Merge pull request #24 from cabinetoffice/deploy-scripts

Deploy scripts and nginx configuration

.env

@@ -2,4 +2,4 @@ GPLUS_CLIENT_ID=ABCD1234
 GPLUS_CLIENT_SECRET=ABCD1234
 SUPPORT_EMAIL=support@example.com
 READONLY_HEADER=RO
-READONLY_VALUE=ENABLED
+READONLY_VALUE=ENABLED

Procfile

@@ -1,3 +1,3 @@
-web: bundle exec unicorn -p $PORT -c ./config/unicorn.rb
+web: bundle exec unicorn -p $UNICORN_PORT -c ./config/unicorn.rb
 worker: bundle exec rake jobs:work
 clock: bundle exec clockwork config/schedule.rb

config/environments/production.rb

@@ -1,5 +1,5 @@
 Rails.application.configure do
-  config.force_ssl = true
+  config.force_ssl = false
   config.cache_classes = true
   config.eager_load = true
   config.consider_all_requests_local       = false
@@ -20,7 +20,7 @@
     authentication: :plain,
     user_name: ENV['SENDGRID_USERNAME'],
     password: ENV['SENDGRID_PASSWORD'],
-    domain: ENV['SENDGRID_DOMAIN'] || 'peoplefinder-staging.herokuapp.com',
+    domain: ENV['SENDGRID_DOMAIN'],
     enable_starttls_auto: true
   }
   config.filter_parameters += [

config/environments/staging.rb

@@ -1,5 +1,5 @@
 Rails.application.configure do
-  config.force_ssl = true
+  config.force_ssl = false
   config.cache_classes = true
   config.eager_load = true
   config.consider_all_requests_local       = false
@@ -20,7 +20,7 @@
     authentication: :plain,
     user_name: ENV['SENDGRID_USERNAME'],
     password: ENV['SENDGRID_PASSWORD'],
-    domain: ENV['SENDGRID_DOMAIN'] || 'peoplefinder-staging.herokuapp.com',
+    domain: ENV['SENDGRID_DOMAIN'],
     enable_starttls_auto: true
   }
   config.action_mailer.show_previews = true

config/initializers/carrierwave.rb

@@ -1,6 +1,9 @@
 CarrierWave.configure do |config|
   if ENV['S3_KEY'] && ENV['S3_SECRET'] && ENV['S3_BUCKET_NAME']
     config.storage = :fog
+    config.ignore_integrity_errors = false
+    config.ignore_processing_errors = false
+    config.ignore_download_errors = false
     config.fog_credentials = {
       provider: 'AWS',
       aws_access_key_id: ENV['S3_KEY'],

config/unicorn.rb

@@ -4,6 +4,9 @@
 
 preload_app true
 
+app_dir = File.expand_path("../..", __FILE__)
+pid "#{app_dir}/tmp/unicorn.pid"
+
 before_fork do |server, worker|
   Signal.trap 'TERM' do
     puts 'Unicorn master intercepting TERM and sending myself QUIT instead'

