Beispiel #1
def run():
    """Install the rendered mirror list as the host's APT source and refresh.

    Creates ``/etc/apt/sources.list.d``, uploads the rendered template as
    ``ubuntu-mirrors.list`` on Ubuntu hosts, deletes the stock
    ``/etc/apt/sources.list`` and then refreshes the package index.

    Raises:
        NotImplementedError: for any distribution other than Ubuntu
            (Debian included).
    """
    sources_dir = '/etc/apt/sources.list.d'
    fs.create_dir(sources_dir)

    # Only Ubuntu is handled; every other lsb.dist_id is rejected before
    # anything is uploaded or removed.
    if info['lsb.dist_id'] != 'Ubuntu':
        raise NotImplementedError

    # NOTE(review): once the stock file below is removed, the rendered
    # template supplies the package sources that replace it -- the template
    # contents are not visible here and should be reviewed with that in mind.
    fs.upload_string(tpl.render(), sources_dir + '/ubuntu-mirrors.list')

    # FIXME: do not do this for raspbian, needs os-release check
    fs.remove_file('/etc/apt/sources.list')

    # NOTE(review): the index refresh is issued three times in a row with the
    # same max_age; this looks redundant -- confirm before collapsing it.
    for _ in range(3):
        apt.update(max_age=60)
Beispiel #2
Datei: ssh.py Projekt: mbr/remand
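def regenerate_host_keys(mark='/etc/ssh/host_keys_regenerated'):
    """Replace the remote machine's SSH host keys with freshly generated ones.

    The old key files are deleted, ``dpkg-reconfigure openssh-server`` is run
    to create new ones, and ``ssh.service`` is restarted. Fingerprints are
    collected before and after so the result message lets an operator verify
    the new host keys out of band; clients that pinned the old keys will see
    a host-key mismatch afterwards.

    Args:
        mark: Path of a marker file recording that regeneration already
            happened. When the marker exists nothing is done. A falsy value
            disables the marker entirely (no check, no marker written).

    Returns:
        ``Unchanged`` if the marker already exists, otherwise ``Changed`` with
        the old and new fingerprints in its message.
    """
    if mark and remote.lstat(mark):
        return Unchanged(msg='Hostkeys have already been regenerated')

    key_names = [
        '/etc/ssh/ssh_host_ecdsa_key',
        '/etc/ssh/ssh_host_ed25519_key',
        '/etc/ssh/ssh_host_rsa_key',
        '/etc/ssh/ssh_host_dsa_key',
    ]

    def collect_fingerprints():
        # Concatenate `ssh-keygen -l` output for every key file that exists;
        # element 0 of proc.run's result is presumably stdout -- TODO confirm.
        fps = ''
        for key in key_names:
            if remote.lstat(key):
                fps += proc.run(['ssh-keygen', '-l', '-f', key])[0]
        return fps

    old_fps = collect_fingerprints()

    # Remove the old private keys and their public halves.
    # NOTE(review): from here until regeneration succeeds the host has no
    # host keys on disk; a failure in the next step leaves it that way.
    for key in key_names:
        fs.remove_file(key)
        fs.remove_file(key + '.pub')

    # Generate new ones.
    proc.run(['dpkg-reconfigure', 'openssh-server'])

    # Restart openssh.
    systemd.restart_unit('ssh.service')

    new_fps = collect_fingerprints()

    # Record that the keys are new. The guard at the top accepts a falsy
    # mark, so the marker must only be touched when one was actually given;
    # previously fs.touch() was called with the falsy value.
    if mark:
        fs.touch(mark)

    return Changed(
        msg='Regenerated SSH host keys.\n'
        'Old fingerprints:\n{}\nNew fingerprints:\n{}\n'.format(
            util.indent('    ', old_fps), util.indent('    ', new_fps)))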
Beispiel #3
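def regenerate_host_keys(mark='/etc/ssh/host_keys_regenerated'):
    """Throw away the existing SSH host keys and generate a new set.

    Steps, in order: record the current fingerprints, delete every known host
    key file (private and ``.pub``), run ``dpkg-reconfigure openssh-server``,
    restart ``ssh.service``, record the new fingerprints and finally touch the
    marker file. Both fingerprint sets are reported in the result so the new
    keys can be checked before clients accept them.

    Args:
        mark: Marker file path; if it already exists the function returns
            early. Pass a falsy value to skip both the check and the marker.

    Returns:
        ``Unchanged`` when the marker is present, ``Changed`` otherwise.
    """
    already_done = bool(mark) and remote.lstat(mark)
    if already_done:
        return Unchanged(msg='Hostkeys have already been regenerated')

    key_names = [
        '/etc/ssh/ssh_host_ecdsa_key',
        '/etc/ssh/ssh_host_ed25519_key',
        '/etc/ssh/ssh_host_rsa_key',
        '/etc/ssh/ssh_host_dsa_key',
    ]

    def collect_fingerprints():
        # One `ssh-keygen -l -f` call per key file that is present, outputs
        # joined in key_names order.
        return ''.join(
            proc.run(['ssh-keygen', '-l', '-f', key])[0]
            for key in key_names
            if remote.lstat(key))

    old_fps = collect_fingerprints()

    # Delete old key pairs before asking the package to recreate them.
    # NOTE(review): the host has no keys on disk between this loop and a
    # successful dpkg-reconfigure run.
    for key in key_names:
        for path in (key, key + '.pub'):
            fs.remove_file(path)

    proc.run(['dpkg-reconfigure', 'openssh-server'])
    systemd.restart_unit('ssh.service')

    new_fps = collect_fingerprints()

    # The early-exit check tolerates a falsy mark, so writing the marker has
    # to be conditional too; an unconditional fs.touch(mark) would be handed
    # None or '' in that case.
    if mark:
        fs.touch(mark)

    return Changed(
        msg='Regenerated SSH host keys.\n'
        'Old fingerprints:\n{}\nNew fingerprints:\n{}\n'.format(
            util.indent('    ', old_fps), util.indent('    ', new_fps)))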
Beispiel #4
def disable_raspi_config():
    """Stop raspi-config from starting and kill any running instance.

    Removes the profile.d hook, rewrites ``/etc/inittab`` (lines tagged
    ``RPICFG_TO_ENABLE`` are uncommented, lines tagged ``RPICFG_TO_DISABLE``
    are dropped) and runs ``killall raspi-config``.

    Returns:
        ``Changed`` if any of the three steps altered the system, otherwise
        ``Unchanged``.
    """
    # FIXME: use fs.edit here
    changed = False

    # The profile.d script has to go.
    changed |= fs.remove_file('/etc/profile.d/raspi-config.sh').changed

    # FIXME: this should become part of an edit module?
    rewritten = []
    dirty = False
    for line in remote.file('/etc/inittab', 'r'):
        if line.startswith('#') and 'RPICFG_TO_ENABLE' in line:
            # Strip the leading '#' and everything from the last '#' onwards,
            # then re-terminate the line.
            dirty = True
            rewritten.append(line[1:line.rfind('#')].strip() + '\n')
        elif 'RPICFG_TO_DISABLE' in line:
            # Tagged for removal: leave it out of the new file.
            dirty = True
        else:
            rewritten.append(line)

    if dirty:
        # FIXME: DO THIS ATOMICALLY? Use UPLOAD?
        with remote.file('/etc/inittab', 'w') as out:
            out.write(''.join(rewritten))
        changed = True

    # Finally stop a raspi-config that is currently running. Exit status 1
    # from killall means no matching process was found, so only other
    # statuses count as a change.
    _, _, status = proc.run(['killall', 'raspi-config'], status_ok=(0, 1))
    if status != 1:
        changed = True

    if not changed:
        return Unchanged(msg='raspi-config already stopped and disabled')
    return Changed(msg='Disabled raspi-config')
Beispiel #5
def enable_letsencrypt(auto_reload=True, remove_default=True):
    """Set up nginx to serve ACME challenge files for Let's Encrypt.

    Uploads the ``acme-challenge`` site, enables it via symlink, and makes
    sure the ``.well-known/acme-challenge`` directories exist under
    ``/var/www/html`` with mode 0o755.

    Args:
        auto_reload: Reload ``nginx.service`` (only if it is running) when
            something changed.
        remove_default: Also remove the ``default`` entry from
            ``sites-enabled``.

    Returns:
        ``Changed`` if the site file, the symlink or the default-site removal
        changed anything, otherwise ``Unchanged``.
    """
    site_available = '/etc/nginx/sites-available/acme-challenge'
    well_known = '/var/www/html/.well-known'
    challenge_dir = '/var/www/html/.well-known/acme-challenge'

    changed = any_changed(
        fs.upload_file(nginx.files['acme-challenge'], site_available),
        fs.symlink(site_available,
                   '/etc/nginx/sites-enabled/00_acme-challenge'),
    )

    # NOTE(review): the results of these directory/permission steps are not
    # folded into `changed`; confirm that is intended.
    fs.create_dir(well_known)
    fs.create_dir(challenge_dir)
    fs.chmod(well_known, mode=0o755)
    fs.chmod(challenge_dir, mode=0o755)

    if remove_default:
        changed |= fs.remove_file('/etc/nginx/sites-enabled/default').changed

    if not changed:
        return Unchanged(msg='nginx Let\'s encrypt support already enabled')

    if auto_reload:
        systemd.reload_unit('nginx.service', only_if_running=True)

    return Changed(msg='Enabled nginx Let\'s encrypt support')