shared-infrastructure 0.0.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 54a7741f3afa9a30ed79a1b175e2b311ac336094
+  data.tar.gz: fe517bf7ea380c63501d80e2c600eda30a225561
+SHA512:
+  metadata.gz: 24eb0cb374861a315bfe55d73aed35d2bbf9780208eb0a917ad6ca41531804884434ea909280b676f2cac8fdb832293603a2f3331f88b2b5f5d48a3b3c06ff95
+  data.tar.gz: a22e5af7d7dd39576f97e80d458d299d8c61a1cb7429d0b974514bf1b5cdbd26d328834a3be155a67afe2613d4450a34ee67094a05348353899ebc7143c4c75d

data/bin/create-rails-app

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+$LOAD_PATH.unshift File.join(File.dirname(__FILE__), "..", "lib")
+require "shared_infrastructure"
+
+Runner::Rails.new.main.save

data/bin/create-reverse-proxy

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+$LOAD_PATH.unshift File.join(File.dirname(__FILE__), "..", "lib")
+require "shared_infrastructure"
+
+Runner::ReverseProxy.new.main.save

data/bin/create-server-block

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+$LOAD_PATH.unshift File.join(File.dirname(__FILE__), "..", "lib")
+require "shared_infrastructure"
+
+Runner::StaticSite.new.main.save

data/lib/shared_infrastructure.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require "shared_infrastructure/nginx/nginx.rb"
+require "shared_infrastructure/nginx/server_block.rb"
+require "shared_infrastructure/nginx/server.rb"
+require "shared_infrastructure/nginx/lines.rb"
+require "shared_infrastructure/nginx/listen.rb"
+require "shared_infrastructure/nginx/location.rb"
+require "shared_infrastructure/nginx/upstream.rb"
+require "shared_infrastructure/nginx/site.rb"
+require "shared_infrastructure/nginx/builder.rb"
+require "shared_infrastructure/runner/base.rb"
+require "shared_infrastructure/runner/reverse_proxy.rb"
+require "shared_infrastructure/runner/static_site.rb"
+require "shared_infrastructure/systemd/systemd.rb"
+require "shared_infrastructure/systemd/rails.rb"

