Skip to content

Instantly share code, notes, and snippets.

@nearapogee

nearapogee/Gemfile

Last active July 3, 2023 14:36
Show Gist options
  • Save nearapogee/d6e80937ae48d8881cbdbf5bc408b27d to your computer and use it in GitHub Desktop.
Save nearapogee/d6e80937ae48d8881cbdbf5bc408b27d to your computer and use it in GitHub Desktop.
Download ZIP
Vlad / Rails
Raw
deploy.rb
require 'bundler/vlad'
require 'vlad/core'
require 'vlad/rails'
require 'vlad/git'
require 'vlad-unity/extension'
require 'vlad-unity/app'
require 'vlad-unity/rails/assets'
require 'vlad-systemd/systemd'
set :application, 'myapp'
set :repository, 'git@github.com/....'
set :rails_env, nil
set :user, nil
# { shared file => linked location }
set :shared_files, {
'database.yml' => 'config/database.yml',
'production.key' => 'config/credentials/production.key'
#'master.key' => 'config/master.key'
}
# { shared folder => linked location }
set :shared_paths, {
'system' => 'public/system',
'log' => 'log',
'node_modules' => 'node_modules',
'rack-cache' => 'tmp/rack-cache'
}
set :keep_releases, 8
set :ssh_flags, ssh_flags << '-A'
set :sudo_flags, sudo_flags << '-S'
set :rsync_flags, rsync_flags << '--inplace'
set :bundle_flags, "--deployment"
set :sudo_cmd, [sudo_cmd, sudo_flags].flatten.compact.join(' ')
set :rake_cmd, 'bundle exec rake'
set :skip_scm, false
set :start_app, 'vlad:systemd:start'
set :restart_app, 'vlad:systemd:restart'
defaults = Proc.new {
branch = ENV['BRANCH'] || rails_env || 'master'
set :revision, "origin/#{branch}"
set :descriptor, [rails_env, application].reject(&:blank?).join('-')
set :user, descriptor
set :deploy_to, "/home/#{user}/app"
host "#{user}@#{host_ip}", :app, :db
}
task :production do
set :host_ip, 'xx.xx.xx.xx'
set :rails_env, 'production'
defaults.call
end
#
# First Run
#
# rake production vlad:setup
# createuser ....
# createdb .... ...._production
# gem install bundler (after ruby install)
#
#
# Deploy
#
# git push origin master:production
# bundle exec rake production vlad:deploy
Raw
Gemfile
group :rake do
gem 'vlad', '~> 2.7.0'
gem 'vlad-git', '~> 2.2.0'
gem 'vlad-unity', '~> 0.1.0'
gem 'vlad-systemd', '~> 0.1.0'
end
Raw
production-NAME
# /etc/default/production-NAME
PATH='/home/production-NAME/.rbenv/shims:/home/production-NAME/.rbenv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
RAILS_ENV='production'
SHARED_PATH='/home/production-NAME/app/shared'
Raw
production-NAME-puma.service
# /etc/systemd/system/production-NAME-puma.service
[Unit]
Description=Web Server
PartOf=production-myapp.target
[Service]
EnvironmentFile=/etc/default/production-myapp
User=production-myapp
WorkingDirectory=/home/production-myapp/app/current
Type=simple
Restart=always
KillMode=process
ExecStart=/bin/bash -lc 'bundle exec --keep-file-descriptors puma -C config/deploy/production/puma.rb'
Raw
production-NAME.target
# /etc/systemd/system/production-NAME.target
[Unit]
Requires=production-myapp-puma.service
#Requires=production-myappp-puma.service production-marketplace-otherservice.service
[Install]
WantedBy=multi-user.target
Raw
puma.rb
# config/deploy/production/puma.rb
tag "#{ENV['RAILS_ENV']}-myapp-puma"
environment ENV['RAILS_ENV']
pidfile "#{ENV['SHARED_PATH']}/puma.pid"
stdout_redirect "#{ENV['SHARED_PATH']}/log/#{ENV['RAILS_ENV']}_myapp_puma.stdout.log",
"#{ENV['SHARED_PATH']}/log/#{ENV['RAILS_ENV']}_myapp_puma.stderr.log",
false # don't append
bind "unix://#{ENV['SHARED_PATH']}/#{ENV['RAILS_ENV']}-myapp-puma.sock"
worker_timeout 30
threads 0,4
#workers 2 # if you drop to 1, then comment out the workers directive entirely for memory
preload_app!
on_worker_boot do
ActiveSupport.on_load(:active_record) do
ActiveRecord::Base.establish_connection
end
end
Raw
Rakefile
require_relative "config/application"
Rails.application.load_tasks
Bundler.require(:rake)
begin
require 'vlad'
load 'config/deploy.rb'
rescue LoadError
# ignore
end
Raw
site.conf
upstream production_myapp {
server unix:/home/production-myapp/app/shared/production-myapp-puma.sock fail_timeout=0;
}
server {
return 404;
}
server {
listen 80;
server_name myapp.com *.myapp.com _;
return 302 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name myapp.com;
ssl_certificate /etc/letsencrypt/live/myapp.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/myapp.com/privkey.pem;
return 302 https://www.$host$request_uri;
}
server {
listen 443 ssl;
server_name *.myapp.com;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/letsencrypt/live/myapp.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/myapp.com/privkey.pem;
# new modern configuration. tweak to your needs.
ssl_protocols TLSv1.3;
#ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:
ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers off;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/myapp.com/chain.pem;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
root /home/production-myapp/app/current/public;
client_max_body_size 50m;
add_header Access-Control-Allow-Origin *;
location / {
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
client_max_body_size 32m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_pass http://production_myapp;
}
location ~ ^/(production-assets|assets|system|images|packs)/ {
root /home/production-myapp/app/current/public;
expires 1w;
break;
}
location = /robots.txt {
root /home/production-myapp/app/current/public;
expires 5m;
}
location = /favicon.ico {
root /home/production-myapp/app/current/public;
expires 1d;
}
#location = /googledxxx.html {
# root /home/production-myapp/app/current/public;
# expires 1d;
#}
}
@nearapogee
Copy link
Author

nearapogee commented Jun 28, 2023
edited
Loading

This is a basic set of configs for a single rails deploy with vlad with a nginx reverse proxy over TLS. You may need to add other services (i.e. ActionCable, job queues, etc), whitelist unprivileged users to to execute specific commands, firewall as needed, add a database, add redis, etc.

Not mentioned in here are rails commands for managing credentials (optional), database.yml, S3 file storage. Out of scope is ssh (ForwardAgent, etc), sudoers, systemd commands, letsencrypt, etc.

This is for a small deploy, but could be scaled as needed. I prefer 2+ cpus, a small instance could run on 1+ gb RAM. Can have local or RDS postgres instance.

Pro tips:

  • Use rbenv/ruby-build to install ruby and change ruby versions.
  • Use nodesource to install desired node version,
  • 1 worker per core, leave out worker in puma config for <= 1 core, or you will needlessly increase memory usage.
  • Follow security best practices i.e. firewall, non privileged users, latest nginx TLS configs, sshd config, ssh keys, etc.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment