railslove_deploy 0.2.0

data/lib/railslove/templates/monit_init

@@ -0,0 +1,115 @@
+#!/bin/sh
+# /etc/init.d/monit start and stop monit daemon monitor process.
+# Fredrik Steen, stone@debian.org
+:
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=/usr/local/bin/monit
+CONFIG="/etc/monit/monitrc"
+DELAY="/etc/monit/monit_delay"
+CHECK_INTERVALS=180
+# We default to 180s (3min) check intervals
+NAME=monit
+DESC="daemon monitor"
+
+set -e
+
+# Check if DAEMON binary exist
+test -f $DAEMON || exit 0
+
+if [ -f "/etc/default/monit" ]; then
+     . /etc/default/monit
+fi
+
+ARGS="-d $CHECK_INTERVALS -c $CONFIG -s /var/lib/monit/monit.state"
+
+monit_not_configured () {
+    echo -e "monit won't be started/stopped\n\tunless it it's configured"
+    if [ "$1" != "stop" ]
+        then
+        echo -e "\tplease configure monit and then edit /etc/default/monit"
+        echo -e "\tand set the \"startup\" variable to 1 in order to allow "
+        echo -e "\tmonit to start"
+    fi
+    exit 0
+}
+
+monit_check_config () {
+    # Check for emtpy config, probably default configfile.
+    if [ "`grep -s -v \"^#\" $CONFIG`" = "" ]; then
+        echo "empty config, please edit $CONFIG."
+        exit 0
+    fi
+}
+
+monit_check_perms () {
+    # Check the permission on configfile. 
+    # The permission must not have more than -rwx------ (0700) permissions.
+   
+    # Skip checking, fix perms instead.
+    /bin/chmod go-rwx $CONFIG
+
+}
+
+monit_delayed_monitoring () {
+    if [ -x $DELAY ]; then
+      $DELAY &
+    elif [ -f $DELAY ]; then
+      echo
+      echo "[WARNING] A delayed start file exists ($DELAY) but it is not executable."
+    fi
+}
+
+monit_check_syntax () {
+  $DAEMON -t;
+#  if [ $? ] ; then
+#      echo "syntax good"
+#  else
+#      echo "syntax bad"
+#  fi
+}
+
+
+monit_checks () {
+    # Check if startup variable is set to 1, if not we exit.
+    if [ "$startup" != "1" ]; then
+        monit_not_configured $1
+    fi
+    # Check for emtpy configfile
+    monit_check_config
+    # Check permissions of configfile
+    monit_check_perms
+}
+
+case "$1" in
+  start)
+	echo -n "Starting $DESC: "
+    monit_checks $1
+	echo -n "$NAME"
+	start-stop-daemon --start --quiet --pidfile /var/run/$NAME.pid \
+		--exec $DAEMON > /dev/null 2>&1 -- $ARGS
+   monit_delayed_monitoring
+	echo "."
+	;;
+  stop)
+	echo -n "Stopping $DESC: "
+    #monit_checks $1
+	echo -n "$NAME"
+	start-stop-daemon --retry 5 --oknodo --stop --quiet --pidfile /var/run/$NAME.pid \
+		--exec $DAEMON  > /dev/null 2>&1
+	echo "."
+	;;
+  restart|force-reload)
+	$0 stop
+	$0 start
+	;;
+  syntax)
+   monit_check_syntax
+   ;;
+  *)
+	N=/etc/init.d/$NAME
+	echo "Usage: $N {start|stop|restart|force-reload|syntax}" >&2
+	exit 1
+	;;
+esac
+
+exit 0

data/lib/railslove/templates/monitoring/apache.monit.erb

@@ -0,0 +1,18 @@
+# from http://mmonit.com/wiki/Monit
+# Hint: It is recommended to use a "token" file (an empty file) for monit to request. That way, it is easy to filter out all the requests made by monit in the httpd access log file. Here's a trick shared by Marco Ermini, place the following in httpd.conf to stop apache from loggin any requests done by monit:
+#  SetEnvIf        Request_URI "^\/monit\/token$" dontlog
+#  CustomLog       logs/access.log common env=!dontlog
+#
+#
+#check process apache with pidfile /var/run/apache2.pid 
+#  group web
+#  start program = "/etc/init.d/apache2 start" 
+#  stop program  = "/etc/init.d/apache2 stop"
+#  if cpu > 60% for 2 cycles then alert 
+#  if cpu > 80% for 5 cycles then restart
+#  if totalmem > 200.0 MB for 5 cycles then restart 
+#  if children > 250 then restart 
+#  if loadavg(5min) greater than 20 for 8 cycles then alert 
+#  if failed host localhost port 80 
+#          protocol HTTP request "/monit/token" then restart
+#

