le1t0-deprec 2.1.6.001

data/lib/deprec/templates/iptables/firewall-default.erb

@@ -0,0 +1,13 @@
+# define tcp ports allowed for the world: "tcp:80,443"
+# define non-tcp/udp/icmp protocols allowed for the world: "pptp"
+# define tcp/udp ports allowed for specific networks/IPs: "tcp:389;udp:514@10.0.1.2,192.168.0.0/24 tcp,udp:22@192.168.0.3"
+# define non-tcp/udp/icmp protocols allowed for specific networks/IPs: "vrrp@192.168.0.0/24"
+# example: allowed="tcp:80,443 udp:138 pptp tcp:21,443@192.168.0.0/24 tcp:389;udp:514@10.0.1.2,10.0.1.5 vrrp@192.168.0.0/24 gre@10.0.1.2"
+allowed="<%= iptables_allowed %>"
+
+# example: forwards="192.168.0.1:8080>192.168.0.2:80;tcp 192.168.0.1:514>192.168.0.2:514;udp"
+forwards="<%= iptables_forwards %>"
+
+DRYRUN="NO" # Set to exactly YES to enable dry runs
+IPTABLES="<%= iptables_binary %>"
+IPTABLES_SAVE="<%= iptables_save_binary %>"

data/lib/deprec/templates/iptables/firewall-init.erb

@@ -0,0 +1,171 @@
+#!/bin/bash
+# Copyright 2009-2010 by le1t0@github. All rights reserved.
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin
+DRYRUN="NO" # Set to exactly YES to enable dry runs
+IPTABLES="/sbin/iptables"
+IPTABLES_SAVE="/sbin/iptables-save"
+ENABLED=1
+
+test -x $IPTABLES || exit 0
+
+if [ -e /etc/default/firewall ]; then
+	. /etc/default/firewall
+fi
+
+test "$ENABLED" != "0" || exit 0
+
+if [ "$DRYRUN" = "YES" ] ; then
+	IPTABLES="echo ${IPTABLES}"
+fi
+
+[ -f /etc/default/rcS ] && . /etc/default/rcS
+. /lib/lsb/init-functions
+
+function flush_rules () {
+	if [ -x $IPTABLES_SAVE ]; then
+		tmpfile="/tmp/.firewall.save.$(date +"%Y%m%d%H%M%S").tmp"
+		# save current firewall FORWARD rules with physdev-in, these are necessary for the functioning of xen
+		$IPTABLES_SAVE -t filter | perl -ne "m/^-A FORWARD/ && m/physdev-in/ && print \"${IPTABLES} \" . \$_" > $tmpfile
+	fi
+	# flush default chains
+	$IPTABLES -F -t nat
+	$IPTABLES -F
+	# delete all custom chains
+	$IPTABLES -X
+	# source, re-apply and remove saved rules of above
+	if [ -x $IPTABLES_SAVE ]; then
+		. $tmpfile
+		rm -f $tmpfile
+	fi
+}
+
+function define_forwards () {
+  for forward in $forwards ; do {
+    proto="$(echo $forward | cut -d ';' -f 2)"
+	localip="$(echo $forward | cut -d '>' -f 1 | cut -d ':' -f 1)"
+    srcport="$(echo $forward | cut -d '>' -f 1 | cut -d ':' -f 2)"
+    destip="$(echo $forward | cut -d ';' -f 1 | cut -d '>' -f '2' | cut -d ':' -f 1)"
+    destport="$(echo $forward | cut -d ';' -f 1 | cut -d '>' -f '2' | cut -d ':' -f 2)"
+    $IPTABLES -t nat -A PREROUTING -p $proto -d $localip --dport $srcport -j DNAT --to $destip:$destport
+	$IPTABLES -A FORWARD -p $proto -d $destip --dport $destport -j ACCEPT
+  } ; done
+}
+
+function set_default_policies () {
+	$IPTABLES --policy INPUT $1
+	$IPTABLES --policy OUTPUT $2
+	$IPTABLES --policy FORWARD $3
+}
+
+function set_default_rules () {
+	# Allow unlimited traffic on the loopback interface
+	$IPTABLES -A INPUT -i lo -j ACCEPT
+	$IPTABLES -A OUTPUT -o lo -j ACCEPT
+
+	# Previously initiated and accepted exchanges bypass rule checking
+	$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+	# Allow unlimited outbound traffic
+	$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+}
+
+# don't call parse_sources directly! It's called by set_allowed_rules
+function parse_sources () {
+	for sourcedef in $1 ; do {
