taperole 1.8.2 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 6fb94b321ee9685d1052e1d8becd66a431699336
-  data.tar.gz: 481618d523effa7b4d01bded643964183bd27115
+  metadata.gz: 82c0a82eb80be81e11f2b2db205d80fdd40d6200
+  data.tar.gz: 5c2d11343fdf6c22a69b6e463cffcf21506e091a
 SHA512:
-  metadata.gz: 76e61eec385c1afbeb1d0423387dea454acb650f7a37b185bc9e763bc762da60251bdc9b841a659760366778d49d9d69ac231311e64ce44d0d31cfdfe135a32d
-  data.tar.gz: d9f0fc10aab2fadd5c6bfa3c55fabf52a9110bf0fd4b2c134af8f51f4855c2b70543447bc623d54e79ae6504f944f043d7b78b5ec27e67c9ba15b79c274967e5
+  metadata.gz: 68efdeb3ead8f15b062ec668913a914eb542273d9bc0718cf841f145f2808b147d73cf6659f482ed2fc9b49fa9bb133f2df5136f8bf754e78491ac78c7c60577
+  data.tar.gz: 07eb11f3f75dafd885402ca764134cc2e074e54c2a4372fee4d56246a8b0565b9185ab157b4dbf0ff181445931964c898c3ef5d4e7d0467140d7b6825e1b4781

data/.travis.yml

@@ -7,6 +7,6 @@ services:
 
 script:
   - bundle install
-  - rake spec
+  - bundle exec rake spec
   - docker build -f test/rails/Dockerfile -t imagetest .
   - docker run -i -t $(docker images -q imagetest) /start_rails.sh | grep "Hello"

data/CHANGELOG.md

@@ -1,3 +1,16 @@
+### 2.0.0
+* Set default ruby to 2.4
+* Moved from Unicorn to Puma
+* Supports Rails 5
+* Use letsencrypt for HTTPS configuration
+* `tape ansible everything` is now `tape ansible deploy`
+
+### 1.8.2 (also 1.8.1)
+* Updates ANXS PG Galaxy role
+* Install postgres 9.4 by default
+* Kernel level mem leak issues for Redis fixed
+* Node 6 installed by default
+
 ### 1.8.0
 * Major readme cleanup
 * I'm actually writing a changlog now :snowman:

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    taperole (1.8.1)
+    taperole (1.8.2)
       colorize (~> 0.8.1)
       slack-notifier (~> 1.5)
       thor (~> 0.19.1)
@@ -11,6 +11,7 @@ GEM
   specs:
     colorize (0.8.1)
     diff-lcs (1.3)
+    rake (12.0.0)
     rspec (3.5.0)
       rspec-core (~> 3.5.0)
       rspec-expectations (~> 3.5.0)
@@ -31,9 +32,10 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
+  rake (= 12.0.0)
   rspec (~> 3.5)
   rspec-expectations (~> 3.5)
   taperole!
 
