budnik · September 28, 2017 00:37
diff --git a/bootstrap.sh b/bootstrap.sh
 #!/bin/bash
 TOKEN=foo
 ES_NAME=bar
 EXPOSED_IP=$(ip -o -f inet addr show eth0|egrep '([0-9]{1,3}\.){3}[0-9]{1,3}' -o|head -n1)
 export ELASTICSEARCH_IMAGE_VERSION="1.7.1"

 # Protect ES with Firewall
 sed -i '/DEFAULT_FORWARD_POLICY/s/DROP/ACCEPT/g' /etc/default/ufw
 IPS_ALLOW=/var/tmp/ufw-dynamic-ips.allow
 ufw allow http
 ufw allow https
 ufw allow ssh
 # ufw allow 2375/tcp

 ufw enable
 curl https://api.digitalocean.com/v2/droplets -H "Authorization: Bearer ${TOKEN}"|egrep 'ip_address":"([^"]+)' -o|cut -sd\" -f3|tee ${IPS_ALLOW}|xargs -n1 /usr/sbin/ufw allow from
 if [ -f ${IPS_ALLOW} ]; then
  for ip in `/usr/sbin/ufw status |grep ^Anywhere|grep ALLOW|grep -P '[\d\.]+' -o`
    do grep -q $ip ${IPS_ALLOW} || /usr/sbin/ufw delete allow from $ip
  done
 fi
 rm ${IPS_ALLOW}

 # Install dokku
 wget https://raw.github.com/progrium/dokku/v0.4.0/bootstrap.sh
 DOKKU_TAG=v0.4.0 bash bootstrap.sh
 echo 'DOCKER_OPTS="--iptables=false"'>>/etc/default/docker

 # Import SSH keys from DO to allow deploy via git
 while read line; do
 echo $line |sshcommand acl-add dokku ${line##* }>/dev/null
 done < <(curl https://api.digitalocean.com/v2/account/keys -H "Authorization: Bearer ${TOKEN}"|egrep 'ssh-\w+( [^ "]+){2}' -o|xargs  -n3)

 echo 'foo.com'>/home/dokku/VHOST
 rm /etc/nginx/sites-enabled/default

 # Install kibana 4
 dokku plugin:install https://github.com/dokku/dokku-elasticsearch.git
 dokku apps:create kibana
 git clone https://github.com/docker-library/kibana.git /tmp/k/
 tar -cC /tmp/k/4.1/ .|dokku tar:in kibana
 rm -rf /tmp/k/

 # Setup ElasticSearch
 dokku elasticsearch:create ${ES_NAME}
 # Update ES settings
 echo "transport.publish_host: ${EXPOSED_IP}
 http.publish_host: ${EXPOSED_IP}"'
 discovery.zen.ping.multicast.enabled: false
 discovery.zen.ping.multicast.enabled: true
 discovery.zen.minimum_master_nodes: 1
 http.publish_port: 50004
 transport.publish_port: 50005
 node.max_local_storage_nodes: 1
 action.destructive_requires_name: true
 discovery.zen.ping.unicast.hosts: ["billing.payt.nl:50005"]' > \
 /var/lib/dokku/services/elasticsearch/${ES_NAME}/config/elasticsearch.yml

 echo '
 es.logger.level: INFO
 rootLogger: ${es.logger.level}, console
 logger:
  action: DEBUG
  deprecation: INFO
  org.apache.http: INFO
  #gateway: DEBUG
  #index.gateway: DEBUG
  #indices.recovery: DEBUG
  discovery: INFO
  index.search.slowlog: TRACE
  index.indexing.slowlog: TRACE
 additivity:
  index.search.slowlog: false
  index.indexing.slowlog: false
  deprecation: false
 appender:
  console:
    type: console
    layout:
      type: consolePattern
      conversionPattern: "[%d{ISO8601}][%-5p][%-25c] %m%n"' > \
 /var/lib/dokku/services/elasticsearch/${ES_NAME}/config/logging.yml

 dokku elasticsearch:restart ${ES_NAME}
 dokku elasticsearch:link ${ES_NAME} kibana
 dokku elasticsearch:expose ${ES_NAME} 50004 50005


