def create_user():
with settings(user='******'):
cuisine.user_ensure('ssmjp')
append('/etc/sudoers', 'ssmjp ALL=(ALL) ALL')
cuisine.ssh_authorize('ssmjp', cuisine.file_local_read('~/.ssh/ssmjp.pub'))
conf = Pit.get('ssmjp-user', { 'require': { 'password': '******' } })
cuisine.user_passwd('ssmjp', conf['password'])
def user_setup():
""" Creates a read the docs user """
env.user = ROOT_USER
env.password = ROOT_PASS
user_ensure(RTD_USER, home='/opt/rtd')
user_passwd(RTD_USER, RTD_PASS)
def ensure():
git.ensure_git()
# Make sure the user exists
user_ensure('acme')
group_ensure('acme')
group_user_ensure('acme', 'acme')
# Allow the acme user to reload nginx when updating certs
files.append('/etc/sudoers',
'acme ALL=(root) NOPASSWD: {reload_nginx}'.format(
reload_nginx=_reload_nginx()),
use_sudo=True)
# Make sure acme.sh is installed for the acme user
# if not path.has('acme.sh', user='******'): Does not exist--it's imported from bash
if not files.exists('/home/acme/.acme.sh'):
git.ensure_clone_github('Neilpang/acme.sh',
'/home/acme/acme.sh',
user='******')
with cd("/home/acme/acme.sh"):
sudo("./acme.sh --install", user='******')
dir_ensure(well_known_base)
sudo(
"chown acme:acme {well_known} && chmod 755 {well_known}".format(
well_known=well_known_base)
) # Can't change attributes without sudo in a sticky (not write) directory... annoying
util.put_file("config/certs/lets-encrypt-x3-cross-signed.pem",
"/etc/ssl/certs/lets-encrypt-x3-cross-signed.pem",
user='******',
mode='0644')
def user_setup():
""" Creates a read the docs user """
env.user=SUDO_USER
env.password=SUDO_PASS
user_ensure(RTD_USER, home='/opt/rtd')
user_passwd(RTD_USER, RTD_PASS )
def setup_system():
user_ensure(project_name, home='/home/' + project_name)
if not dir_exists('/home/%s/production' % project_name):
with cd('/home/%s' % project_name):
run('git clone file:///root/repos/%s.git production' % project_name
)
run('git clone file:///root/repos/%s.git staging' % project_name)
with cd('production'):
run('virtualenv env')
run_venv('pip install -r assets/requirements.txt',
env='production')
with cd('%s/settings' % project_name):
file_link('production.py', '__init__.py')
run('mkdir -p logs')
run('chown %s:%s logs -R' % (project_name, project_name))
run('chmod o+wx logs -R')
run('mkdir -p static')
run_venv('./manage.py collectstatic --noinput',
env="production")
with cd('staging'):
run('virtualenv env')
run_venv('pip install -r assets/requirements.txt',
env='staging')
with cd('%s/settings' % project_name):
file_link('staging.py', '__init__.py')
run('mkdir -p logs')
run('chown %s:%s logs -R' % (project_name, project_name))
run('chmod o+wx logs -R')
run('mkdir -p static')
run_venv('./manage.py collectstatic --noinput',
env="staging")
def setup_user(p_user_name_str, p_user_home_dir_path_str, p_user_pass_str,
p_log_fun):
p_log_fun('FUN_ENTER', 'gf_fabric_utils.setup_user()')
#Ensures that the given users exists, optionally updating their
#passwd/home/uid/gid/shell.
cuisine.user_ensure(p_user_name_str,
home=p_user_home_dir_path_str,
passwd=p_user_pass_str)
def set_project_user_and_group(username, groupname):
""" Setup project user and group
@param username: system user for zope process
@param groupname: system process group for sites
"""
user_ensure(username)
group_ensure(groupname)
group_user_ensure(groupname, username)
def _setup_users():
USERS = ['yuta1024', 'tyabuki', 'nhirokinet']
for user in USERS:
cuisine.user_ensure(user, shell='/bin/bash', passwd='yharima', encrypted_passwd=False)
cuisine.group_user_ensure('sudo', user)
# https://ubuntuforums.org/showthread.php?t=1318346
cuisine.group_user_ensure('adm', user)
with cuisine.mode_sudo():
cuisine.ssh_authorize(user, _get_public_key_from_github(user))
if not cuisine.is_ok(sudo('grep rsync /etc/sudoers && echo OK ; true')):
sudo('echo "%s ALL=(ALL) NOPASSWD: /usr/bin/rsync" | EDITOR="tee -a" visudo' % ','.join(USERS))
def ensure_fcgiwrap(children=4):
select_package("apt")
package_ensure(["fcgiwrap"]) # On debian will automatically be enabled
# fcgi can't run status script because its default user (www-data) has no login shell--not sure why exactly but work around it by making a new user
user_ensure('fcgiwrap')
group_ensure('fcgiwrap')
group_user_ensure('fcgiwrap', 'fcgiwrap')
sudo('sed -i "s/www-data/fcgiwrap/" /lib/systemd/system/fcgiwrap.service')
sudo('echo "FCGI_CHILDREN={}" > /etc/default/fcgiwrap'.format(children))
sudo('systemctl daemon-reload')
sudo('/etc/init.d/fcgiwrap restart')
def create_user():
with settings(user='******'):
cuisine.user_ensure('ssmjp')
append('/etc/sudoers', 'ssmjp ALL=(ALL) ALL')
cuisine.ssh_authorize('ssmjp',
cuisine.file_local_read('~/.ssh/ssmjp.pub'))
conf = Pit.get('ssmjp-user',
{'require': {
'password': '******'
}})
cuisine.user_passwd('ssmjp', conf['password'])
def ensure_email_contents(restore):
"""Restore the old email database if needed"""
user_ensure('vmail')
group_ensure('vmail')
group_user_ensure('vmail', 'vmail')
run("usermod -d /var/mail vmail")
#run('usermod -s /bin/false vmail')
if not dir_exists('/var/mail/vmail') and restore:
#with settings(user='******', host_string='burn'):
# get('/data/vmail', '/tmp')
put('/tmp/vmail', '/var/mail')
run('chown -R vmail:vmail /var/mail/vmail')
def install():
""" Install ngix packages """
puts(green('-> Installing nginx'))
cuisine.package_ensure('nginx')
puts(green('-> Creating apps user'))
cuisine.user_ensure('apps')
puts(green('-> Creating dirs for web apps'))
cuisine.dir_ensure('/home/apps/www')
cuisine.dir_ensure('/home/apps/logs')
def ensure_email_contents(restore):
"""Restore the old email database if needed"""
user_ensure('vmail')
group_ensure('vmail')
group_user_ensure('vmail', 'vmail')
run("usermod -d /var/mail vmail")
#run('usermod -s /bin/false vmail')
if not dir_exists('/var/mail/vmail') and restore:
#with settings(user='******', host_string='burn'):
# get('/data/vmail', '/tmp')
put('/tmp/vmail', '/var/mail')
run('chown -R vmail:vmail /var/mail/vmail')
def add_user_to_docker_group(self):
"""
Make sure the ubuntu user is part of the docker group.
