jason PRO said 3 months ago on Kamal 2 :
Hey David,

Great video. Could you demo a deploy with postgresql on the same server? 

David Kimura PRO said 3 months ago on Kamal 2 :
Here's an example of what the accessory for Postgres could look like. It would rely on you updating the .kamal/secrets to also pass the POSTGRES_PASSWORD for the initial setup. Also, you would want to take care because in this situation, you're exposing port 5432 to the world as well. This shouldn't be an issue if you have a firewall, but you still want to take precautions. You could do something like

127.0.0.1:5432:5432

to expose it only on the localhost, but could have issues if you ever outgrow a single server setup.

# config/deploy.yml
accessories:
  postgres:
    image: postgres:17
    port: 5432:5432
    host: IP_OF_THE_SERVER
    env:
      clear:
        POSTGRES_USER: APPLICATION_NAME
        POSTGRES_DB: APPLICATION_NAME_production
      secret:
        - POSTGRES_PASSWORD
    directories:
      - data:/var/lib/postgresql/data

claudiug PRO said 3 months ago on Kamal 2 :
I think is also important that you need to have docker on the machine, and start it :)

David Kimura PRO said 3 months ago on Kamal 2 :
Running kamal setup will install docker for you automatically as it does detect if it doesn't exist. In the episode example of the DO Droplet, I didn't do any pre-setup or hardening. Kamal installed docker and everything it needed.


claudiug PRO said 2 months ago on Kamal 2 :
Sorry, what I mean, when you run kamal setup from terminal(example: mac) you need to have docker up and running on your mac. AFAIK

David Kimura PRO said 2 months ago on Kamal 2 :
Ah, yes that makes sense. Unless there is a remote builder set up, that is correct.

jeromedalbert said 2 months ago on Kamal 2 :
> Also, you would want to take care because in this situation, you're exposing port 5432 to the world as well.
> [...] You could do something like 127.0.0.1:5432:5432

Yeah with Kamal 2 you can avoid exposing the port to the world by setting the postgres accessory `port` to `127.0.0.1:5432:5432` instead of `5432:5432`, and in the `database.yml` or env var config making sure the host is `servicename-accessoryname` instead of an IP, e.g. `app1-postgres`, so the Rails app can connect to the database via Kamal 2's internal docker local network.

This is explained in the the Kamal 2 presentation video at 14:26: https://youtu.be/QC4b2teG_hc?feature=shared&t=866. It is not yet well known as this tip was documented in deploy.yml only last week in the Rails main branch, but if you run `rails new --main` you will see those deploy.yml comments about the local network.

But as David said, that will only work for single server setups.

claudiug PRO said 2 months ago on Kamal 2 :
when I try the kamal setup it was complaining about credentials as I was expect they will load via .env, but failled
after I use kamal secrets print, I realize that I ahve no values, so I had to run export KEY from my terminal as kamal will read from there. 

any better ideas here?

David Kimura PRO said 2 months ago on Kamal 2 :
In Kamal 2, the secrets were moved from .env to .kamal/secrets. Be careful as this file is included in your version control by default (not added to .gitignore).

claudiug PRO said 2 months ago on Kamal 2 :
  David Kimura  abs. :) they will not be added.  For me is not clear now where to load my ENV. I could just use rails credentials, but happens with all people like me, that Are using .env?

paul PRO said 2 months ago on Kamal 2 :

Hey David,

Thanks for the video. When you mention having a firewall in your comment, what exactly do you mean? Do you set up the firewall yourself, or is it provided by DigitalOcean droplets or Kamal? I am considering using Kamal instead of a PaaS platform that handles security automatically. Should I take additional steps to secure Kamal? Also, is there an advanced video on firewalls available?

Thanks!

David Kimura PRO said 2 months ago on Kamal 2 :
It's basically enabling UFW

# installing and configuring ufw
sudo apt-get install ufw
sudo ufw status
sudo ufw allow 22/tcp
sudo ufw allow www/tcp
sudo uff allow 443/tcp
sudo ufw enable

This will block incoming requests except the SSH port, and ports 80 & 443. For server hardening, I also like updating all of the packages on a fresh install and installing fail2ban. I'll also typically update my SSH config (or verify it) that password authentication is disabled, so you can only use a SSH key to authenticate.

sudo apt update && sudo apt upgrade -y
sudo apt install fail2ban

Kyxu said about 2 months ago on Kamal 2 :
Good video. I have a question about postgres. Is it possible to create several databases at once via deploy.yml (for the application, for the queue, for the cache...). It seems that it is not. What is the best way to do it then?

David Kimura PRO said about 2 months ago on Kamal 2 :
You can use the one postgresql instance and have multiple databases on that instance. You do not need to create separate instances (one for each database). If you have specific requirements because maybe a queue database or cache database has different infrastructure requirements, then you should be able to set up additional servers and use the accessories for each of those servers to host their own container of postgresql. But if we're talking a more simple setup (everything on one box/vm) then you would need just the one postgresql instance (even with multiple databases).

floydj PRO said 18 days ago on Kamal 2 :
How do you view the Rails logs? When I use "kamal app logs", it just shows me what appear to be Thruster logs, not the normal Rails output.

floydj PRO said 18 days ago on Kamal 2 :
Actually, nevermind. I just found out I needed to change my app to send the logs to STDOUT, which took care of it. Thanks.

Login to Comment