work

2026-05-21 14:02:15 +00:00 · 2023-12-04 22:56:27 +01:00
parent c12ed48275
commit f9649c50fc
13 changed files with 150 additions and 49 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@
 .DS_Store
 /venv
 /.idea
+/temp
--- a/.ruff.toml
+++ b/.ruff.toml
@@ -1,6 +1,6 @@
 target-version = "py310"
 line-length = 100
-
+extend-exclude = ["temp"]

 select = [
  "E",   # pycodestyle errors
@@ -19,24 +19,25 @@ select = [
 ]

 ignore = [
+  'A003',
  'E501',
  'E711',
  'E712',
  'E741',
-  'A003',
+  'F401',
+  'F841',
  'PT004',
-  'SIM108',
  'SIM102',
  'SIM105',
+  'SIM108',
  'SIM115',
-  'F841',
 ]

 [format]
 quote-style = "single"

 [isort]
-known-first-party = ["openfreemaps"]
+known-first-party = ["lib"]
 lines-after-imports = 2

 [flake8-comprehensions]
--- a/init-server.py
+++ b/init-server.py
@@ -2,28 +2,31 @@

 from fabric import Connection

-from openfreemaps.nginx import certbot, nginx
-from openfreemaps.pkg_base import pkg_base, pkg_clean, pkg_upgrade
-from openfreemaps.planetiler import install_planetiler
-from openfreemaps.system import set_cpu_governor, setup_kernel_settings, setup_time
+from lib.nginx import certbot, nginx
+from lib.pkg_base import pkg_base, pkg_clean, pkg_upgrade
+from lib.planetiler import install_planetiler
+from lib.system1 import set_cpu_governor, setup_kernel_settings, setup_time
+from lib.utils import add_user


 def prepare_server(c):
-    pkg_upgrade(c)
-    pkg_clean(c)
-    pkg_base(c)
+    add_user(c, 'ofm')

-    setup_time(c)
-    setup_kernel_settings(c)
-    set_cpu_governor(c)
+    # pkg_upgrade(c)
+    # pkg_clean(c)
+    # pkg_base(c)

-    nginx(c)
-    certbot(c)
+    # setup_time(c)
+    # setup_kernel_settings(c)
+    # set_cpu_governor(c)
+
+    # nginx(c)
+    # certbot(c)

    install_planetiler(c)


-c = Connection(host='map128', port=22)
+c = Connection(host='ofm-o-ca-1', port=22, user='ubuntu')

 prepare_server(c)
 # reboot(c)
--- a/openfreemaps/init.py
+++ b/openfreemaps/init.py
--- a/openfreemaps/config.py
+++ b/openfreemaps/config.py
--- a/lib/dns.py
+++ b/lib/dns.py
@@ -0,0 +1,29 @@
+import time
+
+from lib.utils import apt_get_purge, exists, put_str
+
+
+def setup_dns(c):
+    if exists(c, '/etc/network/interfaces'):
+        c.sudo("sed -i '/dns-nameservers/d' /etc/network/interfaces")
+
+    apt_get_purge(c, 'resolvconf')
+    c.sudo('rm -rf /etc/resolvconf')
+
+    c.sudo('systemctl stop systemd-resolved')
+    c.sudo('systemctl disable systemd-resolved')
+
+    print('chattr -i')
+    c.sudo('chattr -i /etc/resolv.conf', warn=True)
+    c.sudo('rm -f /etc/resolv.conf')
+    put_str(
+        c,
+        '/etc/resolv.conf',
+        'nameserver 1.1.1.1\nnameserver 1.0.0.1\nnameserver 2606:4700:4700::1111\nnameserver 2606:4700:4700::1001',
+    )
+    time.sleep(1)
+    print('chattr +i')
+    c.sudo('chattr +i /etc/resolv.conf')
+
+    apt_get_purge(c, 'bind9*')
+    c.sudo('rm -rf /var/cache/bind')
--- a/openfreemaps/system.py
+++ b/openfreemaps/system.py
@@ -1,28 +1,15 @@
-from openfreemaps.config import templates
-from openfreemaps.utils import (
-    apt_get_install,
-    apt_get_purge,
-    put,
-    put_str,
-)
-
-
-def setup_time(c):
-    apt_get_install(c, 'dbus')
-
-    c.sudo('timedatectl set-local-rtc 0')
-    c.sudo('timedatectl set-ntp 1')
-    c.sudo('timedatectl set-timezone UTC')
+from lib.config import templates
+from lib.utils import apt_get_install, apt_get_purge, put, put_str


