errorstudio_capistrano_recipes 0.1.10

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: de0bf29b0aca35349c3f21c4c3c4346803091736
+  data.tar.gz: 61af7fe8e700af6b21a4d1aa508191f3a9e186d1
+SHA512:
+  metadata.gz: 91dd4b9af5f213cd8837db5c02d175928ee2156dcabe907dad6982e3a59616d1d7c06570cd42a67863fab539803772f517dd076575849a4ef17a385b6ac0e1a6
+  data.tar.gz: 082ffe378aa0e9c197152749fa3bf8327e225a43422d264256a9d19c1b1f8df9b6fa0a6e33d816174331d65b093d0d33e8834d7fdf21c8a533450fcda2d9ed85

data/.gitignore

@@ -0,0 +1,10 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+.idea

data/.ruby-gemset

@@ -0,0 +1 @@
+errorstudio-capistrano-recipes

data/.ruby-version

@@ -0,0 +1 @@
+2.4.0

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,13 @@
+# Contributor Code of Conduct
+
+As contributors and maintainers of this project, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project a harassment-free experience for everyone, regardless of level of experience, gender, gender identity and expression, sexual orientation, disability, personal appearance, body size, race, ethnicity, age, or religion.
+
+Examples of unacceptable behavior by participants include the use of sexual language or imagery, derogatory comments or personal attacks, trolling, public or private harassment, insults, or other unprofessional conduct.
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct. Project maintainers who do not follow the Code of Conduct may be removed from the project team.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by opening an issue or contacting one or more of the project maintainers.
+
+This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.0.0, available at [http://contributor-covenant.org/version/1/0/0/](http://contributor-covenant.org/version/1/0/0/)

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in errorstudio_capistrano_recipes.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Error Ltd
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,29 @@
+# Error Studio Capistrano Recipes
+
+At [Error](https://error.agency) we like to deploy things with Capistrano. This is a selection of our scripts for deploying:
+
+* Rails
+* Wordpress (using the [Bedrock](https://roots.io/bedrock/) approach and composer)
+* Static sites
+
+There are some optional parts too:
+
+* Nginx config with SSL
+* RVM setup
+* Phusion Passenger configuration
+* Cron jobs
+
+
+# Warning / Disclaimer
+This is mostly an internal tool - you'll have to spelunk through the code to get a handle on all the options. In due course we'll document everything.
+
+# Prerequisites
+On the machine you're deploying from, you'll need:
+
+* Ruby
+* GPG 2 (for decrypting secret SSL keys locally)
+
+# License
+MIT - see LICENSE.txt
+
+

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "capistrano/errorstudio"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start

data/bin/setup

@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/errorstudio_capistrano_recipes.gemspec

@@ -0,0 +1,34 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "errorstudio_capistrano_recipes"
+  spec.version       = ErrorstudioCapistranoRecipes::VERSION
+  spec.authors       = ["Ed Jones", "Paul Hendrick"]
+  spec.email         = ["ed@error.agency", "paul@error.agency"]
+
+  spec.summary       = %q{Error's cap recipes}
+  spec.description   = %q{Cap recipes we use to deploy our websites.}
+  spec.homepage      = "https://github.com/errorstudio/errorstudio_capistrano_recipes"
+  spec.license       = "MIT"
+
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.10"
+  spec.add_development_dependency "rake", "~> 10.0"
+
+  #production deps
+  spec.add_dependency 'capistrano', '~>3.11.0'
+  spec.add_dependency 'capistrano-composer', '>=0.0.6'
+  spec.add_dependency 'capistrano-bundler'
+  spec.add_dependency 'capistrano-rails'
+  # spec.add_dependency 'capistrano-rvm'
+  spec.add_dependency 'rvm1-capistrano3'
+  spec.add_dependency 'capistrano-passenger'
+end

