initial commit

.gitignore

@@ -0,0 +1,7 @@
+app.env
+db.env
+dhparam.pem
+group_vars/aws.yml
+roles/monit/vars/mail.yml
+
+site.retry

ansible.cfg

@@ -0,0 +1,4 @@
+[defaults]
+inventory = hosts
+hosts = production
+remote_user = root

group_vars/all

@@ -0,0 +1 @@
+app_home: /opt/app/skyderby

group_vars/aws.yml.example

@@ -0,0 +1,4 @@
+---
+aws_region: us-west-1
+aws_access_key_id: ...
+aws_secret_access_key: ...

hosts

@@ -0,0 +1,2 @@
+[production]
+skyderby.ru

roles/app_backup/files/app_files_sync.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+app_files=$(docker volume inspect app_system --format '{{ .Mountpoint }}')
+
+/urs/local/bin/aws s3 sync $app_files s3://app-files.skyderby.ru

roles/app_backup/files/pg_base.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+wal_files=$(docker volume inspect pg_wal_archive --format '{{ .Mountpoint }}')
+
+cd /opt/app/skyderby
+
+# Perform backup and upload to s3
+docker-compose exec -T db /bin/bash -c "pg_basebackup -F tar -D - -X f --gzip -U rep" | \
+/usr/local/bin/aws s3 cp - s3://pg-backup.skyderby.ru/pg_backup.tar.gz
+
+# Cleanup old WAL files
+find $wal_files -mtime +2 -delete

roles/app_backup/files/wal_sync_to_aws.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+wal_files=$(docker volume inspect pg_wal_archive --format '{{ .Mountpoint }}')
+
+/usr/local/bin/aws s3 sync --delete $wal_files s3://wal-files.skyderby.ru/

roles/app_backup/tasks/main.yml

@@ -0,0 +1,34 @@
+---
+- name: Copy cron scripts
+  copy:
+    src: "{{ item }}"
+    dest: /root/cron_scripts/
+    mode: 500
+  with_fileglob:
+    - ../files/*
+  tags: cron
+
+- name: Creates cron logs directory
+  file: path=/root/cron_logs state=directory
+
+- name: Cron job | Sync app files
+  cron:
+    name: Sync app files
+    minute: 0
+    job: /root/cron_scripts/app_files_sync.sh
+  tags: cron
+
+- name: Cron job | Sync WAL logs
+  cron:
+    name: Sync WAL logs
+    minute: '*/10'
+    job: /root/cron_scripts/wal_sync_to_aws.sh
+  tags: cron
+
+- name: Cron job | PG Base Backup
+  cron:
+    name: Backup and upload pg base
+    minute: 0
+    hour: 5
+    job: /root/cron_scripts/pg_base.sh
+  tags: cron

roles/application/files/app.env.example

@@ -0,0 +1,26 @@
+RAILS_ENV=production
+
+DB_HOST=db
+DB_NAME=your_db_name
+DB_USERNAME=your_db_username
+DB_PASSWORD=your_db_password
+
+MAILER_ASSET_HOST=https://skyderby.ru
+MAILER_URL_HOST=skyderby.ru
+SMTP_ADDRESS=smtp.example.com
+SMTP_PORT=25
+SMTP_DOMAIN=skyderby.ru
+[email protected]
+SMTP_PASSWORD=secret
+
+WEB_CONCURRENCY=0
+RAILS_MAX_THREADS=5
+PORT=8000
+
+REDIS_HOST='redis'
+REDIS_PORT=6379
+REDIS_DB=12
+
+MAPS_API_KEY=google_maps_api_key
+
+HONEYBADGER_API_KEY=honey_badger_api_key

roles/application/files/db.env.example

@@ -0,0 +1,3 @@
+POSTGRES_DB=your_db_name
+POSTGRES_USER=your_db_username
+POSTGRES_PASSWORD=your_db_password