"""
log_green('adding the ubuntu user to the docker group')
data = load_state_from_disk()
with settings(hide('warnings', 'running', 'stdout', 'stderr'),
warn_only=True, capture=True):
user_ensure('ubuntu', home='/home/ubuntu', shell='/bin/bash')
group_ensure('docker', gid=55)
group_user_ensure('docker', 'ubuntu')
def setup_users():
'''Add web runner group and users'''
puts(green('Creating users and groups'))
orig_user, orig_passw, orig_cert = env.user, env.password, env.key_filename
env.user, env.password, env.key_filename = \
SSH_SUDO_USER , SSH_SUDO_PASSWORD, SSH_SUDO_CERT
cuisine.group_ensure(WEB_RUNNER_GROUP)
cuisine.user_ensure(
WEB_RUNNER_USER,
gid=WEB_RUNNER_GROUP,
shell='/bin/bash',
passwd=WEB_RUNNER_PASSWORD,
encrypted_passwd=False,
)
# Create the ssh certificate for web_runner user
rem_ssh_deploy_cert_file = '~%s/.ssh/authorized_keys' % WEB_RUNNER_USER
rem_ssh_priv_cert_file = '~%s/.ssh/id_rsa' % WEB_RUNNER_USER
rem_ssh_pub_cert_file = '~%s/.ssh/id_rsa.pub' % WEB_RUNNER_USER
ssh_config_file = '~%s/.ssh/config' % WEB_RUNNER_USER
if orig_cert and not sudo('test -e %s && echo OK ; true' %
(rem_ssh_deploy_cert_file, )).endswith("OK"):
sudo('mkdir -p ~%s/.ssh' % WEB_RUNNER_USER)
sudo('chmod 700 ~%s/.ssh' % WEB_RUNNER_USER)
deploy_cert = open(LOCAL_CERT_PATH + os.sep + 'web_runner_rsa.pub',
'r').read()
priv_cert = open(LOCAL_CERT_PATH + os.sep + 'web_runner_user_rsa',
'r').read()
pub_cert = open(LOCAL_CERT_PATH + os.sep + 'web_runner_user_rsa.pub',
'r').read()
ssh_config = 'Host bitbucket.org\n\tStrictHostKeyChecking no'
cuisine.file_write('/tmp/deploy_cert', deploy_cert)
cuisine.file_write('/tmp/priv_cert', priv_cert)
cuisine.file_write('/tmp/pub_cert', pub_cert)
cuisine.file_write('/tmp/ssh_config', ssh_config)
sudo('mv /tmp/deploy_cert ' + rem_ssh_deploy_cert_file)
sudo('mv /tmp/priv_cert ' + rem_ssh_priv_cert_file)
sudo('mv /tmp/pub_cert ' + rem_ssh_pub_cert_file)
sudo('mv /tmp/ssh_config ' + ssh_config_file)
sudo('chmod 600 %s' % rem_ssh_deploy_cert_file)
sudo('chmod 600 %s' % rem_ssh_priv_cert_file)
sudo('chmod 600 %s' % rem_ssh_pub_cert_file)
sudo('chown -R %s:%s ~%s/.ssh/' %
(WEB_RUNNER_USER, WEB_RUNNER_GROUP, WEB_RUNNER_USER))
env.user, env.password, env.key_filename = \
orig_user, orig_passw, orig_cert
def ensure():
# Make sure the user exists
user_ensure('acme')
group_ensure('acme')
group_user_ensure('acme', 'acme')
# Make sure acme.sh is installed for the acme user
if not path.has('acme.sh', user='******'):
git.ensure_clone_github('Neilpang/acme.sh', '/home/acme/acme.sh', user='******')
with cd("/home/acme/acme.sh"):
sudo("./acme.sh --install", user='******')
dir_ensure(well_known_base)
sudo("chown acme:acme {well_known} && chmod 755 {well_known}".format(well_known=well_known_base)) # Can't change attributes without sudo in a sticky (not write) directory... annoying
def add_nagios_user():
'''
Adds Nagios user and groups to VMs and sets the right permissions.
'''
cuisine.group_ensure('nagios')
cuisine.user_ensure('nagios')
cuisine.group_user_ensure('nagios', 'nagios')
sudo('mkdir -p /usr/local/nagios')
sudo('mkdir -p /usr/local/nagios/libexec')
cuisine.dir_ensure('/usr/local/nagios')
cuisine.dir_ensure('/usr/local/nagios/libexec')
sudo('chown nagios.nagios /usr/local/nagios')
sudo('chown -R nagios.nagios /usr/local/nagios/libexec')
def add_nagios_user():
'''
Adds Nagios user and groups to VMs and sets the right permissions.
'''
cuisine.group_ensure('nagios')
cuisine.user_ensure('nagios')
cuisine.group_user_ensure('nagios', 'nagios')
sudo('mkdir -p /usr/local/nagios')
sudo('mkdir -p /usr/local/nagios/libexec')
cuisine.dir_ensure('/usr/local/nagios')
cuisine.dir_ensure('/usr/local/nagios/libexec')
sudo('chown nagios.nagios /usr/local/nagios')
sudo('chown -R nagios.nagios /usr/local/nagios/libexec')
def add_user_to_docker_group(distro):
""" make sure the user running jenkins is part of the docker group """
log_green('adding the user running jenkins into the docker group')
with settings(hide('warnings', 'running', 'stdout', 'stderr'),
warn_only=True, capture=True):
if 'centos' in distro.value:
user_ensure('centos', home='/home/centos', shell='/bin/bash')
group_ensure('docker', gid=55)
group_user_ensure('docker', 'centos')
if 'ubuntu' in distro.value:
user_ensure('ubuntu', home='/home/ubuntu', shell='/bin/bash')
group_ensure('docker', gid=55)
group_user_ensure('docker', 'ubuntu')
def _setup_user():
for user in USERS:
keys = '\n'.join(_get_public_key_from_github(user))
cuisine.user_ensure(user, shell='/bin/bash')
cuisine.group_user_ensure('wheel', user)
sudo('echo "password" | passwd --stdin %s' % user)
sudo('mkdir -p /home/%s/.ssh' % user)
sudo('chown %s:%s /home/%s/.ssh' % (user, user, user))
sudo('chmod 700 /home/%s/.ssh' % user)
sudo('echo "%s" > /home/%s/.ssh/authorized_keys' % (keys, user))
sudo('chown %s:%s /home/%s/.ssh/authorized_keys' % (user, user, user))
sudo('chmod 600 /home/%s/.ssh/authorized_keys' % user)
def initialize():
"""Log in to the server as root and create the initial user/group"""
env.user = '******'
mode_user()
group_ensure(env.remote_group)
user_ensure(env.remote_user, shell='/bin/bash')
group_user_ensure(env.remote_user, env.remote_group)
# copy local public key to user's authorized_keys for convenience
if os.path.exists('~/.ssh/id_rsa.pub'):
f = open('~/.ssh/id_rsa.pub', 'rb')
ssh_authorize(env.remote_user, f.read())
f.close()
file_append("/etc/sudoers", "%(remote_user)s ALL=(ALL) NOPASSWD:ALL\n" % env)
def get_source():
cuisine.user_ensure(env.deploy_user,
home=env.deploy_user_home,
shell='/bin/bash')
execute(setup_repo_key)
# this doesnt seem like the right place for this, move into common
from .django import deploy_user
if not exists(env.repo_destination):
run('sudo -i -H -u web git clone -b %(branch)s %(repo_remote_location)s %(repo_destination)s' % env)
else:
with cd(env.repo_destination):
deploy_user('git reset --hard HEAD' % env)
deploy_user('git clean -f -d' % env)
deploy_user('git pull origin %(branch)s' % env)
def install_postgres():
"""Install the postgres server."""