scripts/initialise.sh

@@ -0,0 +1,71 @@
+#!/bin/sh
+
+#
+# This script fetches the People Finder source
+# from Github, and configures appropriately.
+#
+# /etc/profile.d/environment.sh must be appropriately
+# set with the necessary environment variables, including;
+#
+# $APP_ROOT; e.g. relative path to app directory
+# $ROLE; e.g. "worker", or "app"
+# $GIT_BRANCH; e.g. "master"
+
+# Source appropriate profiles
+. /etc/profile.d/rvm.sh
+. /etc/profile.d/environment.sh
+
+# Remove app home
+rm -rf $APP_ROOT
+
+# Clone branch from Github
+su - ubuntu -c "git clone -b $GIT_BRANCH https://github.com/cabinetoffice/peoplefinder.git $APP_ROOT"
+
+# Install and precomile
+cd $APP_ROOT
+su - ubuntu -c "cd $APP_ROOT; bundle install"
+su - ubuntu -c "cd $APP_ROOT; bundle exec rake assets:precompile RAILS_ENV=assets"
+
+# Assign permissions
+chmod -R 755 $APP_ROOT/tmp
+
+# Trust CO root certificate authority
+cp /etc/ssl/ca.crt /usr/local/share/ca-certificates
+update-ca-certificates
+
+# Copy upstart scripts
+cp $APP_ROOT/scripts/upstart/peoplefinder.conf /etc/init
+cp $APP_ROOT/scripts/upstart/peoplefinder-web.conf /etc/init
+cp $APP_ROOT/scripts/upstart/peoplefinder-worker.conf /etc/init
+cp $APP_ROOT/scripts/upstart/peoplefinder-clock.conf /etc/init
+initctl reload-configuration
+
+# Copy nginx scripts, replacing if required
+rm /etc/nginx/sites-enabled/default
+cp -f $APP_ROOT/scripts/nginx/nginx.conf /etc/nginx/nginx.conf
+cp -f $APP_ROOT/scripts/nginx/peoplefinder.conf /etc/nginx/sites-available/peoplefinder.conf
+cp -f $APP_ROOT/scripts/nginx/peoplefinder-ssl.conf /etc/nginx/sites-available/peoplefinder-ssl.conf
+ln -s /etc/nginx/sites-available/peoplefinder.conf /etc/nginx/sites-enabled/peoplefinder.conf
+ln -s /etc/nginx/sites-available/peoplefinder-ssl.conf /etc/nginx/sites-enabled/peoplefinder-ssl.conf
+
+# Proceed based on instance role
+if [ $ROLE = "app" ]
+then
+	# Start peoplefinder-web and restart nginx
+	start peoplefinder-web
+	service nginx reload
+	service nginx restart
+elif [ $ROLE = "worker" ]
+then
+	# Stop nginx and the web process
+	service nginx stop
+	stop peoplefinder-web
+	# Start the clock and worker processes
+	start peoplefinder-clock
+	start peoplefinder-worker
+else
+	# Start all processes
+	start peoplefinder
+	service nginx reload
+	service nginx restart
+fi

scripts/nginx/nginx.conf

@@ -0,0 +1,89 @@
+user www-data;
+worker_processes 4;
+pid /run/nginx.pid;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+
+	# define the upstream unicorn server
+	upstream unicorn {
+ 	   server 127.0.0.1:3000 fail_timeout=0;
+	}
+
+	# transform cert for passing upstream
+	map $ssl_client_raw_cert $a {
+	"~^(-.*-\n)(?<1st>[^\n]+)\n((?<b>[^\n]+)\n)?((?<c>[^\n]+)\n)?((?<d>[^\n]+)\n)?((?<e>[^\n]+)\n)?((?<f>[^\n]+)\n)?((?<g>[^\n]+)\n)?((?<h>[^\n]+)\n)?((?<i>[^\n]+)\n)?((?<j>[^\n]+)\n)?((?<k>[^\n]+)\n)?((?<l>[^\n]+)\n)?((?<m>[^\n]+)\n)?((?<n>[^\n]+)\n)?((?<o>[^\n]+)\n)?((?<p>[^\n]+)\n)?((?<q>[^\n]+)\n)?((?<r>[^\n]+)\n)?((?<s>[^\n]+)\n)?((?<t>[^\n]+)\n)?((?<v>[^\n]+)\n)?((?<u>[^\n]+)\n)?((?<w>[^\n]+)\n)?((?<x>[^\n]+)\n)?((?<y>[^\n]+)\n)?((?<z>[^\n]+)\n)?(-.*-)$" $1st;
+	}
+
+	# define a log format
+	log_format sslinfo '$remote_addr [$time_local] '
+    	'"$request" $status:'
+        ' ($ssl_client_serial - $ssl_client_verify - $ssl_client_s_dn)'
+        ' ("$http_user_agent")';
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+	# server_tokens off;
+
+	# server_names_hash_bucket_size 64;
+	# server_name_in_redirect off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# Logging Settings
+	##
+
+	access_log /var/log/nginx/access.log;
+	error_log /var/log/nginx/error.log;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+	gzip_disable "msie6";
+
+	# gzip_vary on;
+	# gzip_proxied any;
+	# gzip_comp_level 6;
+	# gzip_buffers 16 8k;
+	# gzip_http_version 1.1;
+	# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+	##
+	# nginx-naxsi config
+	##
+	# Uncomment it if you installed nginx-naxsi
+	##
+
+	#include /etc/nginx/naxsi_core.rules;
+
+	##
+	# nginx-passenger config
+	##
+	# Uncomment it if you installed nginx-passenger
+	##
+
+	#passenger_root /usr;
+	#passenger_ruby /usr/bin/ruby;
+
+	##
+	# Virtual Host Configs
+	##
+
+	include /etc/nginx/conf.d/*.conf;
+	include /etc/nginx/sites-enabled/*;
+}

