capistrano-atlas 0.0.1

data/lib/capistrano/atlas/templates/ssl_setup

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# Usage:
+#
+# ssl_setup [--self] <name> <csr_config>
+#
+# This script is used to generate key and CSR for use HTTPS in Nginx.
+#
+# --self        Generate self-signed certificate in addition to key and CSR.
+# name          Output files will be named as <name>.key and <name>.csr.
+# csr_config    Path to file that specifies CSR information. See below.
+#
+# CSR configuration format:
+#
+# [ req ]
+# distinguished_name="req_distinguished_name"
+# prompt="no"
+#
+# [ req_distinguished_name ]
+# C="US"
+# ST="California"
+# L="San Francisco"
+# O="Example Company"
+# CN="www.example.com"
+
+if [[ $1 == --self ]]; then
+  SELF_SIGN=1
+  shift
+fi
+
+KEY_NAME=$1
+CSR_CONFIG=$2
+
+openssl req -config $CSR_CONFIG -new -newkey rsa:2048 -nodes -keyout ${KEY_NAME}.key -out ${KEY_NAME}.csr
+chmod 600 ${KEY_NAME}.key ${KEY_NAME}.csr
+echo "Created ${KEY_NAME}.key"
+echo "Created ${KEY_NAME}.csr"
+
+if [[ -n $SELF_SIGN ]]; then
+  openssl x509 -req -days 365 -in ${KEY_NAME}.csr -signkey ${KEY_NAME}.key -out ${KEY_NAME}.crt
+  chmod 600 ${KEY_NAME}.crt
+  echo "Created ${KEY_NAME}.crt (self-signed)"
+fi

data/lib/capistrano/atlas/templates/version.rb.erb

@@ -0,0 +1,3 @@
+Rails.application.config.version = "<%= git_version[:tag] %>"
+Rails.application.config.version_date = Date.parse("<%= git_version[:date] %>")
+Rails.application.config.version_time = Time.zone.parse("<%= git_version[:time] %>")

data/lib/capistrano/atlas/version.rb

@@ -0,0 +1,5 @@
+module Capistrano
+  module Atlas
+    VERSION = "0.0.1".freeze
+  end
+end

