def install0(**kwargs): installed = lambda: run( "dpkg-query --showformat='${Version}' --show elasticsearch", quiet=True) if sudo("dpkg -s elasticsearch", quiet=True, warn_only=True).failed: sudo( "wget -O - http://packages.elasticsearch.org/GPG-KEY-elasticsearch | apt-key add -" ) append( "/etc/apt/sources.list.d/elasticsearch.list", "deb http://packages.elasticsearch.org/elasticsearch/{}/debian stable main" .format(kwargs["VERSION"][:kwargs["VERSION"].rfind(".")] if kwargs["VERSION"].count(".") == 3 else kwargs["VERSION"]), use_sudo=True, ) sudo("apt update") sudo("apt-get install -y elasticsearch={}".format(kwargs["VERSION"])) if kwargs.get("NO_UPGRADE"): sudo("apt-mark hold elasticsearch") restart_systemd("elasticsearch") return "elasticsearch {} installed".format(installed()) return "[Already] elasticsearch {} installed".format(installed())
def configure_riot_nginx5(root="/var/www/riot", **kwargs): kwargs.setdefault("LISTEN_PORT", 80) server_block = utils.merge_into( emit.server_block( server_name=kwargs["SERVER_NAME"], listen=kwargs["LISTEN_PORT"] ), emit.html5_block("/", root), ) sio = StringIO() sio.write( dumps( loads(emit.redirect_block(server_name=kwargs["SERVER_NAME"], port=80)) + server_block if kwargs["LISTEN_PORT"] == 443 else server_block ) ) put( sio, "/etc/nginx/sites-enabled/{server_name}".format( server_name=kwargs["SERVER_NAME"] ), use_sudo=True, ) return restart_systemd("nginx")
def install0(**kwargs): installed = lambda: run( "dpkg-query --showformat='${Version}' --show mongodb-org", quiet=True ) def mongodb_apt_init(): if kwargs["VERSION"] == "3.4": sudo( "apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 0C49F3730359A14518585931BC711F9BA15703C6" ) sudo("rm /etc/apt/sources.list.d/mongodb-org*") append( "/etc/apt/sources.list.d/mongodb-org-3.4.list", "deb [ arch=amd64,arm64 ] http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 multiverse", use_sudo=True, ) elif kwargs["VERSION"] == "3.6": sudo( "apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 2930ADAE8CAF5059EE73BB4B58712A2291FA4AD5" ) sudo("rm /etc/apt/sources.list.d/mongodb-org*") append( "/etc/apt/sources.list.d/mongodb-org-3.6.list", "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.6 multiverse", use_sudo=True, ) else: raise NotImplementedError( "MongoDB version {}; update the package, or use '3.4' | '3.6'".format( kwargs["VERSION"] ) ) if sudo("dpkg -s mongodb-org", quiet=True, warn_only=True).failed: mongodb_apt_init() apt_depends("mongodb-org") restart_systemd("mongod") return "MongoDB {} installed".format(installed()) version = installed() if not version.startswith(kwargs["VERSION"]): mongodb_apt_init() apt_depends("mongodb-org") restart_systemd("mongod") return "MongoDB {} installed".format(installed()) return "[Already] MongoDB {} installed".format(installed())
def apply_cert2(c, domains, use_sudo=True, **kwargs): """ :param c: Connection :type c: ```fabric.connection.Connection``` """ certs_dirname = frozenset( d for d in c.sudo("ls -AQlx /etc/letsencrypt/live").stdout.split('"') if len(d.strip())) def apply_cert(domain): if domain.endswith(".conf"): domain = domain[:len(".conf") - 2] assert domain in certs_dirname, "{domain} doesn't have certs generated".format( domain=domain) conf_name = "/etc/nginx/sites-enabled/{nginx_conf}.conf".format( nginx_conf=domain) # cStringIO.StringIO, StringIO.StringIO, TemporaryFile, SpooledTemporaryFile all failed :( tempfile = mkstemp(domain)[1] c.get(remote=conf_name, local=tempfile) updated_conf = upsert_ssl_cert_to_443_block( conf_file=upsert_redirect_to_443_block(conf_file=tempfile, server_name=domain), server_name=domain, ssl_certificate="/etc/letsencrypt/live/{domain}/fullchain.pem". format(domain=domain), ssl_certificate_key="/etc/letsencrypt/live/{domain}/privkey.pem". format(domain=domain), ) remove(tempfile) sio1 = StringIO() sio1.write(dumps(updated_conf)) sio1.seek(0) c.put(sio1, conf_name) # use_sudo=use_sudo) return conf_name r = tuple(map(apply_cert, domains)) restart_systemd(c, "nginx") return {"updated_ssl_info": r}
def install0(**kwargs): installed = lambda: run( 'mysqld --version | while read _ _ ver _; do echo "$ver"; done', quiet=True) if sudo("dpkg -s mysql-server", quiet=True, warn_only=True).failed: with shell_env(DEBIAN_FRONTEND="noninteractive"): # TODO: Better password handling; I think this can get leaked, even with `quiet=True`? sudo( """ debconf-set-selections <<< 'mysql-server mysql-server/root_password password {password}'; debconf-set-selections <<< 'mysql-server mysql-server/root_password_again password {password}'; """.format(password=kwargs["MYSQL_PASSWORD"]), quiet=True, ) apt_depends("mysql-server", "mysql-client", "libmysqlclient-dev") sudo("systemctl unmask mysql") restart_systemd("mysql") return "MySQL {} installed".format(installed()) return "[Already] MySQL {} installed".format(installed())
def install_service0(conf_name, *args, **kwargs): install_upgrade_service( conf_name, conf_local_filepath=kwargs.get("systemd-conf-file"), context={ "ExecStart": kwargs["ExecStart"], "Environments": kwargs["Environments"], "WorkingDirectory": kwargs["WorkingDirectory"], "User": kwargs["User"], "Group": kwargs["Group"], }, ) return restart_systemd(conf_name)
def install0(*args, **kwargs): apt_depends("libpcre3", "libpcre3-dev") # ^ Needed for uWSGI # if not exists("/etc/systemd/system/circusd.service"): use_sudo = kwargs.get("use_sudo", True) remote_user = kwargs.get( "SERVICE_USER", _run_command("echo $USER", quiet=True, sudo=use_sudo)) if remote_user.startswith("$"): remote_user = _run_command( "echo {remote_user}".format(remote_user=remote_user), quiet=True, sudo=use_sudo, ) database_uri = kwargs.get("BACKEND_DATABASE_URI", kwargs["RDBMS_URI"]) if not isinstance(database_uri, str): database_uri = "".join(map(str, database_uri)) name = kwargs["GIT_REPO"][kwargs["GIT_REPO"].rfind("/") + 1:].replace( "-", "_") env_vars = "\n{}".format("\n".join("{key}={val}".format( key=key, val="".join(map(str, val)) if isinstance(val, (list, tuple)) else val, ) for key, val in kwargs.get("BACKEND_ENV_VARS", {}).items())) _install_backend( backend_root=kwargs["BACKEND_ROOT"], name=name, remote_user=remote_user, backend_virtual_env=kwargs["BACKEND_VIRTUAL_ENV"], team=kwargs["GIT_TEAM"], repo=kwargs["GIT_REPO"], database_uri=database_uri, env_vars="Environment='".join(env_vars), ) _setup_circus( home=_run_command("echo $HOME", quiet=True, sudo=use_sudo), name=name, remote_user=remote_user, circus_virtual_env=kwargs.get("CIRCUS_VIRTUALENV", "/opt/venvs/circus"), backend_virtual_env=kwargs["BACKEND_VIRTUAL_ENV"], database_uri=database_uri, env_vars=env_vars, backend_root=kwargs["BACKEND_ROOT"], backend_logs_root=kwargs["BACKEND_LOGS_ROOT"], port=int(kwargs.get("BACKEND_PORT", "8001")), ) return restart_systemd("circusd")