# TODO: Move this these into a common module, so we don't have to bury it like this.
from .servers import set_database_ip
execute(set_database_ip)
sudo('add-apt-repository ppa:pitti/postgresql')
cuisine.package_install([
'python-software-properties', 'postgresql-9.1', 'postgresql-contrib-9.1',
'postgresql-server-dev-9.1', 'libpq-dev', 'libpq5'
], update=True)
execute(update_db_conf)
cuisine.user_ensure(env.db_user)
sudo('/etc/init.d/postgresql restart')
with settings(warn_only=True):
sudo('''su postgres -c 'createdb -T template0 -O postgres -h %(db_ip)s -p %(db_port)s -E UTF8 %(db_name)s' ''' % env)
def ensure():
select_package("apt")
package_ensure(["znc"]) # On debian will automatically be enabled
user_ensure('znc')
group_ensure('znc')
group_user_ensure('znc', 'znc')
dir_ensure("/var/znc", mode='755')
dir_ensure("/var/znc/configs", mode='755')
run("chown znc:znc /var/znc")
util.put("/srv/znc.conf", "/var/znc/configs", user="******", mode="600")
util.put("config/keys/znc.pem", "/var/znc", user="******", mode="600")
util.put("config/znc/modules", "/var/znc", user="******", mode="755")
run("cp /var/znc/modules/*.so /usr/lib/znc")
systemd.add_unit("config/systemd/znc.service")
run("systemctl enable znc")
run("systemctl restart znc")
def add_nagios_user():
'''
Adds Nagios user and group and sets correct file permissions.
'''
cuisine.group_ensure('nagcmd')
cuisine.group_ensure('nagios')
cuisine.user_ensure('nagios')
cuisine.group_user_ensure('nagios', 'nagios')
cuisine.group_user_ensure('nagcmd', 'nagios')
cuisine.user_ensure('www-data')
cuisine.group_user_ensure('nagcmd', 'www-data')
sudo('mkdir -p /usr/local/nagios')
sudo('mkdir -p /usr/local/nagios/libexec')
cuisine.dir_ensure('/usr/local/nagios')
cuisine.dir_ensure('/usr/local/nagios/libexec')
sudo('chown nagios.nagcmd /usr/local/nagios')
sudo('chown -R nagios.nagcmd /usr/local/nagios/libexec')
def ensure():
select_package("apt")
package_ensure(["znc"]) # On debian will automatically be enabled
user_ensure('znc')
group_ensure('znc')
group_user_ensure('znc', 'znc')
dir_ensure("/var/znc", mode='755')
dir_ensure("/var/znc/configs", mode='755')
run("chown znc:znc /var/znc")
util.put("/srv/znc.conf", "/var/znc/configs", user="******", mode="600")
util.put("config/keys/znc.pem", "/var/znc", user="******", mode="600")
util.put("config/znc/modules", "/var/znc", user="******", mode="755")
run("cp /var/znc/modules/*.so /usr/lib/znc")
systemd.add_unit("config/systemd/znc.service")
run("systemctl enable znc")
run("systemctl restart znc")
def add_nagios_user():
'''
Adds Nagios user and group and sets correct file permissions.
'''
cuisine.group_ensure('nagcmd')
cuisine.group_ensure('nagios')
cuisine.user_ensure('nagios')
cuisine.group_user_ensure('nagios', 'nagios')
cuisine.group_user_ensure('nagcmd', 'nagios')
cuisine.user_ensure('www-data')
cuisine.group_user_ensure('nagcmd', 'www-data')
sudo('mkdir -p /usr/local/nagios')
sudo('mkdir -p /usr/local/nagios/libexec')
cuisine.dir_ensure('/usr/local/nagios')
cuisine.dir_ensure('/usr/local/nagios/libexec')
sudo('chown nagios.nagcmd /usr/local/nagios')
sudo('chown -R nagios.nagcmd /usr/local/nagios/libexec')
def ensure_fcgiwrap(children=4):
select_package("apt")
package_ensure(["fcgiwrap"]) # On debian will automatically be enabled
# fcgi can't run status script because its default user (www-data) has no login shell--not sure why exactly but work around it by making a new user
user_ensure('fcgiwrap', shell="/bin/sh")
group_ensure('fcgiwrap')
group_user_ensure('fcgiwrap', 'fcgiwrap')
# Needed because of Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=792705. Fastcgi 1.1.0-6 (unstable as of writing) fixes this bug.
util.put_file("config/systemd/fcgiwrap.service",
"/etc/systemd/system/gcgiwrap.service",
mode='0644',
user='******')
# Not sure these two lines actually do anything
sudo('sed -i "s/www-data/fcgiwrap/" /lib/systemd/system/fcgiwrap.service')
sudo('echo "FCGI_CHILDREN={}" > /etc/default/fcgiwrap'.format(children))
sudo('systemctl daemon-reload')
sudo('/etc/init.d/fcgiwrap restart')
def install():
""" Install git packages """
puts(green('-> Installing gitolite'))
cuisine.package_ensure('gitolite')
puts(green('-> Creating git user'))
cuisine.user_ensure('git')
puts(green('-> Uploading admin public key'))
public_key = raw_input('Enter path of your public key: ')
cuisine.file_upload('/tmp/admin.pub', public_key)
puts(green('-> Configuring gitolite'))
puts(red('== Options for wizard '))
puts(red('== user -> git '))
puts(red('== path -> /home/git/ '))
puts(red('== key -> /tmp/admin.pub '))
raw_input('Press enter to continue')
cuisine.sudo('dpkg-reconfigure gitolite')
def get_source():
cuisine.user_ensure(env.deploy_user,
home=env.deploy_user_home,
shell='/bin/bash')
execute(setup_repo_key)
# this doesnt seem like the right place for this, move into common
from .django import deploy_user
if not exists(env.repo_destination):
run('sudo -i -H -u web git clone -b %(branch)s %(repo_remote_location)s %(repo_destination)s'
% env)
else:
with cd(env.repo_destination):
deploy_user('git reset --hard HEAD' % env)
deploy_user('git clean -f -d' % env)
deploy_user('git pull origin %(branch)s' % env)
deploy_user('git submodule init')
deploy_user('git submodule update')
def install_postgres():
"""Install the postgres server."""
