Production setup (#14)

* Enabled production deployment

* Add basic airbrake configuration + env ID support

* Newrelic basic setup + environments

* Set concurrency low to keep sidekiq+puma combo happy

* Nix log buckets for new relic

* Rubocop tweak

* Build fix

* Airbrake fix

* Newrelic job tracing

* Unique fix for benchmarking

* Update concurrency settings

* Newrelic and airbrake updates - bare-bones new setups

* Tweak to warning levels for newrelic

* Fix bang on prod script, other script tweaks, and relic/airbrake config issues

* Fix allowed hosts for all environments

.env.development

@@ -3,4 +3,4 @@ DB_PASSWORD=postgres
 DB_PORT=5432
 DB_USERNAME=postgres
 REDIS_URL=redis://host.docker.internal:6379/7
-PORT=3000
+PORT=3001

.env.production

@@ -0,0 +1,15 @@
+DB_HOST=
+DB_POOL=25
+DB_PORT=5432
+DB_SSLCERT=/config/rds-combined-ca-bundle.pem
+DB_SSLMODE=verify-full
+REDIS_URL=
+PORT=3000
+S3_ATTACHMENTS_BUCKET=
+ACTIVE_STORAGE_PUBLIC=true
+FORCE_SSL=true
+AIRBRAKE_ID=
+AIRBRAKE_KEY=
+NEWRELIC_LICENSE_KEY=
+NEWRELIC_APP_NAME=
+WEB_CONCURRENCY=2

.env.staging

@@ -8,3 +8,9 @@ PORT=3000
 S3_ATTACHMENTS_BUCKET=
 ACTIVE_STORAGE_PUBLIC=true
 FORCE_SSL=true
+AIRBRAKE_ID=
+AIRBRAKE_KEY=
+NEWRELIC_LICENSE_KEY=
+NEWRELIC_APP_NAME=
+NEWRELIC_MONITOR_MODE=
+WEB_CONCURRENCY=2

Dockerfile

@@ -79,6 +79,7 @@ COPY ./tmp ./tmp
 COPY LICENSE README.md Rakefile config.ru .version ./
 COPY .version ./public/version
 COPY ./.env.staging ./.env.staging
+COPY ./.env.production ./.env.production
 COPY ./config/rds-combined-ca-bundle.pem /config/rds-combined-ca-bundle.pem
 
 COPY --from=download /fonts/GoNotoKurrent-Regular.ttf /fonts/GoNotoKurrent-Bold.ttf /fonts/DancingScript-Regular.otf /fonts/OFL.txt /fonts

Gemfile

@@ -44,6 +44,9 @@ gem 'turbo-rails'
 gem 'twitter_cldr', require: false
 gem 'tzinfo-data'
 
+gem 'airbrake'
+gem 'newrelic_rpm'
+
 group :development, :test do
   gem 'better_html'
   gem 'bullet'

Gemfile.lock

@@ -74,6 +74,10 @@ GEM
       uri (>= 0.13.1)
     addressable (2.8.7)
       public_suffix (>= 2.0.2, < 7.0)
+    airbrake (13.0.5)
+      airbrake-ruby (~> 6.0)
+    airbrake-ruby (6.2.2)
+      rbtree3 (~> 0.6)
     annotaterb (4.14.0)
     arabic-letter-connector (0.1.1)
     ast (2.4.2)
@@ -336,6 +340,7 @@ GEM
       timeout
     net-smtp (0.5.0)
       net-protocol
+    newrelic_rpm (9.17.0)
     nio4r (2.7.4)
     nokogiri (1.18.8)
       mini_portile2 (~> 2.8.2)
@@ -433,6 +438,7 @@ GEM
       zeitwerk (~> 2.6)
     rainbow (3.1.1)
     rake (13.2.1)
+    rbtree3 (0.7.1)
     rdoc (6.10.0)
       psych (>= 4.0.0)
     redis-client (0.23.0)
@@ -588,6 +594,7 @@ PLATFORMS
   x86_64-linux-musl
 