def configure_nginx1(*args, **kwargs): new_conf = lambda orig_conf: upsert_by_location( "/hooks", orig_conf, loads( api_proxy_block( "/hooks", "{protocol}://{host}:{port}/{urlprefix}".format( protocol="https" if kwargs.get("HOOK_SECURE") else "http", host=kwargs.get("HOOK_IP", "0.0.0.0"), port=kwargs.get("HOOK_PORT", 9000), urlprefix=kwargs.get("HOOK_URLPREFIX", "hooks"), ), )), ) upsert_upload(new_conf, name="hook") return restart_systemd("nginx")
def configure_nginx2(*args, **kwargs): kwargs.setdefault("LISTEN_PORT", 80) nginx.install_nginx0() nginx.setup_nginx_init1() if kwargs.get("self_signed", False): certificate.self_signed0(use_sudo=True, **kwargs) server_block = utils.merge_into( ( lambda server_block: utils.apply_attributes( server_block, emit.secure_attr(kwargs["SSL_CERTOUT"], kwargs["SSL_KEYOUT"]), ) if kwargs["LISTEN_PORT"] == 443 else server_block )( emit.server_block( server_name=kwargs["MATRIX_SERVER_NAME"], listen=kwargs["LISTEN_PORT"] ) ), emit.api_proxy_block("/_matrix", "https://127.0.0.1:8008"), ) sio = StringIO() sio.write( dumps( loads( emit.redirect_block(server_name=kwargs["MATRIX_SERVER_NAME"], port=80) ) + server_block if kwargs["LISTEN_PORT"] == 443 else server_block ) ) put( sio, "/etc/nginx/sites-enabled/{matrix_server_name}".format( matrix_server_name=kwargs["MATRIX_SERVER_NAME"] ), use_sudo=True, ) return restart_systemd("nginx")
def configure_nginx3(*args, **kwargs): nginx.install_nginx0() nginx.setup_nginx_init1() if kwargs.get("self_signed"): self_signed0(use_sudo=True, **kwargs) server_block = utils.merge_into( ( lambda server_block: utils.apply_attributes( server_block, emit.secure_attr(kwargs["SSL_CERTOUT"], kwargs["SSL_KEYOUT"]), ) if kwargs["LISTEN_PORT"] == 443 else server_block )( emit.server_block( server_name=kwargs["SERVER_NAME"], listen=kwargs["LISTEN_PORT"] ) ), emit.api_proxy_block("/go", "https://localhost:8154"), ) sio = StringIO() sio.write( dumps( loads(emit.redirect_block(server_name=kwargs["SERVER_NAME"], port=80)) + server_block if kwargs["LISTEN_PORT"] == 443 else server_block ) ) put( sio, "/etc/nginx/sites-enabled/{server_name}".format( server_name=kwargs["SERVER_NAME"] ), use_sudo=True, ) return restart_systemd("nginx")
def setup_custom_conf2(c, nginx_conf="api-and-static.conf", conf_keys=None, skip_nginx_restart=False, http_to_https=False, https=False, *args, **kwargs): """ Generate a new nginx config; interpolating vars within. :param c: Connection :type c: ```fabric.connection.Connection``` :param nginx_conf: Nginx conf local filename (for interpolation) :type nginx_conf: ```str``` :param conf_keys: Valid keys that can be interpolated (from kwargs) :type conf_keys: ```Optional[Iterable[str]]``` :param skip_nginx_restart: Whether to skip `nginx` restart :type skip_nginx_restart: ```bool``` :param http_to_https: Whether to redirect HTTP to HTTPS :type http_to_https: ```bool``` :param https: Whether to enable HTTPS (defaults to LetsEncrypt) :type https: ```bool``` """ apt_depends(c, "nginx") kwargs.setdefault("LISTEN_PORT", 80) kwargs.setdefault("NAME_OF_BLOCK", "server_block") kwargs.setdefault("ROUTE_BLOCK", "") kwargs.setdefault("LOCATION", "/") kwargs.setdefault("API_HOST", "127.0.0.1") kwargs.setdefault("API_PORT", 8000) kwargs.setdefault( "EXTRA_BODY_FOOT", "return 302 https://$host$request_uri" if http_to_https else "", ) kwargs.setdefault("LETSENCRYPT", https) kwargs.setdefault("SSL_DHPARAM", "/etc/ssl/certs/dhparam.pem") if https and kwargs["LETSENCRYPT"] and "SERVER_NAME" in kwargs: root = "/etc/letsencrypt/live/{SERVER_NAME}".format( SERVER_NAME=kwargs["SERVER_NAME"]) kwargs.update({ "SSL_CERTIFICATE": "{root}/fullchain.pem".format(root=root), "SSL_CERTIFICATE_KEY": "{root}/privkey.pem".format(root=root), }) builtin_contexts = { "api-and-static.conf": ( "SERVER_NAME", "WWWROOT", "API_HOST", "API_PORT", "LISTEN_PORT", ), "static.conf": ("SERVER_NAME", "WWWROOT"), "proxy-pass.conf": ( "NAME_OF_BLOCK", "SERVER_LOCATION", "SERVER_NAME", "ROUTE_BLOCK", "LISTEN_PORT", "LOCATION", ), "websocket.location.conf": ( "API_HOST", "API_PORT", ), "websocket.conf": ( "EXTRA_HEAD", "SERVER_NAME", "LISTEN_PORT", "SERVER_BODY", "EXTRA_BODY_FOOT", ), "websocket.https.conf": ( "EXTRA_HEAD", "SERVER_NAME", "SSL_CERTIFICATE", "SSL_CERTIFICATE_KEY", "SSL_DHPARAM", "SERVER_BODY", ), } # type: Dict[str, Iterable[str]] if conf_keys is None: conf_keys = builtin_contexts.get(nginx_conf) conf_local_filepath = kwargs.get("nginx-conf-file", conf_dir(nginx_conf)) conf_remote_filepath = kwargs.get("nginx-conf-dirname", "/etc/nginx/conf.d") conf_remote_filename = kwargs.get( "conf_remote_filename", "{conf_remove_filepath}/{conf_remove_basename}".format( conf_remove_filepath=conf_remote_filepath, conf_remove_basename=kwargs.get( "nginx-conf-filename", path.basename(conf_local_filepath)), ), ) if not conf_remote_filename.endswith(".conf"): conf_remote_filename += ".conf" # <WEBSOCKET only (so far)> base_conf_path = path.basename(conf_remote_filename) top_fname = conf_dir(nginx_conf.replace(".conf", ".top.conf")) if path.isfile(top_fname): with open(top_fname, "rt") as f: kwargs["EXTRA_HEAD"] = f.read() else: kwargs.setdefault("EXTRA_HEAD", "") conf_name = nginx_conf.replace(".conf", ".location.conf") location_fname = conf_dir(conf_name) if path.isfile(location_fname): with open(location_fname, "rt") as f: kwargs["SERVER_BODY"] = f.read() % { k: kwargs[k] for k in builtin_contexts[conf_name] } else: kwargs.setdefault("SERVER_BODY", "") if http_to_https and https: fname = "{}/{}".format(base_conf_path, nginx_conf) if path.isfile(fname): with open(fname, "rt") as f: nginx_config_content = f.read() % { k: kwargs[k] for k in builtin_contexts[nginx_conf] } else: nginx_config_content = "" del kwargs["EXTRA_BODY_FOOT"] kwargs["EXTRA_HEAD"] = nginx_config_content # </WEBSOCKET only (so far)> upload_template_fmt( c, conf_local_filepath, conf_remote_filename, context=conf_keys if conf_keys is None else {k: kwargs[k] for k in conf_keys}, use_sudo=True, mode=0o400, backup=False, ) if skip_nginx_restart: return restart_systemd(c, "nginx") res = c.sudo("systemctl status nginx --no-pager --full") return res.stdout if res.exited == 0 else res.stderr
def nginx3(**kwargs): if not kwargs["nginx"]: return "[Warn]: skipping nginx" if not cmd_avail("nginx") and not exists("/etc/nginx"): uname = run("uname -v") sio = StringIO() flavour = None if "Ubuntu" in uname: flavour = "ubuntu" elif "Debian" in uname: flavour = "debian" if flavour is None: raise NotImplementedError() apt_depends("curl", "gnupg2", "ca-certificates", "lsb-release") release = run("lsb_release -cs") sio.write( "deb http://nginx.org/packages/{flavour} {release} nginx".format( flavour=flavour, release=release)) put(sio, "/etc/apt/sources.list.d/nginx.list", use_sudo=True) sudo("apt-get update -qq") sudo( "curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -" ) sudo("apt-key fingerprint ABF5BD827BD9BF62") apt_depends("nginx") # TODO: Move this to an nginx module; usable by other `offregister-` packages sites_avail_local_filepath = kwargs.get( "nginx-sites-available", resource_filename("offregister_app_push", path.join("conf", "nginx.sites-available.conf")), ) proxy_block_local_filepath = kwargs.get( "nginx-proxy-block", resource_filename("offregister_app_push", path.join("conf", "nginx.proxy_block.conf")), ) remote_conf_dir = "/etc/nginx/sites-enabled" if not exists(remote_conf_dir): sudo("mkdir -p {}".format(remote_conf_dir)) sudo( r"sed -i '/include \/etc\/nginx\/conf.d\/\*.conf;/ a\ \ \ \ include {remote_dir}/*;' {fname}" .format(remote_dir=remote_conf_dir, fname="/etc/nginx/nginx.conf")) conf_remote_filename = "/etc/nginx/sites-enabled/{service_name}.conf".format( service_name=kwargs["app_name"]) deque( map( lambda dns_name: append( text="127.0.0.1\t{site_name}".format(site_name=dns_name), filename="/etc/hosts", use_sudo=True, ), kwargs["DNS_NAMES"], ), maxlen=0, ) _send_nginx_conf( conf_remote_filename, proxy_block_local_filepath, sites_avail_local_filepath, kwargs, ) return restart_systemd("nginx")
def install0(*args, **kwargs): kwargs.setdefault("virtual_env", "/opt/venvs/mlflow") if not kwargs.get("skip_virtualenv", False): venv0_kwargs = { "virtual_env": kwargs["virtual_env"], "python3": True, "pip_version": "19.2.3", "use_sudo": True, "remote_user": "******", "PACKAGES": ["mlflow[extras]"], } venv0_kwargs.update(kwargs) python_mod.install_venv0(**venv0_kwargs) circus0_kwargs = { "APP_NAME": "mlflow", "APP_PORT": 5000, "CMD": "{virtual_env}/bin/mlflow".format(virtual_env=kwargs["virtual_env"]), "CMD_ARGS": "ui", "WSGI_FILE": None, } circus0_kwargs.update(kwargs) circus_mod.install_circus0(**circus0_kwargs) kwargs.setdefault("skip_nginx_restart", True) kwargs.setdefault( "conf_remote_filename", "/etc/nginx/sites-enabled/{}.conf".format(kwargs["SERVER_NAME"]), ) kwargs.update({ "nginx_conf": "proxy-pass.conf", "NAME_OF_BLOCK": "mlflow", "SERVER_LOCATION": "localhost:{port}".format(port=circus0_kwargs["APP_PORT"]), "LISTEN_PORT": 80, "LOCATION": "/", }) if exists(kwargs["conf_remote_filename"]): parsed_remote_conf = get_parsed_remote_conf( kwargs["conf_remote_filename"]) parsed_api_block = loads( api_proxy_block( location=kwargs["LOCATION"], proxy_pass="******".format(kwargs["SERVER_LOCATION"]), )) sio = StringIO() sio.write( dumps( merge_into(kwargs["SERVER_NAME"], parsed_remote_conf, parsed_api_block))) sio.seek(0) put(sio, kwargs["conf_remote_filename"], use_sudo=True) else: nginx_static.setup_conf0(**kwargs) # with shell_env(VIRTUAL_ENV=kwargs['virtual_env'], PATH="{}/bin:$PATH".format(kwargs['virtual_env'])):sudo('mlflow initdb') restart_systemd("circusd")
def restart1(*args, **kwargs): return restart_systemd("matrix-synapse")
def _install_backend( backend_root, name, remote_user, backend_virtual_env, team, repo, database_uri, env_vars, install_postgres=True, create_postgres_database=True, use_sudo=True, ): uname = run("uname -v") is_ubuntu = "Ubuntu" in uname run_cmd = partial(_run_command, sudo=use_sudo) if install_postgres: if not is_ubuntu and not cmd_avail("psql"): raise NotImplementedError("Postgres install on {!r}".format(uname)) postgres.install0() if create_postgres_database: parsed_database_uri = urlparse(database_uri) created = postgres.setup_users( create=({ "user": parsed_database_uri.username, "password": parsed_database_uri.password, "dbname": parsed_database_uri.path[1:], }, ), connection_str=database_uri, ) assert created is not None