Merge branch 'master' of git://github.com/niteoweb/niteoweb.fabfile

README.rst

@@ -1 +1 @@
-See `docs/README.rst <https://github.com/nzupan/niteoweb.fabfile/blob/master/docs/README.rst>`_.
+See `docs/README.rst <https://github.com/niteoweb/niteoweb.fabfile/blob/master/docs/README.rst>`_.

docs/HISTORY.rst

@@ -1,18 +1,52 @@
 Changelog
 =========
 
+2.2.2 (2012-02-09)
+------------------
+
+- Use ``--force`` when purging old Duplicity backups so it also purges
+  old incomplete backups.
+  [zupo]
+
+- Instructions on how to setup iOS or OS X to connect to IPsec server.
+  [zupo]
+
+
+2.2.1 (2012-01-25)
+------------------
+
+- Fixed GitHub's URLs to point to github.com/niteoweb.
+  [zupo]
+
+
+2.2 (2012-01-25)
+----------------
+
+- Fabric step for installing `IPsec`.
+  [zupo]
+
+- Use sudo when configuring rkhunter.
+  [zupo]
+
+- Moved config files in ``docs`` to ``docs/etc/`` folder so they don't mix with
+  Sphinx files.
+  [zupo]
+
+
 2.1.3 (2011-12-23)
 ------------------
 
 - Run `bootstrap` and `buildout` with ``prod_user``, not with `root`.
   [zupo]
 
+
 2.1.2 (2011-12-23)
 ------------------
 
 - Use ``prod_user`` from ``opts`` and not from ``env``.
   [zupo]
 
+
 2.1.1 (2011-12-23)
 ------------------
 

docs/README.rst

@@ -9,7 +9,7 @@ hardcoded internal stuff, so they are not really usable out-of-the-box, more so
 as a point of reference. If there is interest, we'll rewrite them to be more
 reusable.
 
-* `Source code @ GitHub <http://github.com/nzupan/niteoweb.fabfile>`_
+* `Source code @ GitHub <http://github.com/niteoweb/niteoweb.fabfile>`_
 * `Releases @ PyPI <http://pypi.python.org/pypi/niteoweb.fabfile>`_
 * `Sphinx docs @ ReadTheDocs <http://readthedocs.org/docs/niteowebfabfile>`_
 

docs/duplicity.sh.in → docs/etc/duplicity.sh.in

@@ -26,12 +26,12 @@ export FTP_PASSWORD
 # backup.
 if [ $date = 01 ]
 then
-duplicity remove-older-than 2M -v5 ftp://${pass:hetzner_ftp_user}@${pass:hetzner_ftp_user}.your-backup.de/system >>/var/log/duplicity.log
-duplicity full -v5 --exclude-filelist /etc/duplicityfilelist.conf / ftp://${pass:hetzner_ftp_user}@${pass:hetzner_ftp_user}.your-backup.de/system >>/var/log/duplicity.log
+duplicity --timeout 120 remove-older-than 2M -v5 --force ftp://${pass:hetzner_ftp_user}@${pass:hetzner_ftp_user}.your-backup.de/system >>/var/log/duplicity.log
+duplicity --timeout 120 full -v5 --exclude-filelist /etc/duplicityfilelist.conf / ftp://${pass:hetzner_ftp_user}@${pass:hetzner_ftp_user}.your-backup.de/system >>/var/log/duplicity.log
 
 else
-duplicity remove-older-than 2M -v5 ftp://${pass:hetzner_ftp_user}@${pass:hetzner_ftp_user}.your-backup.de/system >>/var/log/duplicity.log
-duplicity incremental -v5 --exclude-filelist /etc/duplicityfilelist.conf / ftp://${pass:hetzner_ftp_user}@${pass:hetzner_ftp_user}.your-backup.de/system >>/var/log/duplicity.log
+duplicity --timeout 120 remove-older-than 2M -v5 --force ftp://${pass:hetzner_ftp_user}@${pass:hetzner_ftp_user}.your-backup.de/system >>/var/log/duplicity.log
+duplicity --timeout 120 incremental -v5 --exclude-filelist /etc/duplicityfilelist.conf / ftp://${pass:hetzner_ftp_user}@${pass:hetzner_ftp_user}.your-backup.de/system >>/var/log/duplicity.log
 
