[wip] Prepare to publish "release" channel

docker/docker-compose.yml

@@ -11,6 +11,7 @@ services:
       - /mnt/volume/log:/mnt/store/log
       - /mnt/volume/log-stable:/mnt/store/log-stable
       - /mnt/volume/log-snapshot:/mnt/store/log-snapshot
+      - /mnt/volume/log-release:/mnt/store/log-release
     ports:
       - "80:80"
       - "443:443"
@@ -34,6 +35,7 @@ services:
       - /mnt/volume/log:/mnt/store/log:ro
       - /mnt/volume/log-stable:/mnt/store/log-stable:ro
       - /mnt/volume/log-snapshot:/mnt/store/log-snapshot:ro
+      - /mnt/volume/log-release:/mnt/store/log-release:ro
   syncer:
     build: ./syncer
     image: melpa/syncer:v2
@@ -50,3 +52,4 @@ services:
       - /mnt/volume/melpa/packages:/packages:ro
       - /mnt/volume/melpa/packages-stable:/packages-stable:ro
       - /mnt/volume/melpa/packages-snapshot:/packages-snapshot:ro
+      - /mnt/volume/melpa/packages-release:/packages-release:ro

docker/logprocessor/run.sh

@@ -13,5 +13,8 @@ THIS_DIR=$(dirname "$0")
 # Snapshot
 "$THIS_DIR/buildstats" /mnt/store/log-snapshot /mnt/db/parquet-snapshot html-snapshot/download_counts.json
 
+# Release
+"$THIS_DIR/buildstats" /mnt/store/log-release /mnt/db/parquet-release html-release/download_counts.json
+
 echo "Sleeping"
 sleep 1800

docker/nginx/default.conf

@@ -221,3 +221,62 @@ server {
 		add_header Cache-Control no-cache;
 	}
 }
+
+server {
+	listen  80;
+
+	server_name release.melpa.org release-test.melpa.org;
+
+	location /.well-known/acme-challenge/ {
+		default_type "text/plain";
+		root /tmp/letsencrypt-auto;
+	}
+
+	location / {
+		 return 301 https://$host$request_uri;
+	}
+}
+
+server {
+	listen	443 ssl;
+
+        server_name release.melpa.org release-test.melpa.org;
+
+	root /mnt/store/melpa/html-release;
+
+	access_log  /mnt/store/log-release/melpa.access.log combined;
+	error_log  /mnt/store/log-release/melpa.error.log info;
+
+        ssl_certificate /etc/letsencrypt/live/melpa.org/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/melpa.org/privkey.pem;
+
+	# Lock down ciphers / SSL versions to attain a good security rating
+	# https://www.ssllabs.com/ssltest/analyze.html?d=melpa.org
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+	ssl_prefer_server_ciphers on;
+	ssl_dhparam /etc/letsencrypt/ssl/dhparam.pem;
+	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+	ssl_session_timeout 1d;
+	ssl_session_cache shared:SSL:50m;
+	ssl_stapling on;
+	ssl_stapling_verify on;
+	add_header Strict-Transport-Security max-age=15768000;
+
+	error_page   500 502 503 504  /50x.html;
+	location = /50x.html {
+		root   /usr/share/nginx/html;
+	}
+	location = /packages/archive-contents {
+		default_type text/plain;
+		#  Hook in to the IP restrictive zone. Allow a buffer of 10
+		#  requests which effectively allows clients to purst requests
+		#  but not continually.
+		limit_req zone=ip burst=10 nodelay;
+	}
+	location ~ ^/packages/.*\.el {
+		default_type text/plain;
+	}
+	location ~ ^/packages/.*\.svg {
+		add_header Cache-Control no-cache;
+	}
+}

docker/nginx/logrotate

@@ -57,3 +57,23 @@
 		[ ! -f /var/run/nginx.pid ] || kill -USR1 `cat /var/run/nginx.pid`
 	endscript
 }
+
+/mnt/store/log-release/melpa*.log {
+	daily
+	create 0640 root root
+	compress
+	dateext
+	missingok
+	missingok
+	notifempty
+	rotate 36500
+	sharedscripts
+	prerotate
+		if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
+			run-parts /etc/logrotate.d/httpd-prerotate; \
+		fi; \
+	endscript
+	postrotate
+		[ ! -f /var/run/nginx.pid ] || kill -USR1 `cat /var/run/nginx.pid`
+	endscript
+}

docker/nginx/run.sh

@@ -44,9 +44,11 @@ while true; do
         -d melpa.org \
         -d stable.melpa.org \
         -d snapshot.melpa.org \
+        -d release.melpa.org \
         -d test.melpa.org \
         -d stable-test.melpa.org \
         -d snapshot-test.melpa.org \
+        -d release-test.melpa.org \
         -d www.melpa.org
 
     echo "restarting nginx..."

docker/rsyncd/rsyncd.conf

@@ -22,3 +22,10 @@ path = /packages-snapshot
 read only = yes
 list = yes
 exclude = index.html *.svg *.entry
+
+[packages-release]
+comment = MELPA Release packages
+path = /packages-release
+read only = yes
+list = yes
+exclude = index.html *.svg *.entry

docker/syncer/run.sh

@@ -6,6 +6,7 @@ cd "${MELPA_REPO}"
 MELPA_CHANNEL=unstable make archive-contents json html
 MELPA_CHANNEL=stable   make archive-contents json html
 MELPA_CHANNEL=snapshot make archive-contents json html
+MELPA_CHANNEL=release  make archive-contents json html
 
 # Sync every 5 minutes.
 sleep 5m

html-release/Makefile

@@ -0,0 +1 @@
+../html/Makefile

html-release/build-status.json

@@ -0,0 +1 @@
+../html/build-status.json

html-release/css

@@ -0,0 +1 @@
+../html/css

html-release/donate.png

@@ -0,0 +1 @@
+../html/donate.png

html-release/favicon.ico

@@ -0,0 +1 @@
+../html/favicon.ico

html-release/index.html

@@ -0,0 +1 @@
+../html/index.html

html-release/js

@@ -0,0 +1 @@
+../html/js

html-release/jslicense.html

@@ -0,0 +1 @@
+../html/jslicense.html

html-release/packages

@@ -0,0 +1 @@
+../packages-release

html-release/partials

@@ -0,0 +1 @@
+../html/partials/

html-release/robots.txt

@@ -0,0 +1 @@
+../html/robots.txt

html-release/updates.rss.erb

@@ -0,0 +1 @@
+../html/updates.rss.erb