Commit a7b28c0ce05cbf28940704e0b58829fd91ba3871
Merge branch 'master' into fix_external_firewall
Showing
27 changed files
with
277 additions
and
128 deletions
.gitignore
Rakefile
| 1 | +require 'yaml' | |
| 2 | + | |
| 1 | 3 | begin |
| 2 | 4 | load 'local.rake' |
| 3 | 5 | rescue LoadError |
| ... | ... | @@ -13,15 +15,40 @@ iptables_file = "config/#{$SPB_ENV}/iptables-filter-rules" |
| 13 | 15 | |
| 14 | 16 | ENV['CHAKE_SSH_CONFIG'] = ssh_config_file |
| 15 | 17 | |
| 18 | +if $SPB_ENV == 'lxc' | |
| 19 | + system("mkdir -p config/lxc; sudo lxc-ls -f -F name,ipv4 | sed -e '/^softwarepublico/ !d; s/softwarepublico_//; s/_[0-9_]*/:/ ' > #{ips_file}.new") | |
| 20 | + begin | |
| 21 | + ips = YAML.load_file("#{ips_file}.new") | |
| 22 | + raise ArgumentError unless ips.is_a?(Hash) | |
| 23 | + FileUtils.mv ips_file + '.new', ips_file | |
| 24 | + rescue Exception => ex | |
| 25 | + puts ex.message | |
| 26 | + puts | |
| 27 | + puts "Q: did you boot the containers first?" | |
| 28 | + exit | |
| 29 | + end | |
| 30 | + config = YAML.load_file('config/local/config.yaml') | |
| 31 | + config['external_ip'] = ips['reverseproxy'] | |
| 32 | + config['relay_ip'] = ips['email'] | |
| 33 | + File.open(config_file, 'w') do |f| | |
| 34 | + f.puts(YAML.dump(config)) | |
| 35 | + end | |
| 36 | + | |
| 37 | + File.open('config/lxc/iptables-filter-rules', 'w') do |f| | |
| 38 | + lxc_host_bridge_ip = '192.168.122.1' # FIXME don't hardcode | |
| 39 | + f.puts "-A INPUT -s #{lxc_host_bridge_ip} -p tcp -m state --state NEW --dport 22 -j ACCEPT" | |
| 40 | + end | |
| 41 | +end | |
| 42 | + | |
| 16 | 43 | require 'chake' |
| 17 | 44 | |
| 18 | 45 | if Chake::VERSION < '0.4.3' |
| 19 | 46 | fail "Please upgrade to chake 0.4.3+" |
| 20 | 47 | end |
| 21 | 48 | |
| 22 | -config = YAML.load_file(config_file) | |
| 23 | -ips = YAML.load_file(ips_file) | |
| 24 | -firewall = File.open(iptables_file).read | |
| 49 | +ips ||= YAML.load_file(ips_file) | |
| 50 | +config ||= YAML.load_file(config_file) | |
| 51 | +firewall ||= File.open(iptables_file).read | |
| 25 | 52 | $nodes.each do |node| |
| 26 | 53 | node.data['config'] = config |
| 27 | 54 | node.data['peers'] = ips |
| ... | ... | @@ -38,13 +65,15 @@ task :test do |
| 38 | 65 | end |
| 39 | 66 | |
| 40 | 67 | file 'ssh_config.erb' |
| 41 | -file 'config/local/ssh_config' => ['nodes.yaml', 'config/local/ips.yaml', 'ssh_config.erb', 'Rakefile'] do |t| | |
| 42 | - require 'erb' | |
| 43 | - template = ERB.new(File.read('ssh_config.erb')) | |
| 44 | - File.open(t.name, 'w') do |f| | |
| 45 | - f.write(template.result(binding)) | |
| 68 | +if ['local', 'lxc'].include?($SPB_ENV) | |
| 69 | + file ssh_config_file => ['nodes.yaml', ips_file, 'ssh_config.erb', 'Rakefile'] do |t| | |
| 70 | + require 'erb' | |
| 71 | + template = ERB.new(File.read('ssh_config.erb')) | |
| 72 | + File.open(t.name, 'w') do |f| | |
| 73 | + f.write(template.result(binding)) | |
| 74 | + end | |
| 75 | + puts 'ERB %s' % t.name | |
| 46 | 76 | end |
| 47 | - puts 'ERB %s' % t.name | |
| 48 | 77 | end |
| 49 | 78 | |
| 50 | 79 | task :backup => ssh_config_file do | ... | ... |
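Review bot: The bare `exit` at line 28 of the new lxc branch exits with status 0, so a missing or malformed `ips.yaml.new` makes `rake` report success, and the `rescue Exception => ex` at line 24 also swallows Interrupt and SystemExit; `rescue StandardError => ex` plus `exit 1` gives the intended "stop and tell the user" behaviour. The `sudo lxc-ls` pipeline at line 19 interpolates `ips_file` into a shell string unquoted, which is fine for the current `config/lxc/ips.yaml` value but costs nothing to quote: `> '#{ips_file}.new'`. All four YAML reads (lines 21, 30, 49, 50) use `YAML.load_file`, which on older Psych versions will instantiate arbitrary Ruby objects from tagged nodes; `ips.yaml` is assembled from container names via `sed`, so `YAML.safe_load(File.read(...))` is the safer call if the project's Ruby supports it. The hard-coded bridge address at line 38 already carries a FIXME; a `lxc_host_bridge_ip = ENV.fetch('LXC_BRIDGE_IP', '192.168.122.1')` would make it overridable without further code.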
Vagrantfile
| ... | ... | @@ -13,28 +13,43 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| |
| 13 | 13 | config.vm.provision 'shell', path: 'utils/proxy.sh', args: [proxy] |
| 14 | 14 | end |
| 15 | 15 | |
| 16 | - ips = YAML.load_file('config/local/ips.yaml') | |
| 16 | + load './local.rake' if File.exists?('local.rake') | |
| 17 | + env = ENV.fetch('SPB_ENV', 'local') | |
| 18 | + | |
| 19 | + if File.exist?("config/#{env}/ips.yaml") | |
| 20 | + ips = YAML.load_file("config/#{env}/ips.yaml") | |
| 21 | + else | |
| 22 | + ips = nil | |
| 23 | + end | |
| 17 | 24 | |
| 18 | 25 | config.vm.define 'database' do |database| |
| 19 | - database.vm.network 'private_network', ip: ips['database'] | |
| 26 | + database.vm.provider "virtualbox" do |vm| | |
| 27 | + database.vm.network 'private_network', ip: ips['database'] if ips | |
| 28 | + end | |
| 20 | 29 | end |
| 21 | 30 | config.vm.define 'integration' do |integration| |
| 22 | - integration.vm.network 'private_network', ip: ips['integration'] | |
| 23 | - integration.vm.provider "virtualbox" do |v| | |
| 24 | - v.memory = 1024 | |
| 25 | - v.cpus = 2 | |
| 31 | + integration.vm.provider "virtualbox" do |vm| | |
| 32 | + integration.vm.network 'private_network', ip: ips['integration'] if ips | |
| 33 | + vm.memory = 1024 | |
| 34 | + vm.cpus = 2 | |
| 26 | 35 | end |
| 27 | 36 | end |
| 28 | 37 | config.vm.define 'email' do |email| |
| 29 | - email.vm.network 'private_network', ip: ips['email'] | |
| 38 | + email.vm.provider "virtualbox" do |vm| | |
| 39 | + email.vm.network 'private_network', ip: ips['email'] if ips | |
| 40 | + end | |
| 30 | 41 | end |
| 31 | 42 | config.vm.define 'social' do |social| |
| 32 | - social.vm.network 'private_network', ip: ips['social'] | |
| 43 | + social.vm.provider "virtualbox" do |vm| | |
| 44 | + social.vm.network 'private_network', ip: ips['social'] if ips | |
| 45 | + end | |
| 33 | 46 | end |
| 34 | 47 | config.vm.define 'reverseproxy' do |reverseproxy| |
| 35 | - reverseproxy.vm.network 'private_network', ip: ips['reverseproxy'] | |
| 36 | - if File.exist?('tmp/preconfig.local.stamp') | |
| 37 | - reverseproxy.ssh.port = File.read('tmp/preconfig.local.stamp').strip.to_i | |
| 48 | + reverseproxy.vm.provider "virtualbox" do |vm| | |
| 49 | + reverseproxy.vm.network 'private_network', ip: ips['reverseproxy'] if ips | |
| 50 | + end | |
| 51 | + if File.exist?("tmp/preconfig.#{env}.stamp") | |
| 52 | + reverseproxy.ssh.port = File.read("tmp/preconfig.#{env}.stamp").strip.to_i | |
| 38 | 53 | reverseproxy.ssh.host = ips['reverseproxy'] |
| 39 | 54 | end |
| 40 | 55 | end | ... | ... |
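Review bot: `reverseproxy.ssh.host = ips['reverseproxy']` at line 53 sits outside the `if ips` guard the commit adds to every other `ips[...]` access, so a leftover `tmp/preconfig.<env>.stamp` with no `config/<env>/ips.yaml` raises NoMethodError on nil; guard it the same way, `reverseproxy.ssh.host = ips['reverseproxy'] if ips`, or make the stamp block `if ips && File.exist?(...)`. Line 16 uses the deprecated `File.exists?` while line 19 uses `File.exist?`; use `File.exist?` for both. `load './local.rake'` at line 16 executes whatever Ruby that untracked file contains in the Vagrantfile's context; presumably that is the intended per-developer override hook, but a one-line comment saying so (and that the file must not be committed) would help the next reader.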
| ... | ... | @@ -0,0 +1,15 @@ |
| 1 | +admins: | |
| 2 | + - ["Paulo Meirelles", "paulo@softwarelivre.org"] | |
| 3 | +external_hostname: dev.softwarepublico.gov.br | |
| 4 | +external_ip: 189.9.151.16 | |
| 5 | +site_url: https://dev.softwarepublico.gov.br | |
| 6 | +colab_from_address: '"Portal do Software Publico (dev)" <noreply@dev.softwarepublico.gov.br>' | |
| 7 | +server_email: '"Portal do Software Publico (dev)" <noreply@dev.softwarepublico.gov.br>' | |
| 8 | +email_subject_prefix: '[spb|dev]' | |
| 9 | +lists_hostname: listas.dev.softwarepublico.gov.br | |
| 10 | +lists_admin: paulo@softwarelivre.org | |
| 11 | +from_address: noreply@dev.softwarepublico.gov.br | |
| 12 | +relay_hostname: relay.dev.softwarepublico.gov.br | |
| 13 | +relay_ip: 189.9.151.44 | |
| 14 | +external_outgoing_mail_relay: 189.9.150.53 | |
| 15 | +external_outgoing_mail_domain: serpro.gov.br | ... | ... |
| ... | ... | @@ -0,0 +1,23 @@ |
| 1 | + | |
| 2 | +-A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT | |
| 3 | +-A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT | |
| 4 | +-A INPUT -s 200.198.196.192/26 -p icmp --icmp-type 8 -j ACCEPT | |
| 5 | +-A INPUT -s 200.198.196.201/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT | |
| 6 | +-A INPUT -s 200.198.196.206/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT | |
| 7 | + | |
| 8 | +-A INPUT -s 189.9.150.85/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | |
| 9 | + | |
| 10 | + | |
| 11 | +# UnB | |
| 12 | +-A INPUT -s 164.41.86.12/32 -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT | |
| 13 | +-A INPUT -s 164.41.9.36/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | |
| 14 | + | |
| 15 | + | |
| 16 | +# Sergio Oliveira | |
| 17 | +-A INPUT -s 179.111.229.232/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | |
| 18 | + | |
| 19 | + | |
| 20 | +-A INPUT -s 10.18.0.0/16 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | |
| 21 | +-A INPUT -s 10.18.0.0/16 -p icmp --icmp-type 8 -j ACCEPT | |
| 22 | +-A INPUT -s 189.9.137.239/32 -p tcp -m state --state NEW -m tcp --dport 10050 -j ACCEPT | |
| 23 | +-A INPUT -s 189.9.137.239/32 -p icmp --icmp-type 8 -j ACCEPT | ... | ... |
| ... | ... | @@ -0,0 +1,30 @@ |
| 1 | +Host * | |
| 2 | + ForwardAgent yes | |
| 3 | + | |
| 4 | +Host reverseproxy | |
| 5 | + Hostname 189.9.151.16 | |
| 6 | + User spb | |
| 7 | + | |
| 8 | +Host database | |
| 9 | + Hostname 10.18.0.16 | |
| 10 | + User spb | |
| 11 | + # connect via reverseproxy host | |
| 12 | + ProxyCommand ssh spb@189.9.151.16 nc %h %p | |
| 13 | + | |
| 14 | +Host social | |
| 15 | + Hostname 10.18.0.17 | |
| 16 | + User spb | |
| 17 | + # connect via reverseproxy host | |
| 18 | + ProxyCommand ssh spb@189.9.151.16 nc %h %p | |
| 19 | + | |
| 20 | +Host email | |
| 21 | + Hostname 10.18.0.18 | |
| 22 | + User spb | |
| 23 | + # connect via reverseproxy host | |
| 24 | + ProxyCommand ssh spb@189.9.151.16 nc %h %p | |
| 25 | + | |
| 26 | +Host integration | |
| 27 | + Hostname 10.18.0.19 | |
| 28 | + User spb | |
| 29 | + # connect via reverseproxy host | |
| 30 | + ProxyCommand ssh spb@189.9.151.16 nc %h %p | ... | ... |
config/development/config.yaml
| ... | ... | @@ -1,13 +0,0 @@ |
| 1 | -admins: | |
| 2 | - - | |
| 3 | - - Paulo Meirelles | |
| 4 | - - paulo@softwarelivre.org | |
| 5 | -external_hostname: dev.softwarepublico.gov.br | |
| 6 | -site_url: https://dev.softwarepublico.gov.br | |
| 7 | -colab_from_address: '"Portal do Software Publico (dev)" <noreply@dev.softwarepublico.gov.br>' | |
| 8 | -server_email: '"Portal do Software Publico (dev)" <noreply@dev.softwarepublico.gov.br>' | |
| 9 | -email_subject_prefix: '[spb|dev]' | |
| 10 | -lists_hostname: listas.dev.softwarepublico.gov.br | |
| 11 | -lists_admin: paulo@softwarelivre.org | |
| 12 | -relay_hostname: relay.dev.softwarepublico.gov.br | |
| 13 | -from_address: noreply@dev.softwarepublico.gov.br |
config/development/ips.yaml
config/development/iptables-filter-rules
| ... | ... | @@ -1,23 +0,0 @@ |
| 1 | - | |
| 2 | --A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT | |
| 3 | --A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT | |
| 4 | --A INPUT -s 200.198.196.192/26 -p icmp --icmp-type 8 -j ACCEPT | |
| 5 | --A INPUT -s 200.198.196.201/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT | |
| 6 | --A INPUT -s 200.198.196.206/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT | |
| 7 | - | |
| 8 | --A INPUT -s 189.9.150.85/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | |
| 9 | - | |
| 10 | - | |
| 11 | -# UnB | |
| 12 | --A INPUT -s 164.41.86.12/32 -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT | |
| 13 | --A INPUT -s 164.41.9.36/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | |
| 14 | - | |
| 15 | - | |
| 16 | -# Sergio Oliveira | |
| 17 | --A INPUT -s 179.111.229.232/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | |
| 18 | - | |
| 19 | - | |
| 20 | --A INPUT -s 10.18.0.0/16 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | |
| 21 | --A INPUT -s 10.18.0.0/16 -p icmp --icmp-type 8 -j ACCEPT | |
| 22 | --A INPUT -s 189.9.137.239/32 -p tcp -m state --state NEW -m tcp --dport 10050 -j ACCEPT | |
| 23 | --A INPUT -s 189.9.137.239/32 -p icmp --icmp-type 8 -j ACCEPT |
config/development/ssh_config
| ... | ... | @@ -1,30 +0,0 @@ |
| 1 | -Host * | |
| 2 | - ForwardAgent yes | |
| 3 | - | |
| 4 | -Host reverseproxy | |
| 5 | - Hostname 189.9.151.16 | |
| 6 | - User spb | |
| 7 | - | |
| 8 | -Host database | |
| 9 | - Hostname 10.18.0.16 | |
| 10 | - User spb | |
| 11 | - # connect via reverseproxy host | |
| 12 | - ProxyCommand ssh spb@189.9.151.16 nc %h %p | |
| 13 | - | |
| 14 | -Host social | |
| 15 | - Hostname 10.18.0.17 | |
| 16 | - User spb | |
| 17 | - # connect via reverseproxy host | |
| 18 | - ProxyCommand ssh spb@189.9.151.16 nc %h %p | |
| 19 | - | |
| 20 | -Host email | |
| 21 | - Hostname 10.18.0.18 | |
| 22 | - User spb | |
| 23 | - # connect via reverseproxy host | |
| 24 | - ProxyCommand ssh spb@189.9.151.16 nc %h %p | |
| 25 | - | |
| 26 | -Host integration | |
| 27 | - Hostname 10.18.0.19 | |
| 28 | - User spb | |
| 29 | - # connect via reverseproxy host | |
| 30 | - ProxyCommand ssh spb@189.9.151.16 nc %h %p |
config/homologa/config.yaml
| ... | ... | @@ -9,7 +9,8 @@ server_email: '"Portal do Software Publico (homologação)" <noreply@homologa.so |
| 9 | 9 | email_subject_prefix: '[spb]' |
| 10 | 10 | lists_hostname: listas.homologa.softwarepublico.gov.br |
| 11 | 11 | lists_admin: nayanne.bonifacio@planejamento.gov.br |
| 12 | +from_address: noreply@homologa.softwarepublico.gov.br | |
| 12 | 13 | relay_hostname: relay.homologa.softwarepublico.gov.br |
| 13 | 14 | relay_ip: 189.9.151.66 |
| 14 | -alt_ssh_port: 55555 | |
| 15 | -from_address: noreply@homologa.softwarepublico.gov.br | |
| 15 | +external_outgoing_mail_relay: 189.9.150.53 | |
| 16 | +external_outgoing_mail_domain: serpro.gov.br | ... | ... |
config/homologa/ssh_config
| 1 | 1 | Host * |
| 2 | 2 | ForwardAgent yes |
| 3 | 3 | |
| 4 | -Host reverseproxy | |
| 5 | - Hostname 164.41.9.49 | |
| 6 | - Port 55555 | |
| 7 | - | |
| 8 | 4 | Host reverseproxy.unconfigured |
| 9 | - Hostname 164.41.9.49 | |
| 5 | + Hostname 189.9.151.65 | |
| 6 | + User spb | |
| 7 | + | |
| 8 | +Host reverseproxy | |
| 9 | + Hostname 10.0.13.2 | |
| 10 | + User spb | |
| 11 | + # connect via reverseproxy host | |
| 12 | + ProxyCommand ssh spb@189.9.151.65 nc %h %p | |
| 10 | 13 | |
| 11 | 14 | Host database |
| 12 | - Hostname 10.10.40.47 | |
| 13 | - Port 55555 | |
| 15 | + Hostname 10.0.13.6 | |
| 16 | + User spb | |
| 14 | 17 | # connect via reverseproxy host |
| 15 | - ProxyCommand ssh 164.41.9.49 -p %p nc %h 22 | |
| 18 | + ProxyCommand ssh spb@189.9.151.65 nc %h %p | |
| 16 | 19 | |
| 17 | 20 | Host social |
| 18 | - Hostname 10.10.40.46 | |
| 19 | - Port 55555 | |
| 21 | + Hostname 10.0.13.4 | |
| 22 | + User spb | |
| 20 | 23 | # connect via reverseproxy host |
| 21 | - ProxyCommand ssh 164.41.9.49 -p %p nc %h 22 | |
| 24 | + ProxyCommand ssh spb@189.9.151.65 nc %h %p | |
| 22 | 25 | |
| 23 | 26 | Host email |
| 24 | - Hostname 10.10.40.48 | |
| 25 | - Port 55555 | |
| 27 | + Hostname 10.0.13.5 | |
| 28 | + User spb | |
| 26 | 29 | # connect via reverseproxy host |
| 27 | - ProxyCommand ssh 164.41.9.49 -p %p nc %h 22 | |
| 30 | + ProxyCommand ssh spb@189.9.151.65 nc %h %p | |
| 28 | 31 | |
| 29 | 32 | Host integration |
| 30 | - Hostname 10.10.40.45 | |
| 31 | - Port 55555 | |
| 32 | - # connect via reverseproxy host | |
| 33 | - ProxyCommand ssh 164.41.9.49 -p %p nc %h 22 | |
| 33 | + Hostname 10.0.13.7 | |
| 34 | + User spb | |
| 35 | + # Porta 22 de 189.9.151.65 cai aqui entao nao precisa de ProxyCommand | ... | ... |
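Review bot: The `Host integration` entry at lines 33-35 keeps `Hostname 10.0.13.7`, a private address, but drops the `ProxyCommand`; the comment (in Portuguese, while the rest of the file is English) says port 22 of 189.9.151.65 lands on this host, in which case the entry should read `Hostname 189.9.151.65`, otherwise ssh will try an unroutable address — please confirm which is meant and translate the comment, e.g. `# port 22 of 189.9.151.65 is forwarded to this host, so no ProxyCommand is needed`. The new `ProxyCommand ssh spb@189.9.151.65 nc %h %p` lines require `nc` on the bastion; `ProxyCommand ssh -W %h:%p spb@189.9.151.65` needs no extra binary and behaves the same. `ForwardAgent yes` under `Host *` (unchanged context at line 2) hands the agent socket to root on the bastion for every hop in this file; consider scoping it to the hosts that actually need it.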
cookbooks/basics/files/default/selinux-install-module
| ... | ... | @@ -9,6 +9,12 @@ if [ $# -ne 1 ]; then |
| 9 | 9 | exit 1 |
| 10 | 10 | fi |
| 11 | 11 | |
| 12 | +selinux_status=$(sestatus | sed -e '/^SELinux status:/ !d; s/.*\s//') | |
| 13 | +if ! selinux-enabled; then | |
| 14 | + echo "I: SELinux disabled, skipping" | |
| 15 | + exit 0 | |
| 16 | +fi | |
| 17 | + | |
| 12 | 18 | input="$1" |
| 13 | 19 | |
| 14 | 20 | directory=$(dirname "$input") | ... | ... |
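Review bot: `selinux_status` at line 12 is assigned but never read — the decision on line 13 is made by `selinux-enabled` — so the `sestatus | sed` pipeline is dead code and should be dropped (or used instead of the helper, not both). `selinux-enabled` is resolved via PATH; the recipe in this commit installs it to `/usr/local/bin`, which is not on PATH in every context this script can run from, so `if ! /usr/local/bin/selinux-enabled; then` is the more robust form. The script continues outside the hunk.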
cookbooks/basics/recipes/default.rb
| ... | ... | @@ -10,8 +10,19 @@ cookbook_file '/etc/selinux/config' do |
| 10 | 10 | group 'root' |
| 11 | 11 | mode 0644 |
| 12 | 12 | end |
| 13 | -execute 'setenforce Enforcing' | |
| 14 | -execute 'setsebool httpd_can_network_connect 1' | |
| 13 | + | |
| 14 | +cookbook_file '/usr/local/bin/selinux-enabled' do | |
| 15 | + owner 'root' | |
| 16 | + group 'root' | |
| 17 | + mode '0755' | |
| 18 | +end | |
| 19 | + | |
| 20 | +execute 'setenforce Enforcing' do | |
| 21 | + only_if 'selinux-enabled' | |
| 22 | +end | |
| 23 | +execute 'setsebool httpd_can_network_connect 1' do | |
| 24 | + only_if 'selinux-enabled' | |
| 25 | +end | |
| 15 | 26 | # directory for local type enforcements |
| 16 | 27 | directory '/etc/selinux/local' do |
| 17 | 28 | owner 'root' |
| ... | ... | @@ -32,8 +43,14 @@ package 'less' |
| 32 | 43 | package 'htop' |
| 33 | 44 | package 'ntp' |
| 34 | 45 | |
| 46 | +cookbook_file '/usr/local/bin/is-a-container' do | |
| 47 | + owner 'root' | |
| 48 | + group 'root' | |
| 49 | + mode '0755' | |
| 50 | +end | |
| 35 | 51 | service 'ntpd' do |
| 36 | 52 | action [:enable, :start] |
| 53 | + not_if 'is-a-container' | |
| 37 | 54 | end |
| 38 | 55 | |
| 39 | 56 | service 'firewalld' do | ... | ... |
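Review bot: `only_if 'selinux-enabled'` and `not_if 'is-a-container'` at lines 21, 24 and 53 run the helpers through the shell by bare name, so they depend on `/usr/local/bin` being on chef-client's PATH; a "command not found" exit is non-zero, which `only_if` reads as false and `not_if` reads as "run it", silently inverting the guard. Use the absolute paths, `only_if '/usr/local/bin/selinux-enabled'` and `not_if '/usr/local/bin/is-a-container'`. `is-a-container` is installed here but consumed by the reverse_proxy cookbook in this same commit, which only works if basics always converges first; that ordering assumption deserves a comment on the `cookbook_file` resource, e.g. `# also used by reverse_proxy; basics must run before it`. `setenforce Enforcing` still fires on every converge; adding `not_if 'test "$(getenforce)" = Enforcing'` would make it idempotent.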
cookbooks/colab/recipes/default.rb
cookbooks/email/recipes/relay.rb
| ... | ... | @@ -46,3 +46,10 @@ execute 'transport:postmap' do |
| 46 | 46 | command "postmap /etc/postfix/transport" |
| 47 | 47 | action :nothing |
| 48 | 48 | end |
| 49 | + | |
| 50 | +external_relay = node['config']['external_outgoing_mail_relay'] | |
| 51 | +if external_relay | |
| 52 | + execute "postconf relayhost=#{external_relay}" | |
| 53 | +else | |
| 54 | + execute 'postconf -X relayhost' | |
| 55 | +end | ... | ... |
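Review bot: `postconf relayhost=#{external_relay}` at line 52 writes the value unbracketed, and the config files in this commit set it to a bare IP (189.9.150.53); Postfix's documented form for an address literal is `[address]`, which also disables the MX lookup it would otherwise attempt, so `execute "postconf relayhost=[#{external_relay}]"` is the safer spelling (if the value may also be a hostname that should be MX-resolved, bracket only when it parses as an address). The value is interpolated into a shell command unquoted; it is operator-controlled config, but `Shellwords.escape` is cheap insurance. Neither `execute` notifies Postfix, so a changed relayhost is not picked up until something else reloads it — add `notifies :reload, 'service[postfix]'` if that resource exists outside this hunk. `postconf -X` requires Postfix 2.10+; a one-line comment stating that assumption would save someone a confusing failure on an older box.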
cookbooks/noosfero/recipes/default.rb
| ... | ... | @@ -42,6 +42,10 @@ execute 'plugins:enable' do |
| 42 | 42 | command '/usr/lib/noosfero/script/noosfero-plugins enable ' + plugins.join(' ') |
| 43 | 43 | end |
| 44 | 44 | |
| 45 | +execute 'plugins:activate' do | |
| 46 | + command "RAILS_ENV=production bundle exec rake noosfero:plugins:enable_all_plugins" | |
| 47 | +end | |
| 48 | + | |
| 45 | 49 | execute 'theme:enable' do |
| 46 | 50 | command 'psql -h database -U noosfero --no-align --tuples-only -q -c "update environments set theme=\'noosfero-spb-theme\' where id=1;"' |
| 47 | 51 | end |
| ... | ... | @@ -61,6 +65,10 @@ service 'noosfero' do |
| 61 | 65 | action [:enable, :start] |
| 62 | 66 | end |
| 63 | 67 | |
| 68 | +service 'memcached' do | |
| 69 | + action [:enable, :start] | |
| 70 | +end | |
| 71 | + | |
| 64 | 72 | template '/etc/nginx/conf.d/noosfero.conf' do |
| 65 | 73 | owner 'root'; group 'root'; mode 0644 |
| 66 | 74 | source 'nginx.conf.erb' | ... | ... |
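Review bot: `execute 'plugins:activate'` at lines 45-47 runs `bundle exec rake` with no `cwd` and no `user`, so it executes in chef-client's current directory as root; unless that happens to be the application root the rake task is not found, and when it is, root-owned files can be left under the app's tmp/log directories. Set `cwd '/usr/lib/noosfero'` (the path the `noosfero-plugins` call on line 42 uses, presumably the app root) and the app's service account via `user` if it has one. The resource also runs on every converge, right after `plugins:enable` has already enabled the listed plugins; a comment explaining why both steps are needed would help, e.g. `# enable_all_plugins also activates plugin DB migrations/assets; runs after plugins:enable`, if that is indeed the reason. `service 'memcached'` is enabled and started but nothing in the hunk installs it; fine if another recipe does, otherwise add `package 'memcached'` above it.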
cookbooks/reverse_proxy/recipes/default.rb
| ... | ... | @@ -12,7 +12,9 @@ cookbook_file "/etc/sysctl.d/ip_forward.conf" do |
| 12 | 12 | mode 0644 |
| 13 | 13 | end |
| 14 | 14 | |
| 15 | -execute 'sysctl -w net.ipv4.ip_forward=1' | |
| 15 | +execute 'sysctl -w net.ipv4.ip_forward=1' do | |
| 16 | + not_if 'is-a-container' | |
| 17 | +end | |
| 16 | 18 | |
| 17 | 19 | cookbook_file "/etc/nginx/#{node['config']['external_hostname']}.key" do |
| 18 | 20 | owner 'root' | ... | ... |
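Review bot: `not_if 'is-a-container'` at line 17 depends on `/usr/local/bin/is-a-container` — shipped by the basics cookbook in this same commit — being on chef-client's PATH; if the helper is not found the command exits non-zero, `not_if` treats that as "run the resource", and `sysctl -w net.ipv4.ip_forward=1` then fails inside the container and aborts the converge, which is exactly the case the guard was meant to avoid. Use the absolute path, `not_if '/usr/local/bin/is-a-container'`, and note the cross-cookbook dependency in a comment such as `# helper installed by the basics cookbook; ip_forward is the host's job when containerized`.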
tasks/doc.rake
| ... | ... | @@ -17,9 +17,9 @@ desc 'Publishes PDF' |
| 17 | 17 | task :pdfupload => :pdf do |
| 18 | 18 | require 'date' |
| 19 | 19 | |
| 20 | - tag = Date.today.strftime('doc-%Y-%m-%d') | |
| 20 | + tag = Date.today.strftime('doc-%Y-%m-%d-') + $SPB_ENV | |
| 21 | 21 | blob = `git hash-object -w docs/_build/latex/softwarepublico.pdf`.strip |
| 22 | - tree = `printf '100644 blob #{blob}\tsoftwarepublico.pdf\n' | git mktree`.strip | |
| 22 | + tree = `printf '100644 blob #{blob}\tsoftwarepublico-#{$SPB_ENV}.pdf\n' | git mktree`.strip | |
| 23 | 23 | commit = `git commit-tree -m #{tag} #{tree}`.strip |
| 24 | 24 | |
| 25 | 25 | sh 'git', 'tag', tag, commit | ... | ... |
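Review bot: `$SPB_ENV` is spliced at lines 20 and 22 into a git tag name and into a single-quoted shell string that runs through backticks, and `git commit-tree -m #{tag}` at line 23 is likewise unquoted; a value containing a quote, whitespace or `..` yields a malformed tag or escapes the `printf` quoting. The value is operator-supplied, so this is robustness rather than an exploit, but a guard at the top of the task removes the question: `fail "invalid SPB_ENV: #{$SPB_ENV.inspect}" unless $SPB_ENV.to_s =~ /\A[A-Za-z0-9_-]+\z/`. Feeding the tree entry through `IO.popen(['git', 'mktree'], 'r+')` would avoid the shell altogether. The task body continues outside the hunk.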
test/colab_test.sh
| ... | ... | @@ -21,16 +21,16 @@ test_nginx_responds() { |
| 21 | 21 | } |
| 22 | 22 | |
| 23 | 23 | test_nginx_virtualhost() { |
| 24 | - local title="$(curl --header 'Host: softwarepublico.dev' http://$integration/dashboard | grep '<title>' | sed -e 's/^\s*//')" | |
| 24 | + local title="$(curl --header 'Host: softwarepublico.dev' http://$config_external_hostname/dashboard | grep '<title>' | sed -e 's/^\s*//')" | |
| 25 | 25 | assertEquals "<title>Home - Colab</title>" "$title" |
| 26 | 26 | } |
| 27 | 27 | |
| 28 | 28 | test_reverse_proxy_gitlab() { |
| 29 | - assertTrue 'Reverse proxy for gitlab' "curl --header 'Host: softwarepublico.dev' http://$integration/gitlab/public/projects | grep -i '<meta.*gitlab.*>'" | |
| 29 | + assertTrue 'Reverse proxy for gitlab' "curl --header 'Host: softwarepublico.dev' http://$config_external_hostname/gitlab/public/projects | grep -i '<meta.*gitlab.*>'" | |
| 30 | 30 | } |
| 31 | 31 | |
| 32 | 32 | test_reverse_proxy_noosfero() { |
| 33 | - assertTrue 'Reverse proxy for noosfero' "curl --header 'Host: softwarepublico.dev' http://$integration/social/search/people | grep -i '<meta.*noosfero.*>'" | |
| 33 | + assertTrue 'Reverse proxy for noosfero' "curl --header 'Host: softwarepublico.dev' http://$config_external_hostname/social/search/people | grep -i '<meta.*noosfero.*>'" | |
| 34 | 34 | } |
| 35 | 35 | |
| 36 | 36 | load_shunit2 | ... | ... |
test/dns_test.sh
| 1 | 1 | . $(dirname $0)/test_helper.sh |
| 2 | 2 | |
| 3 | -if [ "$SPB_ENV" = local ]; then | |
| 3 | +if [ "$SPB_ENV" = local -o "$SPB_ENV" = lxc ]; then | |
| 4 | 4 | echo "_No DNS for local environment_" |
| 5 | 5 | exit |
| 6 | 6 | fi |
| ... | ... | @@ -29,7 +29,14 @@ check_reverse_dns() { |
| 29 | 29 | local hostname="$2" |
| 30 | 30 | local results="$(host $ip)" |
| 31 | 31 | local expected=".*in-addr.arpa domain name pointer ${hostname}." |
| 32 | - assertTrue "Reverse DNS of $ip must be $hostname (found: $results)" "expr match '$results' '$expected\$'" | |
| 32 | + assertTrue "Reverse DNS of $ip must be $hostname (found: $results)" "expr match '$results' 'include:$expected\$'" | |
| 33 | +} | |
| 34 | + | |
| 35 | +check_spf() { | |
| 36 | + domain="$1" | |
| 37 | + spf_domain="$2" | |
| 38 | + local results="$(host -t TXT "$domain")" | |
| 39 | + assertTrue "TXT entry for $domain must have include:$spf_domain (found: $results)" "expr match '$results' 'include:$spf_domain'" | |
| 33 | 40 | } |
| 34 | 41 | |
| 35 | 42 | test_dns_web() { |
| ... | ... | @@ -60,7 +67,14 @@ test_reverse_dns_relay() { |
| 60 | 67 | check_reverse_dns "$config_relay_ip" "$config_relay_hostname" |
| 61 | 68 | } |
| 62 | 69 | |
| 63 | -# TODO test_spf_external_relay | |
| 70 | +if [ -n "$config_external_outgoing_mail_domain" ]; then | |
| 71 | + test_spf_domain() { | |
| 72 | + check_spf "$config_external_hostname" "$config_external_outgoing_mail_domain" | |
| 73 | + } | |
| 74 | + test_spf_lists() { | |
| 75 | + check_spf "$config_lists_hostname" "$config_external_outgoing_mail_domain" | |
| 76 | + } | |
| 77 | +fi | |
| 64 | 78 | |
| 65 | 79 | if [ "$1" = '--doc' ]; then |
| 66 | 80 | check_hostname() { |
| ... | ... | @@ -78,13 +92,19 @@ if [ "$1" = '--doc' ]; then |
| 78 | 92 | echo " - $1" |
| 79 | 93 | echo " - ${2}." |
| 80 | 94 | } |
| 95 | + check_spf() { | |
| 96 | + echo " * - TXT (SPF: \"v=spf1 ...\")" | |
| 97 | + echo " - $1 " | |
| 98 | + echo " - include:${2} " | |
| 99 | + } | |
| 81 | 100 | header() { |
| 101 | + local aponta="${2:-Aponta para}" | |
| 82 | 102 | echo '.. list-table::' |
| 83 | 103 | echo ' :header-rows: 1' |
| 84 | 104 | echo |
| 85 | 105 | echo ' * - Tipo' |
| 86 | 106 | echo ' - Entrada' |
| 87 | - echo ' - Aponta para' | |
| 107 | + echo " - $aponta" | |
| 88 | 108 | } |
| 89 | 109 | footer() { |
| 90 | 110 | echo |
| ... | ... | @@ -106,7 +126,10 @@ if [ "$1" = '--doc' ]; then |
| 106 | 126 | test_reverse_dns_relay |
| 107 | 127 | footer |
| 108 | 128 | |
| 109 | - # FIXME test_spf_external_relay | |
| 129 | + header 'SPF' 'Deve conter' | |
| 130 | + test_spf_domain | |
| 131 | + test_spf_lists | |
| 132 | + footer | |
| 110 | 133 | |
| 111 | 134 | ) |
| 112 | 135 | else | ... | ... |
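Review bot: Line 32 changes the reverse-DNS assertion to `expr match '$results' 'include:$expected\$'`, which now demands the literal text `include:` at the start of the `host $ip` output, so every `test_reverse_dns_*` will fail; this looks like a copy-paste from `check_spf` and should be restored to `'$expected\$'`. `check_spf` has the mirror-image problem: `expr match` anchors at the start of the string and `host -t TXT` output begins with the domain name, so `'include:$spf_domain'` can never match — it needs the leading `.*` the reverse-DNS pattern already uses: `"expr match '$results' '.*include:$spf_domain'"`. `domain` and `spf_domain` in `check_spf` are also not declared `local`, unlike the neighbouring helpers. Since `host -t TXT` can return several records on separate lines and whether `.*` crosses newlines in `expr` is implementation-dependent, `printf '%s' "$results" | grep -q "include:$spf_domain"` would be the more dependable check.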
test/mailman_test.sh
| ... | ... | @@ -21,7 +21,7 @@ test_mailman_delivery() { |
| 21 | 21 | } |
| 22 | 22 | |
| 23 | 23 | test_mailman_web_interface() { |
| 24 | - local title="$(curl --location --header 'Host: listas.softwarepublico.dev' http://$integration/mailman/cgi-bin/listinfo | grep -i '<title>')" | |
| 24 | + local title="$(curl --location --header 'Host: listas.softwarepublico.dev' http://$config_external_hostname/mailman/cgi-bin/listinfo | grep -i '<title>')" | |
| 25 | 25 | assertEquals "<TITLE>listas.softwarepublico.dev Mailing Lists</TITLE>" "$title" |
| 26 | 26 | } |
| 27 | 27 | ... | ... |
test/noosfero_test.sh
| ... | ... | @@ -19,12 +19,12 @@ test_reverse_proxy_noosfero() { |
| 19 | 19 | } |
| 20 | 20 | |
| 21 | 21 | test_reverse_proxy_static_files() { |
| 22 | - local content_type="$(curl-host softwarepublico.dev --head http://$social/social/images/noosfero-network.png | grep-header Content-Type)" | |
| 22 | + local content_type="$(curl-host softwarepublico.dev --head http://$config_external_hostname/social/images/noosfero-network.png | grep-header Content-Type)" | |
| 23 | 23 | assertEquals "Content-Type: image/png" "$content_type" |
| 24 | 24 | } |
| 25 | 25 | |
| 26 | 26 | test_redirect_with_correct_hostname_behind_proxy() { |
| 27 | - local redirect="$(curl-host softwarepublico.dev --head https://softwarepublico.dev/social/search/contents | grep-header Location)" | |
| 27 | + local redirect="$(curl-host softwarepublico.dev --head https://$config_external_hostname/social/search/contents | grep-header Location)" | |
| 28 | 28 | assertEquals "Location: https://softwarepublico.dev/social/search/articles" "$redirect" |
| 29 | 29 | } |
| 30 | 30 | ... | ... |
utils/reverseproxy_ssh_setup
| ... | ... | @@ -14,7 +14,15 @@ sed -i -e 's/^#\?\s*Port\s*[0-9]\+\s*$/Port '$port'/g' /etc/ssh/sshd_config |
| 14 | 14 | yum install -y selinux-policy policycoreutils-python |
| 15 | 15 | |
| 16 | 16 | # Tell SELinux to allow the new port |
| 17 | -semanage port -a -t ssh_port_t -p tcp "$port" | |
| 17 | +if grep -q '/$' /proc/1/cgroup; then | |
| 18 | + # not in a container | |
| 19 | + semanage port -a -t ssh_port_t -p tcp "$port" | |
| 20 | +else | |
| 21 | + # in container; will fail if host does not have SELinux enabled | |
| 22 | + if ! semanage port -a -t ssh_port_t -p tcp "$port"; then | |
| 23 | + echo "I: can't use SELinux, your host probably does not have it enabled" | |
| 24 | + fi | |
| 25 | +fi | |
| 18 | 26 | |
| 19 | 27 | # Restart SSH |
| 20 | 28 | systemctl restart sshd | ... | ... |
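Review bot: Both branches at lines 17-25 run the identical `semanage port -a` command and differ only in whether failure is fatal, so the container test can collapse to one line, `semanage port -a -t ssh_port_t -p tcp "$port" || echo "I: can't use SELinux, your host probably does not have it enabled"`, or it can call the `is-a-container` helper this commit adds to the basics cookbook instead of introducing a second, different detection. The `grep -q '/$' /proc/1/cgroup` test is unreliable on cgroup v2 systems, where `/proc/1/cgroup` reads `0::/` both on the host and inside a container with its own cgroup namespace. `semanage port -a` also fails on a second run because the port is already defined; a `semanage port -l | grep -q "ssh_port_t.*\b$port\b"` guard, or `semanage port -m`, keeps the script re-runnable on plain hosts too. The script continues outside the hunk.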