在庫管理システム

# Wiki

### 本番サーバー

IP: 13.231.46.207

### 環境

Lightsail 

https://lightsail.aws.amazon.com/ls/webapp/home/instances

https://lightsail.aws.amazon.com/ls/webapp/ap-northeast-1/instances/zaiko/networking

**ユーザー作成**

インスタンス構築時に指定した公開鍵に対応する秘密鍵を用いて ubuntu ユーザーでログインして以下を実行

``` ruby

sudo su -

# useradd -u 10011 -d /home/kazutake -s /bin/bash -m kazutake -G admin

# mkdir /home/kazutake/.ssh

# echo *******' > /home/kazutake/.ssh/authorized_keys

# chown -R kazutake:kazutake /home/kazutake/.ssh

# chmod 700 -R /home/kazutake/.ssh

# chmod 600 -R /home/kazutake/.ssh/*

# sed -i '/^kazutake:.*$/d' /etc/shadow

# sudo passwd kazutake

```

以降、上記で作成した kazutakeユーザーで作業を行う

ubuntu ユーザーをログアウトし、 kazutake ユーザーで ssh 経由でログインする

**NTP設定**

``` ruby

# apt update

# apt install -y ntp net-tools

```

**アプリ用アカウント作成**

``` ruby

# groupadd dev -g 2000

# adduser --gid 2000 --uid 2100 deploy

```

途中の質問は全て Enter を押下してデフォルト値を利用する

``` shell

Adding user `deploy' ...

Adding new user `deploy' (2100) with group `dev' ...

Creating home directory `/home/deploy' ...

Copying files from `/etc/skel' ...

New password: 

Retype new password: 

No password supplied

New password: 

Retype new password: 

No password supplied

New password: 

Retype new password: 

No password supplied

passwd: Authentication token manipulation error

passwd: password unchanged

Try again? [y/N] 

Changing the user information for deploy

Enter the new value, or press ENTER for the default

    Full Name []: 

    Room Number []: 

    Work Phone []: 

    Home Phone []: 

    Other []: 

Is the information correct? [Y/n] 

```

``` ruby

# visudo

```

最後に1行追加

``` ruby

%dev ALL=(ALL) ALL

```

***パッケージのインストール***

``` ruby

# apt -y install patch curl build-essential openssl libreadline-dev libreadline-dev git zlib1g zlib1g-dev libssl-dev libyaml-dev libxml2-dev libxslt1-dev autoconf libc6-dev libncurses-dev automake libtool bison subversion libmysqlclient-dev nginx monit nodejs fonts-takao-mincho fonts-takao

```

***DBサーバーのインストール・設定***

``` ruby

# apt -y install mysql-server

# mysql -u root

```

``` sql

mysql> CREATE USER 'zaiko_api'@'%' IDENTIFIED BY '*******';

mysql> GRANT ALL PRIVILEGES ON zaiko_api_production.* TO 'zaiko_api'@'%';

mysql> FLUSH PRIVILEGES;

```

***Ruby のインストール***

``` ruby

# sudo su - deploy

```

以下、 deploy ユーザー

``` ruby

$ git clone https://github.com/rbenv/rbenv.git ~/.rbenv

$ echo 'export PATH="~/.rbenv/bin:$PATH"' >> ~/.bashrc

$ ~/.rbenv/bin/rbenv init >> ~/.bashrc

$ echo 'eval "$(rbenv init - bash)"' >> ~/.bashrc

$ source ~/.bashrc

$ git clone https://github.com/rbenv/ruby-build.git "$(rbenv root)"/plugins/ruby-build

$ rbenv  install 3.2.2

```

***アプリケーション用ディレクトリの作成***

``` ruby

# mkdir -p /usr/local/rails_apps/zaiko/shared/tmp/sockets

# mkdir -p /usr/local/rails_apps/zaiko/shared/tmp/pids

# mkdir -p /usr/local/rails_apps/zaiko/shared/config

# mkdir -p /usr/local/rails_apps/zaiko/shared/log

# chown -R www-data:www-data /usr/local/rails_apps/

# chmod -R 2775 /usr/local/rails_apps/

# chown -R deploy /usr/local/rails_apps/zaiko/

```

***デプロイユーザーの調整***

``` ruby

# sudo su - deploy

```

以下、 deploy ユーザー

``` shell

$ ssh-keygen -C ''

```

入力は全てデフォルトで enter キーを押下していく

``` shell

Generating public/private rsa key pair.

Enter file in which to save the key (/home/deploy/.ssh/id_rsa): 

Created directory '/home/deploy/.ssh'.

Enter passphrase (empty for no passphrase): 

Enter same passphrase again: 

Your identification has been saved in /home/deploy/.ssh/id_rsa

Your public key has been saved in /home/deploy/.ssh/id_rsa.pub

The key fingerprint is:

SHA256:c9MuIkkqh7d/nJtmqCLTKDNJ9E2ZNnqcpeWGsdvYRN4 

The key's randomart image is:

+---[RSA 3072]----+

|                 |

|                 |

|      o          |

| .   B +   .     |

|. . * # S o .    |

| . + @ * E o     |

|.+o = Xo... .    |

|O o+ +.+*o .     |

|.= .oo.+o.       |

+----[SHA256]-----+

```

自分自身にSSHできるようにする

``` ruby

$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

```

***ソースコードを展開する***

※事前に /home/deploy/.ssh/id_rsa.pub の公開鍵を　git に登録してソースコードを取得できるようにする

以下、 deploy ユーザー

``` ruby

$ git clone git@github.com:yakuzaiko/zaiko.git /home/deploy/zaiko

$ cd ~/zaiko

```

``` ruby

$ vi config/master.key

```

内容を記載して保存

$ vi /usr/local/rails_apps/zaiko/shared/config/master.key

内容を記載して保存

``` ruby

$ bundle

```

***DBを用意する***

以下、 deploy ユーザー

``` ruby

$ cd ~/zaiko

$ RAILS_ENV=production bin/rails db:create db:migrate db:seed

```

試しに起動する

以下、 deploy ユーザー

``` ruby

$ cd ~/zaiko

$ RAILS_ENV=production bin/rails assets:clean assets:precompile

$ RAILS_LOG_TO_STDOUT=1 RAILS_ENV=production bin/rails s

```

``` shell

=> Booting Puma

=> Rails 7.0.5 application starting in production 

=> Run `bin/rails server --help` for more startup options

Puma starting in single mode...

* Puma version: 5.6.5 (ruby 3.2.2-p53) ("Birdie's Version")

*  Min threads: 5

*  Max threads: 5

*  Environment: production

*          PID: 19069

* Listening on http://0.0.0.0:3000

Use Ctrl-C to stop

```

ブラウザで http://[サーバーのIPアドレス]:3000/ にアクセス

ページが表示されればOK

***sudoers の調整***

``` r

# visudo

```

以下を最後に追記

``` shell

deploy ALL=(ALL) NOPASSWD: /bin/mv /tmp/*.service /etc/systemd/system/

deploy ALL=(ALL) NOPASSWD: /bin/systemctl daemon-reload

deploy ALL=(ALL) NOPASSWD: /bin/systemctl enable *

deploy ALL=(ALL) NOPASSWD: /bin/systemctl restart *

```

***　デプロイ***

``` ruby

$ sudo su - deploy

$ cd ~/yakuzaiko

$ bundle exec cap production puma:systemd:config

$ bundle exec cap production puma:systemd:enable 

$ bundle exec cap production deploy

```

***nginxの設定***

``` ruby

# vi /etc/nginx/sites-available/zaiko.conf

```

以下のように記載

``` shell

upstream puma {

  server unix:///usr/local/rails_apps/zaiko/shared/tmp/sockets/puma.sock;

}

server {

  server_name stock.zaiko.com;

  listen 80 default_server;

  root /usr/local/rails_apps/zaiko/current/public;

  location ^~ /assets/ {

    gzip_static on;

    expires max;

    add_header Cache-Control public;

  }

  location @puma {

    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_set_header Host $http_host;

    proxy_set_header X-Forwarded-SSL on; 

    proxy_redirect off;

    proxy_pass http://puma;

  }

  try_files $uri/index.html $uri @puma;

  error_page 500 502 503 504 /500.html;

}

```

``` ruby

# ln -s /etc/nginx/sites-available/zaiko.conf /etc/nginx/sites-enabled/

# rm /etc/nginx/sites-enabled/default

# chown deploy:dev /usr/local/rails_apps/zaiko/shared/log/*

# sudo systemctl restart nginx

```

http://stock.zaiko.com/ にアクセス

***SSLの設定***

``` ruby

# apt install -y certbot python3-certbot-nginx

# certbot --nginx -d stock.zaiko.com

```

``` shell

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator nginx, Installer nginx

Enter email address (used for urgent renewal and security notices) (Enter 'c' to

cancel): norifumi.homma@init6.co.jp

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Please read the Terms of Service at

https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must

agree in order to register with the ACME server. Do you agree?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Would you be willing, once your first certificate is successfully issued, to

share your email address with the Electronic Frontier Foundation, a founding

partner of the Let's Encrypt project and the non-profit organization that

develops Certbot? We'd like to send you email about our work encrypting the web,

EFF news, campaigns, and ways to support digital freedom.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(Y)es/(N)o: N

Account registered.

Requesting a certificate for prescription.yakuzaiko.com

Successfully received certificate.

Certificate is saved at: /etc/letsencrypt/live/prescription.yakuzaiko.com/fullchain.pem

Key is saved at:         /etc/letsencrypt/live/prescription.yakuzaiko.com/privkey.pem

This certificate expires on 2023-09-04.

These files will be updated when the certificate renews.

Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate

Successfully deployed certificate for prescription.yakuzaiko.com to /etc/nginx/sites-enabled/yakuzaiko.conf

Congratulations! You have successfully enabled HTTPS on https://prescription.yakuzaiko.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

If you like Certbot, please consider supporting our work by:

 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate

 * Donating to EFF:                    https://eff.org/donate-le

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

```

``` ruby

# systemctl restart nginx

```