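def configure(full=1, site=ALL, delete_old=0):
    """
    Configures Apache to host one or more websites.

    For every selected site this renders and uploads a WSGI entry point and a
    vhost file, then enables the vhost with ``a2ensite``. Afterwards it enables
    the selected optional modules (mod-evasive, mod-security) plus everything in
    ``env.apache_mods_enabled``, and when ``full`` is truthy rewrites the master
    httpd and listening-ports configuration.

    Args:
        full: when truthy (after ``int()``), also write ``env.apache_conf`` and
            ``env.apache_ports``.
        site: site selector handed to ``common.iter_sites``; ``ALL`` by default.
        delete_old: when truthy (after ``int()``), first delete every file in
            ``env.apache_sites_available`` and ``env.apache_sites_enabled``.
            This is destructive: vhosts not managed by this task are removed too.
    """
    from burlap import service
    print('Configuring Apache...')
    # Called for its side effects on ``env``; the return value was previously
    # bound to an unused local.
    set_apache_specifics()
    if int(delete_old):
        # Delete all existing enabled and available sites.
        sudo('rm -f %(apache_sites_available)s/*' % env)
        sudo('rm -f %(apache_sites_enabled)s/*' % env)
    # The loop variable no longer shadows the ``site`` selector parameter.
    for site_name, _site_data in common.iter_sites(site=site, setter=set_apache_site_specifics):
        print(site_name)
        print('env.apache_ssl_domain: %s' % (env.apache_ssl_domain,))
        print('env.apache_ssl_domain_template: %s' % (env.apache_ssl_domain_template,))
        fn = common.render_to_file('django.template.wsgi')
        put(local_path=fn, remote_path=env.apache_django_wsgi, use_sudo=True)
        if env.apache_ssl:
            env.apache_ssl_certificates = list(iter_certificates())
        fn = common.render_to_file('apache_site.template.conf')
        env.apache_site_conf = site_name + '.conf'
        env.apache_site_conf_fqfn = os.path.join(env.apache_sites_available, env.apache_site_conf)
        put(local_path=fn, remote_path=env.apache_site_conf_fqfn, use_sudo=True)
        sudo('a2ensite %(apache_site_conf)s' % env)
    # Module enabling is server-wide, so it runs once after the per-site loop.
    if service.is_selected(APACHE2_MODEVASIVE):
        configure_modevasive()
    if service.is_selected(APACHE2_MODSECURITY):
        configure_modsecurity()
    for mod_enabled in env.apache_mods_enabled:
        env.apache_mod_enabled = mod_enabled
        sudo('a2enmod %(apache_mod_enabled)s' % env)
    if int(full):
        # Write master Apache configuration file.
        fn = common.render_to_file('apache_httpd.template.conf')
        put(local_path=fn, remote_path=env.apache_conf, use_sudo=True)
        # Write Apache listening ports configuration.
        fn = common.render_to_file('apache_ports.template.conf')
        put(local_path=fn, remote_path=env.apache_ports, use_sudo=True)
    # NOTE(review): reconstructed from a collapsed listing; whether this chown
    # belonged inside the ``full`` branch was not recoverable — confirm.
    # Recursive ownership change over the whole Apache root: anything placed
    # there by other tooling is re-owned as well.
    sudo('chown -R %(apache_user)s:%(apache_group)s %(apache_root)s' % env)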
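def deploy_services(site=None, dryrun=0):
    """
    Collects the configurations for all registered services and writes the
    appropriate supervisord.conf file.

    Each callback in ``env._supervisor_create_service_callbacks`` is invoked
    per selected site; string results are collected as service stanzas, joined
    with newlines into ``env.supervisor_services_rendered`` and rendered through
    ``supervisor_daemon.template.config``.

    Args:
        site: site selector handed to ``common.iter_sites``.
        dryrun: when truthy (after ``int()``), print the rendered config to
            stdout instead of uploading it to ``env.supervisor_config_path``.
    """
    dryrun = int(dryrun)
    render_paths()
    for site_name, _site_data in common.iter_sites(site=site, renderer=render_paths):
        print(site_name)
        for cb in env._supervisor_create_service_callbacks:
            ret = cb()
            # Only string results are service stanzas; anything else is skipped.
            if isinstance(ret, basestring):
                env.supervisor_services.append(ret)
    # NOTE(review): env.supervisor_services is only appended to here, never
    # reset, so repeated calls in one process accumulate stanzas unless
    # render_paths() clears it — confirm.
    env.supervisor_services_rendered = '\n'.join(env.supervisor_services)
    fn = common.render_to_file('supervisor_daemon.template.config')
    if dryrun:
        # Close the rendered file deterministically instead of leaking the handle.
        with open(fn) as rendered:
            print(rendered.read())
    else:
        put(local_path=fn, remote_path=env.supervisor_config_path, use_sudo=True)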
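def deploy_services(site=None, dryrun=0):
    """
    Collects the configurations for all registered services and writes the
    appropriate supervisord.conf file.

    Each callback in ``env._supervisor_create_service_callbacks`` is invoked
    per selected site; string results are collected as service stanzas, joined
    with newlines into ``env.supervisor_services_rendered`` and rendered through
    ``supervisor_daemon.template.config``.

    Args:
        site: site selector handed to ``common.iter_sites``.
        dryrun: when truthy (after ``int()``), print the rendered config to
            stdout instead of uploading it to ``env.supervisor_config_path``.
    """
    dryrun = int(dryrun)
    render_paths()
    for site_name, _site_data in common.iter_sites(site=site, renderer=render_paths):
        print(site_name)
        for cb in env._supervisor_create_service_callbacks:
            ret = cb()
            # Only string results are service stanzas; anything else is skipped.
            if isinstance(ret, basestring):
                env.supervisor_services.append(ret)
    # NOTE(review): env.supervisor_services is only appended to here, never
    # reset, so repeated calls in one process accumulate stanzas unless
    # render_paths() clears it — confirm.
    env.supervisor_services_rendered = "\n".join(env.supervisor_services)
    fn = common.render_to_file("supervisor_daemon.template.config")
    if dryrun:
        # Close the rendered file deterministically instead of leaking the handle.
        with open(fn) as rendered:
            print(rendered.read())
    else:
        put(local_path=fn, remote_path=env.supervisor_config_path, use_sudo=True)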
def configure_modevasive():
    """
    Enables mod-evasive and installs its configuration file.

    Appends ``'mod-evasive'`` to ``env.apache_mods_enabled`` (the Apache
    ``configure`` task later runs ``a2enmod`` over that list) and uploads the
    rendered ``apache_modevasive.template.conf`` to
    ``/etc/apache2/mods-available/mod-evasive.conf`` via sudo.
    """
    env.apache_mods_enabled.append('mod-evasive')
    # Write mod-evasive.conf (the module config, not modsecurity.conf).
    remote_conf = '/etc/apache2/mods-available/mod-evasive.conf'
    rendered = common.render_to_file('apache_modevasive.template.conf')
    put(local_path=rendered, remote_path=remote_conf, use_sudo=True)
def static():
    """
    Configures the server to use a static IP.

    Uploads the rendered ``ip_interfaces_static.template`` to
    ``env.ip_interfaces_fn`` via sudo, then runs
    ``env.ip_network_restart_command`` (formatted against ``env``) to apply it.
    """
    rendered = render_to_file('ip_interfaces_static.template')
    put(local_path=rendered, remote_path=env.ip_interfaces_fn, use_sudo=True)
    # Restarting networking on the remote host can drop the current SSH session
    # if the new address differs from the one in use.
    restart_cmd = env.ip_network_restart_command % env
    sudo(restart_cmd)
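def configure():
    """
    Installs supervisor configuration and daemon.

    Renders ``supervisor_daemon.template.init``, uploads it to
    ``env.supervisor_daemon_path`` via sudo, marks it executable and registers
    it with ``update-rc.d`` so supervisord starts at boot.
    """
    render_paths()
    fn = common.render_to_file('supervisor_daemon.template.init')
    put(local_path=fn, remote_path=env.supervisor_daemon_path, use_sudo=True)
    sudo('chmod +x %(supervisor_daemon_path)s' % env)
    # No format specifiers in this command, so it is not formatted against env.
    sudo('update-rc.d supervisord defaults')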
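def configure():
    """
    Installs supervisor configuration and daemon.

    Renders ``supervisor_daemon.template.init``, uploads it to
    ``env.supervisor_daemon_path`` via sudo, marks it executable and registers
    it with ``update-rc.d`` so supervisord starts at boot.
    """
    render_paths()
    fn = common.render_to_file("supervisor_daemon.template.init")
    put(local_path=fn, remote_path=env.supervisor_daemon_path, use_sudo=True)
    sudo("chmod +x %(supervisor_daemon_path)s" % env)
    # No format specifiers in this command, so it is not formatted against env.
    sudo("update-rc.d supervisord defaults")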
def configure():
    """
    Configures rules for IPTables.

    When ``env.iptables_enabled`` is truthy: renders
    ``env.iptables_rules_template``, uploads it, loads it with
    ``iptables-restore``, persists the live ruleset to
    ``/etc/iptables.up.rules`` and then calls ``enable()`` and ``restart()``.
    Otherwise calls ``disable()`` and ``stop()``.
    """
    if not env.iptables_enabled:
        disable()
        stop()
        return
    rendered = common.render_to_file(env.iptables_rules_template)
    put(local_path=rendered)
    # presumably put() records the uploaded path in env.put_remote_path —
    # verify against the project's put wrapper.
    # A rules file without an accept rule for the management SSH port would
    # cut off this session when restored; review the template before applying.
    restore_cmd = (
        'iptables-restore < %(put_remote_path)s; '
        'iptables-save > /etc/iptables.up.rules' % env
    )
    sudo_or_dryrun(restore_cmd)
    enable()
    restart()
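def configure_modsecurity():
    """
    Enables mod-security and installs the OWASP Core Rule Set.

    Appends ``'mod-security'`` and ``'headers'`` to ``env.apache_mods_enabled``,
    uploads the rendered ``modsecurity.conf``, downloads the CRS tarball at
    ``env.apache_modsecurity_download_url`` into ``/tmp``, copies its contents
    into ``/etc/modsecurity/``, activates every base and optional rule by
    symlink, and queues an ``Include`` for them in
    ``env.apache_httpd_conf_append``.
    """
    env.apache_mods_enabled.append('mod-security')
    env.apache_mods_enabled.append('headers')
    # Write modsecurity.conf.
    fn = common.render_to_file('apache_modsecurity.template.conf')
    put(local_path=fn, remote_path='/etc/modsecurity/modsecurity.conf', use_sudo=True)
    # Write OWASP rules.
    env.apache_modsecurity_download_filename = '/tmp/owasp-modsecurity-crs.tar.gz'
    # TODO(review): the archive is fetched to a fixed name in world-writable
    # /tmp and unpacked as root with no checksum or signature verification;
    # pin the URL to a release and verify a known digest before extracting.
    sudo('cd /tmp; wget --output-document=%(apache_modsecurity_download_filename)s %(apache_modsecurity_download_url)s' % env)
    # First path component of the archive listing; assumes exactly one
    # top-level directory, otherwise this holds several lines.
    env.apache_modsecurity_download_top = sudo("cd /tmp; tar tzf %(apache_modsecurity_download_filename)s | sed -e 's@/.*@@' | uniq" % env)
    sudo('cd /tmp; tar -zxvf %(apache_modsecurity_download_filename)s' % env)
    sudo('cd /tmp; cp -R %(apache_modsecurity_download_top)s/* /etc/modsecurity/' % env)
    # No format specifiers in this command, so it is not formatted against env.
    sudo('mv /etc/modsecurity/modsecurity_crs_10_setup.conf.example /etc/modsecurity/modsecurity_crs_10_setup.conf')
    # Any previously activated rule set is replaced wholesale.
    sudo('rm -f /etc/modsecurity/activated_rules/*')
    # Activating every optional rule alongside the base rules raises the
    # false-positive rate; tune after reviewing the audit log.
    sudo('cd /etc/modsecurity/base_rules; for f in * ; do ln -s /etc/modsecurity/base_rules/$f /etc/modsecurity/activated_rules/$f ; done')
    sudo('cd /etc/modsecurity/optional_rules; for f in * ; do ln -s /etc/modsecurity/optional_rules/$f /etc/modsecurity/activated_rules/$f ; done')
    env.apache_httpd_conf_append.append('Include "/etc/modsecurity/activated_rules/*.conf"')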
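def configure_modsecurity():
    """
    Enables mod-security and installs the OWASP Core Rule Set.

    Appends ``'mod-security'`` and ``'headers'`` to ``env.apache_mods_enabled``,
    uploads the rendered ``modsecurity.conf``, downloads the CRS tarball at
    ``env.apache_modsecurity_download_url`` into ``/tmp``, copies its contents
    into ``/etc/modsecurity/``, activates every base and optional rule by
    symlink, and queues an ``Include`` for them in
    ``env.apache_httpd_conf_append``.
    """
    env.apache_mods_enabled.append('mod-security')
    env.apache_mods_enabled.append('headers')
    # Write modsecurity.conf.
    fn = common.render_to_file('apache_modsecurity.template.conf')
    put(local_path=fn, remote_path='/etc/modsecurity/modsecurity.conf', use_sudo=True)
    # Write OWASP rules.
    env.apache_modsecurity_download_filename = '/tmp/owasp-modsecurity-crs.tar.gz'
    # TODO(review): the archive is fetched to a fixed name in world-writable
    # /tmp and unpacked as root with no checksum or signature verification;
    # pin the URL to a release and verify a known digest before extracting.
    sudo(
        'cd /tmp; wget --output-document=%(apache_modsecurity_download_filename)s %(apache_modsecurity_download_url)s' % env)
    # First path component of the archive listing; assumes exactly one
    # top-level directory, otherwise this holds several lines.
    env.apache_modsecurity_download_top = sudo(
        "cd /tmp; tar tzf %(apache_modsecurity_download_filename)s | sed -e 's@/.*@@' | uniq" % env)
    sudo('cd /tmp; tar -zxvf %(apache_modsecurity_download_filename)s' % env)
    sudo(
        'cd /tmp; cp -R %(apache_modsecurity_download_top)s/* /etc/modsecurity/' % env)
    # No format specifiers in this command, so it is not formatted against env.
    sudo(
        'mv /etc/modsecurity/modsecurity_crs_10_setup.conf.example /etc/modsecurity/modsecurity_crs_10_setup.conf')
    # Any previously activated rule set is replaced wholesale.
    sudo('rm -f /etc/modsecurity/activated_rules/*')
    # Activating every optional rule alongside the base rules raises the
    # false-positive rate; tune after reviewing the audit log.
    sudo(
        'cd /etc/modsecurity/base_rules; for f in * ; do ln -s /etc/modsecurity/base_rules/$f /etc/modsecurity/activated_rules/$f ; done'
    )
    sudo(
        'cd /etc/modsecurity/optional_rules; for f in * ; do ln -s /etc/modsecurity/optional_rules/$f /etc/modsecurity/activated_rules/$f ; done'
    )
    env.apache_httpd_conf_append.append(
        'Include "/etc/modsecurity/activated_rules/*.conf"')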
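def configure(full=1, site=ALL, delete_old=0):
    """
    Configures Apache to host one or more websites.

    For every selected site this renders and uploads a WSGI entry point and a
    vhost file, then enables the vhost with ``a2ensite``. Afterwards it enables
    the selected optional modules (mod-evasive, mod-security) plus everything in
    ``env.apache_mods_enabled``, and when ``full`` is truthy rewrites the master
    httpd and listening-ports configuration.

    Args:
        full: when truthy (after ``int()``), also write ``env.apache_conf`` and
            ``env.apache_ports``.
        site: site selector handed to ``common.iter_sites``; ``ALL`` by default.
        delete_old: when truthy (after ``int()``), first delete every file in
            ``env.apache_sites_available`` and ``env.apache_sites_enabled``.
            This is destructive: vhosts not managed by this task are removed too.
    """
    from burlap import service
    print('Configuring Apache...')
    # Called for its side effects on ``env``; the return value was previously
    # bound to an unused local.
    set_apache_specifics()
    if int(delete_old):
        # Delete all existing enabled and available sites.
        sudo('rm -f %(apache_sites_available)s/*' % env)
        sudo('rm -f %(apache_sites_enabled)s/*' % env)
    # The loop variable no longer shadows the ``site`` selector parameter.
    for site_name, _site_data in common.iter_sites(site=site, setter=set_apache_site_specifics):
        print(site_name)
        print('env.apache_ssl_domain: %s' % (env.apache_ssl_domain,))
        print('env.apache_ssl_domain_template: %s' % (env.apache_ssl_domain_template,))
        fn = common.render_to_file('django.template.wsgi')
        put(local_path=fn, remote_path=env.apache_django_wsgi, use_sudo=True)
        if env.apache_ssl:
            env.apache_ssl_certificates = list(iter_certificates())
        fn = common.render_to_file('apache_site.template.conf')
        env.apache_site_conf = site_name + '.conf'
        env.apache_site_conf_fqfn = os.path.join(env.apache_sites_available, env.apache_site_conf)
        put(local_path=fn, remote_path=env.apache_site_conf_fqfn, use_sudo=True)
        sudo('a2ensite %(apache_site_conf)s' % env)
    # Module enabling is server-wide, so it runs once after the per-site loop.
    if service.is_selected(APACHE2_MODEVASIVE):
        configure_modevasive()
    if service.is_selected(APACHE2_MODSECURITY):
        configure_modsecurity()
    for mod_enabled in env.apache_mods_enabled:
        env.apache_mod_enabled = mod_enabled
        sudo('a2enmod %(apache_mod_enabled)s' % env)
    if int(full):
        # Write master Apache configuration file.
        fn = common.render_to_file('apache_httpd.template.conf')
        put(local_path=fn, remote_path=env.apache_conf, use_sudo=True)
        # Write Apache listening ports configuration.
        fn = common.render_to_file('apache_ports.template.conf')
        put(local_path=fn, remote_path=env.apache_ports, use_sudo=True)
    # NOTE(review): reconstructed from a collapsed listing; whether this chown
    # belonged inside the ``full`` branch was not recoverable — confirm.
    # Recursive ownership change over the whole Apache root: anything placed
    # there by other tooling is re-owned as well.
    sudo('chown -R %(apache_user)s:%(apache_group)s %(apache_root)s' % env)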
def configure(name=None, site=None, _role=None, dryrun=0):
    """
    Configures a fresh install of the database

    Selects the database via ``set_db`` and then, depending on
    ``env.db_engine``: for PostgreSQL backs up ``postgresql.conf`` and
    ``pg_hba.conf``, installs the rendered ``pg_hba.template.conf``, enables
    autovacuum/track_counts and recreates ``template1`` with UNICODE encoding;
    for MySQL, when ``env.db_allow_remote_connections`` is set, binds the
    server on all interfaces and grants the root user access from any host.
    Any other engine prints a message and does nothing.

    Args:
        name: database name passed through to ``set_db``.
        site: site passed through to ``set_db``.
        _role: role passed through to ``set_db``.
        dryrun: stored on ``env.dryrun`` after ``int()``; see note below.
    """
    # Guard only: assert is stripped under -O, so an unset role would then
    # reach set_db() unchecked.
    assert env[ROLE]
    require('app_name')
    set_db(name=name, site=site, role=_role)
    # print 'site:',env[SITE]
    # print 'role:',env[ROLE]
    # NOTE(review): run()/sudo() below are called unconditionally here, so
    # whether dryrun suppresses them depends on those helpers — confirm.
    env.dryrun = int(dryrun)
    if 'postgres' in env.db_engine:
        # The unescaped "." matches any character; the captured version string is
        # interpolated unquoted into the paths below.
        env.pg_ver = run('psql --version | grep -o -E "[0-9]+.[0-9]+"')
        print 'PostgreSQL version %(pg_ver)s detected.' % env
        print 'Backing up PostgreSQL configuration files...'
        # Timestamped copies; %% escapes the date format's % for the env formatting.
        sudo(
            'cp /etc/postgresql/%(pg_ver)s/main/postgresql.conf /etc/postgresql/%(pg_ver)s/main/postgresql.conf.$(date +%%Y%%m%%d%%H%%M).bak' % env)
        sudo(
            'cp /etc/postgresql/%(pg_ver)s/main/pg_hba.conf /etc/postgresql/%(pg_ver)s/main/pg_hba.conf.$(date +%%Y%%m%%d%%H%%M).bak' % env)
        print 'Allowing remote connections...'
        # pg_hba.conf decides which hosts and users may authenticate; the
        # template is the access policy and should be reviewed before deploy.
        fn = common.render_to_file('pg_hba.template.conf')
        put(local_path=fn, remote_path='/etc/postgresql/%(pg_ver)s/main/pg_hba.conf' % env, use_sudo=True)
        # Don't do this. Keep it locked down and use an SSH tunnel instead.
        # See common.tunnel()
        #sudo('sed -i "s/#listen_addresses = \'localhost\'/listen_addresses = \'*\'/g" /etc/postgresql/%(pg_ver)s/main/postgresql.conf' % env)
        print 'Enabling auto-vacuuming...'
        sudo(
            'sed -i "s/#autovacuum = on/autovacuum = on/g" /etc/postgresql/%(pg_ver)s/main/postgresql.conf' % env)
        sudo(
            'sed -i "s/#track_counts = on/track_counts = on/g" /etc/postgresql/%(pg_ver)s/main/postgresql.conf' % env)
        # Set UTF-8 as the default database encoding.
        # Drops and recreates template1 from template0; --no-password relies on
        # local trust/peer auth for the postgres user.
        sudo(
            'psql --user=postgres --no-password --command="'
            'UPDATE pg_database SET datistemplate = FALSE WHERE datname = \'template1\';'
            'DROP DATABASE template1;'
            'CREATE DATABASE template1 WITH TEMPLATE = template0 ENCODING = \'UNICODE\';'
            'UPDATE pg_database SET datistemplate = TRUE WHERE datname = \'template1\';'
            '\c template1\n'
            'VACUUM FREEZE;'
            'UPDATE pg_database SET datallowconn = FALSE WHERE datname = \'template1\';"'
        )
    elif 'mysql' in env.db_engine:
        if env.db_allow_remote_connections:
            # Enable remote connections.
            # Rewrites every 127.0.0.1 in the config to 0.0.0.0, i.e. listens on
            # all interfaces.
            sudo("sed -i 's/127.0.0.1/0.0.0.0/g' %(db_mysql_conf)s" % env)
            # Enable root logins from remote connections.
            # Grants the root account ALL on *.* from any host ('%'), and passes
            # the root password on the command line, where it is visible in
            # process listings and may be echoed into Fabric output/logs.
            sudo(
                'mysql -u %(db_root_user)s -p"%(db_root_password)s" --execute="USE mysql; GRANT ALL ON *.* to %(db_root_user)s@\'%%\' IDENTIFIED BY \'%(db_root_password)s\'; FLUSH PRIVILEGES;"' % env)
            # NOTE(review): reconstructed from a collapsed listing; whether this
            # restart sat inside the remote-connections branch was not
            # recoverable — confirm.
            sudo('service mysql restart')
    else:
        print 'No database parameters found.'
def configure(name=None, site=None, _role=None, dryrun=0):
    """
    Configures a fresh install of the database

    Selects the database via ``set_db`` and then, depending on
    ``env.db_engine``: for PostgreSQL backs up ``postgresql.conf`` and
    ``pg_hba.conf``, installs the rendered ``pg_hba.template.conf``, enables
    autovacuum/track_counts and recreates ``template1`` with UNICODE encoding;
    for MySQL, when ``env.db_allow_remote_connections`` is set, binds the
    server on all interfaces and grants the root user access from any host.
    Any other engine prints a message and does nothing.

    Args:
        name: database name passed through to ``set_db``.
        site: site passed through to ``set_db``.
        _role: role passed through to ``set_db``.
        dryrun: stored on ``env.dryrun`` after ``int()``; see note below.
    """
    # Guard only: assert is stripped under -O, so an unset role would then
    # reach set_db() unchecked.
    assert env[ROLE]
    require("app_name")
    set_db(name=name, site=site, role=_role)
    # print 'site:',env[SITE]
    # print 'role:',env[ROLE]
    # NOTE(review): run()/sudo() below are called unconditionally here, so
    # whether dryrun suppresses them depends on those helpers — confirm.
    env.dryrun = int(dryrun)
    if "postgres" in env.db_engine:
        # The unescaped "." matches any character; the captured version string is
        # interpolated unquoted into the paths below.
        env.pg_ver = run('psql --version | grep -o -E "[0-9]+.[0-9]+"')
        print "PostgreSQL version %(pg_ver)s detected." % env
        print "Backing up PostgreSQL configuration files..."
        # Timestamped copies; %% escapes the date format's % for the env formatting.
        sudo(
            "cp /etc/postgresql/%(pg_ver)s/main/postgresql.conf /etc/postgresql/%(pg_ver)s/main/postgresql.conf.$(date +%%Y%%m%%d%%H%%M).bak"
            % env
        )
        sudo(
            "cp /etc/postgresql/%(pg_ver)s/main/pg_hba.conf /etc/postgresql/%(pg_ver)s/main/pg_hba.conf.$(date +%%Y%%m%%d%%H%%M).bak"
            % env
        )
        print "Allowing remote connections..."
        # pg_hba.conf decides which hosts and users may authenticate; the
        # template is the access policy and should be reviewed before deploy.
        fn = common.render_to_file("pg_hba.template.conf")
        put(local_path=fn, remote_path="/etc/postgresql/%(pg_ver)s/main/pg_hba.conf" % env, use_sudo=True)
        # Don't do this. Keep it locked down and use an SSH tunnel instead.
        # See common.tunnel()
        # sudo('sed -i "s/#listen_addresses = \'localhost\'/listen_addresses = \'*\'/g" /etc/postgresql/%(pg_ver)s/main/postgresql.conf' % env)
        print "Enabling auto-vacuuming..."
        sudo('sed -i "s/#autovacuum = on/autovacuum = on/g" /etc/postgresql/%(pg_ver)s/main/postgresql.conf' % env)
        sudo('sed -i "s/#track_counts = on/track_counts = on/g" /etc/postgresql/%(pg_ver)s/main/postgresql.conf' % env)
        # Set UTF-8 as the default database encoding.
        # Drops and recreates template1 from template0; --no-password relies on
        # local trust/peer auth for the postgres user.
        sudo(
            'psql --user=postgres --no-password --command="'
            "UPDATE pg_database SET datistemplate = FALSE WHERE datname = 'template1';"
            "DROP DATABASE template1;"
            "CREATE DATABASE template1 WITH TEMPLATE = template0 ENCODING = 'UNICODE';"
            "UPDATE pg_database SET datistemplate = TRUE WHERE datname = 'template1';"
            "\c template1\n"
            "VACUUM FREEZE;"
            "UPDATE pg_database SET datallowconn = FALSE WHERE datname = 'template1';\""
        )
    elif "mysql" in env.db_engine:
        if env.db_allow_remote_connections:
            # Enable remote connections.
            # Rewrites every 127.0.0.1 in the config to 0.0.0.0, i.e. listens on
            # all interfaces.
            sudo("sed -i 's/127.0.0.1/0.0.0.0/g' %(db_mysql_conf)s" % env)
            # Enable root logins from remote connections.
            # Grants the root account ALL on *.* from any host ('%'), and passes
            # the root password on the command line, where it is visible in
            # process listings and may be echoed into Fabric output/logs.
            sudo(
                "mysql -u %(db_root_user)s -p\"%(db_root_password)s\" --execute=\"USE mysql; GRANT ALL ON *.* to %(db_root_user)s@'%%' IDENTIFIED BY '%(db_root_password)s'; FLUSH PRIVILEGES;\""
                % env
            )
            # NOTE(review): reconstructed from a collapsed listing; whether this
            # restart sat inside the remote-connections branch was not
            # recoverable — confirm.
            sudo("service mysql restart")
    else:
        print "No database parameters found."