@knoopx
Last active August 29, 2015 14:20
Bootstrap new servers
#!/bin/bash
# http://winstonyw.com/2014/10/24/setting_up_ruby_on_rails_on_digital_ocean/
# https://github.com/mattdbridges/capistrano-recipes/blob/master/postgresql.rb
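# Strict mode: abort on the first failing command, on any unset variable,
# and when any stage of a pipeline fails.
set -euo pipefail

# --- configuration ----------------------------------------------------------
# An empty ADMIN_USER, DEPLOY_USER or NEWRELIC_LICENSE_KEY disables the
# `if [ -n ... ]` section further down that tests it.
LOCALE="en_US.utf8"
TIMEZONE="Europe/Madrid"
ADMIN_USER="admin"
DEPLOY_USER="deploy"
# The public keys served at https://github.com/$GITHUB_USER.keys are appended
# to authorized_keys for the users created below, so whoever controls this
# GitHub account can log in to the server over SSH.
GITHUB_USER="knoopx"
NEWRELIC_LICENSE_KEY=""
# Must be exported: a plain assignment stays local to this shell, so apt-get
# and dpkg would never see it and could still stop to ask questions.
export DEBIAN_FRONTEND=noninteractive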
# Refresh the package index and bring every installed package up to date
# before anything else is installed.
apt-get update
apt-get -y upgrade

# Base tooling. augeas-tools provides the augtool command used later in this
# script; unattended-upgrades and fail2ban are installed here but receive no
# further configuration in this script.
base_packages=(
  htop
  git-core
  augeas-tools
  curl
  build-essential
  apt-transport-https
  software-properties-common
  ca-certificates
  unattended-upgrades
  fail2ban
)
apt-get install -y "${base_packages[@]}"
# swapfile
# fallocate -l 4G /swapfile
# chmod 600 /swapfile
# mkswap /swapfile
# swapon /swapfile
# augtool ls "/files/etc/fstab/*[spec = '/swapfile']"
# echo "/swapfile none swap sw 0 0" >> /etc/fstab
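# timezone
# Write the zone name, then let tzdata regenerate its state from it. The
# explicit frontend keeps dpkg-reconfigure from opening an interactive dialog
# during an unattended run.
printf '%s\n' "$TIMEZONE" > /etc/timezone
dpkg-reconfigure -f noninteractive tzdata

# locale
# Every locale category is pinned to the same value. Expansions are quoted so
# an unexpected space or glob character in LOCALE cannot split the arguments.
apt-get install -y locales
update-locale \
  LANG="$LOCALE" \
  LANGUAGE="$LOCALE" \
  LC_ALL="$LOCALE" \
  LC_COLLATE="$LOCALE" \
  LC_CTYPE="$LOCALE"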
# firewall
# Start from a clean ufw rule set, then allow exactly two ports: 22 (SSH) and
# 80 (HTTP). Port 443 is not opened by this script.
apt-get install -y ufw
ufw --force reset
for port in 22 80; do
  ufw allow "$port"
done
# --force skips the confirmation prompt ufw shows when it is enabled.
ufw --force enable
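# admin user
# Creates a login with no password that is reachable only through SSH keys,
# adds it to the sudo group, then disables SSH password and root logins.
if [ -n "$ADMIN_USER" ]; then
  adduser "$ADMIN_USER" --gecos "" --disabled-password

  # Runs as the new user: generate its own key pair, then append the public
  # keys GitHub serves for $GITHUB_USER to authorized_keys.
  #  - `curl -f` fails on an HTTP error instead of writing the error page into
  #    authorized_keys.
  #  - `test -s` requires at least one byte of key material. Password and root
  #    logins are disabled a few lines below, so an empty file would leave no
  #    way back in over SSH.
  #  - the steps are chained with && so a failure stops the bootstrap here.
  su -l "$ADMIN_USER" -c "ssh-keygen -t rsa -N '' -f ~/.ssh/id_rsa \
    && curl -fsS 'https://github.com/$GITHUB_USER.keys' >> ~/.ssh/authorized_keys \
    && chmod 600 ~/.ssh/authorized_keys \
    && test -s ~/.ssh/authorized_keys"

  # NOTE(security): this tags the %sudo rule NOPASSWD, so every member of the
  # sudo group gets root without a password. The deploy section of this script
  # also adds its user to that group.
  augtool -s set "/files/etc/sudoers/spec[user='%sudo']/host_group/command/tag NOPASSWD"
  # Abort if the edited sudoers file no longer parses.
  visudo -c
  adduser "$ADMIN_USER" sudo

  # ssh
  augtool -s set "/files/etc/ssh/sshd_config/PasswordAuthentication no"
  augtool -s set "/files/etc/ssh/sshd_config/PermitRootLogin no"
  # Check the new configuration before asking the running daemon to load it.
  sshd -t
  # `service` matches the nginx restart later in this script and does not
  # depend on the upstart-only `reload` command.
  service ssh reload
fi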
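# deploy user
# Creates the account deployments run as: no password, SSH-key login only.
if [ -n "$DEPLOY_USER" ]; then
  adduser "$DEPLOY_USER" --gecos "" --disabled-password

  # NOTE(security): the admin section of this script tags the %sudo rule
  # NOPASSWD, so this membership gives the deploy account passwordless root.
  # Anything that can run code as this user (an application bug, a leaked
  # deploy key) then controls the host. Consider a sudoers entry limited to
  # the commands a deploy needs.
  adduser "$DEPLOY_USER" sudo

  # Runs as the new user: generate its own key pair, then append the public
  # keys GitHub serves for $GITHUB_USER. `curl -f` keeps an HTTP error page
  # out of authorized_keys, and `test -s` fails the run if no key was written.
  su -l "$DEPLOY_USER" -c "ssh-keygen -t rsa -N '' -f ~/.ssh/id_rsa \
    && curl -fsS 'https://github.com/$GITHUB_USER.keys' >> ~/.ssh/authorized_keys \
    && chmod 600 ~/.ssh/authorized_keys \
    && test -s ~/.ssh/authorized_keys"
fi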
# fish shell
# apt-get install -y fish
# chsh -s `which fish`
# test -n "$ADMIN_USER" && usermod -s `which fish` $ADMIN_USER
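# rvm
# Import the RVM signing key (presumably so the installer can verify what it
# downloads; confirm against the RVM documentation).
# NOTE(security): D39DC0E3 is a 32-bit short key ID, and short IDs can be
# collided. Importing by the full fingerprint published by the RVM project is
# safer. hkp:// is also an unauthenticated plaintext transport.
gpg --keyserver hkp://keys.gnupg.net --recv-keys D39DC0E3

# Download the installer completely before running it. When curl is piped
# straight into bash, a connection that drops midway leaves bash running a
# truncated script as root, and without -f an HTTP error page is executed.
# NOTE(security): the installer is still trusted on the strength of TLS
# alone; verify it against a published signature or checksum if one exists.
rvm_installer=$(mktemp)
curl -fsSL https://get.rvm.io -o "$rvm_installer"
bash "$rvm_installer" stable --ruby
rm -f -- "$rvm_installer"

# Group membership and per-user settings apply only to the accounts that are
# configured. An empty DEPLOY_USER previously made the `su` below run its
# command as root.
if [ -n "$ADMIN_USER" ]; then
  adduser "$ADMIN_USER" rvm
fi
if [ -n "$DEPLOY_USER" ]; then
  adduser "$DEPLOY_USER" rvm
  # Skip ri/rdoc generation for gems installed by the deploy user.
  su -l "$DEPLOY_USER" -c 'echo "gem: --no-ri --no-rdoc" > ~/.gemrc'
fi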
# mariadb
# apt-get install -y libmysqlclient-dev libmysqlclient18
# postgres
# apt-get install -y postgresql libpq-dev
# test -n "$DEPLOY_USER" && su postgres -c "createuser --createdb $DEPLOY_USER"
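# nodejs
apt-get install -y nodejs nodejs-legacy

# nginx with passenger
# Trust the Phusion repository key, add the repository, and install nginx
# together with Passenger from it.
# NOTE(security): the key is selected by a 64-bit key ID fetched from a
# keyserver. Pinning the full fingerprint published by the vendor gives a
# stronger guarantee that the intended key is imported.
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 561F9B9CAC40B2F7
# -y keeps the unattended run from waiting on a confirmation prompt.
apt-add-repository -y https://oss-binaries.phusionpassenger.com/apt/passenger
apt-get update
apt-get install -y nginx-extras passenger

# Resolve the Passenger root in its own assignment: a failing command
# substitution inside a here-document is not caught by `set -e` and would
# silently write an empty passenger_root directive.
passenger_root=$(passenger-config --root)
cat <<PASSENGER > /etc/nginx/conf.d/passenger.conf
passenger_root ${passenger_root};
passenger_ruby /usr/local/rvm/wrappers/default/ruby;
PASSENGER

# The quoted delimiter writes the body literally; nothing in it is expanded.
cat <<'DEFAULTS' > /etc/nginx/conf.d/defaults.conf
server_names_hash_bucket_size 64;
DEFAULTS

# Validate the generated configuration before restarting the server.
nginx -t
service nginx restart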
# ssl certs
# /etc/ssl/certs
# /etc/ssl/private
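# newrelic-sysmond
# Every install step is currently commented out. The `:` no-op keeps the body
# non-empty: an if/fi containing only comments is a bash syntax error, which
# stopped the script here before the cleanup step could run.
if [ -n "$NEWRELIC_LICENSE_KEY" ]; then
  : # placeholder until the steps below are re-enabled
  # apt-key adv --keyserver download.newrelic.com --recv-keys 548C16BF
  # apt-add-repository 'deb http://apt.newrelic.com/debian/ newrelic non-free'
  # apt-get update
  # apt-get install -y newrelic-sysmond
  # NOTE(security): if re-enabled, the next line puts the license key on a
  # command line, where it is visible in the process list while it runs.
  # nrsysmond-config --set license_key=$NEWRELIC_LICENSE_KEY
  # nrsysmond-config --set ssl=true
fi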
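# cleanup
# Remove packages that were pulled in as dependencies and are no longer
# needed. -y matches the other apt-get calls, so an unattended run does not
# stop at the confirmation prompt.
apt-get -y autoremove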