
add ssh, default and user recipes

1 parent a7b483c commit 92c9acbf65986d5a92c537265173fae758871a92 @ilude committed May 9, 2012
23 default/recipes/default.rb
@@ -0,0 +1,23 @@
+include_recipe "ssh::server"
+include_recipe "users"
+include_recipe "ssmtp"
+
+user node[:user][:name] do
+ gid "adm"
+ home "/home/#{node[:user][:name]}"
+ supports manage_home: true
+ shell "/bin/bash"
+end
+
+directory "/home/#{node[:user][:name]}/.ssh" do
+ owner node[:user][:name]
+ group node[:user][:name]
+ mode "0700"
+end
+
+remotefile "/home/#{node[:user][:name]}/.ssh/authorized_keys" do
+ source "https://raw.github.com/gist/2647943/vagabond.pub"
+ owner node[:user][:name]
+ group node[:user][:name]
+ mode "0600"
+end
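Review bot: The `authorized_keys` fetched by the remotefile resource has no `checksum`, so whatever raw.github.com serves for that gist at converge time becomes the user's only login credential — the sshd_config added in this same commit turns password logins off, so a changed or substituted gist silently changes who can SSH in. Pin the content with `checksum "<sha256 of vagabond.pub>"` (placeholder) or, better, ship the public key as a cookbook file so it is versioned and reviewed with the cookbook. Also, the resource Chef documents is `remote_file`; confirm that `remotefile` resolves in the Chef version in use, and the same question applies to `cookbookfile` in ssh/recipes/server.rb.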
27 nagios/templates/default/nginx.server.nagios.conf.erb
@@ -1,32 +1,39 @@
access_log /var/log/nginx/nagios.access.log;
- error_log /var/log/nginx/nagios.error.log info;
+ error_log /var/log/nginx/nagios.error.log warn;
- expires 31d;
+ auth_basic "Nagios Restricted Access";
+ auth_basic_user_file /etc/nagios3/htpasswd.users;
- root /usr/share/nagios3/htdocs;
+ root /usr/share/nagios3/htdocs;
index index.php index.html;
- auth_basic "Nagios Restricted Access";
- auth_basic_user_file /etc/nagios3/htpasswd.users;
+
+ location /nagios3/stylesheets {
+ alias /etc/nagios3/stylesheets;
+ }
location /stylesheets {
alias /etc/nagios3/stylesheets;
}
+ location /nagios3/images {
+ alias /usr/share/nagios3/htdocs/images;
+ }
+
+
location ~ \.cgi$ {
root /usr/lib/cgi-bin/nagios3;
+ include /etc/nginx/fastcgi_params;
rewrite ^/cgi-bin/nagios3/(.*)$ /$1;
- include /etc/nginx/fastcgi_params;
-
fastcgi_param AUTH_USER $remote_user;
fastcgi_param REMOTE_USER $remote_user;
- fastcgi_param SCRIPT_FILENAME /usr/lib/cgi-bin/nagios3$fastcgi_script_name;
- fastcgi_pass fcgiwrap;
+ fastcgi_param SCRIPT_FILENAME /usr/lib/cgi-bin/nagios3$fastcgi_script_name;
+ fastcgi_pass fcgi;
}
location ~ \.php$ {
include /etc/nginx/fastcgi_params;
fastcgi_pass php;
- }
+ }
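Review bot: `fastcgi_pass fcgi;` in the `.cgi` location renames the upstream from `fcgiwrap` to `fcgi`, and nothing in this commit defines an upstream by that name; unless it already exists in the nginx configuration outside this template, nginx will refuse to load the vhost. Moving `auth_basic`/`auth_basic_user_file` to the top of the file is what makes the `$remote_user` passed as `AUTH_USER`/`REMOTE_USER` meaningful — the Nagios CGIs authorize on that value — so it deserves a comment such as `# keep at server scope: every location below must inherit auth_basic; the .cgi block passes $remote_user to Nagios as REMOTE_USER`. Whether this file is included inside a `server {}` block is not visible here.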
87 ssh/files/default/sshd_config
@@ -0,0 +1,87 @@
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 30
+PermitRootLogin no
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
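Review bot: `X11Forwarding yes` is enabled on what this cookbook treats as a headless, key-only server; forwarding is not needed for admin shells and lets a process on a compromised server reach the connecting client's X display, so set `X11Forwarding no`. The protocol-1 settings (`KeyRegenerationInterval`, `ServerKeyBits`, `RSAAuthentication`, `RhostsRSAAuthentication`) are dead with `Protocol 2` and can be dropped to keep the file reviewable. `UsePAM yes` together with `PasswordAuthentication no` and `ChallengeResponseAuthentication no` is the intended combination per the trailing comment; a one-line note that this is deliberate would help, since flipping either option later would re-enable password logins for the provisioned user.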
15 ssh/recipes/server.rb
@@ -0,0 +1,15 @@
+service "ssh" do
+ provider Chef::Provider::Service::Upstart
+ supports :status => true, :restart => true, :start => true, :stop => true
+end
+
+cookbookfile "/etc/ssh/sshd_config" do
+ source "sshd_config"
+ mode "0644"
+ notifies :restart, resources(:service => "ssh")
+end
+
+service "ssh" do
+ provider Chef::Provider::Service::Upstart
+ action [:enable, :start]
+end
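Review bot: `service "ssh"` is declared twice under the same name, so the `notifies :restart, resources(:service => "ssh")` lookup on the cookbookfile resource binds to one of two entries for the same service, and how Chef treats duplicate resource names (attribute cloning with a warning, or an error in newer releases) depends on the version. Fold them into one resource declared before the config file: add `action [:enable, :start]` to the first `service "ssh"` block and delete the second. Separately, a restart triggered by a broken `sshd_config` fails and leaves no way back into a key-only host; validating with `sshd -t` before the restart is notified would catch syntax errors first.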
4 ssmtp/recipes/default.rb
@@ -10,6 +10,6 @@
mode "0644"
end
-link "/usr/sbin/ssmtp" do
- to "/usr/bin/mail"
+package "mailutils" do
+ action :install
end
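Review bot: Nodes that already converged the old recipe keep `/usr/sbin/ssmtp` as a symlink to `/usr/bin/mail`, which shadows the real ssmtp binary (the intent was presumably the reverse); installing `mailutils` does not undo that, so a cleanup step is needed, e.g. `link "/usr/sbin/ssmtp" do action :delete end` — Chef's link resource should only act on an actual symlink, but confirm that for the version in use. `action :install` is the package resource's default and can be omitted: `package "mailutils"`.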
15 users/recipes/default.rb
@@ -7,3 +7,18 @@
mode "0644"
end
+template "default.bashrc" do
+ path "/etc/skel/.bashrc"
+ source "bashrc.erb"
+ owner "root"
+ group "root"
+ mode "0644"
+end
+
+template "default.bashrc" do
+ path "/root/.bashrc"
+ source "bashrc.erb"
+ owner "root"
+ group "root"
+ mode "0644"
+end
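Review bot: Both `template` resources carry the same name `"default.bashrc"`, so Chef of that era treats the second as a duplicate of the first and clones its attributes (with a warning in later releases) before applying the `path` override; the recipe converges, but the collection holds two entries under one name and any `resources(:template => "default.bashrc")` lookup becomes ambiguous. Name each by its path and drop `path`: `template "/etc/skel/.bashrc" do` and `template "/root/.bashrc" do`. The `bashrc.erb` added in this commit contains no ERB tags, so a `cookbook_file` would deliver the same content without an ERB pass.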
105 users/templates/default/bashrc.erb
@@ -0,0 +1,105 @@
+# ~/.bashrc: executed by bash(1) for non-login shells.
+# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
+# for examples
+
+# If not running interactively, don't do anything
+[ -z "$PS1" ] && return
+
+# don't put duplicate lines or lines starting with space in the history.
+# See bash(1) for more options
+HISTCONTROL=ignoreboth
+
+# append to the history file, don't overwrite it
+shopt -s histappend
+
+# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
+HISTSIZE=1000
+HISTFILESIZE=2000
+
+# check the window size after each command and, if necessary,
+# update the values of LINES and COLUMNS.
+shopt -s checkwinsize
+
+# If set, the pattern "**" used in a pathname expansion context will
+# match all files and zero or more directories and subdirectories.
+#shopt -s globstar
+
+# make less more friendly for non-text input files, see lesspipe(1)
+[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
+
+# set variable identifying the chroot you work in (used in the prompt below)
+if [ -z "$debian_chroot" ] && [ -r /etc/debian_chroot ]; then
+ debian_chroot=$(cat /etc/debian_chroot)
+fi
+
+# set a fancy prompt (non-color, unless we know we "want" color)
+case "$TERM" in
+ xterm-color) color_prompt=yes;;
+esac
+
+# uncomment for a colored prompt, if the terminal has the capability; turned
+# off by default to not distract the user: the focus in a terminal window
+# should be on the output of commands, not on the prompt
+#force_color_prompt=yes
+
+if [ -n "$force_color_prompt" ]; then
+ if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
+ # We have color support; assume it's compliant with Ecma-48
+ # (ISO/IEC-6429). (Lack of such support is extremely rare, and such
+ # a case would tend to support setf rather than setaf.)
+ color_prompt=yes
+ else
+ color_prompt=
+ fi
+fi
+
+if [ "$color_prompt" = yes ]; then
+ PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
+else
+ PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
+fi
+unset color_prompt force_color_prompt
+
+# If this is an xterm set the title to user@host:dir
+case "$TERM" in
+xterm*|rxvt*)
+ PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
+ ;;
+*)
+ ;;
+esac
+
+# enable color support of ls and also add handy aliases
+if [ -x /usr/bin/dircolors ]; then
+ test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
+ alias ls='ls --color=auto'
+ #alias dir='dir --color=auto'
+ #alias vdir='vdir --color=auto'
+
+ alias grep='grep --color=auto'
+ alias fgrep='fgrep --color=auto'
+ alias egrep='egrep --color=auto'
+fi
+
+# some more ls aliases
+alias l='ls -la'
+
+# Add an "alert" alias for long running commands. Use like so:
+# sleep 10; alert
+alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"'
+
+# Alias definitions.
+# You may want to put all your additions into a separate file like
+# ~/.bash_aliases, instead of adding them here directly.
+# See /usr/share/doc/bash-doc/examples in the bash-doc package.
+
+if [ -f ~/.bash_aliases ]; then
+ . ~/.bash_aliases
+fi
+
+# enable programmable completion features (you don't need to enable
+# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
+# sources /etc/bash.bashrc).
+if [ -f /etc/bash_completion ] && ! shopt -oq posix; then
+ . /etc/bash_completion
+fi
