示例#1
0
文件: fabfile.py 项目: za3k/devops
def invent():
    """Invent is a raspberry pi that connects to the printer. It's LAN only"""

    # Set up logging
    logs.setup()

    # Set up the firewall
    #util.put_file("config/firewalls/invent.sh", "/etc/firewall.sh", mode='755', user='******')
    #sudo("sh /etc/firewall.sh")
    #util.put_file("config/firewalls/iptables", "/etc/network/if-pre-up.d/iptables", mode='755', user='******')

    # Set up authorization to back up to germinate
    public_key = ssh.ensure_key('/var/local/germinate-backup', use_sudo=True)
    with settings(user='******', host_string='germinate'):
        files.append('/home/invent/.ssh/authorized_keys',
                     public_key,
                     use_sudo=True)
    # TODO: Actually, make /root/.ssh first
    util.put_file("config/backup/sshconfig-invent",
                  "/root/.ssh/config",
                  user='******',
                  mode='600')

    # Set up backup
    package_ensure(["rsync"])
    util.put_file("config/backup/generic-backup.sh",
                  "/var/local/generic-backup.sh",
                  mode='755',
                  user='******')
    util.put_file("config/backup/backup-exclude-base",
                  "/var/local/backup-exclude",
                  mode='644',
                  user='******')
    util.put_file("config/backup/backup-invent.sh",
                  "/etc/cron.daily/backup-invent",
                  mode='755',
                  user='******')
    # github-backup setup is manual. Look on github and at cron entry. Backs up to germinate:/data/github

    # Start a webserver
    already_installed = nginx.ensure()
    #nginx.remove_default_sites()
    if not already_installed:
        nginx.restart()  # IPv[46] listener only changes on restart

    letsencrypt.ensure()

    # invent.za3k.com
    nginx.ensure_site(
        'config/nginx/invent.za3k.com'
    )  # read-only boot and LetsEncrypt are not easy to make work together, but no TLS is okay for a LAN-only site
    util.put_dir('data/invent/public', '/var/www', mode='755', user='******')

    nginx.restart()
示例#2
0
文件: fabfile.py 项目: za3k/devops
def germinate():
    """Germinate is the data server. It hosts stuff that is privately-accessible.
    Germinate runs Debian."""
    apt.sudo_ensure()  # cuisine.package_ensure is broken otherwise

    # status.za3k.com
    letsencrypt.ensure()
    nginx.ensure_site('config/nginx/status.za3k.com',
                      cert='config/certs/status.za3k.com.pem',
                      key='config/keys/status.za3k.com.key',
                      domain="status.za3k.com",
                      letsencrypt=True,
                      csr="config/certs/status.za3k.com.csr")
示例#3
0
文件: fabfile.py 项目: za3k/devops
def xenu():
    """Xenu runs minecraft."""
    # Set up the firewall
    util.put_file("config/firewalls/xenu.sh",
                  "/usr/local/bin/xenu.sh",
                  mode='755',
                  user='******')
    sudo("sh /usr/local/bin/xenu.sh")
    util.put_file("config/firewalls/iptables",
                  "/etc/network/if-pre-up.d/",
                  mode='755',
                  user='******')

    # Set up logging
    logs.setup()

    # Set up authorization to back up
    public_key = ssh.ensure_key('/var/local/germinate-backup', use_sudo=True)
    with settings(user='******', host_string='germinate'):
        files.append('/home/xenu-linux/.ssh/authorized_keys',
                     public_key,
                     use_sudo=True)
    sudo("mkdir -p /root/.ssh")
    util.put_file("config/backup/sshconfig-xenu",
                  "/root/.ssh/config",
                  user='******')

    # Set up backup
    package_ensure(["rsync"])
    util.put_file("config/backup/generic-backup.sh",
                  "/var/local",
                  mode='755',
                  user='******')
    util.put_file("config/backup/backup-exclude-xenu",
                  "/var/local/backup-exclude",
                  mode='644',
                  user='******')
    util.put_file("config/backup/backup-xenu.sh",
                  "/etc/cron.daily/backup-xenu",
                  mode='755',
                  user='******')

