dust-deploy 0.1.0

data/lib/dust/recipes/aliases.rb

@@ -0,0 +1,13 @@
+class Aliases < Thor
+  desc 'aliases:deploy', 'installs email aliases'
+  def deploy node, ingredients
+    template_path = "./templates/#{ File.basename(__FILE__).chomp( File.extname(__FILE__) ) }"
+
+    return unless node.package_installed? 'postfix'
+    node.scp "#{template_path}/aliases", '/etc/aliases'
+
+    ::Dust.print_msg 'running newaliases', 1
+    ::Dust.print_result node.exec('newaliases')[:exit_code]
+  end
+end
+

data/lib/dust/recipes/basic_setup.rb

@@ -0,0 +1,35 @@
+class BasicSetup < Thor
+  desc 'basic_setup:deploy', 'installs basic packages and config files'
+  def deploy node, ingredients, options
+    template_path = "./templates/#{ File.basename(__FILE__).chomp( File.extname(__FILE__) ) }"
+
+    # install some basic packages
+    ::Dust.print_msg "installing basic packages\n"
+
+    node.install_package 'screen', false, 2
+    node.install_package 'rsync', false, 2
+    node.install_package 'psmisc', false, 2 if node.uses_apt? true
+
+    if node.uses_rpm? true
+      node.install_package 'vim-enhanced', false, 2
+    else
+      node.install_package 'vim', false, 2
+    end
+
+    if node.uses_apt? true
+      node.install_package 'git-core', false, 2
+    else
+      node.install_package 'git', false, 2
+    end
+    puts
+    
+    # deploy basic configuration for root user
+    ::Dust.print_msg "deploying configuration files for root\n", 1
+    Dir["#{template_path}/.*"].each do |file|
+      next unless File.file?(file)
+      node.scp file, "/root/#{File.basename(file)}", false, 2
+    end
+
+  end
+end
+

data/lib/dust/recipes/debsecan.rb

@@ -0,0 +1,44 @@
+class Debsecan < Thor
+  desc 'debsecan:deploy', 'installs and configures debian security package "debsecan"'
+  def deploy node, config, options
+    if node.is_os? ['debian', 'ubuntu'], true
+      node.install_package 'debsecan'
+
+      ::Dust.print_msg 'configuring debsecan'
+
+      # if config is simply set to "true", use defaults
+      config = {} unless config.class == Hash
+
+      # setting default config variables (unless already set)
+      config['report'] ||= false
+      config['mailto'] ||= 'root'
+      config['source'] ||= ''
+
+      config_file = ''
+
+      # configures whether daily reports are sent
+      config_file += "# If true, enable daily reports, sent by email.\n" +
+                     "REPORT=#{config['report'].to_s}\n\n"
+     
+      # configures the suite
+      config_file += "# For better reporting, specify the correct suite here, using the code\n" +
+                     "# name (that is, \"sid\" instead of \"unstable\").\n" +
+                     "SUITE=#{node['lsbdistcodename']}\n\n"
+
+      # which user gets the reports?
+      config_file += "# Mail address to which reports are sent.\n" +
+                     "MAILTO=#{config['mailto']}\n\n"
+
+      # set vulnerability source
+      config_file += "# The URL from which vulnerability data is downloaded.  Empty for the\n" +
+                     "# built-in default.\n" +
+                     "SOURCE=#{config['source']}\n\n"
+
+      node.write '/etc/default/debsecan', config_file, true
+      ::Dust.print_ok
+    else
+      ::Dust.print_failed 'os not supported'
+    end
+  end
+end
+

