About a month ago I decided I wanted to get a website going for Cerulean Labs,
my catch-all organization that has supported game dev, mentoring meetups, and other
random group projects. It would be good to have a website that allowed users in
the organization to coordinate meeting up, sharing projects, and reviewing
important info like community guidelines.
I specifically chose Rails because I haven’t developed on it since Rails 3 and I miss developing in Ruby. Puma is the default app server out of the box, and Capistrano takes care of deploys. Last, Nginx is used as a proxy.
Installation
Below are the components I had to install on the host machine. The order is all out of whack — I bounced around as I figured out what still needed to be setup. If you’re looking for specific guides, check out the bottom of this post.
SSL Certificate
I used Let’s Encrypt to get my certificate. First, I
setup my dependencies:
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx
Installing the cert:
$ sudo certbot --nginx -d www.ceruleanlabs.com
Testing renewal:
$ sudo certbot renew --dry-run
It’ll prompt you along the way but the questions are straight-forward.
Nginx Gotos
I used the following when I wanted to check the syntax of my config files, check
to see if nginx was running, and then to restart it whenever I made a change.
$ sudo nginx -t $ sudo service nginx status $ sudo service nginx restart
Nginx Config
When you first look at /etc/nginx/sites-available/default
it looks something
like this:
server {
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name www.ceruleanlabs.com; # managed by Certbot
location / {
try_files $uri $uri/ =404;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/www.ceruleanlabs.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.ceruleanlabs.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = www.ceruleanlabs.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 ;
listen [::]:80 ;
server_name www.ceruleanlabs.com;
return 404; # managed by Certbot
}
The first server block shows a default Nginx page. The second block makes sure
that your site is always served over HTTPS.
We want to first add an upstream block that points to where our Puma socket will
be located. I put this at the very top of the file:
upstream puma {
server unix:///var/www/ceruleanlabs/shared/tmp/sockets/puma.sock fail_timeout=0;
}
Next we want to rewrite the guts of that server block that is currently serving
the default Nginx page. Mine looks something like this, given we’re serving a
Rails app via Puma:
server {
root /var/www/ceruleanlabs/current/public;
access_log /var/www/ceruleanlabs/current/log/nginx.access.log;
error_log /var/www/ceruleanlabs/current/log/nginx.error.log info;
server_name www.ceruleanlabs.com;
location ^~ /assets/ {
gzip_static on;
expires max;
add_header Cache-Control public;
}
try_files $uri/index.html $uri @puma;
location @puma {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://puma;
}
listen [::]:443 ssl; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/www.ceruleanlabs.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.ceruleanlabs.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
error_page 500 502 503 504 /500.html;
client_max_body_size 10M;
keepalive_timeout 10;
}
Firewall Config
This part was also straightforward, and again I followed the guide at the bottom
of this post. I pretty much just ran the following commands:
$ sudo ufw allow "Nginx Full"
$ sudo ufw allow "OpenSSH"
$ sudo ufw delete allow "Nginx HTTP"
$ sudo ufw status
Ruby Setup
$ curl -fsSL https://github.com/rbenv/rbenv-installer/raw/master/bin/rbenv-installer | bash
I then followed the rbenv guide
for installing it to my shell so it would be available when I’m running commands
remotely via Capistrano. You can set that shell for that user with chsh -s /bin/bash
— using Bash, for example, with a ~/.bash_profile
that looks like this:
export PATH="$HOME/.rbenv/bin:$PATH" eval "$(rbenv init -)"
JavaScript Runtime
We need a runtime for compilation of the Javascript components. I ended up just installing Node on the host machine, but you can also add something like mini_racer to your Gemfile to add support as well.
Deploys
$ cap production deploy
Additional Setup
This is all open-source, so you can of-course check out the rest of the app configuration on GitHub: https://github.com/ceruleanlabs/ceruleanlabs.com The rest of the changes I had to make mostly centered around configuring the Rails app with the correct database credentials, libraries, etc. I should’ve written my steps down better haha, but you’ll find the rest of what’s configured in the repo.
Useful Docs and Guides