ubuntu-machine 0.5.3.2.25

data/lib/capistrano/ext/ubuntu-machine/templates/apache2.erb

@@ -0,0 +1,7 @@
+NameVirtualHost *:80
+
+<IfModule mod_ssl.c>
+    NameVirtualHost *:443
+</IfModule>
+
+ServerName <%= server_name %>

data/lib/capistrano/ext/ubuntu-machine/templates/deflate.conf.erb

@@ -0,0 +1,3 @@
+<IfModule mod_deflate.c>
+	AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml
+</IfModule>

data/lib/capistrano/ext/ubuntu-machine/templates/freetds.conf.erb

@@ -0,0 +1,8 @@
+[global]
+  tds version = 4.2
+  text size = 64512
+
+[<%= odbc_sourcename %>]
+#	host = <%= odbc_host %>
+#	port = <%= odbc_port %>
+	tds version = <%= odbc_tds_version rescue '8.0' %>

data/lib/capistrano/ext/ubuntu-machine/templates/iptables.erb

@@ -0,0 +1,46 @@
+*filter
+
+
+#  Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
+
+
+#  Accepts all established inbound connections
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+
+#  Allows all outbound traffic
+#  You can modify this to only allow certain traffic
+-A OUTPUT -j ACCEPT
+
+
+# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
+-A INPUT -p tcp --dport 80 -j ACCEPT
+-A INPUT -p tcp --dport 443 -j ACCEPT
+
+
+#  Allows SSH connections
+#
+# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
+#
+-A INPUT -p tcp -m state --state NEW --dport <%= ssh_options[:port] %> -j ACCEPT
+
+<% if hosting_provider=="ovh-rps" %>
+# allow packets from SAN, only for ovh-rps
+-A OUTPUT -p tcp --dport 3260 -j ACCEPT
+<% end %>
+
+# Allow ping
+-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
+
+
+# log iptables denied calls
+-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
+
+
+# Reject all other inbound - default deny unless explicitly allowed policy
+-A INPUT -j REJECT
+-A FORWARD -j REJECT
+
+COMMIT

data/lib/capistrano/ext/ubuntu-machine/templates/my.cnf.erb

@@ -0,0 +1,3 @@
+[mysqladmin] 
+  user            = root
+  password        = will-be-changed-so-dont-mind-it

data/lib/capistrano/ext/ubuntu-machine/templates/new_db.erb

@@ -0,0 +1,5 @@
+CREATE DATABASE  `<%= db_name %>` DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;
+CREATE USER '<%= db_username %>'@'localhost' IDENTIFIED BY  '<%= db_user_password %>';
+GRANT USAGE ON * . * TO  '<%= db_username %>'@'localhost' IDENTIFIED BY  '<%= db_user_password %>' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
+GRANT ALL PRIVILEGES ON  `<%= db_name %>` . * TO  '<%= db_username %>'@'localhost' WITH GRANT OPTION ;
+FLUSH PRIVILEGES ;

data/lib/capistrano/ext/ubuntu-machine/templates/ntp.conf.erb

@@ -0,0 +1,16 @@
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+filegen clockstats file clockstats type day enable
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+restrict -4 default kod notrap nomodify nopeer noquery
+restrict -6 default kod notrap nomodify nopeer noquery
+restrict 10.13.0.0 mask 255.255.255.0 nomodify notrap
+restrict 10.14.0.0 mask 255.255.255.0 nomodify notrap
+restrict 127.0.0.1
+restrict ::1
+<% ntp_pool_servers.each_with_index do |ntp_server,index|%>
+<%= "server #{ntp_server} #{index == 0 ? 'iburst' : ''}" %>
+<% end %>
+statistics loopstats peerstats clockstats

data/lib/capistrano/ext/ubuntu-machine/templates/ntpdate.erb

@@ -0,0 +1,13 @@
+# The settings in this file are used by the program ntpdate-debian, but not
+# by the upstream program ntpdate.
+
+# Set to "yes" to take the server list from /etc/ntp.conf, from package ntp,
+# so you only have to keep it in one place.
+NTPDATE_USE_NTP_CONF=yes
+
+# List of NTP servers to use  (Separate multiple servers with spaces.)
+# Not used if NTPDATE_USE_NTP_CONF is yes.
+NTPSERVERS="ntp.ubuntu.com"
+
+# Additional options to pass to ntpdate
+NTPOPTIONS=""

