diff --git a/hotfixes/T1261-srv-data.sls b/hotfixes/T1261-srv-data.sls new file mode 100644 index 0000000..943365e --- /dev/null +++ b/hotfixes/T1261-srv-data.sls @@ -0,0 +1,21 @@ +# ------------------------------------------------------------- +# Salt — Hotfixes to mitigate bugs and security issues +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +# Project: Nasqueron +# Created: 2017-10-17 +# License: Trivial work, not eligible to copyright +# ------------------------------------------------------------- + +# ------------------------------------------------------------- +# T1261 +# We now provision /srv/data instead of /data for Docker +# containers data. As such, we ensure a symlink exists +# on servers still using /data. +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +{% if not salt['file.directory_exists']('/srv/data') and salt['file.directory_exists']('/data') %} +srv_data_symlink: + file.symlink: + - name: /srv/data + - target: /data +{% endif %} diff --git a/hotfixes/init.sls b/hotfixes/init.sls index 24acffa..a3ca6f2 100644 --- a/hotfixes/init.sls +++ b/hotfixes/init.sls @@ -1,10 +1,11 @@ # ------------------------------------------------------------- # Salt — Hotfixes to mitigate bugs and security issues # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron # Created: 2017-02-27 # License: Trivial work, not eligible to copyright # ------------------------------------------------------------- include: - .CVE-2017-6074 + - .T1261-srv-data diff --git a/roles/mailserver/certificates/files/update-smtp-certificates.sh b/roles/mailserver/certificates/files/update-smtp-certificates.sh index cba2148..8b40c02 100755 --- a/roles/mailserver/certificates/files/update-smtp-certificates.sh +++ b/roles/mailserver/certificates/files/update-smtp-certificates.sh 
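Review bot: The Jinja guard `not salt['file.directory_exists']('/srv/data')` makes this hotfix order-sensitive: anything that touches the new path before it runs — the `file.recurse` on `/srv/data/mastodon/public/support` in roles/mastodon/public/init.sls, and the `-v $DATA_DIRECTORY/...` bind mounts in run-devcentral.sh and run-wolfphab.sh, which Docker creates on the host when they are missing — materialises a real `/srv/data` directory, after which the condition is false, the symlink to the existing `/data` is never created, and data ends up split across both trees. Consider dropping the `not directory_exists('/srv/data')` half and letting `file.symlink` report the conflict (it refuses to replace a real directory unless `force: True`), or giving the dependent states a `require: - sls: hotfixes.T1261-srv-data` so the symlink is in place first. Separately, `file.symlink` fails when the parent `/srv` is absent; `- makedirs: True` under the state covers hosts where `/srv` does not exist by default.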
@@ -1,31 +1,31 @@ #!/bin/sh # ------------------------------------------------------------- # Deploy mail certificate to SMTP server # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron # Created: 2016-11-03 # License: Trivial work, not eligible to copyright # Source file: roles/mailserver/certificates/files/update-smtp-certificates.sh # ------------------------------------------------------------- # # # This file is managed by our rOPS SaltStack repository. # # Changes to this file may cause incorrect behavior # and will be lost if the state is redeployed. # : ${CONTAINER_NAME='mailserver'} -: ${CERT_DIR='/data/letsencrypt/etc/live/mail.nasqueron.org-0001'} +: ${CERT_DIR='/srv/data/letsencrypt/etc/live/mail.nasqueron.org-0001'} : ${CONTAINER_DIR="/var/lib/lxc/$CONTAINER_NAME/rootfs"} cp $CERT_DIR/fullchain.pem $CONTAINER_DIR/etc/ssl/certs/mailserver.crt cp $CERT_DIR/privkey.pem $CONTAINER_DIR/etc/ssl/private/mailserver.key # Mail servers can read the certificate as root before dropping privileges chown 0:0 $CONTAINER_DIR/etc/ssl/private/mailserver.key chmod 400 $CONTAINER_DIR/etc/ssl/private/mailserver.key lxc-attach -n $CONTAINER_NAME -- service postfix restart lxc-attach -n $CONTAINER_NAME -- service dovecot restart diff --git a/roles/mastodon/public/init.sls b/roles/mastodon/public/init.sls index cd0c688..0828e44 100644 --- a/roles/mastodon/public/init.sls +++ b/roles/mastodon/public/init.sls 
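Review bot: The moved `CERT_DIR` is used without any existence check and the script does not stop on errors, so on a host where `/srv/data` is not yet present both `cp` fail and postfix and dovecot are still restarted; `set -eu` after the shebang makes a missing certificate abort before the restarts. The private key is also copied before it is chowned and chmodded, so a freshly created `mailserver.key` carries the umask-derived mode until the `chmod 400` line runs; `install -o 0 -g 0 -m 400 "$CERT_DIR/privkey.pem" "$CONTAINER_DIR/etc/ssl/private/mailserver.key"` does the copy and the permissions in one step and replaces the `cp`/`chown`/`chmod` triple. Quoting the `$CERT_DIR` and `$CONTAINER_DIR` expansions is cheap while here.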
@@ -1,17 +1,17 @@ # ------------------------------------------------------------- # Salt — Provision social.nasqueron.org public directories # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron # Created: 2017-10-13 # License: Trivial work, not eligible to copyright # ------------------------------------------------------------- -/data/mastodon/public/support: +/srv/data/mastodon/public/support: file.recurse: - source: salt://wwwroot/nasqueron.org/mastodon/support - exclude_pat: E@.git - include_empty: True - clean: True - dir_mode: 711 - file_mode: 644 diff --git a/roles/phabricator/containers/files/run-devcentral.sh b/roles/phabricator/containers/files/run-devcentral.sh index a03a962..1189fd7 100755 --- a/roles/phabricator/containers/files/run-devcentral.sh +++ b/roles/phabricator/containers/files/run-devcentral.sh 
@@ -1,98 +1,98 @@ #!/bin/sh # ------------------------------------------------------------- # Phabricator — Nasqueron instance # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Author: Sébastien Santoro aka Dereckson # Project: Nasqueron # Created: 2015-04-22 # Description: Phabricator instance for Nasqueron # License: Trivial work, not eligible to copyright # Image: nasqueron/phabricator # Source file: roles/phabricator/containers/files/run-devcentral.sh # ------------------------------------------------------------- # # # This file is managed by our rOPS SaltStack repository. # # Changes to this file may cause incorrect behavior # and will be lost if the state is redeployed. # # ------------------------------------------------------------- # Container parameters # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - INSTANCE_NAME=devcentral PORT=31080 DOMAIN=$INSTANCE_NAME.nasqueron.org -DATA_DIRECTORY=/data/$INSTANCE_NAME +DATA_DIRECTORY=/srv/data/$INSTANCE_NAME MYSQL_INSTANCE=acquisitariat # ------------------------------------------------------------- # Phabricator parameters # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - PHABRICATOR_URL=http://$DOMAIN PHABRICATOR_TITLE="Nasqueron DevCentral" PHABRICATOR_ALT_FILE_DOMAIN="https://phabricator-files-for-devcentral-nasqueron.spacetechnology.net" # ------------------------------------------------------------- # Deployment of our Phabricator code parameters # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - REPO_LOGIN=git REPO_HOST=bitbucket.org PHABRICATOR_PROD_REPO="ssh://git@bitbucket.org/nasqueron/devcentral-phabricator" PHABRICATOR_PROD_BRANCH=production # ------------------------------------------------------------- # Ensure container isn't already running # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - docker-container-status $INSTANCE_NAME > /dev/null if [ "$?" -lt 2 ]; then echo "Container is already running." 
echo "To force relaunch, try docker stop $INSTANCE_NAME ; docker rm $INSTANCE_NAME ; $0" exit 1 fi # ------------------------------------------------------------- # Container launch # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - docker run -t -d \ --link $MYSQL_INSTANCE:mysql \ -v $DATA_DIRECTORY/repo:/var/repo \ -v $DATA_DIRECTORY/conf:/opt/phabricator/conf \ -p $PORT:80 \ -e PHABRICATOR_URL=$PHABRICATOR_URL \ -e PHABRICATOR_TITLE="$PHABRICATOR_TITLE" \ -e PHABRICATOR_ALT_FILE_DOMAIN="$PHABRICATOR_ALT_FILE_DOMAIN" \ -e PHABRICATOR_PROD_REPO=$PHABRICATOR_PROD_REPO \ -e PHABRICATOR_PROD_BRANCH=$PHABRICATOR_PROD_BRANCH \ -e PHABRICATOR_USE_MAILGUN=1 \ -e PHABRICATOR_DOMAIN=$DOMAIN \ -e PHABRICATOR_BOT=xessife \ --name $INSTANCE_NAME nasqueron/phabricator # ------------------------------------------------------------- # DevCentral specific branch deployment # # Deploys our version # As we change static resources, restart php-fpm is a good idea: # if someone asks the page while we were pulling our version, # the old celerity map would be kept by APCu. # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - docker exec $INSTANCE_NAME sh -c 'mkdir -p /root/.ssh && \ cp /opt/phabricator/conf/deploy-keys/* /root/.ssh' docker exec $INSTANCE_NAME ssh -o StrictHostKeyChecking=no ${REPO_LOGIN}@${REPO_HOST} docker exec $INSTANCE_NAME sh -c 'cd /opt/phabricator && \ git remote add private "$PHABRICATOR_PROD_REPO" && \ git fetch --all && \ git checkout $PHABRICATOR_PROD_BRANCH && \ sv restart php-fpm && sv restart phd' echo "Deployment done at `date`." exit 0 diff --git a/roles/phabricator/containers/files/run-wolfphab.sh b/roles/phabricator/containers/files/run-wolfphab.sh index 1d145a4..907d1d1 100755 --- a/roles/phabricator/containers/files/run-wolfphab.sh +++ b/roles/phabricator/containers/files/run-wolfphab.sh 
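Review bot: `ssh -o StrictHostKeyChecking=no ${REPO_LOGIN}@${REPO_HOST}` accepts whatever host key `$REPO_HOST` presents on first contact, so the deploy key copied into `/root/.ssh` two lines earlier is used against an unverified peer and the following `git fetch` of the production branch trusts that connection as well. Since `conf/deploy-keys/*` is already copied into `/root/.ssh`, a pinned `known_hosts` for `$REPO_HOST` can be shipped in the same directory and the option dropped (or set to `yes`), so a host key mismatch fails the deployment instead of being accepted silently. The `cp` also sets no modes on the copied keys; adding `chmod 600 /root/.ssh/*` to the same `sh -c` avoids ssh rejecting a key whose mode is too open and keeps the keys from being readable by other users in the container.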
@@ -1,81 +1,81 @@ #!/bin/sh # ------------------------------------------------------------- # Phabricator — Wolfplex instance # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Author: Sébastien Santoro aka Dereckson # Project: Nasqueron # Created: 2015-10-25 # Description: Phabricator instance for Nasqueron # License: Trivial work, not eligible to copyright # Image: nasqueron/phabricator # Source file: roles/phabricator/containers/files/run-wolfphab.sh # ------------------------------------------------------------- # # # This file is managed by our rOPS SaltStack repository. # # Changes to this file may cause incorrect behavior # and will be lost if the state is redeployed. # # ------------------------------------------------------------- # Container parameters # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - INSTANCE_NAME=wolfphab PORT=35080 DOMAIN=phabricator.wolfplex.be -DATA_DIRECTORY=/data/$INSTANCE_NAME +DATA_DIRECTORY=/srv/data/$INSTANCE_NAME MYSQL_INSTANCE=acquisitariat MYSQL_NAMESPACE=wolfphab # ------------------------------------------------------------- # Phabricator parameters # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - PHABRICATOR_URL=https://$DOMAIN PHABRICATOR_TITLE="Wolfplex Phabricator" PHABRICATOR_ALT_FILE_DOMAIN="https://phabricator-files-for-wolfplex.nasqueron.org" # ------------------------------------------------------------- # Ensure container isn't already running # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - docker-container-status $INSTANCE_NAME > /dev/null if [ "$?" -lt 2 ]; then echo "Container is already running." 
echo "To force relaunch, try docker stop $INSTANCE_NAME ; docker rm $INSTANCE_NAME ; $0" exit 1 fi # ------------------------------------------------------------- # Container launch # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - docker run -t -d \ --link $MYSQL_INSTANCE:mysql \ -v $DATA_DIRECTORY/repo:/var/repo \ -v $DATA_DIRECTORY/conf:/opt/phabricator/conf \ -p $PORT:80 \ -e PHABRICATOR_URL=$PHABRICATOR_URL \ -e PHABRICATOR_TITLE="$PHABRICATOR_TITLE" \ -e PHABRICATOR_ALT_FILE_DOMAIN="$PHABRICATOR_ALT_FILE_DOMAIN" \ -e PHABRICATOR_STORAGE_NAMESPACE="$MYSQL_NAMESPACE" \ --name $INSTANCE_NAME nasqueron/phabricator docker exec $INSTANCE_NAME sh -c 'cd /opt/phabricator && \ bin/config set mysql.host mysql && \ bin/config set mysql.pass $MYSQL_ENV_MYSQL_ROOT_PASSWORD && \ bin/config set storage.default-namespace $PHABRICATOR_STORAGE_NAMESPACE && \ bin/config set phabricator.base-uri $PHABRICATOR_URL && \ bin/config set security.alternate-file-domain "$PHABRICATOR_ALT_FILE_DOMAIN" && \ bin/config set mailgun.domain $DOMAIN && \ rm -f /etc/nginx/sites-enabled/default && \ chown -R app /var/repo' # Fixes bug phd doesn't run at the very first container launch docker exec $INSTANCE_NAME sv restart phd echo "Deployment done at `date`." exit 0 diff --git a/scripts/byTasks/HTTP/check-letsencrypt-certificates b/scripts/byTasks/HTTP/check-letsencrypt-certificates index 9502917..69b7645 100755 --- a/scripts/byTasks/HTTP/check-letsencrypt-certificates +++ b/scripts/byTasks/HTTP/check-letsencrypt-certificates 
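Review bot: `bin/config set mysql.pass $MYSQL_ENV_MYSQL_ROOT_PASSWORD` hands the application the MySQL root credential of the linked `$MYSQL_INSTANCE` container even though this instance is already separated by `storage.default-namespace`; a dedicated MySQL account limited to the `wolfphab` namespace's databases would contain a compromise of this instance to its own data. Phabricator persists `bin/config set` values under its conf directory, which is bind-mounted from `$DATA_DIRECTORY/conf` — now `/srv/data/wolfphab/conf` — so that host path needs the same ownership and mode care as the old `/data` location (not visible in this diff; worth confirming in the state that provisions it). The `sh -c '...'` string is single-quoted so the expansion happens inside the container, which keeps the password off the host's process list; a short comment such as `# single quotes: expand $MYSQL_ENV_* inside the container, not on the host` would stop a later edit from turning that into a leak.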
@@ -1,108 +1,108 @@ #!/usr/bin/env python2 # -*- coding: utf-8 -*- # ------------------------------------------------------------- # Let's encrypt — Certificates web server configuration checker # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron # Created: 2016-06-05 # Description: Check if /.well-known/acme-challenge works # for the mapping directory webserver for each # certificate to renew. # License: BSD-2-Clause # ------------------------------------------------------------- # ------------------------------------------------------------- # Table of contents # ------------------------------------------------------------- # # :: Configuration # :: Checker code # :: Run task # # ------------------------------------------------------------- import os import random import string import urllib2 # ------------------------------------------------------------- # Configuration # ------------------------------------------------------------- dirs = { "/usr/local/etc/letsencrypt/renewal", - "/data/letsencrypt/etc/renewal" + "/srv/data/letsencrypt/etc/renewal" } # ------------------------------------------------------------- # Checker code # ------------------------------------------------------------- def checkDirectories(dirs): for dir in dirs: if os.path.isdir(dir): checkDirectory(dir) def checkDirectory(dir): for file in os.listdir(dir): if file.endswith(".conf"): fullpath = os.path.join(dir, file) checkCertificate(fullpath) def checkCertificate(file): lines = [line.rstrip('\n') for line in open(file)] skip = True for line in lines: if not skip: checkMappingLine(line) if line == "[[webroot_map]]": skip = False def checkMappingLine(line): params = line.split(' = ') checkMapping(params[0], params[1]) def getChallenge(): chars = string.ascii_letters + string.digits return ''.join([random.choice(chars) for n in xrange(32)]) def checkMapping(domain, dir): challenge = getChallenge() writeChallengeFile(dir, challenge) checkChallenge(domain, 
challenge) def writeChallengeFile(dir, challenge): challengeFile = os.path.join(dir, ".well-known", "acme-challenge", "qa") with open(challengeFile, "w") as file: file.write(challenge) def checkChallenge(domain, challenge): url = 'http://' + domain + '/.well-known/acme-challenge/qa' try: content = urllib2.urlopen(url).read() if not content == challenge: print domain, "DOES NOT MATCH" except urllib2.HTTPError as err: print domain, err.code # ------------------------------------------------------------- # Run task # ------------------------------------------------------------- checkDirectories(dirs)
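Review bot: `checkChallenge` only catches `urllib2.HTTPError`, so a domain whose web server is unreachable (DNS failure, connection refused) raises `urllib2.URLError` out of `checkDirectories` and aborts the whole run before the remaining certificates are checked, and the `urlopen` call has no timeout, so a hanging host blocks the checker indefinitely. `content = urllib2.urlopen(url, timeout=10).read()` together with `except urllib2.URLError as err: print domain, getattr(err, 'code', err.reason)` (HTTPError is a subclass, so the existing status-code output is preserved) keeps the loop going and reports the cause. `checkMappingLine` likewise indexes `params[1]` unconditionally, so a blank or comment line after `[[webroot_map]]` raises IndexError; skipping lines that do not contain ` = ` avoids that. `writeChallengeFile` also leaves the `qa` token in every webroot after the check; removing it once `checkChallenge` returns keeps the well-known directory clean.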