def autoupgrade():
    """Install unattended-upgrades and write the APT periodic settings.

    Four APT::Periodic directives are written to
    /etc/apt/apt.conf.d/10periodic: Update-Package-Lists,
    Download-Upgradeable-Packages and Unattended-Upgrade are set to "1",
    AutocleanInterval to "7".

    Nothing here selects which package origins are upgraded unattended, so
    the unattended-upgrades package defaults apply.
    """
    periodic_path = "/etc/apt/apt.conf.d/10periodic"
    directives = (
        'APT::Periodic::Update-Package-Lists "1";',
        'APT::Periodic::Download-Upgradeable-Packages "1";',
        'APT::Periodic::AutocleanInterval "7";',
        'APT::Periodic::Unattended-Upgrade "1";',
    )

    util.debian_install("unattended-upgrades")
    # Directives are separated by single spaces, as in the original literal.
    # presumably util.putstring writes the text to the path on the target
    # host -- confirm against the util module.
    util.putstring(" ".join(directives), periodic_path)
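def harden():
    """Run the baseline hardening steps against the target host, in order.

    Calls upgrade() and autoupgrade(), installs fail2ban, appends the
    operator's local ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys, waits for
    a typed "YES", sets "PasswordAuthentication no" in /etc/ssh/sshd_config,
    restarts ssh, then calls setupDeployUser(), logwatch() and firewall().

    Raises:
        ValueError: if the local public key file is empty, so password
            login is never switched off without a key having been appended.
    """
    upgrade()
    autoupgrade()
    util.debian_install("fail2ban")

    print "attempting to configure key-based auth for root..."
    import os.path
    # Read inside a with-block so the key file handle is always closed.
    with open(os.path.expanduser("~/.ssh/id_rsa.pub")) as keyFile:
        localKey = keyFile.read()
    # An empty key followed by "PasswordAuthentication no" would leave no
    # working login method, so stop before anything on the host is changed.
    if not localKey.strip():
        raise ValueError("~/.ssh/id_rsa.pub is empty; refusing to continue")
    util.append(localKey, "~/.ssh/authorized_keys")

    # Lockout guard: the operator should verify key-based login in a second
    # session before answering, and keep the current session open.
    print "WARNING: YOU *MUST* have root configured to continue. Type YES to confirm."
    confirm = None
    while confirm != "YES":
        confirm = raw_input()

    print "disabling password auth for root"
    # NOTE(review): PasswordAuthentication is a server-wide sshd option, so
    # this presumably turns off password login for every account, not only
    # root -- confirm what util.config writes.
    util.config("PasswordAuthentication no", "/etc/ssh/sshd_config")
    run("service ssh restart")

    setupDeployUser()
    logwatch()
    firewall()  # this should be run last, since it can abort the SSH connection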
def install_docker():
    """Install Docker on the target host and start the docker service.

    DigitalOcean requires a fix first (see documentation):
    1. Go to Settings->Kernel
    2. Choose Debian Unstable x64
    3. Power cycle
    4. Run the digitalOceanKernelFix command before you run this command.
    """
    installer_cmd = "wget http://get.docker.io -O - | bash"
    cgroup_fstab_entry = "none /cgroup cgroup defaults 0 0"
    forwarding_setting = "net.ipv4.ip_forward=1"

    kernel_upgrade()
    # "modprobe aufs" is deliberately not run in this variant; the original
    # comments question whether it is needed on Linode and mention that
    # Linode wants "busybox".
    util.debian_install("curl")

    # NOTE(review): the installer is fetched over plain HTTP and piped into
    # bash, so nothing authenticates the script before it executes on the
    # host. Prefer an HTTPS source or a pinned, checksum-verified package.
    run(installer_cmd)

    # NOTE(review): this listing lost its indentation; the extent of both
    # warn_only blocks below is reconstructed -- confirm against the file.
    with settings(warn_only=True):
        run("groupadd docker")
    # NOTE(review): membership of the docker group is effectively
    # root-equivalent on the host; treat the deploy account accordingly.
    run("gpasswd -a deploy docker")
    init_setup()

    # https://github.com/dotcloud/docker/issues/431
    util.append(cgroup_fstab_entry, "/etc/fstab")
    with settings(warn_only=True):
        for cgroup_cmd in ("mkdir -p /cgroup", "mount /cgroup"):
            run(cgroup_cmd)

    util.append(forwarding_setting, "/etc/sysctl.conf")
    run("sysctl -p")
    # fix_cgroups() is not called; the original notes it isn't necessary on
    # Linode.
    run("service docker start")
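def harden():
    """Run the baseline hardening steps against the target host, in order.

    Calls upgrade() and autoupgrade(), installs fail2ban, appends the
    operator's local ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys, waits for
    a typed "YES", sets "PasswordAuthentication no" in /etc/ssh/sshd_config,
    restarts ssh, then calls setupDeployUser(), logwatch() and firewall().

    Raises:
        ValueError: if the local public key file is empty, so password
            login is never switched off without a key having been appended.
    """
    upgrade()
    autoupgrade()
    util.debian_install("fail2ban")

    print "attempting to configure key-based auth for root..."
    import os.path
    # Read inside a with-block so the key file handle is always closed.
    with open(os.path.expanduser("~/.ssh/id_rsa.pub")) as keyFile:
        localKey = keyFile.read()
    # An empty key followed by "PasswordAuthentication no" would leave no
    # working login method, so stop before anything on the host is changed.
    if not localKey.strip():
        raise ValueError("~/.ssh/id_rsa.pub is empty; refusing to continue")
    util.append(localKey, "~/.ssh/authorized_keys")

    # Lockout guard: the operator should verify key-based login in a second
    # session before answering, and keep the current session open.
    print "WARNING: YOU *MUST* have root configured to continue. Type YES to confirm."
    confirm = None
    while confirm != "YES":
        confirm = raw_input()

    print "disabling password auth for root"
    # NOTE(review): PasswordAuthentication is a server-wide sshd option, so
    # this presumably turns off password login for every account, not only
    # root -- confirm what util.config writes.
    util.config("PasswordAuthentication no", "/etc/ssh/sshd_config")
    run("service ssh restart")

    setupDeployUser()
    logwatch()
    firewall()  # this should be run last, since it can abort the SSH connection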
def install_docker():
    """Install Docker on the target host and start the docker service.

    Runs kernel_upgrade(), loads the aufs module, installs curl, runs the
    remote installer script, adds the deploy user to the docker group, calls
    init_setup(), registers and mounts a cgroup filesystem at /cgroup, sets
    net.ipv4.ip_forward=1 and starts docker.
    """
    installer_cmd = "wget http://get.docker.io -O - | bash"
    cgroup_fstab_entry = "none /cgroup cgroup defaults 0 0"
    forwarding_setting = "net.ipv4.ip_forward=1"

    kernel_upgrade()
    run("modprobe aufs")
    util.debian_install("curl")

    # NOTE(review): the installer is fetched over plain HTTP and piped into
    # bash, so nothing authenticates the script before it executes on the
    # host. Prefer an HTTPS source or a pinned, checksum-verified package.
    run(installer_cmd)

    # NOTE(review): this listing lost its indentation; the extent of both
    # warn_only blocks below is reconstructed -- confirm against the file.
    with settings(warn_only=True):
        run("groupadd docker")
    # NOTE(review): membership of the docker group is effectively
    # root-equivalent on the host; treat the deploy account accordingly.
    run("gpasswd -a deploy docker")
    init_setup()

    # https://github.com/dotcloud/docker/issues/431
    util.append(cgroup_fstab_entry, "/etc/fstab")
    with settings(warn_only=True):
        for cgroup_cmd in ("mkdir -p /cgroup", "mount /cgroup"):
            run(cgroup_cmd)

    util.append(forwarding_setting, "/etc/sysctl.conf")
    run("sysctl -p")
    run("service docker start")
def install_docker():
    """Install Docker on the target host and start the docker service.

    Runs kernel_upgrade(), loads the aufs module, installs curl, runs the
    remote installer script, adds the deploy user to the docker group, calls
    init_setup(), registers and mounts a cgroup filesystem at /cgroup, sets
    net.ipv4.ip_forward=1 and starts docker.
    """
    installer_cmd = "wget http://get.docker.io -O - | bash"
    cgroup_fstab_entry = "none /cgroup cgroup defaults 0 0"
    forwarding_setting = "net.ipv4.ip_forward=1"

    kernel_upgrade()
    run("modprobe aufs")
    util.debian_install("curl")

    # NOTE(review): the installer is fetched over plain HTTP and piped into
    # bash, so nothing authenticates the script before it executes on the
    # host. Prefer an HTTPS source or a pinned, checksum-verified package.
    run(installer_cmd)

    # NOTE(review): this listing lost its indentation; the extent of both
    # warn_only blocks below is reconstructed -- confirm against the file.
    with settings(warn_only=True):
        run("groupadd docker")
    # NOTE(review): membership of the docker group is effectively
    # root-equivalent on the host; treat the deploy account accordingly.
    run("gpasswd -a deploy docker")
    init_setup()

    # https://github.com/dotcloud/docker/issues/431
    util.append(cgroup_fstab_entry, "/etc/fstab")
    with settings(warn_only=True):
        for cgroup_cmd in ("mkdir -p /cgroup", "mount /cgroup"):
            run(cgroup_cmd)

    util.append(forwarding_setting, "/etc/sysctl.conf")
    run("sysctl -p")
    run("service docker start")
def logwatch():
    """Install logwatch and append a mailed report command to cron.daily."""
    cron_file = "/etc/cron.daily/00logwatch"
    # NOTE(review): the recipient appears as "[email protected]" in this
    # listing, which looks like an obfuscated address; supply a real, monitored
    # mailbox or the reports never reach anyone.
    report_cmd = "/usr/sbin/logwatch --output mail --mailto [email protected] --detail high"

    util.debian_install("logwatch")
    # presumably the package already ships this cron file, in which case the
    # append adds a second logwatch invocation -- verify on the target host.
    util.append(report_cmd, cron_file)
def firewall():
    """Install ufw, allow port 22, accept forwarded traffic and enable ufw.

    Enabling ufw can interrupt the SSH session this task runs over, so
    callers should run it as the final step.
    """
    # https://github.com/dotcloud/docker/issues/1251
    # Switches ufw's default forward policy from DROP to ACCEPT, so forwarded
    # traffic is no longer dropped by default on this host.
    forward_policy_cmd = """sed -i /etc/default/ufw -e 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/g'"""

    util.debian_install("ufw")
    # NOTE(review): "ufw allow 22" names no protocol or source, so it opens
    # the port for TCP and UDP from any address; "22/tcp" would be narrower.
    for ufw_cmd in ("ufw allow 22", forward_policy_cmd, "ufw enable"):
        run(ufw_cmd)
def logwatch():
    """Install logwatch and append a mailed report command to cron.daily."""
    cron_file = "/etc/cron.daily/00logwatch"
    # NOTE(review): the recipient appears as "[email protected]" in this
    # listing, which looks like an obfuscated address; supply a real, monitored
    # mailbox or the reports never reach anyone.
    report_cmd = "/usr/sbin/logwatch --output mail --mailto [email protected] --detail high"

    util.debian_install("logwatch")
    # presumably the package already ships this cron file, in which case the
    # append adds a second logwatch invocation -- verify on the target host.
    util.append(report_cmd, cron_file)
def firewall():
    """Install ufw, allow port 22, accept forwarded traffic and enable ufw.

    Enabling ufw can interrupt the SSH session this task runs over, so
    callers should run it as the final step.
    """
    # https://github.com/dotcloud/docker/issues/1251
    # Switches ufw's default forward policy from DROP to ACCEPT, so forwarded
    # traffic is no longer dropped by default on this host.
    forward_policy_cmd = """sed -i /etc/default/ufw -e 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/g'"""

    util.debian_install("ufw")
    # NOTE(review): "ufw allow 22" names no protocol or source, so it opens
    # the port for TCP and UDP from any address; "22/tcp" would be narrower.
    for ufw_cmd in ("ufw allow 22", forward_policy_cmd, "ufw enable"):
        run(ufw_cmd)
def autoupgrade():
    """Install unattended-upgrades and write the APT periodic settings.

    Four APT::Periodic directives are written to
    /etc/apt/apt.conf.d/10periodic: Update-Package-Lists,
    Download-Upgradeable-Packages and Unattended-Upgrade are set to "1",
    AutocleanInterval to "7".

    Nothing here selects which package origins are upgraded unattended, so
    the unattended-upgrades package defaults apply.
    """
    periodic_path = "/etc/apt/apt.conf.d/10periodic"
    directives = (
        'APT::Periodic::Update-Package-Lists "1";',
        'APT::Periodic::Download-Upgradeable-Packages "1";',
        'APT::Periodic::AutocleanInterval "7";',
        'APT::Periodic::Unattended-Upgrade "1";',
    )

    util.debian_install("unattended-upgrades")
    # Directives are separated by single spaces, as in the original literal.
    # presumably util.putstring writes the text to the path on the target
    # host -- confirm against the util module.
    util.putstring(" ".join(directives), periodic_path)