data/lib/capistrano/tasks/aptitude.rake

@@ -0,0 +1,111 @@
+atlas_recipe :aptitude do
+  during :provision, %w(upgrade install)
+  before "provision:14_04", "atlas:aptitude:install_software_properties"
+  before "provision:14_04", "atlas:aptitude:install_postgres_repo"
+  before "provision:14_04", "atlas:aptitude:change_postgres_packages"
+end
+
+namespace :atlas do
+  namespace :aptitude do
+
+    desc "Run `aptitude update` and then run `aptitude safe-upgrade`"
+    task :upgrade do
+      privileged_on roles(:all) do |host|
+        _update
+        _safe_upgrade
+      end
+    end
+
+
+    desc "Run `aptitude install` for packages required by the roles of "\
+         "each server."
+    task :install do
+      privileged_on roles(:all) do |host|
+        packages_to_install = []
+        repos_to_add = []
+
+        _each_package(host) do |pkg, repo|
+          unless _already_installed?(pkg)
+            repos_to_add << repo unless repo.nil?
+            packages_to_install << pkg
+          end
+        end
+
+        repos_to_add.uniq.each { |repo| _add_repository(repo) }
+        _update
+        packages_to_install.uniq.each { |pkg| _install(pkg) }
+      end
+    end
+
+    desc "Add the official apt repository for PostgreSQL"
+    task :install_postgres_repo do
+      privileged_on roles(:all) do |host|
+        _add_repository(
+          "deb http://apt.postgresql.org/pub/repos/apt/ trusty-pgdg main",
+          :key => "https://www.postgresql.org/media/keys/ACCC4CF8.asc")
+      end
+    end
+
+    desc "Change 12.04 PostgreSQL package requirements to 14.04 versions"
+    task :change_postgres_packages do
+      packages = fetch(:atlas_aptitude_packages, {})
+      packages = Hash[packages.map do |key, value|
+        [key.sub(/@ppa:pitti\/postgresql$/, ""), value]
+      end]
+      set(:atlas_aptitude_packages, packages)
+    end
+
+    desc "Install package needed for apt-add-repository on 14.04"
+    task :install_software_properties do
+      privileged_on roles(:all) do |host|
+        unless _already_installed?("software-properties-common")
+          _install("software-properties-common")
+        end
+      end
+    end
+
+    def _already_installed?(pkg)
+      test(:sudo, "dpkg", "-s", pkg, "2>/dev/null", "|", :grep, "-q 'ok installed'")
+    end
+
+    def _add_repository(repo, options={})
+      unless _already_installed?("python-software-properties")
+        _install("python-software-properties")
+      end
+      execute :sudo, "apt-add-repository", "-y '#{repo}'"
+
+      if (key = options.fetch(:key, nil))
+        execute "wget --prefer-family=IPv4 --quiet -O - #{key} | sudo apt-key add -"
+      end
+    end
+
+    def _install(pkg)
+      with :debian_frontend => "noninteractive" do
+        execute :sudo, "aptitude", "-y -q install", pkg
+      end
+    end
+
+    def _update
+      with :debian_frontend => "noninteractive" do
+        execute :sudo, "aptitude", "-q -q -y update"
+      end
+    end
+
+    def _safe_upgrade
+      with :debian_frontend => "noninteractive" do
+        execute :sudo, "aptitude", "-q -q -y safe-upgrade"
+      end
+    end
+
+    def _each_package(host)
+      return to_enum(:_each_package, host) unless block_given?
+      hostname = host.hostname
+      fetch(:atlas_aptitude_packages).each do |package_spec, *role_list|
+        next unless roles(*role_list.flatten).map(&:hostname).include?(hostname)
+
+        pkg, repo = package_spec.split("@")
+        yield(pkg, repo)
+      end
+    end
+  end
+end

data/lib/capistrano/tasks/bundler.rake

@@ -0,0 +1,31 @@
+atlas_recipe :bundler do
+  prior_to "bundler:install", "gem_install"
+end
+
+namespace :atlas do
+  namespace :bundler do
+    desc "Install correct version of bundler based on Gemfile.lock"
+    task :gem_install do
+      install_command = fetch(:atlas_bundler_gem_install_command, nil)
+      next unless install_command
+
+      on fetch(:bundle_servers) do
+        within release_path do
+          if (bundled_with = capture_bundled_with)
+            execute "#{install_command} -v #{bundled_with}"
+          end
+        end
+      end
+    end
+
+    def capture_bundled_with
+      lockfile = fetch(:atlas_bundler_lockfile, "Gemfile.lock")
+      return unless test "[ -f #{release_path.join(lockfile)} ]"
+
+      ruby_expr = 'puts $<.read[/BUNDLED WITH\n   (\S+)$/, 1]'
+      version = capture :ruby, "-e", ruby_expr.shellescape, lockfile
+      version.strip!
+      version.empty? ? nil : version
+    end
+  end
+end

data/lib/capistrano/tasks/crontab.rake

@@ -0,0 +1,14 @@
+atlas_recipe :crontab do
+  during "deploy:published", "atlas:crontab"
+end
+
+namespace :atlas do
+  desc "Install crontab using crontab.erb template"
+  task :crontab do
+    on roles(:cron) do
+      tmp_file = "/tmp/crontab"
+      template "crontab.erb", tmp_file
+      execute "crontab #{tmp_file} && rm #{tmp_file}"
+    end
+  end
+end