 def setup_kernel_settings(c):
    put(c, f'{templates}/sysctl/60-optim.conf', '/etc/sysctl.d/')


-
 def set_cpu_governor(c):
    apt_get_install(c, 'cpufrequtils')
    apt_get_purge(c, 'linux-tools-*')
+    # c.run('systemctl disable ondemand') # not working on 22

    put_str(
        c,
--- a/openfreemaps/nginx.py
+++ b/openfreemaps/nginx.py
@@ -1,5 +1,5 @@
-from openfreemaps.config import templates
-from openfreemaps.utils import (
+from lib.config import templates
+from lib.utils import (
    apt_get_install,
    apt_get_purge,
    apt_get_update,
@@ -45,6 +45,7 @@ def nginx(c):

    put(c, f'{templates}/nginx/nginx.conf', '/etc/nginx/')
    put(c, f'{templates}/nginx/default_disable.conf', '/data/nginx/sites')
+    put(c, f'{templates}/nginx/cloudflare.conf', '/data/nginx/config')

    c.sudo('service nginx restart')

@@ -52,10 +53,10 @@ def nginx(c):
 def certbot(c):
    # https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx
    apt_get_install(c, 'snapd')
-    c.run('snap install core', warn=True)
-    c.run('snap refresh core', warn=True)
+    c.sudo('snap install core', warn=True)
+    c.sudo('snap refresh core', warn=True)

    apt_get_purge(c, 'certbot')
-    c.run('snap install --classic certbot', warn=True)
-    c.run('snap set certbot trust-plugin-with-root=ok')
-    c.run('snap install certbot-dns-cloudflare')
+    c.sudo('snap install --classic certbot', warn=True)
+    c.sudo('snap set certbot trust-plugin-with-root=ok')
+    c.sudo('snap install certbot-dns-cloudflare')
--- a/openfreemaps/pkg_base.py
+++ b/openfreemaps/pkg_base.py
@@ -1,4 +1,4 @@
-from openfreemaps.utils import (
+from lib.utils import (
    apt_get_autoremove,
    apt_get_install,
    apt_get_purge,
@@ -20,11 +20,18 @@ def pkg_clean(c):
        'ufw',
        'nftables',
        'firewalld',
+        'iptables-persistent',
+        # bloat
+        'ntfs-3g',
+        'popularity-contest',
+        'landscape*',
+        'ubuntu-advantage-tools',
    ]

    apt_get_purge(c, ' '.join(clean_list))
    apt_get_autoremove(c)
    sudo_cmd(c, 'dpkg --list | grep "^rc" | cut -d " " -f 3 | xargs -r dpkg --purge')
+    c.sudo('iptables -L')


 def pkg_base(c):
--- a/openfreemaps/planetiler.py
+++ b/openfreemaps/planetiler.py
@@ -1,5 +1,5 @@
-from openfreemaps.config import templates
-from openfreemaps.utils import apt_get_install, apt_get_update, put
+from lib.config import templates
+from lib.utils import apt_get_install, apt_get_update, put


 PLANETILER_VERSION = '0.7.0'
@@ -12,12 +12,12 @@ def install_planetiler(c):
    apt_get_update(c)
    apt_get_install(c, 'openjdk-17-jdk')

-    c.run('mkdir -p /data/planetiler/bin')
+    c.sudo('mkdir -p /data/planetiler/bin')