    # Minecraft prereqs
    package_ensure(["make", "tmux"])
    # Set up java for minecraft
    if not path.has('java'):
        sudo(
            'echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" | tee /etc/apt/sources.list.d/webupd8team-java.list'
        )
        sudo(
            'echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" | tee -a /etc/apt/sources.list.d/webupd8team-java.list'
        )
        sudo(
            'apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys EEA14886'
        )
        sudo('apt-get update')
        sudo(
            'echo oracle-java8-installer shared/accepted-oracle-license-v1-1 select true | sudo /usr/bin/debconf-set-selections'
        )
        package_ensure(["oracle-java8-installer"])  # fails

    # Set up nginx
    already_installed = nginx.ensure()
    if not already_installed:
        nginx.restart()  # IPv[46] listener only changes on restart
    util.put_dir("data/minecraft-www",
                 "/var/www/minecraft-www",
                 user="******")
    nginx.ensure_site('config/nginx/minecraft.za3k.com')
    nginx.reload()
示例#4
0
文件: fabfile.py 项目: za3k/devops
def corrupt():
    apt.sudo_ensure()  # cuisine.package_ensure is broken otherwise
    with cd("/"):  # Hack because /root is -x
        # Set up the firewall
        util.put_file("config/firewalls/corrupt.sh",
                      "/usr/local/bin/corrupt.sh",
                      mode='755',
                      user='******')
        run("sh /usr/local/bin/corrupt.sh")
        util.put_file("config/firewalls/iptables",
                      "/etc/network/if-pre-up.d/iptables",
                      mode='755',
                      user='******')

        # Set up logging
        logs.setup()

        # Set up authorization to back up email to the data server
        public_key = ssh.ensure_key('/var/local/germinate-backup')
        with settings(user='******', host_string='germinate'):
            files.append('/home/corrupt/.ssh/authorized_keys',
                         public_key,
                         use_sudo=True)
        util.put_file("config/backup/sshconfig-corrupt",
                      "/root/.ssh/config",
                      mode='600',
                      user='******')

        # Set up backup
        package_ensure(["rsync"])
        util.put_file("config/backup/generic-backup.sh",
                      "/var/local/generic-backup.sh",
                      mode='755',
                      user='******')
        util.put_file("config/backup/backup-exclude-base",
                      "/var/local/backup-exclude",
                      mode='644',
                      user='******')
        util.put_file("config/backup/backup-corrupt.sh",
                      "/etc/cron.daily/backup-corrupt",
                      mode='755',
                      user='******')

        # Set up postgres, postfix, dovecot, spamassassin
        mx.ensure(restore=True)

        # Remind zachary to change their email password

        # Remind zachary to change their DNS records to point to the new MX server
        # Remind zachary to change their rDNS record to point to za3k.com

        # znc.za3k.com
        znc.ensure()

        # Start a webserver
        already_installed = nginx.ensure()
        if not already_installed:
            nginx.restart()  # IPv[46] listener only changes on restart

        letsencrypt.ensure()

        # corrupt.za3k.com
        util.put_file('config/keys/basic_auth/corrupt.htaccess',
                      '/etc/nginx/conf.d/corrupt.htaccess',
                      mode='700',
                      user='******')
        nginx.ensure_site('config/nginx/corrupt.za3k.com',
                          cert='config/certs/corrupt.za3k.com.pem',
                          key='config/keys/corrupt.za3k.com.key',
                          domain="corrupt.za3k.com",
                          letsencrypt=True,
                          csr="config/certs/corrupt.za3k.com.csr")
        nginx.ensure_site('config/nginx/imap.za3k.com',
                          cert='config/certs/imap.za3k.com.pem',
                          key='config/keys/imap.za3k.com.key',
                          domain="imap.za3k.com",
                          letsencrypt=True,
                          csr="config/certs/imap.za3k.com.csr")
        nginx.ensure_site('config/nginx/smtp.za3k.com',
                          cert='config/certs/smtp.za3k.com.pem',
                          key='config/keys/smtp.za3k.com.key',
                          domain="smtp.za3k.com",
                          letsencrypt=True,
                          csr="config/certs/smtp.za3k.com.csr")
        util.put_dir('data/corrupt/public',
                     '/var/www/public',
                     'root',
                     mode='755')