 DEPENDENCIES
+  airbrake
   annotaterb
   arabic-letter-connector
   aws-sdk-s3
@@ -618,6 +625,7 @@ DEPENDENCIES
   jwt
   letter_opener_web
   lograge
+  newrelic_rpm
   oj
   pagy
   pg

bin/start_production

@@ -0,0 +1,271 @@
+#!/bin/sh -e
+
+echo "=== CP Docuseal Production Startup ==="
+
+# Enable jemalloc for reduced memory usage and latency.
+if [ -z "${LD_PRELOAD+x}" ]; then
+    LD_PRELOAD=$(find /usr/lib -name libjemalloc.so.2 -print -quit)
+    export LD_PRELOAD
+fi
+
+check_aws_setup() {
+    if [ -z "$AWS_REGION" ]; then
+        echo "ERROR: AWS_REGION environment variable is not set"
+        exit 1
+    fi
+
+    if ! command -v aws &> /dev/null; then
+        echo "ERROR: AWS CLI is not installed. Please install it to proceed."
+        exit 1
+    fi
+}
+
+# Function to fetch secrets from AWS Secrets Manager
+fetch_db_credentials() {
+    echo "Fetching database credentials from AWS Secrets Manager..."
+
+    if [ -z "$DB_SECRETS_NAME" ]; then
+        echo "ERROR: DB_SECRETS_NAME environment variable is not set"
+        exit 1
+    fi
+    
+    # Fetch the secret
+    echo "Retrieving secret: $DB_SECRETS_NAME"
+    SECRET_JSON=$(aws secretsmanager get-secret-value \
+        --region "$AWS_REGION" \
+        --secret-id "$DB_SECRETS_NAME" \
+        --query SecretString \
+        --output text)
+    
+    if [ $? -ne 0 ]; then
+        echo "ERROR: Failed to retrieve secrets from AWS Secrets Manager"
+        exit 1
+    fi
+    
+    # Parse JSON and export environment variables
+    export DB_USERNAME=$(echo "$SECRET_JSON" | jq -r '.username')
+    export DB_PASSWORD=$(echo "$SECRET_JSON" | jq -r '.password')
+
+    # Validate that we got the credentials
+    if [ "$DB_USERNAME" = "null" ] || [ "$DB_PASSWORD" = "null" ] || [ -z "$DB_USERNAME" ] || [ -z "$DB_PASSWORD" ]; then
+        echo "ERROR: Failed to parse database credentials from secrets"
+        echo "Expected JSON format: {\"username\": \"...\", \"password\": \"...\"}"
+        exit 1
+    fi
+
+    # Write credentials to .env.production file
+    echo "Writing database credentials to .env.production..."
+
+    # Remove existing DB_USERNAME and DB_PASSWORD lines if they exist
+    if [ -f "./.env.production" ]; then
+        echo "Removing existing DB_USERNAME and DB_PASSWORD from .env.production"
+        grep -v "^DB_USERNAME=" ./.env.production > ./.env.production.tmp || true
+        grep -v "^DB_PASSWORD=" ./.env.production.tmp > ./.env.production || true
+        rm -f ./.env.production.tmp
+    fi
+    
+    # Append the new credentials
+    echo "DB_USERNAME=$DB_USERNAME" >> ./.env.production
+    echo "DB_PASSWORD=$DB_PASSWORD" >> ./.env.production
+
+    echo "✓ Database credentials successfully retrieved and written to .env.production"
+}
+
+# Function to fetch encryption key from AWS Secrets Manager and write to config/master.key
+fetch_encryption_key() {
+    echo "Fetching encryption key from AWS Secrets Manager..."
+
+    ENCRYPTION_SECRET_NAME="cpdocuseal/encryption_key"
+    if [ -z "$AWS_REGION" ]; then
+        echo "ERROR: AWS_REGION environment variable is not set"
+        exit 1
+    fi
+
+    # Fetch the secret value (assume it's a plain string, not JSON)
+    ENCRYPTION_KEY=$(aws secretsmanager get-secret-value \
+        --region "$AWS_REGION" \
+        --secret-id "$ENCRYPTION_SECRET_NAME" \
+        --query SecretString \
+        --output text)
+
