def proxy_consul_dns(state=None, host=None):
with tempfile.NamedTemporaryFile(delete=False, mode="w") as source_file:
source_file.write("[Resolve]\nDNS=127.0.0.1\nDomains=~consul")
files.put(
name=
"Configure systemd-resolved to resolve .consul domains locally",
dest="/etc/systemd/resolved.conf.d/consul.conf",
src=source_file.name,
create_remote_dir=True,
state=state,
host=host,
)
systemd.service(
name="Enable systemd-resolved",
service="systemd-resolved",
enable=True,
running=True,
state=state,
host=host,
)
for protocol in ("tcp", "udp"):
iptables.rule(
name=f"Route localhost {protocol} DNS queries to Consul port",
present=True,
table="nat",
protocol=protocol,
chain="OUTPUT",
append=True,
jump="REDIRECT",
destination="localhost",
destination_port=DEFAULT_DNS_PORT,
to_ports=CONSUL_DNS_PORT,
state=state,
host=host,
)
def configure_hashicorp_product(product: HashicorpProduct,
state=None,
host=None):
put_results = []
for fpath, file_contents in product.render_configuration_files():
temp_src = tempfile.NamedTemporaryFile(delete=False, mode="w")
temp_src.write(file_contents)
put_results.append(
files.put(
name=f"Create configuration file {fpath} for {product.name}",
src=temp_src.name,
create_remote_dir=True,
user=product.name,
group=product.name,
dest=fpath,
state=state,
host=host,
))
temp_src.close()
if host.fact.has_systemd:
systemd.service(
name=f"Reload service for {product.name}",
service=product.name,
reloaded=any(upload_result.changed
for upload_result in put_results),
host=host,
state=state,
)
def _manage_worker_node_keys(concourse_config: ConcourseWorkerConfig,
sudo=True,
host=None,
state=None):
if concourse_config.tsa_public_key:
tsa_key_file = tempfile.NamedTemporaryFile(delete=False)
tsa_key_file.write(concourse_config.tsa_public_key.encode("utf8"))
files.put(
name="Write TSA public key file",
dest=concourse_config.tsa_public_key_path,
src=tsa_key_file.name,
user=concourse_config.user,
mode="600",
state=state,
host=host,
sudo=sudo,
)
if concourse_config.worker_private_key:
worker_key_file = tempfile.NamedTemporaryFile(delete=False)
worker_key_file.write(
concourse_config.worker_private_key.encode("utf8"))
files.put(
name="Write worker private key file",
dest=concourse_config.worker_private_key_path,
src=worker_key_file.name,
user=concourse_config.user,
mode="600",
state=state,
host=host,
sudo=sudo,
)
elif not host.fact.file(concourse_config.worker_private_key_path):
server.shell(
name="Generate a worker private key",
commands=[
f"{concourse_config.deploy_directory}/bin/concourse generate-key -t ssh -f {concourse_config.worker_private_key_path}" # noqa: E501
],
state=state,
host=host,
sudo=sudo,
)
def configure_caddy(caddy_config: CaddyConfig, state=None, host=None):
if caddy_config.caddyfile.suffix == ".j2":
caddy_file = files.template(
name="Create Caddyfile",
src=caddy_config.caddyfile,
dest="/etc/caddy/Caddyfile",
context=caddy_config.template_context,
state=state,
host=host,
)
else:
caddy_file = files.put(
name="Upload Caddyfile",
src=caddy_config.caddyfile,
dest="/etc/caddy/Caddyfile",
state=state,
host=host,
)
return caddy_file.changed
name='Create the pyinfra_stuff database',
database='pyinfra_stuff',
user='******',
user_privileges=['SELECT', 'INSERT'],
charset='utf8',
)
# Upload & import a SQL file into the pyinfra_stuff database
#
filename = 'files/a_db.sql'
temp_filename = state.get_temp_filename(filename)
files.put(
name='Upload the a_db.sql file',
src=filename,
dest=temp_filename,
)
mysql.load(
name='Import the a_db.sql file',
src=temp_filename,
database='pyinfra_stuff',
)
# Now duplicate the pyinfra_stuff database -> pyinfra_stuff_copy
#
mysql.database(
name='Create the pyinfra_stuff_copy database',
database='pyinfra_stuff_copy',
''')
python.call(
name='Generate client wireguard config',
function=generate_client_config,
)
python.call(
name='Generate wireguard config',
function=generate_config,
)
files.put(
name='Upload wireguard config',
src=WG_CONF,
dest=f'/etc/wireguard/{WG_IF}.conf',
)
files.put(name='Create wireguard interface configuration',
src=io.StringIO(f'''\
inet {SERVER} {NETWORK.netmask} NONE description "wireguard"
{f"inet6 alias {IPV6NETWORK[102*16*16*16*16]}/112" if IPV6NETWORK else ""}
up
!/usr/local/bin/wg setconf {WG_IF} /etc/wireguard/wg0.conf
!/usr/local/bin/wg set {WG_IF} private-key /etc/wireguard/server.key
'''),
dest=f'/etc/hostname.{WG_IF}',
mode='640')
def call_file_op():
files.put(
name="Third main operation",
src="files/a_file",
dest="/a_file",
)
from pyinfra import host
from pyinfra.operations import apt, server, files
SUDO = False
files.put(
'dockerfile',
'dockerfile',
)
import os
from datetime import datetime
from pyinfra.operations import files, server
now = datetime.now()
time_id = now.strftime("%Y-%m-%d-%H-%M-%S") # 2020-07-27-18-20-06
filename = f'biaoqingbao-frontend-{time_id}.tar.gz'
os.system(f'tar -zcvf {filename} ../build')
repo_dir = '/opt/www/biaoqingbao-frontend'
files.put(
name=f'Upload {filename}',
src=filename,
dest=f'{repo_dir}/{filename}',
mode='644',
)
files.directory(
name='Remove old build dir',
path=f'{repo_dir}/build',
present=False,
)
server.shell(
name=f'Extract {filename}',
commands=[f'tar -zxvf {filename}'],
chdir=repo_dir,
)
def _manage_web_node_keys(
concourse_config: ConcourseWebConfig,
state=None,
host=None,
sudo=True,
):
# Create authorized_keys file
files.template(
name="Create authorized_keys file to permit worker connections",
src=Path(__file__).parent.joinpath("templates", "authorized_keys.j2"),
dest=concourse_config.authorized_keys_file,
user=concourse_config.user,
authorized_keys=concourse_config.authorized_worker_keys or [],
state=state,
host=host,
sudo=sudo,
)
# Write tsa_host_key and session_signing_key
if concourse_config.tsa_host_key:
host_key_file = tempfile.NamedTemporaryFile(delete=False)
host_key_file.write(concourse_config.tsa_host_key.encode("utf8"))
files.put(
name="Write tsa_host_key file",
dest=concourse_config.tsa_host_key_path,
user=concourse_config.user,
mode="600",
src=host_key_file.name,
state=state,
host=host,
sudo=sudo,
)
elif not host.fact.file(concourse_config.tsa_host_key_path):
server.shell(
name="Generate a tsa host key",
commands=[