data/lib/shared_infrastructure/nginx/builder.rb

@@ -0,0 +1,199 @@
+# frozen_string_literal: true
+
+module Nginx
+  ##
+  # Builders.
+  # Builders build different files.
+  module Builder
+    module Https
+      def save
+        `openssl dhparam #{Nginx.dhparam} -out #{Nginx.certificate_directory(certificate_domain)}/dhparam.pem`
+        super
+      end
+    end
+
+    class Base
+      def https_reminder_message
+        puts %(You have to obtain a certificate and enable TLS for the site.
+To do so, reload the Nginx configuration:
+
+sudo nginx -s reload
+
+Then run the following command:
+
+sudo certbot certonly --webroot -w #{Nginx.root_directory(domain_name)} #{Nginx.certbot_domain_names(domain_name)}
+
+You can test renewal with:
+
+sudo certbot renew --dry-run
+
+Finally, re-run this script to configure nginx for TLS.
+)
+      end
+
+      def initialize(domain_name, *server_blocks)
+        # puts "Base#initialize domain_name: #{domain_name}"
+        # puts "Base#initialize server_blocks.inspect: #{server_blocks.inspect}"
+        @server_blocks = server_blocks
+        @domain_name = domain_name
+      end
+
+      def save
+        File.open(Nginx.server_block_location(domain_name), "w") do |f|
+          f << to_s
+        end
+        `ln -fs ../sites-available/#{domain_name} #{Nginx.enabled_server_block_location(domain_name)}`
+      end
+
+      def to_s
+        server_blocks.map(&:to_s).join("\n")
+      end
+
+      attr_reader :domain_name, :server_blocks
+    end
+
+    class ReverseProxyHttp < Base
+      def initialize(domain_name, proxy_url, _certificate_domain = nil)
+        super(domain_name,
+          Nginx::ServerBlock.new(
+            server: Nginx::Server.new(domain_name),
+            listen: Nginx::ListenHttp.new,
+            location: Nginx::ReverseProxyLocation.new(proxy_url)
+          )
+        )
+      end
+
+      def save
+        result = super
+        https_reminder_message
+        result
+      end
+    end
+
+    class ReverseProxyHttps < Base
+      include Https
+
+      def initialize(domain_name, proxy_url, certificate_domain = nil)
+        @certificate_domain = certificate_domain || domain_name
+
+        super(domain_name,
+          Nginx::ServerBlock.new(
+            server: Nginx::Server.new(domain_name),
+            listen: Nginx::ListenHttps.new(domain_name, certificate_domain),
+            location: Nginx::ReverseProxyLocation.new(proxy_url)
+          ),
+          Nginx::TlsRedirectServerBlock.new(domain_name)
+        )
+      end
+
+      attr_reader :certificate_domain
+    end
+
+    class Site < Base
+      def initialize(domain_name, user, *server_blocks)
+        super(domain_name, *server_blocks)
+        @user = user
+      end
+
+      def save
+        FileUtils.mkdir_p(Nginx.root_directory(domain_name))
+        if Process.uid.zero?
+          FileUtils.chown(user,
+            "www-data",
+            Nginx.root_directory(domain_name))
+        end
+        super
+      end
+
+      attr_reader :user
+    end
+
+    class SiteHttp < Site
+      def initialize(domain_name, user, _certificate_domain = nil)
+        super(domain_name,
+          user,
+          Nginx::StaticServerBlock.new(
+            server: Nginx::Site.new(domain_name, user),
+            listen: Nginx::ListenHttp.new,
+            location: Nginx::Location.new
+          )
+        )
+      end
+
+      def save
+        result = super
+        https_reminder_message
+        result
+      end
+    end
+
+    class SiteHttps < Site
+      include Https
+
+      def initialize(domain_name, user, certificate_domain = nil)
+        @certificate_domain = certificate_domain || domain_name
+
+        super(domain_name,
+          user,
+          Nginx::StaticServerBlock.new(
+            server: Nginx::Site.new(domain_name, user),
+            listen: Nginx::ListenHttps.new(domain_name, certificate_domain),
+            location: Nginx::Location.new
+          ),
+          Nginx::TlsRedirectServerBlock.new(domain_name)
+        )
+      end
+
+      attr_reader :certificate_domain
+    end
+
+    class RailsHttp < Site
+      def initialize(domain_name, user, _certificate_domain = nil)
+        super(domain_name,
+          user,
+            Nginx::RailsServerBlock.new(
+              upstream: Nginx::Upstream.new(domain_name),
+              server: Nginx::RailsServer.new(domain_name),
+              listen: Nginx::ListenHttp.new,
+              location: [
+                Nginx::RailsLocation.new(domain_name),
+                Nginx::ActionCableLocation.new(domain_name)
+              ]
+            )
+          )
+      end
+
+      def save
+        Systemd::Rails.write_unit_file(domain_name) && super
+      end
+    end
+
+    class RailsHttps < Site
+      include Https
+
+      def initialize(domain_name, user, _certificate_domain = nil)
+        @certificate_domain = certificate_domain || domain_name
+        super(domain_name,
+          user,
+          Nginx::RailsServerBlock.new(
+            upstream: Nginx::Upstream.new(domain_name),
+            server: Nginx::RailsServer.new(domain_name),
+            listen: Nginx::ListenHttps.new(domain_name, certificate_domain),
+            location: [
+              Nginx::RailsLocation.new(domain_name),
+              Nginx::ActionCableLocation.new(domain_name)
+            ]
+          ),
+          Nginx::TlsRedirectServerBlock.new(domain_name)
+        )
+      end
+
+      # FIXME: DRY this up with the HTTP class.
+      def save
+        Systemd::Rails.write_unit_file(domain_name) && super
+      end
+
+      attr_reader :certificate_domain
+    end
+  end
+end

data/lib/shared_infrastructure/nginx/lines.rb

@@ -0,0 +1,19 @@
+module Nginx
+  ##
+  # A class to format lines nicely in a file.
+  class Lines < Array
+    def initialize(*lines)
+      @lines = Array(lines)
+    end
+
+    def format(level = 0)
+      @lines.map { |x| Lines.indent(x, level) }.join("\n")
+    end
+
+    class << self
+      def indent(s, level = 0)
+        s.empty? ? s : (" " * level * 2) + s
+      end
+    end
+  end
+end