-    c.run(
+    c.sudo(
        f'wget -q https://github.com/onthegomap/planetiler/releases/download/v{PLANETILER_VERSION}/planetiler.jar '
        f'-O {PLANETILER_PATH}',
    )

-    c.run(f'java -jar {PLANETILER_PATH} --help')
+    c.sudo(f'java -jar {PLANETILER_PATH} --help')
    put(c, templates / 'planetiler' / 'run_planet.sh', PLANETILER_DIR, permissions='755')
--- a/openfreemaps/utils.py
+++ b/openfreemaps/utils.py
@@ -101,3 +101,45 @@ def apt_get_autoremove(c):

 def get_username(c):
    return c.run('whoami').stdout.strip()
+
+
+def add_user(c, username, passwd=None):
+    # ssh-key login only
+    c.sudo(f'adduser --disabled-password --gecos "" {username}', warn=True)
+    if passwd:
+        c.sudo(f'echo "{username}:{passwd}" | chpasswd')
+
+
+def remove_user(c, username):
+    c.sudo(f'userdel -r {username}', warn=True)
+    c.sudo(f'rm -rf /home/{username}')
+
+
+def enable_sudo(c, username):
+    c.sudo(f'usermod -aG sudo {username}')
+
+
+def ssh_copy_id(c, username, key_file_path):
+    with open(key_file_path) as fp:
+        public_key_str = fp.read()
+
+    if username == 'root':
+        home_dir = '/root'
+    else:
+        home_dir = f'/home/{username}'
+
+    ssh_dir = f'{home_dir}/.ssh'
+
+    c.sudo(f'mkdir -p {ssh_dir}')
+    c.sudo(f'chown {username}:{username} {ssh_dir}')
+
+    put_str(c, f'{ssh_dir}/authorized_keys', public_key_str)
+    set_permission(c, f'{ssh_dir}/authorized_keys', '400', username, username)
+
+
+def setup_time(c):
+    apt_get_install(c, 'dbus')
+
+    c.sudo('timedatectl set-local-rtc 0')
+    c.sudo('timedatectl set-ntp 1')
+    c.sudo('timedatectl set-timezone UTC')
--- a/setup.py
+++ b/setup.py
@@ -6,6 +6,6 @@ requirements = ['fabric', 'ruff']
 setup(
    python_requires='>=3.10',
    install_requires=requirements,
-    name='openfreemaps',
-    packages=['openfreemaps'],
+    name='lib',
+    packages=['lib'],
 )
--- a/templates/nginx/cloudflare.conf
+++ b/templates/nginx/cloudflare.conf
@@ -0,0 +1,30 @@
+# https://www.cloudflare.com/ips/
+
+set_real_ip_from 103.21.244.0/22;
+set_real_ip_from 103.22.200.0/22;
+set_real_ip_from 103.31.4.0/22;
+set_real_ip_from 104.16.0.0/13;
+set_real_ip_from 104.24.0.0/14;
+set_real_ip_from 108.162.192.0/18;
+set_real_ip_from 131.0.72.0/22;
+set_real_ip_from 141.101.64.0/18;
+set_real_ip_from 162.158.0.0/15;
+set_real_ip_from 172.64.0.0/13;
+set_real_ip_from 173.245.48.0/20;
+set_real_ip_from 188.114.96.0/20;
+set_real_ip_from 190.93.240.0/20;
+set_real_ip_from 197.234.240.0/22;
+set_real_ip_from 198.41.128.0/17;
+
+set_real_ip_from 2400:cb00::/32;
+set_real_ip_from 2405:8100::/32;
+set_real_ip_from 2405:b500::/32;
+set_real_ip_from 2606:4700::/32;
+set_real_ip_from 2803:f800::/32;
+set_real_ip_from 2a06:98c0::/29;
+set_real_ip_from 2c0f:f248::/32;
+
+# use any of the following two
+real_ip_header CF-Connecting-IP;
+#real_ip_header X-Forwarded-For;
+