From 65be894048e1fb4a16e78cb0c685f021747849af Mon Sep 17 00:00:00 2001 
From: Benoit Date: Sat, 15 Feb 2025 00:56:26 +0900 Subject: [PATCH] Archive abandoned project --- cinc-repo/.chef-repo.txt | 6 + cinc-repo/.gitignore | 129 ++++ cinc-repo/LICENSE | 201 ++++++ cinc-repo/README.md | 20 + cinc-repo/chefignore | 115 ++++ cinc-repo/cookbooks/esh_adguard | 1 + cinc-repo/cookbooks/esh_archivebox | 1 + cinc-repo/cookbooks/esh_borgmatic | 1 + cinc-repo/cookbooks/esh_cinc | 1 + cinc-repo/cookbooks/esh_cloudflared | 1 + cinc-repo/cookbooks/esh_docker | 1 + cinc-repo/cookbooks/esh_forgejo | 1 + cinc-repo/cookbooks/esh_go_mmproxy | 1 + cinc-repo/cookbooks/esh_haproxy | 1 + cinc-repo/cookbooks/esh_kanboard | 1 + cinc-repo/cookbooks/esh_laminar | 1 + cinc-repo/cookbooks/esh_letsencrypt | 1 + cinc-repo/cookbooks/esh_lxd | 1 + cinc-repo/cookbooks/esh_mailcow | 1 + cinc-repo/cookbooks/esh_miniflux | 1 + cinc-repo/cookbooks/esh_mkdocs | 1 + cinc-repo/cookbooks/esh_netplan | 1 + cinc-repo/cookbooks/esh_nginx | 1 + cinc-repo/cookbooks/esh_nitter | 1 + cinc-repo/cookbooks/esh_photoprism | 1 + cinc-repo/cookbooks/esh_piped | 1 + cinc-repo/cookbooks/esh_syncthing | 1 + cinc-repo/cookbooks/esh_system | 1 + cinc-repo/cookbooks/esh_systemd | 1 + cinc-repo/cookbooks/esh_ufw | 1 + cinc-repo/cookbooks/esh_undocker | 1 + cinc-repo/cookbooks/esh_vaultwarden | 1 + cinc-repo/cookbooks/esh_webhook | 1 + cinc-repo/cookbooks/esh_wireguard | 1 + cinc-repo/cookbooks/esh_writefreely | 1 + cinc-repo/cookbooks/esh_zfs | 1 + cinc-repo/data_bags/README.md | 56 ++ cinc-repo/data_bags/example/example_item.json | 4 + cinc-repo/knife.rb | 33 + cinc-repo/policyfiles/README.md | 24 + cinc-repo/policyfiles/archive.rb | 33 + cinc-repo/policyfiles/blog.rb | 40 ++ cinc-repo/policyfiles/dns.rb | 433 +++++++++++++ cinc-repo/policyfiles/flux.rb | 39 ++ cinc-repo/policyfiles/gallery.rb | 127 ++++ cinc-repo/policyfiles/git.rb | 122 ++++ cinc-repo/policyfiles/gtw.rb | 265 ++++++++ cinc-repo/policyfiles/justfile | 14 + cinc-repo/policyfiles/kb.rb | 316 ++++++++++ 
cinc-repo/policyfiles/lxd101.rb | 253 ++++++++ cinc-repo/policyfiles/lxd2204.rb | 183 ++++++ cinc-repo/policyfiles/mail.rb | 54 ++ cinc-repo/policyfiles/mkdocs.rb | 39 ++ cinc-repo/policyfiles/photos.rb | 118 ++++ cinc-repo/policyfiles/pwd.rb | 590 ++++++++++++++++++ cinc-repo/policyfiles/server_cert.der | Bin 0 -> 988 bytes cinc-repo/policyfiles/server_cert.pem | 23 + cinc-repo/policyfiles/twt.rb | 39 ++ cinc-repo/policyfiles/ytb.rb | 34 + esh_adguard/.gitignore | 25 + esh_adguard/CHANGELOG.md | 10 + esh_adguard/LICENSE | 201 ++++++ esh_adguard/Policyfile.rb | 16 + esh_adguard/README.md | 4 + esh_adguard/chefignore | 115 ++++ esh_adguard/compliance/README.md | 25 + esh_adguard/kitchen.yml | 31 + esh_adguard/metadata.rb | 19 + esh_adguard/recipes/default.rb | 142 +++++ .../test/integration/default/default_test.rb | 16 + esh_archivebox/.gitignore | 25 + esh_archivebox/CHANGELOG.md | 10 + esh_archivebox/LICENSE | 201 ++++++ esh_archivebox/Policyfile.rb | 16 + esh_archivebox/README.md | 5 + esh_archivebox/chefignore | 115 ++++ esh_archivebox/compliance/README.md | 25 + esh_archivebox/kitchen.yml | 31 + esh_archivebox/metadata.rb | 21 + esh_archivebox/recipes/compose.rb | 104 +++ esh_archivebox/recipes/default.rb | 17 + esh_archivebox/recipes/init.rb | 61 ++ esh_archivebox/recipes/system.rb | 26 + esh_archivebox/recipes/undocker.rb | 39 ++ .../templates/default/docker-compose.yml.erb | 91 +++ .../test/integration/default/default_test.rb | 16 + esh_borgmatic/.delivery/project.toml | 32 + esh_borgmatic/.gitignore | 25 + esh_borgmatic/CHANGELOG.md | 10 + esh_borgmatic/LICENSE | 201 ++++++ esh_borgmatic/Policyfile.rb | 16 + esh_borgmatic/README.md | 4 + esh_borgmatic/chefignore | 115 ++++ esh_borgmatic/kitchen.yml | 31 + esh_borgmatic/metadata.rb | 19 + esh_borgmatic/recipes/default.rb | 17 + esh_borgmatic/recipes/setup.rb | 122 ++++ .../templates/default/config.yaml.erb | 54 ++ .../test/integration/default/default_test.rb | 16 + esh_cinc/.gitignore | 25 + 
esh_cinc/CHANGELOG.md | 10 + esh_cinc/LICENSE | 201 ++++++ esh_cinc/Policyfile.rb | 16 + esh_cinc/README.md | 4 + esh_cinc/attributes/default.rb | 3 + esh_cinc/chefignore | 115 ++++ esh_cinc/compliance/README.md | 25 + esh_cinc/kitchen.yml | 31 + esh_cinc/metadata.rb | 22 + esh_cinc/recipes/default.rb | 17 + esh_cinc/resources/download.rb | 42 ++ .../test/integration/default/default_test.rb | 16 + esh_cloudflared/.gitignore | 25 + esh_cloudflared/CHANGELOG.md | 10 + esh_cloudflared/LICENSE | 201 ++++++ esh_cloudflared/Policyfile.rb | 16 + esh_cloudflared/README.md | 4 + esh_cloudflared/chefignore | 115 ++++ esh_cloudflared/compliance/README.md | 25 + esh_cloudflared/kitchen.yml | 31 + esh_cloudflared/metadata.rb | 19 + esh_cloudflared/recipes/cert.rb | 25 + esh_cloudflared/recipes/default.rb | 17 + esh_cloudflared/recipes/install.rb | 75 +++ esh_cloudflared/resources/tunnel.rb | 73 +++ .../templates/default/config.yaml.erb | 9 + .../test/integration/default/default_test.rb | 16 + esh_docker/.delivery/project.toml | 32 + esh_docker/.gitignore | 25 + esh_docker/CHANGELOG.md | 10 + esh_docker/LICENSE | 201 ++++++ esh_docker/Policyfile.rb | 16 + esh_docker/README.md | 4 + esh_docker/chefignore | 115 ++++ esh_docker/kitchen.yml | 31 + esh_docker/metadata.rb | 20 + esh_docker/recipes/default.rb | 17 + esh_docker/recipes/service.rb | 64 ++ .../test/integration/default/default_test.rb | 16 + esh_forgejo/.delivery/project.toml | 32 + esh_forgejo/.gitignore | 25 + esh_forgejo/CHANGELOG.md | 10 + esh_forgejo/LICENSE | 201 ++++++ esh_forgejo/Policyfile.rb | 16 + esh_forgejo/README.md | 4 + esh_forgejo/chefignore | 115 ++++ esh_forgejo/kitchen.yml | 31 + esh_forgejo/metadata.rb | 21 + esh_forgejo/recipes/default.rb | 17 + esh_forgejo/recipes/mariadb.rb | 36 ++ esh_forgejo/recipes/service.rb | 154 +++++ esh_forgejo/recipes/system.rb | 48 ++ .../test/integration/default/default_test.rb | 16 + esh_go_mmproxy/.gitignore | 25 + esh_go_mmproxy/CHANGELOG.md | 10 + 
esh_go_mmproxy/LICENSE | 201 ++++++ esh_go_mmproxy/Policyfile.rb | 16 + esh_go_mmproxy/README.md | 4 + esh_go_mmproxy/chefignore | 115 ++++ esh_go_mmproxy/compliance/README.md | 25 + esh_go_mmproxy/kitchen.yml | 31 + esh_go_mmproxy/metadata.rb | 19 + esh_go_mmproxy/recipes/default.rb | 45 ++ esh_go_mmproxy/resources/service.rb | 60 ++ .../test/integration/default/default_test.rb | 16 + esh_haproxy/.gitignore | 25 + esh_haproxy/CHANGELOG.md | 10 + esh_haproxy/LICENSE | 201 ++++++ esh_haproxy/Policyfile.rb | 16 + esh_haproxy/README.md | 4 + esh_haproxy/chefignore | 115 ++++ esh_haproxy/compliance/README.md | 25 + esh_haproxy/files/default/haproxy_country | 64 ++ esh_haproxy/kitchen.yml | 31 + esh_haproxy/metadata.rb | 19 + esh_haproxy/recipes/config.rb | 145 +++++ esh_haproxy/recipes/default.rb | 17 + esh_haproxy/templates/default/haproxy.cfg.erb | 387 ++++++++++++ .../test/integration/default/default_test.rb | 16 + esh_kanboard/.gitignore | 25 + esh_kanboard/CHANGELOG.md | 10 + esh_kanboard/LICENSE | 201 ++++++ esh_kanboard/Policyfile.rb | 16 + esh_kanboard/README.md | 4 + esh_kanboard/chefignore | 115 ++++ esh_kanboard/compliance/README.md | 25 + esh_kanboard/files/default/default | 28 + esh_kanboard/kitchen.yml | 31 + esh_kanboard/metadata.rb | 19 + esh_kanboard/recipes/default.rb | 76 +++ .../test/integration/default/default_test.rb | 16 + esh_laminar/.delivery/project.toml | 32 + esh_laminar/CHANGELOG.md | 10 + esh_laminar/LICENSE | 201 ++++++ esh_laminar/Policyfile.rb | 16 + esh_laminar/README.md | 4 + esh_laminar/chefignore | 115 ++++ esh_laminar/kitchen.yml | 31 + esh_laminar/metadata.rb | 19 + esh_laminar/recipes/default.rb | 17 + esh_laminar/recipes/service.rb | 43 ++ .../test/integration/default/default_test.rb | 16 + esh_letsencrypt/.gitignore | 25 + esh_letsencrypt/CHANGELOG.md | 10 + esh_letsencrypt/LICENSE | 201 ++++++ esh_letsencrypt/Policyfile.rb | 16 + esh_letsencrypt/README.md | 4 + esh_letsencrypt/chefignore | 115 ++++ 
esh_letsencrypt/compliance/README.md | 25 + esh_letsencrypt/kitchen.yml | 31 + esh_letsencrypt/metadata.rb | 19 + esh_letsencrypt/recipes/certs.rb | 84 +++ esh_letsencrypt/recipes/default.rb | 17 + esh_letsencrypt/recipes/serve.rb | 54 ++ esh_letsencrypt/recipes/snap.rb | 23 + .../test/integration/default/default_test.rb | 16 + esh_lxd/.gitignore | 25 + esh_lxd/CHANGELOG.md | 10 + esh_lxd/LICENSE | 201 ++++++ esh_lxd/Policyfile.rb | 16 + esh_lxd/README.md | 4 + esh_lxd/attributes/default.rb | 1 + esh_lxd/chefignore | 115 ++++ esh_lxd/compliance/README.md | 25 + esh_lxd/kitchen.yml | 31 + esh_lxd/metadata.rb | 21 + esh_lxd/recipes/containers.rb | 136 ++++ esh_lxd/recipes/default.rb | 17 + esh_lxd/recipes/resolved.rb | 39 ++ esh_lxd/recipes/setup.rb | 79 +++ esh_lxd/templates/default/lxd.yml.erb | 29 + .../test/integration/default/default_test.rb | 16 + esh_mailcow/.delivery/project.toml | 32 + esh_mailcow/.gitignore | 25 + esh_mailcow/CHANGELOG.md | 10 + esh_mailcow/LICENSE | 201 ++++++ esh_mailcow/Policyfile.rb | 16 + esh_mailcow/README.md | 4 + esh_mailcow/chefignore | 115 ++++ esh_mailcow/files/default/dkim_signing.conf | 35 ++ esh_mailcow/files/default/master.cf | 129 ++++ esh_mailcow/kitchen.yml | 31 + esh_mailcow/metadata.rb | 19 + esh_mailcow/recipes/default.rb | 17 + esh_mailcow/recipes/install.rb | 170 +++++ .../default/docker-compose.override.yml.erb | 22 + esh_mailcow/templates/default/main.cf.erb | 49 ++ .../test/integration/default/default_test.rb | 16 + esh_miniflux/.gitignore | 25 + esh_miniflux/CHANGELOG.md | 10 + esh_miniflux/LICENSE | 201 ++++++ esh_miniflux/Policyfile.rb | 16 + esh_miniflux/README.md | 4 + esh_miniflux/chefignore | 115 ++++ esh_miniflux/compliance/README.md | 25 + esh_miniflux/kitchen.yml | 31 + esh_miniflux/metadata.rb | 20 + esh_miniflux/recipes/default.rb | 60 ++ .../test/integration/default/default_test.rb | 16 + esh_mkdocs/.delivery/project.toml | 32 + esh_mkdocs/.gitignore | 25 + esh_mkdocs/CHANGELOG.md | 10 + 
esh_mkdocs/LICENSE | 201 ++++++ esh_mkdocs/Policyfile.rb | 16 + esh_mkdocs/README.md | 4 + esh_mkdocs/chefignore | 115 ++++ esh_mkdocs/kitchen.yml | 31 + esh_mkdocs/metadata.rb | 19 + esh_mkdocs/recipes/default.rb | 17 + esh_mkdocs/recipes/install.rb | 38 ++ .../test/integration/default/default_test.rb | 16 + esh_netplan/.gitignore | 25 + esh_netplan/CHANGELOG.md | 10 + esh_netplan/LICENSE | 201 ++++++ esh_netplan/Policyfile.rb | 16 + esh_netplan/README.md | 4 + esh_netplan/chefignore | 115 ++++ esh_netplan/compliance/README.md | 25 + esh_netplan/kitchen.yml | 31 + esh_netplan/metadata.rb | 19 + esh_netplan/recipes/config.rb | 31 + esh_netplan/recipes/default.rb | 17 + .../test/integration/default/default_test.rb | 16 + esh_nginx/.gitignore | 25 + esh_nginx/CHANGELOG.md | 10 + esh_nginx/LICENSE | 201 ++++++ esh_nginx/Policyfile.rb | 16 + esh_nginx/README.md | 4 + esh_nginx/chefignore | 115 ++++ esh_nginx/compliance/README.md | 25 + esh_nginx/kitchen.yml | 31 + esh_nginx/metadata.rb | 19 + esh_nginx/recipes/default.rb | 17 + esh_nginx/resources/basic_proxy.rb | 44 ++ esh_nginx/resources/php_fpm.rb | 58 ++ esh_nginx/templates/default/default.erb | 26 + .../test/integration/default/default_test.rb | 16 + esh_nitter/.gitignore | 25 + esh_nitter/CHANGELOG.md | 10 + esh_nitter/LICENSE | 201 ++++++ esh_nitter/Policyfile.rb | 16 + esh_nitter/README.md | 3 + esh_nitter/chefignore | 115 ++++ esh_nitter/compliance/README.md | 25 + esh_nitter/kitchen.yml | 31 + esh_nitter/metadata.rb | 20 + esh_nitter/recipes/default.rb | 17 + esh_nitter/recipes/install.rb | 76 +++ esh_nitter/recipes/redis.rb | 19 + esh_nitter/recipes/service.rb | 45 ++ esh_nitter/recipes/system.rb | 45 ++ esh_nitter/templates/default/nitter.conf.erb | 45 ++ .../test/integration/default/default_test.rb | 16 + esh_photoprism/.gitignore | 25 + esh_photoprism/CHANGELOG.md | 10 + esh_photoprism/LICENSE | 201 ++++++ esh_photoprism/Policyfile.rb | 16 + esh_photoprism/README.md | 4 + esh_photoprism/chefignore | 115 
++++ esh_photoprism/compliance/README.md | 25 + esh_photoprism/kitchen.yml | 31 + esh_photoprism/metadata.rb | 20 + esh_photoprism/recipes/compose.rb | 69 ++ esh_photoprism/recipes/default.rb | 17 + esh_photoprism/recipes/docker.rb | 40 ++ esh_photoprism/recipes/mariadb.rb | 34 + esh_photoprism/recipes/system.rb | 44 ++ esh_photoprism/recipes/undocker.rb | 39 ++ .../templates/default/docker-compose.yml.erb | 105 ++++ .../test/integration/default/default_test.rb | 16 + esh_photoprism/upstream/docker-compose.yml | 146 +++++ esh_piped/.gitignore | 25 + esh_piped/.gitmodules | 3 + esh_piped/CHANGELOG.md | 10 + esh_piped/LICENSE | 201 ++++++ esh_piped/Policyfile.rb | 16 + esh_piped/README.md | 5 + esh_piped/chefignore | 115 ++++ esh_piped/compliance/README.md | 25 + esh_piped/files/default/nginx.conf | 33 + esh_piped/files/default/ytproxy.conf | 18 + esh_piped/kitchen.yml | 31 + esh_piped/metadata.rb | 20 + esh_piped/recipes/cleaning.rb | 31 + esh_piped/recipes/compose.rb | 129 ++++ esh_piped/recipes/nginx.rb | 66 ++ esh_piped/recipes/postgresql.rb | 55 ++ esh_piped/recipes/service.rb | 26 + esh_piped/recipes/system.rb | 36 ++ esh_piped/recipes/undocker.rb | 46 ++ esh_piped/templates/default/config.properties | 93 +++ .../templates/default/config.properties.erb | 93 +++ .../templates/default/docker-compose.yml.erb | 66 ++ esh_piped/templates/default/hosts.erb | 9 + esh_piped/templates/default/pipedapi.conf.erb | 15 + .../templates/default/pipedfrontend.conf.erb | 12 + .../templates/default/pipedproxy.conf.erb | 14 + .../test/integration/default/default_test.rb | 16 + esh_syncthing/.delivery/project.toml | 32 + esh_syncthing/.gitignore | 25 + esh_syncthing/CHANGELOG.md | 10 + esh_syncthing/LICENSE | 201 ++++++ esh_syncthing/Policyfile.rb | 16 + esh_syncthing/README.md | 4 + esh_syncthing/chefignore | 115 ++++ esh_syncthing/kitchen.yml | 31 + esh_syncthing/metadata.rb | 19 + esh_syncthing/recipes/default.rb | 17 + esh_syncthing/recipes/service.rb | 37 ++ 
.../test/integration/default/default_test.rb | 16 + esh_system/.delivery/project.toml | 32 + esh_system/.gitignore | 25 + esh_system/CHANGELOG.md | 10 + esh_system/LICENSE | 201 ++++++ esh_system/Policyfile.rb | 16 + esh_system/README.md | 4 + esh_system/chefignore | 115 ++++ esh_system/kitchen.yml | 31 + esh_system/metadata.rb | 19 + esh_system/recipes/default.rb | 17 + esh_system/recipes/hostname.rb | 25 + esh_system/recipes/postfix.rb | 19 + esh_system/recipes/sshd.rb | 45 ++ esh_system/templates/default/pam.d.sshd.erb | 61 ++ esh_system/templates/default/sshd_config.erb | 128 ++++ .../test/integration/default/default_test.rb | 16 + esh_systemd/.gitignore | 25 + esh_systemd/CHANGELOG.md | 10 + esh_systemd/LICENSE | 201 ++++++ esh_systemd/Policyfile.rb | 16 + esh_systemd/README.md | 4 + esh_systemd/chefignore | 115 ++++ esh_systemd/compliance/README.md | 25 + esh_systemd/kitchen.yml | 31 + esh_systemd/metadata.rb | 19 + esh_systemd/recipes/default.rb | 17 + esh_systemd/recipes/resolved.rb | 44 ++ .../test/integration/default/default_test.rb | 16 + esh_ufw/.delivery/project.toml | 32 + esh_ufw/.gitignore | 25 + esh_ufw/CHANGELOG.md | 10 + esh_ufw/LICENSE | 201 ++++++ esh_ufw/Policyfile.rb | 16 + esh_ufw/README.md | 4 + esh_ufw/chefignore | 115 ++++ esh_ufw/kitchen.yml | 31 + esh_ufw/metadata.rb | 19 + esh_ufw/recipes/default.rb | 17 + esh_ufw/recipes/rules.rb | 27 + .../test/integration/default/default_test.rb | 16 + esh_undocker/.gitignore | 25 + esh_undocker/CHANGELOG.md | 10 + esh_undocker/LICENSE | 201 ++++++ esh_undocker/Policyfile.rb | 16 + esh_undocker/README.md | 4 + esh_undocker/chefignore | 115 ++++ esh_undocker/compliance/README.md | 25 + esh_undocker/kitchen.yml | 31 + esh_undocker/metadata.rb | 21 + esh_undocker/recipes/default.rb | 17 + esh_undocker/resources/download.rb | 57 ++ esh_undocker/resources/extract.rb | 113 ++++ esh_undocker/resources/network.rb | 99 +++ esh_undocker/resources/service.rb | 40 ++ .../test/integration/default/default_test.rb 
| 16 + esh_vaultwarden/.delivery/project.toml | 32 + esh_vaultwarden/.gitignore | 25 + esh_vaultwarden/CHANGELOG.md | 10 + esh_vaultwarden/LICENSE | 201 ++++++ esh_vaultwarden/Policyfile.rb | 16 + esh_vaultwarden/README.md | 4 + esh_vaultwarden/chefignore | 115 ++++ esh_vaultwarden/files/default/default | 59 ++ esh_vaultwarden/kitchen.yml | 31 + esh_vaultwarden/metadata.rb | 20 + esh_vaultwarden/recipes/default.rb | 17 + esh_vaultwarden/recipes/service.rb | 114 ++++ .../test/integration/default/default_test.rb | 16 + esh_webhook/.delivery/project.toml | 32 + esh_webhook/.gitignore | 25 + esh_webhook/CHANGELOG.md | 10 + esh_webhook/LICENSE | 201 ++++++ esh_webhook/Policyfile.rb | 16 + esh_webhook/README.md | 4 + esh_webhook/chefignore | 115 ++++ esh_webhook/files/default/webhook.sh | 5 + esh_webhook/kitchen.yml | 31 + esh_webhook/metadata.rb | 19 + esh_webhook/recipes/default.rb | 17 + esh_webhook/recipes/service.rb | 72 +++ esh_webhook/recipes/system.rb | 38 ++ esh_webhook/templates/default/hooks.json.erb | 44 ++ .../test/integration/default/default_test.rb | 16 + esh_wireguard/.gitignore | 25 + esh_wireguard/CHANGELOG.md | 10 + esh_wireguard/LICENSE | 201 ++++++ esh_wireguard/Policyfile.rb | 16 + esh_wireguard/README.md | 4 + esh_wireguard/chefignore | 115 ++++ esh_wireguard/compliance/README.md | 25 + esh_wireguard/kitchen.yml | 31 + esh_wireguard/metadata.rb | 19 + esh_wireguard/recipes/default.rb | 17 + esh_wireguard/recipes/peer.rb | 56 ++ esh_wireguard/recipes/server.rb | 71 +++ .../templates/default/peer.wg0.conf.erb | 11 + .../templates/default/server.wg0.conf.erb | 14 + .../test/integration/default/default_test.rb | 16 + esh_writefreely/.gitignore | 25 + esh_writefreely/CHANGELOG.md | 10 + esh_writefreely/LICENSE | 201 ++++++ esh_writefreely/Policyfile.rb | 16 + esh_writefreely/README.md | 5 + esh_writefreely/chefignore | 115 ++++ esh_writefreely/compliance/README.md | 25 + esh_writefreely/kitchen.yml | 31 + esh_writefreely/metadata.rb | 21 + 
esh_writefreely/recipes/default.rb | 17 + esh_writefreely/recipes/install.rb | 65 ++ esh_writefreely/recipes/mariadb.rb | 36 ++ esh_writefreely/recipes/service.rb | 38 ++ .../templates/default/config.ini.erb | 36 ++ esh_writefreely/templates/default/default.erb | 19 + .../test/integration/default/default_test.rb | 16 + esh_zfs/.gitignore | 25 + esh_zfs/CHANGELOG.md | 10 + esh_zfs/LICENSE | 201 ++++++ esh_zfs/Policyfile.rb | 16 + esh_zfs/README.md | 4 + esh_zfs/attributes/default.rb | 2 + esh_zfs/chefignore | 115 ++++ esh_zfs/compliance/README.md | 25 + esh_zfs/kitchen.yml | 31 + esh_zfs/metadata.rb | 20 + esh_zfs/recipes/autobackup.rb | 36 ++ esh_zfs/recipes/default.rb | 17 + esh_zfs/recipes/package.rb | 21 + esh_zfs/recipes/pool.rb | 35 ++ esh_zfs/recipes/scrub.rb | 59 ++ esh_zfs/templates/default/zfs-scrub.erb | 25 + .../test/integration/default/default_test.rb | 16 + 501 files changed, 24305 insertions(+) create mode 100644 cinc-repo/.chef-repo.txt create mode 100644 cinc-repo/.gitignore create mode 100644 cinc-repo/LICENSE create mode 100644 cinc-repo/README.md create mode 100644 cinc-repo/chefignore create mode 120000 cinc-repo/cookbooks/esh_adguard create mode 120000 cinc-repo/cookbooks/esh_archivebox create mode 120000 cinc-repo/cookbooks/esh_borgmatic create mode 120000 cinc-repo/cookbooks/esh_cinc create mode 120000 cinc-repo/cookbooks/esh_cloudflared create mode 120000 cinc-repo/cookbooks/esh_docker create mode 120000 cinc-repo/cookbooks/esh_forgejo create mode 120000 cinc-repo/cookbooks/esh_go_mmproxy create mode 120000 cinc-repo/cookbooks/esh_haproxy create mode 120000 cinc-repo/cookbooks/esh_kanboard create mode 120000 cinc-repo/cookbooks/esh_laminar create mode 120000 cinc-repo/cookbooks/esh_letsencrypt create mode 120000 cinc-repo/cookbooks/esh_lxd create mode 120000 cinc-repo/cookbooks/esh_mailcow create mode 120000 cinc-repo/cookbooks/esh_miniflux create mode 120000 cinc-repo/cookbooks/esh_mkdocs create mode 120000 cinc-repo/cookbooks/esh_netplan 
create mode 120000 cinc-repo/cookbooks/esh_nginx create mode 120000 cinc-repo/cookbooks/esh_nitter create mode 120000 cinc-repo/cookbooks/esh_photoprism create mode 120000 cinc-repo/cookbooks/esh_piped create mode 120000 cinc-repo/cookbooks/esh_syncthing create mode 120000 cinc-repo/cookbooks/esh_system create mode 120000 cinc-repo/cookbooks/esh_systemd create mode 120000 cinc-repo/cookbooks/esh_ufw create mode 120000 cinc-repo/cookbooks/esh_undocker create mode 120000 cinc-repo/cookbooks/esh_vaultwarden create mode 120000 cinc-repo/cookbooks/esh_webhook create mode 120000 cinc-repo/cookbooks/esh_wireguard create mode 120000 cinc-repo/cookbooks/esh_writefreely create mode 120000 cinc-repo/cookbooks/esh_zfs create mode 100644 cinc-repo/data_bags/README.md create mode 100644 cinc-repo/data_bags/example/example_item.json create mode 100644 cinc-repo/knife.rb create mode 100644 cinc-repo/policyfiles/README.md create mode 100644 cinc-repo/policyfiles/archive.rb create mode 100644 cinc-repo/policyfiles/blog.rb create mode 100644 cinc-repo/policyfiles/dns.rb create mode 100644 cinc-repo/policyfiles/flux.rb create mode 100644 cinc-repo/policyfiles/gallery.rb create mode 100644 cinc-repo/policyfiles/git.rb create mode 100644 cinc-repo/policyfiles/gtw.rb create mode 100644 cinc-repo/policyfiles/justfile create mode 100644 cinc-repo/policyfiles/kb.rb create mode 100644 cinc-repo/policyfiles/lxd101.rb create mode 100644 cinc-repo/policyfiles/lxd2204.rb create mode 100644 cinc-repo/policyfiles/mail.rb create mode 100644 cinc-repo/policyfiles/mkdocs.rb create mode 100644 cinc-repo/policyfiles/photos.rb create mode 100644 cinc-repo/policyfiles/pwd.rb create mode 100644 cinc-repo/policyfiles/server_cert.der create mode 100644 cinc-repo/policyfiles/server_cert.pem create mode 100644 cinc-repo/policyfiles/twt.rb create mode 100644 cinc-repo/policyfiles/ytb.rb create mode 100644 esh_adguard/.gitignore create mode 100644 esh_adguard/CHANGELOG.md create mode 100644 esh_adguard/LICENSE 
create mode 100644 esh_adguard/Policyfile.rb create mode 100644 esh_adguard/README.md create mode 100644 esh_adguard/chefignore create mode 100644 esh_adguard/compliance/README.md create mode 100644 esh_adguard/kitchen.yml create mode 100644 esh_adguard/metadata.rb create mode 100644 esh_adguard/recipes/default.rb create mode 100644 esh_adguard/test/integration/default/default_test.rb create mode 100644 esh_archivebox/.gitignore create mode 100644 esh_archivebox/CHANGELOG.md create mode 100644 esh_archivebox/LICENSE create mode 100644 esh_archivebox/Policyfile.rb create mode 100644 esh_archivebox/README.md create mode 100644 esh_archivebox/chefignore create mode 100644 esh_archivebox/compliance/README.md create mode 100644 esh_archivebox/kitchen.yml create mode 100644 esh_archivebox/metadata.rb create mode 100644 esh_archivebox/recipes/compose.rb create mode 100644 esh_archivebox/recipes/default.rb create mode 100644 esh_archivebox/recipes/init.rb create mode 100644 esh_archivebox/recipes/system.rb create mode 100644 esh_archivebox/recipes/undocker.rb create mode 100644 esh_archivebox/templates/default/docker-compose.yml.erb create mode 100644 esh_archivebox/test/integration/default/default_test.rb create mode 100644 esh_borgmatic/.delivery/project.toml create mode 100644 esh_borgmatic/.gitignore create mode 100644 esh_borgmatic/CHANGELOG.md create mode 100644 esh_borgmatic/LICENSE create mode 100644 esh_borgmatic/Policyfile.rb create mode 100644 esh_borgmatic/README.md create mode 100644 esh_borgmatic/chefignore create mode 100644 esh_borgmatic/kitchen.yml create mode 100644 esh_borgmatic/metadata.rb create mode 100644 esh_borgmatic/recipes/default.rb create mode 100644 esh_borgmatic/recipes/setup.rb create mode 100644 esh_borgmatic/templates/default/config.yaml.erb create mode 100644 esh_borgmatic/test/integration/default/default_test.rb create mode 100644 esh_cinc/.gitignore create mode 100644 esh_cinc/CHANGELOG.md create mode 100644 esh_cinc/LICENSE create mode 
100644 esh_cinc/Policyfile.rb create mode 100644 esh_cinc/README.md create mode 100644 esh_cinc/attributes/default.rb create mode 100644 esh_cinc/chefignore create mode 100644 esh_cinc/compliance/README.md create mode 100644 esh_cinc/kitchen.yml create mode 100644 esh_cinc/metadata.rb create mode 100644 esh_cinc/recipes/default.rb create mode 100644 esh_cinc/resources/download.rb create mode 100644 esh_cinc/test/integration/default/default_test.rb create mode 100644 esh_cloudflared/.gitignore create mode 100644 esh_cloudflared/CHANGELOG.md create mode 100644 esh_cloudflared/LICENSE create mode 100644 esh_cloudflared/Policyfile.rb create mode 100644 esh_cloudflared/README.md create mode 100644 esh_cloudflared/chefignore create mode 100644 esh_cloudflared/compliance/README.md create mode 100644 esh_cloudflared/kitchen.yml create mode 100644 esh_cloudflared/metadata.rb create mode 100644 esh_cloudflared/recipes/cert.rb create mode 100644 esh_cloudflared/recipes/default.rb create mode 100644 esh_cloudflared/recipes/install.rb create mode 100644 esh_cloudflared/resources/tunnel.rb create mode 100644 esh_cloudflared/templates/default/config.yaml.erb create mode 100644 esh_cloudflared/test/integration/default/default_test.rb create mode 100644 esh_docker/.delivery/project.toml create mode 100644 esh_docker/.gitignore create mode 100644 esh_docker/CHANGELOG.md create mode 100644 esh_docker/LICENSE create mode 100644 esh_docker/Policyfile.rb create mode 100644 esh_docker/README.md create mode 100644 esh_docker/chefignore create mode 100644 esh_docker/kitchen.yml create mode 100644 esh_docker/metadata.rb create mode 100644 esh_docker/recipes/default.rb create mode 100644 esh_docker/recipes/service.rb create mode 100644 esh_docker/test/integration/default/default_test.rb create mode 100644 esh_forgejo/.delivery/project.toml create mode 100644 esh_forgejo/.gitignore create mode 100644 esh_forgejo/CHANGELOG.md create mode 100644 esh_forgejo/LICENSE create mode 100644 
esh_forgejo/Policyfile.rb create mode 100644 esh_forgejo/README.md create mode 100644 esh_forgejo/chefignore create mode 100644 esh_forgejo/kitchen.yml create mode 100644 esh_forgejo/metadata.rb create mode 100644 esh_forgejo/recipes/default.rb create mode 100644 esh_forgejo/recipes/mariadb.rb create mode 100644 esh_forgejo/recipes/service.rb create mode 100644 esh_forgejo/recipes/system.rb create mode 100644 esh_forgejo/test/integration/default/default_test.rb create mode 100644 esh_go_mmproxy/.gitignore create mode 100644 esh_go_mmproxy/CHANGELOG.md create mode 100644 esh_go_mmproxy/LICENSE create mode 100644 esh_go_mmproxy/Policyfile.rb create mode 100644 esh_go_mmproxy/README.md create mode 100644 esh_go_mmproxy/chefignore create mode 100644 esh_go_mmproxy/compliance/README.md create mode 100644 esh_go_mmproxy/kitchen.yml create mode 100644 esh_go_mmproxy/metadata.rb create mode 100644 esh_go_mmproxy/recipes/default.rb create mode 100644 esh_go_mmproxy/resources/service.rb create mode 100644 esh_go_mmproxy/test/integration/default/default_test.rb create mode 100644 esh_haproxy/.gitignore create mode 100644 esh_haproxy/CHANGELOG.md create mode 100644 esh_haproxy/LICENSE create mode 100644 esh_haproxy/Policyfile.rb create mode 100644 esh_haproxy/README.md create mode 100644 esh_haproxy/chefignore create mode 100644 esh_haproxy/compliance/README.md create mode 100644 esh_haproxy/files/default/haproxy_country create mode 100644 esh_haproxy/kitchen.yml create mode 100644 esh_haproxy/metadata.rb create mode 100644 esh_haproxy/recipes/config.rb create mode 100644 esh_haproxy/recipes/default.rb create mode 100644 esh_haproxy/templates/default/haproxy.cfg.erb create mode 100644 esh_haproxy/test/integration/default/default_test.rb create mode 100644 esh_kanboard/.gitignore create mode 100644 esh_kanboard/CHANGELOG.md create mode 100644 esh_kanboard/LICENSE create mode 100644 esh_kanboard/Policyfile.rb create mode 100644 esh_kanboard/README.md create mode 100644 
esh_kanboard/chefignore create mode 100644 esh_kanboard/compliance/README.md create mode 100644 esh_kanboard/files/default/default create mode 100644 esh_kanboard/kitchen.yml create mode 100644 esh_kanboard/metadata.rb create mode 100644 esh_kanboard/recipes/default.rb create mode 100644 esh_kanboard/test/integration/default/default_test.rb create mode 100644 esh_laminar/.delivery/project.toml create mode 100644 esh_laminar/CHANGELOG.md create mode 100644 esh_laminar/LICENSE create mode 100644 esh_laminar/Policyfile.rb create mode 100644 esh_laminar/README.md create mode 100644 esh_laminar/chefignore create mode 100644 esh_laminar/kitchen.yml create mode 100644 esh_laminar/metadata.rb create mode 100644 esh_laminar/recipes/default.rb create mode 100644 esh_laminar/recipes/service.rb create mode 100644 esh_laminar/test/integration/default/default_test.rb create mode 100644 esh_letsencrypt/.gitignore create mode 100644 esh_letsencrypt/CHANGELOG.md create mode 100644 esh_letsencrypt/LICENSE create mode 100644 esh_letsencrypt/Policyfile.rb create mode 100644 esh_letsencrypt/README.md create mode 100644 esh_letsencrypt/chefignore create mode 100644 esh_letsencrypt/compliance/README.md create mode 100644 esh_letsencrypt/kitchen.yml create mode 100644 esh_letsencrypt/metadata.rb create mode 100644 esh_letsencrypt/recipes/certs.rb create mode 100644 esh_letsencrypt/recipes/default.rb create mode 100644 esh_letsencrypt/recipes/serve.rb create mode 100644 esh_letsencrypt/recipes/snap.rb create mode 100644 esh_letsencrypt/test/integration/default/default_test.rb create mode 100644 esh_lxd/.gitignore create mode 100644 esh_lxd/CHANGELOG.md create mode 100644 esh_lxd/LICENSE create mode 100644 esh_lxd/Policyfile.rb create mode 100644 esh_lxd/README.md create mode 100644 esh_lxd/attributes/default.rb create mode 100644 esh_lxd/chefignore create mode 100644 esh_lxd/compliance/README.md create mode 100644 esh_lxd/kitchen.yml create mode 100644 esh_lxd/metadata.rb create mode 
100644 esh_lxd/recipes/containers.rb create mode 100644 esh_lxd/recipes/default.rb create mode 100644 esh_lxd/recipes/resolved.rb create mode 100644 esh_lxd/recipes/setup.rb create mode 100644 esh_lxd/templates/default/lxd.yml.erb create mode 100644 esh_lxd/test/integration/default/default_test.rb create mode 100644 esh_mailcow/.delivery/project.toml create mode 100644 esh_mailcow/.gitignore create mode 100644 esh_mailcow/CHANGELOG.md create mode 100644 esh_mailcow/LICENSE create mode 100644 esh_mailcow/Policyfile.rb create mode 100644 esh_mailcow/README.md create mode 100644 esh_mailcow/chefignore create mode 100644 esh_mailcow/files/default/dkim_signing.conf create mode 100644 esh_mailcow/files/default/master.cf create mode 100644 esh_mailcow/kitchen.yml create mode 100644 esh_mailcow/metadata.rb create mode 100644 esh_mailcow/recipes/default.rb create mode 100644 esh_mailcow/recipes/install.rb create mode 100644 esh_mailcow/templates/default/docker-compose.override.yml.erb create mode 100644 esh_mailcow/templates/default/main.cf.erb create mode 100644 esh_mailcow/test/integration/default/default_test.rb create mode 100644 esh_miniflux/.gitignore create mode 100644 esh_miniflux/CHANGELOG.md create mode 100644 esh_miniflux/LICENSE create mode 100644 esh_miniflux/Policyfile.rb create mode 100644 esh_miniflux/README.md create mode 100644 esh_miniflux/chefignore create mode 100644 esh_miniflux/compliance/README.md create mode 100644 esh_miniflux/kitchen.yml create mode 100644 esh_miniflux/metadata.rb create mode 100644 esh_miniflux/recipes/default.rb create mode 100644 esh_miniflux/test/integration/default/default_test.rb create mode 100644 esh_mkdocs/.delivery/project.toml create mode 100644 esh_mkdocs/.gitignore create mode 100644 esh_mkdocs/CHANGELOG.md create mode 100644 esh_mkdocs/LICENSE create mode 100644 esh_mkdocs/Policyfile.rb create mode 100644 esh_mkdocs/README.md create mode 100644 esh_mkdocs/chefignore create mode 100644 esh_mkdocs/kitchen.yml create 
mode 100644 esh_mkdocs/metadata.rb create mode 100644 esh_mkdocs/recipes/default.rb create mode 100644 esh_mkdocs/recipes/install.rb create mode 100644 esh_mkdocs/test/integration/default/default_test.rb create mode 100644 esh_netplan/.gitignore create mode 100644 esh_netplan/CHANGELOG.md create mode 100644 esh_netplan/LICENSE create mode 100644 esh_netplan/Policyfile.rb create mode 100644 esh_netplan/README.md create mode 100644 esh_netplan/chefignore create mode 100644 esh_netplan/compliance/README.md create mode 100644 esh_netplan/kitchen.yml create mode 100644 esh_netplan/metadata.rb create mode 100644 esh_netplan/recipes/config.rb create mode 100644 esh_netplan/recipes/default.rb create mode 100644 esh_netplan/test/integration/default/default_test.rb create mode 100644 esh_nginx/.gitignore create mode 100644 esh_nginx/CHANGELOG.md create mode 100644 esh_nginx/LICENSE create mode 100644 esh_nginx/Policyfile.rb create mode 100644 esh_nginx/README.md create mode 100644 esh_nginx/chefignore create mode 100644 esh_nginx/compliance/README.md create mode 100644 esh_nginx/kitchen.yml create mode 100644 esh_nginx/metadata.rb create mode 100644 esh_nginx/recipes/default.rb create mode 100644 esh_nginx/resources/basic_proxy.rb create mode 100644 esh_nginx/resources/php_fpm.rb create mode 100644 esh_nginx/templates/default/default.erb create mode 100644 esh_nginx/test/integration/default/default_test.rb create mode 100644 esh_nitter/.gitignore create mode 100644 esh_nitter/CHANGELOG.md create mode 100644 esh_nitter/LICENSE create mode 100644 esh_nitter/Policyfile.rb create mode 100644 esh_nitter/README.md create mode 100644 esh_nitter/chefignore create mode 100644 esh_nitter/compliance/README.md create mode 100644 esh_nitter/kitchen.yml create mode 100644 esh_nitter/metadata.rb create mode 100644 esh_nitter/recipes/default.rb create mode 100644 esh_nitter/recipes/install.rb create mode 100644 esh_nitter/recipes/redis.rb create mode 100644 esh_nitter/recipes/service.rb 
create mode 100644 esh_nitter/recipes/system.rb create mode 100644 esh_nitter/templates/default/nitter.conf.erb create mode 100644 esh_nitter/test/integration/default/default_test.rb create mode 100644 esh_photoprism/.gitignore create mode 100644 esh_photoprism/CHANGELOG.md create mode 100644 esh_photoprism/LICENSE create mode 100644 esh_photoprism/Policyfile.rb create mode 100644 esh_photoprism/README.md create mode 100644 esh_photoprism/chefignore create mode 100644 esh_photoprism/compliance/README.md create mode 100644 esh_photoprism/kitchen.yml create mode 100644 esh_photoprism/metadata.rb create mode 100644 esh_photoprism/recipes/compose.rb create mode 100644 esh_photoprism/recipes/default.rb create mode 100644 esh_photoprism/recipes/docker.rb create mode 100644 esh_photoprism/recipes/mariadb.rb create mode 100644 esh_photoprism/recipes/system.rb create mode 100644 esh_photoprism/recipes/undocker.rb create mode 100644 esh_photoprism/templates/default/docker-compose.yml.erb create mode 100644 esh_photoprism/test/integration/default/default_test.rb create mode 100644 esh_photoprism/upstream/docker-compose.yml create mode 100644 esh_piped/.gitignore create mode 100644 esh_piped/.gitmodules create mode 100644 esh_piped/CHANGELOG.md create mode 100644 esh_piped/LICENSE create mode 100644 esh_piped/Policyfile.rb create mode 100644 esh_piped/README.md create mode 100644 esh_piped/chefignore create mode 100644 esh_piped/compliance/README.md create mode 100644 esh_piped/files/default/nginx.conf create mode 100644 esh_piped/files/default/ytproxy.conf create mode 100644 esh_piped/kitchen.yml create mode 100644 esh_piped/metadata.rb create mode 100644 esh_piped/recipes/cleaning.rb create mode 100644 esh_piped/recipes/compose.rb create mode 100644 esh_piped/recipes/nginx.rb create mode 100644 esh_piped/recipes/postgresql.rb create mode 100644 esh_piped/recipes/service.rb create mode 100644 esh_piped/recipes/system.rb create mode 100644 esh_piped/recipes/undocker.rb create 
mode 100644 esh_piped/templates/default/config.properties create mode 100644 esh_piped/templates/default/config.properties.erb create mode 100644 esh_piped/templates/default/docker-compose.yml.erb create mode 100644 esh_piped/templates/default/hosts.erb create mode 100644 esh_piped/templates/default/pipedapi.conf.erb create mode 100644 esh_piped/templates/default/pipedfrontend.conf.erb create mode 100644 esh_piped/templates/default/pipedproxy.conf.erb create mode 100644 esh_piped/test/integration/default/default_test.rb create mode 100644 esh_syncthing/.delivery/project.toml create mode 100644 esh_syncthing/.gitignore create mode 100644 esh_syncthing/CHANGELOG.md create mode 100644 esh_syncthing/LICENSE create mode 100644 esh_syncthing/Policyfile.rb create mode 100644 esh_syncthing/README.md create mode 100644 esh_syncthing/chefignore create mode 100644 esh_syncthing/kitchen.yml create mode 100644 esh_syncthing/metadata.rb create mode 100644 esh_syncthing/recipes/default.rb create mode 100644 esh_syncthing/recipes/service.rb create mode 100644 esh_syncthing/test/integration/default/default_test.rb create mode 100644 esh_system/.delivery/project.toml create mode 100644 esh_system/.gitignore create mode 100644 esh_system/CHANGELOG.md create mode 100644 esh_system/LICENSE create mode 100644 esh_system/Policyfile.rb create mode 100644 esh_system/README.md create mode 100644 esh_system/chefignore create mode 100644 esh_system/kitchen.yml create mode 100644 esh_system/metadata.rb create mode 100644 esh_system/recipes/default.rb create mode 100644 esh_system/recipes/hostname.rb create mode 100644 esh_system/recipes/postfix.rb create mode 100644 esh_system/recipes/sshd.rb create mode 100644 esh_system/templates/default/pam.d.sshd.erb create mode 100644 esh_system/templates/default/sshd_config.erb create mode 100644 esh_system/test/integration/default/default_test.rb create mode 100644 esh_systemd/.gitignore create mode 100644 esh_systemd/CHANGELOG.md create mode 100644 
esh_systemd/LICENSE create mode 100644 esh_systemd/Policyfile.rb create mode 100644 esh_systemd/README.md create mode 100644 esh_systemd/chefignore create mode 100644 esh_systemd/compliance/README.md create mode 100644 esh_systemd/kitchen.yml create mode 100644 esh_systemd/metadata.rb create mode 100644 esh_systemd/recipes/default.rb create mode 100644 esh_systemd/recipes/resolved.rb create mode 100644 esh_systemd/test/integration/default/default_test.rb create mode 100644 esh_ufw/.delivery/project.toml create mode 100644 esh_ufw/.gitignore create mode 100644 esh_ufw/CHANGELOG.md create mode 100644 esh_ufw/LICENSE create mode 100644 esh_ufw/Policyfile.rb create mode 100644 esh_ufw/README.md create mode 100644 esh_ufw/chefignore create mode 100644 esh_ufw/kitchen.yml create mode 100644 esh_ufw/metadata.rb create mode 100644 esh_ufw/recipes/default.rb create mode 100644 esh_ufw/recipes/rules.rb create mode 100644 esh_ufw/test/integration/default/default_test.rb create mode 100644 esh_undocker/.gitignore create mode 100644 esh_undocker/CHANGELOG.md create mode 100644 esh_undocker/LICENSE create mode 100644 esh_undocker/Policyfile.rb create mode 100644 esh_undocker/README.md create mode 100644 esh_undocker/chefignore create mode 100644 esh_undocker/compliance/README.md create mode 100644 esh_undocker/kitchen.yml create mode 100644 esh_undocker/metadata.rb create mode 100644 esh_undocker/recipes/default.rb create mode 100644 esh_undocker/resources/download.rb create mode 100644 esh_undocker/resources/extract.rb create mode 100644 esh_undocker/resources/network.rb create mode 100644 esh_undocker/resources/service.rb create mode 100644 esh_undocker/test/integration/default/default_test.rb create mode 100644 esh_vaultwarden/.delivery/project.toml create mode 100644 esh_vaultwarden/.gitignore create mode 100644 esh_vaultwarden/CHANGELOG.md create mode 100644 esh_vaultwarden/LICENSE create mode 100644 esh_vaultwarden/Policyfile.rb create mode 100644 esh_vaultwarden/README.md 
create mode 100644 esh_vaultwarden/chefignore create mode 100644 esh_vaultwarden/files/default/default create mode 100644 esh_vaultwarden/kitchen.yml create mode 100644 esh_vaultwarden/metadata.rb create mode 100644 esh_vaultwarden/recipes/default.rb create mode 100644 esh_vaultwarden/recipes/service.rb create mode 100644 esh_vaultwarden/test/integration/default/default_test.rb create mode 100644 esh_webhook/.delivery/project.toml create mode 100644 esh_webhook/.gitignore create mode 100644 esh_webhook/CHANGELOG.md create mode 100644 esh_webhook/LICENSE create mode 100644 esh_webhook/Policyfile.rb create mode 100644 esh_webhook/README.md create mode 100644 esh_webhook/chefignore create mode 100644 esh_webhook/files/default/webhook.sh create mode 100644 esh_webhook/kitchen.yml create mode 100644 esh_webhook/metadata.rb create mode 100644 esh_webhook/recipes/default.rb create mode 100644 esh_webhook/recipes/service.rb create mode 100644 esh_webhook/recipes/system.rb create mode 100644 esh_webhook/templates/default/hooks.json.erb create mode 100644 esh_webhook/test/integration/default/default_test.rb create mode 100644 esh_wireguard/.gitignore create mode 100644 esh_wireguard/CHANGELOG.md create mode 100644 esh_wireguard/LICENSE create mode 100644 esh_wireguard/Policyfile.rb create mode 100644 esh_wireguard/README.md create mode 100644 esh_wireguard/chefignore create mode 100644 esh_wireguard/compliance/README.md create mode 100644 esh_wireguard/kitchen.yml create mode 100644 esh_wireguard/metadata.rb create mode 100644 esh_wireguard/recipes/default.rb create mode 100644 esh_wireguard/recipes/peer.rb create mode 100644 esh_wireguard/recipes/server.rb create mode 100644 esh_wireguard/templates/default/peer.wg0.conf.erb create mode 100644 esh_wireguard/templates/default/server.wg0.conf.erb create mode 100644 esh_wireguard/test/integration/default/default_test.rb create mode 100644 esh_writefreely/.gitignore create mode 100644 esh_writefreely/CHANGELOG.md create mode 
100644 esh_writefreely/LICENSE create mode 100644 esh_writefreely/Policyfile.rb create mode 100644 esh_writefreely/README.md create mode 100644 esh_writefreely/chefignore create mode 100644 esh_writefreely/compliance/README.md create mode 100644 esh_writefreely/kitchen.yml create mode 100644 esh_writefreely/metadata.rb create mode 100644 esh_writefreely/recipes/default.rb create mode 100644 esh_writefreely/recipes/install.rb create mode 100644 esh_writefreely/recipes/mariadb.rb create mode 100644 esh_writefreely/recipes/service.rb create mode 100644 esh_writefreely/templates/default/config.ini.erb create mode 100644 esh_writefreely/templates/default/default.erb create mode 100644 esh_writefreely/test/integration/default/default_test.rb create mode 100644 esh_zfs/.gitignore create mode 100644 esh_zfs/CHANGELOG.md create mode 100644 esh_zfs/LICENSE create mode 100644 esh_zfs/Policyfile.rb create mode 100644 esh_zfs/README.md create mode 100644 esh_zfs/attributes/default.rb create mode 100644 esh_zfs/chefignore create mode 100644 esh_zfs/compliance/README.md create mode 100644 esh_zfs/kitchen.yml create mode 100644 esh_zfs/metadata.rb create mode 100644 esh_zfs/recipes/autobackup.rb create mode 100644 esh_zfs/recipes/default.rb create mode 100644 esh_zfs/recipes/package.rb create mode 100644 esh_zfs/recipes/pool.rb create mode 100644 esh_zfs/recipes/scrub.rb create mode 100644 esh_zfs/templates/default/zfs-scrub.erb create mode 100644 esh_zfs/test/integration/default/default_test.rb diff --git a/cinc-repo/.chef-repo.txt b/cinc-repo/.chef-repo.txt new file mode 100644 index 0000000..78c289d --- /dev/null +++ b/cinc-repo/.chef-repo.txt @@ -0,0 +1,6 @@ +.chef-repo.txt +============== + +This file gives the Chef CLI's generators a hint that you are using a Chef Infra +Repo and this is the root directory of your Chef Infra Repo. Chef CLI's generators +use this to generate code that is designed to work with the Chef Repo workflow. 
diff --git a/cinc-repo/.gitignore b/cinc-repo/.gitignore
new file mode 100644
index 0000000..0053af0
--- /dev/null
+++ b/cinc-repo/.gitignore
@@ -0,0 +1,129 @@ +## Below are example of common git excludes. +## Please note that /cookbooks folder is ignored. This allows users to +## clone individual cookbooks into the /cookbook folder of the chef repo +## and work on them in parallel. This pattern also allows for chef-workstation +## pattern, where base repo also builds out a dynamic chef workstation. +## Examples of workstation cookbooks: +## https://github.com/mwrock/chef_workstation +## https://github.com/Nordstrom/chefdk_bootstrap + + +## Ignore Chef related files and secrets +.chef +.chef/*.pem +.chef/encrypted_data_bag_secret + +## Ignore Chef-Zero files +clients +nodes + +## Ignore Policy lock +exported-policies +policyfiles/*.lock.json + +# ## OS junk files +# [Tt]humbs.db +# *.DS_Store + +# ## Example of the workstation pattern. +# !/cookbooks/chef_workstation/files/default/bundler/Gemfile +# !/cookbooks/chef_workstation/files/default/bundler/Gemfile.lock +# cookbooks/* +# !cookbooks/chef_workstation + +# ##Chef +# .kitchen/ +# .vagrant +# nodes +# metadata.json + +# ##ruby +# *.gem +# Gemfile +# Gemfile.lock +.rake_test_cache + +# ## Rails Heroku and other bits to ignore +# *.log +# *.sqlite3 +# db/*.sqlite3 +# .bundle +# log/* +# tmp/* +# public/system/* + +# ## nodejs +# node_modules + +# ## Nuget (exclude all exes except for the one in the global build folder) +# nuget.exe +# !build/nuget/nuget.exe +# *.nupkg +# # NuGet packages (based on default naming convention) +# [Bb]uild/[Pp]ackages/ + +# ## Build System # common build output folders +# build-common/ +# output/ + +# ## VM images +# *.vhd +# *.vhdx + +# ## Pester Test summary +# Test.xml + +# ## JetBrains files +# *.idea +# .idea +# .idea/ + +# ## Mono files +# *.pidb +# *.userprefs + +# ## Visual Studio files +# *.docstates +# *.[Oo]bj +# *.dat +# *.crc +# *.dbmdl +# *.pdb +# *.user +# *.aps +# *.pch +# *.vspscc +# *.vssscc +# *_i.c +# *_p.c +# *.ncb +# *.suo +# *.tlb +# *.tlh +# *.bak +# *.[Cc]ache +# *.ilk +# *.log +# *.lib +# *.sbr +# 
*.schemaview +# ipch/ +# [Oo]bj/ +# [Bb]in/* +# [Dd]ebug*/ +# [Rr]elease*/ +# Ankh.NoLoad +syntaxcache + +# ## Tooling +# _ReSharper*/ +# *.[Rr]e[Ss]harper +# [Tt]est[Rr]esult* +# .[Jj]ust[Cc]ode +# *ncrunch* + +# ## Subversion files +# .svn + +# ## Office Temp Files +# ~$* diff --git a/cinc-repo/LICENSE b/cinc-repo/LICENSE new file mode 100644 index 0000000..11069ed --- /dev/null +++ b/cinc-repo/LICENSE 
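Review bot: The `secret_key` file that `data_bags/README.md` in this same commit tells the operator to generate with `openssl rand -base64 512 > secret_key` is not matched by any pattern here — only `.chef/encrypted_data_bag_secret` is — so an encrypted-data-bag key created by following the repository's own instructions is one `git add .` away from being committed; adding `secret_key` and `*.pem` next to the `.chef` entries would close that gap. Note also that `.chef` already ignores the whole directory, so `.chef/*.pem` and `.chef/encrypted_data_bag_secret` are redundant and only take effect if someone later un-ignores `.chef`. Ignoring `policyfiles/*.lock.json` discards the exact cookbook versions and checksums each policy was pushed with, so a push cannot be reproduced from this repository alone; if that is intentional, a one-line comment such as `## lock files are regenerated on every push; not tracked` would save the next maintainer from guessing. The rest of the file is mostly commented-out generator examples, which makes the handful of live rules harder to audit.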
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/cinc-repo/README.md b/cinc-repo/README.md new file mode 100644 index 0000000..4af0f2c --- /dev/null +++ b/cinc-repo/README.md 
@@ -0,0 +1,20 @@
+# Overview
+
+Every Chef Infra installation needs a Chef Repository. This is the place where cookbooks, policyfiles, config files and other artifacts for managing systems with Chef Infra will live. We strongly recommend storing this repository in a version control system such as Git and treating it like source code.
+
+## Repository Directories
+
+This repository contains several directories, and each directory contains a README file that describes what it is for in greater detail, and how to use it for managing your systems with Chef.
+
+- `cookbooks/` - Cookbooks you download or create.
+- `data_bags/` - Store data bags and items in .json in the repository.
+- `roles/` - Store roles in .rb or .json in the repository.
+- `environments/` - Store environments in .rb or .json in the repository.
+
+## Configuration
+
+The config file, `.chef/config.rb` is a repository-specific configuration file for the knife command line tool. If you're using the Hosted Chef platform, you can download one for your organization from the management console. You can also generate a new config.rb by running `knife configure`. For more information about configuring Knife, see the Knife documentation at https://docs.chef.io/workstation/knife/
+
+## Next Steps
+
+Read the README file in each of the subdirectories for more information about what goes in those directories.
diff --git a/cinc-repo/chefignore b/cinc-repo/chefignore
new file mode 100644
index 0000000..cc170ea
--- /dev/null
+++ b/cinc-repo/chefignore
@@ -0,0 +1,115 @@
+# Put files/directories that should be ignored in this file when uploading
+# to a Chef Infra Server or Supermarket.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+ehthumbs.db
+Icon?
+nohup.out
+Thumbs.db
+.envrc
+
+# EDITORS #
+###########
+.#*
+.project
+.settings
+*_flymake
+*_flymake.*
+*.bak
+*.sw[a-z]
+*.tmproj
+*~
+\#*
+REVISION
+TAGS*
+tmtags
+.vscode
+.editorconfig
+
+## COMPILED ##
+##############
+*.class
+*.com
+*.dll
+*.exe
+*.o
+*.pyc
+*.so
+*/rdoc/
+a.out
+mkmf.log
+
+# Testing #
+###########
+.circleci/*
+.codeclimate.yml
+.delivery/*
+.foodcritic
+.kitchen*
+.mdlrc
+.overcommit.yml
+.rspec
+.rubocop.yml
+.travis.yml
+.watchr
+.yamllint
+azure-pipelines.yml
+Dangerfile
+examples/*
+features/*
+Guardfile
+kitchen.yml*
+mlc_config.json
+Procfile
+Rakefile
+spec/*
+test/*
+
+# SCM #
+#######
+.git
+.gitattributes
+.gitconfig
+.github/*
+.gitignore
+.gitkeep
+.gitmodules
+.svn
+*/.bzr/*
+*/.git
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Bundler #
+###########
+vendor/*
+Gemfile
+Gemfile.lock
+
+# Policyfile #
+##############
+Policyfile.rb
+Policyfile.lock.json
+
+# Documentation #
+#############
+CODE_OF_CONDUCT*
+CONTRIBUTING*
+documentation/*
+TESTING*
+UPGRADING*
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile
diff --git a/cinc-repo/cookbooks/esh_adguard b/cinc-repo/cookbooks/esh_adguard
new file mode 120000
index 0000000..cbe1cf7
--- /dev/null
+++ b/cinc-repo/cookbooks/esh_adguard
@@ -0,0 +1 @@
+../../esh_adguard/
\ No newline at end of file
diff --git a/cinc-repo/cookbooks/esh_archivebox b/cinc-repo/cookbooks/esh_archivebox
new file mode 120000
index 0000000..9c411c9
--- /dev/null
+++ b/cinc-repo/cookbooks/esh_archivebox
@@ -0,0 +1 @@
+../../esh_archivebox
\ No newline at end of file
diff --git a/cinc-repo/cookbooks/esh_borgmatic b/cinc-repo/cookbooks/esh_borgmatic
new file mode 120000
index 0000000..38fe57d
--- /dev/null
+++ b/cinc-repo/cookbooks/esh_borgmatic
@@ -0,0 +1 @@
+../../esh_borgmatic
\ No newline at end of file
diff --git a/cinc-repo/cookbooks/esh_cinc b/cinc-repo/cookbooks/esh_cinc
new file mode 120000
index 0000000..e82112b
--- /dev/null
+++ b/cinc-repo/cookbooks/esh_cinc
@@ -0,0 +1 @@
+../../esh_cinc
\ No newline at end of file
diff --git a/cinc-repo/cookbooks/esh_cloudflared b/cinc-repo/cookbooks/esh_cloudflared
new file mode 120000
index 0000000..c04cf4c
--- /dev/null
+++ b/cinc-repo/cookbooks/esh_cloudflared
@@ -0,0 +1 @@
+../../esh_cloudflared
\ No newline at end of file
diff --git a/cinc-repo/cookbooks/esh_docker b/cinc-repo/cookbooks/esh_docker
new file mode 120000
index 0000000..ebcb50e
--- /dev/null
+++ b/cinc-repo/cookbooks/esh_docker
@@ -0,0 +1 @@
+../../esh_docker/
\ No newline at end of file
diff --git a/cinc-repo/cookbooks/esh_forgejo b/cinc-repo/cookbooks/esh_forgejo
new file mode 120000
index 0000000..5461a42
--- /dev/null
+++ b/cinc-repo/cookbooks/esh_forgejo
@@ -0,0 +1 @@
+../../esh_forgejo
\ No newline at end of file
diff --git a/cinc-repo/cookbooks/esh_go_mmproxy b/cinc-repo/cookbooks/esh_go_mmproxy
new file mode 120000
index 0000000..1760088
--- /dev/null
+++ b/cinc-repo/cookbooks/esh_go_mmproxy
@@ -0,0 +1 @@
+../../esh_go_mmproxy/
\ No newline at end of file
diff --git a/cinc-repo/cookbooks/esh_haproxy b/cinc-repo/cookbooks/esh_haproxy
new file mode 120000
index 0000000..6a05e92
--- /dev/null
+++ b/cinc-repo/cookbooks/esh_haproxy
@@ -0,0 +1 @@
+../../esh_haproxy/
\ No newline at end of file
diff --git a/cinc-repo/cookbooks/esh_kanboard b/cinc-repo/cookbooks/esh_kanboard
new file mode 120000
index 0000000..b5c98b9
--- /dev/null
+++ b/cinc-repo/cookbooks/esh_kanboard
@@ -0,0 +1 @@
+../../esh_kanboard/
\ No newline at end of file
diff --git a/cinc-repo/cookbooks/esh_laminar b/cinc-repo/cookbooks/esh_laminar
new file mode 120000
index 0000000..c827544
--- /dev/null
+++ b/cinc-repo/cookbooks/esh_laminar
@@ -0,0 +1 @@
+../../esh_laminar
\ No newline at end of file
diff --git a/cinc-repo/cookbooks/esh_letsencrypt b/cinc-repo/cookbooks/esh_letsencrypt
new file mode 120000
index 0000000..8fcdb24
--- /dev/null
+++ b/cinc-repo/cookbooks/esh_letsencrypt
@@ -0,0 +1 @@
+../../esh_letsencrypt/
\ No newline at end of file
diff --git a/cinc-repo/cookbooks/esh_lxd b/cinc-repo/cookbooks/esh_lxd
new file mode 120000
index 0000000..adead1a
--- /dev/null
+++ b/cinc-repo/cookbooks/esh_lxd
@@ -0,0 +1 @@
+../../esh_lxd
\ No newline at end of file
diff --git a/cinc-repo/cookbooks/esh_mailcow b/cinc-repo/cookbooks/esh_mailcow
new file mode 120000
index 0000000..7fc9bd1
--- /dev/null
+++ b/cinc-repo/cookbooks/esh_mailcow
@@ -0,0 +1 @@
+../../esh_mailcow/
\ No newline at end of file
diff --git a/cinc-repo/cookbooks/esh_miniflux b/cinc-repo/cookbooks/esh_miniflux
new file mode 120000
index 0000000..eb0cde8
--- /dev/null
+++ b/cinc-repo/cookbooks/esh_miniflux
@@ -0,0 +1 @@
+../../esh_miniflux/
\ No newline at end of file
diff --git a/cinc-repo/cookbooks/esh_mkdocs b/cinc-repo/cookbooks/esh_mkdocs
new file mode 120000
index 0000000..6bc2c36
--- /dev/null
+++ b/cinc-repo/cookbooks/esh_mkdocs
@@ -0,0 +1 @@
+../../esh_mkdocs
\ No newline at end of file
diff --git a/cinc-repo/cookbooks/esh_netplan b/cinc-repo/cookbooks/esh_netplan
new file mode 120000
index 0000000..69dd1bc
--- /dev/null
+++ b/cinc-repo/cookbooks/esh_netplan
@@ -0,0 +1 @@
+../../esh_netplan/
\ No newline at end of file
diff --git a/cinc-repo/cookbooks/esh_nginx b/cinc-repo/cookbooks/esh_nginx
new file mode 120000
index 0000000..ae6393a
--- /dev/null
+++ b/cinc-repo/cookbooks/esh_nginx
@@ -0,0 +1 @@
+../../esh_nginx/
\ No newline at end of file
diff --git a/cinc-repo/cookbooks/esh_nitter b/cinc-repo/cookbooks/esh_nitter
new file mode 120000
index 0000000..c371b99
--- /dev/null
+++ b/cinc-repo/cookbooks/esh_nitter
@@ -0,0 +1 @@
+../../esh_nitter/
\ No newline at end of file
diff --git a/cinc-repo/cookbooks/esh_photoprism b/cinc-repo/cookbooks/esh_photoprism
new file mode 120000
index 0000000..41d68f7
--- /dev/null
+++ b/cinc-repo/cookbooks/esh_photoprism
@@ -0,0 +1 @@
+../../esh_photoprism/
\ No newline at end of file
diff --git a/cinc-repo/cookbooks/esh_piped b/cinc-repo/cookbooks/esh_piped
new file mode 120000
index 0000000..04cf105
--- /dev/null
+++ b/cinc-repo/cookbooks/esh_piped
@@ -0,0 +1 @@
+../../esh_piped
\ No newline at end of file
diff --git a/cinc-repo/cookbooks/esh_syncthing b/cinc-repo/cookbooks/esh_syncthing
new file mode 120000
index 0000000..c02a5af
--- /dev/null
+++ b/cinc-repo/cookbooks/esh_syncthing
@@ -0,0 +1 @@
+../../esh_syncthing
\ No newline at end of file
diff --git a/cinc-repo/cookbooks/esh_system b/cinc-repo/cookbooks/esh_system
new file mode 120000
index 0000000..3610ffe
--- /dev/null
+++ b/cinc-repo/cookbooks/esh_system
@@ -0,0 +1 @@
+../../esh_system/
\ No newline at end of file
diff --git a/cinc-repo/cookbooks/esh_systemd b/cinc-repo/cookbooks/esh_systemd
new file mode 120000
index 0000000..9e05283
--- /dev/null
+++ b/cinc-repo/cookbooks/esh_systemd
@@ -0,0 +1 @@
+../../esh_systemd
\ No newline at end of file
diff --git a/cinc-repo/cookbooks/esh_ufw b/cinc-repo/cookbooks/esh_ufw
new file mode 120000
index 0000000..ead6abf
--- /dev/null
+++ b/cinc-repo/cookbooks/esh_ufw
@@ -0,0 +1 @@
+../../esh_ufw/
\ No newline at end of file
diff --git a/cinc-repo/cookbooks/esh_undocker b/cinc-repo/cookbooks/esh_undocker
new file mode 120000
index 0000000..3c0a8e6
--- /dev/null
+++ b/cinc-repo/cookbooks/esh_undocker
@@ -0,0 +1 @@
+../../esh_undocker
\ No newline at end of file
diff --git a/cinc-repo/cookbooks/esh_vaultwarden b/cinc-repo/cookbooks/esh_vaultwarden
new file mode 120000
index 0000000..a2dbeb0
--- /dev/null
+++ b/cinc-repo/cookbooks/esh_vaultwarden
@@ -0,0 +1 @@
+../../esh_vaultwarden/
\ No newline at end of file
diff --git a/cinc-repo/cookbooks/esh_webhook b/cinc-repo/cookbooks/esh_webhook
new file mode 120000
index 0000000..a005507
--- /dev/null
+++ b/cinc-repo/cookbooks/esh_webhook
@@ -0,0 +1 @@
+../../esh_webhook
\ No newline at end of file
diff --git a/cinc-repo/cookbooks/esh_wireguard b/cinc-repo/cookbooks/esh_wireguard
new file mode 120000
index 0000000..05ef727
--- /dev/null
+++ b/cinc-repo/cookbooks/esh_wireguard
@@ -0,0 +1 @@
+../../esh_wireguard/
\ No newline at end of file
diff --git a/cinc-repo/cookbooks/esh_writefreely b/cinc-repo/cookbooks/esh_writefreely
new file mode 120000
index 0000000..d8df8ab
--- /dev/null
+++ b/cinc-repo/cookbooks/esh_writefreely
@@ -0,0 +1 @@
+../../esh_writefreely/
\ No newline at end of file
diff --git a/cinc-repo/cookbooks/esh_zfs b/cinc-repo/cookbooks/esh_zfs
new file mode 120000
index 0000000..1853cb7
--- /dev/null
+++ b/cinc-repo/cookbooks/esh_zfs
@@ -0,0 +1 @@
+../../esh_zfs
\ No newline at end of file
diff --git a/cinc-repo/data_bags/README.md b/cinc-repo/data_bags/README.md
new file mode 100644
index 0000000..bd9d833
--- /dev/null
+++ b/cinc-repo/data_bags/README.md
@@ -0,0 +1,56 @@
+# Data Bags
+
+This directory contains directories of the various data bags you create for your infrastructure. Each subdirectory corresponds to a data bag on the Chef Infra Server, and contains JSON files of the items that go in the bag.
+
+For example, in this directory, you'll find an example data bag directory called `example`, which contains an item definition called `example_item.json`
+
+Before uploading this item to the server, we must first create the data bag on the Chef Infra Server.
+
+ knife data bag create example
+
+Then we can upload the items in the data bag's directory to the Chef Infra Server.
+
+ knife data bag from file example example_item.json
+
+For more information on data bags, see the Chef Infra docs site:
+
+https://docs.chef.io/data_bags/
+
+# Encrypted Data Bags
+
+Encrypted data bags allow you to encrypt the contents of your data bags. The content of attributes will no longer be searchable. To use encrypted data bags, first you must have or create a secret key.
+
+ openssl rand -base64 512 > secret_key
+
+You may use this secret_key to add items to a data bag during a create.
+
+ knife data bag create --secret-file secret_key passwords mysql
+
+You may also use it when adding ITEMs from files,
+
+ knife data bag create passwords
+ knife data bag from file passwords data_bags/passwords/mysql.json --secret-file secret_key
+
+The JSON for the ITEM must contain a key named "id" with a value equal to "ITEM" and the contents will be encrypted when uploaded. For example,
+
+ {
+ "id": "mysql",
+ "password": "abc123"
+ }
+
+Without the secret_key, the contents are encrypted.
+
+ knife data bag show passwords mysql
+ id: mysql
+ password: 2I0XUUve1TXEojEyeGsjhw==
+
+Use the secret_key to view the contents.
+
+ knife data bag show passwords mysql --secret-file secret_key
+ id: mysql
+ password: abc123
+
+
+For more information on encrypted data bags, see the Chef Infra docs site:
+
+https://docs.chef.io/data_bags/
diff --git a/cinc-repo/data_bags/example/example_item.json b/cinc-repo/data_bags/example/example_item.json
new file mode 100644
index 0000000..c6a7074
--- /dev/null
+++ b/cinc-repo/data_bags/example/example_item.json
@@ -0,0 +1,4 @@
+{
+ "id": "example_item",
+ "key": "value"
+}
\ No newline at end of file
diff --git a/cinc-repo/knife.rb b/cinc-repo/knife.rb
new file mode 100644
index 0000000..53df669
--- /dev/null
+++ b/cinc-repo/knife.rb
@@ -0,0 +1,33 @@
+local_mode true
+chef_repo_path File.expand_path('../' , __FILE__)
+
+knife[:ssh_attribute] = "knife_zero.host"
+knife[:use_sudo] = true
+
+## use specific key file to connect server instead of ssh_agent(use ssh_agent is set true by default).
+# knife[:identity_file] = "~/.ssh/id_rsa"
+# knife[:ssh_identity_file] = 'PATH_TO_YOUR_PRIVATE_KEY' # Newer than Chef 14
+
+## Attributes of node objects will be saved to json file.
+## the automatic_attribute_whitelist option limits the attributes to be saved.
+knife[:automatic_attribute_whitelist] = %w[
+ fqdn
+ os
+ os_version
+ hostname
+ ipaddress
+ roles
+ recipes
+ ipaddress
+ platform
+ platform_version
+ cloud
+ cloud_v2
+ chef_packages
+]
+
+use_policyfile true
+versioned_cookbooks true
+policy_document_native_api false
+chef_server_url "http://localhost:8889" # for `chef push`
+
diff --git a/cinc-repo/policyfiles/README.md b/cinc-repo/policyfiles/README.md
new file mode 100644
index 0000000..5f3a2cd
--- /dev/null
+++ b/cinc-repo/policyfiles/README.md
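Review bot: `ipaddress` is listed twice in `knife[:automatic_attribute_whitelist]` (once after `hostname`, again after `recipes`); drop the second entry so the saved-attribute allow-list reads as intended. The rest of the file is knife-zero local-mode configuration, so `chef_server_url "http://localhost:8889"` is the local chef-zero endpoint used by `chef push`, not a remote server reached over plain HTTP; a comment saying exactly that (`# chef-zero started by knife/chef in local mode, never a remote endpoint`) would pre-empt the obvious question from a reader seeing `http://` in a server URL.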
@@ -0,0 +1,24 @@
+Create Policyfiles here. When using a chef-repo, give your Policyfiles
+the same filename as the name set in the policyfile itself, and use the
+`.rb` file extension.
+
+Compile the policy with a command like this:
+
+```
+chef install policyfiles/my-app-frontend.rb
+```
+
+This will create a lockfile `policyfiles/my-app-frontend.lock.json`.
+
+To update locked dependencies, run `chef update` like this:
+
+```
+chef update policyfiles/my-app-frontend.rb
+```
+
+You can upload the policy (with associated cookbooks) to the server
+using a command like:
+
+```
+chef push staging policyfiles/my-app-frontend.rb
+```
diff --git a/cinc-repo/policyfiles/archive.rb b/cinc-repo/policyfiles/archive.rb
new file mode 100644
index 0000000..6a8b4d9
--- /dev/null
+++ b/cinc-repo/policyfiles/archive.rb
@@ -0,0 +1,33 @@
+name 'archive'
+
+###
+# Cookbooks location
+###
+
+# ESH
+default_source :chef_repo, '../cookbooks'
+
+# Community
+default_source :supermarket, 'https://supermarket.chef.io'
+
+###
+# Run List
+###
+
+run_list %w(
+ esh_docker::service
+ esh_archivebox::system
+ esh_archivebox::compose
+)
+
+###
+# Attributes
+###
+
+###
+# esh_archivebox
+###
+
+default['esh']['archivebox']['username'] = 'benpro'
+default['esh']['archivebox']['email'] = 'archivebox@benpro.fr'
+default['esh']['archivebox']['password'] = ''
diff --git a/cinc-repo/policyfiles/blog.rb b/cinc-repo/policyfiles/blog.rb
new file mode 100644
index 0000000..762fe14
--- /dev/null
+++ b/cinc-repo/policyfiles/blog.rb
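Review bot: `default['esh']['archivebox']['password'] = ''` leaves the ArchiveBox account password empty, and nothing on the line says whether that is a scrubbed secret or a real value; if it was blanked before archiving, mark it (`# secret removed before archiving — must be set before converging`) so nobody converges the policy with an empty credential. The same `= ''` pattern recurs for the mariadb/postgresql passwords in blog.rb, flux.rb and git.rb, the wireguard/haproxy/letsencrypt values in gtw.rb and the AdGuard `password:` in dns.rb, so one explanatory comment per file covers them. Presumably these were meant to come from a data bag or other secret source rather than the policyfile itself; if so, naming that source in the comment is the useful part.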
@@ -0,0 +1,40 @@
+name 'blog'
+
+###
+# Cookbooks location
+###
+
+# ESH
+default_source :chef_repo, '../cookbooks'
+
+# Community
+default_source :supermarket, 'https://supermarket.chef.io'
+
+###
+# Run List
+###
+
+run_list %w(
+ esh_writefreely::install
+ esh_writefreely::mariadb
+ esh_writefreely::service
+)
+
+###
+# Attributes
+###
+
+###
+# esh_writefreely
+###
+
+version = '0.13.1'
+default['esh']['writefreely']['version'] = version
+default['esh']['writefreely']['url'] = "https://github.com/writefreely/writefreely/releases/download/v#{version}/writefreely_#{version}_linux_amd64.tar.gz"
+default['esh']['writefreely']['mariadb']['password'] = ''
+default['esh']['writefreely']['app']['site_name'] = 'blog.benpro.fr'
+default['esh']['writefreely']['app']['host'] = 'https://blog.benpro.fr'
+default['esh']['writefreely']['app']['single_user'] = 'true'
+
+default['esh']['writefreely']['nginx']['ip_addr'] = '127.0.0.1'
+default['esh']['writefreely']['nginx']['port'] = '8080'
diff --git a/cinc-repo/policyfiles/dns.rb b/cinc-repo/policyfiles/dns.rb
new file mode 100644
index 0000000..266a5d9
--- /dev/null
+++ b/cinc-repo/policyfiles/dns.rb
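Review bot: the writefreely release is pinned by version and download URL only (`default['esh']['writefreely']['url'] = "https://github.com/.../writefreely_#{version}_linux_amd64.tar.gz"`), with no digest alongside it; if esh_writefreely's download resource accepts a checksum, pin the release's SHA-256 next to the URL so a changed artifact fails the converge instead of being installed. `single_user = 'true'` is a string rather than a boolean, which is presumably what the cookbook's template expects — a short comment saying so would stop the next reader "fixing" it to `true`. The `version` local variable reused in the URL is a good pattern and worth keeping for the other policyfiles that embed versions in URLs (git.rb, gtw.rb).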
@@ -0,0 +1,433 @@ +name 'dns' + +### +# Cookbooks location +### + +# ESH +default_source :chef_repo, '../cookbooks' + +# Community +default_source :supermarket, 'https://supermarket.chef.io' + +### +# Run List +### + +run_list %w( + esh_go_mmproxy::default + esh_adguard::default +) + +### +# Attributes +### + +### +# esh_go_mmproxy +### + +# to:listen +default['esh']['go_mmproxy']['proxies'] = { + '853': '10853', +} +default['esh']['go_mmproxy']['prefixes'] = <<~EOT +10.0.0.0/8 +EOT + +### +# esh_adguard +### + +default['esh']['adguard']['cert_pub'] = 'http://10.10.10.1:8898/dns.benoit.jp.net/fullchain.pem' +default['esh']['adguard']['cert_priv'] = 'http://10.10.10.1:8898/dns.benoit.jp.net/privkey.pem' +default['esh']['adguard']['cert_auth'] = '' + +default['esh']['adguard']['version'] = '0.107.55' + +default['esh']['adguard']['config'] = <<~EOT +http: + pprof: + port: 6060 + enabled: false + address: 0.0.0.0:80 + session_ttl: 720h +users: + - name: benoit + password: +auth_attempts: 5 +block_auth_min: 15 +http_proxy: "" +language: en +theme: dark +dns: + bind_hosts: + - 0.0.0.0 + port: 1053 + anonymize_client_ip: false + ratelimit: 100 + ratelimit_subnet_len_ipv4: 24 + ratelimit_subnet_len_ipv6: 56 + ratelimit_whitelist: [] + refuse_any: true + upstream_dns: + - '# Quad9' + - https://dns11.quad9.net/dns-query + - '# CloudFlare' + - tls://1dot1dot1dot1.cloudflare-dns.com + - https://dns.cloudflare.com/dns-query + - '# IIJ' + - tls://public.dns.iij.jp + - https://public.dns.iij.jp/dns-query + - '# NextDNS' + - tls://dns.nextdns.io + - https://dns.nextdns.io + - https://anycast.dns.nextdns.io + - tls://anycast.dns.nextdns.io + - '# AdGuard' + - https://unfiltered.adguard-dns.com/dns-query + - tls://unfiltered.adguard-dns.com + - quic://unfiltered.adguard-dns.com + - '# Cisco OpenDNS' + - https://doh.opendns.com/dns-query + - '# Google' + - https://dns.google/dns-query + - tls://dns.google + - '# Tailscale' + - '[/taile088c7.ts.net/]100.100.100.100' + 
upstream_dns_file: "" + bootstrap_dns: + - 94.140.14.140 + fallback_dns: [] + upstream_mode: load_balance + fastest_timeout: 1s + allowed_clients: + - chiisai-firefox + - bluejay + - chiisai-chromium + - tangorpro + - reven + - lavie-firefox + - lavie-chromium + - caiman + disallowed_clients: [] + blocked_hosts: + - version.bind + - id.server + - hostname.bind + trusted_proxies: + - 127.0.0.0/8 + - ::1/128 + - 10.0.0.0/8 + cache_size: 4194304 + cache_ttl_min: 0 + cache_ttl_max: 0 + cache_optimistic: true + bogus_nxdomain: [] + aaaa_disabled: false + enable_dnssec: true + edns_client_subnet: + custom_ip: "" + enabled: false + use_custom: false + max_goroutines: 50 + handle_ddr: true + ipset: [] + ipset_file: "" + bootstrap_prefer_ipv6: false + upstream_timeout: 10s + private_networks: [] + use_private_ptr_resolvers: true + local_ptr_upstreams: [] + use_dns64: false + dns64_prefixes: [] + serve_http3: false + use_http3_upstreams: false + serve_plain_dns: false + hostsfile_enabled: true +tls: + enabled: true + server_name: dns.benoit.jp.net + force_https: true + port_https: 443 + port_dns_over_tls: 853 + port_dns_over_quic: 784 + port_dnscrypt: 0 + dnscrypt_config_file: "" + allow_unencrypted_doh: false + certificate_chain: "" + private_key: "" + certificate_path: /etc/adguard/fullchain.pem + private_key_path: /etc/adguard/privkey.pem + strict_sni_check: false +querylog: + dir_path: "" + ignored: [] + interval: 2160h + size_memory: 1000 + enabled: true + file_enabled: true +statistics: + dir_path: "" + ignored: [] + interval: 2160h + enabled: true +filters: + - enabled: true + url: https://logroid.github.io/adaway-hosts/hosts.txt + name: AdAway Blocking Hosts File for Japan + id: 1598087715 + - enabled: true + url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_32.txt + name: The NoTracking blocklist + id: 1686439100 + - enabled: true + url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt + name: AdGuard DNS filter + id: 1686439101 + 
- enabled: true + url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt + name: AdAway Default Blocklist + id: 1686439102 + - enabled: true + url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_23.txt + name: WindowsSpyBlocker - Hosts spy rules + id: 1686439103 + - enabled: true + url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_6.txt + name: Dandelion Sprout's Game Console Adblock List + id: 1686439104 + - enabled: true + url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_7.txt + name: Perflyst and Dandelion Sprout's Smart-TV Blocklist + id: 1686439105 + - enabled: true + url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_11.txt + name: Malicious URL Blocklist (URLHaus) + id: 1686439106 + - enabled: true + url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_9.txt + name: The Big List of Hacked Malware Web Sites + id: 1686439107 + - enabled: true + url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_31.txt + name: Stalkerware Indicators List + id: 1686439108 + - enabled: true + url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_42.txt + name: ShadowWhisperer's Malware List + id: 1686439109 + - enabled: true + url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_10.txt + name: Scam Blocklist by DurableNapkin + id: 1686439110 + - enabled: true + url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_8.txt + name: NoCoin Filter List + id: 1686439111 + - enabled: true + url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_12.txt + name: Dandelion Sprout's Anti-Malware List + id: 1686439112 + - enabled: true + url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_30.txt + name: Phishing URL Blocklist (PhishTank and OpenPhish) + id: 1686439113 + - enabled: true + url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_24.txt + name: 1Hosts (Lite) + id: 1686439114 + - enabled: true 
+ url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_4.txt + name: Dan Pollock's List + id: 1686439115 + - enabled: true + url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_27.txt + name: OISD Blocklist Big + id: 1686439117 + - enabled: true + url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_3.txt + name: Peter Lowe's Blocklist + id: 1686439118 + - enabled: true + url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_33.txt + name: Steven Black's List + id: 1686439119 +whitelist_filters: [] +user_rules: + - '@@||rd.rakuten.co.jp^$important' + - '@@||fls-fe.amazon.co.jp^$important' + - '@@||searchapi.agoda.com^$important' + - '@@||auth.split.io^$important' + - '@@||sdk.split.io^$important' + - "" +dhcp: + enabled: false + interface_name: "" + local_domain_name: lan + dhcpv4: + gateway_ip: "" + subnet_mask: "" + range_start: "" + range_end: "" + lease_duration: 86400 + icmp_timeout_msec: 1000 + options: [] + dhcpv6: + range_start: "" + lease_duration: 86400 + ra_slaac_only: false + ra_allow_slaac: false +filtering: + blocking_ipv4: "" + blocking_ipv6: "" + blocked_services: + schedule: + time_zone: Local + ids: + - facebook + - twitter + - snapchat + - origin + - epic_games + - vk + - mail_ru + - discord + - ok + - tiktok + - 9gag + - hulu + - whatsapp + - wechat + - tinder + - skype + - pinterest + - disneyplus + - qq + - weibo + - telegram + - roblox + - icloud_private_relay + - zhihu + - minecraft + - douban + - deezer + - bilibili + - instagram + - iqiyi + - lazada + - riot_games + - tidal + - twitch + - voot + - xboxlive + - rakuten_viki + - leagueoflegends + - kakaotalk + - hbomax + - crunchyroll + - kik + - onlyfans + - shopee + - soundcloud + - valorant + - shein + - temu + - yy + - xiaohongshu + - wargaming + - ubisoft + - wizz + - samsung_tv_plus + - nebula + - lionsgateplus + - fifa + - dropbox + - discoveryplus + - coolapk + - claro + - bluesky + - betfair + - apple_streaming + - 500px + - 
amino + - betano + - bigo_live + - blizzard_entertainment + - canais_globo + - clubhouse + - electronic_arts + - globoplay + - linkedin + - paramountplus + - plenty_of_fish + - privacy + - rockstar_games + - pluto_tv + - mercado_libre + - looke + - kook + - iheartradio + - espn + - directvgo + - box + - blaze + - betway + - battle_net + - activision_blizzard + - 4chan + - ebay + - olvid + - peacock_tv + - slack + - spotify + - tumblr + protection_disabled_until: null + safe_search: + enabled: false + bing: true + duckduckgo: true + ecosia: true + google: true + pixabay: true + yandex: true + youtube: true + blocking_mode: null_ip + parental_block_host: family-block.dns.adguard.com + safebrowsing_block_host: standard-block.dns.adguard.com + rewrites: [] + safe_fs_patterns: + - /var/lib/adguard/data/userfilters/* + safebrowsing_cache_size: 1048576 + safesearch_cache_size: 1048576 + parental_cache_size: 1048576 + cache_time: 30 + filters_update_interval: 24 + blocked_response_ttl: 10 + filtering_enabled: true + parental_enabled: true + safebrowsing_enabled: true + protection_enabled: true +clients: + runtime_sources: + whois: true + arp: true + rdns: true + dhcp: true + hosts: true + persistent: [] +log: + enabled: true + file: "" + max_backups: 0 + max_size: 100 + max_age: 3 + compress: false + local_time: false + verbose: false +os: + group: "" + user: "" + rlimit_nofile: 0 +schema_version: 29 +EOT \ No newline at end of file diff --git a/cinc-repo/policyfiles/flux.rb b/cinc-repo/policyfiles/flux.rb new file mode 100644 index 0000000..43c2b96 --- /dev/null +++ b/cinc-repo/policyfiles/flux.rb 
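Review bot: `cert_pub` and `cert_priv` fetch the TLS certificate and its private key over plain `http://10.10.10.1:8898/...`, with `cert_auth` left empty, so the confidentiality of that key rests entirely on 10.10.10.1:8898 being reachable only through the WireGuard tunnel (gtw.rb's `allow from 10.10.10.3 to 10.10.10.1 port 8898` points that way); record the assumption above those two lines, e.g. `# served by esh_letsencrypt::serve on the wg address only; cert_auth is the credential it expects`. In the AdGuard YAML, `allowed_clients` sits under `dns:` and so restricts resolution only, while the web UI is bound on `address: 0.0.0.0:80` and `tls:` carries `strict_sni_check: false` — each deserves a one-line justification in the heredoc. The heredoc also ends without a trailing newline (`\ No newline at end of file`), harmless but inconsistent with the other policyfiles in this commit.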
@@ -0,0 +1,39 @@
+name 'flux'
+
+###
+# Cookbooks location
+###
+
+# ESH
+default_source :chef_repo, '../cookbooks'
+
+# Community
+default_source :supermarket, 'https://supermarket.chef.io'
+
+###
+# Run List
+###
+
+run_list %w(
+ esh_miniflux::default
+)
+
+###
+# Attributes
+###
+
+###
+# esh_miniflux
+###
+
+default['esh']['miniflux']['base_url'] = 'https://flux.benoit.jp.net'
+default['esh']['miniflux']['postgresql']['password'] = ''
+default['esh']['miniflux']['configfile'] = <<~EOT
+# See https://miniflux.app/docs/configuration.html
+
+RUN_MIGRATIONS=1
+PROXY_IMAGES=all
+DATABASE_URL=user=miniflux password=#{default['esh']['miniflux']['postgresql']['password']} dbname=miniflux
+BASE_URL=#{default['esh']['miniflux']['base_url']}
+LISTEN_ADDR=0.0.0.0:8080
+EOT
diff --git a/cinc-repo/policyfiles/gallery.rb b/cinc-repo/policyfiles/gallery.rb
new file mode 100644
index 0000000..dfa2330
--- /dev/null
+++ b/cinc-repo/policyfiles/gallery.rb
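Review bot: `DATABASE_URL=user=miniflux password=#{default['esh']['miniflux']['postgresql']['password']} dbname=miniflux` interpolates the password into a libpq keyword/value string unquoted, so any password containing a space, quote or backslash silently breaks the connection string; write it as `password='#{...}'` with `'` and `\` escaped in the value, or switch to the `postgres://` URI form with the password percent-encoded. `LISTEN_ADDR=0.0.0.0:8080` binds on every interface, while gtw.rb only ever reaches this host at `10.78.127.111:8080` through HAProxy; binding to that address, or documenting the firewall that fronts it, would narrow the exposure.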
@@ -0,0 +1,127 @@ +name 'gallery' + +### +# Cookbooks location +### + +# ESH +default_source :chef_repo, '../cookbooks' + +# Community +default_source :supermarket, 'https://supermarket.chef.io' + +### +# Run List +### + +run_list %w( + esh_photoprism::mariadb + esh_photoprism::system + esh_photoprism::undocker +) + +### +# Attributes +### + +### +# esh_writefreely +### + +default['esh']['photoprism']['nginx']['ip_addr'] = '127.0.0.1' +default['esh']['photoprism']['nginx']['port'] = '2342' + +default['esh']['photoprism']['docker']['url'] = 'docker.io/photoprism' +default['esh']['photoprism']['docker']['image'] = 'photoprism' +default['esh']['photoprism']['docker']['tag'] = '221118-jammy' +default['esh']['photoprism']['docker']['network'] = 'host' + +PHOTOPRISM_ADMIN_USER = 'benoit'.freeze +PHOTOPRISM_ADMIN_PASSWORD = ''.freeze +PHOTOPRISM_AUTH_MODE = 'password'.freeze +PHOTOPRISM_SITE_URL = 'https://gallery.benpro.fr'.freeze +PHOTOPRISM_ORIGINALS_LIMIT = 5000 +PHOTOPRISM_HTTP_COMPRESSION = 'gzip'.freeze +PHOTOPRISM_LOG_LEVEL = 'info'.freeze +PHOTOPRISM_READONLY = 'true'.freeze +PHOTOPRISM_EXPERIMENTAL = 'false'.freeze +PHOTOPRISM_DISABLE_CHOWN = 'true'.freeze +PHOTOPRISM_DISABLE_WEBDAV = 'true'.freeze +PHOTOPRISM_DISABLE_SETTINGS = 'false'.freeze +PHOTOPRISM_DISABLE_TENSORFLOW = 'false'.freeze +PHOTOPRISM_DISABLE_FACES = 'false'.freeze +PHOTOPRISM_DISABLE_CLASSIFICATION = 'false'.freeze +PHOTOPRISM_DISABLE_RAW = 'false'.freeze +PHOTOPRISM_RAW_PRESETS = 'false'.freeze +PHOTOPRISM_JPEG_QUALITY = 85 +PHOTOPRISM_DETECT_NSFW = 'false'.freeze +PHOTOPRISM_UPLOAD_NSFW = 'true'.freeze +PHOTOPRISM_DATABASE_DRIVER = 'mysql'.freeze +PHOTOPRISM_DATABASE_SERVER = 'localhost:3306'.freeze +PHOTOPRISM_DATABASE_NAME = 'photoprism'.freeze +PHOTOPRISM_DATABASE_USER = 'photoprism'.freeze +PHOTOPRISM_DATABASE_PASSWORD = 'Enrage-Spring-Refill1'.freeze +PHOTOPRISM_SITE_CAPTION = 'Benpro Gallery'.freeze +PHOTOPRISM_SITE_DESCRIPTION = 'Benpro photos'.freeze +PHOTOPRISM_SITE_AUTHOR = 
'benpro.fr'.freeze +PHOTOPRISM_INIT = 'tensorflow'.freeze +PHOTOPRISM_UID = 998 +PHOTOPRISM_GID = 998 + +default['esh']['photoprism']['mariadb']['password'] = PHOTOPRISM_DATABASE_PASSWORD + +default['esh']['photoprism']['docker']['env'] = [ + "PHOTOPRISM_ADMIN_USER=#{PHOTOPRISM_ADMIN_USER}", + "PHOTOPRISM_ADMIN_PASSWORD=#{PHOTOPRISM_ADMIN_PASSWORD}", + "PHOTOPRISM_AUTH_MODE=#{PHOTOPRISM_AUTH_MODE}", + "PHOTOPRISM_SITE_URL=#{PHOTOPRISM_SITE_URL}", + "PHOTOPRISM_ORIGINALS_LIMIT=#{PHOTOPRISM_ORIGINALS_LIMIT}", + "PHOTOPRISM_HTTP_COMPRESSION=#{PHOTOPRISM_HTTP_COMPRESSION}", + "PHOTOPRISM_LOG_LEVEL=#{PHOTOPRISM_LOG_LEVEL}", + "PHOTOPRISM_READONLY=#{PHOTOPRISM_READONLY}", + "PHOTOPRISM_EXPERIMENTAL=#{PHOTOPRISM_EXPERIMENTAL}", + "PHOTOPRISM_DISABLE_CHOWN=#{PHOTOPRISM_DISABLE_CHOWN}", + "PHOTOPRISM_DISABLE_WEBDAV=#{PHOTOPRISM_DISABLE_WEBDAV}", + "PHOTOPRISM_DISABLE_SETTINGS=#{PHOTOPRISM_DISABLE_SETTINGS}", + "PHOTOPRISM_DISABLE_TENSORFLOW=#{PHOTOPRISM_DISABLE_TENSORFLOW}", + "PHOTOPRISM_DISABLE_FACES=#{PHOTOPRISM_DISABLE_FACES}", + "PHOTOPRISM_DISABLE_CLASSIFICATION=#{PHOTOPRISM_DISABLE_CLASSIFICATION}", + "PHOTOPRISM_DISABLE_RAW=#{PHOTOPRISM_DISABLE_RAW}", + "PHOTOPRISM_RAW_PRESETS=#{PHOTOPRISM_RAW_PRESETS}", + "PHOTOPRISM_JPEG_QUALITY=#{PHOTOPRISM_JPEG_QUALITY}", + "PHOTOPRISM_DETECT_NSFW=#{PHOTOPRISM_DETECT_NSFW}", + "PHOTOPRISM_UPLOAD_NSFW=#{PHOTOPRISM_UPLOAD_NSFW}", + "PHOTOPRISM_DATABASE_DRIVER=#{PHOTOPRISM_DATABASE_DRIVER}", + "PHOTOPRISM_DATABASE_SERVER=#{PHOTOPRISM_DATABASE_SERVER}", + "PHOTOPRISM_DATABASE_NAME=#{PHOTOPRISM_DATABASE_NAME}", + "PHOTOPRISM_DATABASE_USER=#{PHOTOPRISM_DATABASE_USER}", + "PHOTOPRISM_DATABASE_PASSWORD=#{PHOTOPRISM_DATABASE_PASSWORD}", + "PHOTOPRISM_SITE_CAPTION=#{PHOTOPRISM_SITE_CAPTION}", + "PHOTOPRISM_SITE_DESCRIPTION=#{PHOTOPRISM_SITE_DESCRIPTION}", + "PHOTOPRISM_SITE_AUTHOR=#{PHOTOPRISM_SITE_AUTHOR}", + "PHOTOPRISM_INIT=#{PHOTOPRISM_INIT}", + "PHOTOPRISM_UID=#{PHOTOPRISM_UID}", + "PHOTOPRISM_GID=#{PHOTOPRISM_GID}", +] + 
+default['esh']['photoprism']['docker']['service'] = <<~EOT +[Unit] +Description=ESH Undockerized photoprism Service +After=network.target mariadb.service +Requires=mariadb.service + +[Service] +Type=simple +ExecStart=/usr/bin/systemd-nspawn \ + --oci-bundle=/var/lib/machines/photoprism \ + --machine photoprism \ + --hostname photoprism \ + --bind=/var/lib/gallery-originals:/photoprism/originals \ + --bind=/var/lib/gallery-storage:/photoprism/storage \ + --resolv-conf=bind-stub \ + --capability=CAP_SETUID +Restart=on-failure + +[Install] +WantedBy=multi-user.target +EOT diff --git a/cinc-repo/policyfiles/git.rb b/cinc-repo/policyfiles/git.rb new file mode 100644 index 0000000..b7a2c7d --- /dev/null +++ b/cinc-repo/policyfiles/git.rb 
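Review bot: `PHOTOPRISM_DATABASE_PASSWORD` is assigned a literal, non-empty password while every other credential in this commit (`PHOTOPRISM_ADMIN_PASSWORD`, the mariadb/forgejo/wireguard values) was scrubbed to `''`; treat that value as disclosed, rotate it on any host still using it, and blank it here like the others. The section header `# esh_writefreely` above the photoprism attributes is a copy-paste leftover from blog.rb and should read `# esh_photoprism`. The nspawn unit grants `--capability=CAP_SETUID`; a comment stating why photoprism needs it (presumably the UID/GID switch configured via `PHOTOPRISM_UID`/`PHOTOPRISM_GID`, though that is inferred) would let the next reader judge whether it can be dropped.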
@@ -0,0 +1,122 @@ +name 'git' + +### +# Cookbooks location +### + +# ESH +default_source :chef_repo, '../cookbooks' + +# Community +default_source :supermarket, 'https://supermarket.chef.io' + +### +# Run List +### + +run_list %w( + esh_forgejo::system + esh_forgejo::mariadb + esh_forgejo::service +) + +### +# Attributes +### + +### +# esh_forgejo +### + +default['esh']['forgejo']['mariadb']['password'] = '' +default['esh']['forgejo']['service']['binary'] = 'https://codeberg.org/forgejo/forgejo/releases/download/v8.0.1/forgejo-8.0.1-linux-amd64' +default['esh']['forgejo']['service']['asc'] = 'https://codeberg.org/forgejo/forgejo/releases/download/v8.0.1/forgejo-8.0.1-linux-amd64.asc' +default['esh']['forgejo']['service']['load_config'] = true +default['esh']['forgejo']['service']['config'] = <<~EOT +APP_NAME = Benoit's git +RUN_USER = git +RUN_MODE = prod +WORK_PATH = /var/lib/gitea + +[database] +DB_TYPE = mysql +HOST = 127.0.0.1:3306 +NAME = git +USER = git +PASSWD = +SCHEMA = +SSL_MODE = disable +CHARSET = utf8 +PATH = /var/lib/gitea/data/forgejo.db +LOG_SQL = false + +[repository] +ROOT = /var/lib/gitea/data/forgejo-repositories + +[server] +SSH_DOMAIN = git.benoit.jp.net +DOMAIN = git.benoit.jp.net +HTTP_PORT = 3000 +ROOT_URL = https://git.benoit.jp.net/ +DISABLE_SSH = false +START_SSH_SERVER = true +SSH_PORT = 22 +SSH_LISTEN_HOST = 10.78.127.119 +SSH_LISTEN_PORT = 10022 +SSH_SERVER_USE_PROXY_PROTOCOL = true +LFS_START_SERVER = true +LFS_JWT_SECRET = +OFFLINE_MODE = false + +[lfs] +PATH = /var/lib/gitea/data/lfs + +[mailer] +ENABLED = true +FROM = git-no-reply@benoit.jp.net +MAILER_TYPE = smtp +SMTP_ADDR = mail.benoit.jp.net +SMTP_PORT = 465 +IS_TLS_ENABLED = true +USER = git-no-reply@benoit.jp.net +PASSWD = + +[service] +REGISTER_EMAIL_CONFIRM = false +ENABLE_NOTIFY_MAIL = false +DISABLE_REGISTRATION = true +ALLOW_ONLY_EXTERNAL_REGISTRATION = false +ENABLE_CAPTCHA = false +REQUIRE_SIGNIN_VIEW = false +DEFAULT_KEEP_EMAIL_PRIVATE = false 
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true +DEFAULT_ENABLE_TIMETRACKING = true +NO_REPLY_ADDRESS = noreply.benoit.jp.net + +[openid] +ENABLE_OPENID_SIGNIN = false +ENABLE_OPENID_SIGNUP = false + +[session] +PROVIDER = file + +[log] +MODE = console +LEVEL = info +ROOT_PATH = /var/lib/gitea/log +ROUTER = console + +[repository.pull-request] +DEFAULT_MERGE_STYLE = merge + +[repository.signing] +DEFAULT_TRUST_MODEL = committer + +[security] +INSTALL_LOCK = true +INTERNAL_TOKEN = +PASSWORD_HASH_ALGO = argon2 + +[oauth2] +JWT_SECRET = +EOT diff --git a/cinc-repo/policyfiles/gtw.rb b/cinc-repo/policyfiles/gtw.rb new file mode 100644 index 0000000..6820cc4 --- /dev/null +++ b/cinc-repo/policyfiles/gtw.rb 
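Review bot: `SSH_SERVER_USE_PROXY_PROTOCOL = true` on the built-in SSH server at `SSH_LISTEN_HOST = 10.78.127.119` / `SSH_LISTEN_PORT = 10022` makes Forgejo trust the client address carried in the PROXY header of whoever connects to that port; that matches HAProxy's `git-ssh 10.78.127.119:10022 send-proxy` in gtw.rb, but it is only safe if 10022 accepts connections from the HAProxy host alone, so put that requirement next to it (`# 10022 must only be reachable from the gtw HAProxy; PROXY headers are trusted`). `INTERNAL_TOKEN`, `LFS_JWT_SECRET` and `JWT_SECRET` are left empty under `load_config = true`; if the cookbook rewrites app.ini on every run, whatever Forgejo generates at first start would be overwritten on the next converge — worth confirming and noting on those lines. `DISABLE_REGISTRATION = true` and `PASSWORD_HASH_ALGO = argon2` are sound defaults for a single-owner instance.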
@@ -0,0 +1,265 @@ +name 'gtw' + +### +# Cookbooks location +### + +# ESH +default_source :chef_repo, '../cookbooks' + +# Community +default_source :supermarket, 'https://supermarket.chef.io' + +### +# Run List +### + +run_list %w( + esh_system::hostname + esh_system::sshd + esh_ufw::rules + esh_wireguard::server + esh_haproxy::config + esh_letsencrypt::snap + esh_letsencrypt::certs + esh_letsencrypt::serve +) + +### +# Attributes +### + +### +# esh_system +### + +default['esh']['system']['hostname']['fqdn'] = 'gtw.benoit.jp.net' + +default['esh']['system']['sshd']['port'] = '28' +default['esh']['system']['sshd']['permitrootlogin'] = 'prohibit-password' +default['esh']['system']['sshd']['passwordauthentication'] = 'no' +default['esh']['system']['sshd']['maxauthtries'] = '3' +default['esh']['system']['sshd']['maxsessions'] = '5' +default['esh']['system']['sshd']['otp'] = false + +### +# esh_ufw +### + +default['esh']['ufw']['rules']['list'] = [ + 'limit from any to any port 22', + 'limit from any to any port 28', + 'allow from any to any port 25', + 'allow from any to any port 80', + 'allow from any to any port 443', + 'allow from any to any port 465', + 'allow from any to any port 853', + 'allow from any to any port 993', + 'allow from any to any port 4190', + 'allow from 10.10.10.3 to 10.10.10.1 port 8898', + 'allow from any to any port 51820', +] + +### +# esh_wireguard +### + +default['esh']['wireguard']['server']['privkey'] = '=' +default['esh']['wireguard']['server']['pubkey'] = '3JJ00aMP/1mPJeUW0sci4dIK4S4XBiTWWaBgZgq+LCQ=' +default['esh']['wireguard']['server']['address'] = '10.10.10.1/24, fdaf:345d:a5fc::1/64' +default['esh']['wireguard']['server']['listenport'] = '51820' +default['esh']['wireguard']['server']['pubint'] = 'enp1s0' +default['esh']['wireguard']['server']['routing'] = true +default['esh']['wireguard']['server']['peers'] = { + '3HNAZfx02qnpw2Tglrjs7KEnO3lUz1SZ/xUZUYGV6mo=': '10.10.10.3,fdaf:345d:a5fc::3,10.78.127.0/24,fd42:d7a4:755b:7893::/64', 
+ 'agIabJemiFUD+u8BCNmyO2PIgg2SGjQX573AIIkgExs=': '10.10.10.6,fdaf:345d:a5fc::6,10.121.231.1/24,fd42:4a26:3578:a318::1/64', +} + #'8j2fzeFgxk33a+cDemZluPAxlRN21bdmTMHVpayIhQg=': '10.10.10.4,fdaf:345d:a5fc::4,10.78.127.0/24,fd42:d7a4:755b:7893::/64', + #'2o41xCeNiUsfRMFg+fvbRIqTdAWjdPptMu8aRnZ3zyk=': '10.10.10.5' + +### +# esh_lestencrypt +### + +default['esh']['letsencrypt']['certs']['email'] = 'certbot@benpro.fr' +default['esh']['letsencrypt']['certs']['list'] = [ + +] +default['esh']['letsencrypt']['serve']['auth'] = '' +default['esh']['letsencrypt']['serve']['miniserve_url'] = 'https://github.com/svenstaro/miniserve/releases/download/v0.22.0/miniserve-0.22.0-x86_64-unknown-linux-gnu' +default['esh']['letsencrypt']['serve']['listen'] = '10.10.10.1' + +### +# esh_haproxy +### + +default['esh']['haproxy']['config']['stats_password'] = '' + +default['esh']['haproxy']['config']['listen'] = { + 'ssh': { + 'bind': '22', + 'mode': 'tcp', + 'server': 'git-ssh 10.78.127.119:10022 send-proxy', + }, + 'smtp': { + 'bind': '25', + 'mode': 'tcp', + 'server': 'mail 10.78.127.231:10025 send-proxy', + }, + 'smtps': { + 'bind': '465', + 'mode': 'tcp', + 'server': 'mail 10.78.127.231:10465 send-proxy', + }, + 'imaps': { + 'bind': '993', + 'mode': 'tcp', + 'server': 'mail 10.78.127.231:10993 send-proxy', + }, + 'sieve': { + 'bind': '4190', + 'mode': 'tcp', + 'server': 'mail 10.78.127.231:14190 send-proxy', + }, + 'adguard-dot': { + 'bind': '853', + 'mode': 'tcp', + 'server': 'adguard 10.78.127.201:10853 send-proxy', + }, +} + +default['esh']['haproxy']['config']['acls'] = { + 'mail': { + 'hosts': [ + 'mail.benoit.jp.net', + ], + 'denies': [ + '!JP !letsencrypt', + ], + 'backend': 'mail', + }, + 'archive': { + 'hosts': [ + 'blog.benpro.fr.archive.benoit.jp.net', + 'lekernelpanique.fr.archive.benoit.jp.net', + 'sysadmin-bookmarks.archive.benoit.jp.net', + ], + 'denies': [], + 'backend': 'archive', + }, + 'mkdocs': { + 'hosts': [ + 'www.benoit.jp.net', + 'benoit.jp.net', + ], + 
'denies': [], + 'backend': 'mkdocs', + }, + 'mkdocs-laminar': { + 'hosts': [ + 'laminar.benoit.jp.net', + ], + 'denies': [], + 'backend': 'mkdocs-laminar', + }, + 'mkdocs-webhook': { + 'hosts': [ + 'webhook.benoit.jp.net', + ], + 'denies': [], + 'backend': 'mkdocs-webhook', + }, + 'flux': { + 'hosts': [ + 'flux.benoit.jp.net', + ], + 'denies': [ + '!JP !letsencrypt' + ], + 'backend': 'flux', + }, + 'dns': { + 'hosts': [ + 'dns.benoit.jp.net', + 'tangorpro.dns.benoit.jp.net', + 'bluejay.dns.benoit.jp.net', + ], + 'denies': [ + '!JP !SG !letsencrypt' + ], + 'backend': 'dns', + }, + 'git': { + 'hosts': [ + 'git.benoit.jp.net', + ], + 'denies': [], + 'backend': 'git', + }, + 'photos': { + 'hosts': [ + 'photos.benoit.jp.net', + ], + 'denies': [ + '!JP !FR !letsencrypt', + ], + 'backend': 'photos', + }, + 'kb': { + 'hosts': [ + 'kb.benoit.jp.net', + ], + 'denies': [ + '!JP !letsencrypt', + ], + 'backend': 'kb', + }, + 'pwd': { + 'hosts': [ + 'pwd.benoit.jp.net', + ], + 'denies': [ + '!JP !letsencrypt', + ], + 'backend': 'pwd', + }, + 'risanokyoku': { + 'hosts': [ + 'risanokyoku.benoit.jp.net', + ], + 'denies': [ + '!JP !letsencrypt', + ], + 'backend': 'risanokyoku', + }, + 'ytb': { + 'hosts': [ + 'ytb.benoit.jp.net', + 'ytb-proxy.benoit.jp.net', + 'ytb-api.benoit.jp.net', + ], + 'denies': [ + '!JP !letsencrypt', + ], + 'backend': 'ytb', + }, +} + +default['esh']['haproxy']['config']['backends'] = { + 'archive': 'archive 10.78.127.252:80 check', + 'dns': 'dns 10.78.127.201:443 check ssl verify none', + 'flux': 'flux 10.78.127.111:8080 check', + 'git': 'git 10.78.127.119:3000 check', + 'kb': 'kb 10.78.127.127:80 check', + 'mail': 'mail 10.78.127.231:80 check', + 'mkdocs': 'mkdocs 10.78.127.73:80 check', + 'mkdocs-laminar': 'mkdocs-laminar 10.78.127.73:8080 check', + 'mkdocs-webhook': 'mkdocs-webhook 10.78.127.73:9000 check', + 'photos': 'photos 10.78.127.121:2342 check', + 'pwd': 'pwd 10.78.127.195:80 check', + 'risanokyoku': 'risanokyoku 10.121.231.3:4533 check', + 'ytb': 
'ytb 10.78.127.55:8080 check', +} + +default['esh']['haproxy']['config']['maxmind_key'] = '' +default['esh']['haproxy']['config']['hc_url'] = 'https://hc-ping.com/' diff --git a/cinc-repo/policyfiles/justfile b/cinc-repo/policyfiles/justfile new file mode 100644 index 0000000..c05abd8 --- /dev/null +++ b/cinc-repo/policyfiles/justfile @@ -0,0 +1,14 @@ +dst := 'none' +policy := 'none' + +oneshot: update && export rsync + +update: + cinc-cli update {{policy}}.rb + +export: + cinc-cli export {{policy}}.lock.json ../exported-policies/{{policy}} --force + +rsync: + rsync -a --delete --ignore-errors ../exported-policies/{{policy}} {{dst}} + diff --git a/cinc-repo/policyfiles/kb.rb b/cinc-repo/policyfiles/kb.rb new file mode 100644 index 0000000..568e60b --- /dev/null +++ b/cinc-repo/policyfiles/kb.rb @@ -0,0 +1,316 @@ +name 'kb' + +### +# Cookbooks location +### + +# ESH +default_source :chef_repo, '../cookbooks' + +# Community +default_source :supermarket, 'https://supermarket.chef.io' + +### +# Run List +### + +run_list %w( + esh_kanboard::default +) + +### +# Attributes +### + +### +# esh_kanboard +### + +default['esh']['kanboard']['version'] = '1.2.34' +default['esh']['kanboard']['config'] = <<~EOT + /var/lib/mysql/photoprism.sql\'"', + 'lxc exec ytb -- sh -c "docker exec -u 999 -t postgres sh -c \'pg_dump -U piped piped > /var/lib/postgresql/data/piped.sql\'"', +] +default['esh']['borgmatic']['timer'] = '*-*-* 21:00:00' diff --git a/cinc-repo/policyfiles/lxd2204.rb b/cinc-repo/policyfiles/lxd2204.rb new file mode 100644 index 0000000..f3886b4 --- /dev/null +++ b/cinc-repo/policyfiles/lxd2204.rb 
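Review bot: the `dns` backend is the only TLS hop in `default['esh']['haproxy']['config']['backends']` and it is declared with `'dns 10.78.127.201:443 check ssl verify none'`, so HAProxy accepts any certificate from that address; either verify against the issuing CA (`ssl verify required ca-file <ca-bundle-path>`) or add a comment explaining why verification is skipped on this internal hop. The two commented-out `peers` entries below the hash keep old public keys and their allowed addresses in the file; deleting rather than commenting avoids them being re-enabled by accident. `serve.auth = ''` together with `serve.listen = '10.10.10.1'` means access to the certificate/key server relies on the WireGuard tunnel and the `allow from 10.10.10.3 to 10.10.10.1 port 8898` UFW rule — a comment stating that this is the intended control is worth adding.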
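Review bot: `dst := 'none'` and `policy := 'none'` are placeholders, yet the recipes use them unchecked, so `just rsync` with no `dst` given runs `rsync -a --delete --ignore-errors ... none` against a local directory called `none`, and `just update` looks for `none.rb`; make the recipes fail fast when a variable still holds its default, e.g. a leading `test "{{dst}}" != none` line in `rsync` and `test "{{policy}}" != none` in `update`. `--delete --ignore-errors` together is also the kind of flag pair that deserves a comment on what it is allowed to remove at the destination.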
@@ -0,0 +1,183 @@ +name 'lxd2204' + +### +# Cookbooks location +### + +# ESH +default_source :chef_repo, '../cookbooks' + +# Community +default_source :supermarket, 'https://supermarket.chef.io' + +### +# Run List +### + +run_list %w( + esh_zfs::package + esh_zfs::pool + esh_zfs::scrub + esh_lxd::setup + esh_cloudflared::install + esh_cloudflared::cert + esh_lxd::containers + esh_lxd::resolved +) + +### +# Attributes +### + +### +# esh_zfs +### + +default['esh']['zfs']['pools'] = { + 'nvme': { + 'mount_point': 'none', + 'ashift': 12, + 'autotrim': 'on', + 'lz4_compress': 'enabled', + 'compression': 'on', + 'dedup': 'on', + 'target': '/dev/vdb', + }, + 'hdd': { + 'mount_point': 'none', + 'ashift': 12, + 'autotrim': 'off', + 'lz4_compress': 'enabled', + 'compression': 'on', + 'dedup': 'off', + 'target': '/dev/vdc', + }, + 'backup': { + 'mount_point': 'none', + 'ashift': 12, + 'autotrim': 'off', + 'lz4_compress': 'enabled', + 'compression': 'on', + 'dedup': 'on', + 'target': '/dev/vdd', + }, +} + +default['esh']['zfs']['scrub']['hc_url'] = 'https://hc-ping.com/' + +### +# esh_lxd +### + +default['esh']['lxd']['containers'] = { + 'archive': { + 'image': 'debian/11', + 'volumes': { + 'archive-data': { + 'pool': 'nvme', + 'path': '/var/lib/archive-data', + }, + }, + 'cloudflared': { + 'archive': { + 'archive.benpro.fr': 'http://archive:80', + }, + }, + }, + 'arc': { + 'cookbook': 'esh_archivebox', + 'image': 'debian/11', + 'cinc_flavor': 'debian/11', + 'volumes': { + 'arc-data': { + 'pool': 'nvme', + 'path': '/var/lib/arc-data', + }, + }, + 'apparmor': 'unconfined', + 'cloudflared': { + 'arc': { + 'arc.benpro.fr': 'http://arc:8000', + }, + }, + }, + 'ytb': { + 'cookbook': 'esh_piped', + 'image': 'debian/11', + 'cinc_flavor': 'debian/11', + 'volumes': { + 'ytb-postgresql': { + 'pool': 'nvme', + 'path': '/var/lib/postgresql', + }, + }, + 'apparmor': 'unconfined', + 'cloudflared': { + 'ytb': { + 'ytb.benpro.fr': 'http://ytb:80', + 'ytb-proxy.benpro.fr': 'http://ytb:80', + 
'ytb-api.benpro.fr': 'http://ytb:80', + }, + }, + }, + 'blog': { + 'cookbook': 'esh_writefreely', + 'image': 'debian/11', + 'cinc_flavor': 'debian/11', + 'volumes': { + 'blog-mysql': { + 'pool': 'nvme', + 'path': '/var/lib/mysql', + }, + }, + 'cloudflared': { + 'blog': { + 'blog.benpro.fr': 'http://blog:80', + }, + }, + }, + 'twt': { + 'cookbook': 'esh_nitter', + 'image': 'debian/11', + 'cinc_flavor': 'debian/11', + 'volumes': {}, + 'cloudflared': { + 'twt': { + 'twt.benpro.fr': 'http://twt:80', + }, + }, + }, + 'gallery': { + 'cookbook': 'esh_photoprism', + 'image': 'debian/11', + 'cinc_flavor': 'debian/11', + 'volumes': { + 'gallery-originals': { + 'pool': 'hdd', + 'path': '/var/lib/gallery-originals', + }, + 'gallery-storage': { + 'pool': 'nvme', + 'path': '/var/lib/gallery-storage', + }, + 'gallery-mysql': { + 'pool': 'nvme', + 'path': '/var/lib/mysql', + }, + }, + 'apparmor': 'unconfined', + 'cloudflared': { + 'gallery': { + 'gallery.benpro.fr': 'http://gallery:80', + 'gallery-sync.benpro.fr': 'http://gallery:8384', + }, + }, + }, +} + +### +# esh_cloudflared +### + +default['esh']['cloudflared']['cert'] = <<~EOT +EOT diff --git a/cinc-repo/policyfiles/mail.rb b/cinc-repo/policyfiles/mail.rb new file mode 100644 index 0000000..08f26ff --- /dev/null +++ b/cinc-repo/policyfiles/mail.rb 
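Review bot: `'apparmor': 'unconfined'` on the arc, ytb and gallery containers removes LXD's AppArmor confinement for the whole container, which is a broad privilege when the apparent reason (nested Docker, judging by the `lxc exec ytb -- sh -c "docker exec …"` backup command elsewhere in this patch) is usually covered by the narrower `security.nesting` instance key. How the cookbook maps 'unconfined' is not visible here, so at minimum each occurrence should carry a comment such as `# AppArmor disabled for the nested container runtime; prefer security.nesting if the cookbook supports it`. The `cloudflared.cert` heredoc at the end of the hunk is empty, which reads as a value scrubbed before archiving rather than a working configuration; a one-line comment saying so would spare the next reader a search.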
@@ -0,0 +1,54 @@
+name 'mail'
+
+###
+# Cookbooks location
+###
+
+# ESH
+default_source :chef_repo, '../cookbooks'
+
+# Community
+default_source :supermarket, 'https://supermarket.chef.io'
+
+###
+# Run List
+###
+
+ #esh_system::hostname
+run_list %w(
+ esh_system::postfix
+ esh_docker::service
+ esh_mailcow::install
+)
+
+###
+# Attributes
+###
+
+###
+# esh_system
+###
+
+default['esh']['system']['hostname']['fqdn'] = 'mail.home.arpa'
+
+###
+# esh_mailcow
+###
+
+default['esh']['mailcow']['install']['fqdn'] = 'mail.benoit.jp.net'
+default['esh']['mailcow']['install']['timezone'] = 'Asia/Tokyo'
+
+# Set to 1 for stable updates
+# Set to 2 for unstable updates, testing
+default['esh']['mailcow']['install']['branch'] = '1'
+
+default['esh']['mailcow']['install']['haproxy'] = true
+default['esh']['mailcow']['install']['haproxy_trusted_networks'] = '10.10.10.0/24'
+
+default['esh']['mailcow']['install']['postfix_myhostname'] = 'gtw.benoit.jp.net'
+
+default['esh']['mailcow']['install']['cert_pub'] = 'http://10.10.10.1:8898/mail.benoit.jp.net/fullchain.pem'
+default['esh']['mailcow']['install']['cert_priv'] = 'http://10.10.10.1:8898/mail.benoit.jp.net/privkey.pem'
+default['esh']['mailcow']['install']['cert_auth'] = ''
+
+default['esh']['mailcow']['install']['clamd'] = false
diff --git a/cinc-repo/policyfiles/mkdocs.rb b/cinc-repo/policyfiles/mkdocs.rb
new file mode 100644
index 0000000..cb00859
--- /dev/null
+++ b/cinc-repo/policyfiles/mkdocs.rb
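Review bot: `cert_priv` points at `http://10.10.10.1:8898/mail.benoit.jp.net/privkey.pem` with `cert_auth` left empty, so the mail server's TLS private key is fetched over cleartext HTTP with no authentication, and any host on that segment that can read or answer the request can obtain or substitute the key. If the fetch has to stay HTTP-based, the cookbook side should refuse an empty `cert_auth` and the transport should be HTTPS or a file push over SSH/LXD; either way a comment here should record where the key is served from and why that path is considered trusted. Separately, `esh_system::hostname` is commented out above `run_list` (with stray leading whitespace) while `default['esh']['system']['hostname']['fqdn']` is still set, so that attribute is dead; drop it or note why the recipe is disabled.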
@@ -0,0 +1,39 @@
+name 'mkdocs'
+
+###
+# Cookbooks location
+###
+
+# ESH
+default_source :chef_repo, '../cookbooks'
+
+# Community
+default_source :supermarket, 'https://supermarket.chef.io'
+
+###
+# Run List
+###
+
+run_list %w(
+ esh_laminar::service
+ esh_mkdocs::install
+ esh_webhook::system
+ esh_webhook::service
+)
+
+###
+# Attributes
+###
+
+###
+# esh_laminar
+###
+
+default['esh']['laminar']['service']['package'] = 'https://github.com/ohwgiles/laminar/releases/download/1.2/laminar_1.2-1.upstream-debian11_amd64.deb'
+
+###
+# esh_webhook
+###
+
+default['esh']['webhook']['service']['version'] = '2.8.0'
+default['esh']['webhook']['service']['hook_secret'] = ''
diff --git a/cinc-repo/policyfiles/photos.rb b/cinc-repo/policyfiles/photos.rb
new file mode 100644
index 0000000..0dde4b4
--- /dev/null
+++ b/cinc-repo/policyfiles/photos.rb
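Review bot: `hook_secret` is set to the empty string and nothing in the hunk shows the cookbook rejecting an empty value, so if esh_webhook passes it through unchanged the webhook endpoint would accept unsigned requests. If the value was scrubbed for archiving, say so, e.g. `# hook_secret scrubbed; the real value lived in an encrypted data bag`; otherwise source it from a data bag rather than the policyfile. The laminar `.deb` is pulled from a fixed GitHub release URL with no checksum attribute beside it; whether the cookbook verifies the download is not visible here, but pinning a SHA-256 next to the URL would make the install reproducible and tamper-evident.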
@@ -0,0 +1,118 @@ +name 'photos' + +### +# Cookbooks location +### + +# ESH +default_source :chef_repo, '../cookbooks' + +# Community +default_source :supermarket, 'https://supermarket.chef.io' + +### +# Run List +### + +run_list %w( + esh_docker::service + esh_photoprism::system + esh_photoprism::compose + esh_syncthing::service +) + +### +# Attributes +### + +### +# esh_photoprism +### + +PHOTOPRISM_ADMIN_USER = 'benoit'.freeze +PHOTOPRISM_ADMIN_PASSWORD = ''.freeze +PHOTOPRISM_AUTH_MODE = 'password'.freeze +PHOTOPRISM_SITE_URL = 'https://photos.benoit.jp.net'.freeze +PHOTOPRISM_DISABLE_TLS = 'false'.freeze +PHOTOPRISM_DEFAULT_TLS = 'false'.freeze +PHOTOPRISM_ORIGINALS_LIMIT = 5000 +PHOTOPRISM_HTTP_COMPRESSION = 'gzip'.freeze +PHOTOPRISM_LOG_LEVEL = 'info'.freeze +PHOTOPRISM_READONLY = 'true'.freeze +PHOTOPRISM_EXPERIMENTAL = 'false'.freeze +PHOTOPRISM_DISABLE_CHOWN = 'true'.freeze +PHOTOPRISM_DISABLE_WEBDAV = 'true'.freeze +PHOTOPRISM_DISABLE_SETTINGS = 'false'.freeze +PHOTOPRISM_DISABLE_TENSORFLOW = 'false'.freeze +PHOTOPRISM_DISABLE_FACES = 'false'.freeze +PHOTOPRISM_DISABLE_CLASSIFICATION = 'false'.freeze +PHOTOPRISM_DISABLE_VECTORS = 'false'.freeze +PHOTOPRISM_DISABLE_RAW = 'false'.freeze +PHOTOPRISM_RAW_PRESETS = 'false'.freeze +PHOTOPRISM_JPEG_QUALITY = 85 +PHOTOPRISM_DETECT_NSFW = 'false'.freeze +PHOTOPRISM_UPLOAD_NSFW = 'true'.freeze +PHOTOPRISM_DATABASE_DRIVER = 'mysql'.freeze +PHOTOPRISM_DATABASE_SERVER = 'mariadb:3306'.freeze +PHOTOPRISM_DATABASE_NAME = 'photoprism'.freeze +PHOTOPRISM_DATABASE_USER = 'photoprism'.freeze +PHOTOPRISM_DATABASE_PASSWORD = 'Enrage-Spring-Refill1'.freeze +PHOTOPRISM_SITE_CAPTION = 'Photos by Benoit'.freeze +PHOTOPRISM_SITE_DESCRIPTION = 'Photos by Benoit'.freeze +PHOTOPRISM_SITE_AUTHOR = 'benoit.jp.net'.freeze +PHOTOPRISM_INIT = 'tensorflow'.freeze +PHOTOPRISM_UID = 998 +PHOTOPRISM_GID = 998 + +default['esh']['photoprism']['environment'] = [ + "PHOTOPRISM_ADMIN_USER: #{PHOTOPRISM_ADMIN_USER}", + "PHOTOPRISM_ADMIN_PASSWORD: 
#{PHOTOPRISM_ADMIN_PASSWORD}", + "PHOTOPRISM_AUTH_MODE: #{PHOTOPRISM_AUTH_MODE}", + "PHOTOPRISM_SITE_URL: #{PHOTOPRISM_SITE_URL}", + "PHOTOPRISM_DISABLE_TLS: #{PHOTOPRISM_DISABLE_TLS}", + "PHOTOPRISM_DEFAULT_TLS: #{PHOTOPRISM_DEFAULT_TLS}", + "PHOTOPRISM_ORIGINALS_LIMIT: #{PHOTOPRISM_ORIGINALS_LIMIT}", + "PHOTOPRISM_HTTP_COMPRESSION: #{PHOTOPRISM_HTTP_COMPRESSION}", + "PHOTOPRISM_LOG_LEVEL: #{PHOTOPRISM_LOG_LEVEL}", + "PHOTOPRISM_READONLY: #{PHOTOPRISM_READONLY}", + "PHOTOPRISM_EXPERIMENTAL: #{PHOTOPRISM_EXPERIMENTAL}", + "PHOTOPRISM_DISABLE_CHOWN: #{PHOTOPRISM_DISABLE_CHOWN}", + "PHOTOPRISM_DISABLE_WEBDAV: #{PHOTOPRISM_DISABLE_WEBDAV}", + "PHOTOPRISM_DISABLE_SETTINGS: #{PHOTOPRISM_DISABLE_SETTINGS}", + "PHOTOPRISM_DISABLE_TENSORFLOW: #{PHOTOPRISM_DISABLE_TENSORFLOW}", + "PHOTOPRISM_DISABLE_FACES: #{PHOTOPRISM_DISABLE_FACES}", + "PHOTOPRISM_DISABLE_CLASSIFICATION: #{PHOTOPRISM_DISABLE_CLASSIFICATION}", + "PHOTOPRISM_DISABLE_VECTORS: #{PHOTOPRISM_DISABLE_VECTORS}", + "PHOTOPRISM_DISABLE_RAW: #{PHOTOPRISM_DISABLE_RAW}", + "PHOTOPRISM_RAW_PRESETS: #{PHOTOPRISM_RAW_PRESETS}", + "PHOTOPRISM_JPEG_QUALITY: #{PHOTOPRISM_JPEG_QUALITY}", + "PHOTOPRISM_DETECT_NSFW: #{PHOTOPRISM_DETECT_NSFW}", + "PHOTOPRISM_UPLOAD_NSFW: #{PHOTOPRISM_UPLOAD_NSFW}", + "PHOTOPRISM_DATABASE_DRIVER: #{PHOTOPRISM_DATABASE_DRIVER}", + "PHOTOPRISM_DATABASE_SERVER: #{PHOTOPRISM_DATABASE_SERVER}", + "PHOTOPRISM_DATABASE_NAME: #{PHOTOPRISM_DATABASE_NAME}", + "PHOTOPRISM_DATABASE_USER: #{PHOTOPRISM_DATABASE_USER}", + "PHOTOPRISM_DATABASE_PASSWORD: #{PHOTOPRISM_DATABASE_PASSWORD}", + "PHOTOPRISM_SITE_CAPTION: #{PHOTOPRISM_SITE_CAPTION}", + "PHOTOPRISM_SITE_DESCRIPTION: #{PHOTOPRISM_SITE_DESCRIPTION}", + "PHOTOPRISM_SITE_AUTHOR: #{PHOTOPRISM_SITE_AUTHOR}", + "PHOTOPRISM_INIT: #{PHOTOPRISM_INIT}", + "PHOTOPRISM_UID: #{PHOTOPRISM_UID}", + "PHOTOPRISM_GID: #{PHOTOPRISM_GID}", +] + +default['esh']['photoprism']['volumes'] = %w( + /var/lib/photos-originals:/photoprism/originals + 
/var/lib/photos-storage:/photoprism/storage +) +default['esh']['photoprism']['mariadb']['volumes'] = %w( + /var/lib/mysql:/var/lib/mysql +) +default['esh']['photoprism']['mariadb']['password'] = PHOTOPRISM_DATABASE_PASSWORD +default['esh']['photoprism']['mariadb']['root_password'] = '' + +### +# esh_syncthing +### + +default['esh']['syncthing']['service']['user'] = 'photoprism' diff --git a/cinc-repo/policyfiles/pwd.rb b/cinc-repo/policyfiles/pwd.rb new file mode 100644 index 0000000..18eec8b --- /dev/null +++ b/cinc-repo/policyfiles/pwd.rb 
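Review bot: `PHOTOPRISM_DATABASE_PASSWORD = 'Enrage-Spring-Refill1'` is a live-looking credential committed in plain text, while `PHOTOPRISM_ADMIN_PASSWORD` and `mariadb.root_password` in the same hunk were blanked, so the scrub was incomplete; that password should be treated as exposed (rotated if the instance still exists) and the line replaced with a data-bag lookup or a blank placeholder like the others. `default['esh']['photoprism']['mariadb']['root_password'] = ''` also deserves a comment: if the compose recipe forwards it unchanged, MariaDB is brought up with an empty root password. On style, the `environment` list is built from `"KEY: #{value}"` strings that presumably end up as YAML; a value containing `:` or `#` would break or alter the document, so either quote the values or have the cookbook serialize a hash instead.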
@@ -0,0 +1,590 @@
+name 'pwd'
+
+###
+# Cookbooks location
+###
+
+# ESH
+default_source :chef_repo, '../cookbooks'
+
+# Community
+default_source :supermarket, 'https://supermarket.chef.io'
+
+###
+# Run List
+###
+
+run_list %w(
+ esh_vaultwarden::service
+)
+
+###
+# Attributes
+###
+
+###
+# esh_vaultwarden
+###
+
+default['esh']['vaultwarden']['docker']['image'] = 'docker.io/vaultwarden/server:1.32.4'
+default['esh']['vaultwarden']['service']['config'] = <<~EOT
+# shellcheck disable=SC2034,SC2148
+## Vaultwarden Configuration File
+## Uncomment any of the following lines to change the defaults
+##
+## Be aware that most of these settings will be overridden if they were changed
+## in the admin interface. Those overrides are stored within DATA_FOLDER/config.json .
+##
+## By default, Vaultwarden expects for this file to be named ".env" and located
+## in the current working directory. If this is not the case, the environment
+## variable ENV_FILE can be set to the location of this file prior to starting
+## Vaultwarden.
+ +#################### +### Data folders ### +#################### + +## Main data folder +DATA_FOLDER=/var/lib/vaultwarden + +## Individual folders, these override %DATA_FOLDER% +# RSA_KEY_FILENAME=data/rsa_key +# ICON_CACHE_FOLDER=data/icon_cache +# ATTACHMENTS_FOLDER=data/attachments +# SENDS_FOLDER=data/sends +# TMP_FOLDER=data/tmp + +## Templates data folder, by default uses embedded templates +## Check source code to see the format +# TEMPLATES_FOLDER=data/templates +## Automatically reload the templates for every request, slow, use only for development +# RELOAD_TEMPLATES=false + +## Web vault settings +WEB_VAULT_FOLDER=/opt/undocker/vaultwarden/server/rootfs/web-vault +WEB_VAULT_ENABLED=true + +######################### +### Database settings ### +######################### + +## Database URL +## When using SQLite, this is the path to the DB file, default to %DATA_FOLDER%/db.sqlite3 +# DATABASE_URL=data/db.sqlite3 +## When using MySQL, specify an appropriate connection URI. +## Details: https://docs.diesel.rs/2.1.x/diesel/mysql/struct.MysqlConnection.html +# DATABASE_URL=mysql://user:password@host[:port]/database_name +## When using PostgreSQL, specify an appropriate connection URI (recommended) +## or keyword/value connection string. +## Details: +## - https://docs.diesel.rs/2.1.x/diesel/pg/struct.PgConnection.html +## - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING +# DATABASE_URL=postgresql://user:password@host[:port]/database_name + +## Enable WAL for the DB +## Set to false to avoid enabling WAL during startup. +## Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB, +## this setting only prevents Vaultwarden from automatically enabling it on start. +## Please read project wiki page about this setting first before changing the value as it can +## cause performance degradation or might render the service unable to start. 
+# ENABLE_DB_WAL=true + +## Database connection retries +## Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely +# DB_CONNECTION_RETRIES=15 + +## Database timeout +## Timeout when acquiring database connection +# DATABASE_TIMEOUT=30 + +## Database max connections +## Define the size of the connection pool used for connecting to the database. +# DATABASE_MAX_CONNS=10 + +## Database connection initialization +## Allows SQL statements to be run whenever a new database connection is created. +## This is mainly useful for connection-scoped pragmas. +## If empty, a database-specific default is used: +## - SQLite: "PRAGMA busy_timeout = 5000; PRAGMA synchronous = NORMAL;" +## - MySQL: "" +## - PostgreSQL: "" +# DATABASE_CONN_INIT="" + +################# +### WebSocket ### +################# + +## Enable websocket notifications +ENABLE_WEBSOCKET=true + +########################## +### Push notifications ### +########################## + +## Enables push notifications (requires key and id from https://bitwarden.com/host) +## Details about mobile client push notification: +## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification +# PUSH_ENABLED=false +# PUSH_INSTALLATION_ID=CHANGEME +# PUSH_INSTALLATION_KEY=CHANGEME + +# WARNING: Do not modify the following settings unless you fully understand their implications! +# Default Push Relay and Identity URIs +# PUSH_RELAY_URI=https://push.bitwarden.com +# PUSH_IDENTITY_URI=https://identity.bitwarden.com +# European Union Data Region Settings +# If you have selected "European Union" as your data region, use the following URIs instead. 
+# PUSH_RELAY_URI=https://api.bitwarden.eu +# PUSH_IDENTITY_URI=https://identity.bitwarden.eu + +##################### +### Schedule jobs ### +##################### + +## Job scheduler settings +## +## Job schedules use a cron-like syntax (as parsed by https://crates.io/crates/cron), +## and are always in terms of UTC time (regardless of your local time zone settings). +## +## The schedule format is a bit different from crontab as crontab does not contains seconds. +## You can test the the format here: https://crontab.guru, but remove the first digit! +## SEC MIN HOUR DAY OF MONTH MONTH DAY OF WEEK +## "0 30 9,12,15 1,15 May-Aug Mon,Wed,Fri" +## "0 30 * * * * " +## "0 30 1 * * * " +## +## How often (in ms) the job scheduler thread checks for jobs that need running. +## Set to 0 to globally disable scheduled jobs. +# JOB_POLL_INTERVAL_MS=30000 +## +## Cron schedule of the job that checks for Sends past their deletion date. +## Defaults to hourly (5 minutes after the hour). Set blank to disable this job. +# SEND_PURGE_SCHEDULE="0 5 * * * *" +## +## Cron schedule of the job that checks for trashed items to delete permanently. +## Defaults to daily (5 minutes after midnight). Set blank to disable this job. +# TRASH_PURGE_SCHEDULE="0 5 0 * * *" +## +## Cron schedule of the job that checks for incomplete 2FA logins. +## Defaults to once every minute. Set blank to disable this job. +# INCOMPLETE_2FA_SCHEDULE="30 * * * * *" +## +## Cron schedule of the job that sends expiration reminders to emergency access grantors. +## Defaults to hourly (3 minutes after the hour). Set blank to disable this job. +# EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE="0 3 * * * *" +## +## Cron schedule of the job that grants emergency access requests that have met the required wait time. +## Defaults to hourly (7 minutes after the hour). Set blank to disable this job. +# EMERGENCY_REQUEST_TIMEOUT_SCHEDULE="0 7 * * * *" +## +## Cron schedule of the job that cleans old events from the event table. 
+## Defaults to daily. Set blank to disable this job. Also without EVENTS_DAYS_RETAIN set, this job will not start. +# EVENT_CLEANUP_SCHEDULE="0 10 0 * * *" +## Number of days to retain events stored in the database. +## If unset (the default), events are kept indefinitely and the scheduled job is disabled! +# EVENTS_DAYS_RETAIN= +## +## Cron schedule of the job that cleans old auth requests from the auth request. +## Defaults to every minute. Set blank to disable this job. +# AUTH_REQUEST_PURGE_SCHEDULE="30 * * * * *" +## +## Cron schedule of the job that cleans expired Duo contexts from the database. Does nothing if Duo MFA is disabled or set to use the legacy iframe prompt. +## Defaults to every minute. Set blank to disable this job. +# DUO_CONTEXT_PURGE_SCHEDULE="30 * * * * *" + +######################## +### General settings ### +######################## + +## Domain settings +## The domain must match the address from where you access the server +## It's recommended to configure this value, otherwise certain functionality might not work, +## like attachment downloads, email links and U2F. +## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs +## To use HTTPS, the recommended way is to put Vaultwarden behind a reverse proxy +## Details: +## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS +## - https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples +## For development +# DOMAIN=http://localhost +## For public server +DOMAIN=https://pwd.benoit.jp.net +## For public server (URL with port number) +# DOMAIN=https://vw.domain.tld:8443 +## For public server (URL with path) +# DOMAIN=https://domain.tld/vw + +## Controls whether users are allowed to create Bitwarden Sends. +## This setting applies globally to all users. +## To control this on a per-org basis instead, use the "Disable Send" org policy. 
+# SENDS_ALLOWED=true + +## HIBP Api Key +## HaveIBeenPwned API Key, request it here: https://haveibeenpwned.com/API/Key +# HIBP_API_KEY= + +## Per-organization attachment storage limit (KB) +## Max kilobytes of attachment storage allowed per organization. +## When this limit is reached, organization members will not be allowed to upload further attachments for ciphers owned by that organization. +# ORG_ATTACHMENT_LIMIT= +## Per-user attachment storage limit (KB) +## Max kilobytes of attachment storage allowed per user. +## When this limit is reached, the user will not be allowed to upload further attachments. +# USER_ATTACHMENT_LIMIT= +## Per-user send storage limit (KB) +## Max kilobytes of send storage allowed per user. +## When this limit is reached, the user will not be allowed to upload further sends. +# USER_SEND_LIMIT= + +## Number of days to wait before auto-deleting a trashed item. +## If unset (the default), trashed items are not auto-deleted. +## This setting applies globally, so make sure to inform all users of any changes to this setting. +# TRASH_AUTO_DELETE_DAYS= + +## Number of minutes to wait before a 2FA-enabled login is considered incomplete, +## resulting in an email notification. An incomplete 2FA login is one where the correct +## master password was provided but the required 2FA step was not completed, which +## potentially indicates a master password compromise. Set to 0 to disable this check. +## This setting applies globally to all users. +# INCOMPLETE_2FA_TIME_LIMIT=3 + +## Disable icon downloading +## Set to true to disable icon downloading in the internal icon service. +## This still serves existing icons from $ICON_CACHE_FOLDER, without generating any external +## network requests. $ICON_CACHE_TTL must also be set to 0; otherwise, the existing icons +## will be deleted eventually, but won't be downloaded again. 
+# DISABLE_ICON_DOWNLOAD=false + +## Controls if new users can register +SIGNUPS_ALLOWED=false + +## Controls if new users need to verify their email address upon registration +## Note that setting this option to true prevents logins until the email address has been verified! +## The welcome email will include a verification link, and login attempts will periodically +## trigger another verification email to be sent. +SIGNUPS_VERIFY=true + +## If SIGNUPS_VERIFY is set to true, this limits how many seconds after the last time +## an email verification link has been sent another verification email will be sent +SIGNUPS_VERIFY_RESEND_TIME=600 + +## If SIGNUPS_VERIFY is set to true, this limits how many times an email verification +## email will be re-sent upon an attempted login. +# SIGNUPS_VERIFY_RESEND_LIMIT=6 + +## Controls if new users from a list of comma-separated domains can register +## even if SIGNUPS_ALLOWED is set to false +# SIGNUPS_DOMAINS_WHITELIST=example.com,example.net,example.org + +## Controls whether event logging is enabled for organizations +## This setting applies to organizations. +## Disabled by default. Also check the EVENT_CLEANUP_SCHEDULE and EVENTS_DAYS_RETAIN settings. +# ORG_EVENTS_ENABLED=false + +## Controls which users can create new orgs. 
+## Blank or 'all' means all users can create orgs (this is the default): +# ORG_CREATION_USERS= +## 'none' means no users can create orgs: +# ORG_CREATION_USERS=none +## A comma-separated list means only those users can create orgs: +# ORG_CREATION_USERS=admin1@example.com,admin2@example.com + +## Invitations org admins to invite users, even when signups are disabled +# INVITATIONS_ALLOWED=true +## Name shown in the invitation emails that don't come from a specific organization +# INVITATION_ORG_NAME=Vaultwarden + +## The number of hours after which an organization invite token, emergency access invite token, +## email verification token and deletion request token will expire (must be at least 1) +# INVITATION_EXPIRATION_HOURS=120 + +## Controls whether users can enable emergency access to their accounts. +## This setting applies globally to all users. +# EMERGENCY_ACCESS_ALLOWED=true + +## Controls whether users can change their email. +## This setting applies globally to all users +# EMAIL_CHANGE_ALLOWED=true + +## Number of server-side passwords hashing iterations for the password hash. +## The default for new users. If changed, it will be updated during login for existing users. +# PASSWORD_ITERATIONS=600000 + +## Controls whether users can set password hints. This setting applies globally to all users. +# PASSWORD_HINTS_ALLOWED=true + +## Controls whether a password hint should be shown directly in the web page if +## SMTP service is not configured. Not recommended for publicly-accessible instances +## as this provides unauthenticated access to potentially sensitive data. 
+# SHOW_PASSWORD_HINT=false + +######################### +### Advanced settings ### +######################### + +## Client IP Header, used to identify the IP of the client, defaults to "X-Real-IP" +## Set to the string "none" (without quotes), to disable any headers and just use the remote IP +IP_HEADER=X-Forwarded-For + +## Icon service +## The predefined icon services are: internal, bitwarden, duckduckgo, google. +## To specify a custom icon service, set a URL template with exactly one instance of `{}`, +## which is replaced with the domain. For example: `https://icon.example.com/domain/{}`. +## +## `internal` refers to Vaultwarden's built-in icon fetching implementation. +## If an external service is set, an icon request to Vaultwarden will return an HTTP +## redirect to the corresponding icon at the external service. An external service may +## be useful if your Vaultwarden instance has no external network connectivity, or if +## you are concerned that someone may probe your instance to try to detect whether icons +## for certain sites have been cached. +# ICON_SERVICE=internal + +## Icon redirect code +## The HTTP status code to use for redirects to an external icon service. +## The supported codes are 301 (legacy permanent), 302 (legacy temporary), 307 (temporary), and 308 (permanent). +## Temporary redirects are useful while testing different icon services, but once a service +## has been decided on, consider using permanent redirects for cacheability. The legacy codes +## are currently better supported by the Bitwarden clients. +# ICON_REDIRECT_CODE=302 + +## Cache time-to-live for successfully obtained icons, in seconds (0 is "forever") +## Default: 2592000 (30 days) +# ICON_CACHE_TTL=2592000 +## Cache time-to-live for icons which weren't available, in seconds (0 is "forever") +## Default: 2592000 (3 days) +# ICON_CACHE_NEGTTL=259200 + +## Icon download timeout +## Configure the timeout value when downloading the favicons. 
+## The default is 10 seconds, but this could be to low on slower network connections +# ICON_DOWNLOAD_TIMEOUT=10 + +## Block HTTP domains/IPs by Regex +## Any domains or IPs that match this regex won't be fetched by the internal HTTP client. +## Useful to hide other servers in the local network. Check the WIKI for more details +## NOTE: Always enclose this regex withing single quotes! +# HTTP_REQUEST_BLOCK_REGEX='^(192\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$' + +## Enabling this will cause the internal HTTP client to refuse to connect to any non global IP address. +## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block +# HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS=true + +## Client Settings +## Enable experimental feature flags for clients. +## This is a comma-separated list of flags, e.g. "flag1,flag2,flag3". +## +## The following flags are available: +## - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials. +## - "autofill-v2": Use the new autofill implementation. +## - "browser-fileless-import": Directly import credentials from other providers without a file. +## - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor. +# EXPERIMENTAL_CLIENT_FEATURE_FLAGS=fido2-vault-credentials + +## Require new device emails. When a user logs in an email is required to be sent. +## If sending the email fails the login attempt will fail!! +REQUIRE_DEVICE_EMAIL=true + +## Enable extended logging, which shows timestamps and targets in the logs +# EXTENDED_LOGGING=true + +## Timestamp format used in extended logging. 
+## Format specifiers: https://docs.rs/chrono/latest/chrono/format/strftime +# LOG_TIMESTAMP_FORMAT="%Y-%m-%d %H:%M:%S.%3f" + +## Logging to Syslog +## This requires extended logging +# USE_SYSLOG=false + +## Logging to file +# LOG_FILE=/path/to/log + +## Log level +## Change the verbosity of the log output +## Valid values are "trace", "debug", "info", "warn", "error" and "off" +## Setting it to "trace" or "debug" would also show logs for mounted routes and static file, websocket and alive requests +## For a specific module append a comma separated `path::to::module=log_level` +## For example, to only see debug logs for icons use: LOG_LEVEL="info,vaultwarden::api::icons=debug" +# LOG_LEVEL=info + +## Token for the admin interface, preferably an Argon2 PCH string +## Vaultwarden has a built-in generator by calling `vaultwarden hash` +## For details see: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token +## If not set, the admin panel is disabled +## New Argon2 PHC string +## Note that for some environments, like docker-compose you need to escape all the dollar signs `$` with an extra dollar sign like `$$` +## Also, use single quotes (') instead of double quotes (") to enclose the string when needed + +## Enable this to bypass the admin panel security. This option is only +## meant to be used with the use of a separate auth layer in front +# DISABLE_ADMIN_TOKEN=false + +## Number of seconds, on average, between admin login requests from the same IP address before rate limiting kicks in. +# ADMIN_RATELIMIT_SECONDS=300 +## Allow a burst of requests of up to this size, while maintaining the average indicated by `ADMIN_RATELIMIT_SECONDS`. +# ADMIN_RATELIMIT_MAX_BURST=3 + +## Set the lifetime of admin sessions to this value (in minutes). +# ADMIN_SESSION_LIFETIME=20 + +## Allowed iframe ancestors (Know the risks!) 
+## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors +## Allows other domains to embed the web vault into an iframe, useful for embedding into secure intranets +## This adds the configured value to the 'Content-Security-Policy' headers 'frame-ancestors' value. +## Multiple values must be separated with a whitespace. +# ALLOWED_IFRAME_ANCESTORS= + +## Number of seconds, on average, between login requests from the same IP address before rate limiting kicks in. +# LOGIN_RATELIMIT_SECONDS=60 +## Allow a burst of requests of up to this size, while maintaining the average indicated by `LOGIN_RATELIMIT_SECONDS`. +## Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2. +# LOGIN_RATELIMIT_MAX_BURST=10 + +## BETA FEATURE: Groups +## Controls whether group support is enabled for organizations +## This setting applies to organizations. +## Disabled by default because this is a beta feature, it contains known issues! +## KNOW WHAT YOU ARE DOING! +# ORG_GROUPS_ENABLED=false + +## Increase secure note size limit (Know the risks!) +## Sets the secure note size limit to 100_000 instead of the default 10_000. +## WARNING: This could cause issues with clients. Also exports will not work on Bitwarden servers! +## KNOW WHAT YOU ARE DOING! +# INCREASE_NOTE_SIZE_LIMIT=false + +######################## +### MFA/2FA settings ### +######################## + +## Yubico (Yubikey) Settings +## Set your Client ID and Secret Key for Yubikey OTP +## You can generate it here: https://upgrade.yubico.com/getapikey/ +## You can optionally specify a custom OTP server +# YUBICO_CLIENT_ID=11111 +# YUBICO_SECRET_KEY=AAAAAAAAAAAAAAAAAAAAAAAA +# YUBICO_SERVER=http://yourdomain.com/wsapi/2.0/verify + +## Duo Settings +## You need to configure the DUO_IKEY, DUO_SKEY, and DUO_HOST options to enable global Duo support. +## Otherwise users will need to configure it themselves. 
+## Create an account and protect an application as mentioned in this link (only the first step, not the rest): +## https://help.bitwarden.com/article/setup-two-step-login-duo/#create-a-duo-security-account +## Then set the following options, based on the values obtained from the last step: +# DUO_IKEY= +# DUO_SKEY= +# DUO_HOST= +## After that, you should be able to follow the rest of the guide linked above, +## ignoring the fields that ask for the values that you already configured beforehand. +## +## If you want to attempt to use Duo's 'Traditional Prompt' (deprecated, iframe based) set DUO_USE_IFRAME to 'true'. +## Duo no longer supports this, but it still works for some integrations. +## If you aren't sure, leave this alone. +# DUO_USE_IFRAME=false + +## Email 2FA settings +## Email token size +## Number of digits in an email 2FA token (min: 6, max: 255). +## Note that the Bitwarden clients are hardcoded to mention 6 digit codes regardless of this setting! +# EMAIL_TOKEN_SIZE=6 +## +## Token expiration time +## Maximum time in seconds a token is valid. The time the user has to open email client and copy token. +# EMAIL_EXPIRATION_TIME=600 +## +## Maximum attempts before an email token is reset and a new email will need to be sent. +# EMAIL_ATTEMPTS_LIMIT=3 +## +## Setup email 2FA regardless of any organization policy +# EMAIL_2FA_ENFORCE_ON_VERIFIED_INVITE=false +## Automatically setup email 2FA as fallback provider when needed +# EMAIL_2FA_AUTO_FALLBACK=false + +## Other MFA/2FA settings +## Disable 2FA remember +## Enabling this would force the users to use a second factor to login every time. +## Note that the checkbox would still be present, but ignored. +# DISABLE_2FA_REMEMBER=false +## +## Authenticator Settings +## Disable authenticator time drifted codes to be valid. 
+## TOTP codes of the previous and next 30 seconds will be invalid
+##
+## According to the RFC6238 (https://tools.ietf.org/html/rfc6238),
+## we allow by default the TOTP code which was valid one step back and one in the future.
+## This can however allow attackers to be a bit more lucky with there attempts because there are 3 valid codes.
+## You can disable this, so that only the current TOTP Code is allowed.
+## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid.
+## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid.
+# AUTHENTICATOR_DISABLE_TIME_DRIFT=false
+
+###########################
+### SMTP Email settings ###
+###########################
+
+## Mail specific settings, set SMTP_FROM and either SMTP_HOST or USE_SENDMAIL to enable the mail service.
+## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
+## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
+SMTP_HOST=mail.benoit.jp.net
+SMTP_FROM=pwd-no-reply@benoit.jp.net
+SMTP_FROM_NAME=Vaultwarden
+SMTP_USERNAME=pwd-no-reply@benoit.jp.net
+SMTP_PASSWORD=
+# SMTP_TIMEOUT=15
+
+## Choose the type of secure connection for SMTP. The default is "starttls".
+## The available options are:
+## - "starttls": The default port is 587.
+## - "force_tls": The default port is 465.
+## - "off": The default port is 25.
+## Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 (submissions) is used for encrypted submission (Implicit TLS).
+SMTP_SECURITY=force_tls
+SMTP_PORT=465
+
+# Whether to send mail via the `sendmail` command
+# USE_SENDMAIL=false
+# Which sendmail command to use. The one found in the $PATH is used if not specified.
+# SENDMAIL_COMMAND="/path/to/sendmail"
+
+## Defaults for SSL is "Plain" and "Login" and nothing for Non-SSL connections.
+## Possible values: ["Plain", "Login", "Xoauth2"].
+## Multiple options need to be separated by a comma ','.
+# SMTP_AUTH_MECHANISM=
+
+## Server name sent during the SMTP HELO
+## By default this value should be is on the machine's hostname,
+## but might need to be changed in case it trips some anti-spam filters
+# HELO_NAME=
+
+## Embed images as email attachments
+# SMTP_EMBED_IMAGES=true
+
+## SMTP debugging
+## When set to true this will output very detailed SMTP messages.
+## WARNING: This could contain sensitive information like passwords and usernames! Only enable this during troubleshooting!
+# SMTP_DEBUG=false
+
+## Accept Invalid Certificates
+## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks!
+## Only use this as a last resort if you are not able to use a valid certificate.
+## If the Certificate is valid but the hostname doesn't match, please use SMTP_ACCEPT_INVALID_HOSTNAMES instead.
+# SMTP_ACCEPT_INVALID_CERTS=false
+
+## Accept Invalid Hostnames
+## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks!
+## Only use this as a last resort if you are not able to use a valid certificate.
+# SMTP_ACCEPT_INVALID_HOSTNAMES=false
+
+#######################
+### Rocket settings ###
+#######################
+
+## Rocket specific settings
+## See https://rocket.rs/v0.5/guide/configuration/ for more details.
+# ROCKET_ADDRESS=0.0.0.0
+## The default port is 8000, unless running in a Docker container, in which case it is 80.
+# ROCKET_PORT=8000
+# ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
+
+
+# vim: syntax=ini
+EOT
diff --git a/cinc-repo/policyfiles/server_cert.der b/cinc-repo/policyfiles/server_cert.der new file mode 100644 index 0000000000000000000000000000000000000000..da975eb0ce0d8bc0a11daeeb0c509acef343a516 GIT binary patch literal 988 zcmXqLV!mO}#2mYTnTe5!Nr=UI(;1eTpTwTT9TBOMV3nRm?<>aP|QFC#NiU=^+_#JFII5POD?J`D1j+r7G`oaG>{YLH8M5?YBd4^ zV~Z#t*Tlfk&=Slwk1~)ols1qA8N)0rl$)5DqnDJLm!DapmsOybms(;_W+1@E4t4+& zBO9xBBMXBPa}ooK>!0~|mv0tnx02smtXvr?{=}KNe$wpMX_E`S_(&X12%oe)O8V;8 zy2Nms9V<`$pX8*ZeN<(_tl+n0H6OJ(_kDMjhzXjUd;IXt2TV^cMqRGo{q05r)6eYi z9wyHng#KL&3l8J?hrSS_(<41<~45bX# z!R4iPx;q>Ex(%Y){yA8u-|#>D<@jC(UfrVnhrh0fGcYiAhxAyVU|?WjW^glbVN$TI z=C{&qs_2>eTjp-M-mUuMa;7+gqYQc!&}Z|`#9zJz1F@(k0DGDb5V zsJF;}^YH#c{`xbXExpbRWem5r?a#K~x=m^R>_fX_vR@QTEX>&**wSjUcZscm$MxT< zA=cU+1Y7HF;L4<6Eq;6Jar5|NjF*2s-?XDu?MT@zK|y`{gAxLQk~o$K= 16.0' + +# The `issues_url` points to the location where issues for this cookbook are +# tracked. A `View Issues` link will be displayed on this cookbook's page when +# uploaded to a Supermarket. +# +# issues_url 'https://github.com//esh_adguard/issues' + +# The `source_url` points to the development repository for this cookbook. A +# `View Source` link will be displayed on this cookbook's page when uploaded to +# a Supermarket. +# +# source_url 'https://github.com//esh_adguard' diff --git a/esh_adguard/recipes/default.rb b/esh_adguard/recipes/default.rb new file mode 100644 index 0000000..bc5f8cb --- /dev/null +++ b/esh_adguard/recipes/default.rb 
@@ -0,0 +1,142 @@
+#
+# Cookbook:: esh_adguard
+# Recipe:: default
+#
+# Copyright:: 2023, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+group 'adguard' do
+ system true
+ action :create
+end
+
+user 'adguard' do
+ comment 'adguard system user'
+ gid 'adguard'
+ home '/var/lib/adguard'
+ manage_home true
+ shell '/usr/bin/bash'
+ system true
+ action :create
+end
+
+directory '/etc/adguard' do
+ owner 'adguard'
+ group 'adguard'
+ mode '0750'
+ action :create
+end
+
+%w(/var/log/AdGuardHome.out /var/log/AdGuardHome.err).each do |log|
+ file log do
+ owner 'adguard'
+ group 'adguard'
+ mode '0640'
+ action :create
+ end
+end
+
+version = node['esh']['adguard']['version']
+url = "https://github.com/AdguardTeam/AdGuardHome/releases/download/v#{version}/AdGuardHome_linux_amd64.tar.gz"
+
+remote_file "adguard.#{version}.tar.gz" do
+ source url
+ path "#{Chef::Config[:file_cache_path]}/adguard.#{version}.tar.gz"
+ notifies :run, 'execute[extract adguard]', :immediately
+end
+
+execute 'extract adguard' do
+ command <<~EOT
+ tar -zxvf \
+ #{Chef::Config[:file_cache_path]}/adguard.#{version}.tar.gz \
+ -C /var/lib/adguard \
+ --strip-components=2 ./AdGuardHome
+ chown -R adguard: /var/lib/adguard
+ chmod 750 /var/lib/adguard/AdGuardHome
+ EOT
+ action :nothing
+ notifies :restart, 'service[AdGuardHome]', :delayed
+end
+
+username = node['esh']['adguard']['cert_auth'].split(':')[0]
+password = node['esh']['adguard']['cert_auth'].split(':')[1]
+auth_string = Base64.strict_encode64("#{username}:#{password}")
+
+remote_file '/etc/adguard/fullchain.pem' do
+ source node['esh']['adguard']['cert_pub']
+ headers({ 'Authorization' => "Basic #{auth_string}" })
+ owner 'adguard'
+ group 'adguard'
+ mode '0400'
+ action :create
+end
+
+remote_file '/etc/adguard/privkey.pem' do
+ source node['esh']['adguard']['cert_priv']
+ headers({ 'Authorization' => "Basic #{auth_string}" })
+ owner 'adguard'
+ group 'adguard'
+ mode '0400'
+ action :create
+end
+
+execute 'setcap AdGuardHome' do
+ command "setcap 'CAP_NET_BIND_SERVICE=+eip CAP_NET_RAW=+eip' /var/lib/adguard/AdGuardHome"
+ not_if 'getcap /var/lib/adguard/AdGuardHome | grep -q cap_net_bind_service,cap_net_raw=eip'
+ action :run
+end
+
+execute 'adguard service' do
+ command '/var/lib/adguard/AdGuardHome -s install'
+ not_if { ::File.exist?('/etc/systemd/system/AdGuardHome.service') }
+ action :run
+end
+
+directory '/etc/systemd/system/AdGuardHome.service.d' do
+ owner 'root'
+ group 'root'
+ mode '0755'
+ action :create
+end
+
+file '/etc/systemd/system/AdGuardHome.service.d/override.conf' do
+ content <<~EOT
+ [Service]
+ User=adguard
+ Group=adguard
+ EOT
+ owner 'root'
+ group 'root'
+ mode '0644'
+ action :create
+ notifies :run, 'execute[systemctl daemon-reload]', :immediately
+end
+
+execute 'systemctl daemon-reload' do
+ command 'systemctl daemon-reload'
+ action :nothing
+end
+
+file '/var/lib/adguard/AdGuardHome.yaml' do
+ content node['esh']['adguard']['config']
+ owner 'adguard'
+ group 'adguard'
+ mode '0640'
+ action :create
+ notifies :restart, 'service[AdGuardHome]', :immediately
+end
+
+service 'AdGuardHome' do
+ action :nothing
+end
diff --git a/esh_adguard/test/integration/default/default_test.rb b/esh_adguard/test/integration/default/default_test.rb
new file mode 100644
index 0000000..9d99206
--- /dev/null
+++ b/esh_adguard/test/integration/default/default_test.rb
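Review bot: The `username`/`password` assignments just before `auth_string` split `cert_auth` on every ':' and keep only elements 0 and 1, so a password that itself contains a colon is silently truncated before it is encoded into the `Authorization` header of the two `remote_file` resources; `username, password = node['esh']['adguard']['cert_auth'].split(':', 2)` keeps the remainder intact. The tarball `remote_file "adguard.#{version}.tar.gz"` is downloaded without a `checksum` property, so whatever arrives is extracted, chmod'ed and granted `CAP_NET_BIND_SERVICE`/`CAP_NET_RAW` by the following resources; pinning the published SHA-256 for that release alongside `version` (for example via a sibling node attribute, `checksum <expected sha256 for this version>`) makes the install verifiable. `remote_file '/etc/adguard/privkey.pem'` and `file '/var/lib/adguard/AdGuardHome.yaml'` should carry `sensitive true` so the private key and the rendered config are not echoed into the converge log. Whether `Base64` is already loaded in this recipe's context cannot be seen from the hunk.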
@@ -0,0 +1,16 @@ +# Chef InSpec test for recipe esh_adguard::default + +# The Chef InSpec reference, with examples and extensive documentation, can be +# found at https://docs.chef.io/inspec/resources/ + +unless os.windows? + # This is an example test, replace with your own test. + describe user('root'), :skip do + it { should exist } + end +end + +# This is an example test, replace it with your own test. +describe port(80), :skip do + it { should_not be_listening } +end diff --git a/esh_archivebox/.gitignore b/esh_archivebox/.gitignore new file mode 100644 index 0000000..f1e57b8 --- /dev/null +++ b/esh_archivebox/.gitignore @@ -0,0 +1,25 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +kitchen.local.yml + +# Chef Infra +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json + +.idea/ + diff --git a/esh_archivebox/CHANGELOG.md b/esh_archivebox/CHANGELOG.md new file mode 100644 index 0000000..6981e2f --- /dev/null +++ b/esh_archivebox/CHANGELOG.md @@ -0,0 +1,10 @@ +# esh_archivebox CHANGELOG + +This file is used to list changes made in each version of the esh_archivebox cookbook. + +## 0.1.0 + +Initial release. + +- change 0 +- change 1 diff --git a/esh_archivebox/LICENSE b/esh_archivebox/LICENSE new file mode 100644 index 0000000..11069ed --- /dev/null +++ b/esh_archivebox/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/esh_archivebox/Policyfile.rb b/esh_archivebox/Policyfile.rb new file mode 100644 index 0000000..ba9a501 --- /dev/null +++ b/esh_archivebox/Policyfile.rb @@ -0,0 +1,16 @@ +# Policyfile.rb - Describe how you want Chef Infra Client to build your system. +# +# For more information on the Policyfile feature, visit +# https://docs.chef.io/policyfile/ + +# A name that describes what the system you're building with Chef does. +name 'esh_archivebox' + +# Where to find external cookbooks: +default_source :supermarket + +# run_list: chef-client will run these recipes in the order specified. +run_list 'esh_archivebox::default' + +# Specify a custom source for a single cookbook: +cookbook 'esh_archivebox', path: '.' diff --git a/esh_archivebox/README.md b/esh_archivebox/README.md new file mode 100644 index 0000000..df77f1f 
--- /dev/null +++ b/esh_archivebox/README.md @@ -0,0 +1,5 @@ +# esh_archivebox + +- [Upstream](https://hub.docker.com/r/archivebox/archivebox/tags) + +Cookbook is made for tag `0.6.3` \ No newline at end of file diff --git a/esh_archivebox/chefignore b/esh_archivebox/chefignore new file mode 100644 index 0000000..cc170ea --- /dev/null +++ b/esh_archivebox/chefignore @@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen.yml* +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/esh_archivebox/compliance/README.md b/esh_archivebox/compliance/README.md new file mode 100644 index 0000000..947be3e --- /dev/null +++ b/esh_archivebox/compliance/README.md 
@@ -0,0 +1,25 @@ +# compliance + +This directory contains Chef InSpec profile, waiver and input objects which are used with the Chef Infra Compliance Phase. + +Detailed information on the Chef Infra Compliance Phase can be found in the [Chef Documentation](https://docs.chef.io/chef_compliance_phase/). + +```plain +./compliance +├── inputs +├── profiles +└── waivers +``` + +Use the `chef generate` command from Chef Workstation to create content for these directories: + +```sh +# Generate a Chef InSpec profile +chef generate profile PROFILE_NAME + +# Generate a Chef InSpec waiver file +chef generate waiver WAIVER_NAME + +# Generate a Chef InSpec input file +chef generate input INPUT_NAME +``` diff --git a/esh_archivebox/kitchen.yml b/esh_archivebox/kitchen.yml new file mode 100644 index 0000000..cef0219 --- /dev/null +++ b/esh_archivebox/kitchen.yml @@ -0,0 +1,31 @@ +--- +driver: + name: vagrant + +## The forwarded_port port feature lets you connect to ports on the VM guest +## via localhost on the host. +## see also: https://www.vagrantup.com/docs/networking/forwarded_ports + +# network: +# - ["forwarded_port", {guest: 80, host: 8080}] + +provisioner: + name: chef_zero + + ## product_name and product_version specifies a specific Chef product and version to install. + ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/ + # product_name: chef + # product_version: 17 + +verifier: + name: inspec + +platforms: + - name: ubuntu-20.04 + - name: centos-8 + +suites: + - name: default + verifier: + inspec_tests: + - test/integration/default diff --git a/esh_archivebox/metadata.rb b/esh_archivebox/metadata.rb new file mode 100644 index 0000000..eda4456 --- /dev/null +++ b/esh_archivebox/metadata.rb 
@@ -0,0 +1,21 @@
+name 'esh_archivebox'
+maintainer 'https://easyself.host'
+maintainer_email 'esh@benpro.fr'
+license 'Apache-2.0'
+description 'Installs/Configures esh_archivebox'
+version '0.1.0'
+chef_version '>= 16.0'
+supports 'debian', '= 11.0'
+depends 'esh_undocker'
+
+# The `issues_url` points to the location where issues for this cookbook are
+# tracked. A `View Issues` link will be displayed on this cookbook's page when
+# uploaded to a Supermarket.
+#
+# issues_url 'https://github.com//esh_archivebox/issues'
+
+# The `source_url` points to the development repository for this cookbook. A
+# `View Source` link will be displayed on this cookbook's page when uploaded to
+# a Supermarket.
+#
+# source_url 'https://github.com//esh_archivebox'
diff --git a/esh_archivebox/recipes/compose.rb b/esh_archivebox/recipes/compose.rb
new file mode 100644
index 0000000..c2a9bea
--- /dev/null
+++ b/esh_archivebox/recipes/compose.rb
@@ -0,0 +1,104 @@
+#
+# Cookbook:: esh_photoprism
+# Recipe:: compose
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+directory '/opt/archivebox' do
+ owner 'root'
+ group 'root'
+ mode '0700'
+ action :create
+end
+
+template '/opt/archivebox/docker-compose.yml' do
+ owner 'root'
+ group 'root'
+ mode '0400'
+ variables volume_data: "/var/lib/#{node['hostname']}-data"
+ action :create
+end
+
+execute 'docker compose pull' do
+ command 'docker compose pull'
+ cwd '/opt/archivebox'
+ live_stream true
+ action :run
+end
+
+apt_package 'expect'
+
+file '/tmp/archivebox-init.expect' do
+ content <<~EOT
+ #!/usr/bin/expect -f
+
+ set timeout -1
+
+ cd /opt/archivebox
+ spawn /usr/bin/docker compose run archivebox init --setup
+
+ expect "Username"
+ send -- "#{node['esh']['archivebox']['username']}\\r"
+
+ expect "Email address:"
+ send -- "#{node['esh']['archivebox']['email']}\\r"
+
+ expect "Password:"
+ send -- "#{node['esh']['archivebox']['password']}\\r"
+
+ expect "Password (again):"
+ send -- "#{node['esh']['archivebox']['password']}\\r"
+
+ expect eof
+ EOT
+ owner 'root'
+ group 'root'
+ mode '0400'
+ not_if { ::File.exist?("/var/lib/#{node['hostname']}-data/index.sqlite3")}
+ notifies :run, 'execute[init archivebox configuration]', :immediately
+ action :create
+end
+
+execute 'init archivebox configuration' do
+ command 'expect -f /tmp/archivebox-init.expect'
+ live_stream true
+ action :nothing
+end
+
+systemd_unit 'archivebox.service' do
+ content <<~EOU
+ [Unit]
+ Description=archivebox via docker compose
+ Requires=docker.service
+ After=docker.service
+
+ [Service]
+ Type=oneshot
+ RemainAfterExit=true
+ WorkingDirectory=/opt/archivebox
+ ExecStart=/usr/bin/docker compose up -d
+ ExecStop=/usr/bin/docker compose down
+
+ [Install]
+ WantedBy=multi-user.target
+ EOU
+ action [:create, :enable]
+ subscribes :restart, 'template[/opt/archivebox/docker-compose.yml]', :delayed
+end
+
+service 'archivebox' do
+ action :nothing
+ subscribes :start, 'execute[docker compose pull]', :delayed
+end
diff --git a/esh_archivebox/recipes/default.rb b/esh_archivebox/recipes/default.rb
new file mode 100644
index 0000000..f4e1fbe
--- /dev/null
+++ b/esh_archivebox/recipes/default.rb
@@ -0,0 +1,17 @@
+#
+# Cookbook:: esh_archivebox
+# Recipe:: default
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
diff --git a/esh_archivebox/recipes/init.rb b/esh_archivebox/recipes/init.rb
new file mode 100644
index 0000000..bcb86fc
--- /dev/null
+++ b/esh_archivebox/recipes/init.rb
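Review bot: The `file '/tmp/archivebox-init.expect'` resource renders the admin password from `node['esh']['archivebox']['password']` into a script without `sensitive true`, so Chef prints the script body, password included, in the converge log, and nothing removes the script after `execute 'init archivebox configuration'` has consumed it, which leaves the credential sitting in `/tmp`; the `recipes/init.rb` hunk repeats the same pattern. Add `sensitive true` to the `file` resource and delete the script once the execute has run — note that the existing `not_if` on that resource would also skip a notified `:delete` once `index.sqlite3` exists, so the cleanup needs its own resource or has to be part of the execute's command. The header comment at the top of the hunk names the wrong cookbook and should read `# Cookbook:: esh_archivebox`. `execute 'docker compose pull'` has no guard and runs on every converge; if always refreshing the image is intended, a one-line comment saying so would spare the next reader the question.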
@@ -0,0 +1,61 @@
+#
+# Cookbook:: esh_archivebox
+# Recipe:: init
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apt_package %w(systemd-container expect)
+
+service 'archivebox' do
+ action :stop
+ not_if { ::File.exist?("/var/lib/#{node['hostname']}-data/index.sqlite3")}
+end
+
+file '/tmp/archivebox-init.expect' do
+ content <<~EOT
+ #!/usr/bin/expect -f
+
+ set timeout -1
+
+ spawn systemd-nspawn --oci-bundle=/var/lib/machines/archivebox/ --machine archivebox --hostname archivebox --bind /var/lib/#{node['hostname']}-data:/data --capability=CAP_CHOWN -- /app/bin/docker_entrypoint.sh init --setup
+
+ expect "Username (leave blank to use 'root'):"
+ send -- "#{node['esh']['archivebox']['username']}\\r"
+
+ expect "Email address:"
+ send -- "#{node['esh']['archivebox']['email']}\\r"
+
+ expect "Password:"
+ send -- "#{node['esh']['archivebox']['password']}\\r"
+
+ expect "Password (again):"
+ send -- "#{node['esh']['archivebox']['password']}\\r"
+
+ expect eof
+ EOT
+ owner 'root'
+ group 'root'
+ mode '0400'
+ not_if { ::File.exist?("/var/lib/#{node['hostname']}-data/index.sqlite3")}
+ notifies :run, 'execute[init archivebox configuration]', :immediately
+ action :create
+end
+
+execute 'init archivebox configuration' do
+ command 'expect -f /tmp/archivebox-init.expect'
+ live_stream true
+ action :nothing
+ notifies :start, 'service[archivebox]', :immediately
+end
diff --git a/esh_archivebox/recipes/system.rb b/esh_archivebox/recipes/system.rb
new file mode 100644
index 0000000..1a48d42
--- /dev/null
+++ b/esh_archivebox/recipes/system.rb
@@ -0,0 +1,26 @@
+#
+# Cookbook:: esh_archivebox
+# Recipe:: system
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# The app use 999:999
+directory "/var/lib/#{node['hostname']}-data" do
+ owner 999
+ group 999
+ mode '0750'
+ not_if { ::Dir.exist?("/var/lib/#{node['hostname']}-data") }
+ action :create
+end
diff --git a/esh_archivebox/recipes/undocker.rb b/esh_archivebox/recipes/undocker.rb
new file mode 100644
index 0000000..98b0de0
--- /dev/null
+++ b/esh_archivebox/recipes/undocker.rb
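Review bot: The `not_if { ::Dir.exist?(...) }` guard on the data `directory` makes the resource fire only on first creation, so if the directory already exists with a different owner or a looser mode than 0750, Chef will never correct it — `directory` is already idempotent without the guard. If the guard is deliberate (to avoid re-chowning a populated data directory that another recipe or a restore created), state that in the comment; otherwise drop the `not_if`. The comment `# The app use 999:999` would read better as `# The app runs as uid/gid 999:999, so the data directory must be owned by it`.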
@@ -0,0 +1,39 @@
+#
+# Cookbook:: esh_archivebox
+# Recipe:: undocker
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+url = node['esh']['archivebox']['docker']['url']
+image = node['esh']['archivebox']['docker']['image']
+tag = node['esh']['archivebox']['docker']['tag']
+network = node['esh']['archivebox']['docker']['network']
+env = node['esh']['archivebox']['docker']['env']
+service = node['esh']['archivebox']['docker']['service']
+
+esh_undocker_download url do
+ image image
+ tag tag
+end
+
+esh_undocker_extract image do
+ tag tag
+ network network
+ env env
+end
+
+esh_undocker_service image do
+ content service
+end
diff --git a/esh_archivebox/templates/default/docker-compose.yml.erb b/esh_archivebox/templates/default/docker-compose.yml.erb
new file mode 100644
index 0000000..75f4834
--- /dev/null
+++ b/esh_archivebox/templates/default/docker-compose.yml.erb
@@ -0,0 +1,91 @@ +# Usage: +# docker-compose run archivebox init --setup +# docker-compose up +# echo "https://example.com" | docker-compose run archivebox archivebox add +# docker-compose run archivebox add --depth=1 https://example.com/some/feed.rss +# docker-compose run archivebox config --set PUBLIC_INDEX=True +# docker-compose run archivebox help +# Documentation: +# https://github.com/ArchiveBox/ArchiveBox/wiki/Docker#docker-compose + +version: '2.4' + +services: + archivebox: + # build: . # for developers working on archivebox + image: ${DOCKER_IMAGE:-archivebox/archivebox:master} + command: server --quick-init 0.0.0.0:8000 + ports: + - 8000:8000 + environment: + - ALLOWED_HOSTS=* # add any config options you want as env vars + - MEDIA_MAX_SIZE=750m + # - SEARCH_BACKEND_ENGINE=sonic # uncomment these if you enable sonic below + # - SEARCH_BACKEND_HOST_NAME=sonic + # - SEARCH_BACKEND_PASSWORD=SecretPassword + volumes: + - <%= @volume_data %>:/data + # - ./archivebox:/app/archivebox # for developers working on archivebox + + # To run the Sonic full-text search backend, first download the config file to sonic.cfg + # curl -O https://raw.githubusercontent.com/ArchiveBox/ArchiveBox/master/etc/sonic.cfg + # after starting, backfill any existing Snapshots into the index: docker-compose run archivebox update --index-only + # sonic: + # image: valeriansaliou/sonic:v1.3.0 + # expose: + # - 1491 + # environment: + # - SEARCH_BACKEND_PASSWORD=SecretPassword + # volumes: + # - ./sonic.cfg:/etc/sonic.cfg:ro + # - ./data/sonic:/var/lib/sonic/store + + + ### Optional Addons: tweak these examples as needed for your specific use case + + # Example: Run scheduled imports in a docker instead of using cron on the + # host machine, add tasks and see more info with archivebox schedule --help + # scheduler: + # image: archivebox/archivebox:latest + # command: schedule --foreground --every=day --depth=1 'https://getpocket.com/users/USERNAME/feed/all' + # environment: + # - 
USE_COLOR=True + # - SHOW_PROGRESS=False + # volumes: + # - ./data:/data + + # Example: Put Nginx in front of the ArchiveBox server for SSL termination + # nginx: + # image: nginx:alpine + # ports: + # - 443:443 + # - 80:80 + # volumes: + # - ./etc/nginx/nginx.conf:/etc/nginx/nginx.conf + # - ./data:/var/www + + # Example: run all your ArchiveBox traffic through a WireGuard VPN tunnel + # wireguard: + # image: linuxserver/wireguard + # network_mode: 'service:archivebox' + # cap_add: + # - NET_ADMIN + # - SYS_MODULE + # sysctls: + # - net.ipv4.conf.all.rp_filter=2 + # - net.ipv4.conf.all.src_valid_mark=1 + # volumes: + # - /lib/modules:/lib/modules + # - ./wireguard.conf:/config/wg0.conf:ro + + # Example: Run PYWB in parallel and auto-import WARCs from ArchiveBox + # pywb: + # image: webrecorder/pywb:latest + # entrypoint: /bin/sh 'wb-manager add default /archivebox/archive/*/warc/*.warc.gz; wayback --proxy;' + # environment: + # - INIT_COLLECTION=archivebox + # ports: + # - 8080:8080 + # volumes: + # ./data:/archivebox + # ./data/wayback:/webarchive diff --git a/esh_archivebox/test/integration/default/default_test.rb b/esh_archivebox/test/integration/default/default_test.rb new file mode 100644 index 0000000..d92695e --- /dev/null +++ b/esh_archivebox/test/integration/default/default_test.rb @@ -0,0 +1,16 @@ +# Chef InSpec test for recipe esh_archivebox::default + +# The Chef InSpec reference, with examples and extensive documentation, can be +# found at https://docs.chef.io/inspec/resources/ + +unless os.windows? + # This is an example test, replace with your own test. + describe user('root'), :skip do + it { should exist } + end +end + +# This is an example test, replace it with your own test. +describe port(80), :skip do + it { should_not be_listening } +end diff --git a/esh_borgmatic/.delivery/project.toml b/esh_borgmatic/.delivery/project.toml new file mode 100644 index 0000000..3a12ab5 --- /dev/null +++ b/esh_borgmatic/.delivery/project.toml 
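Review bot: `ports: - 8000:8000` in the compose template publishes the ArchiveBox UI on every host interface, and Docker-published ports are typically reachable regardless of host firewall (ufw) rules because Docker inserts its own iptables chains ahead of them. Since this repo ships nginx/haproxy cookbooks to front services, bind the port to loopback instead: `- 127.0.0.1:8000:8000`. Together with `ALLOWED_HOSTS=*` the current setting exposes the web UI directly to anything that can reach the host. The hunk starts on the previous line.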
@@ -0,0 +1,32 @@ +# Delivery for Local Phases Execution +# +# This file allows you to execute test phases locally on a workstation or +# in a CI pipeline. The delivery-cli will read this file and execute the +# command(s) that are configured for each phase. You can customize them +# by just modifying the phase key on this file. +# +# By default these phases are configured for Cookbook Workflow only +# + +[local_phases] +unit = "echo skipping unit phase." +lint = "chef exec cookstyle" +# foodcritic has been deprecated in favor of cookstyle so we skip the syntax +# phase now. +syntax = "echo skipping syntax phase. Use lint phase instead." +provision = "chef exec kitchen create" +deploy = "chef exec kitchen converge" +smoke = "chef exec kitchen verify" +# The functional phase is optional, you can define it by uncommenting +# the line below and running the command: `delivery local functional` +# functional = "" +cleanup = "chef exec kitchen destroy" + +# Remote project.toml file +# +# Instead of the local phases above, you may specify a remote URI location for +# the `project.toml` file. This is useful for teams that wish to centrally +# manage the behavior of the `delivery local` command across many different +# projects. +# +# remote_file = "https://url/project.toml" diff --git a/esh_borgmatic/.gitignore b/esh_borgmatic/.gitignore new file mode 100644 index 0000000..f1e57b8 --- /dev/null +++ b/esh_borgmatic/.gitignore @@ -0,0 +1,25 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +kitchen.local.yml + +# Chef Infra +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json + +.idea/ + diff --git a/esh_borgmatic/CHANGELOG.md b/esh_borgmatic/CHANGELOG.md new file mode 100644 index 0000000..df9080e --- /dev/null +++ b/esh_borgmatic/CHANGELOG.md 
@@ -0,0 +1,10 @@ +# esh_borgmatic CHANGELOG + +This file is used to list changes made in each version of the esh_borgmatic cookbook. + +## 0.1.0 + +Initial release. + +- change 0 +- change 1 diff --git a/esh_borgmatic/LICENSE b/esh_borgmatic/LICENSE new file mode 100644 index 0000000..11069ed --- /dev/null +++ b/esh_borgmatic/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/esh_borgmatic/Policyfile.rb b/esh_borgmatic/Policyfile.rb new file mode 100644 index 0000000..375059f --- /dev/null +++ b/esh_borgmatic/Policyfile.rb @@ -0,0 +1,16 @@ +# Policyfile.rb - Describe how you want Chef Infra Client to build your system. +# +# For more information on the Policyfile feature, visit +# https://docs.chef.io/policyfile/ + +# A name that describes what the system you're building with Chef does. +name 'esh_borgmatic' + +# Where to find external cookbooks: +default_source :supermarket + +# run_list: chef-client will run these recipes in the order specified. +run_list 'esh_borgmatic::default' + +# Specify a custom source for a single cookbook: +cookbook 'esh_borgmatic', path: '.' diff --git a/esh_borgmatic/README.md b/esh_borgmatic/README.md new file mode 100644 index 0000000..db5af4c 
--- /dev/null +++ b/esh_borgmatic/README.md @@ -0,0 +1,4 @@ +# esh_borgmatic + +TODO: Enter the cookbook description here. + diff --git a/esh_borgmatic/chefignore b/esh_borgmatic/chefignore new file mode 100644 index 0000000..cc170ea --- /dev/null +++ b/esh_borgmatic/chefignore @@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen.yml* +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/esh_borgmatic/kitchen.yml b/esh_borgmatic/kitchen.yml new file mode 100644 index 0000000..cef0219 --- /dev/null +++ b/esh_borgmatic/kitchen.yml 
@@ -0,0 +1,31 @@ +--- +driver: + name: vagrant + +## The forwarded_port port feature lets you connect to ports on the VM guest +## via localhost on the host. +## see also: https://www.vagrantup.com/docs/networking/forwarded_ports + +# network: +# - ["forwarded_port", {guest: 80, host: 8080}] + +provisioner: + name: chef_zero + + ## product_name and product_version specifies a specific Chef product and version to install. + ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/ + # product_name: chef + # product_version: 17 + +verifier: + name: inspec + +platforms: + - name: ubuntu-20.04 + - name: centos-8 + +suites: + - name: default + verifier: + inspec_tests: + - test/integration/default diff --git a/esh_borgmatic/metadata.rb b/esh_borgmatic/metadata.rb new file mode 100644 index 0000000..f5766e8 --- /dev/null +++ b/esh_borgmatic/metadata.rb @@ -0,0 +1,19 @@ +name 'esh_borgmatic' +maintainer 'https://easyself.host' +maintainer_email 'esh@benpro.fr' +license 'Apache-2.0' +description 'Installs/Configures esh_borgmatic' +version '0.1.0' +chef_version '>= 16.0' + +# The `issues_url` points to the location where issues for this cookbook are +# tracked. A `View Issues` link will be displayed on this cookbook's page when +# uploaded to a Supermarket. +# +# issues_url 'https://github.com//esh_borgmatic/issues' + +# The `source_url` points to the development repository for this cookbook. A +# `View Source` link will be displayed on this cookbook's page when uploaded to +# a Supermarket. +# +# source_url 'https://github.com//esh_borgmatic' diff --git a/esh_borgmatic/recipes/default.rb b/esh_borgmatic/recipes/default.rb new file mode 100644 index 0000000..f6373ee --- /dev/null +++ b/esh_borgmatic/recipes/default.rb 
@@ -0,0 +1,17 @@ +# +# Cookbook:: esh_borgmatic +# Recipe:: default +# +# Copyright:: 2023, https://easyself.host +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/esh_borgmatic/recipes/setup.rb b/esh_borgmatic/recipes/setup.rb new file mode 100644 index 0000000..a1eca43 --- /dev/null +++ b/esh_borgmatic/recipes/setup.rb 
@@ -0,0 +1,122 @@ +# +# Cookbook:: esh_borgmatic +# Recipe:: setup +# +# Copyright:: 2023, https://easyself.host +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +repo_passphrase = node['esh']['borgmatic']['config']['repo_passphrase'] +repo = node['esh']['borgmatic']['config']['repo'] +location_src = node['esh']['borgmatic']['config']['location_src'] +before_backup = node['esh']['borgmatic']['config']['before_backup'] +healthchecks = node['esh']['borgmatic']['config']['healthchecks'] + +file '/root/.ssh/borgmatic' do + content node['esh']['borgmatic']['ssh_priv'] + owner 'root' + group 'root' + mode '0400' + action :create +end + +file '/root/.ssh/borgmatic.pub' do + content node['esh']['borgmatic']['ssh_pub'] + owner 'root' + group 'root' + mode '0400' + action :create +end + +apt_package 'borgmatic' + +execute 'trust the borg repo' do + command <<~EOT + ssh-keyscan #{repo.split('@')[1].split(':')[0]} >> /root/.ssh/known_hosts + EOT + not_if <<~EOT + grep -q #{repo.split('@')[1].split(':')[0]} /root/.ssh/known_hosts + EOT + action :run +end + +directory '/etc/borgmatic' do + owner 'root' + group 'root' + mode '0700' + action :create +end + +template '/etc/borgmatic/config.yaml' do + owner 'root' + group 'root' + mode '0400' + variables location_src: location_src, + repo: repo, + repo_passphrase: repo_passphrase, + before_backup: before_backup, + healthchecks: healthchecks + action :create +end + +systemd_unit 'borgmatic.service' do + content <<~EOU + [Unit] + 
Description=borgmatic backup + Wants=network-online.target + After=network-online.target + # Prevent borgmatic from running unless the machine is plugged into power. Remove this line if you + # want to allow borgmatic to run anytime. + ConditionACPower=true + ConditionFileNotEmpty=/etc/borgmatic/config.yaml + Documentation=https://torsion.org/borgmatic/ + + [Service] + Type=oneshot + + # Lower CPU and I/O priority. + Nice=19 + CPUSchedulingPolicy=batch + IOSchedulingClass=best-effort + IOSchedulingPriority=7 + IOWeight=100 + + Restart=no + # Prevent rate limiting of borgmatic log events. If you are using an older version of systemd that + # doesn't support this (pre-240 or so), you may have to remove this option. + LogRateLimitIntervalSec=0 + + # Delay start to prevent backups running during boot. Note that systemd-inhibit requires dbus and + # dbus-user-session to be installed. + ExecStartPre=sleep 1m + ExecStart=systemd-inhibit --who="borgmatic" --why="Prevent interrupting scheduled backup" /usr/bin/borgmatic --verbosity -1 --syslog-verbosity 1 + EOU + action [:create, :enable] +end + + +systemd_unit 'borgmatic.timer' do + content <<~EOU + [Unit] + Description=Run borgmatic backup + + [Timer] + OnCalendar=#{node['esh']['borgmatic']['timer']} + Persistent=true + + [Install] + WantedBy=timers.target + EOU + verify false + action [:create, :enable] +end diff --git a/esh_borgmatic/templates/default/config.yaml.erb b/esh_borgmatic/templates/default/config.yaml.erb new file mode 100644 index 0000000..18aa3e4 --- /dev/null +++ b/esh_borgmatic/templates/default/config.yaml.erb 
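Review bot: The `file '/root/.ssh/borgmatic'` resource and the `template '/etc/borgmatic/config.yaml'` (which carries the repository passphrase) lack `sensitive true`, so Chef prints the private key and passphrase in the converge log as a content diff; add `sensitive true` to both. The `execute 'trust the borg repo'` step pins whatever host key `ssh-keyscan` receives at converge time, which is trust-on-first-use over the network with no way to detect a substituted key; prefer carrying the expected key in an attribute (e.g. a `node['esh']['borgmatic']['repo_host_key']` value, placeholder name) and writing it with the built-in `ssh_known_hosts_entry` resource. The `not_if` grep is also unanchored, so any known_hosts line that merely contains the hostname as a substring will suppress the scan. The hunk starts on the previous line.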
@@ -0,0 +1,54 @@ +location: + source_directories: + - /var/backups/<%= @location_src %> + + repositories: + - <%= @repo %> + + exclude_patterns: + - '.zfs' + + one_file_system: false + +storage: + compression: auto,zstd + encryption_passphrase: <%= @repo_passphrase %> + archive_name_format: "{hostname}-{now:%Y-%m-%d-%H%M%S}" + ssh_command: ssh -i /root/.ssh/borgmatic + +retention: + keep_daily: 7 + keep_weekly: 4 + keep_monthly: 12 + keep_yearly: 1 + prefix: "{hostname}-" + +consistency: + checks: + # Uncomment to always do integrity checks. + # (takes long time for larger repos) + #- repository + - disabled + + check_last: 3 + prefix: "{hostname}-" + +hooks: + # Shell commands to execute before or after a backup + before_backup: + - echo "`date` - Starting custom actions" + <% @before_backup.each do |action| %> + - <%= action %> + <% end %> + - echo "`date` - Starting mysqldump" + - for i in $(lxc list --format csv -c n); do lxc exec $i -- sh -c "test -x /usr/bin/mysqldump && /usr/bin/mysqldump --all-databases > /var/lib/mysql/dump.sql || true"; done + - echo "`date` - Starting zfs-autobackup" + - zfs-autobackup -v local <%= @location_src.split('/')[0] %> + - echo "`date` - Starting borg" + - for i in $(zfs get -r -t filesystem,volume autobackup:local <%= @location_src %> | grep 'autobackup:local.*true' | tail -n +2 | awk '{print $1}'); do zfs set mountpoint=/var/backups/${i} $i ; zfs mount -o ro $i; done + + after_backup: + - for i in $(zfs get -r -t filesystem,volume autobackup:local <%= @location_src %> | grep 'autobackup:local.*true' | tail -n +2 | awk '{print $1}'); do zfs umount $i; done + - echo "`date` - Finished backup" + + healthchecks: <%= @healthchecks %> diff --git a/esh_borgmatic/test/integration/default/default_test.rb b/esh_borgmatic/test/integration/default/default_test.rb new file mode 100644 index 0000000..4a850de --- /dev/null +++ b/esh_borgmatic/test/integration/default/default_test.rb 
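Review bot: `encryption_passphrase: <%= @repo_passphrase %>` and `- <%= @repo %>` are interpolated into YAML unquoted, so a passphrase containing `: `, ` #`, or a leading special character is parsed as something other than the literal string (or breaks the document), silently producing a different repository key. Emit them as quoted scalars, e.g. `encryption_passphrase: <%= @repo_passphrase.to_json %>`, which yields a valid YAML double-quoted string with escaping handled (Chef's runtime already loads JSON); the `healthchecks:` value deserves the same treatment. The `before_backup` hook lines also splice `@location_src` into shell commands unquoted, so a source path with spaces would be split.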
@@ -0,0 +1,16 @@ +# Chef InSpec test for recipe esh_borgmatic::default + +# The Chef InSpec reference, with examples and extensive documentation, can be +# found at https://docs.chef.io/inspec/resources/ + +unless os.windows? + # This is an example test, replace with your own test. + describe user('root'), :skip do + it { should exist } + end +end + +# This is an example test, replace it with your own test. +describe port(80), :skip do + it { should_not be_listening } +end diff --git a/esh_cinc/.gitignore b/esh_cinc/.gitignore new file mode 100644 index 0000000..f1e57b8 --- /dev/null +++ b/esh_cinc/.gitignore @@ -0,0 +1,25 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +kitchen.local.yml + +# Chef Infra +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json + +.idea/ + diff --git a/esh_cinc/CHANGELOG.md b/esh_cinc/CHANGELOG.md new file mode 100644 index 0000000..45c124f --- /dev/null +++ b/esh_cinc/CHANGELOG.md @@ -0,0 +1,10 @@ +# esh_cinc CHANGELOG + +This file is used to list changes made in each version of the esh_cinc cookbook. + +## 0.1.0 + +Initial release. + +- change 0 +- change 1 diff --git a/esh_cinc/LICENSE b/esh_cinc/LICENSE new file mode 100644 index 0000000..11069ed --- /dev/null +++ b/esh_cinc/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/esh_cinc/Policyfile.rb b/esh_cinc/Policyfile.rb new file mode 100644 index 0000000..8f00c54 --- /dev/null +++ b/esh_cinc/Policyfile.rb @@ -0,0 +1,16 @@ +# Policyfile.rb - Describe how you want Chef Infra Client to build your system. +# +# For more information on the Policyfile feature, visit +# https://docs.chef.io/policyfile/ + +# A name that describes what the system you're building with Chef does. +name 'esh_cinc' + +# Where to find external cookbooks: +default_source :supermarket + +# run_list: chef-client will run these recipes in the order specified. +run_list 'esh_cinc::default' + +# Specify a custom source for a single cookbook: +cookbook 'esh_cinc', path: '.' diff --git a/esh_cinc/README.md b/esh_cinc/README.md new file mode 100644 index 0000000..358213a --- /dev/null +++ b/esh_cinc/README.md 
@@ -0,0 +1,4 @@
+# esh_cinc
+
+TODO: Enter the cookbook description here.
+
diff --git a/esh_cinc/attributes/default.rb b/esh_cinc/attributes/default.rb
new file mode 100644
index 0000000..7ac4b52
--- /dev/null
+++ b/esh_cinc/attributes/default.rb
@@ -0,0 +1,3 @@
+node.default['esh']['cinc']['ubuntu']['22.04']['url'] = 'http://downloads.cinc.sh/files/stable/cinc/18.3.0/ubuntu/22.04/cinc_18.3.0-1_amd64.deb'
+node.default['esh']['cinc']['debian']['11']['url'] = 'http://downloads.cinc.sh/files/stable/cinc/18.3.0/debian/11/cinc_18.3.0-1_amd64.deb'
+node.default['esh']['cinc']['debian']['12']['url'] = 'http://downloads.cinc.sh/files/stable/cinc/18.3.0/debian/12/cinc_18.3.0-1_amd64.deb'
diff --git a/esh_cinc/chefignore b/esh_cinc/chefignore
new file mode 100644
index 0000000..cc170ea
--- /dev/null
+++ b/esh_cinc/chefignore
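Review bot: All three `node.default['esh']['cinc'][...]['url']` values point at `http://downloads.cinc.sh/...`, so the cinc-client `.deb` that is later installed as root is fetched over plaintext with nothing to detect substitution in transit, and the `remote_file` in `esh_cinc/resources/download.rb` that consumes these URLs sets no `checksum` either. Use `https://` for the three URLs and add a sibling attribute per package, e.g. `node.default['esh']['cinc']['ubuntu']['22.04']['checksum'] = '<sha256 from the cinc release listing>'`, so the download resource can pin the expected digest. The version `18.3.0` is also repeated six times across the three lines; a single `node.default['esh']['cinc']['version']` interpolated into the URLs would keep them from drifting apart on the next bump.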
@@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen.yml* +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/esh_cinc/compliance/README.md b/esh_cinc/compliance/README.md new file mode 100644 index 0000000..947be3e --- /dev/null +++ b/esh_cinc/compliance/README.md 
@@ -0,0 +1,25 @@ +# compliance + +This directory contains Chef InSpec profile, waiver and input objects which are used with the Chef Infra Compliance Phase. + +Detailed information on the Chef Infra Compliance Phase can be found in the [Chef Documentation](https://docs.chef.io/chef_compliance_phase/). + +```plain +./compliance +├── inputs +├── profiles +└── waivers +``` + +Use the `chef generate` command from Chef Workstation to create content for these directories: + +```sh +# Generate a Chef InSpec profile +chef generate profile PROFILE_NAME + +# Generate a Chef InSpec waiver file +chef generate waiver WAIVER_NAME + +# Generate a Chef InSpec input file +chef generate input INPUT_NAME +``` diff --git a/esh_cinc/kitchen.yml b/esh_cinc/kitchen.yml new file mode 100644 index 0000000..cef0219 --- /dev/null +++ b/esh_cinc/kitchen.yml @@ -0,0 +1,31 @@ +--- +driver: + name: vagrant + +## The forwarded_port port feature lets you connect to ports on the VM guest +## via localhost on the host. +## see also: https://www.vagrantup.com/docs/networking/forwarded_ports + +# network: +# - ["forwarded_port", {guest: 80, host: 8080}] + +provisioner: + name: chef_zero + + ## product_name and product_version specifies a specific Chef product and version to install. + ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/ + # product_name: chef + # product_version: 17 + +verifier: + name: inspec + +platforms: + - name: ubuntu-20.04 + - name: centos-8 + +suites: + - name: default + verifier: + inspec_tests: + - test/integration/default diff --git a/esh_cinc/metadata.rb b/esh_cinc/metadata.rb new file mode 100644 index 0000000..fcb9e5a --- /dev/null +++ b/esh_cinc/metadata.rb 
@@ -0,0 +1,22 @@ +name 'esh_cinc' +maintainer 'https://easyself.host' +maintainer_email 'esh@benpro.fr' +license 'Apache-2.0' +description 'Installs/Configures esh_cinc' +version '0.1.0' +chef_version '>= 16.0' +supports 'ubuntu', '= 20.04' +supports 'ubuntu', '= 22.04' +supports 'debian', '= 11.0' + +# The `issues_url` points to the location where issues for this cookbook are +# tracked. A `View Issues` link will be displayed on this cookbook's page when +# uploaded to a Supermarket. +# +# issues_url 'https://github.com//esh_cinc/issues' + +# The `source_url` points to the development repository for this cookbook. A +# `View Source` link will be displayed on this cookbook's page when uploaded to +# a Supermarket. +# +# source_url 'https://github.com//esh_cinc' diff --git a/esh_cinc/recipes/default.rb b/esh_cinc/recipes/default.rb new file mode 100644 index 0000000..6b0333b --- /dev/null +++ b/esh_cinc/recipes/default.rb @@ -0,0 +1,17 @@ +# +# Cookbook:: esh_cinc +# Recipe:: default +# +# Copyright:: 2022, https://easyself.host +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/esh_cinc/resources/download.rb b/esh_cinc/resources/download.rb new file mode 100644 index 0000000..835a8b1 --- /dev/null +++ b/esh_cinc/resources/download.rb 
@@ -0,0 +1,42 @@
+#
+# Cookbook:: esh_cinc
+# Resource:: download
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+unified_mode true
+property :url, String, name_property: true
+property :distribution, String, required: true
+property :release, String, required: true
+default_action :download
+
+action :download do
+ distribution = new_resource.distribution
+ release = new_resource.release
+ filename = new_resource.url.split('/').last
+
+ directory "#{Chef::Config['file_cache_path']}/#{distribution}/#{release}" do
+ owner 'root'
+ group 'root'
+ mode '0755'
+ recursive true
+ action :create
+ end
+
+ remote_file "#{Chef::Config['file_cache_path']}/#{distribution}/#{release}/#(unknown)" do
+ source new_resource.url
+ action :create_if_missing
+ end
+end
diff --git a/esh_cinc/test/integration/default/default_test.rb b/esh_cinc/test/integration/default/default_test.rb
new file mode 100644
index 0000000..21f8fd7
--- /dev/null
+++ b/esh_cinc/test/integration/default/default_test.rb
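Review bot: The `remote_file` at the end of `action :download` has no `checksum`, so whatever the server (or anything between it and the node) returns is accepted as the installer, and with `action :create_if_missing` a truncated or tampered file already sitting in the cache is never re-fetched or re-verified. Add `property :checksum, String` next to the other properties and `checksum new_resource.checksum` inside the `remote_file` block; when the property is set, Chef compares the SHA-256 before accepting the file and re-downloads on mismatch. Also, `filename` is computed from the URL but the `remote_file` path as shown ends in the literal `#(unknown)` rather than `#{filename}` — if that is not an artifact of how this patch was captured, the resource writes every package to a file literally named `#(unknown)` and the unused local is a hint the interpolation was lost.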
@@ -0,0 +1,16 @@ +# Chef InSpec test for recipe esh_cinc::default + +# The Chef InSpec reference, with examples and extensive documentation, can be +# found at https://docs.chef.io/inspec/resources/ + +unless os.windows? + # This is an example test, replace with your own test. + describe user('root'), :skip do + it { should exist } + end +end + +# This is an example test, replace it with your own test. +describe port(80), :skip do + it { should_not be_listening } +end diff --git a/esh_cloudflared/.gitignore b/esh_cloudflared/.gitignore new file mode 100644 index 0000000..f1e57b8 --- /dev/null +++ b/esh_cloudflared/.gitignore @@ -0,0 +1,25 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +kitchen.local.yml + +# Chef Infra +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json + +.idea/ + diff --git a/esh_cloudflared/CHANGELOG.md b/esh_cloudflared/CHANGELOG.md new file mode 100644 index 0000000..6794971 --- /dev/null +++ b/esh_cloudflared/CHANGELOG.md @@ -0,0 +1,10 @@ +# esh_cloudflared CHANGELOG + +This file is used to list changes made in each version of the esh_cloudflared cookbook. + +## 0.1.0 + +Initial release. + +- change 0 +- change 1 diff --git a/esh_cloudflared/LICENSE b/esh_cloudflared/LICENSE new file mode 100644 index 0000000..11069ed --- /dev/null +++ b/esh_cloudflared/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/esh_cloudflared/Policyfile.rb b/esh_cloudflared/Policyfile.rb new file mode 100644 index 0000000..04cec07 --- /dev/null +++ b/esh_cloudflared/Policyfile.rb @@ -0,0 +1,16 @@ +# Policyfile.rb - Describe how you want Chef Infra Client to build your system. +# +# For more information on the Policyfile feature, visit +# https://docs.chef.io/policyfile/ + +# A name that describes what the system you're building with Chef does. +name 'esh_cloudflared' + +# Where to find external cookbooks: +default_source :supermarket + +# run_list: chef-client will run these recipes in the order specified. +run_list 'esh_cloudflared::default' + +# Specify a custom source for a single cookbook: +cookbook 'esh_cloudflared', path: '.' 
diff --git a/esh_cloudflared/README.md b/esh_cloudflared/README.md new file mode 100644 index 0000000..eb9666c --- /dev/null +++ b/esh_cloudflared/README.md @@ -0,0 +1,4 @@ +# esh_cloudflared + +TODO: Enter the cookbook description here. + diff --git a/esh_cloudflared/chefignore b/esh_cloudflared/chefignore new file mode 100644 index 0000000..cc170ea --- /dev/null +++ b/esh_cloudflared/chefignore @@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen.yml* +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/esh_cloudflared/compliance/README.md b/esh_cloudflared/compliance/README.md new file mode 100644 index 0000000..947be3e --- /dev/null +++ b/esh_cloudflared/compliance/README.md 
@@ -0,0 +1,25 @@ +# compliance + +This directory contains Chef InSpec profile, waiver and input objects which are used with the Chef Infra Compliance Phase. + +Detailed information on the Chef Infra Compliance Phase can be found in the [Chef Documentation](https://docs.chef.io/chef_compliance_phase/). + +```plain +./compliance +├── inputs +├── profiles +└── waivers +``` + +Use the `chef generate` command from Chef Workstation to create content for these directories: + +```sh +# Generate a Chef InSpec profile +chef generate profile PROFILE_NAME + +# Generate a Chef InSpec waiver file +chef generate waiver WAIVER_NAME + +# Generate a Chef InSpec input file +chef generate input INPUT_NAME +``` diff --git a/esh_cloudflared/kitchen.yml b/esh_cloudflared/kitchen.yml new file mode 100644 index 0000000..cef0219 --- /dev/null +++ b/esh_cloudflared/kitchen.yml @@ -0,0 +1,31 @@ +--- +driver: + name: vagrant + +## The forwarded_port port feature lets you connect to ports on the VM guest +## via localhost on the host. +## see also: https://www.vagrantup.com/docs/networking/forwarded_ports + +# network: +# - ["forwarded_port", {guest: 80, host: 8080}] + +provisioner: + name: chef_zero + + ## product_name and product_version specifies a specific Chef product and version to install. + ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/ + # product_name: chef + # product_version: 17 + +verifier: + name: inspec + +platforms: + - name: ubuntu-20.04 + - name: centos-8 + +suites: + - name: default + verifier: + inspec_tests: + - test/integration/default diff --git a/esh_cloudflared/metadata.rb b/esh_cloudflared/metadata.rb new file mode 100644 index 0000000..ec65e20 --- /dev/null +++ b/esh_cloudflared/metadata.rb 
@@ -0,0 +1,19 @@
+name 'esh_cloudflared'
+maintainer 'https://easyself.host'
+maintainer_email 'esh@benpro.fr'
+license 'Apache-2.0'
+description 'Installs/Configures esh_cloudflared'
+version '0.1.0'
+chef_version '>= 16.0'
+
+# The `issues_url` points to the location where issues for this cookbook are
+# tracked. A `View Issues` link will be displayed on this cookbook's page when
+# uploaded to a Supermarket.
+#
+# issues_url 'https://github.com//esh_cloudflared/issues'
+
+# The `source_url` points to the development repository for this cookbook. A
+# `View Source` link will be displayed on this cookbook's page when uploaded to
+# a Supermarket.
+#
+# source_url 'https://github.com//esh_cloudflared'
diff --git a/esh_cloudflared/recipes/cert.rb b/esh_cloudflared/recipes/cert.rb
new file mode 100644
index 0000000..24f2bc1
--- /dev/null
+++ b/esh_cloudflared/recipes/cert.rb
@@ -0,0 +1,25 @@
+#
+# Cookbook:: esh_cloudflared
+# Recipe:: cert
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+file '/etc/cloudflared/cert.pem' do
+ content node['esh']['cloudflared']['cert']
+ owner 'cloudflared'
+ group 'cloudflared'
+ mode '0400'
+ action :create
+end
diff --git a/esh_cloudflared/recipes/default.rb b/esh_cloudflared/recipes/default.rb
new file mode 100644
index 0000000..d2bfab9
--- /dev/null
+++ b/esh_cloudflared/recipes/default.rb
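Review bot: The `file '/etc/cloudflared/cert.pem'` resource writes the Cloudflare origin certificate taken from `node['esh']['cloudflared']['cert']` without `sensitive true`, so Chef Infra Client will print the content diff of that secret in its run log whenever the file is created or changes. Add `sensitive true` to the resource body; the `0400` mode and `cloudflared` ownership are otherwise appropriate for a private credential. The attribute itself is readable by anything that can read the node or policy data, so it is worth confirming it is fed from an encrypted store rather than a plain attribute file (not visible from this hunk).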
@@ -0,0 +1,17 @@ +# +# Cookbook:: esh_cloudflared +# Recipe:: default +# +# Copyright:: 2022, https://easyself.host +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/esh_cloudflared/recipes/install.rb b/esh_cloudflared/recipes/install.rb new file mode 100644 index 0000000..57cd9b7 --- /dev/null +++ b/esh_cloudflared/recipes/install.rb 
@@ -0,0 +1,75 @@
+#
+# Cookbook:: esh_cloudflared
+# Recipe:: default
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apt_repository 'cloudflared' do
+ uri 'https://pkg.cloudflare.com/cloudflared'
+ distribution 'jammy'
+ components %w(main)
+ key 'https://pkg.cloudflare.com/cloudflare-main.gpg'
+end
+
+apt_package 'cloudflared'
+
+sysctl 'net.core.rmem_max' do
+ value '2500000'
+ action :apply
+end
+
+group 'cloudflared' do
+ system true
+ action :create
+end
+
+user 'cloudflared' do
+ comment 'cloudflared tunnel user'
+ gid 'cloudflared'
+ home '/nonexistent'
+ shell '/usr/sbin/nologin'
+ system true
+ action :create
+end
+
+directory '/etc/cloudflared' do
+ owner 'cloudflared'
+ group 'cloudflared'
+ mode '0700'
+ action :create
+end
+
+systemd_unit 'cloudflared@.service' do
+ content <<~EOU
+ [Unit]
+ Description=Cloudflared tunnel %i
+ After=network.target
+
+ [Service]
+ User=cloudflared
+ Group=cloudflared
+ Type=notify
+ ExecStart=/usr/bin/cloudflared \
+ --origincert /etc/cloudflared/cert.pem \
+ --config /etc/cloudflared/%i.yaml \
+ tunnel run %i
+ Restart=on-failure
+ RestartSec=5s
+
+ [Install]
+ WantedBy=multi-user.target
+ EOU
+ action :create
+end
diff --git a/esh_cloudflared/resources/tunnel.rb b/esh_cloudflared/resources/tunnel.rb
new file mode 100644
index 0000000..afba79a
--- /dev/null
+++ b/esh_cloudflared/resources/tunnel.rb
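Review bot: The `cloudflared@.service` unit drops to the dedicated `cloudflared` user but carries no sandboxing directives, even though its `ExecStart` only needs read access to `/etc/cloudflared` plus outbound network. Adding `NoNewPrivileges=true`, `ProtectSystem=strict` and `PrivateTmp=true` (plus `ProtectHome=true`) under `[Service]` bounds what a compromised tunnel process can touch; `ProtectSystem=strict` still permits reading `/etc/cloudflared`, and if cloudflared turns out to write elsewhere at runtime a `ReadWritePaths=` entry covers it. A process that dials out at boot is also more reliably ordered with `After=network-online.target` and `Wants=network-online.target` than with plain `network.target`. Minor: the header says `Recipe:: default` but this file is `install.rb`, and `distribution 'jammy'` is hard-coded while the cookbook's metadata declares no `supports` constraint.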
@@ -0,0 +1,73 @@
+#
+# Cookbook:: esh_cloudflared
+# Resource:: tunnel
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+unified_mode true
+property :tunnel_name, String, name_property: true
+property :tunnel_hostname, Hash, required: true
+default_action :setup
+
+action :setup do
+ tunnel_name = new_resource.tunnel_name
+ tunnel_hostname = new_resource.tunnel_hostname
+
+ execute "cloudflared tunnel create #{tunnel_name}" do
+ command <<~EOT
+ cloudflared \
+ tunnel \
+ --origincert /etc/cloudflared/cert.pem \
+ create \
+ --credentials-file /etc/cloudflared/#{tunnel_name}.json \
+ #{tunnel_name}
+ EOT
+ creates "/etc/cloudflared/#{tunnel_name}.json"
+ user 'cloudflared'
+ login true
+ live_stream true
+ end
+
+ tunnel_hostname.each_key do |hostname|
+ execute "cloudflared tunnel route dns #{tunnel_name} #{hostname}" do
+ command <<~EOT
+ cloudflared \
+ --origincert /etc/cloudflared/cert.pem \
+ --credentials-file /etc/cloudflared/#{tunnel_name}.json \
+ tunnel route dns #{tunnel_name} #{hostname}
+ EOT
+ user 'cloudflared'
+ login true
+ live_stream true
+ not_if "host #{hostname}"
+ end
+ end
+
+ template "/etc/cloudflared/#{tunnel_name}.yaml" do
+ cookbook 'esh_cloudflared'
+ source 'config.yaml.erb'
+ owner 'cloudflared'
+ group 'cloudflared'
+ mode '0400'
+ variables tunnel_name: tunnel_name,
+ tunnel_hostname: tunnel_hostname
+ notifies :restart, "service[cloudflared@#{tunnel_name}]", :delayed
+ action :create
+ end
+
+ service "cloudflared@#{tunnel_name}" do
+ action [:enable, :start]
+ end
+end
diff --git a/esh_cloudflared/templates/default/config.yaml.erb b/esh_cloudflared/templates/default/config.yaml.erb
new file mode 100644
index 0000000..277d52b
--- /dev/null
+++ b/esh_cloudflared/templates/default/config.yaml.erb
@@ -0,0 +1,9 @@
+tunnel: <%= @tunnel_name %>
+credentials-file: /etc/cloudflared/<%= @tunnel_name %>.json
+
+ingress:
+<% @tunnel_hostname.each do |hostname, service| %>
+ - hostname: <%= hostname %>
+ service: <%= service %>
+<% end %>
+ - service: http_status:404
diff --git a/esh_cloudflared/test/integration/default/default_test.rb b/esh_cloudflared/test/integration/default/default_test.rb
new file mode 100644
index 0000000..1bf4eed
--- /dev/null
+++ b/esh_cloudflared/test/integration/default/default_test.rb
@@ -0,0 +1,16 @@
+# Chef InSpec test for recipe esh_cloudflared::default
+
+# The Chef InSpec reference, with examples and extensive documentation, can be
+# found at https://docs.chef.io/inspec/resources/
+
+unless os.windows?
+ # This is an example test, replace with your own test.
+ describe user('root'), :skip do
+ it { should exist }
+ end
+end
+
+# This is an example test, replace it with your own test.
+describe port(80), :skip do
+ it { should_not be_listening }
+end
diff --git a/esh_docker/.delivery/project.toml b/esh_docker/.delivery/project.toml
new file mode 100644
index 0000000..3a12ab5
--- /dev/null
+++ b/esh_docker/.delivery/project.toml
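Review bot: `tunnel_name` and every key of `tunnel_hostname` are spliced unquoted into shell command strings (both `command <<~EOT` heredocs and the `not_if "host #{hostname}"` guard), so a value containing shell metacharacters is interpreted by the shell rather than handed to cloudflared as an argument. Constrain them where they enter the resource, e.g. `property :tunnel_name, String, name_property: true, regex: /\A[A-Za-z0-9._-]+\z/`, and apply an equivalent `callbacks:` check to the hostname keys before any `execute` sees them. Separately, `not_if "host #{hostname}"` skips route creation whenever the name resolves at all, which also covers a pre-existing unrelated record, while a transient resolver failure re-runs `tunnel route dns` on every converge; guarding on the tunnel's own route listing would be more precise. The `host` binary is not installed by any recipe visible in this commit, so the guard may error on a minimal image.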
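Review bot: `hostname` and `service` are emitted as bare YAML scalars (`- hostname: <%= hostname %>` and `service: <%= service %>`), so a value containing `:`, `#`, or a leading YAML indicator would change the document's structure instead of being read as a string. Quote them in the template, e.g. `- hostname: <%= hostname.to_json %>` and `service: <%= service.to_json %>`, which produces a YAML-compatible double-quoted scalar. The trailing `- service: http_status:404` catch-all is the right default and must remain the last ingress rule.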
@@ -0,0 +1,32 @@ +# Delivery for Local Phases Execution +# +# This file allows you to execute test phases locally on a workstation or +# in a CI pipeline. The delivery-cli will read this file and execute the +# command(s) that are configured for each phase. You can customize them +# by just modifying the phase key on this file. +# +# By default these phases are configured for Cookbook Workflow only +# + +[local_phases] +unit = "echo skipping unit phase." +lint = "chef exec cookstyle" +# foodcritic has been deprecated in favor of cookstyle so we skip the syntax +# phase now. +syntax = "echo skipping syntax phase. Use lint phase instead." +provision = "chef exec kitchen create" +deploy = "chef exec kitchen converge" +smoke = "chef exec kitchen verify" +# The functional phase is optional, you can define it by uncommenting +# the line below and running the command: `delivery local functional` +# functional = "" +cleanup = "chef exec kitchen destroy" + +# Remote project.toml file +# +# Instead of the local phases above, you may specify a remote URI location for +# the `project.toml` file. This is useful for teams that wish to centrally +# manage the behavior of the `delivery local` command across many different +# projects. +# +# remote_file = "https://url/project.toml" diff --git a/esh_docker/.gitignore b/esh_docker/.gitignore new file mode 100644 index 0000000..f1e57b8 --- /dev/null +++ b/esh_docker/.gitignore @@ -0,0 +1,25 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +kitchen.local.yml + +# Chef Infra +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json + +.idea/ + diff --git a/esh_docker/CHANGELOG.md b/esh_docker/CHANGELOG.md new file mode 100644 index 0000000..72cff3c --- /dev/null +++ b/esh_docker/CHANGELOG.md 
@@ -0,0 +1,10 @@ +# esh_docker CHANGELOG + +This file is used to list changes made in each version of the esh_docker cookbook. + +## 0.1.0 + +Initial release. + +- change 0 +- change 1 diff --git a/esh_docker/LICENSE b/esh_docker/LICENSE new file mode 100644 index 0000000..11069ed --- /dev/null +++ b/esh_docker/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/esh_docker/Policyfile.rb b/esh_docker/Policyfile.rb new file mode 100644 index 0000000..f87ce52 --- /dev/null +++ b/esh_docker/Policyfile.rb @@ -0,0 +1,16 @@ +# Policyfile.rb - Describe how you want Chef Infra Client to build your system. +# +# For more information on the Policyfile feature, visit +# https://docs.chef.io/policyfile/ + +# A name that describes what the system you're building with Chef does. +name 'esh_docker' + +# Where to find external cookbooks: +default_source :supermarket + +# run_list: chef-client will run these recipes in the order specified. +run_list 'esh_docker::default' + +# Specify a custom source for a single cookbook: +cookbook 'esh_docker', path: '.' diff --git a/esh_docker/README.md b/esh_docker/README.md new file mode 100644 index 0000000..41aadc9 --- /dev/null 
+++ b/esh_docker/README.md @@ -0,0 +1,4 @@ +# esh_docker + +TODO: Enter the cookbook description here. + diff --git a/esh_docker/chefignore b/esh_docker/chefignore new file mode 100644 index 0000000..cc170ea --- /dev/null +++ b/esh_docker/chefignore @@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen.yml* +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/esh_docker/kitchen.yml b/esh_docker/kitchen.yml new file mode 100644 index 0000000..cef0219 --- /dev/null +++ b/esh_docker/kitchen.yml 
@@ -0,0 +1,31 @@ +--- +driver: + name: vagrant + +## The forwarded_port port feature lets you connect to ports on the VM guest +## via localhost on the host. +## see also: https://www.vagrantup.com/docs/networking/forwarded_ports + +# network: +# - ["forwarded_port", {guest: 80, host: 8080}] + +provisioner: + name: chef_zero + + ## product_name and product_version specifies a specific Chef product and version to install. + ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/ + # product_name: chef + # product_version: 17 + +verifier: + name: inspec + +platforms: + - name: ubuntu-20.04 + - name: centos-8 + +suites: + - name: default + verifier: + inspec_tests: + - test/integration/default diff --git a/esh_docker/metadata.rb b/esh_docker/metadata.rb new file mode 100644 index 0000000..38e1e93 --- /dev/null +++ b/esh_docker/metadata.rb @@ -0,0 +1,20 @@ +name 'esh_docker' +maintainer 'https://easyself.host' +maintainer_email 'esh@benpro.fr' +license 'Apache-2.0' +description 'Installs/Configures esh_docker' +version '0.1.0' +chef_version '>= 16.0' +supports 'ubuntu', '= 22.04' + +# The `issues_url` points to the location where issues for this cookbook are +# tracked. A `View Issues` link will be displayed on this cookbook's page when +# uploaded to a Supermarket. +# +# issues_url 'https://github.com//esh_docker/issues' + +# The `source_url` points to the development repository for this cookbook. A +# `View Source` link will be displayed on this cookbook's page when uploaded to +# a Supermarket. +# +# source_url 'https://github.com//esh_docker' diff --git a/esh_docker/recipes/default.rb b/esh_docker/recipes/default.rb new file mode 100644 index 0000000..86b4e39 --- /dev/null +++ b/esh_docker/recipes/default.rb 
@@ -0,0 +1,17 @@ +# +# Cookbook:: esh_docker +# Recipe:: default +# +# Copyright:: 2022, https://easyself.host +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/esh_docker/recipes/service.rb b/esh_docker/recipes/service.rb new file mode 100644 index 0000000..cf12159 --- /dev/null +++ b/esh_docker/recipes/service.rb 
@@ -0,0 +1,64 @@
+#
+# Cookbook:: esh_docker
+# Recipe:: service
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apt_package %w(
+ apt-transport-https
+ ca-certificates
+ curl
+ gnupg-agent
+ software-properties-common
+ lsb-release
+)
+
+directory '/etc/apt/keyrings' do
+ owner 'root'
+ group 'root'
+ mode '0755'
+ action :create
+end
+
+execute 'add docker gpg key' do
+ command <<~EOT
+ curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
+ | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+ EOT
+ not_if { ::File.exist?('/etc/apt/keyrings/docker.gpg') }
+ action :run
+end
+
+execute 'add docker sources.list' do
+ command <<~EOT
+ echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" \
+ > /etc/apt/sources.list.d/docker.list
+ EOT
+ notifies :update, 'apt_update', :immediately
+ not_if { ::File.exist?('/etc/apt/sources.list.d/docker.list') }
+ action :run
+end
+
+apt_update do
+ action :nothing
+end
+
+apt_package %w(
+ docker-ce docker-ce-cli containerd.io docker-compose-plugin
+)
+
+service 'docker' do
+ action [:enable, :start]
+end
diff --git a/esh_docker/test/integration/default/default_test.rb b/esh_docker/test/integration/default/default_test.rb
new file mode 100644
index 0000000..72d1f17
--- /dev/null
+++ b/esh_docker/test/integration/default/default_test.rb
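Review bot: The two `execute` resources set up the Docker apt source with `curl | gpg --dearmor` and a shell `echo … >` redirect, each guarded only by `::File.exist?`, so the keyring and source line are written once and never reconciled afterwards, and the fetched key's fingerprint is never checked against a known value. `gpg --dearmor -o` can also leave `/etc/apt/keyrings/docker.gpg` without world-read permission depending on umask, which makes the `signed-by=` reference unusable for the unprivileged `_apt` user (the upstream install instructions follow this step with `chmod a+r` for that reason). The `esh_cloudflared` cookbook in this same commit uses `apt_repository` for the equivalent step; replacing both `execute` resources and the bare `apt_update` with one `apt_repository 'docker'` resource is consistent with it, convergent on change, and lets Chef manage the keyring. If the shell form is kept, at least manage the keyring mode explicitly with a `file` resource.

```ruby
apt_repository 'docker' do
  uri 'https://download.docker.com/linux/ubuntu'
  distribution node['lsb']['codename']
  components %w(stable)
  key 'https://download.docker.com/linux/ubuntu/gpg'
end

# … unchanged: docker-ce apt_package and service 'docker' …
```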
@@ -0,0 +1,16 @@ +# Chef InSpec test for recipe esh_docker::default + +# The Chef InSpec reference, with examples and extensive documentation, can be +# found at https://docs.chef.io/inspec/resources/ + +unless os.windows? + # This is an example test, replace with your own test. + describe user('root'), :skip do + it { should exist } + end +end + +# This is an example test, replace it with your own test. +describe port(80), :skip do + it { should_not be_listening } +end diff --git a/esh_forgejo/.delivery/project.toml b/esh_forgejo/.delivery/project.toml new file mode 100644 index 0000000..3a12ab5 --- /dev/null +++ b/esh_forgejo/.delivery/project.toml @@ -0,0 +1,32 @@ +# Delivery for Local Phases Execution +# +# This file allows you to execute test phases locally on a workstation or +# in a CI pipeline. The delivery-cli will read this file and execute the +# command(s) that are configured for each phase. You can customize them +# by just modifying the phase key on this file. +# +# By default these phases are configured for Cookbook Workflow only +# + +[local_phases] +unit = "echo skipping unit phase." +lint = "chef exec cookstyle" +# foodcritic has been deprecated in favor of cookstyle so we skip the syntax +# phase now. +syntax = "echo skipping syntax phase. Use lint phase instead." +provision = "chef exec kitchen create" +deploy = "chef exec kitchen converge" +smoke = "chef exec kitchen verify" +# The functional phase is optional, you can define it by uncommenting +# the line below and running the command: `delivery local functional` +# functional = "" +cleanup = "chef exec kitchen destroy" + +# Remote project.toml file +# +# Instead of the local phases above, you may specify a remote URI location for +# the `project.toml` file. This is useful for teams that wish to centrally +# manage the behavior of the `delivery local` command across many different +# projects. +# +# remote_file = "https://url/project.toml" 
diff --git a/esh_forgejo/.gitignore b/esh_forgejo/.gitignore new file mode 100644 index 0000000..f1e57b8 --- /dev/null +++ b/esh_forgejo/.gitignore @@ -0,0 +1,25 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +kitchen.local.yml + +# Chef Infra +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json + +.idea/ + diff --git a/esh_forgejo/CHANGELOG.md b/esh_forgejo/CHANGELOG.md new file mode 100644 index 0000000..2b34b87 --- /dev/null +++ b/esh_forgejo/CHANGELOG.md @@ -0,0 +1,10 @@ +# esh_forgejo CHANGELOG + +This file is used to list changes made in each version of the esh_forgejo cookbook. + +## 0.1.0 + +Initial release. + +- change 0 +- change 1 diff --git a/esh_forgejo/LICENSE b/esh_forgejo/LICENSE new file mode 100644 index 0000000..11069ed --- /dev/null +++ b/esh_forgejo/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/esh_forgejo/Policyfile.rb b/esh_forgejo/Policyfile.rb new file mode 100644 index 0000000..0118a7a --- /dev/null +++ b/esh_forgejo/Policyfile.rb @@ -0,0 +1,16 @@ +# Policyfile.rb - Describe how you want Chef Infra Client to build your system. +# +# For more information on the Policyfile feature, visit +# https://docs.chef.io/policyfile/ + +# A name that describes what the system you're building with Chef does. +name 'esh_forgejo' + +# Where to find external cookbooks: +default_source :supermarket + +# run_list: chef-client will run these recipes in the order specified. +run_list 'esh_forgejo::default' + +# Specify a custom source for a single cookbook: +cookbook 'esh_forgejo', path: '.' diff --git a/esh_forgejo/README.md b/esh_forgejo/README.md new file mode 100644 index 0000000..f21dc65 --- /dev/null 
+++ b/esh_forgejo/README.md @@ -0,0 +1,4 @@ +# esh_forgejo + +TODO: Enter the cookbook description here. + diff --git a/esh_forgejo/chefignore b/esh_forgejo/chefignore new file mode 100644 index 0000000..cc170ea --- /dev/null +++ b/esh_forgejo/chefignore @@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen.yml* +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/esh_forgejo/kitchen.yml b/esh_forgejo/kitchen.yml new file mode 100644 index 0000000..cef0219 --- /dev/null +++ b/esh_forgejo/kitchen.yml 
@@ -0,0 +1,31 @@
+---
+driver:
+  name: vagrant
+
+## The forwarded_port port feature lets you connect to ports on the VM guest
+## via localhost on the host.
+## see also: https://www.vagrantup.com/docs/networking/forwarded_ports
+
+# network:
+#   - ["forwarded_port", {guest: 80, host: 8080}]
+
+provisioner:
+  name: chef_zero
+
+  ## product_name and product_version specifies a specific Chef product and version to install.
+  ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/
+  # product_name: chef
+  # product_version: 17
+
+verifier:
+  name: inspec
+
+platforms:
+  - name: ubuntu-20.04
+  - name: centos-8
+
+suites:
+  - name: default
+    verifier:
+      inspec_tests:
+        - test/integration/default
diff --git a/esh_forgejo/metadata.rb b/esh_forgejo/metadata.rb
new file mode 100644
index 0000000..69b7113
--- /dev/null
+++ b/esh_forgejo/metadata.rb
@@ -0,0 +1,21 @@
+name 'esh_forgejo'
+maintainer 'https://easyself.host'
+maintainer_email 'esh@benpro.fr'
+license 'Apache-2.0'
+description 'Installs/Configures esh_forgejo'
+version '0.1.0'
+chef_version '>= 16.0'
+supports 'ubuntu', '= 22.04'
+depends 'mariadb'
+
+# The `issues_url` points to the location where issues for this cookbook are
+# tracked. A `View Issues` link will be displayed on this cookbook's page when
+# uploaded to a Supermarket.
+#
+# issues_url 'https://github.com//esh_forgejo/issues'
+
+# The `source_url` points to the development repository for this cookbook. A
+# `View Source` link will be displayed on this cookbook's page when uploaded to
+# a Supermarket.
+#
+# source_url 'https://github.com//esh_forgejo'
diff --git a/esh_forgejo/recipes/default.rb b/esh_forgejo/recipes/default.rb
new file mode 100644
index 0000000..964aece
--- /dev/null
+++ b/esh_forgejo/recipes/default.rb
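Review bot: The `platforms` list converges the suite on `ubuntu-20.04` and `centos-8`, while `metadata.rb` in the same commit declares `supports 'ubuntu', '= 22.04'` only and every recipe uses `apt_package`, which cannot converge on CentOS; the kitchen matrix therefore tests two platforms the cookbook does not support and skips the one it does. Replace the two entries with `  - name: ubuntu-22.04`. The `default` suite also runs only `esh_forgejo::default`, which in this commit is an empty license header, so `kitchen verify` exercises none of the `system`, `mariadb` or `service` recipes unless the run list is widened.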
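Review bot: `depends 'mariadb'` carries no version constraint, and the `.gitignore` added for this cookbook in the same commit excludes `Policyfile.lock.json`, so every `chef install` resolves whatever `mariadb` version the Supermarket serves that day, with no lock to review, diff or roll back. Pin the dependency, e.g. `depends 'mariadb', '~> X.Y'` (placeholder for the version actually tested), and consider committing the lock file so converges are reproducible and a changed upstream cookbook shows up as a reviewable diff.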
@@ -0,0 +1,17 @@
+#
+# Cookbook:: esh_forgejo
+# Recipe:: default
+#
+# Copyright:: 2023, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
diff --git a/esh_forgejo/recipes/mariadb.rb b/esh_forgejo/recipes/mariadb.rb
new file mode 100644
index 0000000..162cd0f
--- /dev/null
+++ b/esh_forgejo/recipes/mariadb.rb
@@ -0,0 +1,36 @@
+#
+# Cookbook:: esh_forgejo
+# Recipe:: system
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apt_package 'mariadb-server'
+
+mariadb_server_install 'MariaDB Server install' do
+  version '10.6'
+  setup_repo false
+end
+
+mariadb_user 'git' do
+  password node['esh']['forgejo']['mariadb']['password']
+  database_name 'git'
+  action [:create, :grant]
+end
+
+mariadb_database 'git' do
+  encoding 'utf8mb4'
+  collation 'utf8mb4_unicode_ci'
+  action :create
+end
diff --git a/esh_forgejo/recipes/service.rb b/esh_forgejo/recipes/service.rb
new file mode 100644
index 0000000..510396d
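Review bot: `recipes/default.rb` contains nothing but the license header, so `run_list 'esh_forgejo::default'` in this cookbook's Policyfile converges nothing while `system`, `mariadb` and `service` are never included from it. If the repo-level policyfile is meant to list those recipes individually, say so in the file with a comment such as `# Intentionally empty: system, mariadb and service are run directly from the policyfile.`; otherwise add the three `include_recipe` lines in that dependency order so the default entry point actually builds the host.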
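Review bot: The header reads `# Recipe:: system` but this file is `recipes/mariadb.rb`; change it to `# Recipe:: mariadb`. `mariadb_user 'git'` takes its password from `node['esh']['forgejo']['mariadb']['password']` without `sensitive true`, so unless the mariadb cookbook's resource already marks that property sensitive the credential can surface in converge output and resource reports; adding `sensitive true` inside the block is cheap insurance. `apt_package 'mariadb-server'` followed by `mariadb_server_install` with `setup_repo false` also appears to install the same package twice, since the latter normally handles the package itself — worth confirming against the mariadb cookbook version in use and dropping one of the two.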
--- /dev/null
+++ b/esh_forgejo/recipes/service.rb
@@ -0,0 +1,154 @@
+#
+# Cookbook:: esh_forgejo
+# Recipe:: service
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+remote_file '/usr/local/bin/forgejo' do
+  source node['esh']['forgejo']['service']['binary']
+  owner 'root'
+  group 'root'
+  mode '0755'
+  action :create
+end
+
+apt_package 'gpg'
+
+execute 'add forgejo gpg key' do
+  command 'gpg --keyserver keys.openpgp.org --recv EB114F5E6C0DC2BCDD183550A4B61A2DC5923710'
+  not_if 'gpg --list-keys EB114F5E6C0DC2BCDD183550A4B61A2DC5923710'
+  action :run
+end
+
+remote_file '/tmp/forgejo.asc' do
+  source node['esh']['forgejo']['service']['asc']
+  owner 'root'
+  group 'root'
+  mode '0444'
+  action :create
+end
+
+execute 'check if valid gpg signature' do
+  command 'gpg --verify /tmp/forgejo.asc /usr/local/bin/forgejo'
+  action :run
+end
+
+systemd_unit 'forgejo.service' do
+  content <<~EOU
+    [Unit]
+    Description=Forgejo
+    After=syslog.target
+    After=network.target
+    ###
+    # Don't forget to add the database service dependencies
+    ###
+    #
+    #Wants=mysql.service
+    #After=mysql.service
+    #
+    Wants=mariadb.service
+    After=mariadb.service
+    #
+    #Wants=postgresql.service
+    #After=postgresql.service
+    #
+    #Wants=memcached.service
+    #After=memcached.service
+    #
+    Wants=redis.service
+    After=redis.service
+    #
+    ###
+    # If using socket activation for main http/s
+    ###
+    #
+    #After=gitea.main.socket
+    #Requires=gitea.main.socket
+    #
+    ###
+    # (You can also provide gitea an http fallback and/or ssh socket too)
+    #
+    # An example of /etc/systemd/system/gitea.main.socket
+    ###
+    ##
+    ## [Unit]
+    ## Description=Gitea Web Socket
+    ## PartOf=gitea.service
+    ##
+    ## [Socket]
+    ## Service=gitea.service
+    ## ListenStream=
+    ## NoDelay=true
+    ##
+    ## [Install]
+    ## WantedBy=sockets.target
+    ##
+    ###
+
+    [Service]
+    # Uncomment the next line if you have repos with lots of files and get a HTTP 500 error because of that
+    # LimitNOFILE=524288:524288
+    RestartSec=2s
+    Type=simple
+    User=git
+    Group=git
+    WorkingDirectory=/var/lib/gitea
+    # If using Unix socket: tells systemd to create the /run/gitea folder, which will contain the gitea.sock file
+    # (manually creating /run/gitea doesn't work, because it would not persist across reboots)
+    #RuntimeDirectory=gitea
+    ExecStart=/usr/local/bin/forgejo web --config /etc/forgejo/app.ini
+    Restart=always
+    Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea
+    # If you install Git to directory prefix other than default PATH (which happens
+    # for example if you install other versions of Git side-to-side with
+    # distribution version), uncomment below line and add that prefix to PATH
+    # Don't forget to place git-lfs binary on the PATH below if you want to enable
+    # Git LFS support
+    #Environment=PATH=/path/to/git/bin:/bin:/sbin:/usr/bin:/usr/sbin
+    # If you want to bind Gitea to a port below 1024, uncomment
+    # the two values below, or use socket activation to pass Gitea its ports as above
+    ###
+    #CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+    #AmbientCapabilities=CAP_NET_BIND_SERVICE
+    ###
+    # In some cases, when using CapabilityBoundingSet and AmbientCapabilities option, you may want to
+    # set the following value to false to allow capabilities to be applied on gitea process. The following
+    # value if set to true sandboxes gitea service and prevent any processes from running with privileges
+    # in the host user namespace.
+    ###
+    #PrivateUsers=false
+    ###
+
+    [Install]
+    WantedBy=multi-user.target
+  EOU
+  action [:create, :enable, :start]
+end
+
+if node['esh']['forgejo']['service']['load_config']
+  file '/etc/forgejo/app.ini' do
+    content node['esh']['forgejo']['service']['config']
+    owner 'git'
+    group 'git'
+    mode '0600'
+    notifies :restart, 'service[forgejo]', :immediately
+    action :create
+  end
+end
+
+service 'forgejo' do
+  subscribes :restart, 'remote_file[/usr/local/bin/forgejo]', :delayed
+  action :nothing
+end
diff --git a/esh_forgejo/recipes/system.rb b/esh_forgejo/recipes/system.rb
new file mode 100644
index 0000000..b9c5a5b
--- /dev/null
+++ b/esh_forgejo/recipes/system.rb
@@ -0,0 +1,48 @@
+#
+# Cookbook:: esh_forgejo
+# Recipe:: system
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apt_package %w(git redis-server)
+
+group 'git' do
+  system true
+  action :create
+end
+
+user 'git' do
+  comment 'git system user'
+  gid 'git'
+  home '/home/git'
+  manage_home true
+  shell '/usr/bin/bash'
+  system true
+  action :create
+end
+
+directory '/var/lib/gitea' do
+  owner 'git'
+  group 'git'
+  mode '0750'
+  action :create
+end
+
+directory '/etc/forgejo' do
+  owner 'git'
+  group 'git'
+  mode '0750'
+  action :create
+end
diff --git a/esh_forgejo/test/integration/default/default_test.rb b/esh_forgejo/test/integration/default/default_test.rb
new file mode 100644
index 0000000..e3f687d
--- /dev/null
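Review bot: The signature check runs only after `remote_file '/usr/local/bin/forgejo'` has already replaced the production binary with mode `0755`, and `systemd_unit 'forgejo.service'` starts it (and `service[forgejo]` restarts on the download) regardless, so a failing `gpg --verify` aborts the converge but leaves an unverified executable installed and potentially running. Download to a staging path instead, verify that, and copy it into `/usr/local/bin` only when the check passes; `remote_file` also accepts a `checksum` property, which would let a pinned SHA-256 attribute reject a tampered download before gpg is involved at all. The verify `execute` additionally has `action :run` with no guard, so it re-runs on every converge; making it `action :nothing` and notifying it `:immediately` from the staged download fixes both the ordering and the idempotency. Note that `gpg --verify` accepts any key in root's keyring, not just the fingerprint imported above, so pointing it at a dedicated keyring that holds only that key would make the trust anchor explicit.
```ruby
# … unchanged: license header, apt_package 'gpg', execute 'add forgejo gpg key' …

# The detached signature must exist before the staged binary triggers the check.
remote_file '/tmp/forgejo.asc' do
  source node['esh']['forgejo']['service']['asc']
  owner 'root'
  group 'root'
  mode '0444'
  action :create
end

# Stage the download outside PATH and non-executable; nothing runs it until verified.
remote_file '/tmp/forgejo.staged' do # staging path is a constructed example
  source node['esh']['forgejo']['service']['binary']
  owner 'root'
  group 'root'
  mode '0644'
  action :create
  notifies :run, 'execute[check if valid gpg signature]', :immediately
end

# Raises (and aborts the run) on a bad signature, before anything is installed.
execute 'check if valid gpg signature' do
  command 'gpg --verify /tmp/forgejo.asc /tmp/forgejo.staged'
  action :nothing
end

# Only reached when the verification above did not raise.
remote_file '/usr/local/bin/forgejo' do
  source 'file:///tmp/forgejo.staged'
  owner 'root'
  group 'root'
  mode '0755'
  action :create
end

# … unchanged: systemd_unit 'forgejo.service', app.ini file, service 'forgejo' …
```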
+++ b/esh_forgejo/test/integration/default/default_test.rb
@@ -0,0 +1,16 @@
+# Chef InSpec test for recipe esh_forgejo::default
+
+# The Chef InSpec reference, with examples and extensive documentation, can be
+# found at https://docs.chef.io/inspec/resources/
+
+unless os.windows?
+  # This is an example test, replace with your own test.
+  describe user('root'), :skip do
+    it { should exist }
+  end
+end
+
+# This is an example test, replace it with your own test.
+describe port(80), :skip do
+  it { should_not be_listening }
+end
diff --git a/esh_go_mmproxy/.gitignore b/esh_go_mmproxy/.gitignore
new file mode 100644
index 0000000..f1e57b8
--- /dev/null
+++ b/esh_go_mmproxy/.gitignore
@@ -0,0 +1,25 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+kitchen.local.yml
+
+# Chef Infra
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json
+
+.idea/
+
diff --git a/esh_go_mmproxy/CHANGELOG.md b/esh_go_mmproxy/CHANGELOG.md
new file mode 100644
index 0000000..af4a9f9
--- /dev/null
+++ b/esh_go_mmproxy/CHANGELOG.md
@@ -0,0 +1,10 @@
+# esh_go_mmproxy CHANGELOG
+
+This file is used to list changes made in each version of the esh_go_mmproxy cookbook.
+
+## 0.1.0
+
+Initial release.
+
+- change 0
+- change 1
diff --git a/esh_go_mmproxy/LICENSE b/esh_go_mmproxy/LICENSE
new file mode 100644
index 0000000..11069ed
--- /dev/null
+++ b/esh_go_mmproxy/LICENSE
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/esh_go_mmproxy/Policyfile.rb b/esh_go_mmproxy/Policyfile.rb new file mode 100644 index 0000000..fbf325e --- /dev/null +++ b/esh_go_mmproxy/Policyfile.rb @@ -0,0 +1,16 @@ +# Policyfile.rb - Describe how you want Chef Infra Client to build your system. +# +# For more information on the Policyfile feature, visit +# https://docs.chef.io/policyfile/ + +# A name that describes what the system you're building with Chef does. +name 'esh_go_mmproxy' + +# Where to find external cookbooks: +default_source :supermarket + +# run_list: chef-client will run these recipes in the order specified. +run_list 'esh_go_mmproxy::default' + +# Specify a custom source for a single cookbook: +cookbook 'esh_go_mmproxy', path: '.' diff --git a/esh_go_mmproxy/README.md b/esh_go_mmproxy/README.md new file mode 100644 index 0000000..a717b44 
--- /dev/null +++ b/esh_go_mmproxy/README.md @@ -0,0 +1,4 @@ +# esh_go_mmproxy + +TODO: Enter the cookbook description here. + diff --git a/esh_go_mmproxy/chefignore b/esh_go_mmproxy/chefignore new file mode 100644 index 0000000..cc170ea --- /dev/null +++ b/esh_go_mmproxy/chefignore @@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen.yml* +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/esh_go_mmproxy/compliance/README.md b/esh_go_mmproxy/compliance/README.md new file mode 100644 index 0000000..998facd --- /dev/null +++ b/esh_go_mmproxy/compliance/README.md 
@@ -0,0 +1,25 @@ +# compliance + +This directory contains Cinc Auditor profile, waiver and input objects which are used with the Cinc Infra Compliance Phase. + +Detailed information on the Cinc Infra Compliance Phase can be found in the [Chef Documentation](https://docs.chef.io/chef_compliance_phase/). + +```plain +./compliance +├── inputs +├── profiles +└── waivers +``` + +Use the `cinc generate` command from Cinc Workstation to create content for these directories: + +```sh +# Generate a Cinc Auditor profile +cinc generate profile PROFILE_NAME + +# Generate a Cinc Auditor waiver file +cinc generate waiver WAIVER_NAME + +# Generate a Cinc Auditor input file +cinc generate input INPUT_NAME +``` diff --git a/esh_go_mmproxy/kitchen.yml b/esh_go_mmproxy/kitchen.yml new file mode 100644 index 0000000..cef0219 --- /dev/null +++ b/esh_go_mmproxy/kitchen.yml @@ -0,0 +1,31 @@ +--- +driver: + name: vagrant + +## The forwarded_port port feature lets you connect to ports on the VM guest +## via localhost on the host. +## see also: https://www.vagrantup.com/docs/networking/forwarded_ports + +# network: +# - ["forwarded_port", {guest: 80, host: 8080}] + +provisioner: + name: chef_zero + + ## product_name and product_version specifies a specific Chef product and version to install. + ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/ + # product_name: chef + # product_version: 17 + +verifier: + name: inspec + +platforms: + - name: ubuntu-20.04 + - name: centos-8 + +suites: + - name: default + verifier: + inspec_tests: + - test/integration/default diff --git a/esh_go_mmproxy/metadata.rb b/esh_go_mmproxy/metadata.rb new file mode 100644 index 0000000..d7ef6e5 --- /dev/null +++ b/esh_go_mmproxy/metadata.rb 
@@ -0,0 +1,19 @@ +name 'esh_go_mmproxy' +maintainer 'https://easyself.host' +maintainer_email 'esh@benoit.jp.net' +license 'Apache-2.0' +description 'Installs/Configures esh_go_mmproxy' +version '0.1.0' +chef_version '>= 16.0' + +# The `issues_url` points to the location where issues for this cookbook are +# tracked. A `View Issues` link will be displayed on this cookbook's page when +# uploaded to a Supermarket. +# +# issues_url 'https://github.com//esh_go_mmproxy/issues' + +# The `source_url` points to the development repository for this cookbook. A +# `View Source` link will be displayed on this cookbook's page when uploaded to +# a Supermarket. +# +# source_url 'https://github.com//esh_go_mmproxy' diff --git a/esh_go_mmproxy/recipes/default.rb b/esh_go_mmproxy/recipes/default.rb new file mode 100644 index 0000000..10de4b6 --- /dev/null +++ b/esh_go_mmproxy/recipes/default.rb 
@@ -0,0 +1,45 @@
+#
+# Cookbook:: esh_go_mmproxy
+# Recipe:: default
+#
+# Copyright:: 2023, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+package 'golang'
+
+execute 'set GOBIN path' do
+ command 'go env -w GOBIN=/usr/local/bin'
+ not_if 'go env | grep GOBIN=\"/usr/local/bin\"'
+ action :run
+end
+
+execute 'install go-mmproxy' do
+ command 'go install github.com/path-network/go-mmproxy@2.1'
+ not_if { ::File.exist?('/usr/local/bin/go-mmproxy') }
+ action :run
+end
+
+file '/usr/share/path-prefixes.txt' do
+ content node['esh']['go_mmproxy']['prefixes']
+ owner 'root'
+ group 'root'
+ mode '0644'
+ action :create
+end
+
+node['esh']['go_mmproxy']['proxies'].each do |to, listen|
+ esh_go_mmproxy_service to do
+ listen listen
+ end
+end
\ No newline at end of file
diff --git a/esh_go_mmproxy/resources/service.rb b/esh_go_mmproxy/resources/service.rb
new file mode 100644
index 0000000..98b1cbe
--- /dev/null
+++ b/esh_go_mmproxy/resources/service.rb
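Review bot: `file '/usr/share/path-prefixes.txt'` takes its content straight from `node['esh']['go_mmproxy']['prefixes']`, and when that attribute is unset the resource writes an empty file, so the `-allowed-subnets` list that decides which peers go-mmproxy trusts to assert client addresses is replaced by nothing rather than the run failing; add a guard before the resource such as `raise 'node[esh][go_mmproxy][prefixes] must be set' if node['esh']['go_mmproxy']['prefixes'].to_s.strip.empty?`. The same applies to `node['esh']['go_mmproxy']['proxies'].each`, which on a missing attribute raises a bare NoMethodError instead of a readable error. Separately, the `install go-mmproxy` guard is only `File.exist?`, so the `@2.1` pin is never re-applied once any binary is present; a comment such as `# upgrading requires removing /usr/local/bin/go-mmproxy first` would make that explicit.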
@@ -0,0 +1,60 @@ +# +# Cookbook:: esh_go_mmproxy +# Resource:: service +# +# Copyright:: 2023, https://easyself.host +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +unified_mode true +property :to, String, required: true, name_property: true +property :listen, String +default_action :service + +action :service do + listen = new_resource.listen + to = new_resource.to + + systemd_unit "go-mmproxy-#{listen}.service" do + content <<~EOU + [Unit] + Description=go-mmproxy redirect on #{to}, listen on #{listen} + Documentation=https://github.com/path-network/go-mmproxy/blob/master/go-mmproxy.service.example + After=network.target + + [Service] + Type=simple + LimitNOFILE=65535 + ExecStartPost=-/sbin/ip rule add from 127.0.0.1/8 iif lo table 123 + ExecStartPost=-/sbin/ip route add local 0.0.0.0/0 dev lo table 123 + ExecStartPost=-/sbin/ip -6 rule add from ::1/128 iif lo table 123 + ExecStartPost=-/sbin/ip -6 route add local ::/0 dev lo table 123 + ExecStart=/usr/local/bin/go-mmproxy -4 127.0.0.1:#{to} -6 "[::1]:#{to}" -allowed-subnets /usr/share/path-prefixes.txt -l 0.0.0.0:#{listen} + ExecStopPost=-/sbin/ip rule del from 127.0.0.1/8 iif lo table 123 + ExecStopPost=-/sbin/ip route del local 0.0.0.0/0 dev lo table 123 + ExecStopPost=-/sbin/ip -6 rule del from ::1/128 iif lo table 123 + ExecStopPost=-/sbin/ip -6 route del local ::/0 dev lo table 123 + Restart=on-failure + RestartSec=10s + + [Install] + WantedBy=multi-user.target + EOU + verify false + action :create + end + + 
service "go-mmproxy-#{listen}" do + action [:enable, :start] + end +end \ No newline at end of file diff --git a/esh_go_mmproxy/test/integration/default/default_test.rb b/esh_go_mmproxy/test/integration/default/default_test.rb new file mode 100644 index 0000000..051056c --- /dev/null +++ b/esh_go_mmproxy/test/integration/default/default_test.rb @@ -0,0 +1,16 @@ +# Chef InSpec test for recipe esh_go_mmproxy::default + +# The Chef InSpec reference, with examples and extensive documentation, can be +# found at https://docs.chef.io/inspec/resources/ + +unless os.windows? + # This is an example test, replace with your own test. + describe user('root'), :skip do + it { should exist } + end +end + +# This is an example test, replace it with your own test. +describe port(80), :skip do + it { should_not be_listening } +end diff --git a/esh_haproxy/.gitignore b/esh_haproxy/.gitignore new file mode 100644 index 0000000..f1e57b8 --- /dev/null +++ b/esh_haproxy/.gitignore @@ -0,0 +1,25 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +kitchen.local.yml + +# Chef Infra +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json + +.idea/ + diff --git a/esh_haproxy/CHANGELOG.md b/esh_haproxy/CHANGELOG.md new file mode 100644 index 0000000..440c6dc --- /dev/null +++ b/esh_haproxy/CHANGELOG.md @@ -0,0 +1,10 @@ +# esh_haproxy CHANGELOG + +This file is used to list changes made in each version of the esh_haproxy cookbook. + +## 0.1.0 + +Initial release. + +- change 0 +- change 1 diff --git a/esh_haproxy/LICENSE b/esh_haproxy/LICENSE new file mode 100644 index 0000000..11069ed --- /dev/null +++ b/esh_haproxy/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/esh_haproxy/Policyfile.rb b/esh_haproxy/Policyfile.rb new file mode 100644 index 0000000..b96e138 --- /dev/null +++ b/esh_haproxy/Policyfile.rb @@ -0,0 +1,16 @@ +# Policyfile.rb - Describe how you want Chef Infra Client to build your system. +# +# For more information on the Policyfile feature, visit +# https://docs.chef.io/policyfile/ + +# A name that describes what the system you're building with Chef does. +name 'esh_haproxy' + +# Where to find external cookbooks: +default_source :supermarket + +# run_list: chef-client will run these recipes in the order specified. +run_list 'esh_haproxy::default' + +# Specify a custom source for a single cookbook: +cookbook 'esh_haproxy', path: '.' diff --git a/esh_haproxy/README.md b/esh_haproxy/README.md new file mode 100644 index 0000000..fc1d15d --- /dev/null 
+++ b/esh_haproxy/README.md @@ -0,0 +1,4 @@ +# esh_haproxy + +TODO: Enter the cookbook description here. + diff --git a/esh_haproxy/chefignore b/esh_haproxy/chefignore new file mode 100644 index 0000000..cc170ea --- /dev/null +++ b/esh_haproxy/chefignore @@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen.yml* +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/esh_haproxy/compliance/README.md b/esh_haproxy/compliance/README.md new file mode 100644 index 0000000..947be3e --- /dev/null +++ b/esh_haproxy/compliance/README.md 
@@ -0,0 +1,25 @@ +# compliance + +This directory contains Chef InSpec profile, waiver and input objects which are used with the Chef Infra Compliance Phase. + +Detailed information on the Chef Infra Compliance Phase can be found in the [Chef Documentation](https://docs.chef.io/chef_compliance_phase/). + +```plain +./compliance +├── inputs +├── profiles +└── waivers +``` + +Use the `chef generate` command from Chef Workstation to create content for these directories: + +```sh +# Generate a Chef InSpec profile +chef generate profile PROFILE_NAME + +# Generate a Chef InSpec waiver file +chef generate waiver WAIVER_NAME + +# Generate a Chef InSpec input file +chef generate input INPUT_NAME +``` diff --git a/esh_haproxy/files/default/haproxy_country b/esh_haproxy/files/default/haproxy_country new file mode 100644 index 0000000..880c86c --- /dev/null +++ b/esh_haproxy/files/default/haproxy_country 
@@ -0,0 +1,64 @@ +#!/bin/bash +set -euo pipefail +LICENSE_KEY=${LICENSE_KEY:?LICENSE_KEY missing} +TMPDIR=$(mktemp -p /tmp -d haproxy_country.XXX) + +curl --silent \ + --output "$TMPDIR/geoip.zip" \ + "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=${LICENSE_KEY}&suffix=zip" + +unzip -j "$TMPDIR/geoip.zip" -d "$TMPDIR" -x '*.txt' + +cd "$TMPDIR" + +# Create an array of country codes using the first column of +# GeoLite2-Country-Locations-en.csv as the indices and the fifth column as the +# values +# Use sed to skip the first line +declare -A country_codes +while IFS=',' read -r geoname_id _ _ _ country_iso_code _ _; do + country_codes[$geoname_id]=$country_iso_code +done < <(sed '1d' GeoLite2-Country-Locations-en.csv) + +# Process the blocks file, replacing country identifiers with the corresponding +# country codes +# Use sed to skip the first line +while IFS=',' read -r network geoname_id registered_country_geoname_id _ _ _; do + # If geoname_id is not present, use registered_country_geoname_id as a substitute + # Or if registered_country_geoname_id is not present, use whois + if [[ -z $geoname_id ]]; then + if [[ -n $registered_country_geoname_id ]]; then + geoname_id=$registered_country_geoname_id + else + country_code=$(whois -h whois.cymru.com "-v $network" | tail -n1 | awk -F'|' '{print $4}' | tr -d ' ') + # Convert country code to GeoLite country code + geo_country_code=$(grep "$country_code" GeoLite2-Country-Locations-en.csv | awk -F',' '{print $1}') + geoname_id=$geo_country_code + fi + fi + echo "$network" >> "${country_codes[$geoname_id]}.txt" +done < <(sed '1d' GeoLite2-Country-Blocks-IPv4.csv) + +while IFS=',' read -r network geoname_id registered_country_geoname_id _ _ _; do + # If geoname_id is not present, use registered_country_geoname_id as a substitute + # Or if registered_country_geoname_id is not present, use whois + if [[ -z $geoname_id ]]; then + if [[ -n $registered_country_geoname_id ]]; then + 
geoname_id=$registered_country_geoname_id + else + country_code=$(whois -h whois.cymru.com "-v $network" | tail -n1 | awk -F'|' '{print $4}' | tr -d ' ') + # Convert country code to GeoLite country code + geo_country_code=$(grep "$country_code" GeoLite2-Country-Locations-en.csv | awk -F',' '{print $1}') + geoname_id=$geo_country_code + fi + fi + echo "$network" >> "${country_codes[$geoname_id]}.txt" +done < <(sed '1d' GeoLite2-Country-Blocks-IPv6.csv) + +rm -f /etc/haproxy/country/*.txt +cp ./*.txt /etc/haproxy/country/ + +systemctl reload haproxy + +cd - > /dev/null +rm -rf "$TMPDIR" \ No newline at end of file diff --git a/esh_haproxy/kitchen.yml b/esh_haproxy/kitchen.yml new file mode 100644 index 0000000..cef0219 --- /dev/null +++ b/esh_haproxy/kitchen.yml @@ -0,0 +1,31 @@ +--- +driver: + name: vagrant + +## The forwarded_port port feature lets you connect to ports on the VM guest +## via localhost on the host. +## see also: https://www.vagrantup.com/docs/networking/forwarded_ports + +# network: +# - ["forwarded_port", {guest: 80, host: 8080}] + +provisioner: + name: chef_zero + + ## product_name and product_version specifies a specific Chef product and version to install. + ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/ + # product_name: chef + # product_version: 17 + +verifier: + name: inspec + +platforms: + - name: ubuntu-20.04 + - name: centos-8 + +suites: + - name: default + verifier: + inspec_tests: + - test/integration/default diff --git a/esh_haproxy/metadata.rb b/esh_haproxy/metadata.rb new file mode 100644 index 0000000..169dfd8 --- /dev/null +++ b/esh_haproxy/metadata.rb 
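Review bot: In the whois fallback, `grep "$country_code" GeoLite2-Country-Locations-en.csv | awk -F',' '{print $1}'` is an unanchored substring search over every column, so a two-letter code such as `AS` or `NA` (or an empty answer from whois) matches many rows, `geoname_id` becomes a multi-line string, the `${country_codes[$geoname_id]}` lookup yields an empty name, and the network is appended to `.txt`, which `cp ./*.txt` never copies — those ranges silently fall out of the country ACLs. Match the iso-code column the script itself reads as field 5: `geoname_id=$(awk -F',' -v cc="$country_code" '$5 == cc {print $1; exit}' GeoLite2-Country-Locations-en.csv)`; the identical block in the IPv6 loop needs the same change, and a function taking the blocks file name would leave one copy to maintain. The download runs `curl --silent` without `--fail` and with no integrity check, so an HTTP error body is handed to `unzip` and a tampered archive is accepted; add `--fail` and, if MaxMind serves one for this edition, verify against the `.sha256` obtained with `suffix=zip.sha256`. Passing `LICENSE_KEY` in the command line also exposes it to other local users through the process list; `curl --config -` with the URL on stdin avoids that.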
@@ -0,0 +1,19 @@ +name 'esh_haproxy' +maintainer 'https://easyself.host' +maintainer_email 'esh@benpro.fr' +license 'Apache-2.0' +description 'Installs/Configures esh_haproxy' +version '0.1.0' +chef_version '>= 16.0' + +# The `issues_url` points to the location where issues for this cookbook are +# tracked. A `View Issues` link will be displayed on this cookbook's page when +# uploaded to a Supermarket. +# +# issues_url 'https://github.com//esh_haproxy/issues' + +# The `source_url` points to the development repository for this cookbook. A +# `View Source` link will be displayed on this cookbook's page when uploaded to +# a Supermarket. +# +# source_url 'https://github.com//esh_haproxy' diff --git a/esh_haproxy/recipes/config.rb b/esh_haproxy/recipes/config.rb new file mode 100644 index 0000000..8ecf517 --- /dev/null +++ b/esh_haproxy/recipes/config.rb 
@@ -0,0 +1,145 @@ +# +# Cookbook:: esh_haproxy +# Recipe:: config +# +# Copyright:: 2022, https://easyself.host +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apt_package %w(haproxy whois) + +directory "/etc/haproxy/country" do + owner 'root' + group 'root' + mode '0755' + action :create +end + +cookbook_file '/usr/local/bin/haproxy_country' do + owner 'root' + group 'root' + mode '0755' + action :create +end + +execute 'haproxy generate country acl' do + command '/usr/local/bin/haproxy_country' + environment ({ 'LICENSE_KEY' => node['esh']['haproxy']['config']['maxmind_key'] }) + action :run + not_if { ::File.exist?('/etc/haproxy/country/JP.txt') } +end + +remote_file '/etc/haproxy/dhparam' do + source 'https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem' + owner 'root' + group 'root' + mode '0444' + action :create +end + +template '/etc/haproxy/haproxy.cfg' do + owner 'root' + group 'root' + mode '0444' + variables acls: node['esh']['haproxy']['config']['acls'], + listen: node['esh']['haproxy']['config']['listen'], + backends: node['esh']['haproxy']['config']['backends'], + stats_password: node['esh']['haproxy']['config']['stats_password'] + action :create +end + +systemd_unit 'haproxy_country_failure.service' do + content <<~EOU + [Unit] + Description=Notifies HC if haproxy country fail + + [Service] + Type=simple + ExecStart=/usr/bin/curl -fsS -m 10 --retry 5 #{node['esh']['haproxy']['config']['hc_url']}/fail + + EOU + verify 
false + action [:create, :enable] +end + +systemd_unit 'haproxy_country_success.service' do + content <<~EOU + [Unit] + Description=Notifies HC if haproxy country succeed + + [Service] + Type=simple + ExecStart=/usr/bin/curl -fsS -m 10 --retry 5 #{node['esh']['haproxy']['config']['hc_url']} + + EOU + verify false + action [:create, :enable] +end + +systemd_unit 'haproxy_country.service' do + content <<~EOU + [Unit] + Description=Update haproxy country IP range + OnFailure=haproxy_country_failure.service + OnSuccess=haproxy_country_success.service + + [Service] + Type=simple + Environment="LICENSE_KEY=#{node['esh']['haproxy']['config']['maxmind_key']}" + ExecStartPre=/usr/bin/curl -fsS -m 10 --retry 5 #{node['esh']['haproxy']['config']['hc_url']}/start + ExecStart=/usr/local/bin/haproxy_country + + EOU + verify false + action [:create, :enable] +end + +systemd_unit 'haproxy_country.timer' do + content <<~EOU + [Unit] + Description=Run haproxy_country on Fridays, 12h random + + [Timer] + OnCalendar=Fri 00:00 + RandomizedDelaySec=12h + + [Install] + WantedBy=timers.target + EOU + verify false + action [:create, :enable] +end + +apt_package 'ssl-cert' + +directory '/etc/haproxy/crt' do + owner 'root' + group 'root' + mode '0755' + action :create +end + +execute 'add to haproxy default self-signed certificate' do + command <<~EOT + cat /etc/ssl/certs/ssl-cert-snakeoil.pem \ + /etc/ssl/private/ssl-cert-snakeoil.key \ + > /etc/haproxy/crt/ssl-cert-snakeoil.pem + EOT + not_if { ::File.exist?('/etc/haproxy/crt/ssl-cert-snakeoil.pem') } + action :run +end + +service 'haproxy' do + action :nothing + subscribes :reload, 'template[/etc/haproxy/haproxy.cfg]', :immediately +end diff --git a/esh_haproxy/recipes/default.rb b/esh_haproxy/recipes/default.rb new file mode 100644 index 0000000..24d789a --- /dev/null +++ b/esh_haproxy/recipes/default.rb 
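Review bot: The `execute 'add to haproxy default self-signed certificate'` resource writes `/etc/haproxy/crt/ssl-cert-snakeoil.pem`, which contains the private key, through a plain shell redirection, so the file gets the process umask (normally 0644), is never chmod'ed afterwards, and ends up world-readable; the same pattern repeats for the other secrets in this hunk, since `haproxy.cfg` is rendered with `mode '0444'` although it carries `stats_password`, and `haproxy_country.service` embeds the MaxMind key as `Environment="LICENSE_KEY=…"` in a unit file that is written world-readable by default. The `execute 'haproxy generate country acl'` resource also lacks `sensitive true`, so the key can be echoed into Chef logs on failure. I would run the concatenation under `umask 077`, tighten the template to `mode '0640'`/`group 'haproxy'` (haproxy reads its configuration as root before dropping privileges, so this should be sufficient — confirm with a reload), and move the key into a root-only `EnvironmentFile` written by a `file` resource marked `sensitive true`. Pinning a `checksum` on the `remote_file` dhparam download would additionally stop a changed upstream file from being installed unnoticed.
```ruby
# … unchanged: apt_package, country directory, cookbook_file …

execute 'haproxy generate country acl' do
  command '/usr/local/bin/haproxy_country'
  environment ({ 'LICENSE_KEY' => node['esh']['haproxy']['config']['maxmind_key'] })
  sensitive true   # keep the MaxMind key out of Chef output
  action :run
  not_if { ::File.exist?('/etc/haproxy/country/JP.txt') }
end

# … unchanged: remote_file dhparam (consider adding a checksum) …

template '/etc/haproxy/haproxy.cfg' do
  owner 'root'
  group 'haproxy'
  mode '0640'      # contains the stats password
  sensitive true
  # … unchanged: variables …
  action :create
end

# MaxMind key kept out of the world-readable unit file
file '/etc/haproxy/maxmind.env' do
  content "LICENSE_KEY=#{node['esh']['haproxy']['config']['maxmind_key']}\n"
  owner 'root'
  group 'root'
  mode '0600'
  sensitive true
end

systemd_unit 'haproxy_country.service' do
  content <<~EOU
    [Unit]
    Description=Update haproxy country IP range
    OnFailure=haproxy_country_failure.service
    OnSuccess=haproxy_country_success.service

    [Service]
    Type=simple
    EnvironmentFile=/etc/haproxy/maxmind.env
    ExecStartPre=/usr/bin/curl -fsS -m 10 --retry 5 #{node['esh']['haproxy']['config']['hc_url']}/start
    ExecStart=/usr/local/bin/haproxy_country
  EOU
  verify false
  action [:create, :enable]
end

# … unchanged: timer, ssl-cert, crt directory …

execute 'add to haproxy default self-signed certificate' do
  command <<~EOT
    umask 077
    cat /etc/ssl/certs/ssl-cert-snakeoil.pem \
        /etc/ssl/private/ssl-cert-snakeoil.key \
        > /etc/haproxy/crt/ssl-cert-snakeoil.pem
  EOT
  not_if { ::File.exist?('/etc/haproxy/crt/ssl-cert-snakeoil.pem') }
  action :run
end

# … unchanged: service 'haproxy' …
```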
@@ -0,0 +1,17 @@ +# +# Cookbook:: esh_haproxy +# Recipe:: default +# +# Copyright:: 2022, https://easyself.host +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/esh_haproxy/templates/default/haproxy.cfg.erb b/esh_haproxy/templates/default/haproxy.cfg.erb new file mode 100644 index 0000000..643ac10 --- /dev/null +++ b/esh_haproxy/templates/default/haproxy.cfg.erb 
@@ -0,0 +1,387 @@ +global + log /dev/log local0 + log /dev/log local1 notice + chroot /var/lib/haproxy + stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners + stats timeout 30s + user haproxy + group haproxy + daemon + + # TLS config + ca-base /etc/ssl/certs + crt-base /etc/ssl/private + ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305 + ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 + ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets + ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305 + ssl-default-server-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 + ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets + +defaults + log global + mode http + option httplog + option dontlognull + timeout connect 5s + timeout client 1m + timeout server 1m + timeout http-keep-alive 2m + timeout queue 15s + timeout tunnel 4h # for websocket + errorfile 400 /etc/haproxy/errors/400.http + errorfile 403 /etc/haproxy/errors/403.http + errorfile 408 /etc/haproxy/errors/408.http + errorfile 500 /etc/haproxy/errors/500.http + errorfile 502 /etc/haproxy/errors/502.http + errorfile 503 /etc/haproxy/errors/503.http + errorfile 504 /etc/haproxy/errors/504.http + +# The cache instance used by the frontend (256MB, 50MB max object, 1 hour max) +# May be consulted using "show cache" on the CLI socket +cache cache + total-max-size 256 # RAM cache size in megabytes + max-object-size 52428800 # max cacheable object size in bytes + max-age 3600 # max cache duration in seconds + process-vary on # handle the Vary header (otherwise don't cache) + +# Frontends +frontend frontend_default + bind :80 name http + bind :::80 name httpv6 v6only + # Sadly we can't use strict-sni because of Let's Encrypt challenge on https + bind :443 name https ssl crt /etc/haproxy/crt alpn h2,http/1.1 + bind :::443 name 
httpsv6 v6only ssl crt /etc/haproxy/crt alpn h2,http/1.1 + + option socket-stats # provide per-bind line stats + stats enable + stats auth admin:<%= @stats_password %> + stats admin if TRUE + stats uri /haproxy?stats + stats refresh 10s + + # silently ignore connect probes and pre-connect without request + option http-ignore-probes + + # pass client's IP address to the server and prevent against attempts + # to inject bad contents + http-request del-header x-forwarded-for + option forwardfor + + # enable HTTP compression of text contents + compression algo deflate gzip + compression type text/ application/javascript application/xhtml+xml image/x-icon + + # enable HTTP caching of any cacheable content + http-request cache-use cache + http-response cache-store cache + + # Redirect to HTTPS + http-request redirect scheme https unless { ssl_fc } + + # ACLs + # ACL for country blocks + acl AD src -f /etc/haproxy/country/AD.txt + acl AE src -f /etc/haproxy/country/AE.txt + acl AF src -f /etc/haproxy/country/AF.txt + acl AG src -f /etc/haproxy/country/AG.txt + acl AI src -f /etc/haproxy/country/AI.txt + acl AL src -f /etc/haproxy/country/AL.txt + acl AM src -f /etc/haproxy/country/AM.txt + acl AO src -f /etc/haproxy/country/AO.txt + acl AQ src -f /etc/haproxy/country/AQ.txt + acl AR src -f /etc/haproxy/country/AR.txt + acl AS src -f /etc/haproxy/country/AS.txt + acl AT src -f /etc/haproxy/country/AT.txt + acl AU src -f /etc/haproxy/country/AU.txt + acl AW src -f /etc/haproxy/country/AW.txt + acl AX src -f /etc/haproxy/country/AX.txt + acl AZ src -f /etc/haproxy/country/AZ.txt + acl BA src -f /etc/haproxy/country/BA.txt + acl BB src -f /etc/haproxy/country/BB.txt + acl BD src -f /etc/haproxy/country/BD.txt + acl BE src -f /etc/haproxy/country/BE.txt + acl BF src -f /etc/haproxy/country/BF.txt + acl BG src -f /etc/haproxy/country/BG.txt + acl BH src -f /etc/haproxy/country/BH.txt + acl BI src -f /etc/haproxy/country/BI.txt + acl BJ src -f /etc/haproxy/country/BJ.txt + acl 
BL src -f /etc/haproxy/country/BL.txt + acl BM src -f /etc/haproxy/country/BM.txt + acl BN src -f /etc/haproxy/country/BN.txt + acl BO src -f /etc/haproxy/country/BO.txt + acl BQ src -f /etc/haproxy/country/BQ.txt + acl BR src -f /etc/haproxy/country/BR.txt + acl BS src -f /etc/haproxy/country/BS.txt + acl BT src -f /etc/haproxy/country/BT.txt + acl BV src -f /etc/haproxy/country/BV.txt + acl BW src -f /etc/haproxy/country/BW.txt + acl BY src -f /etc/haproxy/country/BY.txt + acl BZ src -f /etc/haproxy/country/BZ.txt + acl CA src -f /etc/haproxy/country/CA.txt + acl CC src -f /etc/haproxy/country/CC.txt + acl CD src -f /etc/haproxy/country/CD.txt + acl CF src -f /etc/haproxy/country/CF.txt + acl CG src -f /etc/haproxy/country/CG.txt + acl CH src -f /etc/haproxy/country/CH.txt + acl CI src -f /etc/haproxy/country/CI.txt + acl CK src -f /etc/haproxy/country/CK.txt + acl CL src -f /etc/haproxy/country/CL.txt + acl CM src -f /etc/haproxy/country/CM.txt + acl CN src -f /etc/haproxy/country/CN.txt + acl CO src -f /etc/haproxy/country/CO.txt + acl CR src -f /etc/haproxy/country/CR.txt + acl CU src -f /etc/haproxy/country/CU.txt + acl CV src -f /etc/haproxy/country/CV.txt + acl CW src -f /etc/haproxy/country/CW.txt + acl CX src -f /etc/haproxy/country/CX.txt + acl CY src -f /etc/haproxy/country/CY.txt + acl CZ src -f /etc/haproxy/country/CZ.txt + acl DE src -f /etc/haproxy/country/DE.txt + acl DJ src -f /etc/haproxy/country/DJ.txt + acl DK src -f /etc/haproxy/country/DK.txt + acl DM src -f /etc/haproxy/country/DM.txt + acl DO src -f /etc/haproxy/country/DO.txt + acl DZ src -f /etc/haproxy/country/DZ.txt + acl EC src -f /etc/haproxy/country/EC.txt + acl EE src -f /etc/haproxy/country/EE.txt + acl EG src -f /etc/haproxy/country/EG.txt + acl EH src -f /etc/haproxy/country/EH.txt + acl ER src -f /etc/haproxy/country/ER.txt + acl ES src -f /etc/haproxy/country/ES.txt + acl ET src -f /etc/haproxy/country/ET.txt + acl FI src -f /etc/haproxy/country/FI.txt + acl FJ src -f 
/etc/haproxy/country/FJ.txt + acl FK src -f /etc/haproxy/country/FK.txt + acl FM src -f /etc/haproxy/country/FM.txt + acl FO src -f /etc/haproxy/country/FO.txt + acl FR src -f /etc/haproxy/country/FR.txt + acl GA src -f /etc/haproxy/country/GA.txt + acl GB src -f /etc/haproxy/country/GB.txt + acl GD src -f /etc/haproxy/country/GD.txt + acl GE src -f /etc/haproxy/country/GE.txt + acl GF src -f /etc/haproxy/country/GF.txt + acl GG src -f /etc/haproxy/country/GG.txt + acl GH src -f /etc/haproxy/country/GH.txt + acl GI src -f /etc/haproxy/country/GI.txt + acl GL src -f /etc/haproxy/country/GL.txt + acl GM src -f /etc/haproxy/country/GM.txt + acl GN src -f /etc/haproxy/country/GN.txt + acl GP src -f /etc/haproxy/country/GP.txt + acl GQ src -f /etc/haproxy/country/GQ.txt + acl GR src -f /etc/haproxy/country/GR.txt + acl GS src -f /etc/haproxy/country/GS.txt + acl GT src -f /etc/haproxy/country/GT.txt + acl GU src -f /etc/haproxy/country/GU.txt + acl GW src -f /etc/haproxy/country/GW.txt + acl GY src -f /etc/haproxy/country/GY.txt + acl HK src -f /etc/haproxy/country/HK.txt + acl HM src -f /etc/haproxy/country/HM.txt + acl HN src -f /etc/haproxy/country/HN.txt + acl HR src -f /etc/haproxy/country/HR.txt + acl HT src -f /etc/haproxy/country/HT.txt + acl HU src -f /etc/haproxy/country/HU.txt + acl ID src -f /etc/haproxy/country/ID.txt + acl IE src -f /etc/haproxy/country/IE.txt + acl IL src -f /etc/haproxy/country/IL.txt + acl IM src -f /etc/haproxy/country/IM.txt + acl IN src -f /etc/haproxy/country/IN.txt + acl IO src -f /etc/haproxy/country/IO.txt + acl IQ src -f /etc/haproxy/country/IQ.txt + acl IR src -f /etc/haproxy/country/IR.txt + acl IS src -f /etc/haproxy/country/IS.txt + acl IT src -f /etc/haproxy/country/IT.txt + acl JE src -f /etc/haproxy/country/JE.txt + acl JM src -f /etc/haproxy/country/JM.txt + acl JO src -f /etc/haproxy/country/JO.txt + acl JP src -f /etc/haproxy/country/JP.txt + acl KE src -f /etc/haproxy/country/KE.txt + acl KG src -f 
/etc/haproxy/country/KG.txt + acl KH src -f /etc/haproxy/country/KH.txt + acl KI src -f /etc/haproxy/country/KI.txt + acl KM src -f /etc/haproxy/country/KM.txt + acl KN src -f /etc/haproxy/country/KN.txt + acl KP src -f /etc/haproxy/country/KP.txt + acl KR src -f /etc/haproxy/country/KR.txt + acl KW src -f /etc/haproxy/country/KW.txt + acl KY src -f /etc/haproxy/country/KY.txt + acl KZ src -f /etc/haproxy/country/KZ.txt + acl LA src -f /etc/haproxy/country/LA.txt + acl LB src -f /etc/haproxy/country/LB.txt + acl LC src -f /etc/haproxy/country/LC.txt + acl LI src -f /etc/haproxy/country/LI.txt + acl LK src -f /etc/haproxy/country/LK.txt + acl LR src -f /etc/haproxy/country/LR.txt + acl LS src -f /etc/haproxy/country/LS.txt + acl LT src -f /etc/haproxy/country/LT.txt + acl LU src -f /etc/haproxy/country/LU.txt + acl LV src -f /etc/haproxy/country/LV.txt + acl LY src -f /etc/haproxy/country/LY.txt + acl MA src -f /etc/haproxy/country/MA.txt + acl MC src -f /etc/haproxy/country/MC.txt + acl MD src -f /etc/haproxy/country/MD.txt + acl ME src -f /etc/haproxy/country/ME.txt + acl MF src -f /etc/haproxy/country/MF.txt + acl MG src -f /etc/haproxy/country/MG.txt + acl MH src -f /etc/haproxy/country/MH.txt + acl MK src -f /etc/haproxy/country/MK.txt + acl ML src -f /etc/haproxy/country/ML.txt + acl MM src -f /etc/haproxy/country/MM.txt + acl MN src -f /etc/haproxy/country/MN.txt + acl MO src -f /etc/haproxy/country/MO.txt + acl MP src -f /etc/haproxy/country/MP.txt + acl MQ src -f /etc/haproxy/country/MQ.txt + acl MR src -f /etc/haproxy/country/MR.txt + acl MS src -f /etc/haproxy/country/MS.txt + acl MT src -f /etc/haproxy/country/MT.txt + acl MU src -f /etc/haproxy/country/MU.txt + acl MV src -f /etc/haproxy/country/MV.txt + acl MW src -f /etc/haproxy/country/MW.txt + acl MX src -f /etc/haproxy/country/MX.txt + acl MY src -f /etc/haproxy/country/MY.txt + acl MZ src -f /etc/haproxy/country/MZ.txt + acl NA src -f /etc/haproxy/country/NA.txt + acl NC src -f 
/etc/haproxy/country/NC.txt + acl NE src -f /etc/haproxy/country/NE.txt + acl NF src -f /etc/haproxy/country/NF.txt + acl NG src -f /etc/haproxy/country/NG.txt + acl NI src -f /etc/haproxy/country/NI.txt + acl NL src -f /etc/haproxy/country/NL.txt + acl NO src -f /etc/haproxy/country/NO.txt + acl NP src -f /etc/haproxy/country/NP.txt + acl NR src -f /etc/haproxy/country/NR.txt + acl NU src -f /etc/haproxy/country/NU.txt + acl NZ src -f /etc/haproxy/country/NZ.txt + acl OM src -f /etc/haproxy/country/OM.txt + acl PA src -f /etc/haproxy/country/PA.txt + acl PE src -f /etc/haproxy/country/PE.txt + acl PF src -f /etc/haproxy/country/PF.txt + acl PG src -f /etc/haproxy/country/PG.txt + acl PH src -f /etc/haproxy/country/PH.txt + acl PK src -f /etc/haproxy/country/PK.txt + acl PL src -f /etc/haproxy/country/PL.txt + acl PM src -f /etc/haproxy/country/PM.txt + acl PN src -f /etc/haproxy/country/PN.txt + acl PR src -f /etc/haproxy/country/PR.txt + acl PS src -f /etc/haproxy/country/PS.txt + acl PT src -f /etc/haproxy/country/PT.txt + acl PW src -f /etc/haproxy/country/PW.txt + acl PY src -f /etc/haproxy/country/PY.txt + acl QA src -f /etc/haproxy/country/QA.txt + acl RE src -f /etc/haproxy/country/RE.txt + acl RO src -f /etc/haproxy/country/RO.txt + acl RS src -f /etc/haproxy/country/RS.txt + acl RU src -f /etc/haproxy/country/RU.txt + acl RW src -f /etc/haproxy/country/RW.txt + acl SA src -f /etc/haproxy/country/SA.txt + acl SB src -f /etc/haproxy/country/SB.txt + acl SC src -f /etc/haproxy/country/SC.txt + acl SD src -f /etc/haproxy/country/SD.txt + acl SE src -f /etc/haproxy/country/SE.txt + acl SG src -f /etc/haproxy/country/SG.txt + acl SH src -f /etc/haproxy/country/SH.txt + acl SI src -f /etc/haproxy/country/SI.txt + acl SJ src -f /etc/haproxy/country/SJ.txt + acl SK src -f /etc/haproxy/country/SK.txt + acl SL src -f /etc/haproxy/country/SL.txt + acl SM src -f /etc/haproxy/country/SM.txt + acl SN src -f /etc/haproxy/country/SN.txt + acl SO src -f 
/etc/haproxy/country/SO.txt + acl SR src -f /etc/haproxy/country/SR.txt + acl SS src -f /etc/haproxy/country/SS.txt + acl ST src -f /etc/haproxy/country/ST.txt + acl SV src -f /etc/haproxy/country/SV.txt + acl SX src -f /etc/haproxy/country/SX.txt + acl SY src -f /etc/haproxy/country/SY.txt + acl SZ src -f /etc/haproxy/country/SZ.txt + acl TC src -f /etc/haproxy/country/TC.txt + acl TD src -f /etc/haproxy/country/TD.txt + acl TF src -f /etc/haproxy/country/TF.txt + acl TG src -f /etc/haproxy/country/TG.txt + acl TH src -f /etc/haproxy/country/TH.txt + acl TJ src -f /etc/haproxy/country/TJ.txt + acl TK src -f /etc/haproxy/country/TK.txt + acl TL src -f /etc/haproxy/country/TL.txt + acl TM src -f /etc/haproxy/country/TM.txt + acl TN src -f /etc/haproxy/country/TN.txt + acl TO src -f /etc/haproxy/country/TO.txt + acl TR src -f /etc/haproxy/country/TR.txt + acl TT src -f /etc/haproxy/country/TT.txt + acl TV src -f /etc/haproxy/country/TV.txt + acl TW src -f /etc/haproxy/country/TW.txt + acl TZ src -f /etc/haproxy/country/TZ.txt + acl UA src -f /etc/haproxy/country/UA.txt + acl UG src -f /etc/haproxy/country/UG.txt + acl UM src -f /etc/haproxy/country/UM.txt + acl US src -f /etc/haproxy/country/US.txt + acl UY src -f /etc/haproxy/country/UY.txt + acl UZ src -f /etc/haproxy/country/UZ.txt + acl VA src -f /etc/haproxy/country/VA.txt + acl VC src -f /etc/haproxy/country/VC.txt + acl VE src -f /etc/haproxy/country/VE.txt + acl VG src -f /etc/haproxy/country/VG.txt + acl VI src -f /etc/haproxy/country/VI.txt + acl VN src -f /etc/haproxy/country/VN.txt + acl VU src -f /etc/haproxy/country/VU.txt + acl WF src -f /etc/haproxy/country/WF.txt + acl WS src -f /etc/haproxy/country/WS.txt + acl XK src -f /etc/haproxy/country/XK.txt + acl YE src -f /etc/haproxy/country/YE.txt + acl YT src -f /etc/haproxy/country/YT.txt + acl ZA src -f /etc/haproxy/country/ZA.txt + acl ZM src -f /etc/haproxy/country/ZM.txt + acl ZW src -f /etc/haproxy/country/ZW.txt + + # Redirect www to non-www 
domains + http-request redirect prefix https://%[hdr(host),regsub(^www\.,,i)] code 301 if { hdr_beg(host) -i www. } + + acl letsencrypt path_beg /.well-known/acme-challenge/ + <% @acls.each do |acl_name, params| %> + <% params['hosts'].each do |host| %> + acl <%= acl_name %> hdr(host) -i <%= host %> + <% end %> + <% params['denies'].each do |deny| %> + http-request deny if <%= acl_name %> <%= deny %> + <% end %> + <% end %> + + use_backend letsencrypt if letsencrypt + + <% @acls.each do |acl_name, params| %> + <% params['hosts'].each do |host| %> + use_backend <%= params['backend'] %> if <%= acl_name %> + <% break %> + <% end %> + <% end %> + + default_backend default + +# Listens (frontend and backend combined) +<% @listen.each do |frontend_name, params| %> + listen <%= frontend_name %> + bind :<%= params['bind'] %> + bind :::<%= params['bind'] %> v6only + <% if params['mode'] == 'tcp' %> + mode tcp + option tcplog + <% end %> + server <%= params['server'] %> +<% end %> + +# Backends +backend default + tcp-request content reject + +backend letsencrypt + server certbot 127.0.0.1:8899 + +<% @backends.each do |backend, server| %> + backend <%= backend %> + # set HSTS for one year after all responses + http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + # add some Security headers + http-response set-header X-Frame-Options "SAMEORIGIN" + http-response set-header X-Content-Type-Options "nosniff" + + server <%= server %> +<% end %> diff --git a/esh_haproxy/test/integration/default/default_test.rb b/esh_haproxy/test/integration/default/default_test.rb new file mode 100644 index 0000000..2709ad6 --- /dev/null +++ b/esh_haproxy/test/integration/default/default_test.rb 
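Review bot: `stats admin if TRUE` in `frontend frontend_default` turns on the admin-capable stats interface (disabling servers, changing weights) on the same public `:80`/`:443` binds that serve every site, guarded only by the single basic-auth credential in `stats auth admin:<%= @stats_password %>`. Anyone who guesses or brute-forces that password from the internet can take backends out of rotation, and the page itself discloses backend names and addresses. I would either restrict admin mode to local sources, `stats admin if { src 127.0.0.0/8 ::1 }`, or move `stats enable`/`stats uri`/`stats auth` into a dedicated `listen stats` bound to `127.0.0.1` and drop them from the public frontend. Separately, `<%= @stats_password %>` is interpolated unescaped, so a password containing a space or `#` would silently truncate the directive; an attribute comment that it must be a single token would avoid that surprise. The `acl XX src -f …` country rules and the rendered `http-request deny` lines key on the TCP peer address, so when traffic arrives through a tunnel or proxy (the repo ships a cloudflared cookbook) they classify the proxy rather than the client — presumably intended, but worth a comment above the ACL list.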
@@ -0,0 +1,16 @@ +# Chef InSpec test for recipe esh_haproxy::default + +# The Chef InSpec reference, with examples and extensive documentation, can be +# found at https://docs.chef.io/inspec/resources/ + +unless os.windows? + # This is an example test, replace with your own test. + describe user('root'), :skip do + it { should exist } + end +end + +# This is an example test, replace it with your own test. +describe port(80), :skip do + it { should_not be_listening } +end diff --git a/esh_kanboard/.gitignore b/esh_kanboard/.gitignore new file mode 100644 index 0000000..f1e57b8 --- /dev/null +++ b/esh_kanboard/.gitignore @@ -0,0 +1,25 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +kitchen.local.yml + +# Chef Infra +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json + +.idea/ + diff --git a/esh_kanboard/CHANGELOG.md b/esh_kanboard/CHANGELOG.md new file mode 100644 index 0000000..d61fece --- /dev/null +++ b/esh_kanboard/CHANGELOG.md @@ -0,0 +1,10 @@ +# esh_kanboard CHANGELOG + +This file is used to list changes made in each version of the esh_kanboard cookbook. + +## 0.1.0 + +Initial release. + +- change 0 +- change 1 diff --git a/esh_kanboard/LICENSE b/esh_kanboard/LICENSE new file mode 100644 index 0000000..11069ed --- /dev/null +++ b/esh_kanboard/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/esh_kanboard/Policyfile.rb b/esh_kanboard/Policyfile.rb new file mode 100644 index 0000000..54d3f84 --- /dev/null +++ b/esh_kanboard/Policyfile.rb @@ -0,0 +1,16 @@ +# Policyfile.rb - Describe how you want Chef Infra Client to build your system. +# +# For more information on the Policyfile feature, visit +# https://docs.chef.io/policyfile/ + +# A name that describes what the system you're building with Chef does. +name 'esh_kanboard' + +# Where to find external cookbooks: +default_source :supermarket + +# run_list: chef-client will run these recipes in the order specified. +run_list 'esh_kanboard::default' + +# Specify a custom source for a single cookbook: +cookbook 'esh_kanboard', path: '.' diff --git a/esh_kanboard/README.md b/esh_kanboard/README.md new file mode 100644 index 0000000..dc69241 --- /dev/null 
+++ b/esh_kanboard/README.md @@ -0,0 +1,4 @@ +# esh_kanboard + +TODO: Enter the cookbook description here. + diff --git a/esh_kanboard/chefignore b/esh_kanboard/chefignore new file mode 100644 index 0000000..cc170ea --- /dev/null +++ b/esh_kanboard/chefignore @@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen.yml* +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/esh_kanboard/compliance/README.md b/esh_kanboard/compliance/README.md new file mode 100644 index 0000000..998facd --- /dev/null +++ b/esh_kanboard/compliance/README.md 
@@ -0,0 +1,25 @@
+# compliance
+
+This directory contains Cinc Auditor profile, waiver and input objects which are used with the Cinc Infra Compliance Phase.
+
+Detailed information on the Cinc Infra Compliance Phase can be found in the [Chef Documentation](https://docs.chef.io/chef_compliance_phase/).
+
+```plain
+./compliance
+├── inputs
+├── profiles
+└── waivers
+```
+
+Use the `cinc generate` command from Cinc Workstation to create content for these directories:
+
+```sh
+# Generate a Cinc Auditor profile
+cinc generate profile PROFILE_NAME
+
+# Generate a Cinc Auditor waiver file
+cinc generate waiver WAIVER_NAME
+
+# Generate a Cinc Auditor input file
+cinc generate input INPUT_NAME
+```
diff --git a/esh_kanboard/files/default/default b/esh_kanboard/files/default/default
new file mode 100644
index 0000000..0cc7e6c
--- /dev/null
+++ b/esh_kanboard/files/default/default
@@ -0,0 +1,28 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ root /var/www/kanboard;
+
+ index index.php;
+
+ server_name _;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+
+ location ~ \.php$ {
+ include snippets/fastcgi-php.conf;
+ # With php-fpm (or other unix sockets):
+ fastcgi_pass unix:/run/php/php-fpm.sock;
+ }
+
+ location ~ /\.ht {
+ deny all;
+ }
+
+ location ~ /data {
+ deny all;
+ }
+}
diff --git a/esh_kanboard/kitchen.yml b/esh_kanboard/kitchen.yml
new file mode 100644
index 0000000..cef0219
--- /dev/null
+++ b/esh_kanboard/kitchen.yml
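Review bot: The `location ~ /data { deny all; }` block at the end of the esh_kanboard/files/default/default server block is declared after `location ~ \.php$`, and nginx picks the first regex location that matches in file order, so a request for a `.php` path under `/data/` is routed to php-fpm instead of being denied; the same ordering applies to `location ~ /\.ht`. Whether anything executable can end up under `data/` depends on Kanboard's upload layout, which this hunk does not show, but the deny rules should win regardless of declaration order. A prefix location with `^~` ends the search before any regex is tried, e.g. `location ^~ /data/ { deny all; }`, or at minimum move both deny blocks above the PHP block. Separately, `location ~ /data` matches `/data` anywhere in the URI rather than only the top-level directory, so anchoring it (`~ ^/data/`) avoids denying unrelated paths.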
@@ -0,0 +1,31 @@
+---
+driver:
+ name: vagrant
+
+## The forwarded_port port feature lets you connect to ports on the VM guest
+## via localhost on the host.
+## see also: https://www.vagrantup.com/docs/networking/forwarded_ports
+
+# network:
+# - ["forwarded_port", {guest: 80, host: 8080}]
+
+provisioner:
+ name: chef_zero
+
+ ## product_name and product_version specifies a specific Chef product and version to install.
+ ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/
+ # product_name: chef
+ # product_version: 17
+
+verifier:
+ name: inspec
+
+platforms:
+ - name: ubuntu-20.04
+ - name: centos-8
+
+suites:
+ - name: default
+ verifier:
+ inspec_tests:
+ - test/integration/default
diff --git a/esh_kanboard/metadata.rb b/esh_kanboard/metadata.rb
new file mode 100644
index 0000000..3528fdc
--- /dev/null
+++ b/esh_kanboard/metadata.rb
@@ -0,0 +1,19 @@
+name 'esh_kanboard'
+maintainer 'https://easyself.host'
+maintainer_email 'esh@benpro.fr'
+license 'Apache-2.0'
+description 'Installs/Configures esh_kanboard'
+version '0.1.0'
+chef_version '>= 16.0'
+
+# The `issues_url` points to the location where issues for this cookbook are
+# tracked. A `View Issues` link will be displayed on this cookbook's page when
+# uploaded to a Supermarket.
+#
+# issues_url 'https://github.com//esh_kanboard/issues'
+
+# The `source_url` points to the development repository for this cookbook. A
+# `View Source` link will be displayed on this cookbook's page when uploaded to
+# a Supermarket.
+#
+# source_url 'https://github.com//esh_kanboard'
diff --git a/esh_kanboard/recipes/default.rb b/esh_kanboard/recipes/default.rb
new file mode 100644
index 0000000..79c7179
--- /dev/null
+++ b/esh_kanboard/recipes/default.rb
@@ -0,0 +1,76 @@
+#
+# Cookbook:: esh_kanboard
+# Recipe:: default
+#
+# Copyright:: 2023, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apt_package %w(
+ nginx
+ php-curl
+ php-fpm
+ php-gd
+ php-json
+ php-mbstring
+ php-sqlite3
+ php-xml
+ php-zip
+)
+
+cookbook_file '/etc/nginx/sites-available/default' do
+ owner 'root'
+ group 'root'
+ mode '0444'
+ notifies :restart, 'service[nginx]', :delayed
+ action :create
+end
+
+directory '/var/www/kanboard' do
+ owner 'www-data'
+ group 'www-data'
+ mode '0755'
+ action :create
+end
+
+version = node['esh']['kanboard']['version']
+url = "https://github.com/kanboard/kanboard/archive/refs/tags/v#{version}.tar.gz"
+
+remote_file "kanboard.#{version}.tar.gz" do
+ source url
+ path "#{Chef::Config[:file_cache_path]}/kanboard.#{version}.tar.gz"
+ notifies :run, 'execute[extract kanboard]', :immediately
+end
+
+execute 'extract kanboard' do
+ command <<~EOT
+ tar -zxvf \
+ #{Chef::Config[:file_cache_path]}/kanboard.#{version}.tar.gz \
+ -C /var/www/kanboard kanboard-#{version}/ \
+ --strip-components=1
+ chown -R www-data:www-data /var/www/kanboard
+ EOT
+ action :nothing
+end
+
+file '/var/www/kanboard/config.php' do
+ content node['esh']['kanboard']['config']
+ owner 'www-data'
+ group 'www-data'
+ mode '0400'
+ action :create
+end
+
+service 'nginx' do
+ action [:start, :enable]
+ end
\ No newline at end of file
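Review bot: The `remote_file "kanboard.#{version}.tar.gz"` resource carries no `checksum`, so the archive fetched from GitHub is unpacked into the web root and served without any integrity check; pinning the expected digest next to the version (e.g. `checksum node['esh']['kanboard']['checksum']`, a new attribute to add alongside `version`) makes the converge fail on a tampered or truncated download rather than deploying it. In `execute 'extract kanboard'`, `chown -R www-data:www-data /var/www/kanboard` makes the entire PHP code tree writable by the web-server user, so any PHP-level compromise can persist by rewriting application code; the writable state presumably lives under `data/` (the directory the shipped nginx config denies), so restricting the chown to it and leaving the rest root-owned is the safer default. Because tar runs as root here, adding `--no-same-owner --no-same-permissions` keeps ownership and modes recorded inside the archive from being applied. php-fpm is installed but no `service` resource manages or restarts it, so the recipe relies on the package's post-install start. The closing `end` of `service 'nginx'` is indented one level and the file lacks a trailing newline, which cookstyle will flag.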
diff --git a/esh_kanboard/test/integration/default/default_test.rb b/esh_kanboard/test/integration/default/default_test.rb
new file mode 100644
index 0000000..aff5956
--- /dev/null
+++ b/esh_kanboard/test/integration/default/default_test.rb
@@ -0,0 +1,16 @@
+# Chef InSpec test for recipe esh_kanboard::default
+
+# The Chef InSpec reference, with examples and extensive documentation, can be
+# found at https://docs.chef.io/inspec/resources/
+
+unless os.windows?
+ # This is an example test, replace with your own test.
+ describe user('root'), :skip do
+ it { should exist }
+ end
+end
+
+# This is an example test, replace it with your own test.
+describe port(80), :skip do
+ it { should_not be_listening }
+end
diff --git a/esh_laminar/.delivery/project.toml b/esh_laminar/.delivery/project.toml
new file mode 100644
index 0000000..3a12ab5
--- /dev/null
+++ b/esh_laminar/.delivery/project.toml
@@ -0,0 +1,32 @@
+# Delivery for Local Phases Execution
+#
+# This file allows you to execute test phases locally on a workstation or
+# in a CI pipeline. The delivery-cli will read this file and execute the
+# command(s) that are configured for each phase. You can customize them
+# by just modifying the phase key on this file.
+#
+# By default these phases are configured for Cookbook Workflow only
+#
+
+[local_phases]
+unit = "echo skipping unit phase."
+lint = "chef exec cookstyle"
+# foodcritic has been deprecated in favor of cookstyle so we skip the syntax
+# phase now.
+syntax = "echo skipping syntax phase. Use lint phase instead."
+provision = "chef exec kitchen create"
+deploy = "chef exec kitchen converge"
+smoke = "chef exec kitchen verify"
+# The functional phase is optional, you can define it by uncommenting
+# the line below and running the command: `delivery local functional`
+# functional = ""
+cleanup = "chef exec kitchen destroy"
+
+# Remote project.toml file
+#
+# Instead of the local phases above, you may specify a remote URI location for
+# the `project.toml` file. This is useful for teams that wish to centrally
+# manage the behavior of the `delivery local` command across many different
+# projects.
+#
+# remote_file = "https://url/project.toml"
diff --git a/esh_laminar/CHANGELOG.md b/esh_laminar/CHANGELOG.md
new file mode 100644
index 0000000..10c201e
--- /dev/null
+++ b/esh_laminar/CHANGELOG.md
@@ -0,0 +1,10 @@
+# esh_laminar CHANGELOG
+
+This file is used to list changes made in each version of the esh_laminar cookbook.
+
+## 0.1.0
+
+Initial release.
+
+- change 0
+- change 1
diff --git a/esh_laminar/LICENSE b/esh_laminar/LICENSE
new file mode 100644
index 0000000..11069ed
--- /dev/null
+++ b/esh_laminar/LICENSE
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+
+END OF TERMS AND CONDITIONS
+
+APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+Copyright [yyyy] [name of copyright owner]
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
diff --git a/esh_laminar/Policyfile.rb b/esh_laminar/Policyfile.rb
new file mode 100644
index 0000000..4789952
--- /dev/null
+++ b/esh_laminar/Policyfile.rb
@@ -0,0 +1,16 @@
+# Policyfile.rb - Describe how you want Chef Infra Client to build your system.
+#
+# For more information on the Policyfile feature, visit
+# https://docs.chef.io/policyfile/
+
+# A name that describes what the system you're building with Chef does.
+name 'esh_laminar'
+
+# Where to find external cookbooks:
+default_source :supermarket
+
+# run_list: chef-client will run these recipes in the order specified.
+run_list 'esh_laminar::default'
+
+# Specify a custom source for a single cookbook:
+cookbook 'esh_laminar', path: '.'
diff --git a/esh_laminar/README.md b/esh_laminar/README.md
new file mode 100644
index 0000000..1623a17
--- /dev/null
+++ b/esh_laminar/README.md
@@ -0,0 +1,4 @@
+# esh_laminar
+
+TODO: Enter the cookbook description here.
+
diff --git a/esh_laminar/chefignore b/esh_laminar/chefignore
new file mode 100644
index 0000000..cc170ea
--- /dev/null
+++ b/esh_laminar/chefignore
@@ -0,0 +1,115 @@
+# Put files/directories that should be ignored in this file when uploading
+# to a Chef Infra Server or Supermarket.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+ehthumbs.db
+Icon?
+nohup.out
+Thumbs.db
+.envrc
+
+# EDITORS #
+###########
+.#*
+.project
+.settings
+*_flymake
+*_flymake.*
+*.bak
+*.sw[a-z]
+*.tmproj
+*~
+\#*
+REVISION
+TAGS*
+tmtags
+.vscode
+.editorconfig
+
+## COMPILED ##
+##############
+*.class
+*.com
+*.dll
+*.exe
+*.o
+*.pyc
+*.so
+*/rdoc/
+a.out
+mkmf.log
+
+# Testing #
+###########
+.circleci/*
+.codeclimate.yml
+.delivery/*
+.foodcritic
+.kitchen*
+.mdlrc
+.overcommit.yml
+.rspec
+.rubocop.yml
+.travis.yml
+.watchr
+.yamllint
+azure-pipelines.yml
+Dangerfile
+examples/*
+features/*
+Guardfile
+kitchen.yml*
+mlc_config.json
+Procfile
+Rakefile
+spec/*
+test/*
+
+# SCM #
+#######
+.git
+.gitattributes
+.gitconfig
+.github/*
+.gitignore
+.gitkeep
+.gitmodules
+.svn
+*/.bzr/*
+*/.git
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Bundler #
+###########
+vendor/*
+Gemfile
+Gemfile.lock
+
+# Policyfile #
+##############
+Policyfile.rb
+Policyfile.lock.json
+
+# Documentation #
+#############
+CODE_OF_CONDUCT*
+CONTRIBUTING*
+documentation/*
+TESTING*
+UPGRADING*
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile
diff --git a/esh_laminar/kitchen.yml b/esh_laminar/kitchen.yml
new file mode 100644
index 0000000..cef0219
--- /dev/null
+++ b/esh_laminar/kitchen.yml
@@ -0,0 +1,31 @@
+---
+driver:
+ name: vagrant
+
+## The forwarded_port port feature lets you connect to ports on the VM guest
+## via localhost on the host.
+## see also: https://www.vagrantup.com/docs/networking/forwarded_ports
+
+# network:
+# - ["forwarded_port", {guest: 80, host: 8080}]
+
+provisioner:
+ name: chef_zero
+
+ ## product_name and product_version specifies a specific Chef product and version to install.
+ ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/
+ # product_name: chef
+ # product_version: 17
+
+verifier:
+ name: inspec
+
+platforms:
+ - name: ubuntu-20.04
+ - name: centos-8
+
+suites:
+ - name: default
+ verifier:
+ inspec_tests:
+ - test/integration/default
diff --git a/esh_laminar/metadata.rb b/esh_laminar/metadata.rb
new file mode 100644
index 0000000..81b058e
--- /dev/null
+++ b/esh_laminar/metadata.rb
@@ -0,0 +1,19 @@
+name 'esh_laminar'
+maintainer 'https://easyself.host'
+maintainer_email 'esh@benpro.fr'
+license 'Apache-2.0'
+description 'Installs/Configures esh_laminar'
+version '0.1.0'
+chef_version '>= 16.0'
+
+# The `issues_url` points to the location where issues for this cookbook are
+# tracked. A `View Issues` link will be displayed on this cookbook's page when
+# uploaded to a Supermarket.
+#
+# issues_url 'https://github.com//esh_laminar/issues'
+
+# The `source_url` points to the development repository for this cookbook. A
+# `View Source` link will be displayed on this cookbook's page when uploaded to
+# a Supermarket.
+#
+# source_url 'https://github.com//esh_laminar'
diff --git a/esh_laminar/recipes/default.rb b/esh_laminar/recipes/default.rb
new file mode 100644
index 0000000..767429d
--- /dev/null
+++ b/esh_laminar/recipes/default.rb
@@ -0,0 +1,17 @@
+#
+# Cookbook:: esh_laminar
+# Recipe:: default
+#
+# Copyright:: 2023, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
diff --git a/esh_laminar/recipes/service.rb b/esh_laminar/recipes/service.rb
new file mode 100644
index 0000000..9778fee
--- /dev/null
+++ b/esh_laminar/recipes/service.rb
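Review bot: `esh_laminar::default` contains nothing but the license header, yet the cookbook's own Policyfile earlier in this diff lists `esh_laminar::default` as the sole run_list entry, so converging that policy installs nothing; the actual work is in `esh_laminar::service`. Either add `include_recipe 'esh_laminar::service'` here or point the run_list at the service recipe, and say in a comment which one is intended. The top-level policyfiles under cinc-repo may already reference the service recipe directly, which this chunk does not show.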
@@ -0,0 +1,43 @@
+#
+# Cookbook:: esh_laminar
+# Recipe:: service
+#
+# Copyright:: 2023, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+package_uri = node['esh']['laminar']['service']['package']
+package_name = package_uri.split('/').last
+package_dst = "#{Chef::Config['file_cache_path']}/#{package_name}"
+
+apt_package %w(libcapnp-0.7.0 libsqlite3-0) do
+ action :install
+end
+
+remote_file package_dst do
+ source package_uri
+ owner 'root'
+ group 'root'
+ mode '0444'
+ action :create
+ notifies :install, 'dpkg_package[laminar]', :immediately
+end
+
+dpkg_package 'laminar' do
+ source package_dst
+ action :nothing
+end
+
+service 'laminar' do
+ action [:enable, :start]
+end
diff --git a/esh_laminar/test/integration/default/default_test.rb b/esh_laminar/test/integration/default/default_test.rb
new file mode 100644
index 0000000..eeafbad
--- /dev/null
+++ b/esh_laminar/test/integration/default/default_test.rb
@@ -0,0 +1,16 @@
+# Chef InSpec test for recipe esh_laminar::default
+
+# The Chef InSpec reference, with examples and extensive documentation, can be
+# found at https://docs.chef.io/inspec/resources/
+
+unless os.windows?
+ # This is an example test, replace with your own test.
+ describe user('root'), :skip do
+ it { should exist }
+ end
+end
+
+# This is an example test, replace it with your own test.
+describe port(80), :skip do
+ it { should_not be_listening }
+end
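Review bot: `remote_file package_dst` downloads the Laminar .deb from `node['esh']['laminar']['service']['package']` with no `checksum`, and `dpkg_package 'laminar'` then installs it as root with no digest or signature verification, so whatever is served at that URL becomes a root-level package install; add `checksum node['esh']['laminar']['service']['checksum']` (a new attribute) or verify a detached signature before the `notifies`. The install only runs through the `:immediately` notification on a fresh download, so a converge where the file is already cached but the earlier dpkg step failed, or the package was since removed, leaves laminar uninstalled on every later run; giving `dpkg_package 'laminar'` `action :install` directly (it compares the .deb's version with what is installed) removes that dependency on the notification. `Chef::Config['file_cache_path']` uses a string key here while esh_kanboard's default recipe uses `Chef::Config[:file_cache_path]`; both appear to resolve, but one style should be used across the cookbooks. The hard-coded `libcapnp-0.7.0` soname ties this recipe to one distro release, which is worth a comment stating the targeted Ubuntu/Debian version.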
diff --git a/esh_letsencrypt/.gitignore b/esh_letsencrypt/.gitignore
new file mode 100644
index 0000000..f1e57b8
--- /dev/null
+++ b/esh_letsencrypt/.gitignore
@@ -0,0 +1,25 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+kitchen.local.yml
+
+# Chef Infra
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json
+
+.idea/
+
diff --git a/esh_letsencrypt/CHANGELOG.md b/esh_letsencrypt/CHANGELOG.md
new file mode 100644
index 0000000..cfbe859
--- /dev/null
+++ b/esh_letsencrypt/CHANGELOG.md
@@ -0,0 +1,10 @@
+# esh_letsencrypt CHANGELOG
+
+This file is used to list changes made in each version of the esh_letsencrypt cookbook.
+
+## 0.1.0
+
+Initial release.
+
+- change 0
+- change 1
diff --git a/esh_letsencrypt/LICENSE b/esh_letsencrypt/LICENSE
new file mode 100644
index 0000000..11069ed
--- /dev/null
+++ b/esh_letsencrypt/LICENSE
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/esh_letsencrypt/Policyfile.rb b/esh_letsencrypt/Policyfile.rb new file mode 100644 index 0000000..83b332e --- /dev/null +++ b/esh_letsencrypt/Policyfile.rb @@ -0,0 +1,16 @@ +# Policyfile.rb - Describe how you want Chef Infra Client to build your system. +# +# For more information on the Policyfile feature, visit +# https://docs.chef.io/policyfile/ + +# A name that describes what the system you're building with Chef does. +name 'esh_letsencrypt' + +# Where to find external cookbooks: +default_source :supermarket + +# run_list: chef-client will run these recipes in the order specified. +run_list 'esh_letsencrypt::default' + +# Specify a custom source for a single cookbook: +cookbook 'esh_letsencrypt', path: '.' 
diff --git a/esh_letsencrypt/README.md b/esh_letsencrypt/README.md new file mode 100644 index 0000000..507f8fb --- /dev/null +++ b/esh_letsencrypt/README.md @@ -0,0 +1,4 @@ +# esh_letsencrypt + +TODO: Enter the cookbook description here. + diff --git a/esh_letsencrypt/chefignore b/esh_letsencrypt/chefignore new file mode 100644 index 0000000..cc170ea --- /dev/null +++ b/esh_letsencrypt/chefignore @@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen.yml* +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/esh_letsencrypt/compliance/README.md b/esh_letsencrypt/compliance/README.md new file mode 100644 index 0000000..947be3e --- /dev/null +++ b/esh_letsencrypt/compliance/README.md 
@@ -0,0 +1,25 @@ +# compliance + +This directory contains Chef InSpec profile, waiver and input objects which are used with the Chef Infra Compliance Phase. + +Detailed information on the Chef Infra Compliance Phase can be found in the [Chef Documentation](https://docs.chef.io/chef_compliance_phase/). + +```plain +./compliance +├── inputs +├── profiles +└── waivers +``` + +Use the `chef generate` command from Chef Workstation to create content for these directories: + +```sh +# Generate a Chef InSpec profile +chef generate profile PROFILE_NAME + +# Generate a Chef InSpec waiver file +chef generate waiver WAIVER_NAME + +# Generate a Chef InSpec input file +chef generate input INPUT_NAME +``` diff --git a/esh_letsencrypt/kitchen.yml b/esh_letsencrypt/kitchen.yml new file mode 100644 index 0000000..cef0219 --- /dev/null +++ b/esh_letsencrypt/kitchen.yml @@ -0,0 +1,31 @@ +--- +driver: + name: vagrant + +## The forwarded_port port feature lets you connect to ports on the VM guest +## via localhost on the host. +## see also: https://www.vagrantup.com/docs/networking/forwarded_ports + +# network: +# - ["forwarded_port", {guest: 80, host: 8080}] + +provisioner: + name: chef_zero + + ## product_name and product_version specifies a specific Chef product and version to install. + ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/ + # product_name: chef + # product_version: 17 + +verifier: + name: inspec + +platforms: + - name: ubuntu-20.04 + - name: centos-8 + +suites: + - name: default + verifier: + inspec_tests: + - test/integration/default diff --git a/esh_letsencrypt/metadata.rb b/esh_letsencrypt/metadata.rb new file mode 100644 index 0000000..083c188 --- /dev/null +++ b/esh_letsencrypt/metadata.rb 
@@ -0,0 +1,19 @@
+name 'esh_letsencrypt'
+maintainer 'https://easyself.host'
+maintainer_email 'esh@benpro.fr'
+license 'Apache-2.0'
+description 'Installs/Configures esh_letsencrypt'
+version '0.1.0'
+chef_version '>= 16.0'
+
+# The `issues_url` points to the location where issues for this cookbook are
+# tracked. A `View Issues` link will be displayed on this cookbook's page when
+# uploaded to a Supermarket.
+#
+# issues_url 'https://github.com//esh_letsencrypt/issues'
+
+# The `source_url` points to the development repository for this cookbook. A
+# `View Source` link will be displayed on this cookbook's page when uploaded to
+# a Supermarket.
+#
+# source_url 'https://github.com//esh_letsencrypt'
diff --git a/esh_letsencrypt/recipes/certs.rb b/esh_letsencrypt/recipes/certs.rb
new file mode 100644
index 0000000..9c759ec
--- /dev/null
+++ b/esh_letsencrypt/recipes/certs.rb
@@ -0,0 +1,84 @@
+#
+# Cookbook:: esh_letsencrypt
+# Recipe:: certs
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+email = node['esh']['letsencrypt']['certs']['email']
+certs_list = node['esh']['letsencrypt']['certs']['list']
+
+certs_list.each do |domains|
+ if match = domains.match(/-d\s+(\S+)/)
+ first_domain = match[1]
+ end
+ execute "certbot certonly #{domains}" do
+ command <<~EOT
+ certbot certonly \
+ --standalone \
+ --non-interactive \
+ --agree-tos \
+ --email #{email} \
+ --key-type ecdsa \
+ --elliptic-curve secp384r1 \
+ --http-01-port=8899 \
+ #{domains}
+ EOT
+ not_if { ::File.directory?("/etc/letsencrypt/live/#{first_domain}") }
+ action :run
+ end
+end
+
+certs_list.each do |domains|
+ if match = domains.match(/-d\s+(\S+)/)
+ first_domain = match[1]
+ end
+ execute "certbot renew #{domains}" do
+ command <<~EOT
+ certbot renew \
+ --cert-name #{first_domain} \
+ --http-01-port=8899
+ EOT
+ only_if <<~EOT
+ cert_status=$(certbot certificates #{domains} 2>/dev/null)
+ valid_days=$(echo "$cert_status" | grep 'Expiry Date' | sed 's/.*VALID: \\([0-9]*\\) days.*/\\1/')
+ test $valid_days -le 30
+ EOT
+ action :run
+ end
+end
+
+# Copy certificates for HAProxy (if present)
+certs_list.each do |domains|
+ if match = domains.match(/-d\s+(\S+)/)
+ first_domain = match[1]
+ end
+ execute "copy certificate #{first_domain} for HAproxy" do
+ command <<~EOT
+ cat /etc/letsencrypt/live/#{first_domain}/fullchain.pem \
+ /etc/letsencrypt/live/#{first_domain}/privkey.pem \
+ > /etc/haproxy/crt/#{first_domain}.pem
+ EOT
+ only_if { File.directory?('/etc/haproxy/crt') }
+ only_if <<~EOT
+ test -f /etc/haproxy/crt/#{first_domain}.pem || exit 0
+ grep -qvFf \
+ /etc/letsencrypt/live/#{first_domain}/fullchain.pem \
+ -f /etc/letsencrypt/live/#{first_domain}/privkey.pem \
+ /etc/haproxy/crt/#{first_domain}.pem
+ EOT
+ notifies :reload, 'service[haproxy]', :delayed
+ action :run
+ end
+end
diff --git a/esh_letsencrypt/recipes/default.rb b/esh_letsencrypt/recipes/default.rb
new file mode 100644
index 0000000..c758674
--- /dev/null
+++ b/esh_letsencrypt/recipes/default.rb
@@ -0,0 +1,17 @@
+#
+# Cookbook:: esh_letsencrypt
+# Recipe:: default
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
diff --git a/esh_letsencrypt/recipes/serve.rb b/esh_letsencrypt/recipes/serve.rb
new file mode 100644
index 0000000..54a9be7
--- /dev/null
+++ b/esh_letsencrypt/recipes/serve.rb
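Review bot: The HAProxy copy writes `privkey.pem` into `/etc/haproxy/crt/#{first_domain}.pem` through a plain shell redirect, so the combined file is created with the shell's default umask (normally 0644) and the private key becomes readable by every local account; start the command with `umask 077` and end it with `chmod 0600 /etc/haproxy/crt/#{first_domain}.pem` so files created by earlier runs are tightened as well. `first_domain` is only assigned inside `if match = domains.match(...)`, so an entry without a `-d` flag leaves it nil, the `not_if` then tests `/etc/letsencrypt/live/` (present once certbot has run at all) and issuance is silently skipped — fail loudly with `raise ArgumentError, "no -d <domain> in #{domains.inspect}" unless match`, and hoist the extraction into one helper instead of repeating it in all three loops. The third loop calls bare `File.directory?` where the first uses `::File`; inside a resource block the bare constant can resolve to `Chef::Resource::File`, so keep the `::File` form consistently. `domains` and `email` are interpolated unquoted into shell commands, which is acceptable only while these attributes come from operator-controlled policy; a comment at the top, `# domains/email are trusted attributes: they are spliced into shell commands without quoting`, makes that assumption visible.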
@@ -0,0 +1,54 @@
+#
+# Cookbook:: esh_letsencrypt
+# Recipe:: serve
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+auth = node['esh']['letsencrypt']['serve']['auth']
+miniserve_url = node['esh']['letsencrypt']['serve']['miniserve_url']
+listen = node['esh']['letsencrypt']['serve']['listen']
+
+remote_file '/usr/local/bin/miniserve' do
+ source miniserve_url
+ mode '0755'
+ action :create
+end
+
+systemd_unit 'letsencrypt-serve.service' do
+ content <<~EOU
+ [Unit]
+ Description=Serve letsencrypt certs
+
+ [Service]
+ Type=simple
+ ExecStart=/usr/local/bin/miniserve \
+ --auth #{auth} \
+ --interfaces #{listen} \
+ --port 8898 \
+ --verbose \
+ /etc/letsencrypt/live
+
+ [Install]
+ WantedBy=multi-user.target
+ EOU
+ action :create
+ verify false
+end
+
+service 'letsencrypt-serve' do
+ action [:enable, :start]
+ subscribes :restart, 'remote_file[/usr/local/bin/miniserve]', :delayed
+ subscribes :restart, 'systemd_unit[letsencrypt-serve.service]', :delayed
+end
diff --git a/esh_letsencrypt/recipes/snap.rb b/esh_letsencrypt/recipes/snap.rb
new file mode 100644
index 0000000..83aba51
--- /dev/null
+++ b/esh_letsencrypt/recipes/snap.rb
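Review bot: `ExecStart` embeds the basic-auth secret as `--auth #{auth}` in the unit file, so it is readable from the unit under /etc/systemd/system (installed world-readable by default) and shows up in `systemctl show` and process listings; keep it out of the unit by adding `EnvironmentFile=/etc/letsencrypt-serve.env` (constructed path, to be created root-only 0600) to `[Service]` and referencing it as `--auth ${MINISERVE_AUTH}` (constructed variable name). The tree being served, `/etc/letsencrypt/live`, contains every domain's `privkey.pem`, and it is exposed over plain HTTP on port 8898 with that single credential as the only control, so `listen` must stay on a private interface; state that in the recipe header, e.g. `# Serves private keys over HTTP: bind only to a trusted internal address and never to a public interface.` `verify false` also disables systemd's unit validation, so a malformed `listen` value is only discovered when the service fails to start.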
@@ -0,0 +1,23 @@
+#
+# Cookbook:: esh_letsencrypt
+# Recipe:: snap
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+execute 'snap install certbot' do
+ command 'snap install certbot --classic'
+ not_if 'snap list | grep -q certbot'
+ action :run
+end
diff --git a/esh_letsencrypt/test/integration/default/default_test.rb b/esh_letsencrypt/test/integration/default/default_test.rb
new file mode 100644
index 0000000..0cc6ee3
--- /dev/null
+++ b/esh_letsencrypt/test/integration/default/default_test.rb
@@ -0,0 +1,16 @@
+# Chef InSpec test for recipe esh_letsencrypt::default
+
+# The Chef InSpec reference, with examples and extensive documentation, can be
+# found at https://docs.chef.io/inspec/resources/
+
+unless os.windows?
+ # This is an example test, replace with your own test.
+ describe user('root'), :skip do
+ it { should exist }
+ end
+end
+
+# This is an example test, replace it with your own test.
+describe port(80), :skip do
+ it { should_not be_listening }
+end
diff --git a/esh_lxd/.gitignore b/esh_lxd/.gitignore
new file mode 100644
index 0000000..f1e57b8
--- /dev/null
+++ b/esh_lxd/.gitignore
@@ -0,0 +1,25 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+kitchen.local.yml
+
+# Chef Infra
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json
+
+.idea/
+
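Review bot: The guard `snap list | grep -q certbot` succeeds for any installed snap whose listing line contains the substring (a certbot DNS plugin, for instance), so the install step can be skipped while certbot itself is missing; `not_if 'snap list certbot'` asks for the exact snap name and exits non-zero when it is not installed. Nothing pins a channel or revision either, so each fresh node gets whatever the store currently publishes; if that is intended, a one-line comment above the resource, `# Tracks the snap's default channel; pin with --channel if reproducible installs are needed`, records the decision.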
diff --git a/esh_lxd/CHANGELOG.md b/esh_lxd/CHANGELOG.md new file mode 100644 index 0000000..24f489f --- /dev/null +++ b/esh_lxd/CHANGELOG.md @@ -0,0 +1,10 @@ +# esh_lxd CHANGELOG + +This file is used to list changes made in each version of the esh_lxd cookbook. + +## 0.1.0 + +Initial release. + +- change 0 +- change 1 diff --git a/esh_lxd/LICENSE b/esh_lxd/LICENSE new file mode 100644 index 0000000..11069ed --- /dev/null +++ b/esh_lxd/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/esh_lxd/Policyfile.rb b/esh_lxd/Policyfile.rb new file mode 100644 index 0000000..aa09d20 --- /dev/null +++ b/esh_lxd/Policyfile.rb @@ -0,0 +1,16 @@ +# Policyfile.rb - Describe how you want Chef Infra Client to build your system. +# +# For more information on the Policyfile feature, visit +# https://docs.chef.io/policyfile/ + +# A name that describes what the system you're building with Chef does. +name 'esh_lxd' + +# Where to find external cookbooks: +default_source :supermarket + +# run_list: chef-client will run these recipes in the order specified. +run_list 'esh_lxd::default' + +# Specify a custom source for a single cookbook: +cookbook 'esh_lxd', path: '.' diff --git a/esh_lxd/README.md b/esh_lxd/README.md new file mode 100644 index 0000000..ed77710 --- /dev/null +++ b/esh_lxd/README.md 
@@ -0,0 +1,4 @@ +# esh_lxd + +TODO: Enter the cookbook description here. + diff --git a/esh_lxd/attributes/default.rb b/esh_lxd/attributes/default.rb new file mode 100644 index 0000000..57cd620 --- /dev/null +++ b/esh_lxd/attributes/default.rb @@ -0,0 +1 @@ +node.default['esh']['lxd']['containers'] = {} \ No newline at end of file diff --git a/esh_lxd/chefignore b/esh_lxd/chefignore new file mode 100644 index 0000000..cc170ea --- /dev/null +++ b/esh_lxd/chefignore @@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen.yml* +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/esh_lxd/compliance/README.md b/esh_lxd/compliance/README.md new file mode 100644 index 0000000..947be3e --- /dev/null 
+++ b/esh_lxd/compliance/README.md @@ -0,0 +1,25 @@ +# compliance + +This directory contains Chef InSpec profile, waiver and input objects which are used with the Chef Infra Compliance Phase. + +Detailed information on the Chef Infra Compliance Phase can be found in the [Chef Documentation](https://docs.chef.io/chef_compliance_phase/). + +```plain +./compliance +├── inputs +├── profiles +└── waivers +``` + +Use the `chef generate` command from Chef Workstation to create content for these directories: + +```sh +# Generate a Chef InSpec profile +chef generate profile PROFILE_NAME + +# Generate a Chef InSpec waiver file +chef generate waiver WAIVER_NAME + +# Generate a Chef InSpec input file +chef generate input INPUT_NAME +``` diff --git a/esh_lxd/kitchen.yml b/esh_lxd/kitchen.yml new file mode 100644 index 0000000..cef0219 --- /dev/null +++ b/esh_lxd/kitchen.yml @@ -0,0 +1,31 @@ +--- +driver: + name: vagrant + +## The forwarded_port port feature lets you connect to ports on the VM guest +## via localhost on the host. +## see also: https://www.vagrantup.com/docs/networking/forwarded_ports + +# network: +# - ["forwarded_port", {guest: 80, host: 8080}] + +provisioner: + name: chef_zero + + ## product_name and product_version specifies a specific Chef product and version to install. + ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/ + # product_name: chef + # product_version: 17 + +verifier: + name: inspec + +platforms: + - name: ubuntu-20.04 + - name: centos-8 + +suites: + - name: default + verifier: + inspec_tests: + - test/integration/default diff --git a/esh_lxd/metadata.rb b/esh_lxd/metadata.rb new file mode 100644 index 0000000..524787d --- /dev/null +++ b/esh_lxd/metadata.rb 
@@ -0,0 +1,21 @@
+name 'esh_lxd'
+maintainer 'https://easyself.host'
+maintainer_email 'esh@benpro.fr'
+license 'Apache-2.0'
+description 'Installs/Configures esh_lxd'
+version '0.1.0'
+chef_version '>= 16.0'
+supports 'ubuntu', '= 22.04'
+depends 'esh_cinc'
+
+# The `issues_url` points to the location where issues for this cookbook are
+# tracked. A `View Issues` link will be displayed on this cookbook's page when
+# uploaded to a Supermarket.
+#
+# issues_url 'https://github.com//esh_lxd/issues'
+
+# The `source_url` points to the development repository for this cookbook. A
+# `View Source` link will be displayed on this cookbook's page when uploaded to
+# a Supermarket.
+#
+# source_url 'https://github.com//esh_lxd'
diff --git a/esh_lxd/recipes/containers.rb b/esh_lxd/recipes/containers.rb
new file mode 100644
index 0000000..41e3757
--- /dev/null
+++ b/esh_lxd/recipes/containers.rb
@@ -0,0 +1,136 @@ +# +# Cookbook:: esh_lxd +# Recipe:: containers +# +# Copyright:: 2022, https://easyself.host +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +node['esh']['lxd']['containers'].each do |container, params| + if params['type'] == 'lxc' + execute "create container #{container}" do + command "lxc launch images:#{params['image']} #{container}" + not_if "lxc info #{container}" + live_stream true + end + end + if params['type'] == 'vm' + execute "create vm #{container}" do + command <<~EOT + lxc launch images:#{params['image']} #{container} --vm + sleep 1m + lxc stop #{container} + EOT + not_if "lxc info #{container}" + live_stream true + end + end + + params['volumes'].each do |name, vol_params| + execute "create volume #{name} on #{vol_params['pool']} for #{container}" do + command "lxc storage volume create #{vol_params['pool']} #{name}" + not_if "lxc storage volume show #{vol_params['pool']} #{name}" + live_stream true + end + + execute "add volume #{name} on #{vol_params['pool']} for #{container}:/var/lib/#{name}" do + command "lxc config device add #{container} #{name} disk pool=#{vol_params['pool']} source=#{name} path=#{vol_params['path']}" + not_if "lxc config device get #{container} #{name} path" + live_stream true + end + end + + if params['type'] == 'vm' + execute "set vm mem #{container}" do + command "lxc config set #{container} limits.memory=#{params['mem']}" + not_if "lxc config get #{container} limits.memory | grep #{params['mem']}" + 
live_stream true + end + execute "set vm cpu #{container}" do + command "lxc config set #{container} limits.cpu=#{params['cpu']}" + not_if "lxc config get #{container} limits.cpu | grep #{params['cpu']}" + live_stream true + end + execute "set vm disk #{container}" do + command "lxc config device override #{container} root size=#{params['disk']}" + not_if "lxc config device get #{container} root size | grep -q #{params['disk']}" + live_stream true + end + execute "start vm #{container}" do + command "lxc start #{container} && sleep 1m" + only_if "lxc info #{container} | grep -q STOPPED" + live_stream true + end + end + + unless params['cinc_flavor'].nil? + distribution = params['cinc_flavor'].split('/').first + release = params['cinc_flavor'].split('/').last + cinc_url = node['esh']['cinc'][distribution][release]['url'] + filename = cinc_url.split('/').last + + esh_cinc_download cinc_url do + distribution distribution + release release + end + + execute "push cinc to container #{container}" do + command "lxc file push #{Chef::Config['file_cache_path']}/#{distribution}/#{release}/#(unknown) #{container}/opt/" + not_if "lxc exec #{container} -- test -f /opt/#(unknown)" + live_stream true + # Sometimes the container has just been created and copy fail since + # starting take a few secs + retries 3 + end + + execute "install cinc to container #{container}" do + command "lxc exec #{container} -- apt install -y /opt/#(unknown)" + not_if "lxc exec #{container} -- dpkg -s cinc" + live_stream true + end + end + + execute "lxc restart #{container}" do + command "lxc restart #{container}" + action :nothing + end + + unless params['apparmor'].nil? 
+ execute "set apparmor profile for #{container}" do + command "lxc config set #{container} raw.lxc lxc.apparmor.profile=#{params['apparmor']}" + not_if do + `lxc config get #{container} raw.lxc`.strip == "lxc.apparmor.profile=#{params['apparmor']}" + end + live_stream true + notifies :run, "execute[lxc restart #{container}]", :immediately + end + end + + unless params['security.nesting'].nil? + execute "set security.nesting for #{container}" do + command "lxc config set #{container} security.nesting=#{params['security.nesting']}" + not_if do + `lxc config get #{container} security.nesting`.strip == params['security.nesting'] + end + live_stream true + notifies :run, "execute[lxc restart #{container}]", :immediately + end + end + + next if params['cloudflared'].nil? + params['cloudflared'].each do |tunnel_name, tunnel_hostname| + esh_cloudflared_tunnel tunnel_name do + tunnel_hostname tunnel_hostname + end + end +end diff --git a/esh_lxd/recipes/default.rb b/esh_lxd/recipes/default.rb new file mode 100644 index 0000000..f89e314 --- /dev/null +++ b/esh_lxd/recipes/default.rb @@ -0,0 +1,17 @@ +# +# Cookbook:: esh_lxd +# Recipe:: default +# +# Copyright:: 2022, https://easyself.host +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/esh_lxd/recipes/resolved.rb b/esh_lxd/recipes/resolved.rb new file mode 100644 index 0000000..dc9a9ac --- /dev/null +++ b/esh_lxd/recipes/resolved.rb 
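Review bot: The `not_if` guards on the `set vm mem`, `set vm cpu` and `set vm disk` resources match with an unanchored grep, so a current value that merely contains the requested one (limits.cpu `12` against a requested `1`) makes the resource skip and the limit is never applied; the mtu guard in recipes/setup.rb has the same shape. Anchoring the match fixes it, e.g. `not_if "lxc config get #{container} limits.cpu | grep -qx #{params['cpu']}"`. The `security.nesting` and `raw.lxc lxc.apparmor.profile=` settings both relax the container's isolation, and `lxc config set … raw.lxc` replaces the whole raw.lxc value rather than adding a line, so a comment next to the `containers` attribute in attributes/default.rb saying that these are deliberate per-container opt-ins and that any other raw.lxc content is overwritten would help the next maintainer. Every `command` and `not_if` string in this loop interpolates node attributes straight into a shell line; if any of these values can come from a data bag or other external source, pass them through the stdlib `Shellwords.escape` first.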
@@ -0,0 +1,39 @@
+#
+# Cookbook:: esh_lxd
+# Recipe:: resolved
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dns_address = `lxc network get lxdbr0 ipv4.address`.strip.chomp('/24')
+
+systemd_unit 'lxd-dns.service' do
+ content <<~EOU
+ [Unit]
+ Description=LXD DNS configuration
+ BindsTo=sys-subsystem-net-devices-lxdbr0.device
+ After=sys-subsystem-net-devices-lxdbr0.device
+
+ [Service]
+ Type=oneshot
+ ExecStart=/usr/bin/resolvectl dns lxdbr0 #{dns_address}
+ ExecStart=/usr/bin/resolvectl domain lxdbr0 ~lxd
+ ExecStopPost=/usr/bin/resolvectl revert lxdbr0
+ RemainAfterExit=yes
+
+ [Install]
+ WantedBy=sys-subsystem-net-devices-lxdbr0.device
+ EOU
+ action [:create, :enable, :start]
+end
diff --git a/esh_lxd/recipes/setup.rb b/esh_lxd/recipes/setup.rb
new file mode 100644
index 0000000..a2533ae
--- /dev/null
+++ b/esh_lxd/recipes/setup.rb
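Review bot: `chomp('/24')` only strips that one prefix length, so a bridge configured with any other mask leaves `10.x.y.1/16`-style text in the `ExecStart=/usr/bin/resolvectl dns lxdbr0` line, and when `lxc network get` fails (lxd not initialised yet, or lxdbr0 missing) `dns_address` is empty and the unit is written with a bare `resolvectl dns lxdbr0`, which only surfaces as a service failure later. The backtick runs at compile time on every converge, so this is also where the failure should be reported. Stripping any prefix and failing early covers both: ``dns_address = `lxc network get lxdbr0 ipv4.address`.strip.split('/').first`` followed by `raise 'lxdbr0 has no ipv4.address; run esh_lxd::setup first' if dns_address.to_s.empty?`.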
@@ -0,0 +1,79 @@ +# +# Cookbook:: esh_lxd +# Recipe:: setup +# +# Copyright:: 2022, https://easyself.host +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# systemd need to be booted with systemd.unified_cgroup_hierarchy=0 +# otherwise, cgroup v1 container cannot be started, only v2 +# and some docker containers use v1 + +#execute 'set systemd boot mode to cgroup v1' do +# command <<~EOT +# echo '# use cgroup1' >> /etc/default/grub +# echo 'GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX systemd.unified_cgroup_hierarchy=0"' \ +# >> /etc/default/grub +# EOT +# notifies :run, 'execute[update grub]', :immediately +# not_if 'grep -q cgroup1 /etc/default/grub' +#end +# +#cgroup = `stat -fc %T /sys/fs/cgroup/`.strip +#ruby_block 'Check cgroup version' do +# block do +# if cgroup == 'cgroup2fs' +# Chef::Log.fatal('You need to reboot now to enable cgroup v1!') +# raise 'You need to reboot now to enable cgroup v1!' 
+# end +# end +# action :run +#end +# +#execute 'update grub' do +# command 'update-grub2' +# action :nothing +#end + +template '/tmp/lxd.yml' do + owner 'root' + group 'root' + mode '0644' + not_if 'lxc storage info nvme' + action :create +end + +execute 'lxd init' do + command 'lxd init --preseed < /tmp/lxd.yml' + not_if 'lxc storage info nvme' + action :run +end + +execute 'lxd change images storage location' do + command <<~EOT + lxc storage volume create nvme images + lxc config set storage.images_volume nvme/images + EOT + action :run + not_if 'lxc storage volume info nvme images' +end + +unless node['esh']['lxd']['mtu'].nil? + mtu = node['esh']['lxd']['mtu'] + execute "lxc network set lxdbr0 bridge.mtu #{mtu}" do + command "lxc network set lxdbr0 bridge.mtu #{mtu}" + action :run + not_if "lxc network get lxdbr0 bridge.mtu | grep -q #{mtu}" + end +end diff --git a/esh_lxd/templates/default/lxd.yml.erb b/esh_lxd/templates/default/lxd.yml.erb new file mode 100644 index 0000000..af77fc8 --- /dev/null +++ b/esh_lxd/templates/default/lxd.yml.erb @@ -0,0 +1,29 @@ +config: {} +networks: +- config: + ipv4.address: auto + ipv6.address: auto + description: "" + name: lxdbr0 + type: "" + project: default +storage_pools: +- config: + source: nvme + description: "" + name: nvme + driver: zfs +profiles: +- config: {} + description: "" + devices: + eth0: + name: eth0 + network: lxdbr0 + type: nic + root: + path: / + pool: nvme + type: disk + name: default +cluster: null \ No newline at end of file diff --git a/esh_lxd/test/integration/default/default_test.rb b/esh_lxd/test/integration/default/default_test.rb new file mode 100644 index 0000000..84fc588 --- /dev/null +++ b/esh_lxd/test/integration/default/default_test.rb 
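Review bot: The preseed is rendered to `/tmp/lxd.yml` with mode 0644 and then fed to `lxd init --preseed` by a separate resource, so the file sits in a shared, world-writable directory between the two steps and is left behind afterwards; this particular preseed carries no secrets, but a path under `Chef::Config[:file_cache_path]` with `mode '0600'` removes the shared-directory exposure at no cost. Moving it means naming the template source explicitly, `source 'lxd.yml.erb'`, and updating the `command` to read from the same path. The ~25-line commented-out cgroup v1 block at the top should either be deleted or reduced to a two-line comment saying why forcing `systemd.unified_cgroup_hierarchy=0` is no longer done, since dead code with a `raise` in it reads as if it might still be needed. The `lxc network set lxdbr0 bridge.mtu` guard uses an unanchored `grep -q #{mtu}` and will skip on a substring match; `grep -qx` fixes it.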
@@ -0,0 +1,16 @@ +# Chef InSpec test for recipe esh_lxd::default + +# The Chef InSpec reference, with examples and extensive documentation, can be +# found at https://docs.chef.io/inspec/resources/ + +unless os.windows? + # This is an example test, replace with your own test. + describe user('root'), :skip do + it { should exist } + end +end + +# This is an example test, replace it with your own test. +describe port(80), :skip do + it { should_not be_listening } +end diff --git a/esh_mailcow/.delivery/project.toml b/esh_mailcow/.delivery/project.toml new file mode 100644 index 0000000..3a12ab5 --- /dev/null +++ b/esh_mailcow/.delivery/project.toml @@ -0,0 +1,32 @@ +# Delivery for Local Phases Execution +# +# This file allows you to execute test phases locally on a workstation or +# in a CI pipeline. The delivery-cli will read this file and execute the +# command(s) that are configured for each phase. You can customize them +# by just modifying the phase key on this file. +# +# By default these phases are configured for Cookbook Workflow only +# + +[local_phases] +unit = "echo skipping unit phase." +lint = "chef exec cookstyle" +# foodcritic has been deprecated in favor of cookstyle so we skip the syntax +# phase now. +syntax = "echo skipping syntax phase. Use lint phase instead." +provision = "chef exec kitchen create" +deploy = "chef exec kitchen converge" +smoke = "chef exec kitchen verify" +# The functional phase is optional, you can define it by uncommenting +# the line below and running the command: `delivery local functional` +# functional = "" +cleanup = "chef exec kitchen destroy" + +# Remote project.toml file +# +# Instead of the local phases above, you may specify a remote URI location for +# the `project.toml` file. This is useful for teams that wish to centrally +# manage the behavior of the `delivery local` command across many different +# projects. +# +# remote_file = "https://url/project.toml" 
diff --git a/esh_mailcow/.gitignore b/esh_mailcow/.gitignore new file mode 100644 index 0000000..f1e57b8 --- /dev/null +++ b/esh_mailcow/.gitignore @@ -0,0 +1,25 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +kitchen.local.yml + +# Chef Infra +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json + +.idea/ + diff --git a/esh_mailcow/CHANGELOG.md b/esh_mailcow/CHANGELOG.md new file mode 100644 index 0000000..6802446 --- /dev/null +++ b/esh_mailcow/CHANGELOG.md @@ -0,0 +1,10 @@ +# esh_mailcow CHANGELOG + +This file is used to list changes made in each version of the esh_mailcow cookbook. + +## 0.1.0 + +Initial release. + +- change 0 +- change 1 diff --git a/esh_mailcow/LICENSE b/esh_mailcow/LICENSE new file mode 100644 index 0000000..11069ed --- /dev/null +++ b/esh_mailcow/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/esh_mailcow/Policyfile.rb b/esh_mailcow/Policyfile.rb new file mode 100644 index 0000000..e0592e7 --- /dev/null +++ b/esh_mailcow/Policyfile.rb @@ -0,0 +1,16 @@ +# Policyfile.rb - Describe how you want Chef Infra Client to build your system. +# +# For more information on the Policyfile feature, visit +# https://docs.chef.io/policyfile/ + +# A name that describes what the system you're building with Chef does. +name 'esh_mailcow' + +# Where to find external cookbooks: +default_source :supermarket + +# run_list: chef-client will run these recipes in the order specified. +run_list 'esh_mailcow::default' + +# Specify a custom source for a single cookbook: +cookbook 'esh_mailcow', path: '.' diff --git a/esh_mailcow/README.md b/esh_mailcow/README.md new file mode 100644 index 0000000..12c86c9 --- /dev/null 
+++ b/esh_mailcow/README.md @@ -0,0 +1,4 @@ +# esh_mailcow + +TODO: Enter the cookbook description here. + diff --git a/esh_mailcow/chefignore b/esh_mailcow/chefignore new file mode 100644 index 0000000..cc170ea --- /dev/null +++ b/esh_mailcow/chefignore @@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen.yml* +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/esh_mailcow/files/default/dkim_signing.conf b/esh_mailcow/files/default/dkim_signing.conf new file mode 100644 index 0000000..14a81c9 --- /dev/null +++ b/esh_mailcow/files/default/dkim_signing.conf 
@@ -0,0 +1,35 @@ +# If false, messages with empty envelope from are not signed +allow_envfrom_empty = true; +# If true, envelope/header domain mismatch is ignored +allow_hdrfrom_mismatch = true; +# If true, multiple from headers are allowed (but only first is used) +allow_hdrfrom_multiple = true; +# If true, username does not need to contain matching domain +allow_username_mismatch = true; +# If false, messages from authenticated users are not selected for signing +sign_authenticated = true; +# Default path to key, can include '$domain' and '$selector' variables +path = "/data/dkim/keys/$domain.dkim"; +# Default selector to use +selector = "dkim"; +# If false, messages from local networks are not selected for signing +sign_local = true; +# Symbol to add when message is signed +symbol = "DKIM_SIGNED"; +# Whether to fallback to global config +try_fallback = true; +# Domain to use for DKIM signing: can be "header" or "envelope" +use_domain = "envelope"; +# Whether to normalise domains to eSLD +use_esld = false; +# Whether to get keys from Redis +use_redis = true; +# Hash for DKIM keys in Redis +key_prefix = "DKIM_PRIV_KEYS"; +# Selector map +selector_prefix = "DKIM_SELECTORS"; +# Sieve is in sign_networks only +# forwards are arc signed, rejects are dkim signed +sign_networks = "/etc/rspamd/custom/dovecot_trusted.map"; +use_domain_sign_networks = "header"; +sign_headers = "from:sender:reply-to:subject:to:cc:mime-version:content-type:content-transfer-encoding:content-language:resent-to:resent-cc:resent-from:resent-sender:resent-message-id:in-reply-to:references:list-id:list-help:list-owner:list-unsubscribe:list-subscribe:list-post:list-unsubscribe-post:disposition-notification-to:disposition-notification-options:original-recipient:openpgp:autocrypt"; diff --git a/esh_mailcow/files/default/master.cf b/esh_mailcow/files/default/master.cf new file mode 100644 index 0000000..667b280 --- /dev/null +++ b/esh_mailcow/files/default/master.cf 
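Review bot: This file enables every permissive DKIM option at once (`allow_hdrfrom_mismatch`, `allow_username_mismatch`, `allow_envfrom_empty`, `sign_local`) with `use_domain = "envelope"` and signing keyed by Redis-stored per-domain keys, which means an authenticated user of one hosted domain can obtain a valid signature under any other domain whose key is present on the same instance; these look like mailcow's stock settings, but nothing on the page records that choice. A header comment would make the trade-off explicit for whoever inherits the file, e.g. `# Permissive allow_* settings: any authenticated user can be signed for any locally hosted domain. Acceptable only while all hosted domains belong to the same owner.` If the instance is ever shared between unrelated domain owners, `allow_username_mismatch` is the first setting to revisit.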
@@ -0,0 +1,129 @@ +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master" or +# on-line: http://www.postfix.org/master.5.html). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (no) (never) (100) +# ========================================================================== +#smtp inet n - y - - smtpd +#smtp inet n - y - 1 postscreen +#smtpd pass - - y - - smtpd +#dnsblog unix - - y - 0 dnsblog +#tlsproxy unix - - y - 0 tlsproxy +# Choose one: enable submission for loopback clients only, or for any client. +#127.0.0.1:submission inet n - y - - smtpd +#submission inet n - y - - smtpd +# -o syslog_name=postfix/submission +# -o smtpd_tls_security_level=encrypt +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_tls_auth_only=yes +# -o smtpd_reject_unlisted_recipient=no +# -o smtpd_client_restrictions=$mua_client_restrictions +# -o smtpd_helo_restrictions=$mua_helo_restrictions +# -o smtpd_sender_restrictions=$mua_sender_restrictions +# -o smtpd_recipient_restrictions= +# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +# Choose one: enable smtps for loopback clients only, or for any client. 
+#127.0.0.1:smtps inet n - y - - smtpd +#smtps inet n - y - - smtpd +# -o syslog_name=postfix/smtps +# -o smtpd_tls_wrappermode=yes +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_reject_unlisted_recipient=no +# -o smtpd_client_restrictions=$mua_client_restrictions +# -o smtpd_helo_restrictions=$mua_helo_restrictions +# -o smtpd_sender_restrictions=$mua_sender_restrictions +# -o smtpd_recipient_restrictions= +# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#628 inet n - y - - qmqpd +pickup unix n - y 60 1 pickup +cleanup unix n - y - 0 cleanup +qmgr unix n - n 300 1 qmgr +#qmgr unix n - n 300 1 oqmgr +tlsmgr unix - - y 1000? 1 tlsmgr +rewrite unix - - y - - trivial-rewrite +bounce unix - - y - 0 bounce +defer unix - - y - 0 bounce +trace unix - - y - 0 bounce +verify unix - - y - 1 verify +flush unix n - y 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - y - - smtp +relay unix - - y - - smtp + -o syslog_name=postfix/$service_name +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +showq unix n - y - - showq +error unix - - y - - error +retry unix - - y - - error +discard unix - - y - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - y - - lmtp +anvil unix - - y - 1 anvil +scache unix - - y - 1 scache +postlog unix-dgram n - n - 1 postlogd +# +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. 
+# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +maildrop unix - n n - - pipe + flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +# +# ==================================================================== +# +# Recent Cyrus versions can use the existing "lmtp" master.cf entry. +# +# Specify in cyrus.conf: +# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 +# +# Specify in main.cf one or more of the following: +# mailbox_transport = lmtp:inet:localhost +# virtual_transport = lmtp:inet:localhost +# +# ==================================================================== +# +# Cyrus 2.1.5 (Amos Gouaux) +# Also specify in main.cf: cyrus_destination_recipient_limit=1 +# +#cyrus unix - n n - - pipe +# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} +# +# ==================================================================== +# Old example of delivery via Cyrus. +# +#old-cyrus unix - n n - - pipe +# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} +# +# ==================================================================== +# +# See the Postfix UUCP_README file for configuration details. +# +uucp unix - n n - - pipe + flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +# +# Other external delivery methods. +# +ifmail unix - n n - - pipe + flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +bsmtp unix - n n - - pipe + flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient +scalemail-backend unix - n n - 2 pipe + flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} +mailman unix - n n - - pipe + flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user} \ No newline at end of file diff --git a/esh_mailcow/kitchen.yml b/esh_mailcow/kitchen.yml new file mode 100644 index 0000000..cef0219 --- /dev/null +++ b/esh_mailcow/kitchen.yml 
@@ -0,0 +1,31 @@ +--- +driver: + name: vagrant + +## The forwarded_port port feature lets you connect to ports on the VM guest +## via localhost on the host. +## see also: https://www.vagrantup.com/docs/networking/forwarded_ports + +# network: +# - ["forwarded_port", {guest: 80, host: 8080}] + +provisioner: + name: chef_zero + + ## product_name and product_version specifies a specific Chef product and version to install. + ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/ + # product_name: chef + # product_version: 17 + +verifier: + name: inspec + +platforms: + - name: ubuntu-20.04 + - name: centos-8 + +suites: + - name: default + verifier: + inspec_tests: + - test/integration/default diff --git a/esh_mailcow/metadata.rb b/esh_mailcow/metadata.rb new file mode 100644 index 0000000..84a5abb --- /dev/null +++ b/esh_mailcow/metadata.rb @@ -0,0 +1,19 @@ +name 'esh_mailcow' +maintainer 'https://easyself.host' +maintainer_email 'esh@benpro.fr' +license 'Apache-2.0' +description 'Installs/Configures esh_mailcow' +version '0.1.0' +chef_version '>= 16.0' + +# The `issues_url` points to the location where issues for this cookbook are +# tracked. A `View Issues` link will be displayed on this cookbook's page when +# uploaded to a Supermarket. +# +# issues_url 'https://github.com//esh_mailcow/issues' + +# The `source_url` points to the development repository for this cookbook. A +# `View Source` link will be displayed on this cookbook's page when uploaded to +# a Supermarket. +# +# source_url 'https://github.com//esh_mailcow' diff --git a/esh_mailcow/recipes/default.rb b/esh_mailcow/recipes/default.rb new file mode 100644 index 0000000..e4fb9ec --- /dev/null +++ b/esh_mailcow/recipes/default.rb 
@@ -0,0 +1,17 @@ +# +# Cookbook:: esh_mailcow +# Recipe:: default +# +# Copyright:: 2022, https://easyself.host +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/esh_mailcow/recipes/install.rb b/esh_mailcow/recipes/install.rb new file mode 100644 index 0000000..7915a61 --- /dev/null +++ b/esh_mailcow/recipes/install.rb 
@@ -0,0 +1,170 @@
+#
+# Cookbook:: esh_mailcow
+# Recipe:: install
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+fqdn = node['esh']['system']['hostname']['fqdn']
+hostname = fqdn.split('.')[0]
+
+file '/etc/mailname' do
+  content fqdn
+  owner 'root'
+  group 'root'
+  mode '0444'
+  action :create
+end
+
+cookbook_file '/etc/postfix/master.cf' do
+  owner 'root'
+  group 'root'
+  mode '0444'
+  action :create
+end
+
+template '/etc/postfix/main.cf' do
+  owner 'root'
+  group 'root'
+  mode '444'
+  variables fqdn: fqdn,
+            hostname: hostname
+  action :create
+end
+
+service 'postfix@-.service' do
+  action :nothing
+  subscribes :restart, 'cookbook_file[/etc/postfix/master.cf]', :delayed
+  subscribes :restart, 'template[/etc/postfix/main.cf]', :delayed
+end
+
+git '/opt/mailcow-dockerized' do
+  repository 'https://github.com/mailcow/mailcow-dockerized'
+  revision 'master'
+  action :sync
+  not_if { ::File.exist?('/opt/mailcow-dockerized') }
+end
+
+package 'expect'
+
+file '/tmp/mailcow-init.expect' do
+  content <<~EOT
+    #!/usr/bin/expect -f
+
+    set timeout -1
+
+    cd /opt/mailcow-dockerized
+    spawn /opt/mailcow-dockerized/generate_config.sh
+
+    expect "Mail server hostname (FQDN) - this is not your mail domain, but your mail servers hostname:"
+    send -- "#{node['esh']['mailcow']['install']['fqdn']}\\r"
+
+    expect -re ".*Timezone.*"
+    send -- "#{node['esh']['mailcow']['install']['timezone']}\\r"
+
+    expect -re ".*Choose the Branch.*"
+    send -- "#{node['esh']['mailcow']['install']['branch']}\\r"
+
+    expect eof
+  EOT
+  owner 'root'
+  group 'root'
+  mode '0400'
+  not_if { ::File.exist?("/opt/mailcow-dockerized/mailcow.conf")}
+  notifies :run, 'execute[init mailcow configuration]', :immediately
+  action :create
+end
+
+execute 'init mailcow configuration' do
+  command 'expect -f /tmp/mailcow-init.expect'
+  live_stream true
+  action :nothing
+end
+
+# Override dkim config, so that it is always compatible with AWS SES
+cookbook_file '/opt/mailcow-dockerized/data/conf/rspamd/local.d/dkim_signing.conf' do
+  owner 102
+  group 102
+  mode '0644'
+  action :create
+end
+
+# If behind HAProxy disable Let's Encrypt and set docker-compose.override
+if node['esh']['mailcow']['install']['haproxy']
+  execute 'update_skip_lets_encrypt' do
+    command "sed -i 's/SKIP_LETS_ENCRYPT=n/SKIP_LETS_ENCRYPT=y/' /opt/mailcow-dockerized/mailcow.conf"
+    not_if "grep -q 'SKIP_LETS_ENCRYPT=y' /opt/mailcow-dockerized/mailcow.conf"
+  end
+
+  file '/opt/mailcow-dockerized/data/conf/dovecot/extra.conf' do
+    content <<~EOT
+      haproxy_trusted_networks = #{node['esh']['mailcow']['install']['haproxy_trusted_networks']}
+    EOT
+    owner 'root'
+    group 'root'
+    mode '0400'
+    action :create
+  end
+
+  template '/opt/mailcow-dockerized/docker-compose.override.yml' do
+    owner 'root'
+    group 'root'
+    mode '0444'
+    variables mailcow_hostname: node['esh']['mailcow']['install']['postfix_myhostname']
+    action :create
+  end
+
+  username = node['esh']['mailcow']['install']['cert_auth'].split(':')[0]
+  password = node['esh']['mailcow']['install']['cert_auth'].split(':')[1]
+  auth_string = Base64.strict_encode64("#{username}:#{password}")
+
+  remote_file '/opt/mailcow-dockerized/data/assets/ssl/cert.pem' do
+    source node['esh']['mailcow']['install']['cert_pub']
+    headers({ 'Authorization' => "Basic #{auth_string}" })
+    owner 'root'
+    group 'root'
+    mode '0400'
+    action :create
+  end
+
+  remote_file '/opt/mailcow-dockerized/data/assets/ssl/key.pem' do
+    source node['esh']['mailcow']['install']['cert_priv']
+    headers({ 'Authorization' => "Basic #{auth_string}" })
+    owner 'root'
+    group 'root'
+    mode '0400'
+    action :create
+  end
+end
+
+unless node['esh']['mailcow']['install']['clamd']
+  execute 'update_skip_clamd' do
+    command "sed -i 's/SKIP_CLAMD=n/SKIP_CLAMD=y/' /opt/mailcow-dockerized/mailcow.conf"
+    not_if "grep -q 'SKIP_CLAMD=y' /opt/mailcow-dockerized/mailcow.conf"
+  end
+end
+
+execute 'docker compose pull' do
+  command 'docker compose pull --quiet'
+  cwd '/opt/mailcow-dockerized'
+  action :run
+end
+
+execute 'docker compose up -d' do
+  command 'docker compose up -d'
+  cwd '/opt/mailcow-dockerized'
+  action :run
+end
+
+### TLSA monitoring
\ No newline at end of file
diff --git a/esh_mailcow/templates/default/docker-compose.override.yml.erb b/esh_mailcow/templates/default/docker-compose.override.yml.erb
new file mode 100644
index 0000000..c4d75bb
--- /dev/null
+++ b/esh_mailcow/templates/default/docker-compose.override.yml.erb
@@ -0,0 +1,22 @@
+##
+## Set haproxy_trusted_networks in Dovecots extra.conf!
+##
+
+services:
+
+  dovecot-mailcow:
+    ports:
+      - "${IMAP_PORT_HAPROXY:-0.0.0.0:10143}:10143"
+      - "${IMAPS_PORT_HAPROXY:-0.0.0.0:10993}:10993"
+      - "${POP_PORT_HAPROXY:-0.0.0.0:10110}:10110"
+      - "${POPS_PORT_HAPROXY:-0.0.0.0:10995}:10995"
+      - "${SIEVE_PORT_HAPROXY:-0.0.0.0:14190}:14190"
+
+  postfix-mailcow:
+    ports:
+      - "${SMTP_PORT_HAPROXY:-0.0.0.0:10025}:10025"
+      - "${SMTPS_PORT_HAPROXY:-0.0.0.0:10465}:10465"
+      - "${SUBMISSION_PORT_HAPROXY:-0.0.0.0:10587}:10587"
+    environment:
+      - MAILCOW_HOSTNAME=<%= @mailcow_hostname %>
+
diff --git a/esh_mailcow/templates/default/main.cf.erb b/esh_mailcow/templates/default/main.cf.erb
new file mode 100644
index 0000000..ae5a6b4
--- /dev/null
+++ b/esh_mailcow/templates/default/main.cf.erb
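Review bot: The `cert_auth` handling splits on `:` and keeps only `[0]` and `[1]`, so a password containing a colon is silently truncated and the resulting Basic header is wrong; since the pieces are reassembled as `user:pass` anyway, `auth_string = Base64.strict_encode64(node['esh']['mailcow']['install']['cert_auth'])` preserves the value (or use `username, password = ...split(':', 2)`), and an explicit `require 'base64'` at the top of the recipe makes the dependency visible instead of relying on Chef having loaded it. The generated expect script is written to the shared, world-writable `/tmp/mailcow-init.expect` and then executed as root; `Chef::Config[:file_cache_path]` or a root-owned directory under `/opt/mailcow-dockerized` avoids the usual shared-tmp pitfalls, and the `remote_file` `source` URLs that carry these Basic credentials should be documented as https-only since `remote_file` does not enforce that. The `git` resource pairs `revision 'master'` with a `not_if` on the checkout directory, so the code deployed is whatever master was at first converge and is neither pinned nor updated afterwards; pin `revision` to a release tag (`<MAILCOW_RELEASE_TAG>`) and drop the guard so `:sync` can track it. Minor: `mode '444'` on the main.cf template differs from the `'0444'` used everywhere else, and the trailing `### TLSA monitoring` is a dangling TODO that deserves a `# TODO:` tag or removal.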
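Review bot: Every HAProxy-facing port in this override defaults to `0.0.0.0`, so unless the `*_PORT_HAPROXY` variables are set in mailcow.conf (nothing in this commit sets them; the recipe only sed-edits `SKIP_LETS_ENCRYPT` and `SKIP_CLAMD`) the back-end listeners 10143/10993/10110/10995/14190 and 10025/10465/10587 are reachable from every interface, with only `haproxy_trusted_networks` from extra.conf gating which peers Dovecot trusts. If HAProxy runs on the same host or a private network, default the binds to that address — e.g. `- "${IMAP_PORT_HAPROXY:-127.0.0.1:10143}:10143"` — or make the listen address a template variable alongside `@mailcow_hostname`, and keep a host firewall rule as the second layer. A comment above `services:` saying that these ports are meant to be reached only through HAProxy (they presumably expect PROXY protocol) and must not be exposed directly would spell out what the existing `## Set haproxy_trusted_networks` header only hints at.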
@@ -0,0 +1,49 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific: Specifying a file name will cause the first
+# line of that file to be used as the name. The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
+# fresh installs.
+compatibility_level = 3.6
+
+
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_security_level=may
+
+smtp_tls_CApath=/etc/ssl/certs
+smtp_tls_security_level=may
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = <%= @fqdn %>
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+mydestination = <%= @fqdn %>, $myhostname, <%= @hostname %>, localhost.localdomain, localhost
+relayhost = 172.22.1.1
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = loopback-only
+inet_protocols = all
+relay_transport = relay
+default_transport = smtp
diff --git a/esh_mailcow/test/integration/default/default_test.rb b/esh_mailcow/test/integration/default/default_test.rb
new file mode 100644
index 0000000..046d099
--- /dev/null
+++ b/esh_mailcow/test/integration/default/default_test.rb
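Review bot: `relayhost = 172.22.1.1` is hard-coded while `myhostname` and `mydestination` are templated from `@fqdn`/`@hostname`; the address is presumably the mailcow docker network gateway, which is itself configurable in mailcow.conf, so it should be a template variable fed from an attribute next to `fqdn` and `hostname` rather than a literal that silently breaks when the network changes. `smtp_tls_security_level=may` makes the host-to-mailcow relay opportunistic; if the relay only ever crosses the local docker bridge that is a reasonable trade-off, but it deserves a comment such as `# relayhost is the mailcow docker gateway on the local bridge; TLS is opportunistic by design` so nobody later assumes the hop is authenticated. `mydestination` includes `<%= @fqdn %>`, so mail addressed to the host FQDN is delivered by the local transport instead of being relayed into mailcow — confirm that is intended when the mailcow hostname equals the host FQDN.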
@@ -0,0 +1,16 @@ +# Chef InSpec test for recipe esh_mailcow::default + +# The Chef InSpec reference, with examples and extensive documentation, can be +# found at https://docs.chef.io/inspec/resources/ + +unless os.windows? + # This is an example test, replace with your own test. + describe user('root'), :skip do + it { should exist } + end +end + +# This is an example test, replace it with your own test. +describe port(80), :skip do + it { should_not be_listening } +end diff --git a/esh_miniflux/.gitignore b/esh_miniflux/.gitignore new file mode 100644 index 0000000..f1e57b8 --- /dev/null +++ b/esh_miniflux/.gitignore @@ -0,0 +1,25 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +kitchen.local.yml + +# Chef Infra +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json + +.idea/ + diff --git a/esh_miniflux/CHANGELOG.md b/esh_miniflux/CHANGELOG.md new file mode 100644 index 0000000..fa4b8bb --- /dev/null +++ b/esh_miniflux/CHANGELOG.md @@ -0,0 +1,10 @@ +# esh_miniflux CHANGELOG + +This file is used to list changes made in each version of the esh_miniflux cookbook. + +## 0.1.0 + +Initial release. + +- change 0 +- change 1 diff --git a/esh_miniflux/LICENSE b/esh_miniflux/LICENSE new file mode 100644 index 0000000..11069ed --- /dev/null +++ b/esh_miniflux/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/esh_miniflux/Policyfile.rb b/esh_miniflux/Policyfile.rb new file mode 100644 index 0000000..92fae2b --- /dev/null +++ b/esh_miniflux/Policyfile.rb @@ -0,0 +1,16 @@ +# Policyfile.rb - Describe how you want Chef Infra Client to build your system. +# +# For more information on the Policyfile feature, visit +# https://docs.chef.io/policyfile/ + +# A name that describes what the system you're building with Chef does. +name 'esh_miniflux' + +# Where to find external cookbooks: +default_source :supermarket + +# run_list: chef-client will run these recipes in the order specified. +run_list 'esh_miniflux::default' + +# Specify a custom source for a single cookbook: +cookbook 'esh_miniflux', path: '.' diff --git a/esh_miniflux/README.md b/esh_miniflux/README.md new file mode 100644 index 0000000..e083c88 --- /dev/null 
+++ b/esh_miniflux/README.md @@ -0,0 +1,4 @@ +# esh_miniflux + +TODO: Enter the cookbook description here. + diff --git a/esh_miniflux/chefignore b/esh_miniflux/chefignore new file mode 100644 index 0000000..cc170ea --- /dev/null +++ b/esh_miniflux/chefignore @@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen.yml* +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/esh_miniflux/compliance/README.md b/esh_miniflux/compliance/README.md new file mode 100644 index 0000000..998facd --- /dev/null +++ b/esh_miniflux/compliance/README.md 
@@ -0,0 +1,25 @@ +# compliance + +This directory contains Cinc Auditor profile, waiver and input objects which are used with the Cinc Infra Compliance Phase. + +Detailed information on the Cinc Infra Compliance Phase can be found in the [Chef Documentation](https://docs.chef.io/chef_compliance_phase/). + +```plain +./compliance +├── inputs +├── profiles +└── waivers +``` + +Use the `cinc generate` command from Cinc Workstation to create content for these directories: + +```sh +# Generate a Cinc Auditor profile +cinc generate profile PROFILE_NAME + +# Generate a Cinc Auditor waiver file +cinc generate waiver WAIVER_NAME + +# Generate a Cinc Auditor input file +cinc generate input INPUT_NAME +``` diff --git a/esh_miniflux/kitchen.yml b/esh_miniflux/kitchen.yml new file mode 100644 index 0000000..cef0219 --- /dev/null +++ b/esh_miniflux/kitchen.yml @@ -0,0 +1,31 @@ +--- +driver: + name: vagrant + +## The forwarded_port port feature lets you connect to ports on the VM guest +## via localhost on the host. +## see also: https://www.vagrantup.com/docs/networking/forwarded_ports + +# network: +# - ["forwarded_port", {guest: 80, host: 8080}] + +provisioner: + name: chef_zero + + ## product_name and product_version specifies a specific Chef product and version to install. + ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/ + # product_name: chef + # product_version: 17 + +verifier: + name: inspec + +platforms: + - name: ubuntu-20.04 + - name: centos-8 + +suites: + - name: default + verifier: + inspec_tests: + - test/integration/default diff --git a/esh_miniflux/metadata.rb b/esh_miniflux/metadata.rb new file mode 100644 index 0000000..4d93294 --- /dev/null +++ b/esh_miniflux/metadata.rb 
@@ -0,0 +1,20 @@ +name 'esh_miniflux' +maintainer 'https://easyself.host' +maintainer_email 'esh@benoit.jp.net' +license 'Apache-2.0' +description 'Installs/Configures esh_miniflux' +version '0.1.0' +chef_version '>= 16.0' +depends 'postgresql' + +# The `issues_url` points to the location where issues for this cookbook are +# tracked. A `View Issues` link will be displayed on this cookbook's page when +# uploaded to a Supermarket. +# +# issues_url 'https://github.com//esh_miniflux/issues' + +# The `source_url` points to the development repository for this cookbook. A +# `View Source` link will be displayed on this cookbook's page when uploaded to +# a Supermarket. +# +# source_url 'https://github.com//esh_miniflux' diff --git a/esh_miniflux/recipes/default.rb b/esh_miniflux/recipes/default.rb new file mode 100644 index 0000000..c611f03 --- /dev/null +++ b/esh_miniflux/recipes/default.rb 
@@ -0,0 +1,60 @@
+#
+# Cookbook:: esh_miniflux
+# Recipe:: default
+#
+# Copyright:: 2023, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+postgresql_install 'install posgresql' do
+ version '14'
+ repo_pgdg false
+ action :install_server
+end
+
+service 'postgresql@14-main' do
+ action :nothing
+end
+
+postgresql_role 'miniflux' do
+ unencrypted_password node['esh']['miniflux']['postgresql']['password']
+ login true
+ createdb true
+end
+
+postgresql_database 'miniflux' do
+ owner 'miniflux'
+end
+
+apt_repository 'miniflux' do
+ uri 'https://repo.miniflux.app/apt/'
+ components ['/']
+ distribution ''
+ trusted true
+ action :add
+end
+
+package 'miniflux'
+
+file '/etc/miniflux.conf' do
+ content node['esh']['miniflux']['configfile']
+ owner 'root'
+ group 'root'
+ mode '0644'
+ action :create
+end
+
+service 'miniflux' do
+ action [:enable, :start]
+ subscribes :restart, 'file[/etc/miniflux.conf]', :immediately
+end
diff --git a/esh_miniflux/test/integration/default/default_test.rb b/esh_miniflux/test/integration/default/default_test.rb
new file mode 100644
index 0000000..190d27f
--- /dev/null
+++ b/esh_miniflux/test/integration/default/default_test.rb
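Review bot: `trusted true` on `apt_repository 'miniflux'` tells APT to skip signature verification for everything fetched from repo.miniflux.app, so a compromised or substituted repository can hand the following `package 'miniflux'` resource an arbitrary .deb that is installed as root; HTTPS authenticates the transport, not the packages. Configure the repository's signing key with `key '<MINIFLUX-APT-SIGNING-KEY-URL placeholder>'` and drop `trusted true` so the Release file is verified. Separately, `/etc/miniflux.conf` is written with `mode '0644'` while its content comes from `node['esh']['miniflux']['configfile']`, which presumably carries the database credentials for the `miniflux` role created just above; tighten it to `mode '0640'` with `group` set to the account the packaged service runs as, and add `sensitive true` so the content is not echoed into the converge log and resource diffs. The `service 'postgresql@14-main'` resource is declared with `action :nothing` but nothing in the recipe notifies it, so it is dead code as written.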
@@ -0,0 +1,16 @@ +# Chef InSpec test for recipe esh_miniflux::default + +# The Chef InSpec reference, with examples and extensive documentation, can be +# found at https://docs.chef.io/inspec/resources/ + +unless os.windows? + # This is an example test, replace with your own test. + describe user('root'), :skip do + it { should exist } + end +end + +# This is an example test, replace it with your own test. +describe port(80), :skip do + it { should_not be_listening } +end diff --git a/esh_mkdocs/.delivery/project.toml b/esh_mkdocs/.delivery/project.toml new file mode 100644 index 0000000..3a12ab5 --- /dev/null +++ b/esh_mkdocs/.delivery/project.toml @@ -0,0 +1,32 @@ +# Delivery for Local Phases Execution +# +# This file allows you to execute test phases locally on a workstation or +# in a CI pipeline. The delivery-cli will read this file and execute the +# command(s) that are configured for each phase. You can customize them +# by just modifying the phase key on this file. +# +# By default these phases are configured for Cookbook Workflow only +# + +[local_phases] +unit = "echo skipping unit phase." +lint = "chef exec cookstyle" +# foodcritic has been deprecated in favor of cookstyle so we skip the syntax +# phase now. +syntax = "echo skipping syntax phase. Use lint phase instead." +provision = "chef exec kitchen create" +deploy = "chef exec kitchen converge" +smoke = "chef exec kitchen verify" +# The functional phase is optional, you can define it by uncommenting +# the line below and running the command: `delivery local functional` +# functional = "" +cleanup = "chef exec kitchen destroy" + +# Remote project.toml file +# +# Instead of the local phases above, you may specify a remote URI location for +# the `project.toml` file. This is useful for teams that wish to centrally +# manage the behavior of the `delivery local` command across many different +# projects. +# +# remote_file = "https://url/project.toml" 
diff --git a/esh_mkdocs/.gitignore b/esh_mkdocs/.gitignore new file mode 100644 index 0000000..f1e57b8 --- /dev/null +++ b/esh_mkdocs/.gitignore @@ -0,0 +1,25 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +kitchen.local.yml + +# Chef Infra +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json + +.idea/ + diff --git a/esh_mkdocs/CHANGELOG.md b/esh_mkdocs/CHANGELOG.md new file mode 100644 index 0000000..6ed675e --- /dev/null +++ b/esh_mkdocs/CHANGELOG.md @@ -0,0 +1,10 @@ +# esh_mkdocs CHANGELOG + +This file is used to list changes made in each version of the esh_mkdocs cookbook. + +## 0.1.0 + +Initial release. + +- change 0 +- change 1 diff --git a/esh_mkdocs/LICENSE b/esh_mkdocs/LICENSE new file mode 100644 index 0000000..11069ed --- /dev/null +++ b/esh_mkdocs/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/esh_mkdocs/Policyfile.rb b/esh_mkdocs/Policyfile.rb new file mode 100644 index 0000000..8ed4915 --- /dev/null +++ b/esh_mkdocs/Policyfile.rb @@ -0,0 +1,16 @@ +# Policyfile.rb - Describe how you want Chef Infra Client to build your system. +# +# For more information on the Policyfile feature, visit +# https://docs.chef.io/policyfile/ + +# A name that describes what the system you're building with Chef does. +name 'esh_mkdocs' + +# Where to find external cookbooks: +default_source :supermarket + +# run_list: chef-client will run these recipes in the order specified. +run_list 'esh_mkdocs::default' + +# Specify a custom source for a single cookbook: +cookbook 'esh_mkdocs', path: '.' diff --git a/esh_mkdocs/README.md b/esh_mkdocs/README.md new file mode 100644 index 0000000..76e19e1 --- /dev/null 
+++ b/esh_mkdocs/README.md @@ -0,0 +1,4 @@ +# esh_mkdocs + +TODO: Enter the cookbook description here. + diff --git a/esh_mkdocs/chefignore b/esh_mkdocs/chefignore new file mode 100644 index 0000000..cc170ea --- /dev/null +++ b/esh_mkdocs/chefignore @@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen.yml* +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/esh_mkdocs/kitchen.yml b/esh_mkdocs/kitchen.yml new file mode 100644 index 0000000..cef0219 --- /dev/null +++ b/esh_mkdocs/kitchen.yml 
@@ -0,0 +1,31 @@ +--- +driver: + name: vagrant + +## The forwarded_port port feature lets you connect to ports on the VM guest +## via localhost on the host. +## see also: https://www.vagrantup.com/docs/networking/forwarded_ports + +# network: +# - ["forwarded_port", {guest: 80, host: 8080}] + +provisioner: + name: chef_zero + + ## product_name and product_version specifies a specific Chef product and version to install. + ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/ + # product_name: chef + # product_version: 17 + +verifier: + name: inspec + +platforms: + - name: ubuntu-20.04 + - name: centos-8 + +suites: + - name: default + verifier: + inspec_tests: + - test/integration/default diff --git a/esh_mkdocs/metadata.rb b/esh_mkdocs/metadata.rb new file mode 100644 index 0000000..194f179 --- /dev/null +++ b/esh_mkdocs/metadata.rb @@ -0,0 +1,19 @@ +name 'esh_mkdocs' +maintainer 'https://easyself.host' +maintainer_email 'esh@benpro.fr' +license 'Apache-2.0' +description 'Installs/Configures esh_mkdocs' +version '0.1.0' +chef_version '>= 16.0' + +# The `issues_url` points to the location where issues for this cookbook are +# tracked. A `View Issues` link will be displayed on this cookbook's page when +# uploaded to a Supermarket. +# +# issues_url 'https://github.com//esh_mkdocs/issues' + +# The `source_url` points to the development repository for this cookbook. A +# `View Source` link will be displayed on this cookbook's page when uploaded to +# a Supermarket. +# +# source_url 'https://github.com//esh_mkdocs' diff --git a/esh_mkdocs/recipes/default.rb b/esh_mkdocs/recipes/default.rb new file mode 100644 index 0000000..a90974a --- /dev/null +++ b/esh_mkdocs/recipes/default.rb 
@@ -0,0 +1,17 @@
+#
+# Cookbook:: esh_mkdocs
+# Recipe:: default
+#
+# Copyright:: 2023, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
diff --git a/esh_mkdocs/recipes/install.rb b/esh_mkdocs/recipes/install.rb
new file mode 100644
index 0000000..d14f6d0
--- /dev/null
+++ b/esh_mkdocs/recipes/install.rb
@@ -0,0 +1,38 @@
+#
+# Cookbook:: esh_mkdocs
+# Recipe:: install
+#
+# Copyright:: 2023, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apt_package %w(python3-pip git nginx)
+
+execute 'install mkdocs' do
+ command <<~EOT
+ pip install \
+ mkdocs-git-revision-date-localized-plugin \
+ mkdocs-material \
+ mkdocs
+ EOT
+ action :run
+end
+
+directory '/var/www/html' do
+ owner 'laminar'
+ group 'laminar'
+ mode '0755'
+ action :create
+end
+
+apt_package 'nginx'
diff --git a/esh_mkdocs/test/integration/default/default_test.rb b/esh_mkdocs/test/integration/default/default_test.rb
new file mode 100644
index 0000000..c266c71
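Review bot: `execute 'install mkdocs'` runs `pip install` on every converge (`action :run` with no guard) and installs three unpinned packages from PyPI as root into the system interpreter, so each run can silently pull a different, or a tampered, release onto a host that also serves web content. Pin the packages to known versions with pip's `==` specifier and make the resource idempotent, e.g. `not_if 'pip show mkdocs'`, or better, ship a hash-pinned requirements file with the cookbook and install it with `pip install --require-hashes -r <FILE>`. `directory '/var/www/html'` is owned by `laminar`, but this cookbook creates no such user and `esh_mkdocs/metadata.rb` in this patch declares no dependency, so the converge fails when the account does not already exist; presumably esh_laminar provides it, and that ordering should be made explicit. The trailing `apt_package 'nginx'` duplicates the `nginx` entry in `apt_package %w(python3-pip git nginx)` and can be dropped.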
--- /dev/null +++ b/esh_mkdocs/test/integration/default/default_test.rb @@ -0,0 +1,16 @@ +# Chef InSpec test for recipe esh_mkdocs::default + +# The Chef InSpec reference, with examples and extensive documentation, can be +# found at https://docs.chef.io/inspec/resources/ + +unless os.windows? + # This is an example test, replace with your own test. + describe user('root'), :skip do + it { should exist } + end +end + +# This is an example test, replace it with your own test. +describe port(80), :skip do + it { should_not be_listening } +end diff --git a/esh_netplan/.gitignore b/esh_netplan/.gitignore new file mode 100644 index 0000000..f1e57b8 --- /dev/null +++ b/esh_netplan/.gitignore @@ -0,0 +1,25 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +kitchen.local.yml + +# Chef Infra +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json + +.idea/ + diff --git a/esh_netplan/CHANGELOG.md b/esh_netplan/CHANGELOG.md new file mode 100644 index 0000000..f92113b --- /dev/null +++ b/esh_netplan/CHANGELOG.md @@ -0,0 +1,10 @@ +# esh_netplan CHANGELOG + +This file is used to list changes made in each version of the esh_netplan cookbook. + +## 0.1.0 + +Initial release. + +- change 0 +- change 1 diff --git a/esh_netplan/LICENSE b/esh_netplan/LICENSE new file mode 100644 index 0000000..11069ed --- /dev/null +++ b/esh_netplan/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/esh_netplan/Policyfile.rb b/esh_netplan/Policyfile.rb new file mode 100644 index 0000000..cc614af --- /dev/null +++ b/esh_netplan/Policyfile.rb @@ -0,0 +1,16 @@ +# Policyfile.rb - Describe how you want Chef Infra Client to build your system. +# +# For more information on the Policyfile feature, visit +# https://docs.chef.io/policyfile/ + +# A name that describes what the system you're building with Chef does. +name 'esh_netplan' + +# Where to find external cookbooks: +default_source :supermarket + +# run_list: chef-client will run these recipes in the order specified. +run_list 'esh_netplan::default' + +# Specify a custom source for a single cookbook: +cookbook 'esh_netplan', path: '.' diff --git a/esh_netplan/README.md b/esh_netplan/README.md new file mode 100644 index 0000000..753e174 --- /dev/null 
+++ b/esh_netplan/README.md @@ -0,0 +1,4 @@ +# esh_netplan + +TODO: Enter the cookbook description here. + diff --git a/esh_netplan/chefignore b/esh_netplan/chefignore new file mode 100644 index 0000000..cc170ea --- /dev/null +++ b/esh_netplan/chefignore @@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen.yml* +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/esh_netplan/compliance/README.md b/esh_netplan/compliance/README.md new file mode 100644 index 0000000..947be3e --- /dev/null +++ b/esh_netplan/compliance/README.md 
@@ -0,0 +1,25 @@ +# compliance + +This directory contains Chef InSpec profile, waiver and input objects which are used with the Chef Infra Compliance Phase. + +Detailed information on the Chef Infra Compliance Phase can be found in the [Chef Documentation](https://docs.chef.io/chef_compliance_phase/). + +```plain +./compliance +├── inputs +├── profiles +└── waivers +``` + +Use the `chef generate` command from Chef Workstation to create content for these directories: + +```sh +# Generate a Chef InSpec profile +chef generate profile PROFILE_NAME + +# Generate a Chef InSpec waiver file +chef generate waiver WAIVER_NAME + +# Generate a Chef InSpec input file +chef generate input INPUT_NAME +``` diff --git a/esh_netplan/kitchen.yml b/esh_netplan/kitchen.yml new file mode 100644 index 0000000..cef0219 --- /dev/null +++ b/esh_netplan/kitchen.yml @@ -0,0 +1,31 @@ +--- +driver: + name: vagrant + +## The forwarded_port port feature lets you connect to ports on the VM guest +## via localhost on the host. +## see also: https://www.vagrantup.com/docs/networking/forwarded_ports + +# network: +# - ["forwarded_port", {guest: 80, host: 8080}] + +provisioner: + name: chef_zero + + ## product_name and product_version specifies a specific Chef product and version to install. + ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/ + # product_name: chef + # product_version: 17 + +verifier: + name: inspec + +platforms: + - name: ubuntu-20.04 + - name: centos-8 + +suites: + - name: default + verifier: + inspec_tests: + - test/integration/default diff --git a/esh_netplan/metadata.rb b/esh_netplan/metadata.rb new file mode 100644 index 0000000..a469f2b --- /dev/null +++ b/esh_netplan/metadata.rb 
@@ -0,0 +1,19 @@
+name 'esh_netplan'
+maintainer 'https://easyself.host'
+maintainer_email 'esh@benpro.fr'
+license 'Apache-2.0'
+description 'Installs/Configures esh_netplan'
+version '0.1.0'
+chef_version '>= 16.0'
+
+# The `issues_url` points to the location where issues for this cookbook are
+# tracked. A `View Issues` link will be displayed on this cookbook's page when
+# uploaded to a Supermarket.
+#
+# issues_url 'https://github.com//esh_netplan/issues'
+
+# The `source_url` points to the development repository for this cookbook. A
+# `View Source` link will be displayed on this cookbook's page when uploaded to
+# a Supermarket.
+#
+# source_url 'https://github.com//esh_netplan'
diff --git a/esh_netplan/recipes/config.rb b/esh_netplan/recipes/config.rb
new file mode 100644
index 0000000..a53515a
--- /dev/null
+++ b/esh_netplan/recipes/config.rb
@@ -0,0 +1,31 @@
+#
+# Cookbook:: esh_netplan
+# Recipe:: config
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+file '/etc/netplan/10-cinc.yaml' do
+ content node['esh']['netplan']['config']
+ owner 'root'
+ group 'root'
+ mode '0444'
+ notifies :run, 'execute[netplan apply]', :immediately
+ action :create
+end
+
+execute 'netplan apply' do
+ command 'netplan apply'
+ action :nothing
+end
diff --git a/esh_netplan/recipes/default.rb b/esh_netplan/recipes/default.rb
new file mode 100644
index 0000000..abd2a60
--- /dev/null
+++ b/esh_netplan/recipes/default.rb
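Review bot: `mode '0444'` on `/etc/netplan/10-cinc.yaml` leaves the rendered netplan configuration world-readable, and because its content comes straight from `node['esh']['netplan']['config']` it may carry material such as Wi-Fi passphrases or WireGuard keys; root is the only reader netplan needs, so `mode '0600'` is the safer default (newer netplan releases also warn when their YAML is readable by others). The `:immediately` notification runs `netplan apply` on the very host the client is converging, so an invalid or unset attribute value is pushed to the live network with no gate. A guard such as `raise 'node[esh][netplan][config] is not set' if node['esh']['netplan']['config'].nil?` at the top of the recipe would at least stop the nil case, which presumably otherwise creates an empty file and still triggers the apply.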
@@ -0,0 +1,17 @@ +# +# Cookbook:: esh_netplan +# Recipe:: default +# +# Copyright:: 2022, https://easyself.host +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/esh_netplan/test/integration/default/default_test.rb b/esh_netplan/test/integration/default/default_test.rb new file mode 100644 index 0000000..9123c2e --- /dev/null +++ b/esh_netplan/test/integration/default/default_test.rb @@ -0,0 +1,16 @@ +# Chef InSpec test for recipe esh_netplan::default + +# The Chef InSpec reference, with examples and extensive documentation, can be +# found at https://docs.chef.io/inspec/resources/ + +unless os.windows? + # This is an example test, replace with your own test. + describe user('root'), :skip do + it { should exist } + end +end + +# This is an example test, replace it with your own test. +describe port(80), :skip do + it { should_not be_listening } +end diff --git a/esh_nginx/.gitignore b/esh_nginx/.gitignore new file mode 100644 index 0000000..f1e57b8 --- /dev/null +++ b/esh_nginx/.gitignore @@ -0,0 +1,25 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +kitchen.local.yml + +# Chef Infra +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json + +.idea/ + diff --git a/esh_nginx/CHANGELOG.md b/esh_nginx/CHANGELOG.md new file mode 100644 index 0000000..f90241c --- /dev/null +++ b/esh_nginx/CHANGELOG.md 
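Review bot: `esh_netplan::default` contains nothing but the license header, yet `esh_netplan/Policyfile.rb` lists it as the whole run_list and the InSpec test is named after it, while the actual work lives in `esh_netplan::config`. If the default recipe is meant to be the entry point, `include_recipe 'esh_netplan::config'` here would make the Policyfile converge do something; if callers are expected to reference `::config` directly, a one-line comment saying so would save the next reader the search.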
@@ -0,0 +1,10 @@ +# esh_nginx CHANGELOG + +This file is used to list changes made in each version of the esh_nginx cookbook. + +## 0.1.0 + +Initial release. + +- change 0 +- change 1 diff --git a/esh_nginx/LICENSE b/esh_nginx/LICENSE new file mode 100644 index 0000000..11069ed --- /dev/null +++ b/esh_nginx/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/esh_nginx/Policyfile.rb b/esh_nginx/Policyfile.rb new file mode 100644 index 0000000..b35ffa8 --- /dev/null +++ b/esh_nginx/Policyfile.rb @@ -0,0 +1,16 @@ +# Policyfile.rb - Describe how you want Chef Infra Client to build your system. +# +# For more information on the Policyfile feature, visit +# https://docs.chef.io/policyfile/ + +# A name that describes what the system you're building with Chef does. +name 'esh_nginx' + +# Where to find external cookbooks: +default_source :supermarket + +# run_list: chef-client will run these recipes in the order specified. +run_list 'esh_nginx::default' + +# Specify a custom source for a single cookbook: +cookbook 'esh_nginx', path: '.' diff --git a/esh_nginx/README.md b/esh_nginx/README.md new file mode 100644 index 0000000..48cfefa --- /dev/null +++ b/esh_nginx/README.md 
@@ -0,0 +1,4 @@ +# esh_nginx + +TODO: Enter the cookbook description here. + diff --git a/esh_nginx/chefignore b/esh_nginx/chefignore new file mode 100644 index 0000000..cc170ea --- /dev/null +++ b/esh_nginx/chefignore @@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen.yml* +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/esh_nginx/compliance/README.md b/esh_nginx/compliance/README.md new file mode 100644 index 0000000..947be3e --- /dev/null +++ b/esh_nginx/compliance/README.md 
@@ -0,0 +1,25 @@ +# compliance + +This directory contains Chef InSpec profile, waiver and input objects which are used with the Chef Infra Compliance Phase. + +Detailed information on the Chef Infra Compliance Phase can be found in the [Chef Documentation](https://docs.chef.io/chef_compliance_phase/). + +```plain +./compliance +├── inputs +├── profiles +└── waivers +``` + +Use the `chef generate` command from Chef Workstation to create content for these directories: + +```sh +# Generate a Chef InSpec profile +chef generate profile PROFILE_NAME + +# Generate a Chef InSpec waiver file +chef generate waiver WAIVER_NAME + +# Generate a Chef InSpec input file +chef generate input INPUT_NAME +``` diff --git a/esh_nginx/kitchen.yml b/esh_nginx/kitchen.yml new file mode 100644 index 0000000..cef0219 --- /dev/null +++ b/esh_nginx/kitchen.yml @@ -0,0 +1,31 @@ +--- +driver: + name: vagrant + +## The forwarded_port port feature lets you connect to ports on the VM guest +## via localhost on the host. +## see also: https://www.vagrantup.com/docs/networking/forwarded_ports + +# network: +# - ["forwarded_port", {guest: 80, host: 8080}] + +provisioner: + name: chef_zero + + ## product_name and product_version specifies a specific Chef product and version to install. + ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/ + # product_name: chef + # product_version: 17 + +verifier: + name: inspec + +platforms: + - name: ubuntu-20.04 + - name: centos-8 + +suites: + - name: default + verifier: + inspec_tests: + - test/integration/default diff --git a/esh_nginx/metadata.rb b/esh_nginx/metadata.rb new file mode 100644 index 0000000..fcfbab2 --- /dev/null +++ b/esh_nginx/metadata.rb 
@@ -0,0 +1,19 @@ +name 'esh_nginx' +maintainer 'https://easyself.host' +maintainer_email 'esh@benpro.fr' +license 'Apache-2.0' +description 'Installs/Configures esh_nginx' +version '0.1.0' +chef_version '>= 16.0' + +# The `issues_url` points to the location where issues for this cookbook are +# tracked. A `View Issues` link will be displayed on this cookbook's page when +# uploaded to a Supermarket. +# +# issues_url 'https://github.com//esh_nginx/issues' + +# The `source_url` points to the development repository for this cookbook. A +# `View Source` link will be displayed on this cookbook's page when uploaded to +# a Supermarket. +# +# source_url 'https://github.com//esh_nginx' diff --git a/esh_nginx/recipes/default.rb b/esh_nginx/recipes/default.rb new file mode 100644 index 0000000..6782220 --- /dev/null +++ b/esh_nginx/recipes/default.rb @@ -0,0 +1,17 @@ +# +# Cookbook:: esh_nginx +# Recipe:: default +# +# Copyright:: 2022, https://easyself.host +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/esh_nginx/resources/basic_proxy.rb b/esh_nginx/resources/basic_proxy.rb new file mode 100644 index 0000000..5b1c19a --- /dev/null +++ b/esh_nginx/resources/basic_proxy.rb 
@@ -0,0 +1,44 @@
+#
+# Cookbook:: esh_nginx
+# Resource:: basic_proxy
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+unified_mode true
+property :proxy_pass, String, name_property: true
+property :set_real_ip_from, String, required: true
+default_action :setup
+
+action :setup do
+ proxy_pass = new_resource.proxy_pass
+ set_real_ip_from = new_resource.set_real_ip_from
+
+ apt_package 'nginx'
+
+ template '/etc/nginx/sites-available/default' do
+ cookbook 'esh_nginx'
+ owner 'root'
+ group 'root'
+ mode '0644'
+ variables proxy_pass: proxy_pass,
+ set_real_ip_from: set_real_ip_from
+ notifies :reload, 'service[nginx]', :immediately
+ action :create
+ end
+
+ service 'nginx' do
+ action :nothing
+ end
+end
diff --git a/esh_nginx/resources/php_fpm.rb b/esh_nginx/resources/php_fpm.rb
new file mode 100644
index 0000000..228f242
--- /dev/null
+++ b/esh_nginx/resources/php_fpm.rb
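Review bot: The `template` here sets no `source`, so it renders `default.erb`, and the `esh_nginx/templates/default/default.erb` added in this same commit is a PHP-FPM server block that never references `@proxy_pass`; as written the `proxy_pass` name property has no effect on the rendered config, so either this resource should name a proxy template (`source 'default_proxy.erb'` or similar) or the templates of this resource and `php_fpm.rb` were swapped. `set_real_ip_from` is interpolated unquoted into an nginx directive, so a value containing `;` or a newline becomes extra configuration; restricting it at the property is cheap, e.g. `property :set_real_ip_from, String, required: true, regex: /\A[0-9a-fA-F.:\/]+\z/`, and the same applies to the identical property in `php_fpm.rb`. Under `unified_mode true` resources converge as they are declared, and `service[nginx]` is declared after the template that notifies it `:immediately`; I am not certain whether Chef resolves that forward reference at converge time, so declaring the service block before the template removes the doubt.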
@@ -0,0 +1,58 @@
+#
+# Cookbook:: esh_nginx
+# Resource:: php_fpm
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+unified_mode true
+property :proxy_pass, String, name_property: true
+property :set_real_ip_from, String, required: true
+default_action :setup
+
+action :setup do
+ proxy_pass = new_resource.proxy_pass
+ set_real_ip_from = new_resource.set_real_ip_from
+
+ apt_package %w(
+ nginx
+ php-curl
+ php-fpm
+ php-gd
+ php-json
+ php-ldap
+ php-mbstring
+ php-mysql
+ php-pgsql
+ php-sqlite3
+ php-xml
+ php-zip
+ )
+
+ template '/etc/nginx/sites-available/default' do
+ source 'default_fpm.erb'
+ cookbook 'esh_nginx'
+ owner 'root'
+ group 'root'
+ mode '0644'
+ variables proxy_pass: proxy_pass,
+ set_real_ip_from: set_real_ip_from
+ notifies :reload, 'service[nginx]', :immediately
+ action :create
+ end
+
+ service 'nginx' do
+ action :nothing
+ end
+end
diff --git a/esh_nginx/templates/default/default.erb b/esh_nginx/templates/default/default.erb
new file mode 100644
index 0000000..03158c6
--- /dev/null
+++ b/esh_nginx/templates/default/default.erb
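Review bot: The package list hard-codes `php-json`, which as far as I know is shipped as a separate package only for PHP 7.4 and earlier (JSON is built into PHP 8), so on distributions newer than the ubuntu-20.04 platform in kitchen.yml this `apt_package` will presumably fail before the template is rendered; dropping it, or turning the list into a property with this as its default, keeps the resource usable. The `proxy_pass` name property is passed to `default_fpm.erb`, which is not part of this chunk, so I cannot tell whether a PHP-FPM vhost uses it; if it is unused, a one-line comment explaining why it is still the name property would help.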
@@ -0,0 +1,26 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ root /var/www/html;
+
+ index index.php index.html index.htm index.nginx-debian.html;
+
+ server_name _;
+
+ set_real_ip_from <%= @set_real_ip_from %>;
+ real_ip_header X-Forwarded-For;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+
+ location ~ \.php$ {
+ include snippets/fastcgi-php.conf;
+ fastcgi_pass unix:/run/php/php-fpm.sock;
+ }
+
+ location ~ /\.ht {
+ deny all;
+ }
+}
\ No newline at end of file
diff --git a/esh_nginx/test/integration/default/default_test.rb b/esh_nginx/test/integration/default/default_test.rb
new file mode 100644
index 0000000..d6f90cf
--- /dev/null
+++ b/esh_nginx/test/integration/default/default_test.rb
@@ -0,0 +1,16 @@
+# Chef InSpec test for recipe esh_nginx::default
+
+# The Chef InSpec reference, with examples and extensive documentation, can be
+# found at https://docs.chef.io/inspec/resources/
+
+unless os.windows?
+ # This is an example test, replace with your own test.
+ describe user('root'), :skip do
+ it { should exist }
+ end
+end
+
+# This is an example test, replace it with your own test.
+describe port(80), :skip do
+ it { should_not be_listening }
+end
diff --git a/esh_nitter/.gitignore b/esh_nitter/.gitignore
new file mode 100644
index 0000000..f1e57b8
--- /dev/null
+++ b/esh_nitter/.gitignore
@@ -0,0 +1,25 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+kitchen.local.yml
+
+# Chef Infra
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json
+
+.idea/
+
diff --git a/esh_nitter/CHANGELOG.md b/esh_nitter/CHANGELOG.md
new file mode 100644
index 0000000..ce2d9b9
--- /dev/null
+++ b/esh_nitter/CHANGELOG.md
@@ -0,0 +1,10 @@
+# esh_nitter CHANGELOG
+
+This file is used to list changes made in each version of the esh_nitter cookbook.
+
+## 0.1.0
+
+Initial release.
+
+- change 0
+- change 1
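Review bot: `location ~ /\.ht { deny all; }` only hides Apache-style `.htaccess`/`.htpasswd` files, so any other dotfile or dot-directory that ends up under `/var/www/html` (a `.git` checkout, a `.env`) is served as-is; `location ~ /\. { deny all; }` closes that for every dotfile. The `real_ip_header X-Forwarded-For` pairing is only correct while `set_real_ip_from` names the single proxy in front of this host, which is worth stating in a comment above those two lines since the value is operator-supplied and nothing in the template constrains it.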
diff --git a/esh_nitter/LICENSE b/esh_nitter/LICENSE new file mode 100644 index 0000000..11069ed --- /dev/null +++ b/esh_nitter/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/esh_nitter/Policyfile.rb b/esh_nitter/Policyfile.rb new file mode 100644 index 0000000..4f5ea0d --- /dev/null +++ b/esh_nitter/Policyfile.rb @@ -0,0 +1,16 @@ +# Policyfile.rb - Describe how you want Chef Infra Client to build your system. +# +# For more information on the Policyfile feature, visit +# https://docs.chef.io/policyfile/ + +# A name that describes what the system you're building with Chef does. +name 'esh_nitter' + +# Where to find external cookbooks: +default_source :supermarket + +# run_list: chef-client will run these recipes in the order specified. +run_list 'esh_nitter::default' + +# Specify a custom source for a single cookbook: +cookbook 'esh_nitter', path: '.' diff --git a/esh_nitter/README.md b/esh_nitter/README.md new file mode 100644 index 0000000..190bd19 --- /dev/null 
+++ b/esh_nitter/README.md @@ -0,0 +1,3 @@ +# esh_nitter + +[Upstream Github](https://github.com/zedeus/nitter) \ No newline at end of file diff --git a/esh_nitter/chefignore b/esh_nitter/chefignore new file mode 100644 index 0000000..cc170ea --- /dev/null +++ b/esh_nitter/chefignore @@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen.yml* +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/esh_nitter/compliance/README.md b/esh_nitter/compliance/README.md new file mode 100644 index 0000000..947be3e --- /dev/null +++ b/esh_nitter/compliance/README.md 
@@ -0,0 +1,25 @@ +# compliance + +This directory contains Chef InSpec profile, waiver and input objects which are used with the Chef Infra Compliance Phase. + +Detailed information on the Chef Infra Compliance Phase can be found in the [Chef Documentation](https://docs.chef.io/chef_compliance_phase/). + +```plain +./compliance +├── inputs +├── profiles +└── waivers +``` + +Use the `chef generate` command from Chef Workstation to create content for these directories: + +```sh +# Generate a Chef InSpec profile +chef generate profile PROFILE_NAME + +# Generate a Chef InSpec waiver file +chef generate waiver WAIVER_NAME + +# Generate a Chef InSpec input file +chef generate input INPUT_NAME +``` diff --git a/esh_nitter/kitchen.yml b/esh_nitter/kitchen.yml new file mode 100644 index 0000000..cef0219 --- /dev/null +++ b/esh_nitter/kitchen.yml @@ -0,0 +1,31 @@ +--- +driver: + name: vagrant + +## The forwarded_port port feature lets you connect to ports on the VM guest +## via localhost on the host. +## see also: https://www.vagrantup.com/docs/networking/forwarded_ports + +# network: +# - ["forwarded_port", {guest: 80, host: 8080}] + +provisioner: + name: chef_zero + + ## product_name and product_version specifies a specific Chef product and version to install. + ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/ + # product_name: chef + # product_version: 17 + +verifier: + name: inspec + +platforms: + - name: ubuntu-20.04 + - name: centos-8 + +suites: + - name: default + verifier: + inspec_tests: + - test/integration/default diff --git a/esh_nitter/metadata.rb b/esh_nitter/metadata.rb new file mode 100644 index 0000000..efe056f --- /dev/null +++ b/esh_nitter/metadata.rb 
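Review bot: The Kitchen `platforms` list (`ubuntu-20.04`, `centos-8`) does not match what the recipes in this cookbook do: system.rb adds the `bullseye-backports` apt repository and installs `nim` from it, which will not converge on CentOS and will pull a mismatched release on Ubuntu, and `centos-8` itself is past end of life. Replace the two entries with `- name: debian-11` so the suite exercises the platform the cookbook actually targets.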
@@ -0,0 +1,20 @@ +name 'esh_nitter' +maintainer 'https://easyself.host' +maintainer_email 'esh@benpro.fr' +license 'Apache-2.0' +description 'Installs/Configures esh_nitter' +version '0.1.0' +chef_version '>= 16.0' +depends 'esh_nginx' + +# The `issues_url` points to the location where issues for this cookbook are +# tracked. A `View Issues` link will be displayed on this cookbook's page when +# uploaded to a Supermarket. +# +# issues_url 'https://github.com//esh_nitter/issues' + +# The `source_url` points to the development repository for this cookbook. A +# `View Source` link will be displayed on this cookbook's page when uploaded to +# a Supermarket. +# +# source_url 'https://github.com//esh_nitter' diff --git a/esh_nitter/recipes/default.rb b/esh_nitter/recipes/default.rb new file mode 100644 index 0000000..0ded878 --- /dev/null +++ b/esh_nitter/recipes/default.rb @@ -0,0 +1,17 @@ +# +# Cookbook:: esh_nitter +# Recipe:: default +# +# Copyright:: 2022, https://easyself.host +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/esh_nitter/recipes/install.rb b/esh_nitter/recipes/install.rb new file mode 100644 index 0000000..3c8d5bc --- /dev/null +++ b/esh_nitter/recipes/install.rb 
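Review bot: `esh_nitter::default` contains nothing but the license header, yet this cookbook's own Policyfile run_list is `esh_nitter::default`, so a converge from that Policyfile installs nothing. If the cookbook is meant to be usable on its own, the default recipe should carry the intended sequence — `include_recipe 'esh_nitter::system'`, `include_recipe 'esh_nitter::redis'`, `include_recipe 'esh_nitter::install'`, `include_recipe 'esh_nitter::service'` — with a comment that install.rb's `notifies :restart, 'service[nitter]'` requires the service recipe to be in the same run. If the top-level cinc-repo policyfiles list the recipes directly instead, say so in a comment here so the empty recipe does not look like an omission.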
@@ -0,0 +1,76 @@
+#
+# Cookbook:: esh_nitter
+# Recipe:: install
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+git '/home/nitter/nitter' do
+ repository 'https://github.com/zedeus/nitter.git'
+ # Sadly nitter poject does not manage any releases nor tags/branches
+ revision 'HEAD'
+ user 'nitter'
+ group 'nitter'
+ action :sync
+ notifies :run, 'execute[build nitter]', :immediately
+ notifies :run, 'execute[generate CSS]', :immediately
+ notifies :run, 'execute[render MD]', :immediately
+end
+
+execute 'build nitter' do
+ command 'nimble -y build -d:release'
+ user 'nitter'
+ login true
+ cwd '/home/nitter/nitter'
+ live_stream true
+ action :nothing
+ notifies :restart, 'service[nitter]', :delayed
+end
+
+execute 'generate CSS' do
+ command 'nimble scss'
+ user 'nitter'
+ login true
+ cwd '/home/nitter/nitter'
+ live_stream true
+ action :nothing
+ notifies :restart, 'service[nitter]', :delayed
+end
+
+execute 'render MD' do
+ command 'nimble md'
+ user 'nitter'
+ login true
+ cwd '/home/nitter/nitter'
+ live_stream true
+ action :nothing
+ notifies :restart, 'service[nitter]', :delayed
+end
+
+template '/home/nitter/nitter/nitter.conf' do
+ owner 'nitter'
+ group 'nitter'
+ mode '0400'
+ variables title: node['esh']['nitter']['config']['title'],
+ hostname: node['esh']['nitter']['config']['hostname'],
+ hmac_key: node['esh']['nitter']['config']['hmac_key'],
+ replace_twitter: node['esh']['nitter']['config']['replace_twitter'],
+ replace_youtube: node['esh']['nitter']['config']['replace_youtube']
+ notifies :restart, 'service[nitter]', :delayed
+ action :create
+end
+
+esh_nginx_basic_proxy node['esh']['nitter']['nginx']['ip_addr'] do
+ port node['esh']['nitter']['nginx']['port']
+end
diff --git a/esh_nitter/recipes/redis.rb b/esh_nitter/recipes/redis.rb
new file mode 100644
index 0000000..507dbb4
--- /dev/null
+++ b/esh_nitter/recipes/redis.rb
@@ -0,0 +1,19 @@
+#
+# Cookbook:: esh_nitter
+# Recipe:: redis
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apt_package 'redis-server'
diff --git a/esh_nitter/recipes/service.rb b/esh_nitter/recipes/service.rb
new file mode 100644
index 0000000..cdddd7a
--- /dev/null
+++ b/esh_nitter/recipes/service.rb
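Review bot: `revision 'HEAD'` together with `action :sync` checks out and builds whatever the upstream default branch holds at the time of every converge, so any commit pushed to zedeus/nitter — or a compromise of that repository — becomes a running service on this host without anyone reviewing it. Pin the checkout to a commit held in an attribute, `revision node['esh']['nitter']['revision']`, and bump it deliberately; the comment is right that upstream has no tags, but the `git` resource accepts a full commit SHA, which is the right thing to record. `nimble -y build -d:release` answers yes to every prompt, which presumably includes fetching nimble dependencies over the network during the build, so the same unpinned-source concern applies to the dependency tree. `hmac_key` is passed in from a plain node attribute; wherever that attribute is set (outside this hunk), it is readable by anyone with access to the node object or policy, so consider sourcing it from an encrypted data bag or another secret store rather than attributes.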
@@ -0,0 +1,45 @@
+#
+# Cookbook:: esh_nitter
+# Recipe:: service
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+systemd_unit 'nitter.service' do
+ content <<~EOU
+ [Unit]
+ Description=Nitter (An alternative Twitter front-end)
+ After=syslog.target
+ After=network.target
+ [Service]
+ Type=simple
+ # set user and group
+ User=nitter
+ Group=nitter
+ # configure location
+ WorkingDirectory=/home/nitter/nitter
+ ExecStart=/home/nitter/nitter/nitter
+ Restart=always
+ RestartSec=15
+ [Install]
+ WantedBy=multi-user.target
+ EOU
+ verify false
+ action [:create, :enable, :start]
+ notifies :restart, 'service[nitter]', :immediately
+end
+
+service 'nitter' do
+ action :nothing
+end
diff --git a/esh_nitter/recipes/system.rb b/esh_nitter/recipes/system.rb
new file mode 100644
index 0000000..26db438
--- /dev/null
+++ b/esh_nitter/recipes/system.rb
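Review bot: The unit runs as the unprivileged `nitter` user but applies no systemd sandboxing, even though the process parses untrusted remote content and serves HTTP; adding `NoNewPrivileges=`, `PrivateTmp=`, `ProtectSystem=strict`, `ProtectHome=read-only` and a `RestrictAddressFamilies=` line in the `[Service]` section limits what a compromised process can reach. `ProtectHome=read-only` still allows executing `/home/nitter/nitter/nitter`; if nitter writes anything under its tree (nothing in these recipes shows it doing so) a `ReadWritePaths=` entry for that path is needed. `After=syslog.target` is a leftover from pre-journal units and can be dropped. `verify false` skips `systemd-analyze verify`, which is exactly what would catch a typo in the new directives at converge time, so consider enabling it.
```ruby
    RestartSec=15
    # Sandboxing: the service needs only its own tree and the network.
    NoNewPrivileges=true
    PrivateTmp=true
    ProtectSystem=strict
    ProtectHome=read-only
    ProtectKernelTunables=true
    ProtectControlGroups=true
    RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
    # ReadWritePaths=/home/nitter/nitter   # uncomment only if nitter writes under its tree
    [Install]
```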
@@ -0,0 +1,45 @@
+#
+# Cookbook:: esh_nitter
+# Recipe:: system
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apt_repository 'bullseye-backports' do
+ uri 'http://deb.debian.org/debian'
+ components ['main']
+ distribution 'bullseye-backports'
+ action :add
+end
+
+apt_package 'nim' do
+ default_release 'bullseye-backports'
+end
+
+apt_package %w(git nim libsass-dev libpcre2-dev build-essential)
+
+group 'nitter' do
+ system true
+ action :create
+end
+
+user 'nitter' do
+ comment 'nitter system user'
+ gid 'nitter'
+ home '/home/nitter'
+ manage_home true
+ shell '/usr/bin/bash'
+ system true
+ action :create
+end
diff --git a/esh_nitter/templates/default/nitter.conf.erb b/esh_nitter/templates/default/nitter.conf.erb
new file mode 100644
index 0000000..61df93d
--- /dev/null
+++ b/esh_nitter/templates/default/nitter.conf.erb
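Review bot: The `nitter` service account is created with `shell '/usr/bin/bash'`, which gives a daemon-only account an interactive login shell it has no use for. The `git` and `execute` resources in install.rb run as this user through Chef's own privilege drop (`login true` populates HOME/USER/PATH from the passwd entry), so `shell '/usr/sbin/nologin'` should be sufficient — worth one converge to confirm the nimble build does not depend on the passwd shell. Minor: `nim` is installed from backports by `apt_package 'nim'` and then listed again in the `%w(...)` line; the second mention is a no-op once the first has run, but it reads as if the release pin were optional, so drop it from the list.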
@@ -0,0 +1,45 @@
+[Server]
+address = "0.0.0.0"
+port = 8080
+https = false # disable to enable cookies when not using https
+httpMaxConnections = 100
+staticDir = "./public"
+title = "<%= @title %>"
+hostname = "<%= @hostname %>"
+
+[Cache]
+listMinutes = 240 # how long to cache list info (not the tweets, so keep it high)
+rssMinutes = 10 # how long to cache rss queries
+redisHost = "localhost" # Change to "nitter-redis" if using docker-compose
+redisPort = 6379
+redisPassword = ""
+redisConnections = 20 # connection pool size
+redisMaxConnections = 30
+# max, new connections are opened when none are available, but if the pool size
+# goes above this, they're closed when released. don't worry about this unless
+# you receive tons of requests per second
+
+[Config]
+hmacKey = "<%= @hmac_key %>" # random key for cryptographic signing of video urls
+base64Media = true # use base64 encoding for proxied media urls
+enableRSS = true # set this to false to disable RSS feeds
+enableDebug = false # enable request logs and debug endpoints
+proxy = "" # http/https url, SOCKS proxies are not supported
+proxyAuth = ""
+tokenCount = 10
+# minimum amount of usable tokens. tokens are used to authorize API requests,
+# but they expire after ~1 hour, and have a limit of 187 requests.
+# the limit gets reset every 15 minutes, and the pool is filled up so there's
+# always at least $tokenCount usable tokens. again, only increase this if
+# you receive major bursts all the time
+
+# Change default preferences here, see src/prefs_impl.nim for a complete list
+[Preferences]
+theme = "Nitter"
+replaceTwitter = "<%= @replace_twitter %>"
+replaceYouTube = "<%= @replace_youtube %>"
+replaceReddit = "teddit.net"
+replaceInstagram = ""
+proxyVideos = true
+hlsPlayback = false
+infiniteScroll = false
diff --git a/esh_nitter/test/integration/default/default_test.rb b/esh_nitter/test/integration/default/default_test.rb
new file mode 100644
index 0000000..2b6be8c
--- /dev/null
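Review bot: `address = "0.0.0.0"` binds nitter on every interface on port 8080, so the `esh_nginx_basic_proxy` placed in front of it can be bypassed by anyone who can reach the host directly unless a firewall blocks the port. When nginx runs on the same host this should be `address = "127.0.0.1"`; install.rb proxies to `node['esh']['nitter']['nginx']['ip_addr']`, which suggests the proxy may live elsewhere, so the cleaner fix is to template it, `address = "<%= @address %>"`, and set it per deployment. `https = false` — which, per the inline comment, governs whether nitter's cookies are marked for HTTPS only — is wrong once nginx terminates TLS for the public hostname and should then be `true`. `redisPassword = ""` is acceptable only because the Debian redis default binds to localhost; redis.rb installs the package without configuring that, so it is worth a comment stating the assumption.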
+++ b/esh_nitter/test/integration/default/default_test.rb @@ -0,0 +1,16 @@ +# Chef InSpec test for recipe esh_nitter::default + +# The Chef InSpec reference, with examples and extensive documentation, can be +# found at https://docs.chef.io/inspec/resources/ + +unless os.windows? + # This is an example test, replace with your own test. + describe user('root'), :skip do + it { should exist } + end +end + +# This is an example test, replace it with your own test. +describe port(80), :skip do + it { should_not be_listening } +end diff --git a/esh_photoprism/.gitignore b/esh_photoprism/.gitignore new file mode 100644 index 0000000..f1e57b8 --- /dev/null +++ b/esh_photoprism/.gitignore @@ -0,0 +1,25 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +kitchen.local.yml + +# Chef Infra +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json + +.idea/ + diff --git a/esh_photoprism/CHANGELOG.md b/esh_photoprism/CHANGELOG.md new file mode 100644 index 0000000..b9b40a9 --- /dev/null +++ b/esh_photoprism/CHANGELOG.md @@ -0,0 +1,10 @@ +# esh_photoprism CHANGELOG + +This file is used to list changes made in each version of the esh_photoprism cookbook. + +## 0.1.0 + +Initial release. + +- change 0 +- change 1 diff --git a/esh_photoprism/LICENSE b/esh_photoprism/LICENSE new file mode 100644 index 0000000..11069ed --- /dev/null +++ b/esh_photoprism/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/esh_photoprism/Policyfile.rb b/esh_photoprism/Policyfile.rb new file mode 100644 index 0000000..2967781 --- /dev/null +++ b/esh_photoprism/Policyfile.rb @@ -0,0 +1,16 @@ +# Policyfile.rb - Describe how you want Chef Infra Client to build your system. +# +# For more information on the Policyfile feature, visit +# https://docs.chef.io/policyfile/ + +# A name that describes what the system you're building with Chef does. +name 'esh_photoprism' + +# Where to find external cookbooks: +default_source :supermarket + +# run_list: chef-client will run these recipes in the order specified. +run_list 'esh_photoprism::default' + +# Specify a custom source for a single cookbook: +cookbook 'esh_photoprism', path: '.' diff --git a/esh_photoprism/README.md b/esh_photoprism/README.md new file mode 100644 index 0000000..08a3d98 
--- /dev/null +++ b/esh_photoprism/README.md @@ -0,0 +1,4 @@ +# esh_photoprism + +TODO: Enter the cookbook description here. + diff --git a/esh_photoprism/chefignore b/esh_photoprism/chefignore new file mode 100644 index 0000000..cc170ea --- /dev/null +++ b/esh_photoprism/chefignore @@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen.yml* +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/esh_photoprism/compliance/README.md b/esh_photoprism/compliance/README.md new file mode 100644 index 0000000..947be3e --- /dev/null +++ b/esh_photoprism/compliance/README.md 
@@ -0,0 +1,25 @@ +# compliance + +This directory contains Chef InSpec profile, waiver and input objects which are used with the Chef Infra Compliance Phase. + +Detailed information on the Chef Infra Compliance Phase can be found in the [Chef Documentation](https://docs.chef.io/chef_compliance_phase/). + +```plain +./compliance +├── inputs +├── profiles +└── waivers +``` + +Use the `chef generate` command from Chef Workstation to create content for these directories: + +```sh +# Generate a Chef InSpec profile +chef generate profile PROFILE_NAME + +# Generate a Chef InSpec waiver file +chef generate waiver WAIVER_NAME + +# Generate a Chef InSpec input file +chef generate input INPUT_NAME +``` diff --git a/esh_photoprism/kitchen.yml b/esh_photoprism/kitchen.yml new file mode 100644 index 0000000..cef0219 --- /dev/null +++ b/esh_photoprism/kitchen.yml @@ -0,0 +1,31 @@ +--- +driver: + name: vagrant + +## The forwarded_port port feature lets you connect to ports on the VM guest +## via localhost on the host. +## see also: https://www.vagrantup.com/docs/networking/forwarded_ports + +# network: +# - ["forwarded_port", {guest: 80, host: 8080}] + +provisioner: + name: chef_zero + + ## product_name and product_version specifies a specific Chef product and version to install. + ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/ + # product_name: chef + # product_version: 17 + +verifier: + name: inspec + +platforms: + - name: ubuntu-20.04 + - name: centos-8 + +suites: + - name: default + verifier: + inspec_tests: + - test/integration/default diff --git a/esh_photoprism/metadata.rb b/esh_photoprism/metadata.rb new file mode 100644 index 0000000..e1b47e1 --- /dev/null +++ b/esh_photoprism/metadata.rb 
@@ -0,0 +1,20 @@
+name 'esh_photoprism'
+maintainer 'https://easyself.host'
+maintainer_email 'esh@benpro.fr'
+license 'Apache-2.0'
+description 'Installs/Configures esh_photoprism'
+version '0.1.0'
+chef_version '>= 16.0'
+supports 'ubuntu', '= 22.04'
+
+# The `issues_url` points to the location where issues for this cookbook are
+# tracked. A `View Issues` link will be displayed on this cookbook's page when
+# uploaded to a Supermarket.
+#
+# issues_url 'https://github.com//esh_photoprism/issues'
+
+# The `source_url` points to the development repository for this cookbook. A
+# `View Source` link will be displayed on this cookbook's page when uploaded to
+# a Supermarket.
+#
+# source_url 'https://github.com//esh_photoprism'
diff --git a/esh_photoprism/recipes/compose.rb b/esh_photoprism/recipes/compose.rb
new file mode 100644
index 0000000..04d6bb6
--- /dev/null
+++ b/esh_photoprism/recipes/compose.rb
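Review bot: `supports 'ubuntu', '= 22.04'` is the only platform this metadata declares, yet kitchen.yml in the same commit still carries the generator defaults `ubuntu-20.04` and `centos-8`, so the integration suite never converges on the one platform the cookbook claims to support. Replace the kitchen platform list with `- name: ubuntu-22.04` (or generate it from the same value) so the test matrix and the metadata agree. The commented `issues_url`/`source_url` lines still contain the generator's empty `github.com//` owner; either fill them in or drop them.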
@@ -0,0 +1,69 @@
+#
+# Cookbook:: esh_photoprism
+# Recipe:: compose
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+directory '/opt/photoprism' do
+ owner 'photoprism'
+ group 'photoprism'
+ mode '0755'
+ action :create
+end
+
+template '/opt/photoprism/docker-compose.yml' do
+ owner 'photoprism'
+ group 'photoprism'
+ mode '0400'
+ variables environment: node['esh']['photoprism']['environment'],
+ volumes: node['esh']['photoprism']['volumes'],
+ mariadb_volumes: node['esh']['photoprism']['mariadb']['volumes'],
+ mariadb_password: node['esh']['photoprism']['mariadb']['password'],
+ mariadb_root_password: node['esh']['photoprism']['mariadb']['root_password']
+ action :create
+end
+
+execute 'docker compose pull' do
+ command 'docker compose pull --quiet'
+ cwd '/opt/photoprism'
+ live_stream true
+ action :run
+end
+
+systemd_unit 'photoprism.service' do
+ content <<~EOU
+ [Unit]
+ Description=photoprism via docker compose
+ Requires=docker.service
+ After=docker.service
+
+ [Service]
+ Type=oneshot
+ RemainAfterExit=true
+ WorkingDirectory=/opt/photoprism
+ ExecStart=/usr/bin/docker compose up --detach
+ ExecStop=/usr/bin/docker compose down
+
+ [Install]
+ WantedBy=multi-user.target
+ EOU
+ action [:create, :enable]
+ subscribes :restart, 'template[/opt/photoprism/docker-compose.yml]', :delayed
+end
+
+service 'photoprism' do
+ action :nothing
+ subscribes :start, 'execute[docker compose pull]', :delayed
+end
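Review bot: The `template '/opt/photoprism/docker-compose.yml'` resource renders the MariaDB user and root passwords (and whatever `node['esh']['photoprism']['environment']` carries) into the file but is not marked sensitive, so chef-client prints the rendered content diff in its log and run report every time the file changes; `mode '0400'` protects the file on disk, not the converge output. Add `sensitive true` to the template resource. `execute 'docker compose pull'` has no guard and therefore re-pulls on every converge, which is presumably the intended auto-update path; a comment such as `# unguarded on purpose: every converge pulls the current image and the service subscribes to it` would spare the next reader from wondering whether a `not_if` was forgotten.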
diff --git a/esh_photoprism/recipes/default.rb b/esh_photoprism/recipes/default.rb
new file mode 100644
index 0000000..ce36af0
--- /dev/null
+++ b/esh_photoprism/recipes/default.rb
@@ -0,0 +1,17 @@
+#
+# Cookbook:: esh_photoprism
+# Recipe:: default
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
diff --git a/esh_photoprism/recipes/docker.rb b/esh_photoprism/recipes/docker.rb
new file mode 100644
index 0000000..08ff8c8
--- /dev/null
+++ b/esh_photoprism/recipes/docker.rb
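Review bot: The default recipe contains only the license header, while the Policyfile.rb added in this same commit sets `run_list 'esh_photoprism::default'`, so that policy as shipped converges nothing from this cookbook. Presumably the repo's policyfiles reference the individual recipes (system, mariadb, compose or docker) directly; if so, say it here with a comment like `# Intentionally empty: policies include esh_photoprism::system / ::mariadb / ::compose or ::docker explicitly`, otherwise add the `include_recipe` lines for the intended composition.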
@@ -0,0 +1,40 @@
+# Cookbook:: esh_photoprism
+# Recipe:: docker
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+image = node['esh']['photoprism']['docker']['image']
+repo = image.split('/', 2)[1]
+tag = node['esh']['photoprism']['docker']['tag']
+env = node['esh']['photoprism']['docker']['env']
+volumes = node['esh']['photoprism']['docker']['volumes']
+
+docker_image image do
+ tag tag
+ action :pull
+end
+
+docker_container 'photoprism' do
+ repo repo
+ tag tag
+ port '2342:2342'
+ env env
+ user '998:998'
+ working_dir '/photoprism'
+ security_opt ['seccomp:unconfined', 'apparmor:unconfined']
+ volumes volumes
+ restart_policy 'unless-stopped'
+ action [:create, :start]
+end
diff --git a/esh_photoprism/recipes/mariadb.rb b/esh_photoprism/recipes/mariadb.rb
new file mode 100644
index 0000000..92c53b1
--- /dev/null
+++ b/esh_photoprism/recipes/mariadb.rb
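Review bot: `port '2342:2342'` publishes PhotoPrism's plaintext HTTP port on every host interface, while the upstream compose file vendored in this same commit warns that the service should only be reached through an HTTPS reverse proxy outside a home network. If a local proxy fronts it (the repo carries haproxy and nginx cookbooks), bind to loopback instead, `port '127.0.0.1:2342:2342'`, or make the bind address an attribute. `security_opt ['seccomp:unconfined', 'apparmor:unconfined']` removes both sandboxes from the container; upstream ships the same setting, but a comment stating why it is required here would keep a future reader from treating it as an accident. `repo = image.split('/', 2)[1]` also evaluates to nil for an image name with no namespace component, which surfaces as an opaque failure inside `docker_container` rather than at the attribute; a `raise ArgumentError` with the offending image name at that line would be clearer.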
@@ -0,0 +1,34 @@
+#
+# Cookbook:: esh_photoprism
+# Recipe:: mariadb
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apt_package 'mariadb-server'
+
+mariadb_server_install 'MariaDB Server install' do
+ version '10.5'
+ setup_repo false
+end
+
+mariadb_user 'photoprism' do
+ password node['esh']['photoprism']['mariadb']['password']
+ database_name 'photoprism'
+ action [:create, :grant]
+end
+
+mariadb_database 'photoprism' do
+ action :create
+end
diff --git a/esh_photoprism/recipes/system.rb b/esh_photoprism/recipes/system.rb
new file mode 100644
index 0000000..a0980d9
--- /dev/null
+++ b/esh_photoprism/recipes/system.rb
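Review bot: `mariadb_user 'photoprism'` is granted on database `photoprism` before `mariadb_database 'photoprism'` creates it; MariaDB accepts a grant on a schema that does not exist yet, but the order reads backwards and the database resource should be declared first. `version '10.5'` together with `setup_repo false` means the server actually comes from the distro's `apt_package 'mariadb-server'`, and metadata.rb pins Ubuntu 22.04, whose mariadb-server package is 10.6, so the declared version may not match what is installed — worth confirming what the resource does with that value when it is not managing the repository. The user's privileges are not narrowed, so it presumably receives the resource's default grant; a one-line comment stating the intended scope (`# full rights on photoprism.* only`, if that is what is wanted) would make the intent reviewable.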
@@ -0,0 +1,44 @@
+#
+# Cookbook:: esh_photoprism
+# Recipe:: system
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+group 'photoprism' do
+ system true
+ gid 998
+ action :create
+end
+
+user 'photoprism' do
+ comment 'photoprism system user'
+ gid 998
+ uid 998
+ home '/home/photoprism'
+ manage_home true
+ shell '/usr/bin/bash'
+ system true
+ action :create
+end
+
+%w(originals storage).each do |name|
+ directory "/var/lib/#{node['hostname']}-#{name}" do
+ owner 'photoprism'
+ group 'photoprism'
+ mode '0750'
+ not_if { ::Dir.exist?("/var/lib/#{node['hostname']}-#{name}") }
+ action :create
+ end
+end
diff --git a/esh_photoprism/recipes/undocker.rb b/esh_photoprism/recipes/undocker.rb
new file mode 100644
index 0000000..7b9155b
--- /dev/null
+++ b/esh_photoprism/recipes/undocker.rb
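Review bot: The `not_if { ::Dir.exist?(...) }` guard on the `directory` resource inside the `%w(originals storage)` loop skips the resource whenever the path exists, so owner, group or mode drift on an existing data directory is never corrected; `directory` is already idempotent, so the guard should be dropped. `shell '/usr/bin/bash'` gives the service account an interactive login shell; unless the photoprism user is meant to be used interactively, `shell '/usr/sbin/nologin'` is the least-privilege choice. The literal `998` for both uid and gid is repeated as `user '998:998'` in docker.rb, so a shared attribute would keep the two from drifting apart.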
@@ -0,0 +1,39 @@
+#
+# Cookbook:: esh_photoprism
+# Recipe:: undocker
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+url = node['esh']['photoprism']['docker']['url']
+image = node['esh']['photoprism']['docker']['image']
+tag = node['esh']['photoprism']['docker']['tag']
+network = node['esh']['photoprism']['docker']['network']
+service = node['esh']['photoprism']['docker']['service']
+env = node['esh']['photoprism']['docker']['env']
+
+esh_undocker_download url do
+ image image
+ tag tag
+end
+
+esh_undocker_extract image do
+ tag tag
+ network network
+ env env
+end
+
+esh_undocker_service image do
+ content service
+end
diff --git a/esh_photoprism/templates/default/docker-compose.yml.erb b/esh_photoprism/templates/default/docker-compose.yml.erb
new file mode 100644
index 0000000..ed71685
--- /dev/null
+++ b/esh_photoprism/templates/default/docker-compose.yml.erb
@@ -0,0 +1,105 @@ +# Example Docker Compose config file for PhotoPrism (Linux / AMD64) +# +# Note: +# - Running PhotoPrism on a server with less than 4 GB of swap space or setting a memory/swap limit can cause unexpected +# restarts ("crashes"), for example, when the indexer temporarily needs more memory to process large files. +# - If you install PhotoPrism on a public server outside your home network, please always run it behind a secure +# HTTPS reverse proxy such as Traefik or Caddy. Your files and passwords will otherwise be transmitted +# in clear text and can be intercepted by anyone, including your provider, hackers, and governments: +# https://docs.photoprism.app/getting-started/proxies/traefik/ +# +# Setup Guides: +# - https://docs.photoprism.app/getting-started/docker-compose/ +# - https://docs.photoprism.app/getting-started/raspberry-pi/ +# - https://www.photoprism.app/kb/activation +# +# Troubleshooting Checklists: +# - https://docs.photoprism.app/getting-started/troubleshooting/ +# - https://docs.photoprism.app/getting-started/troubleshooting/docker/ +# - https://docs.photoprism.app/getting-started/troubleshooting/mariadb/ +# +# CLI Commands: +# - https://docs.photoprism.app/getting-started/docker-compose/#command-line-interface +# +# All commands may have to be prefixed with "sudo" when not running as root. +# This will point the home directory shortcut ~ to /root in volume mounts. + +services: + photoprism: + ## Use photoprism/photoprism:preview for testing preview builds: + image: photoprism/photoprism:latest + ## Don't enable automatic restarts until PhotoPrism has been properly configured and tested! 
+ ## If the service gets stuck in a restart loop, this points to a memory, filesystem, network, or database issue: + ## https://docs.photoprism.app/getting-started/troubleshooting/#fatal-server-errors + # restart: unless-stopped + stop_grace_period: 10s + depends_on: + - mariadb + security_opt: + - seccomp:unconfined + - apparmor:unconfined + ## Server port mapping in the format "Host:Container". To use a different port, change the host port on + ## the left-hand side and keep the container port, e.g. "80:2342" (for HTTP) or "443:2342 (for HTTPS): + ports: + - "2342:2342" # HTTP port (host:container) + environment: + <% @environment.each do |env| %> + <%= env %> + <% end %> + ## Start as non-root user before initialization (supported: 0, 33, 50-99, 500-600, and 900-1200): + user: "998:998" + ## Share hardware devices with FFmpeg and TensorFlow (optional): + # devices: + # - "/dev/dri:/dev/dri" # Intel QSV + # - "/dev/nvidia0:/dev/nvidia0" # Nvidia CUDA + # - "/dev/nvidiactl:/dev/nvidiactl" + # - "/dev/nvidia-modeset:/dev/nvidia-modeset" + # - "/dev/nvidia-nvswitchctl:/dev/nvidia-nvswitchctl" + # - "/dev/nvidia-uvm:/dev/nvidia-uvm" + # - "/dev/nvidia-uvm-tools:/dev/nvidia-uvm-tools" + # - "/dev/video11:/dev/video11" # Video4Linux Video Encode Device (h264_v4l2m2m) + working_dir: "/photoprism" # do not change or remove + ## Storage Folders: "~" is a shortcut for your home directory, "." 
for the current directory + volumes: + <% @volumes.each do |volume| %> + - "<%= volume %>" + <% end %> + + ## MariaDB Database Server (recommended) + ## see https://docs.photoprism.app/getting-started/faq/#should-i-use-sqlite-mariadb-or-mysql + mariadb: + image: mariadb:11 + ## If MariaDB gets stuck in a restart loop, this points to a memory or filesystem issue: + ## https://docs.photoprism.app/getting-started/troubleshooting/#fatal-server-errors + restart: unless-stopped + stop_grace_period: 5s + security_opt: # see https://github.com/MariaDB/mariadb-docker/issues/434#issuecomment-1136151239 + - seccomp:unconfined + - apparmor:unconfined + command: --innodb-buffer-pool-size=512M --transaction-isolation=READ-COMMITTED --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci --max-connections=512 --innodb-rollback-on-timeout=OFF --innodb-lock-wait-timeout=120 + ## Never store database files on an unreliable device such as a USB flash drive, an SD card, or a shared network folder: + volumes: + <% @mariadb_volumes.each do |volume| %> + - "<%= volume %>" + <% end %> + environment: + MARIADB_AUTO_UPGRADE: "1" + MARIADB_INITDB_SKIP_TZINFO: "1" + MARIADB_DATABASE: "photoprism" + MARIADB_USER: "photoprism" + MARIADB_PASSWORD: "<%= @mariadb_password %>" + MARIADB_ROOT_PASSWORD: "<%= @mariadb_root_password %>" + + ## Watchtower upgrades services automatically (optional) + ## see https://docs.photoprism.app/getting-started/updates/#watchtower + ## activate via "COMPOSE_PROFILES=update docker compose up -d" + watchtower: + restart: unless-stopped + image: containrrr/watchtower + profiles: ["update"] + environment: + WATCHTOWER_CLEANUP: "true" + WATCHTOWER_POLL_INTERVAL: 7200 # checks for updates every two hours + volumes: + - "/var/run/docker.sock:/var/run/docker.sock" + - "~/.docker/config.json:/config.json" # optional, for authentication if you have a Docker Hub account 
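Review bot: `MARIADB_PASSWORD: "<%= @mariadb_password %>"` and the `MARIADB_ROOT_PASSWORD` line below it interpolate the secrets into a double-quoted YAML scalar without any escaping, so a password containing `"` or `\` yields an invalid or silently truncated compose file; `MARIADB_PASSWORD: <%= @mariadb_password.to_json %>` (a JSON string is a valid YAML double-quoted scalar) avoids that, and the same consideration applies to the `@environment` entries, which are emitted verbatim. `image: photoprism/photoprism:latest` combined with the unguarded `docker compose pull` in compose.rb means any converge can pull a new major version; taking the tag from an attribute, as the docker recipe already does, keeps upgrades deliberate. The enclosing `photoprism:` service starts in the previous physical line of this hunk.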
diff --git a/esh_photoprism/test/integration/default/default_test.rb b/esh_photoprism/test/integration/default/default_test.rb new file mode 100644 index 0000000..4a7cb69 --- /dev/null +++ b/esh_photoprism/test/integration/default/default_test.rb @@ -0,0 +1,16 @@ +# Chef InSpec test for recipe esh_photoprism::default + +# The Chef InSpec reference, with examples and extensive documentation, can be +# found at https://docs.chef.io/inspec/resources/ + +unless os.windows? + # This is an example test, replace with your own test. + describe user('root'), :skip do + it { should exist } + end +end + +# This is an example test, replace it with your own test. +describe port(80), :skip do + it { should_not be_listening } +end diff --git a/esh_photoprism/upstream/docker-compose.yml b/esh_photoprism/upstream/docker-compose.yml new file mode 100644 index 0000000..6f78f52 --- /dev/null +++ b/esh_photoprism/upstream/docker-compose.yml 
@@ -0,0 +1,146 @@ +version: '3.5' + +# Example Docker Compose config file for PhotoPrism (Linux / AMD64) +# +# Note: +# - Running PhotoPrism on a server with less than 4 GB of swap space or setting a memory/swap limit can cause unexpected +# restarts ("crashes"), for example, when the indexer temporarily needs more memory to process large files. +# - If you install PhotoPrism on a public server outside your home network, please always run it behind a secure +# HTTPS reverse proxy such as Traefik or Caddy. Your files and passwords will otherwise be transmitted +# in clear text and can be intercepted by anyone, including your provider, hackers, and governments: +# https://docs.photoprism.app/getting-started/proxies/traefik/ +# +# Documentation : https://docs.photoprism.app/getting-started/docker-compose/ +# Docker Hub URL: https://hub.docker.com/r/photoprism/photoprism/ +# +# DOCKER COMPOSE COMMAND REFERENCE +# see https://docs.photoprism.app/getting-started/docker-compose/#command-line-interface +# -------------------------------------------------------------------------- +# Start | docker-compose up -d +# Stop | docker-compose stop +# Update | docker-compose pull +# Logs | docker-compose logs --tail=25 -f +# Terminal | docker-compose exec photoprism bash +# Help | docker-compose exec photoprism photoprism help +# Config | docker-compose exec photoprism photoprism config +# Reset | docker-compose exec photoprism photoprism reset +# Backup | docker-compose exec photoprism photoprism backup -a -i +# Restore | docker-compose exec photoprism photoprism restore -a -i +# Index | docker-compose exec photoprism photoprism index +# Reindex | docker-compose exec photoprism photoprism index -f +# Import | docker-compose exec photoprism photoprism import +# +# To search originals for faces without a complete rescan: +# docker-compose exec photoprism photoprism faces index +# +# All commands may have to be prefixed with "sudo" when not running as root. 
+# This will point the home directory shortcut ~ to /root in volume mounts. + +services: + photoprism: + ## Use photoprism/photoprism:preview for testing preview builds: + image: photoprism/photoprism:latest + depends_on: + - mariadb + ## Don't enable automatic restarts until PhotoPrism has been properly configured and tested! + ## If the service gets stuck in a restart loop, this points to a memory, filesystem, network, or database issue: + ## https://docs.photoprism.app/getting-started/troubleshooting/#fatal-server-errors + # restart: unless-stopped + security_opt: + - seccomp:unconfined + - apparmor:unconfined + ports: + - "2342:2342" # HTTP port (host:container) + environment: + PHOTOPRISM_ADMIN_PASSWORD: "insecure" # INITIAL PASSWORD FOR "admin" USER, MINIMUM 8 CHARACTERS + PHOTOPRISM_AUTH_MODE: "password" # authentication mode (public, password) + PHOTOPRISM_SITE_URL: "http://localhost:2342/" # public server URL incl http:// or https:// and /path, :port is optional + PHOTOPRISM_ORIGINALS_LIMIT: 5000 # file size limit for originals in MB (increase for high-res video) + PHOTOPRISM_HTTP_COMPRESSION: "gzip" # improves transfer speed and bandwidth utilization (none or gzip) + PHOTOPRISM_LOG_LEVEL: "info" # log level: trace, debug, info, warning, error, fatal, or panic + PHOTOPRISM_READONLY: "false" # do not modify originals directory (reduced functionality) + PHOTOPRISM_EXPERIMENTAL: "false" # enables experimental features + PHOTOPRISM_DISABLE_CHOWN: "false" # disables updating storage permissions via chmod and chown on startup + PHOTOPRISM_DISABLE_WEBDAV: "false" # disables built-in WebDAV server + PHOTOPRISM_DISABLE_SETTINGS: "false" # disables settings UI and API + PHOTOPRISM_DISABLE_TENSORFLOW: "false" # disables all features depending on TensorFlow + PHOTOPRISM_DISABLE_FACES: "false" # disables face detection and recognition (requires TensorFlow) + PHOTOPRISM_DISABLE_CLASSIFICATION: "false" # disables image classification (requires TensorFlow) + 
PHOTOPRISM_DISABLE_RAW: "false" # disables indexing and conversion of RAW files + PHOTOPRISM_RAW_PRESETS: "false" # enables applying user presets when converting RAW files (reduces performance) + PHOTOPRISM_JPEG_QUALITY: 85 # a higher value increases the quality and file size of JPEG images and thumbnails (25-100) + PHOTOPRISM_DETECT_NSFW: "false" # automatically flags photos as private that MAY be offensive (requires TensorFlow) + PHOTOPRISM_UPLOAD_NSFW: "true" # allows uploads that MAY be offensive (no effect without TensorFlow) + # PHOTOPRISM_DATABASE_DRIVER: "sqlite" # SQLite is an embedded database that doesn't require a server + PHOTOPRISM_DATABASE_DRIVER: "mysql" # use MariaDB 10.5+ or MySQL 8+ instead of SQLite for improved performance + PHOTOPRISM_DATABASE_SERVER: "mariadb:3306" # MariaDB or MySQL database server (hostname:port) + PHOTOPRISM_DATABASE_NAME: "photoprism" # MariaDB or MySQL database schema name + PHOTOPRISM_DATABASE_USER: "photoprism" # MariaDB or MySQL database user name + PHOTOPRISM_DATABASE_PASSWORD: "insecure" # MariaDB or MySQL database user password + PHOTOPRISM_SITE_CAPTION: "AI-Powered Photos App" + PHOTOPRISM_SITE_DESCRIPTION: "" # meta site description + PHOTOPRISM_SITE_AUTHOR: "" # meta site author + ## Run/install on first startup (options: update gpu tensorflow davfs clitools clean): + # PHOTOPRISM_INIT: "gpu tensorflow" + ## Hardware Video Transcoding (for sponsors only due to high maintenance and support costs): + # PHOTOPRISM_FFMPEG_ENCODER: "software" # FFmpeg encoder ("software", "intel", "nvidia", "apple", "raspberry") + # PHOTOPRISM_FFMPEG_BITRATE: "32" # FFmpeg encoding bitrate limit in Mbit/s (default: 50) + ## Run as a non-root user after initialization (supported: 0, 33, 50-99, 500-600, and 900-1200): + # PHOTOPRISM_UID: 1000 + # PHOTOPRISM_GID: 1000 + # PHOTOPRISM_UMASK: 0000 + ## Start as non-root user before initialization (supported: 0, 33, 50-99, 500-600, and 900-1200): + # user: "1000:1000" + ## Share hardware 
devices with FFmpeg and TensorFlow (optional): + # devices: + # - "/dev/dri:/dev/dri" # Intel QSV + # - "/dev/nvidia0:/dev/nvidia0" # Nvidia CUDA + # - "/dev/nvidiactl:/dev/nvidiactl" + # - "/dev/nvidia-modeset:/dev/nvidia-modeset" + # - "/dev/nvidia-nvswitchctl:/dev/nvidia-nvswitchctl" + # - "/dev/nvidia-uvm:/dev/nvidia-uvm" + # - "/dev/nvidia-uvm-tools:/dev/nvidia-uvm-tools" + # - "/dev/video11:/dev/video11" # Video4Linux Video Encode Device (h264_v4l2m2m) + working_dir: "/photoprism" # do not change or remove + ## Storage Folders: "~" is a shortcut for your home directory, "." for the current directory + volumes: + # "/host/folder:/photoprism/folder" # Example + - "~/Pictures:/photoprism/originals" # Original media files (DO NOT REMOVE) + # - "/example/family:/photoprism/originals/family" # *Additional* media folders can be mounted like this + # - "~/Import:/photoprism/import" # *Optional* base folder from which files can be imported to originals + - "./storage:/photoprism/storage" # *Writable* storage folder for cache, database, and sidecar files (DO NOT REMOVE) + + ## Database Server (recommended) + ## see https://docs.photoprism.app/getting-started/faq/#should-i-use-sqlite-mariadb-or-mysql + mariadb: + ## If MariaDB gets stuck in a restart loop, this points to a memory or filesystem issue: + ## https://docs.photoprism.app/getting-started/troubleshooting/#fatal-server-errors + restart: unless-stopped + image: mariadb:10.8 + security_opt: # see https://github.com/MariaDB/mariadb-docker/issues/434#issuecomment-1136151239 + - seccomp:unconfined + - apparmor:unconfined + command: mysqld --innodb-buffer-pool-size=512M --transaction-isolation=READ-COMMITTED --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci --max-connections=512 --innodb-rollback-on-timeout=OFF --innodb-lock-wait-timeout=120 + ## Never store database files on an unreliable device such as a USB flash drive, an SD card, or a shared network folder: + volumes: + - 
"./database:/var/lib/mysql" # DO NOT REMOVE + environment: + MARIADB_AUTO_UPGRADE: "1" + MARIADB_INITDB_SKIP_TZINFO: "1" + MARIADB_DATABASE: "photoprism" + MARIADB_USER: "photoprism" + MARIADB_PASSWORD: "insecure" + MARIADB_ROOT_PASSWORD: "insecure" + + ## Watchtower upgrades services automatically (optional) + ## see https://docs.photoprism.app/getting-started/updates/#watchtower + # + # watchtower: + # restart: unless-stopped + # image: containrrr/watchtower + # environment: + # WATCHTOWER_CLEANUP: "true" + # WATCHTOWER_POLL_INTERVAL: 7200 # checks for updates every two hours + # volumes: + # - "/var/run/docker.sock:/var/run/docker.sock" + # - "~/.docker/config.json:/config.json" # optional, for authentication if you have a Docker Hub account diff --git a/esh_piped/.gitignore b/esh_piped/.gitignore new file mode 100644 index 0000000..f1e57b8 --- /dev/null +++ b/esh_piped/.gitignore @@ -0,0 +1,25 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +kitchen.local.yml + +# Chef Infra +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json + +.idea/ + diff --git a/esh_piped/.gitmodules b/esh_piped/.gitmodules new file mode 100644 index 0000000..13ba6f9 --- /dev/null +++ b/esh_piped/.gitmodules @@ -0,0 +1,3 @@ +[submodule "upstream"] + path = upstream + url = https://github.com/TeamPiped/Piped-Docker.git diff --git a/esh_piped/CHANGELOG.md b/esh_piped/CHANGELOG.md new file mode 100644 index 0000000..6981e2f --- /dev/null +++ b/esh_piped/CHANGELOG.md @@ -0,0 +1,10 @@ +# esh_archivebox CHANGELOG + +This file is used to list changes made in each version of the esh_archivebox cookbook. + +## 0.1.0 + +Initial release. + +- change 0 +- change 1 diff --git a/esh_piped/LICENSE b/esh_piped/LICENSE new file mode 100644 index 0000000..11069ed --- /dev/null +++ b/esh_piped/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/esh_piped/Policyfile.rb b/esh_piped/Policyfile.rb new file mode 100644 index 0000000..ba9a501 --- /dev/null +++ b/esh_piped/Policyfile.rb @@ -0,0 +1,16 @@ +# Policyfile.rb - Describe how you want Chef Infra Client to build your system. +# +# For more information on the Policyfile feature, visit +# https://docs.chef.io/policyfile/ + +# A name that describes what the system you're building with Chef does. +name 'esh_archivebox' + +# Where to find external cookbooks: +default_source :supermarket + +# run_list: chef-client will run these recipes in the order specified. +run_list 'esh_archivebox::default' + +# Specify a custom source for a single cookbook: +cookbook 'esh_archivebox', path: '.' diff --git a/esh_piped/README.md b/esh_piped/README.md new file mode 100644 index 0000000..5c58de2 --- /dev/null 
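Review bot: The `name 'esh_archivebox'`, `run_list 'esh_archivebox::default'` and `cookbook 'esh_archivebox', path: '.'` lines in Policyfile.rb name a different cookbook than the `name 'esh_piped'` declared in metadata.rb, so `chef install` on this Policyfile would look for an esh_archivebox cookbook that `path: '.'` does not provide. The three lines should read `name 'esh_piped'`, `run_list 'esh_piped::default'` and `cookbook 'esh_piped', path: '.'`. None of the esh_piped recipes added in this commit is named default, so the run_list entry also needs checking against whichever recipe is meant as the entry point. The same copy-paste remnant is in the titles of README.md and CHANGELOG.md.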
+++ b/esh_piped/README.md @@ -0,0 +1,5 @@ +# esh_archivebox + +- [Upstream](https://github.com/TeamPiped/Piped-Docker) + +Cookbook is made for commit `113e0da`. diff --git a/esh_piped/chefignore b/esh_piped/chefignore new file mode 100644 index 0000000..cc170ea --- /dev/null +++ b/esh_piped/chefignore @@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen.yml* +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/esh_piped/compliance/README.md b/esh_piped/compliance/README.md new file mode 100644 index 0000000..947be3e --- /dev/null +++ b/esh_piped/compliance/README.md 
@@ -0,0 +1,25 @@
+# compliance
+
+This directory contains Chef InSpec profile, waiver and input objects which are used with the Chef Infra Compliance Phase.
+
+Detailed information on the Chef Infra Compliance Phase can be found in the [Chef Documentation](https://docs.chef.io/chef_compliance_phase/).
+
+```plain
+./compliance
+├── inputs
+├── profiles
+└── waivers
+```
+
+Use the `chef generate` command from Chef Workstation to create content for these directories:
+
+```sh
+# Generate a Chef InSpec profile
+chef generate profile PROFILE_NAME
+
+# Generate a Chef InSpec waiver file
+chef generate waiver WAIVER_NAME
+
+# Generate a Chef InSpec input file
+chef generate input INPUT_NAME
+```
diff --git a/esh_piped/files/default/nginx.conf b/esh_piped/files/default/nginx.conf
new file mode 100644
index 0000000..da404aa
--- /dev/null
+++ b/esh_piped/files/default/nginx.conf
@@ -0,0 +1,33 @@
+user root;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+pid /var/run/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ server_names_hash_bucket_size 128;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ tcp_nodelay on;
+
+ keepalive_timeout 65;
+
+ resolver 127.0.0.11 ipv6=off valid=10s;
+
+ include /etc/nginx/conf.d/*.conf;
+}
\ No newline at end of file
diff --git a/esh_piped/files/default/ytproxy.conf b/esh_piped/files/default/ytproxy.conf
new file mode 100644
index 0000000..4fd36f1
--- /dev/null
+++ b/esh_piped/files/default/ytproxy.conf
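Review bot: `user root;` on the first line of nginx.conf makes every nginx worker run as root, and recipes/nginx.rb in this commit installs this same file as /etc/nginx/nginx.conf on the host, where the Ubuntu package default is `user www-data;`; a worker-process compromise then yields root instead of an unprivileged account. If root is what the upstream Piped-Docker nginx container expects for the /opt/piped/config copy, the host copy still needs its own file with `user www-data;`. The `resolver 127.0.0.11 ipv6=off valid=10s;` line is likewise Docker's embedded DNS address and will not answer on the host, so a host-specific nginx.conf also needs a real resolver.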
@@ -0,0 +1,18 @@
+proxy_buffering on;
+proxy_buffers 1024 16k;
+proxy_set_header X-Forwarded-For "";
+proxy_set_header CF-Connecting-IP "";
+proxy_hide_header "alt-svc";
+sendfile on;
+sendfile_max_chunk 512k;
+tcp_nopush on;
+aio threads=default;
+aio_write on;
+directio 16m;
+proxy_hide_header Cache-Control;
+proxy_hide_header etag;
+proxy_http_version 1.1;
+proxy_set_header Connection keep-alive;
+proxy_max_temp_file_size 32m;
+access_log off;
+proxy_pass http://unix:/var/run/ytproxy/actix.sock;
diff --git a/esh_piped/kitchen.yml b/esh_piped/kitchen.yml
new file mode 100644
index 0000000..cef0219
--- /dev/null
+++ b/esh_piped/kitchen.yml
@@ -0,0 +1,31 @@
+---
+driver:
+ name: vagrant
+
+## The forwarded_port port feature lets you connect to ports on the VM guest
+## via localhost on the host.
+## see also: https://www.vagrantup.com/docs/networking/forwarded_ports
+
+# network:
+# - ["forwarded_port", {guest: 80, host: 8080}]
+
+provisioner:
+ name: chef_zero
+
+ ## product_name and product_version specifies a specific Chef product and version to install.
+ ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/
+ # product_name: chef
+ # product_version: 17
+
+verifier:
+ name: inspec
+
+platforms:
+ - name: ubuntu-20.04
+ - name: centos-8
+
+suites:
+ - name: default
+ verifier:
+ inspec_tests:
+ - test/integration/default
diff --git a/esh_piped/metadata.rb b/esh_piped/metadata.rb
new file mode 100644
index 0000000..85f99bf
--- /dev/null
+++ b/esh_piped/metadata.rb
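Review bot: `proxy_pass http://unix:/var/run/ytproxy/actix.sock;` on the last line of ytproxy.conf still routes to the ytproxy socket, while recipes/cleaning.rb in this same commit stops the ytproxy machine and deletes /var/lib/machines/ytproxy because upstream moved to piped-proxy. If any server block still includes this snippet it proxies to a socket nothing listens on; either drop the snippet together with its `cookbook_file` resources in compose.rb and nginx.rb, or point it at the piped-proxy endpoint. The pipedproxy.conf template that presumably replaces it is not in this diff, so I cannot tell which is intended.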
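Review bot: The `platforms:` list in kitchen.yml names `ubuntu-20.04` and `centos-8`, while metadata.rb in this commit declares `supports 'ubuntu', '= 22.04'`, so the Test Kitchen suite never exercises the one platform the cookbook claims to support, and centos-8 is neither supported here nor still maintained. Replacing the two entries with `- name: ubuntu-22.04` keeps the test matrix honest.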
@@ -0,0 +1,20 @@
+name 'esh_piped'
+maintainer 'https://easyself.host'
+maintainer_email 'esh@benpro.fr'
+license 'Apache-2.0'
+description 'Installs/Configures esh_piped'
+version '0.1.0'
+chef_version '>= 16.0'
+supports 'ubuntu', '= 22.04'
+
+# The `issues_url` points to the location where issues for this cookbook are
+# tracked. A `View Issues` link will be displayed on this cookbook's page when
+# uploaded to a Supermarket.
+#
+# issues_url 'https://github.com//esh_archivebox/issues'
+
+# The `source_url` points to the development repository for this cookbook. A
+# `View Source` link will be displayed on this cookbook's page when uploaded to
+# a Supermarket.
+#
+# source_url 'https://github.com//esh_archivebox'
diff --git a/esh_piped/recipes/cleaning.rb b/esh_piped/recipes/cleaning.rb
new file mode 100644
index 0000000..f8f63f5
--- /dev/null
+++ b/esh_piped/recipes/cleaning.rb
@@ -0,0 +1,31 @@
+#
+# Cookbook:: esh_archivebox
+# Recipe:: cleaning
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Starting upstream a77f887 they switched from ytproxy to piped-proxy
+# So we need to clean ytproxy container
+
+execute 'Stop ytproxy container' do
+ command 'machinectl stop ytproxy'
+ action :run
+ only_if 'machinectl status ytproxy 2>/dev/null'
+end
+
+directory '/var/lib/machines/ytproxy' do
+ recursive true
+ action :delete
+end
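Review bot: The header of recipes/cleaning.rb says `# Cookbook:: esh_archivebox` although the file lives in esh_piped; it should read `# Cookbook:: esh_piped`, and the same stale name is in the header of recipes/undocker.rb and in the commented `issues_url`/`source_url` lines of metadata.rb. The recipe body stops the machine and removes /var/lib/machines/ytproxy, but if `esh_undocker_service` created a systemd unit for ytproxy on earlier runs (the undocker recipe suggests it does so for each image), that unit is left enabled; a comment stating that this is intentional, or a matching `systemd_unit` resource with `action [:disable, :delete]` for whatever unit name that resource uses, would close the loop.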
diff --git a/esh_piped/recipes/compose.rb b/esh_piped/recipes/compose.rb
new file mode 100644
index 0000000..44cc3bc
--- /dev/null
+++ b/esh_piped/recipes/compose.rb
@@ -0,0 +1,129 @@
+#
+# Cookbook:: esh_piped
+# Recipe:: compose
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+directory '/opt/piped' do
+ owner 'root'
+ group 'root'
+ mode '0755'
+ action :create
+end
+
+directory '/opt/piped/config' do
+ owner 'root'
+ group 'root'
+ mode '0755'
+ action :create
+end
+
+template '/opt/piped/config/config.properties' do
+ owner 'root'
+ group 'root'
+ mode '0400'
+ variables proxy_hostname: node['esh']['piped']['config']['proxy_hostname'],
+ captcha_api_key: node['esh']['piped']['config']['captcha_api_key'],
+ backend_hostname: node['esh']['piped']['config']['backend_hostname'],
+ frontend_hostname: node['esh']['piped']['config']['frontend_hostname'],
+ postgresql_password: node['esh']['piped']['config']['postgresql_password']
+ action :create
+end
+
+cookbook_file '/opt/piped/config/nginx.conf' do
+ owner 'root'
+ group 'root'
+ mode '0444'
+ action :create
+end
+
+template '/opt/piped/config/pipedapi.conf' do
+ owner 'root'
+ group 'root'
+ mode '0444'
+ variables backend_hostname: node['esh']['piped']['config']['backend_hostname']
+ action :create
+end
+
+template '/opt/piped/config/pipedproxy.conf' do
+ owner 'root'
+ group 'root'
+ mode '0444'
+ variables proxy_hostname: node['esh']['piped']['config']['proxy_hostname']
+ action :create
+end
+
+template '/opt/piped/config/pipedfrontend.conf' do
+ owner 'root'
+ group 'root'
+ mode '0444'
+ variables frontend_hostname: node['esh']['piped']['config']['frontend_hostname']
+ action :create
+end
+
+cookbook_file '/opt/piped/config/ytproxy.conf' do
+ owner 'root'
+ group 'root'
+ mode '0444'
+ action :create
+end
+
+template '/opt/piped/docker-compose.yml' do
+ owner 'root'
+ group 'root'
+ mode '0400'
+ variables backend_hostname: node['esh']['piped']['config']['backend_hostname'],
+ postgresql_password: node['esh']['piped']['config']['postgresql_password']
+ action :create
+end
+
+execute 'docker compose pull' do
+ command 'docker compose pull --quiet'
+ cwd '/opt/piped'
+ live_stream true
+ action :run
+end
+
+systemd_unit 'piped.service' do
+ content <<~EOU
+ [Unit]
+ Description=piped via docker compose
+ Requires=docker.service
+ After=docker.service
+
+ [Service]
+ Type=oneshot
+ RemainAfterExit=true
+ WorkingDirectory=/opt/piped
+ ExecStart=/usr/bin/docker compose up -d
+ ExecStop=/usr/bin/docker compose down
+
+ [Install]
+ WantedBy=multi-user.target
+ EOU
+ action [:create, :enable]
+ subscribes :restart, 'template[/opt/piped/config/config.properties]', :delayed
+ subscribes :restart, 'file[/opt/piped/config/nginx.conf]', :delayed
+ subscribes :restart, 'template[/opt/piped/config/pipedapi.conf]', :delayed
+ subscribes :restart, 'template[/opt/piped/config/pipedproxy.conf]', :delayed
+ subscribes :restart, 'template[/opt/piped/config/pipedfrontend.conf]', :delayed
+ subscribes :restart, 'file[/opt/piped/config/ytproxy.conf]', :delayed
+ subscribes :restart, 'template[/opt/piped/docker-compose.yml]', :delayed
+end
+
+service 'piped' do
+ action :nothing
+ subscribes :start, 'execute[docker compose pull]', :delayed
+end
diff --git a/esh_piped/recipes/nginx.rb b/esh_piped/recipes/nginx.rb
new file mode 100644
index 0000000..261d8d0
--- /dev/null
+++ b/esh_piped/recipes/nginx.rb
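Review bot: `subscribes :restart, 'file[/opt/piped/config/nginx.conf]', :delayed` and the matching ytproxy.conf line in the `systemd_unit 'piped.service'` resource reference resources that are declared as `cookbook_file`, and Chef resolves notification strings by declared resource type, so these two subscriptions fail with a resource-not-found error when the run resolves them. They should read `subscribes :restart, 'cookbook_file[/opt/piped/config/nginx.conf]', :delayed` and `subscribes :restart, 'cookbook_file[/opt/piped/config/ytproxy.conf]', :delayed`. recipes/nginx.rb has the same problem on all five `subscribes` lines of its `service 'nginx'` resource, which name `file[...]` for resources declared as `cookbook_file` and `template`. Separately, `execute 'docker compose pull'` runs on every converge, so `service 'piped'` receives a delayed `:start` each run; that is harmless for a unit that is already running, but a short comment would make the intent clear.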
@@ -0,0 +1,66 @@
+#
+# Cookbook:: esh_piped
+# Recipe:: nginx
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apt_package 'nginx-full'
+
+cookbook_file '/etc/nginx/nginx.conf' do
+ owner 'root'
+ group 'root'
+ mode '0644'
+ action :create
+end
+
+template '/etc/nginx/conf.d/pipedapi.conf' do
+ owner 'root'
+ group 'root'
+ mode '0644'
+ variables backend_hostname: "#{node['esh']['piped']['config']['backend_hostname']}.#{node['esh']['piped']['config']['domain']}"
+ action :create
+end
+
+template '/etc/nginx/conf.d/pipedproxy.conf' do
+ owner 'root'
+ group 'root'
+ mode '0644'
+ variables proxy_hostname: "#{node['esh']['piped']['config']['proxy_hostname']}.#{node['esh']['piped']['config']['domain']}"
+ action :create
+end
+
+template '/etc/nginx/conf.d/pipedfrontend.conf' do
+ owner 'root'
+ group 'root'
+ mode '0644'
+ variables frontend_hostname: "#{node['esh']['piped']['config']['frontend_hostname']}.#{node['esh']['piped']['config']['domain']}"
+ action :create
+end
+
+cookbook_file '/etc/nginx/snippets/ytproxy.conf' do
+ owner 'root'
+ group 'root'
+ mode '0644'
+ action :create
+end
+
+service 'nginx' do
+ action :nothing
+ subscribes :restart, 'file[/etc/nginx/nginx.conf]', :immediately
+ subscribes :restart, 'file[/etc/nginx/conf.d/pipedapi.conf]', :immediately
+ subscribes :restart, 'file[/etc/nginx/conf.d/pipedproxy.conf]', :immediately
+ subscribes :restart, 'file[/etc/nginx/conf.d/pipedfrontend.conf]', :immediately
+ subscribes :restart, 'file[/etc/nginx/snippets/ytproxy.conf]', :immediately
+end
diff --git a/esh_piped/recipes/postgresql.rb b/esh_piped/recipes/postgresql.rb
new file mode 100644
index 0000000..9ea14e1
--- /dev/null
+++ b/esh_piped/recipes/postgresql.rb
@@ -0,0 +1,55 @@
+#
+# Cookbook:: esh_piped
+# Recipe:: postgresql
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+postgresql_install 'install posgresql' do
+ version '13'
+ repo_pgdg false
+ action :install_server
+end
+
+service 'postgresql@13-main' do
+ action :nothing
+end
+
+additional_config = {
+ 'listen_addresses': "localhost,#{node['ipaddress']}",
+}
+
+postgresql_config 'update postgresql listen_addresses' do
+ version '13'
+ server_config additional_config
+ notifies :restart, 'service[postgresql@13-main]'
+end
+
+postgresql_user 'piped' do
+ password node['esh']['piped']['postgresql']['password']
+ createdb true
+end
+
+postgresql_database 'piped' do
+ owner 'piped'
+end
+
+postgresql_access 'piped_access' do
+# type 'host'
+ database 'piped'
+# user 'piped'
+ address '10.10.10.0/24'
+ auth_method 'md5'
+ notifies :reload, 'service[postgresql@13-main]', :immediately
+end
diff --git a/esh_piped/recipes/service.rb b/esh_piped/recipes/service.rb
new file mode 100644
index 0000000..3df7f66
--- /dev/null
+++ b/esh_piped/recipes/service.rb
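Review bot: `service 'nginx'` in recipes/nginx.rb has `action :nothing`, so enabling and starting nginx is left to the Debian package postinst, and each of the five `:immediately` restarts fires separately, so a run that changes several files restarts nginx up to five times and drops in-flight connections each time. `action [:enable, :start]` states the intent explicitly, and `:reload` with `:delayed` for the four conf.d/snippet files collapses those into one graceful reload per run (the nginx.conf change can keep `:restart`, since a `user` change needs a full restart).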
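Review bot: In `postgresql_access 'piped_access'` the `# user 'piped'` line is commented out, so the rule for `address '10.10.10.0/24'` admits every role to the piped database, and the `postgresql_config` resource just above has added the node's own address to `listen_addresses`; together that exposes the database to password auth from that whole subnet under any role rather than only `piped`. Restore `user 'piped'`, and since this is PostgreSQL 13, `auth_method 'scram-sha-256'` (with the server's `password_encryption` set to match) is preferable to `md5`. `# type 'host'` is also commented out; if the resource's default type is not `host`, an entry carrying an address is not valid pg_hba syntax — confirm against the postgresql cookbook version in use. `createdb true` on `postgresql_user 'piped'` is not needed, because `postgresql_database 'piped'` creates the database with that user as owner.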
@@ -0,0 +1,26 @@
+#
+# Cookbook:: esh_piped
+# Recipe:: service
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+template '/etc/hosts' do
+ variables piped_addr: node['esh']['piped']['docker']['piped']['ip_addr'],
+ pipedfrontend_addr: node['esh']['piped']['docker']['piped-frontend']['ip_addr'],
+ pipedproxy_addr: node['esh']['piped']['docker']['piped-proxy']['ip_addr']
+ owner 'root'
+ group 'root'
+ mode '0644'
+end
diff --git a/esh_piped/recipes/system.rb b/esh_piped/recipes/system.rb
new file mode 100644
index 0000000..d82fe86
--- /dev/null
+++ b/esh_piped/recipes/system.rb
@@ -0,0 +1,36 @@
+#
+# Cookbook:: esh_piped
+# Recipe:: system
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+directory '/etc/piped/' do
+ owner 'root'
+ group 'root'
+ mode '0700'
+ action :create
+end
+
+template '/etc/piped/config.properties' do
+ owner 'root'
+ group 'root'
+ mode '0755'
+ variables proxy_hostname: "#{node['esh']['piped']['config']['proxy_hostname']}.#{node['esh']['piped']['config']['domain']}",
+ captcha_api_key: node['esh']['piped']['config']['captcha_api_key'],
+ backend_hostname: "#{node['esh']['piped']['config']['backend_hostname']}.#{node['esh']['piped']['config']['domain']}",
+ frontend_hostname: "#{node['esh']['piped']['config']['frontend_hostname']}.#{node['esh']['piped']['config']['domain']}",
+ postgresql_password: node['esh']['piped']['postgresql']['password']
+ action :create
+end
diff --git a/esh_piped/recipes/undocker.rb b/esh_piped/recipes/undocker.rb
new file mode 100644
index 0000000..eee2002
--- /dev/null
+++ b/esh_piped/recipes/undocker.rb
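Review bot: `mode '0755'` on `template '/etc/piped/config.properties'` makes a file that carries `captcha_api_key` and `postgresql_password` world-readable (and executable); only the parent directory's `mode '0700'` keeps it private today, and recipes/compose.rb writes the same template with `mode '0400'`. Use `mode '0400'` here as well, or `'0600'` if the service that reads it must also write it. If the directory mode is later relaxed so a service account can reach the file, the file mode becomes the only thing protecting those credentials.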
@@ -0,0 +1,46 @@
+#
+# Cookbook:: esh_archivebox
+# Recipe:: undocker
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+%w(piped piped-frontend piped-proxy).each do |image|
+ url = node['esh']['piped']['docker'][image]['url']
+ image = node['esh']['piped']['docker'][image]['image']
+ tag = node['esh']['piped']['docker'][image]['tag']
+ network = node['esh']['piped']['docker'][image]['network']
+ ip_addr = node['esh']['piped']['docker'][image]['ip_addr']
+ service = node['esh']['piped']['docker'][image]['service']
+ env = node['esh']['piped']['docker'][image]['env']
+
+ esh_undocker_download url do
+ image image
+ tag tag
+ end
+
+ esh_undocker_extract image do
+ tag tag
+ network network
+ env env
+ end
+
+ esh_undocker_network ip_addr do
+ image image
+ end
+
+ esh_undocker_service image do
+ content service
+ end
+end
diff --git a/esh_piped/templates/default/config.properties b/esh_piped/templates/default/config.properties
new file mode 100644
index 0000000..c2ae410
--- /dev/null
+++ b/esh_piped/templates/default/config.properties
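Review bot: Inside the `each do |image|` block, `image = node['esh']['piped']['docker'][image]['image']` overwrites the loop variable on the second line of the body, so the five lookups that follow (`tag`, `network`, `ip_addr`, `service`, `env`) index the attribute hash by the image name rather than by the key (`piped`, `piped-frontend`, `piped-proxy`) and will raise NoMethodError on nil unless the image attribute happens to equal the key. Renaming the loop variable and reading the per-image hash once removes the shadowing; the `service` local also shadows Chef's `service` resource DSL inside the block, so a name such as `unit_content` reads more safely.
```ruby
%w(piped piped-frontend piped-proxy).each do |name|
  cfg = node['esh']['piped']['docker'][name]
  url = cfg['url']
  image = cfg['image']
  tag = cfg['tag']
  network = cfg['network']
  ip_addr = cfg['ip_addr']
  unit_content = cfg['service']
  env = cfg['env']

  # … unchanged: esh_undocker_download / esh_undocker_extract / esh_undocker_network resources …

  esh_undocker_service image do
    content unit_content
  end
end
```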
@@ -0,0 +1,93 @@ +# The port to Listen on. +PORT: 8080 + +# The number of workers to use for the server +HTTP_WORKERS: 2 + +# Proxy +PROXY_PART: https://PROXY_HOSTNAME + +# Outgoing HTTP Proxy - eg: 127.0.0.1:8118 +#HTTP_PROXY: 127.0.0.1:8118 + +# Captcha Parameters +CAPTCHA_BASE_URL: https://api.capmonster.cloud/ +CAPTCHA_API_KEY: INSERT_HERE + +# Public API URL +API_URL: https://BACKEND_HOSTNAME + +# Public Frontend URL +FRONTEND_URL: https://FRONTEND_HOSTNAME + +# Enable haveibeenpwned compromised password API +COMPROMISED_PASSWORD_CHECK: true + +# Disable Registration +DISABLE_REGISTRATION: false + +# Feed Retention Time in Days +FEED_RETENTION: 30 + +# Disable CPU expensive timers (for nodes with low CPU, at least one node should have this disabled) +DISABLE_TIMERS:false + +# RYD Proxy URL (see https://github.com/TeamPiped/RYD-Proxy) +RYD_PROXY_URL:https://ryd-proxy.kavin.rocks + +# SponsorBlock Servers(s) +# Comma separated list of SponsorBlock Servers to use +SPONSORBLOCK_SERVERS:https://sponsor.ajay.app,https://sponsorblock.kavin.rocks + +# Disable the usage of RYD +DISABLE_RYD:false + +# Disable API server (node just runs timers if enabled) +DISABLE_SERVER:false + +# Disable the inclusion of LBRY streams +DISABLE_LBRY:false + +# How long should unauthenticated subscriptions last for +SUBSCRIPTIONS_EXPIRY:30 + +# Send consent accepted cookie +# This is required for certain features to work in some countries +CONSENT_COOKIE:true + +# Sentry DSN +# Use Sentry to log errors and trace performance +#SENTRY_DSN:INSERT_HERE + +# Matrix Client Server URL +MATRIX_SERVER:https://matrix-client.matrix.org +# Matrix Access Token +# If not present, will work in anon mode +#MATRIX_TOKEN:INSERT_HERE + +# Geo Restriction Checker for federated bypassing of Geo Restrictions +#GEO_RESTRICTION_CHECKER_URL:INSERT_HERE + +# S3 Configuration Data (compatible with any provider that offers an S3 compatible API) +#S3_ENDPOINT:INSERT_HERE +#S3_ACCESS_KEY:INSERT_HERE 
+#S3_SECRET_KEY:INSERT_HERE +#S3_BUCKET:INSERT_HERE + +# Hibernate properties +hibernate.connection.url:jdbc:postgresql://postgres:5432/piped +hibernate.connection.driver_class:org.postgresql.Driver +hibernate.dialect:org.hibernate.dialect.PostgreSQLDialect +hibernate.connection.username:piped +hibernate.connection.password:changeme + +# Frontend configuration +#frontend.statusPageUrl:changeme +#frontend.donationUrl:changeme + +# Hibernate properties +hibernate.connection.url: jdbc:postgresql://postgres:5432/piped +hibernate.connection.driver_class: org.postgresql.Driver +hibernate.dialect: org.hibernate.dialect.PostgreSQLDialect +hibernate.connection.username: piped +hibernate.connection.password: changeme diff --git a/esh_piped/templates/default/config.properties.erb b/esh_piped/templates/default/config.properties.erb new file mode 100644 index 0000000..160ae84 --- /dev/null +++ b/esh_piped/templates/default/config.properties.erb 
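Review bot: This plain `config.properties` under `templates/default/` appears not to be referenced by any recipe — the `system` recipe renders `config.properties.erb` — so it is a second copy that will drift, and it ships `CAPTCHA_API_KEY: INSERT_HERE` and `hibernate.connection.password:changeme` as live values. It also defines the `# Hibernate properties` block twice with different spacing, so whichever occurrence the parser keeps last silently wins. Either drop the file or keep it clearly as upstream reference defaults and remove the duplicated block.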
@@ -0,0 +1,93 @@ +# The port to Listen on. +PORT: 8080 + +# The number of workers to use for the server +HTTP_WORKERS: 2 + +# Proxy +PROXY_PART: https://<%= @proxy_hostname %> + +# Outgoing HTTP Proxy - eg: 127.0.0.1:8118 +#HTTP_PROXY: 127.0.0.1:8118 + +# Captcha Parameters +CAPTCHA_BASE_URL: https://api.capmonster.cloud/ +CAPTCHA_API_KEY: <%= @captcha_api_key %> + +# Public API URL +API_URL: https://<%= @backend_hostname %> + +# Public Frontend URL +FRONTEND_URL: https://<%= @frontend_hostname %> + +# Enable haveibeenpwned compromised password API +COMPROMISED_PASSWORD_CHECK: true + +# Disable Registration +DISABLE_REGISTRATION: false + +# Feed Retention Time in Days +FEED_RETENTION: 30 + +# Disable CPU expensive timers (for nodes with low CPU, at least one node should have this disabled) +DISABLE_TIMERS:false + +# RYD Proxy URL (see https://github.com/TeamPiped/RYD-Proxy) +RYD_PROXY_URL:https://ryd-proxy.kavin.rocks + +# SponsorBlock Servers(s) +# Comma separated list of SponsorBlock Servers to use +SPONSORBLOCK_SERVERS:https://sponsor.ajay.app,https://sponsorblock.kavin.rocks + +# Disable the usage of RYD +DISABLE_RYD:false + +# Disable API server (node just runs timers if enabled) +DISABLE_SERVER:false + +# Disable the inclusion of LBRY streams +DISABLE_LBRY:false + +# How long should unauthenticated subscriptions last for +SUBSCRIPTIONS_EXPIRY:30 + +# Send consent accepted cookie +# This is required for certain features to work in some countries +CONSENT_COOKIE:true + +# Sentry DSN +# Use Sentry to log errors and trace performance +#SENTRY_DSN:INSERT_HERE + +# Matrix Client Server URL +MATRIX_SERVER:https://matrix-client.matrix.org +# Matrix Access Token +# If not present, will work in anon mode +#MATRIX_TOKEN:INSERT_HERE + +# Geo Restriction Checker for federated bypassing of Geo Restrictions +#GEO_RESTRICTION_CHECKER_URL:INSERT_HERE + +# S3 Configuration Data (compatible with any provider that offers an S3 compatible API) +#S3_ENDPOINT:INSERT_HERE 
+#S3_ACCESS_KEY:INSERT_HERE +#S3_SECRET_KEY:INSERT_HERE +#S3_BUCKET:INSERT_HERE + +# Hibernate properties +hibernate.connection.url:jdbc:postgresql://postgres:5432/piped +hibernate.connection.driver_class:org.postgresql.Driver +hibernate.dialect:org.hibernate.dialect.PostgreSQLDialect +hibernate.connection.username:piped +hibernate.connection.password:changeme + +# Frontend configuration +#frontend.statusPageUrl:changeme +#frontend.donationUrl:changeme + +# Hibernate properties +hibernate.connection.url: jdbc:postgresql://postgres:5432/piped +hibernate.connection.driver_class: org.postgresql.Driver +hibernate.dialect: org.hibernate.dialect.PostgreSQLDialect +hibernate.connection.username: piped +hibernate.connection.password: <%= @postgresql_password %> diff --git a/esh_piped/templates/default/docker-compose.yml.erb b/esh_piped/templates/default/docker-compose.yml.erb new file mode 100644 index 0000000..f25fcfe --- /dev/null +++ b/esh_piped/templates/default/docker-compose.yml.erb 
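Review bot: The first `# Hibernate properties` block in `config.properties.erb` still contains `hibernate.connection.password:changeme`, and only the second, duplicated block carries `<%= @postgresql_password %>`; the rendered file therefore presumably relies on the parser keeping the last occurrence of each key to use the real credential. Delete the first block so a placeholder password never reaches the host and the rendered file does not depend on key ordering. The remaining `INSERT_HERE` values are commented out, which is fine if that is intentional.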
@@ -0,0 +1,66 @@
+version: "3"
+
+services:
+ pipedfrontend:
+ image: 1337kavin/piped-frontend:latest
+ restart: unless-stopped
+ depends_on:
+ - piped
+ container_name: piped-frontend
+ entrypoint: ash -c 'sed -i s/pipedapi.kavin.rocks/<%= @backend_hostname %>/g /usr/share/nginx/html/assets/* && /docker-entrypoint.sh && nginx -g "daemon off;"'
+ piped-proxy:
+ image: 1337kavin/piped-proxy:latest
+ restart: unless-stopped
+ environment:
+ - UDS=1
+ volumes:
+ - piped-proxy:/app/socket
+ container_name: piped-proxy
+ piped:
+ image: 1337kavin/piped:latest
+ restart: unless-stopped
+ volumes:
+ - ./config/config.properties:/app/config.properties:ro
+ depends_on:
+ - postgres
+ container_name: piped-backend
+ nginx:
+ image: nginx:mainline-alpine
+ restart: unless-stopped
+ ports:
+ - "8080:80"
+ volumes:
+ - ./config/nginx.conf:/etc/nginx/nginx.conf:ro
+ - ./config/pipedapi.conf:/etc/nginx/conf.d/pipedapi.conf:ro
+ - ./config/pipedproxy.conf:/etc/nginx/conf.d/pipedproxy.conf:ro
+ - ./config/pipedfrontend.conf:/etc/nginx/conf.d/pipedfrontend.conf:ro
+ - ./config/ytproxy.conf:/etc/nginx/snippets/ytproxy.conf:ro
+ - piped-proxy:/var/run/ytproxy
+ container_name: nginx
+ depends_on:
+ - piped
+ - piped-proxy
+ - pipedfrontend
+ postgres:
+ image: postgres:15
+ restart: unless-stopped
+ volumes:
+ - /var/lib/postgresql:/var/lib/postgresql/data
+ environment:
+ - POSTGRES_DB=piped
+ - POSTGRES_USER=piped
+ - POSTGRES_PASSWORD=<%= @postgresql_password %>
+ container_name: postgres
+ watchtower:
+ image: containrrr/watchtower
+ restart: always
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - /etc/timezone:/etc/timezone:ro
+ environment:
+ - WATCHTOWER_CLEANUP=true
+ - WATCHTOWER_INCLUDE_RESTARTING=true
+ container_name: watchtower
+ command: piped-frontend piped-backend piped-proxy varnish nginx postgres watchtower
+volumes:
+ piped-proxy: null
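Review bot: The `watchtower` service mounts `/var/run/docker.sock` while every Piped image is pulled as `:latest`, so any new upstream push is deployed automatically with host-root-equivalent access and no opportunity to review it; pin `1337kavin/piped*` to a digest or fixed tag and either drop watchtower or run it only on demand. Its `command:` line also lists a `varnish` container that is not defined in this file, which looks like a leftover from upstream. It is not clear from this diff that the compose template is used at all, since the `undocker` recipe provisions the same three images without Docker — if it is dead, removing it avoids a second place where `<%= @postgresql_password %>` is rendered.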
diff --git a/esh_piped/templates/default/hosts.erb b/esh_piped/templates/default/hosts.erb new file mode 100644 index 0000000..17c8f57 --- /dev/null +++ b/esh_piped/templates/default/hosts.erb @@ -0,0 +1,9 @@ +127.0.1.1 <%= node['hostname'] %> +127.0.0.1 localhost +::1 localhost ip6-localhost ip6-loopback +ff02::1 ip6-allnodes +ff02::2 ip6-allrouters + +<%= @piped_addr %> piped +<%= @pipedfrontend_addr %> pipedfrontend +<%= @pipedproxy_addr %> pipedproxy \ No newline at end of file diff --git a/esh_piped/templates/default/pipedapi.conf.erb b/esh_piped/templates/default/pipedapi.conf.erb new file mode 100644 index 0000000..c1b3e75 --- /dev/null +++ b/esh_piped/templates/default/pipedapi.conf.erb @@ -0,0 +1,15 @@ +proxy_cache_path /tmp/pipedapi_cache levels=1:2 keys_zone=pipedapi:4m max_size=2g inactive=60m use_temp_path=off; + +server { + listen 80; + server_name <%= @backend_hostname %>; + + set $backend "http://piped:8080"; + + location / { + proxy_cache pipedapi; + proxy_pass $backend; + proxy_http_version 1.1; + proxy_set_header Connection "keep-alive"; + } +} diff --git a/esh_piped/templates/default/pipedfrontend.conf.erb b/esh_piped/templates/default/pipedfrontend.conf.erb new file mode 100644 index 0000000..bd4ba3c --- /dev/null +++ b/esh_piped/templates/default/pipedfrontend.conf.erb @@ -0,0 +1,12 @@ +server { + listen 80; + server_name <%= @frontend_hostname %>; + + set $backend "http://pipedfrontend:80"; + + location / { + proxy_pass $backend; + proxy_http_version 1.1; + proxy_set_header Connection "keep-alive"; + } +} diff --git a/esh_piped/templates/default/pipedproxy.conf.erb b/esh_piped/templates/default/pipedproxy.conf.erb new file mode 100644 index 0000000..d35294d --- /dev/null +++ b/esh_piped/templates/default/pipedproxy.conf.erb 
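Review bot: `proxy_cache pipedapi` in `pipedapi.conf.erb` covers the whole `location /`, including Piped's per-user endpoints that are authenticated with an `Authorization` header, and nginx's default cache key does not include that header; unless the backend marks those responses `Cache-Control: private`, one user's response can be served from `/tmp/pipedapi_cache` to another. Add `proxy_cache_bypass $http_authorization;` and `proxy_no_cache $http_authorization;` inside the location, or restrict caching to the public routes. The `hosts.erb` and `pipedfrontend.conf.erb` hunks on this line raise nothing.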
@@ -0,0 +1,14 @@ +server { + listen 80; + server_name <%= @proxy_hostname %>; + + location ~ (/videoplayback|/api/v4/|/api/manifest/) { + include snippets/ytproxy.conf; + add_header Cache-Control private always; + } + + location / { + include snippets/ytproxy.conf; + add_header Cache-Control "public, max-age=604800"; + } +} diff --git a/esh_piped/test/integration/default/default_test.rb b/esh_piped/test/integration/default/default_test.rb new file mode 100644 index 0000000..d92695e --- /dev/null +++ b/esh_piped/test/integration/default/default_test.rb @@ -0,0 +1,16 @@ +# Chef InSpec test for recipe esh_archivebox::default + +# The Chef InSpec reference, with examples and extensive documentation, can be +# found at https://docs.chef.io/inspec/resources/ + +unless os.windows? + # This is an example test, replace with your own test. + describe user('root'), :skip do + it { should exist } + end +end + +# This is an example test, replace it with your own test. +describe port(80), :skip do + it { should_not be_listening } +end diff --git a/esh_syncthing/.delivery/project.toml b/esh_syncthing/.delivery/project.toml new file mode 100644 index 0000000..3a12ab5 --- /dev/null +++ b/esh_syncthing/.delivery/project.toml 
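Review bot: `esh_piped/test/integration/default/default_test.rb` is still the generator scaffold: its header names `esh_archivebox::default` and both examples carry `:skip`, so the suite verifies nothing after converge; the `esh_syncthing` copy of the same file has the same placeholder content. A check such as `describe file('/etc/piped/config.properties') do it { should_not be_readable.by('others') } end` would make the config file's permissions enforceable in kitchen. The `pipedproxy.conf.erb` hunk on this line raises nothing.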
@@ -0,0 +1,32 @@ +# Delivery for Local Phases Execution +# +# This file allows you to execute test phases locally on a workstation or +# in a CI pipeline. The delivery-cli will read this file and execute the +# command(s) that are configured for each phase. You can customize them +# by just modifying the phase key on this file. +# +# By default these phases are configured for Cookbook Workflow only +# + +[local_phases] +unit = "echo skipping unit phase." +lint = "chef exec cookstyle" +# foodcritic has been deprecated in favor of cookstyle so we skip the syntax +# phase now. +syntax = "echo skipping syntax phase. Use lint phase instead." +provision = "chef exec kitchen create" +deploy = "chef exec kitchen converge" +smoke = "chef exec kitchen verify" +# The functional phase is optional, you can define it by uncommenting +# the line below and running the command: `delivery local functional` +# functional = "" +cleanup = "chef exec kitchen destroy" + +# Remote project.toml file +# +# Instead of the local phases above, you may specify a remote URI location for +# the `project.toml` file. This is useful for teams that wish to centrally +# manage the behavior of the `delivery local` command across many different +# projects. +# +# remote_file = "https://url/project.toml" diff --git a/esh_syncthing/.gitignore b/esh_syncthing/.gitignore new file mode 100644 index 0000000..f1e57b8 --- /dev/null +++ b/esh_syncthing/.gitignore @@ -0,0 +1,25 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +kitchen.local.yml + +# Chef Infra +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json + +.idea/ + diff --git a/esh_syncthing/CHANGELOG.md b/esh_syncthing/CHANGELOG.md new file mode 100644 index 0000000..ff91085 --- /dev/null +++ b/esh_syncthing/CHANGELOG.md 
@@ -0,0 +1,10 @@ +# esh_syncthing CHANGELOG + +This file is used to list changes made in each version of the esh_syncthing cookbook. + +## 0.1.0 + +Initial release. + +- change 0 +- change 1 diff --git a/esh_syncthing/LICENSE b/esh_syncthing/LICENSE new file mode 100644 index 0000000..11069ed --- /dev/null +++ b/esh_syncthing/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/esh_syncthing/Policyfile.rb b/esh_syncthing/Policyfile.rb new file mode 100644 index 0000000..215314e --- /dev/null +++ b/esh_syncthing/Policyfile.rb @@ -0,0 +1,16 @@ +# Policyfile.rb - Describe how you want Chef Infra Client to build your system. +# +# For more information on the Policyfile feature, visit +# https://docs.chef.io/policyfile/ + +# A name that describes what the system you're building with Chef does. +name 'esh_syncthing' + +# Where to find external cookbooks: +default_source :supermarket + +# run_list: chef-client will run these recipes in the order specified. +run_list 'esh_syncthing::default' + +# Specify a custom source for a single cookbook: +cookbook 'esh_syncthing', path: '.' diff --git a/esh_syncthing/README.md b/esh_syncthing/README.md new file mode 100644 index 0000000..9c06418 
--- /dev/null +++ b/esh_syncthing/README.md @@ -0,0 +1,4 @@ +# esh_syncthing + +TODO: Enter the cookbook description here. + diff --git a/esh_syncthing/chefignore b/esh_syncthing/chefignore new file mode 100644 index 0000000..cc170ea --- /dev/null +++ b/esh_syncthing/chefignore @@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen.yml* +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/esh_syncthing/kitchen.yml b/esh_syncthing/kitchen.yml new file mode 100644 index 0000000..cef0219 --- /dev/null +++ b/esh_syncthing/kitchen.yml 
@@ -0,0 +1,31 @@ +--- +driver: + name: vagrant + +## The forwarded_port port feature lets you connect to ports on the VM guest +## via localhost on the host. +## see also: https://www.vagrantup.com/docs/networking/forwarded_ports + +# network: +# - ["forwarded_port", {guest: 80, host: 8080}] + +provisioner: + name: chef_zero + + ## product_name and product_version specifies a specific Chef product and version to install. + ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/ + # product_name: chef + # product_version: 17 + +verifier: + name: inspec + +platforms: + - name: ubuntu-20.04 + - name: centos-8 + +suites: + - name: default + verifier: + inspec_tests: + - test/integration/default diff --git a/esh_syncthing/metadata.rb b/esh_syncthing/metadata.rb new file mode 100644 index 0000000..87defa5 --- /dev/null +++ b/esh_syncthing/metadata.rb @@ -0,0 +1,19 @@ +name 'esh_syncthing' +maintainer 'https://easyself.host' +maintainer_email 'esh@benpro.fr' +license 'Apache-2.0' +description 'Installs/Configures esh_syncthing' +version '0.1.0' +chef_version '>= 16.0' + +# The `issues_url` points to the location where issues for this cookbook are +# tracked. A `View Issues` link will be displayed on this cookbook's page when +# uploaded to a Supermarket. +# +# issues_url 'https://github.com//esh_syncthing/issues' + +# The `source_url` points to the development repository for this cookbook. A +# `View Source` link will be displayed on this cookbook's page when uploaded to +# a Supermarket. +# +# source_url 'https://github.com//esh_syncthing' diff --git a/esh_syncthing/recipes/default.rb b/esh_syncthing/recipes/default.rb new file mode 100644 index 0000000..da854a2 --- /dev/null +++ b/esh_syncthing/recipes/default.rb 
@@ -0,0 +1,17 @@
+#
+# Cookbook:: esh_syncthing
+# Recipe:: default
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
diff --git a/esh_syncthing/recipes/service.rb b/esh_syncthing/recipes/service.rb
new file mode 100644
index 0000000..e8e0508
--- /dev/null
+++ b/esh_syncthing/recipes/service.rb
@@ -0,0 +1,37 @@
+#
+# Cookbook:: esh_syncthing
+# Recipe:: service
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+user = node['esh']['syncthing']['service']['user']
+
+package 'syncthing'
+
+service "syncthing@#{user}" do
+ action [:enable, :start]
+end
+
+# Listen on 0.0.0.0:8384
+file "/home/#{user}/.config/syncthing/config.xml" do
+ content lazy {
+ file = Chef::Util::FileEdit.new("/home/#{user}/.config/syncthing/config.xml")
+ file.search_file_replace(/
127.0.0.1:8384<\/address>/, '
0.0.0.0:8384
')
+ file.send(:editor).lines.join
+ }
+ retries 1
+ notifies :restart, "service[syncthing@photoprism]", :immediately
+end
+
\ No newline at end of file
diff --git a/esh_syncthing/test/integration/default/default_test.rb b/esh_syncthing/test/integration/default/default_test.rb
new file mode 100644
index 0000000..12f450e
--- /dev/null
+++ b/esh_syncthing/test/integration/default/default_test.rb
@@ -0,0 +1,16 @@
+# Chef InSpec test for recipe esh_syncthing::default
+
+# The Chef InSpec reference, with examples and extensive documentation, can be
+# found at https://docs.chef.io/inspec/resources/
+
+unless os.windows?
+ # This is an example test, replace with your own test.
+ describe user('root'), :skip do
+ it { should exist }
+ end
+end
+
+# This is an example test, replace it with your own test.
+describe port(80), :skip do
+ it { should_not be_listening }
+end
diff --git a/esh_system/.delivery/project.toml b/esh_system/.delivery/project.toml
new file mode 100644
index 0000000..3a12ab5
--- /dev/null
+++ b/esh_system/.delivery/project.toml
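Review bot: `notifies :restart, "service[syncthing@photoprism]", :immediately` hard-codes the `photoprism` user while the service is declared as `"syncthing@#{user}"`, so for any other value of `node['esh']['syncthing']['service']['user']` the run fails with a resource-not-found error; it should be `notifies :restart, "service[syncthing@#{user}]", :immediately`. Rewriting the GUI address from `127.0.0.1:8384` to `0.0.0.0:8384` exposes the Syncthing web UI and REST API on every interface, and a freshly generated config.xml has no GUI user or password, so this should only converge together with GUI credentials (or TLS plus a firewall rule from the ufw cookbook) on an internet-facing host. The `lazy` content block also opens the file through `Chef::Util::FileEdit` before Syncthing has necessarily written it on first start; `retries 1` presumably covers that race rather than waiting for the file to exist, which is worth a comment at minimum.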
@@ -0,0 +1,32 @@ +# Delivery for Local Phases Execution +# +# This file allows you to execute test phases locally on a workstation or +# in a CI pipeline. The delivery-cli will read this file and execute the +# command(s) that are configured for each phase. You can customize them +# by just modifying the phase key on this file. +# +# By default these phases are configured for Cookbook Workflow only +# + +[local_phases] +unit = "echo skipping unit phase." +lint = "chef exec cookstyle" +# foodcritic has been deprecated in favor of cookstyle so we skip the syntax +# phase now. +syntax = "echo skipping syntax phase. Use lint phase instead." +provision = "chef exec kitchen create" +deploy = "chef exec kitchen converge" +smoke = "chef exec kitchen verify" +# The functional phase is optional, you can define it by uncommenting +# the line below and running the command: `delivery local functional` +# functional = "" +cleanup = "chef exec kitchen destroy" + +# Remote project.toml file +# +# Instead of the local phases above, you may specify a remote URI location for +# the `project.toml` file. This is useful for teams that wish to centrally +# manage the behavior of the `delivery local` command across many different +# projects. +# +# remote_file = "https://url/project.toml" diff --git a/esh_system/.gitignore b/esh_system/.gitignore new file mode 100644 index 0000000..f1e57b8 --- /dev/null +++ b/esh_system/.gitignore @@ -0,0 +1,25 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +kitchen.local.yml + +# Chef Infra +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json + +.idea/ + diff --git a/esh_system/CHANGELOG.md b/esh_system/CHANGELOG.md new file mode 100644 index 0000000..72afbd7 --- /dev/null +++ b/esh_system/CHANGELOG.md 
@@ -0,0 +1,10 @@ +# esh_system CHANGELOG + +This file is used to list changes made in each version of the esh_system cookbook. + +## 0.1.0 + +Initial release. + +- change 0 +- change 1 diff --git a/esh_system/LICENSE b/esh_system/LICENSE new file mode 100644 index 0000000..11069ed --- /dev/null +++ b/esh_system/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/esh_system/Policyfile.rb b/esh_system/Policyfile.rb new file mode 100644 index 0000000..faa14f8 --- /dev/null +++ b/esh_system/Policyfile.rb @@ -0,0 +1,16 @@ +# Policyfile.rb - Describe how you want Chef Infra Client to build your system. +# +# For more information on the Policyfile feature, visit +# https://docs.chef.io/policyfile/ + +# A name that describes what the system you're building with Chef does. +name 'esh_system' + +# Where to find external cookbooks: +default_source :supermarket + +# run_list: chef-client will run these recipes in the order specified. +run_list 'esh_system::default' + +# Specify a custom source for a single cookbook: +cookbook 'esh_system', path: '.' diff --git a/esh_system/README.md b/esh_system/README.md new file mode 100644 index 0000000..4b1ea65 --- /dev/null 
+++ b/esh_system/README.md @@ -0,0 +1,4 @@ +# esh_system + +TODO: Enter the cookbook description here. + diff --git a/esh_system/chefignore b/esh_system/chefignore new file mode 100644 index 0000000..cc170ea --- /dev/null +++ b/esh_system/chefignore @@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen.yml* +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/esh_system/kitchen.yml b/esh_system/kitchen.yml new file mode 100644 index 0000000..cef0219 --- /dev/null +++ b/esh_system/kitchen.yml 
@@ -0,0 +1,31 @@ +--- +driver: + name: vagrant + +## The forwarded_port port feature lets you connect to ports on the VM guest +## via localhost on the host. +## see also: https://www.vagrantup.com/docs/networking/forwarded_ports + +# network: +# - ["forwarded_port", {guest: 80, host: 8080}] + +provisioner: + name: chef_zero + + ## product_name and product_version specifies a specific Chef product and version to install. + ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/ + # product_name: chef + # product_version: 17 + +verifier: + name: inspec + +platforms: + - name: ubuntu-20.04 + - name: centos-8 + +suites: + - name: default + verifier: + inspec_tests: + - test/integration/default diff --git a/esh_system/metadata.rb b/esh_system/metadata.rb new file mode 100644 index 0000000..d7af3f3 --- /dev/null +++ b/esh_system/metadata.rb @@ -0,0 +1,19 @@ +name 'esh_system' +maintainer 'https://easyself.host' +maintainer_email 'esh@benpro.fr' +license 'Apache-2.0' +description 'Installs/Configures esh_system' +version '0.1.0' +chef_version '>= 16.0' + +# The `issues_url` points to the location where issues for this cookbook are +# tracked. A `View Issues` link will be displayed on this cookbook's page when +# uploaded to a Supermarket. +# +# issues_url 'https://github.com//esh_system/issues' + +# The `source_url` points to the development repository for this cookbook. A +# `View Source` link will be displayed on this cookbook's page when uploaded to +# a Supermarket. +# +# source_url 'https://github.com//esh_system' diff --git a/esh_system/recipes/default.rb b/esh_system/recipes/default.rb new file mode 100644 index 0000000..01566c2 --- /dev/null +++ b/esh_system/recipes/default.rb 
@@ -0,0 +1,17 @@
+#
+# Cookbook:: esh_system
+# Recipe:: default
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
diff --git a/esh_system/recipes/hostname.rb b/esh_system/recipes/hostname.rb
new file mode 100644
index 0000000..ea309d4
--- /dev/null
+++ b/esh_system/recipes/hostname.rb
@@ -0,0 +1,25 @@
+#
+# Cookbook:: esh_system
+# Recipe:: hostname
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+fqdn = node['esh']['system']['hostname']['fqdn']
+hostname = fqdn.split('.')[0]
+
+hostname hostname do
+ fqdn fqdn
+ action :set
+end
diff --git a/esh_system/recipes/postfix.rb b/esh_system/recipes/postfix.rb
new file mode 100644
index 0000000..086c3d7
--- /dev/null
+++ b/esh_system/recipes/postfix.rb
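Review bot: In recipes/hostname.rb the local variable `hostname` shadows the `hostname` resource it is handed to two lines later, so `hostname hostname do` only parses as a resource call because an argument follows; a reader (and a linter) will trip over it. Renaming the local removes the ambiguity: `short_name = fqdn.split('.').first` and `hostname short_name do`. The recipe also assumes `node['esh']['system']['hostname']['fqdn']` is set; if it is nil the run dies with a NoMethodError on `split` instead of a message naming the missing attribute, so a guard such as `raise ArgumentError, 'esh.system.hostname.fqdn is not set' if fqdn.nil? || fqdn.empty?` before the split would make the failure self-explanatory (the attributes file is not in this chunk, so whether a default exists is unknown).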
@@ -0,0 +1,19 @@
+#
+# Cookbook:: esh_system
+# Recipe:: postfix
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apt_package 'postfix'
diff --git a/esh_system/recipes/sshd.rb b/esh_system/recipes/sshd.rb
new file mode 100644
index 0000000..2042ae5
--- /dev/null
+++ b/esh_system/recipes/sshd.rb
@@ -0,0 +1,45 @@
+#
+# Cookbook:: esh_system
+# Recipe:: sshd
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+template '/etc/ssh/sshd_config' do
+ owner 'root'
+ group 'root'
+ mode '0444'
+ variables port: node['esh']['system']['sshd']['port'],
+ permitrootlogin: node['esh']['system']['sshd']['permitrootlogin'],
+ passwordauthentication: node['esh']['system']['sshd']['passwordauthentication'],
+ maxauthtries: node['esh']['system']['sshd']['maxauthtries'],
+ maxsessions: node['esh']['system']['sshd']['maxsessions'],
+ otp: node['esh']['system']['sshd']['otp']
+ action :create
+ notifies :reload, 'service[sshd]', :delayed
+end
+
+template '/etc/pam.d/sshd' do
+ source 'pam.d.sshd.erb'
+ owner 'root'
+ group 'root'
+ mode '0644'
+ variables otp: node['esh']['system']['sshd']['otp']
+ action :create
+ notifies :reload, 'service[sshd]', :delayed
+end
+
+service 'sshd' do
+ action :nothing
+end
diff --git a/esh_system/templates/default/pam.d.sshd.erb b/esh_system/templates/default/pam.d.sshd.erb
new file mode 100644
index 0000000..1442f22
--- /dev/null
+++ b/esh_system/templates/default/pam.d.sshd.erb
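Review bot: The `template '/etc/ssh/sshd_config'` resource reloads sshd with whatever the attributes rendered, but the rendered file is never syntax-checked, so a value OpenSSH rejects (a non-numeric `port`, a misspelled `permitrootlogin`) leaves the running daemon unable to reload and the next restart locks the host out; add `verify 'sshd -t -f %{path}'` to that resource so Chef refuses to install a render that sshd itself will not accept. When `otp` is true the PAM template this recipe installs needs `pam_google_authenticator.so`, and nothing in this recipe installs that package; if no other recipe does, an `auth required` line pointing at a missing module fails keyboard-interactive for every user, so the package (or an explicit dependency) belongs next to these templates. Minor: `/etc/ssh/sshd_config` gets `mode '0444'` while `/etc/pam.d/sshd` gets `'0644'`; both are root-owned config files and the distro default for both is `0644`, so the difference reads as accidental. The `service 'sshd'` name resolves on Debian/Ubuntu only through the `sshd.service` alias of `ssh.service`; worth a comment since kitchen.yml targets both ubuntu-20.04 and centos-8.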
@@ -0,0 +1,61 @@
+# PAM configuration for the Secure Shell service
+<% if @otp %>
+# Standard Un*x authentication.
+#@include common-auth
+# OTP
+auth required pam_google_authenticator.so debug nullok
+<% else %>
+# Standard Un*x authentication.
+@include common-auth
+<% end %>
+
+# Disallow non-root logins when /etc/nologin exists.
+account required pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account required pam_access.so
+
+# Standard Un*x authorization.
+@include common-account
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible that a
+# module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# Set the loginuid process attribute.
+session required pam_loginuid.so
+
+# Create a new session keyring.
+session optional pam_keyinit.so force revoke
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session optional pam_motd.so motd=/run/motd.dynamic
+session optional pam_motd.so noupdate
+
+# Print the status of the user's mailbox upon successful login.
+session optional pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session required pam_limits.so
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+session required pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+session required pam_env.so user_readenv=1 envfile=/etc/default/locale
+
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context. Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+
+# Standard Un*x password updating.
+@include common-password
diff --git a/esh_system/templates/default/sshd_config.erb b/esh_system/templates/default/sshd_config.erb
new file mode 100644
index 0000000..6cb2e75
--- /dev/null
+++ b/esh_system/templates/default/sshd_config.erb
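Review bot: In the `<% if @otp %>` branch at the top of this template, `nullok` makes the second factor opt-in: an account with no `~/.google_authenticator` file is not asked for a code, so setting the `otp` attribute does not by itself enforce TOTP for every login. That deserves a comment next to the line, e.g. `# nullok: accounts not yet enrolled skip the OTP prompt - drop it once every login user is enrolled`, or the option should go once enrollment is complete. With `@include common-auth` commented out, `pam_google_authenticator.so` is also the only `auth` module in the stack, and what PAM returns when the sole module ignores an un-enrolled user is easy to get wrong in either direction (everyone in, or everyone out), so that path should be tested on both kitchen platforms rather than assumed. `debug` turns on the module's verbose logging and should not ship in the production stack.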
@@ -0,0 +1,128 @@
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+Port <%= @port %>
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin <%= @permitrootlogin %>
+#StrictModes yes
+MaxAuthTries <%= @maxauthtries %>
+MaxSessions <%= @maxsessions %>
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication <%= @passwordauthentication %>
+#PermitEmptyPasswords no
+
+<% if @otp %>
+# OTP
+KbdInteractiveAuthentication yes
+ChallengeResponseAuthentication yes
+AuthenticationMethods publickey,keyboard-interactive
+<% else %>
+KbdInteractiveAuthentication no
+<% end %>
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "#PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum
+
+# no default banner path
+# Banner none
+DebianBanner no
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#X11Forwarding no
+#AllowTcpForwarding no
+#PermitTTY no
+#ForceCommand cvs server
\ No newline at end of file
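Review bot: `Include /etc/ssh/sshd_config.d/*.conf` sits above every managed option, and sshd keeps the first value it reads for a keyword, so any drop-in in that directory wins over `PasswordAuthentication <%= @passwordauthentication %>` and `PermitRootLogin <%= @permitrootlogin %>` without the recipe noticing (Ubuntu cloud images typically ship a drop-in there that turns password authentication on). Either have the recipe own `/etc/ssh/sshd_config.d` so no unmanaged file can precede these settings, or move the `Include` below the managed options so the template's values take precedence and the drop-ins can only fill in what it does not set. The `@otp` branch's `AuthenticationMethods publickey,keyboard-interactive` correctly keeps a bare password from ever satisfying login, but it only delivers a second factor if the PAM `auth` stack demands one, which this file cannot check; a one-line comment above it pointing at the paired `/etc/pam.d/sshd` template would save the next reader from assuming sshd enforces the OTP on its own. This hunk starts on L414.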
diff --git a/esh_system/test/integration/default/default_test.rb b/esh_system/test/integration/default/default_test.rb new file mode 100644 index 0000000..4f387ad --- /dev/null +++ b/esh_system/test/integration/default/default_test.rb @@ -0,0 +1,16 @@ +# Chef InSpec test for recipe esh_system::default + +# The Chef InSpec reference, with examples and extensive documentation, can be +# found at https://docs.chef.io/inspec/resources/ + +unless os.windows? + # This is an example test, replace with your own test. + describe user('root'), :skip do + it { should exist } + end +end + +# This is an example test, replace it with your own test. +describe port(80), :skip do + it { should_not be_listening } +end diff --git a/esh_systemd/.gitignore b/esh_systemd/.gitignore new file mode 100644 index 0000000..f1e57b8 --- /dev/null +++ b/esh_systemd/.gitignore @@ -0,0 +1,25 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +kitchen.local.yml + +# Chef Infra +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json + +.idea/ + diff --git a/esh_systemd/CHANGELOG.md b/esh_systemd/CHANGELOG.md new file mode 100644 index 0000000..94900d2 --- /dev/null +++ b/esh_systemd/CHANGELOG.md @@ -0,0 +1,10 @@ +# esh_systemd CHANGELOG + +This file is used to list changes made in each version of the esh_systemd cookbook. + +## 0.1.0 + +Initial release. + +- change 0 +- change 1 diff --git a/esh_systemd/LICENSE b/esh_systemd/LICENSE new file mode 100644 index 0000000..11069ed --- /dev/null +++ b/esh_systemd/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/esh_systemd/Policyfile.rb b/esh_systemd/Policyfile.rb new file mode 100644 index 0000000..b3abd44 --- /dev/null +++ b/esh_systemd/Policyfile.rb @@ -0,0 +1,16 @@ +# Policyfile.rb - Describe how you want Chef Infra Client to build your system. +# +# For more information on the Policyfile feature, visit +# https://docs.chef.io/policyfile/ + +# A name that describes what the system you're building with Chef does. +name 'esh_systemd' + +# Where to find external cookbooks: +default_source :supermarket + +# run_list: chef-client will run these recipes in the order specified. +run_list 'esh_systemd::default' + +# Specify a custom source for a single cookbook: +cookbook 'esh_systemd', path: '.' diff --git a/esh_systemd/README.md b/esh_systemd/README.md new file mode 100644 index 0000000..66d0686 --- /dev/null 
+++ b/esh_systemd/README.md @@ -0,0 +1,4 @@ +# esh_systemd + +TODO: Enter the cookbook description here. + diff --git a/esh_systemd/chefignore b/esh_systemd/chefignore new file mode 100644 index 0000000..cc170ea --- /dev/null +++ b/esh_systemd/chefignore @@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen.yml* +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/esh_systemd/compliance/README.md b/esh_systemd/compliance/README.md new file mode 100644 index 0000000..947be3e --- /dev/null +++ b/esh_systemd/compliance/README.md 
@@ -0,0 +1,25 @@ +# compliance + +This directory contains Chef InSpec profile, waiver and input objects which are used with the Chef Infra Compliance Phase. + +Detailed information on the Chef Infra Compliance Phase can be found in the [Chef Documentation](https://docs.chef.io/chef_compliance_phase/). + +```plain +./compliance +├── inputs +├── profiles +└── waivers +``` + +Use the `chef generate` command from Chef Workstation to create content for these directories: + +```sh +# Generate a Chef InSpec profile +chef generate profile PROFILE_NAME + +# Generate a Chef InSpec waiver file +chef generate waiver WAIVER_NAME + +# Generate a Chef InSpec input file +chef generate input INPUT_NAME +``` diff --git a/esh_systemd/kitchen.yml b/esh_systemd/kitchen.yml new file mode 100644 index 0000000..cef0219 --- /dev/null +++ b/esh_systemd/kitchen.yml @@ -0,0 +1,31 @@ +--- +driver: + name: vagrant + +## The forwarded_port port feature lets you connect to ports on the VM guest +## via localhost on the host. +## see also: https://www.vagrantup.com/docs/networking/forwarded_ports + +# network: +# - ["forwarded_port", {guest: 80, host: 8080}] + +provisioner: + name: chef_zero + + ## product_name and product_version specifies a specific Chef product and version to install. + ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/ + # product_name: chef + # product_version: 17 + +verifier: + name: inspec + +platforms: + - name: ubuntu-20.04 + - name: centos-8 + +suites: + - name: default + verifier: + inspec_tests: + - test/integration/default diff --git a/esh_systemd/metadata.rb b/esh_systemd/metadata.rb new file mode 100644 index 0000000..66dfcab --- /dev/null +++ b/esh_systemd/metadata.rb 
@@ -0,0 +1,19 @@ +name 'esh_systemd' +maintainer 'https://easyself.host' +maintainer_email 'esh@benpro.fr' +license 'Apache-2.0' +description 'Installs/Configures esh_systemd' +version '0.1.0' +chef_version '>= 16.0' + +# The `issues_url` points to the location where issues for this cookbook are +# tracked. A `View Issues` link will be displayed on this cookbook's page when +# uploaded to a Supermarket. +# +# issues_url 'https://github.com//esh_systemd/issues' + +# The `source_url` points to the development repository for this cookbook. A +# `View Source` link will be displayed on this cookbook's page when uploaded to +# a Supermarket. +# +# source_url 'https://github.com//esh_systemd' diff --git a/esh_systemd/recipes/default.rb b/esh_systemd/recipes/default.rb new file mode 100644 index 0000000..4875627 --- /dev/null +++ b/esh_systemd/recipes/default.rb @@ -0,0 +1,17 @@ +# +# Cookbook:: esh_systemd +# Recipe:: default +# +# Copyright:: 2022, https://easyself.host +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/esh_systemd/recipes/resolved.rb b/esh_systemd/recipes/resolved.rb new file mode 100644 index 0000000..daad1f5 --- /dev/null +++ b/esh_systemd/recipes/resolved.rb 
@@ -0,0 +1,44 @@
+#
+# Cookbook:: esh_systemd
+# Resource:: resolved
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+file '/etc/systemd/resolved.conf' do
+ content <<~EOT
+ [Resolve]
+ DNSStubListenerExtra=#{node['ipaddress']}
+ EOT
+ owner 'root'
+ group 'root'
+ mode '0644'
+ action :create
+ notifies :restart, 'service[systemd-resolved]', :immediately
+end
+
+service 'systemd-resolved' do
+ action :nothing
+end
+
+file '/etc/resolv.nspawn.conf' do
+ content <<~EOT
+ nameserver #{node['ipaddress']}
+ options edns0 trust-ad
+ EOT
+ owner 'root'
+ group 'root'
+ mode '0644'
+ action :create
+end
diff --git a/esh_systemd/test/integration/default/default_test.rb b/esh_systemd/test/integration/default/default_test.rb
new file mode 100644
index 0000000..acdb4e9
--- /dev/null
+++ b/esh_systemd/test/integration/default/default_test.rb
@@ -0,0 +1,16 @@
+# Chef InSpec test for recipe esh_systemd::default
+
+# The Chef InSpec reference, with examples and extensive documentation, can be
+# found at https://docs.chef.io/inspec/resources/
+
+unless os.windows?
+ # This is an example test, replace with your own test.
+ describe user('root'), :skip do
+ it { should exist }
+ end
+end
+
+# This is an example test, replace it with your own test.
+describe port(80), :skip do
+ it { should_not be_listening }
+end
diff --git a/esh_ufw/.delivery/project.toml b/esh_ufw/.delivery/project.toml
new file mode 100644
index 0000000..3a12ab5
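Review bot: `DNSStubListenerExtra=#{node['ipaddress']}` in the `/etc/systemd/resolved.conf` resource binds the systemd-resolved stub listener on whatever address Ohai reports as the node's primary IP, so on a host whose primary interface is externally reachable this exposes tcp+udp/53 to the network (an open-resolver / amplification exposure) unless host firewalling restricts it. The only consumer visible in this hunk is `/etc/resolv.nspawn.conf`, so the listener only needs the address the containers reach; consider making the bind address a cookbook attribute that defaults to `node['ipaddress']`, with a comment such as `# Stub listener bind address: keep this on the internal/container interface or restrict tcp+udp/53 at the host firewall.` `node['ipaddress']` can also be nil (e.g. when Ohai cannot determine a default route), in which case the template writes `DNSStubListenerExtra=` with an empty value; a guard like `raise 'node ipaddress is unavailable' if node['ipaddress'].nil?` before the resource fails the run early instead. Note also that `content` replaces `/etc/systemd/resolved.conf` wholesale, so any distribution-provided settings in that file are dropped on converge.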
--- /dev/null +++ b/esh_ufw/.delivery/project.toml @@ -0,0 +1,32 @@ +# Delivery for Local Phases Execution +# +# This file allows you to execute test phases locally on a workstation or +# in a CI pipeline. The delivery-cli will read this file and execute the +# command(s) that are configured for each phase. You can customize them +# by just modifying the phase key on this file. +# +# By default these phases are configured for Cookbook Workflow only +# + +[local_phases] +unit = "echo skipping unit phase." +lint = "chef exec cookstyle" +# foodcritic has been deprecated in favor of cookstyle so we skip the syntax +# phase now. +syntax = "echo skipping syntax phase. Use lint phase instead." +provision = "chef exec kitchen create" +deploy = "chef exec kitchen converge" +smoke = "chef exec kitchen verify" +# The functional phase is optional, you can define it by uncommenting +# the line below and running the command: `delivery local functional` +# functional = "" +cleanup = "chef exec kitchen destroy" + +# Remote project.toml file +# +# Instead of the local phases above, you may specify a remote URI location for +# the `project.toml` file. This is useful for teams that wish to centrally +# manage the behavior of the `delivery local` command across many different +# projects. +# +# remote_file = "https://url/project.toml" diff --git a/esh_ufw/.gitignore b/esh_ufw/.gitignore new file mode 100644 index 0000000..f1e57b8 --- /dev/null +++ b/esh_ufw/.gitignore @@ -0,0 +1,25 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +kitchen.local.yml + +# Chef Infra +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json + +.idea/ + diff --git a/esh_ufw/CHANGELOG.md b/esh_ufw/CHANGELOG.md new file mode 100644 index 0000000..5368fe6 --- /dev/null +++ b/esh_ufw/CHANGELOG.md 
@@ -0,0 +1,10 @@ +# esh_ufw CHANGELOG + +This file is used to list changes made in each version of the esh_ufw cookbook. + +## 0.1.0 + +Initial release. + +- change 0 +- change 1 diff --git a/esh_ufw/LICENSE b/esh_ufw/LICENSE new file mode 100644 index 0000000..11069ed --- /dev/null +++ b/esh_ufw/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/esh_ufw/Policyfile.rb b/esh_ufw/Policyfile.rb new file mode 100644 index 0000000..3dcdc84 --- /dev/null +++ b/esh_ufw/Policyfile.rb @@ -0,0 +1,16 @@ +# Policyfile.rb - Describe how you want Chef Infra Client to build your system. +# +# For more information on the Policyfile feature, visit +# https://docs.chef.io/policyfile/ + +# A name that describes what the system you're building with Chef does. +name 'esh_ufw' + +# Where to find external cookbooks: +default_source :supermarket + +# run_list: chef-client will run these recipes in the order specified. +run_list 'esh_ufw::default' + +# Specify a custom source for a single cookbook: +cookbook 'esh_ufw', path: '.' diff --git a/esh_ufw/README.md b/esh_ufw/README.md new file mode 100644 index 0000000..7f52824 --- /dev/null +++ b/esh_ufw/README.md 
@@ -0,0 +1,4 @@ +# esh_ufw + +TODO: Enter the cookbook description here. + diff --git a/esh_ufw/chefignore b/esh_ufw/chefignore new file mode 100644 index 0000000..cc170ea --- /dev/null +++ b/esh_ufw/chefignore @@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen.yml* +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/esh_ufw/kitchen.yml b/esh_ufw/kitchen.yml new file mode 100644 index 0000000..cef0219 --- /dev/null +++ b/esh_ufw/kitchen.yml 
@@ -0,0 +1,31 @@ +--- +driver: + name: vagrant + +## The forwarded_port port feature lets you connect to ports on the VM guest +## via localhost on the host. +## see also: https://www.vagrantup.com/docs/networking/forwarded_ports + +# network: +# - ["forwarded_port", {guest: 80, host: 8080}] + +provisioner: + name: chef_zero + + ## product_name and product_version specifies a specific Chef product and version to install. + ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/ + # product_name: chef + # product_version: 17 + +verifier: + name: inspec + +platforms: + - name: ubuntu-20.04 + - name: centos-8 + +suites: + - name: default + verifier: + inspec_tests: + - test/integration/default diff --git a/esh_ufw/metadata.rb b/esh_ufw/metadata.rb new file mode 100644 index 0000000..4e392a8 --- /dev/null +++ b/esh_ufw/metadata.rb @@ -0,0 +1,19 @@ +name 'esh_ufw' +maintainer 'https://easyself.host' +maintainer_email 'esh@benpro.fr' +license 'Apache-2.0' +description 'Installs/Configures esh_ufw' +version '0.1.0' +chef_version '>= 16.0' + +# The `issues_url` points to the location where issues for this cookbook are +# tracked. A `View Issues` link will be displayed on this cookbook's page when +# uploaded to a Supermarket. +# +# issues_url 'https://github.com//esh_ufw/issues' + +# The `source_url` points to the development repository for this cookbook. A +# `View Source` link will be displayed on this cookbook's page when uploaded to +# a Supermarket. +# +# source_url 'https://github.com//esh_ufw' diff --git a/esh_ufw/recipes/default.rb b/esh_ufw/recipes/default.rb new file mode 100644 index 0000000..fa86576 --- /dev/null +++ b/esh_ufw/recipes/default.rb 
@@ -0,0 +1,17 @@
+#
+# Cookbook:: esh_ufw
+# Recipe:: default
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
diff --git a/esh_ufw/recipes/rules.rb b/esh_ufw/recipes/rules.rb
new file mode 100644
index 0000000..ad37bfe
--- /dev/null
+++ b/esh_ufw/recipes/rules.rb
@@ -0,0 +1,27 @@
+#
+# Cookbook:: esh_ufw
+# Recipe:: rules
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+rules = node['esh']['ufw']['rules']['list']
+
+rules.each do |rule|
+ execute "ufw #{rule}" do
+ command "ufw #{rule}"
+ not_if "ufw --dry-run #{rule} | grep -q 'Skipping adding existing rule'"
+ action :run
+ end
+end
diff --git a/esh_ufw/test/integration/default/default_test.rb b/esh_ufw/test/integration/default/default_test.rb
new file mode 100644
index 0000000..5a1797a
--- /dev/null
+++ b/esh_ufw/test/integration/default/default_test.rb
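Review bot: Each entry of `node['esh']['ufw']['rules']['list']` is interpolated unquoted into two shell strings in rules.rb (`command "ufw #{rule}"` and the `not_if` pipeline), so any shell metacharacter that ends up in a rule attribute is interpreted by the shell rather than handed to ufw as an argument. Use the array form for the command and escape the guard, `command ['ufw', *rule.split]` and `not_if "ufw --dry-run #{Shellwords.join(rule.split)} | grep -q 'Skipping adding existing rule'"` (stdlib `shellwords`, `require 'shellwords'` at the top if it is not already loaded). The guard only recognises the "Skipping adding existing rule" message, so a `delete` or `route` entry in the list would presumably never match it and re-run on every converge; a comment stating that the list is expected to hold plain `allow`/`deny` rules would document that limit. Nothing in this commit installs or enables ufw (the `default` recipe in the preceding hunk is a header only), so the recipe assumes the package is already present.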
@@ -0,0 +1,16 @@ +# Chef InSpec test for recipe esh_ufw::default + +# The Chef InSpec reference, with examples and extensive documentation, can be +# found at https://docs.chef.io/inspec/resources/ + +unless os.windows? + # This is an example test, replace with your own test. + describe user('root'), :skip do + it { should exist } + end +end + +# This is an example test, replace it with your own test. +describe port(80), :skip do + it { should_not be_listening } +end diff --git a/esh_undocker/.gitignore b/esh_undocker/.gitignore new file mode 100644 index 0000000..f1e57b8 --- /dev/null +++ b/esh_undocker/.gitignore @@ -0,0 +1,25 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +kitchen.local.yml + +# Chef Infra +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json + +.idea/ + diff --git a/esh_undocker/CHANGELOG.md b/esh_undocker/CHANGELOG.md new file mode 100644 index 0000000..d8f963b --- /dev/null +++ b/esh_undocker/CHANGELOG.md @@ -0,0 +1,10 @@ +# esh_undocker CHANGELOG + +This file is used to list changes made in each version of the esh_undocker cookbook. + +## 0.1.0 + +Initial release. + +- change 0 +- change 1 diff --git a/esh_undocker/LICENSE b/esh_undocker/LICENSE new file mode 100644 index 0000000..11069ed --- /dev/null +++ b/esh_undocker/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/esh_undocker/Policyfile.rb b/esh_undocker/Policyfile.rb new file mode 100644 index 0000000..4c16413 --- /dev/null +++ b/esh_undocker/Policyfile.rb @@ -0,0 +1,16 @@ +# Policyfile.rb - Describe how you want Chef Infra Client to build your system. +# +# For more information on the Policyfile feature, visit +# https://docs.chef.io/policyfile/ + +# A name that describes what the system you're building with Chef does. +name 'esh_undocker' + +# Where to find external cookbooks: +default_source :supermarket + +# run_list: chef-client will run these recipes in the order specified. +run_list 'esh_undocker::default' + +# Specify a custom source for a single cookbook: +cookbook 'esh_undocker', path: '.' diff --git a/esh_undocker/README.md b/esh_undocker/README.md new file mode 100644 index 0000000..df28ba9 --- /dev/null 
+++ b/esh_undocker/README.md @@ -0,0 +1,4 @@ +# esh_undocker + +TODO: Enter the cookbook description here. + diff --git a/esh_undocker/chefignore b/esh_undocker/chefignore new file mode 100644 index 0000000..cc170ea --- /dev/null +++ b/esh_undocker/chefignore @@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen.yml* +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/esh_undocker/compliance/README.md b/esh_undocker/compliance/README.md new file mode 100644 index 0000000..947be3e --- /dev/null +++ b/esh_undocker/compliance/README.md 
@@ -0,0 +1,25 @@ +# compliance + +This directory contains Chef InSpec profile, waiver and input objects which are used with the Chef Infra Compliance Phase. + +Detailed information on the Chef Infra Compliance Phase can be found in the [Chef Documentation](https://docs.chef.io/chef_compliance_phase/). + +```plain +./compliance +├── inputs +├── profiles +└── waivers +``` + +Use the `chef generate` command from Chef Workstation to create content for these directories: + +```sh +# Generate a Chef InSpec profile +chef generate profile PROFILE_NAME + +# Generate a Chef InSpec waiver file +chef generate waiver WAIVER_NAME + +# Generate a Chef InSpec input file +chef generate input INPUT_NAME +``` diff --git a/esh_undocker/kitchen.yml b/esh_undocker/kitchen.yml new file mode 100644 index 0000000..cef0219 --- /dev/null +++ b/esh_undocker/kitchen.yml @@ -0,0 +1,31 @@ +--- +driver: + name: vagrant + +## The forwarded_port port feature lets you connect to ports on the VM guest +## via localhost on the host. +## see also: https://www.vagrantup.com/docs/networking/forwarded_ports + +# network: +# - ["forwarded_port", {guest: 80, host: 8080}] + +provisioner: + name: chef_zero + + ## product_name and product_version specifies a specific Chef product and version to install. + ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/ + # product_name: chef + # product_version: 17 + +verifier: + name: inspec + +platforms: + - name: ubuntu-20.04 + - name: centos-8 + +suites: + - name: default + verifier: + inspec_tests: + - test/integration/default diff --git a/esh_undocker/metadata.rb b/esh_undocker/metadata.rb new file mode 100644 index 0000000..617bb36 --- /dev/null +++ b/esh_undocker/metadata.rb 
@@ -0,0 +1,21 @@ +name 'esh_undocker' +maintainer 'https://easyself.host' +maintainer_email 'esh@benpro.fr' +license 'Apache-2.0' +description 'Installs/Configures esh_undocker' +version '0.1.0' +chef_version '>= 16.0' +supports 'ubuntu', '= 22.04' +supports 'debian', '= 11.0' + +# The `issues_url` points to the location where issues for this cookbook are +# tracked. A `View Issues` link will be displayed on this cookbook's page when +# uploaded to a Supermarket. +# +# issues_url 'https://github.com//esh_undocker/issues' + +# The `source_url` points to the development repository for this cookbook. A +# `View Source` link will be displayed on this cookbook's page when uploaded to +# a Supermarket. +# +# source_url 'https://github.com//esh_undocker' diff --git a/esh_undocker/recipes/default.rb b/esh_undocker/recipes/default.rb new file mode 100644 index 0000000..e3c830d --- /dev/null +++ b/esh_undocker/recipes/default.rb @@ -0,0 +1,17 @@ +# +# Cookbook:: esh_undocker +# Recipe:: default +# +# Copyright:: 2022, https://easyself.host +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/esh_undocker/resources/download.rb b/esh_undocker/resources/download.rb new file mode 100644 index 0000000..f0e240c --- /dev/null +++ b/esh_undocker/resources/download.rb 
@@ -0,0 +1,57 @@
+#
+# Cookbook:: esh_undocker
+# Resource:: download
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+unified_mode true
+property :image, String, name_property: true
+default_action :download
+
+action :download do
+ image = new_resource.image
+ parts = image.split(':')
+ tag = parts.pop
+ url, image = parts.join(':').split('/', 2)
+
+ apt_package %w(skopeo ca-certificates jq)
+
+ directory "#{Chef::Config['file_cache_path']}/#{image}-#{tag}" do
+ owner 'root'
+ group 'root'
+ mode '0755'
+ recursive true
+ action :create
+ end
+
+ current_created = `skopeo inspect oci:#{Chef::Config['file_cache_path']}/#{image}-#{tag}:#{tag} | jq -r .Created`.strip
+ latest_created = `skopeo inspect docker://#{url}/#{image}:#{tag} | jq -r .Created`.strip
+
+ directory "#{Chef::Config['file_cache_path']}/#{image}-#{tag}" do
+ recursive true
+ action :delete
+ only_if { current_created != latest_created }
+ end
+
+ execute "download docker image #{image} as oci layout format" do
+ command <<~EOT
+ skopeo copy \
+ docker://#{url}/#{image}:#{tag} \
+ oci:#{Chef::Config['file_cache_path']}/#{image}-#{tag}:#{tag}
+ EOT
+ not_if { ::File.exist?("#{Chef::Config['file_cache_path']}/#{image}-#{tag}/index.json") }
+ live_stream true
+ end
+end
diff --git a/esh_undocker/resources/extract.rb b/esh_undocker/resources/extract.rb
new file mode 100644
index 0000000..8fe3a7a
--- /dev/null
+++ b/esh_undocker/resources/extract.rb
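Review bot: The two backtick calls in the `:download` action discard the exit status of `skopeo inspect`, so a transient registry or network failure leaves `latest_created` empty, the `only_if { current_created != latest_created }` guard fires, and the cached image under `file_cache_path` is deleted right before the re-download fails for the same reason. The reference parsing is also unguarded: with no `:TAG` suffix `tag = parts.pop` takes the whole name and `parts` is empty, and with no registry prefix `split('/', 2)` leaves `image` nil, yet both cases go on to build `docker://` URLs from the pieces. The excerpt below raises on a malformed reference and replaces the backtick/jq pipelines with `shell_out`/`shell_out!` plus `JSON.parse`, so a missing local layout is tolerated while a failed registry lookup aborts the converge instead of wiping the cache; `shell_out` is available inside custom-resource actions. Comparing `.Digest` (as extract.rb in the next hunk already does) would be a more reliable change signal than `.Created`, which the commit may want to revisit.
```ruby
action :download do
  image = new_resource.image
  parts = image.split(':')
  tag = parts.pop
  url, image = parts.join(':').split('/', 2)
  # Fail early instead of building docker:// references from a partial name.
  raise ArgumentError, "image must be REGISTRY/NAME:TAG, got #{new_resource.image.inspect}" if parts.empty? || image.nil? || image.empty?
  # … unchanged: apt_package and cache directory creation …
  # A missing local layout is an expected state; a failed registry lookup is not and
  # must not be turned into an empty string that triggers the delete below.
  local = shell_out('skopeo', 'inspect', "oci:#{Chef::Config['file_cache_path']}/#{image}-#{tag}:#{tag}")
  current_created = local.error? ? '' : JSON.parse(local.stdout)['Created']
  latest_created = JSON.parse(shell_out!('skopeo', 'inspect', "docker://#{url}/#{image}:#{tag}").stdout)['Created']
  # … unchanged: conditional delete and skopeo copy …
```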
@@ -0,0 +1,113 @@
+#
+# Cookbook:: esh_undocker
+# Resource:: extract
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+unified_mode true
+property :image, String, name_property: true
+#property :tag, String, required: true
+#property :network, String, required: true
+#property :env, Array, required: true
+default_action :extract
+
+action :extract do
+ image = new_resource.image
+ parts = image.split(':')
+ tag = parts.pop
+ url, image = parts.join(':').split('/', 2)
+
+ #tag = new_resource.tag
+ #network = new_resource.network
+ #env = new_resource.env
+ path = '/opt/undocker'
+
+ directory path do
+ owner 'root'
+ group 'root'
+ mode '0755'
+ action :create
+ end
+
+ apt_package %w(umoci jq)
+
+ current_digest = `jq -r '.from_descriptor_path.descriptor_walk[].digest' < #{path}/#{image}/umoci.json`.strip
+ latest_digest = `skopeo inspect oci:#{Chef::Config['file_cache_path']}/#{image}-#{tag}:#{tag} | jq -r .Digest`.strip
+
+ directory "#{path}/#{image}" do
+ recursive true
+ action :delete
+ only_if { current_digest != latest_digest }
+ end
+
+ execute "undockerize #{image} (convert to OCI runtime bundle)" do
+ command <<~EOT
+ umoci unpack \
+ --image #{Chef::Config['file_cache_path']}/#{image}-#{tag}:#{tag} \
+ #{path}/#{image}
+ done
+ EOT
+ # Weird, umoci return 2 not 0...
+ returns 2
+ not_if { current_digest == latest_digest }
+ end
+
+ directory "#{path}/#{image}" do
+ owner 'root'
+ group 'root'
+ mode '0755'
+ action :create
+ end
+
+# bash "patch #{path}/#{image}/config.json rootfs path" do
+# code <<~EOT
+# cat <<< $(jq '.root.path = "#{path}/#{image}/rootfs"' #{path}/#{image}/config.json) > #{path}/#{image}/config.json
+# EOT
+# action :run
+# not_if do
+# `jq '.root.path == "#{path}/#{image}/rootfs"' #{path}/#{image}/config.json`.strip == 'true'
+# end
+# end
+#
+# bash "patch #{path}/#{image}/config.json network namespace" do
+# code <<~EOT
+# cat <<< $(jq 'del(.linux.namespaces[] | select(.type == "network"))' #{path}/#{image}/config.json) > #{path}/#{image}/config.json
+# EOT
+# action :run
+# only_if do
+# `jq -r '.linux.namespaces[] | select(.type == "network") | .type' #{path}/#{image}/config.json`.strip == 'network'
+# end
+# only_if { network == 'host' }
+# end
+#
+# file "/usr/local/bin/patch_process_env_#{image}.sh" do
+# content <<~EOT
+# #!/usr/bin/bash
+# set -euo pipefail
+# cat <<< $(jq '.process.env += #{env}' #{path}/#{image}/config.json) > #{path}/#{image}/config.json
+# EOT
+# owner 'root'
+# group 'root'
+# mode '0755'
+# action :create
+# notifies :run, "execute[patch #{path}/#{image}/config.json process env]", :immediately
+# end
+#
+# execute "patch #{path}/#{image}/config.json process env" do
+# command "/usr/local/bin/patch_process_env_#{image}.sh"
+# action :nothing
+# # TODO: Add a guard, complicated to find if env vars are missing
+# end
+end
diff --git a/esh_undocker/resources/network.rb b/esh_undocker/resources/network.rb
new file mode 100644
index 0000000..776715a
--- /dev/null
+++ b/esh_undocker/resources/network.rb
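Review bot: The `done` line inside the `umoci unpack` heredoc is a stray shell keyword with no matching `do`, so the shell that runs the `execute` command very likely reports a syntax error with status 2 after umoci has already finished — which is what the `# Weird, umoci return 2 not 0...` comment and `returns 2` are papering over. Because that status replaces umoci's own, a failed unpack also ends with 2 and is treated as success, leaving a partial or missing bundle under `/opt/undocker/<image>` while the converge reports no error. Drop the `done` line together with `returns 2` and the comment so the default expectation of exit 0 applies to umoci itself. The commented-out env patch interpolates the Ruby Array `#{env}` straight into a jq program; if that block is revived, serialise it with `env.to_json` so values containing quotes or backslashes cannot break out of the jq expression.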
@@ -0,0 +1,99 @@
+#
+# Cookbook:: esh_undocker
+# Resource:: network
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+unified_mode true
+property :ip_addr, String, name_property: true
+property :image, String, required: true
+default_action :setup
+
+action :setup do
+ ip_addr = new_resource.ip_addr
+ image = new_resource.image
+ netns_name = image
+ eth_name = image[0..8]
+
+ apt_package 'bridge-utils'
+
+ file '/etc/systemd/network/undocker0.netdev' do
+ content <<~EOT
+ [NetDev]
+ Name=undocker0
+ Kind=bridge
+ EOT
+ owner 'root'
+ group 'root'
+ mode '0644'
+ action :create
+ notifies :restart, 'service[systemd-networkd]', :immediately
+ end
+
+ file '/etc/systemd/network/undocker0.network' do
+ content <<~EOT
+ [Match]
+ Name=undocker0
+ Driver=bridge
+ [Network]
+ Address=10.10.10.1/24
+ LinkLocalAddressing=yes
+ DHCPServer=no
+ IPMasquerade=yes
+ LLDP=yes
+ EmitLLDP=customer-bridge
+ EOT
+ owner 'root'
+ group 'root'
+ mode '0644'
+ action :create
+ notifies :restart, 'service[systemd-networkd]', :immediately
+ end
+
+ service 'systemd-networkd' do
+ action :nothing
+ end
+
+ systemd_unit "#{image}-network.service" do
+ content <<~EOU
+ [Unit]
+ Description=ESH Piped Network Service
+ After=network.target
+ Before=#{image}.service
+
+ [Service]
+ Type=oneshot
+ RemainAfterExit=yes
+ # Weird bug where you need to mount sys again...
+ ExecStart=-/usr/bin/mkdir -p /sys2
+ ExecStart=-/usr/bin/mount -t sysfs --make-private /sys2
+ ExecStart=-/usr/bin/ip netns add #{netns_name}
+ ExecStart=-/usr/bin/ip link add name vb-#{eth_name} type veth peer name host-#{eth_name}
+ ExecStart=-/usr/bin/ip link set host-#{eth_name} netns #{netns_name}
+ ExecStart=-/usr/bin/ip netns exec #{netns_name} ip addr add #{ip_addr}/24 dev host-#{eth_name}
+ ExecStart=-/usr/bin/ip netns exec #{netns_name} ip link set host-#{eth_name} up
+ ExecStart=-/usr/bin/ip netns exec #{netns_name} ip route add 10.10.10.0/24 dev host-#{eth_name}
+ ExecStart=-/usr/bin/ip netns exec #{netns_name} ip link set lo up
+ ExecStart=-/usr/bin/ip link set vb-#{eth_name} up
+ ExecStart=-/usr/bin/ip netns exec #{netns_name} ip route add default via 10.10.10.1 dev host-#{eth_name}
+ ExecStart=-/usr/sbin/brctl addif undocker0 vb-#{eth_name}
+ Restart=on-failure
+
+ [Install]
+ WantedBy=multi-user.target
+ EOU
+ action [:create, :enable, :start]
+ end
+end
diff --git a/esh_undocker/resources/service.rb b/esh_undocker/resources/service.rb
new file mode 100644
index 0000000..a874979
--- /dev/null
+++ b/esh_undocker/resources/service.rb
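Review bot: Every `ExecStart=` in the generated `#{image}-network.service` carries the `-` prefix, so a failure of `ip netns add`, the veth creation or `ip addr add #{ip_addr}/24` is ignored and the oneshot unit still reports success, which means `#{image}.service` (ordered after it via `Before=`) can start without the namespace it presumably expects. Keep the `-` only on the two `/sys2` workaround lines and let the namespace, veth, address and bridge commands fail the unit. `ip_addr` and `image` are interpolated into the unit without validation: `#{ip_addr}/24` is assumed to be an IPv4 address inside the hard-coded `10.10.10.0/24`, and `image[0..8]` must yield something usable in an interface name (two images sharing their first nine characters collide on `vb-`/`host-`), so a `callbacks:` validation on both properties would surface this at compile time instead of at unit start. `Description=ESH Piped Network Service` looks copied from one consumer; `Description=ESH #{image} network namespace` stays accurate for every image. Whether `Restart=on-failure` is accepted for a `Type=oneshot` unit depends on the target's systemd version — worth checking with `systemd-analyze verify`.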
@@ -0,0 +1,40 @@
+#
+# Cookbook:: esh_undocker
+# Resource:: service
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+unified_mode true
+property :image, String, name_property: true
+property :content, String, required: true
+default_action :service
+
+action :service do
+ image = new_resource.image
+ content = new_resource.content
+
+ apt_package 'systemd-container'
+
+ systemd_unit "#{image}.service" do
+ content content
+ verify false
+ action [:create, :enable, :start]
+ end
+
+ service "#{image}.service" do
+ action :nothing
+ subscribes :restart, "systemd_unit[#{image}.service]", :immediately
+ end
+end
diff --git a/esh_undocker/test/integration/default/default_test.rb b/esh_undocker/test/integration/default/default_test.rb
new file mode 100644
index 0000000..1ec0669
--- /dev/null
+++ b/esh_undocker/test/integration/default/default_test.rb
@@ -0,0 +1,16 @@
+# Chef InSpec test for recipe esh_undocker::default
+
+# The Chef InSpec reference, with examples and extensive documentation, can be
+# found at https://docs.chef.io/inspec/resources/
+
+unless os.windows?
+ # This is an example test, replace with your own test.
+ describe user('root'), :skip do
+ it { should exist }
+ end
+end
+
+# This is an example test, replace it with your own test.
+describe port(80), :skip do
+ it { should_not be_listening }
+end
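Review bot: `verify false` on `systemd_unit "#{image}.service"` disables the systemd-analyze check for a unit whose whole body arrives through the `content` property (node-attribute data in the callers), so a malformed unit is only noticed when systemd refuses it during `action [:create, :enable, :start]`; if verification was turned off because the unit references files that do not exist yet at converge time, say so in a comment, otherwise leave it on. `content content` inside the block depends on Ruby resolving the first identifier to the property setter and the second to the local variable; `unit_content = new_resource.content` followed by `content unit_content` reads unambiguously. `image` is also used verbatim as the unit name here and as the netns name in the network resource, so a value containing `/` or `:` (as Docker image references do) would produce invalid names; if callers can pass such values, the property wants a `regex:` validation or a sanitised local.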
diff --git a/esh_vaultwarden/.delivery/project.toml b/esh_vaultwarden/.delivery/project.toml new file mode 100644 index 0000000..3a12ab5 --- /dev/null +++ b/esh_vaultwarden/.delivery/project.toml @@ -0,0 +1,32 @@ +# Delivery for Local Phases Execution +# +# This file allows you to execute test phases locally on a workstation or +# in a CI pipeline. The delivery-cli will read this file and execute the +# command(s) that are configured for each phase. You can customize them +# by just modifying the phase key on this file. +# +# By default these phases are configured for Cookbook Workflow only +# + +[local_phases] +unit = "echo skipping unit phase." +lint = "chef exec cookstyle" +# foodcritic has been deprecated in favor of cookstyle so we skip the syntax +# phase now. +syntax = "echo skipping syntax phase. Use lint phase instead." +provision = "chef exec kitchen create" +deploy = "chef exec kitchen converge" +smoke = "chef exec kitchen verify" +# The functional phase is optional, you can define it by uncommenting +# the line below and running the command: `delivery local functional` +# functional = "" +cleanup = "chef exec kitchen destroy" + +# Remote project.toml file +# +# Instead of the local phases above, you may specify a remote URI location for +# the `project.toml` file. This is useful for teams that wish to centrally +# manage the behavior of the `delivery local` command across many different +# projects. +# +# remote_file = "https://url/project.toml" diff --git a/esh_vaultwarden/.gitignore b/esh_vaultwarden/.gitignore new file mode 100644 index 0000000..f1e57b8 --- /dev/null +++ b/esh_vaultwarden/.gitignore @@ -0,0 +1,25 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +kitchen.local.yml + +# Chef Infra +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json + +.idea/ + 
diff --git a/esh_vaultwarden/CHANGELOG.md b/esh_vaultwarden/CHANGELOG.md new file mode 100644 index 0000000..04c1346 --- /dev/null +++ b/esh_vaultwarden/CHANGELOG.md @@ -0,0 +1,10 @@ +# esh_vaultwarden CHANGELOG + +This file is used to list changes made in each version of the esh_vaultwarden cookbook. + +## 0.1.0 + +Initial release. + +- change 0 +- change 1 diff --git a/esh_vaultwarden/LICENSE b/esh_vaultwarden/LICENSE new file mode 100644 index 0000000..11069ed --- /dev/null +++ b/esh_vaultwarden/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/esh_vaultwarden/Policyfile.rb b/esh_vaultwarden/Policyfile.rb new file mode 100644 index 0000000..59cf09c --- /dev/null +++ b/esh_vaultwarden/Policyfile.rb @@ -0,0 +1,16 @@ +# Policyfile.rb - Describe how you want Chef Infra Client to build your system. +# +# For more information on the Policyfile feature, visit +# https://docs.chef.io/policyfile/ + +# A name that describes what the system you're building with Chef does. +name 'esh_vaultwarden' + +# Where to find external cookbooks: +default_source :supermarket + +# run_list: chef-client will run these recipes in the order specified. +run_list 'esh_vaultwarden::default' + +# Specify a custom source for a single cookbook: +cookbook 'esh_vaultwarden', path: '.' 
diff --git a/esh_vaultwarden/README.md b/esh_vaultwarden/README.md new file mode 100644 index 0000000..b89cbf9 --- /dev/null +++ b/esh_vaultwarden/README.md @@ -0,0 +1,4 @@ +# esh_vaultwarden + +TODO: Enter the cookbook description here. + diff --git a/esh_vaultwarden/chefignore b/esh_vaultwarden/chefignore new file mode 100644 index 0000000..cc170ea --- /dev/null +++ b/esh_vaultwarden/chefignore @@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen.yml* +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/esh_vaultwarden/files/default/default b/esh_vaultwarden/files/default/default new file mode 100644 index 0000000..14e12cb --- /dev/null +++ b/esh_vaultwarden/files/default/default 
@@ -0,0 +1,59 @@
+# The `upstream` directives ensure that you have a http/1.1 connection
+# This enables the keepalive option and better performance
+#
+# Define the server IP and ports here.
+upstream vaultwarden-default {
+ zone vaultwarden-default 64k;
+ server 127.0.0.1:8000;
+ keepalive 2;
+}
+
+# Needed to support websocket connections
+# See: https://nginx.org/en/docs/http/websocket.html
+# Instead of "close" as stated in the above link we send an empty value.
+# Else all keepalive connections will not work.
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' "";
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name _;
+
+ client_max_body_size 525M;
+
+ location / {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_pass http://vaultwarden-default;
+ }
+
+ # Optionally add extra authentication besides the ADMIN_TOKEN
+ # Remove the comments below `#` and create the htpasswd_file to have it active
+ #
+ #location /admin {
+ # # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
+ # auth_basic "Private";
+ # auth_basic_user_file /path/to/htpasswd_file;
+ #
+ # proxy_http_version 1.1;
+ # proxy_set_header Upgrade $http_upgrade;
+ # proxy_set_header Connection $connection_upgrade;
+ #
+ # proxy_set_header Host $host;
+ # proxy_set_header X-Real-IP $remote_addr;
+ # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # proxy_set_header X-Forwarded-Proto $scheme;
+ #
+ # proxy_pass http://vaultwarden-default;
+ #}
+}
\ No newline at end of file
diff --git a/esh_vaultwarden/kitchen.yml b/esh_vaultwarden/kitchen.yml
new file mode 100644
index 0000000..cef0219
--- /dev/null
+++ b/esh_vaultwarden/kitchen.yml
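Review bot: The server block listens only on plain HTTP (`listen 80; listen [::]:80;` with `server_name _`) yet sends `X-Forwarded-Proto $scheme`, which is always `http` here; the Vaultwarden web vault needs an HTTPS origin for the browser crypto APIs, so this file presumably sits behind a TLS terminator elsewhere in the repository. In that layout `$scheme` and `X-Real-IP $remote_addr` describe the hop from the front proxy rather than the client, so Vaultwarden's per-IP login rate limiting and admin logs see the proxy's address; forward the front proxy's own `X-Forwarded-Proto` value and bind `listen` to the proxy-facing address instead of every interface. `/admin` stays protected by ADMIN_TOKEN alone because the `auth_basic` block is commented out; since the recipe already ships this file, it could also ship the htpasswd file and enable the block rather than leaving it as a manual step. The file ends without a trailing newline.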
@@ -0,0 +1,31 @@ +--- +driver: + name: vagrant + +## The forwarded_port port feature lets you connect to ports on the VM guest +## via localhost on the host. +## see also: https://www.vagrantup.com/docs/networking/forwarded_ports + +# network: +# - ["forwarded_port", {guest: 80, host: 8080}] + +provisioner: + name: chef_zero + + ## product_name and product_version specifies a specific Chef product and version to install. + ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/ + # product_name: chef + # product_version: 17 + +verifier: + name: inspec + +platforms: + - name: ubuntu-20.04 + - name: centos-8 + +suites: + - name: default + verifier: + inspec_tests: + - test/integration/default diff --git a/esh_vaultwarden/metadata.rb b/esh_vaultwarden/metadata.rb new file mode 100644 index 0000000..e2dc62e --- /dev/null +++ b/esh_vaultwarden/metadata.rb @@ -0,0 +1,20 @@ +name 'esh_vaultwarden' +maintainer 'https://easyself.host' +maintainer_email 'esh@benpro.fr' +license 'Apache-2.0' +description 'Installs/Configures esh_vaultwarden' +version '0.1.0' +chef_version '>= 16.0' +depends 'esh_undocker' + +# The `issues_url` points to the location where issues for this cookbook are +# tracked. A `View Issues` link will be displayed on this cookbook's page when +# uploaded to a Supermarket. +# +# issues_url 'https://github.com//esh_vaultwarden/issues' + +# The `source_url` points to the development repository for this cookbook. A +# `View Source` link will be displayed on this cookbook's page when uploaded to +# a Supermarket. +# +# source_url 'https://github.com//esh_vaultwarden' diff --git a/esh_vaultwarden/recipes/default.rb b/esh_vaultwarden/recipes/default.rb new file mode 100644 index 0000000..e6eec21 --- /dev/null +++ b/esh_vaultwarden/recipes/default.rb 
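Review bot: `platforms` lists `centos-8` next to `ubuntu-20.04`, but this cookbook's recipes install with `apt_package` and `metadata.rb` in the same hunk declares no `supports` line, so a converge on the CentOS box would fail; drop that entry or add `supports 'ubuntu'` to metadata so the mismatch is explicit. The default suite converges `esh_vaultwarden::default`, and that recipe appears to contain only the licence header elsewhere in this commit, so `kitchen verify` exercises nothing from `recipes/service.rb`; give the suite a run_list that includes the service recipe, or note in kitchen.yml that kitchen is not used for this cookbook.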
@@ -0,0 +1,17 @@ +# +# Cookbook:: esh_vaultwarden +# Recipe:: default +# +# Copyright:: 2023, https://easyself.host +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/esh_vaultwarden/recipes/service.rb b/esh_vaultwarden/recipes/service.rb new file mode 100644 index 0000000..29ec731 --- /dev/null +++ b/esh_vaultwarden/recipes/service.rb 
@@ -0,0 +1,114 @@
+#
+# Cookbook:: esh_vaultwarden
+# Recipe:: service
+#
+# Copyright:: 2023, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+esh_undocker_download node['esh']['vaultwarden']['docker']['image']
+esh_undocker_extract node['esh']['vaultwarden']['docker']['image']
+
+group 'vaultwarden' do
+ system true
+ action :create
+end
+
+user 'vaultwarden' do
+ comment 'vaultwarden system user'
+ gid 'vaultwarden'
+ home '/var/lib/vaultwarden'
+ manage_home true
+ shell '/sbin/nologin'
+ system true
+ action :create
+end
+
+apt_package 'nginx'
+
+cookbook_file '/etc/nginx/sites-available/default' do
+ owner 'root'
+ group 'root'
+ mode '0444'
+ notifies :restart, 'service[nginx]', :delayed
+ action :create
+end
+
+directory '/etc/vaultwarden' do
+ owner 'vaultwarden'
+ group 'vaultwarden'
+ mode '0500'
+ action :create
+end
+
+directory '/var/lib/vaultwarden' do
+ owner 'vaultwarden'
+ group 'vaultwarden'
+ mode '0700'
+ action :create
+end
+
+file '/etc/vaultwarden/vaultwarden.cfg' do
+ content node['esh']['vaultwarden']['service']['config']
+ owner 'vaultwarden'
+ group 'vaultwarden'
+ mode '0400'
+ notifies :restart, 'service[vaultwarden]', :delayed
+ action :create
+end
+
+file '/etc/ld.so.conf.d/zzz-vaultwarden.conf' do
+ content '/opt/undocker/vaultwarden/server/rootfs/usr/lib/x86_64-linux-gnu'
+ owner 'root'
+ group 'root'
+ mode '0400'
+ notifies :run, 'execute[ldconfig]', :immediately
+ action :create
+end
+
+execute 'ldconfig' do
+ command 'ldconfig'
+ action :nothing
+end
+
+systemd_unit 'vaultwarden.service' do
+ content <<~EOU
+ [Unit]
+ Description=Vaultwarden - A Bitwarden API server
+ After=network.target
+
+ [Service]
+ Type=simple
+ User=vaultwarden
+ ExecStart=/opt/undocker/vaultwarden/server/rootfs/vaultwarden
+ PrivateTmp=true
+ PrivateDevices=true
+ ProtectHome=true
+ ProtectSystem=full
+ WorkingDirectory=/var/lib/vaultwarden
+ ReadWriteDirectories=/var/lib/vaultwarden
+ EnvironmentFile=/etc/vaultwarden/vaultwarden.cfg
+
+ [Install]
+ WantedBy=multi-user.target
+ EOU
+ action :create
+end
+
+service 'vaultwarden' do
+ action [:start, :enable]
+end
+
+service 'nginx' do
+ action [:start, :enable]
+end
diff --git a/esh_vaultwarden/test/integration/default/default_test.rb b/esh_vaultwarden/test/integration/default/default_test.rb
new file mode 100644
index 0000000..a3bf17c
--- /dev/null
+++ b/esh_vaultwarden/test/integration/default/default_test.rb
@@ -0,0 +1,16 @@
+# Chef InSpec test for recipe esh_vaultwarden::default
+
+# The Chef InSpec reference, with examples and extensive documentation, can be
+# found at https://docs.chef.io/inspec/resources/
+
+unless os.windows?
+ # This is an example test, replace with your own test.
+ describe user('root'), :skip do
+ it { should exist }
+ end
+end
+
+# This is an example test, replace it with your own test.
+describe port(80), :skip do
+ it { should_not be_listening }
+end
diff --git a/esh_webhook/.delivery/project.toml b/esh_webhook/.delivery/project.toml
new file mode 100644
index 0000000..3a12ab5
--- /dev/null
+++ b/esh_webhook/.delivery/project.toml
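Review bot: `file '/etc/ld.so.conf.d/zzz-vaultwarden.conf'` puts the extracted image's `usr/lib/x86_64-linux-gnu` on the host-wide dynamic linker path, so after `ldconfig` every process on the machine, not just vaultwarden, can resolve shared libraries out of `/opt/undocker/vaultwarden/server/rootfs`, a tree that is rewritten whenever `esh_undocker_extract` unpacks a new image; the `zzz-` prefix only keeps the system directories ahead for sonames present in both. Scoping it to the service with `Environment=LD_LIBRARY_PATH=/opt/undocker/vaultwarden/server/rootfs/usr/lib/x86_64-linux-gnu` in the unit's `[Service]` section, and dropping the ld.so.conf.d file plus the `execute 'ldconfig'` resource, confines that to one process. `/etc/vaultwarden/vaultwarden.cfg` is filled from a node attribute and serves as the EnvironmentFile, which for Vaultwarden typically carries ADMIN_TOKEN and database credentials, yet the resource lacks `sensitive true`, so Chef prints the full content diff in its output and logs whenever it changes. In the unit, `ReadWriteDirectories=` is the pre-systemd-231 spelling of `ReadWritePaths=`, and `ProtectSystem=strict` with `NoNewPrivileges=true` would tighten a sandbox that already runs as an unprivileged user with its only writable state under `/var/lib/vaultwarden`. The InSpec hunk sharing this anchor is scaffolding with `:skip` on both examples, so `kitchen verify` asserts nothing about this recipe.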
@@ -0,0 +1,32 @@ +# Delivery for Local Phases Execution +# +# This file allows you to execute test phases locally on a workstation or +# in a CI pipeline. The delivery-cli will read this file and execute the +# command(s) that are configured for each phase. You can customize them +# by just modifying the phase key on this file. +# +# By default these phases are configured for Cookbook Workflow only +# + +[local_phases] +unit = "echo skipping unit phase." +lint = "chef exec cookstyle" +# foodcritic has been deprecated in favor of cookstyle so we skip the syntax +# phase now. +syntax = "echo skipping syntax phase. Use lint phase instead." +provision = "chef exec kitchen create" +deploy = "chef exec kitchen converge" +smoke = "chef exec kitchen verify" +# The functional phase is optional, you can define it by uncommenting +# the line below and running the command: `delivery local functional` +# functional = "" +cleanup = "chef exec kitchen destroy" + +# Remote project.toml file +# +# Instead of the local phases above, you may specify a remote URI location for +# the `project.toml` file. This is useful for teams that wish to centrally +# manage the behavior of the `delivery local` command across many different +# projects. +# +# remote_file = "https://url/project.toml" diff --git a/esh_webhook/.gitignore b/esh_webhook/.gitignore new file mode 100644 index 0000000..f1e57b8 --- /dev/null +++ b/esh_webhook/.gitignore @@ -0,0 +1,25 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +kitchen.local.yml + +# Chef Infra +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json + +.idea/ + diff --git a/esh_webhook/CHANGELOG.md b/esh_webhook/CHANGELOG.md new file mode 100644 index 0000000..5b3a405 --- /dev/null +++ b/esh_webhook/CHANGELOG.md 
@@ -0,0 +1,10 @@ +# esh_webhook CHANGELOG + +This file is used to list changes made in each version of the esh_webhook cookbook. + +## 0.1.0 + +Initial release. + +- change 0 +- change 1 diff --git a/esh_webhook/LICENSE b/esh_webhook/LICENSE new file mode 100644 index 0000000..11069ed --- /dev/null +++ b/esh_webhook/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/esh_webhook/Policyfile.rb b/esh_webhook/Policyfile.rb new file mode 100644 index 0000000..2a94654 --- /dev/null +++ b/esh_webhook/Policyfile.rb @@ -0,0 +1,16 @@ +# Policyfile.rb - Describe how you want Chef Infra Client to build your system. +# +# For more information on the Policyfile feature, visit +# https://docs.chef.io/policyfile/ + +# A name that describes what the system you're building with Chef does. +name 'esh_webhook' + +# Where to find external cookbooks: +default_source :supermarket + +# run_list: chef-client will run these recipes in the order specified. +run_list 'esh_webhook::default' + +# Specify a custom source for a single cookbook: +cookbook 'esh_webhook', path: '.' diff --git a/esh_webhook/README.md b/esh_webhook/README.md new file mode 100644 index 0000000..6ffd0ff --- /dev/null 
+++ b/esh_webhook/README.md
@@ -0,0 +1,4 @@
+# esh_webhook
+
+TODO: Enter the cookbook description here.
+
diff --git a/esh_webhook/chefignore b/esh_webhook/chefignore
new file mode 100644
index 0000000..cc170ea
--- /dev/null
+++ b/esh_webhook/chefignore
@@ -0,0 +1,115 @@
+# Put files/directories that should be ignored in this file when uploading
+# to a Chef Infra Server or Supermarket.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+ehthumbs.db
+Icon?
+nohup.out
+Thumbs.db
+.envrc
+
+# EDITORS #
+###########
+.#*
+.project
+.settings
+*_flymake
+*_flymake.*
+*.bak
+*.sw[a-z]
+*.tmproj
+*~
+\#*
+REVISION
+TAGS*
+tmtags
+.vscode
+.editorconfig
+
+## COMPILED ##
+##############
+*.class
+*.com
+*.dll
+*.exe
+*.o
+*.pyc
+*.so
+*/rdoc/
+a.out
+mkmf.log
+
+# Testing #
+###########
+.circleci/*
+.codeclimate.yml
+.delivery/*
+.foodcritic
+.kitchen*
+.mdlrc
+.overcommit.yml
+.rspec
+.rubocop.yml
+.travis.yml
+.watchr
+.yamllint
+azure-pipelines.yml
+Dangerfile
+examples/*
+features/*
+Guardfile
+kitchen.yml*
+mlc_config.json
+Procfile
+Rakefile
+spec/*
+test/*
+
+# SCM #
+#######
+.git
+.gitattributes
+.gitconfig
+.github/*
+.gitignore
+.gitkeep
+.gitmodules
+.svn
+*/.bzr/*
+*/.git
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Bundler #
+###########
+vendor/*
+Gemfile
+Gemfile.lock
+
+# Policyfile #
+##############
+Policyfile.rb
+Policyfile.lock.json
+
+# Documentation #
+#############
+CODE_OF_CONDUCT*
+CONTRIBUTING*
+documentation/*
+TESTING*
+UPGRADING*
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile
diff --git a/esh_webhook/files/default/webhook.sh b/esh_webhook/files/default/webhook.sh
new file mode 100644
index 0000000..fdc2e53
--- /dev/null
+++ b/esh_webhook/files/default/webhook.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+set -euo pipefail
+
+
+laminarc queue "$1"
\ No newline at end of file
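Review bot: `laminarc queue "$1"` hands the `repository.name` payload field (the value hooks.json.erb passes as the only argument) to laminarc with no check on its shape, and under `set -u` a call with no argument aborts with an unbound-variable error rather than a clear message. A guard such as `[[ "${1:-}" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "webhook.sh: invalid job name" >&2; exit 1; }` keeps the job name to the characters a Laminar job name is expected to have, even when a delivery that passes the HMAC check carries an odd repository name. The file is also missing its trailing newline.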
diff --git a/esh_webhook/kitchen.yml b/esh_webhook/kitchen.yml
new file mode 100644
index 0000000..cef0219
--- /dev/null
+++ b/esh_webhook/kitchen.yml
@@ -0,0 +1,31 @@
+---
+driver:
+ name: vagrant
+
+## The forwarded_port port feature lets you connect to ports on the VM guest
+## via localhost on the host.
+## see also: https://www.vagrantup.com/docs/networking/forwarded_ports
+
+# network:
+# - ["forwarded_port", {guest: 80, host: 8080}]
+
+provisioner:
+ name: chef_zero
+
+ ## product_name and product_version specifies a specific Chef product and version to install.
+ ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/
+ # product_name: chef
+ # product_version: 17
+
+verifier:
+ name: inspec
+
+platforms:
+ - name: ubuntu-20.04
+ - name: centos-8
+
+suites:
+ - name: default
+ verifier:
+ inspec_tests:
+ - test/integration/default
diff --git a/esh_webhook/metadata.rb b/esh_webhook/metadata.rb
new file mode 100644
index 0000000..a1ad0a8
--- /dev/null
+++ b/esh_webhook/metadata.rb
@@ -0,0 +1,19 @@
+name 'esh_webhook'
+maintainer 'https://easyself.host'
+maintainer_email 'esh@benpro.fr'
+license 'Apache-2.0'
+description 'Installs/Configures esh_webhook'
+version '0.1.0'
+chef_version '>= 16.0'
+
+# The `issues_url` points to the location where issues for this cookbook are
+# tracked. A `View Issues` link will be displayed on this cookbook's page when
+# uploaded to a Supermarket.
+#
+# issues_url 'https://github.com//esh_webhook/issues'
+
+# The `source_url` points to the development repository for this cookbook. A
+# `View Source` link will be displayed on this cookbook's page when uploaded to
+# a Supermarket.
+#
+# source_url 'https://github.com//esh_webhook'
diff --git a/esh_webhook/recipes/default.rb b/esh_webhook/recipes/default.rb
new file mode 100644
index 0000000..a4e0061
--- /dev/null
+++ b/esh_webhook/recipes/default.rb
@@ -0,0 +1,17 @@
+#
+# Cookbook:: esh_webhook
+# Recipe:: default
+#
+# Copyright:: 2023, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
diff --git a/esh_webhook/recipes/service.rb b/esh_webhook/recipes/service.rb
new file mode 100644
index 0000000..c262c13
--- /dev/null
+++ b/esh_webhook/recipes/service.rb
@@ -0,0 +1,72 @@
+#
+# Cookbook:: esh_webhook
+# Recipe:: service
+#
+# Copyright:: 2023, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+version = node['esh']['webhook']['service']['version']
+url = "https://github.com/adnanh/webhook/releases/download/#{version}/webhook-linux-amd64.tar.gz"
+
+remote_file "webhook.#{version}.tar.gz" do
+ source url
+ path "#{Chef::Config[:file_cache_path]}/webhook.#{version}.tar.gz"
+ notifies :run, 'execute[extract webhook]', :immediately
+end
+
+execute 'extract webhook' do
+ command <<~EOT
+ tar -zxvf \
+ #{Chef::Config[:file_cache_path]}/webhook.#{version}.tar.gz \
+ -C /usr/local/bin webhook-linux-amd64/webhook \
+ --strip-components=1
+ EOT
+ action :nothing
+end
+
+cookbook_file '/usr/local/bin/webhook.sh' do
+ owner 'root'
+ group 'root'
+ mode '0755'
+ action :create
+end
+
+template '/etc/webhook/hooks.json' do
+ owner 'webhook'
+ group 'webhook'
+ mode '0400'
+ variables secret: node['esh']['webhook']['service']['hook_secret']
+ action :create
+end
+
+systemd_unit 'webhook.service' do
+ content <<~EOU
+ [Unit]
+ Description=Webhook service
+
+ [Service]
+ User=webhook
+ Group=webhook
+ ExecStart=/usr/local/bin/webhook -hooks /etc/webhook/hooks.json -debug
+
+ [Install]
+ WantedBy=multi-user.target
+ EOU
+ action :create
+end
+
+service 'webhook' do
+ action [:enable, :start]
+ subscribes :restart, 'template[/etc/webhook/hooks.json]', :delayed
+end
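Review bot: The `remote_file "webhook.#{version}.tar.gz"` resource fetches the release tarball with no `checksum`, so whatever the download returns is unpacked straight into /usr/local/bin by `execute 'extract webhook'`; adding `checksum '<sha256 of the pinned release tarball>'` (placeholder) next to `source url` makes the install fail closed on a tampered or unexpected artifact and also stops needless re-downloads. The unit's `ExecStart` carries `-debug` permanently, which presumably writes request details for every delivery into the journal; it belongs in a troubleshooting session, not the shipped unit. The `[Service]` section could also carry `NoNewPrivileges=true` and `PrivateTmp=true`, since the process only needs to read /etc/webhook and run /usr/local/bin/webhook.sh, and the extracted binary's owner and mode are left to whatever the archive recorded rather than being set explicitly.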
diff --git a/esh_webhook/recipes/system.rb b/esh_webhook/recipes/system.rb
new file mode 100644
index 0000000..37609df
--- /dev/null
+++ b/esh_webhook/recipes/system.rb
@@ -0,0 +1,38 @@
+#
+# Cookbook:: esh_webhook
+# Recipe:: system
+#
+# Copyright:: 2023, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+group 'webhook' do
+ system true
+ action :create
+end
+
+user 'webhook' do
+ comment 'webhook system user'
+ gid 'webhook'
+ home '/'
+ shell '/sbin/nologin'
+ system true
+ action :create
+end
+
+directory '/etc/webhook' do
+ owner 'webhook'
+ group 'webhook'
+ mode '0755'
+ action :create
+end
diff --git a/esh_webhook/templates/default/hooks.json.erb b/esh_webhook/templates/default/hooks.json.erb
new file mode 100644
index 0000000..474b714
--- /dev/null
+++ b/esh_webhook/templates/default/hooks.json.erb
@@ -0,0 +1,44 @@
+[
+ {
+ "id": "webhook",
+ "execute-command": "/usr/local/bin/webhook.sh",
+ "command-working-directory": "/tmp",
+ "pass-arguments-to-command":
+ [
+ {
+ "source": "payload",
+ "name": "repository.name"
+ }
+ ],
+ "trigger-rule":
+ {
+ "and":
+ [
+ {
+ "match":
+ {
+ "type": "payload-hmac-sha1",
+ "secret": "<%= @secret %>",
+ "parameter":
+ {
+ "source": "header",
+ "name": "X-Hub-Signature"
+ }
+ }
+ },
+ {
+ "match":
+ {
+ "type": "value",
+ "value": "refs/heads/master",
+ "parameter":
+ {
+ "source": "payload",
+ "name": "ref"
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
\ No newline at end of file
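Review bot: `directory '/etc/webhook'` is owned by `webhook:webhook`, and the `hooks.json` template in recipes/service.rb is likewise `owner 'webhook'`, so the account that handles untrusted HTTP requests can rewrite its own trigger rule, HMAC secret and `execute-command`; make the configuration read-only for the service, e.g. `owner 'root'`, `group 'webhook'`, `mode '0750'` here and root:webhook with mode 0640 on the template. `shell '/sbin/nologin'` is the Red Hat location; on the Ubuntu platform listed in kitchen.yml the binary lives at /usr/sbin/nologin and presumably only resolves through the merged-/usr symlink, so `/usr/sbin/nologin` or a platform-conditional value would be safer.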
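Review bot: `"secret": "<%= @secret %>"` interpolates the HMAC secret raw into a JSON string, so a secret containing `"` or `\` produces a hooks.json that webhook cannot parse and the hook never fires; emit it as a JSON literal instead, `"secret": <%= @secret.to_json %>`. The rule verifies the legacy `X-Hub-Signature` header with `payload-hmac-sha1`; GitHub also sends `X-Hub-Signature-256` and webhook supports `payload-hmac-sha256`, which is the stronger check to move to when the sender is GitHub. The file is also missing its trailing newline.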
diff --git a/esh_webhook/test/integration/default/default_test.rb b/esh_webhook/test/integration/default/default_test.rb
new file mode 100644
index 0000000..76b4d71
--- /dev/null
+++ b/esh_webhook/test/integration/default/default_test.rb
@@ -0,0 +1,16 @@
+# Chef InSpec test for recipe esh_webhook::default
+
+# The Chef InSpec reference, with examples and extensive documentation, can be
+# found at https://docs.chef.io/inspec/resources/
+
+unless os.windows?
+ # This is an example test, replace with your own test.
+ describe user('root'), :skip do
+ it { should exist }
+ end
+end
+
+# This is an example test, replace it with your own test.
+describe port(80), :skip do
+ it { should_not be_listening }
+end
diff --git a/esh_wireguard/.gitignore b/esh_wireguard/.gitignore
new file mode 100644
index 0000000..f1e57b8
--- /dev/null
+++ b/esh_wireguard/.gitignore
@@ -0,0 +1,25 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+kitchen.local.yml
+
+# Chef Infra
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json
+
+.idea/
+
diff --git a/esh_wireguard/CHANGELOG.md b/esh_wireguard/CHANGELOG.md
new file mode 100644
index 0000000..f22c753
--- /dev/null
+++ b/esh_wireguard/CHANGELOG.md
@@ -0,0 +1,10 @@
+# esh_wireguard CHANGELOG
+
+This file is used to list changes made in each version of the esh_wireguard cookbook.
+
+## 0.1.0
+
+Initial release.
+
+- change 0
+- change 1
diff --git a/esh_wireguard/LICENSE b/esh_wireguard/LICENSE
new file mode 100644
index 0000000..11069ed
--- /dev/null
+++ b/esh_wireguard/LICENSE
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/esh_wireguard/Policyfile.rb b/esh_wireguard/Policyfile.rb new file mode 100644 index 0000000..f73594d --- /dev/null +++ b/esh_wireguard/Policyfile.rb @@ -0,0 +1,16 @@ +# Policyfile.rb - Describe how you want Chef Infra Client to build your system. +# +# For more information on the Policyfile feature, visit +# https://docs.chef.io/policyfile/ + +# A name that describes what the system you're building with Chef does. +name 'esh_wireguard' + +# Where to find external cookbooks: +default_source :supermarket + +# run_list: chef-client will run these recipes in the order specified. +run_list 'esh_wireguard::default' + +# Specify a custom source for a single cookbook: +cookbook 'esh_wireguard', path: '.' diff --git a/esh_wireguard/README.md b/esh_wireguard/README.md new file mode 100644 index 0000000..2a4bd4f 
--- /dev/null +++ b/esh_wireguard/README.md @@ -0,0 +1,4 @@ +# esh_wireguard + +TODO: Enter the cookbook description here. + diff --git a/esh_wireguard/chefignore b/esh_wireguard/chefignore new file mode 100644 index 0000000..cc170ea --- /dev/null +++ b/esh_wireguard/chefignore @@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen.yml* +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/esh_wireguard/compliance/README.md b/esh_wireguard/compliance/README.md new file mode 100644 index 0000000..947be3e --- /dev/null +++ b/esh_wireguard/compliance/README.md 
@@ -0,0 +1,25 @@ +# compliance + +This directory contains Chef InSpec profile, waiver and input objects which are used with the Chef Infra Compliance Phase. + +Detailed information on the Chef Infra Compliance Phase can be found in the [Chef Documentation](https://docs.chef.io/chef_compliance_phase/). + +```plain +./compliance +├── inputs +├── profiles +└── waivers +``` + +Use the `chef generate` command from Chef Workstation to create content for these directories: + +```sh +# Generate a Chef InSpec profile +chef generate profile PROFILE_NAME + +# Generate a Chef InSpec waiver file +chef generate waiver WAIVER_NAME + +# Generate a Chef InSpec input file +chef generate input INPUT_NAME +``` diff --git a/esh_wireguard/kitchen.yml b/esh_wireguard/kitchen.yml new file mode 100644 index 0000000..cef0219 --- /dev/null +++ b/esh_wireguard/kitchen.yml @@ -0,0 +1,31 @@ +--- +driver: + name: vagrant + +## The forwarded_port port feature lets you connect to ports on the VM guest +## via localhost on the host. +## see also: https://www.vagrantup.com/docs/networking/forwarded_ports + +# network: +# - ["forwarded_port", {guest: 80, host: 8080}] + +provisioner: + name: chef_zero + + ## product_name and product_version specifies a specific Chef product and version to install. + ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/ + # product_name: chef + # product_version: 17 + +verifier: + name: inspec + +platforms: + - name: ubuntu-20.04 + - name: centos-8 + +suites: + - name: default + verifier: + inspec_tests: + - test/integration/default diff --git a/esh_wireguard/metadata.rb b/esh_wireguard/metadata.rb new file mode 100644 index 0000000..6e8332a --- /dev/null +++ b/esh_wireguard/metadata.rb 
@@ -0,0 +1,19 @@ +name 'esh_wireguard' +maintainer 'https://easyself.host' +maintainer_email 'esh@benpro.fr' +license 'Apache-2.0' +description 'Installs/Configures esh_wireguard' +version '0.1.0' +chef_version '>= 16.0' + +# The `issues_url` points to the location where issues for this cookbook are +# tracked. A `View Issues` link will be displayed on this cookbook's page when +# uploaded to a Supermarket. +# +# issues_url 'https://github.com//esh_wireguard/issues' + +# The `source_url` points to the development repository for this cookbook. A +# `View Source` link will be displayed on this cookbook's page when uploaded to +# a Supermarket. +# +# source_url 'https://github.com//esh_wireguard' diff --git a/esh_wireguard/recipes/default.rb b/esh_wireguard/recipes/default.rb new file mode 100644 index 0000000..1a67cd8 --- /dev/null +++ b/esh_wireguard/recipes/default.rb @@ -0,0 +1,17 @@ +# +# Cookbook:: esh_wireguard +# Recipe:: default +# +# Copyright:: 2022, https://easyself.host +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/esh_wireguard/recipes/peer.rb b/esh_wireguard/recipes/peer.rb new file mode 100644 index 0000000..0cd1682 --- /dev/null +++ b/esh_wireguard/recipes/peer.rb 
@@ -0,0 +1,56 @@
+#
+# Cookbook:: esh_wireguard
+# Recipe:: peer
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apt_package %w(wireguard resolvconf)
+
+file '/etc/wireguard/private.key' do
+ content node['esh']['wireguard']['peer']['privkey']
+ owner 'root'
+ group 'root'
+ mode '0400'
+ action :create
+end
+
+file '/etc/wireguard/public.key' do
+ content node['esh']['wireguard']['peer']['pubkey']
+ owner 'root'
+ group 'root'
+ mode '0444'
+ action :create
+end
+
+template '/etc/wireguard/wg0.conf' do
+ source 'peer.wg0.conf.erb'
+ owner 'root'
+ group 'root'
+ mode '0400'
+ variables privkey: node['esh']['wireguard']['peer']['privkey'],
+ address: node['esh']['wireguard']['peer']['address'],
+ pubkey: node['esh']['wireguard']['server']['pubkey'],
+ allowedips: node['esh']['wireguard']['peer']['allowedips'],
+ endpoint: node['esh']['wireguard']['peer']['endpoint']
+ if node['esh']['wireguard']['peer'].key?('dns')
+ variables dns: node['esh']['wireguard']['peer']['dns']
+ end
+ action :create
+end
+
+service 'wg-quick@wg0.service' do
+ action [:enable, :start]
+ subscribes :restart, 'template[/etc/wireguard/wg0.conf]', :immediately
+end
diff --git a/esh_wireguard/recipes/server.rb b/esh_wireguard/recipes/server.rb
new file mode 100644
index 0000000..ff6504d
--- /dev/null
+++ b/esh_wireguard/recipes/server.rb
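Review bot: Neither `file '/etc/wireguard/private.key'` nor the `template '/etc/wireguard/wg0.conf'` that inlines `@privkey` sets `sensitive true`, so whenever the key changes Chef prints the old/new content diff of the private key into its run log; add `sensitive true` to both resources. The key itself comes from `node['esh']['wireguard']['peer']['privkey']`, a node attribute that is persisted in the node object on the Chef/Cinc server (and in the policy if set there), which is a wider audience than root on this host; an encrypted data bag or vault item is the usual home, and the standalone private.key file is not read by anything visible here since wg0.conf embeds the key. Separately, as far as I can tell the template `variables` property is a plain Hash that is replaced, not merged, on a second call, so when `dns` is present the `variables dns: …` call discards privkey/address/pubkey/allowedips/endpoint and the template renders them empty; build the hash once and pass it in a single call, as below.
```ruby
# … unchanged: apt_package and the two file resources (add sensitive true to private.key) …
peer = node['esh']['wireguard']['peer']
wg_vars = {
  privkey: peer['privkey'],
  address: peer['address'],
  pubkey: node['esh']['wireguard']['server']['pubkey'],
  allowedips: peer['allowedips'],
  endpoint: peer['endpoint'],
}
# DNS is optional; merge it into the same hash instead of calling `variables` twice
wg_vars[:dns] = peer['dns'] if peer.key?('dns')

template '/etc/wireguard/wg0.conf' do
  source 'peer.wg0.conf.erb'
  owner 'root'
  group 'root'
  mode '0400'
  sensitive true # file embeds the private key; keep it out of the run log
  variables wg_vars
  action :create
end
# … unchanged: service resource …
```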
@@ -0,0 +1,71 @@
+#
+# Cookbook:: esh_wireguard
+# Recipe:: server
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apt_package 'wireguard'
+
+file '/etc/wireguard/private.key' do
+ content node['esh']['wireguard']['server']['privkey']
+ owner 'root'
+ group 'root'
+ mode '0400'
+ action :create
+end
+
+file '/etc/wireguard/public.key' do
+ content node['esh']['wireguard']['server']['pubkey']
+ owner 'root'
+ group 'root'
+ mode '0444'
+ action :create
+end
+
+template '/etc/wireguard/wg0.conf' do
+ source 'server.wg0.conf.erb'
+ owner 'root'
+ group 'root'
+ mode '0400'
+ variables privkey: node['esh']['wireguard']['server']['privkey'],
+ address: node['esh']['wireguard']['server']['address'],
+ listenport: node['esh']['wireguard']['server']['listenport'],
+ pubint: node['esh']['wireguard']['server']['pubint']
+ action :create
+end
+
+%w(net.ipv4.ip_forward net.ipv6.conf.all.forwarding).each do |key|
+ sysctl key do
+ value '1'
+ action :apply
+ only_if { node['esh']['wireguard']['server']['routing'] }
+ end
+end
+
+service 'wg-quick@wg0.service' do
+ action [:enable, :start]
+end
+
+node['esh']['wireguard']['server']['peers'].each do |peer, allowedips|
+ execute 'wg allow peers' do
+ command <<~EOT
+ wg set wg0 \
+ peer #{peer} \
+ allowed-ips #{allowedips}
+ EOT
+ action :run
+ not_if "wg | grep -q #{peer}"
+ end
+end
\ No newline at end of file
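Review bot: The peer loop at the end of server.rb only adds: each `execute 'wg allow peers'` runs `wg set wg0 peer … allowed-ips …` behind `not_if "wg | grep -q #{peer}"`, and nothing removes a key that has been dropped from `node['esh']['wireguard']['server']['peers']`, so a revoked peer stays authorized until the interface is torn down (and `SaveConfig = true` in the server template then writes it back into wg0.conf). Reconcile rather than append: render the `[Peer]` sections into wg0.conf from the same hash and apply changes with `bash -c 'wg syncconf wg0 <(wg-quick strip wg0)'` notified by the template, or at minimum add a removal pass that runs `wg set wg0 peer <key> remove` for every key listed by `wg show wg0 peers` that is missing from the attribute. Give each execute a distinct name, `execute "wg allow peer #{peer}"`, since every iteration currently registers a resource under the same name, which makes them indistinguishable in the run log and hard to target from notifications. The `file '/etc/wireguard/private.key'` and `template` resources carry the server private key and should set `sensitive true` so a key change is not diffed into the log; the key also arrives via a node attribute, which the server persists, rather than a secret store.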
diff --git a/esh_wireguard/templates/default/peer.wg0.conf.erb b/esh_wireguard/templates/default/peer.wg0.conf.erb
new file mode 100644
index 0000000..7bf7c2e
--- /dev/null
+++ b/esh_wireguard/templates/default/peer.wg0.conf.erb
@@ -0,0 +1,11 @@
+[Interface]
+PrivateKey = <%= @privkey %>
+Address = <%= @address %>
+<% if defined?(@dns) %>
+DNS = <%= @dns %>
+<% end %>
+
+[Peer]
+PublicKey = <%= @pubkey %>
+AllowedIPs = <%= @allowedips %>
+Endpoint = <%= @endpoint %>
\ No newline at end of file
diff --git a/esh_wireguard/templates/default/server.wg0.conf.erb b/esh_wireguard/templates/default/server.wg0.conf.erb
new file mode 100644
index 0000000..0f7b9c0
--- /dev/null
+++ b/esh_wireguard/templates/default/server.wg0.conf.erb
@@ -0,0 +1,14 @@
+[Interface]
+PrivateKey = <%= @privkey %>
+Address = <%= @address %>
+ListenPort = <%= @listenport %>
+SaveConfig = true
+
+<% if node['esh']['wireguard']['server']['routing'] %>
+PostUp = ufw route allow in on wg0 out on <%= @pubint %>
+PostUp = iptables -t nat -I POSTROUTING -o <%= @pubint %> -j MASQUERADE
+PostUp = ip6tables -t nat -I POSTROUTING -o <%= @pubint %> -j MASQUERADE
+PreDown = ufw route delete allow in on wg0 out on <%= @pubint %>
+PreDown = iptables -t nat -D POSTROUTING -o <%= @pubint %> -j MASQUERADE
+PreDown = ip6tables -t nat -D POSTROUTING -o <%= @pubint %> -j MASQUERADE
+<% end %>
\ No newline at end of file
diff --git a/esh_wireguard/test/integration/default/default_test.rb b/esh_wireguard/test/integration/default/default_test.rb
new file mode 100644
index 0000000..756cbbd
--- /dev/null
+++ b/esh_wireguard/test/integration/default/default_test.rb
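Review bot: `SaveConfig = true` in server.wg0.conf.erb makes wg-quick rewrite /etc/wireguard/wg0.conf from the live interface on every stop, so the file drifts from the Chef-rendered template (runtime `[Peer]` entries get written in, the next Chef run strips them out again) and two writers own one file; since the server recipe already manages peers, drop the line. The NAT rules have no source match — `iptables -t nat -I POSTROUTING -o <%= @pubint %> -j MASQUERADE` masquerades everything forwarded out of the public interface, not just VPN traffic, which is a surprise on a host that also forwards for container bridges; if the VPN subnet is available as an attribute, add `-s <subnet>` to both the add and the matching delete lines, otherwise record the intent in a comment. `ufw route allow in on wg0 out on <%= @pubint %>` likewise gives every peer unrestricted egress through the gateway; if that is the design, a one-line comment above the `<% if … routing %>` block saying so would save the next reader a trip to the recipe.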
@@ -0,0 +1,16 @@ +# Chef InSpec test for recipe esh_wireguard::default + +# The Chef InSpec reference, with examples and extensive documentation, can be +# found at https://docs.chef.io/inspec/resources/ + +unless os.windows? + # This is an example test, replace with your own test. + describe user('root'), :skip do + it { should exist } + end +end + +# This is an example test, replace it with your own test. +describe port(80), :skip do + it { should_not be_listening } +end diff --git a/esh_writefreely/.gitignore b/esh_writefreely/.gitignore new file mode 100644 index 0000000..f1e57b8 --- /dev/null +++ b/esh_writefreely/.gitignore @@ -0,0 +1,25 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +kitchen.local.yml + +# Chef Infra +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json + +.idea/ + diff --git a/esh_writefreely/CHANGELOG.md b/esh_writefreely/CHANGELOG.md new file mode 100644 index 0000000..dc7fcb6 --- /dev/null +++ b/esh_writefreely/CHANGELOG.md @@ -0,0 +1,10 @@ +# esh_writefreely CHANGELOG + +This file is used to list changes made in each version of the esh_writefreely cookbook. + +## 0.1.0 + +Initial release. + +- change 0 +- change 1 diff --git a/esh_writefreely/LICENSE b/esh_writefreely/LICENSE new file mode 100644 index 0000000..11069ed --- /dev/null +++ b/esh_writefreely/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/esh_writefreely/Policyfile.rb b/esh_writefreely/Policyfile.rb new file mode 100644 index 0000000..20e4fc6 --- /dev/null +++ b/esh_writefreely/Policyfile.rb @@ -0,0 +1,16 @@ +# Policyfile.rb - Describe how you want Chef Infra Client to build your system. +# +# For more information on the Policyfile feature, visit +# https://docs.chef.io/policyfile/ + +# A name that describes what the system you're building with Chef does. +name 'esh_writefreely' + +# Where to find external cookbooks: +default_source :supermarket + +# run_list: chef-client will run these recipes in the order specified. +run_list 'esh_writefreely::default' + +# Specify a custom source for a single cookbook: +cookbook 'esh_writefreely', path: '.' 
diff --git a/esh_writefreely/README.md b/esh_writefreely/README.md new file mode 100644 index 0000000..699a562 --- /dev/null +++ b/esh_writefreely/README.md @@ -0,0 +1,5 @@ +# esh_writefreely + +- [Upstream](https://github.com/writefreely/writefreely) + +Cookbook is made for release `v0.13.1`. diff --git a/esh_writefreely/chefignore b/esh_writefreely/chefignore new file mode 100644 index 0000000..cc170ea --- /dev/null +++ b/esh_writefreely/chefignore @@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen.yml* +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/esh_writefreely/compliance/README.md b/esh_writefreely/compliance/README.md new file mode 100644 index 0000000..947be3e --- /dev/null 
+++ b/esh_writefreely/compliance/README.md @@ -0,0 +1,25 @@ +# compliance + +This directory contains Chef InSpec profile, waiver and input objects which are used with the Chef Infra Compliance Phase. + +Detailed information on the Chef Infra Compliance Phase can be found in the [Chef Documentation](https://docs.chef.io/chef_compliance_phase/). + +```plain +./compliance +├── inputs +├── profiles +└── waivers +``` + +Use the `chef generate` command from Chef Workstation to create content for these directories: + +```sh +# Generate a Chef InSpec profile +chef generate profile PROFILE_NAME + +# Generate a Chef InSpec waiver file +chef generate waiver WAIVER_NAME + +# Generate a Chef InSpec input file +chef generate input INPUT_NAME +``` diff --git a/esh_writefreely/kitchen.yml b/esh_writefreely/kitchen.yml new file mode 100644 index 0000000..cef0219 --- /dev/null +++ b/esh_writefreely/kitchen.yml @@ -0,0 +1,31 @@ +--- +driver: + name: vagrant + +## The forwarded_port port feature lets you connect to ports on the VM guest +## via localhost on the host. +## see also: https://www.vagrantup.com/docs/networking/forwarded_ports + +# network: +# - ["forwarded_port", {guest: 80, host: 8080}] + +provisioner: + name: chef_zero + + ## product_name and product_version specifies a specific Chef product and version to install. + ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/ + # product_name: chef + # product_version: 17 + +verifier: + name: inspec + +platforms: + - name: ubuntu-20.04 + - name: centos-8 + +suites: + - name: default + verifier: + inspec_tests: + - test/integration/default diff --git a/esh_writefreely/metadata.rb b/esh_writefreely/metadata.rb new file mode 100644 index 0000000..adac914 --- /dev/null +++ b/esh_writefreely/metadata.rb 
@@ -0,0 +1,21 @@ +name 'esh_writefreely' +maintainer 'https://easyself.host' +maintainer_email 'esh@benpro.fr' +license 'Apache-2.0' +description 'Installs/Configures esh_writefreely' +version '0.1.0' +chef_version '>= 16.0' +depends 'mariadb' +depends 'esh_nginx' + +# The `issues_url` points to the location where issues for this cookbook are +# tracked. A `View Issues` link will be displayed on this cookbook's page when +# uploaded to a Supermarket. +# +# issues_url 'https://github.com//esh_writefreely/issues' + +# The `source_url` points to the development repository for this cookbook. A +# `View Source` link will be displayed on this cookbook's page when uploaded to +# a Supermarket. +# +# source_url 'https://github.com//esh_writefreely' diff --git a/esh_writefreely/recipes/default.rb b/esh_writefreely/recipes/default.rb new file mode 100644 index 0000000..f214455 --- /dev/null +++ b/esh_writefreely/recipes/default.rb @@ -0,0 +1,17 @@ +# +# Cookbook:: esh_writefreely +# Recipe:: default +# +# Copyright:: 2022, https://easyself.host +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/esh_writefreely/recipes/install.rb b/esh_writefreely/recipes/install.rb new file mode 100644 index 0000000..1159f08 --- /dev/null +++ b/esh_writefreely/recipes/install.rb 
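Review bot: `depends 'mariadb'` in esh_writefreely/metadata.rb has no version constraint, the cookbook-level Policyfile resolves it from the public Supermarket via `default_source :supermarket`, and `Policyfile.lock.json` is gitignored in this same patch — so nothing committed pins which mariadb cookbook revision a fresh `chef install` pulls, and a Supermarket release with changed resource semantics lands on the next policy rebuild. Pin it to the major you tested (`depends 'mariadb', '~> X.0'`, matching the `mariadb_server_install`/`mariadb_user` resources used in recipes/mariadb.rb) and consider committing the lock so the policy is reproducible; the `esh_nginx` dependency is local and is fine as is.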
@@ -0,0 +1,65 @@
+#
+# Cookbook:: esh_writefreely
+# Recipe:: install
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+version = node['esh']['writefreely']['version']
+url = node['esh']['writefreely']['url']
+
+group 'writefreely' do
+ system true
+ action :create
+end
+
+user 'writefreely' do
+ gid 'writefreely'
+ home '/home/writefreely'
+ manage_home true
+ shell '/usr/sbin/nologin'
+ system true
+ action :create
+end
+
+remote_file "#{Chef::Config['file_cache_path']}/writefreely_#{version}_linux_amd64.tar.gz" do
+ source url
+ action :create_if_missing
+end
+
+archive_file "#{Chef::Config['file_cache_path']}/writefreely_#{version}_linux_amd64.tar.gz" do
+ destination '/home/'
+ owner 'writefreely'
+ group 'writefreely'
+ mode '0755'
+ overwrite true
+ not_if do
+ `/home/writefreely/writefreely --version | awk '{print $2}'`.strip == version
+ end
+end
+
+template '/home/writefreely/config.ini' do
+ owner 'writefreely'
+ group 'writefreely'
+ mode '0600'
+ variables database_password: node['esh']['writefreely']['mariadb']['password'],
+ site_name: node['esh']['writefreely']['app']['site_name'],
+ host: node['esh']['writefreely']['app']['host'],
+ single_user: node['esh']['writefreely']['app']['single_user']
+ action :create
+end
+
+esh_nginx_basic_proxy node['esh']['writefreely']['nginx']['ip_addr'] do
+ port node['esh']['writefreely']['nginx']['port']
+end
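Review bot: `remote_file` in install.rb fetches the release tarball from `node['esh']['writefreely']['url']` with no `checksum`, so whatever that URL serves on the day — including a replaced or tampered asset — is unpacked into /home and started as a service; add `checksum node['esh']['writefreely']['checksum']` (SHA-256 of the `v0.13.1` asset the README names) so a mismatch fails the run before `archive_file` touches the disk (with `action :create` instead of `:create_if_missing`, the checksum also makes Chef re-fetch a cached file that no longer matches). The `template '/home/writefreely/config.ini'` renders the database password; set `sensitive true` so a change is not diffed into the run log. The `not_if` guard shells out to `/home/writefreely/writefreely --version` through a pipe as root on every run, which is acceptable but deserves a comment that an empty result (binary absent) intentionally triggers extraction.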
diff --git a/esh_writefreely/recipes/mariadb.rb b/esh_writefreely/recipes/mariadb.rb
new file mode 100644
index 0000000..082b786
--- /dev/null
+++ b/esh_writefreely/recipes/mariadb.rb
@@ -0,0 +1,36 @@
+#
+# Cookbook:: esh_writefreely
+# Recipe:: mariadb
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apt_package 'mariadb-server'
+
+mariadb_server_install 'MariaDB Server install' do
+ version '10.5'
+ setup_repo false
+end
+
+mariadb_user 'writefreely' do
+ password node['esh']['writefreely']['mariadb']['password']
+ database_name 'writefreely'
+ action [:create, :grant]
+end
+
+mariadb_database 'writefreely' do
+ encoding 'latin1'
+ collation 'latin1_swedish_ci'
+ action :create
+end
diff --git a/esh_writefreely/recipes/service.rb b/esh_writefreely/recipes/service.rb
new file mode 100644
index 0000000..a87b84b
--- /dev/null
+++ b/esh_writefreely/recipes/service.rb
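Review bot: `mariadb_user 'writefreely'` takes its password straight from `node['esh']['writefreely']['mariadb']['password']`, which as a node attribute is persisted in the node object on the Chef/Cinc server (and in the policy if set there) rather than in a secret store; the same attribute is rendered into config.ini by install.rb, so one encrypted data bag or vault item read in both recipes would take the plaintext copy out of the node object. Add `sensitive true` on the resource as well, so that if the underlying provider ever reports the changed property it is not written to the run log.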
@@ -0,0 +1,38 @@
+#
+# Cookbook:: esh_writefreely
+# Recipe:: service
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+systemd_unit 'writefreely.service' do
+ content <<~EOU
+ [Unit]
+ Description=WriteFreely Instance
+ After=syslog.target network.target mariadb.service
+ [Service]
+ Type=simple
+ User=writefreely
+ Group=writefreely
+ StandardOutput=syslog
+ StandardError=syslog
+ WorkingDirectory=/home/writefreely
+ ExecStart=/home/writefreely/writefreely
+ Restart=always
+ [Install]
+ WantedBy=multi-user.target
+ EOU
+ verify false
+ action [:create, :enable, :start]
+end
diff --git a/esh_writefreely/templates/default/config.ini.erb b/esh_writefreely/templates/default/config.ini.erb
new file mode 100644
index 0000000..18965c5
--- /dev/null
+++ b/esh_writefreely/templates/default/config.ini.erb
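Review bot: The unit in service.rb runs the binary as the unprivileged `writefreely` user but adds no sandboxing, and `verify false` switches off the `systemd-analyze verify` pass that the `systemd_unit` resource otherwise runs before installing, which is exactly what would catch a typo in the directives below. Since the app lives entirely under /home/writefreely, `ProtectSystem=strict` plus `ReadWritePaths=/home/writefreely` makes the rest of the filesystem read-only for it, and `NoNewPrivileges`/`PrivateTmp`/`ProtectKernelTunables`/`ProtectControlGroups` cost nothing for a Go web process — check the journal after the first start, since the app also reaches MariaDB and writes its keys directory. `StandardOutput=syslog`/`StandardError=syslog` and `After=syslog.target` are deprecated in current systemd in favour of the journal default; drop them. Why `verify false` was needed is not visible here — if it was to cope with `systemd-analyze` being absent on the node, say so in a comment, otherwise re-enable verification.
```ruby
systemd_unit 'writefreely.service' do
  content <<~EOU
    [Unit]
    Description=WriteFreely Instance
    After=network.target mariadb.service
    [Service]
    Type=simple
    User=writefreely
    Group=writefreely
    WorkingDirectory=/home/writefreely
    ExecStart=/home/writefreely/writefreely
    Restart=always
    NoNewPrivileges=true
    PrivateTmp=true
    ProtectSystem=strict
    ReadWritePaths=/home/writefreely
    ProtectKernelTunables=true
    ProtectControlGroups=true
    # … unchanged: [Install] section …
  EOU
  action [:create, :enable, :start]
end
```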
@@ -0,0 +1,36 @@
+[server]
+hidden_host =
+port = 8080
+bind = 127.0.0.1
+tls_cert_path =
+tls_key_path =
+templates_parent_dir =
+static_parent_dir =
+pages_parent_dir =
+keys_parent_dir =
+
+[database]
+type = mysql
+filename =
+username = writefreely
+password = <%= @database_password %>
+database = writefreely
+host = localhost
+port = 3306
+
+[app]
+site_name = <%= @site_name %>
+site_description =
+host = <%= @host %>
+theme = write
+disable_js = false
+webfonts = true
+single_user = <%= @single_user %>
+open_registration = false
+min_username_len = 3
+max_blogs = 1
+federation = true
+public_stats = true
+private = false
+local_timeline = false
+user_invites =
diff --git a/esh_writefreely/templates/default/default.erb b/esh_writefreely/templates/default/default.erb
new file mode 100644
index 0000000..65ec86f
--- /dev/null
+++ b/esh_writefreely/templates/default/default.erb
@@ -0,0 +1,19 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ root /var/www/html;
+
+ index index.html index.htm index.nginx-debian.html;
+
+ server_name _;
+
+ set_real_ip_from <%= node['network']['default_gateway'] %>;
+ real_ip_header X-Forwarded-For;
+
+ location / {
+ proxy_pass http://127.0.0.1:8080/;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_redirect off;
+ }
+}
\ No newline at end of file
diff --git a/esh_writefreely/test/integration/default/default_test.rb b/esh_writefreely/test/integration/default/default_test.rb
new file mode 100644
index 0000000..ea5176b
--- /dev/null
+++ b/esh_writefreely/test/integration/default/default_test.rb
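Review bot: The rendered config carries the database password in clear text at `password = <%= @database_password %>`, and the `template` resource that writes this file is not part of this diff, so it needs `owner 'writefreely'`, `mode '0600'` and `sensitive true`; without those any local account can read the credential and the converge log prints the file diff. `bind = 127.0.0.1` and `open_registration = false` are the right defaults for a proxied single instance. The blank `tls_cert_path`/`tls_key_path` are consistent with TLS terminating at the reverse proxy, which is worth stating in a comment in the template if the INI parser accepts one.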
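Review bot: The proxied request does not set `Host`, so writefreely receives `Host: 127.0.0.1:8080` rather than the public hostname; add `proxy_set_header Host $host;` next to the `X-Real-IP` line (headers the gateway already sends, such as a forwarded-proto header, pass through unchanged). `set_real_ip_from <%= node['network']['default_gateway'] %>` with `real_ip_header X-Forwarded-For` and no `real_ip_recursive` takes the last address in the header, which is correct for a single trusted hop only if the gateway appends or overwrites `X-Forwarded-For` rather than passing a client-supplied value through; that assumption deserves a comment on the `set_real_ip_from` line, e.g. `# trust XFF only from the upstream gateway; it must rewrite the header itself`. The file also lacks a trailing newline.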
@@ -0,0 +1,16 @@
+# Chef InSpec test for recipe esh_writefreely::default
+
+# The Chef InSpec reference, with examples and extensive documentation, can be
+# found at https://docs.chef.io/inspec/resources/
+
+unless os.windows?
+ # This is an example test, replace with your own test.
+ describe user('root'), :skip do
+ it { should exist }
+ end
+end
+
+# This is an example test, replace it with your own test.
+describe port(80), :skip do
+ it { should_not be_listening }
+end
diff --git a/esh_zfs/.gitignore b/esh_zfs/.gitignore
new file mode 100644
index 0000000..f1e57b8
--- /dev/null
+++ b/esh_zfs/.gitignore
@@ -0,0 +1,25 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+kitchen.local.yml
+
+# Chef Infra
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json
+
+.idea/
+
diff --git a/esh_zfs/CHANGELOG.md b/esh_zfs/CHANGELOG.md
new file mode 100644
index 0000000..4e94637
--- /dev/null
+++ b/esh_zfs/CHANGELOG.md
@@ -0,0 +1,10 @@
+# esh_zfs CHANGELOG
+
+This file is used to list changes made in each version of the esh_zfs cookbook.
+
+## 0.1.0
+
+Initial release.
+
+- change 0
+- change 1
diff --git a/esh_zfs/LICENSE b/esh_zfs/LICENSE
new file mode 100644
index 0000000..11069ed
--- /dev/null
+++ b/esh_zfs/LICENSE
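Review bot: Both InSpec scaffolds in this commit (this one and `esh_zfs/test/integration/default/default_test.rb` further down) keep the generated example tests marked `:skip`, so `kitchen verify` passes without checking anything, and the `port(80)` expectation here is the opposite of what `default.erb` configures. Replace the placeholders with assertions on what the recipes actually converge, e.g. `describe port(80) do it { should be_listening } end` and `describe service('writefreely') do it { should be_running } end`, and for the zfs cookbook a check that `zfsutils-linux` is installed.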
@@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship.
For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License.
Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the
following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty.
Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS
+
+APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+Copyright [yyyy] [name of copyright owner]
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
diff --git a/esh_zfs/Policyfile.rb b/esh_zfs/Policyfile.rb
new file mode 100644
index 0000000..493799c
--- /dev/null
+++ b/esh_zfs/Policyfile.rb
@@ -0,0 +1,16 @@
+# Policyfile.rb - Describe how you want Chef Infra Client to build your system.
+#
+# For more information on the Policyfile feature, visit
+# https://docs.chef.io/policyfile/
+
+# A name that describes what the system you're building with Chef does.
+name 'esh_zfs'
+
+# Where to find external cookbooks:
+default_source :supermarket
+
+# run_list: chef-client will run these recipes in the order specified.
+run_list 'esh_zfs::default'
+
+# Specify a custom source for a single cookbook:
+cookbook 'esh_zfs', path: '.'
diff --git a/esh_zfs/README.md b/esh_zfs/README.md
new file mode 100644
index 0000000..ade9861
--- /dev/null
+++ b/esh_zfs/README.md
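Review bot: `default_source :supermarket` resolves any dependency from the public Supermarket, and the `.gitignore` added earlier in this commit lists `Policyfile.lock.json`, so the pinned resolution is never committed and each `chef install` may pull a different set of third-party cookbook versions onto the host. If this Policyfile is what is actually deployed (the repo-level policies are outside this chunk), commit the lock file by removing it from `.gitignore`, or pin versions in the Policyfile, so the code that converges is reproducible and reviewable. `run_list 'esh_zfs::default'` also points at a recipe that this commit leaves empty; the useful work lives in `package`, `pool`, `scrub` and `autobackup`.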
@@ -0,0 +1,4 @@
+# esh_zfs
+
+TODO: Enter the cookbook description here.
+
diff --git a/esh_zfs/attributes/default.rb b/esh_zfs/attributes/default.rb
new file mode 100644
index 0000000..c86d960
--- /dev/null
+++ b/esh_zfs/attributes/default.rb
@@ -0,0 +1,2 @@
+default['esh']['zfs']['pools'] = {}
+default['esh']['zfs']['scrub']['hc_url'] = nil
\ No newline at end of file
diff --git a/esh_zfs/chefignore b/esh_zfs/chefignore
new file mode 100644
index 0000000..cc170ea
--- /dev/null
+++ b/esh_zfs/chefignore
@@ -0,0 +1,115 @@
+# Put files/directories that should be ignored in this file when uploading
+# to a Chef Infra Server or Supermarket.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+ehthumbs.db
+Icon?
+nohup.out
+Thumbs.db
+.envrc
+
+# EDITORS #
+###########
+.#*
+.project
+.settings
+*_flymake
+*_flymake.*
+*.bak
+*.sw[a-z]
+*.tmproj
+*~
+\#*
+REVISION
+TAGS*
+tmtags
+.vscode
+.editorconfig
+
+## COMPILED ##
+##############
+*.class
+*.com
+*.dll
+*.exe
+*.o
+*.pyc
+*.so
+*/rdoc/
+a.out
+mkmf.log
+
+# Testing #
+###########
+.circleci/*
+.codeclimate.yml
+.delivery/*
+.foodcritic
+.kitchen*
+.mdlrc
+.overcommit.yml
+.rspec
+.rubocop.yml
+.travis.yml
+.watchr
+.yamllint
+azure-pipelines.yml
+Dangerfile
+examples/*
+features/*
+Guardfile
+kitchen.yml*
+mlc_config.json
+Procfile
+Rakefile
+spec/*
+test/*
+
+# SCM #
+#######
+.git
+.gitattributes
+.gitconfig
+.github/*
+.gitignore
+.gitkeep
+.gitmodules
+.svn
+*/.bzr/*
+*/.git
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Bundler #
+###########
+vendor/*
+Gemfile
+Gemfile.lock
+
+# Policyfile #
+##############
+Policyfile.rb
+Policyfile.lock.json
+
+# Documentation #
+#############
+CODE_OF_CONDUCT*
+CONTRIBUTING*
+documentation/*
+TESTING*
+UPGRADING*
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile
diff --git a/esh_zfs/compliance/README.md b/esh_zfs/compliance/README.md
new file mode 100644
index 0000000..947be3e
--- /dev/null
+++ b/esh_zfs/compliance/README.md
@@ -0,0 +1,25 @@
+# compliance
+
+This directory contains Chef InSpec profile, waiver and input objects which are used with the Chef Infra Compliance Phase.
+
+Detailed information on the Chef Infra Compliance Phase can be found in the [Chef Documentation](https://docs.chef.io/chef_compliance_phase/).
+
+```plain
+./compliance
+├── inputs
+├── profiles
+└── waivers
+```
+
+Use the `chef generate` command from Chef Workstation to create content for these directories:
+
+```sh
+# Generate a Chef InSpec profile
+chef generate profile PROFILE_NAME
+
+# Generate a Chef InSpec waiver file
+chef generate waiver WAIVER_NAME
+
+# Generate a Chef InSpec input file
+chef generate input INPUT_NAME
+```
diff --git a/esh_zfs/kitchen.yml b/esh_zfs/kitchen.yml
new file mode 100644
index 0000000..cef0219
--- /dev/null
+++ b/esh_zfs/kitchen.yml
@@ -0,0 +1,31 @@
+---
+driver:
+ name: vagrant
+
+## The forwarded_port port feature lets you connect to ports on the VM guest
+## via localhost on the host.
+## see also: https://www.vagrantup.com/docs/networking/forwarded_ports
+
+# network:
+# - ["forwarded_port", {guest: 80, host: 8080}]
+
+provisioner:
+ name: chef_zero
+
+ ## product_name and product_version specifies a specific Chef product and version to install.
+ ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/
+ # product_name: chef
+ # product_version: 17
+
+verifier:
+ name: inspec
+
+platforms:
+ - name: ubuntu-20.04
+ - name: centos-8
+
+suites:
+ - name: default
+ verifier:
+ inspec_tests:
+ - test/integration/default
diff --git a/esh_zfs/metadata.rb b/esh_zfs/metadata.rb
new file mode 100644
index 0000000..6d790e3
--- /dev/null
+++ b/esh_zfs/metadata.rb
@@ -0,0 +1,20 @@
+name 'esh_zfs'
+maintainer 'https://easyself.host'
+maintainer_email 'esh@benpro.fr'
+license 'Apache-2.0'
+description 'Installs/Configures esh_zfs'
+version '0.1.0'
+chef_version '>= 16.0'
+supports 'ubuntu', '= 22.04'
+
+# The `issues_url` points to the location where issues for this cookbook are
+# tracked. A `View Issues` link will be displayed on this cookbook's page when
+# uploaded to a Supermarket.
+#
+# issues_url 'https://github.com//esh_zfs/issues'
+
+# The `source_url` points to the development repository for this cookbook. A
+# `View Source` link will be displayed on this cookbook's page when uploaded to
+# a Supermarket.
+#
+# source_url 'https://github.com//esh_zfs'
diff --git a/esh_zfs/recipes/autobackup.rb b/esh_zfs/recipes/autobackup.rb
new file mode 100644
index 0000000..10fd177
--- /dev/null
+++ b/esh_zfs/recipes/autobackup.rb
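Review bot: `supports 'ubuntu', '= 22.04'` disagrees with the `kitchen.yml` added just above, which tests on `ubuntu-20.04` and `centos-8`; every recipe in this cookbook uses `apt_package`, so the CentOS platform cannot converge and the 20.04 run exercises a platform the metadata says is unsupported. Align them by changing the kitchen platforms to `- name: ubuntu-22.04` and dropping `centos-8`, or widen `supports` if 20.04 is really a target. The commented `issues_url`/`source_url` lines still carry the scaffold's empty `github.com//` organisation.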
@@ -0,0 +1,36 @@
+#
+# Cookbook:: esh_zfs
+# Recipe:: default
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apt_package 'python3-pip'
+
+execute 'pip install zfs-autobackup' do
+ command 'pip install zfs-autobackup'
+ not_if 'pip show zfs-autobackup > /dev/null'
+ action :run
+end
+
+execute 'init zfs autobackup group name' do
+ command <<~EOT
+ zfs set autobackup:local=true #{node['esh']['zfs']['autobackup']['src']}
+ zfs set autobackup:local=false #{node['esh']['zfs']['autobackup']['src']}/default_images
+ EOT
+ not_if <<~EOT
+ zfs get -H -t filesystem,volume autobackup:local #{node['esh']['zfs']['autobackup']['src']} | grep -q true
+ EOT
+ action :run
+end
diff --git a/esh_zfs/recipes/default.rb b/esh_zfs/recipes/default.rb
new file mode 100644
index 0000000..0cafbb8
--- /dev/null
+++ b/esh_zfs/recipes/default.rb
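Review bot: `execute 'pip install zfs-autobackup'` installs an unpinned package from PyPI as root with no hash verification, so whatever the index serves at converge time ends up running with full ZFS privileges on the host; pin it, `command 'pip install zfs-autobackup==<PINNED_VERSION>'` (placeholder version), and prefer `--require-hashes` with a requirements file if the tool stays on pip rather than moving to a distro package. `node['esh']['zfs']['autobackup']['src']` has no default in `attributes/default.rb` (only `pools` and `scrub.hc_url` are declared), so unless a policy sets it, `node['esh']['zfs']['autobackup']` is nil and the `['src']` lookup raises at compile time with no hint which attribute is missing; read it once into a local, e.g. `src = node.read('esh', 'zfs', 'autobackup', 'src') or raise ArgumentError, "node['esh']['zfs']['autobackup']['src'] is not set"`, and reuse it in the three commands. The header says `Recipe:: default` here and in `package.rb`, `pool.rb` and `scrub.rb`; each should name its own recipe.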
@@ -0,0 +1,17 @@
+#
+# Cookbook:: esh_zfs
+# Recipe:: default
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
diff --git a/esh_zfs/recipes/package.rb b/esh_zfs/recipes/package.rb
new file mode 100644
index 0000000..1075652
--- /dev/null
+++ b/esh_zfs/recipes/package.rb
@@ -0,0 +1,21 @@
+#
+# Cookbook:: esh_zfs
+# Recipe:: default
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apt_package 'zfsutils-linux' do
+ action :install
+end
diff --git a/esh_zfs/recipes/pool.rb b/esh_zfs/recipes/pool.rb
new file mode 100644
index 0000000..d4b83eb
--- /dev/null
+++ b/esh_zfs/recipes/pool.rb
@@ -0,0 +1,35 @@
+#
+# Cookbook:: esh_zfs
+# Recipe:: default
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+node['esh']['zfs']['pools'].each do |pool, params|
+ execute "zpool create #{pool}" do
+ command <<~EOT
+ zpool create \
+ -m #{params['mount_point']} \
+ -o ashift=#{params['ashift']} \
+ -o autotrim=#{params['autotrim']} \
+ -o feature@lz4_compress=#{params['lz4_compress']} \
+ -O compression=#{params['compression']} \
+ -O dedup=#{params['dedup']} \
+ #{pool} \
+ #{params['target']}
+ EOT
+ action :run
+ not_if "zpool list #{pool}"
+ end
+end
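Review bot: The `zpool create` command line is built by interpolating `params['mount_point']`, `params['ashift']`, `params['target']` and the other keys with no check that they are present, so a missing key yields a fragment like `-o ashift=` and the malformed command reaches the shell; the failure then surfaces as a zpool usage error instead of naming the attribute, and `not_if "zpool list #{pool}"` cannot help on the first run. Read the required keys with `params.fetch('target')` (and likewise for the options) so an absent attribute raises a KeyError that names it at compile time. The command deliberately omits `-f`, which makes `zpool create` refuse a device that already carries a filesystem or pool label; that is the safe default and deserves a comment on the `command` line, e.g. `# no -f: never clobber a device that already has a label`.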
@@ -0,0 +1,59 @@
+#
+# Cookbook:: esh_zfs
+# Recipe:: default
+#
+# Copyright:: 2022, https://easyself.host
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+template '/usr/local/bin/zfs-scrub' do
+ owner 'root'
+ group 'root'
+ mode '0500'
+ variables hc_url: node['esh']['zfs']['scrub']['hc_url'],
+ pools: node['esh']['zfs']['pools']
+ action :create
+end
+
+systemd_unit 'zfs-scrub.service' do
+ content <<~EOU
+ [Unit]
+ Description=zfs scrub pools
+
+ [Service]
+ Nice=19
+ IOSchedulingClass=idle
+ KillSignal=SIGINT
+ ExecStart=/usr/local/bin/zfs-scrub
+
+ [Install]
+ WantedBy=multi-user.target
+ EOU
+ action [:create, :enable]
+end
+
+systemd_unit 'zfs-scrub.timer' do
+ content <<~EOU
+ [Unit]
+ Description=Monthly zpool scrub
+
+ [Timer]
+ OnCalendar=monthly
+ RandomizedDelaySec=86400
+ Persistent=true
+
+ [Install]
+ WantedBy=multi-user.target
+ EOU
+ action [:create, :enable, :start]
+end
diff --git a/esh_zfs/templates/default/zfs-scrub.erb b/esh_zfs/templates/default/zfs-scrub.erb
new file mode 100644
index 0000000..b0b38c7
--- /dev/null
+++ b/esh_zfs/templates/default/zfs-scrub.erb
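Review bot: `zfs-scrub.service` carries an `[Install]` section wanted by `multi-user.target` and is enabled with `action [:create, :enable]`, so the service starts on every boot and runs a full scrub of all pools in addition to the monthly timer run. Drop the `[Install]` block from the service unit and change its action to `action :create`, leaving the timer as the only trigger; by convention the timer's own `[Install]` should read `WantedBy=timers.target`. The `template` resource's `mode '0500'` with root ownership is the right restriction for a script that `ExecStart` runs as root.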
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+# https://serverfault.com/questions/538978/how-to-run-a-command-once-a-zfs-scrub-completes
+set -euo pipefail
+
+<% unless @hc_url.nil? %>
+curl -m 10 --retry 5 <%= @hc_url %>/start
+<% end %>
+<% @pools.each_key do |pool| %>
+zpool scrub <%= pool %>
+# Wait until scrub for <%= pool %> is finished
+while zpool status <%= pool %> | grep -q 'scan: *scrub in progress'; do
+ zpool status <%= pool %>
+ sleep 600
+done
+<% end %>
+
+# Get status for all pools
+zpool status
+
+# Get stdout from journalctl
+<% unless @hc_url.nil? %>
+LOG=$(journalctl -o cat -u zfs-scrub.service -n 100)
+curl -fsS -m 10 --retry 5 --data-raw "$LOG" <%= @hc_url %>
+<% end %>
+exit 0
\ No newline at end of file
diff --git a/esh_zfs/test/integration/default/default_test.rb b/esh_zfs/test/integration/default/default_test.rb
new file mode 100644
index 0000000..fc7bd55
--- /dev/null
+++ b/esh_zfs/test/integration/default/default_test.rb
@@ -0,0 +1,16 @@
+# Chef InSpec test for recipe esh_zfs::default
+
+# The Chef InSpec reference, with examples and extensive documentation, can be
+# found at https://docs.chef.io/inspec/resources/
+
+unless os.windows?
+ # This is an example test, replace with your own test.
+ describe user('root'), :skip do
+ it { should exist }
+ end
+end
+
+# This is an example test, replace it with your own test.
+describe port(80), :skip do
+ it { should_not be_listening }
+end
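Review bot: With `set -euo pipefail` in force, the unguarded `curl -m 10 --retry 5 <%= @hc_url %>/start` aborts the whole script when the healthcheck endpoint is unreachable, so an outage of the monitoring service cancels the scrub it is meant to monitor; make the start ping best-effort, `curl -m 10 --retry 5 "<%= @hc_url %>/start" || true`. The URL is interpolated unquoted in both curl lines; quoting it keeps a value containing `&` or whitespace from being split by the shell. The final POST sends the last 100 journal lines, including device names and pool status, to the configured URL, which is fine for a self-hosted healthchecks endpoint but should be stated in the header comment so operators know what leaves the host. The trailing `exit 0` is only reached when every preceding command succeeded, so a failed `-f` report still marks the unit as failed, which is the desirable outcome.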