scripts/nginx/peoplefinder-ssl.conf

@@ -0,0 +1,38 @@
+server {
+  listen 443 ssl;
+  server_name peoplefinder.cabinetoffice.gov.uk;
+
+  ssl_certificate /etc/ssl/server.crt;
+  ssl_certificate_key /etc/ssl/server.key;
+  ssl_verify_client optional;
+  ssl_verify_depth 2;
+  ssl_client_certificate /etc/ssl/ca.crt;
+  ssl_ciphers  HIGH:!aNULL:!MD5;
+  ssl_prefer_server_ciphers  on;
+
+  keepalive_timeout 300;
+  client_max_body_size 4G;
+
+  root /home/ubuntu/apps/peoplefinder;
+  access_log /home/ubuntu/apps/peoplefinder/log/ssl.log sslinfo buffer=32k;
+  try_files $uri/index.html $uri.html $uri @unicorn;
+
+  location @unicorn {
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host $http_host;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header SSL-client-serial $ssl_client_serial;
+    proxy_set_header SSL-client-dn $ssl_client_s_dn;
+    proxy_set_header SSL-client-verify $ssl_client_verify;
+    proxy_set_header SSL-client-cert $a$b$c$d$e$f$g$h$i$j$k$l$m$n$o$p$q$r$s$t$v$u$w$x$y$z;
+    proxy_redirect off;
+    proxy_pass http://unicorn;
+    proxy_read_timeout 300s;
+    proxy_send_timeout 300s;
+  }
+
+  error_page 500 502 503 504 /500.html;
+  location = /500.html {
+    root /home/ubuntu/apps/peoplefinder/public;
+  }
+}

scripts/nginx/peoplefinder.conf

@@ -0,0 +1,23 @@
+server {
+  listen 80;
+  server_name peoplefinder.cabinetoffice.gov.uk
+  keepalive_timeout 300;
+  client_max_body_size 4G;
+
+  root /home/ubuntu/apps/peoplefinder;
+  try_files $uri/index.html $uri.html $uri @unicorn;
+
+  location @unicorn {
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host $http_host;
+    proxy_set_header X-Forwarded_Proto $scheme;
+    proxy_redirect off;
+    proxy_pass http://unicorn;
+    proxy_read_timeout 300s;
+    proxy_send_timeout 300s;
+  }
+  error_page 500 502 503 504 /500.html;
+  location = /500.html {
+    root /home/ubuntu/apps/peoplefinder/public;
+  }
+}

scripts/upstart/peoplefinder-clock.conf

@@ -0,0 +1,12 @@
+start on starting peoplefinder
+stop on stopping peoplefinder
+respawn
+
+setuid ubuntu
+
+script
+  	. /etc/profile.d/rvm.sh
+	. /etc/profile.d/environment.sh
+	cd $APP_ROOT
+	/usr/local/rvm/wrappers/default/bundle exec clockwork config/schedule.rb
+end script

scripts/upstart/peoplefinder-web.conf

@@ -0,0 +1,12 @@
+start on starting peoplefinder
+stop on stopping peoplefinder
+respawn
+
+setuid ubuntu
+
+script
+  	. /etc/profile.d/rvm.sh
+	. /etc/profile.d/environment.sh
+	cd $APP_ROOT
+	/usr/local/rvm/wrappers/default/bundle exec unicorn -p $UNICORN_PORT -c ./config/unicorn.rb
+end script

scripts/upstart/peoplefinder-worker.conf

@@ -0,0 +1,12 @@
+start on starting peoplefinder
+stop on stopping peoplefinder
+respawn
+
+setuid ubuntu
+
+script
+  	. /etc/profile.d/rvm.sh
+	. /etc/profile.d/environment.sh
+	cd $APP_ROOT
+	/usr/local/rvm/wrappers/default/bundle exec rake jobs:work
+end script

scripts/upstart/peoplefinder.conf

@@ -0,0 +1,2 @@
+start on runlevel [2345]
+stop on runlevel [!2345]