        # webmail.za3k.com
        package_ensure([
            "php", "php-pear", "php-mbstring", "php-sqlite3", "php-gd",
            "php-imagick", "php-intl", "php-ldap"
        ])
        # By hand: edit php.ini to use the time zone you want
        nginx.ensure_site('config/nginx/webmail.za3k.com',
                          cert='config/certs/webmail.za3k.com.pem',
                          key='config/keys/webmail.za3k.com.key',
                          domain="webmail.za3k.com",
                          letsencrypt=True,
                          csr="config/certs/webmail.za3k.com.csr")
        # By hand: install /var/www/roundcube from a tar. chown it to www-data. set it up and delete installer--copy config file from config directory. Edit autologon to include user+pw
        # By hand: touch /var/www/roundcube.db and make it writable

        nginx.restart()
示例#5
0
文件: fabfile.py 项目: za3k/devops
def deadtree():
    """Deadtree is the main services machine. It can be taken down at any time and rebuilt."""
    apt.sudo_ensure()  # cuisine.package_ensure is broken otherwise

    # Set up /etc/skel
    sudo("mkdir /etc/skel/.ssh || true")
    sudo("chmod 700 /etc/skel/.ssh")

    # Add a 'nobody' user
    user_ensure('nobody')
    group_ensure('nobody')
    group_user_ensure('nobody', 'nobody')
    sudo('usermod -s /bin/false nobody')

    # Set up logging
    logs.setup()

    # Set up the firewall
    util.put_file("config/firewalls/deadtree.sh",
                  "/usr/local/bin/deadtree.sh",
                  mode='755',
                  user='******')
    sudo("sh /usr/local/bin/deadtree.sh")
    util.put_file("config/firewalls/iptables",
                  "/etc/network/if-pre-up.d/",
                  mode='755',
                  user='******')

    # Set up authorization to back up to germinate
    public_key = ssh.ensure_key('/var/local/germinate-backup', use_sudo=True)
    with settings(user='******', host_string='germinate'):
        files.append('/home/deadtree/.ssh/authorized_keys',
                     public_key,
                     use_sudo=True)
    util.put_file("config/backup/sshconfig-deadtree",
                  "/root/.ssh/config",
                  user='******')

    # Set up backup
    package_ensure(["rsync"])
    util.put_file("config/backup/generic-backup.sh",
                  "/var/local",
                  mode='755',
                  user='******')
    util.put_file("config/backup/backup-exclude-base",
                  "/var/local/backup-exclude",
                  mode='644',
                  user='******')
    util.put_file("config/backup/backup-deadtree.sh",
                  "/etc/cron.daily/backup-deadtree",
                  mode='755',
                  user='******')

    # Set up nginx
    already_installed = nginx.ensure()
    nginx.ensure_site('config/nginx/default',
                      cert='config/certs/za3k.com.pem',
                      key='config/keys/blog.za3k.com.key')
    nginx.ensure_fcgiwrap(children=4)
    if not already_installed:
        nginx.restart()  # IPv[46] listener only changes on restart

    # Set up letsencrypt
    letsencrypt.ensure()

    # Set up logging reports
    package_ensure(["analog"])
    with mode_sudo():
        dir_ensure("/var/www/logs", mode='755')
    util.put_file("config/logs/generate-logs",
                  "/etc/cron.daily/generate-logs",
                  mode='755',
                  user='******')
    util.put_file("config/logs/analog.cfg",
                  "/etc/analog.cfg",
                  mode='644',
                  user='******')

