Inline deploy scripts

.gitignore

@@ -1,7 +1,6 @@
 .DS_Store
 node_modules
 inventory.yml
-deploy
 
 /build
 /public/build

deploy/deploy.yml

@@ -0,0 +1,26 @@
+- name: Deploy the app
+  hosts: all
+  remote_user: deploy
+  tasks:
+    - name: Copy app files to server
+      copy:
+        src: "{{ item.src }}"
+        dest: "{{ item.dest }}"
+      loop: "{{ deploy_files }}"
+
+    - name: Install npm deps
+      shell:
+        cmd: "source /home/deploy/.nvm/nvm.sh && nvm exec default npm install"
+        chdir: /home/{{ domain }}
+      args:
+        executable: /bin/bash
+
+    - name: Run migrations
+      shell:
+        cmd: "source /home/deploy/.nvm/nvm.sh && nvm exec default npx prisma migrate deploy"
+        chdir: /home/{{ domain }}
+      args:
+        executable: /bin/bash
+
+    - name: Start the app with systemd
+      shell: "sudo systemctl restart {{ domain }}"

deploy/inventory.example.yml

@@ -0,0 +1,38 @@
+# Our production server.
+# Copy this whole block if you'd like to add a staging server
+Production:
+  # The IP address of your server.
+  # Add a second one if you'd like to deploy twice.
+  # You can add as many as you want.
+  hosts: an.ip.add.ress
+  vars:
+    # Used for your app's domain name
+    domain: example.com
+    # Used for your certbot email, note you'll be agreeing to the ToS.
+    email: [email protected]
+    # Pick your node version
+    nodejs_version: 20
+    # If you have an SSH key on your server for the root user, you don't need this
+    ansible_ssh_pass: "secret"
+    # List of files and folders to copy to the server on deploy.
+    # Change this to be the files your node app needs to run.
+    # Example set up for a remix.run indie stack app.
+    deploy_files:
+      - src: ../prisma/migrations
+        dest: /home/{{ domain }}/prisma/
+      - src: ../prisma/schema.prisma
+        dest: /home/{{ domain }}/prisma/schema.prisma
+      - src: ../build/
+        dest: /home/{{ domain }}/build
+      - src: ../public/
+        dest: /home/{{ domain }}/public
+      - src: ../.env
+        dest: /home/{{ domain }}/
+      - src: ../.npmrc
+        dest: /home/{{ domain }}/
+      - src: ../package.json
+        dest: /home/{{ domain }}/
+      - src: ../package-lock.json
+        dest: /home/{{ domain }}/
+      - src: ../README.md
+        dest: /home/{{ domain }}/

deploy/lockdown.yml

@@ -0,0 +1,40 @@
+- name: Add deploy user and disable root user
+  hosts: all
+  vars:
+  remote_user: root
+  tasks:
+    - name: Add a new user named deploy
+      user: name=deploy
+
+    - name: Add deploy user to the sudoers
+      copy:
+        dest: "/etc/sudoers.d/deploy"
+        content: "deploy  ALL=(ALL)  NOPASSWD: ALL"
+
+    - name: Deploy your SSH Key
+      authorized_key: user=deploy
+        key="{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
+        state=present
+
+    - name: Disable Password Authentication
+      lineinfile: dest=/etc/ssh/sshd_config
+        regexp='^PasswordAuthentication'
+        line="PasswordAuthentication no"
+        state=present
+        backup=yes
+      notify:
+        - restart ssh
+
+    - name: Disable Root Login
+      lineinfile: dest=/etc/ssh/sshd_config
+        regexp='^PermitRootLogin'
+        line="PermitRootLogin no"
+        state=present
+        backup=yes
+      notify:
+        - restart ssh
+
+  handlers:
+    - name: restart ssh
+      service: name=ssh
+        state=restarted