data/lib/shared_infrastructure/nginx/listen.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+module Nginx
+  class Listen
+    def initialize(port)
+      @port = port
+    end
+
+    def to_s(level = 0)
+      Lines.new("listen #{port};", "listen [::]:#{port};").format(level)
+    end
+
+    private
+
+    attr_reader :port
+  end
+
+  class ListenHttp < Listen
+    def initialize
+      super 80
+    end
+  end
+
+  class ListenHttps < Listen
+    def initialize(domain_name, certificate_domain = nil)
+      @domain_name = domain_name
+      @certificate_domain = certificate_domain || domain_name
+      super 443
+    end
+
+    def to_s(level = 0)
+      Lines.new(
+        "# TLS config from: http://nginx.org/en/docs/http/configuring_https_servers.html",
+        "# HTTP2 doesn't require encryption, but at last reading, no browsers support",
+        "# HTTP2 without TLS, so only do http2 when we have TLS.",
+        "listen #{port} ssl http2;",
+        "listen [::]:#{port} ssl http2;",
+        "# Let's Encrypt file names and locations from: https://certbot.eff.org/docs/using.html#where-are-my-certificates",
+        "ssl_certificate_key #{Nginx.certificate_directory(certificate_domain)}/privkey.pem;",
+        "ssl_certificate     #{Nginx.certificate_directory(certificate_domain)}/fullchain.pem;",
+        "",
+        "# Test the site using: https://www.ssllabs.com/ssltest/index.html",
+        "# Optimize TLS, from: https://www.bjornjohansen.no/optimizing-https-nginx, steps 1-3",
+        "ssl_session_cache shared:SSL:1m; # Enough for 4,000 sessions.",
+        "ssl_session_timeout 180m;",
+        "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;",
+        "ssl_prefer_server_ciphers on;",
+        "ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;",
+        "# Step 4",
+        "ssl_dhparam #{Nginx.certificate_directory(certificate_domain)}/dhparam.pem;",
+        "# Step 5",
+        "ssl_stapling on;",
+        "ssl_stapling_verify on;",
+        "ssl_trusted_certificate #{Nginx.certificate_directory(certificate_domain)}/chain.pem;",
+        "resolver 8.8.8.8 8.8.4.4;",
+        "# Step 6 pin for a fortnight",
+        "add_header Strict-Transport-Security \"max-age=1209600\" always;",
+        "# Other steps TBD"
+      ).format(level)
+    end
+
+    private
+
+    attr_reader :certificate_domain, :domain_name
+  end
+end

data/lib/shared_infrastructure/nginx/location.rb

@@ -0,0 +1,98 @@
+# frozen_string_literal: true
+
+module Nginx
+  class Location
+    def initialize(location = "/")
+      @location = location
+    end
+
+    def to_s(level = 0)
+      Lines.new("location #{location} {",
+        "  try_files $uri $uri/ =404;",
+        "}").format(level)
+    end
+
+    private
+
+    attr_reader :location
+  end
+
+  class ActionCableLocation < Location
+    def initialize(domain_name, location = "/cable")
+      super(location)
+      @domain_name = domain_name
+    end
+
+    def to_s(level = 0)
+      Lines.new("location #{location} {",
+        "  proxy_pass http://#{domain_name};",
+        "  proxy_http_version 1.1;",
+        "  proxy_set_header Upgrade $http_upgrade;",
+        "  proxy_set_header Connection \"upgrade\";",
+        "}").format(level)
+    end
+
+    private
+
+    attr_reader :domain_name
+  end
+
+  class RailsLocation
+    def initialize(domain_name)
+      @domain_name = domain_name
+    end
+
+    def to_s(level = 0)
+      Lines.new("location @#{domain_name} {",
+        "  # A Rails app should force \"SSL\" so that it generates redirects to HTTPS,",
+        "  # among other things.",
+        "  # However, you want Nginx to handle the workload of TLS.",
+        "  # The trick to proxying to a Rails app, therefore, is to proxy pass to HTTP,",
+        "  # but set the header to HTTPS",
+        "  # Next two lines.",
+        "  proxy_pass http://#{domain_name};",
+        "  proxy_set_header X-Forwarded-Proto $scheme; # $scheme says http or https",
+        "  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;",
+        "  proxy_set_header Host $http_host;",
+        "  proxy_redirect off;",
+        "}").format(level)
+    end
+
+    private
+
+    attr_reader :domain_name
+  end
+
+  class ReverseProxyLocation < Location
+    def initialize(proxy_url, location = "/")
+      super location
+      @proxy_url = proxy_url
+    end
+
+    def to_s(level = 0)
+      Lines.new("location #{location} {",
+        "  proxy_pass #{proxy_url};",
+        "  proxy_set_header Host $http_host;",
+        "  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;",
+        "  proxy_set_header X-Forwarded-Proto $scheme;",
+        "  proxy_set_header X-Real-IP $remote_addr;",
+        "  proxy_redirect off;",
+        "}").format(level)
+    end
+
+    private
+
+    attr_reader :proxy_url
+  end
+
+  class RedirectLocation < Location
+    def initialize
+      super
+      @location = nil
+    end
+
+    def to_s(level = 0)
+      Lines.new("return 301 https://$server_name/$request_uri;").format(level)
+    end
+  end
+end