 
 fi

docs/etc/psk.txt.in

@@ -0,0 +1,2 @@
+# group group-secret
+sudo ${pass:ipsec}

docs/etc/racoon.conf.in

@@ -0,0 +1,55 @@
+# The listen group specifies the IP’s to bind on.
+# The path directives tell racoon where to find its other configuration files.
+path pre_shared_key "/etc/racoon/psk.txt";
+
+# Next up is a remote section, specifying the phase 1 settings. Normal IPsec
+# tunnels are point-to-point. You can configure the tunnel statically on both
+# ends. Here we are setting up a roaming tunnel: we don’t know where the client
+# is. This has some implications:
+# * the server can never initiate the connection (since the IP of the client(s)
+#   are unknown)
+# * The client’s tunnel-IP needs to be assigned from the server. This minimizes
+#   client-side configuration
+# * The client must authenticate itself using a username/password combo.
+remote anonymous { # Do not filter on source IP, anyone can connect to this tunnel
+  passive on; # Don't initiate, only listen
+  exchange_mode main,aggressive; # Accept both modes
+  my_identifier fqdn "ipsec"; # Identify ourselves with this name
+  mode_cfg on; # configure the client's IP address using mode configuration
+  verify_cert off; # Don't check client certificate
+  ike_frag on; # Announce IKE-fragmentation support
+  generate_policy on; # automatically install SPD's
+  nat_traversal on; # Support NAT traversal
+  dpd_delay 20; # Disconnect dead clients after 20 seconds
+  proposal { # Phase 1 parameters
+    encryption_algorithm aes;
+    hash_algorithm sha1;
+    authentication_method xauth_psk_server; # Require PreSharedKey group authentication and username/password user authentication
+    dh_group 2;
+  }
+}
+
+# Next section is the mode configuration. This is sometimes called phase 1.5,
+# because it happens between phase 1 and phase 2. In this step, the client is
+# authenticated.
+mode_cfg {
+  auth_source system; # Authenticate against Linux users
+  save_passwd on; # Allow users to save passwords
+
+  group_source system; # Verify group membership in Linux groups
+  auth_groups "sudo";  # Require users to be member of this group in order to connect
+
+  network4 10.0.0.0;  # Give clients addresses starting from this address
+  pool_size 255;  # up to 255 addresses higher
+
+  dns4 8.8.8.8;      # Use Google's public DNS
+  dns4 8.8.4.4;
+}
+
+# The sainfo section specifies the parameters to use for phase 2, the actual
+# data-encryption
+sainfo anonymous {
+ encryption_algorithm aes;
+ authentication_algorithm hmac_sha1;
+ compression_algorithm deflate;
+}

docs/index.rst

@@ -9,6 +9,7 @@ Table of Contents
    hq.rst
    projects.rst
    bacula.rst
+   ipsec.rst
    api.rst
 
 .. include:: FUTURE.rst

docs/ipsec.rst

@@ -0,0 +1,145 @@
+============
+IPsec server
+============
+
+This is how to setup an IPsec server in your office so you can remotely
+access your internal LAN when you are on the road and also have all
+traffic encrypted when sitting in a cafe and using a public network.
+
+Prerequisities
+--------------
+
+You router needs to forward ports 500 and 4500 to your IPsec server.
+
+
+Sample fabfile
+--------------
+
+Below is a ``fabfile.py.in`` buildout template that uses commands from `Server`
+group to set up an IPsec server (based on Ubuntu 10.04).
+
+.. sourcecode:: python
+
+    import os
+    from fabric.api import env
+    from fabric.api import settings
+    from fabric.api import sudo
+
+    from niteoweb.fabfile.server import *
+
+    env.path = os.getcwd()
+    env.hosts = ['${ips:server}']
+    env.server_ip = '${ips:server}'
+    env.shortname = '${config:shortname}'
+    env.hostname = '${config:hostname}'
+    env.temp_root_pass = '${pass:temp_root}'
+
+    env.email = 'maintenance@company.com'
+    env.admins = ['bob', 'jane', ]
+
+    def deploy():
+        """The highest-level meta-command for deploying Plone to the server.
+        Use this command only on a fresh and clean server."""
+
+        with settings(user='root', password=env.temp_root_pass):
+            create_admin_accounts(default_password='secret123')
+
+        # security
+        harden_sshd()
+        disable_root_login()
+
+        # bootstrap server
+        set_hostname()
+        set_system_time()
+        install_unattended_upgrades()
+        install_sendmail()
+        install_rkhunter()
+
+        # install software stack
+        install_ipsec()
+
+
+Sample buildout.cfg
+-------------------
+
+This ``fabfile.py`` template has a dependency on the `niteoweb.fabfile` package
+and also expects to find certain buildout values and config files in certain
+directories. Here's a sample ``buildout.cfg`` that you can use to prepare an
+environment for using this ``fabfile.py.in``. Save the ``fabfile.py.in`` in
+``etc/`` directory in your buildout.
+
+::
+
+    [buildout]
+    unzip = true
+    newest = false
+    extensions = buildout.dumppickedversions
+    prefer-final = true
+
+    parts =
+        fabfile
+        fabric
+        racoon.conf
+        psk.txt
+
+    [config]
+    # Project shortname
+    shortname = ipsec
+
+    # Main domain on which this project runs on
+    hostname = ipsec.company.com
+
+    # Various IPs needed for deployment
+    [ips]
+    server = ?.?.?.?
+
+    [pass]
+    # Temporary root password assigned to us by hosting provider
+    temp_root = some_password_here
+    ipsec = strong_password_here
+
+    # Prepare Fabric
+    [fabric]
+    recipe = zc.recipe.egg
+    eggs =
+        Fabric
+        niteoweb.fabfile
+
+    [fabfile]
+    recipe = collective.recipe.template
+    input = ${buildout:directory}/etc/fabfile.py.in
+    output = ${buildout:directory}/fabfile.py
+
+    # Generate config files from templates in ./etc
+    [racoon.conf]
+    recipe = collective.recipe.template
+    input = ${buildout:directory}/etc/racoon.conf.in
+    output = ${buildout:directory}/etc/racoon.conf
+
+    [psk.txt]
+    recipe = collective.recipe.template
+    input = ${buildout:directory}/etc/psk.txt.in
+    output = ${buildout:directory}/etc/psk.txt
+
+Config files
+------------
+
+Samples of config files that you need to put inside ``etc/`` directory in your
+buildout:
+
+ * :download:`racoon.conf.in <etc/racoon.conf.in>`.
+ * :download:`psk.txt.in <etc/psk.txt.in>`.
+
+
+Client configuration
+--------------------
+
+Configuring a client to use this IPsec server is fairly easy. For iOS,
+go to Settings -> Network -> VPN and add a new IPsec VPN with the following
+settings:
+
+ * Description: whatever
+ * Server: Public IP of your router behind which the IPsec server sits
+ * Account: a Linux user on the machine that is in the ``sudo`` group
+ * Group name: ``sudo`` (it's specified in ``racoon.conf``)
+ * Secret: secret set for group ``sudo`` in ``psk.txt``

