예제 #1
파일: shorewall.py 프로젝트: LucsT/fabtools
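def _rules_config(rules):
    """
    Rules configuration

    Render one line per rule with ``RULES_FORMAT`` and hand the result to
    ``file()`` for ``/etc/shorewall/rules`` with ``use_sudo=True``.

    ``rules`` is an iterable of dicts; ``None`` selects ``DEFAULT_RULES``.
    Missing fields are filled in: ``proto`` becomes ``tcp`` and every other
    optional column becomes ``-``.  ``dest_port`` and ``source_port`` may be
    lists, which are joined with commas.

    Each rule is copied before the defaults are applied, so neither the
    caller's dicts nor ``DEFAULT_RULES`` are modified.
    """
    if rules is None:
        rules = DEFAULT_RULES

    lines = [RULES_HEADER]
    for rule in rules:
        # Work on a copy: setdefault() and the port joins below would
        # otherwise rewrite the caller's data (and the shared defaults).
        entry = dict(rule)
        entry.setdefault('proto', 'tcp')
        entry.setdefault('dest_port', '-')
        entry.setdefault('source_port', '-')
        entry.setdefault('original_dest', '-')
        entry.setdefault('rate_limit', '-')
        entry.setdefault('user', '-')
        entry.setdefault('mark', '-')
        entry.setdefault('conn_limit', '-')
        entry.setdefault('time', '-')

        if isinstance(entry['dest_port'], list):
            entry['dest_port'] = ','.join(map(str, entry['dest_port']))

        if isinstance(entry['source_port'], list):
            entry['source_port'] = ','.join(map(str, entry['source_port']))

        # NOTE(review): values are substituted as-is (RULES_FORMAT is defined
        # elsewhere); presumably a value containing whitespace or a newline
        # would shift columns or add a line to the firewall rules, so build
        # ``rules`` only from trusted configuration.
        lines.append(RULES_FORMAT % entry)

    file('/etc/shorewall/rules', contents=''.join(lines), use_sudo=True)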
예제 #2
def _rules_config(rules):
    """
    Write the Shorewall rules file.

    ``rules`` is an iterable of rule dicts; ``None`` means ``DEFAULT_RULES``.
    Missing optional fields are filled in on each dict in place, list-valued
    ports are flattened to comma-separated strings, and the formatted lines
    are passed to ``file()`` for ``/etc/shorewall/rules`` with
    ``use_sudo=True``.
    """
    if rules is None:
        rules = DEFAULT_RULES

    # Defaults applied to every rule, in the order they are set.
    defaults = (
        ('proto', 'tcp'),
        ('dest_port', '-'),
        ('source_port', '-'),
        ('original_dest', '-'),
        ('rate_limit', '-'),
        ('user', '-'),
        ('mark', '-'),
        ('conn_limit', '-'),
        ('time', '-'),
    )

    rendered = [RULES_HEADER]
    for rule in rules:
        for key, fallback in defaults:
            rule.setdefault(key, fallback)

        # Ports may be given as a list; the format string gets one string.
        for port_key in ('dest_port', 'source_port'):
            ports = rule[port_key]
            if isinstance(ports, list):
                rule[port_key] = ','.join(map(str, ports))

        rendered.append(RULES_FORMAT % rule)

    contents = ''.join(rendered)
    file('/etc/shorewall/rules', contents=contents, use_sudo=True)
예제 #3
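def _routestopped_config(routestopped):
    """
    Routestopped configuration

    This lists the hosts that should be accessible
    when the firewall is stopped or starting.

    ``routestopped`` is an iterable of dicts (``None`` means no entries).
    Missing fields default to interface ``eth0``, host ``0.0.0.0/0`` and
    ``-`` for the remaining columns.  ``host`` and ``options`` may be lists
    of strings, which are joined with commas.  Each entry is copied first,
    so the caller's dicts are left unchanged.
    """
    if routestopped is None:
        routestopped = []

    lines = [ROUTESTOPPED_HEADER]
    for item in routestopped:
        # Copy so that filling in defaults does not rewrite the caller's data.
        entry = dict(item)
        entry.setdefault('interface', 'eth0')
        # NOTE(review): an entry without 'host' falls back to 0.0.0.0/0, i.e.
        # every address; callers that want a narrower set of hosts while the
        # firewall is stopped must pass 'host' explicitly.
        entry.setdefault('host', '0.0.0.0/0')
        entry.setdefault('options', '-')
        entry.setdefault('proto', '-')
        entry.setdefault('dest_port', '-')
        entry.setdefault('source_port', '-')

        if isinstance(entry['host'], list):
            entry['host'] = ','.join(entry['host'])

        if isinstance(entry['options'], list):
            entry['options'] = ','.join(entry['options'])

        lines.append(ROUTESTOPPED_FORMAT % entry)

    file('/etc/shorewall/routestopped', contents=''.join(lines), use_sudo=True)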
예제 #4
def deploy_files(version='master'):
    """
    Ensure that the directory tree exists and has the requested
    version of the site.

    The project root and its ``log`` directory are always created, owned by
    the web user.  Outside the "vagrant" environment the repository is
    cloned when the code root is missing, ``secrets.py`` is uploaded when
    the remote secrets file is missing, and the checkout is reset, switched
    to ``version`` and pulled as the web user.
    """
    require('code_root', 'project_root', 'repo', 'webuser')

    files.directory(env.project_root, owner=env.webuser, use_sudo=True)
    log_dir = os.path.join(env.project_root, 'log')
    files.directory(log_dir, owner=env.webuser, use_sudo=True)

    # Everything below only applies to non-Vagrant hosts; on Vagrant the
    # secrets file should be synchronized automatically.
    if env.environment == "vagrant":
        return

    if not ffiles.exists(env.code_root):
        with cd(env.project_root):
            # NOTE(review): env.repo is placed into the shell command
            # unquoted; it must come from trusted deploy configuration.
            sudo('git clone {} source'.format(env.repo), user=env.webuser)

    # Upload the secrets file only when it does not already exist on the
    # remote server.
    if not ffiles.exists(env.remote_secrets):
        # NOTE(review): no mode is passed here, so the permissions of the
        # secrets file are whatever files.file() leaves by default; confirm
        # it is not readable by other accounts.
        local_secrets = os.path.join(env.deploy_dir, 'secrets.py')
        files.file(
            env.remote_secrets,
            source=local_secrets,
            use_sudo=True,
            owner=env.webuser)

    with cd(env.code_root):
        # discard any local changes to the repo
        sudo('git reset --hard', user=env.webuser)
        # NOTE(review): `version` is also interpolated unquoted.
        checkout = 'git checkout {}'.format(version)
        sudo(checkout, user=env.webuser)
        sudo('git pull', user=env.webuser)
예제 #5
def _routestopped_config(routestopped):
    """
    Write the Shorewall routestopped file.

    The file lists the hosts that should stay accessible while the
    firewall is stopped or starting.  Each entry dict is completed in place
    with defaults, list-valued ``host`` and ``options`` are joined with
    commas, and the formatted lines are passed to ``file()`` for
    ``/etc/shorewall/routestopped`` with ``use_sudo=True``.
    """
    entries = [] if routestopped is None else routestopped

    # Columns that fall back to the "-" placeholder when not supplied.
    placeholder_columns = ("options", "proto", "dest_port", "source_port")

    output = [ROUTESTOPPED_HEADER]
    for route in entries:
        route.setdefault("interface", "eth0")
        # NOTE(review): the fallback host is 0.0.0.0/0, i.e. every address.
        route.setdefault("host", "0.0.0.0/0")
        for column in placeholder_columns:
            route.setdefault(column, "-")

        hosts = route["host"]
        if isinstance(hosts, list):
            route["host"] = ",".join(hosts)

        options = route["options"]
        if isinstance(options, list):
            route["options"] = ",".join(options)

        output.append(ROUTESTOPPED_FORMAT % route)

    contents = "".join(output)
    file("/etc/shorewall/routestopped", contents=contents, use_sudo=True)
예제 #6
def _rules_config(rules):
    """
    Generate ``/etc/shorewall/rules`` from a list of rule dicts.

    ``None`` selects ``DEFAULT_RULES``.  Each rule dict is updated in place:
    ``proto`` defaults to ``tcp``, the other optional columns default to
    ``-``, and ``dest_port`` / ``source_port`` lists become comma-separated
    strings before the rule is formatted with ``RULES_FORMAT``.
    """
    selected = DEFAULT_RULES if rules is None else rules

    # Optional columns that use the "-" placeholder when absent.
    dash_columns = (
        "dest_port",
        "source_port",
        "original_dest",
        "rate_limit",
        "user",
        "mark",
        "conn_limit",
        "time",
    )

    body = [RULES_HEADER]
    for rule in selected:
        rule.setdefault("proto", "tcp")
        for column in dash_columns:
            rule.setdefault(column, "-")

        dest = rule["dest_port"]
        if isinstance(dest, list):
            rule["dest_port"] = ",".join(map(str, dest))

        src = rule["source_port"]
        if isinstance(src, list):
            rule["source_port"] = ",".join(map(str, src))

        body.append(RULES_FORMAT % rule)

    file("/etc/shorewall/rules", contents="".join(body), use_sudo=True)
예제 #7
파일: shorewall.py 프로젝트: LucsT/fabtools
def _routestopped_config(routestopped):
    """
    Routestopped configuration

    Builds the list of hosts that remain accessible while the firewall is
    stopped or starting, and passes it to ``file()`` for
    ``/etc/shorewall/routestopped`` with ``use_sudo=True``.  Entry dicts are
    filled with defaults in place.
    """
    if routestopped is None:
        routestopped = []

    # (field, default) pairs, applied in this order to every entry.
    field_defaults = (
        ('interface', 'eth0'),
        # NOTE(review): with no 'host' given the entry covers all addresses.
        ('host', '0.0.0.0/0'),
        ('options', '-'),
        ('proto', '-'),
        ('dest_port', '-'),
        ('source_port', '-'),
    )

    rendered = [ROUTESTOPPED_HEADER]
    for record in routestopped:
        for field, default in field_defaults:
            record.setdefault(field, default)

        # Lists are accepted for these two columns and flattened here.
        for field in ('host', 'options'):
            value = record[field]
            if isinstance(value, list):
                record[field] = ','.join(value)

        rendered.append(ROUTESTOPPED_FORMAT % record)

    file('/etc/shorewall/routestopped', contents=''.join(rendered), use_sudo=True)
예제 #8
파일: shorewall.py 프로젝트: LucsT/fabtools
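def _policy_config(policy):
    """
    Policy configuration

    Render one line per policy entry with ``POLICY_FORMAT`` and pass the
    result to ``file()`` for ``/etc/shorewall/policy`` with
    ``use_sudo=True``.

    ``policy`` is an iterable of dicts; ``None`` selects ``DEFAULT_POLICY``.
    ``log_level`` and ``burst_limit`` default to the empty string.  Entries
    are copied before the defaults are applied, so the caller's dicts and
    ``DEFAULT_POLICY`` are not modified.
    """
    if policy is None:
        policy = DEFAULT_POLICY

    lines = [POLICY_HEADER]
    for item in policy:
        # Copy so setdefault() does not write into shared or caller data.
        entry = dict(item)
        entry.setdefault('log_level', '')
        entry.setdefault('burst_limit', '')
        lines.append(POLICY_FORMAT % entry)

    file('/etc/shorewall/policy', contents=''.join(lines), use_sudo=True)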
예제 #9
def _policy_config(policy):
    """
    Write the Shorewall policy file.

    ``None`` selects ``DEFAULT_POLICY``.  Every entry dict gets empty-string
    defaults for ``log_level`` and ``burst_limit`` (set in place) and is
    formatted with ``POLICY_FORMAT``; the joined text is passed to
    ``file()`` for ``/etc/shorewall/policy`` with ``use_sudo=True``.
    """
    entries = DEFAULT_POLICY if policy is None else policy

    def render(entry):
        # Fill the optional columns, then format the line.
        for optional in ('log_level', 'burst_limit'):
            entry.setdefault(optional, '')
        return POLICY_FORMAT % entry

    output = [POLICY_HEADER]
    for entry in entries:
        output.append(render(entry))

    contents = ''.join(output)
    file('/etc/shorewall/policy', contents=contents, use_sudo=True)
예제 #10
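def _interfaces_config(interfaces):
    """
    Interfaces configuration

    Render one line per interface with ``INTERFACES_FORMAT`` and pass the
    result to ``file()`` for ``/etc/shorewall/interfaces`` with
    ``use_sudo=True``.

    ``interfaces`` is an iterable of dicts; ``None`` selects
    ``DEFAULT_INTERFACES``.  Missing fields default to zone ``net``,
    broadcast ``detect`` and empty options.  Entries are copied before the
    defaults are applied, so the caller's dicts and ``DEFAULT_INTERFACES``
    are not modified.
    """
    if interfaces is None:
        interfaces = DEFAULT_INTERFACES

    lines = [INTERFACES_HEADER]
    for item in interfaces:
        # Copy so setdefault() does not write into shared or caller data.
        entry = dict(item)
        entry.setdefault("zone", "net")
        entry.setdefault("broadcast", "detect")
        entry.setdefault("options", "")
        lines.append(INTERFACES_FORMAT % entry)

    file("/etc/shorewall/interfaces", contents="".join(lines), use_sudo=True)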
예제 #11
def _interfaces_config(interfaces):
    """
    Write the Shorewall interfaces file.

    ``None`` selects ``DEFAULT_INTERFACES``.  Each interface dict is
    completed in place (zone ``net``, broadcast ``detect``, empty options),
    formatted with ``INTERFACES_FORMAT`` and the joined text is passed to
    ``file()`` for ``/etc/shorewall/interfaces`` with ``use_sudo=True``.
    """
    if interfaces is None:
        interfaces = DEFAULT_INTERFACES

    # (field, default) pairs applied to every interface, in order.
    defaults = (
        ('zone', 'net'),
        ('broadcast', 'detect'),
        ('options', ''),
    )

    rendered = [INTERFACES_HEADER]
    for iface in interfaces:
        for field, fallback in defaults:
            iface.setdefault(field, fallback)
        rendered.append(INTERFACES_FORMAT % iface)

    contents = ''.join(rendered)
    file('/etc/shorewall/interfaces', contents=contents, use_sudo=True)
예제 #12
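def _zone_config(zones):
    """
    Zone configuration

    Render one line per zone with ``ZONE_FORMAT`` and pass the result to
    ``file()`` for ``/etc/shorewall/zones`` with ``use_sudo=True``.

    ``zones`` is an iterable of dicts; ``None`` selects ``DEFAULT_ZONES``.
    ``options``, ``in_options`` and ``out_options`` default to the empty
    string.  Entries are copied before the defaults are applied, so the
    caller's dicts and ``DEFAULT_ZONES`` are not modified.
    """
    if zones is None:
        zones = DEFAULT_ZONES

    lines = [ZONE_HEADER]
    for item in zones:
        # Copy so setdefault() does not write into shared or caller data.
        entry = dict(item)
        entry.setdefault('options', '')
        entry.setdefault('in_options', '')
        entry.setdefault('out_options', '')
        lines.append(ZONE_FORMAT % entry)

    file('/etc/shorewall/zones', contents=''.join(lines), use_sudo=True)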
예제 #13
def deploy_vagrant_files():
    """ ensure that the directory tree resembles production

    The Vagrantfile mounts the current working directory where
    the source directory will be in production.  This creates the project
    root and its ``log`` directory, then uploads ``secrets.py`` into the
    code root, all owned by the web user.
    """
    require('project_root', 'webuser')

    files.directory(env.project_root, owner=env.webuser, use_sudo=True)

    log_dir = os.path.join(env.project_root, 'log')
    files.directory(log_dir, owner=env.webuser, use_sudo=True)

    # NOTE(review): code_root and deploy_dir are read here but are not in the
    # require() call above.  No mode is passed for the secrets file, so its
    # permissions are whatever files.file() applies by default.
    remote_secrets = os.path.join(env.code_root, 'conf_site/settings/secrets.py')
    local_secrets = os.path.join(env.deploy_dir, 'secrets.py')
    files.file(
        remote_secrets,
        source=local_secrets,
        use_sudo=True,
        owner=env.webuser,
    )
예제 #14
파일: shorewall.py 프로젝트: LucsT/fabtools
def _interfaces_config(interfaces):
    """
    Interfaces configuration

    Formats each interface dict with ``INTERFACES_FORMAT`` after filling in
    missing ``zone``, ``broadcast`` and ``options`` values in place, and
    passes the text to ``file()`` for ``/etc/shorewall/interfaces`` with
    ``use_sudo=True``.  ``None`` means ``DEFAULT_INTERFACES``.
    """
    entries = DEFAULT_INTERFACES if interfaces is None else interfaces

    def render(iface):
        # Apply the defaults, then produce the line for this interface.
        iface.setdefault('zone', 'net')
        iface.setdefault('broadcast', 'detect')
        iface.setdefault('options', '')
        return INTERFACES_FORMAT % iface

    output = [INTERFACES_HEADER]
    for iface in entries:
        output.append(render(iface))

    file('/etc/shorewall/interfaces', contents=''.join(output), use_sudo=True)
예제 #15
파일: shorewall.py 프로젝트: LucsT/fabtools
def _zone_config(zones):
    """
    Write the Shorewall zones file.

    ``None`` selects ``DEFAULT_ZONES``.  The three option columns of each
    zone dict default to the empty string (set in place); every zone is
    formatted with ``ZONE_FORMAT`` and the joined text is passed to
    ``file()`` for ``/etc/shorewall/zones`` with ``use_sudo=True``.
    """
    entries = DEFAULT_ZONES if zones is None else zones

    option_columns = ('options', 'in_options', 'out_options')

    rendered = [ZONE_HEADER]
    for zone in entries:
        for column in option_columns:
            zone.setdefault(column, '')
        rendered.append(ZONE_FORMAT % zone)

    contents = ''.join(rendered)
    file('/etc/shorewall/zones', contents=contents, use_sudo=True)
예제 #16
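def _masq_config(masq):
    """
    Masquerading/SNAT configuration

    Render one line per entry with ``MASQ_FORMAT`` and pass the result to
    ``file()`` for ``/etc/shorewall/masq`` with ``use_sudo=True``.

    ``masq`` is an iterable of dicts (``None`` means no entries).  Missing
    fields default to interface ``eth0`` and ``-`` for ``address``,
    ``proto`` and ``port``.  ``source`` has no default: an entry without it
    raises ``KeyError``.  A list-valued ``source`` is joined with commas.
    Entries are copied before they are completed, so the caller's dicts are
    left unchanged.
    """
    if masq is None:
        masq = []

    lines = [MASQ_HEADER]
    for item in masq:
        # Copy so filling in defaults does not rewrite the caller's data.
        entry = dict(item)
        entry.setdefault('interface', 'eth0')
        entry.setdefault('address', '-')
        entry.setdefault('proto', '-')
        entry.setdefault('port', '-')

        if isinstance(entry['source'], list):
            entry['source'] = ','.join(entry['source'])

        lines.append(MASQ_FORMAT % entry)

    file('/etc/shorewall/masq', contents=''.join(lines), use_sudo=True)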
예제 #17
def _masq_config(masq):
    """
    Write the Shorewall masq (masquerading/SNAT) file.

    Each entry dict is completed in place with defaults, a list-valued
    ``source`` is joined with commas, and the formatted lines are passed to
    ``file()`` for ``/etc/shorewall/masq`` with ``use_sudo=True``.
    ``source`` must be present in every entry.
    """
    entries = [] if masq is None else masq

    # Columns that use the "-" placeholder when not supplied.
    placeholder_columns = ("address", "proto", "port")

    output = [MASQ_HEADER]
    for rule in entries:
        rule.setdefault("interface", "eth0")
        for column in placeholder_columns:
            rule.setdefault(column, "-")

        sources = rule["source"]
        if isinstance(sources, list):
            rule["source"] = ",".join(sources)

        output.append(MASQ_FORMAT % rule)

    contents = "".join(output)
    file("/etc/shorewall/masq", contents=contents, use_sudo=True)
예제 #18
파일: shorewall.py 프로젝트: LucsT/fabtools
def _masq_config(masq):
    """
    Masquerading/SNAT configuration

    Formats every entry with ``MASQ_FORMAT`` after filling in missing
    ``interface``, ``address``, ``proto`` and ``port`` values in place, and
    passes the text to ``file()`` for ``/etc/shorewall/masq`` with
    ``use_sudo=True``.  ``None`` means no entries; ``source`` is required
    and may be a list.
    """
    if masq is None:
        masq = []

    # (field, default) pairs, applied in this order to every entry.
    field_defaults = (
        ('interface', 'eth0'),
        ('address', '-'),
        ('proto', '-'),
        ('port', '-'),
    )

    def render(record):
        for field, default in field_defaults:
            record.setdefault(field, default)
        # A list of source networks becomes one comma-separated column.
        if isinstance(record['source'], list):
            record['source'] = ','.join(record['source'])
        return MASQ_FORMAT % record

    rendered = [MASQ_HEADER]
    for record in masq:
        rendered.append(render(record))

    file('/etc/shorewall/masq', contents=''.join(rendered), use_sudo=True)
예제 #19
def deploy_files(version='master'):
    """
    Ensure that the directory tree exists and has the requested version
    of the site.

    In the "vagrant" environment this delegates to deploy_vagrant_files().
    Otherwise it creates the project root and ``log`` directory, clones the
    repository if the code root is missing, uploads ``secrets.py`` on every
    run, then resets, checks out ``version`` and pulls as the web user.
    """
    require('code_root', 'project_root', 'repo', 'webuser')

    if env.environment == "vagrant":
        deploy_vagrant_files()
        return

    files.directory(env.project_root, owner=env.webuser, use_sudo=True)
    log_dir = os.path.join(env.project_root, 'log')
    files.directory(log_dir, owner=env.webuser, use_sudo=True)

    code_missing = not ffiles.exists(env.code_root)
    if code_missing:
        with cd(env.project_root):
            # NOTE(review): env.repo is placed into the shell command
            # unquoted; it must come from trusted deploy configuration.
            clone_command = 'git clone {} source'.format(env.repo)
            sudo(clone_command, user=env.webuser)

    # NOTE(review): no mode is passed for the secrets file, so its
    # permissions are whatever files.file() applies by default.
    remote_secrets = os.path.join(env.code_root, 'conf_site/settings/secrets.py')
    local_secrets = os.path.join(env.deploy_dir, 'secrets.py')
    files.file(
        remote_secrets,
        source=local_secrets,
        use_sudo=True,
        owner=env.webuser,
    )

    # The reset discards any local changes to the repo before switching to
    # the requested version.  `version` is interpolated unquoted as well.
    git_commands = (
        'git reset --hard',
        'git checkout {}'.format(version),
        'git pull',
    )
    with cd(env.code_root):
        for command in git_commands:
            sudo(command, user=env.webuser)
예제 #20
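def push():
    """
    Deploy a Django site to the remote server from a git repository.

    The site source is cloned (or pulled) from ``env.repository``, a
    virtualenv is built from ``src/requirements.txt``, and nginx and uWSGI
    are configured and restarted.

    NOTE: This function may be used from another fabfile, provided the
    global `env` dict is set up as described below.

    **`env` settings**
    env.user - deploy user name (used for ssh)
    env.password - deploy user password (used for ssh)
    env.hosts - list of deploy hosts (used for ssh)

    env.domain - django site domain (DNS), used for:
        - nginx settings
        - uWSGI start user
        - project dir name

    env.repository - remote git repository url, used to git clone the site source

    env.no_input_mode - when True, deploy without prompting:
        Abort if env.domain is not set or is invalid, and fall back to
        env.repository_default if env.repository is not set.
        Every confirm() question is answered with its default value.

    """
    # cwd => ./deploy
    env.lcwd = os.path.abspath(os.path.dirname(__file__))

    require('no_input_mode')

    #env.no_input_mode = False
    if env.no_input_mode:
        def confirm_local(question, default=True):
            # Non-interactive stand-in: print the question, take the default.
            puts(question)
            puts("Use no_input_mode [default: {0}]".format("Y" if default else "N"))
            return default

        confirm = confirm_local
    else:
        confirm = confirm_global

    # Host-name pattern: dot-separated labels of letters, digits and '-'.
    # The domain is later used as a user name, a directory name and inside
    # shell commands, so this check is what keeps those values well-formed.
    # Raw string: the value is unchanged, the backslashes are just explicit.
    validate = r"^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$"
    if not env.get("domain"):
        if env.no_input_mode:
            abort("Need set env.domain !")
        else:
            prompt("Project DNS url: ", "domain", env.get('domain_default', ''), validate=validate)
    else:
        if not re.findall(validate, env.domain):
            abort("Invalid env.domain !")

    if not env.get("repository"):
        if env.no_input_mode:
            env.repository = env.repository_default
        else:
            prompt("Deploy from: ", "repository", env.get('repository_default', ''))

    require('repository', 'domain')

    puts("Deploy site: {0} \nFrom: {1}".format(env.domain, env.repository))
    DOMAIN_WITHOUT_DOT = env.domain.replace('.', '_')

    env.project_user = DOMAIN_WITHOUT_DOT
    env.project_group = DOMAIN_WITHOUT_DOT
    env.project_dir_name = DOMAIN_WITHOUT_DOT
    env.root = posixpath.join(PROJECTS_ROOT, env.project_dir_name)

    # NOTE(review): debug is forced on for every deploy and env is the
    # template context used below; confirm the templates do not turn this
    # into Django debug mode on a production host.
    env.debug = True

    deb.packages(['git'])

    files.directory(PROJECTS_ROOT, use_sudo=True, owner='root', group='root', mode='755')
    with cd(PROJECTS_ROOT):
        # pip cache
        files.directory('.pip.cache', use_sudo=True, owner='deploy', group='deploy', mode='755')
        pip_cache_dir = posixpath.join(PROJECTS_ROOT, '.pip.cache')

        # proj dir create
        if is_dir(env.project_dir_name) and confirm("proj dir exist! abort ?", default=False):
            return

        files.directory(env.project_dir_name, use_sudo=True, owner='root', group='root', mode='755')

        # proj user create (system account, no login shell, no home created)
        if not fabtools.user.exists(env.project_user):
            fabtools.user.create(env.project_user, home=env.root, group=env.project_group, create_home=False,
                                 system=True, shell='/bin/false', create_group=True)

        # proj infrastructure
        with cd(env.project_dir_name):
            # proj source
            # NOTE(review): the user= values in this function appear as
            # '******' in this listing; the real account name is not shown.
            if not is_dir('src') or confirm("proj src exist! [rm all and re clone / git pull]?", default=False):
                files.directory('src', use_sudo=True, owner='deploy', group='deploy', mode='755')
                with cd('src'):
                    # Empties the src directory before cloning into it.
                    sudo('rm -Rf .??* *')
                    # format(**env): the named field needs keyword arguments;
                    # passing env positionally raised KeyError('repository').
                    # NOTE(review): env.repository is not validated and is
                    # placed into the shell command unquoted; it must come
                    # from trusted deploy configuration.
                    sudo('git clone {repository:s} .'.format(**env), user='******')
            else:
                with cd('src'):
                    sudo('git pull', user='******')

            # proj virtual env
            if not is_dir('.virtualenvs') or confirm("proj venv dir exist! [rm all and recreate / repeat install]?",
                                                     default=False):
                files.directory('.virtualenvs', use_sudo=True, owner='deploy', group='deploy', mode='755')
                with cd('.virtualenvs'):
                    sudo('rm -Rf .??* *')

            python.virtualenv('.virtualenvs', use_sudo=True, user='******', clear=True)
            with fabtools.python.virtualenv('.virtualenvs'):
                python.install_requirements('src/requirements.txt', use_mirrors=False, use_sudo=True, user='******',
                                            download_cache=pip_cache_dir)

            # ------------------- #
            # WEB SERVER SETTINGS #
            # ------------------- #

            # The stack is nginx <-> uWSGI <-> Django

            nginx.server()
            deb.packages(['uwsgi', 'uwsgi-plugin-python'])

            # proj conf!
            if not is_dir('conf') or confirm("proj conf dir exist! [backup and update? / skip]", default=False):
                files.directory('conf', use_sudo=True, owner='root', group='root', mode='755')
                with cd('conf'):
                    local_conf_templates = os.path.join(os.path.dirname(__file__), 'template', 'conf')
                    uwsgi_conf = os.path.join(local_conf_templates, 'uwsgi.ini')
                    nginx_conf = os.path.join(local_conf_templates, 'nginx.conf')

                    # Drop old backups, then rename the current *.conf/*.ini
                    # files to *.back.  The rename commands are generated by
                    # sed from the file names and piped to sh as root.
                    sudo("rm -Rf *.back")
                    sudo("ls -d *{.conf,.ini} | sed 's/.*$/mv -fu \"&\" \"\\0.back\"/' | sh")
                    files.template_file('uwsgi.ini', template_source=uwsgi_conf, context=env,
                                        use_sudo=True, owner='root', group='root', mode='644')
                    files.file('reload', use_sudo=True, owner='root', group='root')
                    # project_dir_name is derived from the validated domain.
                    sudo('ln -sf $(pwd)/uwsgi.ini /etc/uwsgi/apps-enabled/' + env.project_dir_name + '.ini')

                    files.template_file('nginx.conf', template_source=nginx_conf, context=env,
                                        use_sudo=True, owner='root', group='root', mode='644')
                    sudo('ln -sf $(pwd)/nginx.conf /etc/nginx/sites-enabled/' + env.project_dir_name)

            sudo('service nginx restart')
            sudo('service uwsgi restart')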