data/lib/capistrano/errorstudio.rb

@@ -0,0 +1,5 @@
+require 'capistrano/setup'
+require 'capistrano/deploy'
+require 'capistrano/errorstudio/ownership'
+require 'capistrano/errorstudio/prompts'
+set :deploy_to, ->{"/var/www/#{fetch(:deploy_domain)}"}

data/lib/capistrano/errorstudio/composer.rb

@@ -0,0 +1,3 @@
+require 'capistrano/composer'
+Rake::Task['deploy:updated'].prerequisites.delete('composer:install')
+load File.expand_path("../tasks/composer.rake", __FILE__)

data/lib/capistrano/errorstudio/cron.rb

@@ -0,0 +1,2 @@
+require 'capistrano/errorstudio'
+load File.expand_path("../tasks/cron.rake", __FILE__)

data/lib/capistrano/errorstudio/nginx.rb

@@ -0,0 +1,2 @@
+require 'open-uri'
+load File.expand_path("../tasks/nginx.rake", __FILE__)

data/lib/capistrano/errorstudio/ownership.rb

@@ -0,0 +1 @@
+load File.expand_path("../tasks/ownership.rake", __FILE__)

data/lib/capistrano/errorstudio/passenger.rb

@@ -0,0 +1,2 @@
+require 'capistrano/errorstudio/rvm'
+load File.expand_path("../tasks/passenger.rake", __FILE__)

data/lib/capistrano/errorstudio/prompts.rb

@@ -0,0 +1 @@
+load File.expand_path("../tasks/prompts.rake", __FILE__)

data/lib/capistrano/errorstudio/rails.rb

@@ -0,0 +1,13 @@
+require 'capistrano/errorstudio'
+set :linked_dirs, fetch(:linked_dirs, []).push('log', 'tmp/pids', 'tmp/cache', 'tmp/sockets', 'vendor/bundle', 'public/system', 'public/uploads')
+set :linked_files, fetch(:linked_files, []).push('config/database.yml', 'config/secrets.yml')
+set :upstream_proxy_required, true
+set :upstream_proxy_port, -> {fetch(:passenger_port)}
+set :upstream_proxy_cache, fetch(:upstream_proxy_cache, true)
+require 'capistrano/rails'
+require 'capistrano/rails/assets'
+# require 'capistrano/rails/migrations'
+require 'capistrano/errorstudio/nginx'
+require 'capistrano/errorstudio/passenger'
+require 'capistrano/errorstudio/rvm'
+load File.expand_path("../tasks/rails.rake", __FILE__)

data/lib/capistrano/errorstudio/rvm.rb

@@ -0,0 +1,4 @@
+require 'rvm1/capistrano3'
+require 'capistrano/bundler'
+
+load File.expand_path("../tasks/rvm.rake", __FILE__)

data/lib/capistrano/errorstudio/static.rb

@@ -0,0 +1,4 @@
+require 'capistrano/errorstudio'
+require 'capistrano/errorstudio/nginx'
+load File.expand_path("../tasks/static.rake", __FILE__)
+

data/lib/capistrano/errorstudio/tasks/composer.rake

@@ -0,0 +1,12 @@
+namespace :composer do
+  desc "Set paths for composer and invoke the installation of the composer executable"
+  task :set_paths_and_install do
+    set :composer_working_dir, ->{ File.join(release_path,"public")}
+    set :composer_install_flags, '--no-interaction --optimize-autoloader'
+    SSHKit.config.command_map[:composer] = "php #{shared_path.join("composer.phar")}"
+    invoke "composer:install_executable"
+  end
+end
+
+after "deploy:starting", 'composer:set_paths_and_install'
+after "deploy:updated", "composer:install"