+		parse_targets "$2" "-s ${sourcedef}"
+	} ; done
+}
+
+# don't call parse_targets directly! It's called by set_allowed_rules
+function parse_targets () {
+	sourcedef="$2"
+	for targetdef in $1 ; do {
+		protocols="$(echo $targetdef | awk -F ":" '{ print $1; }' | sed 's/,/ /g')"
+		ports="$(echo $targetdef | awk -F ":" '{ print $2; }' | sed 's/,/ /g')"
+		for protocol in ${protocols} ; do {
+			if [ -z "${ports}" ] ; then
+				$IPTABLES -A INPUT -p ${protocol} ${sourcedef} -m state --state NEW -j ACCEPT ;
+			else
+				for port in ${ports} ; do {
+					OPT="--dport"
+					[ "$protocol" = "icmp" ] && OPT="--icmp-type"
+					$IPTABLES -A INPUT -p ${protocol} ${sourcedef} -m state --state NEW $OPT ${port} -j ACCEPT ;
+				} ; done
+			fi
+		} ; done
+	} ; done
+}
+
+function set_allowed_rules () {
+	for ruledef in ${allowed} ; do {
+		target="$(echo $ruledef | awk -F "@" '{ print $1; }' | sed 's/;/ /g')"
+		source="$(echo $ruledef | awk -F "@" '{ print $2; }' | sed 's/,/ /g')"
+		if [ -z "${source}" ] ; then
+			parse_targets "$target"
+		else
+			parse_sources "$source" "$target"
+		fi
+	} ; done	
+}
+
+function set_proc_variables () {
+	# Kernel monitoring support
+	# More information:
+	# /usr/src/linux-`uname -r`/Documentation/networking/ip-sysctl.txt
+	# http://www.linuxgazette.com/book/view/1645
+	# http://www.spirit.com/Network/net0300.html
+
+	# Drop ICMP echo-request messages sent to broadcast or multicast addresses
+	echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+
+	# Drop source routed packets
+	echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
+
+	# Enable TCP SYN cookie protection from SYN floods
+	echo 1 > /proc/sys/net/ipv4/tcp_syncookies
+
+	# Don't accept ICMP redirect messages
+	echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
+
+	# Don't send ICMP redirect messages
+	echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
+
+	# Enable source address spoofing protection
+	echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
+
+	# Log packets with impossible source addresses
+	echo 1 > /proc/sys/net/ipv4/conf/all/log_martians	
+}
+
+function firewall_start () {
+	set_proc_variables
+	flush_rules
+	set_default_policies DROP ACCEPT ACCEPT
+	define_forwards
+	set_default_rules
+	set_allowed_rules	
+}
+
+function firewall_stop () {
+	flush_rules
+	set_default_policies ACCEPT ACCEPT ACCEPT	
+}
+
+case "$1" in
+start)
+	firewall_start
+	;;
+stop)
+	firewall_stop
+	;;
+reload|force-reload)
+	firewall_start
+	;;
+restart)
+	firewall_start
+	;;
+*)
+	echo "Usage: /etc/init.d/firewall {start|stop|reload|restart}"
+	exit 3
+	;;
+esac

data/lib/deprec/templates/keepalived/keepalived.conf.erb

@@ -0,0 +1,18 @@
+vrrp_script chk_haproxy {           # Requires keepalived-1.1.13
+        script "<%= keepalived_script %>"     # cheaper than pidof
+        interval <%= keepalived_interval %>                      # check every 2 seconds
+        weight <%= keepalived_weight %>                        # add 2 points of prio if OK
+}
+
+vrrp_instance VI_1 {
+        interface <%= keepalived_interface %>
+        state <%= keepalived_state %>
+        virtual_router_id <%= keepalived_virtual_router_id %>
+        priority <%= keepalived_priority %>
+        virtual_ipaddress {
+            <%= keepalived_virtual_ipaddress %>
+        }
+        track_script {
+            chk_haproxy
+        }
+}