# TODO: Move this these into a common module, so we don't have to bury it like this.
from .servers import set_database_ip
execute(set_database_ip)
sudo('add-apt-repository ppa:pitti/postgresql')
cuisine.package_install([
'python-software-properties', 'postgresql-9.1',
'postgresql-contrib-9.1', 'postgresql-server-dev-9.1', 'libpq-dev',
'libpq5'
],
update=True)
execute(update_db_conf)
cuisine.user_ensure(env.db_user)
sudo('/etc/init.d/postgresql restart')
with settings(warn_only=True):
sudo(
'''su postgres -c 'createdb -T template0 -O postgres -h %(db_ip)s -p %(db_port)s -E UTF8 %(db_name)s' '''
% env)
def install_nginx(version, force=False):
"""Install nginx HTTP server."""
package_ensure('libpcre3-dev')
package_ensure('zlib1g-dev')
package_ensure('build-essential')
install_dir = os.path.join(_INSTALL_DIR, 'nginx', version)
nginx_bin = os.path.join(install_dir, 'sbin', 'nginx')
if file_exists(nginx_bin):
if not force:
puts("Nginx {0} found, skipping installation".format(version))
return
else:
puts("Reinstalling nginx {0} found".format(version))
with mode_sudo():
dir_ensure(install_dir, True)
home_dir = os.path.join(install_dir, 'html')
user_ensure(NGINX_USER, None, home_dir, shell='/sbin/nologin')
sudo('passwd -l nginx')
download_url = _DOWNLOAD_URL.format(version=version)
src_dir = run('mktemp -d')
with cd(src_dir):
puts("Downloading nginx {0}".format(version))
run("wget -q '{0}' -O - | tar xz".format(download_url))
with cd('nginx-{0}'.format(version)):
puts("Compiling nginx {0}".format(version))
run("./configure --prefix={0} --with-http_stub_status_module".format(install_dir))
run("make")
puts("Installing nginx {0}".format(version))
sudo('make install')
sudo('mkdir {0}'.format(os.path.join(install_dir, 'conf', 'sites-enabled')))
run("rm -rf '{0}'".format(src_dir))
def install(force=False):
"""Install nginx HTTP server."""
version = get_config()['version']
cuisine.package_install(['build-essential', 'libpcre3-dev', 'zlib1g-dev'])
install_dir = os.path.join(_INSTALL_DIR, 'nginx', version)
nginx_bin = os.path.join(install_dir, 'sbin', 'nginx')
if cuisine.file_exists(nginx_bin):
if not force:
fab.puts("Nginx {0} found, skipping installation".format(version))
return
else:
fab.puts("Reinstalling nginx {0} found".format(version))
with cuisine.mode_sudo():
cuisine.dir_ensure(install_dir, True)
home_dir = os.path.join(install_dir, 'html')
cuisine.user_ensure(NGINX_USER, None, home_dir, shell='/sbin/nologin')
fab.sudo('passwd -l nginx')
download_url = _DOWNLOAD_URL.format(version=version)
src_dir = fab.run('mktemp -d')
with fab.cd(src_dir):
fab.puts("Downloading nginx {0}".format(version))
fab.run("wget -q '{0}' -O - | tar xz".format(download_url))
with fab.cd('nginx-{0}'.format(version)):
fab.puts("Compiling nginx {0}".format(version))
fab.run("./configure --prefix={0} --with-http_stub_status_module".format(install_dir))
fab.run("make")
fab.puts("Installing nginx {0}".format(version))
fab.sudo('make install')
with cuisine.mode_sudo():
cuisine.dir_ensure("{0}{1}".format(install_dir, '/conf/sites-enabled'))
fab.run("rm -rf '{0}'".format(src_dir))
def setup_urbanfootprint(upgrade_env=True):
"""
Runs all the steps necessary to configure urbanfootprint
"""
set_paths()
print "ROOT = {0}\n".format(ROOT), \
"GIT_ROOT = {0}\n".format(GIT_ROOT), \
"BASE_PATH = {0}\n".format(BASE_PATH), \
"PROJECT_PATH: {0}\n".format(PROJ_ROOT), \
"WEBSOCKETS_ROOT: {0}\n".format(WEBSOCKETS_ROOT)
from fabfile.management import deploy
# Make sure deployment user exists and that the key is setup correctly
cuisine.user_ensure(env.deploy_user)
if env.user != env.deploy_user:
sudo('chsh -s /bin/bash {0}'.format(env.deploy_user))
sudo('mkdir -p ~{0}/.ssh/'.format(env.deploy_user), user=env.deploy_user)
sudo('cp ~/.ssh/id_rsa* ~{0}/.ssh/'.format(env.deploy_user))
sudo('chown {0}.{0} ~{0}/.ssh/id_rsa*'.format(env.deploy_user))
sudo('chmod 600 ~{0}/.ssh/id_rsa'.format(env.deploy_user), user=env.deploy_user)
# add UbuntuGIS repo
sudo('add-apt-repository ppa:ubuntugis/ubuntugis-unstable -y')
sudo('add-apt-repository ppa:chris-lea/node.js -y')
sudo('add-apt-repository ppa:chris-lea/nginx-devel -y')
cuisine.package_update()
cuisine.package_upgrade()
# using oracle's jdk for good compatibility
# intentionally not install postgresql-9.1-postgis until we can upgrade to django 1.5.x and postgis 2.0
cuisine.package_ensure(
'build-essential openjdk-6-jre openjdk-6-jdk postgresql git python-software-properties proj libproj-dev '
'python-pip python-virtualenv python-dev virtualenvwrapper postgresql-server-dev-9.1 '
'gdal-bin libgdal1-dev nginx varnish supervisor redis-server curl python-gdal nodejs'
# 'libboost-dev libboost-filesystem-dev libboost-program-options-dev libboost-python-dev libboost-regex-dev '
# 'libboost-system-dev libboost-thread-dev
)
#install older postgis
create_template_postgis()
cuisine.group_user_ensure("www-data", env.deploy_user)
cuisine.group_user_ensure("sudo", env.deploy_user)
# setup deployment user git settings #TODO: make more sense of this... probably shouldn't be this for all setups
#sudo('su {0} -c "git config --global user.email \"[email protected]\""'.format(env.deploy_user))
#sudo('su {0} -c "git config --global user.name \"Craig Rindt\""'.format(env.deploy_user))
# create folders for calthorpe deployment
sudo('mkdir -p {git_root}'.format(git_root=GIT_ROOT))
sudo('chmod +t {git_root}'.format(git_root=GIT_ROOT))
sudo('chown -R {user}.www-data {git_root}'.format(git_root=GIT_ROOT, user=env.deploy_user))
sudo('mkdir -p /srv/calthorpe_static') # needs to match local_settings.py.deployment value
sudo('chmod +t /srv/calthorpe_static')
sudo('chown -R {0}.www-data /srv/calthorpe_static'.format(env.deploy_user))
sudo('mkdir -p /srv/calthorpe_media') # needs to match local_settings.py.deployment value