data/lib/capistrano/errorstudio/tasks/cron.rake

@@ -0,0 +1,15 @@
+namespace :cron do
+  desc "Generate cron scripts"
+  task :generate_cron_scripts do
+    on roles(:web) do
+      fetch(:cron_scripts).each do |cron_time, files|
+        files.each do |cron_template|
+          buffer = ERB.new(File.read(cron_template)).result(binding)+"\n"
+          cron_filename = File.basename(cron_template).gsub(/\.sh\.erb$/, '')
+          upload! StringIO.new(buffer), "#{shared_path}/#{cron_time}.#{File.basename(cron_template)}"
+          execute "sudo mv -f #{shared_path}/#{cron_time}.#{File.basename(cron_template)} /etc/cron.#{cron_time}/#{cron_filename} && sudo chown root:root /etc/cron.#{cron_time}/#{cron_filename} && sudo chmod +x /etc/cron.#{cron_time}/#{cron_filename}"
+        end
+      end
+    end
+  end
+end

data/lib/capistrano/errorstudio/tasks/nginx.rake

@@ -0,0 +1,198 @@
+set :nginx_configuration, fetch(:nginx_configuration, {})
+set :base_domain, ->{fetch(:base_domain,ask(:base_domain,nil))}
+set :prelaunch_domain, ->{fetch(:prelaunch_domain,ask(:prelaunch_domain,nil))}
+set :site_domains, ->{fetch(:site_domains,ask(:site_domains,nil))}
+set :basic_auth_required, fetch(:basic_auth_required, false)
+set :ssl_required, fetch(:ssl_required, false)
+set :deploy_domain, ->{fetch(:deploy_domain,ask(:deploy_domain,nil))}
+
+namespace :nginx do
+  desc "Check the config exists, and generate if it doesn't"
+  task :check_config do
+    set :nginx_sites_available, "/etc/nginx/sites-available/#{fetch(:deploy_domain)}"
+    set :nginx_sites_enabled, "/etc/nginx/sites-enabled/#{fetch(:deploy_domain)}"
+    on roles(:web) do
+      unless test("[ -f #{"/etc/nginx/sites-enabled/#{fetch(:deploy_domain)}"} ]")
+        invoke "nginx:generate_config"
+      end
+    end
+  end
+
+  desc "Generate an Nginx config from a template, with a few prerequisite tasks"
+  task :generate_config => [
+         :generate_ssl,
+         :generate_cloudflare_real_ips,
+         :generate_php,
+         :generate_upstream_proxy,
+         :generate_redirects,
+         :add_basic_auth,
+         :generate_rewrites,
+         :generate_custom_rules,
+         :generate_custom_aliases,
+         :generate_cors,
+         :generate_path_redirects,
+         :generate_proxy_cache
+       ] do
+    file = File.join(File.dirname(__FILE__), "templates","nginx", "nginx_vhost.conf.erb")
+
+    buffer = ERB.new(File.read(file)).result(binding)
+    on roles(:web) do
+      upload! StringIO.new(buffer), "#{shared_path}/#{fetch(:deploy_domain)}"
+      execute "mv #{shared_path}/#{fetch(:deploy_domain)} #{"/etc/nginx/sites-available/#{fetch(:deploy_domain)}"}"
+      execute "ln -nfs #{"/etc/nginx/sites-available/#{fetch(:deploy_domain)}"} #{"/etc/nginx/sites-enabled/#{fetch(:deploy_domain)}"}"
+      invoke 'nginx:reload'
+    end
+  end
+
+  desc "Add basic auth to the nginx config"
+  task :add_basic_auth do
+    #set up the basic auth if the vars are defined
+    if fetch(:basic_auth_required, false)
+      set :basic_auth_realm, "Your username and password are required"
+      # set :basic_auth_username, ->{fetch(:basic_auth_username,ask(:basic_auth_username,nil))}
+      # set :basic_auth_password, ->{fetch(:basic_auth_password,ask(:basic_auth_password,nil))}
+      on roles :web do
+        encrypted_password = `openssl passwd -apr1 #{fetch(:basic_auth_password)}`
+        execute :echo, "'#{fetch(:basic_auth_username)}:#{encrypted_password.chomp}'", "> #{shared_path}/.htpasswd"
