Feat/add ssl to vps and custom modifications/requirements to README

.env.custom

@@ -5,8 +5,8 @@ KAFKA_NUM_IO_THREADS=8
 KAFKA_REQUEST_TIMEOUT_MS=60000
 KAFKA_REPLICA_SOCKET_TIMEOUT_MS=60000
 
-#use HTTP on port 80
-SENTRY_BIND=80
+#use HTTP on port 8081 - meant to be redirected from nginx
+SENTRY_BIND=8081
 
 #uncomment when SSL is ready
 # SENTRY_BIND=443

.pre-commit-config.yaml

@@ -11,7 +11,7 @@ repos:
       entry: --net none mvdan/shfmt:v3.5.1
       args: [-w, -d]
       files: .*\.sh
-      stages: [commit, merge-commit, push, manual]
+      stages: [pre-commit, pre-merge-commit, pre-push, manual]
 - repo: https://github.com/pre-commit/pre-commit-hooks
   rev: v4.3.0
   hooks:

README.md

@@ -3,3 +3,38 @@
 [Sentry](https://sentry.io/), feature-complete and packaged up for low-volume deployments and proofs-of-concept.
 
 Documentation [here](https://develop.sentry.dev/self-hosted/).
+
+
+## Meticulous Espresso instance
+
+### Custom files
+
+#### configure-swap.sh
+
+ This file will modify the sentry settings that are present in the `./sentry/config.yml` and `sentry/sentry.conf.py` files to get the installation ready to work.
+
+ Changes done are the following
+ - Set Kafka's `message.max.bytes` to `100000000` (`sentry/sentry.conf.py`)
+ - Set Kafka's `socket.timeout.ms` to `60000` (`sentry/sentry.conf.py`)
+ - Add to the `CSRF Trusted Origins` the registered domain `https://sentry.meticulousespresso.com` (`sentry/sentry.conf.py`)
+ - Setting `system.url.prefix` to `https://sentry.meticulousespresso.com` (`./sentry/config.yml`)
+ - Setting up sentry to work behind a reverse proxy
+   - Uncomment `SSL/TSL` section (`sentry/sentry.conf.py`)
+ - Set up `4G` of swap space if there is none
+
+ #### .env.custom
+
+ This file sets some custom KAFKA settings and the network port to bind sentry to (`8081`)
+
+---
+
+### External requirements
+
+#### Docker
+ The Self-Hosted Sentry deploymentent is completely containarized
+
+#### Nginx
+ We run an Nginx instance in the VPS that handles SSL termination and redirects the request to `http://localhost:8081` where its listen and responded to by the sentry deployment
+
+#### Certbot
+ To get the SSL certificates for `sentry.meticulousespresso.com` used by Nginx

configure-swap.sh

@@ -1,23 +1,24 @@
+#!/usr/bin/env bash
 set -euo pipefail
 
 # CSRF_TRUSTED_ORIGIN="http://65.109.232.162:9000"
-CSRF_TRUSTED_ORIGIN="http://sentry.meticulousespresso.com"
+CSRF_TRUSTED_ORIGIN="https://sentry.meticulousespresso.com"
 
 # modify generated configuration files
 
 ERROR=0
 if [ ! -e "./sentry/config.yml" ]; then
-    echo "missing file: ./sentry/config.yml"
-    ERROR=2
+  echo "missing file: ./sentry/config.yml"
+  ERROR=2
 fi
 
 if [ ! -e "./sentry/sentry.conf.py" ]; then
-    echo "don't run this script individually, run ./install.sh instead"
-    ERROR=2
+  echo "don't run this script individually, run ./install.sh instead"
+  ERROR=2
 fi
 
-if (( ERROR != 0 )); then
-    exit $ERROR
+if ((ERROR != 0)); then
+  exit $ERROR
 fi
 
 echo ""
@@ -28,9 +29,9 @@ echo ""
 echo " > Updating default kafka options"
 
 sed -i \
-    -e 's/\("message\.max\.bytes": \)[0-9]\+/\110000000/' \
-    -e 's/\("socket\.timeout\.ms": \)[0-9]\+/\160000/' \
-    ./sentry/sentry.conf.py
+  -e 's/\("message\.max\.bytes": \)[0-9]\+/\110000000/' \
+  -e 's/\("socket\.timeout\.ms": \)[0-9]\+/\160000/' \
+  ./sentry/sentry.conf.py
 
