Version v0.1.1. Include cfe-simple-iptables cookbook.

@@ -19,3 +19,4 @@ bin/*
 .kitchen/
 .kitchen/
 .kitchen.local.yml
 .kitchen.local.yml
 .chef
 .chef
+data_bags

@@ -2,10 +2,10 @@ source "https://supermarket.chef.io"
 
 
 metadata
 metadata
 
 
-cookbook 'cfe-users', git: 'https://gitlab.chromedia.com/ops/cfe-users.git', tag: 'v0.1.0'
+cookbook 'cfe-users', git: 'https://gitlab.chromedia.com/ops/cfe-users.git', tag: 'v0.1.1'
 cookbook 'cfe-mariadb', git: 'https://gitlab.chromedia.com/ops/cfe-mariadb.git', tag: 'v0.5.0'
 cookbook 'cfe-mariadb', git: 'https://gitlab.chromedia.com/ops/cfe-mariadb.git', tag: 'v0.5.0'
 cookbook 'backup-file2s3', git: 'https://gitlab.chromedia.com/ops/backup-file2s3.git', tag: 'v0.3.3'
 cookbook 'backup-file2s3', git: 'https://gitlab.chromedia.com/ops/backup-file2s3.git', tag: 'v0.3.3'
-cookbook 'cfe-nginx-php-fpm', git: 'https://gitlab.chromedia.com/ops/cfe-nginx-php-fpm.git', tag: 'v0.5.1'
+cookbook 'cfe-nginx-php-fpm', git: 'https://gitlab.chromedia.com/ops/cfe-nginx-php-fpm.git', tag: 'v0.5.2'
 cookbook 'cfe-simple-iptables', git: 'https://gitlab.chromedia.com/ops/cfe-simple-iptables.git', tag: 'v0.1.0'
 cookbook 'cfe-simple-iptables', git: 'https://gitlab.chromedia.com/ops/cfe-simple-iptables.git', tag: 'v0.1.0'
 
 
 cookbook 'cookbook-letsencrypt', git: 'https://github.com/nollieheel/cookbook-letsencrypt.git', tag: 'v0.2.0'
 cookbook 'cookbook-letsencrypt', git: 'https://github.com/nollieheel/cookbook-letsencrypt.git', tag: 'v0.2.0'

+## 0.1.1 - 2016-12-09
+### Added
+- Include cookbook 'cfe-simple-iptables'. Also automatically add iptables that are listed in a secret data bag (see default attribute file).
+
 ## 0.1.0 - 2016-12-06
 ## 0.1.0 - 2016-12-06
 ### Added
 ### Added
 - Initial release of cfe-server cookbook.
 - Initial release of cfe-server cookbook.

