Server
As of December 2018 we’re in the process of moving to deploying everything through ansible. For now we have done the basics for https://dev.trustroots.org/ and https://staging.trustroots.org/.
Trustroots runs on DigitalOcean (referral link) Ubuntu 14.04 droplet.
This is how to configure production server.
Nginx
- Nginx v1.8.x
- Redirect port 80 to 443.
- Redirect non-www to www.
- Proxy traffic to port 3000 (NodeJS app) with Passenger v5.x Installation instructions
- Serve /public/ directly with Nginx (without NodeJS in between).
Make sure /etc/nginx/nginx.conf
has these:
passenger_root /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini;
# passenger_ruby /usr/bin/passenger_free_ruby;
passenger_nodejs /usr/local/bin/node;
passenger_show_version_in_header off;
Make sure you have configuration file at /etc/nginx/sites-available/trustroots_org.conf
and equivalent symlink pointing to it from sites-enabled: ln -s ../sites-available/trustroots_org.conf trustroots_org.conf
.
Test configuration by running sudo nginx -t
and start/stop/restart nginx by sudo service nginx {start|stop|restart|reload|force-reload|status|configtest|rotate|upgrade}
SSL
- Old certs from Namecheap.com (currently just
www.trustroots.org
+trustroots.org
- New certs with Certbot (shop/grafana/dev etc)
- Check health
Backups
- Located at
/srv/backups/
- Daily full backup of the server droplet by DigitalOcean
- Daily synced of backups directory to S3 (database & uploaded files).
Configure backups
- Install AWS CLI
- Make sure you have bucket
trustroots-backups
at S3 and give user access to that bucket - Create a config file with user’s access keys
/srv/configs/aws.conf
:[default] aws_access_key_id=ACCESS_KEY aws_secret_access_key=SECRET_KEY # Optional, to define default region for this profile. region=eu-west-1
- Add backup scripts for the DB and files by typing
sudo crontab -e
and add these lines: ```Backup Trustroots.org DB, once per hour (at x:00)
0 * * * * /srv/trustroots/scripts/backup-db.sh >/dev/null 2>&1
Sync backup directory to AWS S3, once per hour (at x:10)
10 * * * * /srv/trustroots/scripts/s3backup.sh >/dev/null 2>&1
If your deployment runs DB migration scripts, create a backup prior to that by running `sudo bash /srv/trustroots/scripts/backup-db.sh`
#### Updating AWS client ([via](https://trepmal.com/2014/03/12/automating-backups-to-amazon-s3/))
- As in; it's not installed via python pip
- Test you have the latest; `aws --version`
- Update:
wget https://s3.amazonaws.com/aws-cli/awscli-bundle.zip unzip awscli-bundle.zip sudo ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws ```
Database
- Install & setup MongoDB v2.x
Swap
- Follow these instructions
- Swap file 4 Gt
- Set
vm.swappiness
to 30 - Set
vfs_cache_pressure
to 50
Logs
- rsyslog pushes logs to papertrail as per this
- remote_syslog is installed and pushing logs to papertrail
- It may or may not be started on boot #442
People with rights to access the server, databases and statistics
Kasper, Mikael. Abel. https://github.com/orgs/Trustroots/teams/ops