+    if [ $? -ne 0 ] || [ -z "$ENCRYPTION_KEY" ] || [ "$ENCRYPTION_KEY" = "null" ]; then
+        echo "ERROR: Failed to retrieve encryption key from AWS Secrets Manager"
+        exit 1
+    fi
+
+    # Write the key to config/master.key
+    echo -n "$ENCRYPTION_KEY" > config/master.key
+    chmod 600 config/master.key
+    echo "✓ Encryption key written to config/master.key"
+}
+
+# Function to fetch allowed hosts values
+fetch_allowed_hosts() {
+    echo "Fetching allowed hosts from AWS Secrets Manager..."
+
+    if [ -z "$ALLOWED_HOSTS_NAME" ]; then
+        echo "ERROR: ALLOWED_HOSTS_NAME environment variable is not set"
+        exit 1
+    fi
+
+    # Fetch the secret value, assume kept as JSON array
+    ALLOWED_HOSTS_JSON=$(aws secretsmanager get-secret-value \
+        --region "$AWS_REGION" \
+        --secret-id "$ALLOWED_HOSTS_NAME" \
+        --query SecretString \
+        --output text)
+
+    if [ $? -ne 0 ] || [ -z "$ALLOWED_HOSTS_JSON" ] || [ "$ALLOWED_HOSTS_JSON" = "null" ]; then
+        echo "ERROR: Failed to retrieve allowed hosts from AWS Secrets Manager"
+        exit 1
+    fi
+
+    # Extract the array and convert to comma-separated string
+    ALLOWED_HOSTS=$(echo "$ALLOWED_HOSTS_JSON" | jq -r '.allowed_hosts | join(",")')
+
+    if [ -z "$ALLOWED_HOSTS" ] || [ "$ALLOWED_HOSTS" = "null" ]; then
+        echo "ERROR: Failed to parse allowed hosts from secrets. Check that the secret contains 'allowed_hosts' key."
+        exit 1
+    fi
+
+    # Write allowed hosts to .env.production file
+    echo "Writing allowed hosts to .env.production..."
+    echo "ALLOWED_HOSTS=$ALLOWED_HOSTS" >> ./.env.production
+    echo "✓ Allowed hosts successfully retrieved and written to .env.production"
+}
+
+# Function to fetch various environment variables and write to .env file for use by app
+fetch_env_variables() {
+    echo "Fetching environment variables from AWS Secrets Manager..."
+
+    if [ -z "$CP_VARIABLES_NAME" ]; then
+        echo "ERROR: CP_VARIABLES_NAME environment variable is not set"
+        exit 1
+    fi
+    
+    # Fetch the secret
+    echo "Retrieving secret: $CP_VARIABLES_NAME"
+    SECRET_JSON=$(aws secretsmanager get-secret-value \
+        --region "$AWS_REGION" \
+        --secret-id "$CP_VARIABLES_NAME" \
+        --query SecretString \
+        --output text)
+    
+    if [ $? -ne 0 ]; then
+        echo "ERROR: Failed to retrieve secrets from AWS Secrets Manager"
+        exit 1
+    fi
+
+    export DB_HOST=$(echo "$SECRET_JSON" | jq -r '.host')
+    export REDIS_URL=$(echo "$SECRET_JSON" | jq -r '.redis_url')
+    export S3_ATTACHMENTS_BUCKET=$(echo "$SECRET_JSON" | jq -r '.s3_attachments_bucket')
+    export AIRBRAKE_ID=$(echo "$SECRET_JSON" | jq -r '.airbrake_id')
+    export AIRBRAKE_KEY=$(echo "$SECRET_JSON" | jq -r '.airbrake_key')
+    export NEWRELIC_LICENSE_KEY=$(echo "$SECRET_JSON" | jq -r '.newrelic_license_key')
+    export NEWRELIC_APP_NAME=$(echo "$SECRET_JSON" | jq -r '.newrelic_app_name')
+    export NEWRELIC_MONITOR_MODE=$(echo "$SECRET_JSON" | jq -r '.newrelic_monitor_mode')
+
+    # Validate that we got the values
+    if [ "$DB_HOST" = "null" ] || [ "$REDIS_URL" = "null" ] || [ "$S3_ATTACHMENTS_BUCKET" = "null" ] || [ -z "$DB_HOST" ] || [ -z "$REDIS_URL" ] || [ -z "$S3_ATTACHMENTS_BUCKET" ]; then
+        echo "ERROR: Failed to parse variables from secrets"
+        echo "Expected JSON format: {\"key\": \"...\", ...}"
+        exit 1
+    fi
+
