ScholarNexus-ec2onrails 0.9.10

data/server/files/etc/mysql/my.cnf

@@ -0,0 +1,152 @@
+#
+# The MySQL database server configuration file.
+#
+# You can copy this to one of:
+# - "/etc/mysql/my.cnf" to set global options,
+# - "~/.my.cnf" to set user-specific options.
+# 
+# One can use all long options that the program supports.
+# Run program with --help to get a list of available options and with
+# --print-defaults to see which it would actually understand and use.
+#
+# For explanations see
+# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
+
+# This will be passed to all mysql clients
+# It has been reported that passwords should be enclosed with ticks/quotes
+# escpecially if they contain "#" chars...
+# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
+[client]
+port            = 3306
+socket          = /var/run/mysqld/mysqld.sock
+
+# Here is entries for some specific programs
+# The following values assume you have at least 32M ram
+
+# This was formally known as [safe_mysqld]. Both versions are currently parsed.
+[mysqld_safe]
+socket          = /var/run/mysqld/mysqld.sock
+nice            = 0
+
+[mysqld]
+#
+# * Basic Settings
+#
+user            = mysql
+pid-file        = /var/run/mysqld/mysqld.pid
+socket          = /var/run/mysqld/mysqld.sock
+port            = 3306
+basedir         = /usr
+datadir         = /mnt/mysql_data
+tmpdir          = /mnt/mysql_data/tmp
+language        = /usr/share/mysql/english
+skip-external-locking
+default-storage-engine = InnoDB
+character-set-server   = utf8
+collation-server       = utf8_general_ci
+
+#
+# Instead of skip-networking the default is now to listen only on
+# localhost which is more compatible and is not less secure.
+#bind-address            = 127.0.0.1
+#
+# * Fine Tuning
+#
+key_buffer_size         = 16M
+max_allowed_packet      = 16M
+thread_stack            = 128K
+thread_cache_size       = 8
+#max_connections        = 100
+#table_cache            = 64
+#thread_concurrency     = 10
+#
+# * Query Cache Configuration
+#
+query_cache_limit       = 1M
+query_cache_size        = 64M
+#
+# * Logging and Replication
+#
+# Both location gets rotated by the cronjob.
+# Be aware that this log type is a performance killer.
+#log            = /var/log/mysql/mysql.log
+#
+# Error logging goes to syslog. This is a Debian improvement :)
+#
+# Here you can see queries with especially long duration
+log_slow_queries        = /mnt/log/mysql/mysql-slow.log
+long_query_time = 2
+log-queries-not-using-indexes
+#
+# The following can be used as easy to replay backup logs or for replication.
+#server-id              = 1
+log_bin                 = /mnt/log/mysql/mysql-bin.log
+# WARNING: Using expire_logs_days without bin_log crashes the server! See README.Debian!
+expire_logs_days        = 10
+max_binlog_size         = 100M
+#binlog_do_db           = include_database_name
+#binlog_ignore_db       = include_database_name
+#
+# * BerkeleyDB
+#
+# Using BerkeleyDB is now discouraged as its support will cease in 5.1.12.
+skip-bdb
+#
+# * InnoDB
+#
+# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
+# Read the manual for more InnoDB related options. There are many!
+# You might want to disable InnoDB to shrink the mysqld process by circa 100MB.
+#skip-innodb
+innodb_data_file_path=ibdata1:100M:autoextend
+innodb_buffer_pool_size=200M
+innodb_additional_mem_pool_size=20M
+innodb_log_file_size=128M
+innodb_log_buffer_size=8M
+innodb_flush_log_at_trx_commit=1
+innodb_lock_wait_timeout=20
+# innodb_flush_method=O_DIRECT
+innodb_file_per_table
+
+#
+# * Security Features
+#
+# Read the manual, too, if you want chroot!
+# chroot = /var/lib/mysql/
+#
+# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
+#
+# ssl-ca=/etc/mysql/cacert.pem
+# ssl-cert=/etc/mysql/server-cert.pem
+# ssl-key=/etc/mysql/server-key.pem
+
+
+
+[mysqldump]
+quick
+quote-names
+max_allowed_packet      = 16M
+
+[mysql]
+default-character-set   = utf8
+#no-auto-rehash # faster start of mysql but no tab completition
+
+[isamchk]
+key_buffer              = 16M
+
+#
+# * NDB Cluster
+#
+# See /usr/share/doc/mysql-server-*/README.Debian for more information.
+#
+# The following configuration is read by the NDB Data Nodes (ndbd processes)
+# not from the NDB Management Nodes (ndb_mgmd processes).
+#
+# [MYSQL_CLUSTER]
+# ndb-connectstring=127.0.0.1
+
+
+#
+# * IMPORTANT: Additional settings that can override those from this file!
+#
+!includedir /etc/mysql/conf.d/

