def ensure():
git.ensure_git()
# Make sure the user exists
user_ensure('acme')
group_ensure('acme')
group_user_ensure('acme', 'acme')
# Allow the acme user to reload nginx when updating certs
files.append('/etc/sudoers',
'acme ALL=(root) NOPASSWD: {reload_nginx}'.format(
reload_nginx=_reload_nginx()),
use_sudo=True)
# Make sure acme.sh is installed for the acme user
# if not path.has('acme.sh', user='******'): Does not exist--it's imported from bash
if not files.exists('/home/acme/.acme.sh'):
git.ensure_clone_github('Neilpang/acme.sh',
'/home/acme/acme.sh',
user='******')
with cd("/home/acme/acme.sh"):
sudo("./acme.sh --install", user='******')
dir_ensure(well_known_base)
sudo(
"chown acme:acme {well_known} && chmod 755 {well_known}".format(
well_known=well_known_base)
) # Can't change attributes without sudo in a sticky (not write) directory... annoying
util.put_file("config/certs/lets-encrypt-x3-cross-signed.pem",
"/etc/ssl/certs/lets-encrypt-x3-cross-signed.pem",
user='******',
mode='0644')
def sudo_group(username):
'''
Add a user to the sudo group.
'''
print(green("Adding %s to sudo group" % username))
group_ensure('sudo')
group_user_add('sudo', username)
def set_project_user_and_group(username, groupname):
""" Setup project user and group
@param username: system user for zope process
@param groupname: system process group for sites
"""
user_ensure(username)
group_ensure(groupname)
group_user_ensure(groupname, username)
def ensure_fcgiwrap(children=4):
select_package("apt")
package_ensure(["fcgiwrap"]) # On debian will automatically be enabled
# fcgi can't run status script because its default user (www-data) has no login shell--not sure why exactly but work around it by making a new user
user_ensure('fcgiwrap')
group_ensure('fcgiwrap')
group_user_ensure('fcgiwrap', 'fcgiwrap')
sudo('sed -i "s/www-data/fcgiwrap/" /lib/systemd/system/fcgiwrap.service')
sudo('echo "FCGI_CHILDREN={}" > /etc/default/fcgiwrap'.format(children))
sudo('systemctl daemon-reload')
sudo('/etc/init.d/fcgiwrap restart')
def ensure_email_contents(restore):
"""Restore the old email database if needed"""
user_ensure('vmail')
group_ensure('vmail')
group_user_ensure('vmail', 'vmail')
run("usermod -d /var/mail vmail")
#run('usermod -s /bin/false vmail')
if not dir_exists('/var/mail/vmail') and restore:
#with settings(user='******', host_string='burn'):
# get('/data/vmail', '/tmp')
put('/tmp/vmail', '/var/mail')
run('chown -R vmail:vmail /var/mail/vmail')
def add_user_to_docker_group(self):
"""
Make sure the ubuntu user is part of the docker group.
"""
log_green('adding the ubuntu user to the docker group')
data = load_state_from_disk()
with settings(hide('warnings', 'running', 'stdout', 'stderr'),
warn_only=True, capture=True):
user_ensure('ubuntu', home='/home/ubuntu', shell='/bin/bash')
group_ensure('docker', gid=55)
group_user_ensure('docker', 'ubuntu')
def ensure_email_contents(restore):
"""Restore the old email database if needed"""
user_ensure('vmail')
group_ensure('vmail')
group_user_ensure('vmail', 'vmail')
run("usermod -d /var/mail vmail")
#run('usermod -s /bin/false vmail')
if not dir_exists('/var/mail/vmail') and restore:
#with settings(user='******', host_string='burn'):
# get('/data/vmail', '/tmp')
put('/tmp/vmail', '/var/mail')
run('chown -R vmail:vmail /var/mail/vmail')
def setup_users():
'''Add web runner group and users'''
puts(green('Creating users and groups'))
orig_user, orig_passw, orig_cert = env.user, env.password, env.key_filename
env.user, env.password, env.key_filename = \
SSH_SUDO_USER , SSH_SUDO_PASSWORD, SSH_SUDO_CERT
cuisine.group_ensure(WEB_RUNNER_GROUP)
cuisine.user_ensure(
WEB_RUNNER_USER,
