rename

2026-05-21 14:02:15 +00:00 · 2023-12-05 21:06:29 +01:00
parent 2fbfe15b85
commit fab71939ad
11 changed files with 17 additions and 17 deletions
--- a/ssh_lib/init.py
+++ b/ssh_lib/init.py
--- a/ssh_lib/config.py
+++ b/ssh_lib/config.py
@@ -0,0 +1,5 @@
+from pathlib import Path
+
+
+base = Path(__file__).parent.parent
+templates = base / 'templates'
--- a/ssh_lib/dns.py
+++ b/ssh_lib/dns.py
@@ -0,0 +1,29 @@
+import time
+
+from ssh_lib.utils import apt_get_purge, exists, put_str
+
+
+def setup_dns(c):
+    if exists(c, '/etc/network/interfaces'):
+        c.sudo("sed -i '/dns-nameservers/d' /etc/network/interfaces")
+
+    apt_get_purge(c, 'resolvconf')
+    c.sudo('rm -rf /etc/resolvconf')
+
+    c.sudo('systemctl stop systemd-resolved')
+    c.sudo('systemctl disable systemd-resolved')
+
+    print('chattr -i')
+    c.sudo('chattr -i /etc/resolv.conf', warn=True)
+    c.sudo('rm -f /etc/resolv.conf')
+    put_str(
+        c,
+        '/etc/resolv.conf',
+        'nameserver 1.1.1.1\nnameserver 1.0.0.1\nnameserver 2606:4700:4700::1111\nnameserver 2606:4700:4700::1001',
+    )
+    time.sleep(1)
+    print('chattr +i')
+    c.sudo('chattr +i /etc/resolv.conf')
+
+    apt_get_purge(c, 'bind9*')
+    c.sudo('rm -rf /var/cache/bind')
--- a/ssh_lib/kernel.py
+++ b/ssh_lib/kernel.py
@@ -0,0 +1,21 @@
+from ssh_lib.config import templates
+from ssh_lib.utils import apt_get_install, apt_get_purge, put, put_str
+
+
+def setup_kernel_settings(c):
+    put(c, f'{templates}/sysctl/60-optim.conf', '/etc/sysctl.d/')
+
+
+def set_cpu_governor(c):
+    apt_get_install(c, 'cpufrequtils')
+    apt_get_purge(c, 'linux-tools-*')
+    # c.run('systemctl disable ondemand') # not working on 22
+
+    put_str(
+        c,
+        '/etc/default/cpufrequtils',
+        'GOVERNOR="performance"',
+    )
+
+    # check after reboot
+    # cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor
--- a/ssh_lib/nginx.py
+++ b/ssh_lib/nginx.py
@@ -0,0 +1,62 @@
+from ssh_lib.config import templates
+from ssh_lib.utils import (
+    apt_get_install,
+    apt_get_purge,
+    apt_get_update,
+    exists,
+    put,
+    put_str,
+    sudo_cmd,
+    ubuntu_codename,
+)
+
+
+def nginx(c):
+    codename = ubuntu_codename(c)
+
+    if not exists(c, '/usr/sbin/nginx'):
+        put_str(
+            c,
+            '/etc/apt/sources.list.d/nginx.list',
+            f'deb http://nginx.org/packages/mainline/ubuntu {codename} nginx',
+        )
+        sudo_cmd(
+            c,
+            'wget --quiet -O - http://nginx.org/keys/nginx_signing.key | apt-key add -',
+        )
+        apt_get_update(c)
+        apt_get_install(c, 'nginx')
+
+    c.sudo('rm -rf /data/nginx/config')
+    c.sudo('mkdir -p /data/nginx/config')
+
+    c.sudo('rm -rf /data/nginx/logs')
+    c.sudo('mkdir -p /data/nginx/logs')
+
+    c.sudo('mkdir -p /data/nginx/sites')
+
+    if not exists(c, '/etc/nginx/ssl/dummy.crt'):
+        c.sudo('mkdir -p /etc/nginx/ssl')
+        c.sudo(
+            'openssl req -x509 -nodes -days 365 -newkey rsa:2048 '
+            '-keyout /etc/nginx/ssl/dummy.key -out /etc/nginx/ssl/dummy.crt '
+            '-subj "/C=US/ST=Dummy/L=Dummy/O=Dummy/CN=example.com"'
+        )
+
+    put(c, f'{templates}/nginx/nginx.conf', '/etc/nginx/')
+    put(c, f'{templates}/nginx/default_disable.conf', '/data/nginx/sites')
+    put(c, f'{templates}/nginx/cloudflare.conf', '/data/nginx/config')
+
+    c.sudo('service nginx restart')
+
+
+def certbot(c):
+    # https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx
+    apt_get_install(c, 'snapd')
+    c.sudo('snap install core', warn=True)
+    c.sudo('snap refresh core', warn=True)
+
+    apt_get_purge(c, 'certbot')
+    c.sudo('snap install --classic certbot', warn=True)
+    c.sudo('snap set certbot trust-plugin-with-root=ok')
+    c.sudo('snap install certbot-dns-cloudflare')
--- a/ssh_lib/pkg_base.py
+++ b/ssh_lib/pkg_base.py
@@ -0,0 +1,38 @@
+from ssh_lib.utils import (
+    apt_get_autoremove,
+    apt_get_install,
+    apt_get_purge,
+    apt_get_update,
+    sudo_cmd,
+)
+
+
+def pkg_upgrade(c):
+    apt_get_update(c)
+    c.sudo(
+        'DEBIAN_FRONTEND=noninteractive apt-get dist-upgrade -y -o Dpkg::Options::="--force-confold"'
