winton-cookbook 1.0.0

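--- a/data/MIT-LICENSE
+++ b/data/MIT-LICENSE
@@ -0,0 +1,20 @@
+Copyright (c) 2008 Winton Welsh <mail@wintoni.us>
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.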
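--- a/data/README.markdown
+++ b/data/README.markdown
@@ -0,0 +1,134 @@
+Cookbook
+========
+
+Cookbook takes you from a fresh Debian/Ubuntu server to a complete Nginx/Rails/PHP stack using purely Capistrano. It also takes care of app deployment and pretty much writes your **config/deploy.rb** file for you.
+
+
+The stack
+---------
+
+* Git
+* Nginx
+* Mongrel cluster
+* Monit
+* MySQL
+* PHP (Nginx w/ spawn-fcgi)
+* Rails
+* Ruby
+* RubyGems
+* Sphinx
+
+
+Install
+-------
+
+(Goto **Set up a PHP app** if deploying a PHP project)
+
+### Capify your project
+
+capify .
+
+### Add cookbook as a Git submodule
+
+git submodule add git://github.com:winton/cookbook.git config/cookbook
+
+### Copy deploy.rb
+
+Copy **config/cookbook/deploy.rb.example** to **config/deploy.rb**
+
+Edit **config/deploy.rb** to your liking. Run `cap -T` to check out your new tasks.
+
+
+Create the deploy user
+----------------------
+
+### Log in remotely as root
+
+If you can't log in as root directly, but have the password (ServerBeach):
+
+su
+
+### Change root's password if you already haven't
+
+passwd
+
+### Add a deploy user
+
+adduser deploy
+
+### Edit /etc/sudoers
+
+visudo
+
+Add this line to the end of the file. This gives the deploy user "sudo without password" privileges:
+
+deploy ALL=NOPASSWD: ALL
+
+### Upload your SSH keys
+
+cap ssh:setup
+
+(Just answer no to the first question if you already have local keys generated.)
+
+
+Set up your fresh Debian server
+-------------------------------
+
+### On your machine
+
+cap debian:setup
+
+(See **config/cookbook/recipes/debian.rb**. You might want to run the tasks individually to know what's going on.)
+
+### On the server
+
+Its probably a good idea to restart the server after all that:
+
+sudo shutdown -r now
+
+
+Deploy your app
+---------------
+
+### First deploy
+
+cap deploy:create
+
+(See **config/cookbook/recipes/deploy.rb** to know what's going on here.)
+
+Optionally set up log rotation and a monit entry for your mongrels:
+
+cap log:rotate
+cap monit:config:mongrel
+
+### Subsequent deploys
+
+cap deploy
+
+
+Deploy staging
+--------------
+
+See *Deploy your app*, but replace `cap` with `cap staging`.
+
+Example:
+
+cap staging deploy:create
+
+
+Set up a PHP app
+----------------
+
+### Create directories
+
+config/
+public/
+
+Move your site contents into the public directory. Follow instructions in the *Install* section.
+
+Uncomment this line in deploy.rb:
+
+#:platform => :php,
+
+
+##### Copyright (c) 2008 Winton Welsh, released under the MIT license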
@@ -0,0 +1,9 @@
1
+ export PS1='\e[01;30m\h \e[33m\u \e[01;34m\w\e[00m: '
2
+
3
+ alias free="free -m"
4
+
5
+ alias aptitude="sudo aptitude"
6
+ alias update="sudo aptitude update"
7
+ alias upgrade="sudo aptitude upgrade"
8
+ alias install="sudo aptitude install"
9
+ alias remove="sudo aptitude remove"
@@ -0,0 +1,47 @@
1
+ *filter
2
+
3
+
4
+ # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
5
+ -A INPUT -i lo -j ACCEPT
6
+ -A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
7
+
8
+
9
+ # Accepts all established inbound connections
10
+ -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
11
+
12
+
13
+ # Allows all outbound traffic
14
+ # You can modify this to only allow certain traffic
15
+ -A OUTPUT -j ACCEPT
16
+
17
+
18
+ # Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
19
+ -A INPUT -p tcp --dport 80 -j ACCEPT
20
+ -A INPUT -p tcp --dport 443 -j ACCEPT
21
+
22
+
23
+ # Allows IMAP
24
+ -A INPUT -p tcp --dport 143 -j ACCEPT
25
+
26
+
27
+ # Allows SSH connections
28
+ #
29
+ # THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
30
+ #
31
+ -A INPUT -p tcp -m state --state NEW --dport <%= ssh_port %> -j ACCEPT
32
+
33
+
34
+ # Allow ping
35
+ -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
36
+
37
+
38
+ # log iptables denied calls
39
+ -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
40
+
41
+
42
+ # Reject all other inbound - default deny unless explicitly allowed policy
43
+ -A INPUT -j REJECT
44
+ -A FORWARD -j REJECT
45
+
46
+ COMMIT
47
+ # There MUST be a new line after this line!
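Review bot: Port 143 (IMAP) is opened to every source at line 24 although nothing in this cookbook's stack (nginx, mongrel, mysql, sshd, spawn-fcgi) listens there, so the rule is either dead exposure or an undocumented dependency; drop `-A INPUT -p tcp --dport 143 -j ACCEPT` unless an IMAP server is actually deployed, and if one is, name it in the comment. This is an iptables-restore file and filters IPv4 only; if the host has a global IPv6 address, sshd (which by default also listens on `::`) and anything else bound to the wildcard address is reachable over v6 with no filter at all, so an equivalent ip6tables ruleset, or at minimum an ip6tables `-A INPUT -j REJECT` after the loopback/established rules, should be installed alongside it. The SSH accept at line 31 has no rate limiting; a `-m recent`/`hashlimit` guard on NEW connections to `<%= ssh_port %>` cheaply blunts brute-forcing should password authentication ever be left enabled.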
@@ -0,0 +1 @@
1
+ en_US.UTF-8 UTF-8
@@ -0,0 +1,78 @@
1
+ # Package generated configuration file
2
+ # See the sshd(8) manpage for details
3
+
4
+ # What ports, IPs and protocols we listen for
5
+ Port <%= ssh_port %>
6
+ # Use these options to restrict which interfaces/protocols sshd will bind to
7
+ #ListenAddress ::
8
+ #ListenAddress 0.0.0.0
9
+ Protocol 2
10
+ # HostKeys for protocol version 2
11
+ HostKey /etc/ssh/ssh_host_rsa_key
12
+ HostKey /etc/ssh/ssh_host_dsa_key
13
+ #Privilege Separation is turned on for security
14
+ UsePrivilegeSeparation yes
15
+
16
+ # Lifetime and size of ephemeral version 1 server key
17
+ KeyRegenerationInterval 3600
18
+ ServerKeyBits 768
19
+
20
+ # Logging
21
+ SyslogFacility AUTH
22
+ LogLevel INFO
23
+
24
+ # Authentication:
25
+ LoginGraceTime 120
26
+ PermitRootLogin no
27
+ StrictModes yes
28
+
29
+ RSAAuthentication yes
30
+ PubkeyAuthentication yes
31
+ #AuthorizedKeysFile %h/.ssh/authorized_keys
32
+
33
+ # Don't read the user's ~/.rhosts and ~/.shosts files
34
+ IgnoreRhosts yes
35
+ # For this to work you will also need host keys in /etc/ssh_known_hosts
36
+ RhostsRSAAuthentication no
37
+ # similar for protocol version 2
38
+ HostbasedAuthentication no
39
+ # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
40
+ #IgnoreUserKnownHosts yes
41
+
42
+ # To enable empty passwords, change to yes (NOT RECOMMENDED)
43
+ PermitEmptyPasswords no
44
+
45
+ # Change to yes to enable challenge-response passwords (beware issues with
46
+ # some PAM modules and threads)
47
+ ChallengeResponseAuthentication no
48
+
49
+ # Change to no to disable tunnelled clear text passwords
50
+ #PasswordAuthentication yes
51
+
52
+ # Kerberos options
53
+ #KerberosAuthentication no
54
+ #KerberosGetAFSToken no
55
+ #KerberosOrLocalPasswd yes
56
+ #KerberosTicketCleanup yes
57
+
58
+ # GSSAPI options
59
+ #GSSAPIAuthentication no
60
+ #GSSAPICleanupCredentials yes
61
+
62
+ X11Forwarding no
63
+ X11DisplayOffset 10
64
+ PrintMotd no
65
+ PrintLastLog yes
66
+ TCPKeepAlive yes
67
+ #UseLogin no
68
+
69
+ #MaxStartups 10:30:60
70
+ #Banner /etc/issue.net
71
+
72
+ # Allow client to pass locale environment variables
73
+ AcceptEnv LANG LC_*
74
+
75
+ Subsystem sftp /usr/lib/openssh/sftp-server
76
+
77
+ UsePAM no
78
+ UseDNS no
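Review bot: `PasswordAuthentication` is left commented out at line 50 and sshd's compiled-in default is yes, so after `cap ssh:setup` installs keys every account is still exposed to password brute-forcing from any source the firewall admits; set `PasswordAuthentication no` explicitly once keys are in place, since the README flow relies on keys anyway. `UsePAM no` at line 77 diverges from the Debian default of yes and means PAM account/session modules (pam_access, pam_limits, etc.) are never consulted for SSH logins — presumably deliberate given `ChallengeResponseAuthentication no`, but it deserves a comment stating why. The protocol-1 settings at lines 17–18 (`KeyRegenerationInterval 3600`, `ServerKeyBits 768`) are inert with `Protocol 2` and could be dropped so the file does not suggest SSHv1 is supported.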
@@ -0,0 +1,9 @@
1
+ <%= shared_path %>/log/*.log {
2
+ daily
3
+ missingok
4
+ rotate 7
5
+ compress
6
+ delaycompress
7
+ notifempty
8
+ copytruncate
9
+ }
@@ -0,0 +1,10 @@
1
+ ---
2
+ user: <%= user %>
3
+ group: <%= user %>
4
+ log_file: <%= deploy_to %>/shared/log/mongrel.log
5
+ cwd: <%= deploy_to %>/current
6
+ port: <%= mongrel_port %>
7
+ environment: production
8
+ pid_file: <%= deploy_to %>/shared/pids/mongrel.pid
9
+ address: 127.0.0.1
10
+ servers: <%= mongrels %>
@@ -0,0 +1,177 @@
1
+ <% if mongrels > 1 %>
2
+ upstream mongrel_<%= application %>_<%= stage %> {
3
+ <% mongrels.times do |x| %>
4
+ server 127.0.0.1:<%= mongrel_port + x %>;
5
+ <% end %>
6
+ }
7
+ <% end %>
8
+
9
+ server {
10
+ listen 80;
11
+
12
+ # Set the max size for file uploads to 50Mb
13
+ client_max_body_size 50M;
14
+
15
+ # sets the domain[s] that this vhost server requests for
16
+ server_name <%= domains.join ' ' %>;
17
+
18
+ # doc root
19
+ root <%= deploy_to %>/current/public;
20
+
21
+ # vhost specific access log
22
+ access_log <%= deploy_to %>/shared/log/nginx.log main;
23
+
24
+ # this rewrites all the requests to the maintenance.html
25
+ # page if it exists in the doc root. This is for capistrano's
26
+ # disable web task
27
+ if (-f $document_root/system/maintenance.html) {
28
+ rewrite ^(.*)$ /system/maintenance.html last;
29
+ break;
30
+ }
31
+
32
+ location / {
33
+ <% if auth_user %>
34
+ auth_basic "Restricted";
35
+ auth_basic_user_file <%= nginx_dir %>/htpasswd/<%= application %>_<%= stage %>;
36
+ <% end %>
37
+
38
+ # needed to forward user's IP address to rails
39
+ proxy_set_header X-Real-IP $remote_addr;
40
+
41
+ # needed for HTTPS
42
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
43
+ proxy_set_header Host $http_host;
44
+ proxy_redirect false;
45
+ proxy_max_temp_file_size 0;
46
+
47
+ # If the file exists as a static file serve it directly without
48
+ # running all the other rewite tests on it
49
+ if (-f $request_filename) {
50
+ break;
51
+ }
52
+
53
+ # check for index.html for directory index
54
+ # if its there on the filesystem then rewite
55
+ # the url to add /index.html to the end of it
56
+ # and then break to send it to the next config rules.
57
+ if (-f $request_filename/index.html) {
58
+ rewrite (.*) $1/index.html break;
59
+ }
60
+
61
+ # this is the meat of the rails page caching config
62
+ # it adds .html to the end of the url and then checks
63
+ # the filesystem for that file. If it exists, then we
64
+ # rewite the url to have explicit .html on the end
65
+ # and then send it on its way to the next config rule.
66
+ # if there is no file on the fs then it sets all the
67
+ # necessary headers and proxies to our upstream mongrels
68
+ if (-f $request_filename.html) {
69
+ rewrite (.*) $1.html break;
70
+ }
71
+
72
+ if (!-f $request_filename) {
73
+ # Use other cluster name here if you are running multiple
74
+ # virtual hosts.
75
+ <% if mongrels == 1 %>
76
+ proxy_pass http://127.0.0.1:<%= mongrel_port %>;
77
+ <% else %>
78
+ proxy_pass http://mongrel_<%= application %>_<%= stage %>;
79
+ <% end %>
80
+ break;
81
+ }
82
+ }
83
+
84
+ error_page 500 502 503 504 /500.html;
85
+ location = /500.html {
86
+ root <%= deploy_to %>/current/public;
87
+ }
88
+ }
89
+
90
+ <% if ssl_cert %>
91
+ server {
92
+ # port to listen on. Can also be set to an IP:PORT
93
+ listen 443;
94
+
95
+ ssl on;
96
+ ssl_certificate <%= deploy_to %>/current/cert/cert;
97
+ ssl_certificate_key <%= deploy_to %>/current/cert/key;
98
+
99
+ # Set the max size for file uploads to 50Mb
100
+ client_max_body_size 50M;
101
+
102
+ # sets the domain[s] that this vhost server requests for
103
+ server_name <%= domains.join ' ' %>;
104
+
105
+ # doc root
106
+ root <%= deploy_to %>/current/public;
107
+
108
+ # vhost specific access log
109
+ access_log <%= deploy_to %>/shared/log/nginx.log main;
110
+
111
+ # this rewrites all the requests to the maintenance.html
112
+ # page if it exists in the doc root. This is for capistrano's
113
+ # disable web task
114
+ if (-f $document_root/system/maintenance.html) {
115
+ rewrite ^(.*)$ /system/maintenance.html last;
116
+ break;
117
+ }
118
+
119
+ location / {
120
+ <% if auth_user %>
121
+ auth_basic "Restricted";
122
+ auth_basic_user_file <%= nginx_dir %>/htpasswd/<%= application %>_<%= stage %>;
123
+ <% end %>
124
+
125
+ # needed to forward user's IP address to rails
126
+ proxy_set_header X-Real-IP $remote_addr;
127
+
128
+ # needed for HTTPS
129
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
130
+ proxy_set_header X-FORWARDED_PROTO https;
131
+ proxy_set_header Host $http_host;
132
+ proxy_redirect false;
133
+ proxy_max_temp_file_size 0;
134
+
135
+ # If the file exists as a static file serve it directly without
136
+ # running all the other rewite tests on it
137
+ if (-f $request_filename) {
138
+ break;
139
+ }
140
+
141
+ # check for index.html for directory index
142
+ # if its there on the filesystem then rewite
143
+ # the url to add /index.html to the end of it
144
+ # and then break to send it to the next config rules.
145
+ if (-f $request_filename/index.html) {
146
+ rewrite (.*) $1/index.html break;
147
+ }
148
+
149
+ # this is the meat of the rails page caching config
150
+ # it adds .html to the end of the url and then checks
151
+ # the filesystem for that file. If it exists, then we
152
+ # rewite the url to have explicit .html on the end
153
+ # and then send it on its way to the next config rule.
154
+ # if there is no file on the fs then it sets all the
155
+ # necessary headers and proxies to our upstream mongrels
156
+ if (-f $request_filename.html) {
157
+ rewrite (.*) $1.html break;
158
+ }
159
+
160
+ if (!-f $request_filename) {
161
+ # Use other cluster name here if you are running multiple
162
+ # virtual hosts.
163
+ <% if mongrels == 1 %>
164
+ proxy_pass http://127.0.0.1:<%= mongrel_port %>;
165
+ <% else %>
166
+ proxy_pass http://mongrel_<%= application %>_<%= stage %>;
167
+ <% end %>
168
+ break;
169
+ }
170
+ }
171
+
172
+ error_page 500 502 503 504 /500.html;
173
+ location = /500.html {
174
+ root <%= deploy_to %>/current/public;
175
+ }
176
+ }
177
+ <% end %>
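Review bot: The TLS private key is read from `<%= deploy_to %>/current/cert/key` (line 97), i.e. from inside the deployed release, which means it presumably ships with the application checkout and is readable by the deploy user and anything that can read the release tree; keep it under `<%= deploy_to %>/shared/` or `/etc/ssl/private` as a root-owned 0600 file and point `ssl_certificate_key` there. When `ssl_cert` is set, the port-80 server (lines 9–88) still proxies the full application, including the optional `auth_basic` prompt, so credentials and session cookies are accepted in cleartext right next to the HTTPS vhost; make the port-80 `location /` redirect instead, e.g. `rewrite ^(.*) https://$host$1 permanent;`, at least when `ssl_cert` is set. No `ssl_protocols`/`ssl_ciphers` are set on the 443 server, so whatever the nginx build defaults to is negotiated — on builds of this era that includes SSLv2/SSLv3 and weak ciphers — and they should be pinned explicitly.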
@@ -0,0 +1,12 @@
1
+ <% mongrels.times do |x| %>
2
+ check process mongrel_<%= application %>_<%= mongrel_port + x %> with pidfile <%= deploy_to %>/shared/pids/mongrel.<%= mongrel_port + x %>.pid
3
+ group mongrel
4
+ start program = "mongrel_rails cluster::start -C <%= "#{mongrel_etc_dir}/#{application}_#{stage}.yml" %> --clean --only <%= mongrel_port + x %>"
5
+ stop program = "mongrel_rails cluster::stop -C <%= "#{mongrel_etc_dir}/#{application}_#{stage}.yml" %> --clean --only <%= mongrel_port + x %>"
6
+ if failed host 127.0.0.1 port <%= mongrel_port + x %> protocol http with timeout 10 seconds then restart
7
+ if totalmem is greater than 110.0 MB for 4 cycles then restart # eating up memory?
8
+ if cpu is greater than 50% for 2 cycles then alert # send an email to admin
9
+ if cpu is greater than 80% for 3 cycles then restart # hung process?
10
+ if loadavg(5min) greater than 10 for 8 cycles then restart # bad, bad, bad
11
+ if 20 restarts within 20 cycles then timeout # something is wrong, call the sys-admin
12
+ <% end %>
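Review bot: `start program`/`stop program` at lines 4–5 invoke a bare `mongrel_rails`; monit executes these directly with whatever PATH it inherited from the init script, and newer monit releases reject non-absolute program paths at parse time as far as I recall, so the check will fail to start the cluster unless the gem bin directory happens to be on monit's PATH — use the full path (resolve it at template-render time or hard-code the gem bin location) or wrap the command in `/bin/sh -c`. Because monit runs as root, the process is started as root and relies on the cluster YAML's `user:`/`group:` to drop privileges; adding `as uid <%= user %> and gid <%= user %>` to both program lines enforces that in monit itself rather than trusting the YAML. The `mongrel.<%= mongrel_port + x %>.pid` name assumes mongrel_cluster's per-port pid suffix, which matches its default but is worth a one-line comment.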
@@ -0,0 +1,11 @@
1
+ # Defaults for monit initscript
2
+ # sourced by /etc/init.d/monit
3
+ # installed at /etc/default/monit by maintainer scripts
4
+ # Fredrik Steen <stone@debian.org>
5
+
6
+ # You must set this variable to for monit to start
7
+ startup=1
8
+
9
+ # To change the intervals which monit should run uncomment
10
+ # and change this variable.
11
+ # CHECK_INTERVALS=180
@@ -0,0 +1,32 @@
1
+ set daemon 60
2
+ set logfile /var/log/monit.log
3
+ set mailserver localhost
4
+ set mail-format { from: <%= monit_from %> }
5
+ set alert <%= monit_to %>
6
+ set httpd port <%= monit_port %> and allow <%= monit_auth_user %>:<%= monit_auth_pass %>
7
+
8
+ check process sshd with pidfile /var/run/sshd.pid
9
+ start program "/etc/init.d/ssh start"
10
+ stop program "/etc/init.d/ssh stop"
11
+ if failed port <%= ssh_port %> protocol ssh then restart
12
+ if 5 restarts within 5 cycles then timeout
13
+
14
+ check process mysql with pidfile /var/run/mysqld/mysqld.pid
15
+ group database
16
+ start program = "/etc/init.d/mysql start"
17
+ stop program = "/etc/init.d/mysql stop"
18
+ if failed host 127.0.0.1 port 3306 then restart
19
+ if 5 restarts within 5 cycles then timeout
20
+
21
+ check process nginx with pidfile /usr/local/nginx/logs/nginx.pid
22
+ group www
23
+ start program = "/etc/init.d/nginx start"
24
+ stop program = "/etc/init.d/nginx stop"
25
+ if 5 restarts with 5 cycles then timeout
26
+
27
+ check process spawn-fcgi with pidfile /var/run/spawn-fcgi.pid
28
+ group php
29
+ start program = "/etc/init.d/init-fastcgi start"
30
+ stop program = "/etc/init.d/init-fastcgi stop"
31
+ if failed host 127.0.0.1 port 9000 then restart
32
+ if 5 restarts within 5 cycles then timeout
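Review bot: Line 25 reads `if 5 restarts with 5 cycles then timeout` — `with` instead of `within` — and monit's parser rejects the whole control file on an unknown token, so none of these checks would load; change it to `if 5 restarts within 5 cycles then timeout`. Line 6 starts monit's web UI with `set httpd port <%= monit_port %> and allow user:pass` but no `use address`, so it binds every interface and the only thing keeping it off the network is the separate iptables file; since the accompanying nginx vhost proxies it from 127.0.0.1, add `use address 127.0.0.1` to that line. The rendered file embeds `monit_auth_pass` in cleartext, so the task that uploads it should install it root-owned with mode 0600 (monit also refuses a group/world-readable control file in my experience, so looser permissions double as a startup failure).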
@@ -0,0 +1,26 @@
1
+ upstream monit_httpd {
2
+ server 127.0.0.1:<%= monit_port %>;
3
+ }
4
+
5
+ server {
6
+ listen 80;
7
+
8
+ # sets the domain[s] that this vhost server requests for
9
+ server_name <%= monit_domain %>;
10
+
11
+ # vhost specific access log
12
+ access_log /var/log/monit.nginx.log main;
13
+
14
+ location / {
15
+ # needed to forward user's IP address
16
+ proxy_set_header X-Real-IP $remote_addr;
17
+
18
+ # needed for HTTPS
19
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
20
+ proxy_set_header Host $http_host;
21
+ proxy_redirect false;
22
+ proxy_max_temp_file_size 0;
23
+
24
+ proxy_pass http://monit_httpd;
25
+ }
26
+ }