skippy-ec2onrails 0.9.10
Sign up to get free protection for your applications and to get access to all the features.
- data/CHANGELOG +159 -0
- data/COPYING +339 -0
- data/Manifest +162 -0
- data/README.textile +214 -0
- data/Rakefile +36 -0
- data/TODO +102 -0
- data/ec2onrails.gemspec +42 -0
- data/examples/Capfile +3 -0
- data/examples/deploy.rb +101 -0
- data/examples/s3.yml +9 -0
- data/lib/ec2onrails/capistrano_utils.rb +43 -0
- data/lib/ec2onrails/recipes.rb +844 -0
- data/lib/ec2onrails/version.rb +31 -0
- data/lib/ec2onrails.rb +20 -0
- data/server/build-ec2onrails.sh +44 -0
- data/server/files/etc/aliases +5 -0
- data/server/files/etc/aliases.db +0 -0
- data/server/files/etc/apache2/apache2.conf +295 -0
- data/server/files/etc/apache2/conf.d/app.proxy_cluster.conf +7 -0
- data/server/files/etc/apache2/conf.d/app.proxy_frontend.conf +10 -0
- data/server/files/etc/apache2/mods-available/proxy.conf +18 -0
- data/server/files/etc/apache2/sites-available/app.common +56 -0
- data/server/files/etc/apache2/sites-available/app.custom +0 -0
- data/server/files/etc/apache2/sites-available/default +14 -0
- data/server/files/etc/apache2/sites-available/default-ssl +19 -0
- data/server/files/etc/cron.d/backup_app_db_to_s3 +16 -0
- data/server/files/etc/cron.daily/app +9 -0
- data/server/files/etc/cron.daily/logrotate_post +19 -0
- data/server/files/etc/cron.hourly/app +10 -0
- data/server/files/etc/cron.monthly/app +10 -0
- data/server/files/etc/cron.weekly/app +10 -0
- data/server/files/etc/denyhosts.conf +628 -0
- data/server/files/etc/dpkg/dpkg.cfg +13 -0
- data/server/files/etc/ec2onrails/README +32 -0
- data/server/files/etc/ec2onrails/balancer_members +6 -0
- data/server/files/etc/ec2onrails/roles.yml +5 -0
- data/server/files/etc/environment +2 -0
- data/server/files/etc/god/app.god +35 -0
- data/server/files/etc/god/db.god +17 -0
- data/server/files/etc/god/examples/have_god_daemonize.god +18 -0
- data/server/files/etc/god/master.conf +35 -0
- data/server/files/etc/god/memcache.god +15 -0
- data/server/files/etc/god/notifications.god +14 -0
- data/server/files/etc/god/system.god +34 -0
- data/server/files/etc/god/web.god +36 -0
- data/server/files/etc/init.d/ec2-every-startup +29 -0
- data/server/files/etc/init.d/ec2-first-startup +36 -0
- data/server/files/etc/init.d/god +42 -0
- data/server/files/etc/init.d/nginx +78 -0
- data/server/files/etc/init.d/set_roles +3 -0
- data/server/files/etc/logrotate.d/apache2 +16 -0
- data/server/files/etc/logrotate.d/mongrel +11 -0
- data/server/files/etc/logrotate.d/nginx +11 -0
- data/server/files/etc/memcached.conf +47 -0
- data/server/files/etc/mongrel_cluster/app.yml +9 -0
- data/server/files/etc/motd.tail +13 -0
- data/server/files/etc/mysql/my.cnf +149 -0
- data/server/files/etc/nginx/nginx.conf +296 -0
- data/server/files/etc/postfix/main.cf +4 -0
- data/server/files/etc/rcS.d/S91ec2-first-startup +1 -0
- data/server/files/etc/rcS.d/S92ec2-every-startup +1 -0
- data/server/files/etc/rcS.d/S99set_roles +1 -0
- data/server/files/etc/ssh/sshd_config +94 -0
- data/server/files/etc/sudoers +1 -0
- data/server/files/etc/sudoers.full_access +26 -0
- data/server/files/etc/sudoers.restricted_access +28 -0
- data/server/files/etc/syslog.conf +69 -0
- data/server/files/usr/bin/god +26 -0
- data/server/files/usr/local/ec2onrails/COPYING +339 -0
- data/server/files/usr/local/ec2onrails/bin/archive_file.rb +44 -0
- data/server/files/usr/local/ec2onrails/bin/backup_app_db.rb +159 -0
- data/server/files/usr/local/ec2onrails/bin/ec2_meta_data.rb +80 -0
- data/server/files/usr/local/ec2onrails/bin/exec_runner +73 -0