    # ddns.za3k.com (TCP port 80, web updater for DDNS)
    # ns.za3k.com (UDP port 53, DNS server)
    user_ensure('nsd')
    group_ensure('nsd')
    group_user_ensure('nsd', 'nsd')
    with mode_sudo():
        dir_ensure('/var/lib/nsd', mode='755')
    sudo("chown nsd:nsd /var/lib/nsd")
    package_ensure(["nsd"])
    with cd("/var/lib/nsd"):
        sudo(
            "touch /var/lib/nsd/moreorcs.com.zone && chown nsd:nsd /var/lib/nsd/moreorcs.com.zone"
        )
    node.ensure()
    util.put_file("config/ddns/moreorcs.com.zonetemplate",
                  "/etc/nsd/moreorcs.com.zonetemplate",
                  mode='644',
                  user='******')
    supervisord.ensure()
    git.ensure_clone_github('thingless/ddns', '/var/lib/nsd/ddns', user='******')
    supervisord.ensure_config("config/supervisor/ddns.conf")
    util.put_file("config/ddns/config.json",
                  "/var/lib/nsd/config.json",
                  mode='644',
                  user='******')
    # [Manual] Copy dnsDB.json from backup
    sudo(
        "cd /var/lib/nsd && ln -sf ddns/index.txt index.txt && chown nsd:nsd index.txt"
    )
    supervisord.update()  # Run ddns
    package_ensure(["nsd"])
    util.put_file("config/ddns/nsd.conf",
                  "/etc/nsd/nsd.conf",
                  mode='644',
                  user='******')
    sudo("systemctl restart nsd")
    nginx.ensure_site('config/nginx/ddns.za3k.com',
                      csr='config/certs/ddns.za3k.com.csr',
                      key='config/keys/ddns.za3k.com.key',
                      domain="ddns.za3k.com",
                      letsencrypt=True,
                      cert="config/certs/ddns.za3k.com.pem")
    nginx.reload()

    # blog.za3k.com
    package_ensure(["php5-fpm", "mysql-server", "php5-mysql"])

    nginx.ensure_site('config/nginx/blog.za3k.com',
                      cert='config/certs/blog.za3k.com.pem',
                      key='config/keys/blog.za3k.com.key',
                      domain="blog.za3k.com",
                      letsencrypt=True,
                      csr="config/certs/blog.za3k.com.csr")

    git.ensure_clone_za3k('za3k_blog', '/var/www/za3k_blog', user='******')
    # [Manual] Edit /etc/php5/fpm/php.ini
    # upload_max_filesize = 20M
    # post_max_size = 26M
    # sudo("systemctl reload php5-fpm.service")

    # Yes, www-data and not fcgiwrap
    sudo("chown www-data:www-data -R /var/www/za3k_blog")
    sudo("find . -type d -exec chmod 755 {} \;")
    sudo("find . -type f -exec chmod 644 {} \;")

    # TODO: Replace a database-specific password or make it more obvious it's not used? Currently we're using user ACLs and this gets ignored anyway, I think?
    # [Manual] Load the blog database from backup at /srv/mysql -> /var/lib/mysql
    sudo('systemctl restart mysql')

    # deadtree.za3k.com
    nginx.ensure_site('config/nginx/deadtree.za3k.com',
                      cert='config/certs/deadtree.za3k.com.pem',
                      key='config/keys/deadtree.za3k.com.key',
                      domain="deadtree.za3k.com",
                      letsencrypt=True,
                      csr="config/certs/deadtree.za3k.com.csr")
    util.put_dir('data/deadtree/public',
                 '/var/www/public',
                 mode='755',
                 user='******')

    # etherpad.za3k.com
    package_ensure(["sqlite3"])
    user_ensure('etherpad')
    group_ensure('etherpad')
    group_user_ensure('etherpad', 'etherpad')
    git.ensure_clone_github('ether/etherpad-lite',
                            '/var/www/etherpad',
                            commit='1.6.0',
                            user='******')
    nginx.ensure_site('config/nginx/etherpad.za3k.com',
                      csr='config/certs/etherpad.za3k.com.csr',
                      key='config/keys/etherpad.za3k.com.key',
                      domain="etherpad.za3k.com",
                      letsencrypt=True,
                      cert="config/certs/etherpad.za3k.com.pem")
    util.put_file("config/etherpad/APIKEY.txt",
                  "/var/www/etherpad",
                  user='******',
                  mode='600')
    util.put_file("config/etherpad/settings.json",
                  "/var/www/etherpad",
                  user='******',
                  mode='644')
    if not files.exists("/var/www/etherpad/var/sqlite.db"):
        sudo("mkdir -p /var/www/etherpad/var", user='******')
        with cd("/var/www/etherpad"):
            sudo("npm install sqlite3")
        sudo(
            "rsync -av germinate.za3k.com::etherpad --delete /var/www/etherpad/var",
            user='******')
    supervisord.ensure()
    supervisord.ensure_config("config/supervisor/etherpad.conf")
    supervisord.update()

