Debian 8 (Jessie) Rails Prod Setup

debian_rails_prod.md

Update system and install prerequisite packages

sudo apt-get update && apt-get dist-upgrade
sudo apt-get install open-vm-tools # VMware VMs Only
sudo sh -c 'echo vm.swappiness=5 > /etc/sysctl.conf' # Prod Env 
sudo reboot

Some of these packages may already be installed

sudo apt-get install openssh-server mercurial make binutils bison gcc \
 build-essential git-core curl zlib1g-dev openssl libssl-dev libreadline-dev \
 libyaml-dev libsqlite3-dev sqlite3 libxml2-dev libxslt1-dev libcurl4-openssl-dev \
 python-software-properties wget dnsutils vim zip unzip screen tmux htop \
 libffi-dev redis-server imagemagick ntp ufw sudo

Install postfix SMTP server (Choose internet site configuration and use the server's domain name)

sudo apt-get install postfix

Edit postfix config file

sudo vim /etc/postfix/main.cf

Set inet_interfaces to be loopback-only

inet_interfaces = loopback-only

Setup deployment user (Production Environment)

Add the deploy user (Production Env - VPS only, otherwise this is done during install)

adduser deploy

Add deploy user to sudo group

gpasswd -a deploy sudo

Configure SSH for better security

Open the sshd config

vim /etc/ssh/sshd_config

Change from Port 22 to Port 2012 or another non-standard port

Port 2012

Disable root login

PermitRootLogin no

Restart SSH

service ssh restart

SSH w/ deploy user

ssh -p 2012 deploy@SERVER_IP_ADDRESS

Enable bash color prompt

vim ~/.bashrc

Uncomment this line

force_color_prompt=yes

Reload w/ changes

exec $SHELL

Generate an SSH keypair used for deployments

ssh-keygen -t rsa -C "[email protected]"

Copy the output of this command and paste into the deploy keys section of the github repo settings

cat ~/.ssh/id_rsa.pub

Check to make sure SSH to github works with your key

ssh -T [email protected]

Create the authorized_keys file

touch ~/.ssh/authorized_keys

Configure firewall (Production Environment)

Enable SSH

sudo ufw allow 2012/tcp

Enable HTTP

sudo ufw allow 80/tcp

Enable SSL/TLS

sudo ufw allow 443/tcp

Enable firewall rules

sudo ufw enable

Configure timezone and NTP

Set timezone

sudo dpkg-reconfigure tzdata

Configure NTP

sudo apt-get update
sudo apt-get install ntp

Setup Application Stack

SSH w/ deploy user

ssh -p 2012 deploy@SERVER_IP_ADDRESS

Paste your public key into the authorized_keys file (at bottom if others already exist)

vim ~/.ssh/authorized_keys

Exit the old SSH session and reconnect, you shouldn't need to type server password any longer

exit
ssh -p 2012 deploy@SERVER_IP_ADDRESS

PostgreSQL

Add PostgreSQL APT repo, add signing key, update, and install 9.4

sudo sh -c "echo 'deb http://apt.postgresql.org/pub/repos/apt/ jessie-pgdg main' > /etc/apt/sources.list.d/pgdg.list"
wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | \
  sudo apt-key add -
sudo apt-get update 
sudo apt-get install postgresql-9.4 libpq-dev

Add postgres user and set password (use same username as your linux user)

sudo -u postgres createuser myuser -s

sudo -u postgres psql
postgres=# \password myuser

Create your app's production database on server

createdb myappname_production

Ruby and Ruby on Rails

Install rbenv, ruby-build and ruby 2.3.1

cd
git clone git://github.com/sstephenson/rbenv.git .rbenv
echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bashrc
echo 'eval "$(rbenv init -)"' >> ~/.bashrc
exec $SHELL

git clone git://github.com/sstephenson/ruby-build.git ~/.rbenv/plugins/ruby-build
echo 'export PATH="$HOME/.rbenv/plugins/ruby-build/bin:$PATH"' >> ~/.bashrc
exec $SHELL

rbenv install 2.3.1
rbenv global 2.3.1
ruby -v

Tell RubyGems to not install documentation for each gem

echo "gem: --no-ri --no-rdoc" > ~/.gemrc

Install bundler and rails

gem install bundler
gem install rails
gem install aws-sdk # optional
gem install colorize # optional
rbenv rehash

Node.js

Install stable version of node

curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.31.3/install.sh | bash
exec $SHELL
nvm install stable
nvm use stable
nvm alias default stable

