ci: add do image build via packer

.github/workflows/build.yml

@@ -228,13 +228,8 @@ jobs:
     steps:
     - name: Set Version Variables
       run: |
-        if [[ "$GITHUB_REF" =~ ^refs/tags/v* ]]; then
-          echo "Using TAG mode: $GITHUB_REF_NAME"
-          echo "REL_VERSION_STRICT=${GITHUB_REF_NAME#?}" >> $GITHUB_ENV
-        else
-          echo "Using BRANCH mode: v$BASE_DEV_VERSION-dev.$GITHUB_RUN_NUMBER"
-          echo "REL_VERSION_STRICT=$BASE_DEV_VERSION-dev.$GITHUB_RUN_NUMBER" >> $GITHUB_ENV
-        fi
+        echo "Using TAG mode: $GITHUB_REF_NAME"
+        echo "REL_VERSION_STRICT=${GITHUB_REF_NAME#?}" >> $GITHUB_ENV
 
     - name: Login to DockerHub
       uses: docker/login-action@v1
@@ -274,13 +269,8 @@ jobs:
     steps:
     - name: Set Version Variables
       run: |
-        if [[ "$GITHUB_REF" =~ ^refs/tags/v* ]]; then
-          echo "Using TAG mode: $GITHUB_REF_NAME"
-          echo "REL_VERSION_STRICT=${GITHUB_REF_NAME#?}" >> $GITHUB_ENV
-        else
-          echo "Using BRANCH mode: v$BASE_DEV_VERSION-dev.$GITHUB_RUN_NUMBER"
-          echo "REL_VERSION_STRICT=$BASE_DEV_VERSION-dev.$GITHUB_RUN_NUMBER" >> $GITHUB_ENV
-        fi
+        echo "Using TAG mode: $GITHUB_REF_NAME"
+        echo "REL_VERSION_STRICT=${GITHUB_REF_NAME#?}" >> $GITHUB_ENV
 
     - name: Login to DockerHub
       uses: docker/login-action@v1
@@ -358,3 +348,29 @@ jobs:
         token: ${{ github.token }}
         artifacts: 'drop/wiki-js.tar.gz,drop-win/wiki-js-windows.tar.gz'
 
+  build-do-image:
+    name: Build DigitalOcean Image
+    runs-on: ubuntu-latest
+    needs: [release]
+
+    steps:
+    - uses: actions/checkout@v2
+
+    - name: Set Version Variables
+      run: |
+        echo "Using TAG mode: $GITHUB_REF_NAME"
+        echo "REL_VERSION_STRICT=${GITHUB_REF_NAME#?}" >> $GITHUB_ENV
+
+    - name: Install Packer
+      run: |
+        curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
+        sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
+        sudo apt-get update && sudo apt-get install packer
+
+    - name: Build Droplet Image
+      env:
+        DIGITALOCEAN_API_TOKEN: ${{ secrets.DO_TOKEN }}
+        WIKI_APP_VERSION: ${{ env.REL_VERSION_STRICT }}
+      working-directory: dev/packer
+      run: |
+        packer build digitalocean.json

.github/workflows/packer.yml

@@ -0,0 +1,31 @@
+name: Build DigitalOcean Image
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'App Version'
+        required: true
+        type: string
+
+jobs:
+  build-do-image:
+    name: Build DigitalOcean Image
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+
+    - name: Install Packer
+      run: |
+        curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
+        sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
+        sudo apt-get update && sudo apt-get install packer
+
+    - name: Build Droplet Image
+      env:
+        DIGITALOCEAN_API_TOKEN: ${{ secrets.DO_TOKEN }}
+        WIKI_APP_VERSION: ${{ github.event.inputs.version }}
+      working-directory: dev/packer
+      run: |
+        packer build digitalocean.json

