Merge branch 'master' of git://github.com/niteoweb/niteoweb.fabfile

commit 0bdf75b448f74a73e0cff06cd56c202877bd5e07 2 parents 644869a + dbd30ac
@jcerjak authored
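--- a/README.rst
+++ b/README.rst
@@ -1 +1 @@
-See `docs/README.rst <https://github.com/nzupan/niteoweb.fabfile/blob/master/docs/README.rst>`_.
+See `docs/README.rst <https://github.com/niteoweb/niteoweb.fabfile/blob/master/docs/README.rst>`_.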
34 docs/HISTORY.rst
@@ -1,18 +1,52 @@
Changelog
=========
+2.2.2 (2012-02-09)
+------------------
+
+- Use ``--force`` when purging old Duplicity backups so it also purges
+ old incomplete backups.
+ [zupo]
+
+- Instructions on how to setup iOS or OS X to connect to IPsec server.
+ [zupo]
+
+
+2.2.1 (2012-01-25)
+------------------
+
+- Fixed GitHub's URLs to point to github.com/niteoweb.
+ [zupo]
+
+
+2.2 (2012-01-25)
+----------------
+
+- Fabric step for installing `IPsec`.
+ [zupo]
+
+- Use sudo when configuring rkhunter.
+ [zupo]
+
+- Moved config files in ``docs`` to ``docs/etc/`` folder so they don't mix with
+ Sphinx files.
+ [zupo]
+
+
2.1.3 (2011-12-23)
------------------
- Run `bootstrap` and `buildout` with ``prod_user``, not with `root`.
[zupo]
+
2.1.2 (2011-12-23)
------------------
- Use ``prod_user`` from ``opts`` and not from ``env``.
[zupo]
+
2.1.1 (2011-12-23)
------------------
2  docs/README.rst
@@ -9,7 +9,7 @@ hardcoded internal stuff, so they are not really usable out-of-the-box, more so
as a point of reference. If there is interest, we'll rewrite them to be more
reusable.
-* `Source code @ GitHub <http://github.com/nzupan/niteoweb.fabfile>`_
+* `Source code @ GitHub <http://github.com/niteoweb/niteoweb.fabfile>`_
* `Releases @ PyPI <http://pypi.python.org/pypi/niteoweb.fabfile>`_
* `Sphinx docs @ ReadTheDocs <http://readthedocs.org/docs/niteowebfabfile>`_
0  docs/bacula-fd.conf.in → docs/etc/bacula-fd.conf.in
File renamed without changes
0  docs/bacula-master.conf.in → docs/etc/bacula-master.conf.in
File renamed without changes
8 docs/duplicity.sh.in → docs/etc/duplicity.sh.in
@@ -26,12 +26,12 @@ export FTP_PASSWORD
# backup.
if [ $date = 01 ]
then
-duplicity remove-older-than 2M -v5 ftp://${pass:hetzner_ftp_user}@${pass:hetzner_ftp_user}.your-backup.de/system >>/var/log/duplicity.log
-duplicity full -v5 --exclude-filelist /etc/duplicityfilelist.conf / ftp://${pass:hetzner_ftp_user}@${pass:hetzner_ftp_user}.your-backup.de/system >>/var/log/duplicity.log
+duplicity --timeout 120 remove-older-than 2M -v5 --force ftp://${pass:hetzner_ftp_user}@${pass:hetzner_ftp_user}.your-backup.de/system >>/var/log/duplicity.log
+duplicity --timeout 120 full -v5 --exclude-filelist /etc/duplicityfilelist.conf / ftp://${pass:hetzner_ftp_user}@${pass:hetzner_ftp_user}.your-backup.de/system >>/var/log/duplicity.log
else
-duplicity remove-older-than 2M -v5 ftp://${pass:hetzner_ftp_user}@${pass:hetzner_ftp_user}.your-backup.de/system >>/var/log/duplicity.log
-duplicity incremental -v5 --exclude-filelist /etc/duplicityfilelist.conf / ftp://${pass:hetzner_ftp_user}@${pass:hetzner_ftp_user}.your-backup.de/system >>/var/log/duplicity.log
+duplicity --timeout 120 remove-older-than 2M -v5 --force ftp://${pass:hetzner_ftp_user}@${pass:hetzner_ftp_user}.your-backup.de/system >>/var/log/duplicity.log
+duplicity --timeout 120 incremental -v5 --exclude-filelist /etc/duplicityfilelist.conf / ftp://${pass:hetzner_ftp_user}@${pass:hetzner_ftp_user}.your-backup.de/system >>/var/log/duplicity.log
fi
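Review bot: Every duplicity command on the added lines still redirects only stdout into /var/log/duplicity.log, so an error from the forced purge or a transfer aborted by the new `--timeout 120` is written to stderr and never reaches the log; add `2>&1` after each `>>/var/log/duplicity.log`. No exit status is checked either, so the `full`/`incremental` run proceeds after a failed purge and cron sees a script that exited 0; `set -e` near the top of the script (outside this hunk) or `&&` between the two commands in each branch would surface that. The login exported in `FTP_PASSWORD` and the archive itself travel over plain `ftp://`, so a comment stating whether duplicity's own encryption is relied on for the data, and that the FTP credentials are sent unprotected, would help whoever maintains this template. The script's beginning lies outside the hunk.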
0  docs/duplicityfilelist.conf → docs/etc/duplicityfilelist.conf
File renamed without changes
0  docs/nginx.conf → docs/etc/nginx.conf
File renamed without changes
2  docs/etc/psk.txt.in
@@ -0,0 +1,2 @@
+# group group-secret
+sudo ${pass:ipsec}
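Review bot: The template gives no hint that the rendered `etc/psk.txt` holds the group secret in plaintext inside the buildout directory, from where `configure_racoon` uploads it to the server; a header comment such as `# Rendered by buildout into etc/psk.txt -- contains the plaintext group secret, keep that file out of version control` would make that explicit. The group name `sudo` on the second line has to match `auth_groups` in racoon.conf.in and the group name entered on the clients, which is worth stating on the same comment line so the three places are not changed independently.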
55 docs/etc/racoon.conf.in
@@ -0,0 +1,55 @@
+# The listen group specifies the IP’s to bind on.
+# The path directives tell racoon where to find its other configuration files.
+path pre_shared_key "/etc/racoon/psk.txt";
+
+# Next up is a remote section, specifying the phase 1 settings. Normal IPsec
+# tunnels are point-to-point. You can configure the tunnel statically on both
+# ends. Here we are setting up a roaming tunnel: we don’t know where the client
+# is. This has some implications:
+# * the server can never initiate the connection (since the IP of the client(s)
+# are unknown)
+# * The client’s tunnel-IP needs to be assigned from the server. This minimizes
+# client-side configuration
+# * The client must authenticate itself using a username/password combo.
+remote anonymous { # Do not filter on source IP, anyone can connect to this tunnel
+ passive on; # Don't initiate, only listen
+ exchange_mode main,aggressive; # Accept both modes
+ my_identifier fqdn "ipsec"; # Identify ourselves with this name
+ mode_cfg on; # configure the client's IP address using mode configuration
+ verify_cert off; # Don't check client certificate
+ ike_frag on; # Announce IKE-fragmentation support
+ generate_policy on; # automatically install SPD's
+ nat_traversal on; # Support NAT traversal
+ dpd_delay 20; # Disconnect dead clients after 20 seconds
+ proposal { # Phase 1 parameters
+ encryption_algorithm aes;
+ hash_algorithm sha1;
+ authentication_method xauth_psk_server; # Require PreSharedKey group authentication and username/password user authentication
+ dh_group 2;
+ }
+}
+
+# Next section is the mode configuration. This is sometimes called phase 1.5,
+# because it happens between phase 1 and phase 2. In this step, the client is
+# authenticated.
+mode_cfg {
+ auth_source system; # Authenticate against Linux users
+ save_passwd on; # Allow users to save passwords
+
+ group_source system; # Verify group membership in Linux groups
+ auth_groups "sudo"; # Require users to be member of this group in order to connect
+
+ network4 10.0.0.0; # Give clients addresses starting from this address
+ pool_size 255; # up to 255 addresses higher
+
+ dns4 8.8.8.8; # Use Google's public DNS
+ dns4 8.8.4.4;
+}
+
+# The sainfo section specifies the parameters to use for phase 2, the actual
+# data-encryption
+sainfo anonymous {
+ encryption_algorithm aes;
+ authentication_algorithm hmac_sha1;
+ compression_algorithm deflate;
+}
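Review bot: `auth_groups "sudo";` makes membership of the gateway's administrative group the condition for VPN access, so every road-warrior account also has to be a full sudoer on this host; a dedicated group (for example `vpn`) in this line, in the `# group group-secret` entry of psk.txt.in and in the client documentation would keep remote access and local administration separate. `exchange_mode main,aggressive;` together with `remote anonymous` and a single group PSK means any peer on the Internet can complete enough of an aggressive-mode phase 1 to be handed material for offline guessing of the group secret, so the comment on that line should say that `${pass:ipsec}` must be long and random and that `main` alone is preferable where the clients support it. Phase 1 and 2 use `dh_group 2`, `sha1` and default-length `aes`; if the target platform's racoon accepts it, `dh_group 14` is the stronger choice, and either way a comment recording why these parameters were chosen would help. The opening comment describes a `listen` group that the file does not contain; drop the sentence or add the block it refers to.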
1  docs/index.rst
@@ -9,6 +9,7 @@ Table of Contents
hq.rst
projects.rst
bacula.rst
+ ipsec.rst
api.rst
.. include:: FUTURE.rst
145 docs/ipsec.rst
@@ -0,0 +1,145 @@
+============
+IPsec server
+============
+
+This is how to setup an IPsec server in your office so you can remotely
+access your internal LAN when you are on the road and also have all
+traffic encrypted when sitting in a cafe and using a public network.
+
+Prerequisities
+--------------
+
+You router needs to forward ports 500 and 4500 to your IPsec server.
+
+
+Sample fabfile
+--------------
+
+Below is a ``fabfile.py.in`` buildout template that uses commands from `Server`
+group to set up an IPsec server (based on Ubuntu 10.04).
+
+.. sourcecode:: python
+
+ import os
+ from fabric.api import env
+ from fabric.api import settings
+ from fabric.api import sudo
+
+ from niteoweb.fabfile.server import *
+
+ env.path = os.getcwd()
+ env.hosts = ['${ips:server}']
+ env.server_ip = '${ips:server}'
+ env.shortname = '${config:shortname}'
+ env.hostname = '${config:hostname}'
+ env.temp_root_pass = '${pass:temp_root}'
+
+ env.email = 'maintenance@company.com'
+ env.admins = ['bob', 'jane', ]
+
+ def deploy():
+ """The highest-level meta-command for deploying Plone to the server.
+ Use this command only on a fresh and clean server."""
+
+ with settings(user='root', password=env.temp_root_pass):
+ create_admin_accounts(default_password='secret123')
+
+ # security
+ harden_sshd()
+ disable_root_login()
+
+ # bootstrap server
+ set_hostname()
+ set_system_time()
+ install_unattended_upgrades()
+ install_sendmail()
+ install_rkhunter()
+
+ # install software stack
+ install_ipsec()
+
+
+Sample buildout.cfg
+-------------------
+
+This ``fabfile.py`` template has a dependency on the `niteoweb.fabfile` package
+and also expects to find certain buildout values and config files in certain
+directories. Here's a sample ``buildout.cfg`` that you can use to prepare an
+environment for using this ``fabfile.py.in``. Save the ``fabfile.py.in`` in
+``etc/`` directory in your buildout.
+
+::
+
+ [buildout]
+ unzip = true
+ newest = false
+ extensions = buildout.dumppickedversions
+ prefer-final = true
+
+ parts =
+ fabfile
+ fabric
+ racoon.conf
+ psk.txt
+
+ [config]
+ # Project shortname
+ shortname = ipsec
+
+ # Main domain on which this project runs on
+ hostname = ipsec.company.com
+
+ # Various IPs needed for deployment
+ [ips]
+ server = ?.?.?.?
+
+ [pass]
+ # Temporary root password assigned to us by hosting provider
+ temp_root = some_password_here
+ ipsec = strong_password_here
+
+ # Prepare Fabric
+ [fabric]
+ recipe = zc.recipe.egg
+ eggs =
+ Fabric
+ niteoweb.fabfile
+
+ [fabfile]
+ recipe = collective.recipe.template
+ input = ${buildout:directory}/etc/fabfile.py.in
+ output = ${buildout:directory}/fabfile.py
+
+ # Generate config files from templates in ./etc
+ [racoon.conf]
+ recipe = collective.recipe.template
+ input = ${buildout:directory}/etc/racoon.conf.in
+ output = ${buildout:directory}/etc/racoon.conf
+
+ [psk.txt]
+ recipe = collective.recipe.template
+ input = ${buildout:directory}/etc/psk.txt.in
+ output = ${buildout:directory}/etc/psk.txt
+
+Config files
+------------
+
+Samples of config files that you need to put inside ``etc/`` directory in your
+buildout:
+
+ * :download:`racoon.conf.in <etc/racoon.conf.in>`.
+ * :download:`psk.txt.in <etc/psk.txt.in>`.
+
+
+Client configuration
+--------------------
+
+Configuring a client to use this IPsec server is fairly easy. For iOS,
+go to Settings -> Network -> VPN and add a new IPsec VPN with the following
+settings:
+
+ * Description: whatever
+ * Server: Public IP of your router behind which the IPsec server sits
+ * Account: a Linux user on the machine that is in the ``sudo`` group
+ * Group name: ``sudo`` (it's specified in ``racoon.conf``)
+ * Secret: secret set for group ``sudo`` in ``psk.txt``
36 docs/projects.rst
@@ -6,6 +6,9 @@ A Projects server is a server that runs your Plone projects. This is a
prerequisite to have before you can run any commands from the `Project` group
of commands.
+Sample fabfile
+--------------
+
Below is a ``fabfile.py.in`` buildout template that uses commands from `Server`
group to set up a Projects server (based on Ubuntu 10.04).
@@ -81,11 +84,15 @@ group to set up a Projects server (based on Ubuntu 10.04).
install_bacula_client()
configure_hetzner_backup()
-This ``fabfile.py`` template has a dependency on a specific version of
-`niteoweb.fabfile` and also expects to find certain buildout values and config
-files in certain directories. Here's a sample ``buildout.cfg`` that you can use
-to prepare an environment for using this ``fabfile.py.in``. Save the
-``fabfile.py.in`` in ``etc/`` directory in your buildout.
+
+Sample buildout.cfg
+-------------------
+
+This ``fabfile.py`` template has a dependency on the `niteoweb.fabfile` package
+and also expects to find certain buildout values and config files in certain
+directories. Here's a sample ``buildout.cfg`` that you can use to prepare an
+environment for using this ``fabfile.py.in``. Save the ``fabfile.py.in`` in
+``etc/`` directory in your buildout.
::
@@ -93,7 +100,6 @@ to prepare an environment for using this ``fabfile.py.in``. Save the
unzip = true
newest = false
extensions = buildout.dumppickedversions
- versions = versions
prefer-final = true
parts =
@@ -135,9 +141,6 @@ to prepare an environment for using this ``fabfile.py.in``. Save the
temp_root = root_password_that_hetzner_gives_you_for_a_new_server
# temp_root password is changed and disabled later on in deployment
- # Pin versions of niteoweb.fabfile and other dependencies
- [versions]
-
# Prepare Fabric
[fabfile]
recipe = collective.recipe.template
@@ -150,7 +153,7 @@ to prepare an environment for using this ``fabfile.py.in``. Save the
Fabric
niteoweb.fabfile
- # Generate config files from templates ./etc
+ # Generate config files from templates in ./etc
[bacula-fd-conf]
recipe = collective.recipe.template
input = ${buildout:directory}/etc/bacula-fd.conf.in
@@ -166,11 +169,14 @@ to prepare an environment for using this ``fabfile.py.in``. Save the
input = ${buildout:directory}/etc/duplicity.sh.in
output = ${buildout:directory}/etc/duplicity.sh
+Config files
+------------
+
Samples of config files that you need to put inside ``etc/`` directory in your
buildout:
- * :download:`bacula-fd.conf.in <bacula-fd.conf.in>`.
- * :download:`bacula-master.conf.in <bacula-master.conf.in>`.
- * :download:`duplicity.sh.in <duplicity.sh.in>`.
- * :download:`duplicityfilelist.conf <duplicityfilelist.conf>`.
- * :download:`nginx.conf <nginx.conf>`.
+ * :download:`bacula-fd.conf.in <etc/bacula-fd.conf.in>`.
+ * :download:`bacula-master.conf.in <etc/bacula-master.conf.in>`.
+ * :download:`duplicity.sh.in <etc/duplicity.sh.in>`.
+ * :download:`duplicityfilelist.conf <etc/duplicityfilelist.conf>`.
+ * :download:`nginx.conf <etc/nginx.conf>`.
35 niteoweb/fabfile/server.py
@@ -622,3 +622,38 @@ def configure_hetzner_backup(duplicityfilelist=None, duplicitysh=None):
if not env.get('confirm'):
confirm("You need to manually run a full backup first time. Noted?")
+
+
+def install_ipsec(racoonconf=None, psktxt=None, server_ip=None):
+ """Install and configure IPsec server."""
+
+ opts = dict(
+ server_ip=server_ip or env.server_ip or err("env.server_ip must be set"),
+ )
+
+ # install and configure racoon
+ sudo('apt-get -yq install racoon')
+ configure_racoon(racoonconf, psktxt)
+
+ # forward traffic so IPsec-ed devices have internet
+ sudo('apt-get -yq install iptables-persistent')
+ uncomment('/etc/sysctl.conf', 'net.ipv4.ip_forward = 1', use_sudo=True)
+ sudo('iptables-save > /etc/iptables/rules')
+ append('/etc/iptables/rules',
+ 'iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j SNAT --to-source %(server_ip)s' % opts,
+ use_sudo=True)
+
+
+def configure_racoon(racoonconf=None, psktxt=None):
+ """Upload racoon configuration files and restart the service."""
+ opts = dict(
+ racoonconf=racoonconf or env.get('racoonconf') or '%s/etc/racoon.conf' % os.getcwd(),
+ psktxt=psktxt or env.get('psktxt') or '%s/etc/psk.txt' % os.getcwd(),
+ )
+
+ upload_template(opts['racoonconf'], '/etc/racoon/racoon.conf', use_sudo=True)
+ upload_template(opts['psktxt'], '/etc/racoon/psk.txt', use_sudo=True)
+ sudo('chown -R root:root /etc/racoon/')
+ sudo('chmod -R 700 /etc/racoon/')
+
+ sudo('service racoon restart')
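Review bot: In `install_ipsec`, the SNAT rule appended to `/etc/iptables/rules` is a shell command line (`iptables -t nat -A POSTROUTING ...`), but that file was just written by `iptables-save` and iptables-persistent feeds it back through `iptables-restore`, which expects the save format (`*nat` ... `COMMIT`) and will choke on a command line after the final `COMMIT`; the rule is also never applied to the running firewall. Applying the rule with `sudo('iptables -t nat -A POSTROUTING ...')` first and running `iptables-save` afterwards fixes both, and the forwarding sysctl likewise only takes effect after a reboot unless `sudo('sysctl -p')` follows the `uncomment` call. The `server_ip or env.server_ip or err(...)` expression cannot reach `err`, because reading an unset attribute on Fabric's env raises AttributeError first; `env.get('server_ip')`, as `configure_racoon` already does, restores the intended message. The pattern `'net.ipv4.ip_forward = 1'` passed to `uncomment` presumably has to match the spacing used in the distribution's `/etc/sysctl.conf` (I recall `#net.ipv4.ip_forward=1` without spaces on Ubuntu), so that regex is worth verifying against the target image.

```python
def install_ipsec(racoonconf=None, psktxt=None, server_ip=None):
    """Install and configure IPsec server."""

    opts = dict(
        server_ip=server_ip or env.get('server_ip') or err("env.server_ip must be set"),
    )

    # … unchanged: racoon install and configure_racoon call …

    # forward traffic so IPsec-ed devices have internet
    sudo('apt-get -yq install iptables-persistent')
    uncomment('/etc/sysctl.conf', 'net.ipv4.ip_forward = 1', use_sudo=True)
    sudo('sysctl -p')  # apply forwarding now, not only after the next reboot
    sudo('iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j SNAT --to-source %(server_ip)s' % opts)
    sudo('iptables-save > /etc/iptables/rules')  # persist in the format iptables-restore reads
```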
2  setup.py
@@ -11,7 +11,7 @@
def read(*rnames):
return open(os.path.join(os.path.dirname(__file__), *rnames)).read()
-version = '2.1.3'
+version = '2.2.2'
setup(name='niteoweb.fabfile',
version=version,