ENSL · dependabot · Dec 8, 2019 · Mar 15, 2020 · May 10, 2020 · May 10, 2020
diff --git a/.env.development b/.env.development
@@ -0,0 +1,26 @@
+RACK_ENV=development
+RAILS_ENV=development
+APP_SECRET=fe837ea72667ec3d8ecb94cfba1a1bba
+
+DEPLOY_PATH=/var/www
+
+PUMA_WORKERS=1
+PUMA_MIN_THREADS=1
+PUMA_MAX_THREADS=16
+PUMA_PORT=4000
+PUMA_TIMEOUT=30
+
+MYSQL_HOST=db
+MYSQL_DATABASE=ensl
+MYSQL_USERNAME=ensl
+MYSQL_PASSWORD=ensl
+MYSQL_ROOT_PASSWORD=ensl
+MYSQL_CONNECTION_POOL=8
+
+NEW_RELIC_APP_NAME=ENSL
+NEW_RELIC_LICENSE_KEY=
+
+EXCEPTIONAL_API_KEY=
+
+GOOGLE_API_KEY=
+GOOGLE_CALENDAR_ID=
diff --git a/.env.production b/.env.production
@@ -0,0 +1,27 @@
+# This file is actually loaded by Dotenv when RAILS_ENV=development
+
+RACK_ENV=production
+RAILS_ENV=production
+
+ASSETS_PRECOMPILE=1
+
+SCRYPT_MAX_TIME=0.001
+
+# FIXME Disable workers + cluster mode for now. They break start up.
+PUMA_WORKERS=8
+PUMA_MIN_THREADS=1
+PUMA_MAX_THREADS=1
+PUMA_TIMEOUT=30
+
+PRODUCTION_PUMA_PORT=4000
+PRODUCTION_ROOT_DOMAIN=ensl.org
+PRODUCTION_DOMAIN=www.ensl.org
+PRODUCTION_PORT=80
+PRODUCTION_PORT_SSL=443
+
+MYSQL_DATABASE=ensl
+MYSQL_CONNECTION_POOL=48
+
+APP_DOMAIN=ensl.org
+
+GOOGLE_CALENDAR=enabled
diff --git a/.env.test b/.env.test
@@ -0,0 +1,26 @@
+RACK_ENV=test
+RAILS_ENV=test
+APP_SECRET=fe837ea72667ec3d8ecb94cfba1a1bba
+
+DEPLOY_PATH=/var/www
+
+PUMA_WORKERS=1
+PUMA_MIN_THREADS=1
+PUMA_MAX_THREADS=16
+PUMA_PORT=4000
+PUMA_TIMEOUT=30
+
+MYSQL_HOST=db
+MYSQL_DATABASE=ensl_test
+MYSQL_USERNAME=ensl
+MYSQL_PASSWORD=ensl
+MYSQL_ROOT_PASSWORD=ensl
+MYSQL_CONNECTION_POOL=8
+
+NEW_RELIC_APP_NAME=ENSL
+NEW_RELIC_LICENSE_KEY=
+
+EXCEPTIONAL_API_KEY=
+
+GOOGLE_API_KEY=
+GOOGLE_CALENDAR_ID=
diff --git a/.gitignore b/.gitignore
@@ -7,12 +7,16 @@
 .ruby-version
 .ruby-gemset
 .env
+.env*.local
 .tmp*
 .rspec
 .sass-cache
 *.sassc
 *.rbc
 *.sassc
+db/data
+ext/ssl
+.htpass*
 
 # Database and files
 db_data/*

diff --git a/Gemfile b/Gemfile
@@ -7,7 +7,7 @@ gem 'dotenv-rails', '~> 0.10.0'
 gem 'rails', '~> 3.2.22'
 gem 'mysql2', '~> 0.3.17'
 gem 'dalli', '~> 2.7.0'
-gem 'puma', '~> 2.11.1'
+gem 'puma', '~> 4.3.12'
 
 gem 'i18n-js'
 gem 'exceptional', '~> 2.0.33'

