AWS deploy cleanup

2025-07-19 16:25:31 -04:00 · 2019-03-15 11:04:18 -04:00
parent 96722b112b
commit dc6c627cb7
7 changed files with 53 additions and 122 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -15,13 +15,17 @@ before_script:
 build:
  stage: build
  script:
    # download and install Hugo
    - wget https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_${HUGO_VERSION}_Linux-64bit.tar.gz
    - echo "${HUGO_SHA}  hugo_${HUGO_VERSION}_Linux-64bit.tar.gz" | sha256sum -c
    - tar xf hugo_${HUGO_VERSION}_Linux-64bit.tar.gz && cp ./hugo /usr/bin
    # build site
    - rm -rf public
    - hugo
  artifacts:
    paths:
      # send built site to deploy stage
      - public
 deploy:
@@ -29,31 +33,28 @@ deploy:
  dependencies:
    - build
  script:
    # install awscli
    - pip install --quiet --no-cache-dir awscli==${AWSCLI_VERSION}
-    - aws configure set preview.cloudfront true
+    # upload all files
    - aws configure set preview.create-invalidation true
    - aws s3 sync ./public s3://$S3_BUCKET_NAME --delete --region us-east-1 --cache-control "max-age=86400, public" --metadata-directive "REPLACE"
-    # set certain content-types manually because S3 sucks at guessing
+    # set cache-control and certain content-types manually because S3 sucks at guessing
    - aws s3 cp s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME --exclude "*" --include "*.ico"   --content-type="image/x-icon"    --cache-control "max-age=604800, public"   --metadata-directive="REPLACE" --recursive
    - aws s3 cp s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME --exclude "*" --include "*.svg"   --content-type="image/svg+xml"   --cache-control "max-age=2628000, public"  --metadata-directive="REPLACE" --recursive
    - aws s3 cp s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME --exclude "*" --include "*.ttf"   --content-type="font/ttf"        --cache-control "max-age=2628000, public"  --metadata-directive="REPLACE" --recursive
    - aws s3 cp s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME --exclude "*" --include "*.otf"   --content-type="font/otf"        --cache-control "max-age=2628000, public"  --metadata-directive="REPLACE" --recursive
-    - aws s3 cp s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME --exclude "*" --include "*.eot"   --content-type="application/vnd.ms-fontobject"  --cache-control "max-age=2628000, public"  --metadata-directive="REPLACE" --recursive
+    - aws s3 cp s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME --exclude "*" --include "*.eot"   --content-type="application/vnd.ms-fontobject" --cache-control "max-age=2628000, public" --metadata-directive="REPLACE" --recursive
    - aws s3 cp s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME --exclude "*" --include "*.woff"  --content-type="font/woff"       --cache-control "max-age=2628000, public"  --metadata-directive="REPLACE" --recursive
    - aws s3 cp s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME --exclude "*" --include "*.woff2" --content-type="font/woff2"      --cache-control "max-age=2628000, public"  --metadata-directive="REPLACE" --recursive
    - aws s3 cp s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME --exclude "*" --include "*.xml"   --content-type="text/xml"        --cache-control "max-age=3600, public"     --metadata-directive="REPLACE" --recursive
    - aws s3 cp s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME --exclude "*" --include "*.mp4"   --content-type="video/mp4"       --cache-control "max-age=604800, public"   --metadata-directive="REPLACE" --recursive
    - aws s3 cp s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME --exclude "*" --include "*.webm"  --content-type="video/webm"      --cache-control "max-age=604800, public"   --metadata-directive="REPLACE" --recursive
-    - aws s3 cp s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME --exclude "*" --include "*.docx"  --content-type="application/vnd.openxmlformats-officedocument.wordprocessingml.document"  --cache-control "max-age=604800, public"  --metadata-directive="REPLACE" --recursive
+    - aws s3 cp s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME --exclude "*" --include "*.docx"  --content-type="application/vnd.openxmlformats-officedocument.wordprocessingml.document" --cache-control "max-age=604800, public" --metadata-directive="REPLACE" --recursive
    - aws s3 cp s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME --exclude "*" --include "*.pdf"   --content-type="application/pdf" --cache-control "max-age=604800, public"   --metadata-directive="REPLACE" --recursive