 # https://github.com/docker/docker/issues/7276

 apt-get install apparmor-utils -y
 echo '#!/bin/sh -e
 aa-complain /etc/apparmor.d/docker
 iptables -t nat -A POSTROUTING ! -o docker0 -s 172.17.0.0/16 -j MASQUERADE
 echo never > /sys/kernel/mm/transparent_hugepage/enabled
 exit 0'>/etc/rc.local
 # Reboot as docker install has added iptables rule that break firewall
 reboot
diff --git a/nginx.conf.template b/nginx.conf.template
 upstream elasticsearch {
  server `docker inspect --format '{{ .NetworkSettings.IPAddress }}' elasticsearch_www`:9200;
  keepalive 15;
 }
 server {
  listen      [::]:60004 ssl;
  listen      60004 ssl;
  server_name billing.payt.nl;
 $SSL_DIRECTIVES

  keepalive_timeout   70;
  location    / {
    proxy_pass http://elasticsearch;
    proxy_http_version 1.1;
    proxy_set_header Upgrade \$http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host \$http_host;
    proxy_set_header X-Forwarded-Proto \$scheme;
    proxy_set_header X-Forwarded-For \$remote_addr;
    proxy_set_header X-Forwarded-Port \$server_port;
    proxy_set_header X-Request-Start \$msec;
  }
 }

 server {
  listen      [::]:80;
  listen      80;
  return 301 https://billing.payt.nl\$request_uri;
 }

 server {
  listen      [::]:443 ssl spdy;
  listen      443 ssl spdy;
  server_name billing.payt.nl;
 $SSL_DIRECTIVES

  keepalive_timeout   70;
  add_header          Alternate-Protocol  443:npn-spdy/2;
  location    / {
    proxy_pass  http://$APP;
    proxy_http_version 1.1;
    proxy_set_header Upgrade \$http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host \$http_host;
    proxy_set_header X-Forwarded-Proto \$scheme;
    proxy_set_header X-Forwarded-For \$remote_addr;
    proxy_set_header X-Forwarded-Port \$server_port;
    proxy_set_header X-Request-Start \$msec;
  }
  include $DOKKU_ROOT/$APP/nginx.conf.d/*.conf;
 }
	#!/bin/bash
	TOKEN=foo
	ES_NAME=bar
	EXPOSED_IP=$(ip -o -f inet addr show eth0\|egrep '([0-9]{1,3}\.){3}[0-9]{1,3}' -o\|head -n1)
	export ELASTICSEARCH_IMAGE_VERSION="1.7.1"

	# Protect ES with Firewall
	sed -i '/DEFAULT_FORWARD_POLICY/s/DROP/ACCEPT/g' /etc/default/ufw
	IPS_ALLOW=/var/tmp/ufw-dynamic-ips.allow
	ufw allow http
	ufw allow https
	ufw allow ssh
	# ufw allow 2375/tcp

	ufw enable
	curl https://api.digitalocean.com/v2/droplets -H "Authorization: Bearer ${TOKEN}"\|egrep 'ip_address":"([^"]+)' -o\|cut -sd\" -f3\|tee ${IPS_ALLOW}\|xargs -n1 /usr/sbin/ufw allow from
	if [ -f ${IPS_ALLOW} ]; then
	for ip in `/usr/sbin/ufw status \|grep ^Anywhere\|grep ALLOW\|grep -P '[\d\.]+' -o`
	do grep -q $ip ${IPS_ALLOW} \|\| /usr/sbin/ufw delete allow from $ip
	done
	fi
	rm ${IPS_ALLOW}

	# Install dokku
	wget https://raw.github.com/progrium/dokku/v0.4.0/bootstrap.sh
	DOKKU_TAG=v0.4.0 bash bootstrap.sh
	echo 'DOCKER_OPTS="--iptables=false"'>>/etc/default/docker

	# Import SSH keys from DO to allow deploy via git
	while read line; do
	echo $line \|sshcommand acl-add dokku ${line##* }>/dev/null
	done < <(curl https://api.digitalocean.com/v2/account/keys -H "Authorization: Bearer ${TOKEN}"\|egrep 'ssh-\w+( [^ "]+){2}' -o\|xargs -n3)

	echo 'foo.com'>/home/dokku/VHOST
	rm /etc/nginx/sites-enabled/default

	# Install kibana 4
	dokku plugin:install https://github.com/dokku/dokku-elasticsearch.git
	dokku apps:create kibana
	git clone https://github.com/docker-library/kibana.git /tmp/k/
	tar -cC /tmp/k/4.1/ .\|dokku tar:in kibana
	rm -rf /tmp/k/

