winton-cookbook 1.0.0

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2008 Winton Welsh <mail@wintoni.us>
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.markdown

@@ -0,0 +1,134 @@
+Cookbook
+========
+
+Cookbook takes you from a fresh Debian/Ubuntu server to a complete Nginx/Rails/PHP stack using purely Capistrano. It also takes care of app deployment and pretty much writes your **config/deploy.rb** file for you.
+
+
+The stack
+---------
+
+* Git
+* Nginx
+* Mongrel cluster
+* Monit
+* MySQL
+* PHP (Nginx w/ spawn-fcgi)
+* Rails
+* Ruby
+* RubyGems
+* Sphinx
+
+
+Install
+-------
+
+(Goto **Set up a PHP app** if deploying a PHP project)
+
+### Capify your project
+
+	capify .
+
+### Add cookbook as a Git submodule
+
+	git submodule add git://github.com:winton/cookbook.git config/cookbook
+
+### Copy deploy.rb
+
+Copy **config/cookbook/deploy.rb.example** to **config/deploy.rb**
+	
+Edit **config/deploy.rb** to your liking. Run `cap -T` to check out your new tasks.
+
+
+Create the deploy user
+----------------------
+
+### Log in remotely as root
+
+If you can't log in as root directly, but have the password (ServerBeach):
+
+	su
+
+### Change root's password if you already haven't
+
+	passwd
+
+### Add a deploy user
+
+	adduser deploy
+
+### Edit /etc/sudoers
+
+	visudo
+
+Add this line to the end of the file. This gives the deploy user "sudo without password" privileges:
+
+	deploy ALL=NOPASSWD: ALL
+
+### Upload your SSH keys
+
+	cap ssh:setup
+	
+(Just answer no to the first question if you already have local keys generated.)
+
+
+Set up your fresh Debian server
+-------------------------------
+
+### On your machine
+
+	cap debian:setup
+	
+(See **config/cookbook/recipes/debian.rb**. You might want to run the tasks individually to know what's going on.)
+	
+### On the server
+
+Its probably a good idea to restart the server after all that:
+
+	sudo shutdown -r now
+	
+
+Deploy your app
+---------------
+
+### First deploy
+
+	cap deploy:create
+
+(See **config/cookbook/recipes/deploy.rb** to know what's going on here.)
+	
+Optionally set up log rotation and a monit entry for your mongrels:
+
+	cap log:rotate
+	cap monit:config:mongrel
+	
+### Subsequent deploys
+
+	cap deploy
+
+
+Deploy staging
+--------------
+
+See *Deploy your app*, but replace `cap` with `cap staging`.
+
+Example:
+
+	cap staging deploy:create
+
+
+Set up a PHP app
+----------------
+
+### Create directories
+
+	config/
+	public/
+
+Move your site contents into the public directory. Follow instructions in the *Install* section.
+
+Uncomment this line in deploy.rb:
+
+	#:platform => :php,
+
+
+##### Copyright (c) 2008 Winton Welsh, released under the MIT license

data/config/debian/bash_profile.erb

@@ -0,0 +1,9 @@
+export PS1='\e[01;30m\h \e[33m\u \e[01;34m\w\e[00m: '
+
+alias free="free -m"
+
+alias aptitude="sudo aptitude"
+alias update="sudo aptitude update"
+alias upgrade="sudo aptitude upgrade"
+alias install="sudo aptitude install"
+alias remove="sudo aptitude remove"

data/config/debian/iptables.rules.erb

@@ -0,0 +1,47 @@
+*filter
+
+
+#  Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
+
+
+#  Accepts all established inbound connections
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+
+#  Allows all outbound traffic
+#  You can modify this to only allow certain traffic
+-A OUTPUT -j ACCEPT
+
+
+# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
+-A INPUT -p tcp --dport 80 -j ACCEPT
+-A INPUT -p tcp --dport 443 -j ACCEPT
+
+
+# Allows IMAP
+-A INPUT -p tcp --dport 143 -j ACCEPT
+
+
+# Allows SSH connections
+#
+# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
+#
+-A INPUT -p tcp -m state --state NEW --dport <%= ssh_port %> -j ACCEPT
+
+
+# Allow ping
+-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
+
+
+# log iptables denied calls
+-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
+
+
+# Reject all other inbound - default deny unless explicitly allowed policy
+-A INPUT -j REJECT
+-A FORWARD -j REJECT
+
+COMMIT
+# There MUST be a new line after this line!

