cookbook 'sanitize', '= 0.2.0'
sanitize
0.2.0
Sanitizes system by providing a sane default configuration
cookbook 'sanitize', '= 0.2.0', :supermarket
knife supermarket install sanitize
knife supermarket download sanitize
Description
This cookbook aims to normalize the setup of a fresh server, set sane
defaults for global settings, and work with various initial
environments (tested on EC2 images, Hetzner "minimal" installations,
and debootstrap-created LXC images). At the moment it supports only
Ubuntu; Debian support is planned.
This cookbook is developed on GitHub at
https://github.com/3ofcoins/chef-cookbook-sanitize
Requirements
- apt
- build-essential
- iptables
Attributes
- sanitize.iptables -- if false, does not install and configure iptables; defaults to true.
- sanitize.ports -- if sanitize.iptables is true, specifies TCP ports to open. It is a dictionary, where keys are port numbers or service names, and values can be:
  - true -- open port for any source address
  - false -- close port
  - a string -- will be used as the --src argument to iptables
  - an array of strings -- for many different --src entries
  - TODO: it should be possible to specify a node search query
  Default: default['sanitize']['ports']['ssh'] = true
- sanitize.apt_repositories -- dictionary of APT repositories to add. Key is the repository name, value is the remaining attributes of the apt_repository resource provided by the apt cookbook (see http://community.opscode.com/cookbooks/apt). If you set distribution to "lsb_codename", the node['lsb']['codename'] attribute will be used instead. Example:

    :sanitize => {
      :apt_repositories => {
        :percona => {
          :uri => 'http://repo.percona.com/apt',
          :distribution => 'lsb_codename',
          :components => [ 'main' ],
          :deb_src => true,
          :keyserver => 'hkp://keys.gnupg.net',
          :key => '1C4CBDCDCD2EFD2A'
        }
      }
    }

- sanitize.install_packages -- a list of packages to install on all machines; defaults to an empty list.
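As an added illustration (not the cookbook's own code), the following Ruby script shows how a node attribute hash in the sanitize.ports shape maps onto iptables INPUT rules under the value semantics described above. The exact rule text, and emitting a DROP rule for a false value, are assumptions about the cookbook's behaviour; the sample hash is constructed.

```ruby
# Added example, not part of the sanitize cookbook: render the documented
# sanitize.ports value types (true / false / string / array of strings)
# into iptables rule strings. The rule text is an assumption; only the
# attribute shape comes from the README.

# Constructed sample attributes, in the shape of node['sanitize']['ports'].
SAMPLE_PORTS = {
  'ssh'  => true,                          # open to any source (the README default)
  3306   => ['10.0.0.0/8', '192.168.1.5'], # several --src entries, one rule each
  'http' => '203.0.113.0/24',              # a single --src entry
  8080   => false                          # explicitly closed
}

# Turn one port/value pair into zero or more iptables rule strings.
# Keys may be numeric ports or service names, as the README allows.
def rules_for_port(port, value)
  base = "-A INPUT -p tcp --dport #{port}"
  case value
  when true   then ["#{base} -j ACCEPT"]
  when false  then ["#{base} -j DROP"]          # assumption: "close" means DROP
  when String then ["#{base} --src #{value} -j ACCEPT"]
  when Array  then value.map { |src| "#{base} --src #{src} -j ACCEPT" }
  else raise ArgumentError, "unsupported value for port #{port}: #{value.inspect}"
  end
end

# Render the whole dictionary in hash order so the output is reproducible.
def render_rules(ports)
  ports.flat_map { |port, value| rules_for_port(port, value) }
end

if __FILE__ == $0
  puts render_rules(SAMPLE_PORTS)
end
```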
Usage
Include recipe[sanitize] in your run list after your user accounts
are created and sudo and ssh are configured, and otherwise as early as
possible. In particular, if you use the omnibus_updater cookbook, it
should come after sanitize in the run list.
sanitize::default
This is the default "base settings" setup. It should be called
after shell user accounts and sudo are configured, as it locks the
default login user and direct root access.
- Deletes the ubuntu system user
- Locks the system password for the root user (assumes that only sudo is used to elevate privileges)
- Ensures all FHS-provided directories exist by creating some that have been found missing on some installations (namely, /opt)
- Sets the locale to en_US.UTF-8, generates this locale, and sets the time zone to UTC
- Changes the mode of /var/log/chef/client.log to 0600 -- readable only by root, as it may contain sensitive data
- Deletes annoying motd.d files
- Installs vim and sets it as the default system editor
- Installs and configures iptables, opens the SSH port (optional, but enabled by default)
- Installs the can-has command as a symlink to apt-get
Roadmap
Plans for the future, in no particular order:
- Depend on and include openssh-server; configure SSH known hosts, provide sane SSH server and client configuration defaults
- Provide hooks (definitions / LWRP / library) for other cookbooks for commonly used facilities, such as opening up common ports, "backend" http service, SSL keys management, maybe some other "library" functions like helpers for encrypted data bags
Dependent cookbooks
- apt >= 0.0.0
- build-essential >= 0.0.0
- iptables >= 0.0.0
Contingent cookbooks
There are no cookbooks that are contingent upon this one.