Merge branch 'main' into issue202exportSVG

Author: hamidahoderinwale

.github/pull_request_template.md

@@ -36,11 +36,18 @@ jobs:
           rustup toolchain install stable
           rustup target add wasm32-unknown-unknown
 
-      - name: Build
+      - name: Build for Prod
+        if: github.event_name == 'release'
         run: |
           pnpm install
           pnpm --filter ./packages/frontend run build
 
+      - name: Build for Staging
+        if: github.event_name == 'push' || github.event_name == 'pull_request'
+        run: |
+          pnpm install
+          pnpm --filter ./packages/frontend run build --mode staging
+
       - name: Upload
         uses: actions/upload-artifact@v4
         with:

.github/workflows/deploy.yml

@@ -44,17 +44,59 @@
 \p{However, this will not update the version of catcolab that is running on the server. There is currently a somewhat manual process to do this, because Owen believes that it is important for people to understand the steps of the manual process so that they can debug things when they go wrong.}
 
 \p{On backend-next.catcolab.org, there is a git clone of the catcolab repository in \code{/var/lib/catcolab}. There is a daemon (managed via systemd) that runs \code{node dist/index.js} in \code{/var/lib/catcolab/packages/backend}. In order to upgrade the version of catcolab that is running on the server, one should:}
-
 \ol{
-\li{Log in via \code{ssh} into backend-next.catcolab.org (if you don't have an account with administrator access, ask Owen)}
-\li{Use \code{su} to become the user \code{catcolab}.}
+\li{Log in via \code{ssh root@backend-next.catcolab.org}. If you don't have access, ask Shaowei.}
+\li{Use \code{su - catcolab} to become the user \code{catcolab}.}
 \li{\code{cd} into \code{/var/lib/catcolab/packages/backend}.}
 \li{Use \code{git} to checkout the desired version of catcolab.}
 \li{Run \code{npm run build} to produce a new \code{dist/index.js} file.}
-\li{Run as user root \code{systemctl stop catcolab}; this will temporarily stop the backend.}
+\li{Run as user root \code{systemctl stop catcolab}; this will temporarily stop the backend. It is helpful to do this in another terminal window.}
 \li{Run as user catcolab in \code{/var/lib/catcolab/packages/backend} \code{npm run migrate}. This will update the database with new any migrations that have been added since the last time the database was migrated.}
 \li{Run as user root \code{systemctl start catcolab}; this will start back up the backend.}
 \li{(If there are no new migrations, the previous three commands can simply be accomplished via \code{systemctl restart catcolab})}
-\li{You can check the status of the catcolab daemon with \code{systemctl status catcolab}, or look at the log messages with \code{journalctl -u catcolab}.}
+\li{You can check the status of the catcolab daemon with \code{systemctl status catcolab}, or look at the log messages with \code{journalctl -eu catcolab}.}
+}
+
+\p{To give a new user access to the servers:}
+\ol{
+\li{Update the public keys in \code{infrastructure/hosts/catcolab/default.nix}.}
+\li{Get someone with server access to run \code{nix develop; deploy .#catcolab}.}
+}
+
+\p{To give a new user access to the secrets:}
+\ol{
+\li{Update the public keys in \code{infrastructure/secrets/secrets.nix}.}
+\li{Get someone with secret access to run \code{nix develop; agenix -r}.}
+}
+
+\p{If you are creating an AWS instance and setting up a CatColab backend, e.g. \code{backend-next}, for the first time:}
+\ol{
+\li{Use the \code{nixos/24.05.3348.7e5afd404b62-x86_64-linux} community AMI.}
+\li{Add 50GB of storage to the instance.}
+\li{Open ports 80, 443 for HTTP, HTTPS in addition to port 22 for SSH.}
+\li{Add a public key of the machine to \code{infrastructure/secrets/secrets.nix}. You can get the public keys by running \code{ssh-keyscan <machine-ip-address>}.}
+\li{In the \code{namecheap} domain name hosting service, point \code{backend-next.catcolab.org} to the instance's IP address.}
+\li{Log in via \code{ssh root@backend-next.catcolab.org}. If you don't have access, ask Shaowei.}
+\li{Use \code{git} to clone the catcolab repo in \code{/var/lib}. Rename the directory with \code{mv CatColab catcolab} and change ownership with \code{chown -R catcolab:catcolab catcolab}.}
+\li{Use \code{su - catcolab} to become the user \code{catcolab}.}
+\li{\code{cd} into \code{/var/lib/catcolab/packages/backend}.}
+\li{Use \code{git} to checkout the desired version of catcolab.}
+\li{Run \code{pnpm install} to install dependencies.}
 }
+
+\p{Setting up the Postgres database:}
+\ol{
+\li{\code{su - postgres}}
+\li{\code{createuser catcolab}}
+\li{\code{createdb catcolab}}
+\li{\code{psql}}
+  \ul{
+  \li{\code{alter user catcolab with encrypted password '<password>';}}
+  \li{\code{grant all privileges on database catcolab to catcolab;}}
+  \li{\code{﹨c catcolab postgres}}
+  \li{\code{grant all on schema public to catcolab;}}
+  \li{\code{exit}}
+  }
+}
+
 }

