kompanee-recipes 0.0.10 → 0.1.0

data/README.md

@@ -0,0 +1,182 @@
+# kompanee-recipes #
+
+[http://github.com/thekompanee/kompanee-recipes](http://github.com/thekompanee/kompanee-recipes)
+
+## Description ##
+
+These are the common recipes we've been using here at The Kompanee.  Packaged as a gem.
+
+## Features/Problems ##
+
+None yet
+
+## Synopsis ##
+
+To the top of your Capfile add:
+
+    require 'rubygems'  
+    require 'kompanee-recipes/deploy'
+
+## Requirements ##
+
+Capistrano (Obv)
+
+## Install ##
+
+    gem install kompanee-recipes
+
+## Usage ##
+
+### New Server Setup ###
+
+#### Initial Connection ####
+You need to add the server to your hosts file so you'll want to do an
+initial SSH connection before we get into our Capistrano configuration.
+
+    ssh root@<server_name>
+
+Accept the authenticity of the host.
+
+#### User Creation ####
+By default, the Kompanee recipes will install a `deploy` user and a
+`manager` user.
+
+##### Installation #####
+    cap <environment> os:users:create
+
+##### Manual Steps As `Root` #####
+Log in as `root`
+
+    ssh root@<server_name>
+
+###### Password Assignment ######
+Log in to each of these and give them their custom passwords.  On
+Ubuntu this is done by loggin in as root and typing:
+
+    passwd deploy
+    passwd manager
+
+At this point you'll probably want to change the root password to
+something more secure as well.
+
+    passwd
+
+###### Sudo Assignment ######
+Finally, let's add the `manager` user to the `sudoers` file so we
+no longer need to log in as `root`
+
+    visudo
+
+Add a line like so:
+
+    manager ALL=(ALL) ALL
+
+And a line like this:
+
+    Defaults visiblepw
+
+From the documentation:
+
+**visiblepw**  
+By default, sudo will refuse to run if the user must enter
+a password but it is not possible to disable echo on the
+terminal. If the `visiblepw` flag is set, sudo will prompt
+for a password even when it would be visible on the screen.
+This makes it possible to run things like:  
+
+    rsh somehost sudo ls  
+
+since rsh(1) does not allocate a tty. This flag is off by
+default.
+
+##### Authorize Public Key #####
+Once that's finished, go back to Capistrano and type:
+
+    cap <environment> os:users:authorize_public_keys
+
+That will give you the ability to log into your accounts with no password required.
+
+#### Note on Using Github ####
+If you're using Github to deploy your app, you're going to need to add the
+public key of the deployment user to your Github account.
+
+    cap <environment> os:users:deploy:public_key:create
+
+View the public key by logging in as `deploy` and typing:
+
+    cat /home/deploy/.ssh/id_rsa.pub
+
+Copy and paste the output into Github's "Public Keys" section of the Github at:
+
+[https://github.com/account](https://github.com/account)
+
+Log in as `deploy` and test it out by typing:
+
+    ssh git@github.com
+
+#### Setup Deployment Server ####
+Now that we have our public keys installed, we can do a relatively simple installation.
+
+    cap <environment> server_setup
+
+### Application Use ###
+When using with an application, you'll need to create both a `staging` and
+a `production` task in the application's `deploy.rb` file.
+
+This will allow you to set specific environment variables for your application
+and stage.
+
+#### Shared Configuration Files ####
+Shared configuration files should be added to your local machine but not committed to
+source control.
+
+They can be added by appending the stage name to the file's name.  For example if
+you're wanting to share your `config/database.yml` file in your `production` stage,
+you should have a file called `config/database.yml.production` which contains your
+sensitive production logins.
+
+When you deploy, if you have a file that meets these requirements, it will be copied
+to the proper location on the server.
+
+#### Initial Deployment ####
+In order to perform the initial deployment, type:
+
+    cap <environment> deploy:initial
+
+This will:
+
+  * Set up the directory structure for the app
+  * Create the database
+  * Install the website on the web server
+  * Updates the code from the Source Control system
+  * Installs all gems
+  * Runs all pending migrations
+  * Tags the commit with a deployment tag
+  * Cleans up all extra deployment versions
+  * Enables the website
+  * Restarts the server
+
+## License ##
+
+(The MIT License)
+
+Copyright (c) 2010 FIXME full name
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/lib/kompanee-recipes/apache.rb

