From b9175bfb9f06339bfc508fa3726868404d06d29a Mon Sep 17 00:00:00 2001 
From: Christian Joudrey Date: Sun, 1 Jul 2012 23:34:42 -0400 Subject: [PATCH] Added Chef cookbooks and settings. --- .gitmodules | 39 ++++++++ Vagrantfile | 2 +- chef/cookbooks/build-essential | 1 + chef/cookbooks/firewall | 1 + chef/cookbooks/git | 1 + chef/cookbooks/memcached | 1 + chef/cookbooks/mysql | 1 + chef/cookbooks/nginx | 1 + chef/cookbooks/nodejs | 1 + chef/cookbooks/ohai | 1 + chef/cookbooks/openssl | 1 + chef/cookbooks/redis | 1 + chef/cookbooks/runit | 1 + chef/cookbooks/rvm | 1 + chef/cookbooks/ufw | 1 + chef/data_bags/firewall/nginx__source.json | 8 ++ chef/data_bags/users/cjoudrey.json | 7 ++ chef/data_bags/users/deploy.json | 7 ++ chef/node.json | 41 +++++++++ .../memcached/recipes/default.rb | 7 ++ .../openssh/files/default/sshd_config | 89 +++++++++++++++++++ .../site-cookbooks/openssh/recipes/default.rb | 10 +++ chef/site-cookbooks/users/recipes/default.rb | 42 +++++++++ .../templates/default/authorized_keys.erb | 4 + 24 files changed, 268 insertions(+), 1 deletion(-) create mode 100644 .gitmodules create mode 160000 chef/cookbooks/build-essential create mode 160000 chef/cookbooks/firewall create mode 160000 chef/cookbooks/git create mode 160000 chef/cookbooks/memcached create mode 160000 chef/cookbooks/mysql create mode 160000 chef/cookbooks/nginx create mode 160000 chef/cookbooks/nodejs create mode 160000 chef/cookbooks/ohai create mode 160000 chef/cookbooks/openssl create mode 160000 chef/cookbooks/redis create mode 160000 chef/cookbooks/runit create mode 160000 chef/cookbooks/rvm create mode 160000 chef/cookbooks/ufw create mode 100644 chef/data_bags/firewall/nginx__source.json create mode 100644 chef/data_bags/users/cjoudrey.json create mode 100644 chef/data_bags/users/deploy.json create mode 100644 chef/node.json create mode 100644 chef/site-cookbooks/memcached/recipes/default.rb create mode 100644 chef/site-cookbooks/openssh/files/default/sshd_config create mode 100644 chef/site-cookbooks/openssh/recipes/default.rb create mode 100644 
chef/site-cookbooks/users/recipes/default.rb
create mode 100644 chef/site-cookbooks/users/templates/default/authorized_keys.erb
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..d8d6ae2
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,39 @@
+[submodule "chef/cookbooks/git"]
+ path = chef/cookbooks/git
+ url = git://github.com/opscode-cookbooks/git.git
+[submodule "chef/cookbooks/ufw"]
+ path = chef/cookbooks/ufw
+ url = git://github.com/opscode-cookbooks/ufw.git
+[submodule "chef/cookbooks/firewall"]
+ path = chef/cookbooks/firewall
+ url = git://github.com/opscode-cookbooks/firewall.git
+[submodule "chef/cookbooks/runit"]
+ path = chef/cookbooks/runit
+ url = git://github.com/opscode-cookbooks/runit.git
+[submodule "chef/cookbooks/build-essential"]
+ path = chef/cookbooks/build-essential
+ url = git://github.com/opscode-cookbooks/build-essential.git
+[submodule "chef/cookbooks/nginx"]
+ path = chef/cookbooks/nginx
+ url = git://github.com/opscode-cookbooks/nginx.git
+[submodule "chef/cookbooks/ohai"]
+ path = chef/cookbooks/ohai
+ url = git://github.com/opscode-cookbooks/ohai.git
+[submodule "chef/cookbooks/rvm"]
+ path = chef/cookbooks/rvm
+ url = git://github.com/fnichol/chef-rvm.git
+[submodule "chef/cookbooks/memcached"]
+ path = chef/cookbooks/memcached
+ url = git://github.com/opscode-cookbooks/memcached.git
+[submodule "chef/cookbooks/mysql"]
+ path = chef/cookbooks/mysql
+ url = git://github.com/opscode-cookbooks/mysql.git
+[submodule "chef/cookbooks/openssl"]
+ path = chef/cookbooks/openssl
+ url = git://github.com/opscode-cookbooks/openssl.git
+[submodule "chef/cookbooks/redis"]
+ path = chef/cookbooks/redis
+ url = git://github.com/CXInc/chef-redis.git
+[submodule "chef/cookbooks/nodejs"]
+ path = chef/cookbooks/nodejs
+ url = git://github.com/mdxp/nodejs-cookbook.git
diff --git a/Vagrantfile b/Vagrantfile
index 8e973eb..5eec54d 100644
--- a/Vagrantfile
+++ b/Vagrantfile
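Review bot: Every submodule in this hunk is fetched over the unauthenticated, unencrypted git:// transport (e.g. `url = git://github.com/opscode-cookbooks/git.git`), so a clone or `git submodule update` has no transport-level assurance of who it is talking to; the pinned gitlink commits added elsewhere in this patch bound what a bad fetch can substitute, but only if the operator actually checks that the resolved commit matches. Switching each entry to `url = https://github.com/opscode-cookbooks/git.git` (and likewise for the other twelve) gives transport authentication at no cost. Thirteen third-party cookbooks from several different GitHub owners (opscode-cookbooks, fnichol, CXInc, mdxp) are also being adopted in one commit with no mention of how they were reviewed; a sentence in the commit message or a README noting why each non-opscode fork was chosen would help a later audit.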
@@ -68,7 +68,7 @@ Vagrant::Config.run do |config| # some recipes and/or roles. # config.vm.provision :chef_solo do |chef| - chef_root = File.expand_path('../../test-chef-solo/chef', __FILE__) + chef_root = File.expand_path('../chef', __FILE__) chef.cookbooks_path = ["#{chef_root}/cookbooks", "#{chef_root}/site-cookbooks"] chef.data_bags_path = "#{chef_root}/data_bags"
diff --git a/chef/cookbooks/build-essential b/chef/cookbooks/build-essential
new file mode 160000
index 0000000..e7f5d4e
--- /dev/null
+++ b/chef/cookbooks/build-essential
@@ -0,0 +1 @@
+Subproject commit e7f5d4e2496457c013090f659ed22ac1f74090d3
diff --git a/chef/cookbooks/firewall b/chef/cookbooks/firewall
new file mode 160000
index 0000000..776b2e3
--- /dev/null
+++ b/chef/cookbooks/firewall
@@ -0,0 +1 @@
+Subproject commit 776b2e3011540ba1c852d27169070d80fc5c7caf
diff --git a/chef/cookbooks/git b/chef/cookbooks/git
new file mode 160000
index 0000000..06ff406
--- /dev/null
+++ b/chef/cookbooks/git
@@ -0,0 +1 @@
+Subproject commit 06ff406aad523e77d4adccaa4fe719c51a2a63f1
diff --git a/chef/cookbooks/memcached b/chef/cookbooks/memcached
new file mode 160000
index 0000000..870c81a
--- /dev/null
+++ b/chef/cookbooks/memcached
@@ -0,0 +1 @@
+Subproject commit 870c81af54948880ca4d29794b2ac153009302f4
diff --git a/chef/cookbooks/mysql b/chef/cookbooks/mysql
new file mode 160000
index 0000000..237a1a8
--- /dev/null
+++ b/chef/cookbooks/mysql
@@ -0,0 +1 @@
+Subproject commit 237a1a8d49658767537a305568cb2983bd606bc6
diff --git a/chef/cookbooks/nginx b/chef/cookbooks/nginx
new file mode 160000
index 0000000..73eb194
--- /dev/null
+++ b/chef/cookbooks/nginx
@@ -0,0 +1 @@
+Subproject commit 73eb194f7de2ed02287045bd42219cc2382fee29
diff --git a/chef/cookbooks/nodejs b/chef/cookbooks/nodejs
new file mode 160000
index 0000000..9f34266
--- /dev/null
+++ b/chef/cookbooks/nodejs
@@ -0,0 +1 @@
+Subproject commit 9f3426670af1debb1bcc4aea6f5a2bb8932a5595
diff --git a/chef/cookbooks/ohai b/chef/cookbooks/ohai
new file mode 160000
index 0000000..0a9d656
--- /dev/null
+++ b/chef/cookbooks/ohai
@@ -0,0 +1 @@
+Subproject commit 0a9d656cda99256bffab6812ee524ea221f96629
diff --git a/chef/cookbooks/openssl b/chef/cookbooks/openssl
new file mode 160000
index 0000000..ec39521
--- /dev/null
+++ b/chef/cookbooks/openssl
@@ -0,0 +1 @@
+Subproject commit ec395219f0586213cb2d34028e252d0884bfe794
diff --git a/chef/cookbooks/redis b/chef/cookbooks/redis
new file mode 160000
index 0000000..36a9438
--- /dev/null
+++ b/chef/cookbooks/redis
@@ -0,0 +1 @@
+Subproject commit 36a94382d77da8dae282b3be46feddf40d2ac568
diff --git a/chef/cookbooks/runit b/chef/cookbooks/runit
new file mode 160000
index 0000000..0685710
--- /dev/null
+++ b/chef/cookbooks/runit
@@ -0,0 +1 @@
+Subproject commit 06857102ff76ffc8c0dc45694fc2cf6b16e0b3f7
diff --git a/chef/cookbooks/rvm b/chef/cookbooks/rvm
new file mode 160000
index 0000000..6411f11
--- /dev/null
+++ b/chef/cookbooks/rvm
@@ -0,0 +1 @@
+Subproject commit 6411f1194c2f57dc2578e87d9ca89199561512dd
diff --git a/chef/cookbooks/ufw b/chef/cookbooks/ufw
new file mode 160000
index 0000000..ce3a954
--- /dev/null
+++ b/chef/cookbooks/ufw
@@ -0,0 +1 @@
+Subproject commit ce3a954031949645ad74bb0d9fb10f1b86d9c8fb
diff --git a/chef/data_bags/firewall/nginx__source.json b/chef/data_bags/firewall/nginx__source.json
new file mode 100644
index 0000000..6b6c4cd
--- /dev/null
+++ b/chef/data_bags/firewall/nginx__source.json
@@ -0,0 +1,8 @@
+{
+ "id": "nginx__source",
+ "rules": [
+ {"http": {
+ "port": "80"
+ }}
+ ]
+}
diff --git a/chef/data_bags/users/cjoudrey.json b/chef/data_bags/users/cjoudrey.json
new file mode 100644
index 0000000..6e09c82
--- /dev/null
+++ b/chef/data_bags/users/cjoudrey.json
@@ -0,0 +1,7 @@
+{
+ "id": "cjoudrey",
+ "groups": ["admin"],
+ "home": "/home/cjoudrey",
+ "shell": "/bin/bash",
+ "ssh_keys": ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDODP3Io7mZWwPuBfP3GylZ+ojAqeoV9mQKtmyN5x7n2GCXsUKV1Wirg17QfYeKR1aELZ1FpqK120g8tHEMwnCGk+ewLXOfEZOw4jEyQ8kmpOf79aG53wVAz3Tlc175DVoT/4SAaZdbVmSpO/ut68lS+uHicxdsbXKySN6Ih3UlAVRjjML3XKdPbBT6F4c2LEFTb25gXjmx8bo+iOdQXEhsOXlDoPWP0sYDxopD5YYdZbO5hG2bNjnJBjklk4fBmRGa516LS99kmJ+i83e25VGlw25qixE8apdoBgveba00kfBTTrVLa03Fbh/oKrZPOKnmL0S9MEP2+8jq8Jk9ttNb MBA"]
+}
diff --git a/chef/data_bags/users/deploy.json b/chef/data_bags/users/deploy.json
new file mode 100644
index 0000000..4fc09db
--- /dev/null
+++ b/chef/data_bags/users/deploy.json
@@ -0,0 +1,7 @@
+{
+ "id": "deploy",
+ "groups": ["admin"],
+ "home": "/home/deploy",
+ "shell": "/bin/bash",
+ "ssh_keys": ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDODP3Io7mZWwPuBfP3GylZ+ojAqeoV9mQKtmyN5x7n2GCXsUKV1Wirg17QfYeKR1aELZ1FpqK120g8tHEMwnCGk+ewLXOfEZOw4jEyQ8kmpOf79aG53wVAz3Tlc175DVoT/4SAaZdbVmSpO/ut68lS+uHicxdsbXKySN6Ih3UlAVRjjML3XKdPbBT6F4c2LEFTb25gXjmx8bo+iOdQXEhsOXlDoPWP0sYDxopD5YYdZbO5hG2bNjnJBjklk4fBmRGa516LS99kmJ+i83e25VGlw25qixE8apdoBgveba00kfBTTrVLa03Fbh/oKrZPOKnmL0S9MEP2+8jq8Jk9ttNb MBA"]
+}
diff --git a/chef/node.json b/chef/node.json
new file mode 100644
index 0000000..6d27718
--- /dev/null
+++ b/chef/node.json
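Review bot: deploy.json installs the same public key as cjoudrey.json in the preceding hunk (the `ssh_keys` value is byte-identical) and also places the account in `"groups": ["admin"]`, so the automation identity and the personal admin identity cannot be told apart by key and carry the same group privileges. Give deploy its own key pair so its access can be rotated or revoked without touching the personal account, and leave it out of admin unless the deployment flow needs what that group grants (on Ubuntu-derived boxes admin is often mapped to sudo in sudoers — confirm against the base image). Public keys are fine to commit; the point is separation, not secrecy.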
@@ -0,0 +1,41 @@
+{
+ "run_list": [
+ "recipe[build-essential]",
+ "recipe[ufw::databag]",
+ "recipe[openssh]",
+ "recipe[users]",
+ "recipe[git]",
+ "recipe[rvm::system]",
+ "recipe[memcached]",
+ "recipe[mysql::server]",
+ "recipe[nginx::source]",
+ "recipe[redis::server_source]",
+ "recipe[redis::_server_service]",
+ "recipe[nodejs]"
+ ],
+ "nginx": {
+ "version": "1.2.1"
+ },
+ "rvm": {
+ "default_ruby": "ruby-1.9.3-p194",
+ "user_default_ruby": "ruby-1.9.3-p194"
+ },
+ "mysql": {
+ "server_root_password": "temporary_password_Pqa7RkzyDic4YMD2R3vDtFHpJ4hmoECzpz74T4zxfmE",
+ "server_repl_password": "temporary_password_Pqa7RkzyDic4YMD2R3vDtFHpJ4hmoECzpz74T4zxfmE",
+ "server_debian_password": "temporary_password_Pqa7RkzyDic4YMD2R3vDtFHpJ4hmoECzpz74T4zxfmE",
+ "package_name": "mysql-server-5.5",
+ "use_upstart": true,
+ "skip-innodb": true,
+ "tunable": {
+ "sort_buffer_size": "64K",
+ "net_buffer_length": "2K"
+ }
+ },
+ "redis": {
+ "source": {
+ "sha": "9e388d2c070b15136da1277f4d21f1c788694b12",
+ "version": "2.4.15"
+ }
+ }
+}
diff --git a/chef/site-cookbooks/memcached/recipes/default.rb b/chef/site-cookbooks/memcached/recipes/default.rb
new file mode 100644
index 0000000..cfefea4
--- /dev/null
+++ b/chef/site-cookbooks/memcached/recipes/default.rb
@@ -0,0 +1,7 @@
+package "memcached"
+
+service "memcached" do
+ action [:stop, :disable]
+end
+
+memcached_instance "main"
diff --git a/chef/site-cookbooks/openssh/files/default/sshd_config b/chef/site-cookbooks/openssh/files/default/sshd_config
new file mode 100644
index 0000000..0e6e50d
--- /dev/null
+++ b/chef/site-cookbooks/openssh/files/default/sshd_config
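Review bot: The mysql block commits three plaintext credentials to the repository (`server_root_password`, `server_repl_password`, `server_debian_password`) and all three hold the same string, so a single leaked value is simultaneously the root, replication and debian-sys-maint password. Even for a Vagrant box, node.json stays in repository history indefinitely; prefer generating these at provision time or keeping them in an encrypted data bag, and at minimum use three distinct values. The `temporary_password_` prefix reads as a placeholder, but JSON cannot carry a comment saying so — a line in the README or commit message stating that these must be replaced before any non-local use would stop the value being copied into a real environment.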
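Review bot: `memcached_instance "main"` on the last line of the recipe passes no bind address, so the instance runs on whatever the memcached cookbook's attribute defaults are; if that default is to listen on all interfaces, the cache is reachable from every network the box is attached to and only ufw stands between it and other hosts. Where the resource accepts a listen attribute (the pinned opscode memcached cookbook's instance resource appears to — verify against the submodule), pin it here: `memcached_instance "main" do listen "127.0.0.1" end`. Stopping and disabling the distro `memcached` service above it is reasonable but deserves a one-line comment, e.g. `# the distro service is replaced by the cookbook-managed instance below`, so a later reader does not re-enable it.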
@@ -0,0 +1,89 @@
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+AllowAgentForwarding yes
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin no
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
diff --git a/chef/site-cookbooks/openssh/recipes/default.rb b/chef/site-cookbooks/openssh/recipes/default.rb
new file mode 100644
index 0000000..605571c
--- /dev/null
+++ b/chef/site-cookbooks/openssh/recipes/default.rb
@@ -0,0 +1,10 @@
+cookbook_file '/etc/ssh/sshd_config' do
+ source 'sshd_config'
+ owner 'root'
+ group 'root'
+ mode '0644'
+end
+
+service 'ssh' do
+ action :restart
+end
diff --git a/chef/site-cookbooks/users/recipes/default.rb b/chef/site-cookbooks/users/recipes/default.rb
new file mode 100644
index 0000000..c655c33
--- /dev/null
+++ b/chef/site-cookbooks/users/recipes/default.rb
@@ -0,0 +1,42 @@
+users = data_bag('users')
+
+users.each do |name|
+ u = data_bag_item('users', name)
+
+ user(name) do
+ gid u['gid'] if u['gid']
+ shell u['shell']
+ comment u['comment']
+ if u['home']
+ home u['home']
+ supports :manage_home => true
+ else
+ supports :manage_home => false
+ end
+ end
+
+ if u['home']
+ directory "#{u['home']}/.ssh" do
+ owner u['id']
+ group u['gid'] || u['id']
+ mode '0700'
+ end
+
+ if u['ssh_keys']
+ template "#{u['home']}/.ssh/authorized_keys" do
+ source 'authorized_keys.erb'
+ owner u['id']
+ group u['gid'] || u['id']
+ mode '0600'
+ variables :ssh_keys => u['ssh_keys']
+ end
+ end
+ end
+
+ u['groups'].each do |g|
+ group g do
+ members name
+ append true
+ end
+ end
+end
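Review bot: `AllowAgentForwarding yes` near the top of the file and `X11Forwarding yes` further down are both left enabled in a config that is otherwise locked down (`PermitRootLogin no`, `PasswordAuthentication no`, `PermitEmptyPasswords no`); neither is needed on a headless provisioning target, and agent forwarding in particular means a compromised box can use the connecting user's agent for the life of the session. Set both to `no` unless a documented workflow depends on them. `HostKey /etc/ssh/ssh_host_dsa_key` keeps a DSA host key in the offer alongside RSA and ECDSA; DSA host keys are fixed at 1024 bits and the line can simply be dropped. Since this file is shipped verbatim to every node by cookbook_file, distro-specific values such as the sftp-server path on the Subsystem line must match every image the cookbook targets.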
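Review bot: `service 'ssh' do action :restart end` restarts sshd on every Chef run, unconditionally and after the new config has already been written with no syntax check, so a broken sshd_config is discovered only when the restart fails and the box is locked out. Let the file drive the restart instead: add `notifies :restart, 'service[ssh]'` inside the cookbook_file block and change the service resource to `action [:enable, :start]`, so an unchanged file causes no restart. If the Chef version in use supports a `verify` guard on file resources (not visible here), running `sshd -t` against the staged file before it is moved into place would close the lock-out window entirely.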
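Review bot: `u['groups'].each do |g|` at the bottom of the loop raises NoMethodError on nil for any data bag item that omits `groups`, while `home` and `ssh_keys` are guarded with `if`; `Array(u['groups']).each do |g|` makes it consistent and mirrors the `Array(@ssh_keys)` idiom in authorized_keys.erb. Because every group named in a data bag item is created and joined with `append true`, a users data bag entry is effectively a privilege grant — whoever can commit to chef/data_bags/users can add an account to `admin` — so that directory warrants the same review as code, and a comment saying so at the top of the recipe would be worthwhile. The `.ssh` directory and authorized_keys template are correctly 0700/0600 and owned by the user; a one-line comment noting that the template deliberately overwrites any keys added by hand would spare a later reader the surprise.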
diff --git a/chef/site-cookbooks/users/templates/default/authorized_keys.erb b/chef/site-cookbooks/users/templates/default/authorized_keys.erb
new file mode 100644
index 0000000..3edfff7
--- /dev/null
+++ b/chef/site-cookbooks/users/templates/default/authorized_keys.erb
@@ -0,0 +1,4 @@
+# Dropped off by Chef, thanks!
+<% Array(@ssh_keys).each do |key| %>
+<%= key %>
+<% end %>