roles/application/files/docker-compose.yml

@@ -0,0 +1,68 @@
+version: '2'
+
+services:
+  db:
+    image: postgres:9.6.4
+    env_file: db.env
+    ports:
+      - "5432:5432"
+    volumes:
+      - pg_data_96:/var/lib/postgresql/data
+      - pg_wal_archive:/wal_archive
+      - ./postgres/pg_hba.conf:/var/lib/postgresql/data/pg_hba.conf
+      - ./postgres/postgresql.conf:/var/lib/postgresql/data/postgresql.conf
+    restart: always
+
+  app:
+    image: skyderby/app:latest
+    env_file: app.env
+    volumes:
+      - /opt/app/public
+      - app_system:/opt/app/public/system
+    depends_on:
+      - db
+      - redis
+    ports:
+      - "8000:8000"
+    restart: always
+
+  workers:
+    image: skyderby/app:latest
+    env_file: app.env
+    volumes:
+      - ./database.yml:/opt/app/config/database.yml:ro
+      - app_system:/opt/app/public/system
+    depends_on:
+      - db
+      - redis
+    command: "bundle exec sidekiq -q default -q mailers -c 5"
+    restart: always
+
+  redis:
+    image: redis:3.0.5
+    volumes:
+      - redis_data:/data
+    restart: always
+
+  web:
+    image: nginx:stable
+    volumes:
+      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+      - ./nginx/dhparam.pem:/etc/pki/nginx/dhparam.pem:ro
+      - /etc/letsencrypt:/etc/letsencrypt:ro
+    volumes_from:
+      - app:ro
+    ports:
+      - "80:80"
+      - "443:443"
+    restart: always
+
+volumes:
+  redis_data:
+    external: true
+  pg_data_96:
+    external: false
+  pg_wal_archive:
+    external: true
+  app_system:
+    external: true