 echo ""
 echo -e "   -> message.max.bytes set to  100000000\n   -> socket.timeout.ms set to 60000"
@@ -50,42 +51,57 @@ echo ""
 sed -i -E "s|^#?[[:space:]]*system.url-prefix:.*|system.url-prefix: $CSRF_TRUSTED_ORIGIN|" ./sentry/config.yml
 
 echo -e "   -> system.url-prefix set to $CSRF_TRUSTED_ORIGIN"
+echo ""
+echo ""
+echo " > Configuring to work behind SSL reverse proxy"
+# SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+sed -i -E "s|^#?[[:space:]]*SECURE_PROXY_SSL_HEADER =.*|SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')|" ./sentry/sentry.conf.py
+# USE_X_FORWARDED_HOST = True
+sed -i -E "s|^#?[[:space:]]*USE_X_FORWARDED_HOST =.*|USE_X_FORWARDED_HOST = True|" ./sentry/sentry.conf.py
+# SESSION_COOKIE_SECURE = True
+sed -i -E "s|^#?[[:space:]]*SESSION_COOKIE_SECURE =.*|SESSION_COOKIE_SECURE = True|" ./sentry/sentry.conf.py
+# CSRF_COOKIE_SECURE = True
+sed -i -E "s|^#?[[:space:]]*CSRF_COOKIE_SECURE =.*|CSRF_COOKIE_SECURE = True|" ./sentry/sentry.conf.py
+# SOCIAL_AUTH_REDIRECT_IS_HTTPS = True
+sed -i -E "s|^#?[[:space:]]*SOCIAL_AUTH_REDIRECT_IS_HTTPS =.*|SOCIAL_AUTH_REDIRECT_IS_HTTPS = True|" ./sentry/sentry.conf.py
+
+echo ""
+echo ""
 
 echo " > Checking use of Swap space"
 echo ""
 # check use of swap space
 SWAP_CHECK="$(swapon --show)"
 
 if [ -n "$SWAP_CHECK" ]; then
-    echo "   -> swap space already configured"
-    echo "$SWAP_CHECK" | awk 'END{print}'
+  echo "   -> swap space already configured"
+  echo "$SWAP_CHECK" | awk 'END{print}'
 else
-    # set up swapspace
-    MINIMUM_SPACE_REQUIRED=4
+  # set up swapspace
+  MINIMUM_SPACE_REQUIRED=4
 
-    available_space=$(df --output=avail -BG / | tail -1 | sed 's/G//' | tr -d ' ')
+  available_space=$(df --output=avail -BG / | tail -1 | sed 's/G//' | tr -d ' ')
 
-    if (( available_space < MINIMUM_SPACE_REQUIRED )); then
-        echo " [x] Less than $MINIMUM_SPACE_REQUIRED G available, cannot set up swap space"
-        exit 1
-    fi
+  if ((available_space < MINIMUM_SPACE_REQUIRED)); then
+    echo " [x] Less than $MINIMUM_SPACE_REQUIRED G available, cannot set up swap space"
+    exit 1
+  fi
 
-    SWAP_SIZE="${MINIMUM_SPACE_REQUIRED}G"
-    fallocate -l "$SWAP_SIZE" /swapfile
-    chmod 600 /swapfile
-    mkswap /swapfile
-    swapon /swapfile
+  SWAP_SIZE="${MINIMUM_SPACE_REQUIRED}G"
+  fallocate -l "$SWAP_SIZE" /swapfile
+  chmod 600 /swapfile
+  mkswap /swapfile
+  swapon /swapfile
 
-    #save the swap config
-    echo "   -> Saving Swap space config"
-    echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
+  #save the swap config
+  echo "   -> Saving Swap space config"
+  echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
 fi
 
-
-  echo ""
-  echo "-----------------------------------------------------------------"
-  echo ""
-  echo "Now You're all set! Trust me :P"
-  echo ""
-  echo "-----------------------------------------------------------------"
-  echo ""
+echo ""
+echo "-----------------------------------------------------------------"
+echo ""
+echo "Now You're all set! Trust me :P"
+echo ""
+echo "-----------------------------------------------------------------"
+echo ""

docker-compose.override.yml

@@ -1,8 +1,8 @@
-services:  
+services:
   kafka:
       mem_limit: 6g
       cpus: 2.0
       ulimits:
         nofile:
           soft: 32768
-          hard: 32768
+          hard: 32768

install.sh

@@ -44,6 +44,6 @@ source install/geoip.sh
 source install/setup-js-sdk-assets.sh
 source install/wrap-up.sh
 
-# make this run on the hetzner server if 
+# make this run on the hetzner server if
 # everything went allright :P
-source ./configure-swap.sh
+source ./configure-swap.sh