data/lib/shared_infrastructure/nginx/nginx.rb

@@ -0,0 +1,100 @@
+# frozen_string_literal: true
+
+require "fileutils"
+
+module Nginx
+  class Configuration
+    def certbot_domain_names(domain_name)
+      "#{domain_name} www.#{domain_name}"
+    end
+
+    def certificate_directory(domain_name)
+      "#{root}/etc/letsencrypt/live/#{domain_name}"
+    end
+
+    def initialize(root = nil)
+      @dhparam = 2048
+      @root = root
+    end
+
+    def root?
+      !(root.nil? || root.empty?)
+    end
+
+    def root_directory(domain_name)
+      "#{root}/var/www/#{domain_name}/html"
+    end
+
+    def server_block_location(domain_name)
+      "#{root}/etc/nginx/sites-available/#{domain_name}"
+    end
+
+    def enabled_server_block_location(domain_name)
+      "#{root}/etc/nginx/sites-enabled/#{domain_name}"
+    end
+
+    attr_accessor :dhparam, :root
+  end
+
+  class << self
+    ##
+    # Change root. If block is given, change the root only for the duration
+    # of the block. If no block is given, is the same as configure.
+    def chroot(root = nil)
+      if block_given?
+        begin
+          save_root = configuration.root
+          chroot(root)
+          result = yield
+        ensure
+          chroot(save_root)
+          result
+        end
+      else
+        configuration.root = root
+      end
+    end
+
+    def configure
+      yield configuration
+    end
+
+    def configuration
+      @configuration ||= Configuration.new
+    end
+
+    def dhparam
+      configuration.dhparam
+    end
+
+    def dhparam=(key_length)
+      configuration.dhparam = key_length
+    end
+
+    def prepare_fake_files(domain_name, certificate_domain = nil)
+      ::FileUtils.mkdir_p(File.dirname(server_block_location(domain_name)))
+      ::FileUtils.mkdir_p(File.dirname(enabled_server_block_location(domain_name)))
+      ::FileUtils.mkdir_p(certificate_directory(certificate_domain || domain_name))
+    end
+
+    def root
+      configuration.root
+    end
+
+    def root?
+      configuration.root?
+    end
+
+    %i[
+      certbot_domain_names
+      certificate_directory
+      enabled_server_block_location
+      root_directory
+      server_block_location
+    ].each do |method|
+      define_method method do |domain_name|
+        configuration.send(method, domain_name)
+      end
+    end
+  end
+end

data/lib/shared_infrastructure/nginx/server.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+module Nginx
+  ##
+  # The server_name line of a server block.
+  class Server
+    attr_reader :domain_name
+
+    def initialize(domain_name)
+      @domain_name = domain_name
+    end
+
+    def to_s(level = 0)
+      Lines.new("server_name #{Nginx.certbot_domain_names(domain_name)};").format(level)
+    end
+  end
+
+  ##
+  # Server name and site location for a static site.
+  # TODO: I don't like the way this gets twisted when subclassing.
+  class StaticServer < Server
+    def to_s(level = 0)
+      [
+        super(level),
+        Lines.new(
+          "root #{root_directory};",
+          "index index.html index.htm;"
+        ).format(level)
+      ].join("\n\n")
+    end
+  end
+
+  class RailsServer < Server
+    def root_directory
+      File.join(Nginx.root_directory(domain_name), "public")
+    end
+
+    def to_s(level = 0)
+      [
+        super(level),
+        Lines.new(
+          "# http://stackoverflow.com/a/11313241/3109926 said the following",
+          "# is what serves from public directly without hitting Puma",
+          "root #{root_directory};",
+          "try_files $uri/index.html $uri @example.com;",
+          "error_page 500 502 503 504 /500.html;",
+          "client_max_body_size 4G;",
+          "keepalive_timeout 10;"
+        ).format(level)
+      ].join("\n\n")
+    end
+  end
+end