f"{concourse_config.deploy_directory}/bin/concourse generate-key -t ssh -f {concourse_config.tsa_host_key_path}" # noqa: E501
],
state=state,
host=host,
sudo=sudo,
)
if concourse_config.session_signing_key:
session_signing_key_file = tempfile.NamedTemporaryFile(delete=False)
session_signing_key_file.write(
concourse_config.session_signing_key.encode("utf8"))
files.put(
name="Write session_signing_host_key file",
dest=concourse_config.session_signing_key_path,
user=concourse_config.user,
mode="600",
src=session_signing_key_file.name,
state=state,
host=host,
sudo=sudo,
)
elif not host.fact.file(concourse_config.session_signing_key_path):
server.shell(
name="Generate a session signing key",
commands=[
f"{concourse_config.deploy_directory}/bin/concourse generate-key -t rsa -f {concourse_config.session_signing_key_path}" # noqa: E501
],
state=state,
host=host,
sudo=sudo,
)
if host.get_fact(LinuxName) == "Alpine":
server.packages(
name="Ensure Consul Template is installed.",
packages=["consul-template"],
present=True,
)
files.link(
name="Symlink consul-template.hcl to config.hcl",
path="/etc/consul-template/consul-template.hcl",
target="/etc/consul-template/configs",
)
else:
# lol systemd
files.put(
name="Install Consul Template binary.",
src="files/consul-template",
dest="/usr/local/sbin/consul-template",
mode="755",
)
files.put(
name="Create Consul Template service.",
src="files/consul-template.service",
dest="/etc/systemd/system/consul-template.service",
mode="644",
)
systemd.daemon_reload()
user="******",
group="root",
mode="644",
line='vault_opts="agent -config=/etc/vault.d/agent.hcl"',
)
server.service(
name="Restart and enable the Vault agent",
service="vault",
running=True,
restarted=True,
enabled=True,
)
else:
# assume systemd by default because of its grasp over everything.
files.put(
name="Create Vault agent service.",
src="files/vault-agent.service",
dest="/etc/systemd/system/vault-agent.service",
mode="644",
)
systemd.service(
name="Restart and enable the Vault agent",
service="vault-agent.service",
running=True,
restarted=True,
enabled=True,
)
files.sync(
name='Install hockeypuck binaries',
src=project_root + '/bin',
dest='/usr/bin',
mode='755',
user='******',
group='root',
sudo=True,
)
files.put(
name='Install hockeypuck service',
src=project_root + '/debian/hockeypuck.service',
dest='/etc/systemd/system/hockeypuck.service',
mode='644',
user='******',
group='root',
sudo=True,
)
files.template(
name='Configure hockeypuck',
src='hockeypuck.conf',
dest='/etc/hockeypuck/hockeypuck.conf',
mode='644',
sudo=True,
peers=host.data.peers,
)
postgresql.role(
from pyinfra.operations import files
# Note: This requires files in the files/ directory.
SUDO = True
if host.fact.linux_name in ['CentOS', 'RedHat']:
files.download(
{'Download the Docker repo file'},
'https://download.docker.com/linux/centos/docker-ce.repo',
'/etc/yum.repos.d/docker-ce.repo',
)
files.put(
{'Update the message of the day file'},
'files/motd',
'/etc/motd',
mode='644',
)
# prepare to do some maintenance
maintenance_line = 'SYSTEM IS DOWN FOR MAINTENANCE'