gid=WEB_RUNNER_GROUP,
shell='/bin/bash',
passwd=WEB_RUNNER_PASSWORD,
encrypted_passwd=False,
)
# Create the ssh certificate for web_runner user
rem_ssh_deploy_cert_file = '~%s/.ssh/authorized_keys' % WEB_RUNNER_USER
rem_ssh_priv_cert_file = '~%s/.ssh/id_rsa' % WEB_RUNNER_USER
rem_ssh_pub_cert_file = '~%s/.ssh/id_rsa.pub' % WEB_RUNNER_USER
ssh_config_file = '~%s/.ssh/config' % WEB_RUNNER_USER
if orig_cert and not sudo('test -e %s && echo OK ; true' %
(rem_ssh_deploy_cert_file, )).endswith("OK"):
sudo('mkdir -p ~%s/.ssh' % WEB_RUNNER_USER)
sudo('chmod 700 ~%s/.ssh' % WEB_RUNNER_USER)
deploy_cert = open(LOCAL_CERT_PATH + os.sep + 'web_runner_rsa.pub',
'r').read()
priv_cert = open(LOCAL_CERT_PATH + os.sep + 'web_runner_user_rsa',
'r').read()
pub_cert = open(LOCAL_CERT_PATH + os.sep + 'web_runner_user_rsa.pub',
'r').read()
ssh_config = 'Host bitbucket.org\n\tStrictHostKeyChecking no'
cuisine.file_write('/tmp/deploy_cert', deploy_cert)
cuisine.file_write('/tmp/priv_cert', priv_cert)
cuisine.file_write('/tmp/pub_cert', pub_cert)
cuisine.file_write('/tmp/ssh_config', ssh_config)
sudo('mv /tmp/deploy_cert ' + rem_ssh_deploy_cert_file)
sudo('mv /tmp/priv_cert ' + rem_ssh_priv_cert_file)
sudo('mv /tmp/pub_cert ' + rem_ssh_pub_cert_file)
sudo('mv /tmp/ssh_config ' + ssh_config_file)
sudo('chmod 600 %s' % rem_ssh_deploy_cert_file)
sudo('chmod 600 %s' % rem_ssh_priv_cert_file)
sudo('chmod 600 %s' % rem_ssh_pub_cert_file)
sudo('chown -R %s:%s ~%s/.ssh/' %
(WEB_RUNNER_USER, WEB_RUNNER_GROUP, WEB_RUNNER_USER))
env.user, env.password, env.key_filename = \
orig_user, orig_passw, orig_cert
def add_nagios_user():
'''
Adds Nagios user and groups to VMs and sets the right permissions.
'''
cuisine.group_ensure('nagios')
cuisine.user_ensure('nagios')
cuisine.group_user_ensure('nagios', 'nagios')
sudo('mkdir -p /usr/local/nagios')
sudo('mkdir -p /usr/local/nagios/libexec')
cuisine.dir_ensure('/usr/local/nagios')
cuisine.dir_ensure('/usr/local/nagios/libexec')
sudo('chown nagios.nagios /usr/local/nagios')
sudo('chown -R nagios.nagios /usr/local/nagios/libexec')
def add_nagios_user():
'''
Adds Nagios user and groups to VMs and sets the right permissions.
'''
cuisine.group_ensure('nagios')
cuisine.user_ensure('nagios')
cuisine.group_user_ensure('nagios', 'nagios')
sudo('mkdir -p /usr/local/nagios')
sudo('mkdir -p /usr/local/nagios/libexec')
cuisine.dir_ensure('/usr/local/nagios')
cuisine.dir_ensure('/usr/local/nagios/libexec')
sudo('chown nagios.nagios /usr/local/nagios')
sudo('chown -R nagios.nagios /usr/local/nagios/libexec')
def ensure():
# Make sure the user exists
user_ensure('acme')
group_ensure('acme')
group_user_ensure('acme', 'acme')
# Make sure acme.sh is installed for the acme user
if not path.has('acme.sh', user='******'):
git.ensure_clone_github('Neilpang/acme.sh', '/home/acme/acme.sh', user='******')
with cd("/home/acme/acme.sh"):
sudo("./acme.sh --install", user='******')
dir_ensure(well_known_base)
sudo("chown acme:acme {well_known} && chmod 755 {well_known}".format(well_known=well_known_base)) # Can't change attributes without sudo in a sticky (not write) directory... annoying
def add_user_to_docker_group(distro):
""" make sure the user running jenkins is part of the docker group """
log_green('adding the user running jenkins into the docker group')
with settings(hide('warnings', 'running', 'stdout', 'stderr'),
warn_only=True, capture=True):
if 'centos' in distro.value:
user_ensure('centos', home='/home/centos', shell='/bin/bash')
group_ensure('docker', gid=55)
group_user_ensure('docker', 'centos')
if 'ubuntu' in distro.value:
user_ensure('ubuntu', home='/home/ubuntu', shell='/bin/bash')
group_ensure('docker', gid=55)
group_user_ensure('docker', 'ubuntu')
def initialize():
"""Log in to the server as root and create the initial user/group"""
env.user = '******'
mode_user()
group_ensure(env.remote_group)
user_ensure(env.remote_user, shell='/bin/bash')
group_user_ensure(env.remote_user, env.remote_group)
# copy local public key to user's authorized_keys for convenience
if os.path.exists('~/.ssh/id_rsa.pub'):
f = open('~/.ssh/id_rsa.pub', 'rb')
ssh_authorize(env.remote_user, f.read())
f.close()
file_append("/etc/sudoers", "%(remote_user)s ALL=(ALL) NOPASSWD:ALL\n" % env)
def ensure():
select_package("apt")
package_ensure(["znc"]) # On debian will automatically be enabled
user_ensure('znc')
group_ensure('znc')
group_user_ensure('znc', 'znc')
dir_ensure("/var/znc", mode='755')
dir_ensure("/var/znc/configs", mode='755')
run("chown znc:znc /var/znc")
util.put("/srv/znc.conf", "/var/znc/configs", user="******", mode="600")
util.put("config/keys/znc.pem", "/var/znc", user="******", mode="600")
util.put("config/znc/modules", "/var/znc", user="******", mode="755")
run("cp /var/znc/modules/*.so /usr/lib/znc")
systemd.add_unit("config/systemd/znc.service")
run("systemctl enable znc")
run("systemctl restart znc")
def ensure():
select_package("apt")
package_ensure(["znc"]) # On debian will automatically be enabled
user_ensure('znc')
group_ensure('znc')
group_user_ensure('znc', 'znc')
dir_ensure("/var/znc", mode='755')
dir_ensure("/var/znc/configs", mode='755')
run("chown znc:znc /var/znc")
util.put("/srv/znc.conf", "/var/znc/configs", user="******", mode="600")
util.put("config/keys/znc.pem", "/var/znc", user="******", mode="600")
util.put("config/znc/modules", "/var/znc", user="******", mode="755")
run("cp /var/znc/modules/*.so /usr/lib/znc")
systemd.add_unit("config/systemd/znc.service")
run("systemctl enable znc")
run("systemctl restart znc")
def add_nagios_user():
'''
Adds Nagios user and group and sets correct file permissions.
'''
cuisine.group_ensure('nagcmd')
cuisine.group_ensure('nagios')
cuisine.user_ensure('nagios')
cuisine.group_user_ensure('nagios', 'nagios')
cuisine.group_user_ensure('nagcmd', 'nagios')
cuisine.user_ensure('www-data')
cuisine.group_user_ensure('nagcmd', 'www-data')
sudo('mkdir -p /usr/local/nagios')
sudo('mkdir -p /usr/local/nagios/libexec')
cuisine.dir_ensure('/usr/local/nagios')
cuisine.dir_ensure('/usr/local/nagios/libexec')
sudo('chown nagios.nagcmd /usr/local/nagios')
sudo('chown -R nagios.nagcmd /usr/local/nagios/libexec')
def add_nagios_user():
'''
Adds Nagios user and group and sets correct file permissions.
'''
cuisine.group_ensure('nagcmd')
cuisine.group_ensure('nagios')
cuisine.user_ensure('nagios')
cuisine.group_user_ensure('nagios', 'nagios')
cuisine.group_user_ensure('nagcmd', 'nagios')
cuisine.user_ensure('www-data')
cuisine.group_user_ensure('nagcmd', 'www-data')
sudo('mkdir -p /usr/local/nagios')
sudo('mkdir -p /usr/local/nagios/libexec')
cuisine.dir_ensure('/usr/local/nagios')
cuisine.dir_ensure('/usr/local/nagios/libexec')
sudo('chown nagios.nagcmd /usr/local/nagios')
sudo('chown -R nagios.nagcmd /usr/local/nagios/libexec')
def ensure_fcgiwrap(children=4):
select_package("apt")
package_ensure(["fcgiwrap"]) # On debian will automatically be enabled
# fcgi can't run status script because its default user (www-data) has no login shell--not sure why exactly but work around it by making a new user
user_ensure('fcgiwrap', shell="/bin/sh")
group_ensure('fcgiwrap')
group_user_ensure('fcgiwrap', 'fcgiwrap')
# Needed because of Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=792705. Fastcgi 1.1.0-6 (unstable as of writing) fixes this bug.
