Kamal 2 compatible configuration (rails#52883)

* Prepare deploy.yml for new Kamal 2 options

* Use Kamal 2 secrets instead of .env

* With Kamal 2 being default, and Cloudflare being common, this is the better production default

* Add default far-future expiry for Thruster

* Just while we are waiting for Kamal 2 to drop

* Update for new secrets location

* Latest turbo-rails

* Dont use Redis for Action Cable when we have Solid Cable

* Remote config changed too

* Add a kamal alias for sqlite db console when appropriate

* No longer relevant

Thruster does this now

* No longer relevant either

Thruster territory

* No longer relevant

* Update railties/lib/rails/generators/app_base.rb

Co-authored-by: Jerome Dalbert <[email protected]>

* Proxy branch was merged

* Update railties/lib/rails/generators/rails/app/templates/config/environments/production.rb.tt

Co-authored-by: Hartley McGuire <[email protected]>

* Use beta1

* Redis only recommended when solid is skipped

* Use the Kamal 2 beta1

* Use Kamal 2 beta2

---------

Co-authored-by: Jerome Dalbert <[email protected]>
Co-authored-by: Hartley McGuire <[email protected]>

Author: 3 people

Gemfile

@@ -24,7 +24,7 @@ gem "dartsass-rails"
 gem "solid_cache"
 gem "solid_queue"
 gem "solid_cable"
-gem "kamal", require: false
+gem "kamal", ">= 2.0.0.beta2", require: false
 gem "thruster", require: false
 # require: false so bcrypt is loaded only when has_secure_password is used.
 # This is to avoid Active Model (and by extension the entire framework)

Gemfile.lock

@@ -161,7 +161,8 @@ GEM
       dante (> 0.1.5)
     base64 (0.2.0)
     bcrypt (3.1.20)
-    bcrypt_pbkdf (1.1.0)
+    bcrypt_pbkdf (1.1.1)
+    bcrypt_pbkdf (1.1.1-x86_64-darwin)
     beaneater (1.1.3)
     benchmark (0.3.0)
     bigdecimal (3.1.8)
@@ -210,7 +211,7 @@ GEM
       delayed_job (>= 3.0, < 5)
     digest-crc (0.6.5)
       rake (>= 12.0.0, < 14.0.0)
-    dotenv (2.8.1)
+    dotenv (3.1.4)
     drb (2.2.1)
     ed25519 (1.3.0)
     erubi (1.13.0)
@@ -308,16 +309,16 @@ GEM
       railties (>= 6.0.0)
     json (2.7.1)
     jwt (2.7.1)
-    kamal (1.5.2)
+    kamal (2.0.0.beta2)
       activesupport (>= 7.0)
       base64 (~> 0.2)
       bcrypt_pbkdf (~> 1.0)
       concurrent-ruby (~> 1.2)
-      dotenv (~> 2.8)
+      dotenv (~> 3.1)
       ed25519 (~> 1.2)
       net-ssh (~> 7.0)
-      sshkit (~> 1.21)
-      thor (~> 1.2)
+      sshkit (>= 1.23.0, < 2.0)
+      thor (~> 1.3)
       zeitwerk (~> 2.5)
     kramdown (2.4.0)
       rexml
@@ -369,7 +370,6 @@ GEM
     msgpack (1.7.2)
     multi_json (1.15.0)
     multipart-post (2.3.0)
-    mutex_m (0.2.0)
     mysql2 (0.5.6)
     net-http-persistent (4.0.2)
       connection_pool (~> 2.2)
@@ -396,6 +396,7 @@ GEM
     nokogiri (1.16.7-x86_64-linux)
       racc (~> 1.4)
     os (1.1.4)
+    ostruct (0.6.0)
     parallel (1.24.0)
     parser (3.3.1.0)
       ast (~> 2.4.1)
@@ -574,12 +575,12 @@ GEM
       mini_portile2 (~> 2.8.0)
     sqlite3 (2.0.0-x86_64-darwin)
     sqlite3 (2.0.0-x86_64-linux-gnu)
-    sshkit (1.22.2)
+    sshkit (1.23.1)
       base64
-      mutex_m
       net-scp (>= 1.1.2)
       net-sftp (>= 2.1.2)
       net-ssh (>= 2.8.0)
+      ostruct
     stackprof (0.2.25)
     stimulus-rails (1.3.0)
       railties (>= 6.0.0)
@@ -602,7 +603,7 @@ GEM
     tomlrb (2.0.3)
     trailblazer-option (0.1.2)
     trilogy (2.7.0)
-    turbo-rails (1.5.0)
+    turbo-rails (2.0.7)
       actionpack (>= 6.0.0)
       activejob (>= 6.0.0)
       railties (>= 6.0.0)
@@ -663,7 +664,7 @@ DEPENDENCIES
   jbuilder
   jsbundling-rails
   json (>= 2.0.0, != 2.7.0)
-  kamal
+  kamal (>= 2.0.0.beta2)
   launchy
   libxml-ruby
   listen (~> 3.3)

railties/lib/rails/generators/app_base.rb

@@ -623,10 +623,10 @@ def css_gemfile_entry
       end
 
       def cable_gemfile_entry
-        return if options[:skip_action_cable]
-
-        comment = "Use Redis adapter to run Action Cable in production"
-        GemfileEntry.new("redis", ">= 4.0.1", comment, {}, true)
+        if !options[:skip_action_cable] && options[:skip_solid]
+          comment = "Use Redis adapter to run Action Cable in production"
+          GemfileEntry.new("redis", ">= 4.0.1", comment, {}, true)
+        end
       end
 
       def bundle_command(command, env = {})
@@ -730,8 +730,7 @@ def run_kamal
         bundle_command "binstubs kamal"
         bundle_command "exec kamal init"
 
-        remove_file ".env"
-        template "env.erb", ".env.erb"
+        template "kamal-secrets.tt", ".kamal/secrets", force: true
         template "config/deploy.yml", force: true
       end
 

railties/lib/rails/generators/rails/app/templates/Gemfile.tt

@@ -32,7 +32,7 @@ gem "bootsnap", require: false
 <% unless options.skip_kamal? -%>
 
 # Deploy this application anywhere as a Docker container [https://kamal-deploy.org]
-gem "kamal", require: false
+gem "kamal", ">= 2.0.0.beta2", require: false
 <% end -%>
 <% unless options.skip_thruster? -%>
 

railties/lib/rails/generators/rails/app/templates/config/deploy.yml.tt

@@ -13,6 +13,12 @@ servers:
   #     - 192.168.0.1
   #   cmd: bin/jobs
 
+# Enable SSL auto certification via Let's Encrypt (and allow for multiple apps on one server).
+# Set ssl: false if using something like Cloudflare to terminate SSL (but keep host!).
+proxy:
+  ssl: true
+  host: app.example.com
+
 # Credentials for your image host.
 registry:
   # Specify the registry server, if you're not using Docker Hub
@@ -23,8 +29,7 @@ registry:
   password:
     - KAMAL_REGISTRY_PASSWORD
 
-# Inject ENV variables into containers (secrets come from .env).
-# Remember to run `kamal env push` after making changes!
+# Inject ENV variables into containers (secrets come from .kamal/secrets).
 env:
   secret:
     - RAILS_MASTER_KEY
@@ -51,6 +56,16 @@ env:
     # DB_HOST: 192.168.0.2
 <% end -%>
 
+# Aliases are triggered with "bin/kamal <alias>". You can overwrite arguments on invocation:
+# "bin/kamal logs -r job" will tail logs from the first server in the job section.
+aliases:
+  console: app exec --interactive --reuse "bin/rails console"
+  shell: app exec --interactive --reuse "bash"
+  logs: app logs -f
+<% if sqlite3? -%>
+  dbc: app exec --interactive --reuse "sqlite3 storage/production.sqlite3"
+<% end -%>
+
 <% unless skip_storage? %>
 # Use a persistent storage volume for sqlite database files and local Active Storage files.
 # Recommended to change this to a mounted volume path that is backed up off server.
@@ -63,27 +78,25 @@ volumes:
 # version inside the asset_path.
 asset_path: /rails/public/assets
 
+# Configure the image builder.
+builder:
+  arch: amd64
+
+  # # Build image via remote server (useful for faster amd64 builds on arm64 computers)
+  # remote: ssh://docker@docker-builder-server
+  #
+  # # Pass arguments and secrets to the Docker build process
+  # args:
+  #   RUBY_VERSION: <%= ENV["RBENV_VERSION"] || ENV["rvm_ruby_string"] || "#{RUBY_ENGINE}-#{RUBY_ENGINE_VERSION}" %>
+  # secrets:
+  #   - GITHUB_TOKEN
+  #   - RAILS_MASTER_KEY
+
 # Use a different ssh user than root
 # ssh:
 #   user: app
 
