server_maint 0.0.1

data/lib/cookbooks/nginx/recipes/upload_progress_module.rb

@@ -0,0 +1,47 @@
+#
+# Cookbook Name:: nginx
+# Recipe:: upload_progress_module
+#
+# Author:: Jamie Winsor (<jamie@vialstudios.com>)
+#
+# Copyright 2012, Riot Games
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+upm_src_filename = ::File.basename(node['nginx']['upload_progress']['url'])
+upm_src_filepath = "#{Chef::Config['file_cache_path']}/#{upm_src_filename}"
+upm_extract_path = "#{Chef::Config['file_cache_path']}/nginx_upload_progress/#{node['nginx']['upload_progress']['checksum']}"
+
+remote_file upm_src_filepath do
+  source node['nginx']['upload_progress']['url']
+  checksum node['nginx']['upload_progress']['checksum']
+  owner "root"
+  group "root"
+  mode 0644
+end
+
+bash "extract_upload_progress_module" do
+  cwd ::File.dirname(upm_src_filepath)
+  code <<-EOH
+    mkdir -p #{upm_extract_path}
+    tar xzf #{upm_src_filename} -C #{upm_extract_path}
+    mv #{upm_extract_path}/*/* #{upm_extract_path}/
+  EOH
+
+  not_if { ::File.exists?(upm_extract_path) }
+end
+
+node.run_state['nginx_configure_flags'] =
+  node.run_state['nginx_configure_flags'] | ["--add-module=#{upm_extract_path}"]
+  

data/lib/cookbooks/nginx/templates/debian/nginx.init.erb

@@ -0,0 +1,97 @@
+#!/bin/sh
+
+### BEGIN INIT INFO
+# Provides:          nginx
+# Required-Start:    $local_fs $remote_fs $network $syslog
+# Required-Stop:     $local_fs $remote_fs $network $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: starts the nginx web server
+# Description:       starts nginx using start-stop-daemon
+### END INIT INFO
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=<%= @src_binary %>
+NAME=nginx
+DESC=nginx
+PID=<%= @pid %>
+
+# Include nginx defaults if available
+if [ -f /etc/default/nginx ]; then
+	. /etc/default/nginx
+fi
+
+test -x $DAEMON || exit 0
+
+set -e
+
+. /lib/lsb/init-functions
+
+test_nginx_config() {
+	if $DAEMON -t $DAEMON_OPTS >/dev/null 2>&1; then
+		return 0
+	else
+		$DAEMON -t $DAEMON_OPTS
+		return $?
+	fi
+}
+
+case "$1" in
+	start)
+		echo -n "Starting $DESC: "
+		test_nginx_config
+		# Check if the ULIMIT is set in /etc/default/nginx
+		if [ -n "$ULIMIT" ]; then
+			# Set the ulimits
+			ulimit $ULIMIT
+		fi
+		start-stop-daemon --start --quiet --pidfile $PID \
+		    --exec $DAEMON -- $DAEMON_OPTS || true
+		echo "$NAME."
+		;;
+
+	stop)
+		echo -n "Stopping $DESC: "
+		start-stop-daemon --stop --quiet --pidfile $PID \
+		    --exec $DAEMON || true
+		echo "$NAME."
+		;;
+
+	restart|force-reload)
+		echo -n "Restarting $DESC: "
+		start-stop-daemon --stop --quiet --pidfile \
+		    $PID --exec $DAEMON || true
+		sleep 1
+		test_nginx_config
+		start-stop-daemon --start --quiet --pidfile \
+		    $PID --exec $DAEMON -- $DAEMON_OPTS || true
+		echo "$NAME."
+		;;
+
+	reload)
+		echo -n "Reloading $DESC configuration: "
+		test_nginx_config
+		start-stop-daemon --stop --signal HUP --quiet --pidfile $PID \
+		    --exec $DAEMON || true
+		echo "$NAME."
+		;;
+
+	configtest|testconfig)
+		echo -n "Testing $DESC configuration: "
+		if test_nginx_config; then
+			echo "$NAME."
+		else
+			exit $?
+		fi
+		;;
+
+	status)
+		status_of_proc -p $PID "$DAEMON" nginx && exit 0 || exit $?
+		;;
+	*)
+		echo "Usage: $NAME {start|stop|restart|reload|force-reload|status|configtest}" >&2
+		exit 1
+		;;
+esac
+
+exit 0

