@waynegraham
Last active March 21, 2018 20:06
Travis deployment of Jekyll sites with Let's Encrypt on Ubuntu.

Deploying Jekyll Site to Server

Project Setup (local)

Server Setup (server)

  • Create a new bare repo in /var/www
server$ sudo mkdir -p /var/www/[project_name]/shared/[project_name].git
server$ cd /var/www/[project_name]/shared/[project_name].git
server$ sudo git --bare init
server$ sudo mkdir -p /var/www/[project_name]/current
  • Create a post-receive hook (hooks/post-receive)
  • Make the hook executable (e.g. chmod +x hooks/post-receive)

Apache Setup (server)

  • Create a new configuration in /etc/apache2/sites-enabled that ends in .conf.
  • Enable the apache configuration (sudo a2ensite [project_name])
  • Reload the apache2 daemon (sudo service apache2 reload)

S3 (AWS Console)

  • Add an A record for the project.

Let's Encrypt (server)

  • Add the cert
server$ sudo certbot --apache -d [project_url] -d www.[project_url]

It's a good idea to have it automatically force SSL.

See the certbot install docs

Travis Deployment (local, CI Server)

This is only really necessary if there are multiple people working on the project on GitHub and you want to use GH for ACLs instead of syncing them on your server. Otherwise, just add a remote to the server (see below).

More info at https://blog.travis-ci.com/2017-11-01-security-advisory-ro-deploy-keys

  • Generate a deployment key (if you don't have one already) in the project directory
local$ ssh-keygen -t rsa -b 4096 -C '[email protected]' -f ./deploy_rsa
  • Encrypt the private key
local$ travis encrypt-file deploy_rsa --add
  • Copy the deployment key to server
local$ ssh-copy-id -i ~/.ssh/deploy_rsa.pub <ssh_user>@<host>
  • Move the keys to ~/.ssh (mv deploy_rsa deploy_rsa.pub ~/.ssh)
  • Add the encrypted file
local$ git add deploy_rsa.enc
  • Update .travis.yml
addons:
  ssh_known_hosts:
    - <server>

before_install:
  - openssl aes-256-cbc -K $encrypted_<...>_key -iv $encrypted_<...>_iv -in deploy_rsa.enc -out /tmp/deploy_rsa -d

after_success:
  - eval "$(ssh-agent -s)" #start the ssh agent
  - chmod 600 /tmp/deploy_rsa
  - ssh-add /tmp/deploy_rsa
  - git remote add deploy $git_remote
  - git push deploy

Be sure to check the $encrypted_<...>_key and $encrypted_<...>_iv values from the Travis settings.

While you're getting the correct key variables, create a new $git_remote variable with the complete ssh string (e.g. ssh://username@server:/var/www/[project_name]/shared/[project_name].git).
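
The after_success steps above run on every successful build. As an added example (not part of the original gist), a deploy script that only pushes for a push build of the deploy branch and names the target ref explicitly; DEPLOY_BRANCH, KEY_FILE, the function names and the --run switch are assumptions of this sketch, while TRAVIS_PULL_REQUEST and TRAVIS_BRANCH are set by Travis:

```shell
#!/bin/sh
# Added example, not part of the gist. DEPLOY_BRANCH, KEY_FILE and the
# function names are assumptions; $git_remote is the Travis setting above.
DEPLOY_BRANCH="${DEPLOY_BRANCH:-master}"
KEY_FILE="${KEY_FILE:-/tmp/deploy_rsa}"

# True only for a push build of DEPLOY_BRANCH. Travis sets
# TRAVIS_PULL_REQUEST to "false" for push builds and to the PR number
# otherwise; for a PR, TRAVIS_BRANCH is the target branch, so both
# checks are needed.
should_deploy() {
    [ "${TRAVIS_PULL_REQUEST:-}" = "false" ] &&
        [ "${TRAVIS_BRANCH:-}" = "$DEPLOY_BRANCH" ]
}

# Load the decrypted key into a throwaway agent, delete the key file,
# push, then stop the agent. Travis builds a detached HEAD, so the
# push names the target ref explicitly.
deploy() {
    [ -n "${git_remote:-}" ] || { echo "git_remote is not set" >&2; return 1; }
    chmod 600 "$KEY_FILE" || return 1
    eval "$(ssh-agent -s)" >/dev/null || return 1
    ssh-add "$KEY_FILE" &&
        rm -f "$KEY_FILE" &&
        git remote add deploy "$git_remote" &&
        git push deploy "HEAD:refs/heads/$DEPLOY_BRANCH"
    status=$?
    ssh-agent -k >/dev/null
    return "$status"
}

# Only act when called as "sh deploy.sh --run" from after_success.
if [ "${1:-}" = "--run" ]; then
    if should_deploy; then
        deploy
    else
        echo "Not a push build of $DEPLOY_BRANCH; skipping deploy"
    fi
fi
```
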

git Remote Setup (local)

laptop$ git remote add production ssh://username@server:/var/www/[project_name]/shared/[project_name].git
laptop$ git push production +master:refs/heads/master

post-receive hook (hooks/post-receive)

#!/bin/sh
#
# Post receive hook script for the "post-receive" event.
#
# The "post-receive" script is run after receive-pack has accepted a pack
# and the repository has been updated. It is passed arguments in through
# stdin in the form
# <oldrev> <newrev> <refname>
# For example:
# aa453216d1b3e49e7f6f98441fa56946ddcd6a20 68f7abf4e6f922807889f52bc043ecd31b79f814 refs/heads/master
#
# see contrib/hooks/ for a sample, or uncomment the next line and
# rename the file to "post-receive".
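# Project paths; replace [project_name] with the real project name.
PROJECT_BASE="/var/www/[project_name]"
GIT_REPO="$PROJECT_BASE/shared/[project_name].git"
TMP_GIT_CLONE="$PROJECT_BASE/shared/build"
GEMFILE="$TMP_GIT_CLONE/Gemfile"
PUBLIC_WWW="$PROJECT_BASE/current"

# Clone the freshly pushed repository into a scratch directory.
mkdir -p "$TMP_GIT_CLONE"
git clone "$GIT_REPO" "$TMP_GIT_CLONE"

# Install the site's gems, then build straight into the Apache DocumentRoot.
BUNDLE_GEMFILE="$GEMFILE" bundle install --path vendor/bundle
BUNDLE_GEMFILE="$GEMFILE" bundle exec jekyll build --baseurl '' -s "$TMP_GIT_CLONE" -d "$PUBLIC_WWW"
# jekyll build -s $TMP_GIT_CLONE -d $PUBLIC_WWW

# Remove the scratch clone.
rm -Rf "$TMP_GIT_CLONE"
exit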
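
The hook above rebuilds on every push and never reads the `<oldrev> <newrev> <refname>` lines its header describes. As an added example (not the gist's own hook), a variant that deploys only when refs/heads/master is updated and builds exactly the pushed revision; DEPLOY_REF and the function names are assumptions, and the paths reuse the [project_name] layout from this page:

```shell
#!/bin/sh
# Added example, not the gist's hook. DEPLOY_REF and the function names
# are assumptions; the paths reuse the gist's [project_name] layout.
PROJECT_BASE="/var/www/[project_name]"
GIT_REPO="$PROJECT_BASE/shared/[project_name].git"
PUBLIC_WWW="$PROJECT_BASE/current"
DEPLOY_REF="refs/heads/master"

# Read "<oldrev> <newrev> <refname>" lines on stdin and print the new
# revision of every update to DEPLOY_REF. Other branches, tags and
# deletions (an all-zero newrev) print nothing.
revs_to_deploy() {
    while read -r _oldrev newrev refname; do
        [ "$refname" = "$DEPLOY_REF" ] || continue
        case "$newrev" in
            *[!0]*) printf '%s\n' "$newrev" ;;
        esac
    done
}

# Check out exactly the pushed revision in a scratch clone and build it.
build_and_publish() {
    rev=$1
    # git exports GIT_DIR to hooks; left set, it would point the git
    # calls below at the wrong repository.
    unset GIT_DIR
    work=$(mktemp -d) || return 1
    git clone --quiet "$GIT_REPO" "$work" &&
        git -C "$work" checkout --quiet --detach "$rev" &&
        BUNDLE_GEMFILE="$work/Gemfile" bundle install --path vendor/bundle &&
        BUNDLE_GEMFILE="$work/Gemfile" bundle exec jekyll build --baseurl '' -s "$work" -d "$PUBLIC_WWW"
    status=$?
    rm -rf "$work"
    return "$status"
}

# Run only when git invokes this file as hooks/post-receive, so the
# functions above can be sourced and tested without side effects.
case "$0" in
    */post-receive|post-receive)
        rev=$(revs_to_deploy | tail -n 1)
        if [ -n "$rev" ]; then build_and_publish "$rev"; fi
        ;;
esac
```
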

Apache virtual host configuration

<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    ServerName project.example.org
    ServerAlias www.project.example.org
    ServerAdmin <email>

    DocumentRoot /var/www/[project_name]/current
    <Directory /var/www/[project_name]/current>
        AllowOverride ALL
    </Directory>

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/[project_name]-error.log
    CustomLog ${APACHE_LOG_DIR}/[project_name].log combined
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet