
Revision 5 (關山 和丈, 07/30/2024 02:55 AM) → Revision 6/7 (關山 和丈, 08/18/2024 01:15 PM)

# Wiki 

### Production server
IP: 52.193.124.101
```shell
ssh -i /Users/kazutakesekiyama/.ssh/id_rsa kazutake@52.193.124.101
```

13.231.46.207


### Environment
Lightsail
https://lightsail.aws.amazon.com/ls/webapp/home/instances
https://lightsail.aws.amazon.com/ls/webapp/ap-northeast-1/instances/zaiko/networking

**Create a user**

Log in as the ubuntu user with the private key that matches the public key specified when the instance was built, then run the following:
```shell
sudo su -
# useradd -u 10011 -d /home/kazutake -s /bin/bash -m kazutake -G admin
# mkdir /home/kazutake/.ssh
# (paste the user's SSH public key into authorized_keys)
# echo '*******' > /home/kazutake/.ssh/authorized_keys
# chown -R kazutake:kazutake /home/kazutake/.ssh
# chmod -R 700 /home/kazutake/.ssh
# chmod -R 600 /home/kazutake/.ssh/*
# (drop the shadow entry that useradd created, then set a password)
# sed -i '/^kazutake:.*$/d' /etc/shadow
# sudo passwd kazutake
# (enter the password)
```
From here on, work as the kazutake user created above.
Log out of the ubuntu user and log back in over ssh as kazutake.

**NTP setup**
```shell
# apt update
# apt install -y ntp net-tools
```
**Create the application account**
```shell
# groupadd -g 2000 dev
# adduser --gid 2000 --uid 2100 deploy
```
Press Enter at every prompt to accept the default values.

 ``` shell 
 Adding user `deploy' ... 
 Adding new user `deploy' (2100) with group `dev' ... 
 Creating home directory `/home/deploy' ... 
 Copying files from `/etc/skel' ... 
 New password:  
 Retype new password:  
 No password supplied 
 New password:  
 Retype new password:  
 No password supplied 
 New password:  
 Retype new password:  
 No password supplied 
 passwd: Authentication token manipulation error 
 passwd: password unchanged 
 Try again? [y/N]  
 Changing the user information for deploy 
 Enter the new value, or press ENTER for the default 
     Full Name []:  
     Room Number []:  
     Work Phone []:  
     Home Phone []:  
     Other []:  
 Is the information correct? [Y/n]  
 ``` 

```shell
# visudo
```
Add one line at the end:
```shell
%dev ALL=(ALL) ALL
```

***Install packages***
```shell
# apt -y install patch curl build-essential openssl libreadline-dev git zlib1g zlib1g-dev \
    libssl-dev libyaml-dev libxml2-dev libxslt1-dev autoconf libc6-dev libncurses-dev \
    automake libtool bison subversion libmysqlclient-dev nginx monit nodejs \
    fonts-takao-mincho fonts-takao
```

***Install and configure the DB server***
```shell
# apt -y install mysql-server
# mysql -u root
```

```sql
-- '%' lets this account connect from any host, not only from this server
mysql> CREATE USER 'zaiko_api'@'%' IDENTIFIED BY '*******';
mysql> GRANT ALL PRIVILEGES ON zaiko_api_production.* TO 'zaiko_api'@'%';
mysql> FLUSH PRIVILEGES;
```

***Install Ruby***
```shell
# sudo su - deploy
```
From here on, as the deploy user:

```shell
$ git clone https://github.com/rbenv/rbenv.git ~/.rbenv
$ echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bashrc   # "~" is not expanded inside double quotes, so use $HOME
$ echo 'eval "$(rbenv init - bash)"' >> ~/.bashrc
$ source ~/.bashrc
$ git clone https://github.com/rbenv/ruby-build.git "$(rbenv root)"/plugins/ruby-build
$ rbenv install 3.2.2
```

***Create the application directories***
```shell
# mkdir -p /usr/local/rails_apps/zaiko/shared/tmp/sockets
# mkdir -p /usr/local/rails_apps/zaiko/shared/tmp/pids
# mkdir -p /usr/local/rails_apps/zaiko/shared/config
# mkdir -p /usr/local/rails_apps/zaiko/shared/log
# chown -R www-data:www-data /usr/local/rails_apps/
# chmod -R 2775 /usr/local/rails_apps/
# chown -R deploy /usr/local/rails_apps/zaiko/
```

***Adjust the deploy user***
```shell
# sudo su - deploy
```
From here on, as the deploy user:

```shell
$ ssh-keygen -C ''
```


Press Enter at every prompt to accept the defaults.
 ``` shell 
 Generating public/private rsa key pair. 
 Enter file in which to save the key (/home/deploy/.ssh/id_rsa):  
 Created directory '/home/deploy/.ssh'. 
 Enter passphrase (empty for no passphrase):  
 Enter same passphrase again:  
 Your identification has been saved in /home/deploy/.ssh/id_rsa 
 Your public key has been saved in /home/deploy/.ssh/id_rsa.pub 
 The key fingerprint is: 
 SHA256:c9MuIkkqh7d/nJtmqCLTKDNJ9E2ZNnqcpeWGsdvYRN4  
 The key's randomart image is: 
 +---[RSA 3072]----+ 
 |                   | 
 |                   | 
 |        o            | 
 | .     B +     .       | 
 |. . * # S o .      | 
 | . + @ * E o       | 
 |.+o = Xo... .      | 
 |O o+ +.+*o .       | 
 |.= .oo.+o.         | 
 +----[SHA256]-----+ 
 ``` 


Allow the deploy user to SSH to itself:
```shell
$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
```

***Check out the source code***
※ Beforehand, register the public key /home/deploy/.ssh/id_rsa.pub with git so that the source code can be fetched.
From here on, as the deploy user:
```shell
$ git clone git@github.com:yakuzaiko/zaiko.git /home/deploy/zaiko
$ cd ~/zaiko
```
```shell
$ vi config/master.key
```
Enter the key contents and save.
```shell
$ vi /usr/local/rails_apps/zaiko/shared/config/master.key
```
Enter the key contents and save.
```shell
$ bundle
```

***Set up the DB***
From here on, as the deploy user:
```shell
$ cd ~/zaiko
$ RAILS_ENV=production bin/rails db:create db:migrate db:seed
```

Start the app as a test.
From here on, as the deploy user:
```shell
$ cd ~/zaiko
$ RAILS_ENV=production bin/rails assets:clean assets:precompile
$ RAILS_LOG_TO_STDOUT=1 RAILS_ENV=production bin/rails s
```
 ``` shell 
 => Booting Puma 
 => Rails 7.0.5 application starting in production  
 => Run `bin/rails server --help` for more startup options 
 Puma starting in single mode... 
 * Puma version: 5.6.5 (ruby 3.2.2-p53) ("Birdie's Version") 
 *    Min threads: 5 
 *    Max threads: 5 
 *    Environment: production 
 *            PID: 19069 
 * Listening on http://0.0.0.0:3000 
 Use Ctrl-C to stop 
 ``` 

Open http://[server IP address]:3000/ in a browser.
If the page is displayed, it is working.

***Adjust sudoers***
```shell
# visudo
```
Append the following at the end:
```shell
deploy ALL=(ALL) NOPASSWD: /bin/mv /tmp/*.service /etc/systemd/system/
deploy ALL=(ALL) NOPASSWD: /bin/systemctl daemon-reload
deploy ALL=(ALL) NOPASSWD: /bin/systemctl enable *
deploy ALL=(ALL) NOPASSWD: /bin/systemctl restart *
```
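An added audit helper, not part of this wiki page: in sudoers a `*` matches any string, so the `mv /tmp/*.service` and `systemctl enable *` / `restart *` rules above grant the deploy user considerably more than a deploy needs. The script flags such NOPASSWD rules in a sudoers fragment and writes a tightened equivalent restricted to one unit; the unit name zaiko_puma.service is an assumption.

```shell
#!/bin/sh
# Added audit helper, not part of the original wiki page.
# In sudoers, "*" matches any string (spaces included), so a NOPASSWD rule such as
# "/bin/systemctl restart *" accepts arbitrary arguments and
# "/bin/mv /tmp/*.service /etc/systemd/system/" accepts any *.service file in /tmp.

# Print each active (non-commented) NOPASSWD rule whose command spec contains a glob.
# Usage: broad_nopasswd_rules /etc/sudoers.d/deploy
broad_nopasswd_rules() {
  grep -E '^[^#]*NOPASSWD:[^#]*[*?]' "$1"
}

# Number of flagged rules (0 when the file is clean); usable as a config check.
broad_nopasswd_count() {
  broad_nopasswd_rules "$1" | wc -l | tr -d ' '
}

# Write two constructed sample files: the rules from the wiki as-is ($1) and a
# tightened equivalent ($2) that names the exact unit file instead of using "*".
# The unit name zaiko_puma.service is an assumption; use the name that
# "cap production puma:systemd:config" actually generates.
write_samples() {
  cat > "$1" <<'EOF'
deploy ALL=(ALL) NOPASSWD: /bin/mv /tmp/*.service /etc/systemd/system/
deploy ALL=(ALL) NOPASSWD: /bin/systemctl daemon-reload
deploy ALL=(ALL) NOPASSWD: /bin/systemctl enable *
deploy ALL=(ALL) NOPASSWD: /bin/systemctl restart *
EOF
  cat > "$2" <<'EOF'
# Tightened: exact source and destination file, exact unit name, no globs.
deploy ALL=(ALL) NOPASSWD: /bin/mv /tmp/zaiko_puma.service /etc/systemd/system/zaiko_puma.service
deploy ALL=(ALL) NOPASSWD: /bin/systemctl daemon-reload
deploy ALL=(ALL) NOPASSWD: /bin/systemctl enable zaiko_puma.service
deploy ALL=(ALL) NOPASSWD: /bin/systemctl restart zaiko_puma.service
EOF
}

# Stand-alone demo on the constructed samples.
weak=$(mktemp); tight=$(mktemp)
write_samples "$weak" "$tight"
echo "flagged in wiki rules:      $(broad_nopasswd_count "$weak")"
echo "flagged in tightened rules: $(broad_nopasswd_count "$tight")"
rm -f "$weak" "$tight"
```

Check any edited fragment with `visudo -cf <file>` before installing it.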

***Deploy***
```shell
$ sudo su - deploy
$ cd ~/zaiko
$ bundle exec cap production puma:systemd:config
$ bundle exec cap production puma:systemd:enable
$ bundle exec cap production deploy
```

***nginx configuration***
```shell
# vi /etc/nginx/sites-available/zaiko.conf
```
Write the following:

```nginx
upstream puma {
  server unix:///usr/local/rails_apps/zaiko/shared/tmp/sockets/puma.sock;
}

server {
  server_name stock.zaiko.com;
  listen 80 default_server;
  root /usr/local/rails_apps/zaiko/current/public;

  # precompiled assets are served directly by nginx
  location ^~ /assets/ {
    gzip_static on;
    expires max;
    add_header Cache-Control public;
  }

  location @puma {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    # tells Rails the request came in over TLS; accurate once the HTTPS server block from the SSL setup is in place
    proxy_set_header X-Forwarded-SSL on;
    proxy_redirect off;
    proxy_pass http://puma;
  }

  try_files $uri/index.html $uri @puma;
  error_page 500 502 503 504 /500.html;
}
```

```shell
# ln -s /etc/nginx/sites-available/zaiko.conf /etc/nginx/sites-enabled/
# rm /etc/nginx/sites-enabled/default
# chown deploy:dev /usr/local/rails_apps/zaiko/shared/log/*
# sudo systemctl restart nginx
```

Open http://stock.zaiko.com/ in a browser.


***SSL setup***
```shell
# apt install -y certbot python3-certbot-nginx
# certbot --nginx -d stock.zaiko.com
```
 ``` shell 
 Saving debug log to /var/log/letsencrypt/letsencrypt.log 
 Plugins selected: Authenticator nginx, Installer nginx 
 Enter email address (used for urgent renewal and security notices) (Enter 'c' to 
 cancel): norifumi.homma@init6.co.jp 

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
 Please read the Terms of Service at 
 https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must 
 agree in order to register with the ACME server. Do you agree? 
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
 (Y)es/(N)o: Y 


 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
 Would you be willing, once your first certificate is successfully issued, to 
 share your email address with the Electronic Frontier Foundation, a founding 
 partner of the Let's Encrypt project and the non-profit organization that 
 develops Certbot? We'd like to send you email about our work encrypting the web, 
 EFF news, campaigns, and ways to support digital freedom. 
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
 (Y)es/(N)o: N 
 Account registered. 
 Requesting a certificate for prescription.yakuzaiko.com 

 Successfully received certificate. 
 Certificate is saved at: /etc/letsencrypt/live/prescription.yakuzaiko.com/fullchain.pem 
 Key is saved at:           /etc/letsencrypt/live/prescription.yakuzaiko.com/privkey.pem 
 This certificate expires on 2023-09-04. 
 These files will be updated when the certificate renews. 
 Certbot has set up a scheduled task to automatically renew this certificate in the background. 

 Deploying certificate 
 Successfully deployed certificate for prescription.yakuzaiko.com to /etc/nginx/sites-enabled/yakuzaiko.conf 
 Congratulations! You have successfully enabled HTTPS on https://prescription.yakuzaiko.com 

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
 If you like Certbot, please consider supporting our work by: 
  * Donating to ISRG / Let's Encrypt:     https://letsencrypt.org/donate 
  * Donating to EFF:                      https://eff.org/donate-le 
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
 ``` 

```shell
# systemctl restart nginx
```