Debian 9 Rails Prod Setup

debian_rails_prod.md

Update system and install prerequisite packages

apt-get update && apt-get dist-upgrade
apt-get install open-vm-tools # VMware VMs Only
sh -c 'echo vm.swappiness=5 > /etc/sysctl.conf' # Prod Env 
reboot

Some of these packages may already be installed

apt-get install openssh-server mercurial make binutils bison gcc \
 build-essential git-core curl zlib1g-dev openssl libssl-dev libreadline-dev \
 libyaml-dev libsqlite3-dev sqlite3 libxml2-dev libxslt1-dev libcurl4-openssl-dev \
 software-properties-common wget dnsutils vim zip unzip screen tmux htop \
 libffi-dev redis-server imagemagick ntp ufw sudo dirmngr libxrender1

Install postfix SMTP server (Choose internet site configuration and use the server's domain name)

apt-get install postfix

Edit postfix config file

vim /etc/postfix/main.cf

Set inet_interfaces to be loopback-only

inet_interfaces = loopback-only

Setup deployment user (Production Environment)

Add the deploy user (Production Env - VPS only, otherwise this is done during install)

adduser deploy

Add deploy user to sudo group

gpasswd -a deploy sudo

Configure SSH for better security

Open the sshd config

vim /etc/ssh/sshd_config

Change from Port 22 to Port 2012 or another non-standard port

Port 2012

Disable root login

PermitRootLogin no

Restart SSH

service ssh restart

SSH w/ deploy user

ssh -p 2012 deploy@SERVER_IP_ADDRESS

Enable bash color prompt

vim ~/.bashrc

Uncomment this line

force_color_prompt=yes

Reload w/ changes

exec $SHELL

Generate an SSH keypair used for deployments

ssh-keygen -t rsa -C "[email protected]"

Copy the output of this command and paste into the deploy keys section of the github repo settings

cat ~/.ssh/id_rsa.pub

Check to make sure SSH to github works with your key

ssh -T [email protected]

Create the authorized_keys file

touch ~/.ssh/authorized_keys

Configure firewall (Production Environment)

Enable SSH

sudo ufw allow 2012/tcp

Enable HTTP

sudo ufw allow 80/tcp

Enable SSL/TLS

sudo ufw allow 443/tcp

Enable firewall rules

sudo ufw enable

Configure timezone and NTP

Set timezone

sudo dpkg-reconfigure tzdata

Setup Application Stack

SSH w/ deploy user

ssh -p 2012 deploy@SERVER_IP_ADDRESS

Paste your public key into the authorized_keys file (at bottom if others already exist)

vim ~/.ssh/authorized_keys

Exit the old SSH session and reconnect, you shouldn't need to type server password any longer

exit
ssh -p 2012 deploy@SERVER_IP_ADDRESS

PostgreSQL

sudo apt-get install postgresql-9.6 libpq-dev

Add postgres user and set password (use same username as your linux user)

sudo -u postgres createuser myuser -s

sudo -u postgres psql
postgres=# \password myuser

Create your app's production database on server

createdb myappname_production

Ruby and Ruby on Rails

Install rbenv, ruby-build and ruby 2.5.3

cd
git clone git://github.com/sstephenson/rbenv.git .rbenv
echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bashrc
echo 'eval "$(rbenv init -)"' >> ~/.bashrc
exec $SHELL

git clone git://github.com/sstephenson/ruby-build.git ~/.rbenv/plugins/ruby-build
echo 'export PATH="$HOME/.rbenv/plugins/ruby-build/bin:$PATH"' >> ~/.bashrc
exec $SHELL

rbenv install 2.5.3
rbenv global 2.5.3
ruby -v

Tell RubyGems to not install documentation for each gem

echo "gem: --no-ri --no-rdoc" > ~/.gemrc

Install bundler and rails

gem install bundler
gem install rails
gem install aws-sdk # optional
gem install colorize # optional
rbenv rehash

Node.js

Install stable version of node

curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.33.4/install.sh | bash
exec $SHELL
nvm install stable
nvm use stable
nvm alias default stable

Make the current version of node available system-wide at /usr/local/bin/node

n=$(which node);n=${n%/bin/node}; chmod -R 755 $n/bin/*; sudo cp -r $n/{bin,lib,share} /usr/local

Phusion Passenger w/ Nginx

Add Phusion APT repo and install nginx and passenger

See https://www.phusionpassenger.com/library/install/nginx/install/oss/stretch/ if any issues with installation.