    # forsale
    nginx.ensure_site('config/nginx/forsale')
    util.put_dir('data/forsale', '/var/www/forsale', mode='755', user='******')

    # gipc daily sync
    # github personal backup
    # github repo list
    util.put_file("config/github/github-metadata-sync",
                  "/etc/cron.daily/github-metadata-sync",
                  mode='755',
                  user='******')

    #                  -> updater
    # irc.za3k.com -> irc
    #              -> webchat (qwebirc)
    # jsfail.com
    user_ensure('jsfail')
    group_ensure('jsfail')
    group_user_ensure('jsfail', 'jsfail')
    nginx.ensure_site('config/nginx/jsfail.com')
    util.put_dir('data/jsfail', '/var/www/jsfail', 'jsfail', mode='755')

    # library.za3k.com -> website
    #                  -> sync script
    #                  -> card catalog
    # MUST be user 2001 to match remote rsync
    user_ensure('library', uid=2001)
    group_ensure('library', gid=2001)
    group_user_ensure('library', 'library')
    with mode_sudo():
        dir_ensure('/var/www/library', mode='755')
    files.append('/etc/sudoers',
                 'za3k    ALL=(root) NOPASSWD: /etc/cron.daily/library-sync',
                 use_sudo=True)
    with settings(user='******', host_string='germinate'):
        actual_key = ssh.get_public_key(
            "/data/git/books.git/hooks/deadtree.library")
    ssh_line = 'command="{command}",no-port-forwarding,no-x11-forwarding,no-agent-forwarding {key}'.format(
        command="sudo /etc/cron.daily/library-sync", key=actual_key)
    files.append('/home/za3k/.ssh/authorized_keys', ssh_line, use_sudo=True)

    sudo("chown library:library /var/www/library")
    util.put_file("config/library/library-sync",
                  "/etc/cron.daily/library-sync",
                  mode='755',
                  user='******')
    sudo("/etc/cron.daily/library-sync")
    nginx.ensure_site('config/nginx/library.za3k.com',
                      csr='config/certs/library.za3k.com.csr',
                      key='config/keys/library.za3k.com.key',
                      domain="library.za3k.com",
                      letsencrypt=True,
                      cert="config/certs/library.za3k.com.pem")

    # logs (nginx) and analysis (analog)
    # mint sync
    # moreorcs.com
    user_ensure('moreorcs')
    group_ensure('moreorcs')
    group_user_ensure('moreorcs', 'moreorcs')
    nginx.ensure_site('config/nginx/moreorcs.com',
                      cert='config/certs/moreorcs.com.pem',
                      key='config/keys/moreorcs.com.key',
                      domain="moreorcs.com",
                      letsencrypt=True,
                      csr="config/certs/moreorcs.com.csr")
    git.ensure_clone_github('za3k/moreorcs',
                            '/var/www/moreorcs',
                            user='******')

    # nanowrimo.za3k.com
    nginx.ensure_site('config/nginx/nanowrimo.za3k.com',
                      csr='config/certs/nanowrimo.za3k.com.csr',
                      key='config/keys/nanowrimo.za3k.com.key',
                      domain="nanowrimo.za3k.com",
                      letsencrypt=True,
                      cert="config/certs/nanowrimo.za3k.com.pem")
    util.put_dir('data/nanowrimo',
                 '/var/www/nanowrimo',
                 user='******',
                 mode='755')