util.put_file("config/systemd/fcgiwrap.service",
"/etc/systemd/system/gcgiwrap.service",
mode='0644',
user='******')
# Not sure these two lines actually do anything
sudo('sed -i "s/www-data/fcgiwrap/" /lib/systemd/system/fcgiwrap.service')
sudo('echo "FCGI_CHILDREN={}" > /etc/default/fcgiwrap'.format(children))
sudo('systemctl daemon-reload')
sudo('/etc/init.d/fcgiwrap restart')
def deadtree():
"""Deadtree is the main services machine. It can be taken down at any time and rebuilt."""
apt.sudo_ensure() # cuisine.package_ensure is broken otherwise
# Set up /etc/skel
sudo("mkdir /etc/skel/.ssh || true")
sudo("chmod 700 /etc/skel/.ssh")
# Add a 'nobody' user
user_ensure('nobody')
group_ensure('nobody')
group_user_ensure('nobody', 'nobody')
sudo('usermod -s /bin/false nobody')
# Set up the firewall
put("config/firewalls/deadtree.sh", "/usr/local/bin", use_sudo=True)
sudo("sh /usr/local/bin/deadtree.sh")
# Set up nginx
already_installed = nginx.ensure()
nginx.ensure_site('config/nginx/default', cert='config/certs/za3k.com.pem', key='config/keys/blog.za3k.com.key')
nginx.ensure_fcgiwrap(children=4)
if not already_installed:
nginx.restart() # IPv[46] listener only changes on restart
# Set up letsencrypt
letsencrypt.ensure()
# Set up authorization to back up to the data server
#public_key = ssh.ensure_key('/root/.ssh/id_rsa')
#with settings(user='******', host_string='burn'):
# #put(public_key, '/home/zachary/test_authorized_keys')
# files.append('/home/deadtree/.ssh/authorized_keys', public_key)
# ddns.za3k.com (TCP port 80, web updater for DDNS)
# ns.za3k.com (UDP port 53, DNS server)
user_ensure('nsd')
group_ensure('nsd')
group_user_ensure('nsd', 'nsd')
with mode_sudo():
dir_ensure('/var/lib/nsd', mode='755')
sudo("chown nsd:nsd /var/lib/nsd")
package_ensure(["nsd"])
with cd("/var/lib/nsd"):
sudo("touch /var/lib/nsd/moreorcs.com.zone && chown nsd:nsd /var/lib/nsd/moreorcs.com.zone")
node.ensure()
put("config/ddns/moreorcs.com.zonetemplate", "/etc/nsd", mode='644', use_sudo=True)
supervisord.ensure()
git.ensure_clone_github('thingless/ddns', '/var/lib/nsd/ddns', user='******')
supervisord.ensure_config("config/supervisor/ddns.conf")
put("config/ddns/config.json", "/var/lib/nsd", mode='644', use_sudo=True)
sudo("chown nsd:nsd /var/lib/nsd/config.json")
# [Manual] Copy dnsDB.json from backup
sudo("cd /var/lib/nsd && ln -sf ddns/index.txt index.txt && chown nsd:nsd index.txt")
supervisord.update() # Run ddns
package_ensure(["nsd"])
put("config/ddns/nsd.conf", "/etc/nsd", mode='644', use_sudo=True)
sudo("systemctl restart nsd")
nginx.ensure_site('config/nginx/ddns.za3k.com', csr='config/certs/ddns.za3k.com.csr', key='config/keys/ddns.za3k.com.key', domain="ddns.za3k.com", letsencrypt=True, cert="config/certs/ddns.za3k.com.pem")
nginx.reload()
# blog.za3k.com
package_ensure(["php5-fpm", "mysql-server", "php5-mysql"])
nginx.ensure_site('config/nginx/blog.za3k.com', cert='config/certs/blog.za3k.com.pem', key='config/keys/blog.za3k.com.key', domain="blog.za3k.com", letsencrypt=True, csr="config/certs/blog.za3k.com.csr")
git.ensure_clone_za3k('za3k_blog', '/var/www/za3k_blog', user='******')
# TODO: Replace a database-specific password or make it more obvious it's not used? Currently we're using user ACLs and this gets ignored anyway, I think?