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,6 +1,6 @@
 GIT
-  remote: git://github.com/koraktor/steam-condenser-ruby.git
-  revision: 5795d15152995cc6bada5265fa379cfc57103618
+  remote: https://github.com/koraktor/steam-condenser-ruby.git
+  revision: 2cb441f0518a0b8d20a017dfcc42783ae878311a
   specs:
     steam-condenser (1.3.11)
       multi_json (~> 1.6)
@@ -188,6 +188,7 @@ GEM
       net-ssh (>= 2.6.5)
     net-ssh (4.2.0)
     newrelic_rpm (3.13.0.299)
+    nio4r (2.3.1)
     nokogiri (1.9.1)
       mini_portile2 (~> 2.4.0)
     oj (2.5.5)
@@ -206,8 +207,8 @@ GEM
       byebug (~> 2.7)
       pry (~> 0.10)
     public_suffix (3.0.1)
-    puma (2.11.3)
-      rack (>= 1.1, < 2.0)
+    puma (4.3.12)
+      nio4r (~> 2.0)
     quiet_assets (1.0.3)
       railties (>= 3.1, < 5.0)
     rack (1.4.7)
@@ -356,7 +357,7 @@ DEPENDENCIES
   oj (~> 2.5.5)
   poltergeist (~> 1.6.0)
   pry-byebug (~> 1.3.2)
-  puma (~> 2.11.1)
+  puma (~> 4.3.12)
   quiet_assets (~> 1.0.2)
   rails (~> 3.2.22)
   rails_autolink (~> 1.1.5)

diff --git a/app/models/gather.rb b/app/models/gather.rb
@@ -157,8 +157,8 @@ def check_captains
   def refresh cuser
     if status == STATE_RUNNING
       gatherers.idle.destroy_all
-    elsif status == STATE_VOTING and updated_at < 60.seconds.ago and updated_at > 5.days.ago
-      if status == STATE_VOTING and updated_at < 60.seconds.ago
+    elsif status == STATE_VOTING and updated_at < 80.seconds.ago and updated_at > 5.days.ago
+      if status == STATE_VOTING and updated_at < 80.seconds.ago
         self.status = STATE_PICKING
         save!
       end

diff --git a/app/views/about/staff.html.erb b/app/views/about/staff.html.erb
@@ -56,7 +56,7 @@
       </table>
     </div>
     <div class="tab" id="contributors">
-      <h3>Admins</h3>
+      <h3>Contributors</h3>
       <table class="striped staff">
         <tr>
           <th></th>

diff --git a/app/views/gathers/show.html.erb b/app/views/gathers/show.html.erb
@@ -34,11 +34,11 @@
       success: function(response, text, request) {
         if (request.getResponseHeader('Gather') == 'voting') {
           if (!played) {
-            var startTime = 110;
+            var startTime = 0;
             $("#jplayer").jPlayer({
               ready: function() {
                 $(this).jPlayer("setMedia", {
-                  mp3: "https://www.ensl.org/sounds/gather-1.mp3"
+                  mp3: "https://www.ensl.org/sounds/gather-6.mp3"
                 }).jPlayer("play", startTime);
 
                 var click = document.ontouchstart === undefined ? 'click' : 'touchstart';
@@ -50,7 +50,7 @@
                 document.documentElement.addEventListener(click, kickoff, true);
               },
               loop: false,
-              volume: 0.45,
+              volume: 0.4,
               swfPath: "/flash"
             });
 

diff --git a/config/environments/production.rb b/config/environments/production.rb
@@ -28,7 +28,7 @@
   # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx
 
   # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
-  # config.force_ssl = true
+  config.force_ssl = false
 
   # See everything in the log (default is :info)
   config.log_level = :error

diff --git a/db/schema.rb b/db/schema.rb
@@ -607,7 +607,7 @@
   add_index "predictions", ["match_id"], :name => "index_predictions_on_match_id"
   add_index "predictions", ["user_id"], :name => "index_predictions_on_user_id"
 
-  create_table "profiles", :force => true do |t|
+  create_table "profiles", :options => 'ENGINE=MyISAM', :force => true do |t|
     t.integer  "user_id"
     t.string   "msn"
     t.string   "icq"

diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
@@ -2,6 +2,10 @@ version: "3"
 
 services:
   web:
+    # Debug
+    stdin_open: true
+    command: /bin/bash 
+    tty: true 
     build:
       context: ./
       dockerfile: Dockerfile.dev
@@ -17,7 +21,7 @@ services:
   #    - redis
   db:
     # Debug
-    #    command: bash 
+    #command: bash 
     #tty: true
     command: mysqld_safe --skip-grant-tables
     image: mariadb:latest