data/lib/capistrano/tasks/defaults.rake

@@ -0,0 +1,137 @@
+namespace :load do
+  task :defaults do
+
+    set :atlas_recipes, %w(
+      aptitude
+      bundler
+      crontab
+      dotenv
+      logrotate
+      migrate
+      nginx
+      postgresql
+      rbenv
+      seed
+      ssl
+      ufw
+      user
+      version
+    )
+
+    set :atlas_privileged_user, "root"
+
+    set :atlas_aptitude_packages,
+        "build-essential"                        => :all,
+        "curl"                                   => :all,
+        "debian-goodies"                         => :all,
+        "git-core"                               => :all,
+        "libpq-dev@ppa:pitti/postgresql"         => :all,
+        "libreadline-gplv2-dev"                  => :all,
+        "libssl-dev"                             => :all,
+        "libxml2"                                => :all,
+        "libxml2-dev"                            => :all,
+        "libxslt1-dev"                           => :all,
+        "nginx@ppa:nginx/stable"                 => :web,
+        "nodejs@ppa:chris-lea/node.js"           => :all,
+        "ntp"                                    => :all,
+        "postgresql-client@ppa:pitti/postgresql" => :all,
+        "postgresql@ppa:pitti/postgresql"        => :db,
+        "tklib"                                  => :all,
+        "ufw"                                    => :all,
+        "zlib1g-dev"                             => :all
+
+    set :atlas_bundler_lockfile, "Gemfile.lock"
+    set :atlas_bundler_gem_install_command,
+        "gem install bundler --conservative --no-document"
+
+    set :atlas_dotenv_keys, %w(rails_secret_key_base postmark_api_key)
+    set :atlas_dotenv_filename, -> { ".env.#{fetch(:rails_env)}" }
+
+    set :atlas_log_file, "log/capistrano.log"
+
+    set :atlas_nginx_force_https, false
+    set :atlas_nginx_redirect_hosts, {}
+
+    set :atlas_puma_threads, "0, 8"
+    set :atlas_puma_workers, 2
+    set :atlas_puma_timeout, 30
+    set :atlas_puma_config, ->{ "#{current_path}/config/puma.rb" }
+    set :atlas_puma_stdout_log, ->{ "#{current_path}/log/puma.stdout.log" }
+    set :atlas_puma_stderr_log, ->{ "#{current_path}/log/puma.stderr.log" }
+    set :atlas_puma_pid, ->{ "#{current_path}/tmp/pids/puma.pid" }
+
+    ask :atlas_postgresql_password, nil, :echo => false
+    set :atlas_postgresql_pool_size, 5
+    set :atlas_postgresql_host, "localhost"
+    set :atlas_postgresql_database,
+        -> { "#{application_basename}_#{fetch(:rails_env)}" }
+    set :atlas_postgresql_user, -> { application_basename }
+    set :atlas_postgresql_pgpass_path,
+        proc{ "#{shared_path}/config/pgpass" }
+    set :atlas_postgresql_backup_path, -> {
+      "#{shared_path}/backups/postgresql-dump.dmp"
+    }
+    set :atlas_postgresql_backup_exclude_tables, []
+    set :atlas_postgresql_dump_options, -> {
+      options = fetch(:atlas_postgresql_backup_exclude_tables).map do |t|
+        "-T #{t.shellescape}"
+      end
+      options.join(" ")
+    }
+
+    set :atlas_rbenv_ruby_version, -> { IO.read(".ruby-version").strip }
+    set :atlas_rbenv_vars, -> {
+      {
+        "RAILS_ENV" => fetch(:rails_env),
+        "PGPASSFILE" => fetch(:atlas_postgresql_pgpass_path)
+      }
+    }
+
+    set :atlas_sidekiq_concurrency, 25
+    set :atlas_sidekiq_role, :sidekiq
+
+    ask :atlas_ssl_csr_country, "US"
+    ask :atlas_ssl_csr_state, "California"
+    ask :atlas_ssl_csr_city, "San Francisco"
+    ask :atlas_ssl_csr_org, "Example Company"
+    ask :atlas_ssl_csr_name, "www.example.com"
+
+    # WARNING: misconfiguring firewall rules could lock you out of the server!
+    set :atlas_ufw_rules,
+        "allow ssh" => :all,
+        "allow http" => :web,
+        "allow https" => :web
+
+
+    set :bundle_binstubs, false
+    set :bundle_flags, "--deployment --retry=3 --quiet"
+    set :bundle_path, -> { shared_path.join("bundle") }
+    set :deploy_to, -> { "/home/deployer/apps/#{fetch(:application)}" }
+    set :keep_releases, 10
+    set :linked_dirs, -> {
+        ["public/#{fetch(:assets_prefix, 'assets')}"] +
+        %w(
+          .bundle
+          log
+          tmp/pids
+          tmp/cache
+          tmp/sockets
+          public/.well-known
+          public/system
+        )
+    }
+    set :linked_files, -> {
+        [fetch(:atlas_dotenv_filename)] +
+        %w(
+          config/database.yml
+          config/unicorn.rb
+        )
+    }
+    set :log_level, :debug
+    set :migration_role, :app
+    set :rails_env, -> { fetch(:stage) }
+    set :ssh_options, :compression => true, :keepalive => true
+
+    SSHKit.config.command_map[:rake] = "bundle exec rake"
+  end
+end