# [Manual] Load the blog database from backup at /srv/mysql -> /var/lib/mysql
sudo('systemctl restart mysql')
# etherpad.za3k.com
package_ensure(["sqlite3"])
user_ensure('etherpad')
group_ensure('etherpad')
group_user_ensure('etherpad', 'etherpad')
git.ensure_clone_github('ether/etherpad-lite', '/var/www/etherpad', commit='1.6.0', user='******')
nginx.ensure_site('config/nginx/etherpad.za3k.com', csr='config/certs/etherpad.za3k.com.csr', key='config/keys/etherpad.za3k.com.key', domain="etherpad.za3k.com", letsencrypt=True, cert="config/certs/etherpad.za3k.com.pem")
util.put("config/etherpad/APIKEY.txt", "/var/www/etherpad", user='******', mode='600')
util.put("config/etherpad/settings.json", "/var/www/etherpad", user='******', mode='644')
if not files.exists("/var/www/etherpad/var/sqlite.db"):
sudo("mkdir -p /var/www/etherpad/var", user='******')
with cd("/var/www/etherpad"):
sudo("npm install sqlite3")
sudo("rsync -av burn.za3k.com::etherpad --delete /var/www/etherpad/var", user='******')
supervisord.ensure()
supervisord.ensure_config("config/supervisor/etherpad.conf")
supervisord.update()
# forsale
nginx.ensure_site('config/nginx/forsale')
util.put('data/forsale', '/var/www', user='******', mode='755')
# gipc daily sync
# github personal backup
# github repo list
# -> updater
# irc.za3k.com -> irc
# -> webchat (qwebirc)
# jsfail.com
user_ensure('jsfail')
group_ensure('jsfail')
group_user_ensure('jsfail', 'jsfail')
nginx.ensure_site('config/nginx/jsfail.com')
util.put('data/jsfail', '/var/www', 'jsfail', mode='755')
# library.za3k.com -> website
# -> sync script
# -> card catalog
# MUST be user 2001 to match remote rsync
user_ensure('library', uid=2001)
group_ensure('library', gid=2001)
group_user_ensure('library', 'library')
with mode_sudo():
dir_ensure('/var/www/library', mode='755')
sudo("chown library:library /var/www/library")
put("config/library/library.sync", "/etc/cron.daily", mode='755', use_sudo=True)
sudo("/etc/cron.daily/library.sync")
nginx.ensure_site('config/nginx/library.za3k.com', csr='config/certs/library.za3k.com.csr', key='config/keys/library.za3k.com.key', domain="library.za3k.com", letsencrypt=True, cert="config/certs/library.za3k.com.pem")
# logs (nginx) and analysis (analog)
# mint sync
# moreorcs.com
user_ensure('moreorcs')
group_ensure('moreorcs')
group_user_ensure('moreorcs', 'moreorcs')
nginx.ensure_site('config/nginx/moreorcs.com', cert='config/certs/moreorcs.com.pem', key='config/keys/moreorcs.com.key', domain="moreorcs.com", letsencrypt=True, csr="config/certs/moreorcs.com.csr")
git.ensure_clone_github('za3k/moreorcs', '/var/www/moreorcs', user='******')
# nanowrimo.za3k.com
nginx.ensure_site('config/nginx/nanowrimo.za3k.com', csr='config/certs/nanowrimo.za3k.com.csr', key='config/keys/nanowrimo.za3k.com.key', domain="nanowrimo.za3k.com", letsencrypt=True, cert="config/certs/nanowrimo.za3k.com.pem")
util.put('data/nanowrimo', '/var/www', user='******', mode='755')
# nntp.za3k.com - Discontinued
# petchat.za3k.com
nginx.ensure_site('config/nginx/petchat.za3k.com')
if not files.exists('/var/www/petchat'):
git.ensure_clone_za3k('petchat', '/var/www/petchat', user='******')
# publishing.za3k.com
# thinkingtropes.com
nginx.ensure_site('config/nginx/thinkingtropes.com')
util.put('data/thinkingtropes', '/var/www', user='******', mode='755')
# thisisashell.com
nginx.ensure_site('config/nginx/thisisashell.com', csr='config/certs/thisisashell.com.csr', key='config/keys/thisisashell.com.key', domain="thisisashell.com", letsencrypt=True, cert="config/certs/thisisashell.com.pem")
# twitter archive
# za3k.com
user_ensure('za3k')
group_ensure('za3k')
group_user_ensure('za3k', 'za3k')
nginx.ensure_site('config/nginx/za3k.com', cert='config/certs/za3k.com.pem', key='config/keys/za3k.com.key', domain="za3k.com", letsencrypt=True, csr="config/certs/za3k.com.csr")
git.ensure_clone_za3k('za3k', '/var/www/za3k', user='******')
# Markdown .md
ruby.ensure()
ruby.ensure_gems(["redcarpet"])
# colony on the moon
sudo("rsync -av burn.za3k.com::colony --delete /var/www/colony", user='******')
# |-- status.za3k.com
sudo("mkdir -p /var/www/status && chmod 755 /var/www/status")
util.put("/srv/keys/backup_check", "/var/www/status", user='******', mode='600')
#util.put("/srv/keys/backup_check.pub", "/var/www/status", user='******', mode='644')
package_ensure(["parallel", "curl"])
nginx.reload()
def add_glance_user():
"""Add glance users and groups if they don't exists in the
operating system"""
group_ensure('glance', 202)
user_ensure('glance', home='/var/lib/glance', uid=202, gid=202,
shell='/bin/false')
def add_nova_user():
"""Add nova users and groups if they don't exists in the
operating system"""
group_ensure('nova', 201)
user_ensure('nova', home='/var/lib/nova', uid=201, gid=201,
shell='/bin/false')
def provision_user(admin_user, admin_group):
group_ensure(admin_group)
user_ensure(admin_user, shell='/bin/bash')
group_user_ensure(admin_group, admin_user)
append("/etc/sudoers", "%{group} ALL=(ALL) NOPASSWD:ALL".format(group=admin_group),
use_sudo=True)
def deadtree():
"""Deadtree is the main services machine. It can be taken down at any time and rebuilt."""