@@ -16,18 +16,119 @@ Tested on Ubuntu 14.04.
     <th>Default</th>
     <th>Default</th>
   </tr>
   </tr>
   <tr>
   <tr>
-    <td><tt>['cfe-server']['']</tt></td>
+    <td><tt>['cfe-server']['db']['mariadb']['install']</tt></td>
     <td>Boolean</td>
     <td>Boolean</td>
-    <td>Description</td>
+    <td>Whether or not to install MariaDB server.</td>
+    <td><tt>false</tt></td>
+  </tr>
+  <tr>
+    <td><tt>['cfe-server']['db']['include_mongodb']</tt></td>
+    <td>Boolean</td>
+    <td>Whether or not to include the recipe `mongodb3`.</td>
+    <td><tt>true</tt></td>
+  </tr>
+  <tr>
+    <td><tt>['cfe-server']['filesystem']['swapfile']</tt></td>
+    <td>String/Boolean False</td>
+    <td>Path to swap file. Set to false to disable creating swap file.</td>
+    <td><tt>false</tt></td>
+  </tr>
+  <tr>
+    <td><tt>['cfe-server']['filesystem']['swapsize']</tt></td>
+    <td>String</td>
+    <td>Size of swap file if enabled.</td>
+    <td><tt>'2G'</tt></td>
+  </tr>
+  <tr>
+    <td><tt>['cfe-server']['filesystem']['perms']</tt></td>
+    <td>Array</td>
+    <td>Custom permissions and/or ownerships to specific filesystem paths. Please see the default attrbutes file for examples.</td>
+    <td><tt>[]</tt></td>
+  </tr>
+  <tr>
+    <td><tt>['cfe-server']['filesystem']['symlinks']</tt></td>
+    <td>Hash</td>
+    <td>Symbolic links to create. Each property-to-value corresponds to a linkname-to-target pair. (See default attribute file for examples.)</td>
+    <td><tt>{}</tt></td>
+  </tr>
+  <tr>
+    <td><tt>['cfe-server']['tls']['include_letsencrypt']</tt></td>
+    <td>Boolean</td>
+    <td>Whether or not to include the recipe `cookbook-letsencrypt`.</td>
+    <td><tt>true</tt></td>
+  </tr>
+  <tr>
+    <td><tt>['cfe-server']['app']['include_postfix']</tt></td>
+    <td>Boolean</td>
+    <td>Whether or not to include the recipe `cfe-nginx-php-fpm::postfix'.</td>
+    <td><tt>true</tt></td>
+  </tr>
+  <tr>
+    <td><tt>['cfe-server']['app']['include_php']</tt></td>
+    <td>Boolean</td>
+    <td>Whether or not to include the recipe 'cfe-nginx-php-fpm::php-fpm'.</td>
+    <td><tt>true</tt></td>
+  </tr>
+  <tr>
+    <td><tt>['cfe-server']['app']['include_pma']</tt></td>
+    <td>Boolean</td>
+    <td>Whether or not to include the recipe 'cookbook-phpmyadmin'.</td>
+    <td><tt>false</tt></td>
+  </tr>
+  <tr>
+    <td><tt>['cfe-server']['app']['composer']['project_paths']</tt></td>
+    <td>Array</td>
+    <td>If using composer, list here the directories where composer should be initialized.</td>
+    <td><tt>[]</tt></td>
+  </tr>
+  <tr>
+    <td><tt>['cfe-server']['misc']['cronjobs']</tt></td>
+    <td>Array</td>
+    <td>Specifications of cronjobs to be set up. Please see default attributes file for examples.</td>
+    <td><tt>[]</tt></td>
+  </tr>
+  <tr>
+    <td><tt>['cfe-server']['misc']['logrotatejobs']</tt></td>
+    <td>Array</td>
+    <td>Specifications of logrotate jobs to be set up. Please see default attribute file for examples.</td>
+    <td><tt>[]</tt></td>
+  </tr>
+  <tr>
+    <td><tt>['cfe-server']['web']['include_nginx']</tt></td>
+    <td>Boolean</td>
+    <td>Whether or not to include the recipe 'cfe-nginx-php-fpm::nginx'.</td>
     <td><tt>true</tt></td>
     <td><tt>true</tt></td>
   </tr>
   </tr>
 </table>
 </table>
 
 
 ## Usage
 ## Usage
 
 
+### Secret Data Bag
+
+A secret data bag named either `prod`, `staging`, or `dev` has to be created. In it should be an item named `cfe-server-secret` that contains two properties: `iptables_ssh_ports` and `iptables_add_rules`.
+
+`iptables_ssh_ports` is an array that contains ports to be used by sshd.
+
+`iptables_add_rules` is an array of hashes that denote additional FILTER iptables rules to be created on the server. The hashes must conform to the format required by the cookbook `cfe-simple-iptables`.
+
+Example:
+```json
+{
+  "id": "cfe-server-secret",
+  "iptables_ssh_ports": [ 8822 ],
+  "iptables_add_rules": [
+    {
+      "name"  : "Custom rule for my app",
+      "rule"  : "--proto tcp --dport 8080",
+      "weight": 25
+    }
+  ]
+}
+```
+
 ### cfe-server::default
 ### cfe-server::default
 
 
-Enter proper attributes for the different wrapped cookbooks, including this one. Then include `cfe-server` in your node's `run_list`:
+Enter proper attributes for the different wrapped cookbooks, including this one. Create the secret data bag mentioned above. Then include `cfe-server` in your node's `run_list`:
 
 
 ```json
 ```json
 {
 {

@@ -20,6 +20,21 @@
 
 
 cb = 'cfe-server'
 cb = 'cfe-server'
 