data/lib/capistrano/tasks/dotenv.rake

@@ -0,0 +1,57 @@
+atlas_recipe :dotenv do
+  during "provision", "update"
+  prior_to "deploy:publishing", "update"
+end
+
+namespace :atlas do
+  namespace :dotenv do
+    desc "Replace/create .env file with values provided at console"
+    task :replace do
+      set_up_prompts
+
+      on release_roles(:all) do
+        update_dotenv_file
+      end
+    end
+
+    desc "Update .env file with any missing values"
+    task :update do
+      set_up_prompts
+
+      on release_roles(:all), :in => :sequence do
+        existing_env = if test("[ -f #{shared_dotenv_path} ]")
+          download!(shared_dotenv_path)
+        end
+        update_dotenv_file(existing_env.is_a?(String) ? existing_env : "")
+      end
+    end
+
+    def shared_dotenv_path
+      "#{shared_path}/#{fetch(:atlas_dotenv_filename)}"
+    end
+
+    def set_up_prompts
+      fetch(:atlas_dotenv_keys).each do |key|
+        if key.to_s =~ /key|token|secret|password|pepper/i
+          ask(key, nil, :echo => false)
+        else
+          ask(key, nil)
+        end
+      end
+    end
+
+    def update_dotenv_file(existing="")
+      updated = existing.dup
+
+      fetch(:atlas_dotenv_keys).each do |key|
+        next if existing =~ /^#{Regexp.escape(key.upcase)}=/
+        updated << "\n" unless updated.end_with?("\n")
+        updated << "#{key.upcase}=#{fetch(key)}\n"
+      end
+
+      unless existing == updated
+        put(updated, shared_dotenv_path, :mode => "600")
+      end
+    end
+  end
+end

data/lib/capistrano/tasks/logrotate.rake

@@ -0,0 +1,16 @@
+atlas_recipe :logrotate do
+  during :provision, "atlas:logrotate"
+end
+
+namespace :atlas do
+  desc "Configure logrotate for Rails logs"
+  task :logrotate do
+    privileged_on release_roles(:all) do
+      template "logrotate.erb",
+               "/etc/logrotate.d/#{application_basename}-logs",
+               :mode => 644,
+               :owner => "root:root",
+               :sudo => true
+    end
+  end
+end

data/lib/capistrano/tasks/maintenance.rake

@@ -0,0 +1,28 @@
+atlas_recipe :maintenance do
+  # No hooks for this recipe
+end
+
+namespace :atlas do
+  namespace :maintenance do
+    desc "Tell nginx to display a 503 page for all web requests, using the "\
+         "maintenance.html.erb template"
+    task :enable do
+      on roles(:web) do
+        reason = ENV["REASON"]
+        deadline = ENV["DEADLINE"]
+
+        template "maintenance.html.erb",
+                 "#{current_path}/public/system/maintenance.html",
+                 :binding => binding,
+                 :mode => "644"
+      end
+    end
+
+    desc "Remove the 503 page"
+    task :disable do
+      on roles(:web) do
+        execute :rm, "-f", "#{current_path}/public/system/maintenance.html"
+      end
+    end
+  end
+end