albertoperdomo/Setup a new rails server

## Setup a new rails server
# Login and change root password
# create the user account you are going to use to connect
adduser myuser

# add the user to sudoers
visudo

#add a line like this at the end
myuser ALL=(ALL) ALL

#try logging in through ssh with that user
#and then sudoing to root

su - myuser
mkdir .ssh

vim .ssh/authorized_keys
#paste inside your public key

#set appropiate permissions
chmod 700 .ssh
chmod 600 .ssh/authorized_keys

# log out and try to login via SSH and public key
# it should work by now

# edit the SSH configuration
# in AllowUsers put all the users that should have ssh access, if root should too then put him as well
PasswordAuthentication no
X11Forwarding no
UsePAM no
UseDNS no
AllowUsers myuser

#restart SSH and verify it works correctly

# Now time to install the firewall
aptitude install -y shorewall

#if you are going to have just one eth interface
# you can copy all the files (besides the readme file) from the example directory
cp /usr/share/doc/shorewall-common/examples/one-interface/* /etc/shorewall/
rm /etc/shorewall/README.txt

# edit the rules file to your needs
vim /etc/shorewall/rules

#some useful examples
HTTPS/ACCEPT    net             $FW
HTTP/ACCEPT     net             $FW
SSH/ACCEPT      net             $FW
SMTP/ACCEPT     net            $FW

# after editing to try your new rules
shorewall safe-start

# Once you have accepted your new config set it start on boot
# set startup=1 in /etc/default/shorewall
# set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf


######## RVM

apt-get install curl git-core -y

aptitude install build-essential bison openssl libreadline5 libreadline-dev \
curl git-core zlib1g zlib1g-dev libssl-dev vim libsqlite3-0 libsqlite3-dev \
sqlite3 libreadline-dev libxml2-dev git-core subversion autoconf

# Instalar RVM system wide
bash < <(curl -L http://bit.ly/rvm-install-system-wide)

# En los ficheros /root/.bashrc y /etc/skel/.bashrc
# Cambiar la línea [ -z "$PS1" ] && return por
# if [[ -n "$PS1" ]]; then

# y al final de los ficheros añadir:
fi
if groups | grep -q rvm ; then
  source "/usr/local/lib/rvm"
fi

# Añadir el usuario al grupo RVM para que cargue RVM
adduser deploy rvm

# Dependencias

aptitude install build-essential bison openssl libreadline5 libreadline-dev \
curl git-core zlib1g zlib1g-dev libssl-dev vim libsqlite3-0 libsqlite3-dev \
sqlite3 libreadline-dev libxml2-dev git-core subversion autoconf

rvm install 1.9.2
rvm --default 1.9.2

# Cambiar a usuario y comprobar que se carga el 1.9.2

# Instalar apache:
sudo aptitude install apache2 libapr1-dev apache2-prefork-dev libcurl4-openssl-dev

# Como deploy o root:
gem install passenger
rvmsudo passenger-install-apache2-module

# Copiar el output para la config en /etc/apache2/httpd.conf. Ejemplo:
LoadModule passenger_module /usr/local/rvm/gems/ruby-1.9.2-p0/gems/passenger-3.0.0/ext/apache2/mod_passenger.so
   PassengerRoot /usr/local/rvm/gems/ruby-1.9.2-p0/gems/passenger-3.0.0
   PassengerRuby /usr/local/rvm/wrappers/ruby-1.9.2-p0/ruby

#if you are going to use mysql
aptitude install mysql-server mysql-client libmysqlclient15-dev libmysqlclient15off zlib1g-dev libmysql-ruby1.8 -y

#if you are going to use postgresql
aptitude install postgresql libpq-dev -y

# update the locales
sudo locale-gen en_GB.UTF-8
...
sudo /usr/sbin/update-locale LANG=en_GB.UTF-8

# generate SSH public key
ssh-keygen -t dsa

## SETUP EMAIL

# Setup hostname and DNS

# In /etc/hostname put your FQDN e.g. mail.aentos.net

# In /etc/hosts add a line like this
127.0.0.1 mail.aentos.net

Your file should look like this:
127.0.0.1     localhost localhost.localdomain
127.0.0.1     mail.aentos.net