- data/server/files/usr/local/ec2onrails/bin/init_services.rb +64 -0
- data/server/files/usr/local/ec2onrails/bin/optimize_mysql.rb +348 -0
- data/server/files/usr/local/ec2onrails/bin/rails_env +35 -0
- data/server/files/usr/local/ec2onrails/bin/rebundle.sh +70 -0
- data/server/files/usr/local/ec2onrails/bin/restore_app_db.rb +58 -0
- data/server/files/usr/local/ec2onrails/bin/set_rails_env +40 -0
- data/server/files/usr/local/ec2onrails/bin/set_roles.rb +87 -0
- data/server/files/usr/local/ec2onrails/bin/setup_web_proxy.rb +109 -0
- data/server/files/usr/local/ec2onrails/config +30 -0
- data/server/files/usr/local/ec2onrails/lib/aws_helper.rb +76 -0
- data/server/files/usr/local/ec2onrails/lib/god_helper.rb +129 -0
- data/server/files/usr/local/ec2onrails/lib/god_patch.rb +43 -0
- data/server/files/usr/local/ec2onrails/lib/mysql_helper.rb +101 -0
- data/server/files/usr/local/ec2onrails/lib/roles_helper.rb +151 -0
- data/server/files/usr/local/ec2onrails/lib/s3_helper.rb +99 -0
- data/server/files/usr/local/ec2onrails/lib/utils.rb +16 -0
- data/server/files/usr/local/ec2onrails/lib/vendor/ini.rb +268 -0
- data/server/files/usr/local/ec2onrails/startup-scripts/every-startup/get-hostname.sh +25 -0
- data/server/files/usr/local/ec2onrails/startup-scripts/first-startup/README +5 -0
- data/server/files/usr/local/ec2onrails/startup-scripts/first-startup/create-dirs.sh +39 -0
- data/server/files/usr/local/ec2onrails/startup-scripts/first-startup/generate-default-web-cert-and-key.sh +49 -0
- data/server/files/usr/local/ec2onrails/startup-scripts/first-startup/misc.sh +27 -0
- data/server/files/usr/local/ec2onrails/startup-scripts/first-startup/prepare-mysql-data-dir.sh +24 -0
- data/server/files/usr/local/ec2onrails/startup-scripts/first-startup/setup-credentials.sh +29 -0
- data/server/files/usr/local/ec2onrails/startup-scripts/first-startup/setup-file-permissions.sh +30 -0
- data/server/rakefile.rb +242 -0
- data/setup.rb +1585 -0
- data/test/autobench.conf +60 -0
- data/test/spec/lib/s3_helper_spec.rb +134 -0
- data/test/spec/lib/s3_old.yml +3 -0
- data/test/spec/test_files/test1 +0 -0
- data/test/spec/test_files/test2 +0 -0
- data/test/test_app/Capfile +3 -0
- data/test/test_app/README +182 -0
- data/test/test_app/Rakefile +10 -0
- data/test/test_app/app/controllers/application.rb +7 -0
- data/test/test_app/app/controllers/db_fast_controller.rb +6 -0
- data/test/test_app/app/controllers/fast_controller.rb +5 -0
- data/test/test_app/app/controllers/slow_controller.rb +6 -0
- data/test/test_app/app/controllers/very_slow_controller.rb +6 -0
- data/test/test_app/app/helpers/application_helper.rb +3 -0
- data/test/test_app/app/helpers/db_fast_helper.rb +2 -0
- data/test/test_app/app/helpers/fast_helper.rb +2 -0
- data/test/test_app/app/helpers/slow_helper.rb +2 -0
- data/test/test_app/app/helpers/very_slow_helper.rb +2 -0
- data/test/test_app/config/boot.rb +109 -0
- data/test/test_app/config/database.yml +19 -0
- data/test/test_app/config/deploy.rb +21 -0
- data/test/test_app/config/environment.rb +60 -0
- data/test/test_app/config/environments/development.rb +21 -0
- data/test/test_app/config/environments/production.rb +18 -0
- data/test/test_app/config/environments/test.rb +19 -0
- data/test/test_app/config/routes.rb +27 -0
- data/test/test_app/db/schema.rb +7 -0
- data/test/test_app/doc/README_FOR_APP +2 -0
- data/test/test_app/public/404.html +30 -0
- data/test/test_app/public/500.html +30 -0
- data/test/test_app/public/dispatch.cgi +10 -0
- data/test/test_app/public/dispatch.fcgi +24 -0
- data/test/test_app/public/dispatch.rb +10 -0
- data/test/test_app/public/favicon.ico +0 -0
