def install0(**kwargs):
installed = lambda: run(
"dpkg-query --showformat='${Version}' --show elasticsearch",
quiet=True)
if sudo("dpkg -s elasticsearch", quiet=True, warn_only=True).failed:
sudo(
"wget -O - http://packages.elasticsearch.org/GPG-KEY-elasticsearch | apt-key add -"
)
append(
"/etc/apt/sources.list.d/elasticsearch.list",
"deb http://packages.elasticsearch.org/elasticsearch/{}/debian stable main"
.format(kwargs["VERSION"][:kwargs["VERSION"].rfind(".")] if
kwargs["VERSION"].count(".") == 3 else kwargs["VERSION"]),
use_sudo=True,
)
sudo("apt update")
sudo("apt-get install -y elasticsearch={}".format(kwargs["VERSION"]))
if kwargs.get("NO_UPGRADE"):
sudo("apt-mark hold elasticsearch")
restart_systemd("elasticsearch")
return "elasticsearch {} installed".format(installed())
return "[Already] elasticsearch {} installed".format(installed())
def configure_riot_nginx5(root="/var/www/riot", **kwargs):
kwargs.setdefault("LISTEN_PORT", 80)
server_block = utils.merge_into(
emit.server_block(
server_name=kwargs["SERVER_NAME"], listen=kwargs["LISTEN_PORT"]
),
emit.html5_block("/", root),
)
sio = StringIO()
sio.write(
dumps(
loads(emit.redirect_block(server_name=kwargs["SERVER_NAME"], port=80))
+ server_block
if kwargs["LISTEN_PORT"] == 443
else server_block
)
)
put(
sio,
"/etc/nginx/sites-enabled/{server_name}".format(
server_name=kwargs["SERVER_NAME"]
),
use_sudo=True,
)
return restart_systemd("nginx")
def install0(**kwargs):
installed = lambda: run(
"dpkg-query --showformat='${Version}' --show mongodb-org", quiet=True
)
def mongodb_apt_init():
if kwargs["VERSION"] == "3.4":
sudo(
"apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 0C49F3730359A14518585931BC711F9BA15703C6"
)
sudo("rm /etc/apt/sources.list.d/mongodb-org*")
append(
"/etc/apt/sources.list.d/mongodb-org-3.4.list",
"deb [ arch=amd64,arm64 ] http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 multiverse",
use_sudo=True,
)
elif kwargs["VERSION"] == "3.6":
sudo(
"apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 2930ADAE8CAF5059EE73BB4B58712A2291FA4AD5"
)
sudo("rm /etc/apt/sources.list.d/mongodb-org*")
append(
"/etc/apt/sources.list.d/mongodb-org-3.6.list",
"deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.6 multiverse",
use_sudo=True,
)
else:
raise NotImplementedError(
"MongoDB version {}; update the package, or use '3.4' | '3.6'".format(
kwargs["VERSION"]
)
)
if sudo("dpkg -s mongodb-org", quiet=True, warn_only=True).failed:
mongodb_apt_init()
apt_depends("mongodb-org")
restart_systemd("mongod")
return "MongoDB {} installed".format(installed())
version = installed()
if not version.startswith(kwargs["VERSION"]):
mongodb_apt_init()
apt_depends("mongodb-org")
restart_systemd("mongod")
return "MongoDB {} installed".format(installed())
return "[Already] MongoDB {} installed".format(installed())
def apply_cert2(c, domains, use_sudo=True, **kwargs):
"""
:param c: Connection
:type c: ```fabric.connection.Connection```
"""
certs_dirname = frozenset(
d for d in c.sudo("ls -AQlx /etc/letsencrypt/live").stdout.split('"')
if len(d.strip()))
def apply_cert(domain):
if domain.endswith(".conf"):
domain = domain[:len(".conf") - 2]
assert domain in certs_dirname, "{domain} doesn't have certs generated".format(
domain=domain)
conf_name = "/etc/nginx/sites-enabled/{nginx_conf}.conf".format(
nginx_conf=domain)
# cStringIO.StringIO, StringIO.StringIO, TemporaryFile, SpooledTemporaryFile all failed :(
tempfile = mkstemp(domain)[1]
c.get(remote=conf_name, local=tempfile)
updated_conf = upsert_ssl_cert_to_443_block(
conf_file=upsert_redirect_to_443_block(conf_file=tempfile,
server_name=domain),
server_name=domain,
ssl_certificate="/etc/letsencrypt/live/{domain}/fullchain.pem".