+    # Validate license keys exist for logging
+    if [ "$AIRBRAKE_ID" = "null" ] || [ "$AIRBRAKE_KEY" = "null" ] || [ "$NEWRELIC_LICENSE_KEY" = "null" ] || [ "$NEWRELIC_APP_NAME" = "null" ]; then
+        echo "ERROR: One or more monitor/logging license keys are missing"
+        exit 1
+    fi
+
+    # Write variables to .env.production file
+    echo "Writing environment variables to .env.production..."
+
+    # Remove existing DB_HOST, REDIS_URL, and S3_ATTACHMENTS_BUCKET lines if they exist
+    if [ -f "./.env.production" ]; then
+        echo "Removing existing variables from .env.production"
+        grep -v "^DB_HOST=" ./.env.production > ./.env.production.tmp || true
+        grep -v "^REDIS_URL=" ./.env.production.tmp > ./.env.production || true
+        grep -v "^S3_ATTACHMENTS_BUCKET=" ./.env.production.tmp > ./.env.production || true
+        grep -v "^AIRBRAKE_ID=" ./.env.production.tmp > ./.env.production || true
+        grep -v "^AIRBRAKE_KEY=" ./.env.production.tmp > ./.env.production || true
+        grep -v "^NEWRELIC_LICENSE_KEY=" ./.env.production.tmp > ./.env.production || true
+        grep -v "^NEWRELIC_APP_NAME=" ./.env.production.tmp > ./.env.production || true
+        grep -v "^NEWRELIC_MONITOR_MODE=" ./.env.production.tmp > ./.env.production || true
+        rm -f ./.env.production.tmp
+    fi
+    
+    # Append the new credentials
+    echo "DB_HOST=$DB_HOST" >> ./.env.production
+    echo "REDIS_URL=$REDIS_URL" >> ./.env.production
+    echo "S3_ATTACHMENTS_BUCKET=$S3_ATTACHMENTS_BUCKET" >> ./.env.production
+    echo "AIRBRAKE_ID=$AIRBRAKE_ID" >> ./.env.production
+    echo "AIRBRAKE_KEY=$AIRBRAKE_KEY" >> ./.env.production
+    echo "NEWRELIC_LICENSE_KEY=$NEWRELIC_LICENSE_KEY" >> ./.env.production
+    echo "NEWRELIC_APP_NAME=$NEWRELIC_APP_NAME" >> ./.env.production
+    echo "NEWRELIC_MONITOR_MODE=$NEWRELIC_MONITOR_MODE" >> ./.env.production
+
+    echo "✓ Environment variables successfully retrieved and written to .env.production"
+}
+
+# Function to setup database
+setup_database() {
+    echo "Running database migrations..."
+    ./bin/rails db:migrate
+
+    if [ $? -eq 0 ]; then
+        echo "✓ Database migrations completed successfully"
+    else
+        echo "ERROR: Database migrations failed"
+        exit 1
+    fi
+}
+
+set_environment() {
+    if [ -f "./.env.production" ]; then
+      echo "Setting environment variables from .env.production"
+      set -a
+      . ./.env.production
+      set +a
+    fi
+}
+
+# Main execution
+main() {
+    cd ../../app/
+
+    set_environment
+
+    check_aws_setup
+
+    echo "Starting CP Docuseal in production mode..."
+    echo "Rails Environment: ${RAILS_ENV:-production}"
+    
+    # Fetch database credentials from Secrets Manager
+    fetch_db_credentials
+    
+    # Fetch encryption key and write to config/master.key
+    fetch_encryption_key
+
+    # Fetch allowed hosts from Secrets Manager
+    fetch_allowed_hosts
+
+    # Fetch other environment variables from Secrets Manager
+    fetch_env_variables
+
+    # Load updated environment variables
+    set_environment
+    
+    # Setup and migrate database
+    setup_database
+    
+    echo "=== Startup Complete - Starting Rails Server ==="
+    echo "Database Host: ${DB_HOST:-not set}"
+    echo "Database Port: ${DB_PORT:-not set}"
+
+    # Start the Rails server
+    exec ./bin/rails server -b 0.0.0.0 -p "${PORT:-3000}"
+}
+
+# Execute main function
+main "$@" 