sudo('chmod +t /srv/calthorpe_media')
sudo('chown -R {0}.www-data /srv/calthorpe_media'.format(env.deploy_user))
#create virtualenv
if not cuisine.dir_exists(env.virtualenv_directory):
sudo("virtualenv {env}".format(env=env.virtualenv_directory))
sudo('chown -R {user}.www-data {env}'.format(user=env.deploy_user, env=env.virtualenv_directory))
install_mapnik()
install_osgeo()
# clone repo if needed
# if not cuisine.dir_exists(GIT_ROOT):
with cd(GIT_ROOT):
sudo('su {0} -c "git clone https://github.com/crindt/uf urbanfootprint"'.format(env.deploy_user))
sudo('chown -R {user}.www-data {BASE_PATH}/..'.format(user=env.deploy_user, BASE_PATH=BASE_PATH))
setup_databases()
with cd(PROJ_ROOT):
if not exists('local_settings.py'):
sudo('ln -s local_settings.py.{CLIENT} local_settings.py'.format(CLIENT=env.client))
with cd(WEBSOCKETS_ROOT):
# removes this
try:
sudo('rm -r carto')
except:
pass
sudo('npm install .')
sudo('git clone git://github.com/mapbox/carto.git')
sudo('npm install -g ./carto')
sudo('npm install -g millstone')
sudo('chown -R {0}.www-data node_modules/'.format(env.deploy_user))
# update varnish default port
#sed('/etc/default/varnish', r'^DAEMON_OPTS="-a :6081', 'DAEMON_OPTS="-a :80', use_sudo=True)
# soft link all configuration files
with cd('/etc/varnish'):
sudo('rm -f default.vcl')
#sudo('ln -s /srv/calthorpe/urbanfootprint/calthorpe/server/conf/etc/varnish/default.vcl.prod default.vcl')
nginx_configure()
with cd('/etc/supervisor/conf.d'):
sudo('rm -f calthorpe.conf')
# Link the appropriate supervisor config file. dev omits a web server, and the log files are different
supervisor_conf_ext = 'dev' if env.dev else 'prod'
link_supervisor_config_path = "ln -s {BASE_PATH}/conf/etc/supervisor/conf.d/calthorpe.supervisor.{supervisor_extension} calthorpe.conf"
sudo(link_supervisor_config_path.format(BASE_PATH=BASE_PATH, supervisor_extension=supervisor_conf_ext))
install_sproutcore()
# trigger deploy to update virtualenv and restart services
deploy(upgrade_env=upgrade_env)
patch_django_layermapping()
def add_glance_user():
"""Add glance users and groups if they don't exists in the
operating system"""
group_ensure('glance', 202)
user_ensure('glance', home='/var/lib/glance', uid=202, gid=202,
shell='/bin/false')
def add_nova_user():
"""Add nova users and groups if they don't exists in the
operating system"""
group_ensure('nova', 201)
user_ensure('nova', home='/var/lib/nova', uid=201, gid=201,
shell='/bin/false')
def create_user():
cuisine.user_ensure(
USER_NAME, home='/home/%s' % USER_NAME, shell='/bin/bash')
cuisine.group_user_ensure('www-data', USER_NAME)
def provision_user(admin_user, admin_group):
group_ensure(admin_group)
user_ensure(admin_user, shell='/bin/bash')
group_user_ensure(admin_group, admin_user)
append("/etc/sudoers", "%{group} ALL=(ALL) NOPASSWD:ALL".format(group=admin_group),
use_sudo=True)
def deadtree():
"""Deadtree is the main services machine. It can be taken down at any time and rebuilt."""
apt.sudo_ensure() # cuisine.package_ensure is broken otherwise
# Set up /etc/skel
sudo("mkdir /etc/skel/.ssh || true")
sudo("chmod 700 /etc/skel/.ssh")
# Add a 'nobody' user
user_ensure('nobody')
group_ensure('nobody')
group_user_ensure('nobody', 'nobody')
sudo('usermod -s /bin/false nobody')
# Set up the firewall
put("config/firewalls/deadtree.sh", "/usr/local/bin", use_sudo=True)
sudo("sh /usr/local/bin/deadtree.sh")
# Set up nginx
already_installed = nginx.ensure()
nginx.ensure_site('config/nginx/default', cert='config/certs/za3k.com.pem', key='config/keys/blog.za3k.com.key')
nginx.ensure_fcgiwrap(children=4)
if not already_installed:
nginx.restart() # IPv[46] listener only changes on restart
# Set up letsencrypt
letsencrypt.ensure()
# Set up authorization to back up to the data server
#public_key = ssh.ensure_key('/root/.ssh/id_rsa')
#with settings(user='******', host_string='burn'):
# #put(public_key, '/home/zachary/test_authorized_keys')
# files.append('/home/deadtree/.ssh/authorized_keys', public_key)
# ddns.za3k.com (TCP port 80, web updater for DDNS)
# ns.za3k.com (UDP port 53, DNS server)
user_ensure('nsd')
group_ensure('nsd')
group_user_ensure('nsd', 'nsd')
with mode_sudo():
dir_ensure('/var/lib/nsd', mode='755')
sudo("chown nsd:nsd /var/lib/nsd")
package_ensure(["nsd"])
with cd("/var/lib/nsd"):
sudo("touch /var/lib/nsd/moreorcs.com.zone && chown nsd:nsd /var/lib/nsd/moreorcs.com.zone")
node.ensure()
put("config/ddns/moreorcs.com.zonetemplate", "/etc/nsd", mode='644', use_sudo=True)
supervisord.ensure()
git.ensure_clone_github('thingless/ddns', '/var/lib/nsd/ddns', user='******')
supervisord.ensure_config("config/supervisor/ddns.conf")
put("config/ddns/config.json", "/var/lib/nsd", mode='644', use_sudo=True)
sudo("chown nsd:nsd /var/lib/nsd/config.json")
# [Manual] Copy dnsDB.json from backup
sudo("cd /var/lib/nsd && ln -sf ddns/index.txt index.txt && chown nsd:nsd index.txt")
supervisord.update() # Run ddns
package_ensure(["nsd"])
put("config/ddns/nsd.conf", "/etc/nsd", mode='644', use_sudo=True)
sudo("systemctl restart nsd")
nginx.ensure_site('config/nginx/ddns.za3k.com', csr='config/certs/ddns.za3k.com.csr', key='config/keys/ddns.za3k.com.key', domain="ddns.za3k.com", letsencrypt=True, cert="config/certs/ddns.za3k.com.pem")
nginx.reload()
# blog.za3k.com
package_ensure(["php5-fpm", "mysql-server", "php5-mysql"])
nginx.ensure_site('config/nginx/blog.za3k.com', cert='config/certs/blog.za3k.com.pem', key='config/keys/blog.za3k.com.key', domain="blog.za3k.com", letsencrypt=True, csr="config/certs/blog.za3k.com.csr")
git.ensure_clone_za3k('za3k_blog', '/var/www/za3k_blog', user='******')
# TODO: Replace a database-specific password or make it more obvious it's not used? Currently we're using user ACLs and this gets ignored anyway, I think?