format(domain=domain),
ssl_certificate_key="/etc/letsencrypt/live/{domain}/privkey.pem".
format(domain=domain),
)
remove(tempfile)
sio1 = StringIO()
sio1.write(dumps(updated_conf))
sio1.seek(0)
c.put(sio1, conf_name) # use_sudo=use_sudo)
return conf_name
r = tuple(map(apply_cert, domains))
restart_systemd(c, "nginx")
return {"updated_ssl_info": r}
def install0(**kwargs):
installed = lambda: run(
'mysqld --version | while read _ _ ver _; do echo "$ver"; done',
quiet=True)
if sudo("dpkg -s mysql-server", quiet=True, warn_only=True).failed:
with shell_env(DEBIAN_FRONTEND="noninteractive"):
# TODO: Better password handling; I think this can get leaked, even with `quiet=True`?
sudo(
"""
debconf-set-selections <<< 'mysql-server mysql-server/root_password password {password}';
debconf-set-selections <<< 'mysql-server mysql-server/root_password_again password {password}';
""".format(password=kwargs["MYSQL_PASSWORD"]),
quiet=True,
)
apt_depends("mysql-server", "mysql-client", "libmysqlclient-dev")
sudo("systemctl unmask mysql")
restart_systemd("mysql")
return "MySQL {} installed".format(installed())
return "[Already] MySQL {} installed".format(installed())
def install_service0(conf_name, *args, **kwargs):
install_upgrade_service(
conf_name,
conf_local_filepath=kwargs.get("systemd-conf-file"),
context={
"ExecStart": kwargs["ExecStart"],
"Environments": kwargs["Environments"],
"WorkingDirectory": kwargs["WorkingDirectory"],
"User": kwargs["User"],
"Group": kwargs["Group"],
},
)
return restart_systemd(conf_name)
def install0(*args, **kwargs):
apt_depends("libpcre3", "libpcre3-dev")
# ^ Needed for uWSGI
# if not exists("/etc/systemd/system/circusd.service"):
use_sudo = kwargs.get("use_sudo", True)
remote_user = kwargs.get(
"SERVICE_USER", _run_command("echo $USER", quiet=True, sudo=use_sudo))
if remote_user.startswith("$"):
remote_user = _run_command(
"echo {remote_user}".format(remote_user=remote_user),
quiet=True,
sudo=use_sudo,
)
database_uri = kwargs.get("BACKEND_DATABASE_URI", kwargs["RDBMS_URI"])
if not isinstance(database_uri, str):
database_uri = "".join(map(str, database_uri))
name = kwargs["GIT_REPO"][kwargs["GIT_REPO"].rfind("/") + 1:].replace(
"-", "_")
env_vars = "\n{}".format("\n".join("{key}={val}".format(
key=key,
val="".join(map(str, val)) if isinstance(val, (list, tuple)) else val,
) for key, val in kwargs.get("BACKEND_ENV_VARS", {}).items()))
_install_backend(
backend_root=kwargs["BACKEND_ROOT"],
name=name,
remote_user=remote_user,
backend_virtual_env=kwargs["BACKEND_VIRTUAL_ENV"],
team=kwargs["GIT_TEAM"],
repo=kwargs["GIT_REPO"],
database_uri=database_uri,
env_vars="Environment='".join(env_vars),
)
_setup_circus(
home=_run_command("echo $HOME", quiet=True, sudo=use_sudo),
name=name,
remote_user=remote_user,
