Commit a7b28c0ce05cbf28940704e0b58829fd91ba3871
Exists in
master
and in
89 other branches
Merge branch 'master' into fix_external_firewall
Showing
27 changed files
with
277 additions
and
128 deletions
Show diff stats
.gitignore
Rakefile
| 1 | +require 'yaml' | ||
| 2 | + | ||
| 1 | begin | 3 | begin |
| 2 | load 'local.rake' | 4 | load 'local.rake' |
| 3 | rescue LoadError | 5 | rescue LoadError |
| @@ -13,15 +15,40 @@ iptables_file = "config/#{$SPB_ENV}/iptables-filter-rules" | @@ -13,15 +15,40 @@ iptables_file = "config/#{$SPB_ENV}/iptables-filter-rules" | ||
| 13 | 15 | ||
| 14 | ENV['CHAKE_SSH_CONFIG'] = ssh_config_file | 16 | ENV['CHAKE_SSH_CONFIG'] = ssh_config_file |
| 15 | 17 | ||
| 18 | +if $SPB_ENV == 'lxc' | ||
| 19 | + system("mkdir -p config/lxc; sudo lxc-ls -f -F name,ipv4 | sed -e '/^softwarepublico/ !d; s/softwarepublico_//; s/_[0-9_]*/:/ ' > #{ips_file}.new") | ||
| 20 | + begin | ||
| 21 | + ips = YAML.load_file("#{ips_file}.new") | ||
| 22 | + raise ArgumentError unless ips.is_a?(Hash) | ||
| 23 | + FileUtils.mv ips_file + '.new', ips_file | ||
| 24 | + rescue Exception => ex | ||
| 25 | + puts ex.message | ||
| 26 | + puts | ||
| 27 | + puts "Q: did you boot the containers first?" | ||
| 28 | + exit | ||
| 29 | + end | ||
| 30 | + config = YAML.load_file('config/local/config.yaml') | ||
| 31 | + config['external_ip'] = ips['reverseproxy'] | ||
| 32 | + config['relay_ip'] = ips['email'] | ||
| 33 | + File.open(config_file, 'w') do |f| | ||
| 34 | + f.puts(YAML.dump(config)) | ||
| 35 | + end | ||
| 36 | + | ||
| 37 | + File.open('config/lxc/iptables-filter-rules', 'w') do |f| | ||
| 38 | + lxc_host_bridge_ip = '192.168.122.1' # FIXME don't hardcode | ||
| 39 | + f.puts "-A INPUT -s #{lxc_host_bridge_ip} -p tcp -m state --state NEW --dport 22 -j ACCEPT" | ||
| 40 | + end | ||
| 41 | +end | ||
| 42 | + | ||
| 16 | require 'chake' | 43 | require 'chake' |
| 17 | 44 | ||
| 18 | if Chake::VERSION < '0.4.3' | 45 | if Chake::VERSION < '0.4.3' |
| 19 | fail "Please upgrade to chake 0.4.3+" | 46 | fail "Please upgrade to chake 0.4.3+" |
| 20 | end | 47 | end |
| 21 | 48 | ||
| 22 | -config = YAML.load_file(config_file) | ||
| 23 | -ips = YAML.load_file(ips_file) | ||
| 24 | -firewall = File.open(iptables_file).read | 49 | +ips ||= YAML.load_file(ips_file) |
| 50 | +config ||= YAML.load_file(config_file) | ||
| 51 | +firewall ||= File.open(iptables_file).read | ||
| 25 | $nodes.each do |node| | 52 | $nodes.each do |node| |
| 26 | node.data['config'] = config | 53 | node.data['config'] = config |
| 27 | node.data['peers'] = ips | 54 | node.data['peers'] = ips |
| @@ -38,13 +65,15 @@ task :test do | @@ -38,13 +65,15 @@ task :test do | ||
| 38 | end | 65 | end |
| 39 | 66 | ||
| 40 | file 'ssh_config.erb' | 67 | file 'ssh_config.erb' |
| 41 | -file 'config/local/ssh_config' => ['nodes.yaml', 'config/local/ips.yaml', 'ssh_config.erb', 'Rakefile'] do |t| | ||
| 42 | - require 'erb' | ||
| 43 | - template = ERB.new(File.read('ssh_config.erb')) | ||
| 44 | - File.open(t.name, 'w') do |f| | ||
| 45 | - f.write(template.result(binding)) | 68 | +if ['local', 'lxc'].include?($SPB_ENV) |
| 69 | + file ssh_config_file => ['nodes.yaml', ips_file, 'ssh_config.erb', 'Rakefile'] do |t| | ||
| 70 | + require 'erb' | ||
| 71 | + template = ERB.new(File.read('ssh_config.erb')) | ||
| 72 | + File.open(t.name, 'w') do |f| | ||
| 73 | + f.write(template.result(binding)) | ||
| 74 | + end | ||
| 75 | + puts 'ERB %s' % t.name | ||
| 46 | end | 76 | end |
| 47 | - puts 'ERB %s' % t.name | ||
| 48 | end | 77 | end |
| 49 | 78 | ||
| 50 | task :backup => ssh_config_file do | 79 | task :backup => ssh_config_file do |
Vagrantfile
| @@ -13,28 +13,43 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| | @@ -13,28 +13,43 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| | ||