+      end
+      file = File.join(File.dirname(__FILE__), "templates","nginx", "basic_auth.erb")
+      basic_auth = {basic_auth: ERB.new(File.read(file)).result(binding)}
+      set :nginx_configuration, fetch(:nginx_configuration).merge(basic_auth)
+      invoke "deploy:set_ownership"
+    end
+  end
+
+  desc "Reload Nginx"
+  task :reload do
+    on roles(:web) do
+      sudo "/usr/sbin/invoke-rc.d nginx reload"
+    end
+  end
+
+  desc "Generate CORS headers for nginx"
+  task :generate_cors do
+    if fetch(:include_nginx_cors, false)
+      file = File.join(File.dirname(__FILE__), "templates","nginx", "cors.erb")
+      # generate a hash which is the content of the nginx redirects, with a key
+      cors = {cors: ERB.new(File.read(file)).result(binding)}
+      set :nginx_configuration, fetch(:nginx_configuration).merge(cors)
+    end
+  end
+
+  desc "Generate custom rules from a hash of rules. NB this is inside the main server block"
+  task :generate_custom_rules do
+    file = File.join(File.dirname(__FILE__), "templates","nginx", "custom_rules.erb")
+    # generate a hash which is the content of the nginx redirects, with a key
+    rules = {custom_rules: ERB.new(File.read(file)).result(binding)}
+    set :nginx_configuration, fetch(:nginx_configuration).merge(rules)
+  end
+
+  desc "Generate custom aliases from a hash. NB this is inside the main server block"
+  task :generate_custom_aliases do
+      file = File.join(File.dirname(__FILE__), "templates","nginx", "custom_aliases.erb")
+      # generate a hash which is the content of the nginx redirects, with a key
+      aliases = {custom_aliases: ERB.new(File.read(file)).result(binding)}
+      set :nginx_configuration, fetch(:nginx_configuration).merge(aliases)
+  end
+
+  desc "Generate 301 path redirects from a hash. NB this is inside the main server block"
+  task :generate_path_redirects do
+    file = File.join(File.dirname(__FILE__), "templates","nginx", "path_redirects.erb")
+    # generate a hash which is the content of the nginx redirects, with a key
+    aliases = {path_redirects: ERB.new(File.read(file)).result(binding)}
+    set :nginx_configuration, fetch(:nginx_configuration).merge(aliases)
+  end
+
+  desc "Generate PHP-FPM proxy and headers"
+  task :generate_php => :generate_ssl do
+    if fetch(:php_required, false)
+      file = File.join(File.dirname(__FILE__), "templates","nginx", "php.erb")
+      php = {php: ERB.new(File.read(file)).result(binding)}
+      set :nginx_configuration, fetch(:nginx_configuration,{}).merge(php)
+    end
+  end
+
+  desc "Generate upstream proxy and headers"
+  task :generate_upstream_proxy => :generate_ssl do
+    if fetch(:upstream_proxy_required, false)
+      file = File.join(File.dirname(__FILE__), "templates","nginx", "upstream_proxy.erb")
+      upstream = {upstream: ERB.new(File.read(file)).result(binding)}
+      set :nginx_configuration, fetch(:nginx_configuration,{}).merge(upstream)
+    end
+  end
+
+  desc "Generate proxy cache settings"
+  task :generate_proxy_cache => :generate_upstream_proxy do
+    if fetch(:upstream_proxy_cache, false)
+      set :cache_zone, "#{fetch(:application)}_#{fetch(:stage)}"
+      file = File.join(File.dirname(__FILE__), "templates","nginx", "proxy_cache_path.erb")
+      cache_path = {proxy_cache_path: ERB.new(File.read(file)).result(binding)}
+      set :nginx_configuration, fetch(:nginx_configuration,{}).merge(cache_path)