data/lib/dust/recipes/duplicity.rb

@@ -0,0 +1,111 @@
+require 'erb'
+
+class Duplicity < Thor
+  desc 'duplicity:deploy', 'installs and configures duplicity backups'
+  def deploy node, scenarios, options
+    template_path = "./templates/#{ File.basename(__FILE__).chomp( File.extname(__FILE__) ) }"
+
+    return unless node.install_package 'duplicity'
+
+    # clear all other duplicity cronjobs that might have been deployed earlier
+    remove_duplicity_cronjobs node
+
+    # return if config simply says 'remove'
+    return if scenarios == 'remove'
+
+    scenarios.each do |scenario, conf|
+      config = conf.clone
+
+      # if directory config options is not given, use hostname-scenario
+      config['directory'] ||= "#{node['hostname']}-#{scenario}"
+
+      # check whether backend is specified, skip to next scenario if not
+      unless config['backend'] and config['passphrase']
+        ::Dust.print_failed "scenario #{scenario}: backend or passphrase missing.", 1
+        next
+      end
+
+      # check if interval is correct   
+      unless [ 'monthly', 'weekly', 'daily', 'hourly' ].include? config['interval']
+        return ::Dust.print_failed "invalid interval: '#{config['interval']}'"
+      end
+
+      # check whether we need ncftp
+      node.install_package 'ncftp' if config['backend'].include? 'ftp://'
+      
+      # scp backend on centos needs python-pexpect
+      node.install_package 'python-pexpect' if config['backend'].include? 'scp://' and node.uses_rpm? true
+
+      # add hostkey to known_hosts
+      if config['hostkey']
+        ::Dust.print_msg 'checking if ssh key is in known_hosts'
+        unless ::Dust.print_result node.exec("grep -q '#{config['hostkey']}' ~/.ssh/known_hosts")[:exit_code] == 0
+          node.mkdir '~/.ssh', false, 2
+          node.append '~/.ssh/known_hosts', config['hostkey'], false, 2
+        end
+      end
+
+      # generate path for the cronjob
+      cronjob_path = "/etc/cron.#{config['interval']}/duplicity-#{scenario}"
+
+      # adjust and upload cronjob
+      template = ERB.new File.read("#{template_path}/cronjob.erb"), nil, '%<>'
+      ::Dust.print_msg "adjusting and deploying cronjob (scenario: #{scenario}, interval: #{config['interval']})\n"
+      config['options'].each { |option| ::Dust.print_ok "adding option: #{option}", 2 }
+      node.write cronjob_path, template.result(binding)
+ 
+      # making cronjob executeable
+      node.chmod '0700', cronjob_path
+      puts
+    end
+  end
+
+
+  # print duplicity-status
+  desc 'duplicity:status', 'displays current status of all duplicity backups'
+  def status node, scenarios, options
+    template_path = "./templates/#{ File.basename(__FILE__).chomp( File.extname(__FILE__) ) }"
+
+    return unless node.package_installed? 'duplicity'
+
+    scenarios.each do |scenario, conf|
+      config = conf.clone
+
+      # if directory config option is not given, use hostname-scenario
+      config['directory'] ||= "#{node['hostname']}-#{scenario}"
+
+      # check whether backend is specified, skip to next scenario if not
+      return ::Dust.print_failed 'no backend specified.' unless config['backend']
+
+      ::Dust.print_msg "running collection-status for scenario '#{scenario}'"
+      cmd = "nice -n #{config['nice']} duplicity collection-status " +
+            "--archive-dir #{config['archive']} " +
+            "#{File.join(config['backend'], config['directory'])}"
+  
+      cmd += " |tail -n3 |head -n1" unless options.long?
+
+      ret = node.exec cmd
+
+      # check exit code and stdout shouldn't be empty
+      ::Dust.print_result( (ret[:exit_code] == 0 and ret[:stdout].length > 0) )
+
+      if options.long?
+        ::Dust.print_msg "#{::Dust.black}#{ret[:stdout]}#{::Dust.none}", 0
+      else
+        ::Dust.print_msg "\t#{::Dust.black}#{ret[:stdout].sub(/^\s+([a-zA-Z]+)\s+(\w+\s+\w+\s+\d+\s+\d+:\d+:\d+\s+\d+)\s+(\d+)$/, 'Last backup: \1 (\3 sets) on \2')}#{::Dust.none}", 0
+      end
+
+      puts
+    end
+  end
+
+  private
+  # removes all duplicity cronjobs
+  def remove_duplicity_cronjobs node
+    ::Dust.print_msg 'deleting old duplicity cronjobs'
+    node.rm '/etc/cron.*/duplicity*', true
+    ::Dust.print_ok
+  end
+
+end
+