circus_virtual_env=kwargs.get("CIRCUS_VIRTUALENV",
"/opt/venvs/circus"),
backend_virtual_env=kwargs["BACKEND_VIRTUAL_ENV"],
database_uri=database_uri,
env_vars=env_vars,
backend_root=kwargs["BACKEND_ROOT"],
backend_logs_root=kwargs["BACKEND_LOGS_ROOT"],
port=int(kwargs.get("BACKEND_PORT", "8001")),
)
return restart_systemd("circusd")
def configure_nginx1(*args, **kwargs):
new_conf = lambda orig_conf: upsert_by_location(
"/hooks",
orig_conf,
loads(
api_proxy_block(
"/hooks",
"{protocol}://{host}:{port}/{urlprefix}".format(
protocol="https" if kwargs.get("HOOK_SECURE") else "http",
host=kwargs.get("HOOK_IP", "0.0.0.0"),
port=kwargs.get("HOOK_PORT", 9000),
urlprefix=kwargs.get("HOOK_URLPREFIX", "hooks"),
),
)),
)
upsert_upload(new_conf, name="hook")
return restart_systemd("nginx")
def configure_nginx2(*args, **kwargs):
kwargs.setdefault("LISTEN_PORT", 80)
nginx.install_nginx0()
nginx.setup_nginx_init1()
if kwargs.get("self_signed", False):
certificate.self_signed0(use_sudo=True, **kwargs)
server_block = utils.merge_into(
(
lambda server_block: utils.apply_attributes(
server_block,
emit.secure_attr(kwargs["SSL_CERTOUT"], kwargs["SSL_KEYOUT"]),
)
if kwargs["LISTEN_PORT"] == 443
else server_block
)(
emit.server_block(
server_name=kwargs["MATRIX_SERVER_NAME"], listen=kwargs["LISTEN_PORT"]
)
),
emit.api_proxy_block("/_matrix", "https://127.0.0.1:8008"),
)
sio = StringIO()
sio.write(
dumps(
loads(
emit.redirect_block(server_name=kwargs["MATRIX_SERVER_NAME"], port=80)
)
+ server_block
if kwargs["LISTEN_PORT"] == 443
else server_block
)
)
put(
sio,
"/etc/nginx/sites-enabled/{matrix_server_name}".format(
matrix_server_name=kwargs["MATRIX_SERVER_NAME"]
),
use_sudo=True,
)
return restart_systemd("nginx")
def configure_nginx3(*args, **kwargs):
nginx.install_nginx0()
nginx.setup_nginx_init1()
if kwargs.get("self_signed"):
self_signed0(use_sudo=True, **kwargs)
server_block = utils.merge_into(
(
lambda server_block: utils.apply_attributes(
server_block,
emit.secure_attr(kwargs["SSL_CERTOUT"], kwargs["SSL_KEYOUT"]),
)
if kwargs["LISTEN_PORT"] == 443
else server_block
)(
emit.server_block(
server_name=kwargs["SERVER_NAME"], listen=kwargs["LISTEN_PORT"]
)
),
emit.api_proxy_block("/go", "https://localhost:8154"),
)
sio = StringIO()
sio.write(
dumps(
loads(emit.redirect_block(server_name=kwargs["SERVER_NAME"], port=80))
+ server_block
if kwargs["LISTEN_PORT"] == 443
else server_block
)
)
put(
sio,
"/etc/nginx/sites-enabled/{server_name}".format(
server_name=kwargs["SERVER_NAME"]
),
use_sudo=True,
)
return restart_systemd("nginx")
def setup_custom_conf2(c,
nginx_conf="api-and-static.conf",
conf_keys=None,
skip_nginx_restart=False,
http_to_https=False,
https=False,
*args,
**kwargs):
"""
Generate a new nginx config; interpolating vars within.