dev-docs/trees/dev-000A.tree

@@ -39,6 +39,12 @@
               sshUser = "root";
             };
           };
+          catcolab-next = {
+            hostname = "ec2-18-191-165-64.us-east-2.compute.amazonaws.com";
+            profiles.system = mkSystemProfile "catcolab-next" // {
+              sshUser = "root";
+            };
+          };
         };
 
         devShells.${system}.default = import ./shell { inherit self pkgs inputs; };

infrastructure/flake.nix

@@ -0,0 +1,83 @@
+{ inputs, pkgs, config, ... }:
+
+let
+    port = "8000";
+    startScript = pkgs.writeShellScript "catcolab.sh" ''
+        rm -f instrument.mjs
+        cp ${config.age.secrets."instrument.mjs".path} .
+        ${pkgs.nodejs}/bin/node dist/index.js
+    '';
+in {
+    age.secrets.DATABASE_URL = {
+        file = "${inputs.self}/secrets/DATABASE_URL.age";
+        mode = "400";
+        owner = "catcolab";
+    };
+
+    age.secrets."instrument.mjs" = {
+        file = "${inputs.self}/secrets/instrument.mjs.age";
+        mode = "400";
+        owner = "catcolab";
+    };
+
+    services.postgresql.enable = true;
+
+    services.nginx.enable = true;
+    services.nginx.virtualHosts."backend-next.catcolab.org" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+            extraConfig = ''
+                if ($request_method = OPTIONS) {
+                    return 204;
+                }
+                proxy_hide_header 'Access-Control-Allow-Origin';
+                add_header 'Access-Control-Allow-Origin' '*' always;
+                add_header 'Access-Control-Allow-Methods' 'GET, POST, DELETE, PUT, OPTIONS' always;
+                add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
+                proxy_pass http://localhost:${port};
+                error_log syslog:server=unix:/dev/log;
+                access_log syslog:server=unix:/dev/log;
+                proxy_http_version 1.1;
+                proxy_set_header Upgrade $http_upgrade;
+                proxy_set_header Connection "upgrade";
+            '';
+        };
+    };
+
+    systemd.services.catcolab = {
+        enable = true;
+        wantedBy = ["multi-user.target"];
+
+        environment = {
+            PORT = port;
+            DATABASE_URL_PATH = config.age.secrets.DATABASE_URL.path;
+            NODE_OPTIONS = "--import ./instrument.mjs";
+        };
+
+        serviceConfig = {
+            User = "catcolab";
+            ExecStart = startScript;
+            Type="simple";
+            WorkingDirectory = "/var/lib/catcolab/packages/backend/";
+            Restart = "on-failure";
+        };
+    };
+
+    users.users.catcolab = {
+        isNormalUser = true;
+        group = "catcolab";
+    };
+
+    environment.systemPackages = with pkgs; [
+        rustup
+        nodejs
+        nodejs.pkgs.pnpm
+        git
+        stdenv.cc
+    ];
+
+    environment.variables.DATABASE_URL_PATH = config.age.secrets.DATABASE_URL.path;
+
+    users.groups.catcolab = {};
+}