data/config/debian/locale.gen.erb

@@ -0,0 +1 @@
+en_US.UTF-8 UTF-8

data/config/debian/sshd_config.erb

@@ -0,0 +1,78 @@
+# Package generated configuration file
+# See the sshd(8) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port <%= ssh_port %>
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin no
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile     %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+#PasswordAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding no
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+UsePAM no
+UseDNS no

data/config/log/rotate.conf.erb

@@ -0,0 +1,9 @@
+<%= shared_path %>/log/*.log {
+  daily
+  missingok
+  rotate 7
+  compress
+  delaycompress
+  notifempty
+  copytruncate
+}

data/config/mongrel/mongrel.yml.erb

@@ -0,0 +1,10 @@
+--- 
+user: <%= user %>
+group: <%= user %>
+log_file: <%= deploy_to %>/shared/log/mongrel.log
+cwd: <%= deploy_to %>/current
+port: <%= mongrel_port %>
+environment: production
+pid_file: <%= deploy_to %>/shared/pids/mongrel.pid
+address: 127.0.0.1
+servers: <%= mongrels %>

data/config/mongrel/nginx.vhost.erb

@@ -0,0 +1,177 @@
+<% if mongrels > 1 %>
+upstream mongrel_<%= application %>_<%= stage %> {
+<% mongrels.times do |x| %>
+  server 127.0.0.1:<%= mongrel_port + x %>;
+<% end %>
+}
+<% end %>
+
+server {
+  listen 80;
+  
+  # Set the max size for file uploads to 50Mb
+  client_max_body_size 50M;
+
+  # sets the domain[s] that this vhost server requests for
+  server_name <%= domains.join ' ' %>;
+
+  # doc root
+  root <%= deploy_to %>/current/public;
+
+  # vhost specific access log
+  access_log  <%= deploy_to %>/shared/log/nginx.log main;
+
+  # this rewrites all the requests to the maintenance.html
+  # page if it exists in the doc root. This is for capistrano's
+  # disable web task
+  if (-f $document_root/system/maintenance.html) {
+    rewrite  ^(.*)$  /system/maintenance.html last;
+    break;
+  }
+
+  location / {
+<% if auth_user %>
+    auth_basic            "Restricted";
+    auth_basic_user_file  <%= nginx_dir %>/htpasswd/<%= application %>_<%= stage %>;
+<% end %>
+    
+    # needed to forward user's IP address to rails
+    proxy_set_header  X-Real-IP  $remote_addr;
+
+    # needed for HTTPS
+    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host $http_host;
+    proxy_redirect false;
+    proxy_max_temp_file_size 0;
+    
+    # If the file exists as a static file serve it directly without
+    # running all the other rewite tests on it
+    if (-f $request_filename) { 
+      break; 
+    }
+
+    # check for index.html for directory index
+    # if its there on the filesystem then rewite 
+    # the url to add /index.html to the end of it
+    # and then break to send it to the next config rules.
+    if (-f $request_filename/index.html) {
+      rewrite (.*) $1/index.html break;
+    }
+
+    # this is the meat of the rails page caching config
+    # it adds .html to the end of the url and then checks
+    # the filesystem for that file. If it exists, then we
+    # rewite the url to have explicit .html on the end 
+    # and then send it on its way to the next config rule.
+    # if there is no file on the fs then it sets all the 
+    # necessary headers and proxies to our upstream mongrels
+    if (-f $request_filename.html) {
+      rewrite (.*) $1.html break;
+    }
+
+    if (!-f $request_filename) {
+      # Use other cluster name here if you are running multiple
+      # virtual hosts.
+      <% if mongrels == 1 %>
+      proxy_pass http://127.0.0.1:<%= mongrel_port %>;
+      <% else %>
+      proxy_pass http://mongrel_<%= application %>_<%= stage %>;
+      <% end %>
+      break;
+    }
+  }
+
+  error_page   500 502 503 504  /500.html;
+  location = /500.html {
+    root <%= deploy_to %>/current/public;
+  }
+}
+
+<% if ssl_cert %>
+server {
+  # port to listen on. Can also be set to an IP:PORT
+  listen 443;
+  
+  ssl on;
+  ssl_certificate     <%= deploy_to %>/current/cert/cert;
+  ssl_certificate_key <%= deploy_to %>/current/cert/key;
+    
+  # Set the max size for file uploads to 50Mb
+  client_max_body_size 50M;
+
+  # sets the domain[s] that this vhost server requests for
+  server_name <%= domains.join ' ' %>;
+
+  # doc root
+  root <%= deploy_to %>/current/public;
+
+  # vhost specific access log
+  access_log  <%= deploy_to %>/shared/log/nginx.log main;
+
+  # this rewrites all the requests to the maintenance.html
+  # page if it exists in the doc root. This is for capistrano's
+  # disable web task
+  if (-f $document_root/system/maintenance.html) {
+    rewrite  ^(.*)$  /system/maintenance.html last;
+    break;
+  }
+
+  location / {
+<% if auth_user %>
+    auth_basic            "Restricted";
+    auth_basic_user_file  <%= nginx_dir %>/htpasswd/<%= application %>_<%= stage %>;
+<% end %>
+
+    # needed to forward user's IP address to rails
+    proxy_set_header  X-Real-IP  $remote_addr;
+
+    # needed for HTTPS
+    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-FORWARDED_PROTO https;
+    proxy_set_header Host $http_host;
+    proxy_redirect false;
+    proxy_max_temp_file_size 0;
+
+    # If the file exists as a static file serve it directly without
+    # running all the other rewite tests on it
+    if (-f $request_filename) { 
+      break; 
+    }
+
+    # check for index.html for directory index
+    # if its there on the filesystem then rewite 
+    # the url to add /index.html to the end of it
+    # and then break to send it to the next config rules.
+    if (-f $request_filename/index.html) {
+      rewrite (.*) $1/index.html break;
+    }
+
+    # this is the meat of the rails page caching config
+    # it adds .html to the end of the url and then checks
+    # the filesystem for that file. If it exists, then we
+    # rewite the url to have explicit .html on the end 
+    # and then send it on its way to the next config rule.
+    # if there is no file on the fs then it sets all the 
+    # necessary headers and proxies to our upstream mongrels
+    if (-f $request_filename.html) {
+      rewrite (.*) $1.html break;
+    }
+
+    if (!-f $request_filename) {
+      # Use other cluster name here if you are running multiple
+      # virtual hosts.
+      <% if mongrels == 1 %>
+      proxy_pass http://127.0.0.1:<%= mongrel_port %>;
+      <% else %>
+      proxy_pass http://mongrel_<%= application %>_<%= stage %>;
+      <% end %>
+      break;
+    }
+  }
+
+  error_page   500 502 503 504  /500.html;
+  location = /500.html {
+    root <%= deploy_to %>/current/public;
+  }
+}
+<% end %>