data/lib/dust/recipes/etc_hosts.rb

@@ -0,0 +1,13 @@
+class EtcHosts < Thor
+  desc 'etc_hosts:deploy', 'deploys /etc/hosts'
+  def deploy node, daemon, options
+    template_path = "./templates/#{ File.basename(__FILE__).chomp( File.extname(__FILE__) ) }"
+
+    return unless node.package_installed?('dnsmasq')
+    node.scp("#{template_path}/hosts", '/etc/hosts')
+
+    # restart dns service
+    node.restart_service daemon if options.restart?
+  end
+end
+

data/lib/dust/recipes/iptables.rb

@@ -0,0 +1,267 @@
+class Iptables < Thor
+  desc 'iptables:deploy', 'configures iptables firewall'
+  def deploy node, rules, options
+    template_path = "./templates/#{ File.basename(__FILE__).chomp( File.extname(__FILE__) ) }"
+
+    # install iptables
+    if node.uses_apt? true or node.uses_emerge? true
+      node.install_package 'iptables'
+
+    elsif node.uses_rpm? true
+      node.install_package 'iptables-ipv6'
+
+    else
+      ::Dust.print_failed 'os not supported'
+      return 
+    end
+
+    # configure attributes (using empty arrays as default)
+    rules['ports'] ||= []
+    rules['ipv4-custom-input-rules'] ||= []
+    rules['ipv6-custom-input-rules'] ||= []
+    rules['ipv4-custom-output-rules'] ||= []
+    rules['ipv6-custom-output-rules'] ||= []
+    rules['ipv4-custom-forward-rules'] ||= []
+    rules['ipv6-custom-forward-rules'] ||= []
+    rules['ipv4-custom-prerouting-rules'] ||= []
+    rules['ipv6-custom-prerouting-rules'] ||= []
+    rules['ipv4-custom-postrouting-rules'] ||= []
+    rules['ipv6-custom-postrouting-rules'] ||= []
+
+    # convert ports: int to array if its just a single int so .each won't get hickups
+    rules['ports'] = [ rules['ports'] ] if rules['ports'].class == Fixnum
+
+    [ 'iptables', 'ip6tables' ].each do |iptables|
+      ipv4 = iptables == 'iptables'
+      ipv6 = iptables == 'ip6tables'
+
+      ::Dust.print_msg "configuring and deploying ipv4 rules\n" if ipv4
+      ::Dust.print_msg "configuring and deploying ipv6 rules\n" if ipv6
+
+      rule_file = '' 
+
+      # default policy for chains
+      if node.uses_apt? true or node.uses_emerge? true
+        rule_file += "-P INPUT DROP\n" +
+                     "-P OUTPUT DROP\n" +
+                     "-P FORWARD DROP\n" +
+                     "-F\n"
+        rule_file += "-F -t nat\n" if ipv4
+        rule_file += "-X\n"
+
+      elsif node.uses_rpm? true
+        rule_file += "*filter\n" +
+                     ":INPUT DROP [0:0]\n" +
+                     ":FORWARD DROP [0:0]\n" +
+                     ":OUTPUT DROP [0:0]\n"
+      end
+
+      # allow localhost
+      rule_file += "-A INPUT -i lo -j ACCEPT\n"
+
+      # drop invalid packets
+      rule_file += "-A INPUT -m state --state INVALID -j DROP\n"
+
+      # allow related packets
+      rule_file += "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
+
+      # drop tcp packets with the syn bit set if the tcp connection is already established
+      rule_file += "-A INPUT -p tcp --tcp-flags SYN SYN -m state --state ESTABLISHED -j DROP\n" # if ipv4
+
+      # drop icmp timestamps
+      rule_file += "-A INPUT -p icmp --icmp-type timestamp-request -j DROP\n" if ipv4
+      rule_file += "-A INPUT -p icmp --icmp-type timestamp-reply -j DROP\n" if ipv4
+
+      # allow other icmp packets
+      rule_file += "-A INPUT -p icmpv6 -j ACCEPT\n" if ipv6
+      rule_file += "-A INPUT -p icmp -j ACCEPT\n"
+
+      # open ports