:param c: Connection
:type c: ```fabric.connection.Connection```
:param nginx_conf: Nginx conf local filename (for interpolation)
:type nginx_conf: ```str```
:param conf_keys: Valid keys that can be interpolated (from kwargs)
:type conf_keys: ```Optional[Iterable[str]]```
:param skip_nginx_restart: Whether to skip `nginx` restart
:type skip_nginx_restart: ```bool```
:param http_to_https: Whether to redirect HTTP to HTTPS
:type http_to_https: ```bool```
:param https: Whether to enable HTTPS (defaults to LetsEncrypt)
:type https: ```bool```
"""
apt_depends(c, "nginx")
kwargs.setdefault("LISTEN_PORT", 80)
kwargs.setdefault("NAME_OF_BLOCK", "server_block")
kwargs.setdefault("ROUTE_BLOCK", "")
kwargs.setdefault("LOCATION", "/")
kwargs.setdefault("API_HOST", "127.0.0.1")
kwargs.setdefault("API_PORT", 8000)
kwargs.setdefault(
"EXTRA_BODY_FOOT",
"return 302 https://$host$request_uri" if http_to_https else "",
)
kwargs.setdefault("LETSENCRYPT", https)
kwargs.setdefault("SSL_DHPARAM", "/etc/ssl/certs/dhparam.pem")
if https and kwargs["LETSENCRYPT"] and "SERVER_NAME" in kwargs:
root = "/etc/letsencrypt/live/{SERVER_NAME}".format(
SERVER_NAME=kwargs["SERVER_NAME"])
kwargs.update({
"SSL_CERTIFICATE":
"{root}/fullchain.pem".format(root=root),
"SSL_CERTIFICATE_KEY":
"{root}/privkey.pem".format(root=root),
})
builtin_contexts = {
"api-and-static.conf": (
"SERVER_NAME",
"WWWROOT",
"API_HOST",
"API_PORT",
"LISTEN_PORT",
),
"static.conf": ("SERVER_NAME", "WWWROOT"),
"proxy-pass.conf": (
"NAME_OF_BLOCK",
"SERVER_LOCATION",
"SERVER_NAME",
"ROUTE_BLOCK",
"LISTEN_PORT",
"LOCATION",
),
"websocket.location.conf": (
"API_HOST",
"API_PORT",
),
"websocket.conf": (
"EXTRA_HEAD",
"SERVER_NAME",
"LISTEN_PORT",
"SERVER_BODY",
"EXTRA_BODY_FOOT",
),
"websocket.https.conf": (
"EXTRA_HEAD",
"SERVER_NAME",
"SSL_CERTIFICATE",
"SSL_CERTIFICATE_KEY",
"SSL_DHPARAM",
"SERVER_BODY",
),
} # type: Dict[str, Iterable[str]]
if conf_keys is None:
conf_keys = builtin_contexts.get(nginx_conf)
conf_local_filepath = kwargs.get("nginx-conf-file", conf_dir(nginx_conf))
conf_remote_filepath = kwargs.get("nginx-conf-dirname",
"/etc/nginx/conf.d")
conf_remote_filename = kwargs.get(
"conf_remote_filename",
"{conf_remove_filepath}/{conf_remove_basename}".format(
conf_remove_filepath=conf_remote_filepath,
conf_remove_basename=kwargs.get(
"nginx-conf-filename", path.basename(conf_local_filepath)),
),
)
if not conf_remote_filename.endswith(".conf"):
conf_remote_filename += ".conf"
# <WEBSOCKET only (so far)>
base_conf_path = path.basename(conf_remote_filename)
top_fname = conf_dir(nginx_conf.replace(".conf", ".top.conf"))
if path.isfile(top_fname):
with open(top_fname, "rt") as f:
kwargs["EXTRA_HEAD"] = f.read()
else:
kwargs.setdefault("EXTRA_HEAD", "")
conf_name = nginx_conf.replace(".conf", ".location.conf")
location_fname = conf_dir(conf_name)
if path.isfile(location_fname):
