deprec 1.9.3 → 2.0.0

data/lib/deprec/templates/passenger/passenger.load.erb

@@ -0,0 +1,3 @@
+# /etc/apache2/mods-available/passenger.conf
+#
+LoadModule passenger_module <%= passenger_install_dir %>/ext/apache2/mod_passenger.so

data/lib/deprec/templates/postfix/aliases.erb

@@ -0,0 +1,3 @@
+# See man 5 aliases for format
+postmaster:    root
+

data/lib/deprec/templates/postfix/dynamicmaps.cf.erb

@@ -0,0 +1,8 @@
+# Postfix dynamic maps configuration file.
+#
+# The first match found is the one that is used.  Wildcards are not supported
+# as of postfix 2.0.2
+#
+#type	location of .so file			open function	(mkmap func)
+#====	================================	=============	============
+tcp	/usr/lib/postfix/dict_tcp.so		dict_tcp_open	

data/lib/deprec/templates/{postfix_main.conf → postfix/main.cf.erb}

@@ -1,11 +1,10 @@
 # See /usr/share/postfix/main.cf.dist for a commented, more complete version
-# CONFIGURATION DEPLOYED BY CAPISTRANO/DEPREC
-# MODIFICATIONS WILL BE OVERWRITTEN IF YOU RUN THIS SCRIPT AGAIN
+
 
 # Debian specific:  Specifying a file name will cause the first
 # line of that file to be used as the name.  The Debian default
 # is /etc/mailname.
-#myorigin = /etc/mailname
+myorigin = /etc/mailname
 
 smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
 biff = no
@@ -26,13 +25,12 @@ smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
 # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
 # information on enabling SSL in the smtp client.
 
-myhostname = playful
+# myhostname = 
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
-myorigin = /etc/mailname
-mydestination = <%= postfix_destination_domains * ', ' %>, localhost.localdomain, localhost
-relayhost = 
+mydestination = $myhostname localhost.$mydomain $myorigin
+relayhost = <%= postfix_relayhost %>
 mynetworks = 127.0.0.0/8
 mailbox_size_limit = 0
 recipient_delimiter = +
-inet_interfaces = all
+inet_interfaces = loopback-only

data/lib/deprec/templates/postfix/master.cf.erb

@@ -0,0 +1,77 @@
+#
+# Postfix master process configuration file.  For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master").
+#
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (yes)   (never) (100)
+# ==========================================================================
+smtp      inet  n       -       -       -       -       smtpd
+#submission inet n       -       -       -       -       smtpd
+#  -o smtpd_enforce_tls=yes
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+#smtps     inet  n       -       -       -       -       smtpd
+#  -o smtpd_tls_wrappermode=yes
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+#628      inet  n       -       -       -       -       qmqpd
+pickup    fifo  n       -       -       60      1       pickup
+cleanup   unix  n       -       -       -       0       cleanup
+qmgr      fifo  n       -       n       300     1       qmgr
+#qmgr     fifo  n       -       -       300     1       oqmgr
+tlsmgr    unix  -       -       -       1000?   1       tlsmgr
+rewrite   unix  -       -       -       -       -       trivial-rewrite
+bounce    unix  -       -       -       -       0       bounce
+defer     unix  -       -       -       -       0       bounce
+trace     unix  -       -       -       -       0       bounce
+verify    unix  -       -       -       -       1       verify
+flush     unix  n       -       -       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+smtp      unix  -       -       -       -       -       smtp
+# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
+relay     unix  -       -       -       -       -       smtp
+	-o smtp_fallback_relay=
+#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq     unix  n       -       -       -       -       showq
+error     unix  -       -       -       -       -       error
+retry     unix  -       -       -       -       -       error
+discard   unix  -       -       -       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       -       -       -       lmtp
+anvil     unix  -       -       -       -       1       anvil
+scache	  unix	-	-	-	-	1	scache
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent.  See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop  unix  -       n       n       -       -       pipe
+  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp      unix  -       n       n       -       -       pipe
+  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail    unix  -       n       n       -       -       pipe
+  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp     unix  -       n       n       -       -       pipe
+  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix	-	n	n	-	2	pipe
+  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman   unix  -       n       n       -       -       pipe
+  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+  ${nexthop} ${user}
+