+      rules['ports'].each do |rule|
+        # if config is something like
+        #   ports: 22
+        # or 
+        #   ports: [ 22, 443, 1000:2000 ]
+        # generate a new hash, and set rule['port']
+        unless rule.class == Hash
+          port = rule
+          rule = {}
+          rule['port'] = port
+        end
+
+        # skip rule for other ipversion than specified
+        rule['ip-version'] ||= 0 # default to 0, means both protocols
+        next if rule['ip-version'].to_i == 4 and ipv6
+        next if rule['ip-version'].to_i == 6 and ipv4
+
+        # convert to string if port is a int
+        rule['port'] = rule['port'].to_s if rule['port'].class == Fixnum
+
+        # skip this port if no portnumber is specified
+        unless rule['port']
+          ::Dust.print_failed "no port specified: #{rule.inspect}", 2
+          next
+        end
+
+        # tcp is the default protocol
+        rule['protocol'] ||= 'tcp'
+
+        # apply one rule for each port(range)
+        rule['port'].each do |port| 
+          ::Dust.print_msg "allowing port #{port}:#{rule['protocol']}", 2
+          rule_file += "-A INPUT -p #{rule['protocol']} --dport #{port} "
+          if rule['interface']
+            print " [dev: #{rule['interface']}]"
+            rule_file += "-i #{rule['interface']} " 
+          end
+          if rule['source']
+            print " [source: #{rule['source']}]"
+            rule_file += "--source #{rule['source']} "
+          end
+          rule_file += "-m state --state NEW "
+          rule_file += "-j ACCEPT\n"
+          ::Dust.print_ok
+        end
+      end
+
+      # add custom ipv4 iput rules
+      rules['ipv4-custom-input-rules'].each do |rule|
+        ::Dust.print_msg "adding custom ipv4 input rule: #{rule}", 2
+        rule_file += "-A INPUT #{rule}\n"
+        ::Dust.print_ok
+      end if ipv4
+
+      # add custom ipv6 iput rules
+      rules['ipv6-custom-input-rules'].each do |rule|
+        ::Dust.print_msg "adding custom ipv6 input rule: #{rule}", 2
+        rule_file += "-A INPUT #{rule}\n"
+        ::Dust.print_ok
+      end if ipv6
+
+      # deny the rest
+      rule_file += "-A INPUT -p tcp -j REJECT --reject-with tcp-reset\n"
+      rule_file += "-A INPUT -j REJECT --reject-with icmp-port-unreachable\n" if ipv4
+
+      # add custom ipv4 prerouting rules
+      rules['ipv4-custom-prerouting-rules'].each do |rule|
+        ::Dust.print_msg "adding custom ipv4 prerouting rule: #{rule}", 2
+        rule_file += "-A PREROUTING #{rule}\n"
+        ::Dust.print_ok
+      end if ipv4
+
+      # add custom ipv6 prerouting rules
+      rules['ipv6-custom-prerouting-rules'].each do |rule|
+        ::Dust.print_msg "adding custom ipv6 prerouting rule: #{rule}", 2
+        rule_file += "-A PREROUTING #{rule}\n"
+        ::Dust.print_ok
+      end if ipv6
+
+      # add custom ipv4 postrouting rules
+      rules['ipv4-custom-postrouting-rules'].each do |rule|
+        ::Dust.print_msg "adding custom ipv4 postrouting rule: #{rule}", 2
+        rule_file += "-A POSTROUTING #{rule}\n"
+        ::Dust.print_ok
+      end if ipv4
+
+      # add custom ipv6 postrouting rules
+      rules['ipv6-custom-postrouting-rules'].each do |rule|
+        ::Dust.print_msg "adding custom ipv6 postrouting rule: #{rule}", 2
+        rule_file += "-A POSTROUTING #{rule}\n"
+        ::Dust.print_ok
+      end if ipv6
+
+
+      # drop invalid outgoing packets