@@ -0,0 +1,241 @@
+Capistrano::Configuration.instance(:must_exist).load do
+  set :web_server_name,                   "apache"
+
+  run_task "web_server:install",         :as => "manager"
+  run_task "web_server:stop",            :as => "manager"
+  run_task "web_server:start",           :as => "manager"
+  run_task "web_server:restart",         :as => "manager"
+
+  run_task "website:install",            :as => "manager"
+  run_task "website:remove",             :as => "manager"
+  run_task "website:enable",             :as => "manager"
+  run_task "website:disable",            :as => "manager"
+
+  run_task "apache:modules:ssl:install", :as => "manager"
+
+  namespace :deploy do
+    namespace :web do
+      desc <<-DESC
+        Enables the website's application by removing the maintenance page.
+      DESC
+      task :enable do
+        website.maintenance_mode.disable
+      end
+
+      desc <<-DESC
+        Disables the website's application by installing the maintenance page.
+      DESC
+      task :disable do
+        website.maintenance_mode.enable
+      end
+    end
+  end
+
+  namespace :web_server do
+    desc "Install Apache"
+    task :install do
+      apache.send("install_on_#{os_type}")
+    end
+
+    desc "Stop Apache"
+    task :stop do
+      run "#{sudo} /etc/init.d/apache2 stop"
+    end
+
+    desc "Start Apache"
+    task :start do
+      run "#{sudo} /etc/init.d/apache2 start"
+    end
+
+    desc "Restart Apache"
+    task :restart do
+      run "#{sudo} /etc/init.d/apache2 restart"
+    end
+  end
+
+  namespace :website do
+    desc "Installs the site configuration for the files."
+    task :install do
+      apache.virtual_host.install
+    end
+
+    desc "Completely removes the site configuration from the server (but leaves the files.)"
+    task :remove do
+      apache.virtual_host.remove
+    end
+
+    desc "Enable Site"
+    task :enable do
+      run "#{sudo} a2ensite #{deploy_name}"
+      run "#{sudo} /etc/init.d/apache2 reload"
+    end
+
+    desc "Disable Site"
+    task :disable do
+      run "#{sudo} a2dissite #{deploy_name}"
+      run "#{sudo} /etc/init.d/apache2 reload"
+    end
+
+    namespace :maintenance_mode do
+      desc <<-DESC
+        Makes the application web-accessible again. Removes the \
+        "maintenance.html" page generated by deploy:web:disable, which (if your \
+        web servers are configured correctly) will make your application \
+        web-accessible again.
+      DESC
+      task :disable, :except => { :no_release => true } do
+        run "rm #{shared_path}/system/maintenance.html"
+      end
+
+      desc <<-DESC
+        Present a maintenance page to visitors. Disables your application's web \
+        interface by writing a "maintenance.html" file to each web server. The \
+        servers must be configured to detect the presence of this file, and if \
+        it is present, always display it instead of performing the request.
+
+        By default, the maintenance page will just say the site is down for \
+        "maintenance", and will be back "shortly", but you can customize the \
+        page by specifying the REASON and UNTIL environment variables:
+
+          $ cap deploy:web:disable \\
+                REASON="hardware upgrade" \\
+                UNTIL="12pm Central Time"
+
+        Further customization will require that you write your own task.
+      DESC
+      task :enable, :except => { :no_release => true } do
+        on_rollback { rm "#{shared_path}/system/maintenance.html" }
+
+        require 'erb'
+        deadline, reason = ENV['UNTIL'], ENV['REASON']
+
+        template = File.read("./app/views/pages/maintenance.html.erb")
+        maintenance_page = ERB.new(template).result(binding)
+
+        put maintenance_page, "#{shared_path}/system/maintenance.html", :mode => 0644
+      end
+    end
+  end
+
+  namespace :apache do
+    namespace :virtual_host do
+      desc "Install Virtual Host"
+      task :install do
+        virtual_host_config = <<-VHOST
+          <VirtualHost #{web_server_ip}:443>
+            ServerName #{deploy_name}
+            DocumentRoot #{deploy_to}/current/public
+
+            SSLEngine on
+            SSLCertificateFile       /etc/ssl/certs/#{domain}.crt
+            SSLCertificateKeyFile    /etc/ssl/certs/#{domain}.key
+
+            <Directory "#{deploy_to}/current/public">
+              Options FollowSymLinks -MultiViews
+              AllowOverride all
+              Order allow,deny
+              Allow from all
+            </Directory>
+
+            RewriteEngine On
+
+            ErrorDocument 503 /system/maintenance.html
+            RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
+            RewriteCond %{SCRIPT_FILENAME} !maintenance.html
+            RewriteCond %{REQUEST_URI} !^/images/
+            RewriteCond %{REQUEST_URI} !^/robots.txt
+            RewriteCond %{REQUEST_URI} !^/sitemap
+            RewriteRule ^.*$ - [redirect=503,last]
+
+            ErrorLog /var/log/apache2/#{application}-errors.log
+
+            LogLevel warn
+
+            CustomLog /var/log/apache2/#{application}-access.log combined
+            ServerSignature On
+          </VirtualHost>
+
+          <VirtualHost 174.143.210.66:80>
+            ServerName #{deploy_name}
+
+            Redirect   permanent / https://#{deploy_name}
+          </VirtualHost>
+        VHOST
+
+        run "#{sudo} a2enmod rewrite"
+        put virtual_host_config, "#{user_home}/#{deploy_name}"
+        run "#{sudo} mv #{user_home}/#{deploy_name} /etc/apache2/sites-available"
+        run "#{sudo} /etc/init.d/apache2 reload"
+      end
+
+      desc "Remove Virtual Host"
+      task :remove do
+        run "#{sudo} rm /etc/apache2/sites-available/#{deploy_name}"
+        run "#{sudo} /etc/init.d/apache2 reload"
+      end
+    end
+
+    desc "Install Apache"
+    task :install_on_ubuntu do
+      set :dependencies, %w{apache2 apache2.2-common apache2-mpm-prefork apache2-utils libexpat1 apache2-prefork-dev libapr1-dev}
+      os.package_manager.install
+      run "#{sudo} chown -R #{deployment_username}:#{deployment_username} #{deploy_dir}"
+
+      default_httpd_conf = <<-HTTPDCONF
+        # =========================================================
+        # Basic Settings
+        # =========================================================
+
+        Listen                                #{web_server_ip}:80
+        Listen                                #{web_server_ip}:443
+
+        ServerName                            #{web_server_name}
+
+        # =========================================================
+        # Access control
+        # =========================================================
+
+        #<Directory />
+        #    Options FollowSymLinks
+        #    AllowOverride None
+        #    Order deny,allow
+        #    Deny from all
+        #</Directory>
+
+        # =========================================================
+        # Virtual Host Directives
+        # =========================================================
+
+        NameVirtualHost #{web_server_ip}:80
+        NameVirtualHost #{web_server_ip}:443
+      HTTPDCONF
+
+      put default_httpd_conf, "#{user_home}/default_httpd_conf"
+      run "#{sudo} mv #{user_home}/default_httpd_conf /etc/apache2/httpd.conf"
+      run "#{sudo} mv /etc/apache2/ports.conf /etc/apache2/ports.conf.bak"
+      run "#{sudo} touch /etc/apache2/ports.conf"
+
+      run "#{sudo} rm #{deploy_dir}/index.html"
+      run "#{sudo} rm -rf /etc/apache2/sites-enabled/*"
+      run "#{sudo} rm -rf /etc/apache2/sites-available/*"
+
+      run "#{sudo} a2enmod rewrite"
+    end
+
+    namespace :modules do
+      namespace :ssl do
+        desc "Install SSL Module"
+        task :install do
+          certs_dir = "/etc/ssl/certs"
+
+          run "#{sudo} a2enmod ssl"
+          run "#{sudo} bash -c \"openssl genrsa 2048 > #{certs_dir}/#{domain}.key 2> /dev/null\""
+          run "#{sudo} bash -c \"openssl req -new -x509 -days 3650 -subj '/C=US/ST=Tennessee/L=Nashville/O=The Kompanee/CN=*.#{domain}/emailAddress=webmaster@#{domain}' -key #{certs_dir}/#{domain}.key > #{certs_dir}/#{domain}.crt\""
+          run "#{sudo} bash -c \"openssl x509 -noout -fingerprint -text < #{certs_dir}/#{domain}.crt > #{certs_dir}/#{domain}.info\""
+          run "#{sudo} bash -c \"cat #{certs_dir}/#{domain}.crt #{certs_dir}/#{domain}.key > #{certs_dir}/#{domain}.pem\""
+          run "#{sudo} chmod 400 #{certs_dir}/#{domain}.pem #{certs_dir}/#{domain}.key"
+        end
+      end
+    end
+  end
+end

