Beispiel #1
0
def configure():
    """ renders config of nginx and restarts gracefully
    """
    env.roles = ["proxy"]
    put_template("proxy_nginx.conf", "~/conf/nginx.conf", context=proxy_config())
    put_template("proxy_supervisor.ini", "~/conf/supervisor.ini", context=proxy_config())
    execute(supervisor.restart)
    print_successful()
Beispiel #2
0
def secure_account(user_account):
    """ ensures owner is correctly set on all files under $HOME of user_account, and limit appropriately for ssh
    """
    setup_env_for_user()
    sudo('chown -R {0} ~{0}/.'.format(user_account))
    sudo('chmod 700 ~{0}/. ~{0}/.ssh'.format(user_account))
    sudo('chmod 600 ~{0}/.ssh/authorized_keys'.format(user_account))
    print_successful()
Beispiel #3
0
def create_user(user_account, password):
    setup_env_for_user()
    execute(root.user_create, user_account, password)
    user_add_ssh(user_account, pub_key_file=env.key_filename + '.pub', use_sudo=True)
    dummy_port = 123  # bh sets env variable 'HTTP_LISTENING_PORT' to this one, but we won't use that env var
    execute(user.init_home_env, dummy_port, hosts=new_host_string(user=user_account))
    sudo('mkdir -p ~{}/conf'.format(user_account))
    secure_account(user_account)
    print_successful()
Beispiel #4
0
def bootstrap(template_dir, server_yaml, pub_key_file):
    """ run once to initialize an 'empty' Debian system. requires root access via password on port 22
    NOTE: after this command, can only login as 'admin' (it has sudo rights)

    - secures ssh access, creates 'admin' account with sudo rights
    - ensures hostname exists both in your /etc/hosts and in remote's /etc/hosts
    - restricts ssh: only login via ssh-key, no root login, ssh-port is non-standard
    - LOCALLY: adds ssh-key and ssh-port to your local ~/.ssh/config
    - installs denyhosts
    - installs some basic libraries (see debian_requirements)
    - iptables: routes 80 to configured port: {server.port_80_via}
    - iptables: routes 443 to configured port: {server.port_443_via}
    """
    server_config = get_config(env, yaml_file=server_yaml)
    my_put_template = partial(put_template, context=server_config, template_dir=template_dir)

    if not env.key_filename:
        print(red('Must generate a key for ssh to this server (see example_app/bootstrap.py)'))
    if 'root@' not in env.host_string or len(env.roles):
        print(red('Must be run as root! (hint: do not run with -R or -H)'))
        sys.exit(-1)
    setup_env_for_user()

    hostname = run('hostname')
    append('/etc/hosts', '127.0.0.1 {}'.format(hostname))
    local_append('/etc/hosts', text='{} {}'.format(env_ip(), hostname), refuse_keywords=[env_ip(), hostname],
                 use_sudo=True)
    run('apt-get -y --force-yes install sudo vim')
    debian_requirements()

    install(['denyhosts'])
    my_put_template('denyhosts.conf', '/etc/denyhosts.conf')
    run('/etc/init.d/denyhosts restart')

    password = gen_password()
    user_account = 'admin'
    with settings(hide('warnings'), warn_only=True):
        run('userdel -f -r {}'.format(user_account))
    run('useradd {user} -g {group}'.format(user=user_account, group='sudo'))
    print(red("Set password for admin (has sudo rights), type in: {} or choose one yourself".format(password)))
    passwd_retry('admin')
    user_add_ssh(user_account, pub_key_file=pub_key_file)
    local_ssh_config(env_ip(), hostname, server_config['server']['ssh_port'], env.key_filename)

    # TODO: lock down: http://rudd-o.com/linux-and-free-software/hardening-a-linux-server-in-10-minutes

    my_put_template('rc.local', '/etc/rc.local')
    my_put_template('init_supervisors.py', '/etc/init_supervisors.py')
    # config iptables
    run('/etc/rc.local')

    my_put_template('sshd_config', '/etc/ssh/sshd_config')
    # note after restart, can only login as admin via public key on ssh-port defined in template
    run('/etc/init.d/ssh restart')
    print_successful()
Beispiel #5
0
def create_instance(user_account):
    """ create account for user and install requirements
    """
    with total_silence():
        execute(supervisor.stop_program, 'all')        # in case this is re-init, stop all
    execute(admin.create_user, user_account, password='******', hosts=new_host_string('admin'))
    execute(system.python, hosts=new_host_string(user_account))
    execute(system.nginx, hosts=new_host_string(user_account))
    execute(system.uwsgi, hosts=new_host_string(user_account))
    execute(supervisor.install, hosts=new_host_string(user_account))
    print_successful()
Beispiel #6
0
def example_deploy(app_name):
    """ an example of a deploy function (run setup_example first)
    """
    run('pip install django')
    with cd('~/etc'):
        run('django-admin.py startproject {}'.format(app_name))
    run('mv ~/etc/{0}/{0}/wsgi.py ~/conf/wsgi.py'.format(app_name))
    fix_sys_path = ("import os\\n"
                    "import sys\\n"
                    "sys.path.insert(0, os.path.expanduser('~/etc/{}'))".format(app_name))
    run('sed -i "1i {}" ~/conf/wsgi.py'.format(fix_sys_path))
    execute(configure)
    print_successful()
Beispiel #7
0
def init():
    """ sets-up reverse-proxy
    """
    with total_silence():
        execute(supervisor.stop_program, "all")  # in case this is re-init, stop all
    execute(system.python)
    execute(system.nginx)
    execute(supervisor.install)
    execute(configure)
    print(yellow("generating self signed ssl for now (you should have yours signed and use proxy.update_ssl!)"))
    keys = dict(ssl_key=rel_path("dummy_ssl.key"), ssl_cert=rel_path("dummy_ssl.cert"))
    local("openssl req -nodes -new -x509 -keyout {ssl_key} -out {ssl_cert}".format(**keys))
    update_ssl(**keys)
    print_successful()
Beispiel #8
0
def configure():
    put_template('app_nginx.conf', '~/conf/nginx.conf', context=get_role_config(env))
    put_template('app_uwsgi.ini', '~/conf/uwsgi.ini', context=get_role_config(env))
    put_template('app_supervisor.ini', '~/conf/supervisor.ini', context=get_role_config(env))
    execute(supervisor.restart)
    print_successful()