data/lib/deprec/templates/sphinx/monit.conf.erb

@@ -0,0 +1,5 @@
+check process searchd with pidfile /opt/local/var/db/sphinx/log/searchd.pid
+	start program = "/usr/local/bin/searchd --config <%= deploy_to %>/current/config/ultrasphinx/production.conf"
+	stop program = "/usr/local/bin/searchd --stop --config <%= deploy_to %>/current/config/ultrasphinx/production.conf"
+
+	if 3 restarts within 5 cycles then timeout

data/lib/deprec/templates/ssh/ssh_config.erb

@@ -0,0 +1,50 @@
+
+# This is the ssh client system-wide configuration file.  See
+# ssh_config(5) for more information.  This file provides defaults for
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
+
+# Configuration data is parsed as follows:
+#  1. command line options
+#  2. user-specific file
+#  3. system-wide file
+# Any configuration value is only changed the first time it is set.
+# Thus, host-specific definitions should be at the beginning of the
+# configuration file, and defaults at the end.
+
+# Site-wide defaults for some commonly used options.  For a comprehensive
+# list of available options, their meanings and defaults, please see the
+# ssh_config(5) man page.
+
+Host *
+    ForwardAgent yes
+#   ForwardX11 no
+#   ForwardX11Trusted yes
+#   RhostsRSAAuthentication no
+#   RSAAuthentication yes
+#   PasswordAuthentication yes
+#   HostbasedAuthentication no
+#   GSSAPIAuthentication no
+#   GSSAPIDelegateCredentials no
+#   GSSAPIKeyExchange no
+#   GSSAPITrustDNS no
+#   BatchMode no
+#   CheckHostIP yes
+#   AddressFamily any
+#   ConnectTimeout 0
+#   StrictHostKeyChecking ask
+#   IdentityFile ~/.ssh/identity
+#   IdentityFile ~/.ssh/id_rsa
+#   IdentityFile ~/.ssh/id_dsa
+#   Port 22
+#   Protocol 2,1
+#   Cipher 3des
+#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
+#   EscapeChar ~
+#   Tunnel no
+#   TunnelDevice any:any
+#   PermitLocalCommand no
+    SendEnv LANG LC_*
+    HashKnownHosts yes
+    GSSAPIAuthentication yes
+    GSSAPIDelegateCredentials no

data/lib/deprec/templates/ssh/sshd_config.erb

@@ -0,0 +1,78 @@
+# Package generated configuration file
+# See the sshd(8) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin no
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile	%h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+UsePAM no
+UseDNS no

