solokit 0.0.2 → 0.0.3

data/README.markdown

@@ -0,0 +1,29 @@
+A toolkit for provisioning (ubuntu-)servers using chef-solo.
+
+Solokit
+---
+
+* A set of wrappers around SSH and Chef Solo. 
+* Code for setting up user accounts (optionally setting passwords, ssh-keys and sudo access).
+* Uses nesting to override configuration and cookbooks.
+
+Cookbooks and configuration
+---
+
+Solokit includes some defaults so that you don't have to repeat the same things for each server. Any "cookbook" or "chef" directories in the root of your project will be copied over the defaults (but not replace them entierly). The same goes for any "cookbook" or "chef" directories for a specific environment.
+
+An environment can be anything from one server to a staging cluster. Within an environment you can run specific configuration for each server, but Solokit defaults to "server.json".
+
+For each layer, Solokit looks for a directory structure like this:
+
+    cookbooks/upstream # Unchanged cookbooks downloaded from opscode, or simular.
+    cookbooks/site     # Changes or entierly new cookbooks for Solokit, your project or env.
+    chef/solo.rb       # Specifies where to find files.
+    chef/server.json   # Default config, just calls roles/base.rb.
+    chef/roles/base.rb # Base configuration
+
+Usage
+---
+
+TBD
+

data/chef/roles/base.json

@@ -0,0 +1,13 @@
+{
+  "name": "Base",
+  "chef_type": "role",
+  "json_class": "Chef::Role",
+  "override_attributes": {
+    // "tz": "Europe/Stockholm"
+  },
+  "run_list": [
+    "recipe[apt]",
+    "role[users]"
+  ]
+}
+

data/chef/server.json

@@ -0,0 +1,5 @@
+{
+  "run_list": [
+    "role[base]"
+  ]
+}

data/chef/solo.rb

@@ -0,0 +1,6 @@
+file_cache_path  "/tmp/chef-solo"
+cookbook_path    [ "/var/chef-solo/upstream-cookbooks", "/var/chef-solo/site-cookbooks" ]
+role_path        "/etc/chef/roles"
+log_level        :info
+log_location     STDOUT
+ssl_verify_mode  :verify_none

data/cookbooks/site/users/definitions/add_keys.rb

@@ -0,0 +1,45 @@
+define :add_keys, :conf => {} do
+  config = params[:conf]
+  name = params[:name]
+  keys = Mash.new
+  keys[name] = node[:ssh_keys][name]
+
+  if config[:ssh_key_groups]
+    config[:ssh_key_groups].each do |group|
+      node[:users].find_all { |u| u.last[:groups].include?(group) }.each do |user|
+        keys[user.first] = node[:ssh_keys][user.first]
+      end
+    end
+  end
+  
+  if config[:extra_ssh_keys]
+    config[:extra_ssh_keys].each do |username|
+      keys[username] = node[:ssh_keys][username]
+    end
+  end
+
+  # Made home configurable  
+  ssh_dir = "#{node[:users][name][:home] || "/home/#{name}"}/.ssh"
+
+  directory ssh_dir do
+    action :create
+    owner name
+    group config[:groups] ? config[:groups].first.to_s : name
+    mode 0755
+    not_if { File.exists? ssh_dir }
+  end
+  
+  template "#{ssh_dir}/authorized_keys" do
+    source "authorized_keys.erb"
+    action :create
+    owner name
+    group config[:groups] ? config[:groups].first.to_s : name
+    variables(:keys => keys)
+    mode 0600
+    not_if { 
+      # To avoid stale handle on NFS mounted homes when writing.
+      system "cat #{ssh_dir}/authorized_keys > /dev/null; true"
+
+      defined?(node[:users][name][:preserve_keys]) ? node[:users][name][:preserve_keys] : false }
+  end
+end

data/cookbooks/site/users/recipes/default.rb

@@ -0,0 +1,34 @@
+include_recipe "ruby-shadow"
+
+if node[:users]
+
+  node[:users].keys.each do |username|
+    config = node[:users][username]
+    user username do
+      comment config[:comment]
+
+      # Added config for home in this site specific cookbook:
+      if config[:home]
+        if config[:home] != '/root'
+          parent_dir = config[:home].split("/")[0..-2].join("/")
+          FileUtils.mkdir_p(parent_dir) unless File.exists?(parent_dir)
+        end
+
+        home_path = config[:home]
+        home home_path
+      else
+        home_path = "/home/#{username}"
+        home home_path
+      end
+      
+      Kernel.system "chmod 700 #{home_path}" if config[:hidden_home]
+      
+      shell "/bin/bash"
+      password config[:password]
+      supports :manage_home => true
+      action [:create, :manage]
+    end  
+    
+    add_keys username
+  end
+end