data/lib/deprec/templates/logrotate/logrotate.conf.erb

@@ -0,0 +1,32 @@
+# see "man logrotate" for details
+# rotate log files weekly
+weekly
+
+# keep 4 weeks worth of backlogs
+rotate 4
+
+# create new (empty) log files after rotating old ones
+create
+
+# uncomment this if you want your log files compressed
+#compress
+
+# packages drop log rotation information into this directory
+include /etc/logrotate.d
+
+# no packages own wtmp, or btmp -- we'll rotate them here
+/var/log/wtmp {
+    missingok
+    monthly
+    create 0664 root utmp
+    rotate 1
+}
+
+/var/log/btmp {
+    missingok
+    monthly
+    create 0664 root utmp
+    rotate 1
+}
+
+# system-specific logs may be configured here

data/lib/deprec/templates/mongodb/mongodb-init.d

@@ -0,0 +1,88 @@
+#!/bin/sh
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+MONGOD=/usr/local/mongo/bin/mongod
+DATADIR=/var/lib/mongodb
+PIDFILE=$DATADIR/mongod.lock
+LOGFILE=/var/log/mongodb.log
+EXTRAOPTS=
+ENABLED=1
+
+test -x $MONGOD || exit 0
+
+if [ -e /etc/default/mongodb ]; then
+	. /etc/default/mongodb
+fi
+
+test "$ENABLED" != "0" || exit 0
+
+[ -f /etc/default/rcS ] && . /etc/default/rcS
+. /lib/lsb/init-functions
+
+
+mongodb_start()
+{
+	start-stop-daemon --start --pidfile "$PIDFILE" \
+		--exec $MONGOD -- --fork --logpath $LOGFILE --logappend --dbpath $DATADIR \
+		$EXTRAOPTS || return 2
+	return 0
+}
+
+mongodb_stop()
+{
+	start-stop-daemon --stop --user root --pidfile "$PIDFILE" \
+		|| return 2
+	return 0
+}
+
+case "$1" in
+start)
+	log_daemon_msg "Starting mongodb" "mongodb"
+	mongodb_start
+	case "$?" in
+	0)
+		log_end_msg 0
+		;;
+	1)
+		log_end_msg 1
+		echo "pid file '$PIDFILE' found, mongodb not started."
+		;;
+	2)
+		log_end_msg 1
+		;;
+	esac
+	;;
+stop)
+	log_daemon_msg "Stopping mongodb" "mongodb"
+	mongodb_stop
+	case "$?" in
+	0|1)
+		log_end_msg 0
+		;;
+	2)
+		log_end_msg 1
+		;;
+	esac
+	;;
+restart)
+	log_daemon_msg "Restarting mongodb" "mongodb"
+	mongodb_stop
+	mongodb_start
+	case "$?" in
+	0)
+		log_end_msg 0
+		;;
+	1)
+		log_end_msg 1
+		;;
+	2)
+		log_end_msg 1
+		;;
+	esac
+	;;
+*)
+	echo "Usage: /etc/init.d/mongodb {start|stop|restart}"
+	exit 3
+	;;
+esac
+
+:

data/lib/deprec/templates/mongrel/apache_vhost.conf.erb

@@ -0,0 +1,148 @@
+<VirtualHost *:80>
+  ServerName <%= domain %>
+  <%- 4.times do |counter| -%>
+  ServerAlias <%= domain.sub(/.*?\./, "assets#{counter}.") %>
+  <%- end %>
+  DocumentRoot <%= "#{current_path}/public" %>
+  ErrorLog <%= apache_log_dir %>/<%= domain %>-error_log
+  CustomLog <%= apache_log_dir %>/<%= domain %>-access_log combined
+
+  <Directory <%= "#{current_path}/public" %>>
+    Options FollowSymLinks
+    AllowOverride None
+    Order allow,deny
+    Allow from all
+  </Directory>
+
+  <Proxy *>
+    Order deny,allow
+    Allow from all
+  </Proxy>
+
+  # Configure mongrel_cluster 
+  <Proxy balancer://<%= "#{application}_cluster" %>>
+	<%- mongrel_servers.times do |counter| -%>
+    BalancerMember http://<%= "127.0.0.1:#{mongrel_port+counter}"  %>
+	<%- end -%>
+  </Proxy>
+
+  RewriteEngine On
+
+  <%- if apache_ssl_enabled && apache_ssl_forward_all -%>
+  RewriteRule ^(.*)$ https://<%= domain %>$1
+  <%- else -%>
+  # Prevent access to .svn directories
+  RewriteRule ^(.*/)?\.svn/ - [F,L]
+  ErrorDocument 403 "Access Forbidden"
+
+  # Check for maintenance file and redirect all requests
+  RewriteCond %{REQUEST_URI} !\.(css|jpg|png|gif)$
+  RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
+  RewriteCond %{SCRIPT_FILENAME} !maintenance.html
+  RewriteRule ^.*$ /system/maintenance.html [L]
+
+  # Rewrite index to check for static
+  RewriteRule ^/$ /index.html [QSA] 
+
+  # Rewrite to check for Rails cached page
+  RewriteRule ^([^.]+)$ $1.html [QSA]
+
+  # Redirect all non-static requests to cluster
+  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
+  RewriteRule ^/(.*)$ balancer://<%= "#{application}_cluster" %>%{REQUEST_URI} [P,QSA,L]
+  
+  # Deflate
+  AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/x-javascript
+  BrowserMatch ^Mozilla/4 gzip-only-text/html
+  BrowserMatch ^Mozilla/4\.0[678] no-gzip
+  BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+  <%- end -%>
+</VirtualHost>
+
+
+<% if apache_ssl_enabled %>
+<VirtualHost <%= apache_ssl_ip ? apache_ssl_ip : '*' %>:443>
+  ServerName <%= domain %>
+  <%- 4.times do |counter| -%>
+  ServerAlias <%= domain.sub(/.*?\./, "assets#{counter}.") %>
+  <%- end %>
+  DocumentRoot <%= "#{current_path}/public" %>
+  ErrorLog <%= apache_log_dir %>/<%= domain %>-error_log
+  CustomLog <%= apache_log_dir %>/<%= domain %>-access_log combined       
+  CustomLog <%= apache_log_dir %>/<%= domain %>-ssl_log \
+          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+  <Directory <%= "#{current_path}/public" %>>
+    Options FollowSymLinks
+    AllowOverride None
+    Order allow,deny
+    Allow from all
+  </Directory>
+
+  <Proxy *>
+    Order deny,allow
+    Allow from all
+  </Proxy>
+
+  # Configure mongrel_cluster 
+  <Proxy balancer://<%= "#{application}_cluster" %>>
+	<%- mongrel_servers.times do |counter| -%>
+    BalancerMember http://<%= "127.0.0.1:#{mongrel_port+counter}"  %>
+	<%- end -%>
+  </Proxy>
+
+  RewriteEngine On
+
+  # Prevent access to .svn directories
+  RewriteRule ^(.*/)?\.svn/ - [F,L]
+  ErrorDocument 403 "Access Forbidden"
+
+  # Prevent access to .git directories
+  RewriteRule ^(.*/)?\.git/ - [F,L]
+  ErrorDocument 403 "Access Forbidden"
+
+  # Check for maintenance file and redirect all requests
+  RewriteCond %{REQUEST_URI} !\.(css|jpg|png|gif)$
+  RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
+  RewriteCond %{SCRIPT_FILENAME} !maintenance.html
+  RewriteRule ^.*$ /system/maintenance.html [L]
+
+  # Rewrite index to check for static
+  RewriteRule ^/$ /index.html [QSA] 
+
+  # Rewrite to check for Rails cached page
+  RewriteRule ^([^.]+)$ $1.html [QSA]
+
+  # Redirect all non-static requests to cluster
+  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
+  # Add header for Mongrel to set HTTPS environment for Rails
+  RequestHeader set X-Forwarded-Proto "https"
+  RewriteRule ^/(.*)$ balancer://<%= "#{application}_cluster" %>%{REQUEST_URI} [P,QSA,L]
+
+  # Deflate
+  AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/x-javascript
+  BrowserMatch ^Mozilla/4 gzip-only-text/html
+  BrowserMatch ^Mozilla/4\.0[678] no-gzip
+  BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+
+  # SSL Engine Switch
+  SSLEngine on
+
+  # SSL Cipher Suite:
+  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+
+  # Server Certificate
+  SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+  # Server Private Key
+  SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+
+  <% if apache_ssl_chainfile %>
+  # Intermediate keys
+  SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/<%= domain %>-chainfile.crt
+  <% end %>
+
+  BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
+
+</VirtualHost>
+<% end  %>