- data/test/test_app/public/images/rails.png +0 -0
- data/test/test_app/public/javascripts/application.js +2 -0
- data/test/test_app/public/javascripts/controls.js +963 -0
- data/test/test_app/public/javascripts/dragdrop.js +972 -0
- data/test/test_app/public/javascripts/effects.js +1120 -0
- data/test/test_app/public/javascripts/prototype.js +4225 -0
- data/test/test_app/public/robots.txt +1 -0
- data/test/test_app/script/about +3 -0
- data/test/test_app/script/breakpointer +3 -0
- data/test/test_app/script/console +3 -0
- data/test/test_app/script/destroy +3 -0
- data/test/test_app/script/generate +3 -0
- data/test/test_app/script/performance/benchmarker +3 -0
- data/test/test_app/script/performance/profiler +3 -0
- data/test/test_app/script/performance/request +3 -0
- data/test/test_app/script/plugin +3 -0
- data/test/test_app/script/process/inspector +3 -0
- data/test/test_app/script/process/reaper +3 -0
- data/test/test_app/script/process/spawner +3 -0
- data/test/test_app/script/runner +3 -0
- data/test/test_app/script/server +3 -0
- data/test/test_app/test/functional/db_fast_controller_test.rb +18 -0
- data/test/test_app/test/functional/fast_controller_test.rb +18 -0
- data/test/test_app/test/functional/slow_controller_test.rb +18 -0
- data/test/test_app/test/functional/very_slow_controller_test.rb +18 -0
- data/test/test_app/test/test_helper.rb +28 -0
- data/test/test_ec2onrails.rb +11 -0
- data/test/test_helper.rb +2 -0
- metadata +274 -0
@@ -0,0 +1,296 @@
|
|
1
|
+
# user and group to run as
|
2
|
+
user app app;
|
3
|
+
|
4
|
+
# number of nginx workers
|
5
|
+
worker_processes 6;
|
6
|
+
|
7
|
+
# pid of nginx master process
|
8
|
+
pid /var/run/nginx.pid;
|
9
|
+
|
10
|
+
# Number of worker connections. 1024 is a good default
|
11
|
+
events {
|
12
|
+
worker_connections 1024;
|
13
|
+
use epoll; # linux only!
|
14
|
+
}
|
15
|
+
|
16
|
+
# start the http module where we config http access.
|
17
|
+
http {
|
18
|
+
# pull in mime-types. You can break out your config
|
19
|
+
# into as many include's as you want to make it cleaner
|
20
|
+
include /etc/nginx/mime.types;
|
21
|
+
|
22
|
+
# set a default type for the rare situation that
|
23
|
+
# nothing matches from the mimie-type include
|
24
|
+
default_type application/octet-stream;
|
25
|
+
|
26
|
+
# configure log format
|
27
|
+
log_format main '$remote_addr [$time_local] '
|
28
|
+
'"$scheme $host $request" $status $body_bytes_sent "$http_referer" '
|
29
|
+
'"$http_user_agent" "$http_x_forwarded_for" '
|
30
|
+
'($request_time');
|
31
|
+
|
32
|
+
# main access log
|
33
|
+
access_log /mnt/log/nginx/access.log main;
|
34
|
+
|
35
|
+
# main error log - Do not comment out. If you do not want the log file set this to /dev/null
|
36
|
+
# use debug instead of notice if you want additional information
|
37
|
+
error_log /mnt/log/nginx/error.log notice;
|
38
|
+
|
39
|
+
# no sendfile on OSX
|
40
|
+
sendfile on;
|
41
|
+
|
42
|
+
# These are good default values.
|
43
|
+
tcp_nopush on;
|
44
|
+
tcp_nodelay on;
|
45
|
+
# output compression saves bandwidth
|
46
|
+
gzip on;
|
47
|
+
gzip_http_version 1.0;
|
48
|
+
gzip_comp_level 5;
|
49
|
+
gzip_proxied any;
|
50
|
+
gzip_types text/plain \
|
51
|
+
text/html \
|
52
|
+
text/css \
|
53
|
+
application/x-javascript \
|
54
|
+
text/xml \
|
55
|
+
application/xml \
|
56
|
+
application/xml+rss \
|
57
|
+
text/javascript;
|
58
|
+
|
59
|
+
|
60
|
+
# this is where you define your mongrel clusters.
|
61
|
+
# you need one of these blocks for each cluster
|
62
|
+
# and each one needs its own name to refer to it later.
|
63
|
+
include /etc/ec2onrails/nginx_upstream_members;