dev/packer/digitalocean.json

@@ -0,0 +1,78 @@
+{
+  "variables": {
+    "do_api_token": "{{env `DIGITALOCEAN_API_TOKEN`}}",
+    "image_name": "wikijs-snapshot-{{timestamp}}",
+    "apt_packages": "apt-transport-https ca-certificates curl jq linux-image-extra-virtual software-properties-common gnupg-agent openssl ",
+    "application_name": "Wiki.js",
+    "application_version": "{{env `WIKI_APP_VERSION`}}",
+    "docker_compose_version": "1.29.2"
+  },
+  "sensitive-variables": [
+    "do_api_token"
+  ],
+  "builders": [
+    {
+      "type": "digitalocean",
+      "api_token": "{{user `do_api_token`}}",
+      "image": "ubuntu-20-04-x64",
+      "region": "tor1",
+      "size": "s-1vcpu-1gb",
+      "ssh_username": "root",
+      "snapshot_name": "{{user `image_name`}}"
+    }
+  ],
+  "provisioners": [
+    {
+      "type": "shell",
+      "inline": [
+        "cloud-init status --wait"
+      ]
+    },
+    {
+      "type": "file",
+      "source": "scripts/001-onboot.sh",
+      "destination": "/var/lib/cloud/scripts/per-instance/001-onboot.sh"
+    },
+    {
+      "type": "file",
+      "source": "scripts/099-one-click",
+      "destination": "/etc/update-motd.d/099-one-click"
+    },
+    {
+      "type": "shell",
+      "environment_vars": [
+        "DEBIAN_FRONTEND=noninteractive",
+        "LC_ALL=C",
+        "LANG=en_US.UTF-8",
+        "LC_CTYPE=en_US.UTF-8"
+      ],
+      "inline": [
+        "apt -qqy update",
+        "apt -qqy -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' full-upgrade",
+        "apt -qqy -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' install {{user `apt_packages`}}",
+        "apt-get -qqy clean"
+      ]
+    },
+    {
+      "type": "shell",
+      "environment_vars": [
+        "application_name={{user `application_name`}}",
+        "application_version={{user `application_version`}}",
+        "docker_compose_version={{user `docker_compose_version`}}",
+        "DEBIAN_FRONTEND=noninteractive",
+        "LC_ALL=C",
+        "LANG=en_US.UTF-8",
+        "LC_CTYPE=en_US.UTF-8"
+      ],
+      "scripts": [
+        "common/scripts/010-docker.sh",
+        "common/scripts/011-docker-compose.sh",
+        "common/scripts/012-grub-opts.sh",
+        "common/scripts/013-docker-dns.sh",
+        "common/scripts/014-ufw-docker.sh",
+        "common/scripts/020-application-tag.sh",
+        "common/scripts/900-cleanup.sh"
+      ]
+    }
+  ]
+}

dev/packer/scripts/001-onboot.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Scripts in this directory will be executed by cloud-init on the first boot of droplets
+# created from your image.  Things ike generating passwords, configuration requiring IP address
+# or other items that will be unique to each instance should be done in scripts here.
+
+openssl rand -base64 32 > /etc/wiki/.db-secret
+
+if [[ -z $DATABASE_URL ]]; then
+  docker start db
+fi
+docker start wiki
+docker start wiki-update-companion
+# docker start nginx-proxy
+# docker start watchtower

dev/packer/scripts/010-docker.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
+sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
+apt -qqy update
+apt -qqy -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' install docker-ce docker-ce-cli containerd.io
+
+systemctl enable docker
+systemctl start docker
+
+mkdir -p /etc/wiki
+
+docker network create wikinet
+docker volume create pgdata
+docker create --name=db -e POSTGRES_DB=wiki -e POSTGRES_USER=wiki -e POSTGRES_PASSWORD_FILE=/etc/wiki/.db-secret -v /etc/wiki/.db-secret:/etc/wiki/.db-secret:ro -v pgdata:/var/lib/postgresql/data --restart=unless-stopped -h db --network=wikinet postgres:11
+docker create --name=wiki -e DB_TYPE=postgres -e DB_HOST=db -e DB_PORT=5432 -e DB_PASS_FILE=/etc/wiki/.db-secret -v /etc/wiki/.db-secret:/etc/wiki/.db-secret:ro -e DB_USER=wiki -e DB_NAME=wiki -e UPGRADE_COMPANION=1 --restart=unless-stopped -h wiki --network=wikinet -p 80:3000 -p 443:3443 ghcr.io/requarks/wiki:2
+docker create --name=wiki-update-companion -v /var/run/docker.sock:/var/run/docker.sock:ro --restart=unless-stopped -h wiki-update-companion --network=wikinet requarks/wiki-update-companion:latest
+# docker create --name=nginx-proxy -p 80:80 -p 443:443 -e DEFAULT_HOST=wiki.local --network=wikinet -v /var/run/docker.sock:/tmp/docker.sock:ro --restart=unless-stopped jwilder/nginx-proxy
+# docker create --name=watchtower --network=wikinet -v /var/run/docker.sock:/var/run/docker.sock --restart=unless-stopped containrrr/watchtower --cleanup --schedule="0 2 * * 6" wiki

