Deploying an app for the first time


sudo mkdir /var/www/
sudo chown -R deploy:deploy /var/www/


cap deploy:setup

Verify & tweak yaml configs, Aloha, etc (most of which were generated by socialist) in /var/www/

cap deploy


cd /var/www/
rake db:setup RAILS_ENV=production

Link the apache conf:

ln -s /var/www/ /etc/apache2/sites-available/dashboard
sudo a2ensite dashboard
sudo /etc/init.d/apache2 reload



Nginx + Passenger (w/ REE) on Ubuntu 9.10

ssh root@fiona

Get rid of that obnoxious motd.

echo '' > /etc/motd

Set the hostname

echo 'fiona' > /etc/hostname
/etc/init.d/ start

Update and install some essentials.

aptitude update
aptitude upgrade
aptitude install build-essential zlib1g-dev libssl-dev git-core curl

Ruby Enterprise Edition

mkdir /usr/local/src && cd /usr/local/src

curl -LO
dpkg -i ruby-enterprise_1.8.7-20090928_i386.deb

Nginx + Passenger

curl | tar xvz
gem install passenger



"Automatically download and install Nginx?": 2
"Where is your Nginx source code located?": /root/src/nginx-0.7.62
"Where do you want to install Nginx to?": /usr/local/nginx
"Extra Nginx configure options": --sbin-path=/usr/local/sbin --with-http_ssl_module
curl > /etc/init.d/nginx
chmod +x /etc/init.d/nginx
update-rc.d -f nginx defaults

curl > /usr/local/nginx/conf/nginx.conf

/etc/init.d/nginx start


adduser ci
adduser ci admin

ssh ci@fiona

curl > .gemrc

echo 'set nocompatible' > .vimrc

sudo vi /etc/nginx/integrity.conf
server {
    listen 80;
    root /home/ci/integrity/public;
    passenger_enabled on;
sudo aptitude install sqlite3 libsqlite3-dev
gem install integrity
sudo gem install do_sqlite3 --version=0.9.11
sudo gem uninstall data_objects --version=0.9.12
integrity install ~/integrity
cd integrity

vi config.yml
:database_uri: sqlite3:///home/ci/integrity/integrity.db
:export_directory: /home/ci/integrity/builds
:log: /home/ci/integrity/log/integrity.log
:build_all_commits: true
:use_basic_auth: true
:admin_username: ''
:admin_password: f7d225c0fd69b47618aa410226f8c22a091cbc78
:hash_admin_password: true
integrity migrate_db config.yml
mkdir public

sudo /etc/init.d/nginx reload


cd /usr/local/src
sudo git clone git://
cd rip
sudo ruby setup.rb
sudo chown -R ci:ci ~/.rip 


sudo -i
cd /usr/local/src
aptitude install tcl8.4 tk8.4
curl | tar zxv
cd git-
make install


(for mysql gem)

sudo aptitude install libmysqlclient-dev mysql-client mysql-server

(for image_science)

sudo aptitude install libfreeimage-dev

(for nokogiri)

sudo aptitude install libxml2-dev libxslt1-dev


sudo apt-get install ufw

sudo ufw default deny
sudo ufw allow http/tcp
sudo ufw allow https/tcp
sudo ufw allow from

sudo ufw enable
sudo ufw status verbose


sudo -i
apt-get install openvpn

cd /usr/share/doc/openvpn/examples
cp ./sample-config-files/server.conf.gz /etc/openvpn
cp -r ./easy-rsa/2.0 /etc/openvpn
cd /etc/openvpn

mv 2.0 easy-rsa
gzip -d server.conf.gz

cd /etc/openvpn/easy-rsa
vim ./vars

At the bottom of the file

export KEY_CITY="Tampa"
export KEY_ORG="Gray's College Bookstore"
export KEY_EMAIL=""
. ./vars

Generate the certificate and key for the server.

./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/

Creating the server configuration file

vi /etc/openvpn/server.conf

Notable changes:

client-to-client # Allow clients to see eachother
tls-auth ta.key 0
user nobody
group nogroup
cd /etc/openvpn/easy-rsa/keys
cp ca.crt server.crt server.key dh1024.pem /etc/openvpn

/etc/init.d/openvpn restart

Allow connections through the firewall.

ufw allow 1194/udp

Client Setup

sudo -i
cd /etc/openvpn/easy-rsa/
source vars

export clientname=hettie
./pkitook $clientname

cd keys
tar zcvf /home/ci/$clientname.gz $clientname.crt $clientname.key ca.crt ta.key
chown ci:ci /home/ci/$clientname.gz

On the client:

sudo apt-get install openvpn
scp -P42$HOSTNAME.gz .