data/cookbooks/upstream/apt/files/default/apt-cacher

@@ -0,0 +1,9 @@
+# apt-cacher startup configuration file
+
+# IMPORTANT: check the apt-cacher.conf file before using apt-cacher as daemon.
+
+# set to 1 to start the daemon at boot time
+AUTOSTART=1
+
+# extra settings to override the ones in apt-cacher.conf
+# EXTRAOPT=" daemon_port=3142 limit=30 "

data/cookbooks/upstream/apt/files/default/apt-cacher.conf

@@ -0,0 +1,144 @@
+# This file has been modified by ./apt-proxy-to-apt-cacher
+# Some lines may have been appended at the bottom of this file
+# This file has been modified by /usr/share/apt-cacher/apt-proxy-to-apt-cacher
+# Some lines may have been appended at the bottom of this file
+#################################################################
+# This is the config file for apt-cacher. On most Debian systems
+# you can safely leave the defaults alone.
+#################################################################
+
+# cache_dir is used to set the location of the local cache. This can
+# become quite large, so make sure it is somewhere with plenty of space.
+cache_dir=/var/cache/apt-cacher
+
+# The email address of the administrator is displayed in the info page
+# and traffic reports.
+admin_email=root@localhost
+
+# For the daemon startup settings please edit the file /etc/default/apt-cacher.
+
+# Daemon port setting, only useful in stand-alone mode. You need to run the
+# daemon as root to use privileged ports (<1024).
+daemon_port = 3142
+
+# optional settings, user and group to run the daemon as. Make sure they have
+# sufficient permissions on the cache and log directories. Comment the settings
+# to run apt-cacher as the native user.
+group=www-data
+user=www-data
+
+# optional setting, binds the listening daemon to one specified IP. Use IP
+# ranges for more advanced configuration, see below.
+# daemon_addr=localhost
+
+# If your apt-cacher machine is directly exposed to the Internet and you are
+# worried about unauthorised machines fetching packages through it, you can
+# specify a list of IPv4 addresses which are allowed to use it and another
+# list of IPv4 addresses which aren't.
+# Localhost (127.0.0.1) is always allowed. Other addresses must be matched
+# by allowed_hosts and not by denied_hosts to be permitted to use the cache.
+# Setting allowed_hosts to "*" means "allow all".
+# Otherwise the format is a comma-separated list containing addresses,
+# optionally with masks (like 10.0.0.0/22), or ranges of addresses (two
+# addresses separated by a hyphen, no masks, like '192.168.0.3-192.168.0.56').
+allowed_hosts=*
+denied_hosts=
+
+# And similiarly for IPv6 with allowed_hosts_6 and denied_hosts_6.
+# Note that IPv4-mapped IPv6 addresses (::ffff:w.x.y.z) are truncated to
+# w.x.y.z and are handled as IPv4.
+allowed_hosts_6=fec0::/16
+denied_hosts_6=
+
+# This thing can be done by Apache but is much simplier here - limit access to
+# Debian mirrors based on server names in the URLs
+#allowed_locations=ftp.uni-kl.de,ftp.nerim.net,debian.tu-bs.de
+
+# Apt-cacher can generate usage reports every 24 hours if you set this
+# directive to 1. You can view the reports in a web browser by pointing
+# to your cache machine with '/apt-cacher/report' on the end, like this:
+#      http://yourcache.example.com/apt-cacher/report
+# Generating reports is very fast even with many thousands of logfile
+# lines, so you can safely turn this on without creating much 
+# additional system load.
+generate_reports=1
+
+# Apt-cacher can clean up its cache directory every 24 hours if you set
+# this directive to 1. Cleaning the cache can take some time to run
+# (generally in the order of a few minutes) and removes all package
+# files that are not mentioned in any existing 'Packages' lists. This
+# has the effect of deleting packages that have been superseded by an
+# updated 'Packages' list.
+clean_cache=1
+
+# The directory to use for apt-cacher access and error logs.