 BUNDLED WITH
-   1.11.2
+   1.12.5

data/README.md

@@ -28,7 +28,7 @@ be_app_repo: [git repo]
 ```
 
 * Copy all developers' public keys into the `taperole/dev_keys` directory.
-* Use `$ tape ansible everything` for your first deploy, then `$ tape ansible deploy` for subsequent changes.
+* Use `$ tape ansible provision` for your first deploy, then `$ tape ansible deploy` for subsequent changes.
 
 **Upgrade**
 
@@ -116,7 +116,7 @@ The port number might be different if other vagrant machines are running, run `v
 You can specify a port using the `ansible_ssh_port` in your hosts inventory file.
 
 3. Update `tape_vars.yml` with information to a rails app you want to deploy
-4. `tape ansible everything -l vagrant`
+4. `tape ansible provision -l vagrant`
 
 ### With Docker
 1. Setup your machine to work with Docker. We recommend [Docker Machine](https://docs.docker.com/machine/)
@@ -139,8 +139,8 @@ ansible-galaxy install -r requirements.yml --force
 ## Rails Application Requirements
 
 Your rails application must:
-* use postgres as the database
-* use unicorn as the app server
+* use posgres as the database
+* use puma as the app server
 * have access to the taperole gem
 
 Usually, your Gemfile will include something like:
@@ -148,8 +148,8 @@ Usually, your Gemfile will include something like:
 # Use postgresql as the database
 gem 'pg'
 
-# Use Unicorn as the app server
-gem 'unicorn'
+# Use Puma as the app server
+gem 'puma'
 
 # Use taperole for deployment
 gem 'taperole', '~>1.7'

data/lib/taperole/commands/ansible.rb

@@ -44,8 +44,8 @@ module Taperole
                    type: :string,
                    desc: 'A custom playbook to run'
 
-      desc 'everything', 'Initial setup of a server'
-      def everything
+      desc 'provision', 'Initial setup of a server'
+      def provision
         Taperole::Notifier.register_notifiers(options)
         valid_preconfigs ? ansible(options: options) : puts("Not a Rails or JS app")
       end

data/lib/taperole/core/ansible_runner.rb

@@ -15,7 +15,7 @@ module Taperole
     end
 
     def valid_gems
-      has_gem_in_gemfile?('unicorn')
+      has_gem_in_gemfile?('puma')
     end
 
     def has_gem_in_gemfile?(name)

data/lib/taperole/core/installer.rb

@@ -24,7 +24,7 @@ module Taperole
       rm "#{tapefiles_dir}/rake.yml"
       rm "#{tapefiles_dir}/roles"
       rm "#{tapefiles_dir}/hosts"
-      rm "#{local_dir}/dev_keys"
+      rm "#{tapefiles_dir}/dev_keys"
       rm "#{local_dir}/Vagrantfile"
     end
 
@@ -36,10 +36,10 @@ module Taperole
 
     def create_tape_files
       if fe_app? && !rails_app?
-        logger.info '🔎  JS/HTML app detected'.red
+        logger.info '🔎  JS/HTML app detected'.blue
         copy_static_app_examples
       elsif rails_app?
-        logger.info '🔎  Rails app detected'.red
+        logger.info '🔎  Rails app detected'.blue
         copy_basic_examples
       end
     end
@@ -72,7 +72,7 @@ module Taperole
     end
 
     def create_ssh_keys_dir
-      mkdir "#{local_dir}/dev_keys"
+      mkdir "#{tapefiles_dir}/dev_keys"
     end
 
     def handle_vagrantfile

data/lib/taperole/version.rb

@@ -1,3 +1,3 @@
 module Taperole
-  VERSION = '1.8.2'.freeze
+  VERSION = '2.0.0'.freeze
 end

data/requirements.yml

@@ -10,9 +10,6 @@
   name: ANXS.postgresql
   version: v1.7.1
 
-- src: geerlingguy.memcached
-  version: 1.0.4
-
 - src: tersmitten.htop
 
 - src: https://github.com/Oefenweb/ansible-sysfs

data/roles/backend_checkout/tasks/main.yml

@@ -15,7 +15,6 @@
   when: be_app_path_stat.stat.exists and changes_on_remote.stdout_lines == []
 
 - name: Check out application
-  sudo: false
   remote_user: "{{ deployer_user.name }}"
   git: dest={{ be_app_path }}
        repo={{ be_app_repo }}

data/roles/backend_install_essentials/meta/main.yml

@@ -1,5 +1,4 @@
 ---
 dependencies:
-  - role: geerlingguy.memcached
   - role: ruby
   - role: node

data/roles/backend_install_essentials/tasks/main.yml

@@ -3,16 +3,6 @@
             dest=/etc/gemrc
             mode=u=rw,g=r,o=r
 
-- name: Register monit memcached config files
-  template: src=memcached.j2
-            dest=/etc/monit/conf.d/memcached
-            mode=u=rw,g=r,o=r
