Commit d242d3e07ab21115a5c79e883243365ac913a28e

Authored by nollieheel
Committed by Earth Ugat
1 parent ade90ebc

Version v0.1.1. Include cfe-simple-iptables cookbook.

... ... @@ -19,3 +19,4 @@ bin/*
19 19 .kitchen/
20 20 .kitchen.local.yml
21 21 .chef
  22 +data_bags
... ...
... ... @@ -2,10 +2,10 @@ source "https://supermarket.chef.io"
2 2
3 3 metadata
4 4
5   -cookbook 'cfe-users', git: 'https://gitlab.chromedia.com/ops/cfe-users.git', tag: 'v0.1.0'
  5 +cookbook 'cfe-users', git: 'https://gitlab.chromedia.com/ops/cfe-users.git', tag: 'v0.1.1'
6 6 cookbook 'cfe-mariadb', git: 'https://gitlab.chromedia.com/ops/cfe-mariadb.git', tag: 'v0.5.0'
7 7 cookbook 'backup-file2s3', git: 'https://gitlab.chromedia.com/ops/backup-file2s3.git', tag: 'v0.3.3'
8   -cookbook 'cfe-nginx-php-fpm', git: 'https://gitlab.chromedia.com/ops/cfe-nginx-php-fpm.git', tag: 'v0.5.1'
  8 +cookbook 'cfe-nginx-php-fpm', git: 'https://gitlab.chromedia.com/ops/cfe-nginx-php-fpm.git', tag: 'v0.5.2'
9 9 cookbook 'cfe-simple-iptables', git: 'https://gitlab.chromedia.com/ops/cfe-simple-iptables.git', tag: 'v0.1.0'
10 10
11 11 cookbook 'cookbook-letsencrypt', git: 'https://github.com/nollieheel/cookbook-letsencrypt.git', tag: 'v0.2.0'
... ...
  1 +## 0.1.1 - 2016-12-09
  2 +### Added
  3 +- Include cookbook 'cfe-simple-iptables'. Also automatically add iptables that are listed in a secret data bag (see default attribute file).
  4 +
1 5 ## 0.1.0 - 2016-12-06
2 6 ### Added
3 7 - Initial release of cfe-server cookbook.
... ...
... ... @@ -16,18 +16,119 @@ Tested on Ubuntu 14.04.
16 16 <th>Default</th>
17 17 </tr>
18 18 <tr>
19   - <td><tt>['cfe-server']['']</tt></td>
  19 + <td><tt>['cfe-server']['db']['mariadb']['install']</tt></td>
20 20 <td>Boolean</td>
21   - <td>Description</td>
  21 + <td>Whether or not to install MariaDB server.</td>
  22 + <td><tt>false</tt></td>
  23 + </tr>
  24 + <tr>
  25 + <td><tt>['cfe-server']['db']['include_mongodb']</tt></td>
  26 + <td>Boolean</td>
  27 + <td>Whether or not to include the recipe `mongodb3`.</td>
  28 + <td><tt>true</tt></td>
  29 + </tr>
  30 + <tr>
  31 + <td><tt>['cfe-server']['filesystem']['swapfile']</tt></td>
  32 + <td>String/Boolean False</td>
  33 + <td>Path to swap file. Set to false to disable creating swap file.</td>
  34 + <td><tt>false</tt></td>
  35 + </tr>
  36 + <tr>
  37 + <td><tt>['cfe-server']['filesystem']['swapsize']</tt></td>
  38 + <td>String</td>
  39 + <td>Size of swap file if enabled.</td>
  40 + <td><tt>'2G'</tt></td>
  41 + </tr>
  42 + <tr>
  43 + <td><tt>['cfe-server']['filesystem']['perms']</tt></td>
  44 + <td>Array</td>
  45 + <td>Custom permissions and/or ownerships to specific filesystem paths. Please see the default attrbutes file for examples.</td>
  46 + <td><tt>[]</tt></td>
  47 + </tr>
  48 + <tr>
  49 + <td><tt>['cfe-server']['filesystem']['symlinks']</tt></td>
  50 + <td>Hash</td>
  51 + <td>Symbolic links to create. Each property-to-value corresponds to a linkname-to-target pair. (See default attribute file for examples.)</td>
  52 + <td><tt>{}</tt></td>
  53 + </tr>
  54 + <tr>
  55 + <td><tt>['cfe-server']['tls']['include_letsencrypt']</tt></td>
  56 + <td>Boolean</td>
  57 + <td>Whether or not to include the recipe `cookbook-letsencrypt`.</td>
  58 + <td><tt>true</tt></td>
  59 + </tr>
  60 + <tr>
  61 + <td><tt>['cfe-server']['app']['include_postfix']</tt></td>
  62 + <td>Boolean</td>
  63 + <td>Whether or not to include the recipe `cfe-nginx-php-fpm::postfix'.</td>
  64 + <td><tt>true</tt></td>
  65 + </tr>
  66 + <tr>
  67 + <td><tt>['cfe-server']['app']['include_php']</tt></td>
  68 + <td>Boolean</td>
  69 + <td>Whether or not to include the recipe 'cfe-nginx-php-fpm::php-fpm'.</td>
  70 + <td><tt>true</tt></td>
  71 + </tr>
  72 + <tr>
  73 + <td><tt>['cfe-server']['app']['include_pma']</tt></td>
  74 + <td>Boolean</td>
  75 + <td>Whether or not to include the recipe 'cookbook-phpmyadmin'.</td>
  76 + <td><tt>false</tt></td>
  77 + </tr>
  78 + <tr>
  79 + <td><tt>['cfe-server']['app']['composer']['project_paths']</tt></td>
  80 + <td>Array</td>
  81 + <td>If using composer, list here the directories where composer should be initialized.</td>
  82 + <td><tt>[]</tt></td>
  83 + </tr>
  84 + <tr>
  85 + <td><tt>['cfe-server']['misc']['cronjobs']</tt></td>
  86 + <td>Array</td>
  87 + <td>Specifications of cronjobs to be set up. Please see default attributes file for examples.</td>
  88 + <td><tt>[]</tt></td>
  89 + </tr>
  90 + <tr>
  91 + <td><tt>['cfe-server']['misc']['logrotatejobs']</tt></td>
  92 + <td>Array</td>
  93 + <td>Specifications of logrotate jobs to be set up. Please see default attribute file for examples.</td>
  94 + <td><tt>[]</tt></td>
  95 + </tr>
  96 + <tr>
  97 + <td><tt>['cfe-server']['web']['include_nginx']</tt></td>
  98 + <td>Boolean</td>
  99 + <td>Whether or not to include the recipe 'cfe-nginx-php-fpm::nginx'.</td>
22 100 <td><tt>true</tt></td>
23 101 </tr>
24 102 </table>
25 103
26 104 ## Usage
27 105
  106 +### Secret Data Bag
  107 +
  108 +A secret data bag named either `prod`, `staging`, or `dev` has to be created. In it should be an item named `cfe-server-secret` that contains two properties: `iptables_ssh_ports` and `iptables_add_rules`.
  109 +
  110 +`iptables_ssh_ports` is an array that contains ports to be used by sshd.
  111 +
  112 +`iptables_add_rules` is an array of hashes that denote additional FILTER iptables rules to be created on the server. The hashes must conform to the format required by the cookbook `cfe-simple-iptables`.
  113 +
  114 +Example:
  115 +```json
  116 +{
  117 + "id": "cfe-server-secret",
  118 + "iptables_ssh_ports": [ 8822 ],
  119 + "iptables_add_rules": [
  120 + {
  121 + "name" : "Custom rule for my app",
  122 + "rule" : "--proto tcp --dport 8080",
  123 + "weight": 25
  124 + }
  125 + ]
  126 +}
  127 +```
  128 +
28 129 ### cfe-server::default
29 130
30   -Enter proper attributes for the different wrapped cookbooks, including this one. Then include `cfe-server` in your node's `run_list`:
  131 +Enter proper attributes for the different wrapped cookbooks, including this one. Create the secret data bag mentioned above. Then include `cfe-server` in your node's `run_list`:
31 132
32 133 ```json
33 134 {
... ...
... ... @@ -20,6 +20,21 @@
20 20
21 21 cb = 'cfe-server'
22 22
  23 +# Secret data bag stuff
  24 +#
  25 +# Necessary secret data bag key/s:
  26 +# iptables_ssh_ports
  27 +# iptables_add_rules
  28 +
  29 +databag =
  30 + case node.chef_environment
  31 + when 'prod', 'staging'
  32 + node.chef_environment
  33 + else
  34 + 'dev'
  35 + end
  36 +secret = Chef::EncryptedDataBagItem.load(databag, "#{cb}-secret")
  37 +
23 38 default[cb]['db']['mariadb']['install'] = false
24 39 default[cb]['db']['include_mongodb'] = true
25 40
... ... @@ -52,8 +67,8 @@ default[cb]['misc']['cronjobs'] = [
52 67 # :name => 'arbitrary_name_of_cronjob',
53 68 # :command => 'command to perform',
54 69 # :sched => '0 0 * * *',
55   -# :mailto => '""',
56   -# :enable => true
  70 +# :mailto => '""', # Optional. Default: ''
  71 +# :enable => true # Optional. Default: true
57 72 # }
58 73 ]
59 74 default[cb]['misc']['logrotatejobs'] = [
... ... @@ -61,12 +76,82 @@ default[cb]['misc']['logrotatejobs'] = [
61 76 # :name => 'arbitrary_name_of_job', # a filename, no spaces
62 77 # :path => '/path/to/rotate/*.log',
63 78 # :options => %w{ weekly rotate\ 12 missingok compress notifempty },
64   -# :enable => true
  79 +# :enable => true # Optional. Default true
65 80 # }
66 81 ]
67 82
68 83 default[cb]['misc']['logrotate']['conf_dir'] = '/etc/logrotate.d'
69   -default[cb]['misc']['sshd']['ports'] = [ 22, 8765 ]
  84 +default[cb]['misc']['sshd']['ports'] = secret['iptables_ssh_ports']
70 85 default[cb]['misc']['sshd']['conf_path'] = '/etc/ssh/sshd_config'
71 86
72 87 default[cb]['web']['include_nginx'] = true
  88 +
  89 +# Wrapped attributes
  90 +
  91 +rules_ssh = secret['iptables_ssh_ports'].inject([]) do |acc, sport|
  92 + acc << "--proto tcp --dport #{sport} -m conntrack --ctstate NEW"
  93 + acc
  94 +end
  95 +
  96 +# Place additional iptables filter rules in a secret data bag
  97 +# according to the format for cfe-simple-iptables attribute:
  98 +# "iptables_add_rules": [
  99 +# {
  100 +# "name": "example",
  101 +# "rule": "example",
  102 +# "weight": 21
  103 +# }
  104 +# ]
  105 +rules_add = secret['iptables_add_rules'].inject([]) do |acc1, rule|
  106 + hrule = rule.inject({}) do |acc2, (k, v)|
  107 + acc2[k.to_sym] = v
  108 + acc2
  109 + end
  110 + acc1 << hrule
  111 + acc1
  112 +end
  113 +
  114 +rules_filter1 = [
  115 + {
  116 + :n => 'established',
  117 + :r => '-m conntrack --ctstate ESTABLISHED,RELATED',
  118 + :w => 1
  119 + },
  120 + {
  121 + :n => 'icmp',
  122 + :r => '--proto icmp',
  123 + :w => 2
  124 + },
  125 + {
  126 + :n => 'loopback',
  127 + :r => '--in-interface lo',
  128 + :w => 3
  129 + },
  130 + {
  131 + :n => 'ssh',
  132 + :r => rules_ssh,
  133 + :w => 4
  134 + },
  135 + {
  136 + :n => 'http',
  137 + :r => ['--proto tcp --dport 80',
  138 + '--proto tcp --dport 443'],
  139 + :w => 20
  140 + }
  141 +]
  142 +rules_filter2 = [
  143 + {
  144 + :n => 'reject',
  145 + :j => 'REJECT --reject-with icmp-host-prohibited',
  146 + :w => 90
  147 + },
  148 + {
  149 + :n => 'reject',
  150 + :c => 'FORWARD',
  151 + :j => 'REJECT --reject-with icmp-host-prohibited',
  152 + :w => 90
  153 + }
  154 +]
  155 +
  156 +default['cfe-simple-iptables']['filter'] =
  157 + rules_filter1 + rules_add + rules_filter2
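Review bot: The values decrypted by `Chef::EncryptedDataBagItem.load(databag, "#{cb}-secret")` are copied straight into node attributes (`default[cb]['misc']['sshd']['ports']` and `default['cfe-simple-iptables']['filter']`), and default attributes are persisted with the node object to the Chef server at the end of the run, so the "secret" SSH ports and custom firewall rules end up stored and searchable in plaintext anyway; either the README should state that these values are not confidential, or the load should move into the recipe and feed `node.run_state` so the decrypted data never leaves the node. The lookups also have no validation: a missing key turns `secret['iptables_ssh_ports'].inject` into a NoMethodError that aborts every converge at attribute-load time, and an empty array yields no SSH accept rule while the weight-90 REJECT rules still apply, locking out every new SSH connection. Each port is interpolated into the rule string unchecked, so I would coerce and guard before use, e.g. `ssh_ports = Array(secret['iptables_ssh_ports']).map { |p| Integer(p) }` followed by `raise "#{databag}/#{cb}-secret must list at least one sshd port" if ssh_ports.empty?`, and build `rules_ssh` from `ssh_ports`. Whoever can write that data bag item now controls the host firewall, which is worth a sentence in the README's "Secret Data Bag" section.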
... ...
1   -{
2   - "comment": "Test User",
3   - "shell": "/bin/bash",
4   - "groups": [
5   - "test",
6   - "devs",
7   - "adm",
8   - "plugdev",
9   - "netdev"
10   - ],
11   - "ssh_keys": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCx7fx78WXwHhrB3BGUVyrw2XONh/qE6waU/8/0aZ6bkBSGu2z2GnkXI6JSfAuAO7spBHlXJZRtwTV5VuJx4n28zmQpTksGjS8xP/a1vphwwVkABomempxY97V4PBJqpWSzCoHG2zmotARcwBKJcwQd4FFE7vngrBk9SxczyWer26rMkY8SyjUFQm2o8dPuZuaY8rHqK9QUw1YJg3rSDd6qfi2dlunAc8fbTdDnZ5hjgmlrfyFLgoP31Ix0OVL9ogFYE//tV9CjHbwV2wKCJEI57rXJ/AMX4ZTTR6L6ljoKDxis9QiJwae/x0J+fi8EADtaLrbdZ0y5nu4/UtSURVXt cfe_stg_20161109",
12   - "id": "test"
13   -}
1   -{
2   - "comment": "Chromedia SysAdmin",
3   - "shell": "/bin/bash",
4   - "groups": [
5   - "cfe",
6   - "sysadmins",
7   - "adm",
8   - "plugdev",
9   - "netdev"
10   - ],
11   - "ssh_keys": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCx7fx78WXwHhrB3BGUVyrw2XONh/qE6waU/8/0aZ6bkBSGu2z2GnkXI6JSfAuAO7spBHlXJZRtwTV5VuJx4n28zmQpTksGjS8xP/a1vphwwVkABomempxY97V4PBJqpWSzCoHG2zmotARcwBKJcwQd4FFE7vngrBk9SxczyWer26rMkY8SyjUFQm2o8dPuZuaY8rHqK9QUw1YJg3rSDd6qfi2dlunAc8fbTdDnZ5hjgmlrfyFLgoP31Ix0OVL9ogFYE//tV9CjHbwV2wKCJEI57rXJ/AMX4ZTTR6L6ljoKDxis9QiJwae/x0J+fi8EADtaLrbdZ0y5nu4/UtSURVXt cfe_stg_20161109",
12   - "id": "cfe"
13   -}
... ... @@ -4,7 +4,7 @@ maintainer_email 'sysadmin@chromedia.com'
4 4 license 'Apache License'
5 5 description 'Simplifies setting up common Linux servers.'
6 6 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
7   -version '0.1.0'
  7 +version '0.1.1'
8 8
9 9 %w{
10 10 cfe-users cfe-mariadb
... ...
... ... @@ -69,7 +69,7 @@ node[cookbook_name]['filesystem']['perms'].each do |perm|
69 69 elsif perm[:owner]
70 70 execute "chown -R #{perm[:owner]} #{perm[:path]}"
71 71 elsif perm[:group]
72   - execute "chown -R #{perm[:group]} #{perm[:path]}"
  72 + execute "chgrp -R #{perm[:group]} #{perm[:path]}"
73 73 end
74 74
75 75 if perm[:mode]
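Review bot: The corrected `chgrp -R` line still assembles the command by interpolating `perm[:group]` and `perm[:path]` into a shell string, as the `chown -R` branch above it does, so a path or group taken from the `['cfe-server']['filesystem']['perms']` attribute that contains whitespace or shell metacharacters is split or interpreted by the shell; the array form of `execute` avoids the shell entirely, e.g. `execute "chgrp -R #{perm[:group]} #{perm[:path]}" do` / `command ['chgrp', '-R', perm[:group], perm[:path]]` / `end`. These `execute` resources also appear to run unguarded, so they re-run and report a change on every converge; a `not_if` comparing the current group/owner would make them idempotent, though a guard may exist in lines outside the hunk. The `if`/`elsif` chain begins before the hunk, so its first branch is not visible here.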
... ...
... ... @@ -28,7 +28,7 @@ node[cookbook_name]['misc']['cronjobs'].each do |cjob|
28 28 day sched[2]
29 29 month sched[3]
30 30 weekday sched[4]
31   - mailto cjob[:mailto]
  31 + mailto cjob[:mailto] || '""'
32 32 path '/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin'
33 33 action( is_enable ? :create : :delete )
34 34 end
... ... @@ -56,3 +56,5 @@ template node[cookbook_name]['misc']['sshd']['conf_path'] do
56 56 :ports => node[cookbook_name]['misc']['sshd']['ports']
57 57 )
58 58 end
  59 +
  60 +include_recipe 'cfe-simple-iptables'
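Review bot: `include_recipe 'cfe-simple-iptables'` is added unconditionally, unlike every other wrapped recipe in this cookbook, which is gated by an `include_*` attribute (`include_mongodb`, `include_nginx`, `include_letsencrypt`, …); a matching `default[cb]['misc']['include_iptables'] = true` toggle would keep the interface consistent and give operators an escape hatch if the generated ruleset is wrong. Ordering is also worth a thought: the sshd_config template just above carries the new `:ports`, and if, as is usual, it restarts sshd via a delayed notification, the firewall is rewritten to admit only the new ports while sshd is still listening on the old ones, so no new SSH session can be opened until the run finishes; the existing session survives only because of the ESTABLISHED rule. If that is the intent, a short comment such as `# Firewall is applied after sshd config; sshd restart is delayed, so new ports open only at end of run` would spare the next reader a scare. The `mailto cjob[:mailto] || '""'` default matches the behaviour described in the attribute file comment, though that comment says `Default: ''` while the code default is the literal `'""'`, which is what actually disables cron mail.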
... ...