data/lib/railslove/templates/monitoring/job_worker.monit.erb

@@ -0,0 +1,4 @@
+#check process job_runner with pidfile /var/www/rails_apps/<%= application %>/current/log/job_runner.1.pid
+#  start program = "/var/www/rails_apps/<%= application %>/current/script/job_runner start production" as uid rails and gid rails
+#  stop program = "/var/www/rails_apps/<%= application %>/current/script/job_runner stop production" as uid rails and gid rails
+#  group <%= application %>

data/lib/railslove/templates/monitoring/memcached.monit.erb

@@ -0,0 +1,4 @@
+#check process memcached with pidfile /var/run/memcached/memcached.pid
+#  start program = "/etc/init.d/memcached start" 
+#  stop program =  "/etc/init.d/memcached stop" 
+#  if failed host 127.0.0.1 port 11211 then restart

data/lib/railslove/templates/monitoring/mysql.monit.erb

@@ -0,0 +1,5 @@
+#check process mysql with pidfile /var/run/mysqld/mysqld.pid
+#  start program = "/etc/init.d/mysql start"
+#  stop program = "/etc/init.d/mysql stop"
+#  if failed host 127.0.0.1 port 3306 then restart
+#  if 5 restarts within 5 cycles then timeout

data/lib/railslove/templates/monitoring/nginx.monit.erb

@@ -0,0 +1,4 @@
+#check process nginx with pidfile /var/run/nginx.pid
+#  group web
+#  start program = "/etc/init.d/nginx start"
+#  stop program = "/etc/init.d/nginx stop"

data/lib/railslove/templates/monitoring/sshd.monit.erb

@@ -0,0 +1,5 @@
+#check process sshd with pidfile /var/run/sshd.pid
+#  start program = "/etc/init.d/ssh start"
+#  stop program = "/etc/init.d/ssh stop"
+#  if failed port 22 protocol ssh then restart
+#  if 5 restarts within 5 cycles then timeout