with open(location_fname, "rt") as f:
kwargs["SERVER_BODY"] = f.read() % {
k: kwargs[k]
for k in builtin_contexts[conf_name]
}
else:
kwargs.setdefault("SERVER_BODY", "")
if http_to_https and https:
fname = "{}/{}".format(base_conf_path, nginx_conf)
if path.isfile(fname):
with open(fname, "rt") as f:
nginx_config_content = f.read() % {
k: kwargs[k]
for k in builtin_contexts[nginx_conf]
}
else:
nginx_config_content = ""
del kwargs["EXTRA_BODY_FOOT"]
kwargs["EXTRA_HEAD"] = nginx_config_content
# </WEBSOCKET only (so far)>
upload_template_fmt(
c,
conf_local_filepath,
conf_remote_filename,
context=conf_keys
if conf_keys is None else {k: kwargs[k]
for k in conf_keys},
use_sudo=True,
mode=0o400,
backup=False,
)
if skip_nginx_restart:
return
restart_systemd(c, "nginx")
res = c.sudo("systemctl status nginx --no-pager --full")
return res.stdout if res.exited == 0 else res.stderr
def nginx3(**kwargs):
if not kwargs["nginx"]:
return "[Warn]: skipping nginx"
if not cmd_avail("nginx") and not exists("/etc/nginx"):
uname = run("uname -v")
sio = StringIO()
flavour = None
if "Ubuntu" in uname:
flavour = "ubuntu"
elif "Debian" in uname:
flavour = "debian"
if flavour is None:
raise NotImplementedError()
apt_depends("curl", "gnupg2", "ca-certificates", "lsb-release")
release = run("lsb_release -cs")
sio.write(
"deb http://nginx.org/packages/{flavour} {release} nginx".format(
flavour=flavour, release=release))
put(sio, "/etc/apt/sources.list.d/nginx.list", use_sudo=True)
sudo("apt-get update -qq")
sudo(
"curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -"
)
sudo("apt-key fingerprint ABF5BD827BD9BF62")
apt_depends("nginx")
# TODO: Move this to an nginx module; usable by other `offregister-` packages
sites_avail_local_filepath = kwargs.get(
"nginx-sites-available",
resource_filename("offregister_app_push",
path.join("conf", "nginx.sites-available.conf")),
)
proxy_block_local_filepath = kwargs.get(
"nginx-proxy-block",
resource_filename("offregister_app_push",
path.join("conf", "nginx.proxy_block.conf")),
)
remote_conf_dir = "/etc/nginx/sites-enabled"
if not exists(remote_conf_dir):
sudo("mkdir -p {}".format(remote_conf_dir))
sudo(
r"sed -i '/include \/etc\/nginx\/conf.d\/\*.conf;/ a\ \ \ \ include {remote_dir}/*;' {fname}"
.format(remote_dir=remote_conf_dir, fname="/etc/nginx/nginx.conf"))
conf_remote_filename = "/etc/nginx/sites-enabled/{service_name}.conf".format(
service_name=kwargs["app_name"])
deque(
map(
lambda dns_name: append(
text="127.0.0.1\t{site_name}".format(site_name=dns_name),
filename="/etc/hosts",
use_sudo=True,
),
kwargs["DNS_NAMES"],
),
maxlen=0,
)
_send_nginx_conf(
conf_remote_filename,
proxy_block_local_filepath,
sites_avail_local_filepath,
kwargs,
)
return restart_systemd("nginx")
def install0(*args, **kwargs):
kwargs.setdefault("virtual_env", "/opt/venvs/mlflow")
if not kwargs.get("skip_virtualenv", False):