| 13 | config.vm.provision 'shell', path: 'utils/proxy.sh', args: [proxy] | 13 | config.vm.provision 'shell', path: 'utils/proxy.sh', args: [proxy] |
| 14 | end | 14 | end |
| 15 | 15 | ||
| 16 | - ips = YAML.load_file('config/local/ips.yaml') | 16 | + load './local.rake' if File.exists?('local.rake') |
| 17 | + env = ENV.fetch('SPB_ENV', 'local') | ||
| 18 | + | ||
| 19 | + if File.exist?("config/#{env}/ips.yaml") | ||
| 20 | + ips = YAML.load_file("config/#{env}/ips.yaml") | ||
| 21 | + else | ||
| 22 | + ips = nil | ||
| 23 | + end | ||
| 17 | 24 | ||
| 18 | config.vm.define 'database' do |database| | 25 | config.vm.define 'database' do |database| |
| 19 | - database.vm.network 'private_network', ip: ips['database'] | 26 | + database.vm.provider "virtualbox" do |vm| |
| 27 | + database.vm.network 'private_network', ip: ips['database'] if ips | ||
| 28 | + end | ||
| 20 | end | 29 | end |
| 21 | config.vm.define 'integration' do |integration| | 30 | config.vm.define 'integration' do |integration| |
| 22 | - integration.vm.network 'private_network', ip: ips['integration'] | ||
| 23 | - integration.vm.provider "virtualbox" do |v| | ||
| 24 | - v.memory = 1024 | ||
| 25 | - v.cpus = 2 | 31 | + integration.vm.provider "virtualbox" do |vm| |
| 32 | + integration.vm.network 'private_network', ip: ips['integration'] if ips | ||
| 33 | + vm.memory = 1024 | ||
| 34 | + vm.cpus = 2 | ||
| 26 | end | 35 | end |
| 27 | end | 36 | end |
| 28 | config.vm.define 'email' do |email| | 37 | config.vm.define 'email' do |email| |
| 29 | - email.vm.network 'private_network', ip: ips['email'] | 38 | + email.vm.provider "virtualbox" do |vm| |
| 39 | + email.vm.network 'private_network', ip: ips['email'] if ips | ||
| 40 | + end | ||
| 30 | end | 41 | end |
| 31 | config.vm.define 'social' do |social| | 42 | config.vm.define 'social' do |social| |
| 32 | - social.vm.network 'private_network', ip: ips['social'] | 43 | + social.vm.provider "virtualbox" do |vm| |
| 44 | + social.vm.network 'private_network', ip: ips['social'] if ips | ||
| 45 | + end | ||
| 33 | end | 46 | end |
| 34 | config.vm.define 'reverseproxy' do |reverseproxy| | 47 | config.vm.define 'reverseproxy' do |reverseproxy| |
| 35 | - reverseproxy.vm.network 'private_network', ip: ips['reverseproxy'] | ||
| 36 | - if File.exist?('tmp/preconfig.local.stamp') | ||
| 37 | - reverseproxy.ssh.port = File.read('tmp/preconfig.local.stamp').strip.to_i | 48 | + reverseproxy.vm.provider "virtualbox" do |vm| |
| 49 | + reverseproxy.vm.network 'private_network', ip: ips['reverseproxy'] if ips | ||
| 50 | + end | ||
| 51 | + if File.exist?("tmp/preconfig.#{env}.stamp") | ||
| 52 | + reverseproxy.ssh.port = File.read("tmp/preconfig.#{env}.stamp").strip.to_i | ||
| 38 | reverseproxy.ssh.host = ips['reverseproxy'] | 53 | reverseproxy.ssh.host = ips['reverseproxy'] |
| 39 | end | 54 | end |
| 40 | end | 55 | end |
| @@ -0,0 +1,15 @@ | @@ -0,0 +1,15 @@ | ||
| 1 | +admins: | ||
| 2 | + - ["Paulo Meirelles", "paulo@softwarelivre.org"] | ||
| 3 | +external_hostname: dev.softwarepublico.gov.br | ||
| 4 | +external_ip: 189.9.151.16 | ||
| 5 | +site_url: https://dev.softwarepublico.gov.br | ||
| 6 | +colab_from_address: '"Portal do Software Publico (dev)" <noreply@dev.softwarepublico.gov.br>' | ||
| 7 | +server_email: '"Portal do Software Publico (dev)" <noreply@dev.softwarepublico.gov.br>' | ||
| 8 | +email_subject_prefix: '[spb|dev]' | ||
| 9 | +lists_hostname: listas.dev.softwarepublico.gov.br | ||
| 10 | +lists_admin: paulo@softwarelivre.org | ||
| 11 | +from_address: noreply@dev.softwarepublico.gov.br | ||
| 12 | +relay_hostname: relay.dev.softwarepublico.gov.br | ||
| 13 | +relay_ip: 189.9.151.44 | ||