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn
sudo tar zxvf $HOSTNAME.gz -C /etc/openvpn/

sudo vi /etc/openvpn/client.conf

Notable changes:

remote 1194
user nobody
group nogroup
cert hettie.crt
key hettie.key
tls-auth ta.key 1
sudo /etc/init.d/openvpn restart

Aloha Auth

Unfortunately, this negates the client certificate authentication. So we're not going with it.

cd /usr/local/sbin
sudo curl -O
sudo chmod +x auth-aloha.rb

sudo vi /etc/openvpn/server.conf


auth-user-pass-verify /usr/local/sbin/auth-aloha.rb via-file
tmp-dir /dev/shm
sudo /etc/init.d/openvpn restart


sudo apt-get install bind9 dnsutils
sudo vi /etc/bind/named.conf.local
zone "grays.local" {
  type master;
  file "/etc/bind/db.grays.local";

zone "" {
  type master;
  file "/etc/bind/";
sudo vi /etc/bind/db.grays.local
$TTL    604800
@       IN      SOA     ns.grays.local. admin.grays.local. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
@       IN      NS      ns.grays.local.
@       IN      A
fiona   IN      A
sudo vi /etc/bind/
$TTL    604800
@       IN      SOA     ns.grays.local. admin.grays.local. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
@       IN      NS      ns.
1       IN      PTR     ns.grays.local.
sudo /etc/init.d/bind9 restart

vi /etc/resolv.conf
search grays.local

Push DNS from OpenVPN

We're not actually doing this. I couldn't get it work without jumping through hoops on the clients. Intead, just manually configure as a nameserver on the clients

sudo vi /etc/openvpn/server.conf
push "dhcp-option DNS"
push "dhcp-option DNS"
push "dhcp-option DNS"
sudo /etc/init.d/openvpn restart


sudo apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl libmd5-perl

cd /usr/local/src
sudo curl -OL
sudo dpkg -i webmin-current.deb

Assign IPs to Clients

sudo vi /etc/openvpn/server.conf
client-config-dir ccd
sudo mkdir /etc/openvpn/ccd
sudo vi /etc/openvpn/ccd/elise

For the last octet of the IP see

sudo /etc/init.d/openvpn restart


On fiona (server):

sudo apt-get install syslog-ng
sudo vi /etc/syslog-ng/syslog-ng.conf
source s_remote { tcp(); };
destination d_clients { file("/var/log/$HOST/$PROGRAM"); };
log { source(s_remote); destination(d_clients); };
sudo /etc/init.d/syslog-ng restart

On hettie (client):

source s_local {
  file("/proc/kmsg" log_prefix("kernel: "));

destination d_log_host {
  tcp("" port(514));

log {

Redis / Resque

sudo -i

cd /usr/local/src
curl | tar zxv
cd redis-1.2.5

cp redis-server /usr/local/bin/
cp redis-cli /usr/local/bin/

Install redis.conf to /etc/redis.conf

sudo cp utils/redis_init_script /etc/init.d/redis-server

vi /etc/init.d/redis-server

Change the conf file path to /etc/redis.conf

chmod +x /etc/init.d/redis-server
update-rc.d -f redis-server defaults

gem install redis redis-namespace yajl-ruby


cd /home/ci

git clone git://

mkdir resque/public
mkdir resque/tmp

sudo vi /etc/nginx/resque.conf
server {
  listen 80;
  root /home/ci/resque/public;
  passenger_enabled on;
  auth_basic "Restricted";
  auth_basic_user_file /etc/nginx/_htpasswd;
sudo /etc/init.d/nginx reload
sudo /etc/init.d/redis-server start
# god Startup script for God.
# chkconfig: - 85 15
# description: Run god that starts and monitors all Winnow processes
# Go no further if config directory is missing.
[ -f "$CONF" ] || exit 0
case "$1" in
god -c $CONF -l /var/log/god.log -P /var/run/ --no-syslog
god quit
god quit
god -c $CONF -l /var/log/god.log -P /var/run/ --no-syslog
echo "Usage: god {start|stop|restart}"
exit 1
exit $RETVAL
dir = File.join(File.dirname(__FILE__), "god.conf.d", "*.god")
puts "Loading #{dir}"


How god is setup on the servers (using hettie as an example).

gem install god

Setup log rotation, edit /etc/logrotate.d/god:

/var/log/god.log {
  rotate 6

Install god.conf to /etc/god.conf

mkdir /etc/god.conf.d

Install init.d/god:

chmod +x /etc/init.d/god
update-rc.d -f god defaults
/etc/init.d/god start

Notes on setting up Apache 2 with Passenger and REE on Ubuntu 9.10

ssh root@

adduser admin
adduser admin sudo
adduser deploy


uncomment or add the line: %sudo ALL=NOPASSWD: ALL



scp ~/.ssh/ admin@
ssh admin@

Back on the server:

mkdir .ssh
cat > .ssh/authorized_keys

touch .sudo_as_admin_successful
touch .hushlogin

Now that you can login without a password, disable root login.

sudo vi /etc/ssh/sshd_config

Change PermitRootLogin yes to PermitRootLogin no.

sudo /etc/init.d/ssh restart

Switch to root. (LOL?)

su -l

Put the hostname for the server in /etc/hostname

  • Add hettie to /etc/hostname

  • Add hettie to /etc/hosts

    hostname hettie


Enable the universe repositories.

vi /etc/apt/sources.list

apt-get update
apt-get dist-upgrade

Install required things.

apt-get -y install libc6-dev libssl-dev make build-essential libssl-dev libreadline5-dev zlib1g-dev curl

Install Apache 2 and MySQL and git.

apt-get install apache2 apache2-threaded-dev mysql-server libmysqlclient15-dev git-core


cd /usr/local/src

curl -OL
dpkg -i ruby-enterprise_1.8.7-2009.10_i386.deb

Put the following in .gemrc

:benchmark: false
:update_sources: true
gem: --no-ri --no-rdoc
:bulk_threshold: 1000
:backtrace: false
:verbose: true

Update gems and install rails

gem update
gem install rails



Add the lines given by the passenger installation to you Apache configuration

vi /etc/apache2/httpd.conf

LoadModule passenger_module /usr/local/lib/ruby/gems/1.8/gems/passenger-2.2.7/ext/apache2/
PassengerRoot /usr/local/lib/ruby/gems/1.8/gems/passenger-2.2.7
PassengerRuby /usr/local/bin/ruby

Going to use any SSL?

a2enmod ssl

Self-signed cert

mkdir /etc/apache2/ssl
cd /etc/apache2/ssl

openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

a2enmod ssl

SSL conf would look something like:

SSLEngine on
SSLCertificateFile    /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key

Restart apache.

/etc/init.d/apache2 restart

apache2: Could not reliably determine the server's fully qualified domain name, using for ServerName