venv0_kwargs = {
"virtual_env": kwargs["virtual_env"],
"python3": True,
"pip_version": "19.2.3",
"use_sudo": True,
"remote_user": "******",
"PACKAGES": ["mlflow[extras]"],
}
venv0_kwargs.update(kwargs)
python_mod.install_venv0(**venv0_kwargs)
circus0_kwargs = {
"APP_NAME": "mlflow",
"APP_PORT": 5000,
"CMD":
"{virtual_env}/bin/mlflow".format(virtual_env=kwargs["virtual_env"]),
"CMD_ARGS": "ui",
"WSGI_FILE": None,
}
circus0_kwargs.update(kwargs)
circus_mod.install_circus0(**circus0_kwargs)
kwargs.setdefault("skip_nginx_restart", True)
kwargs.setdefault(
"conf_remote_filename",
"/etc/nginx/sites-enabled/{}.conf".format(kwargs["SERVER_NAME"]),
)
kwargs.update({
"nginx_conf":
"proxy-pass.conf",
"NAME_OF_BLOCK":
"mlflow",
"SERVER_LOCATION":
"localhost:{port}".format(port=circus0_kwargs["APP_PORT"]),
"LISTEN_PORT":
80,
"LOCATION":
"/",
})
if exists(kwargs["conf_remote_filename"]):
parsed_remote_conf = get_parsed_remote_conf(
kwargs["conf_remote_filename"])
parsed_api_block = loads(
api_proxy_block(
location=kwargs["LOCATION"],
proxy_pass="******".format(kwargs["SERVER_LOCATION"]),
))
sio = StringIO()
sio.write(
dumps(
merge_into(kwargs["SERVER_NAME"], parsed_remote_conf,
parsed_api_block)))
sio.seek(0)
put(sio, kwargs["conf_remote_filename"], use_sudo=True)
else:
nginx_static.setup_conf0(**kwargs)
# with shell_env(VIRTUAL_ENV=kwargs['virtual_env'], PATH="{}/bin:$PATH".format(kwargs['virtual_env'])):sudo('mlflow initdb')
restart_systemd("circusd")
def restart1(*args, **kwargs):
return restart_systemd("matrix-synapse")
def _install_backend(
backend_root,
name,
remote_user,
backend_virtual_env,
team,
repo,
database_uri,
env_vars,
install_postgres=True,
create_postgres_database=True,
use_sudo=True,
):
uname = run("uname -v")
is_ubuntu = "Ubuntu" in uname
run_cmd = partial(_run_command, sudo=use_sudo)
if install_postgres:
if not is_ubuntu and not cmd_avail("psql"):
raise NotImplementedError("Postgres install on {!r}".format(uname))
postgres.install0()
if create_postgres_database:
parsed_database_uri = urlparse(database_uri)
created = postgres.setup_users(
create=({
"user": parsed_database_uri.username,
"password": parsed_database_uri.password,
"dbname": parsed_database_uri.path[1:],
}, ),
connection_str=database_uri,
)
assert created is not None
clone_or_update(team=team,
repo=repo,
use_sudo=use_sudo,
to_dir=backend_root,
branch="master")
offregister_python_ubuntu.install_venv0(virtual_env=backend_virtual_env,
python3=True,
packages=("gunicorn", "uwsgi"))
offregister_python_ubuntu.install_package1(package_directory=backend_root,
virtual_env=backend_virtual_env)
if not exists("/etc/systemd/system"):
raise NotImplementedError("Non SystemD platforms")
if run("id {remote_user}".format(remote_user=remote_user),
warn_only=True,
quiet=True).failed:
sudo('adduser {remote_user} --disabled-password --quiet --gecos ""'.