| 14 | +external_outgoing_mail_relay: 189.9.150.53 | ||
| 15 | +external_outgoing_mail_domain: serpro.gov.br |
| @@ -0,0 +1,23 @@ | @@ -0,0 +1,23 @@ | ||
| 1 | + | ||
| 2 | +-A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT | ||
| 3 | +-A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT | ||
| 4 | +-A INPUT -s 200.198.196.192/26 -p icmp --icmp-type 8 -j ACCEPT | ||
| 5 | +-A INPUT -s 200.198.196.201/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT | ||
| 6 | +-A INPUT -s 200.198.196.206/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT | ||
| 7 | + | ||
| 8 | +-A INPUT -s 189.9.150.85/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | ||
| 9 | + | ||
| 10 | + | ||
| 11 | +# UnB | ||
| 12 | +-A INPUT -s 164.41.86.12/32 -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT | ||
| 13 | +-A INPUT -s 164.41.9.36/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | ||
| 14 | + | ||
| 15 | + | ||
| 16 | +# Sergio Oliveira | ||
| 17 | +-A INPUT -s 179.111.229.232/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | ||
| 18 | + | ||
| 19 | + | ||
| 20 | +-A INPUT -s 10.18.0.0/16 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | ||
| 21 | +-A INPUT -s 10.18.0.0/16 -p icmp --icmp-type 8 -j ACCEPT | ||
| 22 | +-A INPUT -s 189.9.137.239/32 -p tcp -m state --state NEW -m tcp --dport 10050 -j ACCEPT | ||
| 23 | +-A INPUT -s 189.9.137.239/32 -p icmp --icmp-type 8 -j ACCEPT |
| @@ -0,0 +1,30 @@ | @@ -0,0 +1,30 @@ | ||
| 1 | +Host * | ||
| 2 | + ForwardAgent yes | ||
| 3 | + | ||
| 4 | +Host reverseproxy | ||
| 5 | + Hostname 189.9.151.16 | ||
| 6 | + User spb | ||
| 7 | + | ||
| 8 | +Host database | ||
| 9 | + Hostname 10.18.0.16 | ||
| 10 | + User spb | ||
| 11 | + # connect via reverseproxy host | ||
| 12 | + ProxyCommand ssh spb@189.9.151.16 nc %h %p | ||
| 13 | + | ||
| 14 | +Host social | ||
| 15 | + Hostname 10.18.0.17 | ||
| 16 | + User spb | ||
| 17 | + # connect via reverseproxy host | ||
| 18 | + ProxyCommand ssh spb@189.9.151.16 nc %h %p | ||
| 19 | + | ||
| 20 | +Host email | ||
| 21 | + Hostname 10.18.0.18 | ||
| 22 | + User spb | ||
| 23 | + # connect via reverseproxy host | ||
| 24 | + ProxyCommand ssh spb@189.9.151.16 nc %h %p | ||
| 25 | + | ||
| 26 | +Host integration | ||
| 27 | + Hostname 10.18.0.19 | ||
| 28 | + User spb | ||
| 29 | + # connect via reverseproxy host | ||
| 30 | + ProxyCommand ssh spb@189.9.151.16 nc %h %p |
config/development/config.yaml
| @@ -1,13 +0,0 @@ | @@ -1,13 +0,0 @@ | ||
| 1 | -admins: | ||
| 2 | - - | ||
| 3 | - - Paulo Meirelles | ||
| 4 | - - paulo@softwarelivre.org | ||
| 5 | -external_hostname: dev.softwarepublico.gov.br | ||
| 6 | -site_url: https://dev.softwarepublico.gov.br | ||
| 7 | -colab_from_address: '"Portal do Software Publico (dev)" <noreply@dev.softwarepublico.gov.br>' | ||
| 8 | -server_email: '"Portal do Software Publico (dev)" <noreply@dev.softwarepublico.gov.br>' | ||
| 9 | -email_subject_prefix: '[spb|dev]' | ||
| 10 | -lists_hostname: listas.dev.softwarepublico.gov.br | ||
| 11 | -lists_admin: paulo@softwarelivre.org | ||
| 12 | -relay_hostname: relay.dev.softwarepublico.gov.br | ||
| 13 | -from_address: noreply@dev.softwarepublico.gov.br |
config/development/ips.yaml
config/development/iptables-filter-rules
| @@ -1,23 +0,0 @@ | @@ -1,23 +0,0 @@ | ||
| 1 | - | ||
| 2 | --A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT | ||
| 3 | --A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT | ||
| 4 | --A INPUT -s 200.198.196.192/26 -p icmp --icmp-type 8 -j ACCEPT | ||
| 5 | --A INPUT -s 200.198.196.201/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT | ||
| 6 | --A INPUT -s 200.198.196.206/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT | ||
| 7 | - | ||
| 8 | --A INPUT -s 189.9.150.85/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | ||
