pvcglue 0.1.5

data/lib/pvcglue/templates/sshd_config.erb

@@ -0,0 +1,91 @@
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+<% Pvcglue.cloud.ssh_ports.each do |port| %>
+  <%= "Port #{port}\n" %>
+<% end %>
+
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin yes
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile  %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+#PasswordAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes

data/lib/pvcglue/templates/stage-deploy.rb.erb

@@ -0,0 +1,33 @@
+# This is a generated file.  Do not modify...or else!  :)
+
+set :stage, :<%= Pvcglue.cloud.stage_name %>
+set :rails_env, :<%= Pvcglue.cloud.stage_name %> # workaround for RAILS_ENV= being blank in delayed job tasks
+set :deploy_to, '<%= Pvcglue.cloud.deploy_to_app_dir %>'
+set :linked_files, ['.env.<%= Pvcglue.cloud.stage_name %>']
+set :rvm_ruby_version, '<%= Pvcglue.configuration.ruby_version %>'
+<% if Pvcglue.cloud.delayed_job_args %>
+set :delayed_job_args, "<%= Pvcglue.cloud.delayed_job_args %>"
+<% end %>
+set :ssh_options, {port: <%= Pvcglue.cloud.port_in_context(:deploy) %>}
+
+<% Pvcglue.cloud.nodes_in_stage('web').each do |node, node_config| %>
+server '<%= node_config[:public_ip] %>', roles: %w{web app db}, user: 'deploy' # server: <%= node.to_s %>
+<% end %>
+
+<% if Pvcglue.cloud.db_rebuild %>
+namespace :deploy do
+
+  desc 'Runs rake db:migrate if migrations are set'
+  task :migrate => [:set_rails_env] do
+    on primary fetch(:migration_role) do
+      within release_path do
+        with rails_env: fetch(:rails_env) do
+          execute :rake, "db:reload"
+        end
+      end
+    end
+  end
+
+  after 'deploy:updated', 'deploy:migrate'
+end
+<% end %>

data/lib/pvcglue/templates/timezone.erb

@@ -0,0 +1 @@
+<%= "#{Pvcglue.cloud.timezone}\n" %>

data/lib/pvcglue/templates/ufw.rules.erb

@@ -0,0 +1,42 @@
+*filter
+:ufw-user-input - [0:0]
+:ufw-user-output - [0:0]
+:ufw-user-forward - [0:0]
+:ufw-before-logging-input - [0:0]
+:ufw-before-logging-output - [0:0]
+:ufw-before-logging-forward - [0:0]
+:ufw-user-logging-input - [0:0]
+:ufw-user-logging-output - [0:0]
+:ufw-user-logging-forward - [0:0]
+:ufw-after-logging-input - [0:0]
+:ufw-after-logging-output - [0:0]
+:ufw-after-logging-forward - [0:0]
+:ufw-logging-deny - [0:0]
+:ufw-logging-allow - [0:0]
+:ufw-user-limit - [0:0]
+:ufw-user-limit-accept - [0:0]
+### RULES ###
+
+<% Pvcglue.cloud.firewall_allow_incoming_on_port.each do |port| %>
+<%= "### tuple ### allow tcp #{port} 0.0.0.0/0 any 0.0.0.0/0 in\n" %>
+<%= "-A ufw-user-input -p tcp --dport #{port} -j ACCEPT\n" %>
+
+<% end %>
+<% Pvcglue.cloud.firewall_allow_incoming_from_ip.each do |ip| %>
+<%= "### tuple ### allow any any 0.0.0.0/0 any #{ip} in\n" %>
+<%= "-A ufw-user-input -s #{ip} -j ACCEPT\n" %>
+
+<% end %>
+### END RULES ###
+
+### LOGGING ###
+-I ufw-user-logging-input -j RETURN
+-I ufw-user-logging-output -j RETURN
+-I ufw-user-logging-forward -j RETURN
+### END LOGGING ###
+
+### RATE LIMITING ###
+-A ufw-user-limit -j REJECT
+-A ufw-user-limit-accept -j ACCEPT
+### END RATE LIMITING ###
+COMMIT