# [Manual] Load the blog database from backup at /srv/mysql -> /var/lib/mysql
sudo('systemctl restart mysql')
# etherpad.za3k.com
package_ensure(["sqlite3"])
user_ensure('etherpad')
group_ensure('etherpad')
group_user_ensure('etherpad', 'etherpad')
git.ensure_clone_github('ether/etherpad-lite', '/var/www/etherpad', commit='1.6.0', user='******')
nginx.ensure_site('config/nginx/etherpad.za3k.com', csr='config/certs/etherpad.za3k.com.csr', key='config/keys/etherpad.za3k.com.key', domain="etherpad.za3k.com", letsencrypt=True, cert="config/certs/etherpad.za3k.com.pem")
util.put("config/etherpad/APIKEY.txt", "/var/www/etherpad", user='******', mode='600')
util.put("config/etherpad/settings.json", "/var/www/etherpad", user='******', mode='644')
if not files.exists("/var/www/etherpad/var/sqlite.db"):
sudo("mkdir -p /var/www/etherpad/var", user='******')
with cd("/var/www/etherpad"):
sudo("npm install sqlite3")
sudo("rsync -av burn.za3k.com::etherpad --delete /var/www/etherpad/var", user='******')
supervisord.ensure()
supervisord.ensure_config("config/supervisor/etherpad.conf")
supervisord.update()
# forsale
nginx.ensure_site('config/nginx/forsale')
util.put('data/forsale', '/var/www', user='******', mode='755')
# gipc daily sync
# github personal backup
# github repo list
# -> updater
# irc.za3k.com -> irc
# -> webchat (qwebirc)
# jsfail.com
user_ensure('jsfail')
group_ensure('jsfail')
group_user_ensure('jsfail', 'jsfail')
nginx.ensure_site('config/nginx/jsfail.com')
util.put('data/jsfail', '/var/www', 'jsfail', mode='755')
# library.za3k.com -> website
# -> sync script
# -> card catalog
# MUST be user 2001 to match remote rsync
user_ensure('library', uid=2001)
group_ensure('library', gid=2001)
group_user_ensure('library', 'library')
with mode_sudo():
dir_ensure('/var/www/library', mode='755')
sudo("chown library:library /var/www/library")
put("config/library/library.sync", "/etc/cron.daily", mode='755', use_sudo=True)
sudo("/etc/cron.daily/library.sync")
nginx.ensure_site('config/nginx/library.za3k.com', csr='config/certs/library.za3k.com.csr', key='config/keys/library.za3k.com.key', domain="library.za3k.com", letsencrypt=True, cert="config/certs/library.za3k.com.pem")
# logs (nginx) and analysis (analog)
# mint sync
# moreorcs.com
user_ensure('moreorcs')
group_ensure('moreorcs')
group_user_ensure('moreorcs', 'moreorcs')
nginx.ensure_site('config/nginx/moreorcs.com', cert='config/certs/moreorcs.com.pem', key='config/keys/moreorcs.com.key', domain="moreorcs.com", letsencrypt=True, csr="config/certs/moreorcs.com.csr")
git.ensure_clone_github('za3k/moreorcs', '/var/www/moreorcs', user='******')
# nanowrimo.za3k.com
nginx.ensure_site('config/nginx/nanowrimo.za3k.com', csr='config/certs/nanowrimo.za3k.com.csr', key='config/keys/nanowrimo.za3k.com.key', domain="nanowrimo.za3k.com", letsencrypt=True, cert="config/certs/nanowrimo.za3k.com.pem")
util.put('data/nanowrimo', '/var/www', user='******', mode='755')
# nntp.za3k.com - Discontinued
# petchat.za3k.com
nginx.ensure_site('config/nginx/petchat.za3k.com')
if not files.exists('/var/www/petchat'):
git.ensure_clone_za3k('petchat', '/var/www/petchat', user='******')
# publishing.za3k.com
# thinkingtropes.com
nginx.ensure_site('config/nginx/thinkingtropes.com')
util.put('data/thinkingtropes', '/var/www', user='******', mode='755')
# thisisashell.com
nginx.ensure_site('config/nginx/thisisashell.com', csr='config/certs/thisisashell.com.csr', key='config/keys/thisisashell.com.key', domain="thisisashell.com", letsencrypt=True, cert="config/certs/thisisashell.com.pem")
# twitter archive
# za3k.com
user_ensure('za3k')
group_ensure('za3k')
group_user_ensure('za3k', 'za3k')
nginx.ensure_site('config/nginx/za3k.com', cert='config/certs/za3k.com.pem', key='config/keys/za3k.com.key', domain="za3k.com", letsencrypt=True, csr="config/certs/za3k.com.csr")
git.ensure_clone_za3k('za3k', '/var/www/za3k', user='******')
# Markdown .md
ruby.ensure()
ruby.ensure_gems(["redcarpet"])
# colony on the moon
sudo("rsync -av burn.za3k.com::colony --delete /var/www/colony", user='******')
# |-- status.za3k.com
sudo("mkdir -p /var/www/status && chmod 755 /var/www/status")
util.put("/srv/keys/backup_check", "/var/www/status", user='******', mode='600')
#util.put("/srv/keys/backup_check.pub", "/var/www/status", user='******', mode='644')
package_ensure(["parallel", "curl"])
nginx.reload()
def apply(self, computer):
username = "******"
cuisine.user_ensure(username)
key = self.environment["users"][username]["ssh_public_key"]
cuisine.ssh_authorize(username, key)
def deadtree():
"""Deadtree is the main services machine. It can be taken down at any time and rebuilt."""