data/lib/deprec/templates/ssl/make-ssl-cert

@@ -0,0 +1,138 @@
+#!/bin/bash -e
+# This is a mockup of a script to produce a snakeoil cert
+# The aim is to have a debconfisable ssl-certificate script
+
+. /usr/share/debconf/confmodule
+db_version 2.0
+db_capb backup
+
+ask_via_debconf() {
+    db_settitle make-ssl-cert/title
+
+    templates="countryname statename localityname organisationname ouname hostname email"
+
+    for i in $templates; do
+	RET=""
+	while [ "x$RET" = "x" ]; do
+	    db_fset make-ssl-cert/$i seen false
+	    db_input high make-ssl-cert/$i || true
+	    db_go
+	    db_get make-ssl-cert/$i
+	done
+     done
+
+     db_get make-ssl-cert/countryname
+     CountryName="$RET"
+     db_fset make-ssl-cert/countryname seen false
+
+     db_get make-ssl-cert/statename
+     StateName="$RET"
+     db_fset make-ssl-cert/statename seen false
+
+     db_get make-ssl-cert/localityname
+     LocalityName="$RET"
+     db_fset make-ssl-cert/localityname seen false
+
+     db_get make-ssl-cert/organisationname
+     OrganisationName="$RET"
+     db_fset make-ssl-cert/organisationname seen false
+
+     db_get make-ssl-cert/ouname
+     OUName="$RET"
+     db_fset make-ssl-cert/ouname seen false
+
+     db_get make-ssl-cert/hostname
+     HostName="$RET"
+     db_fset make-ssl-cert/hostname seen false
+
+     db_get make-ssl-cert/email
+     Email="$RET"
+     db_fset make-ssl-cert/email seen false
+}
+
+make_snakeoil() {
+     CountryName="XX"
+     StateName="There is no such thing outside US"
+     LocalityName="Everywhere"
+     OrganisationName="OCOSA"
+     OUName="Office for Complication of Otherwise Simple Affairs"
+     HostName="$(hostname -f || hostname)"
+     Email="root@$HostName"
+}
+
+create_temporary_cnf() {
+    sed -e s#@CountryName@#"$CountryName"# \
+	-e s#@StateName@#"$StateName"# \
+	-e s#@LocalityName@#"$LocalityName"# \
+	-e s#@OrganisationName@#"$OrganisationName"# \
+	-e s#@OUName@#"$OUName"# \
+	-e s#@HostName@#"$HostName"# \
+	-e s#@Email@#"$Email"# \
+	$template > $TMPFILE
+}
+
+# Takes two arguments, the base layout and the output cert.
+
+if [ $# -lt 2 ] && [ "$1" != "generate-default-snakeoil" ]; then
+    printf "Usage: $0 template output [--force-overwrite]\n";
+    printf "Usage: $0 generate-default-snakeoil [--force-overwrite]\n";
+    exit 1;
+fi
+
+if [ "$1" != "generate-default-snakeoil" ]; then
+    template="$1"
+    output="$2"
+    # be anal in manual mode.
+    if [ ! -f $template ]; then
+	printf "Could not open template file: $template!\n";
+	exit 1;
+    fi
+    if [ -f $output ] && [ "$3" != "--force-overwrite" ]; then
+        printf "$output file already exists!\n";
+        exit 1;
+    fi
+    ask_via_debconf
+else
+    template="/usr/share/ssl-cert/ssleay.cnf"
+    if [ -f "/etc/ssl/certs/ssl-cert-snakeoil.pem" ] && [ -f "/etc/ssl/private/ssl-cert-snakeoil.key" ]; then
+        if [ "$2" != "--force-overwrite" ]; then
+             exit 0
+        fi
+    fi
+    make_snakeoil
+fi
+
+# # should be a less common char
+# problem is that openssl virtually accepts everything and we need to
+# sacrifice one char.
+
+TMPFILE="$(mktemp)" || exit 1
+
+create_temporary_cnf
+
+# create the certiface.
+
+export RANDFILE=/dev/random
+
+if [ "$1" != "generate-default-snakeoil" ]; then
+	# openssl req -config $TMPFILE -new -x509 -nodes -out $output -keyout $output > /dev/null 2>&1
+    openssl req -config $TMPFILE -new -x509 -days 365 -nodes -out $output -keyout $output > /dev/null 2>&1
+    chmod 600 $output
+    # hash symlink
+    cd $(dirname $output)
+    ln -sf $(basename $output) $(openssl x509 -hash -noout -in $output)
+else
+    # openssl req -config $TMPFILE -new -x509 -nodes \
+    openssl req -config $TMPFILE -new -x509 -days 365 nodes \
+	-out /etc/ssl/certs/ssl-cert-snakeoil.pem \
+        -keyout /etc/ssl/private/ssl-cert-snakeoil.key > /dev/null 2>&1
+    chmod 644 /etc/ssl/certs/ssl-cert-snakeoil.pem
+    chmod 640 /etc/ssl/private/ssl-cert-snakeoil.key
+    chown root:ssl-cert /etc/ssl/private/ssl-cert-snakeoil.key
+    # hash symlink
+    cd /etc/ssl/certs/
+    ln -sf ssl-cert-snakeoil.pem $(openssl x509 -hash -noout -in ssl-cert-snakeoil.pem)
+fi
+
+# cleanup
+rm -f $TMPFILE

data/lib/deprec/templates/ssl/ssl-cert-snakeoil.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXwIBAAKBgQDAq435f/QmKkc/Z3UDPxcdZM0XNNFE97DGSFJIjuKdJaLp+HDr
+JroV1TS8YUpZpJ7FhuasEg9G+HcwZcncChWgiwXnwMxG/6zs4U+7SzaehpB0lfCp
+8jYHNwhaUDr5H4YSfznltGQRlELlSHNLyDgQzRwMjWluTpxJ2MXMcKXCvQIDAQAB
+AoGBAI7kbQZW1F8dyfuHIixHNUByivykCnSI8s0LxCLV/dGooRu/SxfLgAVDO7pe
+uYKkabB7bUa+mh/7lIILa9tKi2Bbqnr+DZyCmKqQn3YBsc6yS19zMDhkt+UfhQc9
+3/ssdASGCQg3cW7Y3x103S+j3zB6dmO44vDOevDymVg8z//tAkEA9kmlwavZ5sKq
+fLYCz7edp7hCcOL1QO/iwKMlnyGLOhg5sgwHu8o/+5OHlWLGAln0Z6Q6XEdWw9pD
+LDxPntmAawJBAMhEnvHjPLAN8oSnrLsklBC6N77t3TNt5e+1SSeGhfgZcw3m2ftE
+jPNgdcu9+JTgGD9yV6u1FWQReG/saYlRc3cCQQCUP8an6qLydbEb+o98q0EaCR7t
+RqBsYzlxzYLC4/Ujlht8oiMxlc+nxqkxcdBQ8AbfMAr1Kvf+Um5mvTMMIk5bAkEA
+uOHQspILtqRJnXmGFwZ/wqmHSTYinZX5TkBYFqs0BoTIGK9j0XnJfe0xEjSAxj/T
+Ys9WbGgyJT2TqA/ipiiRpQJBAMYFGlBV6/zNaX0u1vm2E8/96jl7FAxA06F2OiBn
+lWtdmT+adpNo04XyX61N5+ie0A2SOgKpZWomm0wA1SGi7TQ=
+-----END RSA PRIVATE KEY-----