data/lib/shared_infrastructure/nginx/server_block.rb

@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+##
+# Write nginx configuration files.
+module Nginx
+  class ServerBlock
+    def initialize(upstream: nil, server: nil, listen: nil, location: nil)
+      @listen = listen
+      @location = Array(location)
+      @server = server
+      @upstream = upstream
+    end
+
+    def save
+      File.open(Nginx.server_block_location(server.domain_name), "w") do |f|
+        f << to_s
+      end
+      `ln -fs ../sites-available/#{server.domain_name} #{Nginx.enabled_server_block_location(server.domain_name)}`
+    end
+
+    def to_s
+      [
+        upstream_string,
+        server_block_string
+      ].compact.join("\n\n")
+    end
+
+    private
+
+    def server_block_string
+      <<~SERVER_BLOCK
+        server {
+        #{[
+          @server&.to_s(1),
+          @listen&.to_s(1),
+          @location&.map { |l| l.to_s(1) }
+        ].compact.join("\n\n")}
+        }
+SERVER_BLOCK
+    end
+
+    def upstream_string
+      upstream&.to_s
+    end
+
+    attr_reader :listen, :location, :server, :upstream
+  end
+
+  class SiteServerBlock < ServerBlock
+    def make_root_directory(root_directory)
+      FileUtils.mkdir_p(server.root_directory)
+      if Process.uid.zero?
+        FileUtils.chown(server.user,
+          "www-data",
+          server.root_directory)
+      end
+    end
+
+    def save
+      make_root_directory(root_directory)
+      super
+    end
+  end
+
+  class RailsServerBlock < SiteServerBlock
+    def root_directory
+      File.join(server.root_directory, "/public")
+    end
+  end
+
+  class StaticServerBlock < SiteServerBlock
+  end
+
+  class TlsRedirectServerBlock < ServerBlock
+    def initialize(domain_name)
+      super(
+        server: Server.new(domain_name),
+        listen: ListenHttp.new,
+        location: RedirectLocation.new
+      )
+    end
+  end
+end

data/lib/shared_infrastructure/nginx/site.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Nginx
+  ##
+  # Server name and site location for a static site.
+  # TODO: I don't like the way this gets twisted when subclassing.
+  class Site < Server
+    attr_reader :user
+
+    def initialize(domain_name, user = "ubuntu")
+      super domain_name
+      @user = user
+    end
+
+    def root_directory
+      Nginx.root_directory(domain_name)
+    end
+
+    def to_s(level = 0)
+      [
+        super(level),
+        Lines.new(
+          "root #{Nginx.root_directory(domain_name)};",
+          "index index.html index.htm;"
+        ).format(level)
+      ].join("\n\n")
+    end
+  end
+end