| 9 | - | ||
| 10 | - | ||
| 11 | -# UnB | ||
| 12 | --A INPUT -s 164.41.86.12/32 -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT | ||
| 13 | --A INPUT -s 164.41.9.36/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | ||
| 14 | - | ||
| 15 | - | ||
| 16 | -# Sergio Oliveira | ||
| 17 | --A INPUT -s 179.111.229.232/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | ||
| 18 | - | ||
| 19 | - | ||
| 20 | --A INPUT -s 10.18.0.0/16 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | ||
| 21 | --A INPUT -s 10.18.0.0/16 -p icmp --icmp-type 8 -j ACCEPT | ||
| 22 | --A INPUT -s 189.9.137.239/32 -p tcp -m state --state NEW -m tcp --dport 10050 -j ACCEPT | ||
| 23 | --A INPUT -s 189.9.137.239/32 -p icmp --icmp-type 8 -j ACCEPT |
config/development/ssh_config
| @@ -1,30 +0,0 @@ | @@ -1,30 +0,0 @@ | ||
| 1 | -Host * | ||
| 2 | - ForwardAgent yes | ||
| 3 | - | ||
| 4 | -Host reverseproxy | ||
| 5 | - Hostname 189.9.151.16 | ||
| 6 | - User spb | ||
| 7 | - | ||
| 8 | -Host database | ||
| 9 | - Hostname 10.18.0.16 | ||
| 10 | - User spb | ||
| 11 | - # connect via reverseproxy host | ||
| 12 | - ProxyCommand ssh spb@189.9.151.16 nc %h %p | ||
| 13 | - | ||
| 14 | -Host social | ||
| 15 | - Hostname 10.18.0.17 | ||
| 16 | - User spb | ||
| 17 | - # connect via reverseproxy host | ||
| 18 | - ProxyCommand ssh spb@189.9.151.16 nc %h %p | ||
| 19 | - | ||
| 20 | -Host email | ||
| 21 | - Hostname 10.18.0.18 | ||
| 22 | - User spb | ||
| 23 | - # connect via reverseproxy host | ||
| 24 | - ProxyCommand ssh spb@189.9.151.16 nc %h %p | ||
| 25 | - | ||
| 26 | -Host integration | ||
| 27 | - Hostname 10.18.0.19 | ||
| 28 | - User spb | ||
| 29 | - # connect via reverseproxy host | ||
| 30 | - ProxyCommand ssh spb@189.9.151.16 nc %h %p |
config/homologa/config.yaml
| @@ -9,7 +9,8 @@ server_email: '"Portal do Software Publico (homologação)" <noreply@homologa.so | @@ -9,7 +9,8 @@ server_email: '"Portal do Software Publico (homologação)" <noreply@homologa.so | ||
| 9 | email_subject_prefix: '[spb]' | 9 | email_subject_prefix: '[spb]' |
| 10 | lists_hostname: listas.homologa.softwarepublico.gov.br | 10 | lists_hostname: listas.homologa.softwarepublico.gov.br |
| 11 | lists_admin: nayanne.bonifacio@planejamento.gov.br | 11 | lists_admin: nayanne.bonifacio@planejamento.gov.br |
| 12 | +from_address: noreply@homologa.softwarepublico.gov.br | ||
| 12 | relay_hostname: relay.homologa.softwarepublico.gov.br | 13 | relay_hostname: relay.homologa.softwarepublico.gov.br |
| 13 | relay_ip: 189.9.151.66 | 14 | relay_ip: 189.9.151.66 |
| 14 | -alt_ssh_port: 55555 | ||
| 15 | -from_address: noreply@homologa.softwarepublico.gov.br | 15 | +external_outgoing_mail_relay: 189.9.150.53 |
| 16 | +external_outgoing_mail_domain: serpro.gov.br |
config/homologa/ssh_config
| 1 | Host * | 1 | Host * |
| 2 | ForwardAgent yes | 2 | ForwardAgent yes |
| 3 | 3 | ||
| 4 | -Host reverseproxy | ||
| 5 | - Hostname 164.41.9.49 | ||
| 6 | - Port 55555 | ||
| 7 | - | ||
| 8 | Host reverseproxy.unconfigured | 4 | Host reverseproxy.unconfigured |
| 9 | - Hostname 164.41.9.49 | 5 | + Hostname 189.9.151.65 |
| 6 | + User spb | ||
| 7 | + | ||
| 8 | +Host reverseproxy | ||
| 9 | + Hostname 10.0.13.2 | ||
| 10 | + User spb | ||
| 11 | + # connect via reverseproxy host | ||
| 12 | + ProxyCommand ssh spb@189.9.151.65 nc %h %p | ||
| 10 | 13 | ||
| 11 | Host database | 14 | Host database |
| 12 | - Hostname 10.10.40.47 | ||
| 13 | - Port 55555 | 15 | + Hostname 10.0.13.6 |
| 16 | + User spb | ||
| 14 | # connect via reverseproxy host | 17 | # connect via reverseproxy host |
| 15 | - ProxyCommand ssh 164.41.9.49 -p %p nc %h 22 | 18 | + ProxyCommand ssh spb@189.9.151.65 nc %h %p |
| 16 | 19 | ||
| 17 | Host social | 20 | Host social |