clone_or_update(team=team, repo=repo, use_sudo=use_sudo, to_dir=backend_root, branch="master") offregister_python_ubuntu.install_venv0(virtual_env=backend_virtual_env, python3=True, packages=("gunicorn", "uwsgi")) offregister_python_ubuntu.install_package1(package_directory=backend_root, virtual_env=backend_virtual_env) if not exists("/etc/systemd/system"): raise NotImplementedError("Non SystemD platforms") if run("id {remote_user}".format(remote_user=remote_user), warn_only=True, quiet=True).failed: sudo('adduser {remote_user} --disabled-password --quiet --gecos ""'. format(remote_user=remote_user)) (uid, user), (gid, group) = get_user_group_tuples(remote_user) uwsgi_service = "/etc/systemd/system/{name}-uwsgi.service".format( name=name) upload_template( circus_dir("uwsgi.service"), uwsgi_service, context={ "USER": user, "GROUP": group, "{}_BACK".format(name.upper()): "{}/{}".format(backend_root, name), "UID": uid, "GID": gid, "VENV": backend_virtual_env, "BACKEND_ROOT": backend_root, "SERVICE_USER": "******", "NAME": name, "ENV": env_vars, }, use_sudo=True, backup=False, mode=0o644, ) grp = sudo("id -gn", quiet=True) sudo("chown {grp}:{grp} {uwsgi_service}".format( grp=grp, uwsgi_service=uwsgi_service)) restart_systemd("{name}-uwsgi".format(name=name)) return backend_virtual_env, database_uri
def add_cert1(c, domains, email, server="nginx", **kwargs): """add_cert1 gets a new LetsEncrypt HTTPS certificate using certbot. Because we don't trust the nginx module, we do this process: 0. move conf(s) for domain(s) to sites-disabled 1. create new conf(s) for domain(s) in sites-enabled, that point to temporary wwwroot 2. use certbot to request new certificate 3. restore previous conf :param c: Connection :type c: ```fabric.connection.Connection``` """ if server != "nginx": logger.warning( "Not tested with non nginx: {server}".format(server=server)) sites_enabled = kwargs.get("sites-enabled", "/etc/nginx/sites-enabled") sites_disabled = kwargs.get("sites-disabled", "/etc/nginx/sites-disabled") c.sudo("mkdir -p {sites_disabled}".format(sites_disabled=sites_disabled)) cmd = partial( c.sudo, user=kwargs.get("as_user", "root"), # group=kwargs.get("as_group", "root"), ) if not cmd_avail(c, "nginx") and not exists( c, runner=cmd, path="/usr/sbin/nginx"): raise EnvironmentError("nginx is not installed | not found in PATH") if not exists(c, runner=cmd, path=sites_enabled): raise EnvironmentError('No confs found in "{}"'.format(sites_enabled)) _grep_conf = "grep -lER {pat} {sites_enabled}".format( pat=" -e " + " -e ".join("'server_name[[:space:]]+{domain}'".format(domain=domain) for domain in domains) if len(domains) > 0 else "", sites_enabled=sites_enabled, ) confs = cmd(_grep_conf, warn=True) if confs.exited != 0: stderr.write(confs.stderr) raise EnvironmentError( "grep failed with: {}. Failed command: {}".format( confs, _grep_conf)) elif not confs: # print(_grep_conf, file=sys.stderr) raise ReferenceError("No confs found matching domains searched for") confs = [ s.rstrip().replace(sites_enabled + "/", "") for s in confs.stdout.split("\n") ] cmd("mv '{sites_enabled}/'{confs} '{sites_disabled}/'".format( sites_enabled=sites_enabled, confs="{{{confs}}}".format( confs=",".join(confs)) if len(confs) > 1 else "".join(confs), sites_disabled=sites_disabled, )) def apply_conf(domain): root = c.sudo("mktemp -d --suffix .nginx").stdout.strip() assert root != "/" nginx.setup_custom_conf2( c, nginx_conf="static.conf", SERVER_NAME=domain, WWWROOT=root, conf_remote_filename="{}/{}".format(sites_enabled, domain.replace("/", "-")), skip_nginx_restart=True, ) cmd("touch {root}/index.html && chmod -R 755 {root}".format(root=root)) return root static_dirs = tuple(map(apply_conf, domains)) def exclude_valid_certs(domain): cert_details = c.sudo( "certbot certificates --cert-name {domain}".format( domain=domain)).stdout if "Expiry Date" not in cert_details: return domain elif "(VALID" not in cert_details: return domain cert_expiry = next( map( lambda s: s.partition(":")[2].rpartition("(")[0].strip(), filter( lambda s: s.lstrip().startswith("Expiry Date"), cert_details.split("\n"), ), ), None, ) if cert_expiry is None: return domain cert_expiry = datetime.strptime(cert_expiry, "%Y-%m-%d %H:%M:%S+00:00") if (cert_expiry - datetime.now()).days < 30: return domain return None domains = tuple(_f for _f in map(exclude_valid_certs, domains) if _f) if domains: restart_systemd(c, "nginx") cmd("certbot certonly {email} --webroot {webroots} {domains} --agree-tos --no-eff-email" .format( email="-m '{email}'".format(email=email), webroots=" ".join("-w '{}'".format(wr) for wr in static_dirs), domains=" ".join("-d '{}'".format(domain) for domain in domains), )) cmd("rm -rf {}/*nginx".format( static_dirs[0][:static_dirs[0].rfind("/")])) cmd("rm -f {}".format(" ".join("{}/{}".format( sites_enabled, domain if domain.endswith(".conf") else "{domain}.conf".format( domain=domain), ) for domain in domains))) cmd("mv '{sites_disabled}/'{confs} '{sites_enabled}/'".format( sites_enabled=sites_enabled, confs="{{{confs}}}".format(confs=",".join(confs)) if len(confs) > 1 else "{confs}".format(confs="".join(confs)), sites_disabled=sites_disabled, )) return restart_systemd(c, "nginx") # reload didn't work :(
def install_configure0(*args, **kwargs): apt_install = False if apt_install: apt_depends("webhook") elif not cmd_avail("webhook"): go.install0() run("go get github.com/adnanh/webhook") if (kwargs.get("HOOK_PORT") == 443 or kwargs.get("HOOK_KEY") or kwargs.get("HOOK_CERT")): kwargs["HOOK_SECURE"] = True if not kwargs.get("HOOK_IP") and kwargs.get("SERVER_NAME"): kwargs["HOOK_IP"] = kwargs["SERVER_NAME"] if not kwargs.get("HOOK_HOOKS"): kwargs["HOOK_HOOKS"] = "/etc/webhook.json" else: sudo('mkdir -p "${' + kwargs["HOOK_HOOKS"] + '##*/}"', shell_escape=False) sio = StringIO() dump(kwargs["HOOK_HOOKS_JSON"], sio) tmp = "{}.tmp".format(kwargs["HOOK_HOOKS"]) put(sio, tmp, use_sudo=True) sudo("cat {tmp} | envsubst > {hooks} && rm {tmp}".format( tmp=tmp, hooks=kwargs["HOOK_HOOKS"])) if "HOOK_NOPANIC" not in kwargs: kwargs["HOOK_NOPANIC"] = "" # true elif not kwargs["HOOK_NOPANIC"]: del kwargs["HOOK_NOPANIC"] upload_template( hook_dir("webhook.service"), "/lib/systemd/system/", context={ "CMD": "/usr/bin/webhook" if apt_install else run( 'echo "$GOPATH/bin/webhook"', quiet=True, shell_escape=False), "ARGS": " ".join("-{cli_arg} '{cli_val}'".format( cli_arg=cli_arg, cli_val=kwargs["HOOK_{}".format(cli_arg.upper())]) for cli_arg in ( "cert", "header", "hooks", "hotreload", "ip", "key", "nopanic", "port", "secure", "template", "verbose", ) if "HOOK_{}".format(cli_arg.upper()) in kwargs).replace( " ''", "").replace(" 'True'", ""), }, use_sudo=True, ) return restart_systemd("webhook")
def restart_nginx2(*args, **kwargs): return restart_systemd("nginx")
def restart_services3(*args, **kwargs): if (kwargs.get("circus_args") and kwargs.get("circus_name") and kwargs.get("circus_home")): return restart_systemd("circusd")