    # nntp.za3k.com - Discontinued
    # petchat.za3k.com
    nginx.ensure_site('config/nginx/petchat.za3k.com')
    if not files.exists('/var/www/petchat'):
        git.ensure_clone_za3k('petchat', '/var/www/petchat', user='******')

    # publishing.za3k.com
    # thinkingtropes.com
    nginx.ensure_site('config/nginx/thinkingtropes.com')
    util.put_dir('data/thinkingtropes',
                 '/var/www/thinkingtropes',
                 user='******',
                 mode='755')

    # thisisashell.com
    nginx.ensure_site('config/nginx/thisisashell.com',
                      csr='config/certs/thisisashell.com.csr',
                      key='config/keys/thisisashell.com.key',
                      domain="thisisashell.com",
                      letsencrypt=True,
                      cert="config/certs/thisisashell.com.pem")

    # isrickandmortyout.com
    nginx.ensure_site('config/nginx/isrickandmortyout.com',
                      csr='config/certs/isrickandmortyout.com.csr',
                      key='config/keys/isrickandmortyout.com.key',
                      domain="isrickandmortyout.com",
                      letsencrypt=True,
                      cert="config/certs/isrickandmortyout.com.pem")

    # twitter archive
    # za3k.com
    user_ensure('za3k')
    group_ensure('za3k')
    group_user_ensure('za3k', 'za3k')
    nginx.ensure_site('config/nginx/za3k.com',
                      cert='config/certs/za3k.com.pem',
                      key='config/keys/za3k.com.key',
                      domain="za3k.com",
                      letsencrypt=True,
                      csr="config/certs/za3k.com.csr")
    git.ensure_clone_za3k('za3k', '/var/www/za3k', user='******')
    with settings(user='******', host_string='germinate'):
        actual_key = ssh.get_public_key(
            "/data/git/za3k.git/hooks/deadtree_key")
    ssh_line = 'command="{command}",no-port-forwarding,no-x11-forwarding,no-agent-forwarding {key}'.format(
        command="/usr/bin/git -C /var/www/za3k pull", key=actual_key)
    files.append('/home/za3k/.ssh/authorized_keys', ssh_line, use_sudo=True)

    # Markdown .md
    ruby.ensure()
    ruby.ensure_gems(["redcarpet"])
    # Databases .view
    package_ensure(["sqlite3"])
    util.put_file("config/za3k/za3k-db-sync",
                  "/etc/cron.daily/za3k-db-sync",
                  mode='755',
                  user='******')
    sudo("/etc/cron.daily/za3k-db-sync")
    # colony on the moon
    # disabled temp. because we're out of space
    #sudo("rsync -av germinate.za3k.com::colony --delete /var/www/colony", user='******')
    # .sc
    package_ensure(["sc"])

    nginx.reload()
示例#6
0
文件: fabfile.py 项目: za3k/devops
def deadtree():
    """Deadtree is the main services machine. It can be taken down at any time and rebuilt."""
    apt.sudo_ensure() # cuisine.package_ensure is broken otherwise
    
    # Set up /etc/skel
    sudo("mkdir /etc/skel/.ssh || true")
    sudo("chmod 700 /etc/skel/.ssh")

    # Add a 'nobody' user
    user_ensure('nobody')
    group_ensure('nobody')
    group_user_ensure('nobody', 'nobody')
    sudo('usermod -s /bin/false nobody')

    # Set up the firewall
    put("config/firewalls/deadtree.sh", "/usr/local/bin", use_sudo=True)
    sudo("sh /usr/local/bin/deadtree.sh")

    # Set up nginx
    already_installed = nginx.ensure()
    nginx.ensure_site('config/nginx/default', cert='config/certs/za3k.com.pem', key='config/keys/blog.za3k.com.key')
    nginx.ensure_fcgiwrap(children=4)
    if not already_installed:
        nginx.restart() # IPv[46] listener only changes on restart

    # Set up letsencrypt
    letsencrypt.ensure() 

    # Set up authorization to back up to the data server
    #public_key = ssh.ensure_key('/root/.ssh/id_rsa')
    #with settings(user='******', host_string='burn'):
    #    #put(public_key, '/home/zachary/test_authorized_keys')
    #    files.append('/home/deadtree/.ssh/authorized_keys', public_key)