| 18 | - Hostname 10.10.40.46 | ||
| 19 | - Port 55555 | 21 | + Hostname 10.0.13.4 |
| 22 | + User spb | ||
| 20 | # connect via reverseproxy host | 23 | # connect via reverseproxy host |
| 21 | - ProxyCommand ssh 164.41.9.49 -p %p nc %h 22 | 24 | + ProxyCommand ssh spb@189.9.151.65 nc %h %p |
| 22 | 25 | ||
| 23 | Host email | 26 | Host email |
| 24 | - Hostname 10.10.40.48 | ||
| 25 | - Port 55555 | 27 | + Hostname 10.0.13.5 |
| 28 | + User spb | ||
| 26 | # connect via reverseproxy host | 29 | # connect via reverseproxy host |
| 27 | - ProxyCommand ssh 164.41.9.49 -p %p nc %h 22 | 30 | + ProxyCommand ssh spb@189.9.151.65 nc %h %p |
| 28 | 31 | ||
| 29 | Host integration | 32 | Host integration |
| 30 | - Hostname 10.10.40.45 | ||
| 31 | - Port 55555 | ||
| 32 | - # connect via reverseproxy host | ||
| 33 | - ProxyCommand ssh 164.41.9.49 -p %p nc %h 22 | 33 | + Hostname 10.0.13.7 |
| 34 | + User spb | ||
| 35 | + # Porta 22 de 189.9.151.65 cai aqui entao nao precisa de ProxyCommand |
cookbooks/basics/files/default/selinux-install-module
| @@ -9,6 +9,12 @@ if [ $# -ne 1 ]; then | @@ -9,6 +9,12 @@ if [ $# -ne 1 ]; then | ||
| 9 | exit 1 | 9 | exit 1 |
| 10 | fi | 10 | fi |
| 11 | 11 | ||
| 12 | +selinux_status=$(sestatus | sed -e '/^SELinux status:/ !d; s/.*\s//') | ||
| 13 | +if ! selinux-enabled; then | ||
| 14 | + echo "I: SELinux disabled, skipping" | ||
| 15 | + exit 0 | ||
| 16 | +fi | ||
| 17 | + | ||
| 12 | input="$1" | 18 | input="$1" |
| 13 | 19 | ||
| 14 | directory=$(dirname "$input") | 20 | directory=$(dirname "$input") |
cookbooks/basics/recipes/default.rb
| @@ -10,8 +10,19 @@ cookbook_file '/etc/selinux/config' do | @@ -10,8 +10,19 @@ cookbook_file '/etc/selinux/config' do | ||
| 10 | group 'root' | 10 | group 'root' |
| 11 | mode 0644 | 11 | mode 0644 |
| 12 | end | 12 | end |
| 13 | -execute 'setenforce Enforcing' | ||
| 14 | -execute 'setsebool httpd_can_network_connect 1' | 13 | + |
| 14 | +cookbook_file '/usr/local/bin/selinux-enabled' do | ||
| 15 | + owner 'root' | ||
| 16 | + group 'root' | ||
| 17 | + mode '0755' | ||
| 18 | +end | ||
| 19 | + | ||
| 20 | +execute 'setenforce Enforcing' do | ||
| 21 | + only_if 'selinux-enabled' | ||
| 22 | +end | ||
| 23 | +execute 'setsebool httpd_can_network_connect 1' do | ||
| 24 | + only_if 'selinux-enabled' | ||
| 25 | +end | ||
| 15 | # directory for local type enforcements | 26 | # directory for local type enforcements |
| 16 | directory '/etc/selinux/local' do | 27 | directory '/etc/selinux/local' do |
| 17 | owner 'root' | 28 | owner 'root' |
| @@ -32,8 +43,14 @@ package 'less' | @@ -32,8 +43,14 @@ package 'less' | ||
| 32 | package 'htop' | 43 | package 'htop' |
| 33 | package 'ntp' | 44 | package 'ntp' |
| 34 | 45 | ||
| 46 | +cookbook_file '/usr/local/bin/is-a-container' do | ||
| 47 | + owner 'root' | ||
| 48 | + group 'root' | ||
| 49 | + mode '0755' | ||
| 50 | +end | ||
| 35 | service 'ntpd' do | 51 | service 'ntpd' do |
| 36 | action [:enable, :start] | 52 | action [:enable, :start] |
| 53 | + not_if 'is-a-container' | ||
| 37 | end | 54 | end |
| 38 | 55 | ||
| 39 | service 'firewalld' do | 56 | service 'firewalld' do |
cookbooks/colab/recipes/default.rb
cookbooks/email/recipes/relay.rb
| @@ -46,3 +46,10 @@ execute 'transport:postmap' do | @@ -46,3 +46,10 @@ execute 'transport:postmap' do | ||
| 46 | command "postmap /etc/postfix/transport" | 46 | command "postmap /etc/postfix/transport" |
| 47 | action :nothing | 47 | action :nothing |
| 48 | end | 48 | end |
| 49 | + | ||
| 50 | +external_relay = node['config']['external_outgoing_mail_relay'] | ||
| 51 | +if external_relay | ||
| 52 | + execute "postconf relayhost=#{external_relay}" | ||
| 53 | +else | ||
| 54 | + execute 'postconf -X relayhost' | ||
