# ═══════════════════════════════════════════════════════════════════════════
# CommandGraph DSL — Example: Full Nginx setup on a Debian host
# ═══════════════════════════════════════════════════════════════════════════
# File extension: .cg
#
# Usage:
# cgr plan nginx_setup.cg # show what would happen
# cgr apply nginx_setup.cg # execute it
# cgr apply nginx_setup.cg --dry-run
# cgr dot nginx_setup.cg # emit Graphviz DOT
#
# The mental model: start with a node, describe what you need on it.
# Dependencies are explicit — if B needs A, say so. The engine figures
# out the execution order.
# ═══════════════════════════════════════════════════════════════════════════
# ─── Variables ──────────────────────────────────────────────────────────
# Referenced in commands and strings as ${var_name}
# NOTE(review): the values below end up inside shell command text in the
# check/run lines; presumably the engine substitutes them textually without
# shell quoting — confirm, and keep them to literals you control.
# SSH login account for web-1; the resources marked "as root" run with
# elevated privileges, so this account needs a way to become root.
var app_user = "deploy"
# TCP port opened in the firewall and probed by the final verify step.
var nginx_port = "80"
# Directory created by create_docroot and written to by deploy_index.
var doc_root = "/var/www/html"
# Value written into /etc/nginx/nginx.conf by configure_workers (sed replacement).
var worker_conns = "1024"
# Not referenced by any resource in this file.
var site_name = "default"
# ─── The target machine ────────────────────────────────────────────────
# Everything inside this block runs on web-1 via SSH.
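node "web-1" {
  # Connects as ${app_user}; every step marked "as root" needs privilege
  # escalation on the host. NOTE(review): the escalation mechanism is not
  # visible in this file — confirm the account is limited to what it needs.
  via ssh host="10.0.1.5" user="${app_user}" port=22

  # ── Package management ──────────────────────────────────────────────
  # A group shares properties across its children (here: as root).
  # update_apt_cache is skipped when any entry under /var/lib/apt/lists was
  # modified within the last 60 minutes. install_curl overrides the group's
  # on_fail with "warn", so a failed curl install does not stop the run.
  group packages as root on_fail stop {
    resource update_apt_cache {
      description "Refresh the APT package index"
      check `find /var/lib/apt/lists -maxdepth 1 -mmin -60 | grep -q .`
      run `apt-get update -y`
      timeout 120
      retry 2 delay 10
    }
    resource install_nginx {
      description "Install the Nginx package"
      needs update_apt_cache
      check `dpkg -l nginx 2>/dev/null | grep -q '^ii'`
      run `apt-get install -y nginx`
      timeout 180
      retry 1 delay 5
    }
    resource install_curl {
      description "Install curl for smoke-testing"
      needs update_apt_cache
      check `command -v curl >/dev/null 2>&1`
      run `apt-get install -y curl`
      timeout 60
      on_fail warn
    }
  }

  # ── Firewall ────────────────────────────────────────────────────────
  # The rule admits ${nginx_port}/tcp from any source address. The check is
  # anchored at line start so that, for port 80, an existing "8080/tcp ALLOW"
  # rule is not mistaken for the rule this resource manages.
  resource open_firewall {
    description "Allow HTTP on port ${nginx_port}"
    check `ufw status | grep -q '^${nginx_port}/tcp.*ALLOW'`
    run `ufw allow ${nginx_port}/tcp`
    as root
    on_fail warn
  }

  # ── Configuration ───────────────────────────────────────────────────
  resource create_docroot {
    description "Ensure document root exists"
    needs install_nginx
    check `test -d ${doc_root}`
    run `mkdir -p ${doc_root}`
    as root
  }
  # The check only tests that index.html exists, so an existing page is
  # never overwritten by this resource.
  resource deploy_index {
    description "Drop a basic index.html"
    needs create_docroot
    check `test -f ${doc_root}/index.html`
    run `echo '<h1>CommandGraph says hello</h1>' > ${doc_root}/index.html`
    as root
  }
  # The check includes the trailing ';' that the sed replacement writes, so a
  # configured value that merely starts with ${worker_conns} (10240 vs 1024)
  # no longer counts as already applied.
  resource configure_workers {
    description "Set worker_connections to ${worker_conns}"
    needs install_nginx
    check `grep -q 'worker_connections ${worker_conns};' /etc/nginx/nginx.conf`
    run `sed -i 's/worker_connections .*/worker_connections ${worker_conns};/' /etc/nginx/nginx.conf`
    as root
  }
  # check `false` never succeeds, so nginx -t runs on every apply.
  resource validate_config {
    description "Run nginx -t"
    needs configure_workers, deploy_index
    check `false`
    run `nginx -t`
    as root
    on_fail stop
  }

  # ── Service ─────────────────────────────────────────────────────────
  # grep -x requires the whole line to be "enabled"; a state such as
  # "enabled-runtime" therefore still triggers systemctl enable.
  resource enable_nginx {
    description "Enable Nginx on boot"
    needs install_nginx
    check `systemctl is-enabled nginx 2>/dev/null | grep -qx enabled`
    run `systemctl enable nginx`
    as root
  }
  # is-active --quiet reports the state through the exit status. The earlier
  # `grep -q active` also matched the word "inactive", which marked a stopped
  # service as running and skipped the start.
  # NOTE(review): when nginx is already active this check succeeds and the
  # reload is skipped, so a change made by configure_workers is not loaded
  # until the next restart — confirm whether that is intended.
  resource start_nginx {
    description "Start or reload Nginx"
    needs validate_config, enable_nginx, open_firewall
    check `systemctl is-active --quiet nginx`
    run `systemctl reload-or-restart nginx`
    as root
    on_fail stop
  }

  # ── Verification ────────────────────────────────────────────────────
  # verify is a special resource: always runs (no check), terminal node.
  # The probe is plain HTTP against localhost, so it exercises nginx on the
  # host itself and not the firewall rule; grep -x accepts exactly "200".
  verify "HTTP 200 on localhost:${nginx_port}" {
    needs start_nginx, install_curl
    run `curl -sf -o /dev/null -w '%{http_code}' http://localhost:${nginx_port}/ | grep -qx 200`
    retry 3 delay 2
    on_fail warn
  }
}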