-  register: memcached_monit_config
-
-- name: Reload Monit
-  command: bash -lc "monit reload"
-  when: memcached_monit_config.changed
-
 # zzet.rbenv puts all the rbenv stuff in profile for some reason
 # so we gotta use login shells to do this stuff
 - name: Install bundler

data/roles/deployer_user/tasks/main.yml

@@ -1,13 +1,13 @@
 - name: Create deployer groups
   group: name={{ item }} state=present
-  with_items: deployer_user.groups
+  with_items: '{{ deployer_user.groups }}'
 
 - name: Ensure deployer user is present
   user: name={{ deployer_user.name }} state=present append=yes shell=/bin/bash
 
 - name: Ensure deployer user is in its groups
   user: name={{ deployer_user.name }} groups={{ item }} state=present append=yes shell=/bin/bash
-  with_items: deployer_user.groups
+  with_items: '{{ deployer_user.groups }}'
 
 - name: Ensure deployer user owns its own homedir
   file: path=/home/deployer state=directory owner=deployer

data/roles/dev_keys/tasks/main.yml

@@ -3,4 +3,4 @@
     user={{ deployer_user.name }}
     state=present
   with_fileglob:
-    - "{{ playbook_dir }}/../dev_keys/*"
+    - "{{ playbook_dir }}/dev_keys/*"

data/roles/letsencrypt/tasks/main.yml

@@ -0,0 +1,19 @@
+- name: Install letsencrypt
+  apt: name=letsencrypt state=present
+  when: letsencrypt.enabled == true
+
+- name: Get letsencrypt cert
+  command: bash -lc "letsencrypt certonly --standalone --rsa-key-size 4096 --force-renew --agree-tos --email {{ letsencrypt.email }} --text --non-interactive -d {{ letsencrypt.hostname }}"
+  args:
+    creates: "/etc/letsencrypt/live/{{ letsencrypt.hostname }}/privkey.pem"
+  when: letsencrypt.enabled == true
+
+- name: Set cert to renew every monday at 2:30 am
+  cron:
+    name: Certbot renew
+    weekday: 1
+    hour: 2
+    minute: 30
+    job: /usr/bin/letsencrypt renew --rsa-key-size 4096 >> /var/log/le-renew.log
+    user: root
+  when: letsencrypt.enabled == true

data/roles/nginx/tasks/main.yml

@@ -15,27 +15,50 @@
   args:
     chdir: /etc/nginx/ssl
     creates: /etc/nginx/ssl/self-signed.*
-
-- stat: path=/etc/nginx/ssl/dhparam.pem
-  register: dhparam
+  when: letsencrypt.enabled == false
 
 - name: Create Diffie Hellman Ephemeral Parameters (this will take some time)
-  command: bash -lc "openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048" creates=/etc/nginx/ssl/dhparam.pem
+  command: bash -lc "openssl dhparam -out /etc/nginx/ssl/dhparam.pem 3072"
+  args:
+    creates: /etc/nginx/ssl/dhparam.pem
 
 - name: Configure App nginx
-  template: src=nginx_unicorn.j2 dest=/etc/nginx/sites-enabled/{{ app_name }}
+  template:
+    src: nginx_puma.j2
+    dest: /etc/nginx/sites-enabled/{{ app_name }}
+  register: nginx_config
+
+- name: Install nginx config
+  template:
+    src: nginx.conf.j2
+    dest: /etc/nginx/nginx.conf
+  register: nginx_config
 
 - name: Install monit nginx config
-  file: src=/etc/monit/conf-available/nginx dest=/etc/monit/conf-enabled/nginx owner=root group=root state=link
+  file:
+    src: /etc/monit/conf-available/nginx
+    dest: /etc/monit/conf-enabled/nginx
+    owner: root
+    group: root
+    state: link
   register: nginx_monit_config
 
 - name: Reload Monit
   command: bash -lc "monit reload && sleep 2"
   when: nginx_monit_config.changed
 
-- name: Stop nginx
-  service: name=nginx state=stopped
+- name: Check if nginx running
+  shell: ps -ef | grep nginx | grep -v grep
+  register: nginx_running
+  changed_when: false
+  ignore_errors: true
 
 - name: Start nginx
   remote_user: "{{ deployer_user.name }}"
   command: bash -lc "sudo monit start nginx"
+  when: nginx_running | failed
+
+- name: Restart nginx
+  remote_user: "{{ deployer_user.name }}"
+  command: bash -lc "sudo monit restart nginx"
+  when: nginx_running | success and nginx_config.changed

data/roles/nginx/templates/nginx.conf.j2

@@ -0,0 +1,84 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+  worker_connections 768;
+  # multi_accept on;
+}
+
+http {
+  ##
+  # Basic Settings
+  ##
+
+  sendfile on;
+  tcp_nopush on;
+  tcp_nodelay on;
+  keepalive_timeout 65;
+  types_hash_max_size 2048;
+  # server_tokens off;
+
+  # server_names_hash_bucket_size 64;