data/lib/railslove/templates/monitrc.erb

@@ -0,0 +1,236 @@
+###############################################################################
+## Monit control file
+###############################################################################
+##
+## Comments begin with a '#' and extend through the end of the line. Keywords
+## are case insensitive. All path's MUST BE FULLY QUALIFIED, starting with '/'.
+##
+## Bellow is the example of some frequently used statements. For information
+## about the control file, a complete list of statements and options please 
+## have a look in the monit manual.
+##
+##
+###############################################################################
+## Global section
+###############################################################################
+##
+## Start monit in background (run as daemon) and check the services at 1-minute
+## intervals.
+#
+
+set daemon  60
+
+#
+#
+## Set syslog logging with the 'daemon' facility. If the FACILITY option is
+## omited, monit will use 'user' facility by default. You can specify the
+## path to the file for monit native logging.
+#
+# set logfile syslog facility log_daemon 
+
+set logfile /var/log/monit
+
+#
+#
+## Set list of mailservers for alert delivery. Multiple servers may be 
+## specified using comma separator. By default monit uses port 25 - it is 
+## possible to override it with the PORT option.
+#
+#set mailserver mail.bar.baz,               # primary mailserver
+#                backup.bar.baz port 10025,  # backup mailserver on port 10025
+#                localhost                   # fallback relay
+#
+#
+
+<%= monit_config[:mailserver] %>
+
+
+## By default monit will drop the event alert, in the case that there is no
+## mailserver available. In the case that you want to keep the events for
+## later delivery retry, you can use the EVENTQUEUE statement. The base
+## directory where undelivered events will be stored is specified by the
+## BASEDIR option. You can limit the maximal queue size using the SLOTS
+## option (if omited then the queue is limited just by the backend filesystem).
+#
+# set eventqueue
+#     basedir /var/monit  # set the base directory where events will be stored
+#     slots 100           # optionaly limit the queue size
+#
+#
+## Monit by default uses the following alert mail format:
+##
+## --8<--
+## From: monit@$HOST                         # sender
+## Subject: monit alert --  $EVENT $SERVICE  # subject
+##
+## $EVENT Service $SERVICE                   #
+##                                           #
+## 	Date:        $DATE                   #
+## 	Action:      $ACTION                 #
+## 	Host:        $HOST                   # body
+## 	Description: $DESCRIPTION            #
+##                                           #
+## Your faithful employee,                   #
+## monit                                     #
+## --8<--
+##
+## You can override the alert message format or its parts such as subject
+## or sender using the MAIL-FORMAT statement. Macros such as $DATE, etc.
+## are expanded on runtime. For example to override the sender:
+#
+# set mail-format { from: monit@foo.bar }
+#
+
+<%= monit_config[:mail_format] %>
+
+#
+## You can set the alert recipients here, which will receive the alert for
+## each service. The event alerts may be restricted using the list.
+#
+# set alert sysadm@foo.bar                       # receive all alerts
+# set alert manager@foo.bar only on { timeout }  # receive just service-
+#                                                # timeout alert
+#
+
+
+<%= monit_config[:alerts] %>
+
+#
+## Monit has an embedded webserver, which can be used to view the 
+## configuration, actual services parameters or manage the services using the 
+## web interface.
+#
+# set httpd port 2812 and
+#     use address localhost  # only accept connection from localhost
+#     allow localhost        # allow localhost to connect to the server and
+#     allow admin:monit      # require user 'admin' with password 'monit'
+#
+
+<%= monit_config[:webserver] %>
+
+#
+###############################################################################
+## Services
+###############################################################################
+##
+## Check the general system resources such as load average, cpu and memory
+## usage. Each rule specifies the tested resource, the limit and the action
+## which will be performed in the case that the test failed.
+#
+check system localhost
+    if loadavg (1min) > 4 then alert
+    if loadavg (5min) > 2 then alert
+    if memory usage > 75% then alert
+    if cpu usage (user) > 70% then alert
+    if cpu usage (system) > 30% then alert
+    if cpu usage (wait) > 20% then alert
+#
+#    
+## Check a file for existence, checksum, permissions, uid and gid. In addition
+## to the recipients in the global section, customized alert will be send to 
+## the additional recipient. The service may be grouped using the GROUP option.
+#    
+#  check file apache_bin with path /usr/local/apache/bin/httpd
+#    if failed checksum and 
+#       expect the sum 8f7f419955cefa0b33a2ba316cba3659 then unmonitor
+#    if failed permission 755 then unmonitor
+#    if failed uid root then unmonitor
+#    if failed gid root then unmonitor
+#    alert security@foo.bar on {
+#           checksum, permission, uid, gid, unmonitor
+#        } with the mail-format { subject: Alarm! }
+#    group server
+#
+#    
+## Check that a process is running, responding on the HTTP and HTTPS request, 
+## check its resource usage such as cpu and memory, number of childrens. 
+## In the case that the process is not running, monit will restart it by 
+## default. In the case that the service was restarted very often and the 
+## problem remains, it is possible to disable the monitoring using the
+## TIMEOUT statement. The service depends on another service (apache_bin) which
+## is defined in the monit control file as well.
+#    
+#  check process apache with pidfile /usr/local/apache/logs/httpd.pid
+#    start program = "/etc/init.d/httpd start"
+#    stop program  = "/etc/init.d/httpd stop"
+#    if cpu > 60% for 2 cycles then alert
+#    if cpu > 80% for 5 cycles then restart
+#    if totalmem > 200.0 MB for 5 cycles then restart
+#    if children > 250 then restart
+#    if loadavg(5min) greater than 10 for 8 cycles then stop
+#    if failed host www.tildeslash.com port 80 protocol http
+#       and request "/monit/doc/next.php"
+#       then restart
+#    if failed port 443 type tcpssl protocol http
+#       with timeout 15 seconds
+#       then restart
+#    if 3 restarts within 5 cycles then timeout
+#    depends on apache_bin
+#    group server
+#    
+#    
+## Check the device permissions, uid, gid, space and inode usage. Other
+## services such as databases may depend on this resource and automatical
+## graceful stop may be cascaded to them before the filesystem will become
+## full and the data will be lost.
+#
+#  check device datafs with path /dev/sdb1
+#    start program  = "/bin/mount /data"
+#    stop program  = "/bin/umount /data"
+#    if failed permission 660 then unmonitor
+#    if failed uid root then unmonitor
+#    if failed gid disk then unmonitor
+#    if space usage > 80% for 5 times within 15 cycles then alert
+#    if space usage > 99% then stop
+#    if inode usage > 30000 then alert
+#    if inode usage > 99% then stop
+#    group server
+#
+#
+## Check a file's timestamp: when it becomes older then 15 minutes, the 
+## file is not updated and something is wrong. In the case that the size 
+## of the file exceeded given limit, perform the script.
+#
+#  check file database with path /data/mydatabase.db
+#    if failed permission 700 then alert
+#    if failed uid data then alert
+#    if failed gid data then alert
+#    if timestamp > 15 minutes then alert
+#    if size > 100 MB then exec "/my/cleanup/script"
+#
+#
+## Check the directory permission, uid and gid.  An event is triggered
+## if the directory does not belong to the user with the  uid 0 and 
+## the gid 0.  In the addition the permissions have to match the octal 
+## description of 755 (see chmod(1)).
+#
+#  check directory bin with path /bin
+#    if failed permission 755 then unmonitor
+#    if failed uid 0 then unmonitor
+#    if failed gid 0 then unmonitor
+#
+#
+## Check the remote host network services availability and the response
+## content.  One of three pings, a successfull connection to a port and 
+## application level network check is performed.
+#
+#  check host myserver with address 192.168.1.1
+#    if failed icmp type echo count 3 with timeout 3 seconds then alert
+#    if failed port 3306 protocol mysql with timeout 15 seconds then alert
+#    if failed url
+#       http://user:password@www.foo.bar:8080/?querystring
+#       and content == 'action="j_security_check"'
+#       then alert
+#
+#
+###############################################################################
+## Includes
+###############################################################################
+##
+## It is possible to include the configuration or its parts from other files or
+## directories.
+#
+  include /etc/monit.d/*
+  include /var/www/rails_apps/*/current/config/server/monit/*
+#
+#

