apps/quiz
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
74c17455596b72abe9af8546280aa601e68699fc
quiz/deploy/bootstrap.sh
ameer 74c1745559 feat(roster): gate joins on registered student-ID list 
Adds an optional roster.json (set of allowed student IDs) loaded at
startup. add_participant() raises StudentIdNotInRoster when the gate is
on and the supplied id is not present; route returns 403 with a clear
message and logs a roster_reject audit event. Names are NOT checked
against the roster: the join form asks for a current name as a soft
deterrent, but the only hard check is the id.

Includes a deploy/build_roster.py helper that turns class_register
attendance.xlsx into roster.json. Bootstrap env file now exports
QUIZ_ROSTER_PATH; missing file disables the gate (legacy behaviour).

Also drops the user-facing "The cookie is per-device." line from the
join card — students don't need to know the implementation; replaced
with "Enter your registered student ID and your current full name."
2026-05-05 22:02:03 +08:00

153 lines
5.3 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# Live in-lecture quiz portal — VPS bootstrap.
# Idempotent: safe to re-run on a partially-bootstrapped host.
# Designed for: fresh Ubuntu 24.04 LTS, run as root.
#
# Usage (one-shot, on the VPS):
# curl -fsSL https://gitea.ahkhan.me/apps/quiz/raw/branch/master/deploy/bootstrap.sh | bash
#
# Override via env:
# DOMAIN=quiz.example.org curl ... | bash
# REPO_URL=https://... curl ... | bash
set -euo pipefail
REPO_URL="${REPO_URL:-https://gitea.ahkhan.me/apps/quiz.git}"
APP_DIR="${APP_DIR:-/opt/quiz}"
APP_USER="${APP_USER:-quiz}"
DOMAIN="${DOMAIN:-quiz.ahkhan.me}"
BRANCH="${BRANCH:-master}"
if [ "$(id -u)" != "0" ]; then
echo "bootstrap.sh must run as root" >&2
exit 1
fi
stage() { printf '\n==> Stage %s\n' "$*"; }
stage "1/10: provision 2GB swap (skip if /swapfile already present)"
# 1GB-RAM ECS instances OOM-kill uvicorn during ws-burst peaks (50+
# simultaneous WS handshakes during class start). 2GB swap absorbs
# transient pressure without touching steady-state behavior.
if [ ! -f /swapfile ]; then
fallocate -l 2G /swapfile
chmod 600 /swapfile
mkswap /swapfile >/dev/null
swapon /swapfile
grep -q '^/swapfile ' /etc/fstab || echo '/swapfile none swap sw 0 0' >> /etc/fstab
fi
# vm.swappiness=10 keeps active pages in RAM, only swap under real pressure.
echo 'vm.swappiness=10' > /etc/sysctl.d/99-quiz.conf
sysctl -p /etc/sysctl.d/99-quiz.conf >/dev/null
stage "2/10: apt update + base packages"
apt-get update -q
DEBIAN_FRONTEND=noninteractive apt-get install -y -q \
git curl ca-certificates gnupg \
python3 python3-venv python3-pip \
debian-keyring debian-archive-keyring apt-transport-https
stage "3/10: install Caddy (skip if present)"
if ! command -v caddy >/dev/null 2>&1; then
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' \
| gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' \
| tee /etc/apt/sources.list.d/caddy-stable.list >/dev/null
apt-get update -q
apt-get install -y -q caddy
fi