+# The access log records every request in the format:
+# date-time|client ip address|HIT/MISS/EXPIRED|object size|object name
+# The error log is slightly more free-form, and is also used for debug
+# messages if debug mode is turned on.
+# Note that the old 'logfile' and 'errorfile' directives are
+# deprecated: if you set them explicitly they will be honoured, but it's
+# better to just get rid of them from old config files.
+logdir=/var/log/apt-cacher
+
+# apt-cacher can use different methods to decide whether package lists need to
+# be updated,
+# A) looking at the age of the cached files
+# B) getting HTTP header from server and comparing that with cached data. This
+# method is more reliable and avoids desynchronisation of data and index files
+# but needs to transfer few bytes from the server every time somebody requests
+# the files ("apt-get update")
+# Set the following value to the maximum age (in hours) for method A or to 0
+# for method B
+expire_hours=0
+
+# Apt-cacher can pass all its requests to an external http proxy like
+# Squid, which could be very useful if you are using an ISP that blocks
+# port 80 and requires all web traffic to go through its proxy. The
+# format is 'hostname:port', eg: 'proxy.example.com:8080'.
+http_proxy=proxy.example.com:8080
+
+# Use of an external proxy can be turned on or off with this flag.
+# Value should be either 0 (off) or 1 (on).
+use_proxy=0
+
+# External http proxy sometimes need authentication to get full access. The
+# format is 'username:password'.
+http_proxy_auth=proxyuser:proxypass
+
+# Use of external proxy authentication can be turned on or off with this flag.
+# Value should be either 0 (off) or 1 (on).
+use_proxy_auth=0
+
+# Rate limiting sets the maximum bandwidth in bytes per second to use
+# for fetching packages. Syntax is fully defined in 'man wget'.
+# Use 'k' or 'm' to use kilobits or megabits / second: eg, 'limit=25k'.
+# Use 0 or a negative value for no rate limiting.
+limit=0
+
+# Debug mode makes apt-cacher spew a lot of extra debug junk to the
+# error log (whose location is defined with the 'logdir' directive).
+# Leave this off unless you need it, or your error log will get very
+# big. Acceptable values are 0 or 1.
+debug=0
+
+# Adapt the line in the usage info web page to match your server configuration
+# example_sources_line=deb&nbsp;http://<b>my.cacher.server:3142/</b>ftp.au.debian.org/debian&nbsp;unstable&nbsp;main&nbsp;contrib&nbsp;non-free
+
+# Print a 410 (Gone) HTTP message with the specified text when accessed via
+# CGI. Useful to tell users to adapt their sources.list files when the
+# apt-cacher server is beeing relocated (via apt-get's error messages while
+# running "update")
+#cgi_advise_to_use = Please use http://cacheserver:3142/ as apt-cacher access URL
+#cgi_advise_to_use = Server relocated. To change sources.list, run perl -pe "s,/apt-cacher\??,:3142," -i /etc/apt/sources.list
+
+# Server mapping - this allows to hide real server names behind virtual paths
+# that appear in the access URL. This method is known from apt-proxy. This is
+# also the only method to use FTP access to the target hosts. The syntax is simple, the part of the beginning to replace, followed by a list of mirror urls, all space separated. Multiple profile are separated by semicolons
+# path_map = debian ftp.uni-kl.de/pub/linux/debian ftp2.de.debian.org/debian ; ubuntu archive.ubuntu.com/ubuntu ; security security.debian.org/debian-security ftp2.de.debian.org/debian-security
+# Note that you need to specify all target servers in the allowed_locations
+# options if you make use of it. Also note that the paths should not overlap
+# each other. FTP access method not supported yet, maybe in the future.
+
+# extra setting from apt-proxy configuration
+path_map =  ubuntu us.archive.ubuntu.com/ubuntu ; ubuntu-security security.ubuntu.com/ubuntu ; debian debian.osuosl.org/debian/ ; security security.debian.org/debian-security