infrastructure/hosts/catcolab-next/backend.nix

@@ -0,0 +1,55 @@
+{ inputs, ... }:
+
+let
+  owen     = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2sBTuqGoEXRWpBRqTBwZZPDdLGGJ0GQcuX5dfIZKb4 o@red-special";
+  epatters = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAKXx6wMJSeYKCHNmbyR803RQ72uto9uYsHhAPPWNl2D evan@epatters.org";
+  shaowei  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOV/7Vnjn7PwOC9VWyRAvsh5lUieIBHgdf4RRLkL8ZPa shaowei@gmail.com";
+in
+{
+  imports = [
+      ./backend.nix
+      "${inputs.nixpkgs}/nixos/modules/virtualisation/amazon-image.nix"
+  ];
+
+  networking.hostName = "catcolab-next";
+
+  security.sudo.wheelNeedsPassword = false;
+
+  users.mutableUsers = false;
+
+  users.users.o = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+    openssh.authorizedKeys.keys = [ owen ];
+  };
+
+  users.users.epatters = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    openssh.authorizedKeys.keys = [ epatters ];
+  };
+
+  users.users.shaowei = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    openssh.authorizedKeys.keys = [ shaowei ];
+  };
+
+  users.users.root.openssh.authorizedKeys.keys = [ owen epatters shaowei ];
+
+  time.timeZone = "America/New_York";
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+
+  system.stateVersion = "24.05";
+
+  security.acme.acceptTerms = true;
+  security.acme.defaults.email = "owen@topos.institute";
+
+  nix.extraOptions = ''
+    experimental-features = nix-command flakes
+  '';
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+}

infrastructure/hosts/catcolab-next/default.nix

@@ -21,8 +21,8 @@ in {
     };
 
     services.postgresql.enable = true;
-    services.nginx.enable = true;
 
+    services.nginx.enable = true;
     services.nginx.virtualHosts."backend.catcolab.org" = {
         forceSSL = true;
         enableACME = true;
@@ -31,6 +31,7 @@ in {
                 if ($request_method = OPTIONS) {
                     return 204;
                 }
+                proxy_hide_header 'Access-Control-Allow-Origin';
                 add_header 'Access-Control-Allow-Origin' '*' always;
                 add_header 'Access-Control-Allow-Methods' 'GET, POST, DELETE, PUT, OPTIONS' always;
                 add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
@@ -71,6 +72,7 @@ in {
     environment.systemPackages = with pkgs; [
         rustup
         nodejs
+        nodejs.pkgs.pnpm
         git
         stdenv.cc
     ];

…frastructure/hosts/catcolab/catcolab.nix infrastructure/hosts/catcolab/backend.nixinfrastructure/hosts/catcolab/catcolab.nix renamed to infrastructure/hosts/catcolab/backend.nix infrastructure/hosts/catcolab/catcolab.nix renamed to infrastructure/hosts/catcolab/backend.nix

@@ -1,13 +1,13 @@
 { inputs, ... }:
 
 let
-  owen = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2sBTuqGoEXRWpBRqTBwZZPDdLGGJ0GQcuX5dfIZKb4 o@red-special";
+  owen     = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2sBTuqGoEXRWpBRqTBwZZPDdLGGJ0GQcuX5dfIZKb4 o@red-special";
   epatters = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAKXx6wMJSeYKCHNmbyR803RQ72uto9uYsHhAPPWNl2D evan@epatters.org";
-  shaowei = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOV/7Vnjn7PwOC9VWyRAvsh5lUieIBHgdf4RRLkL8ZPa shaowei@gmail.com";
+  shaowei  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOV/7Vnjn7PwOC9VWyRAvsh5lUieIBHgdf4RRLkL8ZPa shaowei@gmail.com";
 in
 {
   imports = [
-      ./catcolab.nix
+      ./backend.nix
       "${inputs.nixpkgs}/nixos/modules/virtualisation/amazon-image.nix"
   ];