|
64
|
+
|
65
|
+
|
66
|
+
# the server directive is nginx's virtual host directive.
|
67
|
+
server {
|
68
|
+
# port to listen on. Can also be set to an IP:PORT
|
69
|
+
listen 80;
|
70
|
+
|
71
|
+
# Set the max size for file uploads to 50Mb
|
72
|
+
client_max_body_size 50M;
|
73
|
+
|
74
|
+
# sets the domain[s] that this vhost server requests for
|
75
|
+
# server_name www.[ec2onrails].com [ec2onrails].com;
|
76
|
+
server_name _;
|
77
|
+
|
78
|
+
# uncomment to force a redirect to www
|
79
|
+
# if ($host ~* "^[ec2onrails].com$"){
|
80
|
+
# rewrite ^(.*)$ http://www.[ec2onrails].com$1 permanent;
|
81
|
+
# break;
|
82
|
+
# }
|
83
|
+
|
84
|
+
# uncomment if you want to allow or force some or all pages to go to http:// instead of https://
|
85
|
+
# if redirecting all to https, you won't need any of the other directives below the rewrite/break
|
86
|
+
# set $sub 'www';
|
87
|
+
# if ($host ~* "^(.+?)\.[ec2onrails].com$"){
|
88
|
+
# set $sub $1;
|
89
|
+
# }
|
90
|
+
#
|
91
|
+
# if ( $uri ~* "^/.+$") {
|
92
|
+
# rewrite ^(.*)$ https://$sub.[ec2onrails].com$1 permanent;
|
93
|
+
# break;
|
94
|
+
# }
|
95
|
+
|
96
|
+
# doc root
|
97
|
+
root /mnt/app/current/public;
|
98
|
+
|
99
|
+
# vhost specific access log
|
100
|
+
access_log /mnt/log/nginx/vhost.access.log main;
|
101
|
+
error_page 400 /400.html;
|
102
|
+
error_page 500 502 503 504 /500.html;
|
103
|
+
location = /500.html {
|
104
|
+
root /mnt/app/current/public;
|
105
|
+
}
|
106
|
+
|
107
|
+
# this allows people to use images and css in their maintenance.html file
|
108
|
+
if ($request_filename ~* \.(css|jpg|gif|png)$) {
|
109
|
+
break;
|
110
|
+
}
|
111
|
+
|
112
|
+
# this rewrites all the requests to the maintenance.html
|
113
|
+
# page if it exists in the doc root. This is for capistrano's
|
114
|
+
# disable web task
|
115
|
+
if (-f $document_root/system/maintenance.html) {
|
116
|
+
rewrite ^(.*)$ /system/maintenance.html last;
|
117
|
+
break;
|
118
|
+
}
|
119
|
+
|
120
|
+
# see http://wiki.codemongers.com/NginxHttpStubStatusModule
|
121
|
+
# for more information
|
122
|
+
location /nginx_status {
|
123
|
+
# copied from http://blog.kovyrin.net/2006/04/29/monitoring-nginx-with-rrdtool/
|
124
|
+
stub_status on;
|
125
|
+
access_log off;
|
126
|
+
#only allow from localhost
|
127
|
+
allow 127.0.0.1;
|
128
|
+
deny all;
|
129
|
+
}
|
130
|
+
|
131
|
+
location / {
|
132
|
+
# FUTURE TODO...enable this and test the hell out of it
|
133
|
+
# if ($request_method = GET) {
|
134
|
+
# set $memcached_key $uri;
|
135
|
+
# memcached_pass 127.0.0.1:11211;
|
136
|
+
# error_page 404 502 = @myapp;
|
137
|
+
# break;
|
138
|
+
# }
|
139
|
+
|
140
|
+
index index.html index.htm;
|
141
|
+
|
142
|
+
# needed to forward user's IP address to rails
|
143
|
+
proxy_set_header X-Real-IP $remote_addr;
|
144
|
+
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
145
|
+
proxy_set_header Host $http_host;
|
146
|
+
proxy_redirect false;
|
147
|
+
proxy_max_temp_file_size 0;
|
148
|
+
proxy_next_upstream error; # do not pass along to another mongrel instance if failed or timed out
|
149
|
+
proxy_read_timeout 400; # give plenty of time for long-running rails processing tasks
|
150
|
+
#the proxy_connect_timeout cannot be more than 75
|
151
|
+
proxy_connect_timeout 70;
|
152
|
+
|
153
|
+
location ~ ^/(images|javascripts|stylesheets)/ {
|
154
|
+
expires 10y;
|
155
|
+
}
|
156
|
+
|
157
|
+
if (-f $request_filename) {
|
158
|
+
break;