data/server/files/etc/nginx/nginx.conf

@@ -0,0 +1,305 @@
+# user and group to run as
+user  app app;
+
+# number of nginx workers
+worker_processes  6;
+
+# pid of nginx master process
+pid /var/run/nginx.pid;
+
+# Number of worker connections. 1024 is a good default
+events {
+  worker_connections  1024;
+  use epoll; # linux only!
+}
+
+# start the http module where we config http access.
+http {
+  # pull in mime-types. You can break out your config 
+  # into as many include's as you want to make it cleaner
+  include /etc/nginx/mime.types;
+  
+  # set a default type for the rare situation that
+  # nothing matches from the mimie-type include
+  default_type  application/octet-stream;
+
+  # configure log format
+  log_format main '$remote_addr [$time_local] '
+                  '"$scheme $host $request" $status $body_bytes_sent "$http_referer" '
+                  '"$http_user_agent" "$http_x_forwarded_for" '
+                  '($request_time');
+  
+  # main access log
+  access_log  /mnt/log/nginx/access.log  main;
+
+  # main error log - Do not comment out. If you do not want the log file set this to /dev/null
+  # use debug instead of notice if you want additional information
+  error_log  /mnt/log/nginx/error.log notice;
+
+  # no sendfile on OSX
+  sendfile on;
+
+  # These are good default values.
+  tcp_nopush        on;
+  tcp_nodelay       on;
+  # output compression saves bandwidth 
+  gzip              on;
+  gzip_http_version 1.0;
+  gzip_comp_level   5;
+  gzip_proxied      any;
+  gzip_types        text/plain \
+                    text/html \
+                    text/css \
+                    application/x-javascript \
+                    application/json \
+                    text/xml \
+                    application/xml \
+                    application/xml+rss \
+                    text/javascript;
+  
+
+  # this is where you define your mongrel clusters. 
+  # you need one of these blocks for each cluster
+  # and each one needs its own name to refer to it later.
+  include /etc/ec2onrails/nginx_upstream_members;
+  
+  
+  # the server directive is nginx's virtual host directive.
+  server {
+    # port to listen on. Can also be set to an IP:PORT
+    listen 80;
+    
+    # Set the max size for file uploads to 50Mb
+    client_max_body_size 50M;
+
+    # sets the domain[s] that this vhost server requests for
+    # server_name www.[ec2onrails].com [ec2onrails].com;
+    server_name _;
+
+    # uncomment to force a redirect to www
+    # if ($host ~* "^[ec2onrails].com$"){
+    #   rewrite ^(.*)$ http://www.[ec2onrails].com$1 permanent;
+    #   break;
+    # }
+    
+    # uncomment if you want to allow or force some or all pages to go to http:// instead of https://
+    # if redirecting all to https, you won't need any of the other directives below the rewrite/break
+    # set $sub 'www';
+    # if  ($host ~* "^(.+?)\.[ec2onrails].com$"){
+    #        set $sub $1;
+    # }
+    # 
+    # if ( $uri ~* "^/.+$") {
+    #    rewrite ^(.*)$ https://$sub.[ec2onrails].com$1 permanent;
+    #    break;
+    # }
+
+    # doc root
+    root /mnt/app/current/public;
+
+    # vhost specific access log
+    access_log  /mnt/log/nginx/vhost.access.log  main;
+    error_page   400 /400.html;
+    error_page   500 502 503 504  /500.html;
+    location = /500.html {
+      root /mnt/app/current/public;
+    }
+    
+    #hide hidden files and folders
+    location ~ /\..+ {
+      deny  all;
+    }
+    
+    #do not show the nginx version number in the server header
+    server_tokens off;
+    
+    # this allows people to use images and css in their maintenance.html file
+    if ($request_filename ~* \.(css|jpg|gif|png)$) {
+	    break;
+    }
+		
+    # this rewrites all the requests to the maintenance.html
+    # page if it exists in the doc root. This is for capistrano's
+    # disable web task
+    if (-f $document_root/system/maintenance.html) {
+      rewrite  ^(.*)$  /system/maintenance.html last;
+      break;
+    }
+    
+    # see http://wiki.codemongers.com/NginxHttpStubStatusModule 
+    # for more information
+    location /nginx_status {
+        # copied from http://blog.kovyrin.net/2006/04/29/monitoring-nginx-with-rrdtool/
+        stub_status on;
+        access_log   off;
+        #only allow from localhost
+        allow 127.0.0.1; 
+        deny all;
+    }
+    
+    location / {
+      # FUTURE TODO...enable this and test the hell out of it
+      # if ($request_method = GET) {
+      #    set $memcached_key $uri;
+      #    memcached_pass 127.0.0.1:11211;
+      #    error_page 404 502 = @myapp;
+      #    break;
+      # }
+
+      index  index.html index.htm;
+      
+      # needed to forward user's IP address to rails
+      proxy_set_header  X-Real-IP  $remote_addr;
+      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header  Host $http_host;
+      proxy_redirect    false;
+      proxy_max_temp_file_size 0;
+      proxy_next_upstream      error;  # do not pass along to another mongrel instance if failed or timed out