data/lib/capistrano/ext/ubuntu-machine/templates/odbc.ini.erb

@@ -0,0 +1,8 @@
+[<%= odbc_sourcename %>]
+Driver      = FreeTDS
+Description = ODBC Connection via FreeTDS
+Trace       = No
+Server      = <%= odbc_host %>
+Port        = <%= odbc_port %>
+TDS Version = <%= odbc_tds_version rescue '8.0' %>
+Database    = <%= odbc_database %>

data/lib/capistrano/ext/ubuntu-machine/templates/odbcinst.ini.erb

@@ -0,0 +1,7 @@
+[FreeTDS]
+Description = TDS driver (Sybase/MS SQL)
+Driver      = /usr/lib/odbc/libtdsodbc.so
+Setup       = /usr/lib/odbc/libtdsS.so
+CPTimeout   =
+CPReuse     =
+FileUsage   = 1

data/lib/capistrano/ext/ubuntu-machine/templates/passenger.conf.erb

@@ -0,0 +1,2 @@
+PassengerRoot /opt/<%= ruby_enterprise_version %>/lib/ruby/gems/1.8/gems/passenger-<%= passenger_version %>
+PassengerRuby /opt/<%= ruby_enterprise_version %>/bin/ruby

data/lib/capistrano/ext/ubuntu-machine/templates/passenger.load.erb

@@ -0,0 +1 @@
+LoadModule passenger_module /opt/<%= ruby_enterprise_version %>/lib/ruby/gems/1.8/gems/passenger-<%= passenger_version %>/ext/apache2/mod_passenger.so

data/lib/capistrano/ext/ubuntu-machine/templates/sources.jaunty.erb

@@ -0,0 +1,55 @@
+# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
+# newer versions of the distribution. 
+# Copied here by ubuntu machine 
+
+deb http://archive.ubuntu.com/ubuntu/ jaunty main restricted
+deb-src http://archive.ubuntu.com/ubuntu/ jaunty main restricted
+
+## Major bug fix updates produced after the final release of the
+## distribution. 
+deb http://archive.ubuntu.com/ubuntu/ jaunty-updates main restricted
+deb-src http://archive.ubuntu.com/ubuntu/ jaunty-updates main restricted
+
+## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
+## team, and may not be under a free licence. Please satisfy yourself as to
+## your rights to use the software. Also, please note that software in 
+## universe WILL NOT receive any review or updates from the Ubuntu security
+## team. 
+deb http://archive.ubuntu.com/ubuntu/ jaunty universe 
+deb-src http://archive.ubuntu.com/ubuntu/ jaunty universe 
+deb http://archive.ubuntu.com/ubuntu/ jaunty-updates universe 
+deb-src http://archive.ubuntu.com/ubuntu/ jaunty-updates universe 
+
+## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu 
+## team, and may not be under a free licence. Please satisfy yourself as to 
+## your rights to use the software. Also, please note that software in 
+## multiverse WILL NOT receive any review or updates from the Ubuntu 
+## security team. 
+deb http://archive.ubuntu.com/ubuntu/ jaunty multiverse 
+deb-src http://archive.ubuntu.com/ubuntu/ jaunty multiverse 
+deb http://archive.ubuntu.com/ubuntu/ jaunty-updates multiverse 
+deb-src http://archive.ubuntu.com/ubuntu/ jaunty-updates multiverse 
+
+## Uncomment the following two lines to add software from the 'backports'
+## repository. 
+## N.B. software from this repository may not have been tested as 
+## extensively as that contained in the main release, although it includes
+## newer versions of some applications which may provide useful features. 
+## Also, please note that software in backports WILL NOT receive any review
+## or updates from the Ubuntu security team. 
+# deb http://cl.archive.ubuntu.com/ubuntu/ jaunty-backports main restricted universe multiverse
+# deb-src http://cl.archive.ubuntu.com/ubuntu/ jaunty-backports main restricted universe multiverse
+
+## Uncomment the following two lines to add software from Canonical's
+## 'partner' repository. This software is not part of Ubuntu, but is 
+## offered by Canonical and the respective vendors as a service to Ubuntu
+## users. 
+# deb http://archive.canonical.com/ubuntu jaunty partner 
+# deb-src http://archive.canonical.com/ubuntu jaunty partner 
+
+deb http://archive.ubuntu.com/ubuntu/ jaunty-security main restricted
+deb-src http://archive.ubuntu.com/ubuntu/ jaunty-security main restricted
+deb http://archive.ubuntu.com/ubuntu/ jaunty-security universe 
+deb-src http://archive.ubuntu.com/ubuntu/ jaunty-security universe 
+deb http://archive.ubuntu.com/ubuntu/ jaunty-security multiverse 
+deb-src http://archive.ubuntu.com/ubuntu/ jaunty-security multiverse