bin/start_staging

@@ -71,6 +71,46 @@ fetch_db_credentials() {
     echo "✓ Database credentials successfully retrieved and written to .env.staging"
 }
 
+# Function to fetch allowed hosts from AWS Secrets Manager and write to .env.staging
+fetch_allowed_hosts() {
+    echo "Fetching allowed hosts from AWS Secrets Manager..."
+
+    if [ -z "$ALLOWED_HOSTS_NAME" ]; then
+        echo "ERROR: ALLOWED_HOSTS_NAME environment variable is not set"
+        exit 1
+    fi
+
+    # Fetch the secret value, assume kept as JSON array
+    ALLOWED_HOSTS_JSON=$(aws secretsmanager get-secret-value \
+        --region "$AWS_REGION" \
+        --secret-id "$ALLOWED_HOSTS_NAME" \
+        --query SecretString \
+        --output text)
+
+    if [ $? -ne 0 ] || [ -z "$ALLOWED_HOSTS_JSON" ] || [ "$ALLOWED_HOSTS_JSON" = "null" ]; then
+        echo "ERROR: Failed to retrieve allowed hosts from AWS Secrets Manager"
+        exit 1
+    fi
+
+    # Extract the array and convert to comma-separated string
+    ALLOWED_HOSTS=$(echo "$ALLOWED_HOSTS_JSON" | jq -r '.allowed_hosts | join(",")')
+
+    if [ -z "$ALLOWED_HOSTS" ] || [ "$ALLOWED_HOSTS" = "null" ]; then
+        echo "ERROR: Failed to parse allowed hosts from secrets. Check that the secret contains 'allowed_hosts' key."
+        exit 1
+    fi
+
+    # Remove existing ALLOWED_HOSTS line if it exists
+    if [ -f "./.env.staging" ]; then
+        grep -v "^ALLOWED_HOSTS=" ./.env.staging > ./.env.staging.tmp || true
+        mv ./.env.staging.tmp ./.env.staging
+    fi
+
+    # Append the new allowed hosts
+    echo "ALLOWED_HOSTS=$ALLOWED_HOSTS" >> ./.env.staging
+    echo "✓ Allowed hosts successfully retrieved and written to .env.staging"
+}
+
 # Function to fetch encryption key from AWS Secrets Manager and write to config/master.key
 fetch_encryption_key() {
     echo "Fetching encryption key from AWS Secrets Manager..."
@@ -123,6 +163,12 @@ fetch_env_variables() {
     export DB_HOST=$(echo "$SECRET_JSON" | jq -r '.host')
     export REDIS_URL=$(echo "$SECRET_JSON" | jq -r '.redis_url')
     export S3_ATTACHMENTS_BUCKET=$(echo "$SECRET_JSON" | jq -r '.s3_attachments_bucket')
+    export AIRBRAKE_ID=$(echo "$SECRET_JSON" | jq -r '.airbrake_id')
+    export AIRBRAKE_KEY=$(echo "$SECRET_JSON" | jq -r '.airbrake_key')
+    export NEWRELIC_LICENSE_KEY=$(echo "$SECRET_JSON" | jq -r '.newrelic_license_key')
+    export NEWRELIC_APP_NAME=$(echo "$SECRET_JSON" | jq -r '.newrelic_app_name')
+    export NEWRELIC_MONITOR_MODE=$(echo "$SECRET_JSON" | jq -r '.newrelic_monitor_mode')
+
 