+      proxy_read_timeout       400;    # give plenty of time for long-running rails processing tasks
+      #the proxy_connect_timeout cannot be more than 75
+      proxy_connect_timeout 70;
+      
+      location ~ ^/(images|javascripts|stylesheets)/ {
+        expires 10y;
+      }
+    
+      if (-f $request_filename) { 
+        break; 
+      }
+
+      # this is the meat of the rails page caching config
+      # it adds .html to the end of the url and then checks
+      # the filesystem for that file. If it exists, then we
+      # rewite the url to have explicit .html on the end 
+      # and then send it on its way to the next config rule.
+      # if there is no file on the fs then it sets all the 
+      # necessary headers and proxies to our upstream mongrels
+      if (-f $request_filename.html) {
+        rewrite (.*) $1.html break;
+      }
+
+      #proxy to mongrel
+      if (!-f $request_filename) {
+        proxy_pass http://mongrel;
+        break;
+      }
+    }
+  }
+  
+  # This server is setup for ssl. Uncomment if 
+  # you are using ssl as well as port 80.
+  # server {
+  #   # port to listen on. Can also be set to an IP:PORT
+  #   listen 443;
+  #   
+  #   # Set the max size for file uploads to 50Mb
+  #   client_max_body_size 50M;
+  # 
+  #   # sets the domain[s] that this vhost server requests for
+  #   # server_name www.[ec2onrails].com [ec2onrails].com;
+  #   server_name _;
+  # 
+  #   # uncomment to force a redirect to www
+  #   # if ($host ~* "^[ec2onrails].com$"){
+  #   #   rewrite ^(.*)$ http://www.[ec2onrails].com$1 permanent;
+  #   #   break;
+  #   # }
+  # 
+  #   ssl                  on;
+  #   ssl_certificate      /etc/nginx/your_cert.crt;
+  #   ssl_certificate_key  /etc/nginx/your_cert.key;
+  #   
+  #   # doc root
+  #   root /mnt/app/current/public;
+  # 
+  #   # vhost specific access log
+  #   access_log  /mnt/log/nginx/vhost.access.log  main;
+  #   error_page   400 /400.html;
+  #   error_page   500 502 503 504  /500.html;
+  #   location = /500.html {
+  #     root /mnt/app/current/public;
+  #   }
+  # 
+  #   # this allows people to use images and css in their maintenance.html file
+  #   if ($request_filename ~* \.(css|jpg|gif|png)$) {
+  #       break;
+  #   }
+  #      
+  #   # this rewrites all the requests to the maintenance.html
+  #   # page if it exists in the doc root. This is for capistrano's
+  #   # disable web task
+  #   if (-f $document_root/system/maintenance.html) {
+  #     rewrite  ^(.*)$  /system/maintenance.html last;
+  #     break;
+  #   }
+  #   
+  #   # see http://wiki.codemongers.com/NginxHttpStubStatusModule 
+  #   # for more information
+  #   location /nginx_status {
+  #       # copied from http://blog.kovyrin.net/2006/04/29/monitoring-nginx-with-rrdtool/
+  #       stub_status on;
+  #       access_log   off;
+  #       #only allow from localhost
+  #       allow 127.0.0.1; 
+  #       deny all;
+  #   }
+  # 
+  #   location / {
+  #      # FUTURE TODO...enable this and test the hell out of it
+  #      # if ($request_method = GET) {
+  #      #    set $memcached_key $uri;
+  #      #    memcached_pass 127.0.0.1:11211;
+  #      #    error_page 404 502 = @myapp;
+  #      #    break;
+  #      # }
+  # 
+  #      index  index.html index.htm;
+  # 
+  #      # needed to forward user's IP address to rails
+  #      proxy_set_header  X-Real-IP  $remote_addr;
+  #      # needed for HTTPS
+  #      proxy_set_header X_FORWARDED_PROTO https;
+  #      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+  #      proxy_set_header Host $http_host;
+  #      proxy_redirect   false;
+  #      proxy_max_temp_file_size 0;
+  #      proxy_next_upstream      error;  # do not pass along to another mongrel instance if failed or timed out
+  #      proxy_read_timeout       400;    # give plenty of time for long-running rails processing tasks
+  #      #the proxy_connect_timeout cannot be more than 75
+  #      proxy_connect_timeout 70;
+  # 
+  #      location ~ ^/(images|javascripts|stylesheets)/ {
+  #        expires 10y;
+  #      }
+  # 
+  #     if (-f $request_filename) { 
+  #       break; 
+  #     }
+  # 
+  #     # this is the meat of the rails page caching config
+  #     # it adds .html to the end of the url and then checks
+  #     # the filesystem for that file. If it exists, then we
+  #     # rewite the url to have explicit .html on the end 
+  #     # and then send it on its way to the next config rule.
+  #     # if there is no file on the fs then it sets all the 
+  #     # necessary headers and proxies to our upstream mongrels
+  #     if (-f $request_filename.html) {
+  #       rewrite (.*) $1.html break;
+  #     }
+  #     
+  #     # ok to have this out here because PDF's should never 
+  #     # be fully paged cache anyway
+  #     if ($request_filename ~* \.pdf$) {
+  #        proxy_pass http://mongrel_pdf;
+  #         break;
+  #     }
+  # 
+  #     if (!-f $request_filename) {
+  #       proxy_pass http://mongrel;
+  #       break;
+  #     }
+  #   }
+  # 
+  # }
+}
+

