From 9db24df29bdfda789f6f9ba81e383d03ba551eaf Mon Sep 17 00:00:00 2001 From: Andrew Tomaka Date: Tue, 1 Apr 2014 11:45:06 -0400 Subject: [PATCH 01/11] Update README --- README.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/README.md b/README.md index fccfc16..f619c21 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,32 @@ # TC362 - Web Administration +## Installation + +Download the bootstrap script, set as executable, and run as root. + +## Usage + +``` +./bootstrap -s +``` + +Setup a server using the site.pp manifest and the master branch. + +``` +./bootstrap -s -m final.pp +``` + +Setup the server from the final project manifest + +``` +./bootstrap +``` + +Run the site.pp manifest file without the initial setup configurations. + +``` +./bootstrap -m final.pp atomaka/feature/final +``` + +Run the final.pp manifest file on the ```atomaka/feature/final``` branch of the +project. From fcb8fd20e22a0e79b8b7f666233f6f07b93038e0 Mon Sep 17 00:00:00 2001 From: Andrew Tomaka Date: Tue, 1 Apr 2014 10:54:59 -0400 Subject: [PATCH 02/11] Allow bootstrap to specify manifest file --- bootstrap.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/bootstrap.sh b/bootstrap.sh index 2533559..3f99f8a 100644 --- a/bootstrap.sh +++ b/bootstrap.sh @@ -3,13 +3,16 @@ # BOOSTRAP SCRIPT # Can take a single param to allow a specific branch to be installed -usage() { echo "Usage: $0 [-s] [branch]" 1>&2; exit 1; } +usage() { echo "Usage: $0 [-s] [-m MANIFEST_FILE] [BRANCH]" 1>&2; exit 1; } -while getopts "s" o; do +while getopts "sm:" o; do case "${o}" in s) SETUP=true ;; + m) + MANIFEST=${OPTARG} + ;; *) usage ;; @@ -68,4 +71,4 @@ fi librarian-puppet install # RUN MANIFEST -puppet apply manifests/site.pp --modulepath=modules/ +puppet apply manifests/$MANIFEST --modulepath=modules/ From f6545bc9547e2b99ae474cf09b6456a11986b5e6 Mon Sep 17 00:00:00 2001 
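Review bot: `puppet apply manifests/$MANIFEST --modulepath=modules/` in the last hunk has no default for `MANIFEST`, so the plain `./bootstrap` and `./bootstrap -s` forms the README documents now run `puppet apply manifests/` against a directory instead of `site.pp`. Give the variable a default before the `getopts` loop and quote it at the call site: `MANIFEST=${MANIFEST:-site.pp}` and `puppet apply "manifests/$MANIFEST" --modulepath=modules/`. Because this runs as root, it would also be reasonable to reject a value containing `/` so `-m` cannot be pointed outside `manifests/`, though the script is interactive so that is hardening rather than a trust boundary. The option parsing and the apply call sit in different hunks and the rest of the script is outside this patch.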
From: Andrew Tomaka Date: Tue, 1 Apr 2014 13:44:47 -0400 Subject: [PATCH 03/11] Do not automate dist-upgrade --- bootstrap.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bootstrap.sh b/bootstrap.sh index 3f99f8a..50a0adf 100644 --- a/bootstrap.sh +++ b/bootstrap.sh @@ -39,7 +39,7 @@ if [ "$SETUP" = true ] ; then dpkg-reconfigure --frontend noninteractive tzdata # UPGRADE ALL CURRENT PACKAGES - apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y + apt-get update && apt-get upgrade -y # INSTALL GIT apt-get install git -y From 59be174027a0945489f86a9a391ba253d915e921 Mon Sep 17 00:00:00 2001 From: Andrew Tomaka Date: Tue, 1 Apr 2014 13:09:01 -0400 Subject: [PATCH 04/11] Add ruby1.9.3 to bootstrap --- bootstrap.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/bootstrap.sh b/bootstrap.sh index 50a0adf..5108048 100644 --- a/bootstrap.sh +++ b/bootstrap.sh @@ -44,6 +44,11 @@ if [ "$SETUP" = true ] ; then # INSTALL GIT apt-get install git -y + # INSTALL RUBY 1.9.3 (for rails) + apt-get install ruby1.9.3 -y + update-alternatives --set ruby /usr/bin/ruby1.9.1 + update-alternatives --set gem /usr/bin/gem1.9.1 + # INSTALL RUBYGEMS apt-get install rubygems -y From dc5d00d9590617a05f9aa19e1c5bf8318be2033e Mon Sep 17 00:00:00 2001 From: Andrew Tomaka Date: Tue, 1 Apr 2014 11:35:14 -0400 Subject: [PATCH 05/11] Basic setup in new manifest --- Puppetfile | 1 + Puppetfile.lock | 2 + manifests/final.pp | 92 ++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 95 insertions(+) create mode 100644 manifests/final.pp diff --git a/Puppetfile b/Puppetfile index acc5fb2..f780814 100644 --- a/Puppetfile +++ b/Puppetfile @@ -3,6 +3,7 @@ forge "http://forge.puppetlabs.com" mod 'camptocamp/augeas', '0.0.1' mod 'hunner/wordpress', '0.6.0' mod 'puppetlabs/apache', '0.10.0' +mod 'puppetlabs/firewall', '1.0.2' mod 'puppetlabs/mysql', '2.2.3' mod 'saz/ssh', '1.2.0' mod 'saz/sudo', '2.4.3' 
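Review bot: Dropping `dist-upgrade` leaves only `apt-get upgrade -y`, which never installs new packages or removes conflicting ones, so updates whose dependencies changed (typically kernel meta-packages and other security updates) are held back silently with nothing in the script output to show it. If that is the intent, record it in the comment, e.g. `# UPGRADE ALL CURRENT PACKAGES (upgrade only: packages reported as "kept back" must be dist-upgraded by hand)`, so whoever runs the bootstrap knows to check. The enclosing `if [ "$SETUP" = true ]` block starts and ends outside this hunk.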
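Review bot: The two `update-alternatives --set` lines assume `apt-get install ruby1.9.3 -y` succeeded, but nothing in the hunk checks an exit status, so if the package is unavailable the script carries on and the later gem installs run against whatever `ruby` is already on the path (unless the script sets `-e` outside this hunk, which is not visible here). Chaining them, `apt-get install ruby1.9.3 -y && update-alternatives --set ruby /usr/bin/ruby1.9.1 && update-alternatives --set gem /usr/bin/gem1.9.1`, or adding `set -e` near the top of the script, makes the failure visible instead of deferred. The `apt-get install rubygems -y` context line just below is, on the Ubuntu releases of this era, the Ruby 1.8 rubygems package; if so it is redundant with the gems bundled in 1.9.3 and pulls ruby1.8 back in, so consider dropping it once 1.9.3 is the default. The surrounding setup block starts and ends outside this hunk.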
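Review bot: The newly pinned `puppetlabs/firewall 1.0.2` is resolved against `forge "http://forge.puppetlabs.com"` (the context line at the top of this hunk), so the module tarball is fetched over plain HTTP and then applied as root; the version pin gives reproducibility but no integrity. `forge "https://forge.puppetlabs.com"` is a one-word fix if the forge endpoint serves TLS, which this diff cannot confirm. The Puppetfile.lock in the next hunk records versions only, not checksums, so it does not close the gap either.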
diff --git a/Puppetfile.lock b/Puppetfile.lock index ce36212..418eb74 100644 --- a/Puppetfile.lock +++ b/Puppetfile.lock @@ -11,6 +11,7 @@ FORGE puppetlabs/stdlib (>= 2.4.0) puppetlabs/concat (1.1.0-rc1) puppetlabs/stdlib (>= 3.0.0) + puppetlabs/firewall (1.0.2) puppetlabs/mysql (2.2.3) puppetlabs/stdlib (>= 3.2.0) puppetlabs/stdlib (4.1.0) @@ -22,6 +23,7 @@ DEPENDENCIES camptocamp/augeas (= 0.0.1) hunner/wordpress (= 0.6.0) puppetlabs/apache (= 0.10.0) + puppetlabs/firewall (= 1.0.2) puppetlabs/mysql (= 2.2.3) saz/ssh (= 1.2.0) saz/sudo (= 2.4.3) diff --git a/manifests/final.pp b/manifests/final.pp new file mode 100644 index 0000000..78cbdf1 --- /dev/null +++ b/manifests/final.pp 
@@ -0,0 +1,92 @@ +# Create a non root user with sudo permissions +# jeff, with password +user { 'jeff': + ensure => present, + groups => ['sudo'], + managehome => true, + shell => '/bin/bash', + password => '$6$.AURF9sE09Q$..S10CFY7G.AVXzSW//w6GoV6yPzBzdvyUl8a7oyYbW/XzBU.o6AdHxTgTkCSWb64zmN3QoKovoUyLJhE/MFP/', +} + +# Logging in with the root user must be disabled +include augeas +class { '::ssh::server': + require => Class['augeas'], +} +ssh::server::configline { 'PermitRootLogin': value => 'no' } + +# SSH must be enabled on a non-standard port +ssh::server::configline { 'Port': value => '22984' } + +# Install a working MySQL server +class { '::mysql::server': } + +# A fully functioning Ruby on Rails installation must be present at your domain +# name or IP address using the Nginx web server (must show the Rails welcome +# page) +# You may use any Rails deployment that works with Nginx + +# IN PROGRESS + +# A working firewall using iptables or another Linux firewall +resources { 'firewall': + purge => true, +} +class { '::firewall': } +firewall { '000 accept all icmp': + proto => 'icmp', + action => 'accept', +} -> +firewall { '100 accept ssh (non-default port)': + proto => 'tcp', + dport => '22984', + action => 'accept', +} -> +firewall { '200 accept http': + proto => 'tcp', + dport => '80', + action => 'accept', +} -> +firewall { '999 drop all': + proto => 'all', + action => 'drop', + before => undef, +} + +# STUFF OUTSIDE SCOPE OF ASSIGNMENT +# convenience stuff +package { 'mosh': } +package { 'zsh': } + +# atomaka, with SSH key +user { 'atomaka': + ensure => present, + groups => ['sudo'], + managehome => true, + shell => '/bin/zsh', + require => [ + Package['zsh'], + ], +} +file { '/home/atomaka/.ssh': + ensure => directory, + owner => 'atomaka', + group => 'atomaka', + mode => '0700', + require => User['atomaka'], +} +file { '/home/atomaka/.ssh/authorized_keys': + ensure => present, + owner => 'atomaka', + group => 'atomaka', + mode => '0600', + content => 
file('/tmp/puppet/files/keys/atomaka'), + require => File['/home/atomaka/.ssh'], +} + +# sudo no password +include sudo +sudo::conf { 'sudo': + priority => 10, + content => "%sudo ALL=(ALL) NOPASSWD: ALL\n", +} From c529674de1ae87ce461c65932c2c65b80876f913 Mon Sep 17 00:00:00 2001 From: Andrew Tomaka Date: Tue, 1 Apr 2014 11:48:30 -0400 Subject: [PATCH 06/11] Install nginx --- Puppetfile | 1 + Puppetfile.lock | 7 +++++++ manifests/final.pp | 3 ++- 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/Puppetfile b/Puppetfile index f780814..3b9edb7 100644 --- a/Puppetfile +++ b/Puppetfile @@ -2,6 +2,7 @@ forge "http://forge.puppetlabs.com" mod 'camptocamp/augeas', '0.0.1' mod 'hunner/wordpress', '0.6.0' +mod 'jfryman/nginx', '0.0.9' mod 'puppetlabs/apache', '0.10.0' mod 'puppetlabs/firewall', '1.0.2' mod 'puppetlabs/mysql', '2.2.3' diff --git a/Puppetfile.lock b/Puppetfile.lock index 418eb74..d97d805 100644 --- a/Puppetfile.lock +++ b/Puppetfile.lock @@ -6,9 +6,15 @@ FORGE puppetlabs/concat (>= 1.0.0) puppetlabs/mysql (>= 2.1.0) puppetlabs/stdlib (>= 2.3.1) + jfryman/nginx (0.0.9) + puppetlabs/apt (>= 1.0.0) + puppetlabs/concat (>= 1.0.0) + puppetlabs/stdlib (>= 0.1.6) puppetlabs/apache (0.10.0) puppetlabs/concat (>= 1.0.0) puppetlabs/stdlib (>= 2.4.0) + puppetlabs/apt (1.4.2) + puppetlabs/stdlib (>= 2.2.1) puppetlabs/concat (1.1.0-rc1) puppetlabs/stdlib (>= 3.0.0) puppetlabs/firewall (1.0.2) @@ -22,6 +28,7 @@ FORGE DEPENDENCIES camptocamp/augeas (= 0.0.1) hunner/wordpress (= 0.6.0) + jfryman/nginx (= 0.0.9) puppetlabs/apache (= 0.10.0) puppetlabs/firewall (= 1.0.2) puppetlabs/mysql (= 2.2.3) diff --git a/manifests/final.pp b/manifests/final.pp index 78cbdf1..3456d12 100644 --- a/manifests/final.pp +++ b/manifests/final.pp 
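Review bot: The `jeff` user resource at the top of the new file embeds a SHA-512 crypt hash (`$6$...`) in a manifest committed to the repository, which hands anyone with read access to the repo an offline cracking target for an account that is in `sudo` and, through the `sudo::conf` at the bottom of the same file, gets root with `NOPASSWD: ALL`. Keep the hash out of the manifest (hiera/eyaml, a root-owned file read at apply time the way the key already is, or set the password out of band) and treat the committed one as burned. The key path `/tmp/puppet/files/keys/atomaka` also sits under `/tmp`, a world-writable directory, so a local user who creates that path before the run chooses which public key lands in `atomaka`'s `authorized_keys`; if `/tmp/puppet` is the bootstrap's checkout location (not visible here), a root-owned staging directory such as one under `/root` would close that. Finally `22984` is repeated in the `ssh::server::configline` and the `firewall` resource; a single `$ssh_port = '22984'` at the top of the file used by both keeps the firewall rule from drifting from sshd.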
@@ -26,7 +26,8 @@ class { '::mysql::server': } # page) # You may use any Rails deployment that works with Nginx -# IN PROGRESS +# install nginx +class { 'nginx': } # A working firewall using iptables or another Linux firewall resources { 'firewall': From 6c78a8f79d630b7a875068a3b309642e9cfe9052 Mon Sep 17 00:00:00 2001 From: Andrew Tomaka Date: Tue, 1 Apr 2014 12:02:45 -0400 Subject: [PATCH 07/11] Create, install, and start basic rails app --- manifests/final.pp | 48 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/manifests/final.pp b/manifests/final.pp index 3456d12..a4e6c55 100644 --- a/manifests/final.pp +++ b/manifests/final.pp 
@@ -29,6 +29,54 @@ class { '::mysql::server': } # install nginx class { 'nginx': } +# install rails +package { 'rails': + provider => 'gem', +} + +# add rails depends +package { ['libsqlite3-dev', 'build-essential', 'nodejs']: + before => Exec['install rails app'] +} + +# add rails user and application +user { 'rails': + ensure => present, + groups => ['sudo'], + managehome => true, + shell => '/bin/bash', +} +exec { 'create rails app': + command => 'rails new welcome', + user => 'rails', + environment => ['HOME=/home/rails'], + path => '/usr/bin:/usr/local/bin', + cwd => '/home/rails', + creates => '/home/rails/welcome', + require => [ + Package['rails'], + User['rails'], + ], +} +exec { 'install rails app': + command => 'bundle install --path vendor/bundle', + user => 'rails', + environment => ['HOME=/home/rails'], + path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + cwd => '/home/rails/welcome', + unless => 'bundle check', + require => Exec['create rails app'], + notify => Exec['start rails app'], +} +exec { 'start rails app': + command => 'rails server -d', + user => 'rails', + environment => ['HOME=/home/rails'], + path => '/usr/bin:/usr/local/bin', + cwd => '/home/rails/welcome', + refreshonly => true, +} + # A working firewall using iptables or another Linux firewall resources { 'firewall': purge => true, From 954067c9553fc1d4882dc41521cf2edf62c68c25 Mon Sep 17 00:00:00 2001 From: Andrew Tomaka Date: Tue, 1 Apr 2014 17:14:44 -0400 Subject: [PATCH 08/11] Update saz/ssh --- Puppetfile | 3 +-- Puppetfile.lock | 6 ++---- manifests/final.pp | 14 +++++++------- manifests/site.pp | 21 ++++++++++++++------- 4 files changed, 24 insertions(+), 20 deletions(-) diff --git a/Puppetfile b/Puppetfile index 3b9edb7..7633622 100644 --- a/Puppetfile +++ b/Puppetfile 
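Review bot: The new `rails` service account is put in `groups => ['sudo']`, and this manifest's `sudo::conf` grants `%sudo ALL=(ALL) NOPASSWD: ALL`, so the process started by `rails server -d` runs as a user that can become root without a password; any code execution in the app, or a malicious gem pulled in by `bundle install`, is then a root compromise. None of the three execs needs sudo (they run as `rails` with `HOME=/home/rails` and write only under `/home/rails`), so drop the `groups` line: `user { 'rails': ensure => present, managehome => true, shell => '/bin/bash', }`. Separately, `package { 'rails': provider => 'gem' }` is unpinned, so the app generated by `rails new` depends on whatever rails rubygems serves at apply time; pin it with `ensure => '<version you tested with>'` to keep the build reproducible. `rails server -d` only runs on refresh from `bundle install` and is not a managed service, so it will not survive a reboot, which deserves a comment even if out of scope.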
@@ -1,11 +1,10 @@ forge "http://forge.puppetlabs.com" -mod 'camptocamp/augeas', '0.0.1' mod 'hunner/wordpress', '0.6.0' mod 'jfryman/nginx', '0.0.9' mod 'puppetlabs/apache', '0.10.0' mod 'puppetlabs/firewall', '1.0.2' mod 'puppetlabs/mysql', '2.2.3' -mod 'saz/ssh', '1.2.0' +mod 'saz/ssh', '2.3.3' mod 'saz/sudo', '2.4.3' diff --git a/Puppetfile.lock b/Puppetfile.lock index d97d805..80f7013 100644 --- a/Puppetfile.lock +++ b/Puppetfile.lock @@ -1,7 +1,6 @@ FORGE remote: http://forge.puppetlabs.com specs: - camptocamp/augeas (0.0.1) hunner/wordpress (0.6.0) puppetlabs/concat (>= 1.0.0) puppetlabs/mysql (>= 2.1.0) @@ -21,17 +20,16 @@ FORGE puppetlabs/mysql (2.2.3) puppetlabs/stdlib (>= 3.2.0) puppetlabs/stdlib (4.1.0) - saz/ssh (1.2.0) + saz/ssh (2.3.3) puppetlabs/stdlib (>= 2.2.1) saz/sudo (2.4.3) DEPENDENCIES - camptocamp/augeas (= 0.0.1) hunner/wordpress (= 0.6.0) jfryman/nginx (= 0.0.9) puppetlabs/apache (= 0.10.0) puppetlabs/firewall (= 1.0.2) puppetlabs/mysql (= 2.2.3) - saz/ssh (= 1.2.0) + saz/ssh (= 2.3.3) saz/sudo (= 2.4.3) diff --git a/manifests/final.pp b/manifests/final.pp index a4e6c55..1acfeaa 100644 --- a/manifests/final.pp +++ b/manifests/final.pp @@ -8,15 +8,15 @@ user { 'jeff': password => '$6$.AURF9sE09Q$..S10CFY7G.AVXzSW//w6GoV6yPzBzdvyUl8a7oyYbW/XzBU.o6AdHxTgTkCSWb64zmN3QoKovoUyLJhE/MFP/', } -# Logging in with the root user must be disabled -include augeas class { '::ssh::server': - require => Class['augeas'], + storeconfigs_enabled => false, + options => { + # Logging in with the root user must be disabled + 'PermitRootLogin' => 'no', + # SSH must be enabled on a non-standard port + 'Port' => [22984], + }, } -ssh::server::configline { 'PermitRootLogin': value => 'no' } - -# SSH must be enabled on a non-standard port -ssh::server::configline { 'Port': value => '22984' } # Install a working MySQL server class { '::mysql::server': } diff --git a/manifests/site.pp b/manifests/site.pp index cc117d4..97e1ffc 100644 --- a/manifests/site.pp 
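Review bot: The new `options` hash in final.pp sets `PermitRootLogin` and moves the port but leaves `PasswordAuthentication` at the module/sshd default (yes, unless saz/ssh 2.3.3's default options say otherwise, which this diff does not show) and sets no `AllowUsers`, so `jeff`, whose password hash is committed in the same file, can log in by password from anywhere and then reach root through the NOPASSWD sudo rule. Unless the assignment requires password SSH for jeff, add `'PasswordAuthentication' => 'no',` to the hash, and in any case add `'AllowUsers' => 'atomaka jeff',` so only the intended admin accounts are SSH targets. site.pp in the next hunk already carries an AllowUsers list, so this also brings the two manifests in line.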
+++ b/manifests/site.pp @@ -65,8 +65,21 @@ package { 'mailutils': } include augeas include sudo +ssh::server::configline { 'Port': value => '22984' } +ssh::server::configline { 'PermitRootLogin': value => 'no' } +ssh::server::configline { 'PasswordAuthentication': value => 'yes' } +ssh::server::configline { 'AllowUsers/1': value => 'atomaka' } +ssh::server::configline { 'AllowUsers/2': value => 'jeff' } + class { '::ssh::server': - require => Class['augeas'], + storeconfigs_enabled => false, + options => { + 'Port' => [22984], + 'PermitRootLogin' => 'no', + 'PasswordAuthentication' => 'yes', + 'AllowUsers/1' => 'atomaka', + 'AllowUsers/2' => 'jeff', + }, } class { '::apache': @@ -87,12 +100,6 @@ class { '::wordpress': } # CONFIGURATIONS -ssh::server::configline { 'Port': value => '22984' } -ssh::server::configline { 'PermitRootLogin': value => 'no' } -ssh::server::configline { 'PasswordAuthentication': value => 'yes' } -ssh::server::configline { 'AllowUsers/1': value => 'atomaka' } -ssh::server::configline { 'AllowUsers/2': value => 'jeff' } - sudo::conf { 'sudo': priority => 10, content => "%sudo ALL=(ALL) NOPASSWD: ALL\n", From 203ed074422a00d7b760cba4c94534b076d73da7 Mon Sep 17 00:00:00 2001 From: Andrew Tomaka Date: Tue, 1 Apr 2014 14:48:41 -0400 Subject: [PATCH 09/11] Fix firewall rules --- manifests/final.pp | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/manifests/final.pp b/manifests/final.pp index 1acfeaa..0b91be4 100644 --- a/manifests/final.pp +++ b/manifests/final.pp 
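Review bot: The keys `'AllowUsers/1'` and `'AllowUsers/2'` in the new `options` hash are Augeas path syntax carried over from the removed `ssh::server::configline` resources; if saz/ssh 2.x renders `options` through a template as `keyword value` lines, these land in sshd_config as `AllowUsers/1 atomaka`, which sshd rejects as a bad configuration option and refuses to start with, locking everyone out at the next restart. I cannot see the 2.3.3 template from here, so verify, but the safe form is one keyword, `'AllowUsers' => 'atomaka jeff',`. The `AllowUsers/N` shape does not appear in final.pp, so only this manifest is affected.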
@@ -81,11 +81,23 @@ exec { 'start rails app': resources { 'firewall': purge => true, } -class { '::firewall': } +class { '::firewall': + require => Class['::ssh::server'], +} firewall { '000 accept all icmp': proto => 'icmp', action => 'accept', } -> +firewall { '001 accept all to lo interface': + proto => 'all', + iniface => 'lo', + action => 'accept', +}-> +firewall { '002 accept related established rules': + proto => 'all', + state => ['RELATED', 'ESTABLISHED'], + action => 'accept', +}-> firewall { '100 accept ssh (non-default port)': proto => 'tcp', dport => '22984', @@ -95,7 +107,8 @@ firewall { '200 accept http': proto => 'tcp', dport => '80', action => 'accept', -} -> +} + firewall { '999 drop all': proto => 'all', action => 'drop', From 435e7e755f872084624b34431670b8b5aa061316 Mon Sep 17 00:00:00 2001 From: Andrew Tomaka Date: Tue, 1 Apr 2014 17:50:48 -0400 Subject: [PATCH 10/11] Add nginx proxy --- manifests/final.pp | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/manifests/final.pp b/manifests/final.pp index 0b91be4..0fd4828 100644 --- a/manifests/final.pp +++ b/manifests/final.pp @@ -29,6 +29,14 @@ class { '::mysql::server': } # install nginx class { 'nginx': } +# configure nginx proxy +nginx::resource::upstream { 'welcome_app': + members => ['localhost:3000'], +} +nginx::resource::vhost { 'final.atomaka.com': + proxy => 'http://welcome_app', +} + # install rails package { 'rails': provider => 'gem', From 6d2bf0ee7311d1d1884fa504ed87d984340d9248 Mon Sep 17 00:00:00 2001 From: Andrew Tomaka Date: Wed, 2 Apr 2014 15:49:58 -0400 Subject: [PATCH 11/11] Add IP for final project --- final/server.txt | 1 + 1 file changed, 1 insertion(+) create mode 100644 final/server.txt diff --git a/final/server.txt b/final/server.txt new file mode 100644 index 0000000..7f48b1e --- /dev/null +++ b/final/server.txt @@ -0,0 +1 @@ +final.atomaka.com (162.243.53.120)
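Review bot: The rule set manages only the IPv4 `iptables` provider: none of the resources set `provider => 'ip6tables'` and there is no IPv6 counterpart to `'999 drop all'`, so if the host has a global IPv6 address (the deploy note in the last patch lists only an IPv4, so this may be moot) sshd on 22984 and anything else bound to all addresses is reachable over IPv6 unfiltered. Mirror at least the loopback, established and drop rules with `provider => 'ip6tables'`, or disable IPv6 explicitly and say so in a comment. Note also that `'999 drop all'` has been taken out of the `->` chain, so its position now rests solely on the module's ordering by numeric name prefix; that is the module's documented behaviour and fine, but `before => undef` on that resource is now dead noise and can go.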
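Review bot: The new vhost proxies `final.atomaka.com` straight to the `rails server -d` upstream, which, with no `-e`/`RAILS_ENV` in the start exec, runs in the development environment, so the public site serves Rails' development error pages (backtraces, source excerpts, request parameters) and the `/rails/info/*` routes. If the assignment's welcome-page requirement forces development mode (the Rails 4 welcome page is only mounted in development), keep that trade-off visible with a comment on the vhost, e.g. `# NOTE: upstream runs in development mode for the welcome page; error pages expose internals`, and do not reuse this manifest beyond the assignment; otherwise pass `-e production` to the server exec. The `proxy => 'http://welcome_app'` form leaves `Host`/`X-Forwarded-*` handling to jfryman/nginx 0.0.9 defaults that this diff does not show; confirm the upstream receives the original host if the app ever depends on it.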