|
159
|
+
}
|
160
|
+
|
161
|
+
# this is the meat of the rails page caching config
|
162
|
+
# it adds .html to the end of the url and then checks
|
163
|
+
# the filesystem for that file. If it exists, then we
|
164
|
+
# rewite the url to have explicit .html on the end
|
165
|
+
# and then send it on its way to the next config rule.
|
166
|
+
# if there is no file on the fs then it sets all the
|
167
|
+
# necessary headers and proxies to our upstream mongrels
|
168
|
+
if (-f $request_filename.html) {
|
169
|
+
rewrite (.*) $1.html break;
|
170
|
+
}
|
171
|
+
|
172
|
+
#proxy to mongrel
|
173
|
+
if (!-f $request_filename) {
|
174
|
+
proxy_pass http://mongrel;
|
175
|
+
break;
|
176
|
+
}
|
177
|
+
}
|
178
|
+
}
|
179
|
+
|
180
|
+
# This server is setup for ssl. Uncomment if
|
181
|
+
# you are using ssl as well as port 80.
|
182
|
+
# server {
|
183
|
+
# # port to listen on. Can also be set to an IP:PORT
|
184
|
+
# listen 443;
|
185
|
+
#
|
186
|
+
# # Set the max size for file uploads to 50Mb
|
187
|
+
# client_max_body_size 50M;
|
188
|
+
#
|
189
|
+
# # sets the domain[s] that this vhost server requests for
|
190
|
+
# # server_name www.[ec2onrails].com [ec2onrails].com;
|
191
|
+
# server_name _;
|
192
|
+
#
|
193
|
+
# # uncomment to force a redirect to www
|
194
|
+
# # if ($host ~* "^[ec2onrails].com$"){
|
195
|
+
# # rewrite ^(.*)$ http://www.[ec2onrails].com$1 permanent;
|
196
|
+
# # break;
|
197
|
+
# # }
|
198
|
+
#
|
199
|
+
# ssl on;
|
200
|
+
# ssl_certificate /etc/nginx/your_cert.crt;
|
201
|
+
# ssl_certificate_key /etc/nginx/your_cert.key;
|
202
|
+
#
|
203
|
+
# # doc root
|
204
|
+
# root /mnt/app/current/public;
|
205
|
+
#
|
206
|
+
# # vhost specific access log
|
207
|
+
# access_log /mnt/log/nginx/vhost.access.log main;
|
208
|
+
# error_page 400 /400.html;
|
209
|
+
# error_page 500 502 503 504 /500.html;
|
210
|
+
# location = /500.html {
|
211
|
+
# root /mnt/app/current/public;
|
212
|
+
# }
|
213
|
+
#
|
214
|
+
# # this allows people to use images and css in their maintenance.html file
|
215
|
+
# if ($request_filename ~* \.(css|jpg|gif|png)$) {
|
216
|
+
# break;
|
217
|
+
# }
|
218
|
+
#
|
219
|
+
# # this rewrites all the requests to the maintenance.html
|
220
|
+
# # page if it exists in the doc root. This is for capistrano's
|
221
|
+
# # disable web task
|
222
|
+
# if (-f $document_root/system/maintenance.html) {
|
223
|
+
# rewrite ^(.*)$ /system/maintenance.html last;
|
224
|
+
# break;
|
225
|
+
# }
|
226
|
+
#
|
227
|
+
# # see http://wiki.codemongers.com/NginxHttpStubStatusModule
|
228
|
+
# # for more information
|
229
|
+
# location /nginx_status {
|
230
|
+
# # copied from http://blog.kovyrin.net/2006/04/29/monitoring-nginx-with-rrdtool/
|
231
|
+
# stub_status on;
|
232
|
+
# access_log off;
|
233
|
+
# #only allow from localhost
|
234
|
+
# allow 127.0.0.1;
|
235
|
+
# deny all;
|
236
|
+
# }
|
237
|
+
#
|
238
|
+
# location / {
|
239
|
+
