Example #1
def autoupgrade():
    """Enable periodic, unattended APT upgrades on the target host.

    Requests the unattended-upgrades package through util.debian_install and
    hands the APT::Periodic settings below to util.putstring for
    /etc/apt/apt.conf.d/10periodic.
    """
    util.debian_install("unattended-upgrades")

    # APT::Periodic values are intervals in days: refresh package lists,
    # download upgradeable packages and run unattended-upgrade daily, and
    # autoclean the package cache every 7 days.
    # NOTE(review): which origins get upgraded is decided by the
    # unattended-upgrades configuration, which is not touched here; confirm
    # security updates are in scope and decide how required reboots are handled.
    periodic_conf = """APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";"""
    util.putstring(periodic_conf, "/etc/apt/apt.conf.d/10periodic")
Example #2
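def harden():
    """Apply the baseline hardening sequence to the target host.

    Order of operations: upgrade packages, enable automatic upgrades, install
    fail2ban, append the operator's local public key to
    ~/.ssh/authorized_keys, wait for the operator to type YES, set
    "PasswordAuthentication no" in /etc/ssh/sshd_config, restart ssh, then set
    up the deploy user, logwatch and finally the firewall.

    Raises:
        IOError: if ~/.ssh/id_rsa.pub cannot be read on the local machine.
        ValueError: if the local public key file is empty, so that password
            auth is never disabled without a usable key in place.
    """
    upgrade()
    autoupgrade()
    util.debian_install("fail2ban")

    print("attempting to configure key-based auth for root...")
    import os.path
    # Read the operator's public key and close the handle deterministically.
    with open(os.path.expanduser("~/.ssh/id_rsa.pub")) as keyFile:
        localKey = keyFile.read()
    # Lockout guard: an empty key followed by "PasswordAuthentication no"
    # would leave no way to log in.
    if not localKey.strip():
        raise ValueError("local public key ~/.ssh/id_rsa.pub is empty")
    util.append(localKey, "~/.ssh/authorized_keys")

    # Manual gate: the operator should verify key-based login from a second
    # session before confirming, and keep the current session open.
    print("WARNING: YOU *MUST* have root configured to continue.  Type YES to confirm.")
    confirm = None
    while confirm != "YES":
        confirm = raw_input()

    print("disabling password auth for root")
    # NOTE(review): PasswordAuthentication is a global sshd directive unless
    # it sits inside a Match block, so this most likely disables password
    # logins for every account, not only root -- confirm how util.config
    # writes it. Keyboard-interactive/PAM logins are a separate setting and
    # are not changed here.
    util.config("PasswordAuthentication no", "/etc/ssh/sshd_config")

    # NOTE(review): validating the file (e.g. `sshd -t`) before restarting
    # would avoid taking sshd down on a malformed config.
    run("service ssh restart")

    setupDeployUser()
    logwatch()

    firewall()  #this should be run last, since it can abort the SSH connection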
Example #3
def install_docker():
    """Install Docker on the target host and prepare cgroups and IP forwarding.

    DigitalOcean requires a kernel fix first (see documentation), so before
    you run this command:
    1.  Go to Settings->Kernel
    2.  Choose Debian Unstable x64
    3.  Power cycle
    4.  Run digitalOceanKernelFix command
    """

    kernel_upgrade()
    #run("modprobe aufs") #not necessary on Linode?
    #Linode wants "busybox"
    util.debian_install("curl")
    # SECURITY: the installer is fetched over plain HTTP and piped straight
    # into bash, so nothing authenticates or integrity-checks what gets
    # executed on the host. Prefer a signed package repository, or download
    # over HTTPS, verify a published checksum/signature, then run the file.
    run("wget http://get.docker.io -O - | bash")
    # warn_only: a failure here (e.g. the group already exists) is reported
    # but does not stop the run -- presumably Fabric's settings(); confirm.
    with settings(warn_only=True):
        run("groupadd docker")
        # SECURITY: membership in the docker group is effectively
        # root-equivalent on the host (full control of the Docker daemon),
        # so the "deploy" account must be protected accordingly.
        run("gpasswd -a deploy docker")

    init_setup()

    # Mount a cgroup filesystem at /cgroup, persisted through /etc/fstab.
    # https://github.com/dotcloud/docker/issues/431
    util.append(
        "none        /cgroup        cgroup        defaults    0    0", "/etc/fstab")
    with settings(warn_only=True):
        run("mkdir -p /cgroup")
        run("mount /cgroup")

    # Enables IPv4 forwarding host-wide and reloads sysctl settings. With
    # forwarding on, the firewall's forward policy decides what the host will
    # route; review it together with this setting.
    util.append("net.ipv4.ip_forward=1", "/etc/sysctl.conf")
    run("sysctl -p")

    #fix_cgroups() Isn't necessary on Linode

    run("service docker start")
Example #4
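def harden():
	"""Run the host hardening sequence: upgrades, fail2ban, SSH keys, firewall.

	The local ~/.ssh/id_rsa.pub is appended to ~/.ssh/authorized_keys, the
	operator must type YES, and only then is "PasswordAuthentication no"
	written to /etc/ssh/sshd_config and ssh restarted. The deploy user,
	logwatch and the firewall are set up afterwards, firewall last.

	Raises:
		IOError: if the local public key file cannot be read.
		ValueError: if the local public key file is empty (lockout guard).
	"""
	upgrade()
	autoupgrade()
	util.debian_install("fail2ban")

	print("attempting to configure key-based auth for root...")
	import os.path
	# Use a context manager so the key file handle is always closed.
	with open(os.path.expanduser("~/.ssh/id_rsa.pub")) as keyFile:
		localKey = keyFile.read()
	# Refuse to continue with an empty key: password auth is disabled below,
	# and without a valid key nobody could log in afterwards.
	if not localKey.strip():
		raise ValueError("local public key ~/.ssh/id_rsa.pub is empty")
	util.append(localKey,"~/.ssh/authorized_keys")

	# Operator checkpoint: confirm key login works from a separate session
	# before typing YES.
	print("WARNING: YOU *MUST* have root configured to continue.  Type YES to confirm.")
	confirm = None
	while confirm != "YES":
		confirm = raw_input()

	print("disabling password auth for root")
	# NOTE(review): outside a Match block this directive applies to all
	# accounts, not just root; verify what util.config actually writes.
	util.config("PasswordAuthentication no","/etc/ssh/sshd_config")

	# NOTE(review): a config check such as `sshd -t` before the restart would
	# catch a broken sshd_config while the current session is still alive.
	run("service ssh restart")

	setupDeployUser()
	logwatch()

	firewall() #this should be run last, since it can abort the SSH connection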
Example #5
def install_docker():
    """Install Docker on the target host, then set up cgroups and forwarding.

    Runs the kernel upgrade, loads aufs, installs curl, executes the Docker
    install script, adds the "deploy" user to a "docker" group, mounts a
    cgroup filesystem at /cgroup, enables IPv4 forwarding and starts Docker.
    """
    kernel_upgrade()
    run("modprobe aufs")
    util.debian_install("curl")

    # SECURITY: script is downloaded over plain HTTP and executed by bash
    # without any integrity or authenticity check. A signed package
    # repository, or an HTTPS download verified against a published
    # checksum before execution, removes that exposure.
    installer_cmd = "wget http://get.docker.io -O - | bash"
    run(installer_cmd)

    # Failures are tolerated here (warn_only), e.g. when the group exists.
    # SECURITY: docker group membership is effectively root on the host.
    with settings(warn_only=True):
        for group_cmd in ("groupadd docker", "gpasswd -a deploy docker"):
            run(group_cmd)

    init_setup()

    # https://github.com/dotcloud/docker/issues/431
    cgroup_fstab_entry = "none        /cgroup        cgroup        defaults    0    0"
    util.append(cgroup_fstab_entry, "/etc/fstab")
    with settings(warn_only=True):
        for mount_cmd in ("mkdir -p /cgroup", "mount /cgroup"):
            run(mount_cmd)

    # Host-wide IPv4 forwarding; what is actually routed then depends on the
    # firewall's forward policy.
    util.append("net.ipv4.ip_forward=1", "/etc/sysctl.conf")
    run("sysctl -p")

    run("service docker start")
Example #6
def install_docker():
	"""Provision Docker on the target host.

	Sequence: kernel upgrade, aufs module, curl, Docker install script,
	docker group for the "deploy" user, init setup, /cgroup mount, IPv4
	forwarding, service start.
	"""
	kernel_upgrade()
	run("modprobe aufs")
	util.debian_install("curl")

	# SECURITY: unauthenticated HTTP download piped into a shell. Nothing
	# verifies the script before it runs; prefer a signed repository or a
	# checksum-verified HTTPS download.
	fetch_and_run = "wget http://get.docker.io -O - | bash"
	run(fetch_and_run)

	# Group setup is best-effort (warn_only). Note that any member of the
	# docker group can control the daemon, which is root-equivalent access.
	with settings(warn_only=True):
		run("groupadd docker")
		run("gpasswd -a deploy docker")

	init_setup()

	# https://github.com/dotcloud/docker/issues/431
	fstab_path = "/etc/fstab"
	fstab_line = "none        /cgroup        cgroup        defaults    0    0"
	util.append(fstab_line,fstab_path)
	with settings(warn_only=True):
		run("mkdir -p /cgroup")
		run("mount /cgroup")

	# Turns the host into an IPv4 forwarder; keep the firewall's forward
	# rules in mind when reviewing this.
	sysctl_setting = "net.ipv4.ip_forward=1"
	util.append(sysctl_setting,"/etc/sysctl.conf")
	run("sysctl -p")

	run("service docker start")
	
Example #7
def logwatch():
    """Install logwatch and schedule a daily high-detail mail report.

    The report command is appended to /etc/cron.daily/00logwatch through
    util.append.
    """
    util.debian_install("logwatch")

    # NOTE(review): the --mailto value shown here looks like an e-mail
    # obfuscation placeholder rather than a deliverable address; set a
    # monitored mailbox, otherwise the reports reach nobody.
    cron_script = "/etc/cron.daily/00logwatch"
    report_cmd = "/usr/sbin/logwatch --output mail --mailto [email protected] --detail high"
    util.append(report_cmd, cron_script)
Example #8
def firewall():
    """Install ufw, allow SSH, relax the forward policy and enable the firewall.

    Port 22 is allowed before `ufw enable` so the rule exists when the
    firewall comes up.
    """
    util.debian_install("ufw")

    # Opens SSH to every source address. NOTE(review): restricting the source
    # range or using `ufw limit 22` for rate limiting would narrow exposure.
    run("ufw allow 22")

    # https://github.com/dotcloud/docker/issues/1251
    # SECURITY: switches ufw's default forward policy from DROP to ACCEPT, so
    # forwarded traffic is accepted unless another rule blocks it. This is a
    # deliberate weakening for Docker networking; review it with the host's
    # ip_forward setting.
    forward_policy_edit = """sed -i /etc/default/ufw -e 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/g'"""
    run(forward_policy_edit)

    run("ufw enable")
Example #9
def logwatch():
	"""Set up a daily logwatch mail report on the target host.

	Installs logwatch via util.debian_install, then appends the report
	command to /etc/cron.daily/00logwatch via util.append.
	"""
	util.debian_install("logwatch")
	# NOTE(review): the recipient below appears to be a redaction
	# placeholder; point --mailto at a mailbox that is actually read.
	daily_report = "/usr/sbin/logwatch --output mail --mailto [email protected] --detail high"
	util.append(daily_report,"/etc/cron.daily/00logwatch")
Example #10
def firewall():
	"""Bring up ufw with SSH allowed and forwarding accepted by default."""
	util.debian_install("ufw")
	# Commands run in this exact order: the SSH allow rule must exist before
	# the firewall is enabled.
	# SECURITY: the sed edit changes DEFAULT_FORWARD_POLICY from DROP to
	# ACCEPT (https://github.com/dotcloud/docker/issues/1251), which accepts
	# forwarded traffic by default; "ufw allow 22" admits SSH from any source.
	ufw_steps = (
		"ufw allow 22",
		"""sed -i /etc/default/ufw -e 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/g'""",
		"ufw enable",
	)
	for step in ufw_steps:
		run(step)
Example #11
def autoupgrade():
	"""Turn on daily unattended APT upgrades for the target host.

	Requests the unattended-upgrades package and passes the APT::Periodic
	settings to util.putstring for /etc/apt/apt.conf.d/10periodic.
	"""
	util.debian_install("unattended-upgrades")
	# Values are intervals in days: daily list refresh, download and
	# unattended upgrade; weekly autoclean.
	# NOTE(review): the set of upgraded origins comes from the
	# unattended-upgrades configuration, which this function leaves as is.
	periodic_settings = "\n".join([
		'APT::Periodic::Update-Package-Lists "1";',
		'APT::Periodic::Download-Upgradeable-Packages "1";',
		'APT::Periodic::AutocleanInterval "7";',
		'APT::Periodic::Unattended-Upgrade "1";',
	])
	util.putstring(periodic_settings,"/etc/apt/apt.conf.d/10periodic")