| 55 | +end |
cookbooks/noosfero/recipes/default.rb
| @@ -42,6 +42,10 @@ execute 'plugins:enable' do | @@ -42,6 +42,10 @@ execute 'plugins:enable' do | ||
| 42 | command '/usr/lib/noosfero/script/noosfero-plugins enable ' + plugins.join(' ') | 42 | command '/usr/lib/noosfero/script/noosfero-plugins enable ' + plugins.join(' ') |
| 43 | end | 43 | end |
| 44 | 44 | ||
| 45 | +execute 'plugins:activate' do | ||
| 46 | + command "RAILS_ENV=production bundle exec rake noosfero:plugins:enable_all_plugins" | ||
| 47 | +end | ||
| 48 | + | ||
| 45 | execute 'theme:enable' do | 49 | execute 'theme:enable' do |
| 46 | command 'psql -h database -U noosfero --no-align --tuples-only -q -c "update environments set theme=\'noosfero-spb-theme\' where id=1;"' | 50 | command 'psql -h database -U noosfero --no-align --tuples-only -q -c "update environments set theme=\'noosfero-spb-theme\' where id=1;"' |
| 47 | end | 51 | end |
| @@ -61,6 +65,10 @@ service 'noosfero' do | @@ -61,6 +65,10 @@ service 'noosfero' do | ||
| 61 | action [:enable, :start] | 65 | action [:enable, :start] |
| 62 | end | 66 | end |
| 63 | 67 | ||
| 68 | +service 'memcached' do | ||
| 69 | + action [:enable, :start] | ||
| 70 | +end | ||
| 71 | + | ||
| 64 | template '/etc/nginx/conf.d/noosfero.conf' do | 72 | template '/etc/nginx/conf.d/noosfero.conf' do |
| 65 | owner 'root'; group 'root'; mode 0644 | 73 | owner 'root'; group 'root'; mode 0644 |
| 66 | source 'nginx.conf.erb' | 74 | source 'nginx.conf.erb' |
cookbooks/reverse_proxy/recipes/default.rb
| @@ -12,7 +12,9 @@ cookbook_file "/etc/sysctl.d/ip_forward.conf" do | @@ -12,7 +12,9 @@ cookbook_file "/etc/sysctl.d/ip_forward.conf" do | ||
| 12 | mode 0644 | 12 | mode 0644 |
| 13 | end | 13 | end |
| 14 | 14 | ||
| 15 | -execute 'sysctl -w net.ipv4.ip_forward=1' | 15 | +execute 'sysctl -w net.ipv4.ip_forward=1' do |
| 16 | + not_if 'is-a-container' | ||
| 17 | +end | ||
| 16 | 18 | ||
| 17 | cookbook_file "/etc/nginx/#{node['config']['external_hostname']}.key" do | 19 | cookbook_file "/etc/nginx/#{node['config']['external_hostname']}.key" do |
| 18 | owner 'root' | 20 | owner 'root' |
tasks/doc.rake
| @@ -17,9 +17,9 @@ desc 'Publishes PDF' | @@ -17,9 +17,9 @@ desc 'Publishes PDF' | ||
| 17 | task :pdfupload => :pdf do | 17 | task :pdfupload => :pdf do |
| 18 | require 'date' | 18 | require 'date' |
| 19 | 19 | ||
| 20 | - tag = Date.today.strftime('doc-%Y-%m-%d') | 20 | + tag = Date.today.strftime('doc-%Y-%m-%d-') + $SPB_ENV |
| 21 | blob = `git hash-object -w docs/_build/latex/softwarepublico.pdf`.strip | 21 | blob = `git hash-object -w docs/_build/latex/softwarepublico.pdf`.strip |
| 22 | - tree = `printf '100644 blob #{blob}\tsoftwarepublico.pdf\n' | git mktree`.strip | 22 | + tree = `printf '100644 blob #{blob}\tsoftwarepublico-#{$SPB_ENV}.pdf\n' | git mktree`.strip |
| 23 | commit = `git commit-tree -m #{tag} #{tree}`.strip | 23 | commit = `git commit-tree -m #{tag} #{tree}`.strip |
| 24 | 24 | ||
| 25 | sh 'git', 'tag', tag, commit | 25 | sh 'git', 'tag', tag, commit |
test/colab_test.sh
| @@ -21,16 +21,16 @@ test_nginx_responds() { | @@ -21,16 +21,16 @@ test_nginx_responds() { | ||
| 21 | } | 21 | } |
| 22 | 22 | ||
| 23 | test_nginx_virtualhost() { | 23 | test_nginx_virtualhost() { |
| 24 | - local title="$(curl --header 'Host: softwarepublico.dev' http://$integration/dashboard | grep '<title>' | sed -e 's/^\s*//')" | 24 | + local title="$(curl --header 'Host: softwarepublico.dev' http://$config_external_hostname/dashboard | grep '<title>' | sed -e 's/^\s*//')" |
| 25 | assertEquals "<title>Home - Colab</title>" "$title" | 25 | assertEquals "<title>Home - Colab</title>" "$title" |
| 26 | } | 26 | } |
| 27 | 27 | ||
| 28 | test_reverse_proxy_gitlab() { | 28 | test_reverse_proxy_gitlab() { |
