taperole 1.8.2 → 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.travis.yml +1 -1
- data/CHANGELOG.md +13 -0
- data/Gemfile.lock +4 -2
- data/README.md +6 -6
- data/lib/taperole/commands/ansible.rb +2 -2
- data/lib/taperole/core/ansible_runner.rb +1 -1
- data/lib/taperole/core/installer.rb +4 -4
- data/lib/taperole/version.rb +1 -1
- data/requirements.yml +0 -3
- data/roles/backend_checkout/tasks/main.yml +0 -1
- data/roles/backend_install_essentials/meta/main.yml +0 -1
- data/roles/backend_install_essentials/tasks/main.yml +0 -10
- data/roles/deployer_user/tasks/main.yml +2 -2
- data/roles/dev_keys/tasks/main.yml +1 -1
- data/roles/letsencrypt/tasks/main.yml +19 -0
- data/roles/nginx/tasks/main.yml +31 -8
- data/roles/nginx/templates/nginx.conf.j2 +84 -0
- data/roles/nginx/templates/{nginx_unicorn.j2 → nginx_puma.j2} +34 -13
- data/roles/puma_activate/tasks/main.yml +27 -0
- data/roles/puma_install/tasks/main.yml +29 -0
- data/roles/puma_install/templates/puma.rb.j2 +26 -0
- data/roles/puma_install/templates/puma_init.j2 +75 -0
- data/roles/puma_install/templates/puma_monit.j2 +6 -0
- data/spec/commands/installer_spec.rb +3 -3
- data/taperole.gemspec +1 -0
- data/templates/base/deploy.example.yml +1 -1
- data/templates/base/omnibox.example.yml +3 -2
- data/templates/base/tape_vars.example.yml +6 -1
- data/templates/static_html/omnibox.example.yml +1 -0
- data/templates/static_html/tape_vars.example.yml +6 -1
- data/test/base_docker_box/Dockerfile +3 -3
- data/test/rails/Dockerfile +3 -3
- data/test/rails/start_rails.sh +6 -4
- data/test/rails/tape_vars.yml +7 -2
- data/vars/defaults.yml +7 -6
- metadata +24 -26
- data/roles/backend_install_essentials/templates/memcached.j2 +0 -7
- data/roles/unicorn_activate/defaults/main.yml +0 -3
- data/roles/unicorn_activate/tasks/main.yml +0 -16
- data/roles/unicorn_install/tasks/main.yml +0 -21
- data/roles/unicorn_install/templates/unicorn.rb.j2 +0 -47
- data/roles/unicorn_install/templates/unicorn_init.j2 +0 -70
- data/roles/unicorn_install/templates/unicorn_monit.j2 +0 -5
- data/vendor/geerlingguy.memcached/.gitignore +0 -1
- data/vendor/geerlingguy.memcached/.travis.yml +0 -34
- data/vendor/geerlingguy.memcached/README.md +0 -53
- data/vendor/geerlingguy.memcached/defaults/main.yml +0 -9
- data/vendor/geerlingguy.memcached/handlers/main.yml +0 -3
- data/vendor/geerlingguy.memcached/meta/.galaxy_install_info +0 -1
- data/vendor/geerlingguy.memcached/meta/main.yml +0 -24
- data/vendor/geerlingguy.memcached/tasks/main.yml +0 -29
- data/vendor/geerlingguy.memcached/tasks/setup-Debian.yml +0 -6
- data/vendor/geerlingguy.memcached/tasks/setup-RedHat.yml +0 -3
- data/vendor/geerlingguy.memcached/templates/memcached-Debian.conf.j2 +0 -27
- data/vendor/geerlingguy.memcached/templates/memcached-RedHat.conf.j2 +0 -19
- data/vendor/geerlingguy.memcached/tests/inventory +0 -1
- data/vendor/geerlingguy.memcached/tests/test.yml +0 -5
- data/vendor/geerlingguy.memcached/vars/Debian.yml +0 -3
- data/vendor/geerlingguy.memcached/vars/RedHat.yml +0 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 82c0a82eb80be81e11f2b2db205d80fdd40d6200
|
4
|
+
data.tar.gz: 5c2d11343fdf6c22a69b6e463cffcf21506e091a
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 68efdeb3ead8f15b062ec668913a914eb542273d9bc0718cf841f145f2808b147d73cf6659f482ed2fc9b49fa9bb133f2df5136f8bf754e78491ac78c7c60577
|
7
|
+
data.tar.gz: 07eb11f3f75dafd885402ca764134cc2e074e54c2a4372fee4d56246a8b0565b9185ab157b4dbf0ff181445931964c898c3ef5d4e7d0467140d7b6825e1b4781
|
data/.travis.yml
CHANGED
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,16 @@
|
|
1
|
+
### 2.0.0
|
2
|
+
* Set default ruby to 2.4
|
3
|
+
* Moved from Unicorn to Puma
|
4
|
+
* Supports Rails 5
|
5
|
+
* Use letsencrypt for HTTPS configuration
|
6
|
+
* `tape ansible everything` is now `tape ansible deploy`
|
7
|
+
|
8
|
+
### 1.8.2 (also 1.8.1)
|
9
|
+
* Updates ANXS PG Galaxy role
|
10
|
+
* Install postgres 9.4 by default
|
11
|
+
* Kernel level mem leak issues for Redis fixed
|
12
|
+
* Node 6 installed by default
|
13
|
+
|
1
14
|
### 1.8.0
|
2
15
|
* Major readme cleanup
|
3
16
|
* I'm actually writing a changlog now :snowman:
|
data/Gemfile.lock
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
PATH
|
2
2
|
remote: .
|
3
3
|
specs:
|
4
|
-
taperole (1.8.
|
4
|
+
taperole (1.8.2)
|
5
5
|
colorize (~> 0.8.1)
|
6
6
|
slack-notifier (~> 1.5)
|
7
7
|
thor (~> 0.19.1)
|
@@ -11,6 +11,7 @@ GEM
|
|
11
11
|
specs:
|
12
12
|
colorize (0.8.1)
|
13
13
|
diff-lcs (1.3)
|
14
|
+
rake (12.0.0)
|
14
15
|
rspec (3.5.0)
|
15
16
|
rspec-core (~> 3.5.0)
|
16
17
|
rspec-expectations (~> 3.5.0)
|
@@ -31,9 +32,10 @@ PLATFORMS
|
|
31
32
|
ruby
|
32
33
|
|
33
34
|
DEPENDENCIES
|
35
|
+
rake (= 12.0.0)
|
34
36
|
rspec (~> 3.5)
|
35
37
|
rspec-expectations (~> 3.5)
|
36
38
|
taperole!
|
37
39
|
|
38
40
|
BUNDLED WITH
|
39
|
-
1.
|
41
|
+
1.12.5
|
data/README.md
CHANGED
@@ -28,7 +28,7 @@ be_app_repo: [git repo]
|
|
28
28
|
```
|
29
29
|
|
30
30
|
* Copy all developers' public keys into the `taperole/dev_keys` directory.
|
31
|
-
* Use `$ tape ansible
|
31
|
+
* Use `$ tape ansible provision` for your first deploy, then `$ tape ansible deploy` for subsequent changes.
|
32
32
|
|
33
33
|
**Upgrade**
|
34
34
|
|
@@ -116,7 +116,7 @@ The port number might be different if other vagrant machines are running, run `v
|
|
116
116
|
You can specify a port using the `ansible_ssh_port` in your hosts inventory file.
|
117
117
|
|
118
118
|
3. Update `tape_vars.yml` with information to a rails app you want to deploy
|
119
|
-
4. `tape ansible
|
119
|
+
4. `tape ansible provision -l vagrant`
|
120
120
|
|
121
121
|
### With Docker
|
122
122
|
1. Setup your machine to work with Docker. We recommend [Docker Machine](https://docs.docker.com/machine/)
|
@@ -139,8 +139,8 @@ ansible-galaxy install -r requirements.yml --force
|
|
139
139
|
## Rails Application Requirements
|
140
140
|
|
141
141
|
Your rails application must:
|
142
|
-
* use
|
143
|
-
* use
|
142
|
+
* use posgres as the database
|
143
|
+
* use puma as the app server
|
144
144
|
* have access to the taperole gem
|
145
145
|
|
146
146
|
Usually, your Gemfile will include something like:
|
@@ -148,8 +148,8 @@ Usually, your Gemfile will include something like:
|
|
148
148
|
# Use postgresql as the database
|
149
149
|
gem 'pg'
|
150
150
|
|
151
|
-
# Use
|
152
|
-
gem '
|
151
|
+
# Use Puma as the app server
|
152
|
+
gem 'puma'
|
153
153
|
|
154
154
|
# Use taperole for deployment
|
155
155
|
gem 'taperole', '~>1.7'
|
@@ -44,8 +44,8 @@ module Taperole
|
|
44
44
|
type: :string,
|
45
45
|
desc: 'A custom playbook to run'
|
46
46
|
|
47
|
-
desc '
|
48
|
-
def
|
47
|
+
desc 'provision', 'Initial setup of a server'
|
48
|
+
def provision
|
49
49
|
Taperole::Notifier.register_notifiers(options)
|
50
50
|
valid_preconfigs ? ansible(options: options) : puts("Not a Rails or JS app")
|
51
51
|
end
|
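Review bot: The command added here is `provision`, while the CHANGELOG in this same release says `tape ansible everything` is now `tape ansible deploy` and the README tells users to run `provision` first and `deploy` afterwards; the `deploy` command is not in the hunks shown, so either it exists outside this diff or the changelog line needs to name `provision` as well. The removed command name is cut off in the hunk, so the rename itself cannot be checked from here. The description `'Initial setup of a server'` would be more useful if it said what distinguishes it from a later deploy, e.g. `desc 'provision', 'Initial setup of a server (full playbook); use deploy for subsequent releases'`. The enclosing class continues outside the hunk.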
@@ -24,7 +24,7 @@ module Taperole
|
|
24
24
|
rm "#{tapefiles_dir}/rake.yml"
|
25
25
|
rm "#{tapefiles_dir}/roles"
|
26
26
|
rm "#{tapefiles_dir}/hosts"
|
27
|
-
rm "#{
|
27
|
+
rm "#{tapefiles_dir}/dev_keys"
|
28
28
|
rm "#{local_dir}/Vagrantfile"
|
29
29
|
end
|
30
30
|
|
@@ -36,10 +36,10 @@ module Taperole
|
|
36
36
|
|
37
37
|
def create_tape_files
|
38
38
|
if fe_app? && !rails_app?
|
39
|
-
logger.info '🔎 JS/HTML app detected'.
|
39
|
+
logger.info '🔎 JS/HTML app detected'.blue
|
40
40
|
copy_static_app_examples
|
41
41
|
elsif rails_app?
|
42
|
-
logger.info '🔎 Rails app detected'.
|
42
|
+
logger.info '🔎 Rails app detected'.blue
|
43
43
|
copy_basic_examples
|
44
44
|
end
|
45
45
|
end
|
@@ -72,7 +72,7 @@ module Taperole
|
|
72
72
|
end
|
73
73
|
|
74
74
|
def create_ssh_keys_dir
|
75
|
-
mkdir "#{
|
75
|
+
mkdir "#{tapefiles_dir}/dev_keys"
|
76
76
|
end
|
77
77
|
|
78
78
|
def handle_vagrantfile
|
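Review bot: `create_ssh_keys_dir` (line 74) now creates `#{tapefiles_dir}/dev_keys`, so the method name no longer says what it does, and the matching `rm "#{tapefiles_dir}/dev_keys"` in the earlier hunk of this file refers to the directory by its new name only. Renaming the method to `create_dev_keys_dir` (its caller is outside the hunk) keeps the two in step; if the old name must stay for compatibility, a one-line comment such as `# Developers' public keys live in dev_keys; the method name predates the rename` avoids the next reader hunting for an ssh_keys directory. The module continues outside the hunk.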
data/lib/taperole/version.rb
CHANGED
data/requirements.yml
CHANGED
@@ -3,16 +3,6 @@
|
|
3
3
|
dest=/etc/gemrc
|
4
4
|
mode=u=rw,g=r,o=r
|
5
5
|
|
6
|
-
- name: Register monit memcached config files
|
7
|
-
template: src=memcached.j2
|
8
|
-
dest=/etc/monit/conf.d/memcached
|
9
|
-
mode=u=rw,g=r,o=r
|
10
|
-
register: memcached_monit_config
|
11
|
-
|
12
|
-
- name: Reload Monit
|
13
|
-
command: bash -lc "monit reload"
|
14
|
-
when: memcached_monit_config.changed
|
15
|
-
|
16
6
|
# zzet.rbenv puts all the rbenv stuff in profile for some reason
|
17
7
|
# so we gotta use login shells to do this stuff
|
18
8
|
- name: Install bundler
|
@@ -1,13 +1,13 @@
|
|
1
1
|
- name: Create deployer groups
|
2
2
|
group: name={{ item }} state=present
|
3
|
-
with_items: deployer_user.groups
|
3
|
+
with_items: '{{ deployer_user.groups }}'
|
4
4
|
|
5
5
|
- name: Ensure deployer user is present
|
6
6
|
user: name={{ deployer_user.name }} state=present append=yes shell=/bin/bash
|
7
7
|
|
8
8
|
- name: Ensure deployer user is in its groups
|
9
9
|
user: name={{ deployer_user.name }} groups={{ item }} state=present append=yes shell=/bin/bash
|
10
|
-
with_items: deployer_user.groups
|
10
|
+
with_items: '{{ deployer_user.groups }}'
|
11
11
|
|
12
12
|
- name: Ensure deployer user owns its own homedir
|
13
13
|
file: path=/home/deployer state=directory owner=deployer
|
@@ -0,0 +1,19 @@
|
|
1
|
+
- name: Install letsencrypt
|
2
|
+
apt: name=letsencrypt state=present
|
3
|
+
when: letsencrypt.enabled == true
|
4
|
+
|
5
|
+
- name: Get letsencrypt cert
|
6
|
+
command: bash -lc "letsencrypt certonly --standalone --rsa-key-size 4096 --force-renew --agree-tos --email {{ letsencrypt.email }} --text --non-interactive -d {{ letsencrypt.hostname }}"
|
7
|
+
args:
|
8
|
+
creates: "/etc/letsencrypt/live/{{ letsencrypt.hostname }}/privkey.pem"
|
9
|
+
when: letsencrypt.enabled == true
|
10
|
+
|
11
|
+
- name: Set cert to renew every monday at 2:30 am
|
12
|
+
cron:
|
13
|
+
name: Certbot renew
|
14
|
+
weekday: 1
|
15
|
+
hour: 2
|
16
|
+
minute: 30
|
17
|
+
job: /usr/bin/letsencrypt renew --rsa-key-size 4096 >> /var/log/le-renew.log
|
18
|
+
user: root
|
19
|
+
when: letsencrypt.enabled == true
|
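Review bot: The weekly cron job on line 17 runs `letsencrypt renew`, which reuses the standalone authenticator recorded by the initial `certonly --standalone` on line 6; standalone needs a free port 80/443, and by then nginx (configured by the nginx role, presumably listening on both) holds them, so renewals will fail with only stdout captured in /var/log/le-renew.log, and nothing reloads nginx after a renewal in any case. Issuing with `--webroot -w <nginx webroot>` instead of `--standalone`, and appending a reload step to the cron job (`--post-hook "service nginx reload"` if the installed client supports hooks, otherwise `&& service nginx reload` on the job line), makes the renewal path actually work. `--force-renew` on line 6 is redundant with the `creates:` guard on line 8 and would re-issue against the rate limit if that guard were ever removed. The email and hostname are interpolated into a `bash -lc "..."` string on line 6; with `command:` and no shell wrapper they are passed as discrete arguments and cannot be word-split. `when: letsencrypt.enabled == true` on lines 3, 9 and 19 reads better as `when: letsencrypt.enabled`.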
data/roles/nginx/tasks/main.yml
CHANGED
@@ -15,27 +15,50 @@
|
|
15
15
|
args:
|
16
16
|
chdir: /etc/nginx/ssl
|
17
17
|
creates: /etc/nginx/ssl/self-signed.*
|
18
|
-
|
19
|
-
- stat: path=/etc/nginx/ssl/dhparam.pem
|
20
|
-
register: dhparam
|
18
|
+
when: letsencrypt.enabled == false
|
21
19
|
|
22
20
|
- name: Create Diffie Hellman Ephemeral Parameters (this will take some time)
|
23
|
-
command: bash -lc "openssl dhparam -out /etc/nginx/ssl/dhparam.pem
|
21
|
+
command: bash -lc "openssl dhparam -out /etc/nginx/ssl/dhparam.pem 3072"
|
22
|
+
args:
|
23
|
+
creates: /etc/nginx/ssl/dhparam.pem
|
24
24
|
|
25
25
|
- name: Configure App nginx
|
26
|
-
template:
|
26
|
+
template:
|
27
|
+
src: nginx_puma.j2
|
28
|
+
dest: /etc/nginx/sites-enabled/{{ app_name }}
|
29
|
+
register: nginx_config
|
30
|
+
|
31
|
+
- name: Install nginx config
|
32
|
+
template:
|
33
|
+
src: nginx.conf.j2
|
34
|
+
dest: /etc/nginx/nginx.conf
|
35
|
+
register: nginx_config
|
27
36
|
|
28
37
|
- name: Install monit nginx config
|
29
|
-
file:
|
38
|
+
file:
|
39
|
+
src: /etc/monit/conf-available/nginx
|
40
|
+
dest: /etc/monit/conf-enabled/nginx
|
41
|
+
owner: root
|
42
|
+
group: root
|
43
|
+
state: link
|
30
44
|
register: nginx_monit_config
|
31
45
|
|
32
46
|
- name: Reload Monit
|
33
47
|
command: bash -lc "monit reload && sleep 2"
|
34
48
|
when: nginx_monit_config.changed
|
35
49
|
|
36
|
-
- name:
|
37
|
-
|
50
|
+
- name: Check if nginx running
|
51
|
+
shell: ps -ef | grep nginx | grep -v grep
|
52
|
+
register: nginx_running
|
53
|
+
changed_when: false
|
54
|
+
ignore_errors: true
|
38
55
|
|
39
56
|
- name: Start nginx
|
40
57
|
remote_user: "{{ deployer_user.name }}"
|
41
58
|
command: bash -lc "sudo monit start nginx"
|
59
|
+
when: nginx_running | failed
|
60
|
+
|
61
|
+
- name: Restart nginx
|
62
|
+
remote_user: "{{ deployer_user.name }}"
|
63
|
+
command: bash -lc "sudo monit restart nginx"
|
64
|
+
when: nginx_running | success and nginx_config.changed
|
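Review bot: Both the site template task (lines 25-29) and the new nginx.conf task (lines 31-35) use `register: nginx_config`, so the second registration overwrites the first and the restart guard on line 64 only sees changes to nginx.conf; a changed `sites-enabled/{{ app_name }}` alone no longer restarts nginx. Register the second task as `nginx_main_config` and restart `when: nginx_running | success and (nginx_config.changed or nginx_main_config.changed)`. The `ps -ef | grep nginx | grep -v grep` probe on line 51 matches any process with "nginx" in its command line (a monit helper, an editor open on the config), so `pgrep -x nginx` is a tighter liveness test. The `| failed` / `| success` filter forms on lines 59 and 64 have since been deprecated in favour of `is failed` / `is success`, which work on both old and new Ansible.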
@@ -0,0 +1,84 @@
|
|
1
|
+
user www-data;
|
2
|
+
worker_processes auto;
|
3
|
+
pid /run/nginx.pid;
|
4
|
+
include /etc/nginx/modules-enabled/*.conf;
|
5
|
+
|
6
|
+
events {
|
7
|
+
worker_connections 768;
|
8
|
+
# multi_accept on;
|
9
|
+
}
|
10
|
+
|
11
|
+
http {
|
12
|
+
##
|
13
|
+
# Basic Settings
|
14
|
+
##
|
15
|
+
|
16
|
+
sendfile on;
|
17
|
+
tcp_nopush on;
|
18
|
+
tcp_nodelay on;
|
19
|
+
keepalive_timeout 65;
|
20
|
+
types_hash_max_size 2048;
|
21
|
+
# server_tokens off;
|
22
|
+
|
23
|
+
# server_names_hash_bucket_size 64;
|
24
|
+
# server_name_in_redirect off;
|
25
|
+
|
26
|
+
include /etc/nginx/mime.types;
|
27
|
+
default_type application/octet-stream;
|
28
|
+
|
29
|
+
##
|
30
|
+
# SSL Settings
|
31
|
+
##
|
32
|
+
|
33
|
+
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
|
34
|
+
ssl_prefer_server_ciphers on;
|
35
|
+
|
36
|
+
##
|
37
|
+
# Logging Settings
|
38
|
+
##
|
39
|
+
|
40
|
+
access_log /var/log/nginx/access.log;
|
41
|
+
error_log /var/log/nginx/error.log;
|
42
|
+
|
43
|
+
##
|
44
|
+
# Gzip Settings
|
45
|
+
##
|
46
|
+
|
47
|
+
gzip on;
|
48
|
+
gzip_disable "msie6";
|
49
|
+
|
50
|
+
gzip_vary on;
|
51
|
+
gzip_proxied any;
|
52
|
+
gzip_comp_level 6;
|
53
|
+
gzip_buffers 4 42k;
|
54
|
+
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/x-font-ttf application/x-font-opentype font/eot font/opentype image/svg+xml font/otf application/xml+rss text/javascript;
|
55
|
+
|
56
|
+
##
|
57
|
+
# Virtual Host Configs
|
58
|
+
##
|
59
|
+
|
60
|
+
include /etc/nginx/conf.d/*.conf;
|
61
|
+
include /etc/nginx/sites-enabled/*;
|
62
|
+
}
|
63
|
+
|
64
|
+
|
65
|
+
#mail {
|
66
|
+
# # See sample authentication script at:
|
67
|
+
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
|
68
|
+
#
|
69
|
+
# # auth_http localhost/auth.php;
|
70
|
+
# # pop3_capabilities "TOP" "USER";
|
71
|
+
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
|
72
|
+
#
|
73
|
+
# server {
|
74
|
+
# listen localhost:110;
|
75
|
+
# protocol pop3;
|
76
|
+
# proxy on;
|
77
|
+
# }
|
78
|
+
#
|
79
|
+
# server {
|
80
|
+
# listen localhost:143;
|
81
|
+
# protocol imap;
|
82
|
+
# proxy on;
|
83
|
+
# }
|
84
|
+
#}
|
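Review bot: `# server_tokens off;` is left commented out on line 21, so every response header and error page advertises the nginx version; since this template replaces the distribution default it should set `server_tokens off;`. `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` on line 33 re-enables TLS 1.0 for any server block that does not override it (the puma site template does, with `TLSv1.1 TLSv1.2`); setting `ssl_protocols TLSv1.2;` here keeps the default no weaker than the site. The commented `#mail { ... }` block on lines 65-84 is the stock Debian sample and adds nothing to a template that is only ever rendered by this role. Line 4 (`include /etc/nginx/modules-enabled/*.conf;`) presumably targets the newer Ubuntu package layout; worth a comment naming the minimum nginx package this template assumes.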
@@ -1,6 +1,10 @@
|
|
1
|
+
# DoS Mitigation
|
2
|
+
limit_req_zone $binary_remote_addr zone=one:10m rate=3r/m;
|
3
|
+
limit_conn_zone $binary_remote_addr zone=addr:10m;
|
4
|
+
|
1
5
|
{% if be_app_repo is defined %}
|
2
|
-
upstream
|
3
|
-
server unix:{{
|
6
|
+
upstream puma {
|
7
|
+
server unix:{{puma_sockfile}} fail_timeout=0;
|
4
8
|
}
|
5
9
|
{% endif %}
|
6
10
|
server {
|
@@ -8,32 +12,49 @@ server {
|
|
8
12
|
return 301 https://$host$request_uri;
|
9
13
|
}
|
10
14
|
|
11
|
-
|
12
15
|
server {
|
13
|
-
listen 443
|
16
|
+
listen 443 http2 default_server;
|
17
|
+
listen [::]:443 ssl http2 default_server;
|
14
18
|
|
15
|
-
|
19
|
+
|
20
|
+
{% if letsencrypt.hostname %}
|
21
|
+
server_name {{ letsencrypt.hostname }};
|
22
|
+
{% endif %}
|
16
23
|
|
17
24
|
ssl on;
|
25
|
+
{% if letsencrypt.enabled %}
|
26
|
+
ssl_certificate /etc/letsencrypt/live/{{ letsencrypt.hostname }}/fullchain.pem;
|
27
|
+
ssl_certificate_key /etc/letsencrypt/live/{{ letsencrypt.hostname }}/privkey.pem;
|
28
|
+
{% else %}
|
18
29
|
ssl_certificate /etc/nginx/ssl/self-signed.crt;
|
19
30
|
ssl_certificate_key /etc/nginx/ssl/self-signed.key;
|
31
|
+
{% endif %}
|
20
32
|
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
|
21
33
|
|
34
|
+
ssl_protocols TLSv1.1 TLSv1.2;
|
35
|
+
|
36
|
+
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
|
37
|
+
|
22
38
|
ssl_prefer_server_ciphers on;
|
39
|
+
ssl_ecdh_curve secp384r1;
|
23
40
|
ssl_session_cache shared:SSL:10m;
|
24
|
-
|
25
|
-
|
41
|
+
ssl_session_tickets off;
|
42
|
+
add_header Strict-Transport-Security "max-age=31536000; preload" ;
|
43
|
+
ssl_session_timeout 2h;
|
26
44
|
ssl_stapling on;
|
27
45
|
ssl_stapling_verify on;
|
46
|
+
|
47
|
+
|
28
48
|
resolver 8.8.8.8 8.8.4.4 valid=300s;
|
29
49
|
resolver_timeout 5s;
|
30
50
|
|
31
|
-
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
|
32
|
-
|
33
|
-
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
|
34
51
|
add_header X-Frame-Options "DENY";
|
35
52
|
add_header Public-Key-Pins 'pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; pin-sha256="633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q="; max-age=2592000; includeSubDomains';
|
36
53
|
|
54
|
+
# DoS Mitigation
|
55
|
+
client_body_timeout 5s;
|
56
|
+
client_header_timeout 5s;
|
57
|
+
|
37
58
|
{% if fe_app_repo is defined%}
|
38
59
|
root {{ fe_app_path }}/dist;
|
39
60
|
{% else %}
|
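Review bot: `listen 443 http2 default_server;` on line 16 carries no `ssl` parameter and relies on the deprecated `ssl on;` kept as context on line 24, while the IPv6 listener on line 17 does say `ssl`; the two should match: `listen 443 ssl http2 default_server;`. The HSTS header on line 42 drops `includeSubdomains`, which the removed line had, yet keeps `preload`; the preload list requires includeSubDomains, so the header as written is not preload-eligible — restore `includeSubDomains` or drop `preload`. The `Public-Key-Pins` header on context line 52 keeps its two hard-coded pins while lines 25-28 switch the served certificate to the Let's Encrypt chain; if those pins do not cover that chain, browsers that cached the old header will refuse the new certificate for the header's max-age, so confirm the pins against the Let's Encrypt intermediates before enabling letsencrypt (most browsers have since dropped HPKP support, so removing the header is the safer option). The `limit_req_zone`/`limit_conn_zone` zones added in the first hunk of this file are not applied by any `limit_req`/`limit_conn` directive in the hunks shown, and `rate=3r/m` would block ordinary page loads if it were applied to the whole site rather than, say, a login location.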
@@ -57,12 +78,12 @@ server {
|
|
57
78
|
}
|
58
79
|
|
59
80
|
{% if be_app_repo is defined %}
|
60
|
-
try_files $uri/index.html $uri @
|
61
|
-
location @
|
81
|
+
try_files $uri/index.html $uri @puma;
|
82
|
+
location @puma {
|
62
83
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
63
84
|
proxy_set_header Host $http_host;
|
64
85
|
proxy_redirect off;
|
65
|
-
proxy_pass http://
|
86
|
+
proxy_pass http://puma;
|
66
87
|
}
|
67
88
|
{% endif %}
|
68
89
|
|
@@ -0,0 +1,27 @@
|
|
1
|
+
- name: Ensure puma owns it tmp dir
|
2
|
+
file:
|
3
|
+
path: "{{be_app_path}}/tmp"
|
4
|
+
state: directory
|
5
|
+
owner: deployer
|
6
|
+
|
7
|
+
- name: Ensure puma owns it pids dir
|
8
|
+
file:
|
9
|
+
path: "{{be_app_path}}/pids"
|
10
|
+
state: directory
|
11
|
+
owner: deployer
|
12
|
+
|
13
|
+
- name: Check if puma running
|
14
|
+
shell: ps -ef | grep puma | grep -v grep
|
15
|
+
register: puma_running
|
16
|
+
changed_when: false
|
17
|
+
ignore_errors: true
|
18
|
+
|
19
|
+
- name: Start Puma
|
20
|
+
remote_user: "{{ deployer_user.name }}"
|
21
|
+
command: bash -lc "sudo monit start puma"
|
22
|
+
when: puma_running | failed
|
23
|
+
|
24
|
+
- name: Restart Puma
|
25
|
+
remote_user: "{{ deployer_user.name }}"
|
26
|
+
command: bash -lc "sudo monit restart puma"
|
27
|
+
when: puma_running | success
|
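Review bot: `when: puma_running | failed` (line 22) and `| success` (line 27) use the filter form that Ansible later deprecated and then removed; `when: puma_running is failed` / `is success` work on both old and new versions. The `ps -ef | grep puma | grep -v grep` probe on line 14 matches any process whose command line contains "puma" (a deployer's editor, a pumactl invocation), so a check against the pid file the config writes, `test -r {{ puma_pidfile }} && kill -0 $(cat {{ puma_pidfile }})`, is a tighter test. `owner: deployer` on lines 5 and 11 hard-codes the user name that lines 20 and 25 of this same file take from `deployer_user.name`. The pids-dir task on lines 7-11 duplicates `Set up Puma pids dir` in puma_install; it should live in one role only.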
@@ -0,0 +1,29 @@
|
|
1
|
+
- name: Set up Puma log dir
|
2
|
+
file: path={{be_app_path}}/log state=directory owner=deployer
|
3
|
+
|
4
|
+
- name: Install Puma config
|
5
|
+
template: src=puma.rb.j2
|
6
|
+
dest={{be_app_path}}/config/puma.rb
|
7
|
+
|
8
|
+
- name: Set up Puma pids dir
|
9
|
+
file:
|
10
|
+
path: "{{be_app_path}}/pids"
|
11
|
+
state: directory
|
12
|
+
owner: deployer
|
13
|
+
|
14
|
+
- name: Register Puma init script
|
15
|
+
template:
|
16
|
+
src: puma_init.j2
|
17
|
+
dest: /etc/init.d/puma
|
18
|
+
mode: u=rwx,g=r,o=r
|
19
|
+
|
20
|
+
- name: Register Puma monit config files
|
21
|
+
template:
|
22
|
+
src: puma_monit.j2
|
23
|
+
dest: /etc/monit/conf.d/puma
|
24
|
+
mode: u=rw,g=r,o=r
|
25
|
+
register: puma_monit_config
|
26
|
+
|
27
|
+
- name: Reload Monit
|
28
|
+
command: bash -lc "monit reload"
|
29
|
+
when: puma_monit_config.changed
|
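Review bot: `Set up Puma pids dir` (lines 8-12) is the same task as `Ensure puma owns it pids dir` in puma_activate, so one of the two is redundant. The config template on lines 5-6 is written in the k=v one-line form while the rest of the file uses the block form (lines 15-18, 21-25); rewriting it as `template:` with `src:`/`dest:` plus `owner: "{{ deployer_user.name }}"` makes the file owned by the user that runs puma and matches the surrounding style. If the application repository ships its own `config/puma.rb`, this task overwrites it on every run, which deserves a comment such as `# Overwrites the app's config/puma.rb; taperole owns this file`.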
@@ -0,0 +1,26 @@
|
|
1
|
+
# Should match number of CPU Cores
|
2
|
+
workers {{puma_workers}}
|
3
|
+
|
4
|
+
# Min and Max threads per worker
|
5
|
+
threads 1, 6
|
6
|
+
|
7
|
+
# Default to production
|
8
|
+
rails_env = "{{be_app_env}}"
|
9
|
+
environment rails_env
|
10
|
+
|
11
|
+
# Set up socket location
|
12
|
+
bind "unix://{{puma_sockfile}}"
|
13
|
+
|
14
|
+
# Logging
|
15
|
+
stdout_redirect "{{be_app_path}}/log/puma.log", "{{be_app_path}}/log/puma.log", true
|
16
|
+
|
17
|
+
# Set master PID and state locations
|
18
|
+
pidfile "{{ puma_pidfile }}"
|
19
|
+
state_path "{{puma_state_path}}"
|
20
|
+
activate_control_app
|
21
|
+
|
22
|
+
on_worker_boot do
|
23
|
+
require "active_record"
|
24
|
+
ActiveRecord::Base.connection.disconnect! rescue ActiveRecord::ConnectionNotEstablished
|
25
|
+
ActiveRecord::Base.establish_connection(YAML.load_file("{{be_app_path}}/config/database.yml")["{{be_app_env}}"])
|
26
|
+
end
|
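Review bot: `ActiveRecord::Base.connection.disconnect! rescue ActiveRecord::ConnectionNotEstablished` on line 24 is the modifier form of rescue, which catches every StandardError raised by the left side and evaluates the constant as the result; it does not restrict the rescue to ConnectionNotEstablished as the line reads. The block form states the intent: `begin; ActiveRecord::Base.connection.disconnect!; rescue ActiveRecord::ConnectionNotEstablished; end`. `YAML.load_file` on line 25 reads database.yml without running it through ERB, so a `<%= ENV['DATABASE_PASSWORD'] %>` entry in the app's config would be passed through literally; `ActiveRecord::Base.establish_connection` with no argument reuses the configuration Rails already loaded for `rails_env` — presumably available here, confirm against the app's Rails version. `activate_control_app` on line 20 with no URL presumably binds a local unix socket with a generated token, which is what `pumactl restart` in the init script relies on; a comment saying so would stop the next maintainer from "fixing" it to a TCP URL.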
@@ -0,0 +1,75 @@
|
|
1
|
+
#!/usr/bin/env bash
|
2
|
+
|
3
|
+
# This monit wrapper script will be called by monit as root
|
4
|
+
# Edit these variables to your liking
|
5
|
+
|
6
|
+
RAILS_ENV={{ be_app_env }}
|
7
|
+
USER={{ deployer_user.name }}
|
8
|
+
APP_DIR={{ be_app_path }}
|
9
|
+
PUMA_CONFIG_FILE=$APP_DIR/config/puma.rb
|
10
|
+
PUMA_PID_FILE={{ puma_pidfile }}
|
11
|
+
PUMA_SOCKET={{ puma_sockfile }}
|
12
|
+
|
13
|
+
# check if puma process is running
|
14
|
+
puma_is_running() {
|
15
|
+
if [ -S $PUMA_SOCKET ] ; then
|
16
|
+
if [ -e $PUMA_PID_FILE ] ; then
|
17
|
+
if cat $PUMA_PID_FILE | xargs pgrep -P > /dev/null ; then
|
18
|
+
return 0
|
19
|
+
else
|
20
|
+
echo "No puma process found"
|
21
|
+
fi
|
22
|
+
else
|
23
|
+
echo "No puma pid file found"
|
24
|
+
fi
|
25
|
+
else
|
26
|
+
echo "No puma socket found"
|
27
|
+
fi
|
28
|
+
|
29
|
+
return 1
|
30
|
+
}
|
31
|
+
|
32
|
+
case "$1" in
|
33
|
+
start)
|
34
|
+
echo "Starting puma..."
|
35
|
+
rm -f $PUMA_SOCKET
|
36
|
+
|
37
|
+
if [ -e $PUMA_CONFIG_FILE ] ; then
|
38
|
+
echo "cd $APP_DIR && RAILS_ENV=$RAILS_ENV bundle exec puma -C $PUMA_CONFIG_FILE --daemon"
|
39
|
+
/bin/su - $USER -c "cd $APP_DIR && RAILS_ENV=$RAILS_ENV bundle exec puma -C $PUMA_CONFIG_FILE --daemon"
|
40
|
+
else
|
41
|
+
echo "ERROR: No config file found in $PUMA_CONFIG_FILE"
|
42
|
+
fi
|
43
|
+
|
44
|
+
echo "done"
|
45
|
+
;;
|
46
|
+
|
47
|
+
stop)
|
48
|
+
echo "Stopping puma..."
|
49
|
+
echo "cd $APP_DIR && RAILS_ENV=$RAILS_ENV bundle exec pumactl stop"
|
50
|
+
/bin/su - $USER -c "cd $APP_DIR && RAILS_ENV=$RAILS_ENV bundle exec pumactl stop"
|
51
|
+
rm -f $PUMA_PID_FILE
|
52
|
+
rm -f $PUMA_SOCKET
|
53
|
+
|
54
|
+
echo "done"
|
55
|
+
;;
|
56
|
+
|
57
|
+
restart)
|
58
|
+
if puma_is_running ; then
|
59
|
+
echo "Hot-restarting puma..."
|
60
|
+
/bin/su - $USER -c "cd $APP_DIR && RAILS_ENV=$RAILS_ENV bundle exec pumactl restart"
|
61
|
+
|
62
|
+
echo "Doublechecking the process restart..."
|
63
|
+
sleep 15
|
64
|
+
if puma_is_running ; then
|
65
|
+
echo "done"
|
66
|
+
exit 0
|
67
|
+
else
|
68
|
+
echo "Puma restart failed :/"
|
69
|
+
fi
|
70
|
+
fi
|
71
|
+
;;
|
72
|
+
*)
|
73
|
+
echo "Usage: puma {start|stop|restart}" >&2
|
74
|
+
;;
|
75
|
+
esac
|
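Review bot: Every failure path in this script exits 0: `start)` prints `ERROR: No config file found` (line 41) and then falls through to `echo "done"`, `restart)` prints `Puma restart failed :/` (line 68) with no exit status, and the usage branch on line 73 also returns 0, so monit and the `command:` tasks that call this script never see a failure. Add `exit 1` after each error message, and make `restart)` fall back to the start path when `puma_is_running` is false, otherwise restarting a stopped server is a no-op. `cat $PUMA_PID_FILE | xargs pgrep -P` on line 17 tests that the pid has child processes (true for a cluster master with workers) rather than that the pid is alive; `kill -0 "$(cat "$PUMA_PID_FILE")"` is the direct test and also holds in single mode. The `$PUMA_SOCKET`/`$PUMA_PID_FILE` expansions are unquoted throughout; the templated paths presumably contain no spaces, but quoting them costs nothing, and the debugging `echo` of the full command on line 38 can go once the script is trusted.
```shell
puma_is_running() {
  # … unchanged: socket and pid-file existence checks …
      if kill -0 "$(cat "$PUMA_PID_FILE")" 2> /dev/null ; then
  # … unchanged: messages and return 1 …
}

case "$1" in
  start)
    # … unchanged: remove stale socket, su to start puma …
    else
      echo "ERROR: No config file found in $PUMA_CONFIG_FILE" >&2
      exit 1
    fi
    # … unchanged: echo "done" …
    ;;
  # … unchanged: stop) …
  restart)
    if puma_is_running ; then
      # … unchanged: pumactl restart, sleep 15, re-check that exits 0 on success …
      echo "Puma restart failed :/" >&2
      exit 1
    fi
    # Nothing to hot-restart: behave like start so monit gets a running server.
    exec "$0" start
    ;;
  *)
    echo "Usage: puma {start|stop|restart}" >&2
    exit 1
    ;;
esac
```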