# files.line(
# {'Add the down-for-maintenance line in /etc/motd'},
# '/etc/motd',
# maintenance_line,
# )
# do some maintenance...
# Then, after the maintenance is done, remove the maintenance line
files.line(
{'Remove the down-for-maintenance line in /etc/motd'},
)["auth"]["client_token"]
else:
vault_token = None
files.template(
name="Create Nomad Vault config.",
src="templates/nomad/vault.j2",
dest="/etc/nomad.d/20-vault.hcl",
mode="644",
vault_token=vault_token,
vault_url=host.data.vault_url,
)
files.put(
name="Create Nomad service.",
src="files/nomad/systemd-nomad.service",
dest="/etc/systemd/system/nomad.service",
mode="644",
)
systemd.daemon_reload()
server.service(
name="Restart Consul Template.",
service="consul-template",
running=True,
restarted=True,
enabled=True,
)
server.service(
name="Restart Nomad.", service="nomad", running=True, enabled=True, restarted=True
)
from pyinfra.operations import files, server
files.put(
name="Install HSM root CA.",
src="common/root_ca.crt",
dest="/etc/ssl/certs/General_Programming_Root.pem",
mode="644",
)
server.packages(
name="Install base image packages.",
packages=[
"gnupg",
"software-properties-common",
],
)
# Include the whole file again, but for all hosts
local.include('tasks/a_task.py')
# Execute the @deploy function
my_deploy()
# Do a loop which will generate duplicate op hashes
for i in range(2):
server.shell(
name='Loop-{0} main operation'.format(i),
commands='echo loop_{0}_main_operation'.format(i),
)
files.put(
name='Third main operation',
src='files/a_file',
dest='/a_file',
)
with state.preserve_loop_order([1, 2]) as loop_items:
for item in loop_items():
server.shell(
name='Order loop {0}'.format(item),
commands='echo loop_{0}'.format(item),
)
server.shell(
name='2nd Order loop {0}'.format(item),
commands='echo loop_{0}'.format(item),
)
if host.name == 'somehost':
def call_file_op():
files.put(
name='Third main operation',
src='files/a_file',
dest='/a_file',
)
{'Create the pyinfra_stuff database'},
'pyinfra_stuff',
user='******',
user_privileges=['SELECT', 'INSERT'],
charset='utf8',
)
# Upload & import a SQL file into the pyinfra_stuff database
#
filename = 'files/a_db.sql'
temp_filename = state.get_temp_filename(filename)
files.put(
{'Upload the a_db.sql file'},
filename,
temp_filename,
)
mysql.load(
{'Import the a_db.sql file'},
temp_filename,
database='pyinfra_stuff',
)
# Now duplicate the pyinfra_stuff database -> pyinfra_stuff_copy
#
mysql.database(
{'Create the pyinfra_stuff_copy database'},
'pyinfra_stuff_copy',
from pyinfra.facts.files import File
from pyinfra.facts.server import LinuxName
from pyinfra.operations import files
# Note: This requires files in the files/ directory.
if host.get_fact(LinuxName) in ["CentOS", "RedHat"]:
files.download(
name="Download the Docker repo file",
src="https://download.docker.com/linux/centos/docker-ce.repo",
dest="/etc/yum.repos.d/docker-ce.repo",
)
files.put(
name="Update the message of the day file",
src="files/motd",
dest="/etc/motd",
mode="644",
)
# prepare to do some maintenance
maintenance_line = "SYSTEM IS DOWN FOR MAINTENANCE"
# files.line(
# name='Add the down-for-maintenance line in /etc/motd',
# '/etc/motd',
# maintenance_line,
# )
# do some maintenance...
# Then, after the maintenance is done, remove the maintenance line
files.line(
name="Remove the down-for-maintenance line in /etc/motd",
from pyinfra.operations import files
# Note: This requires files in the files/ directory.
SUDO = True
if host.fact.linux_name in ['CentOS', 'RedHat']:
files.download(
name='Download the Docker repo file',
src='https://download.docker.com/linux/centos/docker-ce.repo',
dest='/etc/yum.repos.d/docker-ce.repo',
)
files.put(
name='Update the message of the day file',
src='files/motd',
dest='/etc/motd',
mode='644',
)
# prepare to do some maintenance
maintenance_line = 'SYSTEM IS DOWN FOR MAINTENANCE'
# files.line(
# name='Add the down-for-maintenance line in /etc/motd',
# '/etc/motd',
# maintenance_line,
# )
# do some maintenance...
# Then, after the maintenance is done, remove the maintenance line
files.line(
name='Remove the down-for-maintenance line in /etc/motd',
import ipaddress
import json
import os
from pyinfra import host
from pyinfra.operations import files, server, systemd
files.template(
name="Create Consul config.",
src="templates/consul/node.j2",
dest="/etc/consul.d/consul.hcl",
mode="644",
consul_datacenter=host.data.consul_datacenter,
consul_servers=json.dumps(host.data.consul_servers),
)
files.put(
name="Consul node_exporter template.",
src="common/consul_configs/service_node_exporter.json",
dest="/etc/consul.d/service_node_exporter.json",
mode="644",
)
server.service(
name="Restart Consul.",
service="consul",
running=True,
restarted=True,
enabled=True,
)