-    # a few caching improvements
+    # a few more caching improvements
    - aws s3 cp s3://$S3_BUCKET_NAME s3://$S3_BUCKET_NAME --exclude "*" --include "*.css" --include "*.js" --include "*.jpg" --include "*.png" --include "*.gif" --cache-control "max-age=604800, public" --metadata-directive="REPLACE" --recursive
-    - aws s3 cp s3://$S3_BUCKET_NAME/jarvis.asc s3://$S3_BUCKET_NAME/jarvis.asc --content-type="text/plain; charset=utf-8" --cache-control "max-age=0, no-cache, no-store" --content-disposition "inline; filename=\"jarvis.asc\"" --metadata-directive="REPLACE"
+    - aws s3 cp s3://$S3_BUCKET_NAME/jarvis.asc s3://$S3_BUCKET_NAME/jarvis.asc --content-type="text/plain; charset=utf-8" --cache-control "max-age=0, no-store, no-cache, must-revalidate" --content-disposition "inline; filename=\"jarvis.asc\"" --metadata-directive="REPLACE"
    # invalidate entire CloudFront cache
    - aws cloudfront create-invalidation --distribution-id $DISTRIBUTION_ID --paths "/*";
  only:
    - master
--- a/LICENSE.md
+++ b/LICENSE.md
--- a/README.md
+++ b/README.md
@@ -1,11 +1,12 @@
-# [jarv.is](https://jarv.is/)
+# [jarv.is](https://jarv.is/) 🐼
 [![pipeline status](https://git.jarv.is/jake/jarv.is/badges/master/pipeline.svg)](https://git.jarv.is/jake/jarv.is/commits/master)
 Personal website of [@jakejarvis](https://github.com/jakejarvis), created and deployed using the following:
 - [Hugo](https://github.com/gohugoio/hugo)
- [AWS S3/CloudFront/Lambda](https://aws.amazon.com/)
+- [Amazon S3](https://aws.amazon.com/)
 - [CloudFlare Workers](https://developers.cloudflare.com/workers/about/)
 - [GitLab CI](https://git.jarv.is/jake/jarv.is/pipelines)
 - [Matomo Analytics](https://matomo.org/)
--- a/config.toml
+++ b/config.toml
@@ -2,8 +2,6 @@ baseURL = "https://jarv.is/"
 languageCode = "en-us"
 title = "Jake Jarvis"
 disableHugoGeneratorInject = true
 disableKinds = ["taxonomy", "taxonomyTerm", "RSS"]
 [taxonomies]
--- a/lambda.js
+++ b/lambda.js
@@ -1,68 +0,0 @@
 'use strict';
 exports.handler = (event, context, callback) => {
    // Get contents of response
    const response = event.Records[0].cf.response;
    response.headers['Strict-Transport-Security'] = [{
      key: 'Strict-Transport-Security',
      value: "max-age=31536000; includeSubdomains"
    }];
    response.headers['X-Frame-Options'] = [{
      key: 'X-Frame-Options',
      value: "SAMEORIGIN"
    }];
    response.headers['X-Content-Type-Options'] = [{
      key: 'X-Content-Type-Options',
      value: "nosniff"
    }];
    response.headers['Referrer-Policy'] = [{
      key: 'Referrer-Policy',
      value: "same-origin"
    }];
    response.headers['X-XSS-Protection'] = [{
      key: 'X-XSS-Protection',
      value: "1; mode=block; report=https://jarvis.report-uri.com/r/d/xss/enforce"
    }];
 //    response.headers['Accept-Ranges'] = [{
 //      key: 'Accept-Ranges',
 //      value: "bytes"
 //    }];
    response.headers['Content-Security-Policy'] = [{
      key: 'Content-Security-Policy',
      value: "default-src 'none'; script-src 'self' stats.jarv.is 'sha256-TLAu2p9kt4LHt+sWwE0cvqq1Ok5LoGzRPrw7+mzhX00='; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; object-src 'self'; media-src 'self'; base-uri 'none'; form-action 'self'; frame-src 'self'; frame-ancestors 'self'; worker-src 'none'; connect-src 'self' jarvis.report-uri.com stats.jarv.is; upgrade-insecure-requests; report-uri https://jarvis.report-uri.com/r/d/csp/enforce; report-to default"
    }];
    response.headers['Report-To'] = [{
      key: 'Report-To',
      value: "{\"group\":\"default\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://jarvis.report-uri.com/a/d/g\"}]}"
    }];
    response.headers['NEL'] = [{
      key: 'NEL',
      value: "{\"report_to\":\"default\",\"max_age\":604800}"
    }];
    response.headers['X-DNS-Prefetch-Control'] = [{
      key: 'X-DNS-Prefetch-Control',
      value: "off"
    }];
    response.headers['X-UA-Compatible'] = [{
      key: 'X-UA-Compatible',
      value: "IE=edge"
    }];
    response.headers['Expect-CT'] = [{
      key: 'Expect-CT',
      value: "max-age=604800, enforce, report-uri=\"https://jarvis.report-uri.com/r/d/ct/enforce\""
    }];
    response.headers['X-Permitted-Cross-Domain-Policies'] = [{
      key: 'X-Permitted-Cross-Domain-Policies',
      value: "none"
    }];
    response.headers['Feature-Policy'] = [{
      key: 'Feature-Policy',
      value: "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; sync-xhr 'none'; payment 'none'; usb 'none'; vr 'none'"
    }];
    delete response.headers['Last-Modified'];