| 29 | - assertTrue 'Reverse proxy for gitlab' "curl --header 'Host: softwarepublico.dev' http://$integration/gitlab/public/projects | grep -i '<meta.*gitlab.*>'" | 29 | + assertTrue 'Reverse proxy for gitlab' "curl --header 'Host: softwarepublico.dev' http://$config_external_hostname/gitlab/public/projects | grep -i '<meta.*gitlab.*>'" |
| 30 | } | 30 | } |
| 31 | 31 | ||
| 32 | test_reverse_proxy_noosfero() { | 32 | test_reverse_proxy_noosfero() { |
| 33 | - assertTrue 'Reverse proxy for noosfero' "curl --header 'Host: softwarepublico.dev' http://$integration/social/search/people | grep -i '<meta.*noosfero.*>'" | 33 | + assertTrue 'Reverse proxy for noosfero' "curl --header 'Host: softwarepublico.dev' http://$config_external_hostname/social/search/people | grep -i '<meta.*noosfero.*>'" |
| 34 | } | 34 | } |
| 35 | 35 | ||
| 36 | load_shunit2 | 36 | load_shunit2 |
test/dns_test.sh
| 1 | . $(dirname $0)/test_helper.sh | 1 | . $(dirname $0)/test_helper.sh |
| 2 | 2 | ||
| 3 | -if [ "$SPB_ENV" = local ]; then | 3 | +if [ "$SPB_ENV" = local -o "$SPB_ENV" = lxc ]; then |
| 4 | echo "_No DNS for local environment_" | 4 | echo "_No DNS for local environment_" |
| 5 | exit | 5 | exit |
| 6 | fi | 6 | fi |
| @@ -29,7 +29,14 @@ check_reverse_dns() { | @@ -29,7 +29,14 @@ check_reverse_dns() { | ||
| 29 | local hostname="$2" | 29 | local hostname="$2" |
| 30 | local results="$(host $ip)" | 30 | local results="$(host $ip)" |
| 31 | local expected=".*in-addr.arpa domain name pointer ${hostname}." | 31 | local expected=".*in-addr.arpa domain name pointer ${hostname}." |
| 32 | - assertTrue "Reverse DNS of $ip must be $hostname (found: $results)" "expr match '$results' '$expected\$'" | 32 | + assertTrue "Reverse DNS of $ip must be $hostname (found: $results)" "expr match '$results' 'include:$expected\$'" |
| 33 | +} | ||
| 34 | + | ||
| 35 | +check_spf() { | ||
| 36 | + domain="$1" | ||
| 37 | + spf_domain="$2" | ||
| 38 | + local results="$(host -t TXT "$domain")" | ||
| 39 | + assertTrue "TXT entry for $domain must have include:$spf_domain (found: $results)" "expr match '$results' 'include:$spf_domain'" | ||
| 33 | } | 40 | } |
| 34 | 41 | ||
| 35 | test_dns_web() { | 42 | test_dns_web() { |
| @@ -60,7 +67,14 @@ test_reverse_dns_relay() { | @@ -60,7 +67,14 @@ test_reverse_dns_relay() { | ||
| 60 | check_reverse_dns "$config_relay_ip" "$config_relay_hostname" | 67 | check_reverse_dns "$config_relay_ip" "$config_relay_hostname" |
| 61 | } | 68 | } |
| 62 | 69 | ||
| 63 | -# TODO test_spf_external_relay | 70 | +if [ -n "$config_external_outgoing_mail_domain" ]; then |
| 71 | + test_spf_domain() { | ||
| 72 | + check_spf "$config_external_hostname" "$config_external_outgoing_mail_domain" | ||
| 73 | + } | ||
| 74 | + test_spf_lists() { | ||
| 75 | + check_spf "$config_lists_hostname" "$config_external_outgoing_mail_domain" | ||
| 76 | + } | ||
| 77 | +fi | ||
| 64 | 78 | ||
| 65 | if [ "$1" = '--doc' ]; then | 79 | if [ "$1" = '--doc' ]; then |
| 66 | check_hostname() { | 80 | check_hostname() { |
| @@ -78,13 +92,19 @@ if [ "$1" = '--doc' ]; then | @@ -78,13 +92,19 @@ if [ "$1" = '--doc' ]; then | ||
| 78 | echo " - $1" | 92 | echo " - $1" |
| 79 | echo " - ${2}." | 93 | echo " - ${2}." |
| 80 | } | 94 | } |
| 95 | + check_spf() { | ||
| 96 | + echo " * - TXT (SPF: \"v=spf1 ...\")" | ||
| 97 | + echo " - $1 " | ||
| 98 | + echo " - include:${2} " | ||
| 99 | + } | ||
| 81 | header() { | 100 | header() { |
| 101 | + local aponta="${2:-Aponta para}" | ||
| 82 | echo '.. list-table::' | 102 | echo '.. list-table::' |
| 83 | echo ' :header-rows: 1' | 103 | echo ' :header-rows: 1' |
| 84 | echo | 104 | echo |
| 85 | echo ' * - Tipo' | 105 | echo ' * - Tipo' |
| 86 | echo ' - Entrada' | 106 | echo ' - Entrada' |