# # FUTURE TODO...enable this and test the hell out of it
|
240
|
+
# # if ($request_method = GET) {
|
241
|
+
# # set $memcached_key $uri;
|
242
|
+
# # memcached_pass 127.0.0.1:11211;
|
243
|
+
# # error_page 404 502 = @myapp;
|
244
|
+
# # break;
|
245
|
+
# # }
|
246
|
+
#
|
247
|
+
# index index.html index.htm;
|
248
|
+
#
|
249
|
+
# # needed to forward user's IP address to rails
|
250
|
+
# proxy_set_header X-Real-IP $remote_addr;
|
251
|
+
# # needed for HTTPS
|
252
|
+
# proxy_set_header X_FORWARDED_PROTO https;
|
253
|
+
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
254
|
+
# proxy_set_header Host $http_host;
|
255
|
+
# proxy_redirect false;
|
256
|
+
# proxy_max_temp_file_size 0;
|
257
|
+
# proxy_next_upstream error; # do not pass along to another mongrel instance if failed or timed out
|
258
|
+
# proxy_read_timeout 400; # give plenty of time for long-running rails processing tasks
|
259
|
+
# #the proxy_connect_timeout cannot be more than 75
|
260
|
+
# proxy_connect_timeout 70;
|
261
|
+
#
|
262
|
+
# location ~ ^/(images|javascripts|stylesheets)/ {
|
263
|
+
# expires 10y;
|
264
|
+
# }
|
265
|
+
#
|
266
|
+
# if (-f $request_filename) {
|
267
|
+
# break;
|
268
|
+
# }
|
269
|
+
#
|
270
|
+
# # this is the meat of the rails page caching config
|
271
|
+
# # it adds .html to the end of the url and then checks
|
272
|
+
# # the filesystem for that file. If it exists, then we
|
273
|
+
# # rewite the url to have explicit .html on the end
|
274
|
+
# # and then send it on its way to the next config rule.
|
275
|
+
# # if there is no file on the fs then it sets all the
|
276
|
+
# # necessary headers and proxies to our upstream mongrels
|
277
|
+
# if (-f $request_filename.html) {
|
278
|
+
# rewrite (.*) $1.html break;
|
279
|
+
# }
|
280
|
+
#
|
281
|
+
# # ok to have this out here because PDF's should never
|
282
|
+
# # be fully paged cache anyway
|
283
|
+
# if ($request_filename ~* \.pdf$) {
|
284
|
+
# proxy_pass http://mongrel_pdf;
|
285
|
+
# break;
|
286
|
+
# }
|
287
|
+
#
|
288
|
+
# if (!-f $request_filename) {
|
289
|
+
# proxy_pass http://mongrel;
|
290
|
+
# break;
|
291
|
+
# }
|
292
|
+
# }
|
293
|
+
#
|
294
|
+
# }
|
295
|
+
}
|
296
|
+
|
@@ -0,0 +1 @@
|
|
1
|
+
../init.d/ec2-first-startup
|
@@ -0,0 +1 @@
|
|
1
|
+
../init.d/ec2-every-startup
|
@@ -0,0 +1 @@
|
|
1
|
+
../init.d/set_roles
|
@@ -0,0 +1,94 @@
|
|
1
|
+
# Package generated configuration file
|
2
|
+
# See the sshd(8) manpage for details
|
3
|
+
|
4
|
+
# HARDEN OpenSSH TODO's
|
5
|
+
# * specify AllowUsers
|
6
|
+
# * PermitRootLogin no # turn off root login access
|
7
|
+
# to do that, we will probably need to create a non-root user to escalate
|
8
|
+
# privileges to from capistrano, like 'admin'
|
9
|
+
# * change default port to something other than 22
|
10
|
+
|
11
|
+
# What ports, IPs and protocols we listen for
|
12
|
+
Port 22
|
13
|
+
# Use these options to restrict which interfaces/protocols sshd will bind to
|
14
|
+
#ListenAddress ::
