@brycejohnston
Last active October 12, 2019 19:05
Debian 9 Rails Prod Setup

Update system and install prerequisite packages

apt-get update && apt-get dist-upgrade
apt-get install open-vm-tools # VMware VMs Only
sh -c 'echo vm.swappiness=5 >> /etc/sysctl.conf' # Prod Env
reboot

Some of these packages may already be installed

apt-get install openssh-server mercurial make binutils bison gcc \
 build-essential git-core curl zlib1g-dev openssl libssl-dev libreadline-dev \
 libyaml-dev libsqlite3-dev sqlite3 libxml2-dev libxslt1-dev libcurl4-openssl-dev \
 software-properties-common wget dnsutils vim zip unzip screen tmux htop \
 libffi-dev redis-server imagemagick ntp ufw sudo dirmngr libxrender1

Install postfix SMTP server (Choose internet site configuration and use the server's domain name)

apt-get install postfix

Edit postfix config file

vim /etc/postfix/main.cf

Set inet_interfaces to be loopback-only

inet_interfaces = loopback-only

Setup deployment user (Production Environment)

Add the deploy user (Production Env - VPS only, otherwise this is done during install)

adduser deploy

Add deploy user to sudo group

gpasswd -a deploy sudo

Configure SSH for better security

Open the sshd config

vim /etc/ssh/sshd_config

Change from Port 22 to Port 2012 or another non-standard port

Port 2012

Disable root login

PermitRootLogin no

Restart SSH

service ssh restart
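
A check for the two sshd_config edits above, as an added example that is not part of the original gist. The function names, the sample excerpt and the 10.0.0.0/8 address are constructed for illustration; the script only reads the file it is given.

```shell
# Added example (not from the gist): offline check of an sshd_config file.

# Print each value given for keyword $1 in the global section of file $2.
# Keywords are case-insensitive; global settings end at the first Match line.
sshd_values() {
  awk -v want="$1" '
    { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
    /^#/ || /^$/ { next }
    {
      key = $0; sub(/[ \t=].*$/, "", key)
      val = $0; sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val)
      if (tolower(key) == "match") exit
      if (tolower(key) == tolower(want)) print val
    }' "$2"
}

# Print one finding per line; the return status is the number of findings.
audit_sshd() {
  file=$1 findings=0
  # For single-valued keywords sshd uses the first value it reads.
  root=$(sshd_values PermitRootLogin "$file" | head -n 1)
  if [ "$root" != "no" ]; then
    echo "PermitRootLogin is '${root:-unset}', expected 'no'"
    findings=$((findings + 1))
  fi
  # Port may be repeated and every listed port is opened; unset means 22.
  ports=$(sshd_values Port "$file")
  for p in ${ports:-22}; do
    if [ "$p" = 22 ]; then
      echo "sshd still listens on port 22"
      findings=$((findings + 1))
    fi
  done
  # Later duplicates are ignored, a common reason an edit has no effect.
  count=$(sshd_values PermitRootLogin "$file" | wc -l | tr -d ' ')
  if [ "$count" -gt 1 ]; then
    echo "PermitRootLogin is set $count times; only the first is used"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Constructed sample: the guide's two edits with a stale duplicate below them.
sample=$(mktemp)
printf '%s\n' 'Port 2012' 'PermitRootLogin no' 'permitrootlogin yes' \
  'Match Address 10.0.0.0/8' 'PermitRootLogin prohibit-password' > "$sample"
audit_sshd "$sample" || echo "findings: $?"
rm -f "$sample"
```

On the server itself, `sshd -t` checks the file for syntax errors and `sshd -T` prints the effective configuration. Keep the current session open until a new login on the new port succeeds.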

SSH w/ deploy user

ssh -p 2012 deploy@SERVER_IP_ADDRESS

Enable bash color prompt

vim ~/.bashrc

Uncomment this line

force_color_prompt=yes

Reload w/ changes

exec $SHELL

Generate an SSH keypair used for deployments

ssh-keygen -t rsa -C "YOUR@EMAIL.com"

Copy the output of this command and paste into the deploy keys section of the github repo settings

cat ~/.ssh/id_rsa.pub

Check to make sure SSH to github works with your key

ssh -T git@github.com

Create the authorized_keys file

touch ~/.ssh/authorized_keys

Configure firewall (Production Environment)

Enable SSH

sudo ufw allow 2012/tcp

Enable HTTP

sudo ufw allow 80/tcp

Enable SSL/TLS

sudo ufw allow 443/tcp

Enable firewall rules

sudo ufw enable

Configure timezone and NTP

Set timezone

sudo dpkg-reconfigure tzdata

Setup Application Stack

SSH w/ deploy user

ssh -p 2012 deploy@SERVER_IP_ADDRESS

Paste your public key into the authorized_keys file (at bottom if others already exist)

vim ~/.ssh/authorized_keys

Exit the old SSH session and reconnect; you should no longer need to type the server password

exit
ssh -p 2012 deploy@SERVER_IP_ADDRESS

PostgreSQL

sudo apt-get install postgresql-9.6 libpq-dev

Add postgres user and set password (use same username as your linux user)

sudo -u postgres createuser myuser -s

sudo -u postgres psql
postgres=# \password myuser

Create your app's production database on server

createdb myappname_production

Ruby and Ruby on Rails

Install rbenv, ruby-build and ruby 2.5.3

cd
git clone https://github.com/sstephenson/rbenv.git .rbenv
echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bashrc
echo 'eval "$(rbenv init -)"' >> ~/.bashrc
exec $SHELL

git clone https://github.com/sstephenson/ruby-build.git ~/.rbenv/plugins/ruby-build
echo 'export PATH="$HOME/.rbenv/plugins/ruby-build/bin:$PATH"' >> ~/.bashrc
exec $SHELL

rbenv install 2.5.3
rbenv global 2.5.3
ruby -v

Tell RubyGems to not install documentation for each gem

echo "gem: --no-ri --no-rdoc" > ~/.gemrc

Install bundler and rails

gem install bundler
gem install rails
gem install aws-sdk # optional
gem install colorize # optional
rbenv rehash

Node.js

Install stable version of node

curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.33.4/install.sh | bash
exec $SHELL
nvm install stable
nvm use stable
nvm alias default stable

Make the current version of node available system-wide at /usr/local/bin/node

n=$(which node);n=${n%/bin/node}; chmod -R 755 $n/bin/*; sudo cp -r $n/{bin,lib,share} /usr/local

Phusion Passenger w/ Nginx

Add Phusion APT repo and install nginx and passenger

See https://www.phusionpassenger.com/library/install/nginx/install/oss/stretch/ if any issues with installation.

sudo apt-get install -y dirmngr gnupg nginx
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 561F9B9CAC40B2F7
sudo apt-get install -y apt-transport-https ca-certificates

# Add our APT repository
sudo sh -c 'echo deb https://oss-binaries.phusionpassenger.com/apt/passenger stretch main > /etc/apt/sources.list.d/passenger.list'
sudo apt-get update

# Install Passenger + Nginx module
sudo apt-get install -y libnginx-mod-http-passenger

Edit nginx.conf

sudo vim /etc/nginx/nginx.conf

Uncomment server_tokens off

server_tokens off;

Save and then edit /etc/nginx/conf.d/mod-http-passenger.conf and change the passenger_ruby path

##
# Phusion Passenger config
##
# Uncomment it if you installed passenger or passenger-enterprise
##

passenger_root /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini;
passenger_ruby /home/deploy/.rbenv/shims/ruby;

Restart nginx

sudo service nginx restart

Open the nginx default site config

sudo vim /etc/nginx/sites-available/default

Comment out these two lines

# listen 80 default_server;
# listen [::]:80 default_server ipv6only=on;

Create an nginx conf for the app

sudo vim /etc/nginx/sites-available/myappname

Add the following server block

server {
  listen 80 default_server;
  server_name www.mydomain.com;
  passenger_enabled on;
  root /home/deploy/myappname/current/public;
}

Enable the new nginx conf

sudo ln -s /etc/nginx/sites-available/myappname /etc/nginx/sites-enabled/myappname

Restart nginx

sudo service nginx restart

Setup Logrotate

Edit the logrotate config

sudo vim /etc/logrotate.conf

At bottom of file add the following block:

/home/deploy/myappname/current/log/*.log {
  daily
  missingok
  rotate 7
  compress
  delaycompress
  notifempty
  copytruncate
}

Test with:

sudo /usr/sbin/logrotate -f /etc/logrotate.conf

Other Tools

wkhtmltopdf

The wkhtmltopdf package available in the Debian repo is the version built with unpatched Qt. You most likely want the version with patched Qt, so download the precompiled binaries for Linux from https://wkhtmltopdf.org/downloads.html, extract them, and copy the binaries in the bin folder to /usr/bin/

At the time of writing, the latest version is 0.12.4 which has an issue fetching remote images over https, so you will need to install libssl1.0-dev

sudo apt-get install libssl1.0-dev

More details here: https://agdeveloper.com/post/debian_wkhtmltopdf/

Sidekiq

Setup Sidekiq as a systemd service so it can be started at boot

PostGIS and related dependencies

sudo apt-get install python-all-dev python-dev python3-pip\
 libaio-dev libbz2-dev libjpeg62-turbo-dev libpcre3-dev libexpat1-dev \
 liblzma-dev libevent-dev binutils libproj-dev xsltproc docbook-xsl\
 docbook-mathml libgeos-dev libgeos-3.5.1 postgresql-9.6-postgis-2.3\
 libgdal-dev python3-gdal python3-numpy gdal-bin postgresql-9.6-postgis-scripts

Add to .bashrc

export CPLUS_INCLUDE_PATH=/usr/include/gdal
export C_INCLUDE_PATH=/usr/include/gdal

Make sure rgeo will be able to find geos

sudo ln -s /usr/lib/x86_64-linux-gnu/libgeos-3.5.1.so /usr/lib/libgeos.so

# uninstall rgeo first if it was previously installed
gem install rgeo
rbenv rehash

Python libs

sudo pip3 install matplotlib
sudo pip3 install pyproj
sudo pip3 install rasterio
sudo pip3 install fiona

Oracle Instant Client (OIC) and SDK

  1. Install prerequisite packages
    sudo apt-get install libaio1 libaio-dev
  2. Download the Oracle Instant Client Basic and Instant Client SDK packages - Get the latest 11.x versions for Linux x86-64
  3. Create the directory /usr/share/oracle and extract the OIC zip files directly into the root of this directory
  4. Inside of the /usr/share/oracle directory, create this symlink
    sudo ln -s libclntsh.so.11.1 libclntsh.so
  5. Create a dynamic linker (ld.so) config file for the library path
    sudo vim /etc/ld.so.conf.d/oic.conf
  6. Add this line to the file and save it
    /usr/share/oracle
  7. Rebuild the dynamic linker cache so the new path is picked up
    sudo ldconfig

References

@brycejohnston

thanks for rvm link @mibamur