data/server/files/etc/postfix/main.cf

@@ -0,0 +1,4 @@
+mynetworks_style = host
+relay_domains =
+inet_interfaces = 127.0.0.1
+alias_maps = hash:/etc/aliases

data/server/files/etc/rcS.d/S91ec2-first-startup

@@ -0,0 +1 @@
+../init.d/ec2-first-startup

data/server/files/etc/rcS.d/S92ec2-every-startup

@@ -0,0 +1 @@
+../init.d/ec2-every-startup

data/server/files/etc/rcS.d/S99set_roles

@@ -0,0 +1 @@
+../init.d/set_roles

data/server/files/etc/ssh/sshd_config

@@ -0,0 +1,94 @@
+# Package generated configuration file
+# See the sshd(8) manpage for details
+
+# HARDEN OpenSSH TODO's
+#  * specify AllowUsers
+#  * PermitRootLogin no # turn off root login access
+#    to do that, we will probably need to create a non-root user to escalate 
+#    privileges to from capistrano, like 'admin'
+#  * change default port to something other than 22
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Enable to harden the ssh host
+# AllowUsers admin app
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin without-password
+UseDNS no
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile     %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+UsePAM yes
+
+# PermitUserEnvironment yes
+# AcceptEnv PATH
+# AcceptEnv RUBYLIB
+
+GatewayPorts clientspecified