data/lib/railslove/templates/nginx_init

@@ -0,0 +1,65 @@
+#! /bin/sh
+
+# Description: Startup script for nginx webserver on Debian. Place in /etc/init.d and 
+# run 'sudo update-rc.d nginx defaults', or use the appropriate command on your
+# distro.
+#
+# Author:	Ryan Norbauer <ryan.norbauer@gmail.com>
+# Modified:     Geoffrey Grosenbach http://topfunky.com
+# Modified: 		Michael Bumann http://railslove.com
+
+set -e
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+DESC="nginx daemon"
+NAME=nginx
+DAEMON=/opt/nginx/sbin/nginx
+CONFIGFILE=/opt/nginx/conf/nginx.conf
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/$NAME
+
+# Gracefully exit if the package has been removed.
+test -x $DAEMON || exit 0
+
+d_start() {
+  $DAEMON -c $CONFIGFILE || echo -n " already running"
+}
+
+d_stop() {
+  kill -QUIT `cat $PIDFILE` || echo -n " not running"
+}
+
+d_reload() {
+  kill -HUP `cat $PIDFILE` || echo -n " can't reload"
+}
+
+case "$1" in
+  start)
+  	echo -n "Starting $DESC: $NAME"
+  	d_start
+  	echo "."
+	;;
+  stop)
+  	echo -n "Stopping $DESC: $NAME"
+  	d_stop
+  	echo "."
+	;;
+  reload)
+  	echo -n "Reloading $DESC configuration..."
+  	d_reload
+  	echo "reloaded."
+  ;;
+  restart)
+  	echo -n "Restarting $DESC: $NAME"
+  	d_stop
+  	sleep 2
+  	d_start
+  	echo "."
+	;;
+  *)
+	  echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
+	  exit 3
+	;;
+esac
+
+exit 0