data/lib/shared_infrastructure/runner/base.rb

@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+
+require "optparse"
+
+module Runner
+  ##
+  # Basic runner for nginx config file generation.
+  class Base
+    def main
+      options = process_options
+      options.merge!(process_args)
+
+      puts "options: #{options.inspect}" if options[:debug]
+
+      Nginx.prepare_fake_files(options[:domain_name], options[:certificate_domain]) if Nginx.root?
+
+      @builder_class = protocol_factory(options)
+      puts "builder_class: #{builder_class.inspect}" if options[:debug]
+      builder_class
+    end
+
+    def options_for_config(options)
+      options.select { |k, _v| k == :user }
+    end
+
+    def process_args
+      $stderr.puts "domain required" unless ARGV.size == 1
+      { domain_name: ARGV[0] }
+    end
+
+    def process_options(http_builder_class = Nginx::Builder::SiteHttp,
+      https_builder_class = Nginx::Builder::SiteHttps)
+      options = {}
+      OptionParser.new do |opts|
+        opts.banner = "Usage: [options]"
+
+        opts.on("-c DOMAIN",
+          "--certificate-domain DOMAIN",
+          "Use the certificate for DOMAIN.") do |certificate_domain|
+          options[:certificate_domain] = certificate_domain
+        end
+
+        opts.on("-h", "--help", "Prints this help") do
+          puts opts
+          exit
+        end
+
+        opts.on("-d", "--debug", "Print debugging information.") do
+          options[:debug] = true
+        end
+
+        opts.on("-p PROTOCOL",
+          "--protocol PROTOCOL",
+          "HTTP|HTTPS. Default: HTTPS if key files exist, else HTTP.") do |protocol|
+          options[:protocol] = case protocol
+                               when "HTTP"
+                                 http_builder_class
+                               when "HTTPS"
+                                 https_builder_class
+                               else
+                                 puts opts
+                                 exit
+                               end
+        end
+
+        opts.on("-r DIRECTORY",
+          "--root DIRECTORY",
+          "DIRECTORY. Set a root for files. This options is for debugging.") do |directory|
+          Nginx.chroot(directory)
+        end
+
+        opts.on("-u USER",
+          "--user USER",
+          "User to be the owner of certain files. Default: ubuntu.") do |user|
+          options[:user] = user
+        end
+
+        opts.on("--dhparam KEYSIZE",
+          "KEYSIZE. Default: 2048 should be used. This option is for testing.") do |keysize|
+          Nginx.dhparam = keysize
+        end
+
+        yield opts if block_given?
+      end.parse!
+      options
+    end
+
+    attr_reader :builder_class
+
+    def protocol_factory(options,
+      http_builder_class = Nginx::Builder::SiteHttp,
+      https_builder_class = Nginx::Builder::SiteHttps)
+      if options[:protocol]
+        options[:protocol]
+      else
+        certificate_directory = Nginx.certificate_directory(
+          options[:certificate_domain] || options[:domain_name]
+        )
+        if File.exist?(File.join(certificate_directory, "privkey.pem")) &&
+           File.exist?(File.join(certificate_directory, "fullchain.pem")) &&
+           File.exist?(File.join(certificate_directory, "chain.pem")) &&
+           File.exist?(File.join(certificate_directory, "cert.pem"))
+          https_builder_class
+        else
+          http_builder_class
+        end
+      end
+    end
+  end
+end

data/lib/shared_infrastructure/runner/reverse_proxy.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module Runner
+  ##
+  # Generate reverse proxy config files for Nginx.
+  class ReverseProxy < Base
+    def options_for_config(options)
+      super(options).merge(proxy_url: ARGV[1])
+    end
+
+    def process_args
+      $stderr.puts "domain and target url required" unless ARGV.size == 2
+      {
+        domain_name: ARGV[0],
+        proxy_url: ARGV[1]
+      }
+    end
+
+    def process_options
+      super(Nginx::Builder::ReverseProxyHttp, Nginx::Builder::ReverseProxyHttps)
+    end
+
+    def protocol_factory(options)
+      protocol_class = super(
+        options,
+        Nginx::Builder::ReverseProxyHttp,
+        Nginx::Builder::ReverseProxyHttps
+      )
+
+      domain_name = options.delete(:domain_name)
+      proxy_url = options.delete(:proxy_url)
+      certificate_domain = options.delete(:certificate_domain)
+      protocol_class.new(domain_name, proxy_url, certificate_domain)
+    end
+  end
+end

data/lib/shared_infrastructure/runner/static_site.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Runner
+  ##
+  # Generate static site config files for Nginx.
+  class StaticSite < Base
+    def protocol_factory(options)
+      protocol_class = super(
+        options,
+        Nginx::Builder::SiteHttp,
+        Nginx::Builder::SiteHttps
+      )
+
+      domain_name = options.delete(:domain_name)
+      user = options.delete(:user) || "ubuntu"
+      certificate_domain = options.delete(:certificate_domain)
+      protocol_class.new(domain_name, user, certificate_domain)
+    end
+  end
+end