format(remote_user=remote_user))
(uid, user), (gid, group) = get_user_group_tuples(remote_user)
uwsgi_service = "/etc/systemd/system/{name}-uwsgi.service".format(
name=name)
upload_template(
circus_dir("uwsgi.service"),
uwsgi_service,
context={
"USER": user,
"GROUP": group,
"{}_BACK".format(name.upper()): "{}/{}".format(backend_root, name),
"UID": uid,
"GID": gid,
"VENV": backend_virtual_env,
"BACKEND_ROOT": backend_root,
"SERVICE_USER": "******",
"NAME": name,
"ENV": env_vars,
},
use_sudo=True,
backup=False,
mode=0o644,
)
grp = sudo("id -gn", quiet=True)
sudo("chown {grp}:{grp} {uwsgi_service}".format(
grp=grp, uwsgi_service=uwsgi_service))
restart_systemd("{name}-uwsgi".format(name=name))
return backend_virtual_env, database_uri
def add_cert1(c, domains, email, server="nginx", **kwargs):
"""add_cert1 gets a new LetsEncrypt HTTPS certificate using certbot.
Because we don't trust the nginx module, we do this process:
0. move conf(s) for domain(s) to sites-disabled
1. create new conf(s) for domain(s) in sites-enabled, that point to temporary wwwroot
2. use certbot to request new certificate
3. restore previous conf
:param c: Connection
:type c: ```fabric.connection.Connection```
"""
if server != "nginx":
logger.warning(
"Not tested with non nginx: {server}".format(server=server))
sites_enabled = kwargs.get("sites-enabled", "/etc/nginx/sites-enabled")
sites_disabled = kwargs.get("sites-disabled", "/etc/nginx/sites-disabled")
c.sudo("mkdir -p {sites_disabled}".format(sites_disabled=sites_disabled))
cmd = partial(
c.sudo,
user=kwargs.get("as_user", "root"),
# group=kwargs.get("as_group", "root"),
)
if not cmd_avail(c, "nginx") and not exists(
c, runner=cmd, path="/usr/sbin/nginx"):
raise EnvironmentError("nginx is not installed | not found in PATH")
if not exists(c, runner=cmd, path=sites_enabled):
raise EnvironmentError('No confs found in "{}"'.format(sites_enabled))
_grep_conf = "grep -lER {pat} {sites_enabled}".format(
pat=" -e " +
" -e ".join("'server_name[[:space:]]+{domain}'".format(domain=domain)
for domain in domains) if len(domains) > 0 else "",
sites_enabled=sites_enabled,
)
confs = cmd(_grep_conf, warn=True)
if confs.exited != 0:
stderr.write(confs.stderr)
raise EnvironmentError(
"grep failed with: {}. Failed command: {}".format(
confs, _grep_conf))
elif not confs:
# print(_grep_conf, file=sys.stderr)
raise ReferenceError("No confs found matching domains searched for")
confs = [
s.rstrip().replace(sites_enabled + "/", "")
for s in confs.stdout.split("\n")
]
cmd("mv '{sites_enabled}/'{confs} '{sites_disabled}/'".format(
sites_enabled=sites_enabled,
confs="{{{confs}}}".format(
confs=",".join(confs)) if len(confs) > 1 else "".join(confs),
sites_disabled=sites_disabled,
))
def apply_conf(domain):
root = c.sudo("mktemp -d --suffix .nginx").stdout.strip()
assert root != "/"
nginx.setup_custom_conf2(
c,
nginx_conf="static.conf",
SERVER_NAME=domain,
WWWROOT=root,
conf_remote_filename="{}/{}".format(sites_enabled,
domain.replace("/", "-")),
skip_nginx_restart=True,
)
cmd("touch {root}/index.html && chmod -R 755 {root}".format(root=root))
return root
static_dirs = tuple(map(apply_conf, domains))
def exclude_valid_certs(domain):
cert_details = c.sudo(