 
+# Secret data bag stuff
+#
+# Necessary secret data bag key/s:
+#   iptables_ssh_ports
+#   iptables_add_rules
+
+databag =
+  case node.chef_environment
+  when 'prod', 'staging'
+    node.chef_environment
+  else
+    'dev'
+  end
+secret = Chef::EncryptedDataBagItem.load(databag, "#{cb}-secret")
+
 default[cb]['db']['mariadb']['install'] = false
 default[cb]['db']['mariadb']['install'] = false
 default[cb]['db']['include_mongodb']    = true
 default[cb]['db']['include_mongodb']    = true
 
 
@@ -52,8 +67,8 @@ default[cb]['misc']['cronjobs'] = [
 #    :name    => 'arbitrary_name_of_cronjob',
 #    :name    => 'arbitrary_name_of_cronjob',
 #    :command => 'command to perform',
 #    :command => 'command to perform',
 #    :sched   => '0 0 * * *',
 #    :sched   => '0 0 * * *',
-#    :mailto  => '""',
-#    :enable  => true
+#    :mailto  => '""', # Optional. Default: ''
+#    :enable  => true # Optional. Default: true
 #  }
 #  }
 ]
 ]
 default[cb]['misc']['logrotatejobs'] = [
 default[cb]['misc']['logrotatejobs'] = [
@@ -61,12 +76,82 @@ default[cb]['misc']['logrotatejobs'] = [
 #    :name    => 'arbitrary_name_of_job', # a filename, no spaces
 #    :name    => 'arbitrary_name_of_job', # a filename, no spaces
 #    :path    => '/path/to/rotate/*.log',
 #    :path    => '/path/to/rotate/*.log',
 #    :options => %w{ weekly rotate\ 12 missingok compress notifempty },
 #    :options => %w{ weekly rotate\ 12 missingok compress notifempty },
-#    :enable  => true
+#    :enable  => true # Optional. Default true
 #  }
 #  }
 ]
 ]
 
 
 default[cb]['misc']['logrotate']['conf_dir'] = '/etc/logrotate.d'
 default[cb]['misc']['logrotate']['conf_dir'] = '/etc/logrotate.d'
-default[cb]['misc']['sshd']['ports']         = [ 22, 8765 ]
+default[cb]['misc']['sshd']['ports']         = secret['iptables_ssh_ports']
 default[cb]['misc']['sshd']['conf_path']     = '/etc/ssh/sshd_config'
 default[cb]['misc']['sshd']['conf_path']     = '/etc/ssh/sshd_config'
 
 
 default[cb]['web']['include_nginx'] = true
 default[cb]['web']['include_nginx'] = true
+
+# Wrapped attributes
+
+rules_ssh = secret['iptables_ssh_ports'].inject([]) do |acc, sport|
+  acc << "--proto tcp --dport #{sport} -m conntrack --ctstate NEW"
+  acc
+end
+
+# Place additional iptables filter rules in a secret data bag
+# according to the format for cfe-simple-iptables attribute:
+#  "iptables_add_rules": [
+#    {
+#      "name": "example",
+#      "rule": "example",
+#      "weight": 21
+#    }
+#  ]
+rules_add = secret['iptables_add_rules'].inject([]) do |acc1, rule|
+  hrule = rule.inject({}) do |acc2, (k, v)|
+    acc2[k.to_sym] = v
+    acc2
+  end
+  acc1 << hrule
+  acc1
+end
+
+rules_filter1 = [
+  {
+    :n => 'established',
+    :r => '-m conntrack --ctstate ESTABLISHED,RELATED',
+    :w => 1
+  },
+  {
+    :n => 'icmp',
+    :r => '--proto icmp',
+    :w => 2
+  },
+  {
+    :n => 'loopback',
+    :r => '--in-interface lo',
+    :w => 3
+  },
+  {
+    :n => 'ssh',
+    :r => rules_ssh,
+    :w => 4
+  },
+  {
+    :n => 'http',
+    :r => ['--proto tcp --dport 80',
+           '--proto tcp --dport 443'],
+    :w => 20
+  }
+]
+rules_filter2 = [
+  {
+    :n => 'reject',
+    :j => 'REJECT --reject-with icmp-host-prohibited',
+    :w => 90
+  },
+  {
+    :n => 'reject',
+    :c => 'FORWARD',
+    :j => 'REJECT --reject-with icmp-host-prohibited',
+    :w => 90
+  }
+]
+
+default['cfe-simple-iptables']['filter'] =
+  rules_filter1 + rules_add + rules_filter2