docs/projects.rst

@@ -6,6 +6,9 @@ A Projects server is a server that runs your Plone projects. This is a
 prerequisite to have before you can run any commands from the `Project` group
 of commands.
 
+Sample fabfile
+--------------
+
 Below is a ``fabfile.py.in`` buildout template that uses commands from `Server`
 group to set up a Projects server (based on Ubuntu 10.04).
 
@@ -81,19 +84,22 @@ group to set up a Projects server (based on Ubuntu 10.04).
         install_bacula_client()
         configure_hetzner_backup()
 
-This ``fabfile.py`` template has a dependency on a specific version of
-`niteoweb.fabfile` and also expects to find certain buildout values and config
-files in certain directories. Here's a sample ``buildout.cfg`` that you can use
-to prepare an environment for using this ``fabfile.py.in``. Save the
-``fabfile.py.in`` in ``etc/`` directory in your buildout.
+
+Sample buildout.cfg
+-------------------
+
+This ``fabfile.py`` template has a dependency on the `niteoweb.fabfile` package
+and also expects to find certain buildout values and config files in certain
+directories. Here's a sample ``buildout.cfg`` that you can use to prepare an
+environment for using this ``fabfile.py.in``. Save the ``fabfile.py.in`` in
+``etc/`` directory in your buildout.
 
 ::
 
     [buildout]
     unzip = true
     newest = false
     extensions = buildout.dumppickedversions
-    versions = versions
     prefer-final = true
 
     parts =
@@ -135,9 +141,6 @@ to prepare an environment for using this ``fabfile.py.in``. Save the
     temp_root = root_password_that_hetzner_gives_you_for_a_new_server
     # temp_root password is changed and disabled later on in deployment
 
-    # Pin versions of niteoweb.fabfile and other dependencies
-    [versions]
-
     # Prepare Fabric
     [fabfile]
     recipe = collective.recipe.template
@@ -150,7 +153,7 @@ to prepare an environment for using this ``fabfile.py.in``. Save the
         Fabric
         niteoweb.fabfile
 
-    # Generate config files from templates ./etc
+    # Generate config files from templates in ./etc
     [bacula-fd-conf]
     recipe = collective.recipe.template
     input = ${buildout:directory}/etc/bacula-fd.conf.in
@@ -166,11 +169,14 @@ to prepare an environment for using this ``fabfile.py.in``. Save the
     input = ${buildout:directory}/etc/duplicity.sh.in
     output = ${buildout:directory}/etc/duplicity.sh
 
+Config files
+------------
+
 Samples of config files that you need to put inside ``etc/`` directory in your
 buildout:
 
- * :download:`bacula-fd.conf.in <bacula-fd.conf.in>`.
- * :download:`bacula-master.conf.in <bacula-master.conf.in>`.
- * :download:`duplicity.sh.in <duplicity.sh.in>`.
- * :download:`duplicityfilelist.conf <duplicityfilelist.conf>`.
- * :download:`nginx.conf <nginx.conf>`.
+ * :download:`bacula-fd.conf.in <etc/bacula-fd.conf.in>`.
+ * :download:`bacula-master.conf.in <etc/bacula-master.conf.in>`.
+ * :download:`duplicity.sh.in <etc/duplicity.sh.in>`.
+ * :download:`duplicityfilelist.conf <etc/duplicityfilelist.conf>`.
+ * :download:`nginx.conf <etc/nginx.conf>`.