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -14,8 +14,8 @@ services:
      - smtp
   #    - redis
   db:
-    image: mariadb:latest
-    command: mysqld
+    image: mariadb:10.4.8
+    command: mysqld --skip-grant-tables
     volumes:
      - "./db_data:/var/lib/mysql"
      - "./ext/mysql.conf.d:/etc/mysql/conf.d"
@@ -38,3 +38,8 @@ services:
       - OPENDKIM_DOMAINS=ensl.org
   #redis:
   #  image: redis
+
+networks:
+  default:
+    external:
+      name: catpack_docker
diff --git a/ext/mysql.conf.d/opt.cnf b/ext/mysql.conf.d/opt.cnf
@@ -29,3 +29,6 @@ innodb_flush_method             = O_DIRECT
 #innodb_additional_mem_pool_size = 20M
 innodb_file_per_table           = 1
 transaction-isolation           = READ-COMMITTED
+
+innodb_file_per_table=1
+innodb_file_format = Barracuda
diff --git a/ext/nginx.conf.d/01_production.conf.template b/ext/nginx.conf.d/01_production.conf.template
@@ -0,0 +1,90 @@
+# PRODUCTION nginx conf
+# The point of this config file is to have near-identical setup in PRODUCTION.
+# Use it in production or copy it over
+
+upstream ensl_production {
+  server web:$PRODUCTION_PUMA_PORT;
+  # server unix:/var/tmp/puma.$RAILS_ENV.sock fail_timeout=0;
+}
+
+# root-level -> www redirect
+server {
+  listen *:$PRODUCTION_PORT;
+  listen *:$PRODUCTION_PORT_SSL ssl;
+
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_certificate /etc/letsencrypt/live/ensl.org/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/ensl.org/privkey.pem;
+
+  server_name $PRODUCTION_ROOT_DOMAIN;
+  root $PRODUCTION_NGINX_PUBLIC;
+  return 301 https://$PRODUCTION_DOMAIN$request_uri;
+}
+
+# HTTP -> HTTPS redirect
+#server {
+#  listen *:$PRODUCTION_PORT;
+#  server_name $PRODUCTION_DOMAIN;
+#  return 301 https://$PRODUCTION_DOMAIN$request_uri;
+#}
+
+server {
+  listen *:$PRODUCTION_PORT default_server;
+  listen *:$PRODUCTION_PORT_SSL ssl default_server;
+
+  # Redirect to HTTPS
+  error_page 497 https://$host:$server_port$request_uri;
+
+  server_name $PRODUCTION_DOMAIN;
+  root $PRODUCTION_NGINX_PUBLIC;
+  index index.html index.htm index.php;
+
+  ssl_certificate /etc/letsencrypt/live/ensl.org-0001/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/ensl.org-0001/privkey.pem;
+
+  # ssl-cert /etc/ssl/certs/ssl-cert-snakeoil.pem
+  # ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key
+
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  # ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
+  # ssl_session_timeout 1d;
+  # ssl_session_cache shared:SSL:50m;
+  # ssl_stapling on;
+  # ssl_stapling_verify on;
+  add_header Strict-Transport-Security max-age=0;
+
+  # Fixme: add logs as volume
+  access_log /var/log/nginx/ensl.production.access.log;
+  error_log /var/log/nginx/ensl.production.error.log;
+
+  rewrite_log on;
+  client_max_body_size 20M;
+  keepalive_timeout 10;
+
+  location ~ /.well-known {
+    allow all;
+    autoindex on;
+  }
+
+  # FIXME: use env. var
+  location ^~ /assets/ {
+    gzip_static on;
+    expires 1m;
+    add_header Cache-Control public;
+  }
+
+  # FIXME: use env. var
+  location /files/ {
+    # try_files $uri $uri/ @puma;
+    # alias root $APP_PATH_PUBLIC/files/;
+    alias /srv/ensl_files/;
+    autoindex on;
+  }
+  location @puma {
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host $http_host;
+    proxy_pass http://ensl_production;
+  }
+
+  try_files $uri/index.html $uri @puma;
+}
diff --git a/ext/nginx.conf.d/02_gathers.conf.template b/ext/nginx.conf.d/02_gathers.conf.template
@@ -0,0 +1,48 @@
+upstream gathers {
+  #  server unix:/srv/ensl/puma.production.sock fail_timeout=0;
+  server ensl_gather_production:6500;
+}
+
+server {
+  listen *:443 ssl;
+  server_name gathers.ensl.org;
+  root /srv/ensl/gathers/public;
+  index index.html index.htm index.php;
+
+  # Redirect to HTTPS
+  error_page 497 https://$host:$server_port$request_uri;
+
+  ssl_certificate /etc/letsencrypt/live/ensl.org-0001/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/ensl.org-0001/privkey.pem;
+  # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  # ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
+  # ssl_session_timeout 1d;
+  # ssl_session_cache shared:SSL:50m;
+  # ssl_stapling on;
+  # ssl_stapling_verify on;
+  add_header Strict-Transport-Security max-age=0;
+
+  access_log /var/log/nginx/ensl.gathers.access.log;
+  error_log /var/log/nginx/ensl.gathers.error.log;
+
+  rewrite_log on;
+  client_max_body_size 20M;
+  keepalive_timeout 10;
+
+  location ~ /.well-known {
+    allow all;
+    autoindex on;
+  }
+  location ^~ /assets/ {
+    gzip_static on;
+    expires max;
+    add_header Cache-Control public;
+  }
+  location @gathers {
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host $http_host;
+    proxy_pass http://gathers;
+  }
+
+  try_files $uri/index.html $uri @gathers;
+}