|
15
|
+
#ListenAddress 0.0.0.0
|
16
|
+
Protocol 2
|
17
|
+
# HostKeys for protocol version 2
|
18
|
+
HostKey /etc/ssh/ssh_host_rsa_key
|
19
|
+
HostKey /etc/ssh/ssh_host_dsa_key
|
20
|
+
#Privilege Separation is turned on for security
|
21
|
+
UsePrivilegeSeparation yes
|
22
|
+
|
23
|
+
# Enable to harden the ssh host
|
24
|
+
# AllowUsers admin app
|
25
|
+
|
26
|
+
# Lifetime and size of ephemeral version 1 server key
|
27
|
+
KeyRegenerationInterval 3600
|
28
|
+
ServerKeyBits 768
|
29
|
+
|
30
|
+
# Logging
|
31
|
+
SyslogFacility AUTH
|
32
|
+
LogLevel INFO
|
33
|
+
|
34
|
+
# Authentication:
|
35
|
+
LoginGraceTime 120
|
36
|
+
PermitRootLogin without-password
|
37
|
+
UseDNS no
|
38
|
+
StrictModes yes
|
39
|
+
|
40
|
+
RSAAuthentication yes
|
41
|
+
PubkeyAuthentication yes
|
42
|
+
#AuthorizedKeysFile %h/.ssh/authorized_keys
|
43
|
+
|
44
|
+
# Don't read the user's ~/.rhosts and ~/.shosts files
|
45
|
+
IgnoreRhosts yes
|
46
|
+
# For this to work you will also need host keys in /etc/ssh_known_hosts
|
47
|
+
RhostsRSAAuthentication no
|
48
|
+
# similar for protocol version 2
|
49
|
+
HostbasedAuthentication no
|
50
|
+
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
|
51
|
+
#IgnoreUserKnownHosts yes
|
52
|
+
|
53
|
+
# To enable empty passwords, change to yes (NOT RECOMMENDED)
|
54
|
+
PermitEmptyPasswords no
|
55
|
+
|
56
|
+
# Change to yes to enable challenge-response passwords (beware issues with
|
57
|
+
# some PAM modules and threads)
|
58
|
+
ChallengeResponseAuthentication no
|
59
|
+
|
60
|
+
# Change to no to disable tunnelled clear text passwords
|
61
|
+
PasswordAuthentication no
|
62
|
+
|
63
|
+
# Kerberos options
|
64
|
+
#KerberosAuthentication no
|
65
|
+
#KerberosGetAFSToken no
|
66
|
+
#KerberosOrLocalPasswd yes
|
67
|
+
#KerberosTicketCleanup yes
|
68
|
+
|
69
|
+
# GSSAPI options
|
70
|
+
#GSSAPIAuthentication no
|
71
|
+
#GSSAPICleanupCredentials yes
|
72
|
+
|
73
|
+
X11Forwarding yes
|
74
|
+
X11DisplayOffset 10
|
75
|
+
PrintMotd no
|
76
|
+
PrintLastLog yes
|
77
|
+
TCPKeepAlive yes
|
78
|
+
#UseLogin no
|
79
|
+
|
80
|
+
#MaxStartups 10:30:60
|
81
|
+
#Banner /etc/issue.net
|
82
|
+
|
83
|
+
# Allow client to pass locale environment variables
|
84
|
+
AcceptEnv LANG LC_*
|
85
|
+
|
86
|
+
Subsystem sftp /usr/lib/openssh/sftp-server
|
87
|
+
|
88
|
+
UsePAM yes
|
89
|
+
|
90
|
+
# PermitUserEnvironment yes
|
91
|
+
# AcceptEnv PATH
|
92
|
+
# AcceptEnv RUBYLIB
|
93
|
+
|
94
|
+
GatewayPorts clientspecified
|
@@ -0,0 +1 @@
|
|
1
|
+
sudoers.full_access
|
@@ -0,0 +1,26 @@
|
|
1
|
+
# /etc/sudoers
|
2
|
+
#
|
3
|
+
# This file MUST be edited with the 'visudo' command as root.
|
4
|
+
#
|
5
|
+
# See the man page for details on how to write a sudoers file.
|
6
|
+
# Host alias specification
|
7
|
+
|
8
|
+
# User alias specification
|
9
|
+
|
10
|
+
# Cmnd alias specification
|
11
|
+
|
12
|
+
# Defaults
|
13
|
+
|
14
|
+
Defaults !lecture,tty_tickets,!fqdn
|
15
|
+
|
16
|
+
# User privilege specification
|
17
|
+
root ALL=(ALL) ALL
|
18
|
+
|
19
|
+
# The 'app' user can run sudo without a password
|
20
|
+
# This is a security hole. Use sudoers.restricted when running in regular mode
|
21
|
+
app ALL=(ALL) NOPASSWD: ALL
|
22
|
+
|
23
|
+
|
24
|
+
# If you add named administrator accounts, add them to the group 'sudoers'
|
25
|
+
# to give them sudo access
|
26
|
+
%sudoers ALL=(ALL) ALL
|
@@ -0,0 +1,28 @@
|
|
1
|
+
# /etc/sudoers
|
2
|
+
#
|
3
|
+
# This file MUST be edited with the 'visudo' command as root.
|
4
|
+
#
|
5
|
+
