y libmaxminddb0 libmaxminddb-dev mmdb-bin | ||
|
||
# Install nginx | ||
ENV nginx_version 1.21.1 | ||
RUN curl http://nginx.org/download/nginx-$nginx_version.tar.gz | tar xz | ||
RUN git clone https://github.com/leev/ngx_http_geoip2_module.git | ||
WORKDIR /nginx-$nginx_version | ||
|
||
ARG LICENSE_KEY | ||
|
||
# Download and set up the GeoIP database | ||
RUN mkdir -p /etc/geoip | ||
RUN wget -O city.tar.gz "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=${LICENSE_KEY}&suffix=tar.gz" | ||
RUN tar -xvzf city.tar.gz | ||
RUN mv GeoLite2-City_*/GeoLite2-City.mmdb /etc/geoip/ | ||
RUN rm -rf GeoLite2-City* | ||
RUN wget -O country.tar.gz "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country&license_key=${LICENSE_KEY}&suffix=tar.gz" | ||
RUN tar -xvzf country.tar.gz | ||
RUN mv GeoLite2-Country_*/GeoLite2-Country.mmdb /etc/geoip/ | ||
RUN rm -rf GeoLite2-Country* | ||
|
||
# Compile nginx | ||
RUN ./configure \ | ||
--prefix=/etc/nginx \ | ||
--sbin-path=/usr/sbin/nginx \ | ||
--conf-path=/etc/nginx/nginx.conf \ | ||
--error-log-path=/var/log/nginx/error.log \ | ||
--http-log-path=/var/log/nginx/access.log \ | ||
--pid-path=/var/run/nginx.pid \ | ||
--lock-path=/var/run/nginx.lock \ | ||
--http-client-body-temp-path=/var/cache/nginx/client_temp \ | ||
--http-proxy-temp-path=/var/cache/nginx/proxy_temp \ | ||
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \ | ||
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \ | ||
--http-scgi-temp-path=/var/cache/nginx/scgi_temp \ | ||
--user=nginx \ | ||
--group=nginx \ | ||
--with-http_ssl_module \ | ||
--with-http_realip_module \ | ||
--with-http_secure_link_module \ | ||
--with-threads \ | ||
--with-http_v2_module \ | ||
--with-http_gzip_static_module \ | ||
--with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' \ | ||
--with-ld-opt='-Wl,-z,relro -Wl,--as-needed' \ | ||
--add-dynamic-module=../ngx_http_geoip2_module | ||
RUN make | ||
RUN make install | ||
|
||
RUN adduser --system --no-create-home --shell /bin/false --group nginx | ||
RUN mkdir -p /var/cache/nginx/client_temp | ||
RUN mkdir -p /var/cache/nginx/proxy_temp | ||
RUN mkdir -p /var/cache/nginx/fastcgi_temp | ||
RUN mkdir -p /var/cache/nginx/uwsgi_temp | ||
RUN mkdir -p /var/cache/nginx/scgi_temp | ||
RUN mkdir /app | ||
|
||
COPY ./nginx.conf /etc/nginx/ | ||
COPY ./default.conf /etc/nginx/conf.d/default.conf | ||
COPY ./build /app/ | ||
|
||
# Expose ports | ||
EXPOSE 8080 | ||
ENV PORT 8080 | ||
|
||
# Start Nginx when the container launches | ||
CMD nginx -g 'daemon off;' |
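Review bot: The nginx source is fetched with `curl http://nginx.org/download/nginx-$nginx_version.tar.gz | tar xz`, over plain HTTP with no checksum or signature check, and `ngx_http_geoip2_module` is cloned at whatever its default branch currently points to, so the code compiled into the server is neither pinned nor verified. The pipe also hides a failed download from the build, because the default shell reports only the exit status of `tar`. The fence below downloads over HTTPS, checks a recorded SHA-256 before unpacking, and checks the module out at a fixed commit; the checksum and commit are placeholders to be filled in from a trusted source. Separately, the final image keeps the whole compiler toolchain and never sets `USER`, so the nginx master process starts as root; a build stage copied into a slim runtime stage would reduce both exposures.

```dockerfile
# placeholders: record the real tarball checksum and module commit here
ARG NGINX_SHA256=<nginx-tarball-sha256>
ARG GEOIP2_MODULE_COMMIT=<module-commit-sha>
RUN curl -fsSL -o nginx.tar.gz "https://nginx.org/download/nginx-${nginx_version}.tar.gz" \
    && echo "${NGINX_SHA256}  nginx.tar.gz" | sha256sum -c - \
    && tar xzf nginx.tar.gz \
    && rm nginx.tar.gz
RUN git clone https://github.com/leev/ngx_http_geoip2_module.git \
    && git -C ngx_http_geoip2_module checkout "${GEOIP2_MODULE_COMMIT}"
# … unchanged: WORKDIR, GeoIP database download, configure / make / make install …
```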
@@ -0,0 +1,72 @@ | ||
server { | ||
listen 8080; | ||
server_name localhost *.space.id *.stg.space.id; | ||
|
||
#access_log /var/log/nginx/host.access.log main; | ||
|
||
location /api/health/alive { | ||
return 200 '{"status":"success","result":"ok"}'; | ||
} | ||
|
||
location /api/health/ready { | ||
return 200 '{"status":"success","result":"ok"}'; | ||
} | ||
|
||
# Country-wide blocking | ||
# China, North Korea, Iran, Syria, Cuba | ||
if ($geoip2_data_country_code ~ (KP|IR|SY|CU|CN)) { | ||
rewrite ^ /unsupportedregion; | ||
} | ||
|
||
# City-wide blocking | ||
# Crimea (703883), Sevastopol (694423), Luhansk (702657) and Donetsk (12189531) | ||
if ($geoip2_data_city_geoname_id ~ (703883|694423|702657|12189531)) { | ||
rewrite ^ /unsupportedregion; | ||
} | ||
|
||
location /unsupportedregion { | ||
internal; | ||
default_type text/html; | ||
return 200 '<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title>SPACE ID</title><link href="https://fonts.googleapis.com/css?family=Plus Jakarta Sans" rel="stylesheet"><style>body{background:#000;font-family:"Plus Jakarta Sans",serif;text-align:center}.error{position:absolute;top:50%;left:50%;display:flex;width:80vw;flex-direction:column;align-items:center;transform:translate(-50%,-50%)}@media (width:768px){.error{width:100vw}.t1{font-size:24px}.t2{font-size:14px}}.t1{font-size:24px;font-weight:700;color:#becfcd;margin:24px 0 12px 0}.t2{font-size:14px;color:#8a9b9e;margin:0}</style></head><body><div class="error"><svg width="80" height="80" viewBox="0 0 80 80" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M40.0002 76.6666C60.2506 76.6666 76.6668 60.2504 76.6668 40C76.6668 19.7495 60.2506 3.33331 40.0002 3.33331C19.7497 3.33331 3.3335 19.7495 3.3335 40C3.3335 60.2504 19.7497 76.6666 40.0002 76.6666ZM40.0002 20C38.1592 20 36.6668 21.4924 36.6668 23.3333V43.3333C36.6668 45.1743 38.1592 46.6666 40.0002 46.6666C41.8411 46.6666 43.3335 45.1743 43.3335 43.3333V23.3333C43.3335 21.4924 41.8411 20 40.0002 20ZM40.0002 51.6666C37.699 51.6666 35.8335 53.5321 35.8335 55.8333C35.8335 58.1345 37.699 60 40.0002 60C42.3013 60 44.1668 58.1345 44.1668 55.8333C44.1668 53.5321 42.3013 51.6666 40.0002 51.6666Z" fill="white"/></svg><p class="t1">Region not supported</p><p class="t2">Unfortunately, we are not currently supporting your region or country.</p></div></body></html>'; | ||
} | ||
|
||
root /app/; | ||
|
||
index index.html; | ||
|
||
location / { | ||
try_files $uri $uri/ =404; | ||
} | ||
|
||
# error_page 404 /404.html; | ||
|
||
# redirect server error pages to the static page /50x.html | ||
# | ||
# error_page 500 502 503 504 /50x.html; | ||
# location = /50x.html { | ||
# root /usr/share/nginx/html; | ||
# } | ||
|
||
# proxy the PHP scripts to Apache listening on 127.0.0.1:80 | ||
# | ||
#location ~ \.php$ { | ||
# proxy_pass http://127.0.0.1; | ||
#} | ||
|
||
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 | ||
# | ||
#location ~ \.php$ { | ||
# root html; | ||
# fastcgi_pass 127.0.0.1:9000; | ||
# fastcgi_index index.php; | ||
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; | ||
# include fastcgi_params; | ||
#} | ||
|
||
# deny access to .htaccess files, if Apache's document root | ||
# concurs with nginx's one | ||
# | ||
#location ~ /\.ht { | ||
# deny all; | ||
#} | ||
} |
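Review bot: The geoname-ID test `if ($geoip2_data_city_geoname_id ~ (703883|694423|702657|12189531))` is an unanchored regex, so any ID that merely contains one of these digit runs (a constructed example: 1703883) is also sent to `/unsupportedregion`. Anchor it, `if ($geoip2_data_city_geoname_id ~ "^(703883|694423|702657|12189531)$") {`, and do the same for the country-code test for consistency. Both variables are defined outside this file, so it is worth confirming which address the lookup uses: if the container sits behind a load balancer and the lookup sees the proxy address, the block never fires, and if it trusts a forwarded header from any peer, a client can set its own region. The blocked page is also returned with status 200; a 403 or 451 would let logs and monitoring distinguish blocked requests from served ones.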