def run():
    """Swap the stock APT source list for the rendered Ubuntu mirror list.

    Only hosts whose ``info['lsb.dist_id']`` is ``'Ubuntu'`` are handled;
    every other value raises ``NotImplementedError`` after the
    ``sources.list.d`` directory has been created.

    Review notes:
    * ``/etc/apt/sources.list`` is deleted, but files already present in
      ``/etc/apt/sources.list.d`` are left alone, so older source entries
      there stay active next to the uploaded mirror list.
    * Nothing here touches apt's trusted keys; package authenticity keeps
      depending on the keys the host already trusts.
    """
    sources_dir = '/etc/apt/sources.list.d'

    # create source.list.d
    fs.create_dir(sources_dir)

    dist_id = info['lsb.dist_id']
    if dist_id != 'Ubuntu':
        # Debian and all other distributions are not supported yet.
        raise NotImplementedError

    fs.upload_string(tpl.render(), sources_dir + '/ubuntu-mirrors.list')

    # FIXME: do not do this for raspbian, needs os-release check
    fs.remove_file('/etc/apt/sources.list')

    # NOTE(review): the listing issues this call three times in a row;
    # presumably max_age=60 turns the repeats into no-ops - confirm that the
    # repetition is intended.
    for _ in range(3):
        apt.update(max_age=60)
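def regenerate_host_keys(mark='/etc/ssh/host_keys_regenerated'):
    """Replace the SSH host keys of the remote host, at most once per marker.

    The fingerprints of the existing keys are collected, the key files and
    their ``.pub`` counterparts are removed, ``dpkg-reconfigure
    openssh-server`` is run to create new keys and ``ssh.service`` is
    restarted.

    :param mark: Path of a marker file. If it is truthy and already exists,
                 nothing is done. After a successful run it is touched so
                 later runs leave the keys alone. Pass a falsy value to
                 regenerate unconditionally without writing a marker.
    :return: ``Unchanged`` when the marker exists, otherwise ``Changed`` with
             a message listing the old and the new fingerprints.

    Review notes:
    * Clients that pinned the old keys will see a host key mismatch after the
      restart. The fingerprints in the returned message are what lets an
      operator confirm the new keys over a trusted channel, so keep them.
    * The marker is written last. If an earlier step fails (presumably by
      raising - confirm against ``proc.run``), the next run retries.
    """
    if mark and remote.lstat(mark):
        return Unchanged(msg='Hostkeys have already been regenerated')

    key_names = [
        '/etc/ssh/ssh_host_ecdsa_key',
        '/etc/ssh/ssh_host_ed25519_key',
        '/etc/ssh/ssh_host_rsa_key',
        '/etc/ssh/ssh_host_dsa_key',
    ]

    def collect_fingerprints():
        # Only keys that exist are queried, so a key type that is absent
        # before or after regeneration simply drops out of the listing.
        return ''.join(
            proc.run(['ssh-keygen', '-l', '-f', key])[0]
            for key in key_names
            if remote.lstat(key)
        )

    old_fps = collect_fingerprints()

    # remove old keys
    for key in key_names:
        fs.remove_file(key)
        fs.remove_file(key + '.pub')

    # generate new ones
    proc.run(['dpkg-reconfigure', 'openssh-server'])

    # restart openssh
    systemd.restart_unit('ssh.service')

    new_fps = collect_fingerprints()

    # mark host keys as new; the existence check above skips a falsy mark,
    # so the write must skip it too instead of touching an empty/None path
    if mark:
        fs.touch(mark)

    return Changed(
        msg='Regenerated SSH host keys.\n'
        'Old fingerprints:\n{}\nNew fingerprints:\n{}\n'.format(
            util.indent(' ', old_fps), util.indent(' ', new_fps)))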
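def regenerate_host_keys(mark='/etc/ssh/host_keys_regenerated'):
    """Regenerate the remote host's SSH host keys and report the fingerprints.

    NOTE(review): this listing defines ``regenerate_host_keys`` twice with the
    same body; if both definitions live in one module, this later one is the
    binding that takes effect.

    Steps: record the fingerprints of the existing keys, delete the private
    and ``.pub`` key files, run ``dpkg-reconfigure openssh-server``, restart
    ``ssh.service``, record the new fingerprints, then touch the marker.

    :param mark: Marker file path. When truthy and present, the function
                 returns ``Unchanged`` without touching any key. When falsy,
                 the keys are always regenerated and no marker is written.
    :return: ``Unchanged`` or ``Changed``; the ``Changed`` message contains
             the old and new fingerprints so the key change can be verified
             by clients through a trusted channel.
    """
    if mark:
        if remote.lstat(mark):
            return Unchanged(msg='Hostkeys have already been regenerated')

    key_names = [
        '/etc/ssh/ssh_host_ecdsa_key',
        '/etc/ssh/ssh_host_ed25519_key',
        '/etc/ssh/ssh_host_rsa_key',
        '/etc/ssh/ssh_host_dsa_key',
    ]

    def collect_fingerprints():
        # Build one text block from the ssh-keygen -l output of every key
        # file that currently exists.
        collected = []
        for key_path in key_names:
            if remote.lstat(key_path):
                collected.append(
                    proc.run(['ssh-keygen', '-l', '-f', key_path])[0])
        return ''.join(collected)

    old_fps = collect_fingerprints()

    # remove old keys (private and public halves)
    for key_path in key_names:
        for victim in (key_path, key_path + '.pub'):
            fs.remove_file(victim)

    # generate new ones
    proc.run(['dpkg-reconfigure', 'openssh-server'])

    # restart openssh so the daemon serves the new keys
    systemd.restart_unit('ssh.service')

    new_fps = collect_fingerprints()

    # mark host keys as new - only when a marker path was given, mirroring
    # the guard on the existence check at the top
    if mark:
        fs.touch(mark)

    return Changed(
        msg='Regenerated SSH host keys.\n'
        'Old fingerprints:\n{}\nNew fingerprints:\n{}\n'.format(
            util.indent(' ', old_fps), util.indent(' ', new_fps)))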
def disable_raspi_config():
    """Disable the raspi-config first-boot helper and stop a running copy.

    Three things happen:
    1. ``/etc/profile.d/raspi-config.sh`` is removed.
    2. ``/etc/inittab`` is rewritten: commented lines tagged
       ``RPICFG_TO_ENABLE`` are uncommented (leading ``#`` and the trailing
       ``# ...`` tag stripped), and lines tagged ``RPICFG_TO_DISABLE`` are
       dropped.
    3. ``killall raspi-config`` is run; exit status 1 (no process found) is
       accepted.

    :return: ``Changed`` if any step altered the host, else ``Unchanged``.
    """
    # FIXME: use fs.edit here
    changed = False

    # we need to remove it from profile.d
    changed |= fs.remove_file('/etc/profile.d/raspi-config.sh').changed

    # FIXME: this should become part of an edit module?
    rewritten = []
    inittab_dirty = False
    for entry in remote.file('/etc/inittab', 'r'):
        if entry.startswith('#') and 'RPICFG_TO_ENABLE' in entry:
            # Keep what sits between the leading '#' and the last '#'.
            inittab_dirty = True
            rewritten.append(entry[1:entry.rfind('#')].strip() + '\n')
        elif 'RPICFG_TO_DISABLE' in entry:
            inittab_dirty = True
        else:
            rewritten.append(entry)

    if inittab_dirty:
        # FIXME: DO THIS ATOMICALLY? Use UPLOAD?
        # NOTE(review): the file is rewritten in place; an interrupted write
        # could leave a truncated inittab behind.
        with remote.file('/etc/inittab', 'w') as out:
            out.write(''.join(rewritten))
        changed = True

    # now just stop running raspi-config
    _out, _err, exit_status = proc.run(['killall', 'raspi-config'],
                                       status_ok=(0, 1))

    # killall will return exit status 1 if no process was found
    if exit_status != 1:
        changed = True

    if not changed:
        return Unchanged(msg='raspi-config already stopped and disabled')
    return Changed(msg='Disabled raspi-config')
def enable_letsencrypt(auto_reload=True, remove_default=True):
    """Install the nginx site that serves ACME challenge files.

    Uploads the ``acme-challenge`` site definition, enables it via a symlink
    in ``sites-enabled``, and makes sure the challenge directories under
    ``/var/www/html/.well-known`` exist with mode ``0o755``.

    :param auto_reload: Reload ``nginx.service`` (only if it is running) when
                        the site configuration changed.
    :param remove_default: Also remove ``sites-enabled/default``.
    :return: ``Changed`` when the site files or the default-site link
             changed, otherwise ``Unchanged``.

    Review notes:
    * The results of the directory ``create_dir``/``chmod`` calls are not
      part of the changed flag, so they never trigger a reload on their own.
    * ``0o755`` makes the challenge directories world-readable and writable
      only by their owner; which account owns them is not set here.
    """
    site_available = '/etc/nginx/sites-available/acme-challenge'
    site_enabled = '/etc/nginx/sites-enabled/00_acme-challenge'
    challenge_dirs = (
        '/var/www/html/.well-known',
        '/var/www/html/.well-known/acme-challenge',
    )

    changed = any_changed(
        fs.upload_file(nginx.files['acme-challenge'], site_available),
        fs.symlink(site_available, site_enabled),
    )

    # Create both directories first, then set their modes, in that order.
    for directory in challenge_dirs:
        fs.create_dir(directory)
    for directory in challenge_dirs:
        fs.chmod(directory, mode=0o755)

    if remove_default:
        changed |= fs.remove_file('/etc/nginx/sites-enabled/default').changed

    if not changed:
        return Unchanged(msg='nginx Let\'s encrypt support already enabled')

    if auto_reload:
        systemd.reload_unit('nginx.service', only_if_running=True)
    return Changed(msg='Enabled nginx Let\'s encrypt support')