stage "4/10: create $APP_USER system user (skip if present)"
if ! id "$APP_USER" >/dev/null 2>&1; then
useradd --system --shell /usr/sbin/nologin --home-dir "$APP_DIR" "$APP_USER"
fi
stage "5/10: clone or update repo into $APP_DIR"
# safe.directory mark for the root-run git ops: on a re-bootstrap the
# repo is owned by $APP_USER (set on the previous run), and modern git
# refuses cross-user operations without this marker.
git config --global --add safe.directory "$APP_DIR" 2>/dev/null || true
if [ -d "$APP_DIR/.git" ]; then
git -C "$APP_DIR" fetch origin
git -C "$APP_DIR" reset --hard "origin/$BRANCH"
else
rm -rf "$APP_DIR"
git clone --branch "$BRANCH" "$REPO_URL" "$APP_DIR"
fi
chown -R "$APP_USER":"$APP_USER" "$APP_DIR"
stage "6/10: build venv + install dependencies"
sudo -u "$APP_USER" -H python3 -m venv "$APP_DIR/.venv"
sudo -u "$APP_USER" -H "$APP_DIR/.venv/bin/pip" install --quiet --upgrade pip
sudo -u "$APP_USER" -H "$APP_DIR/.venv/bin/pip" install --quiet -e "$APP_DIR"
stage "7/10: configure environment (.env)"
ENV_FILE="$APP_DIR/.env"
if [ ! -f "$ENV_FILE" ]; then
if [ -f /root/.quiz.env ]; then
echo "Using /root/.quiz.env"
cp /root/.quiz.env "$ENV_FILE"
else
# Need to prompt for the admin password; reattach TTY if curl|bash
# left stdin pointed at the pipe.
if [ ! -t 0 ] && [ -r /dev/tty ]; then
exec < /dev/tty
fi
if [ ! -t 0 ]; then
echo "ERROR: stdin is not a TTY and /root/.quiz.env is missing." >&2
echo "Either pre-populate /root/.quiz.env or run this script interactively." >&2
exit 1
fi
QUIZ_SECRET_KEY=$(python3 -c 'import secrets; print(secrets.token_urlsafe(48))')
printf 'Admin password (input hidden): '
read -rs QUIZ_ADMIN_PASSWORD
echo
cat > "$ENV_FILE" <<EOF
QUIZ_DB_PATH=$APP_DIR/quiz.db
QUIZ_POOL_PATH=$APP_DIR/pool.json
QUIZ_ROSTER_PATH=$APP_DIR/roster.json
QUIZ_SECRET_KEY=$QUIZ_SECRET_KEY
QUIZ_ADMIN_PASSWORD=$QUIZ_ADMIN_PASSWORD
QUIZ_HOST=127.0.0.1
QUIZ_PORT=8001
QUIZ_PUBLIC_URL=https://$DOMAIN
QUIZ_LOG_LEVEL=INFO
EOF
fi
chown "$APP_USER":"$APP_USER" "$ENV_FILE"
chmod 600 "$ENV_FILE"
fi
stage "8/10: seed pool.json (if not already present)"
POOL_FILE="$APP_DIR/pool.json"
if [ ! -f "$POOL_FILE" ]; then
SEED_POOL="$APP_DIR/examples/demo10_pool.json"
[ -f "$SEED_POOL" ] || SEED_POOL="$APP_DIR/examples/pool_example.json"
cp "$SEED_POOL" "$POOL_FILE"
chown "$APP_USER":"$APP_USER" "$POOL_FILE"
echo "Seeded $POOL_FILE from $(basename "$SEED_POOL"). Replace with your real pool when ready."
fi
stage "9/10: install systemd unit"
install -m 644 "$APP_DIR/deploy/quiz.service" /etc/systemd/system/quiz.service
systemctl daemon-reload
systemctl enable quiz.service
systemctl restart quiz.service
stage "10/10: configure Caddy"
sed "s/__DOMAIN__/$DOMAIN/g" "$APP_DIR/deploy/Caddyfile.tpl" > /etc/caddy/Caddyfile
systemctl reload caddy
echo
echo "==> Health check"
sleep 2
if curl -fs http://127.0.0.1:8001/healthz; then
echo
echo
echo "Bootstrap complete. Public URL: https://$DOMAIN"
else
echo
echo "Health check failed. Inspect: journalctl -u quiz.service -n 50"
exit 1
fi
Reference in New Issue View Git Blame Copy Permalink