apt.sudo_ensure() # cuisine.package_ensure is broken otherwise
# Set up /etc/skel
sudo("mkdir /etc/skel/.ssh || true")
sudo("chmod 700 /etc/skel/.ssh")
# Add a 'nobody' user
user_ensure('nobody')
group_ensure('nobody')
group_user_ensure('nobody', 'nobody')
sudo('usermod -s /bin/false nobody')
# Set up logging
logs.setup()
# Set up the firewall
util.put_file("config/firewalls/deadtree.sh",
"/usr/local/bin/deadtree.sh",
mode='755',
user='******')
sudo("sh /usr/local/bin/deadtree.sh")
util.put_file("config/firewalls/iptables",
"/etc/network/if-pre-up.d/",
mode='755',
user='******')
# Set up authorization to back up to germinate
public_key = ssh.ensure_key('/var/local/germinate-backup', use_sudo=True)
with settings(user='******', host_string='germinate'):
files.append('/home/deadtree/.ssh/authorized_keys',
public_key,
use_sudo=True)
util.put_file("config/backup/sshconfig-deadtree",
"/root/.ssh/config",
user='******')
# Set up backup
package_ensure(["rsync"])
util.put_file("config/backup/generic-backup.sh",
"/var/local",
mode='755',
user='******')
util.put_file("config/backup/backup-exclude-base",
"/var/local/backup-exclude",
mode='644',
user='******')
util.put_file("config/backup/backup-deadtree.sh",
"/etc/cron.daily/backup-deadtree",
mode='755',
user='******')
# Set up nginx
already_installed = nginx.ensure()
nginx.ensure_site('config/nginx/default',
cert='config/certs/za3k.com.pem',
key='config/keys/blog.za3k.com.key')
nginx.ensure_fcgiwrap(children=4)
if not already_installed:
nginx.restart() # IPv[46] listener only changes on restart
# Set up letsencrypt
letsencrypt.ensure()
# Set up logging reports
package_ensure(["analog"])
with mode_sudo():
dir_ensure("/var/www/logs", mode='755')
util.put_file("config/logs/generate-logs",
"/etc/cron.daily/generate-logs",
mode='755',
user='******')
util.put_file("config/logs/analog.cfg",
"/etc/analog.cfg",
mode='644',
user='******')
# ddns.za3k.com (TCP port 80, web updater for DDNS)
# ns.za3k.com (UDP port 53, DNS server)
user_ensure('nsd')
group_ensure('nsd')
group_user_ensure('nsd', 'nsd')
with mode_sudo():
dir_ensure('/var/lib/nsd', mode='755')
sudo("chown nsd:nsd /var/lib/nsd")
package_ensure(["nsd"])
with cd("/var/lib/nsd"):
sudo(
"touch /var/lib/nsd/moreorcs.com.zone && chown nsd:nsd /var/lib/nsd/moreorcs.com.zone"
)
node.ensure()
util.put_file("config/ddns/moreorcs.com.zonetemplate",
"/etc/nsd/moreorcs.com.zonetemplate",
mode='644',
user='******')
supervisord.ensure()
git.ensure_clone_github('thingless/ddns', '/var/lib/nsd/ddns', user='******')
supervisord.ensure_config("config/supervisor/ddns.conf")
util.put_file("config/ddns/config.json",
"/var/lib/nsd/config.json",
mode='644',
user='******')
# [Manual] Copy dnsDB.json from backup
sudo(
"cd /var/lib/nsd && ln -sf ddns/index.txt index.txt && chown nsd:nsd index.txt"
)
supervisord.update() # Run ddns
package_ensure(["nsd"])
util.put_file("config/ddns/nsd.conf",
"/etc/nsd/nsd.conf",
mode='644',
user='******')
sudo("systemctl restart nsd")
nginx.ensure_site('config/nginx/ddns.za3k.com',
csr='config/certs/ddns.za3k.com.csr',
key='config/keys/ddns.za3k.com.key',
domain="ddns.za3k.com",
letsencrypt=True,
cert="config/certs/ddns.za3k.com.pem")
nginx.reload()
# blog.za3k.com
package_ensure(["php5-fpm", "mysql-server", "php5-mysql"])
nginx.ensure_site('config/nginx/blog.za3k.com',
cert='config/certs/blog.za3k.com.pem',
