Edit /etc/ssh/sshd_config dans set:
PasswordAuthentication noMake sure your public key has already been added by your provider:
cat .ssh/authorized_keysThen restart SSH:
systemctl restart sshCreate the user :
adduser deployUse a generated password and store it somewhere.
Then, create SSH keys for the created user (no passphrase):
su deploy
cd ~
ssh-keygen -t rsaUpload the public key to Github/BitBucket/GitLab:
cat .ssh/id_rsa.pub
exitAs root:
cd ~
cp /root/.ssh/authorized_keys /home/deploy/.ssh/authorized_keys
chown deploy:deploy /home/deploy/.ssh/authorized_keysYou should be able the SSH without password for root and deploy now.
As root:
apt-get update
apt-get upgrade
apt install zlib1g zlib1g-dev build-essential git-core curl emacs imagemagick nginx ntp
apt install libssl-dev libreadline-dev
apt install unattended-upgrades logrotate memcached nodejs
apt install libcurl4-gnutls-dev libxml2 libxml2-dev libxslt1-dev ruby-dev postgresql libpq-dev
apt install libmagickcore-dev libmagickwand-devSet a generated password for mysql root and save it somewhere.
As root:
unattended-upgradesAs root:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 2812 -j ACCEPT
iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -L -n -vMake rules persistent:
apt install iptables-persistent
iptables-save > /etc/iptables/rules.v4Create a file and swap on it:
fallocate -l 4G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfileAnd check if its OK:
swapon -s
freeMake it persistent on /etc/fstab:
/swapfile none swap sw 0 0
rbenv and ruby (as deploy)export RUBY_VERSION=2.4.3
git clone https://github.com/rbenv/rbenv.git ~/.rbenv
echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bash_profile
echo 'eval "$(rbenv init - bash)"' >> ~/.bash_profile
git clone https://github.com/sstephenson/ruby-build.git ~/.rbenv/plugins/ruby-build
exec $SHELL -l
rbenv install $RUBY_VERSION
rbenv global $RUBY_VERSION
gem install bundler
rbenv rehash
wget https://raw.github.com/ryanb/dotfiles/master/gemrc -O .gemrc
echo 'export RAILS_ENV="production"' >> ~/.bash_profileapt install mysql-client mysql-server libmysqlclient-dev Edit /etc/mysql/my.cnf and set these lines at the appropriate places:
[client] default-character-set = utf8mb4 [mysql] default-character-set = utf8mb4 [mysqld] character-set-client-handshake = FALSE character-set-server = utf8mb4 collation-server = utf8mb4_unicode_ci
Then relaunch MySQL:
systemctl restart mysqlLaunch the MySQL CLI client:
mysql -u root -pUse a generated password and store it somewhere. Then:
mysql> create database `example`; mysql> create user deploy; mysql> grant all on `example`.* to 'deploy'@'localhost' identified by 'SuperGeneratedPassword'; mysql> flush privileges;
apt install postgresql postgresql-clientpsql -U postgres -d postgresCREATE USER deploy WITH PASSWORD 'TRUNCATED';
createdb -O deploy exampleGemfile
group :development do
gem 'capistrano'
gem 'capistrano-rails'
gem 'capistrano-rbenv'
gem 'capistrano-bundler'
gem 'capistrano-passenger', '0.0.2'
endCapfile.rb
# Load DSL and Setup Up Stages
require 'capistrano/setup'
require 'capistrano/deploy'
require 'capistrano/bundler'
require 'capistrano/rbenv'
require 'capistrano/rails/migrations'
require 'capistrano/rails/assets'
require 'capistrano/passenger'
# require 'whenever/capistrano'
# Loads custom tasks from `lib/capistrano/tasks' if you have any defined.
Dir.glob('lib/capistrano/tasks/*.rake').each { |r| import r }config/deploy.rb
set :scm, :git
set :format, :pretty
set :log_level, :debug
set :pty, true
set :linked_files, []
set :linked_dirs, %w{log tmp/pids tmp/cache tmp/sockets public/system public/assets private/system}
set :keep_releases, 20
set :rbenv_type, :user
set :rbenv_ruby, File.read('.ruby-version').stripconfig/deploy/production.rb :
server 'example.com', user: 'deploy', roles: %w{web app db}
set :application, 'example'
set :repo_url, 'git@github.com:aurels/example.git'
set :deploy_to, '/home/deploy/apps/example'
set :branch, 'master'
set :rails_env, 'production'
set :bundle_without, 'development test'config/database.yml
production:
adapter: mysql2
database: example
encoding: utf8
username: deploy
password: SuperGeneratedPassword
pool: 1000Install Phusion Passenger.