roles/application/files/nginx/nginx.conf

@@ -0,0 +1,179 @@
+# This is example contains the bare mininum to get nginx going with
+# unicorn servers.  Generally these configuration settings
+# are applicable to other HTTP application servers (and not just Ruby
+# ones), so if you have one working well for proxying another app
+# server, feel free to continue using it.
+#
+# The only setting we feel strongly about is the fail_timeout=0
+# directive in the "upstream" block.  max_fails=0 also has the same
+# effect as fail_timeout=0 for current versions of nginx and may be
+# used in its place.
+#
+# Users are strongly encouraged to refer to nginx documentation for more
+# details and search for other example configs.
+
+# you generally only need one nginx worker unless you're serving
+# large amounts of static files which require blocking disk reads
+worker_processes 1;
+
+# # drop privileges, root is needed on most systems for binding to port 80
+# # (or anything < 1024).  Capability-based security may be available for
+# # your system and worth checking out so you won't need to be root to
+# # start nginx to bind on 80
+user nobody nogroup; # for systems with a "nogroup"
+# user nobody nobody; # for systems with "nobody" as a group instead
+
+# Feel free to change all paths to suite your needs here, of course
+pid /tmp/nginx.pid;
+error_log /var/log/nginx/error.log;
+
+events {
+  worker_connections 1024; # increase if you have lots of clients
+  accept_mutex off; # "on" if nginx worker_processes > 1
+  # use epoll; # enable for Linux 2.6+
+  # use kqueue; # enable for FreeBSD, OSX
+}
+
+http {
+  # nginx will find this file in the config directory set at nginx build time
+  include mime.types;
+
+  # fallback in case we can't determine a type
+  default_type application/octet-stream;
+
+  # click tracking!
+  access_log /var/log/nginx/access.log combined;
+
+  # you generally want to serve static files with nginx since
+  # unicorn is not and will never be optimized for it
+  sendfile on;
+
+  tcp_nopush on; # off may be better for *some* Comet/long-poll stuff
+  tcp_nodelay off; # on may be better for some Comet/long-poll stuff
+
+  # we haven't checked to see if Rack::Deflate on the app server is
+  # faster or not than doing compression via nginx.  It's easier
+  # to configure it all in one place here for static files and also
+  # to disable gzip for clients who don't get gzip/deflate right.
+  # There are other gzip settings that may be needed used to deal with
+  # bad clients out there, see http://wiki.nginx.org/NginxHttpGzipModule
+  gzip on;
+  gzip_http_version 1.0;
+  gzip_proxied any;
+  gzip_min_length 500;
+  gzip_disable "MSIE [1-6]\.";
+  gzip_types text/plain text/xml text/css
+             text/comma-separated-values
+             text/javascript application/x-javascript
+             application/atom+xml;
+
+  # this can be any application server, not just unicorn
+  upstream app_server {
+    # fail_timeout=0 means we always retry an upstream even if it failed
+    # to return a good HTTP response (in case the unicorn master nukes a
+    # single worker for timing out).
+
+    server app:8000 fail_timeout=0;
+  }
+
+  server {
+    return 204;
+  }
+
+  server {
+    server_name skyderby.ru;
+    listen 80;
+    return 301 https://skyderby.ru$request_uri;
+  }
+
+  server {
+    listen 443 ssl default deferred http2; # for Linux
+    server_name skyderby.ru;
+    ssl_stapling on;
+    ssl on;
+    ssl_certificate /etc/letsencrypt/live/skyderby.ru/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/skyderby.ru/privkey.pem;
+    ssl_dhparam /etc/pki/nginx/dhparam.pem;
+    ssl_session_timeout 24h;
+    ssl_session_cache shared:SSL:2m;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers kEECDH+AES128:kEECDH:kEDH:-3DES:kRSA+AES128:kEDH+3DES:DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv2;
+    ssl_prefer_server_ciphers on;
+    add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
+
+    if ($http_user_agent ~* (AhrefsBot|SemrushBot|BaiduSpider|Jorgee|MJ12bot)) {
+      return 444;
+    }
+
+    # If you have IPv6, you'll likely want to have two separate listeners.
+    # One on IPv4 only (the default), and another on IPv6 only instead
+    # of a single dual-stack listener.  A dual-stack listener will make
+    # for ugly IPv4 addresses in $remote_addr (e.g ":ffff:10.0.0.1"
+    # instead of just "10.0.0.1") and potentially trigger bugs in
+    # some software.
+    # listen [::]:80 ipv6only=on; # deferred or accept_filter recommended
+
+    client_max_body_size 10m;
+
+    # ~2 seconds is often enough for most folks to parse HTML/CSS and
+    # retrieve needed images/icons/frames, connections are cheap in
+    # nginx so increasing this is generally safe...
+    keepalive_timeout 5;
+
+    # path for static files
+    root /opt/app/public;
+
+    # Prefer to serve static files directly from nginx to avoid unnecessary
+    # data copies from the application server.
+    #
+    # try_files directive appeared in in nginx 0.7.27 and has stabilized
+    # over time.  Older versions of nginx (e.g. 0.6.x) requires
+    # "if (!-f $request_filename)" which was less efficient:
+    # http://bogomips.org/unicorn.git/tree/examples/nginx.conf?id=v3.3.1#n127
+    try_files $uri/index.html $uri.html $uri @app;
+
+    location ^~ /assets/ {
+      gzip_static on;
+      expires max;
+      add_header Cache-Control public;
+    }
+
+    location @app {
+      # an HTTP header important enough to have its own Wikipedia entry:
+      #   http://en.wikipedia.org/wiki/X-Forwarded-For
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+
+      # enable this if you forward HTTPS traffic to unicorn,
+      # this helps Rack set the proper URL scheme for doing redirects:
+      # proxy_set_header X-Forwarded-Proto $scheme;
+
+      # pass the Host: header from the client right along so redirects
+      # can be set properly within the Rack application
+      proxy_set_header Host $http_host;
+
+      # we don't want nginx trying to do something clever with
+      # redirects, we set the Host: header above already.
+      proxy_redirect off;
+
+      # It's also safe to set if you're using only serving fast clients
+      # with unicorn + nginx, but not slow clients.  You normally want
+      # nginx to buffer responses to slow clients, even with Rails 3.1
+      # streaming because otherwise a slow client can become a bottleneck
+      # of unicorn.
+      #
+      # The Rack application may also set "X-Accel-Buffering (yes|no)"
+      # in the response headers do disable/enable buffering on a
+      # per-response basis.
+      # proxy_buffering off;
+
+      proxy_pass http://app_server;
+    }
+
+    # Rails error pages
+    error_page 500 502 503 504 /500.html;
+    #location = /500.html {
+    #  root /opt/app/public;
+    #}
+  }
+}

roles/application/files/postgres/pg_hba.conf

@@ -0,0 +1,6 @@
+#host all all 0.0.0.0/0 md5
+local all all trust
+local replication rep trust
+#host skyderby skyderby 172.18.0.0/0 md5
+host skyderby skyderby .skyderby_default md5
+host replication rep 45.32.239.89/32 md5