deploy/provision.yml

@@ -0,0 +1,114 @@
+- name: Update and upgrade apt packages
+  hosts: all
+  remote_user: deploy
+  become: yes
+
+  tasks:
+    - name: Update apt repo and cache
+      apt:
+        update_cache: yes
+        force_apt_get: yes
+        cache_valid_time: 3600
+
+    - name: Upgrade all packages
+      apt:
+        upgrade: dist
+        force_apt_get: yes
+
+    - name: Check if a reboot is needed
+      register: reboot_required_file
+      stat:
+        path: /var/run/reboot-required
+
+    - name: Reboot the server if kernel updated
+      reboot:
+        msg: "Reboot initiated by Ansible for kernel updates"
+        connect_timeout: 5
+        reboot_timeout: 300
+        pre_reboot_delay: 0
+        post_reboot_delay: 30
+        test_command: uptime
+      when: reboot_required_file.stat.exists
+
+- name: Install packages
+  hosts: all
+  remote_user: deploy
+  become: true
+  tasks:
+    - name: Install system packages with apt
+      register: updatesys
+      apt:
+        update_cache: yes
+        name:
+          - curl
+          - gnupg
+          - ufw
+          - nginx
+          - python3-certbot-nginx
+        state: present
+
+    - name: Enable ufw firewall
+      community.general.ufw:
+        state: enabled
+
+    - community.general.ufw:
+        rule: allow
+        name: OpenSSH
+
+    - community.general.ufw:
+        rule: allow
+        name: "Nginx Full"
+
+    - name: Create directory for the app
+      file: path=/home/{{domain}}
+        state=directory
+        owner=deploy
+        group=deploy
+
+    - name: Copy nginx conf to server
+      template: src=./templates/nginx.conf
+        dest=/etc/nginx/sites-available/{{ domain }}.conf
+
+    - name: Create symlink to new nginx conf
+      file: src=/etc/nginx/sites-available/{{ domain }}.conf
+        dest=/etc/nginx/sites-enabled/{{ domain }}.conf
+        state=link
+
+    - name: Create ssl certificate with certbot
+      shell: "sudo certbot --nginx -d {{ domain }} --agree-tos --email {{ email }} --non-interactive"
+      notify: Restart nginx
+
+    - name: Copy systemd service to server
+      template: src=./templates/systemd.service
+        dest=/lib/systemd/system/{{ domain }}.service
+
+    - name: Copy systemd friendly start script to server
+      template:
+        src: ./templates/start.sh
+        dest: /home/{{ domain }}/start.sh
+        mode: +x
+
+    - name: Reload and enable systemd service
+      shell: "sudo systemctl daemon-reload && sudo systemctl enable --now {{ domain }} && sudo systemctl start {{ domain }}"
+
+  handlers:
+    - name: Restart nginx
+      service:
+        name: nginx
+        state: restarted
+
+- name: Install node and the app
+  hosts: all
+  remote_user: deploy
+  tasks:
+    - name: Install nvm
+      shell: >
+        curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
+      args:
+        creates: "{{ ansible_env.HOME }}/.nvm/nvm.sh"
+
+    - name: Install node and set version
+      shell: >
+        source ~/.nvm/nvm.sh && nvm install {{ nodejs_version }} && nvm use {{ nodejs_version }}
+      args:
+        executable: /bin/bash

deploy/templates/nginx.conf

@@ -0,0 +1,17 @@
+server {
+    listen 80;
+    listen [::]:80;
+    server_name {{ domain }};
+    access_log /var/log/nginx/{{ domain }}.log;
+    error_log  /var/log/nginx/{{ domain }}-error.log error;
+
+    location / {
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host $http_host;
+        proxy_pass http://127.0.0.1:3000;
+        proxy_redirect off;
+        client_max_body_size 10M;
+    }
+}

deploy/templates/start.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+. /home/deploy/.nvm/nvm.sh
+npm start

deploy/templates/systemd.service

@@ -0,0 +1,14 @@
+[Unit]
+Description={{ domain }}
+After=network.target
+
+[Service]
+Environment=NODE_ENV=production
+Type=simple
+User=root
+WorkingDirectory=/home/{{ domain }}
+ExecStart=/home/{{ domain }}/start.sh
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

remix.init/index.js

@@ -191,11 +191,6 @@ const main = async ({ packageManager, rootDirectory }) => {
     fs.rm(path.join(rootDirectory, "LICENSE.md")),
   ]);
 
-  execSync("git submodule add [email protected]:bocoup/deploy.git", {
-    cwd: rootDirectory,
-    stdio: "inherit",
-  });
-
   execSync(pm.run("setup"), { cwd: rootDirectory, stdio: "inherit" });
 
   execSync(pm.run("format", "--log-level warn"), {