+  # server_name_in_redirect off;
+
+  include /etc/nginx/mime.types;
+  default_type application/octet-stream;
+
+  ##
+  # SSL Settings
+  ##
+
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+  ssl_prefer_server_ciphers on;
+
+  ##
+  # Logging Settings
+  ##
+
+  access_log /var/log/nginx/access.log;
+  error_log /var/log/nginx/error.log;
+
+  ##
+  # Gzip Settings
+  ##
+
+  gzip on;
+  gzip_disable "msie6";
+
+  gzip_vary on;
+  gzip_proxied any;
+  gzip_comp_level 6;
+  gzip_buffers 4 42k;
+  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/x-font-ttf application/x-font-opentype font/eot font/opentype image/svg+xml font/otf application/xml+rss text/javascript;
+
+  ##
+  # Virtual Host Configs
+  ##
+
+  include /etc/nginx/conf.d/*.conf;
+  include /etc/nginx/sites-enabled/*;
+}
+
+
+#mail {
+#       # See sample authentication script at:
+#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+#       # auth_http localhost/auth.php;
+#       # pop3_capabilities "TOP" "USER";
+#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+#       server {
+#               listen     localhost:110;
+#               protocol   pop3;
+#               proxy      on;
+#       }
+#
+#       server {
+#               listen     localhost:143;
+#               protocol   imap;
+#               proxy      on;
+#       }
+#}

data/roles/nginx/templates/{nginx_unicorn.j2 → nginx_puma.j2}

@@ -1,6 +1,10 @@
+# DoS Mitigation
+limit_req_zone $binary_remote_addr zone=one:10m rate=3r/m;
+limit_conn_zone $binary_remote_addr zone=addr:10m;
+
 {% if be_app_repo is defined %}
-upstream unicorn {
-  server unix:{{unicorn_sockfile}} fail_timeout=0;
+upstream puma {
+  server unix:{{puma_sockfile}} fail_timeout=0;
 }
 {% endif %}
 server {
@@ -8,32 +12,49 @@ server {
   return 301 https://$host$request_uri;
 }
 
-
 server {
-  listen 443 default deferred;
+  listen 443 http2 default_server;
+  listen [::]:443 ssl http2 default_server;
 
-  # server_name example.com;
+
+{% if letsencrypt.hostname %}
+  server_name {{ letsencrypt.hostname }};
+{% endif %}
 
   ssl on;
+{% if letsencrypt.enabled %}
+  ssl_certificate /etc/letsencrypt/live/{{ letsencrypt.hostname }}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/{{ letsencrypt.hostname }}/privkey.pem;
+{% else %}
   ssl_certificate /etc/nginx/ssl/self-signed.crt;
   ssl_certificate_key /etc/nginx/ssl/self-signed.key;
+{% endif %}
   ssl_dhparam /etc/nginx/ssl/dhparam.pem;
 
+  ssl_protocols TLSv1.1 TLSv1.2;
+
+  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+
   ssl_prefer_server_ciphers on;
+  ssl_ecdh_curve secp384r1;
   ssl_session_cache shared:SSL:10m;
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-
+  ssl_session_tickets off;
+  add_header Strict-Transport-Security "max-age=31536000; preload" ;
+  ssl_session_timeout 2h;
   ssl_stapling on;
   ssl_stapling_verify on;
+
+
   resolver 8.8.8.8 8.8.4.4 valid=300s;
   resolver_timeout 5s;
 
-  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
-
-  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
   add_header X-Frame-Options "DENY";
   add_header Public-Key-Pins 'pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; pin-sha256="633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q="; max-age=2592000; includeSubDomains';
 
+  # DoS Mitigation
+  client_body_timeout 5s;
+  client_header_timeout 5s;
+
 {% if fe_app_repo is defined%}
   root {{ fe_app_path }}/dist;
 {% else %}
@@ -57,12 +78,12 @@ server {
   }
 
 {% if be_app_repo is defined %}
-  try_files $uri/index.html $uri @unicorn;
-  location @unicorn {
+  try_files $uri/index.html $uri @puma;
+  location @puma {
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header Host $http_host;
     proxy_redirect off;
-    proxy_pass http://unicorn;
+    proxy_pass http://puma;
   }
 {% endif %}
 

data/roles/puma_activate/tasks/main.yml

@@ -0,0 +1,27 @@
+- name: Ensure puma owns it tmp dir
+  file:
+    path: "{{be_app_path}}/tmp"
+    state: directory
+    owner: deployer
+
+- name: Ensure puma owns it pids dir
+  file:
+    path: "{{be_app_path}}/pids"
+    state: directory
+    owner: deployer
+
+- name: Check if puma running
