sanitize 0.4.1
Sanitizes system by providing a sane default configuration
cookbook 'sanitize', '= 0.4.1', :supermarket
knife supermarket install sanitize
knife supermarket download sanitize
Description
This cookbook aims to normalize the setup of a fresh server, set sane
defaults for global settings, and work with various initial
environments (tested on EC2 images, Hetzner "minimal" installations,
and debootstrap-created LXC images). At the moment it supports only
Ubuntu; Debian support is planned.
It calls the chef-client::config and omnibus_updater recipes, and
works only with the Omnibus Chef client package.
This cookbook is developed on GitHub at
https://github.com/3ofcoins/chef-cookbook-sanitize
Requirements
- apt
- chef-client
- iptables
- omnibus_updater
Attributes
- sanitize.iptables -- if false, does not install and configure
  iptables; defaults to true.
- sanitize.keep_access -- if true, don't disable the direct-access
  users (the ubuntu user or the root password); defaults to false.
- sanitize.ports -- if sanitize.iptables is true, specifies the TCP
  ports to open. It is a dictionary, where keys are port numbers or
  service names, and values can be:
  - true -- open the port for any source address
  - false -- close the port
  - a string -- will be used as the --src argument to iptables
  - an array of strings -- for many different --src entries
  - TODO: it should be possible to specify a node search query
  If the key is a list of ports (port,port) or a range (port1:port2),
  then the multiport iptables module will be used.
  Default:
  default['sanitize']['ports']['ssh'] = true
- sanitize.apt_repositories -- dictionary of APT repositories to add.
  The key is the repository name, the value is the remaining attributes
  of the apt_repository resource provided by the apt cookbook (see
  http://community.opscode.com/cookbooks/apt). If you set distribution
  to "lsb_codename", the node['lsb']['codename'] attribute will be used
  instead. Example:

  :sanitize => {
    :apt_repositories => {
      :percona => {
        :uri => 'http://repo.percona.com/apt',
        :distribution => 'lsb_codename',
        :components => [ 'main' ],
        :deb_src => true,
        :keyserver => 'hkp://keys.gnupg.net',
        :key => '1C4CBDCDCD2EFD2A'
      }
    }
  }
- sanitize.install_packages -- a list of packages to install on all
  machines; defaults to an empty list.
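To make the sanitize.ports value semantics concrete, here is an added example (not the cookbook's own code) that renders such an attribute dictionary into iptables rule lines. The attribute format (true/false/string/array values, "a,b" lists and "a:b" ranges via multiport) is taken from the attribute description above; the exact rule text the cookbook emits, including rendering false as a REJECT rule, is an assumption. Because every key and source string ends up on the iptables command line, the example also validates them: keys must be port numbers, service names, lists or ranges, and sources must parse as an IP address or CIDR.

```ruby
# Added example, not code from the sanitize cookbook: renders a
# sanitize.ports attribute hash into iptables rules. Rule text is an
# assumed rendering; the attribute format follows the README.
require 'ipaddr'

# Only plain port numbers / service names, "a,b,c" lists and "a:b"
# ranges are accepted as keys, so nothing else reaches the command line.
PORT_KEY = /\A[A-Za-z0-9][A-Za-z0-9_-]*(?:[,:][A-Za-z0-9][A-Za-z0-9_-]*)*\z/

# Source strings must parse as an IP or CIDR (raises on anything else).
def validate_source(src)
  IPAddr.new(src)
  src
end

# Builds the destination-port clause; lists and ranges use multiport.
def dport_clause(key)
  key = key.to_s
  raise ArgumentError, "bad port key #{key.inspect}" unless key =~ PORT_KEY
  if key.include?(',') || key.include?(':')
    "-m multiport --dports #{key}"
  else
    "--dport #{key}"
  end
end

# true   -> accept from any source
# false  -> reject (assumed rendering of "close port")
# String -> single --src restriction
# Array  -> one rule per --src entry
def rules_for(key, value)
  dport = dport_clause(key)
  case value
  when true   then ["-A INPUT -p tcp #{dport} -j ACCEPT"]
  when false  then ["-A INPUT -p tcp #{dport} -j REJECT"]
  when String then ["-A INPUT -p tcp #{dport} --src #{validate_source(value)} -j ACCEPT"]
  when Array  then value.map { |s| "-A INPUT -p tcp #{dport} --src #{validate_source(s)} -j ACCEPT" }
  else raise ArgumentError, "unsupported value for #{key}: #{value.inspect}"
  end
end

def render_ports(ports)
  ports.flat_map { |k, v| rules_for(k, v) }
end

# Constructed sample attributes covering each value form from the README.
SAMPLE_PORTS = {
  'ssh'       => true,
  '80,443'    => true,
  '8000:8100' => ['10.0.0.0/8', '192.168.1.0/24'],
  'mysql'     => '10.0.0.5',
  '23'        => false,
}

if __FILE__ == $PROGRAM_NAME
  puts render_ports(SAMPLE_PORTS)
end
```

Service names such as "ssh" and "mysql" are passed through unchanged; iptables resolves them against /etc/services. A key like "22; rm -rf /" or a source like "10.0.0.0/8; reboot" is rejected before any rule is produced.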
Usage
Include recipe[sanitize] in your run list after your user accounts
are created and sudo and ssh are configured, and otherwise as early as
possible. In particular, if you use the omnibus_updater cookbook, it
should come after sanitize in the run list.
sanitize::default
This is the default "base settings" setup. It should be called
after shell user accounts and sudo are configured, as it locks the
default login user and direct root access.
- Deletes the ubuntu system user
- Locks the system password for the root user (assumes that only sudo
  is used to elevate privileges)
- Ensures all FHS-provided directories exist by creating some that
  have been found missing on some installations (namely, /opt)
- Sets the locale to en_US.UTF-8, generates this locale, and sets the
  time zone to UTC
- Changes the mode of /var/log/chef/client.log to 0600 -- readable
  only by root, as it may contain sensitive data
- Deletes annoying motd.d files
- Installs vim and sets it as the default system editor
- Installs and configures iptables, opening the SSH port (optional,
  but enabled by default)
- Installs a can-has command as a symlink to apt-get
- Runs the chef-client::config and omnibus_updater recipes
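A practitioner will want to confirm the access-related steps above actually took effect (ubuntu user gone, root password locked, chef log not world-readable). The following is an added check script, not part of the sanitize cookbook; it works on constructed /etc/passwd and /etc/shadow content and a file mode so it runs offline. On a live host you would feed it File.read('/etc/passwd'), File.read('/etc/shadow') (root only) and File.stat('/var/log/chef/client.log').mode.

```ruby
# Added example, not code from the sanitize cookbook: verifies the
# hardening outcomes of sanitize::default against passwd/shadow text
# and a file mode. Sample data below is constructed for illustration.

# Constructed sample of /etc/passwd after the recipe has run
SAMPLE_PASSWD = <<~'PASSWD'
  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
  alice:x:1000:1000:Alice:/home/alice:/bin/bash
PASSWD

# Constructed sample of /etc/shadow; a hash field starting with "!" or
# "*" means the password is locked / unusable for login.
SAMPLE_SHADOW = <<~'SHADOW'
  root:!:19000:0:99999:7:::
  daemon:*:19000:0:99999:7:::
  alice:$6$saltsalt$notarealhashjustaplaceholder:19000:0:99999:7:::
SHADOW

# Parses a colon-separated account file into { name => fields }
def parse_colon_file(text)
  text.each_line.with_object({}) do |line, h|
    fields = line.chomp.split(':', -1)
    next if fields.size < 2
    h[fields[0]] = fields
  end
end

def user_exists?(passwd_text, name)
  parse_colon_file(passwd_text).key?(name)
end

# Locked = shadow hash field present and starting with "!" or "*".
# An empty field would mean passwordless login, so it counts as not locked.
def password_locked?(shadow_text, name)
  fields = parse_colon_file(shadow_text)[name]
  return false if fields.nil?
  hash = fields[1]
  !hash.empty? && hash.start_with?('!', '*')
end

# File.stat(...).mode includes file-type bits; mask to the permission
# bits and require exactly 0600 (owner read/write only).
def root_only_mode?(mode)
  (mode & 0o7777) == 0o600
end

def sanitize_report(passwd_text, shadow_text, log_mode)
  {
    ubuntu_user_removed: !user_exists?(passwd_text, 'ubuntu'),
    root_password_locked: password_locked?(shadow_text, 'root'),
    chef_log_root_only: root_only_mode?(log_mode),
  }
end

if __FILE__ == $PROGRAM_NAME
  # 0o100600 is what File.stat reports for a regular file with mode 0600
  sanitize_report(SAMPLE_PASSWD, SAMPLE_SHADOW, 0o100600).each do |check, ok|
    puts "#{check}: #{ok ? 'OK' : 'FAIL'}"
  end
end
```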
Roadmap
Plans for future, in no particular order:
- Depend on and include openssh-server; configure SSH known hosts,
  provide sane SSH server and client configuration defaults
- Provide hooks (definitions / LWRP / library) for other cookbooks for
  commonly used facilities, such as opening up common ports, a "backend"
  http service, SSL key management, and maybe some other "library"
  functions like helpers for encrypted data bags
- Test with test-kitchen
Dependent cookbooks
- apt >= 0.0.0
- chef-client >= 0.0.0
- dmg >= 0.0.0
- homebrew >= 0.0.0
- iptables >= 0.0.0
- omnibus_updater >= 0.0.0
Contingent cookbooks
There are no cookbooks that are contingent upon this one.