apt.sudo_ensure() # cuisine.package_ensure is broken otherwise
# Set up /etc/skel
sudo("mkdir /etc/skel/.ssh || true")
sudo("chmod 700 /etc/skel/.ssh")
# Add a 'nobody' user
user_ensure('nobody')
group_ensure('nobody')
group_user_ensure('nobody', 'nobody')
sudo('usermod -s /bin/false nobody')
# Set up logging
logs.setup()
# Set up the firewall
util.put_file("config/firewalls/deadtree.sh",
"/usr/local/bin/deadtree.sh",
mode='755',
user='******')
sudo("sh /usr/local/bin/deadtree.sh")
util.put_file("config/firewalls/iptables",
"/etc/network/if-pre-up.d/",
mode='755',
user='******')
# Set up authorization to back up to germinate
public_key = ssh.ensure_key('/var/local/germinate-backup', use_sudo=True)
with settings(user='******', host_string='germinate'):
files.append('/home/deadtree/.ssh/authorized_keys',
public_key,
use_sudo=True)
util.put_file("config/backup/sshconfig-deadtree",
"/root/.ssh/config",
user='******')
# Set up backup
package_ensure(["rsync"])
util.put_file("config/backup/generic-backup.sh",
"/var/local",
mode='755',
user='******')
util.put_file("config/backup/backup-exclude-base",
"/var/local/backup-exclude",
mode='644',
user='******')
util.put_file("config/backup/backup-deadtree.sh",
"/etc/cron.daily/backup-deadtree",
mode='755',
user='******')
# Set up nginx
already_installed = nginx.ensure()
nginx.ensure_site('config/nginx/default',
cert='config/certs/za3k.com.pem',
key='config/keys/blog.za3k.com.key')
nginx.ensure_fcgiwrap(children=4)
if not already_installed:
nginx.restart() # IPv[46] listener only changes on restart
# Set up letsencrypt
letsencrypt.ensure()
# Set up logging reports
package_ensure(["analog"])
with mode_sudo():
dir_ensure("/var/www/logs", mode='755')
util.put_file("config/logs/generate-logs",
"/etc/cron.daily/generate-logs",
mode='755',
user='******')
util.put_file("config/logs/analog.cfg",
"/etc/analog.cfg",
mode='644',
user='******')
# ddns.za3k.com (TCP port 80, web updater for DDNS)
# ns.za3k.com (UDP port 53, DNS server)
user_ensure('nsd')
group_ensure('nsd')
group_user_ensure('nsd', 'nsd')
with mode_sudo():
dir_ensure('/var/lib/nsd', mode='755')
sudo("chown nsd:nsd /var/lib/nsd")
package_ensure(["nsd"])
with cd("/var/lib/nsd"):
sudo(
"touch /var/lib/nsd/moreorcs.com.zone && chown nsd:nsd /var/lib/nsd/moreorcs.com.zone"
)
node.ensure()
util.put_file("config/ddns/moreorcs.com.zonetemplate",
"/etc/nsd/moreorcs.com.zonetemplate",
mode='644',
user='******')
supervisord.ensure()
git.ensure_clone_github('thingless/ddns', '/var/lib/nsd/ddns', user='******')
supervisord.ensure_config("config/supervisor/ddns.conf")
util.put_file("config/ddns/config.json",
"/var/lib/nsd/config.json",
mode='644',
user='******')
# [Manual] Copy dnsDB.json from backup
sudo(
"cd /var/lib/nsd && ln -sf ddns/index.txt index.txt && chown nsd:nsd index.txt"
)
supervisord.update() # Run ddns
package_ensure(["nsd"])
util.put_file("config/ddns/nsd.conf",
"/etc/nsd/nsd.conf",
mode='644',
user='******')
sudo("systemctl restart nsd")
nginx.ensure_site('config/nginx/ddns.za3k.com',
csr='config/certs/ddns.za3k.com.csr',
key='config/keys/ddns.za3k.com.key',
domain="ddns.za3k.com",
letsencrypt=True,
cert="config/certs/ddns.za3k.com.pem")
nginx.reload()
# blog.za3k.com
package_ensure(["php5-fpm", "mysql-server", "php5-mysql"])
nginx.ensure_site('config/nginx/blog.za3k.com',
cert='config/certs/blog.za3k.com.pem',
key='config/keys/blog.za3k.com.key',
domain="blog.za3k.com",
letsencrypt=True,
csr="config/certs/blog.za3k.com.csr")
git.ensure_clone_za3k('za3k_blog', '/var/www/za3k_blog', user='******')
# [Manual] Edit /etc/php5/fpm/php.ini
# upload_max_filesize = 20M
# post_max_size = 26M
# sudo("systemctl reload php5-fpm.service")
# Yes, www-data and not fcgiwrap
sudo("chown www-data:www-data -R /var/www/za3k_blog")
sudo("find . -type d -exec chmod 755 {} \;")
sudo("find . -type f -exec chmod 644 {} \;")
# TODO: Replace a database-specific password or make it more obvious it's not used? Currently we're using user ACLs and this gets ignored anyway, I think?