data/lib/capistrano/ext/ubuntu-machine/templates/sources.lucid.erb

@@ -0,0 +1,22 @@
+#############################################################
+################### OFFICIAL UBUNTU REPOS ###################
+#############################################################
+
+###### Ubuntu Main Repos
+deb http://nl.archive.ubuntu.com/ubuntu/ lucid main restricted universe multiverse 
+deb-src http://nl.archive.ubuntu.com/ubuntu/ lucid main restricted universe multiverse 
+
+###### Ubuntu Update Repos
+deb http://nl.archive.ubuntu.com/ubuntu/ lucid-security main restricted universe multiverse 
+deb http://nl.archive.ubuntu.com/ubuntu/ lucid-updates main restricted universe multiverse 
+deb http://nl.archive.ubuntu.com/ubuntu/ lucid-proposed main restricted universe multiverse 
+deb http://nl.archive.ubuntu.com/ubuntu/ lucid-backports main restricted universe multiverse 
+deb-src http://nl.archive.ubuntu.com/ubuntu/ lucid-security main restricted universe multiverse 
+deb-src http://nl.archive.ubuntu.com/ubuntu/ lucid-updates main restricted universe multiverse 
+deb-src http://nl.archive.ubuntu.com/ubuntu/ lucid-proposed main restricted universe multiverse 
+deb-src http://nl.archive.ubuntu.com/ubuntu/ lucid-backports main restricted universe multiverse 
+
+###### Ubuntu Partner Repo
+deb http://archive.canonical.com/ubuntu lucid partner
+deb-src http://archive.canonical.com/ubuntu lucid partner
+

data/lib/capistrano/ext/ubuntu-machine/templates/sshd_config.erb

@@ -0,0 +1,80 @@
+# Package generated configuration file
+# See the sshd(8) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port <%= ssh_options[:port] %>
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin yes # allow it to enable OVH to connect to your server
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+AuthorizedKeysFile	.ssh/authorized_keys2
+UsePam yes
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding no
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+KeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+UseDNS no
+
+AllowUsers <%= user %>

data/lib/capistrano/ext/ubuntu-machine/templates/vhost.erb

@@ -0,0 +1,17 @@
+<VirtualHost *:80>
+
+  # Admin email, Server Name (domain name) and any aliases
+  ServerAdmin <%= server_admin %>
+  ServerName  <%= server_name %>
+  ServerAlias <%= server_alias %>
+
+  # Index file and Document Root (where the public files are located)
+  DirectoryIndex <%= directory_index %>
+  DocumentRoot /home/<%= user %>/websites/<%= server_name %>/public
+
+  # Custom log file locations
+  LogLevel warn
+  ErrorLog  /home/<%= user %>/websites/<%= server_name %>/logs/error.log
+  CustomLog /home/<%= user %>/websites/<%= server_name %>/logs/access.log combined
+
+</VirtualHost>

