def configure():
    """Render the proxy's nginx and supervisor configs and restart supervisor.

    Forces the ``proxy`` role on ``env`` first so the templates are rendered
    with the proxy's settings.  ``proxy_config()`` is evaluated once per
    template (not hoisted, since it is not visible here whether it is pure).
    """
    env.roles = ["proxy"]
    templates = (
        ("proxy_nginx.conf", "~/conf/nginx.conf"),
        ("proxy_supervisor.ini", "~/conf/supervisor.ini"),
    )
    for template_name, remote_path in templates:
        put_template(template_name, remote_path, context=proxy_config())
    execute(supervisor.restart)
    print_successful()
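def secure_account(user_account):
    """Fix ownership and permissions of *user_account*'s home for ssh use.

    Recursively chowns ``~user_account`` to the user, restricts the home
    directory and ``~/.ssh`` to mode 700 and ``authorized_keys`` to 600, so
    an sshd running with StrictModes accepts the key file.

    Args:
        user_account: login name whose home directory is secured.

    Raises:
        ValueError: if *user_account* is not a plain login name.  The name
            is interpolated unquoted into ``sudo`` shell commands (it has to
            stay unquoted for ``~name`` expansion to work), so only the
            character set shadow-utils' ``useradd`` accepts is allowed.
    """
    import re

    # shadow-utils' default username rule (without the trailing '$' used for
    # Samba machine accounts): rejects whitespace and shell metacharacters.
    if not (user_account and re.match(r"[a-zA-Z0-9_.][a-zA-Z0-9_.-]*\Z", str(user_account))):
        raise ValueError("invalid user account name: {!r}".format(user_account))
    setup_env_for_user()
    sudo('chown -R {0} ~{0}/.'.format(user_account))
    sudo('chmod 700 ~{0}/. ~{0}/.ssh'.format(user_account))
    sudo('chmod 600 ~{0}/.ssh/authorized_keys'.format(user_account))
    print_successful()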
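def create_user(user_account, password):
    """Create *user_account* on the host and prepare its home directory.

    Steps, in order: create the account through ``root.user_create`` with
    *password*, install the controller's public key (``env.key_filename``
    plus ``.pub``) for it, run ``user.init_home_env`` as the new user, create
    ``~user_account/conf`` and finally tighten ownership/permissions with
    ``secure_account``.

    Args:
        user_account: login name to create.
        password: initial password handed to ``root.user_create``.

    Raises:
        ValueError: if *user_account* is not a plain login name; it is
            interpolated unquoted into a ``sudo`` shell command (unquoted so
            that ``~name`` expands), so only shadow-utils' username
            character set is allowed.
    """
    import re

    if not (user_account and re.match(r"[a-zA-Z0-9_.][a-zA-Z0-9_.-]*\Z", str(user_account))):
        raise ValueError("invalid user account name: {!r}".format(user_account))
    setup_env_for_user()
    execute(root.user_create, user_account, password)
    user_add_ssh(user_account, pub_key_file=env.key_filename + '.pub', use_sudo=True)
    # bh sets env variable 'HTTP_LISTENING_PORT' to this one, but we won't use that env var
    dummy_port = 123
    execute(user.init_home_env, dummy_port, hosts=new_host_string(user=user_account))
    sudo('mkdir -p ~{}/conf'.format(user_account))
    secure_account(user_account)
    print_successful()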
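def bootstrap(template_dir, server_yaml, pub_key_file):
    """Run once to initialize an 'empty' Debian system.

    Requires root access via password on port 22.
    NOTE: after this command, can only login as 'admin' (it has sudo rights).

    - secures ssh access, creates 'admin' account with sudo rights
    - ensures hostname exists both in your /etc/hosts and in remote's /etc/hosts
    - restricts ssh: only login via ssh-key, no root login, ssh-port is non-standard
    - LOCALLY: adds ssh-key and ssh-port to your local ~/.ssh/config
    - installs denyhosts
    - installs some basic libraries (see debian_requirements)
    - iptables: routes 80 to configured port: {server.port_80_via}
    - iptables: routes 443 to configured port: {server.port_443_via}

    Args:
        template_dir: directory the config templates are rendered from.
        server_yaml: yaml file read by ``get_config`` for the server settings.
        pub_key_file: public key installed for the new 'admin' account.

    Exits the process (status -1) when ``env.key_filename`` is unset or when
    not running as root with an explicit host; both are preconditions for
    the key-only ssh setup this task ends with.
    """
    server_config = get_config(env, yaml_file=server_yaml)
    my_put_template = partial(put_template, context=server_config, template_dir=template_dir)
    if not env.key_filename:
        print(red('Must generate a key for ssh to this server (see example_app/bootstrap.py)'))
        # Abort like the root check below: without a key, local_ssh_config()
        # further down would write a useless entry and the final sshd restart
        # leaves key-only login as the sole way in.
        sys.exit(-1)
    if 'root@' not in env.host_string or len(env.roles):
        print(red('Must be run as root! \n (hint: do not run with -R or -H)'))
        sys.exit(-1)
    setup_env_for_user()
    hostname = run('hostname')
    append('/etc/hosts', '127.0.0.1 {}'.format(hostname))
    local_append('/etc/hosts', text='{} {}'.format(env_ip(), hostname),
                 refuse_keywords=[env_ip(), hostname], use_sudo=True)
    # NOTE(review): --force-yes also disables apt's package authentication
    # checks; confirm -y alone is not sufficient on the target release.
    run('apt-get -y --force-yes install sudo vim')
    debian_requirements()
    install(['denyhosts'])
    my_put_template('denyhosts.conf', '/etc/denyhosts.conf')
    run('/etc/init.d/denyhosts restart')
    password = gen_password()
    user_account = 'admin'
    # Removing a leftover account is best-effort (it usually does not exist).
    with settings(hide('warnings'), warn_only=True):
        run('userdel -f -r {}'.format(user_account))
    run('useradd {user} -g {group}'.format(user=user_account, group='sudo'))
    print(red("Set password for admin (has sudo rights), type in: {} or choose one yourself".format(password)))
    passwd_retry('admin')
    # The key goes in before sshd is switched to key-only login below.
    user_add_ssh(user_account, pub_key_file=pub_key_file)
    local_ssh_config(env_ip(), hostname, server_config['server']['ssh_port'], env.key_filename)
    # TODO: lock down: http://rudd-o.com/linux-and-free-software/hardening-a-linux-server-in-10-minutes
    my_put_template('rc.local', '/etc/rc.local')
    my_put_template('init_supervisors.py', '/etc/init_supervisors.py')
    # config iptables
    run('/etc/rc.local')
    my_put_template('sshd_config', '/etc/ssh/sshd_config')
    # note after restart, can only login as admin via public key on ssh-port defined in template
    run('/etc/init.d/ssh restart')
    print_successful()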
def create_instance(user_account):
    """Create *user_account* on the host and install its runtime stack.

    Runs, in order: stop every supervisor program (silenced, so a re-init on
    a host with nothing running is not noisy), create the account through
    ``admin.create_user`` while connected as ``admin``, then install python,
    nginx, uwsgi and supervisor while connected as the new user.

    NOTE(review): the password handed to ``admin.create_user`` is the literal
    ``'******'``; whether ``root.user_create`` sets it as the login password
    is not visible here — confirm, since a fixed, well-known password on a
    fresh account would not be acceptable.
    """
    with total_silence():
        execute(supervisor.stop_program, 'all')  # in case this is re-init, stop all
    execute(admin.create_user, user_account, password='******', hosts=new_host_string('admin'))
    user_tasks = (system.python, system.nginx, system.uwsgi, supervisor.install)
    for task in user_tasks:
        execute(task, hosts=new_host_string(user_account))
    print_successful()
def example_deploy(app_name):
    """Example deploy: start a fresh Django project and wire it into uwsgi.

    Installs django, creates ``~/etc/<app_name>`` with ``django-admin.py``,
    moves the generated ``wsgi.py`` to ``~/conf/wsgi.py`` and prepends a
    ``sys.path`` fix-up so the project can be imported from there, then runs
    ``configure`` to render the configs and restart supervisor.
    (Run ``setup_example`` first.)
    """
    run('pip install django')
    with cd('~/etc'):
        run('django-admin.py startproject {}'.format(app_name))
    run('mv ~/etc/{0}/{0}/wsgi.py ~/conf/wsgi.py'.format(app_name))
    # Joined with a literal backslash-n: the text is handed to sed's "1i"
    # on the remote shell, which turns it into separate lines.
    path_fix_lines = [
        "import os",
        "import sys",
        "sys.path.insert(0, os.path.expanduser('~/etc/{}'))".format(app_name),
    ]
    fix_sys_path = "\\n".join(path_fix_lines)
    run('sed -i "1i {}" ~/conf/wsgi.py'.format(fix_sys_path))
    execute(configure)
    print_successful()
def init():
    """Set up the reverse proxy from scratch (or re-initialise it).

    Stops every supervisor program (silenced), installs python, nginx and
    supervisor, renders the proxy configs via ``configure`` and finally
    generates a throw-away self-signed certificate so nginx can start;
    replace it with a properly signed one via ``proxy.update_ssl``.
    """
    with total_silence():
        execute(supervisor.stop_program, "all")  # in case this is re-init, stop all
    for task in (system.python, system.nginx, supervisor.install, configure):
        execute(task)
    print(yellow("generating self signed ssl for now (you should have yours signed and use proxy.update_ssl!)"))
    ssl_files = {
        "ssl_key": rel_path("dummy_ssl.key"),
        "ssl_cert": rel_path("dummy_ssl.cert"),
    }
    # Interactive openssl prompt; -nodes writes the private key unencrypted.
    local("openssl req -nodes -new -x509 -keyout {ssl_key} -out {ssl_cert}".format(**ssl_files))
    update_ssl(**ssl_files)
    print_successful()
def configure():
    """Render the app's nginx, uwsgi and supervisor configs and restart supervisor.

    Each template is rendered with the current role's config from
    ``get_role_config(env)``, evaluated once per template (not hoisted, since
    it is not visible here whether it is pure).

    NOTE(review): another ``configure`` (the proxy variant) appears earlier
    in this listing; if both end up in the same module the later definition
    is the one ``execute(configure)`` picks up.
    """
    templates = (
        ('app_nginx.conf', '~/conf/nginx.conf'),
        ('app_uwsgi.ini', '~/conf/uwsgi.ini'),
        ('app_supervisor.ini', '~/conf/supervisor.ini'),
    )
    for template_name, remote_path in templates:
        put_template(template_name, remote_path, context=get_role_config(env))
    execute(supervisor.restart)
    print_successful()