-{
-  "comment": "Test User",
-  "shell": "/bin/bash",
-  "groups": [
-    "test",
-    "devs",
-    "adm",
-    "plugdev",
-    "netdev"
-  ],
-  "ssh_keys": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCx7fx78WXwHhrB3BGUVyrw2XONh/qE6waU/8/0aZ6bkBSGu2z2GnkXI6JSfAuAO7spBHlXJZRtwTV5VuJx4n28zmQpTksGjS8xP/a1vphwwVkABomempxY97V4PBJqpWSzCoHG2zmotARcwBKJcwQd4FFE7vngrBk9SxczyWer26rMkY8SyjUFQm2o8dPuZuaY8rHqK9QUw1YJg3rSDd6qfi2dlunAc8fbTdDnZ5hjgmlrfyFLgoP31Ix0OVL9ogFYE//tV9CjHbwV2wKCJEI57rXJ/AMX4ZTTR6L6ljoKDxis9QiJwae/x0J+fi8EADtaLrbdZ0y5nu4/UtSURVXt cfe_stg_20161109",
-  "id": "test"
-}

-{
-  "comment": "Chromedia SysAdmin",
-  "shell": "/bin/bash",
-  "groups": [
-    "cfe",
-    "sysadmins",
-    "adm",
-    "plugdev",
-    "netdev"
-  ],
-  "ssh_keys": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCx7fx78WXwHhrB3BGUVyrw2XONh/qE6waU/8/0aZ6bkBSGu2z2GnkXI6JSfAuAO7spBHlXJZRtwTV5VuJx4n28zmQpTksGjS8xP/a1vphwwVkABomempxY97V4PBJqpWSzCoHG2zmotARcwBKJcwQd4FFE7vngrBk9SxczyWer26rMkY8SyjUFQm2o8dPuZuaY8rHqK9QUw1YJg3rSDd6qfi2dlunAc8fbTdDnZ5hjgmlrfyFLgoP31Ix0OVL9ogFYE//tV9CjHbwV2wKCJEI57rXJ/AMX4ZTTR6L6ljoKDxis9QiJwae/x0J+fi8EADtaLrbdZ0y5nu4/UtSURVXt cfe_stg_20161109",
-  "id": "cfe"
-}

@@ -4,7 +4,7 @@ maintainer_email 'sysadmin@chromedia.com'
 license          'Apache License'
 license          'Apache License'
 description      'Simplifies setting up common Linux servers.'
 description      'Simplifies setting up common Linux servers.'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version          '0.1.0'
+version          '0.1.1'
 
 
 %w{
 %w{
   cfe-users           cfe-mariadb 
   cfe-users           cfe-mariadb 

@@ -69,7 +69,7 @@ node[cookbook_name]['filesystem']['perms'].each do |perm|
   elsif perm[:owner]
   elsif perm[:owner]
     execute "chown -R #{perm[:owner]} #{perm[:path]}"
     execute "chown -R #{perm[:owner]} #{perm[:path]}"
   elsif perm[:group]
   elsif perm[:group]
-    execute "chown -R #{perm[:group]} #{perm[:path]}"
+    execute "chgrp -R #{perm[:group]} #{perm[:path]}"
   end
   end
 
 
   if perm[:mode]
   if perm[:mode]

@@ -28,7 +28,7 @@ node[cookbook_name]['misc']['cronjobs'].each do |cjob|
     day     sched[2]
     day     sched[2]
     month   sched[3]
     month   sched[3]
     weekday sched[4]
     weekday sched[4]
-    mailto  cjob[:mailto]
+    mailto  cjob[:mailto] || '""'
     path    '/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin'
     path    '/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin'
     action( is_enable ? :create : :delete )
     action( is_enable ? :create : :delete )
   end
   end
@@ -56,3 +56,5 @@ template node[cookbook_name]['misc']['sshd']['conf_path'] do
     :ports => node[cookbook_name]['misc']['sshd']['ports']
     :ports => node[cookbook_name]['misc']['sshd']['ports']
   )
   )
 end
 end
+
+include_recipe 'cfe-simple-iptables'