-# Configure builder setup (defaults to multi-arch images).
-# builder:
-#   # Build same-arch image locally (use for x86->x86)
-#   multiarch: false
-#
-#   # Build diff-arch image via remote server
-#   remote:
-#     arch: amd64
-#     host: ssh://[email protected]
-#
-#   args:
-#     RUBY_VERSION: <%= ENV["RBENV_VERSION"] || ENV["rvm_ruby_string"] || "#{RUBY_ENGINE}-#{RUBY_ENGINE_VERSION}" %>
-#   secrets:
-#     - GITHUB_TOKEN
-#     - RAILS_MASTER_KEY
-
-# Use accessory services (secrets come from .env).
+# Use accessory services (secrets come from .kamal/secrets).
 # accessories:
 #   db:
 #     image: mysql:8.0

railties/lib/rails/generators/rails/app/templates/config/environments/production.rb.tt

@@ -1,3 +1,5 @@
+require "active_support/core_ext/integer/time"
+
 Rails.application.configure do
   # Settings specified here will take precedence over those in config/application.rb.
 
@@ -20,16 +22,12 @@ Rails.application.configure do
   # key such as config/credentials/production.key. This key is used to decrypt credentials (and other encrypted files).
   # config.require_master_key = true
 
-  # Disable serving static files from `public/`, relying on NGINX/Apache to do so instead.
-  # config.public_file_server.enabled = false
+  # Cache assets for far-future expiry since they are all digest stamped.
+  config.public_file_server.headers = { "cache-control" => "public, max-age=#{1.year.to_i}" }
 
   # Enable serving of images, stylesheets, and JavaScripts from an asset server.
   # config.asset_host = "http://assets.example.com"
 
-  # Specifies the header that your server uses for sending files.
-  # config.action_dispatch.x_sendfile_header = "X-Sendfile" # for Apache
-  # config.action_dispatch.x_sendfile_header = "X-Accel-Redirect" # for NGINX
-
   <%- unless skip_active_storage? -%>
   # Store uploaded files on the local file system (see config/storage.yml for options).
   config.active_storage.service = :local
@@ -44,7 +42,7 @@ Rails.application.configure do
   <%- end -%>
   # Assume all access to the app is happening through a SSL-terminating reverse proxy.
   # Can be used together with config.force_ssl for Strict-Transport-Security and secure cookies.
-  # config.assume_ssl = true
+  config.assume_ssl = true
 
   # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
   config.force_ssl = true

railties/lib/rails/generators/rails/app/templates/env.erb.tt

@@ -0,0 +1,17 @@
+# Secrets defined here are available for reference under registry/password, env/secret, builder/secrets,
+# and accessories/*/env/secret in config/deploy.yml. All secrets should be pulled from either
+# password manager, ENV, or a file. DO NOT ENTER RAW CREDENTIALS HERE! This file needs to be safe for git.
+
+# Example of extracting secrets from 1password (or another compatible pw manager)
+# SECRETS=$(kamal secrets --adapter 1password --from Vault/Item Section1/KAMAL_REGISTRY_PASSWORD Section2/RAILS_MASTER_KEY)
+# KAMAL_REGISTRY_PASSWORD=$(kamal secrets extract KAMAL_REGISTRY_PASSWORD ${SECRETS})
+# RAILS_MASTER_KEY=$(kamal secrets extract RAILS_MASTER_KEY ${SECRETS})
+
+# Use a GITHUB_TOKEN if private repositories are needed for the image
+# GITHUB_TOKEN=$(gh config get -h github.com oauth_token)
+
+# Grab the registry password from ENV
+KAMAL_REGISTRY_PASSWORD=$KAMAL_REGISTRY_PASSWORD
+
+# Improve security by using a password manager. Never check config/master.key into git!
+RAILS_MASTER_KEY=$(cat config/master.key)

railties/lib/rails/generators/rails/app/templates/kamal-secrets.tt

@@ -462,7 +462,7 @@ def test_generator_defaults_to_puma_version
   end
 
   def test_action_cable_redis_gems
-    run_generator
+    run_generator [destination_root, "--skip-solid"]
     assert_file "Gemfile", /^# gem "redis"/
   end
 
@@ -645,7 +645,7 @@ def test_inclusion_of_kamal_files
     run_generator_instance
 
     assert_file "config/deploy.yml"
-    assert_file ".env.erb"
+    assert_file ".kamal/secrets"
   end
 
   def test_kamal_files_are_skipped_if_required
@@ -656,7 +656,7 @@ def test_kamal_files_are_skipped_if_required
     assert_empty @bundle_commands.grep("exec kamal init")
 
     assert_no_file "config/deploy.yml"
-    assert_no_file ".env.erb"
+    assert_no_file ".kamal/secrets"
   end
 
   def test_inclusion_of_kamal_storage_volume