data/cookbooks/upstream/apt/files/default/apt-proxy-v2.conf

@@ -0,0 +1,50 @@
+[DEFAULT]
+;; All times are in seconds, but you can add a suffix
+;; for minutes(m), hours(h) or days(d)
+
+;; commented out address so apt-proxy will listen on all IPs
+;; address = 127.0.0.1
+port = 9999
+cache_dir = /var/cache/apt-proxy
+
+;; Control files (Packages/Sources/Contents) refresh rate
+min_refresh_delay = 1s
+complete_clientless_downloads = 1
+
+;; Debugging settings.
+debug = all:4 db:0
+
+time = 30
+passive_ftp = on
+
+;;--------------------------------------------------------------
+;; Cache housekeeping
+
+cleanup_freq = 1d
+max_age = 120d
+max_versions = 3
+
+;;---------------------------------------------------------------
+;; Backend servers
+;;
+;; Place each server in its own [section]
+
+[ubuntu]
+; Ubuntu archive
+backends =
+        http://us.archive.ubuntu.com/ubuntu
+
+[ubuntu-security]
+; Ubuntu security updates
+backends = http://security.ubuntu.com/ubuntu
+
+[debian]
+;; Backend servers, in order of preference
+backends = 
+        http://debian.osuosl.org/debian/
+
+[security]
+;; Debian security archive
+backends = 
+        http://security.debian.org/debian-security
+        http://ftp2.de.debian.org/debian-security

data/cookbooks/upstream/apt/metadata.json

@@ -0,0 +1,51 @@
+{
+  "maintainer": "Opscode, Inc.",
+  "description": "Configures apt and apt services",
+  "recommendations": {
+
+  },
+  "maintainer_email": "cookbooks@opscode.com",
+  "recipes": {
+    "apt::proxy": "Set up an APT proxy",
+    "apt": "",
+    "apt::cacher": "Set up an APT cache"
+  },
+  "suggestions": {
+
+  },
+  "platforms": {
+    "ubuntu": [
+
+    ],
+    "debian": [
+
+    ]
+  },
+  "version": "0.8.0",
+  "name": "apt",
+  "conflicting": {
+
+  },
+  "attributes": {
+
+  },
+  "providing": {
+    "apt::proxy": [
+
+    ],
+    "apt": [
+
+    ],
+    "apt::cacher": [
+
+    ]
+  },
+  "license": "Apache 2.0",
+  "long_description": "",
+  "replacing": {
+
+  },
+  "dependencies": {
+
+  }
+}

data/cookbooks/upstream/apt/metadata.rb

@@ -0,0 +1,11 @@
+maintainer        "Opscode, Inc."
+maintainer_email  "cookbooks@opscode.com"
+license           "Apache 2.0"
+description       "Configures apt and apt services"
+version           "0.8"
+recipe            "apt::cacher", "Set up an APT cache"
+recipe            "apt::proxy", "Set up an APT proxy"
+
+%w{ ubuntu debian }.each do |os|
+  supports os
+end

data/cookbooks/upstream/apt/recipes/cacher.rb

@@ -0,0 +1,42 @@
+#
+# Cookbook Name:: apt
+# Recipe:: cacher
+#
+# Copyright 2008-2009, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+package "apt-cacher" do
+  action :install
+end
+
+service "apt-cacher" do
+  supports :restart => true, :status => false
+  action [ :enable, :start ]
+end
+
+remote_file "/etc/apt-cacher/apt-cacher.conf" do
+  source "apt-cacher.conf"
+  owner "root"
+  group "root"
+  mode 0644
+  notifies :restart, resources(:service => "apt-cacher")
+end
+
+remote_file "/etc/default/apt-cacher" do
+  source "apt-cacher"
+  owner "root"
+  group "root"
+  mode 0644
+  notifies :restart, resources(:service => "apt-cacher")
+end

data/cookbooks/upstream/apt/recipes/default.rb

@@ -0,0 +1,33 @@
+#
+# Cookbook Name:: apt
+# Recipe:: default
+#
+# Copyright 2008-2009, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+e = execute "apt-get update" do
+  action :nothing
+end
+
+e.run_action(:run)
+
+%w{/var/cache/local /var/cache/local/preseeding}.each do |dirname|
+  directory dirname do
+    owner "root"
+    group "root"
+    mode  0755
+    action :create
+  end
+end

data/cookbooks/upstream/apt/recipes/proxy.rb

@@ -0,0 +1,34 @@
+#
+# Cookbook Name:: apt
+# Recipe:: proxy
+#
+# Copyright 2008-2009, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+package "apt-proxy" do 
+  action :install
+end
+
+service "apt-proxy" do
+  supports :restart => true, :status => false
+  action [ :enable, :start ]
+end
+
+remote_file "/etc/apt-proxy/apt-proxy-v2.conf" do
+  source "apt-proxy-v2.conf"
+  owner "root"
+  group "root"
+  mode 0644
+  notifies :restart, resources(:service => "apt-proxy")
+end

