gigpark-ec2onrails 0.9.10.3

data/server/files/etc/motd.tail

@@ -0,0 +1,13 @@
+
+EC2 on Rails
+!!VERSION!!
+http://rubyforge.org/projects/ec2onrails/
+
+Copyright 2008 Paul Dowman, http://pauldowman.com/
+
+Base AMI built using Eric Hammond's EC2 Ubuntu script: 
+http://alestic.com/
+
+This is free software, and you are welcome to redistribute it under 
+certain conditions. This software comes with ABSOLUTELY NO WARRANTY.
+See /usr/local/ec2onrails/COPYING for details.

data/server/files/etc/mysql/my.cnf

@@ -0,0 +1,152 @@
+#
+# The MySQL database server configuration file.
+#
+# You can copy this to one of:
+# - "/etc/mysql/my.cnf" to set global options,
+# - "~/.my.cnf" to set user-specific options.
+# 
+# One can use all long options that the program supports.
+# Run program with --help to get a list of available options and with
+# --print-defaults to see which it would actually understand and use.
+#
+# For explanations see
+# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
+
+# This will be passed to all mysql clients
+# It has been reported that passwords should be enclosed with ticks/quotes
+# escpecially if they contain "#" chars...
+# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
+[client]
+port            = 3306
+socket          = /var/run/mysqld/mysqld.sock
+
+# Here is entries for some specific programs
+# The following values assume you have at least 32M ram
+
+# This was formally known as [safe_mysqld]. Both versions are currently parsed.
+[mysqld_safe]
+socket          = /var/run/mysqld/mysqld.sock
+nice            = 0
+
+[mysqld]
+#
+# * Basic Settings
+#
+user            = mysql
+pid-file        = /var/run/mysqld/mysqld.pid
+socket          = /var/run/mysqld/mysqld.sock
+port            = 3306
+basedir         = /usr
+datadir         = /mnt/mysql_data
+tmpdir          = /mnt/mysql_data/tmp
+language        = /usr/share/mysql/english
+skip-external-locking
+default-storage-engine = InnoDB
+character-set-server   = utf8
+collation-server       = utf8_general_ci
+
+#
+# Instead of skip-networking the default is now to listen only on
+# localhost which is more compatible and is not less secure.
+#bind-address            = 127.0.0.1
+#
+# * Fine Tuning
+#
+key_buffer_size         = 16M
+max_allowed_packet      = 16M
+thread_stack            = 128K
+thread_cache_size       = 8
+#max_connections        = 100
+#table_cache            = 64
+#thread_concurrency     = 10
+#
+# * Query Cache Configuration
+#
+query_cache_limit       = 1M
+query_cache_size        = 64M
+#
+# * Logging and Replication
+#
+# Both location gets rotated by the cronjob.
+# Be aware that this log type is a performance killer.
+#log            = /var/log/mysql/mysql.log
+#
+# Error logging goes to syslog. This is a Debian improvement :)
+#
+# Here you can see queries with especially long duration
+log_slow_queries        = /mnt/log/mysql/mysql-slow.log
+long_query_time = 1
+log-queries-not-using-indexes
+#
+# The following can be used as easy to replay backup logs or for replication.
+#server-id              = 1
+log_bin                 = /mnt/log/mysql/mysql-bin.log
+# WARNING: Using expire_logs_days without bin_log crashes the server! See README.Debian!
+expire_logs_days        = 10
+max_binlog_size         = 100M
+#binlog_do_db           = include_database_name
+#binlog_ignore_db       = include_database_name
+#
+# * BerkeleyDB
+#
+# Using BerkeleyDB is now discouraged as its support will cease in 5.1.12.
+skip-bdb
+#
+# * InnoDB
+#
+# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
+# Read the manual for more InnoDB related options. There are many!
+# You might want to disable InnoDB to shrink the mysqld process by circa 100MB.
+#skip-innodb
+innodb_data_file_path=ibdata1:100M:autoextend
+innodb_buffer_pool_size=200M
+innodb_additional_mem_pool_size=20M
+innodb_log_file_size=128M
+innodb_log_buffer_size=8M
+innodb_flush_log_at_trx_commit=1
+innodb_lock_wait_timeout=20
+# innodb_flush_method=O_DIRECT
+innodb_file_per_table
+
+#
+# * Security Features
+#
+# Read the manual, too, if you want chroot!
+# chroot = /var/lib/mysql/
+#
+# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
+#
+# ssl-ca=/etc/mysql/cacert.pem
+# ssl-cert=/etc/mysql/server-cert.pem
+# ssl-key=/etc/mysql/server-key.pem
+
+
+
+[mysqldump]
+quick
+quote-names
+max_allowed_packet      = 16M
+
+[mysql]
+default-character-set   = utf8
+#no-auto-rehash # faster start of mysql but no tab completition
+
+[isamchk]
+key_buffer              = 16M
+
+#
+# * NDB Cluster
+#
+# See /usr/share/doc/mysql-server-*/README.Debian for more information.
+#
+# The following configuration is read by the NDB Data Nodes (ndbd processes)
+# not from the NDB Management Nodes (ndb_mgmd processes).
+#
+# [MYSQL_CLUSTER]
+# ndb-connectstring=127.0.0.1
+
+
+#
+# * IMPORTANT: Additional settings that can override those from this file!
+#
+!includedir /etc/mysql/conf.d/