#reboot and check that hostname -f returns the correct FQDN
~$ hostname -f
mail.aentos.net

# Setup the reverse DNS to point to your FQDN
This is done in Slicehost Manage

# install postfix and other helpful packages
aptitude install postfix telnet mailutils -y

# If you want to have local email delivered to your own email account add some aliases to /etc/aliases
postmaster:     root
root:		alberto
alberto:	alberto.perdomo@aentos.es

#reload aliases
newaliases

#Edit the postfix settings file
vim /etc/postfix/main.cf

#Change the settings to something like this:
myhostname = mail.aentos.net

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

myorigin = $mydomain
mydestination = $mydomain, localhost.$mydomain, localhost

relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

#if you are using rails, TLS might bug you with an error, maybe turn it off
smtpd_use_tls=no

#restart postfix
/etc/init.d/postfix restart

#test sending an email
mail user@example.com
Subject: test
test
.
Cc:

#If you want to prevent services like gmail etc. considering your email as spam set some SPF records for the domain
http://articles.slicehost.com/2008/8/8/email-setting-a-sender-policy-framework-spf-record
#This wizard might be of help: http://old.openspf.org/wizard.html

#Apache settings
#We don't want curious people to see which version of apache/modules we are running etc.
#In /etc/apache2/conf.d/security make this changes in settings
ServerTokens Prod (this will return only Apache as String)
ServerSignature Off (turn off signature in server headers)

#Put a default server name in /etc/apache2/httpd.conf
ServerName myserver.com

#If you are going to use virtual hosts in your apache config be sure to setup a default virtual host for requests with an un expected (not configured) domain name. The easiest way is to use the default site created by the apache installation because it's enabled as 000-default and apache will take the first virtualhost as default

#Sample /etc/apache2/sites-available/default

NameVirtualHost *
<VirtualHost *>
	ServerAdmin webmaster@localhost
	ServerName foo.triphq.net

	ErrorLog /var/log/apache2/error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog /var/log/apache2/access.log combined

	DocumentRoot /var/www/
	<Directory />
		Options FollowSymLinks
		AllowOverride None
	</Directory>
	<Directory /var/www/>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride None
		Order allow,deny
		allow from all
	</Directory>

</VirtualHost>

# We also customize the index.html because we don't like the standard "It works!" message. This is the one we are going to use (/var/www/index.html):
<html><body><h1>The server encountered an error. Please send flowers.</h1></body></html>

# Then you'll need to create a new site for your rails app
<VirtualHost *>
        ServerAdmin info@myapp.com
	ServerName myapp.com

        ErrorLog /var/log/apache2/myapp.com_error.log
        CustomLog /var/log/apache2/myapp.com_access.log combined

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        # set to lower timeout value
        Timeout 45

        DocumentRoot /var/www/myapp/current/public/
        RailsEnv production

        <Directory "/var/www/myapp/current/public/">
                Options FollowSymLinks
                AllowOverride None
                Order allow,deny
                Allow from all
        </Directory>

        # gzip html, css and js
        AddOutputFilterByType DEFLATE text/html text/css application/x-javascript application/javascript

        # far future expires headers
        ExpiresActive on

        ExpiresByType image/png "now plus 365 days"
        ExpiresByType image/jpeg "now plus 365 days"
        ExpiresByType image/gif "now plus 365 days"

</VirtualHost>
	# Login and change root password
	# create the user account you are going to use to connect
	adduser myuser