+      rule_file += "-A OUTPUT -m state --state INVALID -j DROP\n"
+
+      # allow related outgoing packets
+      rule_file += "-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
+
+      # add custom ipv4 output rules
+      rules['ipv4-custom-output-rules'].each do |rule|
+        ::Dust.print_msg "adding custom ipv4 outgoing rule: #{rule}", 2
+        rule_file += "-A OUTPUT #{rule}\n"
+        ::Dust.print_ok
+      end if ipv4
+
+      # add custom ipv6 output rules
+      rules['ipv6-custom-output-rules'].each do |rule|
+        ::Dust.print_msg "adding custom ipv6 outgoing rule: #{rule}", 2
+        rule_file += "-A OUTPUT #{rule}\n"
+        ::Dust.print_ok
+      end if ipv6
+
+      # allow everything out
+      rule_file += "-A OUTPUT -j ACCEPT\n"
+
+
+      # enable packet forwarding
+      if rules['forward']
+        ::Dust.print_msg 'enabling ipv4 forwarding', 2
+        rule_file += "-A FORWARD -m state --state INVALID -j DROP\n"
+        rule_file += "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
+        rule_file += "-A FORWARD -j ACCEPT\n"
+        ::Dust.print_ok
+      end if ipv4
+
+      # add custom ipv4 forward rules
+      rules['ipv4-custom-forward-rules'].each do |rule|
+        ::Dust.print_msg "adding custom ipv4 forward rule: #{rule}", 2
+        rule_file += "-A FORWARD #{rule}\n"
+        ::Dust.print_ok
+      end if ipv4
+
+      # add custom ipv6 forward rules
+      rules['ipv6-custom-forward-rules'].each do |rule|
+        ::Dust.print_msg "adding custom ipv6 forward rule: #{rule}", 2
+        rule_file += "-A FORWARD #{rule}\n"
+        ::Dust.print_ok
+      end if ipv6
+
+      rule_file += "COMMIT\n" if node.uses_rpm? true
+
+      # prepend iptables command on non-centos-like machines
+      rule_file = rule_file.map { |s| "#{iptables} #{s}" }.to_s if node.uses_apt? true or node.uses_emerge? true
+
+      # set header
+      header  = ''
+      header  = "#!/bin/sh\n" if node.uses_apt? true or node.uses_emerge? true
+      header += "# automatically generated by dust\n\n"
+      rule_file = header + rule_file
+
+      # set the target file depending on distribution
+      target = "/etc/network/if-pre-up.d/#{iptables}" if node.uses_apt? true
+      target = "/etc/#{iptables}" if node.uses_emerge? true
+      target = "/etc/sysconfig/#{iptables}" if node.uses_rpm? true
+
+      node.write target, rule_file, true
+
+      node.chmod '700', target if node.uses_apt? true or node.uses_emerge? true
+      node.chmod '600', target if node.uses_rpm? true
+
+      if options.restart?
+        ::Dust.print_msg 'applying ipv4 rules' if ipv4
+        ::Dust.print_msg 'applying ipv6 rules' if ipv6
+
+        if node.uses_rpm? true
+          ::Dust.print_result node.exec("/etc/init.d/#{iptables} restart")[:exit_code]
+
+        elsif node.uses_apt? true or node.uses_emerge? true
+          ret = node.exec target
+          ::Dust.print_result( (ret[:exit_code] == 0 and ret[:stdout].empty? and ret[:stderr].empty?) )
+        end
+      end
+
+      # on gentoo, rules have to be saved using the init script,
+      # otherwise they won't get re-applied on next startup
+      if node.uses_emerge? true
+        ::Dust.print_msg 'saving ipv4 rules' if ipv4
+        ::Dust.print_msg 'saving ipv6 rules' if ipv6
+        ::Dust.print_result node.exec("/etc/init.d/#{iptables} save")[:exit_code]
+      end
+
+      puts
+    end
+  end
+end
+