data/lib/cookbooks/nginx/templates/default/default-site.erb

@@ -0,0 +1,11 @@
+server {
+  listen   80;
+  server_name  <%= node['hostname'] %>;
+
+  access_log  <%= node['nginx']['log_dir'] %>/localhost.access.log;
+
+  location / {
+    root   /var/www/nginx-default;
+    index  index.html index.htm;
+  }
+}

data/lib/cookbooks/nginx/templates/default/modules/authorized_ip.erb

@@ -0,0 +1,6 @@
+geo $<%= @remote_ip_var %> $authorized_ip {
+  default no;
+  <% @authorized_ips.each do |ip| %>
+  <%= "#{ip} yes;" %>
+  <% end %>
+}

data/lib/cookbooks/nginx/templates/default/modules/http_geoip.conf.erb

@@ -0,0 +1,4 @@
+geoip_country <%= @country_dat %>;
+<% if @city_dat -%>
+geoip_city <%= @city_dat %>;
+<% end -%>

data/lib/cookbooks/nginx/templates/default/modules/http_realip.conf.erb

@@ -0,0 +1,4 @@
+<% @addresses.each do |address| %>
+set_real_ip_from <%= address %>;
+<% end %>
+real_ip_header <%= @header %>;

data/lib/cookbooks/nginx/templates/default/modules/nginx_status.erb

@@ -0,0 +1,14 @@
+include authorized_ip;
+
+server {
+  listen 8090;
+  server_name _;
+  
+  location /nginx_status {
+    if ($authorized_ip = no) {
+      return 404;
+    }
+    stub_status on;
+    access_log off;
+  }
+}

data/lib/cookbooks/nginx/templates/default/modules/passenger.conf.erb

@@ -0,0 +1,3 @@
+passenger_root <%= @passenger_root %>;
+passenger_ruby <%= @passenger_ruby %>;
+passenger_max_pool_size <%= @passenger_max_pool_size %>;

data/lib/cookbooks/nginx/templates/default/nginx.conf.erb

@@ -0,0 +1,48 @@
+user <%= node['nginx']['user'] %>;
+worker_processes  <%= node['nginx']['worker_processes'] %>;
+<% if node['nginx']['daemon_disable'] -%>
+daemon off;
+<% end -%>
+
+error_log  <%= node['nginx']['log_dir'] %>/error.log;
+pid        <%= node['nginx']['pid'] %>;
+
+events {
+  worker_connections  <%= node['nginx']['worker_connections'] %>;
+}
+
+http {
+  <% if node.recipe?('nginx::naxsi_module') %>
+  include       <%= node['nginx']['dir'] %>/naxsi_core.rules;
+  <% end %>
+
+  include       <%= node['nginx']['dir'] %>/mime.types;
+  default_type  application/octet-stream;
+
+  <% unless node['nginx']['disable_access_log'] -%>
+  access_log	<%= node['nginx']['log_dir'] %>/access.log;
+  <% end %>
+
+  sendfile on;
+  tcp_nopush on;
+  tcp_nodelay on;
+
+  <% if node['nginx']['keepalive'] == "on" %>
+  keepalive_timeout  <%= node['nginx']['keepalive_timeout'] %>;
+  <% end %>
+
+  gzip  <%= node['nginx']['gzip'] %>;
+  <% if node['nginx']['gzip'] == "on" %>
+  gzip_http_version <%= node['nginx']['gzip_http_version'] %>;
+  gzip_comp_level <%= node['nginx']['gzip_comp_level'] %>;
+  gzip_proxied <%= node['nginx']['gzip_proxied'] %>;
+  gzip_types <%= node['nginx']['gzip_types'].join(' ') %>;
+  gzip_min_length  1000;
+  gzip_disable     "MSIE [1-6]\.";
+  <% end %>
+
+  server_names_hash_bucket_size <%= node['nginx']['server_names_hash_bucket_size'] %>;
+
+  include <%= node['nginx']['dir'] %>/conf.d/*.conf;
+  include <%= node['nginx']['dir'] %>/sites-enabled/*;
+}