data/lib/pvcglue/templates/ufw.rules6.erb

@@ -0,0 +1,25 @@
+*filter
+:ufw6-user-input - [0:0]
+:ufw6-user-output - [0:0]
+:ufw6-user-forward - [0:0]
+:ufw6-before-logging-input - [0:0]
+:ufw6-before-logging-output - [0:0]
+:ufw6-before-logging-forward - [0:0]
+:ufw6-user-logging-input - [0:0]
+:ufw6-user-logging-output - [0:0]
+:ufw6-user-logging-forward - [0:0]
+:ufw6-after-logging-input - [0:0]
+:ufw6-after-logging-output - [0:0]
+:ufw6-after-logging-forward - [0:0]
+:ufw6-logging-deny - [0:0]
+:ufw6-logging-allow - [0:0]
+### RULES ###
+
+### END RULES ###
+
+### LOGGING ###
+-I ufw6-user-logging-input -j RETURN
+-I ufw6-user-logging-output -j RETURN
+-I ufw6-user-logging-forward -j RETURN
+### END LOGGING ###
+COMMIT

data/lib/pvcglue/templates/web.bashrc.erb

@@ -0,0 +1,120 @@
+# We need this for our non-interactive shells, too.
+if [ -z "$PS1" ]; then
+  # Yes, this needs to be here, and below, too.  :)
+  PATH=$PATH:$HOME/.rvm/bin # Add RVM to PATH for scripting
+  [[ -s "$HOME/.rvm/scripts/rvm" ]] && source "$HOME/.rvm/scripts/rvm" # Load RVM into a shell session *as a function*
+fi
+
+# ~/.bashrc: executed by bash(1) for non-login shells.
+# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
+# for examples
+
+# If not running interactively, don't do anything
+[ -z "$PS1" ] && return
+
+# don't put duplicate lines or lines starting with space in the history.
+# See bash(1) for more options
+HISTCONTROL=ignoreboth
+
+# append to the history file, don't overwrite it
+shopt -s histappend
+
+# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
+HISTSIZE=1000
+HISTFILESIZE=2000
+
+# check the window size after each command and, if necessary,
+# update the values of LINES and COLUMNS.
+shopt -s checkwinsize
+
+# If set, the pattern "**" used in a pathname expansion context will
+# match all files and zero or more directories and subdirectories.
+#shopt -s globstar
+
+# make less more friendly for non-text input files, see lesspipe(1)
+[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
+
+# set variable identifying the chroot you work in (used in the prompt below)
+if [ -z "$debian_chroot" ] && [ -r /etc/debian_chroot ]; then
+    debian_chroot=$(cat /etc/debian_chroot)
+fi
+
+# set a fancy prompt (non-color, unless we know we "want" color)
+case "$TERM" in
+    xterm-color) color_prompt=yes;;
+esac
+
+# uncomment for a colored prompt, if the terminal has the capability; turned
+# off by default to not distract the user: the focus in a terminal window
+# should be on the output of commands, not on the prompt
+#force_color_prompt=yes
+
+if [ -n "$force_color_prompt" ]; then
+    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
+	# We have color support; assume it's compliant with Ecma-48
+	# (ISO/IEC-6429). (Lack of such support is extremely rare, and such
+	# a case would tend to support setf rather than setaf.)
+	color_prompt=yes
+    else
+	color_prompt=
+    fi
+fi
+
+if [ "$color_prompt" = yes ]; then
+    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
+else
+    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
+fi
+unset color_prompt force_color_prompt
+
+# If this is an xterm set the title to user@host:dir
+case "$TERM" in
+xterm*|rxvt*)
+    PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
+    ;;
+*)
+    ;;
+esac
+
+# enable color support of ls and also add handy aliases
+if [ -x /usr/bin/dircolors ]; then
+    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
+    alias ls='ls --color=auto'
+    #alias dir='dir --color=auto'
+    #alias vdir='vdir --color=auto'
+
+    alias grep='grep --color=auto'
+    alias fgrep='fgrep --color=auto'
+    alias egrep='egrep --color=auto'
+fi
+
+# some more ls aliases
+alias ll='ls -alF'
+alias la='ls -A'
+alias l='ls -CF'
+
+# Add an "alert" alias for long running commands.  Use like so:
+#   sleep 10; alert
+alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"'
+
+# Alias definitions.
+# You may want to put all your additions into a separate file like
+# ~/.bash_aliases, instead of adding them here directly.
+# See /usr/share/doc/bash-doc/examples in the bash-doc package.
+
+if [ -f ~/.bash_aliases ]; then
+    . ~/.bash_aliases
+fi
+
+# enable programmable completion features (you don't need to enable
+# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
+# sources /etc/bash.bashrc).
+if [ -f /etc/bash_completion ] && ! shopt -oq posix; then
+    . /etc/bash_completion
+fi
+
+# Best practice dictates that this should be moved to .bash_profile
+# http://askubuntu.com/questions/121073/why-bash-profile-is-not-getting-sourced-when-opening-a-terminal
+# but this works ok for now, it just has to be in two places.  It should be done at the end of this file.
+PATH=$PATH:$HOME/.rvm/bin # Add RVM to PATH for scripting
+[[ -s "$HOME/.rvm/scripts/rvm" ]] && source "$HOME/.rvm/scripts/rvm" # Load RVM into a shell session *as a function*