data/lib/kompanee-recipes/bash.rb

@@ -0,0 +1,44 @@
+Capistrano::Configuration.instance(:must_exist).load do
+  run_task 'bash:environment:prepare',                  :as => "manager"
+  run_task 'bash:environment:enable_safer_sshd_config', :as => "manager"
+
+  namespace :bash do
+    namespace :environment do
+      desc "Clones the common Kompanee Common Bash Environment from The Kompanee's Github repository."
+      task :prepare do
+        run "#{sudo} git clone git://github.com/thekompanee/kompanee-common.git /usr/share/kompanee-common"
+      end
+  
+      desc "Install The Kompanee Common Bash Environment for a specific user"
+      task :install do
+        run "if [ -f #{user_home}/.bashrc ]; then mv #{user_home}/.bashrc #{user_home}/.bashrc.bak; fi"
+        run "if [ -f #{user_home}/.inputrc ]; then mv #{user_home}/.inputrc #{user_home}/.inputrc.bak; fi"
+        run "ln -fs /usr/share/kompanee-common/bash_customizations #{user_home}/.bash"
+        run "ln -fs /usr/share/kompanee-common/bash_customizations/bashrc #{user_home}/.bashrc"
+        run "ln -fs /usr/share/kompanee-common/bash_customizations/inputrc #{user_home}/.inputrc"
+      end
+  
+      desc <<-DESC
+        This will install a more secure SSH environment.
+
+        Among other things, it will disable password authentication and change
+        the default port.
+      DESC
+      task :enable_safer_sshd_config do
+        run "#{sudo} mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak"
+        run "#{sudo} ln -fs /usr/share/kompanee-common/ssh/sshd_config /etc/ssh/sshd_config"
+        run "#{sudo} /etc/init.d/ssh restart"
+      end
+
+      desc "Perform full Bash setup process"
+      task :setup do
+        bash.environment.prepare
+
+        run_task "bash:environment:install", :as => "manager", :now => true
+        run_task "bash:environment:install", :as => "deploy", :now => true
+
+        bash.environment.enable_safer_sshd_config
+      end
+    end
+  end
+end