devops: baagi.org automated

Signed-off-by: Rohit Yadav <[email protected]>

Author: Rohit Yadav

.gitignore

@@ -0,0 +1,4 @@
+*.pyc
+*~
+.DS_Store
+keys/*

README.md

@@ -0,0 +1,22 @@
+# DevOps automation using Fabric and Puppet
+
+Install Fabric:
+
+    pip install fabric
+
+Initialize and bootstrap puppet repository and keys, deploy for the first time
+on a node:
+
+    fab -R <role> -H <host> init
+
+Check changes on server:
+
+    fab -R baagi noop
+
+Push eventual changes on server:
+
+    fab -R baagi deploy
+
+Upgrading packages:
+
+    fab -R baagi upgrade

fabfile.py

@@ -0,0 +1,113 @@
+from fabric.api import *
+import getpass
+import sys
+
+# Enforce sysadmin params
+env.user = "bhaisaab"
+env.port = "1009"
+
+# Forward local agent
+env.forward_agent = True
+
+# Move to a reusable map/hash module
+env.roledefs = {
+                   "baagi": [""],
+               }
+
+# Add role to capture all nodes
+all_servers = []
+for key in env.roledefs:
+    all_servers = all_servers + env.roledefs[key]
+
+env.roledefs["all"] = all_servers
+
+if len(env.hosts) != 0:
+    for key in env.roledefs.keys():
+        env.roledefs[key] = []
+
+
+print """
+   _____          __                         __
+  /  _  \  __ ___/  |_  ____   _____ _____ _/  |_  ___________
+ /  /_\  \|  |  \   __\/  _ \ /     \\\\__  \\\\   __\/  _ \_  __ \\
+/    |    \  |  /|  | (  <_> )  Y Y  \/ __ \|  | (  <_> )  | \/
+\____|__  /____/ |__|  \____/|__|_|  (____  /__|  \____/|__|
+        \/                         \/     \/
+"""
+
+print "Tasks:", env['tasks']
+print "Roles:", env['roles']
+print "Hosts:", env['hosts']
+print "SSH Port:", env['port']
+
+
+if "init" not in sys.argv and not env.password:
+    env.password = getpass.getpass("Enter OTP for sudo ops: ")
+
+
+def info():
+    run("uname -a")
+    run("lsb_release -a")
+    run("uptime")
+    run("last | head -5")
+    run("hostname && hostname -f")
+
+
+def upgrade():
+    sudo("apt-get update && apt-get upgrade -V")
+
+
+def noop():
+    sudo("cd /etc/puppet/ && git clean -fd && git checkout -- /etc/puppet/ && git pull --rebase origin master")
+    sudo("puppet apply --modulepath /etc/puppet/modules --noop /etc/puppet/manifests/site.pp --templatedir /etc/puppet/templates/")
+
+
+def deploy():
+    """
+    Runs puppet apply
+    """
+    sudo("cd /etc/puppet/ && git clean -fd && git checkout -- /etc/puppet/ && git pull --rebase origin master")
+    sudo("puppet apply --modulepath /etc/puppet/modules /etc/puppet/manifests/site.pp --templatedir /etc/puppet/templates/ --debug")
+
+
+def reboot():
+    sudo("reboot")
+
+
+def init():
+    """
+    Assumed that root user will setup initial environment before admin takes control
+    """
+    if len(env.hosts) > 1:
+        print "WARNING: You're initializing more than one host in one go!"
+
+    env.user = "root"
+    env.port = "22"
+
+    # host info
+    info()
+
+    # basic package management
+    run("apt-get update && apt-get upgrade -y")
+    run("apt-get purge -y exim* mutt procmail bind9 apache2* php5* mysql* mailagent")
+    run("apt-get install --no-install-recommends -y vim htop sudo openssh-client ssh wget gcc build-essential python-pip git tig")
+
+    # append local public key to authorized_keys
+    put("~/.ssh/id_rsa.pub", "/tmp")
+    run("mkdir -p /root/.ssh && cat /tmp/id_rsa.pub >> /root/.ssh/authorized_keys")
+
+    # fix ulimits
+    run("echo -e '* \t soft \t nofile \t 64000' >> /etc/security/limits.conf")
+    run("echo -e '* \t hard \t nofile \t 128000' >> /etc/security/limits.conf")
+    run("echo -e 'root \t soft \t nofile \t 64000' >> /etc/security/limits.conf")
+    run("echo -e 'root \t hard \t nofile \t 128000' >> /etc/security/limits.conf")
+
+    # install puppet based on Debian codename
+    run("if [ `lsb_release --codename | grep wheezy | wc -l` -eq 1 ]; then cd /tmp && wget http://apt.puppetlabs.com/puppetlabs-release-wheezy.deb && dpkg -i puppetlabs-release-wheezy.deb; else cd /tmp && wget http://apt.puppetlabs.com/puppetlabs-release-squeeze.deb && dpkg -i puppetlabs-release-squeeze.deb; fi")
+
+    # install puppet and git, clone repo
+    run("apt-get update && apt-get install puppet -y --no-install-recommends")
+    run("cd /etc && rm -fr puppet && git clone https://github.com/baagi/devops.git puppet")
+
+    # first deploy
+    deploy()