data/lib/cookbooks/nginx/templates/default/nginx.init.erb

@@ -0,0 +1,92 @@
+#!/bin/sh
+#
+# nginx
+#
+# chkconfig:   - 57 47
+# description: nginx
+# processname:  nginx
+# config:       /etc/sysconfig/nginx
+#
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+# Source networking configuration.
+. /etc/sysconfig/network
+
+# Check that networking is up.
+[ "$NETWORKING" = "no" ] && exit
+exec=<%= @src_binary %>
+prog=$(basename $exec)
+
+# default options, overruled by items in sysconfig
+NGINX_GLOBAL=""
+
+[ -e /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx
+
+lockfile=/var/lock/subsys/nginx
+
+start() {
+    [ -x $exec ] || exit 5
+    echo -n $"Starting $prog: "
+    # if not running, start it up here, usually something like "daemon $exec"
+    options=""
+    if [ "${NGINX_GLOBAL}" != ""  ]; then
+        options="-g ${NGINX_GLOBAL}"
+    fi
+    $exec $options
+    retval=$?
+    echo
+    [ $retval -eq 0 ] && touch $lockfile
+	return $retval
+}
+
+stop() {
+	echo -n $"Stopping $prog: "
+	$exec -s stop
+	retval=$?
+	echo
+	[ $retval -eq 0 ] && rm -f $lockfile
+	return $retval
+}
+
+restart() {
+    stop
+    start
+}
+
+reload() {
+	echo -n $"Reloading $prog: "
+	$exec -s reload
+	retval=$?
+	echo
+	[ $retval -eq 0 ] && rm -f $lockfile
+	return $retval
+}
+
+# See how we were called.
+case "$1" in 
+  start)
+        start
+        ;;
+  stop)
+        stop
+        ;;
+  status)
+        status nginx
+        ;;
+  restart)
+        restart
+        ;;
+  reload|force-reload)
+		reload
+		;;
+  condrestart)
+        [ -f $lockfile ] && restart || :
+        ;;
+  *)
+        echo $"Usage: $0 {start|stop|status|restart|reload|force-reload|condrestart}"
+        exit 1 
+esac
+
+exit $?

data/lib/cookbooks/nginx/templates/default/nginx.pill.erb

@@ -0,0 +1,15 @@
+Bluepill.application("nginx", :log_file => "<%= @log_dir %>/bluepill-nginx.log") do |app|
+  app.process("nginx") do |process|
+    process.pid_file           = "<%= @pid %>"
+    process.working_dir        = "<%= @working_dir %>"
+    process.start_command      = "<%= @src_binary %> -c <%= @nginx_dir %>/nginx.conf"
+    process.stop_command       = "kill -QUIT {{PID}}"
+    process.restart_command    = "kill -HUP {{PID}}"
+    process.daemonize          = true
+    process.stdout             = process.stderr = "<%= @log_dir %>/nginx.log"
+
+    process.monitor_children do |child_process|
+      child_process.stop_command = "kill -QUIT {{PID}}"
+    end
+  end
+end

data/lib/cookbooks/nginx/templates/default/nginx.sysconfig.erb

@@ -0,0 +1 @@
+NGINX_GLOBAL=<%= node['nginx']['global'] %>

data/lib/cookbooks/nginx/templates/default/nxdissite.erb

@@ -0,0 +1,29 @@
+#!/bin/sh -e
+
+SYSCONFDIR='<%= node['nginx']['dir'] %>'
+
+if [ -z $1 ]; then
+        echo "Which site would you like to disable?"
+        echo -n "Your choices are: "
+        ls $SYSCONFDIR/sites-enabled/* | \
+        sed -e "s,$SYSCONFDIR/sites-enabled/,,g" | xargs echo
+        echo -n "Site name? "
+        read SITENAME
+else
+        SITENAME=$1
+fi
+
+if [ $SITENAME = "default" ]; then
+        PRIORITY="000"
+fi
+
+if ! [ -e $SYSCONFDIR/sites-enabled/$SITENAME -o \
+       -e $SYSCONFDIR/sites-enabled/"$PRIORITY"-"$SITENAME" ]; then
+        echo "This site is already disabled, or does not exist!"
+        exit 1
+fi
+
+if ! rm $SYSCONFDIR/sites-enabled/$SITENAME 2>/dev/null; then
+        rm -f $SYSCONFDIR/sites-enabled/"$PRIORITY"-"$SITENAME"
+fi
+echo "Site $SITENAME disabled; reload nginx to disable."

