Online Fuzturday #1

First proposal of a Telemake event, the theme for this one is to migrate presence button's API from https://presence-button.glitch.me to sonic (at https://presence.fuz.re). Event will take place 2020-06-06 15:00 (approx) Paris time, on Jitsi meet https://talk.fdn.fr/onlinefuzturday1

• adduser presence
• install nodejs
• deploy code
• systemd service
• add vhost to lighttpd
• letsencrypt
• add ssl to vhost
• test

If we have time:

• continuous delivery
• Ansible?
• get rid of clunky lighttpd (caddy is awesome)

Nobody showed up on Jitsi, I (Lomanic) stopped all my shiny OBS setup and did this alone.

• sudo adduser presence
• sudo -u presence -i; curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.35.3/install.sh | bash; nvm install node --lts
• git clone https://git.interhacker.space/Lomanic/presence-button-web, add .env file and append echo "PORT=3000" >> .env, otherwise the listening port would be dynamic (useless for reverse proxy)
• following https://doc.ubuntu-fr.org/creer_un_service_avec_systemd#exemple_de_service_de_type_simple

  cat << EOF | sudo tee /etc/systemd/system/presence-button-web.service >/dev/null
  [Unit]
  Description=Presence button web
  After=network-online.target
  
  [Service]
  Type=simple
   
  User=presence
  Group=presence
  WorkingDirectory=/home/presence/presence-button-web
  ExecStart=bash -c "source /home/presence/.nvm/nvm.sh && set -a && source .env && set +a && /home/presence/.nvm/versions/node/v14.4.0/bin/npm start"
  Restart=on-failure
  TimeoutStopSec=300
  
  [Install]
  WantedBy=multi-user.target
  EOF
  sudo systemctl enable presence-button-web.service

• add this to /etc/lighttpd/lighttpd.conf

  $HTTP["host"] == "presence.fuz.re" {
      $HTTP["scheme"] == "http" {
          server.document-root = "/var/www/fuz.re/presence/site"
                  $HTTP["url"] !~ "^/.well-known/acme-challenge/" {
                          proxy.server = ( "" => (("host" => "127.0.0.1", "port" => 3000)) ) # the nodejs server handles the HTTPS redirect by itself as historically ESP couldn't talk SSL (and Glitch doesn't auto-redirect), so was not redirecting /api
                  }
          }
  
          #$SERVER["socket"] == ":443" {
          #       ssl.engine  = "enable"
          #       proxy.server = ( "" => (("host" => "127.0.0.1", "port" => 3000)) )
          #       ssl.ca-file = "/etc/lighttpd/certs/authority.pem"
          #       ssl.pemfile = "/etc/lighttpd/certs/presence.fuz.re.pem"
          #}
  }

  mkdir -p /var/www/fuz.re/presence/site

• oh letsencrypt, what a nice WTF moment. You have to edit some random /etc/letsencrypt/autorenew.sh to include your new domain (and of course, this script is only manually called right?) while everything can be done inside certbot already (you can call commands after a successful renewal). For the curious as it's not documented anywhere (found this script almost by mistake in fact):

  sudo letsencrypt certonly -n --agree-tos -d presence.fuz.re --webroot --webroot-path /var/www/fuz.re/presence/site/
  sudo cat /etc/letsencrypt/live/presence.fuz.re/{privkey,cert}.pem | sudo tee /etc/lighttpd/certs/presence.fuz.re.pem >/dev/null

• uncomment the SSL part in /etc/lighttpd/lighttpd.conf above
• http://presence.fuz.re → https://presence.fuz.re everything looks OK (didn't test with an ESP but it would post a message in #toctoctoc), though there are many unsatisfactory things remaining (the lighttpd/frankenletsencrypt duo is maddening of course, but the presence-button-web code is bad in many ways), this will be for another day