	# add the user to sudoers
	visudo

	#add a line like this at the end
	myuser ALL=(ALL) ALL

	#try logging in through ssh with that user
	#and then sudoing to root

	su - myuser
	mkdir .ssh

	vim .ssh/authorized_keys
	#paste inside your public key

	#set appropiate permissions
	chmod 700 .ssh
	chmod 600 .ssh/authorized_keys

	# log out and try to login via SSH and public key
	# it should work by now

	# edit the SSH configuration
	# in AllowUsers put all the users that should have ssh access, if root should too then put him as well
	PasswordAuthentication no
	X11Forwarding no
	UsePAM no
	UseDNS no
	AllowUsers myuser

	#restart SSH and verify it works correctly

	# Now time to install the firewall
	aptitude install -y shorewall

	#if you are going to have just one eth interface
	# you can copy all the files (besides the readme file) from the example directory
	cp /usr/share/doc/shorewall-common/examples/one-interface/* /etc/shorewall/
	rm /etc/shorewall/README.txt

	# edit the rules file to your needs
	vim /etc/shorewall/rules

	#some useful examples
	HTTPS/ACCEPT net $FW
	HTTP/ACCEPT net $FW
	SSH/ACCEPT net $FW
	SMTP/ACCEPT net $FW

	# after editing to try your new rules
	shorewall safe-start

	# Once you have accepted your new config set it start on boot
	# set startup=1 in /etc/default/shorewall
	# set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf


	######## RVM

	apt-get install curl git-core -y

	aptitude install build-essential bison openssl libreadline5 libreadline-dev \
	curl git-core zlib1g zlib1g-dev libssl-dev vim libsqlite3-0 libsqlite3-dev \
	sqlite3 libreadline-dev libxml2-dev git-core subversion autoconf

	# Instalar RVM system wide
	bash < <(curl -L http://bit.ly/rvm-install-system-wide)

	# En los ficheros /root/.bashrc y /etc/skel/.bashrc
	# Cambiar la línea [ -z "$PS1" ] && return por
	# if [[ -n "$PS1" ]]; then

	# y al final de los ficheros añadir:
	fi
	if groups \| grep -q rvm ; then
	source "/usr/local/lib/rvm"
	fi

	# Añadir el usuario al grupo RVM para que cargue RVM
	adduser deploy rvm

	# Dependencias

	aptitude install build-essential bison openssl libreadline5 libreadline-dev \
	curl git-core zlib1g zlib1g-dev libssl-dev vim libsqlite3-0 libsqlite3-dev \
	sqlite3 libreadline-dev libxml2-dev git-core subversion autoconf

	rvm install 1.9.2
	rvm --default 1.9.2

	# Cambiar a usuario y comprobar que se carga el 1.9.2

	# Instalar apache:
	sudo aptitude install apache2 libapr1-dev apache2-prefork-dev libcurl4-openssl-dev

	# Como deploy o root:
	gem install passenger
	rvmsudo passenger-install-apache2-module

	# Copiar el output para la config en /etc/apache2/httpd.conf. Ejemplo:
	LoadModule passenger_module /usr/local/rvm/gems/ruby-1.9.2-p0/gems/passenger-3.0.0/ext/apache2/mod_passenger.so
	PassengerRoot /usr/local/rvm/gems/ruby-1.9.2-p0/gems/passenger-3.0.0
	PassengerRuby /usr/local/rvm/wrappers/ruby-1.9.2-p0/ruby

	#if you are going to use mysql
	aptitude install mysql-server mysql-client libmysqlclient15-dev libmysqlclient15off zlib1g-dev libmysql-ruby1.8 -y

	#if you are going to use postgresql
	aptitude install postgresql libpq-dev -y

	# update the locales
	sudo locale-gen en_GB.UTF-8
	...
	sudo /usr/sbin/update-locale LANG=en_GB.UTF-8

	# generate SSH public key
	ssh-keygen -t dsa

	## SETUP EMAIL

	# Setup hostname and DNS

	# In /etc/hostname put your FQDN e.g. mail.aentos.net

	# In /etc/hosts add a line like this
	127.0.0.1 mail.aentos.net

	Your file should look like this:
	127.0.0.1 localhost localhost.localdomain
	127.0.0.1 mail.aentos.net

