예제 #1
def configure(full=1, site=ALL, delete_old=0):
    """
    Render and upload the Apache configuration for the selected sites.

    full -- int-convertible flag; when true the main Apache configuration
        file and the listening-ports file are uploaded as well.
    site -- selector passed through to common.iter_sites().
    delete_old -- int-convertible flag; when true every file in the
        sites-available and sites-enabled directories is removed first.
    """
    from burlap import service

    print 'Configuring Apache...'
    # The return value is not used in this task.
    set_apache_specifics()

    if int(delete_old):
        # Clear out every available and enabled site definition.
        # NOTE(review): both globs run as root and are built from env
        # values; confirm the two directory settings can never be empty
        # when this task runs.
        for wipe_command in ('rm -f %(apache_sites_available)s/*',
                             'rm -f %(apache_sites_enabled)s/*'):
            sudo(wipe_command % env)

    for site_name, _site_data in common.iter_sites(site=site, setter=set_apache_site_specifics):
        print site_name

        print 'env.apache_ssl_domain:',env.apache_ssl_domain
        print 'env.apache_ssl_domain_template:',env.apache_ssl_domain_template

        wsgi_file = common.render_to_file('django.template.wsgi')
        put(local_path=wsgi_file, remote_path=env.apache_django_wsgi, use_sudo=True)

        if env.apache_ssl:
            env.apache_ssl_certificates = list(iter_certificates())

        # The site template is rendered before the two env values below
        # are assigned; that order is kept as-is.
        site_conf_file = common.render_to_file('apache_site.template.conf')
        env.apache_site_conf = site_name + '.conf'
        env.apache_site_conf_fqfn = os.path.join(env.apache_sites_available, env.apache_site_conf)
        put(local_path=site_conf_file, remote_path=env.apache_site_conf_fqfn, use_sudo=True)

        # NOTE(review): the site name reaches a root shell unquoted;
        # presumably it only ever comes from project settings - confirm.
        sudo('a2ensite %(apache_site_conf)s' % env)

    # The optional hardening modules add themselves to
    # env.apache_mods_enabled, so they are handled before the a2enmod loop.
    if service.is_selected(APACHE2_MODEVASIVE):
        configure_modevasive()

    if service.is_selected(APACHE2_MODSECURITY):
        configure_modsecurity()

    for module_name in env.apache_mods_enabled:
        env.apache_mod_enabled = module_name
        sudo('a2enmod %(apache_mod_enabled)s' % env)

    if int(full):
        # Main Apache configuration first, then the listening ports.
        for template_name, target_attr in (
                ('apache_httpd.template.conf', 'apache_conf'),
                ('apache_ports.template.conf', 'apache_ports')):
            put(local_path=common.render_to_file(template_name),
                remote_path=getattr(env, target_attr),
                use_sudo=True)

    # NOTE(review): this hands the whole apache_root tree to the Apache
    # account, so the web server process can write to it; confirm that is
    # intended rather than content owned by a separate deploy account.
    sudo('chown -R %(apache_user)s:%(apache_group)s %(apache_root)s' % env)
예제 #2
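def deploy_services(site=None, dryrun=0):
    """
    Collects the configurations for all registered services and writes
    the appropriate supervisord.conf file.

    site -- selector passed to common.iter_sites().
    dryrun -- int-convertible flag; when true the rendered file is printed
        locally instead of being uploaded.
    """
    dryrun = int(dryrun)

    render_paths()

    for site, site_data in common.iter_sites(site=site, renderer=render_paths):
        print site
        for cb in env._supervisor_create_service_callbacks:
            ret = cb()
            # Only string results are collected; anything else a callback
            # returns is skipped without a message.
            if isinstance(ret, basestring):
                env.supervisor_services.append(ret)

    # NOTE(review): each callback's text is joined verbatim into the value
    # the template below presumably embeds; the callbacks are assumed to
    # be trusted project code - confirm.
    env.supervisor_services_rendered = '\n'.join(env.supervisor_services)

    fn = common.render_to_file('supervisor_daemon.template.config')
    if dryrun:
        # Close the rendered file explicitly instead of leaving the handle
        # to the garbage collector.
        with open(fn) as rendered:
            print rendered.read()
    else:
        put(local_path=fn,
            remote_path=env.supervisor_config_path,
            use_sudo=True)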
예제 #3
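def deploy_services(site=None, dryrun=0):
    """
    Collects the configurations for all registered services and writes
    the appropriate supervisord.conf file.

    site -- selector passed to common.iter_sites().
    dryrun -- int-convertible flag; when true the rendered file is printed
        locally instead of being uploaded.
    """
    dryrun = int(dryrun)

    render_paths()

    for site, site_data in common.iter_sites(site=site, renderer=render_paths):
        print site
        for cb in env._supervisor_create_service_callbacks:
            ret = cb()
            # Non-string results from a callback are dropped silently.
            if isinstance(ret, basestring):
                env.supervisor_services.append(ret)

    # NOTE(review): the collected fragments are joined unmodified; they are
    # assumed to come from trusted project callbacks - confirm.
    env.supervisor_services_rendered = "\n".join(env.supervisor_services)

    fn = common.render_to_file("supervisor_daemon.template.config")
    if dryrun:
        # A context manager closes the rendered file as soon as it has
        # been printed.
        with open(fn) as rendered:
            print rendered.read()
    else:
        put(local_path=fn, remote_path=env.supervisor_config_path, use_sudo=True)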
예제 #4
def configure_modevasive():
    """
    Queue mod-evasive for enabling and upload its configuration file.
    """
    env.apache_mods_enabled.append('mod-evasive')

    # Write mod-evasive.conf.
    rendered_conf = common.render_to_file('apache_modevasive.template.conf')
    target = '/etc/apache2/mods-available/mod-evasive.conf'
    put(local_path=rendered_conf, remote_path=target, use_sudo=True)
예제 #5
def configure_modevasive():
    """
    Add mod-evasive to the modules to enable and install its config file.
    """
    env.apache_mods_enabled.append('mod-evasive')

    # Render the mod-evasive settings locally, then upload them with sudo
    # into Apache's mods-available directory.
    local_conf = common.render_to_file('apache_modevasive.template.conf')
    put(
        local_path=local_conf,
        remote_path='/etc/apache2/mods-available/mod-evasive.conf',
        use_sudo=True,
    )
예제 #6
파일: ip.py 프로젝트: pombredanne/burlap
def static():
    """
    Upload the static-IP interfaces file and restart networking.
    """
    interfaces_file = render_to_file('ip_interfaces_static.template')
    put(local_path=interfaces_file, remote_path=env.ip_interfaces_fn, use_sudo=True)

    # The restart command is itself a format string held in env and is run
    # as root after interpolation.
    # NOTE(review): presumably it is only ever set from project settings -
    # confirm nothing else can write to it.
    restart_command = env.ip_network_restart_command % env
    sudo(restart_command)
예제 #7
def configure():
    """
    Upload the supervisord init script and register it with update-rc.d.
    """
    render_paths()

    init_script = common.render_to_file('supervisor_daemon.template.init')
    put(local_path=init_script, remote_path=env.supervisor_daemon_path, use_sudo=True)

    # Make the uploaded script executable, then create its rc.d links.
    # The second command has no placeholders; interpolation leaves it as-is.
    for command in ('chmod +x %(supervisor_daemon_path)s',
                    'update-rc.d supervisord defaults'):
        sudo(command % env)
예제 #8
def configure():
    """
    Install the supervisord init script and register its rc.d links.
    """
    render_paths()

    daemon_script = common.render_to_file("supervisor_daemon.template.init")
    put(
        local_path=daemon_script,
        remote_path=env.supervisor_daemon_path,
        use_sudo=True,
    )

    # The uploaded script has to be executable before it is registered.
    mark_executable = "chmod +x %(supervisor_daemon_path)s" % env
    sudo(mark_executable)

    # This command contains no placeholders, so the interpolation returns
    # it unchanged.
    register_service = "update-rc.d supervisord defaults" % env
    sudo(register_service)
예제 #9
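def configure():
    """
    Configures rules for IPTables.

    When env.iptables_enabled is true, the rules template is rendered,
    uploaded, loaded with iptables-restore and saved to
    /etc/iptables.up.rules, after which enable() and restart() are called.
    Otherwise disable() and stop() are called.
    """
    if env.iptables_enabled:
        fn = common.render_to_file(env.iptables_rules_template)
        # No remote_path is given; the command below reads the upload
        # location from env.put_remote_path.
        # NOTE(review): presumably this put() wrapper sets that key - confirm.
        put(local_path=fn)

        # Chain with '&&' rather than ';': with ';' a failed
        # iptables-restore was masked by the exit status of iptables-save,
        # so the task carried on and reported success while the host kept
        # whatever rules were already loaded.
        cmd = 'iptables-restore < %(put_remote_path)s && iptables-save > /etc/iptables.up.rules' % env
        sudo_or_dryrun(cmd)

        enable()
        restart()
    else:
        disable()
        stop()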
예제 #10
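def configure_modsecurity():
    """
    Enables mod-security and installs the OWASP core rule set.

    Adds 'mod-security' and 'headers' to env.apache_mods_enabled, uploads
    the rendered modsecurity.conf, downloads the archive named by
    env.apache_modsecurity_download_url, copies its contents into
    /etc/modsecurity, links every base and optional rule into
    activated_rules and queues an Include line in
    env.apache_httpd_conf_append.
    """

    env.apache_mods_enabled.append('mod-security')
    env.apache_mods_enabled.append('headers')

    # Write modsecurity.conf.
    fn = common.render_to_file('apache_modsecurity.template.conf')
    put(local_path=fn, remote_path='/etc/modsecurity/modsecurity.conf', use_sudo=True)

    # Write OWASP rules.
    # Download and unpack inside a directory created by mktemp instead of
    # under a fixed name in /tmp: /tmp is writable by every local account,
    # and these steps run as root, so a predictable path could already
    # exist with contents this task did not put there. The directory is
    # left in place so env.apache_modsecurity_download_filename stays valid.
    workdir = sudo('mktemp -d /tmp/owasp-modsecurity-crs.XXXXXXXX').strip()
    env.apache_modsecurity_download_filename = workdir + '/owasp-modsecurity-crs.tar.gz'
    # NOTE(review): the archive is unpacked and installed as root without a
    # checksum or signature check; pin the expected digest of the release
    # and verify it before extracting.
    sudo('wget --output-document=%(apache_modsecurity_download_filename)s %(apache_modsecurity_download_url)s' % env)
    # Name of the archive's top-level directory, taken from its listing.
    env.apache_modsecurity_download_top = sudo("tar tzf %(apache_modsecurity_download_filename)s | sed -e 's@/.*@@' | uniq" % env)
    sudo('cd %s && tar -zxvf %s' % (workdir, env.apache_modsecurity_download_filename))
    sudo('cd %s && cp -R %s/* /etc/modsecurity/' % (workdir, env.apache_modsecurity_download_top))
    sudo('mv /etc/modsecurity/modsecurity_crs_10_setup.conf.example  /etc/modsecurity/modsecurity_crs_10_setup.conf' % env)

    # Rebuild the activated rule links from scratch.
    sudo('rm -f /etc/modsecurity/activated_rules/*')
    sudo('cd /etc/modsecurity/base_rules; for f in * ; do ln -s /etc/modsecurity/base_rules/$f /etc/modsecurity/activated_rules/$f ; done')
    sudo('cd /etc/modsecurity/optional_rules; for f in * ; do ln -s /etc/modsecurity/optional_rules/$f /etc/modsecurity/activated_rules/$f ; done')

    env.apache_httpd_conf_append.append('Include "/etc/modsecurity/activated_rules/*.conf"')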
예제 #11
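def configure_modsecurity():
    """
    Enables mod-security and installs the OWASP core rule set.

    Adds 'mod-security' and 'headers' to env.apache_mods_enabled, uploads
    the rendered modsecurity.conf, downloads the archive named by
    env.apache_modsecurity_download_url, copies its contents into
    /etc/modsecurity, links every base and optional rule into
    activated_rules and queues an Include line in
    env.apache_httpd_conf_append.
    """

    env.apache_mods_enabled.append('mod-security')
    env.apache_mods_enabled.append('headers')

    # Write modsecurity.conf.
    fn = common.render_to_file('apache_modsecurity.template.conf')
    put(local_path=fn,
        remote_path='/etc/modsecurity/modsecurity.conf',
        use_sudo=True)

    # Write OWASP rules.
    # The download and extraction happen in a mktemp-created directory
    # rather than under a fixed name in /tmp. Every local account can write
    # to /tmp and these commands run as root, so a predictable path may
    # already exist with contents this task did not create. The directory
    # is kept afterwards so the env filename below remains valid.
    workdir = sudo('mktemp -d /tmp/owasp-modsecurity-crs.XXXXXXXX').strip()
    env.apache_modsecurity_download_filename = (
        workdir + '/owasp-modsecurity-crs.tar.gz')
    # NOTE(review): nothing verifies the archive before it is installed as
    # root; check a pinned digest or signature of the release first.
    sudo(
        'wget --output-document=%(apache_modsecurity_download_filename)s %(apache_modsecurity_download_url)s'
        % env)
    # Name of the archive's top-level directory, taken from its listing.
    env.apache_modsecurity_download_top = sudo(
        "tar tzf %(apache_modsecurity_download_filename)s | sed -e 's@/.*@@' | uniq"
        % env)
    sudo('cd %s && tar -zxvf %s'
         % (workdir, env.apache_modsecurity_download_filename))
    sudo('cd %s && cp -R %s/* /etc/modsecurity/'
         % (workdir, env.apache_modsecurity_download_top))
    sudo(
        'mv /etc/modsecurity/modsecurity_crs_10_setup.conf.example  /etc/modsecurity/modsecurity_crs_10_setup.conf'
        % env)

    # Rebuild the activated rule links from scratch.
    sudo('rm -f /etc/modsecurity/activated_rules/*')
    sudo(
        'cd /etc/modsecurity/base_rules; for f in * ; do ln -s /etc/modsecurity/base_rules/$f /etc/modsecurity/activated_rules/$f ; done'
    )
    sudo(
        'cd /etc/modsecurity/optional_rules; for f in * ; do ln -s /etc/modsecurity/optional_rules/$f /etc/modsecurity/activated_rules/$f ; done'
    )

    env.apache_httpd_conf_append.append(
        'Include "/etc/modsecurity/activated_rules/*.conf"')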
예제 #12
def configure(full=1, site=ALL, delete_old=0):
    """
    Upload per-site Apache configuration and enable the selected modules.

    full -- int-convertible flag; when true the main Apache configuration
        file and the listening-ports file are written too.
    site -- selector handed to common.iter_sites().
    delete_old -- int-convertible flag; when true all files in the
        sites-available and sites-enabled directories are deleted first.
    """
    from burlap import service

    print 'Configuring Apache...'
    # Called without keeping the result, which this task never reads.
    set_apache_specifics()

    remove_existing = int(delete_old)
    if remove_existing:
        # Delete all existing enabled and available sites.
        # NOTE(review): the glob targets come straight from env and the
        # commands run as root; confirm neither directory setting can be
        # empty at this point.
        sudo('rm -f %(apache_sites_available)s/*' % env)
        sudo('rm -f %(apache_sites_enabled)s/*' % env)

    selected_sites = common.iter_sites(site=site,
                                       setter=set_apache_site_specifics)
    for current_site, _unused_data in selected_sites:
        print current_site

        print 'env.apache_ssl_domain:', env.apache_ssl_domain
        print 'env.apache_ssl_domain_template:', env.apache_ssl_domain_template

        # WSGI entry point for the site.
        rendered_wsgi = common.render_to_file('django.template.wsgi')
        put(local_path=rendered_wsgi,
            remote_path=env.apache_django_wsgi,
            use_sudo=True)

        if env.apache_ssl:
            env.apache_ssl_certificates = list(iter_certificates())

        # Rendering happens before the conf name and path are stored in
        # env; the order is left untouched.
        rendered_site = common.render_to_file('apache_site.template.conf')
        env.apache_site_conf = current_site + '.conf'
        env.apache_site_conf_fqfn = os.path.join(env.apache_sites_available,
                                                 env.apache_site_conf)
        put(local_path=rendered_site,
            remote_path=env.apache_site_conf_fqfn,
            use_sudo=True)

        # NOTE(review): the site name is placed in a root shell command
        # without quoting; presumably it is a project-defined identifier.
        sudo('a2ensite %(apache_site_conf)s' % env)

    # Both helpers append to env.apache_mods_enabled, so they run before
    # the a2enmod loop below.
    if service.is_selected(APACHE2_MODEVASIVE):
        configure_modevasive()

    if service.is_selected(APACHE2_MODSECURITY):
        configure_modsecurity()

    for apache_module in env.apache_mods_enabled:
        env.apache_mod_enabled = apache_module
        sudo('a2enmod %(apache_mod_enabled)s' % env)

    write_server_config = int(full)
    if write_server_config:
        # Write master Apache configuration file.
        rendered_httpd = common.render_to_file('apache_httpd.template.conf')
        put(local_path=rendered_httpd,
            remote_path=env.apache_conf,
            use_sudo=True)

        # Write Apache listening ports configuration.
        rendered_ports = common.render_to_file('apache_ports.template.conf')
        put(local_path=rendered_ports,
            remote_path=env.apache_ports,
            use_sudo=True)

    # NOTE(review): recursive chown gives the Apache account ownership of
    # everything under apache_root, so the server process can modify it;
    # confirm this is wanted.
    sudo('chown -R %(apache_user)s:%(apache_group)s %(apache_root)s' % env)
예제 #13
파일: db.py 프로젝트: pombredanne/burlap
def configure(name=None, site=None, _role=None, dryrun=0):
    """
    Configures a fresh install of the database.

    Depending on env.db_engine this either prepares PostgreSQL (backs up
    and replaces pg_hba.conf, enables autovacuum, recreates template1) or,
    when env.db_allow_remote_connections is set, opens MySQL to remote
    connections. If neither engine name matches, a message is printed.

    name, site, _role -- passed to set_db() to select the database settings.
    dryrun -- int-convertible flag stored in env.dryrun.
    """
    # NOTE(review): assert is stripped under python -O; an explicit check
    # would keep this precondition in optimised runs.
    assert env[ROLE]
    require('app_name')
    set_db(name=name, site=site, role=_role)
    #    print 'site:',env[SITE]
    #    print 'role:',env[ROLE]
    # NOTE(review): the commands below call run()/sudo() directly; whether
    # they honour env.dryrun is not visible here - confirm.
    env.dryrun = int(dryrun)
    if 'postgres' in env.db_engine:

        # The detected version selects the /etc/postgresql/<ver>/main paths
        # below. The '.' in the pattern is unescaped, so it matches any
        # character between the two digit runs.
        env.pg_ver = run('psql --version | grep -o -E "[0-9]+.[0-9]+"')
        print 'PostgreSQL version %(pg_ver)s detected.' % env

        # Timestamped copies of both files are made before they are changed.
        print 'Backing up PostgreSQL configuration files...'
        sudo(
            'cp /etc/postgresql/%(pg_ver)s/main/postgresql.conf /etc/postgresql/%(pg_ver)s/main/postgresql.conf.$(date +%%Y%%m%%d%%H%%M).bak'
            % env)
        sudo(
            'cp /etc/postgresql/%(pg_ver)s/main/pg_hba.conf /etc/postgresql/%(pg_ver)s/main/pg_hba.conf.$(date +%%Y%%m%%d%%H%%M).bak'
            % env)

        # pg_hba.conf is replaced wholesale by the rendered template.
        # NOTE(review): which hosts and authentication methods it admits is
        # decided by that template, which is not shown here - review it.
        print 'Allowing remote connections...'
        fn = common.render_to_file('pg_hba.template.conf')
        put(local_path=fn,
            remote_path='/etc/postgresql/%(pg_ver)s/main/pg_hba.conf' % env,
            use_sudo=True)

        # Don't do this. Keep it locked down and use an SSH tunnel instead.
        # See common.tunnel()
        #sudo('sed -i "s/#listen_addresses = \'localhost\'/listen_addresses = \'*\'/g" /etc/postgresql/%(pg_ver)s/main/postgresql.conf' % env)

        # Uncomment the autovacuum and track_counts settings in place.
        print 'Enabling auto-vacuuming...'
        sudo(
            'sed -i "s/#autovacuum = on/autovacuum = on/g" /etc/postgresql/%(pg_ver)s/main/postgresql.conf'
            % env)
        sudo(
            'sed -i "s/#track_counts = on/track_counts = on/g" /etc/postgresql/%(pg_ver)s/main/postgresql.conf'
            % env)

        # Set UTF-8 as the default database encoding.
        # All statements go to psql in one --command string; the string
        # holds a literal backslash-c meta-command followed by a newline.
        # NOTE(review): confirm the deployed psql accepts SQL mixed with a
        # meta-command, and DROP DATABASE, in a single --command.
        sudo(
            'psql --user=postgres --no-password --command="'
            'UPDATE pg_database SET datistemplate = FALSE WHERE datname = \'template1\';'
            'DROP DATABASE template1;'
            'CREATE DATABASE template1 WITH TEMPLATE = template0 ENCODING = \'UNICODE\';'
            'UPDATE pg_database SET datistemplate = TRUE WHERE datname = \'template1\';'
            '\c template1\n'
            'VACUUM FREEZE;'
            'UPDATE pg_database SET datallowconn = FALSE WHERE datname = \'template1\';"'
        )

    elif 'mysql' in env.db_engine:
        if env.db_allow_remote_connections:

            # Enable remote connections.
            # Every 127.0.0.1 in the config file becomes 0.0.0.0 (the dots
            # are unescaped in the pattern), so the server listens on all
            # interfaces; pair this with a host firewall rule.
            sudo("sed -i 's/127.0.0.1/0.0.0.0/g' %(db_mysql_conf)s" % env)

            # Enable root logins from remote connections.
            # NOTE(review): the grant lets the root account connect from any
            # host ('%') with full privileges, and the root password is put
            # on the mysql command line and inside the SQL text, where
            # process listings and command output can expose it. Prefer a
            # restricted host pattern, a dedicated least-privilege account
            # and credentials supplied through an option file.
            sudo(
                'mysql -u %(db_root_user)s -p"%(db_root_password)s" --execute="USE mysql; GRANT ALL ON *.* to %(db_root_user)s@\'%%\' IDENTIFIED BY \'%(db_root_password)s\'; FLUSH PRIVILEGES;"'
                % env)

            sudo('service mysql restart')

    else:
        # Reached when env.db_engine names neither postgres nor mysql.
        print 'No database parameters found.'
예제 #14
파일: db.py 프로젝트: pombredanne/burlap
def configure(name=None, site=None, _role=None, dryrun=0):
    """
    Configures a fresh install of the database.

    For a PostgreSQL engine: backs up postgresql.conf and pg_hba.conf,
    uploads a rendered pg_hba.conf, enables autovacuum and recreates
    template1. For a MySQL engine with env.db_allow_remote_connections set:
    rewrites the listen address, grants remote root access and restarts
    the service. Otherwise prints a message.

    name, site, _role -- forwarded to set_db().
    dryrun -- int-convertible flag stored in env.dryrun.
    """
    # NOTE(review): an assert disappears under python -O; use an explicit
    # check if this precondition must always hold.
    assert env[ROLE]
    require("app_name")
    set_db(name=name, site=site, role=_role)
    #    print 'site:',env[SITE]
    #    print 'role:',env[ROLE]
    # NOTE(review): run()/sudo() are called directly below; it is not
    # visible here whether they respect env.dryrun - confirm.
    env.dryrun = int(dryrun)
    if "postgres" in env.db_engine:

        # Version string used to build the /etc/postgresql/<ver>/main paths.
        # The unescaped '.' in the pattern matches any single character.
        env.pg_ver = run('psql --version | grep -o -E "[0-9]+.[0-9]+"')
        print "PostgreSQL version %(pg_ver)s detected." % env

        # Keep timestamped copies of both files before modifying them.
        print "Backing up PostgreSQL configuration files..."
        sudo(
            "cp /etc/postgresql/%(pg_ver)s/main/postgresql.conf /etc/postgresql/%(pg_ver)s/main/postgresql.conf.$(date +%%Y%%m%%d%%H%%M).bak"
            % env
        )
        sudo(
            "cp /etc/postgresql/%(pg_ver)s/main/pg_hba.conf /etc/postgresql/%(pg_ver)s/main/pg_hba.conf.$(date +%%Y%%m%%d%%H%%M).bak"
            % env
        )

        # The rendered template overwrites pg_hba.conf entirely.
        # NOTE(review): the set of client addresses and auth methods it
        # allows lives in the template, which is not shown - review it.
        print "Allowing remote connections..."
        fn = common.render_to_file("pg_hba.template.conf")
        put(local_path=fn, remote_path="/etc/postgresql/%(pg_ver)s/main/pg_hba.conf" % env, use_sudo=True)

        # Don't do this. Keep it locked down and use an SSH tunnel instead.
        # See common.tunnel()
        # sudo('sed -i "s/#listen_addresses = \'localhost\'/listen_addresses = \'*\'/g" /etc/postgresql/%(pg_ver)s/main/postgresql.conf' % env)

        # Uncomment the autovacuum and track_counts settings in place.
        print "Enabling auto-vacuuming..."
        sudo('sed -i "s/#autovacuum = on/autovacuum = on/g" /etc/postgresql/%(pg_ver)s/main/postgresql.conf' % env)
        sudo('sed -i "s/#track_counts = on/track_counts = on/g" /etc/postgresql/%(pg_ver)s/main/postgresql.conf' % env)

        # Set UTF-8 as the default database encoding.
        # The adjacent literals form one --command string that contains a
        # literal backslash-c meta-command followed by a newline.
        # NOTE(review): check that the deployed psql accepts a meta-command
        # and DROP DATABASE inside a single multi-statement --command.
        sudo(
            'psql --user=postgres --no-password --command="'
            "UPDATE pg_database SET datistemplate = FALSE WHERE datname = 'template1';"
            "DROP DATABASE template1;"
            "CREATE DATABASE template1 WITH TEMPLATE = template0 ENCODING = 'UNICODE';"
            "UPDATE pg_database SET datistemplate = TRUE WHERE datname = 'template1';"
            "\c template1\n"
            "VACUUM FREEZE;"
            "UPDATE pg_database SET datallowconn = FALSE WHERE datname = 'template1';\""
        )

    elif "mysql" in env.db_engine:
        if env.db_allow_remote_connections:

            # Enable remote connections.
            # Replaces every 127.0.0.1 in the config file with 0.0.0.0 (the
            # pattern's dots are unescaped), which makes the server listen
            # on all interfaces; restrict access with a host firewall.
            sudo("sed -i 's/127.0.0.1/0.0.0.0/g' %(db_mysql_conf)s" % env)

            # Enable root logins from remote connections.
            # NOTE(review): this grants the root account full privileges
            # from any host ('%') and passes the root password both as a
            # command-line argument and inside the SQL text, where process
            # listings and command output can reveal it. A narrower host
            # pattern, a separate least-privilege account and an option
            # file for the credentials would reduce that exposure.
            sudo(
                "mysql -u %(db_root_user)s -p\"%(db_root_password)s\" --execute=\"USE mysql; GRANT ALL ON *.* to %(db_root_user)s@'%%' IDENTIFIED BY '%(db_root_password)s'; FLUSH PRIVILEGES;\""
                % env
            )

            sudo("service mysql restart")

    else:
        # Reached when env.db_engine names neither postgres nor mysql.
        print "No database parameters found."