    delete response.headers['Expires'];
    // Return modified response
    callback(null, response);
 };
--- a/layouts/partials/header.html
+++ b/layouts/partials/header.html
@@ -3,7 +3,6 @@
 <html lang="en">
  <head>
    <meta charset="utf-8">
    {{ .Hugo.Generator }}
    <title>{{ .Title }}{{ if .IsHome }} &#x1f468;&#x200d;&#x1f4bb;{{ end }}</title>
    <meta name="description" content="{{ if .Description }}{{ .Description }}{{ else }}{{ .Site.Params.description }}{{ end }}">
    <meta name="viewport" content="width=device-width, initial-scale=1">
--- a/worker.js
+++ b/worker.js
@@ -1,52 +1,52 @@
-let securityHeaders = {
+let newHeaders = {
-	"Content-Security-Policy": "default-src 'none'; script-src 'self' stats.jarv.is 'sha256-QwZM+dNl2R1KcXo8ORmpT3mqAVwIBbEcJBmWYurBNv4='; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; object-src 'self'; media-src 'self'; base-uri 'none'; form-action 'self'; frame-src 'self'; frame-ancestors 'self'; worker-src 'none'; connect-src 'self' jarvis.report-uri.com stats.jarv.is; upgrade-insecure-requests; report-uri https://jarvis.report-uri.com/r/d/csp/enforce; report-to default",
+  "Content-Security-Policy": "default-src 'none'; script-src 'self' stats.jarv.is 'sha256-QwZM+dNl2R1KcXo8ORmpT3mqAVwIBbEcJBmWYurBNv4='; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; object-src 'self'; media-src 'self'; base-uri 'none'; form-action 'self'; frame-src 'self'; frame-ancestors 'self'; worker-src 'none'; connect-src 'self' jarvis.report-uri.com stats.jarv.is; upgrade-insecure-requests; report-uri https://jarvis.report-uri.com/r/d/csp/enforce; report-to default",
-	"Report-To": "{\"group\":\"default\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://jarvis.report-uri.com/a/d/g\"}]}",
+  "Report-To": "{\"group\":\"default\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://jarvis.report-uri.com/a/d/g\"}]}",
-	"NEL": "{\"report_to\":\"default\",\"max_age\":604800}",
+  "NEL": "{\"report_to\":\"default\",\"max_age\":604800}",
-//	"Strict-Transport-Security" : "max-age=1000",
+//  "Strict-Transport-Security" : "max-age=1000",
-	"X-Xss-Protection": "1; mode=block; report=https://jarvis.report-uri.com/r/d/xss/enforce",
+  "X-Xss-Protection": "1; mode=block; report=https://jarvis.report-uri.com/r/d/xss/enforce",
-	"X-Frame-Options": "SAMEORIGIN",
+  "X-Frame-Options": "SAMEORIGIN",
-	"X-Content-Type-Options": "nosniff",
+  "X-Content-Type-Options": "nosniff",
-	"Referrer-Policy": "same-origin",
+  "Referrer-Policy": "same-origin",
-	"X-DNS-Prefetch-Control": "off",
+  "X-DNS-Prefetch-Control": "off",
-	"X-UA-Compatible": "IE=edge",
+  "X-UA-Compatible": "IE=edge",
-	"X-Permitted-Cross-Domain-Policies": "none",
+  "X-Permitted-Cross-Domain-Policies": "none",
-	"Feature-Policy": "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; sync-xhr 'none'; payment 'none'; usb 'none'; vr 'none'"
+  "Feature-Policy": "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; sync-xhr 'none'; payment 'none'; usb 'none'; vr 'none'"
 }
 let removeHeaders = [
-	"Last-Modified",
+  "Last-Modified",
-	"Expires",
+  "Expires",
-	"Public-Key-Pins",
+  "Public-Key-Pins",
-	"X-Powered-By",
+  "X-Powered-By",
-	"x-amz-request-id",
+  "x-amz-request-id",
-	"x-amz-id-2",
+  "x-amz-id-2",
-	"x-amz-bucket",
+  "x-amz-bucket",
-	"x-amz-bucket-region",
+  "x-amz-bucket-region",
-	"x-amz-error-code",
+  "x-amz-error-code",
-	"x-amz-error-message",
+  "x-amz-error-message",
-	"x-amz-error-detail-key",
+  "x-amz-error-detail-key",
-	"x-amz-version-id"
+  "x-amz-version-id"
 ]
-addEventListener('fetch', event => {
+addEventListener("fetch", event => {
-	event.respondWith(addHeaders(event.request))
+  event.respondWith(addHeaders(event.request))
 })
 async function addHeaders(req) {
-	let response = await fetch(req)
+  let response = await fetch(req)
-	let newHeaders = new Headers(response.headers)
+  let responseHeaders = new Headers(response.headers)
-	Object.keys(securityHeaders).map(function(name, index) {
+  Object.keys(newHeaders).map(function(name, index) {
-		newHeaders.set(name, securityHeaders[name]);
+    responseHeaders.set(name, newHeaders[name])
  })
-	removeHeaders.forEach(function(name){
+  removeHeaders.forEach(function(name){
-		newHeaders.delete(name)
+    responseHeaders.delete(name)
-	})
+  })
-	return new Response(response.body , {
+  return new Response(response.body, {
-		status: response.status,
+    status: response.status,
-		statusText: response.statusText,
+    statusText: response.statusText,
-		headers: newHeaders
+    headers: responseHeaders
-	})
+  })
 }