data/lib/railslove/templates/passenger.conf

@@ -0,0 +1,3 @@
+PassengerRoot /usr/local/ruby-enterprise/lib/ruby/gems/1.8/gems/passenger-<%= passenger_version || "2.2.8" %>
+PassengerRuby /usr/local/ruby-enterprise/bin/ruby
+RailsEnv production

data/lib/railslove/templates/passenger.load

@@ -0,0 +1 @@
+LoadModule passenger_module /usr/local/ruby-enterprise/lib/ruby/gems/1.8/gems/passenger-<%= passenger_version || "2.2.8" %>/ext/apache2/mod_passenger.so

data/lib/railslove/templates/post_logrotate

@@ -0,0 +1 @@
+#!/usr/bin/env ruby

data/lib/railslove/templates/safe.rb

@@ -0,0 +1,42 @@
+# Example of a safe script to backup your server
+#
+# for more detail have a look at:
+# http://github.com/astrails/safe/tree/master
+# http://blog.astrails.com/2009/4/6/simple-backups-can-be-simple
+safe do
+  local :path => "/backup/:kind/:id"
+
+  s3 do
+    key "...................."
+    secret "........................................"
+    bucket "backup.astrails.com"
+    path "servers/alpha/:kind/:id"
+  end
+
+  keep do
+    local 15
+    s3 15
+  end
+
+  mysqldump do
+    options "-ceKq --single-transaction --create-options"
+
+    user "readonly"
+    password ""
+    #socket "/var/run/mysqld/mysqld.sock"
+
+    database :your_app_production
+
+  end
+
+  tar do
+    archive "dot-configs",      :files => "/home/*/.[^.]*"
+    archive "etc",              :files => "/etc"
+
+    archive "your_app" do
+      files "/var/www/rails_apps/your_app/"
+      exclude ["/var/www/rails_apps/your_app/shared/logs"]
+    end
+
+  end
+end

data/lib/railslove/templates/sprinkle.rb

@@ -0,0 +1,43 @@
+# Require our stack
+require "railslove/sprinkle"
+
+policy :passenger_stack, :roles => :app do
+  requires :webserver         # Apache
+  requires :database          # MySQL, SQLite
+  
+  # memcached
+  requires :memcached_daemon  # Memcached
+  requires :libmemcached      # libmemcached
+  requires :memcached_conf    # memcached-user, init.d config 
+  
+  requires :scm               # Git, SVN
+  requires :ruby              # Ruby Enterprise
+  requires :searchengine      # Sphinx
+  requires :appserver         # passenger
+  requires :rails_user        # special rails user with sudo rights
+  requires :database_driver   # Ruby database driver
+  requires :usefull_gems      # usefull, frequently needed gems
+  requires :image_magick      # image magick
+  requires :ferm              # ferm iptable configuration tool
+  requires :ferm_conf         # configure ferm (allow http, https and ssh)
+  requires :monit             # monit - system process monitoring
+end
+
+deployment do
+  # mechanism for deployment
+  delivery :capistrano do
+    begin
+      recipes 'Capfile'
+    rescue LoadError
+      recipes 'config/deploy'
+    end
+    recipes 'config/server/config.rb'
+  end
+ 
+  # source based package installer defaults
+  source do
+    prefix   '/usr/local'
+    archives '/usr/local/sources'
+    builds   '/usr/local/build'
+  end
+end

data/lib/railslove/templates/sprinkle_config.rb

@@ -0,0 +1,2 @@
+set :use_sudo, false
+set :user, "root"

data/lib/railslove/templates/sshd_config.erb

@@ -0,0 +1,81 @@
+# Package generated configuration file
+# See the sshd(8) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port <%= ssh_options[:port] %>
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin no
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile	%h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding no
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+KeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+UsePAM no
+
+UseDNS no
+
+AllowUsers <%= user %>

data/lib/railslove/templates/stack_readme.txt

@@ -0,0 +1,4 @@
+* change mySQL password
+* change root password
+* change password of rails user
+* harden your system