data/lib/capistrano/ext/ubuntu-machine/templates/vsftpd.conf.erb

@@ -0,0 +1,158 @@
+# Example config file /etc/vsftpd.conf
+#
+# The default compiled in settings are fairly paranoid. This sample file
+# loosens things up a bit, to make the ftp daemon more usable.
+# Please see vsftpd.conf.5 for all compiled in defaults.
+#
+# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
+# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
+# capabilities.
+#
+#
+# Run standalone?  vsftpd can run either from an inetd or as a standalone
+# daemon started from an initscript.
+#listen=YES
+#
+# Run standalone with IPv6?
+# Like the listen parameter, except vsftpd will listen on an IPv6 socket
+# instead of an IPv4 one. This parameter and the listen parameter are mutually
+# exclusive.
+#listen_ipv6=YES
+#
+# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
+#anonymous_enable=YES
+#
+# Uncomment this to allow local users to log in.
+#local_enable=YES
+#
+# Uncomment this to enable any form of FTP write command.
+#write_enable=YES
+#
+# Default umask for local users is 077. You may wish to change this to 022,
+# if your users expect that (022 is used by most other ftpd's)
+#local_umask=022
+#
+# Uncomment this to allow the anonymous FTP user to upload files. This only
+# has an effect if the above global write enable is activated. Also, you will
+# obviously need to create a directory writable by the FTP user.
+#anon_upload_enable=YES
+#
+# Uncomment this if you want the anonymous FTP user to be able to create
+# new directories.
+#anon_mkdir_write_enable=YES
+#
+# Activate directory messages - messages given to remote users when they
+# go into a certain directory.
+#dirmessage_enable=YES
+#
+# Activate logging of uploads/downloads.
+#xferlog_enable=YES
+#
+# Make sure PORT transfer connections originate from port 20 (ftp-data).
+#connect_from_port_20=YES
+#
+# If you want, you can arrange for uploaded anonymous files to be owned by
+# a different user. Note! Using "root" for uploaded files is not
+# recommended!
+#chown_uploads=YES
+#chown_username=whoever
+#
+# You may override where the log file goes if you like. The default is shown
+# below.
+#xferlog_file=/var/log/vsftpd.log
+#
+# If you want, you can have your log file in standard ftpd xferlog format
+#xferlog_std_format=YES
+#
+# You may change the default value for timing out an idle session.
+#idle_session_timeout=600
+#
+# You may change the default value for timing out a data connection.
+#data_connection_timeout=120
+#
+# It is recommended that you define on your system a unique user which the
+# ftp server can use as a totally isolated and unprivileged user.
+#nopriv_user=ftpsecure
+#
+# Enable this and the server will recognise asynchronous ABOR requests. Not
+# recommended for security (the code is non-trivial). Not enabling it,
+# however, may confuse older FTP clients.
+#async_abor_enable=YES
+#
+# By default the server will pretend to allow ASCII mode but in fact ignore
+# the request. Turn on the below options to have the server actually do ASCII
+# mangling on files when in ASCII mode.
+# Beware that on some FTP servers, ASCII support allows a denial of service
+# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
+# predicted this attack and has always been safe, reporting the size of the
+# raw file.
+# ASCII mangling is a horrible feature of the protocol.
+#ascii_upload_enable=YES
+#ascii_download_enable=YES
+#
+# You may fully customise the login banner string:
+#ftpd_banner=Welcome to blah FTP service.
+#
+# You may specify a file of disallowed anonymous e-mail addresses. Apparently
+# useful for combatting certain DoS attacks.
+#deny_email_enable=YES
+# (default follows)
+#banned_email_file=/etc/vsftpd.banned_emails
+#
+# You may restrict local users to their home directories.  See the FAQ for
+# the possible risks in this before using chroot_local_user or
+# chroot_list_enable below.
+#chroot_local_user=YES
+#
+# You may specify an explicit list of local users to chroot() to their home
+# directory. If chroot_local_user is YES, then this list becomes a list of
+# users to NOT chroot().
+#chroot_list_enable=YES
+# (default follows)
+#chroot_list_file=/etc/vsftpd.chroot_list
+#
+# You may activate the "-R" option to the builtin ls. This is disabled by
+# default to avoid remote users being able to cause excessive I/O on large
+# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
+# the presence of the "-R" option, so there is a strong case for enabling it.
+#ls_recurse_enable=YES
+#
+#
+# Debian customization
+#
+# Some of vsftpd's settings don't fit the Debian filesystem layout by
+# default.  These settings are more Debian-friendly.
+#
+# This option should be the name of a directory which is empty.  Also, the
+# directory should not be writable by the ftp user. This directory is used
+# as a secure chroot() jail at times vsftpd does not require filesystem
+# access.
+secure_chroot_dir=/var/run/vsftpd
+#
+# This string is the name of the PAM service vsftpd will use.
+pam_service_name=vsftpd
+#
+# This option specifies the location of the RSA certificate to use for SSL
+# encrypted connections.
+rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+# This option specifies the location of the RSA key to use for SSL
+# encrypted connections.
+rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+
+# We run from init.d
+listen=YES
+# We do not want anons connecting nor uploading
+anonymous_enable=NO
+anon_upload_enable=NO
+# We want local users connecting/writing
+local_enable=YES
+write_enable=YES
+# Files are initially created as Owner/Group read/write
+file_open_mode=0660
+local_umask=0007
+# No need for active directory messages
+dirmessage_enable=NO
+xferlog_enable=YES
+connect_from_port_20=YES
+# Jail that local user!
+chroot_local_user=YES