# See the man page for details on how to write a sudoers file.
|
6
|
+
# Host alias specification
|
7
|
+
|
8
|
+
# User alias specification
|
9
|
+
|
10
|
+
# Cmnd alias specification
|
11
|
+
|
12
|
+
# Defaults
|
13
|
+
|
14
|
+
Defaults !lecture,tty_tickets,!fqdn
|
15
|
+
|
16
|
+
# User privilege specification
|
17
|
+
root ALL=(ALL) ALL
|
18
|
+
|
19
|
+
# The 'app' user can NOT run sudo without a password, except when running god and a rake task.
|
20
|
+
# This is safer, but slightly more of a hassle, than running with sudoers.full_access
|
21
|
+
app ALL = NOPASSWD: /usr/bin/god
|
22
|
+
|
23
|
+
# If you add named administrator accounts, add them to the group 'sudoers'
|
24
|
+
# to give them sudo access
|
25
|
+
%sudoers ALL=(ALL) ALL
|
26
|
+
|
27
|
+
|
28
|
+
|
@@ -0,0 +1,69 @@
|
|
1
|
+
# /etc/syslog.conf Configuration file for syslogd.
|
2
|
+
#
|
3
|
+
# For more information see syslog.conf(5)
|
4
|
+
# manpage.
|
5
|
+
|
6
|
+
#
|
7
|
+
# First some standard logfiles. Log by facility.
|
8
|
+
#
|
9
|
+
|
10
|
+
auth,authpriv.* /mnt/log/auth.log
|
11
|
+
*.*;auth,authpriv.none -/mnt/log/syslog
|
12
|
+
#cron.* /mnt/log/cron.log
|
13
|
+
daemon.* -/mnt/log/daemon.log
|
14
|
+
kern.* -/mnt/log/kern.log
|
15
|
+
lpr.* -/mnt/log/lpr.log
|
16
|
+
mail.* -/mnt/log/mail.log
|
17
|
+
user.* -/mnt/log/user.log
|
18
|
+
|
19
|
+
#
|
20
|
+
# Logging for the mail system. Split it up so that
|
21
|
+
# it is easy to write scripts to parse these files.
|
22
|
+
#
|
23
|
+
mail.info -/mnt/log/mail.info
|
24
|
+
mail.warn -/mnt/log/mail.warn
|
25
|
+
mail.err /mnt/log/mail.err
|
26
|
+
|
27
|
+
# Logging for INN news system
|
28
|
+
#
|
29
|
+
news.crit /mnt/log/news/news.crit
|
30
|
+
news.err /mnt/log/news/news.err
|
31
|
+
news.notice -/mnt/log/news/news.notice
|
32
|
+
|
33
|
+
#
|
34
|
+
# Some `catch-all' logfiles.
|
35
|
+
#
|
36
|
+
*.=debug;\
|
37
|
+
auth,authpriv.none;\
|
38
|
+
news.none;mail.none -/mnt/log/debug
|
39
|
+
*.=info;*.=notice;*.=warn;\
|
40
|
+
auth,authpriv.none;\
|
41
|
+
cron,daemon.none;\
|
42
|
+
mail,news.none -/mnt/log/messages
|
43
|
+
|
44
|
+
#
|
45
|
+
# Emergencies are sent to everybody logged in.
|
46
|
+
#
|
47
|
+
*.emerg *
|
48
|
+
|
49
|
+
#
|
50
|
+
# I like to have messages displayed on the console, but only on a virtual
|
51
|
+
# console I usually leave idle.
|
52
|
+
#
|
53
|
+
#daemon,mail.*;\
|
54
|
+
# news.=crit;news.=err;news.=notice;\
|
55
|
+
# *.=debug;*.=info;\
|
56
|
+
# *.=notice;*.=warn /dev/tty8
|
57
|
+
|
58
|
+
# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
|
59
|
+
# you must invoke `xconsole' with the `-file' option:
|
60
|
+
#
|
61
|
+
# $ xconsole -file /dev/xconsole [...]
|
62
|
+
#
|
63
|
+
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
|
64
|
+
# busy site..
|
65
|
+
#
|
66
|
+
daemon.*;mail.*;\
|
67
|
+
news.err;\
|
68
|
+
*.=debug;*.=info;\
|
69
|
+
*.=notice;*.=warn |/dev/xconsole
|
@@ -0,0 +1,26 @@
|
|
1
|
+
#!/usr/bin/ruby1.8
|
2
|
+
#
|
3
|
+
# This file was generated by RubyGems.
|
4
|
+
#
|
5
|
+
# The application 'god' is installed as part of a gem, and
|
6
|
+
# this file is here to facilitate running it.
|
7
|
+
#
|
8
|
+
|
9
|
+
# NOTE: modified for ec2onrails by including the god_patch
|
10
|
+
#
|
11
|
+
|
12
|
+
require 'rubygems'
|
13
|
+
|
14
|
+
version = ">= 0"
|
15
|
+
|
16
|
+
if ARGV.first =~ /^_(.*)_$/ and Gem::Version.correct? $1 then
|
17
|
+
version = $1
|
18
|
+
ARGV.shift
|
19
|
+
end
|
20
|
+
|
21
|
+
gem 'god', version
|
22
|
+
require '/usr/local/ec2onrails/lib/god_patch'
|
23
|
+
|
24
|
+
load 'god'
|
25
|
+
|
26
|
+
|