# @author Donovan Bray <donnoman@donovanbray.com>
require File.expand_path(File.dirname(__FILE__) + '/../utilities')
# This Nginx is targeted at the :web role, where it acts as the front end
# to an :app role
# Additions
# https://github.com/newobj/nginx-x-rid-header
# https://github.com/yaoweibin/nginx_syslog_patch
# Possible Future Additions
# https://support.newrelic.com/kb/features/tracking-front-end-time
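# Capistrano recipe for nginx: builds it from source under nginx_root, uploads
# its configuration, init script, logrotate rule and TLS material, and defines
# the start/stop/restart/reload tasks (init.d by default, god when selected).
Capistrano::Configuration.instance(true).load do
  namespace :nginx do
    # Reference both roles up front.
    # NOTE(review): presumably this makes the roles exist even when no server
    # is assigned to them; confirm against the Capistrano version in use.
    roles[:nginx]
    roles[:nginx_client]

    # --- paths and templates ------------------------------------------------
    set :nginx_init_d, "nginx"
    set :nginx_root, "/opt/nginx"
    set :nginx_conf_path, File.join(File.dirname(__FILE__),'nginx.conf')
    set :nginx_init_d_path, File.join(File.dirname(__FILE__),'nginx.init')
    set :nginx_stub_conf_path, File.join(File.dirname(__FILE__),'stub_status.conf')
    set :nginx_god_path, File.join(File.dirname(__FILE__),'nginx.god')
    set :nginx_logrotate_path, File.join(File.dirname(__FILE__),'nginx.logrotate')

    # --- source tarball -----------------------------------------------------
    # must be above 1.1.7 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1180
    # That is a floor, not a recommendation: re-check the pinned release against
    # the nginx security advisories before deploying.
    # The tarball is unpacked and built with sudo, so it is fetched over HTTPS
    # rather than plain HTTP.
    set :nginx_src, "https://nginx.org/download/nginx-1.2.0.tar.gz"
    # Optional integrity pin for the tarball named by nginx_src. When set, the
    # install task checks the download with sha256sum before unpacking it.
    # Example (placeholder): set :nginx_src_sha256, "<sha256-of-the-pinned-tarball>"
    set :nginx_src_sha256, nil
    # Tarball basename without ".tar.gz", e.g. "nginx-1.2.0".
    set(:nginx_ver) { nginx_src.match(/\/([^\/]*)\.tar\.gz$/)[1] }
    set(:nginx_source_dir) {"#{nginx_root}/src/#{nginx_ver}"}
    set(:nginx_patch_dir) {"#{nginx_root}/src"}
    set(:nginx_log_dir) {"#{nginx_root}/logs"}
    set(:nginx_pid_file) {"#{nginx_log_dir}/nginx.pid"}

    # --- runtime settings ---------------------------------------------------
    set :nginx_watcher, nil
    set :nginx_user, "nobody"
    set :nginx_suppress_runner, false
    set :nginx_port, '80'
    set :nginx_ssl_port, '443'
    set :nginx_bind_eth, nil
    # "###ETH###" is a marker; the configure task replaces it with sed by the
    # address of nginx_bind_eth. nil when no interface is configured.
    set(:nginx_bind) {"###ETH###" if nginx_bind_eth}
    set(:nginx_listen) {"#{nginx_bind}:#{nginx_port}"}
    set(:nginx_ssl_listen) {"#{nginx_bind}:#{nginx_ssl_port} ssl"}
    set :nginx_server_name, 'localhost'
    set(:nginx_server_names) {nginx_server_name}
    set :nginx_app_conf_path, File.join(File.dirname(__FILE__),'app.conf')
    set :nginx_worker_processes, "1" # should be cpu's - 1
    set(:nginx_app_conf_filename) { application }
    set(:nginx_configure_flags) {[
      "--with-debug",
      "--with-http_gzip_static_module",
      "--with-http_stub_status_module",
      "--with-http_ssl_module",
      "--add-module=#{nginx_patch_dir}/nginx_syslog_patch",
      "--add-module=#{nginx_patch_dir}/nginx-x-rid-header",
      "--with-ld-opt=-lossp-uuid",
      "--with-cc-opt=-I/usr/include/ossp"
    ]}

    # --- TLS ----------------------------------------------------------------
    set :nginx_cert_name, nil
    set :nginx_cert_path, nil
    set(:nginx_cert_location) { "#{nginx_root}/conf/keys"}
    # false may cause problems with the init.d and leave orphans, true will
    # destroy the remnants of whatever used to be there.
    set :uninstall_apt_nginx, false
    set :nginx_redirect_www_to_base_domain, true
    set :nginx_upload_certs, true
    set :nginx_max_fails, "10"
    set :nginx_fail_timeout, "15"
    set :nginx_redirects, nil

    # Returns a shell command substitution (backticks included) that prints the
    # IPv4 address of +eth+ when run on the remote host. It parses the
    # "inet addr:" form of ifconfig output.
    # +eth+ is interpolated unquoted into a command that later runs under sudo,
    # so it must only ever come from trusted deploy configuration.
    def ipaddress(eth)
      %Q{`ifconfig #{eth} | awk '/inet addr/ {split ($2,A,":"); print A[2]}'`}
    end

    # Uploads <nginx_cert_name>.key and .crt from nginx_cert_path into
    # nginx_cert_location when a certificate name is set and uploads are enabled.
    task :upload_certs, :roles => [:web,:nginx,:nginx_client] do
      if nginx_cert_name && nginx_upload_certs
        sudo "mkdir -p #{nginx_cert_location}"
        # The private key is restricted to root. Workers running as nginx_user
        # should not need to read it; confirm that against your nginx.conf.
        # NOTE(review): assumes :mode is handed to chmod, as the "u+x" used for
        # the init script in the setup task suggests; confirm in utilities.
        utilities.sudo_upload_template File.join(nginx_cert_path,"#{nginx_cert_name}.key"), "#{nginx_cert_location}/#{nginx_cert_name}.key", :owner => "root:root", :mode => "600"
        utilities.sudo_upload_template File.join(nginx_cert_path,"#{nginx_cert_name}.crt"), "#{nginx_cert_location}/#{nginx_cert_name}.crt", :owner => "root:root"
      end
    end

    desc "select watcher"
    task :watcher do
      # Dispatches to nginx:watch_with_<nginx_watcher>. The task name is built
      # from configuration, so nginx_watcher must stay deployer-controlled.
      nginx.send("watch_with_#{nginx_watcher}".to_sym) unless nginx_watcher.nil?
    end

    desc "Use GOD as nginx's runner"
    task :watch_with_god do
      #rejigger the maintenance tasks to use god when god is in play
      %w(start stop restart).each do |t|
        task t.to_sym, :roles => :web do
          god.cmd "#{t} nginx" unless nginx_suppress_runner
        end
      end
      after "god:setup", "nginx:setup_god"
    end

    # NOTE(review): :setup_god is defined a second time further down with extra
    # update-rc.d steps; the later definition presumably replaces this one.
    # Confirm and drop whichever is unintended.
    desc "setup god to watch nginx"
    task :setup_god, :roles => [:web,:nginx] do
      god.upload nginx_god_path, 'nginx.god'
    end

    desc "remove nginx installed by apt-get if present"
    task :uninstall_apt_nginx, :roles => [:web,:nginx] do
      # ";true" keeps the task going when no init script is present.
      run "#{sudo} /etc/init.d/nginx stop;true"
      utilities.apt_remove "nginx"
      run "#{sudo} rm -rf /etc/nginx"
    end

    desc 'Installs nginx for web'
    task :install, :roles => [:web,:nginx] do
      uninstall_apt_nginx if fetch(:uninstall_apt_nginx)
      utilities.apt_install "build-essential libssl-dev zlib1g-dev libcurl4-openssl-dev libpcre3-dev libossp-uuid-dev git-core"
      sudo "mkdir -p #{nginx_source_dir}"
      # Everything below is compiled and installed as root, so the tarball is
      # checked against nginx_src_sha256 (when set) before it is unpacked.
      verify = nginx_src_sha256 ? " && echo '#{nginx_src_sha256}  #{nginx_ver}.tar.gz' | sha256sum -c -" : ""
      run "cd #{nginx_root}/src && #{sudo} wget --tries=2 -c --progress=bar:force #{nginx_src}#{verify} && #{sudo} tar zxvf #{nginx_ver}.tar.gz"
      # https:// instead of git://: the git protocol is unauthenticated and
      # unencrypted, and GitHub no longer serves it.
      # NOTE(review): both modules appear to track the remote's current head and
      # are linked into a root-built binary; pin a reviewed commit if
      # utilities.git_clone_or_pull allows it.
      utilities.git_clone_or_pull "https://github.com/yaoweibin/nginx_syslog_patch.git", "#{nginx_patch_dir}/nginx_syslog_patch"
      utilities.git_clone_or_pull "https://github.com/newobj/nginx-x-rid-header.git", "#{nginx_patch_dir}/nginx-x-rid-header"
      # The patch file is selected by the numeric part of nginx_ver.
      run "cd #{nginx_source_dir} && #{sudo} sh -c 'patch -p1 < #{nginx_patch_dir}/nginx_syslog_patch/syslog_#{nginx_ver.split('-').last}.patch'"
      run "cd #{nginx_source_dir} && #{sudo} ./configure --prefix=#{nginx_root} #{nginx_configure_flags.join(" ")} && #{sudo} make && #{sudo} make install"
    end

    # Creates the conf/log directories and uploads nginx.conf, the stub_status
    # site, the init script and the logrotate rule, all owned by root.
    task :setup, :roles => [:web,:nginx] do
      sudo "mkdir -p #{nginx_root}/conf/sites-available #{nginx_root}/conf/sites-enabled #{nginx_log_dir}"
      utilities.sudo_upload_template nginx_conf_path,"#{nginx_root}/conf/nginx.conf", :owner => "root:root"
      utilities.sudo_upload_template nginx_stub_conf_path,"#{nginx_root}/conf/sites-available/stub_status.conf", :owner => "root:root"
      sudo "ln -sf #{nginx_root}/conf/sites-available/stub_status.conf #{nginx_root}/conf/sites-enabled/stub_status.conf"
      utilities.sudo_upload_template nginx_init_d_path,"/etc/init.d/#{nginx_init_d}", :owner => "root:root", :mode => "u+x"
      utilities.sudo_upload_template nginx_logrotate_path,"/etc/logrotate.d/#{nginx_init_d}", :owner => "root:root"
    end

    desc "Nginx Unicorn Reload"
    task :reload, :roles => [:web,:nginx,:nginx_client] do
      sudo "/etc/init.d/#{nginx_init_d} reload"
    end

    desc "Nginx Unicorn Reopen"
    task :reopen, :roles => [:web,:nginx] do
      sudo "/etc/init.d/#{nginx_init_d} reopen"
    end

    # NOTE(review): every other task uses #{nginx_root}/conf/sites-enabled; this
    # path lacks the conf/ segment, so the rm probably never matches a file.
    # Confirm the intended location before changing it.
    task :remove_default, :roles => [:web,:nginx] do
      sudo "rm -f #{nginx_root}/sites-enabled/default"
    end

    desc "Watch Nginx and Unicorn Workers with GOD"
    task :setup_god, :roles => [:web,:nginx] do
      god.upload nginx_god_path, "nginx.god"
      # disable init from automatically starting and stopping these init controlled apps
      # god will be started by init, and in turn start these god controlled apps.
      # but leave the init script in place to be called manually
      sudo "update-rc.d -f nginx remove; true"
      #if you simply remove lsb driven links an apt-get can later reinstall them
      #so we explicitly define the kill scripts.
      sudo "update-rc.d nginx stop 20 2 3 4 5 .; true"
    end

    desc "Setup sd-agent to collect metrics for nginx"
    task :setup_sdagent, :roles => [:web,:nginx] do
      # block executing this task if :sdagent isn't present on any :web servers.
      # The host lists are intersected with `&`. The previous `&&` returned the
      # second list as-is, so the edit ran whenever any :sdagent server existed,
      # whether or not it was also a :web server.
      web_hosts = find_servers(:roles => :web).map { |d| d.host }
      sdagent_hosts = find_servers(:roles => :sdagent).map { |d| d.host }
      if (web_hosts & sdagent_hosts).any?
        sudo "sed -i 's/^.*nginx_status_url.*$/nginx_status_url: http:\\/\\/127.0.0.1\\/nginx_status/g' #{sdagent_root}/config.cfg"
      end
    end

    desc "Write the application conf"
    task :configure, :roles => [:web,:nginx_client] do
      utilities.sudo_upload_template nginx_app_conf_path, "#{nginx_root}/conf/sites-available/#{nginx_app_conf_filename}.conf", :owner => "root:root"
      # Swap the "###ETH###" marker for the interface's address on the remote host.
      sudo %Q{sed -i "s/#{nginx_bind}/#{ipaddress(nginx_bind_eth)}/g" #{nginx_root}/conf/sites-available/#{nginx_app_conf_filename}.conf} if nginx_bind_eth
      enable
    end

    desc "Enable the application conf"
    task :enable, :roles => [:web,:nginx,:nginx_client] do
      sudo "ln -sf #{nginx_root}/conf/sites-available/#{nginx_app_conf_filename}.conf #{nginx_root}/conf/sites-enabled/#{nginx_app_conf_filename}.conf"
    end

    desc "Disable the application conf"
    task :disable, :roles => [:web,:nginx,:nginx_client] do
      sudo "rm #{nginx_root}/conf/sites-enabled/#{nginx_app_conf_filename}.conf"
    end

    # Currently a no-op: the check is commented out, so nothing verifies that
    # each .crt matches its .key before upload_certs ships them.
    desc "Verify the pairs of keys are matched sets in nginx_cert_path"
    task :verify_cert_pairs do
      #disabled until this is fixed to work with OSX Mavericks
      # if nginx_cert_path && ENV['VERIFY_CERT_PAIRS'] != "0"
      #   Dir[File.expand_path(File.join(nginx_cert_path,"/*.crt"))].each do |cert|
      #     key = cert.gsub(".crt",".key")
      #     utilities.stream_locally %Q{[ `openssl x509 -noout -modulus -in #{cert} | openssl md5` == `openssl rsa -noout -modulus -in #{key} | openssl md5` ]}
      #     utilities.stream_locally %Q{openssl x509 -in #{cert} -noout -subject -startdate -enddate}
      #   end
      # end
    end

    # Default runner: start/stop/restart through the init script. The
    # watch_with_god task redefines these three when god is selected.
    %w(start stop restart).each do |t|
      desc "#{t} nginx via init"
      task t.to_sym, :roles => [:web,:nginx] do
        sudo "/etc/init.d/nginx #{t}" unless nginx_suppress_runner
      end
    end
  end
end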