Annoying? Add something like ServerName hettie to /etc/apache2/httpd.conf

# Redis configuration file example
# By default Redis does not run as a daemon. Use 'yes' if you need it.
# Note that Redis will write a pid file in /var/run/ when daemonized.
daemonize yes
#daemonize no
# When run as a daemon, Redis write a pid file in /var/run/ by default.
# You can specify a custom pid file location here.
pidfile /var/run/
# Accept connections on the specified port, default is 6379
port 6379
# If you want you can bind a single interface, if the bind option is not
# specified all the interfaces will listen for connections.
# bind
# Close the connection after a client is idle for N seconds (0 to disable)
timeout 300
# Set server verbosity to 'debug'
# it can be one of:
# debug (a lot of information, useful for development/testing)
# notice (moderately verbose, what you want in production probably)
# warning (only very important / critical messages are logged)
loglevel notice
#loglevel debug
# Specify the log file name. Also 'stdout' can be used to force
# the demon to log on the standard output. Note that if you use standard
# output for logging but daemonize, logs will be sent to /dev/null
logfile /var/log/redis.log
#logfile stdout
# Set the number of databases. The default database is DB 0, you can select
# a different one on a per-connection basis using SELECT <dbid> where
# dbid is a number between 0 and 'databases'-1
databases 16
################################ SNAPSHOTTING #################################
# Save the DB on disk:
# save <seconds> <changes>
# Will save the DB if both the given number of seconds and the given
# number of write operations against the DB occurred.
# In the example below the behaviour will be to save:
# after 900 sec (15 min) if at least 1 key changed
# after 300 sec (5 min) if at least 10 keys changed
# after 60 sec if at least 10000 keys changed
save 900 1
save 300 10
save 60 10000
# Compress string objects using LZF when dump .rdb databases?
# For default that's set to 'yes' as it's almost always a win.
# If you want to save some CPU in the saving child set it to 'no' but
# the dataset will likely be bigger if you have compressible values or keys.
rdbcompression yes
# The filename where to dump the DB
dbfilename dump.rdb
# For default save/load DB in/from the working directory
# Note that you must specify a directory not a file name.
dir ./
################################# REPLICATION #################################
# Master-Slave replication. Use slaveof to make a Redis instance a copy of
# another Redis server. Note that the configuration is local to the slave
# so for example it is possible to configure the slave to save the DB with a
# different interval, or to listen to another port, and so on.
# slaveof <masterip> <masterport>
# If the master is password protected (using the "requirepass" configuration
# directive below) it is possible to tell the slave to authenticate before
# starting the replication synchronization process, otherwise the master will
# refuse the slave request.
# masterauth <master-password>
################################## SECURITY ###################################
# Require clients to issue AUTH <PASSWORD> before processing any other
# commands. This might be useful in environments in which you do not trust
# others with access to the host running redis-server.
# This should stay commented out for backward compatibility and because most
# people do not need auth (e.g. they run their own servers).
# requirepass foobared
################################### LIMITS ####################################
# Set the max number of connected clients at the same time. By default there
# is no limit, and it's up to the number of file descriptors the Redis process
# is able to open. The special value '0' means no limts.
# Once the limit is reached Redis will close all the new connections sending
# an error 'max number of clients reached'.
# maxclients 128
# Don't use more memory than the specified amount of bytes.
# When the memory limit is reached Redis will try to remove keys with an
# EXPIRE set. It will try to start freeing keys that are going to expire
# in little time and preserve keys with a longer time to live.
# Redis will also try to remove objects from free lists if possible.
# If all this fails, Redis will start to reply with errors to commands
# that will use more memory, like SET, LPUSH, and so on, and will continue
# to reply to most read-only commands like GET.
# WARNING: maxmemory can be a good idea mainly if you want to use Redis as a
# 'state' server or cache, not as a real DB. When Redis is used as a real
# database the memory usage will grow over the weeks, it will be obvious if
# it is going to use too much memory in the long run, and you'll have the time
# to upgrade. With maxmemory after the limit is reached you'll start to get
# errors for write operations, and this may even lead to DB inconsistency.
# maxmemory <bytes>
############################## APPEND ONLY MODE ###############################
# By default Redis asynchronously dumps the dataset on disk. If you can live
# with the idea that the latest records will be lost if something like a crash
# happens this is the preferred way to run Redis. If instead you care a lot
# about your data and don't want to that a single record can get lost you should
# enable the append only mode: when this mode is enabled Redis will append
# every write operation received in the file appendonly.log. This file will
# be read on startup in order to rebuild the full dataset in memory.
# Note that you can have both the async dumps and the append only file if you
# like (you have to comment the "save" statements above to disable the dumps).
# Still if append only mode is enabled Redis will load the data from the
# log file at startup ignoring the dump.rdb file.
# The name of the append only file is "appendonly.log"
# IMPORTANT: Check the BGREWRITEAOF to check how to rewrite the append
# log file in background when it gets too big.
appendonly no
# The fsync() call tells the Operating System to actually write data on disk
# instead to wait for more data in the output buffer. Some OS will really flush
# data on disk, some other OS will just try to do it ASAP.
# Redis supports three different modes:
# no: don't fsync, just let the OS flush the data when it wants. Faster.
# always: fsync after every write to the append only log . Slow, Safest.
# everysec: fsync only if one second passed since the last fsync. Compromise.
# The default is "always" that's the safer of the options. It's up to you to
# understand if you can relax this to "everysec" that will fsync every second
# or to "no" that will let the operating system flush the output buffer when
# it want, for better performances (but if you can live with the idea of
# some data loss consider the default persistence mode that's snapshotting).
appendfsync always
# appendfsync everysec
# appendfsync no
############################### ADVANCED CONFIG ###############################
# Glue small output buffers together in order to send small replies in a
# single TCP packet. Uses a bit more CPU but most of the times it is a win
# in terms of number of queries per second. Use 'yes' if unsure.
glueoutputbuf yes
# Use object sharing. Can save a lot of memory if you have many common
# string in your dataset, but performs lookups against the shared objects
# pool so it uses more CPU and can be a bit slower. Usually it's a good
# idea.
# When object sharing is enabled (shareobjects yes) you can use
# shareobjectspoolsize to control the size of the pool used in order to try
# object sharing. A bigger pool size will lead to better sharing capabilities.
# In general you want this value to be at least the double of the number of
# very common strings you have in your dataset.
# WARNING: object sharing is experimental, don't enable this feature
# in production before of Redis 1.0-stable. Still please try this feature in
# your development environment so that we can test it better.
shareobjects no
shareobjectspoolsize 1024