     # Validate that we got the values
     if [ "$DB_HOST" = "null" ] || [ "$REDIS_URL" = "null" ] || [ "$S3_ATTACHMENTS_BUCKET" = "null" ] || [ -z "$DB_HOST" ] || [ -z "$REDIS_URL" ] || [ -z "$S3_ATTACHMENTS_BUCKET" ]; then
@@ -130,6 +176,12 @@ fetch_env_variables() {
         echo "Expected JSON format: {\"key\": \"...\", ...}"
         exit 1
     fi
+
+    # Validate license keys exist for logging
+    if [ "$AIRBRAKE_ID" = "null" ] || [ "$AIRBRAKE_KEY" = "null" ] || [ "$NEWRELIC_LICENSE_KEY" = "null" ] || [ "$NEWRELIC_APP_NAME" = "null" ]; then
+        echo "ERROR: One or more monitor/logging license keys are missing"
+        exit 1
+    fi
     
     # Write variables to .env.staging file
     echo "Writing environment variables to .env.staging..."
@@ -140,6 +192,11 @@ fetch_env_variables() {
         grep -v "^DB_HOST=" ./.env.staging > ./.env.staging.tmp || true
         grep -v "^REDIS_URL=" ./.env.staging.tmp > ./.env.staging || true
         grep -v "^S3_ATTACHMENTS_BUCKET=" ./.env.staging.tmp > ./.env.staging || true
+        grep -v "^AIRBRAKE_ID=" ./.env.staging.tmp > ./.env.staging || true
+        grep -v "^AIRBRAKE_KEY=" ./.env.staging.tmp > ./.env.staging || true
+        grep -v "^NEWRELIC_LICENSE_KEY=" ./.env.staging.tmp > ./.env.staging || true
+        grep -v "^NEWRELIC_APP_NAME=" ./.env.staging.tmp > ./.env.staging || true
+        grep -v "^NEWRELIC_MONITOR_MODE=" ./.env.staging.tmp > ./.env.staging || true
         rm -f ./.env.staging.tmp
     fi
     
@@ -147,6 +204,11 @@ fetch_env_variables() {
     echo "DB_HOST=$DB_HOST" >> ./.env.staging
     echo "REDIS_URL=$REDIS_URL" >> ./.env.staging
     echo "S3_ATTACHMENTS_BUCKET=$S3_ATTACHMENTS_BUCKET" >> ./.env.staging
+    echo "AIRBRAKE_ID=$AIRBRAKE_ID" >> ./.env.staging
+    echo "AIRBRAKE_KEY=$AIRBRAKE_KEY" >> ./.env.staging
+    echo "NEWRELIC_LICENSE_KEY=$NEWRELIC_LICENSE_KEY" >> ./.env.staging
+    echo "NEWRELIC_APP_NAME=$NEWRELIC_APP_NAME" >> ./.env.staging
+    echo "NEWRELIC_MONITOR_MODE=$NEWRELIC_MONITOR_MODE" >> ./.env.staging
 
     echo "✓ Environment variables successfully retrieved and written to .env.staging"
 }
@@ -190,6 +252,9 @@ main() {
     # Fetch encryption key and write to config/master.key
     fetch_encryption_key
 
+    # Fetch allowed hosts from Secrets Manager
+    fetch_allowed_hosts
+
     # Fetch other environment variables from Secrets Manager
     fetch_env_variables
 

config/environments/production.rb

@@ -40,10 +40,6 @@ Rails.application.configure do
   config.active_storage.service =
     if ENV['S3_ATTACHMENTS_BUCKET'].present?
       :aws_s3
-    elsif ENV['GCS_BUCKET'].present?
-      :google
-    elsif ENV['AZURE_CONTAINER'].present?
-      :azure
     else
       :disk
     end
@@ -57,10 +53,10 @@ Rails.application.configure do
   # config.action_cable.allowed_request_origins = [ "http://example.com", /http:\/\/example.*/ ]
 
   # Assume all access to the app is happening through a SSL-terminating reverse proxy.
-  config.assume_ssl = ENV['FORCE_SSL'].present? && ENV['FORCE_SSL'] != 'false'
+  config.assume_ssl = true
 
   # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
-  config.force_ssl = ENV['FORCE_SSL'].present? && ENV['FORCE_SSL'] != 'false'
+  config.force_ssl = true
 