data/lib/pvcglue/templates/web.env.erb

@@ -0,0 +1,3 @@
+<% Hash[Pvcglue.cloud.stage_env.sort].each do |key, value| %>
+<%= "#{key}=#{value}\n" %>
+<% end %>

data/lib/pvcglue/templates/web.nginx.conf.erb

@@ -0,0 +1,82 @@
+user www-data;
+
+# TODO:  Should be set to the same as `grep processor /proc/cpuinfo | wc -l`
+worker_processes 2;
+
+pid /var/run/nginx.pid;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+	# server_tokens off;
+
+	server_names_hash_bucket_size 64;
+	# server_name_in_redirect off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# Logging Settings
+	##
+
+	access_log /var/log/nginx/access.log;
+	error_log /var/log/nginx/error.log;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+	gzip_disable "msie6";
+
+	# gzip_vary on;
+	# gzip_proxied any;
+	# gzip_comp_level 6;
+	# gzip_buffers 16 8k;
+	# gzip_http_version 1.1;
+	# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+	##
+	# nginx-naxsi config
+	##
+	# Uncomment it if you installed nginx-naxsi
+	##
+
+	# include /etc/nginx/naxsi_core.rules;
+
+	##
+	# Phusion Passenger config
+	##
+	# Uncomment it if you installed passenger or passenger-enterprise
+	##
+
+  passenger_root /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini;
+
+	##
+	# Virtual Host Configs
+	##
+
+  # disable the default server
+  server {
+      listen      80;
+      server_name _;
+      return      444;
+  }
+
+	include /etc/nginx/conf.d/*.conf;
+	include /etc/nginx/sites-enabled/*;
+}

data/lib/pvcglue/templates/web.sites-enabled.erb

@@ -0,0 +1,8 @@
+server {
+  listen 80;
+  passenger_enabled  on;
+  passenger_ruby     <%= Pvcglue.cloud.passenger_ruby %>;
+  server_name        <%= Pvcglue.cloud.domains.join(' ') %>;
+  rails_env          <%= Pvcglue.cloud.stage_name %>;
+  root               <%= Pvcglue.cloud.deploy_to_app_current_public_dir %>;
+}

data/lib/pvcglue/toml_pvc_dumper.rb

@@ -0,0 +1,53 @@
+# Based on https://github.com/emancu/toml-rb/blob/master/lib/toml/dumper.rb
+module TOML
+  class PvcDumper
+    attr_reader :toml_str
+
+    def initialize(hash)
+      @toml_str = ''
+
+      visit(hash, '')
+    end
+
+    private
+
+    def visit(hash, prefix, level = 0)
+      nested_pairs = []
+      simple_pairs = []
+      indent_prefix = ' '*[level-1,0].max*2
+      indent_values = ' '*([level-1, 0].max*2+2)
+
+      if level == 1
+        @toml_str += "\n" unless @toml_str.empty?
+        @toml_str += "################################################################################\n"
+        @toml_str += "#  === #{prefix} ===\n"
+        @toml_str += "################################################################################\n"
+      end
+
+      hash.keys.sort.each do |key|
+        val = hash[key]
+        (val.is_a?(Hash) ? nested_pairs : simple_pairs) << [key, val]
+      end
+
+      @toml_str += "\n#{indent_prefix}[#{prefix}]\n" unless prefix.empty? || simple_pairs.empty?
+
+      # First add simple pairs, under the prefix
+      simple_pairs.each do |key, val|
+        @toml_str << "#{indent_values}#{key.to_s} = #{to_toml(val)}\n"
+      end
+
+      nested_pairs.each do |key, val|
+        visit(val, prefix.empty? ? key.to_s : [prefix, key].join('.'), level+1)
+      end
+    end
+
+    def to_toml(obj)
+      case
+        when obj.is_a?(Time)
+          obj.strftime('%Y-%m-%dT%H:%M:%SZ')
+        else
+          obj.inspect
+      end
+    end
+  end
+end