+  shell: ps -ef | grep puma | grep -v grep
+  register: puma_running
+  changed_when: false
+  ignore_errors: true
+
+- name: Start Puma
+  remote_user: "{{ deployer_user.name }}"
+  command: bash -lc "sudo monit start puma"
+  when: puma_running | failed
+
+- name: Restart Puma
+  remote_user: "{{ deployer_user.name }}"
+  command: bash -lc "sudo monit restart puma"
+  when: puma_running | success

data/roles/puma_install/tasks/main.yml

@@ -0,0 +1,29 @@
+- name: Set up Puma log dir
+  file: path={{be_app_path}}/log state=directory owner=deployer
+
+- name: Install Puma config
+  template: src=puma.rb.j2
+            dest={{be_app_path}}/config/puma.rb
+
+- name: Set up Puma pids dir
+  file:
+    path: "{{be_app_path}}/pids"
+    state: directory
+    owner: deployer
+
+- name: Register Puma init script
+  template:
+    src: puma_init.j2
+    dest: /etc/init.d/puma
+    mode: u=rwx,g=r,o=r
+
+- name: Register Puma monit config files
+  template:
+    src: puma_monit.j2
+    dest: /etc/monit/conf.d/puma
+    mode: u=rw,g=r,o=r
+  register: puma_monit_config
+
+- name: Reload Monit
+  command: bash -lc "monit reload"
+  when: puma_monit_config.changed

data/roles/puma_install/templates/puma.rb.j2

@@ -0,0 +1,26 @@
+# Should match number of CPU Cores
+workers {{puma_workers}}
+
+# Min and Max threads per worker
+threads 1, 6
+
+# Default to production
+rails_env = "{{be_app_env}}"
+environment rails_env
+
+# Set up socket location
+bind "unix://{{puma_sockfile}}"
+
+# Logging
+stdout_redirect "{{be_app_path}}/log/puma.log", "{{be_app_path}}/log/puma.log", true
+
+# Set master PID and state locations
+pidfile "{{ puma_pidfile }}"
+state_path "{{puma_state_path}}"
+activate_control_app
+
+on_worker_boot do
+  require "active_record"
+  ActiveRecord::Base.connection.disconnect! rescue ActiveRecord::ConnectionNotEstablished
+  ActiveRecord::Base.establish_connection(YAML.load_file("{{be_app_path}}/config/database.yml")["{{be_app_env}}"])
+end

data/roles/puma_install/templates/puma_init.j2

@@ -0,0 +1,75 @@
+#!/usr/bin/env bash
+
+# This monit wrapper script will be called by monit as root
+# Edit these variables to your liking
+
+RAILS_ENV={{ be_app_env }}
+USER={{ deployer_user.name }}
+APP_DIR={{ be_app_path }}
+PUMA_CONFIG_FILE=$APP_DIR/config/puma.rb
+PUMA_PID_FILE={{ puma_pidfile }}
+PUMA_SOCKET={{ puma_sockfile }}
+
+# check if puma process is running
+puma_is_running() {
+  if [ -S $PUMA_SOCKET ] ; then
+    if [ -e $PUMA_PID_FILE ] ; then
+      if cat $PUMA_PID_FILE | xargs pgrep -P > /dev/null ; then
+        return 0
+      else
+        echo "No puma process found"
+      fi
+    else
+      echo "No puma pid file found"
+    fi
+  else
+    echo "No puma socket found"
+  fi
+
+  return 1
+}
+
+case "$1" in
+  start)
+    echo "Starting puma..."
+    rm -f $PUMA_SOCKET
+
+    if [ -e $PUMA_CONFIG_FILE ] ; then
+      echo "cd $APP_DIR && RAILS_ENV=$RAILS_ENV bundle exec puma -C $PUMA_CONFIG_FILE --daemon"
+      /bin/su - $USER -c "cd $APP_DIR && RAILS_ENV=$RAILS_ENV bundle exec puma -C $PUMA_CONFIG_FILE --daemon"
+    else
+      echo "ERROR: No config file found in $PUMA_CONFIG_FILE"
+    fi
+
+    echo "done"
+    ;;
+
+  stop)
+    echo "Stopping puma..."
+      echo "cd $APP_DIR && RAILS_ENV=$RAILS_ENV bundle exec pumactl stop"
+      /bin/su - $USER -c "cd $APP_DIR && RAILS_ENV=$RAILS_ENV bundle exec pumactl stop"
+      rm -f $PUMA_PID_FILE
+      rm -f $PUMA_SOCKET
+
+    echo "done"
+    ;;
+
+  restart)
+    if puma_is_running ; then
+      echo "Hot-restarting puma..."
+      /bin/su - $USER -c "cd $APP_DIR && RAILS_ENV=$RAILS_ENV bundle exec pumactl restart"
+
+      echo "Doublechecking the process restart..."
+      sleep 15
+      if puma_is_running ; then
+        echo "done"
+        exit 0
+      else
+        echo "Puma restart failed :/"
+      fi
+    fi
+    ;;
+  *)
+    echo "Usage: puma {start|stop|restart}" >&2
+    ;;
+esac

data/roles/puma_install/templates/puma_monit.j2

@@ -0,0 +1,6 @@
+check process puma
+  with pidfile  {{ puma_pidfile }}
+  start program = "/etc/init.d/puma start"
+  stop program = "/etc/init.d/puma stop"
+  restart program = "/etc/init.d/puma restart"
+  group myapp