key='config/keys/blog.za3k.com.key',
domain="blog.za3k.com",
letsencrypt=True,
csr="config/certs/blog.za3k.com.csr")
git.ensure_clone_za3k('za3k_blog', '/var/www/za3k_blog', user='******')
# [Manual] Edit /etc/php5/fpm/php.ini
# upload_max_filesize = 20M
# post_max_size = 26M
# sudo("systemctl reload php5-fpm.service")
# Yes, www-data and not fcgiwrap
sudo("chown www-data:www-data -R /var/www/za3k_blog")
sudo("find . -type d -exec chmod 755 {} \;")
sudo("find . -type f -exec chmod 644 {} \;")
# TODO: Replace a database-specific password or make it more obvious it's not used? Currently we're using user ACLs and this gets ignored anyway, I think?
# [Manual] Load the blog database from backup at /srv/mysql -> /var/lib/mysql
sudo('systemctl restart mysql')
# deadtree.za3k.com
nginx.ensure_site('config/nginx/deadtree.za3k.com',
cert='config/certs/deadtree.za3k.com.pem',
key='config/keys/deadtree.za3k.com.key',
domain="deadtree.za3k.com",
letsencrypt=True,
csr="config/certs/deadtree.za3k.com.csr")
util.put_dir('data/deadtree/public',
'/var/www/public',
mode='755',
user='******')
# etherpad.za3k.com
package_ensure(["sqlite3"])
user_ensure('etherpad')
group_ensure('etherpad')
group_user_ensure('etherpad', 'etherpad')
git.ensure_clone_github('ether/etherpad-lite',
'/var/www/etherpad',
commit='1.6.0',
user='******')
nginx.ensure_site('config/nginx/etherpad.za3k.com',
csr='config/certs/etherpad.za3k.com.csr',
key='config/keys/etherpad.za3k.com.key',
domain="etherpad.za3k.com",
letsencrypt=True,
cert="config/certs/etherpad.za3k.com.pem")
util.put_file("config/etherpad/APIKEY.txt",
"/var/www/etherpad",
user='******',
mode='600')
util.put_file("config/etherpad/settings.json",
"/var/www/etherpad",
user='******',
mode='644')
if not files.exists("/var/www/etherpad/var/sqlite.db"):
sudo("mkdir -p /var/www/etherpad/var", user='******')
with cd("/var/www/etherpad"):
sudo("npm install sqlite3")
sudo(
"rsync -av germinate.za3k.com::etherpad --delete /var/www/etherpad/var",
user='******')
supervisord.ensure()
supervisord.ensure_config("config/supervisor/etherpad.conf")
supervisord.update()
# forsale
nginx.ensure_site('config/nginx/forsale')
util.put_dir('data/forsale', '/var/www/forsale', mode='755', user='******')
# gipc daily sync
# github personal backup
# github repo list
util.put_file("config/github/github-metadata-sync",
"/etc/cron.daily/github-metadata-sync",
mode='755',
user='******')
# -> updater
# irc.za3k.com -> irc
# -> webchat (qwebirc)
# jsfail.com
user_ensure('jsfail')
group_ensure('jsfail')
group_user_ensure('jsfail', 'jsfail')
nginx.ensure_site('config/nginx/jsfail.com')
util.put_dir('data/jsfail', '/var/www/jsfail', 'jsfail', mode='755')
# library.za3k.com -> website
# -> sync script
# -> card catalog
# MUST be user 2001 to match remote rsync
user_ensure('library', uid=2001)
group_ensure('library', gid=2001)
group_user_ensure('library', 'library')
with mode_sudo():
dir_ensure('/var/www/library', mode='755')
files.append('/etc/sudoers',
'za3k ALL=(root) NOPASSWD: /etc/cron.daily/library-sync',
use_sudo=True)
with settings(user='******', host_string='germinate'):
actual_key = ssh.get_public_key(
"/data/git/books.git/hooks/deadtree.library")
ssh_line = 'command="{command}",no-port-forwarding,no-x11-forwarding,no-agent-forwarding {key}'.format(
command="sudo /etc/cron.daily/library-sync", key=actual_key)
files.append('/home/za3k/.ssh/authorized_keys', ssh_line, use_sudo=True)