+      file = File.join(File.dirname(__FILE__), "templates","nginx", "location_proxy_cache.erb")
+      location_proxy_cache = {location_proxy_cache: ERB.new(File.read(file)).result(binding)}
+      set :nginx_configuration, fetch(:nginx_configuration,{}).merge(location_proxy_cache)
+    end
+  end
+
+  desc "Generate redirects in separate server blocks"
+  task :generate_redirects => :generate_ssl do
+    file = File.join(File.dirname(__FILE__), "templates","nginx", "redirects.erb")
+    # generate a hash which is the content of the nginx redirects, with a key
+    redirects = {domain_redirects: ERB.new(File.read(file)).result(binding)}
+    set :nginx_configuration, fetch(:nginx_configuration,{}).merge(redirects)
+  end
+
+  desc "Generate rewrites"
+  task :generate_rewrites do
+    file = File.join(File.dirname(__FILE__), "templates","nginx", "rewrites.erb")
+    rewrites = {url_rewrites: ERB.new(File.read(file)).result(binding)}
+    set :nginx_configuration, fetch(:nginx_configuration,{}).merge(rewrites)
+  end
+
+  desc "Generate SSL settings from files in a specified location"
+  task :generate_ssl do
+    if fetch(:ssl_required, false)
+      set :ip_address, ->{fetch(:ip_address, ask(:ip_address,nil))}
+      set :ssl_cert_path, File.join(fetch(:ssl_dir), fetch(:ssl_cert))
+      set :ssl_key_path, File.join(fetch(:ssl_dir), fetch(:ssl_key))
+      set :ssl_dh_path, File.join(fetch(:ssl_dir), fetch(:ssl_dh))
+
+      unless File.exists?(fetch(:ssl_cert_path)) && File.exists?(fetch(:ssl_key_path)) & File.exists?(fetch(:ssl_dh_path))
+        puts "You need to put your SSL GPG-encrypted key, DH params and cert in the locations you've specified"
+        exit
+      end
+
+      set :gpg_phrase, ask("GPG passphrase for SSL key and DH:",nil)
+      set :ssl_path, "/etc/nginx/ssl"
+      key = `echo #{fetch(:gpg_phrase)} | gpg -d -q --batch --passphrase-fd 0 --no-mdc-warning #{fetch(:ssl_key_path)}`
+      dh = `echo #{fetch(:gpg_phrase)} | gpg -d -q --batch --passphrase-fd 0 --no-mdc-warning #{fetch(:ssl_dh_path)}`
+      set :certificate_sha256, `openssl x509 -in #{fetch(:ssl_cert_path)} -pubkey -noout | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -binary | openssl enc -base64`
+      if $?.success?
+        on roles(:web) do
+          upload! fetch(:ssl_cert_path), "#{fetch(:ssl_path)}/#{fetch(:deploy_domain)}.crt"
+          upload! StringIO.new(key), "#{fetch(:ssl_path)}/#{fetch(:deploy_domain)}.key"
+          upload! StringIO.new(dh), "#{fetch(:ssl_path)}/#{fetch(:deploy_domain)}.pem"
+        end
+      else
+        puts "Incorrect GPG passphrase"
+        exit
+      end
+
+      file = File.join(File.dirname(__FILE__), "templates","nginx", "ssl_settings.erb")
+      ssl_settings = {ssl_settings: ERB.new(File.read(file)).result(binding)}
+      set :nginx_configuration, fetch(:nginx_configuration,{}).merge(ssl_settings)
+    end
+  end
+
+  desc "Get a list of Cloudflare IPs, and set real ip from the header"
+  task :generate_cloudflare_real_ips do
+    ips = open("https://www.cloudflare.com/ips-v4/").read
+    set :cloudflare_real_ips, ips.gsub(/\<.*>/,"").split("\n")
+    file = File.join(File.dirname(__FILE__), "templates","nginx", "cloudflare_real_ips.erb")
+    cloudflare_ips = {cloudflare_real_ips: ERB.new(File.read(file)).result(binding)}
+    set :nginx_configuration, fetch(:nginx_configuration,{}).merge(cloudflare_ips)
+  end
+end
+
+after "deploy:check", "nginx:check_config"
+after "nginx:generate_config", "nginx:reload"