data/lib/cookbooks/nginx/templates/default/nxensite.erb

@@ -0,0 +1,38 @@
+#!/bin/sh -e
+
+SYSCONFDIR='<%= node['nginx']['dir'] %>'
+
+if [ -z $1 ]; then
+        echo "Which site would you like to enable?"
+        echo -n "Your choices are: "
+        ls $SYSCONFDIR/sites-available/* | \
+        sed -e "s,$SYSCONFDIR/sites-available/,,g" | xargs echo
+        echo -n "Site name? "
+        read SITENAME
+else
+        SITENAME=$1
+fi
+
+if [ $SITENAME = "default" ]; then
+        PRIORITY="000"
+fi
+
+if [ -e $SYSCONFDIR/sites-enabled/$SITENAME -o \
+     -e $SYSCONFDIR/sites-enabled/"$PRIORITY"-"$SITENAME" ]; then
+        echo "This site is already enabled!"
+        exit 0
+fi
+
+if ! [ -e $SYSCONFDIR/sites-available/$SITENAME ]; then
+        echo "This site does not exist!"
+        exit 1
+fi
+
+if [ $SITENAME = "default" ]; then
+        ln -sf $SYSCONFDIR/sites-available/$SITENAME \
+               $SYSCONFDIR/sites-enabled/"$PRIORITY"-"$SITENAME"
+else
+        ln -sf $SYSCONFDIR/sites-available/$SITENAME $SYSCONFDIR/sites-enabled/$SITENAME
+fi
+
+echo "Site $SITENAME installed; reload nginx to enable."

data/lib/cookbooks/nginx/templates/default/plugins/nginx.rb.erb

@@ -0,0 +1,66 @@
+#
+# Author:: Jamie Winsor (<jamie@vialstudios.com>)
+#
+# Copyright 2012, Riot Games
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+provides "nginx"
+provides "nginx/version"
+provides "nginx/configure_arguments"
+provides "nginx/prefix"
+provides "nginx/conf_path"
+
+def parse_flags(flags)
+  prefix = nil
+  conf_path = nil
+
+  flags.each do |flag|
+    case flag
+    when /^--prefix=(.+)$/
+      prefix = $1
+    when /^--conf-path=(.+)$/
+      conf_path = $1
+    end
+  end
+
+  [ prefix, conf_path ]
+end
+
+nginx Mash.new unless nginx
+nginx[:version]             = nil unless nginx[:version]
+nginx[:configure_arguments] = Array.new unless nginx[:configure_arguments]
+nginx[:prefix]              = nil unless nginx[:prefix]
+nginx[:conf_path]           = nil unless nginx[:conf_path]
+
+status, stdout, stderr = run_command(:no_status_check => true, :command => "<%= @nginx_bin %> -V")
+
+if status == 0
+  stderr.split("\n").each do |line|
+    case line
+    when /^configure arguments:(.+)/
+      # This could be better: I'm splitting on configure arguments which removes them and also 
+      # adds a blank string at index 0 of the array. This is why we drop index 0 and map to 
+      # add the '--' prefix back to the configure argument.
+      nginx[:configure_arguments] = $1.split(/\s--/).drop(1).map { |ca| "--#{ca}" }
+
+      prefix, conf_path = parse_flags(nginx[:configure_arguments])
+
+      nginx[:prefix] = prefix
+      nginx[:conf_path] = conf_path
+    when /^nginx version: nginx\/(.+)/
+      nginx[:version] = $1
+    end
+  end
+end

data/lib/cookbooks/nginx/templates/default/sv-nginx-log-run.erb

@@ -0,0 +1,2 @@
+#!/bin/sh
+exec svlogd -tt ./main

data/lib/cookbooks/nginx/templates/default/sv-nginx-run.erb

@@ -0,0 +1,3 @@
+#!/bin/sh
+exec 2>&1
+exec <%= node['nginx']['src_binary'] %> -c <%= node['nginx']['dir'] %>/nginx.conf