data/lib/shared_infrastructure/systemd/rails.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+module Systemd
+  module Rails
+    class << self
+      def puma_uri(domain_name)
+        "unix:///tmp/#{domain_name}.sock"
+      end
+
+      def redis_location(domain_name)
+        "redis." + domain_name
+      end
+
+      def write_unit_file(domain_name)
+        if ENV["SECRET_KEY_BASE"].nil? ||
+           ENV["DATABASE_USERNAME"].nil? ||
+           ENV["DATABASE_PASSWORD"].nil? ||
+           ENV["EMAIL_PASSWORD"].nil?
+          raise "Missing environment variable"
+        end
+
+        result = File.open(Systemd.unit_file(domain_name), "w") do |f|
+          f << <<~UNIT_FILE
+            [Unit]
+            Description=Puma HTTP Server for #{domain_name}
+            After=network.target
+
+            # Uncomment for socket activation (see below)
+            # Requires=#{domain_name}.socket
+
+            [Service]
+            # Foreground process (do not use --daemon in ExecStart or config.rb)
+            Type=simple
+
+            User=nobody
+            Group=www-data
+
+            # Specify the path to the Rails application root
+            WorkingDirectory=#{Nginx.root_directory(domain_name)}
+
+            # Helpful for debugging socket activation, etc.
+            # Environment=PUMA_DEBUG=1
+            Environment=RACK_ENV=production
+            Environment=RAILS_ENV=production
+            Environment=SECRET_KEY_BASE=#{ENV['SECRET_KEY_BASE']}
+            Environment=DATABASE_USERNAME=#{ENV['DATABASE_USERNAME']}
+            Environment=DATABASE_PASSWORD=#{ENV['DATABASE_PASSWORD']}
+            Environment=EMAIL_PASSWORD=#{ENV['EMAIL_PASSWORD']}
+            Environment=REDIS_URL=unix:///tmp/#{redis_location(domain_name)}.sock
+
+            # The command to start Puma
+            # NOTE: TLS would be handled by Nginx
+            ExecStart=#{Nginx.root_directory(domain_name)}/bin/puma -b #{puma_uri(domain_name)} \
+              --redirect-stdout=#{Nginx.root_directory(domain_name)}/log/puma-production.stdout.log \
+              --redirect-stderr=#{Nginx.root_directory(domain_name)}/log/puma-production.stderr.log
+            # ExecStart=/usr/local/bin/puma -b tcp://#{puma_uri(domain_name)}
+
+            Restart=always
+
+            [Install]
+            WantedBy=multi-user.target
+          UNIT_FILE
+        end
+
+        FileUtils.chmod(0o600, Systemd.unit_file(domain_name))
+        `systemctl enable $domain_name.service` if Process.uid.zero?
+
+        result
+      end
+    end
+  end
+end

data/lib/shared_infrastructure/systemd/systemd.rb

@@ -0,0 +1,31 @@
+module Systemd
+  class Configuration
+    def initialize
+      @unit_file_path = File.join(Nginx.root, "/lib/systemd/system")
+    end
+
+    def unit_file(domain_name)
+      File.join(unit_file_path, domain_name + ".service")
+    end
+
+    attr_accessor :unit_file_path
+  end
+
+  class << self
+    def configure
+      yield configuration
+    end
+
+    def configuration
+      @configuration ||= Configuration.new
+    end
+
+    %i[
+      unit_file
+    ].each do |method|
+      define_method method do |domain_name|
+        configuration.send(method, domain_name)
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,65 @@
+--- !ruby/object:Gem::Specification
+name: shared-infrastructure
+version: !ruby/object:Gem::Version
+  version: 0.0.2
+platform: ruby
+authors:
+- Larry Reid
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-10-26 00:00:00.000000000 Z
+dependencies: []
+description: 'For static sites, Rails apps, and reverse proxies.
+
+'
+email: lcreid@jadesystems.ca
+executables:
+- create-server-block
+- create-rails-app
+- create-reverse-proxy
+extensions: []
+extra_rdoc_files: []
+files:
+- bin/create-rails-app
+- bin/create-reverse-proxy
+- bin/create-server-block
+- lib/shared_infrastructure.rb
+- lib/shared_infrastructure/nginx/builder.rb
+- lib/shared_infrastructure/nginx/lines.rb
+- lib/shared_infrastructure/nginx/listen.rb
+- lib/shared_infrastructure/nginx/location.rb
+- lib/shared_infrastructure/nginx/nginx.rb
+- lib/shared_infrastructure/nginx/server.rb
+- lib/shared_infrastructure/nginx/server_block.rb
+- lib/shared_infrastructure/nginx/site.rb
+- lib/shared_infrastructure/runner/base.rb
+- lib/shared_infrastructure/runner/reverse_proxy.rb
+- lib/shared_infrastructure/runner/static_site.rb
+- lib/shared_infrastructure/systemd/rails.rb
+- lib/shared_infrastructure/systemd/systemd.rb
+homepage: https://github.com/weenhanceit/infrastructure
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: Configure nginx, systemd, and/or Puma
+test_files: []