data/cookbooks/upstream/ruby-shadow/attributes/ruby-shadow.rb

@@ -0,0 +1 @@
+set_unless[:ruby_shadow][:site_ruby] = "/usr/local/lib/ruby/site_ruby/1.8"

data/cookbooks/upstream/ruby-shadow/files/default/shadow-1.4.1/HISTORY

@@ -0,0 +1,34 @@
+[1999/08/18]
+* version 1.4.1
+  - extconf.rb supports glibc2(libc6).
+  
+[1999/03/09]
+* version 1.4
+  - require ruby-1.3 or later version.
+  - sShadowPasswd,mShadow,eFileLock was renamed.
+  - FileLock class is inner class of Shadow Module.
+  - lock,unlock was changed.
+  - lock? method was added.
+  - getspent,fgetspent doesn't raise EOFError
+  - class hierarchy was changed.
+      Shadow Module
+       +  Passwd Module
+           + Entry Structure
+       +  Group Module (not implemented yet)
+           + Entry Structure (not implemented yet)
+       +  FileLock Class
+
+[1998/12/17]
+* version 1.3
+  - require ruby-1.1d0 or later version.
+
+[1998/10/31]
+* version 1.2
+  - only some bug fix.
+
+[1998/08/31]
+* version 1.1
+  - structure Shadow::ShadowPasswd is added.
+
+[1998/07/15]
+* version 1.0 released.

data/cookbooks/upstream/ruby-shadow/files/default/shadow-1.4.1/MANIFEST

@@ -0,0 +1,7 @@
+HISTORY
+MANIFEST
+README
+README.euc
+depend
+extconf.rb
+shadow.c

data/cookbooks/upstream/ruby-shadow/files/default/shadow-1.4.1/README

@@ -0,0 +1,79 @@
+Shadow Password module
+
+Copyright (C) 1998-1999 Takaaki Tateishi <ttate@jaist.ac.jp>
+Modified at: <1999/8/19 06:47:14 by ttate>
+License: Free for any use with your own risk!
+
+
+1. What's this
+
+This is the module which used when you access
+linux shadow password files.
+
+
+2. install
+
+ruby extconf.rb
+make
+(make install)
+
+* Note:
+  version 1.3 require the ruby-1.3 or later version.
+
+3. Shadow::Passwd module's methods
+
+getspent
+getspnam(name)
+setspent
+endspent
+fgetspent(file)
+sgetspent(str)
+putspent(entry,file)
+lckpwdf,lock
+ulckpwdf,unlock
+lock?
+
+4. Structure
+
+Shadow::Passwd::Entry (Struct::PasswdEntry)
+       sp_namp - pointer to null-terminated user name.
+       sp_pwdp - pointer to null-terminated password.
+       sp_lstchg  -  days  since  Jan  1,  1970 password was last
+                     changed.
+       sp_min - days before which password may not be changed.
+       sp_max - days after which password must be changed.
+       sp_warn - days before password is to expire that  user  is
+       warned of pending password expiration.
+       sp_inact  -  days  after  password expires that account is
+                    considered inactive and disabled.
+       sp_expire - days since Jan 1, 1970 when  account  will  be
+
+
+5. Description
+
+getspent,  getspname,  fgetspent and sgetspent each return
+a structure Shadow::Passwd::Entry.    getspent returns the
+next entry from the file,   and fgetspent returns the next
+entry from the given stream. sgetspent returns a structure
+Shadow::Passwd::Entry using the provided string as input.
+getspnam searches from the current position in the file for
+an entry matching name.
+if you get EOF from each operation, you will get nil.
+
+setspent and endspent may be used to begin and end, respe-
+ctively, access to the shadow password file.
+
+lckpwdf(lock) and ulckpwdf(unlock) methods should be used
+to insure exclusive access to the /etc/shadow file.
+when either method fail, Exception Shadow::FileLock is raised.
+if you use lock as the iterator, unlock is automatically called
+when you exit the iterator block.
+
+6. Reference
+
+* man shadow
+* /usr/include/shadow.h
+
+
+
+					ttate@jaist.ac.jp