	# Setup ElasticSearch
	dokku elasticsearch:create ${ES_NAME}
	# Update ES settings
	echo "transport.publish_host: ${EXPOSED_IP}
	http.publish_host: ${EXPOSED_IP}"'
	discovery.zen.ping.multicast.enabled: false
	discovery.zen.ping.multicast.enabled: true
	discovery.zen.minimum_master_nodes: 1
	http.publish_port: 50004
	transport.publish_port: 50005
	node.max_local_storage_nodes: 1
	action.destructive_requires_name: true
	discovery.zen.ping.unicast.hosts: ["billing.payt.nl:50005"]' > \
	/var/lib/dokku/services/elasticsearch/${ES_NAME}/config/elasticsearch.yml

	echo '
	es.logger.level: INFO
	rootLogger: ${es.logger.level}, console
	logger:
	action: DEBUG
	deprecation: INFO
	org.apache.http: INFO
	#gateway: DEBUG
	#index.gateway: DEBUG
	#indices.recovery: DEBUG
	discovery: INFO
	index.search.slowlog: TRACE
	index.indexing.slowlog: TRACE
	additivity:
	index.search.slowlog: false
	index.indexing.slowlog: false
	deprecation: false
	appender:
	console:
	type: console
	layout:
	type: consolePattern
	conversionPattern: "[%d{ISO8601}][%-5p][%-25c] %m%n"' > \
	/var/lib/dokku/services/elasticsearch/${ES_NAME}/config/logging.yml

	dokku elasticsearch:restart ${ES_NAME}
	dokku elasticsearch:link ${ES_NAME} kibana
	dokku elasticsearch:expose ${ES_NAME} 50004 50005


	# https://github.com/docker/docker/issues/7276

	apt-get install apparmor-utils -y
	echo '#!/bin/sh -e
	aa-complain /etc/apparmor.d/docker
	iptables -t nat -A POSTROUTING ! -o docker0 -s 172.17.0.0/16 -j MASQUERADE
	echo never > /sys/kernel/mm/transparent_hugepage/enabled
	exit 0'>/etc/rc.local
	# Reboot as docker install has added iptables rule that break firewall
	reboot
	upstream elasticsearch {
	server `docker inspect --format '{{ .NetworkSettings.IPAddress }}' elasticsearch_www`:9200;
	keepalive 15;
	}
	server {
	listen [::]:60004 ssl;
	listen 60004 ssl;
	server_name billing.payt.nl;
	$SSL_DIRECTIVES

	keepalive_timeout 70;
	location / {
	proxy_pass http://elasticsearch;
	proxy_http_version 1.1;
	proxy_set_header Upgrade \$http_upgrade;
	proxy_set_header Connection "upgrade";
	proxy_set_header Host \$http_host;
	proxy_set_header X-Forwarded-Proto \$scheme;
	proxy_set_header X-Forwarded-For \$remote_addr;
	proxy_set_header X-Forwarded-Port \$server_port;
	proxy_set_header X-Request-Start \$msec;
	}
	}

	server {
	listen [::]:80;
	listen 80;
	return 301 https://billing.payt.nl\$request_uri;
	}

	server {
	listen [::]:443 ssl spdy;
	listen 443 ssl spdy;
	server_name billing.payt.nl;
	$SSL_DIRECTIVES

	keepalive_timeout 70;
	add_header Alternate-Protocol 443:npn-spdy/2;
	location / {
	proxy_pass http://$APP;
	proxy_http_version 1.1;
	proxy_set_header Upgrade \$http_upgrade;
	proxy_set_header Connection "upgrade";
	proxy_set_header Host \$http_host;
	proxy_set_header X-Forwarded-Proto \$scheme;
	proxy_set_header X-Forwarded-For \$remote_addr;
	proxy_set_header X-Forwarded-Port \$server_port;
	proxy_set_header X-Request-Start \$msec;
	}
	include $DOKKU_ROOT/$APP/nginx.conf.d/*.conf;
	}