def configure():
""" renders config of nginx and restarts gracefully
"""
env.roles = ["proxy"]
put_template("proxy_nginx.conf", "~/conf/nginx.conf", context=proxy_config())
put_template("proxy_supervisor.ini", "~/conf/supervisor.ini", context=proxy_config())
execute(supervisor.restart)
print_successful()
def secure_account(user_account):
""" ensures owner is correctly set on all files under $HOME of user_account, and limit appropriately for ssh
"""
setup_env_for_user()
sudo('chown -R {0} ~{0}/.'.format(user_account))
sudo('chmod 700 ~{0}/. ~{0}/.ssh'.format(user_account))
sudo('chmod 600 ~{0}/.ssh/authorized_keys'.format(user_account))
print_successful()
def create_user(user_account, password):
setup_env_for_user()
execute(root.user_create, user_account, password)
user_add_ssh(user_account, pub_key_file=env.key_filename + '.pub', use_sudo=True)
dummy_port = 123 # bh sets env variable 'HTTP_LISTENING_PORT' to this one, but we won't use that env var
execute(user.init_home_env, dummy_port, hosts=new_host_string(user=user_account))
sudo('mkdir -p ~{}/conf'.format(user_account))
secure_account(user_account)
print_successful()
def bootstrap(template_dir, server_yaml, pub_key_file):
""" run once to initialize an 'empty' Debian system. requires root access via password on port 22
NOTE: after this command, can only login as 'admin' (it has sudo rights)
- secures ssh access, creates 'admin' account with sudo rights
- ensures hostname exists both in your /etc/hosts and in remote's /etc/hosts
- restricts ssh: only login via ssh-key, no root login, ssh-port is non-standard
- LOCALLY: adds ssh-key and ssh-port to your local ~/.ssh/config
- installs denyhosts
- installs some basic libraries (see debian_requirements)
- iptables: routes 80 to configured port: {server.port_80_via}
- iptables: routes 443 to configured port: {server.port_443_via}
"""
server_config = get_config(env, yaml_file=server_yaml)
my_put_template = partial(put_template, context=server_config, template_dir=template_dir)
if not env.key_filename:
print(red('Must generate a key for ssh to this server (see example_app/bootstrap.py)'))
if 'root@' not in env.host_string or len(env.roles):
print(red('Must be run as root! (hint: do not run with -R or -H)'))
sys.exit(-1)
setup_env_for_user()
hostname = run('hostname')
append('/etc/hosts', '127.0.0.1 {}'.format(hostname))
local_append('/etc/hosts', text='{} {}'.format(env_ip(), hostname), refuse_keywords=[env_ip(), hostname],
use_sudo=True)
run('apt-get -y --force-yes install sudo vim')
debian_requirements()
install(['denyhosts'])
my_put_template('denyhosts.conf', '/etc/denyhosts.conf')
run('/etc/init.d/denyhosts restart')
password = gen_password()
user_account = 'admin'
with settings(hide('warnings'), warn_only=True):
run('userdel -f -r {}'.format(user_account))
run('useradd {user} -g {group}'.format(user=user_account, group='sudo'))
print(red("Set password for admin (has sudo rights), type in: {} or choose one yourself".format(password)))
passwd_retry('admin')
user_add_ssh(user_account, pub_key_file=pub_key_file)
local_ssh_config(env_ip(), hostname, server_config['server']['ssh_port'], env.key_filename)
# TODO: lock down: http://rudd-o.com/linux-and-free-software/hardening-a-linux-server-in-10-minutes
my_put_template('rc.local', '/etc/rc.local')
my_put_template('init_supervisors.py', '/etc/init_supervisors.py')
# config iptables
run('/etc/rc.local')
my_put_template('sshd_config', '/etc/ssh/sshd_config')
# note after restart, can only login as admin via public key on ssh-port defined in template
run('/etc/init.d/ssh restart')
print_successful()
def create_instance(user_account):
""" create account for user and install requirements
"""
with total_silence():
execute(supervisor.stop_program, 'all') # in case this is re-init, stop all
execute(admin.create_user, user_account, password='******', hosts=new_host_string('admin'))
execute(system.python, hosts=new_host_string(user_account))
execute(system.nginx, hosts=new_host_string(user_account))
execute(system.uwsgi, hosts=new_host_string(user_account))
execute(supervisor.install, hosts=new_host_string(user_account))
print_successful()
def example_deploy(app_name):
""" an example of a deploy function (run setup_example first)
"""
run('pip install django')
with cd('~/etc'):
run('django-admin.py startproject {}'.format(app_name))
run('mv ~/etc/{0}/{0}/wsgi.py ~/conf/wsgi.py'.format(app_name))
fix_sys_path = ("import os\\n"
"import sys\\n"
"sys.path.insert(0, os.path.expanduser('~/etc/{}'))".format(app_name))
run('sed -i "1i {}" ~/conf/wsgi.py'.format(fix_sys_path))
execute(configure)
print_successful()
def init():
""" sets-up reverse-proxy
"""
with total_silence():
execute(supervisor.stop_program, "all") # in case this is re-init, stop all
execute(system.python)
execute(system.nginx)
execute(supervisor.install)
execute(configure)
print(yellow("generating self signed ssl for now (you should have yours signed and use proxy.update_ssl!)"))
keys = dict(ssl_key=rel_path("dummy_ssl.key"), ssl_cert=rel_path("dummy_ssl.cert"))
local("openssl req -nodes -new -x509 -keyout {ssl_key} -out {ssl_cert}".format(**keys))
update_ssl(**keys)
print_successful()
def configure():
put_template('app_nginx.conf', '~/conf/nginx.conf', context=get_role_config(env))
put_template('app_uwsgi.ini', '~/conf/uwsgi.ini', context=get_role_config(env))
put_template('app_supervisor.ini', '~/conf/supervisor.ini', context=get_role_config(env))
execute(supervisor.restart)
print_successful()