data/server/files/etc/nginx/conf.d/custom.conf

@@ -0,0 +1 @@
+# Overwrite this file with any custom configuration, it gets included inside the server directive

data/server/files/etc/nginx/nginx.conf.erb

@@ -0,0 +1,152 @@
+user  nginx nginx;
+worker_processes  6;
+pid /var/run/nginx.pid;
+
+events {
+  worker_connections  1024;
+  use epoll; # linux only!
+}
+
+http {
+  # global passenger settings
+  passenger_root <%= `/usr/bin/passenger-config --root`.strip %>;
+  passenger_default_user app;
+  passenger_pool_idle_time 0;
+  rails_framework_spawner_idle_time 0;
+  rails_app_spawner_idle_time 0;
+
+  # We leave passenger_max_pool_size at the default for now. (It might
+  # eventually be an ERB variable that can be set automatically based on the
+  # instance type and what roles it's in.)
+  # passenger_max_pool_size 6;
+
+  # We leave the rails_spawn_method at the default, but we might want a config setting
+  # to allow it to be changed.
+  # rails_spawn_method smart-lv2;
+  
+  include /etc/nginx/mime.types;
+  
+  # set a default type for the rare situation that
+  # nothing matches from the mime-type include
+  default_type  application/octet-stream;
+
+  # configure log format
+  log_format main '$remote_addr [$time_local] '
+                  '"$scheme $host $request" $status $body_bytes_sent "$http_referer" '
+                  '"$http_user_agent" "$http_x_forwarded_for" '
+                  '($request_time)';
+  
+  access_log  /mnt/log/nginx/access.log  main;
+
+  # main error log - Do not comment out. If you do not want the log file set this to /dev/null
+  # use debug instead of notice if you want additional information
+  error_log  /mnt/log/nginx/error.log notice;
+
+  sendfile on;
+
+  tcp_nopush        on;
+  tcp_nodelay       on;
+  gzip              on;
+  gzip_http_version 1.1;
+  gzip_vary on;
+  gzip_comp_level   6;
+  gzip_proxied      any;
+  gzip_types        application/json application/x-javascript application/xhtml+xml application/xml application/xml+rss text/css text/javascript text/plain text/xml ;
+  # make sure gzip does not lose large gzipped js or css files
+  # see http://blog.leetsoft.com/2007/7/25/nginx-gzip-ssl
+  gzip_buffers 16 8k;
+
+  # Disable gzip for certain browsers. IE6 prior to SP2 doesn't handle gzip properly.
+  gzip_disable “MSIE [1-6].(?!.*SV1)”;
+  
+  server {
+    listen <%= roles[:proxy] && roles[:proxy].include?("127.0.0.1")  ? 81 : 80 %>;
+    server_name _;
+    
+    # server-specific passenger settings
+    passenger_enabled on;
+    passenger_use_global_queue on;
+    rails_env <%= rails_env %>;
+
+    # Set the max size for file uploads to 50Mb
+    client_max_body_size 50M;
+
+    # uncomment to force a redirect to www
+    # if ($host ~* "^[ec2onrails].com$"){
+    #   rewrite ^(.*)$ http://www.[ec2onrails].com$1 permanent;
+    #   break;
+    # }
+    
+    # uncomment if you want to allow or force some or all pages to go to http:// instead of https://
+    # if redirecting all to https, you won't need any of the other directives below their rewrite/break
+    # set $sub 'www';
+    # if  ($host ~* "^(.+?)\.[ec2onrails].com$"){
+    #        set $sub $1;
+    # }
+    # 
+    # if ( $uri ~* "^/.+$") {
+    #    rewrite ^(.*)$ https://$sub.[ec2onrails].com$1 permanent;
+    #    break;
+    # }
+    
+    root /mnt/app/current/public;
+
+    error_page   400 /400.html;
+    error_page   500 502 504  /500.html;
+    location = /500.html {
+      root /mnt/app/current/public;
+    }
+    
+    #hide hidden files and folders
+    location ~ /\..+ {
+      deny  all;
+    }
+    
+    #do not show the nginx version number in the server header
+    server_tokens off;
+    
+    # this allows people to use images and css in their maintenance.html file
+    if ($request_filename ~* \.(css|jpg|gif|png)$) {
+	    break;
+    }
+		
+    # this rewrites all the requests to the maintenance.html
+    # page if it exists in the doc root. This is for capistrano's
+    # disable web task
+    if (-f $document_root/system/maintenance.html) {
+      return 503;
+    }
+    error_page 503 @503;
+    location @503 {
+      rewrite  ^(.*)$  /system/maintenance.html break;
+    }
+    
+    
+    # see http://wiki.codemongers.com/NginxHttpStubStatusModule
+    # for more information
+    location /nginx_status {
+        # copied from http://blog.kovyrin.net/2006/04/29/monitoring-nginx-with-rrdtool/
+        stub_status on;
+        access_log   off;
+        #only allow from localhost
+        allow 127.0.0.1;
+        deny all;
+    }
+    
+    include /etc/nginx/conf.d/*.conf;
+  }
+  
+  # This server is setup for ssl. Uncomment if 
+  # you are using ssl as well as port 80.
+  # server {
+  #   # port to listen on. Can also be set to an IP:PORT
+  #   listen 443;
+  #
+  #   ssl                  on;
+  #   ssl_certificate      /etc/nginx/your_cert.crt;
+  #   ssl_certificate_key  /etc/nginx/your_cert.key;
+  #
+  #   TODO SSL support
+  #
+  # }
+}