# [Manual] Load the blog database from backup at /srv/mysql -> /var/lib/mysql
sudo('systemctl restart mysql')
# deadtree.za3k.com
nginx.ensure_site('config/nginx/deadtree.za3k.com',
cert='config/certs/deadtree.za3k.com.pem',
key='config/keys/deadtree.za3k.com.key',
domain="deadtree.za3k.com",
letsencrypt=True,
csr="config/certs/deadtree.za3k.com.csr")
util.put_dir('data/deadtree/public',
'/var/www/public',
mode='755',
user='******')
# etherpad.za3k.com
package_ensure(["sqlite3"])
user_ensure('etherpad')
group_ensure('etherpad')
group_user_ensure('etherpad', 'etherpad')
git.ensure_clone_github('ether/etherpad-lite',
'/var/www/etherpad',
commit='1.6.0',
user='******')
nginx.ensure_site('config/nginx/etherpad.za3k.com',
csr='config/certs/etherpad.za3k.com.csr',
key='config/keys/etherpad.za3k.com.key',
domain="etherpad.za3k.com",
letsencrypt=True,
cert="config/certs/etherpad.za3k.com.pem")
util.put_file("config/etherpad/APIKEY.txt",
"/var/www/etherpad",
user='******',
mode='600')
util.put_file("config/etherpad/settings.json",
"/var/www/etherpad",
user='******',
mode='644')
if not files.exists("/var/www/etherpad/var/sqlite.db"):
sudo("mkdir -p /var/www/etherpad/var", user='******')
with cd("/var/www/etherpad"):
sudo("npm install sqlite3")
sudo(
"rsync -av germinate.za3k.com::etherpad --delete /var/www/etherpad/var",
user='******')
supervisord.ensure()
supervisord.ensure_config("config/supervisor/etherpad.conf")
supervisord.update()
# forsale
nginx.ensure_site('config/nginx/forsale')
util.put_dir('data/forsale', '/var/www/forsale', mode='755', user='******')
# gipc daily sync
# github personal backup
# github repo list
util.put_file("config/github/github-metadata-sync",
"/etc/cron.daily/github-metadata-sync",
mode='755',
user='******')
# -> updater
# irc.za3k.com -> irc
# -> webchat (qwebirc)
# jsfail.com
user_ensure('jsfail')
group_ensure('jsfail')
group_user_ensure('jsfail', 'jsfail')
nginx.ensure_site('config/nginx/jsfail.com')
util.put_dir('data/jsfail', '/var/www/jsfail', 'jsfail', mode='755')
# library.za3k.com -> website
# -> sync script
# -> card catalog
# MUST be user 2001 to match remote rsync
user_ensure('library', uid=2001)
group_ensure('library', gid=2001)
group_user_ensure('library', 'library')
with mode_sudo():
dir_ensure('/var/www/library', mode='755')
files.append('/etc/sudoers',
'za3k ALL=(root) NOPASSWD: /etc/cron.daily/library-sync',
use_sudo=True)
with settings(user='******', host_string='germinate'):
actual_key = ssh.get_public_key(
"/data/git/books.git/hooks/deadtree.library")
ssh_line = 'command="{command}",no-port-forwarding,no-x11-forwarding,no-agent-forwarding {key}'.format(
command="sudo /etc/cron.daily/library-sync", key=actual_key)
files.append('/home/za3k/.ssh/authorized_keys', ssh_line, use_sudo=True)
sudo("chown library:library /var/www/library")
util.put_file("config/library/library-sync",
"/etc/cron.daily/library-sync",
mode='755',
user='******')
sudo("/etc/cron.daily/library-sync")
nginx.ensure_site('config/nginx/library.za3k.com',
csr='config/certs/library.za3k.com.csr',
key='config/keys/library.za3k.com.key',
domain="library.za3k.com",
letsencrypt=True,
cert="config/certs/library.za3k.com.pem")
# logs (nginx) and analysis (analog)
# mint sync
# moreorcs.com
user_ensure('moreorcs')
group_ensure('moreorcs')
group_user_ensure('moreorcs', 'moreorcs')
nginx.ensure_site('config/nginx/moreorcs.com',
cert='config/certs/moreorcs.com.pem',
key='config/keys/moreorcs.com.key',
domain="moreorcs.com",
letsencrypt=True,
csr="config/certs/moreorcs.com.csr")
git.ensure_clone_github('za3k/moreorcs',
'/var/www/moreorcs',
user='******')
# nanowrimo.za3k.com
nginx.ensure_site('config/nginx/nanowrimo.za3k.com',
csr='config/certs/nanowrimo.za3k.com.csr',
key='config/keys/nanowrimo.za3k.com.key',
domain="nanowrimo.za3k.com",
letsencrypt=True,
cert="config/certs/nanowrimo.za3k.com.pem")
util.put_dir('data/nanowrimo',
'/var/www/nanowrimo',
user='******',
mode='755')
# nntp.za3k.com - Discontinued
# petchat.za3k.com
nginx.ensure_site('config/nginx/petchat.za3k.com')
if not files.exists('/var/www/petchat'):
git.ensure_clone_za3k('petchat', '/var/www/petchat', user='******')
# publishing.za3k.com
# thinkingtropes.com
nginx.ensure_site('config/nginx/thinkingtropes.com')
util.put_dir('data/thinkingtropes',
'/var/www/thinkingtropes',
user='******',
mode='755')
# thisisashell.com
nginx.ensure_site('config/nginx/thisisashell.com',
csr='config/certs/thisisashell.com.csr',
key='config/keys/thisisashell.com.key',
domain="thisisashell.com",
letsencrypt=True,
cert="config/certs/thisisashell.com.pem")
# isrickandmortyout.com
nginx.ensure_site('config/nginx/isrickandmortyout.com',
csr='config/certs/isrickandmortyout.com.csr',
key='config/keys/isrickandmortyout.com.key',
domain="isrickandmortyout.com",
letsencrypt=True,
cert="config/certs/isrickandmortyout.com.pem")
# twitter archive
# za3k.com
user_ensure('za3k')
group_ensure('za3k')
group_user_ensure('za3k', 'za3k')
nginx.ensure_site('config/nginx/za3k.com',
cert='config/certs/za3k.com.pem',
key='config/keys/za3k.com.key',
domain="za3k.com",
letsencrypt=True,
csr="config/certs/za3k.com.csr")
git.ensure_clone_za3k('za3k', '/var/www/za3k', user='******')
with settings(user='******', host_string='germinate'):
actual_key = ssh.get_public_key(
"/data/git/za3k.git/hooks/deadtree_key")
ssh_line = 'command="{command}",no-port-forwarding,no-x11-forwarding,no-agent-forwarding {key}'.format(
command="/usr/bin/git -C /var/www/za3k pull", key=actual_key)
files.append('/home/za3k/.ssh/authorized_keys', ssh_line, use_sudo=True)
# Markdown .md
ruby.ensure()
ruby.ensure_gems(["redcarpet"])
# Databases .view
package_ensure(["sqlite3"])
util.put_file("config/za3k/za3k-db-sync",
"/etc/cron.daily/za3k-db-sync",
mode='755',
user='******')
sudo("/etc/cron.daily/za3k-db-sync")
# colony on the moon
# disabled temp. because we're out of space
#sudo("rsync -av germinate.za3k.com::colony --delete /var/www/colony", user='******')
# .sc
package_ensure(["sc"])
nginx.reload()
def ensure_user(user):
""" For the application uid """
user_ensure(user)
def create_user(user, pw): puts(cyan(user)) puts(cyan(pw)) cuisine.user_ensure(user, passwd=pw)
def setup_user():
cuisine.user_ensure('try', home='/home/try', shell='/bin/bash')
u_run('mkdir -p /home/try/etc /home/try/tmp')
u_run('test -f /home/try/tmp/touchme || touch /home/try/tmp/touchme')
append('/etc/sudoers', 'try ALL=(ALL) NOPASSWD: ALL')
def create_user(self):
user_ensure(self.user_name)
group_ensure(self.group_name)
group_user_ensure(self.user_name, self.group_name)