dev/packer/scripts/011-docker-compose.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+sudo curl -L "https://github.com/docker/compose/releases/download/${docker_compose_version}/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose;
+chmod +x /usr/local/bin/docker-compose;

dev/packer/scripts/012-grub-opts.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+sed -e 's|GRUB_CMDLINE_LINUX="|GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1|g' \
+    -i /etc/default/grub
+
+update-grub

dev/packer/scripts/013-docker-dns.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+sed -e 's|#DOCKER_OPTS|DOCKER_OPTS|g' \
+    -i /etc/default/docker

dev/packer/scripts/014-ufw-docker.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+sudo ufw allow ssh
+sudo ufw allow http
+sudo ufw allow https
+
+sudo ufw --force enable
+
+cat /dev/null > /var/log/ufw.log

dev/packer/scripts/020-application-tag.sh

@@ -0,0 +1,25 @@
+#!/bin/sh
+
+################################
+## PART: Write the application tag
+##
+## vi: syntax=sh expandtab ts=4
+
+build_date=$(date +%Y-%m-%d)
+distro="$(lsb_release -s  -i)"
+distro_release="$(lsb_release -s  -r)"
+distro_codename="$(lsb_release -s -c)"
+distro_arch="$(uname -m)"
+
+mkdip -p /var/lib/digitalocean
+touch /var/lib/digitalocean/application.info
+
+cat >> /var/lib/digitalocean/application.info <<EOM
+application_name="${application_name}"
+build_date="${build_date}"
+distro="${distro}"
+distro_release="${distro_release}"
+distro_codename="${distro_codename}"
+distro_arch="${distro_arch}"
+application_version="${application_version}"
+EOM

dev/packer/scripts/099-one-click

@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+# Configured as part of the DigitalOcean 1-Click Image build process
+
+myip=$(hostname -I | awk '{print$1}')
+cat <<EOF
+********************************************************************************
+Welcome to DigitalOcean's 1-Click Docker Droplet.
+To keep this Droplet secure, the UFW firewall is enabled.
+All ports are BLOCKED except 22 (SSH), 80 (Docker) and 443 (Docker).
+* The Docker 1-Click Quickstart guide is available at:
+  https://docs.requarks.io/install/digitalocean
+* You can SSH to this Droplet in a terminal as root: ssh root@$myip
+* Docker is installed and configured per Docker's recommendations:
+  https://docs.docker.com/install/linux/docker-ce/ubuntu/
+* Docker Compose is installed and configured per Docker's recommendations:
+  https://docs.docker.com/compose/install/#install-compose
+For more information, visit https://docs.requarks.io/install/digitalocean
+********************************************************************************
+To delete this message of the day: rm -rf $(readlink -f ${0})
+EOF

dev/packer/scripts/900-cleanup.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+
+# Ensure /tmp exists and has the proper permissions before
+# checking for security updates
+# https://github.com/digitalocean/marketplace-partners/issues/94
+if [[ ! -d /tmp ]]; then
+  mkdir /tmp
+fi
+chmod 1777 /tmp
+
+apt-get -y update
+apt-get -y upgrade
+rm -rf /tmp/* /var/tmp/*
+history -c
+cat /dev/null > /root/.bash_history
+unset HISTFILE
+apt-get -y autoremove
+apt-get -y autoclean
+find /var/log -mtime -1 -type f -exec truncate -s 0 {} \;
+rm -rf /var/log/*.gz /var/log/*.[0-9] /var/log/*-????????
+rm -rf /var/lib/cloud/instances/*
+rm -f /root/.ssh/authorized_keys /etc/ssh/*key*
+touch /etc/ssh/revoked_keys
+chmod 600 /etc/ssh/revoked_keys
+
+# Securely erase the unused portion of the filesystem
+GREEN='\033[0;32m'
+NC='\033[0m'
+printf "\n${GREEN}Writing zeros to the remaining disk space to securely
+erase the unused portion of the file system.
+Depending on your disk size this may take several minutes.
+The secure erase will complete successfully when you see:${NC}
+    dd: writing to '/zerofile': No space left on device\n
+Beginning secure erase now\n"
+
+dd if=/dev/zero of=/zerofile &
+  PID=$!
+  while [ -d /proc/$PID ]
+    do
+      printf "."
+      sleep 5
+    done
+sync; rm /zerofile; sync
+cat /dev/null > /var/log/lastlog; cat /dev/null > /var/log/wtmp