data/server/files/etc/postfix/main.cf

@@ -0,0 +1,4 @@
+mynetworks_style = host
+relay_domains =
+inet_interfaces = 127.0.0.1
+alias_maps = hash:/etc/aliases

data/server/files/etc/ssh/sshd_config

@@ -0,0 +1,96 @@
+# Package generated configuration file
+# See the sshd(8) manpage for details
+
+# HARDEN OpenSSH TODO's
+#  * specify AllowUsers
+#  * PermitRootLogin no # turn off root login access
+#    to do that, we will probably need to create a non-root user to escalate 
+#    privileges to from capistrano, like 'admin'
+#  * change default port to something other than 22
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Enable to harden the ssh host
+# AllowUsers admin app
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin without-password
+UseDNS no
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile     %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+ClientAliveInterval 30
+ClientAliveCountMax 6
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+UsePAM yes
+
+# PermitUserEnvironment yes
+# AcceptEnv PATH
+# AcceptEnv RUBYLIB
+
+GatewayPorts clientspecified

data/server/files/etc/sudoers

@@ -0,0 +1,31 @@
+# /etc/sudoers
+#
+# This file MUST be edited with the 'visudo' command as root.
+#
+# See the man page for details on how to write a sudoers file.
+# Host alias specification
+
+Defaults        !lecture,tty_tickets,!fqdn
+
+root        ALL=(ALL) ALL
+
+# The 'app' user can only run /usr/bin/god using sudo, and will not be 
+# prompted for a password
+app         ALL = NOPASSWD: /usr/bin/god
+
+# Users in the rootequiv group can run any command using sudo, without being
+# prompted for a password.
+# By default there are nousers in this group, but some EC2 on Rails Capistrano
+# tasks (which log in as the 'app' user) require the ability to use sudo so 
+# they temporarily place the app user into this group for the duration of the
+# task.
+%rootequiv  ALL=(ALL) NOPASSWD: ALL
+
+# Users in the admin group can run any command via sudo, but will be
+# prompted for their password.
+# By default there are no users in this group, but if you add named 
+# administrator accounts, add them to this group. (You might do this if you
+# have multiple sysadmins and you want to use separate user accounts rather
+# than have multiple people sharing a root account.)
+%admin    ALL=(ALL) ALL
+