Create a file in /etc/nginx/sites-available/example :
server {
listen 80;
server_name example.com;
access_log /var/log/nginx/example.access.log;
sendfile on;
root /home/deploy/apps/example/current/public;
gzip on;
gzip_disable "msie6";
passenger_enabled on;
passenger_ruby /home/deploy/.rbenv/shims/ruby;
passenger_app_env production;
passenger_friendly_error_pages off;
client_max_body_size 300M;
}Enable the server block:
ln -s /etc/nginx/sites-available/example /etc/nginx/sites-enabled/exampleThen restart nginx:
systemctl restart nginxbundle exec cap production deployInstall Certbot (as root) :
add-apt-repository ppa:certbot/certbot
apt install python-certbot-nginx
systemctl restart nginx
certbot --nginx -d example.comCheck if auto-renewal is working correctly :
certbot renew --dry-runIn /etc/logrotate.d/example:
/home/deploy/apps/example/shared/log/*.log {
daily
missingok
rotate 15
compress
delaycompress
notifempty
copytruncate
}
Setup repositories, then:
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
apt install apt-transport-https
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | tee -a /etc/apt/sources.list.d/elastic-6.x.list
apt update
apt upgrade
apt install openjdk-7-jre elasticsearch
systemctl daemon-reload
systemctl enable elasticsearch.serviceIn /etc/monit/monitrc :
set daemon 10
set mailserver localhost
set httpd port 2812 and allow monit:APassWordForMonit
check filesystem homefs with path /dev/vda1
check process sshd with pidfile /var/run/sshd.pid
check process nginx with pidfile /var/run/nginx.pid
start program = "systemctl start nginx"
stop program = "systemctl stop nginx"
check process mysql with pidfile /var/run/mysqld/mysqld.pid
start program = "systemctl start mysql"
stop program = "systemctl stop" mysql
include /etc/monit/conf.d/*.cfg
Reload to apply:
monit reloadAs root:
git clone git://github.com/sstephenson/rbenv.git ~/.rbenv
echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bash_profile
echo 'eval "$(rbenv init -)"' >> ~/.bash_profile
git clone git://github.com/sstephenson/ruby-build.git ~/.rbenv/plugins/ruby-build
exec $SHELL -l
rbenv install 2.4.3
rbenv rehash
rbenv global 2.4.3
gem install backup
backup generate:config
backup generate:model -t exampleReplace the contents of /root/Backup/models/example.rb with:
Model.new(:example, 'Backup of example') do
['example'].each do |db_name|
database MySQL, db_name do |db|
db.name = db_name
db.username = 'deploy'
db.password = 'SuperGeneratedPassword'
end
end
archive :files do |archive|
archive.add '/home/deploy/apps/example/shared/public/system/'
archive.add '/home/deploy/apps/example/shared/private/system/'
end
compress_with Gzip do |compression|
compression.level = 6
end
store_with Dropbox do |box|
box.api_key = 'xxx'
box.api_secret = 'yyy'
box.path = ''
box.keep = 60
end
notify_by Mail do |mail|
mail.on_success = true
mail.on_failure = true
mail.from = 'backup@example'
mail.to = ['me@mail.com']
mail.domain = 'example.com'
mail.address = 'smtp.sendgrid.net'
mail.user_name = 'example'
mail.password = 'zzz'
end
endAnd add this line to root’s CRONTAB with:
crontab -eAdd this line:
0 0,2,4,6,8,19,12,14,16,18,20,22,23 * * * /bin/bash -l -c 'backup perform --trigger example'Vous voulez travailler avec moi ?
Je suis développeur et consultant sur des projets informatiques dans ma société, Phonoid. Avec mes amis, nous y développons des solutions sur mesure pour nos super clients. Nous travaillons également sur nos futurs produits.