data/config/monit/mongrel.erb

@@ -0,0 +1,12 @@
+<% mongrels.times do |x| %>
+check process mongrel_<%= application %>_<%= mongrel_port + x %> with pidfile <%= deploy_to %>/shared/pids/mongrel.<%= mongrel_port + x %>.pid
+  group mongrel
+  start program = "mongrel_rails cluster::start -C <%= "#{mongrel_etc_dir}/#{application}_#{stage}.yml" %> --clean --only <%= mongrel_port + x %>"
+  stop program  = "mongrel_rails cluster::stop -C <%= "#{mongrel_etc_dir}/#{application}_#{stage}.yml" %> --clean --only <%= mongrel_port + x %>"
+  if failed host 127.0.0.1 port <%= mongrel_port + x %> protocol http with timeout 10 seconds then restart
+  if totalmem is greater than 110.0 MB for 4 cycles then restart      # eating up memory?
+  if cpu is greater than 50% for 2 cycles then alert                  # send an email to admin
+  if cpu is greater than 80% for 3 cycles then restart                # hung process?
+  if loadavg(5min) greater than 10 for 8 cycles then restart          # bad, bad, bad
+  if 20 restarts within 20 cycles then timeout                        # something is wrong, call the sys-admin
+<% end %>

data/config/monit/monit.erb

@@ -0,0 +1,11 @@
+# Defaults for monit initscript
+# sourced by /etc/init.d/monit
+# installed at /etc/default/monit by maintainer scripts
+# Fredrik Steen <stone@debian.org>
+
+# You must set this variable to for monit to start
+startup=1
+
+# To change the intervals which monit should run uncomment
+# and change this variable.
+# CHECK_INTERVALS=180

data/config/monit/monitrc.erb

@@ -0,0 +1,32 @@
+set daemon  60
+set logfile /var/log/monit.log
+set mailserver localhost
+set mail-format { from: <%= monit_from %> }
+set alert <%= monit_to %>
+set httpd port <%= monit_port %> and allow <%= monit_auth_user %>:<%= monit_auth_pass %>
+
+check process sshd with pidfile /var/run/sshd.pid
+  start program  "/etc/init.d/ssh start"
+  stop program  "/etc/init.d/ssh stop"
+  if failed port <%= ssh_port %> protocol ssh then restart
+  if 5 restarts within 5 cycles then timeout
+
+check process mysql with pidfile /var/run/mysqld/mysqld.pid
+  group database
+  start program = "/etc/init.d/mysql start"
+  stop program = "/etc/init.d/mysql stop"
+  if failed host 127.0.0.1 port 3306 then restart
+  if 5 restarts within 5 cycles then timeout
+
+check process nginx with pidfile /usr/local/nginx/logs/nginx.pid
+  group www
+  start program = "/etc/init.d/nginx start"
+  stop program  = "/etc/init.d/nginx stop"
+  if 5 restarts with 5 cycles then timeout
+
+check process spawn-fcgi with pidfile /var/run/spawn-fcgi.pid
+  group php
+  start program = "/etc/init.d/init-fastcgi start"
+  stop program = "/etc/init.d/init-fastcgi stop"
+  if failed host 127.0.0.1 port 9000 then restart
+  if 5 restarts within 5 cycles then timeout

data/config/monit/nginx.vhost.erb

@@ -0,0 +1,26 @@
+upstream monit_httpd {
+  server 127.0.0.1:<%= monit_port %>;
+}
+
+server {
+  listen 80;
+  
+  # sets the domain[s] that this vhost server requests for
+  server_name <%= monit_domain %>;
+
+  # vhost specific access log
+  access_log  /var/log/monit.nginx.log main;
+
+  location / {    
+    # needed to forward user's IP address
+    proxy_set_header  X-Real-IP  $remote_addr;
+
+    # needed for HTTPS
+    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host $http_host;
+    proxy_redirect false;
+    proxy_max_temp_file_size 0;
+
+    proxy_pass http://monit_httpd;
+  }
+}