Make the current version of node available system-wide at /usr/local/bin/node

n=$(which node);n=${n%/bin/node}; chmod -R 755 $n/bin/*; sudo cp -r $n/{bin,lib,share} /usr/local

Phusion Passenger w/ Nginx

Add Phusion APT repo and install passenger

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 561F9B9CAC40B2F7
sudo apt-get install -y apt-transport-https ca-certificates
sudo sh -c 'echo deb https://oss-binaries.phusionpassenger.com/apt/passenger jessie main > /etc/apt/sources.list.d/passenger.list'
sudo apt-get update
sudo apt-get install -y nginx-extras passenger

Edit nginx.conf

sudo vim /etc/nginx/nginx.conf

Uncomment server_tokens_off

server_tokens off;

Uncomment passenger_root and passenger_ruby and change the passenger_ruby path

##
# Phusion Passenger config
##
# Uncomment it if you installed passenger or passenger-enterprise
##

passenger_root /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini;
passenger_ruby /home/deploy/.rbenv/shims/ruby;

Increase the client_max_body_size if your application will allow uploading files

client_max_body_size 20M;

Restart ngnix

sudo service nginx restart

Open the nginx default site config

sudo vim /etc/nginx/sites-available/default

Comment out these two lines

# listen 80 default_server;
# listen [::]:80 default_server ipv6only=on;

Create an nginx conf for the app

sudo vim /etc/nginx/sites-available/myappname

Add the following server block

server {
  listen 80 default_server;
  server_name www.mydomain.com;
  passenger_enabled on;
  root /home/deploy/myappname/current/public;
}

Enable the new nginx conf

sudo ln -s /etc/nginx/sites-available/myappname /etc/nginx/sites-enabled/myappname

Restart nginx

sudo service nginx restart

Setup Logrotate

Edit the logrotate config

sudo vim /etc/logrotate.conf

At bottom of file add the following block:

/home/deploy/myappname/current/log/*.log {
  daily
  missingok
  rotate 7
  compress
  delaycompress
  notifempty
  copytruncate
}

Test with:

sudo /usr/sbin/logrotate -f /etc/logrotate.conf

Other Tools

Sidekiq

Setup Sidekiq as a systemd service so it can be started at boot

PostGIS and related dependencies

sudo apt-get install build-essential python-all-dev git vim python-dev python-pip\
 python-software-properties g++ gcc make libssl-dev libreadline6-dev libaio-dev libbz2-dev\
 zlib1g-dev libjpeg62-turbo-dev libpcre3-dev libexpat1-dev libxml2 libxml2-dev libjson0\
 libjson0-dev liblzma-dev libevent-dev wget zip unzip

sudo apt-get install binutils libproj-dev libgeoip1 libgtk2.0 xsltproc\
 docbook-xsl docbook-mathml

sudo apt-get install libgeos-dev libgeos-3.4.2 libproj-dev libproj0 libproj-dev

sudo apt-get install postgresql-9.4-postgis-2.1 postgresql-9.4-postgis-scripts\
 libpq-dev postgresql-contrib

Make sure rgeo witll be able to find geos

sudo ln -s /usr/lib/libgeos-3.4.2.so /usr/lib/libgeos.so
# OR on Debian Testing with libgeos-3.5.0 or newer
sudo ln -s /usr/lib/x86_64-linux-gnu/libgeos-3.5.0.so /usr/lib/libgeos.so
# uninstall rgeo first if it was previously installed
gem install rgeo
rbenv rehash

wkhtmltopdf

latest stable download: http://wkhtmltopdf.org/downloads.html

sudo apt-get install xorg xfonts-75dpi fontconfig
wget http://download.gna.org/wkhtmltopdf/0.12/0.12.2.1/wkhtmltox-0.12.2.1_linux-jessie-amd64.deb
sudo dpkg -i wkhtmltox-*

Oracle Instant Client (OIC) and SDK

1. Install prerequisite packages
   sudo apt-get install libaio1 libaio-dev
2. Download the Oracle Instant Client Basic and Instant Client SDK packages - Get the latest 11.x versions for Linux x86-64
3. Create the directory /usr/share/oracle and extract the OIC zip files directly into the root of this directory
4. Inside of the /usr/share/oracle directory, create this symlink
   sudo ln -s libclntsh.so.11.1 libclntsh.so
5. Create a LD_LIBRARY_PATH config file
   sudo vim /etc/ld.so.conf.d/oic.conf
6. Add this line to the file and save it
   /usr/share/oracle
7. Update the LD_LIBRARY_PATH
   sudo ldconfig

References

• rbenv (GitHub)
• nvm (GitHub)