| 87 | - echo ' - Aponta para' | 107 | + echo " - $aponta" |
| 88 | } | 108 | } |
| 89 | footer() { | 109 | footer() { |
| 90 | echo | 110 | echo |
| @@ -106,7 +126,10 @@ if [ "$1" = '--doc' ]; then | @@ -106,7 +126,10 @@ if [ "$1" = '--doc' ]; then | ||
| 106 | test_reverse_dns_relay | 126 | test_reverse_dns_relay |
| 107 | footer | 127 | footer |
| 108 | 128 | ||
| 109 | - # FIXME test_spf_external_relay | 129 | + header 'SPF' 'Deve conter' |
| 130 | + test_spf_domain | ||
| 131 | + test_spf_lists | ||
| 132 | + footer | ||
| 110 | 133 | ||
| 111 | ) | 134 | ) |
| 112 | else | 135 | else |
test/mailman_test.sh
| @@ -21,7 +21,7 @@ test_mailman_delivery() { | @@ -21,7 +21,7 @@ test_mailman_delivery() { | ||
| 21 | } | 21 | } |
| 22 | 22 | ||
| 23 | test_mailman_web_interface() { | 23 | test_mailman_web_interface() { |
| 24 | - local title="$(curl --location --header 'Host: listas.softwarepublico.dev' http://$integration/mailman/cgi-bin/listinfo | grep -i '<title>')" | 24 | + local title="$(curl --location --header 'Host: listas.softwarepublico.dev' http://$config_external_hostname/mailman/cgi-bin/listinfo | grep -i '<title>')" |
| 25 | assertEquals "<TITLE>listas.softwarepublico.dev Mailing Lists</TITLE>" "$title" | 25 | assertEquals "<TITLE>listas.softwarepublico.dev Mailing Lists</TITLE>" "$title" |
| 26 | } | 26 | } |
| 27 | 27 |
test/noosfero_test.sh
| @@ -19,12 +19,12 @@ test_reverse_proxy_noosfero() { | @@ -19,12 +19,12 @@ test_reverse_proxy_noosfero() { | ||
| 19 | } | 19 | } |
| 20 | 20 | ||
| 21 | test_reverse_proxy_static_files() { | 21 | test_reverse_proxy_static_files() { |
| 22 | - local content_type="$(curl-host softwarepublico.dev --head http://$social/social/images/noosfero-network.png | grep-header Content-Type)" | 22 | + local content_type="$(curl-host softwarepublico.dev --head http://$config_external_hostname/social/images/noosfero-network.png | grep-header Content-Type)" |
| 23 | assertEquals "Content-Type: image/png" "$content_type" | 23 | assertEquals "Content-Type: image/png" "$content_type" |
| 24 | } | 24 | } |
| 25 | 25 | ||
| 26 | test_redirect_with_correct_hostname_behind_proxy() { | 26 | test_redirect_with_correct_hostname_behind_proxy() { |
| 27 | - local redirect="$(curl-host softwarepublico.dev --head https://softwarepublico.dev/social/search/contents | grep-header Location)" | 27 | + local redirect="$(curl-host softwarepublico.dev --head https://$config_external_hostname/social/search/contents | grep-header Location)" |
| 28 | assertEquals "Location: https://softwarepublico.dev/social/search/articles" "$redirect" | 28 | assertEquals "Location: https://softwarepublico.dev/social/search/articles" "$redirect" |
| 29 | } | 29 | } |
| 30 | 30 |
utils/reverseproxy_ssh_setup
| @@ -14,7 +14,15 @@ sed -i -e 's/^#\?\s*Port\s*[0-9]\+\s*$/Port '$port'/g' /etc/ssh/sshd_config | @@ -14,7 +14,15 @@ sed -i -e 's/^#\?\s*Port\s*[0-9]\+\s*$/Port '$port'/g' /etc/ssh/sshd_config | ||
| 14 | yum install -y selinux-policy policycoreutils-python | 14 | yum install -y selinux-policy policycoreutils-python |
| 15 | 15 | ||
| 16 | # Tell SELinux to allow the new port | 16 | # Tell SELinux to allow the new port |
| 17 | -semanage port -a -t ssh_port_t -p tcp "$port" | 17 | +if grep -q '/$' /proc/1/cgroup; then |
| 18 | + # not in a container | ||
| 19 | + semanage port -a -t ssh_port_t -p tcp "$port" | ||
| 20 | +else | ||
| 21 | + # in container; will fail if host does not have SELinux enabled | ||
| 22 | + if ! semanage port -a -t ssh_port_t -p tcp "$port"; then | ||
| 23 | + echo "I: can't use SELinux, your host probably does not have it enabled" | ||
| 24 | + fi | ||
| 25 | +fi | ||
| 18 | 26 | ||
| 19 | # Restart SSH | 27 | # Restart SSH |
| 20 | systemctl restart sshd | 28 | systemctl restart sshd |