   # Include generic and useful information about system operation, but avoid logging too much
   # information to avoid inadvertent exposure of personally identifiable information (PII).
@@ -162,4 +158,12 @@ Rails.application.configure do
       raid: resource.try(:account_id)
     }
   end
+
+  config.host_authorization = { exclude: ->(request) { request.path == '/up' } }
+
+  # Load allowed hosts from environment variable
+  allowed_hosts = ENV['ALLOWED_HOSTS']&.split(',')&.map(&:strip) || ['.*\\.careerplug\\.com\\Z']
+
+  config.host_authorization = { exclude: ->(request) { request.path == '/up' } }
+  allowed_hosts.each { |host_pattern| config.hosts << Regexp.new(host_pattern) }
 end

config/environments/staging.rb

@@ -95,9 +95,28 @@ Rails.application.configure do
   # require "syslog/logger"
   # config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new "app-name")
 
-  logger           = ActiveSupport::Logger.new($stdout)
+  # logger           = ActiveSupport::Logger.new($stdout)
-  logger.formatter = config.log_formatter
+  # logger.formatter = config.log_formatter
-  config.logger    = ActiveSupport::TaggedLogging.new(logger)
+  # config.logger    = ActiveSupport::TaggedLogging.new(logger)
+
+  # NEWRELIC_MONITOR_MODE enables stdout logger sync for worker/web via NR APM
+  if ENV['NEWRELIC_MONITOR_MODE'].presence
+    config.logger = ActiveSupport::TaggedLogging.new(
+      Logger.new($stdout)
+    )
+
+    config.active_job.logger = ActiveSupport::TaggedLogging.new(
+      Logger.new($stdout)
+    )
+  else
+    config.logger = ActiveSupport::TaggedLogging.new(
+      Syslog::Logger.new('rails-main')
+    )
+
+    config.active_job.logger = ActiveSupport::TaggedLogging.new(
+      Syslog::Logger.new('rails-sidekiq')
+    )
+  end
 
   encryption_secret = ENV['ENCRYPTION_SECRET'].presence || Digest::SHA256.hexdigest(ENV['SECRET_KEY_BASE'].to_s)
 
@@ -154,11 +173,9 @@ Rails.application.configure do
     }
   end
 
+  # Load allowed hosts from environment variable
+  allowed_hosts = ENV['ALLOWED_HOSTS']&.split(',')&.map(&:strip) || ['.*\\.careerplug\\.com\\Z']
+
   config.host_authorization = { exclude: ->(request) { request.path == '/up' } }
-  [
+  allowed_hosts.each { |host_pattern| config.hosts << Regexp.new(host_pattern) }
-    /.*\.careerplug\.org\Z/,
-    /.*\.careerplug\.com\Z/,
-    /.*\.cpstaging\d\.click\Z/,
-    /.*\.cpstaging\d+\.name\Z/
-  ].each { |hrexp| config.hosts << hrexp }
 end

config/initializers/airbrake.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+unless ENV['DOCKER_BUILD'] || ENV['CI_BUILD']
+  Airbrake.configure do |config|
+    config.project_key = ENV['AIRBRAKE_KEY'] # rubocop:disable Style/FetchEnvVar
+    config.project_id = ENV['AIRBRAKE_ID'] # rubocop:disable Style/FetchEnvVar
+    config.environment = Rails.env
+    config.ignore_environments = %w[development test]
+    config.root_directory = '/var/cpd/app'
+  end
+end

config/puma.rb

@@ -8,7 +8,7 @@
 
 require_relative 'dotenv'
 
-max_threads_count = ENV.fetch('RAILS_MAX_THREADS', 15)
+max_threads_count = ENV.fetch('RAILS_MAX_THREADS', 5)
 min_threads_count = ENV.fetch('RAILS_MIN_THREADS') { max_threads_count }
 threads min_threads_count, max_threads_count
 
@@ -39,7 +39,7 @@ if ENV['WEB_CONCURRENCY_AUTO'] == 'true'
 
   workers Etc.nprocessors
 else
-  workers ENV.fetch('WEB_CONCURRENCY', 0)
+  workers ENV.fetch('WEB_CONCURRENCY', 1)
 end
 
 # Use the `preload_app!` method when specifying a `workers` number.