files/.gitkeep

@@ -0,0 +1,3 @@
+[files]
+allow *.baagi.org
+path /etc/puppet/files

fileserver.conf

@@ -0,0 +1,5 @@
+import "base"
+import "locale"
+import "ntp"
+import "ssh"
+import "timezone"

manifests/modules.pp

@@ -0,0 +1,21 @@
+node basenode {
+    include base
+    include ntp
+
+    class { "ssh":
+        allowed_users => "bhaisaab",
+    }
+
+    timezone { "server timezone":
+        tz => "UTC",
+    }
+
+    users::admin { "bhaisaab": }
+    locale { "default": }
+}
+
+node default inherits basenode {
+}
+
+node /^baagi(\.org)?$/ inherits basenode {
+}

manifests/nodes.pp

@@ -0,0 +1,17 @@
+import "modules"
+import "nodes"
+
+# global defaults
+Exec { path => "/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin" }
+
+Package {
+    provider => $operatingsystem ? {
+        debian => aptitude,
+        ubuntu => aptitude,
+        redhat => yum,
+        fedora => yum,
+        centos => yum,
+    }
+}
+
+

manifests/site.pp

@@ -0,0 +1,17 @@
+class base {
+    $packages = [ "sudo", "htop", "rsync", "tar", "tmux", "vim", "locales" ]
+    package { $packages: ensure => installed }
+
+#    file { "/etc/hosts":
+#        ensure => file,
+#        content => template("base/hosts.erb"),
+#    }
+
+#    firewall { '000 allow packets with valid state':
+#        state    => ['RELATED', 'ESTABLISHED'],
+#        action   => 'accept',
+#    }
+#    resources { 'firewall':
+#        purge    => false,
+#    }
+}

modules/base/manifests/init.pp

@@ -0,0 +1,8 @@
+127.0.0.1     <%= @fqdn %> <%= @hostname %> localhost
+
+# The following lines are desirable for IPv6 capable hosts
+::1     ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters

modules/base/templates/hosts.erb

@@ -0,0 +1,13 @@
+class dotfiles($user = 'bhaisaab') {
+
+    $packages = [ "zsh" ]
+    package { $packages: ensure => installed } ->
+    exec { "set dotfiles for user":
+        path     => "/bin:/usr/bin:/usr/local/bin",
+        user     => "$user",
+        unless   => "ls /home/${user}/.dotfiles && ls /home/${user}/.oh-my-zsh",
+        command  => 'git clone git://github.com/bhaisaab/dotfiles.git /home/${user}/.dotfiles \
+                     && git clone git://github.com/robbyrussell/oh-my-zsh.git /home/${user}/.oh-my-zsh \
+                     && /bin/bash /home/${user}/.dotfiles/install.sh',
+    }
+}

modules/dotfiles/manifests/init.pp

@@ -0,0 +1,2 @@
+en_US.UTF-8 UTF-8
+en_US ISO-8859-1

modules/locale/files/default.gen

@@ -0,0 +1,21 @@
+define locale($role = $title) {
+
+    $localefile = $role ? {
+        default     => 'default.gen',
+    }
+
+    # configure locale
+    file { "/etc/locale.gen":
+        ensure  => present,
+        owner   => root,
+        group   => root,
+        mode    => 644,
+        source  => "puppet:///modules/locale/$localefile",
+        notify  => Exec["locale-gen"],
+    }
+
+    exec { "locale-gen":
+        command => "/usr/sbin/locale-gen",
+        refreshonly => true,
+    }
+}

modules/locale/manifests/init.pp

@@ -0,0 +1,15 @@
+class ntp {
+
+    package { 'ntpdate':
+        ensure => latest
+    }
+
+    package { "ntp":
+        ensure => latest,
+    }
+
+    service { "ntp":
+        ensure => "running"
+    }
+
+}

modules/ntp/manifests/init.pp

@@ -0,0 +1,33 @@
+class ssh($allowed_users = 'bhaisaab rohit rohityadav') {
+
+    $packages = [ "openssh-client", "openssh-server" ]
+    package { $packages: ensure => latest }
+
+    service { "ssh":
+        ensure => "running",
+        enable => "true",
+        hasstatus => true,
+        require => Package["openssh-server"],
+    }
+
+    file { "/etc/ssh/sshd_config":
+        ensure => file,
+        notify => Service["ssh"],
+        mode => 600,
+        owner => "root",
+        group => "root",
+        content => template("ssh/sshd_config.erb"),
+        require => Package["openssh-server"],
+    }
+
+    file { "/root/.ssh":
+        ensure => directory,
+        mode => 700,
+        owner => root,
+        group => root,
+        selrange => s0,
+        seltype => home_ssh_t,
+        selrole => object_r,
+        seluser => system_u,
+    }
+}

modules/ssh/manifests/init.pp

@@ -0,0 +1,88 @@
+Port 1009
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 30
+PermitRootLogin no
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+AuthorizedKeysFile  %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding no
+X11DisplayOffset 10
+AllowTcpForwarding no
+
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+MaxStartups 4:50:16
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+UseDNS no
+
+AllowUsers <%= @allowed_users %>