    # ddns.za3k.com (TCP port 80, web updater for DDNS)
    # ns.za3k.com (UDP port 53, DNS server)
    user_ensure('nsd')
    group_ensure('nsd')
    group_user_ensure('nsd', 'nsd')
    with mode_sudo():
        dir_ensure('/var/lib/nsd', mode='755')
    sudo("chown nsd:nsd /var/lib/nsd")
    package_ensure(["nsd"])
    with cd("/var/lib/nsd"):
        sudo("touch /var/lib/nsd/moreorcs.com.zone && chown nsd:nsd /var/lib/nsd/moreorcs.com.zone")
    node.ensure()
    put("config/ddns/moreorcs.com.zonetemplate", "/etc/nsd", mode='644', use_sudo=True)
    supervisord.ensure()
    git.ensure_clone_github('thingless/ddns', '/var/lib/nsd/ddns', user='******')
    supervisord.ensure_config("config/supervisor/ddns.conf")
    put("config/ddns/config.json", "/var/lib/nsd", mode='644', use_sudo=True)
    sudo("chown nsd:nsd /var/lib/nsd/config.json")
    # [Manual] Copy dnsDB.json from backup
    sudo("cd /var/lib/nsd && ln -sf ddns/index.txt index.txt && chown nsd:nsd index.txt")
    supervisord.update() # Run ddns
    package_ensure(["nsd"])
    put("config/ddns/nsd.conf", "/etc/nsd", mode='644', use_sudo=True)
    sudo("systemctl restart nsd")
    nginx.ensure_site('config/nginx/ddns.za3k.com', csr='config/certs/ddns.za3k.com.csr', key='config/keys/ddns.za3k.com.key', domain="ddns.za3k.com", letsencrypt=True, cert="config/certs/ddns.za3k.com.pem")
    nginx.reload()

    # blog.za3k.com
    package_ensure(["php5-fpm", "mysql-server", "php5-mysql"])

    nginx.ensure_site('config/nginx/blog.za3k.com', cert='config/certs/blog.za3k.com.pem', key='config/keys/blog.za3k.com.key', domain="blog.za3k.com", letsencrypt=True, csr="config/certs/blog.za3k.com.csr")
    git.ensure_clone_za3k('za3k_blog', '/var/www/za3k_blog', user='******')
    # TODO: Replace a database-specific password or make it more obvious it's not used? Currently we're using user ACLs and this gets ignored anyway, I think?
    # [Manual] Load the blog database from backup at /srv/mysql -> /var/lib/mysql
    sudo('systemctl restart mysql')

    # etherpad.za3k.com
    package_ensure(["sqlite3"])
    user_ensure('etherpad')
    group_ensure('etherpad')
    group_user_ensure('etherpad', 'etherpad')
    git.ensure_clone_github('ether/etherpad-lite', '/var/www/etherpad', commit='1.6.0', user='******')
    nginx.ensure_site('config/nginx/etherpad.za3k.com', csr='config/certs/etherpad.za3k.com.csr', key='config/keys/etherpad.za3k.com.key', domain="etherpad.za3k.com", letsencrypt=True, cert="config/certs/etherpad.za3k.com.pem")
    util.put("config/etherpad/APIKEY.txt", "/var/www/etherpad", user='******', mode='600')
    util.put("config/etherpad/settings.json", "/var/www/etherpad", user='******', mode='644')
    if not files.exists("/var/www/etherpad/var/sqlite.db"):
        sudo("mkdir -p /var/www/etherpad/var", user='******')
        with cd("/var/www/etherpad"):
            sudo("npm install sqlite3")
        sudo("rsync -av burn.za3k.com::etherpad --delete /var/www/etherpad/var", user='******')
    supervisord.ensure()
    supervisord.ensure_config("config/supervisor/etherpad.conf")
    supervisord.update()

    # forsale
    nginx.ensure_site('config/nginx/forsale')
    util.put('data/forsale', '/var/www', user='******', mode='755')