sudo apt-get install -y dirmngr gnupg nginx
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 561F9B9CAC40B2F7
sudo apt-get install -y apt-transport-https ca-certificates

# Add our APT repository
sudo sh -c 'echo deb https://oss-binaries.phusionpassenger.com/apt/passenger stretch main > /etc/apt/sources.list.d/passenger.list'
sudo apt-get update

# Install Passenger + Nginx module
sudo apt-get install -y libnginx-mod-http-passenger

Edit nginx.conf

sudo vim /etc/nginx/nginx.conf

Uncomment server_tokens_off

server_tokens off;

Save and then edit /etc/nginx/conf.d/mod-http-passenger.conf and change the passenger_ruby path

##
# Phusion Passenger config
##
# Uncomment it if you installed passenger or passenger-enterprise
##

passenger_root /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini;
passenger_ruby /home/deploy/.rbenv/shims/ruby;

Restart ngnix

sudo service nginx restart

Open the nginx default site config

sudo vim /etc/nginx/sites-available/default

Comment out these two lines

# listen 80 default_server;
# listen [::]:80 default_server ipv6only=on;

Create an nginx conf for the app

sudo vim /etc/nginx/sites-available/myappname

Add the following server block

server {
  listen 80 default_server;
  server_name www.mydomain.com;
  passenger_enabled on;
  root /home/deploy/myappname/current/public;
}

Enable the new nginx conf

sudo ln -s /etc/nginx/sites-available/myappname /etc/nginx/sites-enabled/myappname

Restart nginx

sudo service nginx restart

Setup Logrotate

Edit the logrotate config

sudo vim /etc/logrotate.conf

At bottom of file add the following block:

/home/deploy/myappname/current/log/*.log {
  daily
  missingok
  rotate 7
  compress
  delaycompress
  notifempty
  copytruncate
}

Test with:

sudo /usr/sbin/logrotate -f /etc/logrotate.conf

Other Tools

wkhtmltopdf

The wkhtmltopdf packge available in debian repo is version with unpatched QT. You most likely want version with patched QT, so download the precompiled binaries for Linux from https://wkhtmltopdf.org/downloads.html, extract them and cp the binaries in bin folder to /usr/bin/

At the time of writing, the latest version is 0.12.4 which has an issue fetching remote images over https, so you will need to install libssl1.0-dev

sudo apt-get install libssl1.0-dev

More details here: https://agdeveloper.com/post/debian_wkhtmltopdf/

Sidekiq

Setup Sidekiq as a systemd service so it can be started at boot

PostGIS and related dependencies

sudo apt-get install python-all-dev python-dev python3-pip\
 libaio-dev libbz2-dev libjpeg62-turbo-dev libpcre3-dev libexpat1-dev \
 liblzma-dev libevent-dev binutils libproj-dev xsltproc docbook-xsl\
 docbook-mathml libgeos-dev libgeos-3.5.1 postgresql-9.6-postgis-2.3\
 libgdal-dev python3-gdal python3-numpy gdal-bin postgresql-9.6-postgis-scripts

Add to .bashrc

export CPLUS_INCLUDE_PATH=/usr/include/gdal
export C_INCLUDE_PATH=/usr/include/gdal

Make sure rgeo witll be able to find geos

sudo ln -s /usr/lib/x86_64-linux-gnu/libgeos-3.5.1.so /usr/lib/libgeos.so

# uninstall rgeo first if it was previously installed
gem install rgeo
rbenv rehash

Python libs

sudo pip3 install matplotlib
sudo pip3 install pyproj
sudo pip3 install rasterio
sudo pip3 install fiona

Oracle Instant Client (OIC) and SDK

1. Install prerequisite packages
   sudo apt-get install libaio1 libaio-dev
2. Download the Oracle Instant Client Basic and Instant Client SDK packages - Get the latest 11.x versions for Linux x86-64
3. Create the directory /usr/share/oracle and extract the OIC zip files directly into the root of this directory
4. Inside of the /usr/share/oracle directory, create this symlink
   sudo ln -s libclntsh.so.11.1 libclntsh.so
5. Create a LD_LIBRARY_PATH config file
   sudo vim /etc/ld.so.conf.d/oic.conf
6. Add this line to the file and save it
   /usr/share/oracle
7. Update the LD_LIBRARY_PATH
   sudo ldconfig

References

• rbenv (GitHub)
• nvm (GitHub)

rvm

https://www.phusionpassenger.com/library/install/nginx/install/oss/rubygems_rvm/

thanks for rvm link @mibamur