sudo("chown library:library /var/www/library")
util.put_file("config/library/library-sync",
"/etc/cron.daily/library-sync",
mode='755',
user='******')
sudo("/etc/cron.daily/library-sync")
nginx.ensure_site('config/nginx/library.za3k.com',
csr='config/certs/library.za3k.com.csr',
key='config/keys/library.za3k.com.key',
domain="library.za3k.com",
letsencrypt=True,
cert="config/certs/library.za3k.com.pem")
# logs (nginx) and analysis (analog)
# mint sync
# moreorcs.com
user_ensure('moreorcs')
group_ensure('moreorcs')
group_user_ensure('moreorcs', 'moreorcs')
nginx.ensure_site('config/nginx/moreorcs.com',
cert='config/certs/moreorcs.com.pem',
key='config/keys/moreorcs.com.key',
domain="moreorcs.com",
letsencrypt=True,
csr="config/certs/moreorcs.com.csr")
git.ensure_clone_github('za3k/moreorcs',
'/var/www/moreorcs',
user='******')
# nanowrimo.za3k.com
nginx.ensure_site('config/nginx/nanowrimo.za3k.com',
csr='config/certs/nanowrimo.za3k.com.csr',
key='config/keys/nanowrimo.za3k.com.key',
domain="nanowrimo.za3k.com",
letsencrypt=True,
cert="config/certs/nanowrimo.za3k.com.pem")
util.put_dir('data/nanowrimo',
'/var/www/nanowrimo',
user='******',
mode='755')
# nntp.za3k.com - Discontinued
# petchat.za3k.com
nginx.ensure_site('config/nginx/petchat.za3k.com')
if not files.exists('/var/www/petchat'):
git.ensure_clone_za3k('petchat', '/var/www/petchat', user='******')
# publishing.za3k.com
# thinkingtropes.com
nginx.ensure_site('config/nginx/thinkingtropes.com')
util.put_dir('data/thinkingtropes',
'/var/www/thinkingtropes',
user='******',
mode='755')
# thisisashell.com
nginx.ensure_site('config/nginx/thisisashell.com',
csr='config/certs/thisisashell.com.csr',
key='config/keys/thisisashell.com.key',
domain="thisisashell.com",
letsencrypt=True,
cert="config/certs/thisisashell.com.pem")
# isrickandmortyout.com
nginx.ensure_site('config/nginx/isrickandmortyout.com',
csr='config/certs/isrickandmortyout.com.csr',
key='config/keys/isrickandmortyout.com.key',
domain="isrickandmortyout.com",
letsencrypt=True,
cert="config/certs/isrickandmortyout.com.pem")
# twitter archive
# za3k.com
user_ensure('za3k')
group_ensure('za3k')
group_user_ensure('za3k', 'za3k')
nginx.ensure_site('config/nginx/za3k.com',
cert='config/certs/za3k.com.pem',
key='config/keys/za3k.com.key',
domain="za3k.com",
letsencrypt=True,
csr="config/certs/za3k.com.csr")
git.ensure_clone_za3k('za3k', '/var/www/za3k', user='******')
with settings(user='******', host_string='germinate'):
actual_key = ssh.get_public_key(
"/data/git/za3k.git/hooks/deadtree_key")
ssh_line = 'command="{command}",no-port-forwarding,no-x11-forwarding,no-agent-forwarding {key}'.format(
command="/usr/bin/git -C /var/www/za3k pull", key=actual_key)
files.append('/home/za3k/.ssh/authorized_keys', ssh_line, use_sudo=True)
# Markdown .md
ruby.ensure()
ruby.ensure_gems(["redcarpet"])
# Databases .view
package_ensure(["sqlite3"])
util.put_file("config/za3k/za3k-db-sync",
"/etc/cron.daily/za3k-db-sync",
mode='755',
user='******')
sudo("/etc/cron.daily/za3k-db-sync")
# colony on the moon
# disabled temp. because we're out of space
#sudo("rsync -av germinate.za3k.com::colony --delete /var/www/colony", user='******')
# .sc
package_ensure(["sc"])
nginx.reload()
def create_user(self):
user_ensure(self.user_name)
group_ensure(self.group_name)
group_user_ensure(self.user_name, self.group_name)