data/server/files/etc/sudoers

@@ -0,0 +1 @@
+sudoers.full_access

data/server/files/etc/sudoers.full_access

@@ -0,0 +1,26 @@
+# /etc/sudoers
+#
+# This file MUST be edited with the 'visudo' command as root.
+#
+# See the man page for details on how to write a sudoers file.
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# Defaults
+
+Defaults        !lecture,tty_tickets,!fqdn
+
+# User privilege specification
+root    ALL=(ALL) ALL
+
+# The 'app' user can run sudo without a password
+# This is a security hole.  Use sudoers.restricted when running in regular mode
+app     ALL=(ALL) NOPASSWD: ALL
+
+
+# If you add named administrator accounts, add them to the group 'sudoers'
+# to give them sudo access
+%sudoers  ALL=(ALL) ALL

data/server/files/etc/sudoers.restricted_access

@@ -0,0 +1,28 @@
+# /etc/sudoers
+#
+# This file MUST be edited with the 'visudo' command as root.
+#
+# See the man page for details on how to write a sudoers file.
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# Defaults
+
+Defaults        !lecture,tty_tickets,!fqdn
+
+# User privilege specification
+root    ALL=(ALL) ALL
+
+# The 'app' user can NOT run sudo without a password, except when running god and a rake task.
+# This is safer, but slightly more of a hassle, than running with sudoers.full_access
+app ALL = NOPASSWD: /usr/bin/god
+
+# If you add named administrator accounts, add them to the group 'sudoers'
+# to give them sudo access
+%sudoers  ALL=(ALL) ALL
+
+
+

data/server/files/etc/syslog.conf

@@ -0,0 +1,69 @@
+#  /etc/syslog.conf     Configuration file for syslogd.
+#
+#                       For more information see syslog.conf(5)
+#                       manpage.
+
+#
+# First some standard logfiles.  Log by facility.
+#
+
+auth,authpriv.*                 /mnt/log/auth.log
+*.*;auth,authpriv.none          -/mnt/log/syslog
+#cron.*                         /mnt/log/cron.log
+daemon.*                        -/mnt/log/daemon.log
+kern.*                          -/mnt/log/kern.log
+lpr.*                           -/mnt/log/lpr.log
+mail.*                          -/mnt/log/mail.log
+user.*                          -/mnt/log/user.log
+
+#
+# Logging for the mail system.  Split it up so that
+# it is easy to write scripts to parse these files.
+#
+mail.info                       -/mnt/log/mail.info
+mail.warn                       -/mnt/log/mail.warn
+mail.err                        /mnt/log/mail.err
+
+# Logging for INN news system
+#
+news.crit                       /mnt/log/news/news.crit
+news.err                        /mnt/log/news/news.err
+news.notice                     -/mnt/log/news/news.notice
+
+#
+# Some `catch-all' logfiles.
+#
+*.=debug;\
+        auth,authpriv.none;\
+        news.none;mail.none     -/mnt/log/debug
+*.=info;*.=notice;*.=warn;\
+        auth,authpriv.none;\
+        cron,daemon.none;\
+        mail,news.none          -/mnt/log/messages
+
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg                         *
+
+#
+# I like to have messages displayed on the console, but only on a virtual
+# console I usually leave idle.
+#
+#daemon,mail.*;\
+#       news.=crit;news.=err;news.=notice;\
+#       *.=debug;*.=info;\
+#       *.=notice;*.=warn       /dev/tty8
+
+# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
+# you must invoke `xconsole' with the `-file' option:
+# 
+#    $ xconsole -file /dev/xconsole [...]
+#
+# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
+#      busy site..
+#
+daemon.*;mail.*;\
+        news.err;\
+        *.=debug;*.=info;\
+        *.=notice;*.=warn       |/dev/xconsole