    # gipc daily sync
    # github personal backup
    # github repo list
    #                  -> updater
    # irc.za3k.com -> irc
    #              -> webchat (qwebirc)
    # jsfail.com
    user_ensure('jsfail')
    group_ensure('jsfail')
    group_user_ensure('jsfail', 'jsfail')
    nginx.ensure_site('config/nginx/jsfail.com')
    util.put('data/jsfail', '/var/www', 'jsfail', mode='755')

    # library.za3k.com -> website
    #                  -> sync script
    #                  -> card catalog
    # MUST be user 2001 to match remote rsync
    user_ensure('library', uid=2001)
    group_ensure('library', gid=2001)
    group_user_ensure('library', 'library')
    with mode_sudo():
        dir_ensure('/var/www/library', mode='755')
    sudo("chown library:library /var/www/library")
    put("config/library/library.sync", "/etc/cron.daily", mode='755', use_sudo=True)
    sudo("/etc/cron.daily/library.sync")
    nginx.ensure_site('config/nginx/library.za3k.com', csr='config/certs/library.za3k.com.csr', key='config/keys/library.za3k.com.key', domain="library.za3k.com", letsencrypt=True, cert="config/certs/library.za3k.com.pem")

    # logs (nginx) and analysis (analog)
    # mint sync
    # moreorcs.com
    user_ensure('moreorcs')
    group_ensure('moreorcs')
    group_user_ensure('moreorcs', 'moreorcs')
    nginx.ensure_site('config/nginx/moreorcs.com', cert='config/certs/moreorcs.com.pem', key='config/keys/moreorcs.com.key', domain="moreorcs.com", letsencrypt=True, csr="config/certs/moreorcs.com.csr")
    git.ensure_clone_github('za3k/moreorcs', '/var/www/moreorcs', user='******')

    # nanowrimo.za3k.com
    nginx.ensure_site('config/nginx/nanowrimo.za3k.com', csr='config/certs/nanowrimo.za3k.com.csr', key='config/keys/nanowrimo.za3k.com.key', domain="nanowrimo.za3k.com", letsencrypt=True, cert="config/certs/nanowrimo.za3k.com.pem")
    util.put('data/nanowrimo', '/var/www', user='******', mode='755')

    # nntp.za3k.com - Discontinued
    # petchat.za3k.com
    nginx.ensure_site('config/nginx/petchat.za3k.com')
    if not files.exists('/var/www/petchat'):
        git.ensure_clone_za3k('petchat', '/var/www/petchat', user='******')

    # publishing.za3k.com
    # thinkingtropes.com
    nginx.ensure_site('config/nginx/thinkingtropes.com')
    util.put('data/thinkingtropes', '/var/www', user='******', mode='755')

    # thisisashell.com
    nginx.ensure_site('config/nginx/thisisashell.com', csr='config/certs/thisisashell.com.csr', key='config/keys/thisisashell.com.key', domain="thisisashell.com", letsencrypt=True, cert="config/certs/thisisashell.com.pem")

    # twitter archive
    # za3k.com
    user_ensure('za3k')
    group_ensure('za3k')
    group_user_ensure('za3k', 'za3k')
    nginx.ensure_site('config/nginx/za3k.com', cert='config/certs/za3k.com.pem', key='config/keys/za3k.com.key', domain="za3k.com", letsencrypt=True, csr="config/certs/za3k.com.csr")
    git.ensure_clone_za3k('za3k', '/var/www/za3k', user='******')
    # Markdown .md
    ruby.ensure()
    ruby.ensure_gems(["redcarpet"])
    # colony on the moon
    sudo("rsync -av burn.za3k.com::colony --delete /var/www/colony", user='******')
    # |-- status.za3k.com
    sudo("mkdir -p /var/www/status && chmod 755 /var/www/status")
    util.put("/srv/keys/backup_check", "/var/www/status", user='******', mode='600')
    #util.put("/srv/keys/backup_check.pub", "/var/www/status", user='******', mode='644')
    package_ensure(["parallel", "curl"])
    nginx.reload()