def add_to_bacula_master(shortname=None, path=None, bacula_host_string=None):
    """Register this server's Bacula client configuration on the Bacula master.

    Each argument falls back to the ``env`` key of the same name; ``err`` is
    called when neither source provides a value. Every remote command below
    runs against ``bacula_host_string`` rather than the current host.
    """
    resolved_shortname = shortname or env.get("shortname") or err("env.shortname must be set")
    resolved_path = path or env.get("path") or err("env.path must be set")
    master = (
        bacula_host_string
        or env.get("bacula_host_string")
        or err("env.bacula_host_string must be set")
    )
    opts = {
        "shortname": resolved_shortname,
        "path": resolved_path,
        "bacula_host_string": master,
    }

    local_template = "%(path)s/etc/bacula-client.conf" % opts
    client_conf = "/etc/bacula/clients/%(shortname)s.conf" % opts
    # The fileset file lists what to back up for this server. Every project
    # installed on the server appends to it (see add_files_to_backup in
    # project.py).
    fileset_path = "/etc/bacula/clients/%(shortname)s-fileset.txt" % opts

    with settings(host_string=master):
        # Push the project-specific client definition to the master.
        upload_template(local_template, client_conf, use_sudo=True)

        # Create an empty fileset owned by the bacula user on first registration.
        if not exists(fileset_path):
            sudo("touch %s" % fileset_path)
            sudo("chown bacula %s" % fileset_path)

        # Restart the director so it picks up the new client configuration.
        sudo("service bacula-director restart")
def add_to_bacula_master(shortname=None, path=None, bacula_host_string=None):
    """Upload this server's Bacula client definition to the Bacula master.

    Arguments left as ``None`` are read from ``env``; ``err`` is called for
    any value that is missing from both. The upload, the fileset creation and
    the director restart all run on ``bacula_host_string``.
    """
    opts = {
        'shortname': shortname or env.get('shortname') or err('env.shortname must be set'),
        'path': path or env.get('path') or err('env.path must be set'),
        'bacula_host_string': (
            bacula_host_string
            or env.get('bacula_host_string')
            or err('env.bacula_host_string must be set')
        ),
    }

    with settings(host_string=opts['bacula_host_string']):
        # Project-specific client configuration.
        upload_template(
            '%(path)s/etc/bacula-client.conf' % opts,
            '/etc/bacula/clients/%(shortname)s.conf' % opts,
            use_sudo=True,
        )

        # The fileset is the list of files to back up for this server. It is
        # extended by every project installed here (add_files_to_backup in
        # project.py), so it is only created when it does not exist yet.
        fileset_path = '/etc/bacula/clients/%(shortname)s-fileset.txt' % opts
        fileset_missing = not exists(fileset_path)
        if fileset_missing:
            sudo('touch %s' % fileset_path)
            sudo('chown bacula %s' % fileset_path)

        # Make the director reload its configuration.
        sudo("service bacula-director restart")
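def upload_sphinx(hq_ip=None, sphinx_dir=None, path=None):
    """Upload the HTML files generated by Sphinx to the HQ server.

    ``hq_ip`` and ``path`` fall back to ``env`` and call ``err`` when unset.
    ``sphinx_dir`` falls back to ``env['sphinx_dir']`` and then to
    ``niteoweb.<env.shortname>``. Any existing docs directory is renamed to
    ``<sphinx_dir>.bak`` before the new one is moved into place.
    """
    opts = dict(
        hq_ip=hq_ip or env.get('hq_ip') or err("env.hq_ip must be set"),
        sphinx_dir=sphinx_dir or env.get('sphinx_dir') or 'niteoweb.%(shortname)s' % env,
        path=path or env.get('path') or err('env.path must be set'),
    )

    with settings(host_string='%(hq_ip)s:22' % opts):
        with settings(host=opts['hq_ip']):  # additionally needed for rsync_project

            # back up the existing docs
            if exists('/var/www/sphinx/%(sphinx_dir)s' % opts):
                sudo('mv /var/www/sphinx/%(sphinx_dir)s /var/www/sphinx/%(sphinx_dir)s.bak' % opts)

            # upload the new docs to a staging directory
            # NOTE(review): the staging path under /tmp is predictable; on a
            # host with other local users, confirm nobody else can pre-create
            # it before the sudo mv below publishes its contents.
            rsync_project(
                local_dir='%(path)s/docs/html/' % opts,
                remote_dir='/tmp/%(sphinx_dir)s' % opts,
            )

            # Move them into place. Formatted with opts, not env: env has no
            # 'sphinx_dir' key when the value came from the argument or from
            # the default, and could otherwise name a different directory than
            # the one just uploaded.
            sudo('mv /tmp/%(sphinx_dir)s /var/www/sphinx/%(sphinx_dir)s' % opts)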
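def set_hostname(server_ip=None, hostname=None):
    """Set the server's hostname and record it in /etc/hosts.

    Both arguments fall back to the ``env`` key of the same name; ``err`` is
    called when a value is missing from both. Each run appends a new line to
    /etc/hosts.
    """
    opts = dict(
        # env.get() instead of attribute access: if env is Fabric's env, a
        # missing attribute raises AttributeError before err() can report
        # which setting is absent. This also matches the sibling tasks.
        server_ip=server_ip or env.get('server_ip') or err("env.server_ip must be set"),
        hostname=hostname or env.get('hostname') or err("env.hostname must be set"),
    )

    # NOTE(review): both values are interpolated unquoted into commands that
    # run as root, so they must only come from trusted deployment config.
    sudo('echo "\n%(server_ip)s %(hostname)s" >> /etc/hosts' % opts)
    sudo('echo "%(hostname)s" > /etc/hostname' % opts)
    sudo('hostname %(hostname)s' % opts)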
def configure_bacula_master(path=None):
    """Upload the Bacula Master configuration files and restart the director.

    ``path`` falls back to ``env['path']``; ``err`` is called when neither is
    set. Templates are read from ``<path>/etc`` and written to /etc/bacula.
    """
    opts = {'path': path or env.get('path') or err('env.path must be set')}

    # (local template, remote destination), uploaded in this order.
    # NOTE(review): Bacula configuration files usually carry daemon passwords;
    # confirm the owner and mode of the uploaded files on the target.
    uploads = (
        ('%(path)s/etc/bacula-dir.conf', '/etc/bacula/bacula-dir.conf'),
        ('%(path)s/etc/bacula-sd.conf', '/etc/bacula/bacula-sd.conf'),
        ('%(path)s/etc/bconsole.conf', '/etc/bacula/bconsole.conf'),
        ('%(path)s/etc/pool_defaults.conf', '/etc/bacula/pool_defaults.conf'),
        ('%(path)s/etc/pool_full_defaults.conf', '/etc/bacula/pool_full_defaults.conf'),
        ('%(path)s/etc/pool_diff_defaults.conf', '/etc/bacula/pool_diff_defaults.conf'),
        ('%(path)s/etc/pool_inc_defaults.conf', '/etc/bacula/pool_inc_defaults.conf'),
    )
    for local_template, remote_path in uploads:
        upload_template(local_template % opts, remote_path, use_sudo=True)

    sudo('service bacula-director restart')
def install_unattended_upgrades(email=None):
    """Make Ubuntu install security updates automatically.

    ``email`` (or ``env['email']``) becomes the Unattended-Upgrade::Mail
    address; ``err`` is called when neither is set.
    """
    notify_address = email or env.get('email') or err('env.email must be set')
    opts = {'email': notify_address}

    unattended_conf = '/etc/apt/apt.conf.d/50unattended-upgrades'
    periodic_conf = '/etc/apt/apt.conf.d/10periodic'

    sudo('apt-get -yq install unattended-upgrades')

    # Enable the commented-out mail setting and point it at the admin address.
    sed(
        unattended_conf,
        '//Unattended-Upgrade::Mail "root@localhost";',
        'Unattended-Upgrade::Mail "%(email)s";' % opts,
        use_sudo=True,
    )

    # Turn on package download and weekly autoclean in the periodic config.
    periodic_changes = (
        ('APT::Periodic::Download-Upgradeable-Packages "0";',
         'APT::Periodic::Download-Upgradeable-Packages "1";'),
        ('APT::Periodic::AutocleanInterval "0";',
         'APT::Periodic::AutocleanInterval "7";'),
    )
    for before, after in periodic_changes:
        sed(periodic_conf, before, after, use_sudo=True)

    # Finally switch the unattended upgrade run itself on.
    append(periodic_conf, 'APT::Periodic::Unattended-Upgrade "1";', use_sudo=True)
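def install_rkhunter(email=None):
    """Install and configure RootKit Hunter.

    ``email`` (or ``env['email']``) receives the warning mails; ``err`` is
    called when neither is set.
    """
    opts = dict(email=email or env.get('email') or err('env.email must be set'))

    # install RKHunter
    sudo('apt-get -yq install rkhunter')

    # send emails on warnings
    uncomment('/etc/rkhunter.conf', '#MAIL-ON-WARNING=me@mydomain root@mydomain', use_sudo=True)
    sed('/etc/rkhunter.conf', 'me@mydomain root@mydomain', opts['email'], use_sudo=True)

    # Ignore some Ubuntu-specific hidden directories. Raw strings keep the
    # same pattern text while avoiding the invalid "\/" escape sequence that
    # newer Python versions warn about.
    for pattern in (
        r'#ALLOWHIDDENDIR=\/dev\/.udev',
        r'#ALLOWHIDDENDIR=\/dev\/.static',
        r'#ALLOWHIDDENDIR=\/dev\/.initramfs',
    ):
        uncomment('/etc/rkhunter.conf', pattern, use_sudo=True)

    # Update the file properties DB every time apt-get install runs; this
    # prevents warnings every time a new version of some package is installed.
    # NOTE(review): the trade-off is that files changed by any package
    # installation are accepted into the baseline without review.
    append('/etc/default/rkhunter',
           '# Update file properties database after running apt-get install',
           use_sudo=True)
    append('/etc/default/rkhunter', 'APT_AUTOGEN="yes"', use_sudo=True)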
def configure_bacula_master(path=None):
    """Upload the Bacula Master configuration files and restart the director.

    ``path`` falls back to ``env['path']``; ``err`` is called when neither is
    set.
    """
    source_root = path or env.get('path') or err('env.path must be set')
    opts = {'path': source_root}

    # XXX: Shouldn't the file owner be the bacula user rather than the user
    # running the fabric commands?
    templates = [
        ('%(path)s/etc/bacula-dir.conf', '/etc/bacula/bacula-dir.conf'),
        ('%(path)s/etc/bacula-sd.conf', '/etc/bacula/bacula-sd.conf'),
        ('%(path)s/etc/bconsole.conf', '/etc/bacula/bconsole.conf'),
        ('%(path)s/etc/pool_defaults.conf', '/etc/bacula/pool_defaults.conf'),
        ('%(path)s/etc/pool_full_defaults.conf', '/etc/bacula/pool_full_defaults.conf'),
        ('%(path)s/etc/pool_diff_defaults.conf', '/etc/bacula/pool_diff_defaults.conf'),
        ('%(path)s/etc/pool_inc_defaults.conf', '/etc/bacula/pool_inc_defaults.conf'),
    ]
    for source, destination in templates:
        upload_template(source % opts, destination, use_sudo=True)

    sudo('service bacula-director restart')
def configure_bacula_client(path=None):
    """Upload the Bacula File Daemon (client) configuration and restart it.

    ``path`` falls back to ``env['path']``; ``err`` is called when neither is
    set.
    """
    source_root = path or env.get('path') or err('env.path must be set')
    opts = {'path': source_root}

    local_template = '%(path)s/etc/bacula-fd.conf' % opts
    upload_template(local_template, '/etc/bacula/bacula-fd.conf', use_sudo=True)

    # The daemon only reads its configuration at start-up.
    sudo('service bacula-fd restart')
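def add_files_to_backup(host_shortname=None, bacula_ip=None, bacula_fileset=None):
    """Append a list of project files to back up to this host's fileset.

    ``host_shortname`` and ``bacula_ip`` fall back to ``env`` and call ``err``
    when unset. ``bacula_fileset`` is a local file; it defaults to
    ``etc/bacula-fileset.txt`` under the current working directory. Its
    content is appended to the host's fileset on the Bacula master, after
    which the director is restarted.
    """
    opts = dict(
        # env.get() instead of attribute access: if env is Fabric's env, a
        # missing attribute raises AttributeError before err() is reached.
        host_shortname=host_shortname or env.get('host_shortname') or err("env.host_shortname must be set"),
        bacula_ip=bacula_ip or env.get('bacula_ip') or err("env.bacula_ip must be set"),
        bacula_fileset=bacula_fileset or env.get('bacula_fileset') or '%s/etc/bacula-fileset.txt' % os.getcwd(),
    )

    # Read the local list up front and close the file handle deterministically.
    with open(opts['bacula_fileset']) as fileset:
        entries = fileset.read()

    with settings(host_string=opts['bacula_ip']):
        # Formatted with opts, not env, so an explicit host_shortname argument
        # selects the fileset that is actually written.
        append(
            '/etc/bacula/clients/%(host_shortname)s-fileset.txt' % opts,
            entries,
            use_sudo=True
        )

        # reload bacula master configuration
        sudo("service bacula-director restart")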
def configure_bacula_client(path=None):
    """Install the Bacula File Daemon (client) configuration and restart it.

    The template is read from ``<path>/etc/bacula-fd.conf``; ``path`` falls
    back to ``env['path']`` and ``err`` is called when neither is set.
    """
    opts = {'path': path or env.get('path') or err('env.path must be set')}
    remote_conf = '/etc/bacula/bacula-fd.conf'

    upload_template('%(path)s/etc/bacula-fd.conf' % opts, remote_conf, use_sudo=True)

    # Restart so the uploaded configuration takes effect.
    sudo('service bacula-fd restart')
def add_to_bacula_master(shortname=None, path=None, bacula_host_string=None):
    """Upload this server's Bacula client configuration to the Bacula master.

    Arguments left as ``None`` are read from ``env``; ``err`` is called for
    any value missing from both. The upload and the director restart run on
    ``bacula_host_string``.
    """
    opts = {
        'shortname': shortname or env.get('shortname') or err('env.shortname must be set'),
        'path': path or env.get('path') or err('env.path must be set'),
        'bacula_host_string': (
            bacula_host_string
            or env.get('bacula_host_string')
            or err('env.bacula_host_string must be set')
        ),
    }
    local_template = '%(path)s/etc/bacula-master.conf' % opts
    remote_conf = '/etc/bacula/clients/%(shortname)s.conf' % opts

    with settings(host_string=opts['bacula_host_string']):
        # Project-specific configuration for this client.
        upload_template(local_template, remote_conf, use_sudo=True)

        # Make the director reload its configuration.
        sudo("service bacula-director restart")
def install_sendmail(email=None):
    """Set up a localhost SMTP server for system notifications to the admins.

    ``email`` falls back to ``env['email']``; ``err`` is called when neither
    is set.
    """
    recipient = email or env.get("email") or err("env.email must be set")
    opts = {"email": recipient}

    # Install sendmail and its supporting packages.
    install_command = "apt-get -yq install sendmail sendmail-base sendmail-bin sendmail-cf sensible-mda rmail"
    sudo(install_command)

    # Alias root to the maintenance address so system mail ends up there.
    root_alias = "root: %(email)s" % opts
    append("/etc/aliases", root_alias, use_sudo=True)
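def add_files_to_backup(host_shortname=None, bacula_ip=None, bacula_fileset=None):
    """Append a list of project files to back up to this host's fileset.

    ``host_shortname`` and ``bacula_ip`` fall back to ``env`` and call ``err``
    when unset. ``bacula_fileset`` names a local file and defaults to
    ``etc/bacula-fileset.txt`` under the current working directory. The file's
    content is appended to the fileset on the Bacula master and the director
    is restarted.
    """
    opts = dict(
        # env.get() rather than env.host_shortname: with Fabric's env, a
        # missing attribute raises AttributeError, so err() would never run.
        host_shortname=host_shortname or env.get('host_shortname') or err("env.host_shortname must be set"),
        bacula_ip=bacula_ip or env.get('bacula_ip') or err("env.bacula_ip must be set"),
        bacula_fileset=bacula_fileset or env.get('bacula_fileset') or '%s/etc/bacula-fileset.txt' % os.getcwd(),
    )

    # Use a context manager so the local file handle is closed.
    with open(opts['bacula_fileset']) as local_fileset:
        fileset_entries = local_fileset.read()

    with settings(host_string=opts['bacula_ip']):
        # The remote path is built from opts (not env) so that a
        # host_shortname passed as an argument is honoured.
        append('/etc/bacula/clients/%(host_shortname)s-fileset.txt' % opts,
               fileset_entries,
               use_sudo=True)

        # reload bacula master configuration
        sudo("service bacula-director restart")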
def raid_monitoring(email=None):
    """Configure RAID and SMART monitoring with e-mail alerts.

    ``email`` falls back to ``env['email']``; ``err`` is called when neither
    is set.
    """
    alert_address = email or env.get("email") or err("env.email must be set")
    opts = {"email": alert_address}

    # Tell the mdadm RAID monitor where to send its notifications.
    mailaddr_line = "MAILADDR %(email)s" % opts
    append("/etc/mdadm/mdadm.conf", mailaddr_line, use_sudo=True)

    # Install smartmontools and enable the start_smartd setting for SMART
    # disk monitoring.
    sudo("apt-get -yq install smartmontools")
    uncomment("/etc/default/smartmontools", "#start_smartd=yes", use_sudo=True)
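def configure_ufw(rules=None):
    """Reset Uncomplicated Firewall, apply ``rules`` and re-enable it.

    ``rules`` falls back to ``env['rules']``; ``err`` is called when neither
    is set. Each rule is a complete command string that is passed to ``sudo``
    unchanged.
    """
    # Resolve the rules before touching the firewall. Resetting first meant
    # that a missing rule set was only reported after the existing rules had
    # already been discarded. env.get() is used because attribute access on
    # Fabric's env raises AttributeError for a missing key.
    rules = rules or env.get('rules') or err("env.rules must be set")

    # reset rules so we start from scratch
    sudo('ufw --force reset')

    # NOTE(review): every entry runs verbatim as root, so the rule list must
    # only come from trusted deployment configuration.
    for rule in rules:
        sudo(rule)

    # re-enable firewall and print rules
    sudo('ufw --force enable')
    sudo('ufw status verbose')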
def raid_monitoring(email=None):
    """Set up e-mail alerts for the RAID array and for SMART disk monitoring.

    ``email`` falls back to ``env['email']``; ``err`` is called when neither
    is set.
    """
    opts = {'email': email or env.get('email') or err('env.email must be set')}
    mdadm_conf = '/etc/mdadm/mdadm.conf'
    smartmontools_defaults = '/etc/default/smartmontools'

    # mdadm's monitor mails this address.
    append(mdadm_conf, 'MAILADDR %(email)s' % opts, use_sudo=True)

    # SMART monitoring: install the tools, then enable start_smartd.
    sudo('apt-get -yq install smartmontools')
    uncomment(smartmontools_defaults, '#start_smartd=yes', use_sudo=True)
def install_sendmail(email=None):
    """Install sendmail so the host can mail system notifications to admins.

    ``email`` falls back to ``env['email']``; ``err`` is called when neither
    is set.
    """
    maintenance_email = email or env.get('email') or err('env.email must be set')
    opts = {'email': maintenance_email}

    sudo('apt-get -yq install sendmail')

    # Deliver everything addressed to root to the maintenance address.
    alias_line = 'root: %(email)s' % opts
    append('/etc/aliases', alias_line, use_sudo=True)
def install_sendmail(email=None):
    """Prepare a localhost SMTP server that mails system notifications to admins.

    ``email`` falls back to ``env['email']``; ``err`` is called when neither
    is set.
    """
    opts = {'email': email or env.get('email') or err('env.email must be set')}
    aliases_file = '/etc/aliases'

    # Install sendmail together with its supporting packages.
    sudo('apt-get -yq install sendmail sendmail-base sendmail-bin sendmail-cf sensible-mda rmail')

    # Route all mail for root to the maintenance address.
    append(aliases_file, 'root: %(email)s' % opts, use_sudo=True)
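def create_admin_accounts(admins=None, default_password=None):
    """Create admin accounts, so admins can access the server.

    ``admins`` falls back to ``env['admins']``; ``err`` is called when neither
    is set. ``default_password`` falls back to ``env['default_password']`` and
    then to a hard-coded literal. Unless ``env['confirm']`` is set, the
    operator is asked to confirm after the accounts have been created.
    """
    opts = dict(
        admins=admins or env.get('admins') or err("env.admins must be set"),
        # NOTE(review): the last fallback is a well-known literal. Any account
        # left on it is trivially guessable until its owner changes it, so
        # supply a unique value per deployment.
        default_password=default_password or env.get('default_password') or 'secret',
    )

    for admin in opts["admins"]:
        # Pass the resolved password. The raw argument is None whenever the
        # value came from env or from the fallback, so the password announced
        # below could differ from the one handed to create_admin_account.
        # NOTE(review): create_admin_account is defined elsewhere; confirm it
        # does not rely on receiving None here.
        create_admin_account(admin, default_password=opts['default_password'])

    if not env.get('confirm'):
        # NOTE(review): the prompt prints the password in clear text on the
        # operator's terminal and in any captured output.
        # The space after "Notify" was missing, which fused two words.
        confirm("Users %(admins)s were successfully created. Notify "
                "them that they must login and change their default password "
                "(%(default_password)s) with the ``passwd`` command. Proceed?" % opts)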
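def upload_sphinx(hq_ip=None, sphinx_dir=None, path=None):
    """Upload the HTML files generated by Sphinx to the HQ server.

    ``hq_ip`` and ``path`` fall back to ``env`` and call ``err`` when unset.
    ``sphinx_dir`` falls back to ``env['sphinx_dir']`` and then to
    ``niteoweb.<env.shortname>``. An existing docs directory is renamed to
    ``<sphinx_dir>.bak`` before the uploaded copy is moved into place.
    """
    opts = dict(
        hq_ip=hq_ip or env.get('hq_ip') or err("env.hq_ip must be set"),
        sphinx_dir=sphinx_dir or env.get('sphinx_dir') or 'niteoweb.%(shortname)s' % env,
        path=path or env.get('path') or err('env.path must be set'),
    )
    published_dir = '/var/www/sphinx/%(sphinx_dir)s' % opts

    # host= is additionally needed for rsync_project
    with settings(host_string='%(hq_ip)s:22' % opts, host=opts['hq_ip']):

        # back up existing docs
        if exists(published_dir):
            sudo('mv /var/www/sphinx/%(sphinx_dir)s /var/www/sphinx/%(sphinx_dir)s.bak' % opts)

        # upload new docs
        # NOTE(review): the upload is staged under a predictable /tmp path and
        # then moved with sudo; on a multi-user host, confirm that directory
        # cannot be prepared by another local account.
        rsync_project(
            local_dir='%(path)s/docs/html/' % opts,
            remote_dir='/tmp/%(sphinx_dir)s' % opts,
        )

        # Move them into place. This must format with opts: env does not hold
        # 'sphinx_dir' when it was passed as an argument or defaulted, so
        # formatting with env could fail or target another directory.
        sudo('mv /tmp/%(sphinx_dir)s /var/www/sphinx/%(sphinx_dir)s' % opts)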
def configure_bacula_master(path=None):
    """Upload the Bacula Master configuration files and restart the director.

    ``path`` falls back to ``env["path"]``; ``err`` is called when neither is
    set.
    """
    opts = {"path": path or env.get("path") or err("env.path must be set")}

    # XXX: Shouldn't the file owner be set to the bacula user instead of the
    # user running the fabric commands?
    config_files = (
        ("%(path)s/etc/bacula-dir.conf", "/etc/bacula/bacula-dir.conf"),
        ("%(path)s/etc/bacula-sd.conf", "/etc/bacula/bacula-sd.conf"),
        ("%(path)s/etc/bconsole.conf", "/etc/bacula/bconsole.conf"),
        ("%(path)s/etc/pool_defaults.conf", "/etc/bacula/pool_defaults.conf"),
        ("%(path)s/etc/pool_full_defaults.conf", "/etc/bacula/pool_full_defaults.conf"),
        ("%(path)s/etc/pool_diff_defaults.conf", "/etc/bacula/pool_diff_defaults.conf"),
        ("%(path)s/etc/pool_inc_defaults.conf", "/etc/bacula/pool_inc_defaults.conf"),
    )
    for template, target in config_files:
        upload_template(template % opts, target, use_sudo=True)

    sudo("service bacula-director restart")
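def create_admin_accounts(admins=None, default_password=None):
    """Create admin accounts, so admins can access the server.

    ``admins`` falls back to ``env['admins']``; ``err`` is called when neither
    is set. ``default_password`` falls back to ``env['default_password']`` and
    finally to a hard-coded literal. Unless ``env['confirm']`` is set, the
    operator is prompted once all accounts exist.
    """
    opts = dict(
        admins=admins or env.get('admins') or err("env.admins must be set"),
        # NOTE(review): falling back to a fixed, widely known password leaves
        # new accounts guessable until each admin changes it; prefer passing a
        # per-deployment value.
        default_password=default_password or env.get('default_password') or 'secret',
    )
    resolved_password = opts['default_password']

    for admin in opts["admins"]:
        # Hand over the resolved value, not the raw argument: the argument is
        # None when the password came from env or the fallback, which let the
        # prompt below announce a password that was never passed on.
        # NOTE(review): verify create_admin_account (defined elsewhere) does
        # not depend on being given None.
        create_admin_account(admin, default_password=resolved_password)

    if not env.get('confirm'):
        # NOTE(review): this shows the password in clear text to whoever can
        # see the terminal or the captured task output.
        # A space was added after "Notify"; the pieces used to join as one word.
        confirm(
            "Users %(admins)s were successfully created. Notify "
            "them that they must login and change their default password "
            "(%(default_password)s) with the ``passwd`` command. Proceed?" %
            opts)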
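def install_ipsec(racoonconf=None, psktxt=None, server_ip=None):
    """Install and configure an IPsec server.

    ``racoonconf`` and ``psktxt`` are passed to ``configure_racoon``
    unchanged. ``server_ip`` falls back to ``env['server_ip']``; ``err`` is
    called when neither is set.
    """
    opts = dict(
        # env.get() instead of env.server_ip: with Fabric's env, a missing
        # attribute raises AttributeError before err() can name the setting.
        server_ip=server_ip or env.get('server_ip') or err("env.server_ip must be set"),
    )

    # install and configure racoon
    sudo('apt-get -yq install racoon')
    configure_racoon(racoonconf, psktxt)

    # forward traffic so IPsec-ed devices have internet
    sudo('apt-get -yq install iptables-persistent')
    uncomment('/etc/sysctl.conf', 'net.ipv4.ip_forward = 1', use_sudo=True)
    sudo('iptables-save > /etc/iptables/rules')
    # NOTE(review): this appends an "iptables ..." command line to a file that
    # was just written by iptables-save. Confirm that whatever restores
    # /etc/iptables/rules accepts that form and that the SNAT rule is really
    # active after a reboot.
    append('/etc/iptables/rules',
           'iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j SNAT --to-source %(server_ip)s' % opts,
           use_sudo=True)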
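def create_project_user(prod_user=None):
    """Add a user for a single project so the whole project can run under it.

    ``prod_user`` falls back to ``env['prod_user']``; ``err`` is called when
    neither is set. The user is created without a password, added to the
    ``projects`` group and given a ``~/.buildout/default.cfg`` symlink to
    /etc/buildout/default.cfg.
    """
    opts = dict(
        # env.get() instead of env.prod_user: with Fabric's env, a missing
        # attribute raises AttributeError, so err() was never reached.
        prod_user=prod_user or env.get('prod_user') or err("env.prod_user must be set"),
    )

    # Create the user unless it already exists. The pattern is anchored to the
    # login-name field: an unanchored match also hits other accounts whose
    # name, home directory or comment contains the string, which silently
    # skipped adduser.
    sudo('egrep "^%(prod_user)s:" /etc/passwd || adduser %(prod_user)s --disabled-password --gecos ""' % opts)

    # add user to `projects` group
    sudo('gpasswd -a %(prod_user)s projects' % opts)

    # Make use of buildout default.cfg. -p and -f keep a second run from
    # aborting on the directory and symlink created by the first one.
    sudo('mkdir -p /home/%(prod_user)s/.buildout' % opts)
    sudo('ln -sf /etc/buildout/default.cfg /home/%(prod_user)s/.buildout/default.cfg' % opts)
    sudo('chown -R %(prod_user)s:%(prod_user)s /home/%(prod_user)s/.buildout' % opts)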
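def install_ipsec(racoonconf=None, psktxt=None, server_ip=None):
    """Install and configure an IPsec server.

    ``racoonconf`` and ``psktxt`` are forwarded to ``configure_racoon`` as
    given. ``server_ip`` falls back to ``env['server_ip']``; ``err`` is called
    when neither is set.
    """
    # env.get() replaces attribute access, which on Fabric's env raises
    # AttributeError for a missing key and so bypassed the err() message.
    opts = dict(server_ip=server_ip or env.get('server_ip') or err("env.server_ip must be set"))

    # install and configure racoon
    sudo('apt-get -yq install racoon')
    configure_racoon(racoonconf, psktxt)

    # forward traffic so IPsec-ed devices have internet
    sudo('apt-get -yq install iptables-persistent')
    uncomment('/etc/sysctl.conf', 'net.ipv4.ip_forward = 1', use_sudo=True)
    sudo('iptables-save > /etc/iptables/rules')
    # NOTE(review): the appended line is an "iptables ..." command, while the
    # file above is iptables-save output. Check that the rules file is still
    # loadable and that the SNAT rule is in effect after a restart.
    append(
        '/etc/iptables/rules',
        'iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j SNAT --to-source %(server_ip)s' % opts,
        use_sudo=True)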
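def install_rkhunter(email=None):
    """Install and configure RootKit Hunter.

    ``email`` (or ``env["email"]``) receives the warning mails; ``err`` is
    called when neither is set.
    """
    opts = dict(email=email or env.get("email") or err("env.email must be set"))

    # install RKHunter
    sudo("apt-get -yq install rkhunter")

    # send emails on warnings
    uncomment("/etc/rkhunter.conf", "#MAIL-ON-WARNING=me@mydomain root@mydomain", use_sudo=True)
    sed("/etc/rkhunter.conf", "me@mydomain root@mydomain", opts["email"], use_sudo=True)

    # Ignore some Ubuntu-specific hidden directories. The patterns are raw
    # strings now: "\/" is not a valid escape sequence in a normal literal and
    # newer Python versions warn about it. The pattern text is unchanged.
    hidden_dir_patterns = (
        r"#ALLOWHIDDENDIR=\/dev\/.udev",
        r"#ALLOWHIDDENDIR=\/dev\/.static",
        r"#ALLOWHIDDENDIR=\/dev\/.initramfs",
    )
    for pattern in hidden_dir_patterns:
        uncomment("/etc/rkhunter.conf", pattern, use_sudo=True)

    # Update the file properties DB every time apt-get install runs; this
    # prevents warnings every time a new version of some package is installed.
    # NOTE(review): it also means that files replaced by any package install
    # enter the baseline without being reviewed.
    append(
        "/etc/default/rkhunter",
        "# Update file properties database after running apt-get install",
        use_sudo=True,
    )
    append("/etc/default/rkhunter", 'APT_AUTOGEN="yes"', use_sudo=True)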
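def create_project_user(prod_user=None):
    """Add a user for a single project so the whole project can run under it.

    ``prod_user`` falls back to ``env['prod_user']``; ``err`` is called when
    neither is set. The account is created without a password, joins the
    ``projects`` group and gets a ``~/.buildout/default.cfg`` symlink pointing
    at /etc/buildout/default.cfg.
    """
    # env.get() replaces env.prod_user, which on Fabric's env raises
    # AttributeError for a missing key instead of reaching err().
    opts = dict(prod_user=prod_user or env.get('prod_user') or err("env.prod_user must be set"))
    buildout_dir = '/home/%(prod_user)s/.buildout' % opts

    # Create the user only when no passwd entry starts with "<name>:". The
    # previous unanchored search also matched unrelated entries containing the
    # name, in which case the account was never created.
    sudo(
        'egrep "^%(prod_user)s:" /etc/passwd || adduser %(prod_user)s --disabled-password --gecos ""'
        % opts)

    # add user to `projects` group
    sudo('gpasswd -a %(prod_user)s projects' % opts)

    # Make use of buildout default.cfg. mkdir -p and ln -sf let the task be
    # re-run, in line with the guarded user creation above.
    sudo('mkdir -p %s' % buildout_dir)
    sudo('ln -sf /etc/buildout/default.cfg %s/default.cfg' % buildout_dir)
    sudo('chown -R %(prod_user)s:%(prod_user)s /home/%(prod_user)s/.buildout' % opts)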
def install_unattended_upgrades(email=None):
    """Configure Ubuntu to install security updates on its own.

    ``email`` falls back to ``env['email']`` and is written into the
    Unattended-Upgrade::Mail setting; ``err`` is called when neither is set.
    """
    opts = {'email': email or env.get('email') or err('env.email must be set')}
    periodic = '/etc/apt/apt.conf.d/10periodic'

    sudo('apt-get -yq install unattended-upgrades')

    # Uncomment the mail setting and replace the placeholder address.
    mail_setting = 'Unattended-Upgrade::Mail "%(email)s";' % opts
    sed('/etc/apt/apt.conf.d/50unattended-upgrades',
        '//Unattended-Upgrade::Mail "root@localhost";',
        mail_setting,
        use_sudo=True)

    # Enable downloading of upgradeable packages.
    sed(periodic,
        'APT::Periodic::Download-Upgradeable-Packages "0";',
        'APT::Periodic::Download-Upgradeable-Packages "1";',
        use_sudo=True)

    # Set the autoclean interval from "0" to "7".
    sed(periodic,
        'APT::Periodic::AutocleanInterval "0";',
        'APT::Periodic::AutocleanInterval "7";',
        use_sudo=True)

    # Enable the unattended upgrade run.
    append(periodic, 'APT::Periodic::Unattended-Upgrade "1";', use_sudo=True)
def configure_bacula_client(path=None):
    """Upload the Bacula File Daemon (client) configuration and restart it.

    ``path`` falls back to ``env["path"]``; ``err`` is called when neither is
    set.
    """
    project_path = path or env.get("path") or err("env.path must be set")
    opts = {"path": project_path}

    upload_template(
        "%(path)s/etc/bacula-fd.conf" % opts,
        "/etc/bacula/bacula-fd.conf",
        use_sudo=True,
    )

    # Restart the file daemon so it loads the uploaded configuration.
    sudo("service bacula-fd restart")