	#reboot and check that hostname -f returns the correct FQDN
	~$ hostname -f
	mail.aentos.net

	# Setup the reverse DNS to point to your FQDN
	This is done in Slicehost Manage

	# install postfix and other helpful packages
	aptitude install postfix telnet mailutils -y

	# If you want to have local email delivered to your own email account add some aliases to /etc/aliases
	postmaster: root
	root: alberto
	alberto: alberto.perdomo@aentos.es

	#reload aliases
	newaliases

	#Edit the postfix settings file
	vim /etc/postfix/main.cf

	#Change the settings to something like this:
	myhostname = mail.aentos.net

	alias_maps = hash:/etc/aliases
	alias_database = hash:/etc/aliases

	myorigin = $mydomain
	mydestination = $mydomain, localhost.$mydomain, localhost

	relayhost =
	mynetworks = 127.0.0.0/8
	mailbox_size_limit = 0
	recipient_delimiter = +
	inet_interfaces = all

	#if you are using rails, TLS might bug you with an error, maybe turn it off
	smtpd_use_tls=no

	#restart postfix
	/etc/init.d/postfix restart

	#test sending an email
	mail user@example.com
	Subject: test
	test
	.
	Cc:

	#If you want to prevent services like gmail etc. considering your email as spam set some SPF records for the domain
	http://articles.slicehost.com/2008/8/8/email-setting-a-sender-policy-framework-spf-record
	#This wizard might be of help: http://old.openspf.org/wizard.html

	#Apache settings
	#We don't want curious people to see which version of apache/modules we are running etc.
	#In /etc/apache2/conf.d/security make this changes in settings
	ServerTokens Prod (this will return only Apache as String)
	ServerSignature Off (turn off signature in server headers)

	#Put a default server name in /etc/apache2/httpd.conf
	ServerName myserver.com

	#If you are going to use virtual hosts in your apache config be sure to setup a default virtual host for requests with an un expected (not configured) domain name. The easiest way is to use the default site created by the apache installation because it's enabled as 000-default and apache will take the first virtualhost as default

	#Sample /etc/apache2/sites-available/default

	NameVirtualHost *
	<VirtualHost *>
	ServerAdmin webmaster@localhost
	ServerName foo.triphq.net

	ErrorLog /var/log/apache2/error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog /var/log/apache2/access.log combined

	DocumentRoot /var/www/
	<Directory />
	Options FollowSymLinks
	AllowOverride None
	</Directory>
	<Directory /var/www/>
	Options Indexes FollowSymLinks MultiViews
	AllowOverride None
	Order allow,deny
	allow from all
	</Directory>

	</VirtualHost>

	# We also customize the index.html because we don't like the standard "It works!" message. This is the one we are going to use (/var/www/index.html):
	<html><body><h1>The server encountered an error. Please send flowers.</h1></body></html>

	# Then you'll need to create a new site for your rails app
	<VirtualHost *>
	ServerAdmin info@myapp.com
	ServerName myapp.com

	ErrorLog /var/log/apache2/myapp.com_error.log
	CustomLog /var/log/apache2/myapp.com_access.log combined

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	# set to lower timeout value
	Timeout 45

	DocumentRoot /var/www/myapp/current/public/
	RailsEnv production

	<Directory "/var/www/myapp/current/public/">
	Options FollowSymLinks
	AllowOverride None
	Order allow,deny
	Allow from all
	</Directory>

	# gzip html, css and js
	AddOutputFilterByType DEFLATE text/html text/css application/x-javascript application/javascript

	# far future expires headers
	ExpiresActive on

	ExpiresByType image/png "now plus 365 days"
	ExpiresByType image/jpeg "now plus 365 days"
	ExpiresByType image/gif "now plus 365 days"

	</VirtualHost>