"certbot certificates --cert-name {domain}".format(
domain=domain)).stdout
if "Expiry Date" not in cert_details:
return domain
elif "(VALID" not in cert_details:
return domain
cert_expiry = next(
map(
lambda s: s.partition(":")[2].rpartition("(")[0].strip(),
filter(
lambda s: s.lstrip().startswith("Expiry Date"),
cert_details.split("\n"),
),
),
None,
)
if cert_expiry is None:
return domain
cert_expiry = datetime.strptime(cert_expiry, "%Y-%m-%d %H:%M:%S+00:00")
if (cert_expiry - datetime.now()).days < 30:
return domain
return None
domains = tuple(_f for _f in map(exclude_valid_certs, domains) if _f)
if domains:
restart_systemd(c, "nginx")
cmd("certbot certonly {email} --webroot {webroots} {domains} --agree-tos --no-eff-email"
.format(
email="-m '{email}'".format(email=email),
webroots=" ".join("-w '{}'".format(wr) for wr in static_dirs),
domains=" ".join("-d '{}'".format(domain)
for domain in domains),
))
cmd("rm -rf {}/*nginx".format(
static_dirs[0][:static_dirs[0].rfind("/")]))
cmd("rm -f {}".format(" ".join("{}/{}".format(
sites_enabled,
domain if domain.endswith(".conf") else "{domain}.conf".format(
domain=domain),
) for domain in domains)))
cmd("mv '{sites_disabled}/'{confs} '{sites_enabled}/'".format(
sites_enabled=sites_enabled,
confs="{{{confs}}}".format(confs=",".join(confs))
if len(confs) > 1 else "{confs}".format(confs="".join(confs)),
sites_disabled=sites_disabled,
))
return restart_systemd(c, "nginx") # reload didn't work :(
def install_configure0(*args, **kwargs):
apt_install = False
if apt_install:
apt_depends("webhook")
elif not cmd_avail("webhook"):
go.install0()
run("go get github.com/adnanh/webhook")
if (kwargs.get("HOOK_PORT") == 443 or kwargs.get("HOOK_KEY")
or kwargs.get("HOOK_CERT")):
kwargs["HOOK_SECURE"] = True
if not kwargs.get("HOOK_IP") and kwargs.get("SERVER_NAME"):
kwargs["HOOK_IP"] = kwargs["SERVER_NAME"]
if not kwargs.get("HOOK_HOOKS"):
kwargs["HOOK_HOOKS"] = "/etc/webhook.json"
else:
sudo('mkdir -p "${' + kwargs["HOOK_HOOKS"] + '##*/}"',
shell_escape=False)
sio = StringIO()
dump(kwargs["HOOK_HOOKS_JSON"], sio)
tmp = "{}.tmp".format(kwargs["HOOK_HOOKS"])
put(sio, tmp, use_sudo=True)
sudo("cat {tmp} | envsubst > {hooks} && rm {tmp}".format(
tmp=tmp, hooks=kwargs["HOOK_HOOKS"]))
if "HOOK_NOPANIC" not in kwargs:
kwargs["HOOK_NOPANIC"] = "" # true
elif not kwargs["HOOK_NOPANIC"]:
del kwargs["HOOK_NOPANIC"]
upload_template(
hook_dir("webhook.service"),
"/lib/systemd/system/",
context={
"CMD":
"/usr/bin/webhook" if apt_install else run(
'echo "$GOPATH/bin/webhook"', quiet=True, shell_escape=False),
"ARGS":
" ".join("-{cli_arg} '{cli_val}'".format(
cli_arg=cli_arg,
cli_val=kwargs["HOOK_{}".format(cli_arg.upper())])
for cli_arg in (
"cert",
"header",
"hooks",
"hotreload",
"ip",
"key",
"nopanic",
"port",
"secure",
"template",
"verbose",
) if "HOOK_{}".format(cli_arg.upper()) in kwargs).replace(
" ''", "").replace(" 'True'", ""),
},
use_sudo=True,
)
return restart_systemd("webhook")
def restart_nginx2(*args, **kwargs):
return restart_systemd("nginx")
def restart_services3(*args, **kwargs):
if (kwargs.get("circus_args") and kwargs.get("circus_name")
and kwargs.get("circus_home")):
return restart_systemd("circusd")