data/lib/deprec/templates/ssl/ssl-cert-snakeoil.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCzCCAnQCCQDHermh7psBnzANBgkqhkiG9w0BAQUFADCByTELMAkGA1UEBhMC
+WFgxKjAoBgNVBAgTIVRoZXJlIGlzIG5vIHN1Y2ggdGhpbmcgb3V0c2lkZSBVUzET
+MBEGA1UEBxMKRXZlcnl3aGVyZTEOMAwGA1UEChMFT0NPU0ExPDA6BgNVBAsTM09m
+ZmljZSBmb3IgQ29tcGxpY2F0aW9uIG9mIE90aGVyd2lzZSBTaW1wbGUgQWZmYWly
+czEPMA0GA1UEAxMGY2FsdmluMRowGAYJKoZIhvcNAQkBFgtyb290QGNhbHZpbjAe
+Fw0wOTAyMDMwNTExNDdaFw0wOTAzMDUwNTExNDdaMIHJMQswCQYDVQQGEwJYWDEq
+MCgGA1UECBMhVGhlcmUgaXMgbm8gc3VjaCB0aGluZyBvdXRzaWRlIFVTMRMwEQYD
+VQQHEwpFdmVyeXdoZXJlMQ4wDAYDVQQKEwVPQ09TQTE8MDoGA1UECxMzT2ZmaWNl
+IGZvciBDb21wbGljYXRpb24gb2YgT3RoZXJ3aXNlIFNpbXBsZSBBZmZhaXJzMQ8w
+DQYDVQQDEwZjYWx2aW4xGjAYBgkqhkiG9w0BCQEWC3Jvb3RAY2FsdmluMIGfMA0G
+CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAq435f/QmKkc/Z3UDPxcdZM0XNNFE97DG
+SFJIjuKdJaLp+HDrJroV1TS8YUpZpJ7FhuasEg9G+HcwZcncChWgiwXnwMxG/6zs
+4U+7SzaehpB0lfCp8jYHNwhaUDr5H4YSfznltGQRlELlSHNLyDgQzRwMjWluTpxJ
+2MXMcKXCvQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBADZ2Uu123BHOGow9C5lnxP3K
+nkVpfqOTvVztyOtTVE+GZrCiFj4RyuJpL9JmpXTo+Dl8CrTguxbhnSPFQCYdmIbj
+zYGygWx4a0qfKdVe4GMREWzsBVCwH0mPEV6i0nxy4KMffNcTKwhSoh3LZ0rWhoYr
+gb3pgta67aRdAaIS556W
+-----END CERTIFICATE-----

data/lib/deprec/templates/starling/monit.conf.erb

@@ -0,0 +1,14 @@
+check process starling-<%= starling_port %> with pidfile <%= starling_run_dir %>/starling.pid
+group starling
+start program = "start-stop-daemon -c <%= starling_user %>:<%= starling_group %> --start --quiet --pidfile <%= starling_run_dir %>/starling.pid --exec /usr/local/bin/starling -- <%= starling_runtime_options %>"
+stop program = "start-stop-daemon -c <%= starling_user %>:<%= starling_group %> --stop --quiet --pidfile <%= starling_run_dir %>/starling.pid --exec /usr/local/bin/starling -- <%= starling_runtime_options %>"
+	
+if failed host 127.0.0.1 port <%= starling_port %>
+  	with timeout 10 seconds
+  	then alert
+
+if totalmem > 100 Mb then restart
+if cpu > 60% for 2 cycles then alert
+if cpu > 80% for 5 cycles then restart
+if loadavg(5min) > 10 for 8 cycles then restart
+if 3 restarts within 5 cycles then timeout