data/lib/cookbooks/nginx/templates/ubuntu/nginx.init.erb

@@ -0,0 +1,97 @@
+#!/bin/sh
+
+### BEGIN INIT INFO
+# Provides:          nginx
+# Required-Start:    $local_fs $remote_fs $network $syslog
+# Required-Stop:     $local_fs $remote_fs $network $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: starts the nginx web server
+# Description:       starts nginx using start-stop-daemon
+### END INIT INFO
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=<%= @src_binary %>
+NAME=nginx
+DESC=nginx
+PID=<%= @pid %>
+
+# Include nginx defaults if available
+if [ -f /etc/default/nginx ]; then
+	. /etc/default/nginx
+fi
+
+test -x $DAEMON || exit 0
+
+set -e
+
+. /lib/lsb/init-functions
+
+test_nginx_config() {
+	if $DAEMON -t $DAEMON_OPTS >/dev/null 2>&1; then
+		return 0
+	else
+		$DAEMON -t $DAEMON_OPTS
+		return $?
+	fi
+}
+
+case "$1" in
+	start)
+		echo -n "Starting $DESC: "
+		test_nginx_config
+		# Check if the ULIMIT is set in /etc/default/nginx
+		if [ -n "$ULIMIT" ]; then
+			# Set the ulimits
+			ulimit $ULIMIT
+		fi
+		start-stop-daemon --start --quiet --pidfile $PID \
+		    --exec $DAEMON -- $DAEMON_OPTS || true
+		echo "$NAME."
+		;;
+
+	stop)
+		echo -n "Stopping $DESC: "
+		start-stop-daemon --stop --quiet --pidfile $PID \
+		    --exec $DAEMON || true
+		echo "$NAME."
+		;;
+
+	restart|force-reload)
+		echo -n "Restarting $DESC: "
+		start-stop-daemon --stop --quiet --pidfile \
+		    $PID --exec $DAEMON || true
+		sleep 1
+		test_nginx_config
+		start-stop-daemon --start --quiet --pidfile \
+		    $PID --exec $DAEMON -- $DAEMON_OPTS || true
+		echo "$NAME."
+		;;
+
+	reload)
+		echo -n "Reloading $DESC configuration: "
+		test_nginx_config
+		start-stop-daemon --stop --signal HUP --quiet --pidfile $PID \
+		    --exec $DAEMON || true
+		echo "$NAME."
+		;;
+
+	configtest|testconfig)
+		echo -n "Testing $DESC configuration: "
+		if test_nginx_config; then
+			echo "$NAME."
+		else
+			exit $?
+		fi
+		;;
+
+	status)
+		status_of_proc -p $PID "$DAEMON" nginx && exit 0 || exit $?
+		;;
+	*)
+		echo "Usage: $NAME {start|stop|restart|reload|force-reload|status|configtest}" >&2
+		exit 1
+		;;
+esac
+
+exit 0

data/lib/cookbooks/nginx/test/kitchen/Kitchenfile

@@ -0,0 +1,5 @@
+cookbook "nginx" do
+  configuration("default") { runtimes [] }
+  configuration("source") { runtimes [] }
+  runtimes []
+end

data/lib/cookbooks/sanitize/.gitignore

@@ -0,0 +1 @@
+*~

data/lib/cookbooks/sanitize/CHANGELOG.md

@@ -0,0 +1,10 @@
+# CHANGELOG for sanitize
+
+## 0.1.0:
+
+* Initial release of sanitize
+
+- - - 
+Check the [Markdown Syntax Guide](http://daringfireball.net/projects/markdown/syntax) for help with Markdown.
+
+The [Github Flavored Markdown page](http://github.github.com/github-flavored-markdown/) describes the differences between markdown on github and standard markdown.

data/lib/cookbooks/sanitize/README.md

@@ -0,0 +1,65 @@
+Description
+===========
+
+This cookbook aims to normalize setup of a fresh server and set sane
+defaults for global settings, and work with various initial
+environments (tested on EC2 images, Hetzner "minimal" installations,
+and debootstrap-created LXC images). At the moment it supports only
+Ubuntu, Debian support is planned.
+
+This cookbook is developed on GitHub at
+https://github.com/3ofcoins/chef-cookbook-sanitize
+
+Requirements
+============
+
+* apt
+* build-essential
+* iptables
+
+Attributes
+==========
+
+* `sanitize.iptables` -- if false, does not install and configure
+  iptables; defaults to true.
+
+Usage
+=====
+
+Include `recipe[sanitize]` in your run list after your user accounts
+are created and sudo and ssh is configured.
+
+sanitize::default
+-----------------
+
+This is the default "base settings" setup. It should be called
+**after** shell user accounts and sudo are configured, as it locks
+default login user and direct root access.
+
+1. Deletes `ubuntu` system user
+2. Locks system password for `root` user (assumes that only sudo is
+   used to elevate privileges)
+3. Ensure all FHS-provided directories exist by creating some that
+   have been found missing on some of the installation (namely,
+   `/opt`)
+4. Sets locale to `en_US.UTF-8`, generates this locale, sets time zone
+   to UTC
+5. Changes mode of `/var/log/chef/client.log` to `0600` -- readable
+   only for root, as it may contain sensitive data
+6. Deletes annoying `motd.d` files
+7. Installs vim and sets it as a default system editor
+8. Installs and configures iptables, opens SSH port (optional, but
+   enabled by default)
+9. Installs `can-has` command as a symlink to `apt-get`
+
+Roadmap
+=======
+
+Plans for future, in no particular order:
+
+* Depend on and include `openssh-server`; configure SSH known hosts,
+  provide sane SSH server and client configuration defaults
+* Provide hooks (definitions / LWRP / library) for other cookbooks for
+  commonly used facilities, such as opening up common ports, "backend"
+  http service, SSL keys management, maybe some other "library"
+  functions like helpers for encrypted data bags