+    )
+
+
+def pkg_clean(c):
+    clean_list = [
+        # firewalls
+        'ufw',
+        'nftables',
+        'firewalld',
+        'iptables-persistent',
+        # bloat
+        'ntfs-3g',
+        'popularity-contest',
+        'landscape*',
+        'ubuntu-advantage-tools',
+    ]
+
+    apt_get_purge(c, ' '.join(clean_list))
+    apt_get_autoremove(c)
+    sudo_cmd(c, 'dpkg --list | grep "^rc" | cut -d " " -f 3 | xargs -r dpkg --purge')
+    c.sudo('iptables -L')
+
+
+def pkg_base(c):
+    apt_get_install(c, 'python3 nload iftop')
--- a/ssh_lib/planetiler.py
+++ b/ssh_lib/planetiler.py
@@ -0,0 +1,25 @@
+from ssh_lib.config import templates
+from ssh_lib.utils import apt_get_install, apt_get_update, put
+
+
+PLANETILER_VERSION = '0.7.0'
+
+PLANETILER_DIR = '/data/planetiler/bin'
+PLANETILER_PATH = f'{PLANETILER_DIR}/planetiler.jar'
+
+
+def install_planetiler(c):
+    apt_get_update(c)
+    apt_get_install(c, 'openjdk-17-jdk')
+
+    c.sudo('mkdir -p /data/planetiler/bin')
+
+    c.sudo(
+        f'wget -q https://github.com/onthegomap/planetiler/releases/download/v{PLANETILER_VERSION}/planetiler.jar '
+        f'-O {PLANETILER_PATH}',
+    )
+
+    c.sudo(f'java -jar {PLANETILER_PATH} --help')
+    put(c, templates / 'planetiler' / 'run_planet.sh', PLANETILER_DIR, permissions='755')
+
+    c.sudo('chown -R ofm:ofm /data/planetiler')
--- a/ssh_lib/utils.py
+++ b/ssh_lib/utils.py
@@ -0,0 +1,145 @@
+import os
+import secrets
+import string
+
+
+def put(c, local_path, remote_path, permissions=None, owner='root', group=None):
+    tmp_path = f'/tmp/fabtmp_{random_string(8)}'
+    c.put(local_path, tmp_path)
+
+    if is_dir(c, remote_path):
+        if not remote_path.endswith('/'):
+            remote_path += '/'
+
+        filename = os.path.basename(local_path)
+        remote_path += filename
+
+    c.sudo(f"mv '{tmp_path}' '{remote_path}'")
+    c.sudo(f"rm -rf '{tmp_path}'")
+
+    set_permission(c, remote_path, permissions, owner, group)
+
+
+def put_str(c, remote_path, str_):
+    tmp_file = 'tmp.txt'
+    with open(tmp_file, 'w') as outfile:
+        outfile.write(str_ + '\n')
+    put(c, tmp_file, remote_path)
+    os.remove(tmp_file)
+
+
+def append_str(c, remote_path, str_):
+    tmp_path = f'/tmp/fabtmp_{random_string(8)}'
+    put_str(c, tmp_path, str_)
+
+    sudo_cmd(c, f"cat '{tmp_path}' >> '{remote_path}'")
+    c.sudo(f'rm -f {tmp_path}')
+
+
+def sudo_cmd(c, cmd):
+    cmd = cmd.replace('"', '\\"')
+    c.sudo(f'bash -c "{cmd}"')
+
+
+def set_permission(c, path, permissions=None, owner=None, group=None):
+    if owner:
+        if not group:
+            group = owner
+
+        c.sudo(f"chown {owner}:{group} '{path}'")
+
+    if permissions:
+        c.sudo(f"chmod {permissions} '{path}'")
+
+
+def reboot(c):
+    print('Rebooting')
+    try:
+        c.sudo('reboot')
+    except Exception:
+        pass
+
+
+def exists(c, path):
+    return c.sudo(f"test -e '{path}'", hide=True, warn=True).ok
+
+
+def is_dir(c, path):
+    return c.sudo(f"test -d '{path}'", hide=True, warn=True).ok
+
+
+def random_string(length):
+    return ''.join(secrets.choice(string.ascii_uppercase + string.digits) for _ in range(length))
+
+
+def ubuntu_release(c):
+    return c.run('lsb_release -rs').stdout.strip()[:2]
+
+
+def ubuntu_codename(c):
+    return c.run('lsb_release -cs').stdout.strip()
+
+
+def apt_get_update(c):
+    c.sudo('apt-get update')
+
+
+def apt_get_install(c, pkgs, warn=False):
+    c.sudo(
+        f'DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends {pkgs}',
+        warn=warn,
+    )
+
+
+def apt_get_purge(c, pkgs):
+    c.sudo(f'DEBIAN_FRONTEND=noninteractive apt-get purge -y {pkgs}')
+
+
+def apt_get_autoremove(c):
+    c.sudo('DEBIAN_FRONTEND=noninteractive apt-get autoremove -y')
+
+
+def get_username(c):
+    return c.run('whoami').stdout.strip()
+
+
+def add_user(c, username, passwd=None):
+    # ssh-key login only
+    c.sudo(f'adduser --disabled-password --gecos "" {username}', warn=True)
+    if passwd:
+        c.sudo(f'echo "{username}:{passwd}" | chpasswd')
+
+
+def remove_user(c, username):
+    c.sudo(f'userdel -r {username}', warn=True)
+    c.sudo(f'rm -rf /home/{username}')
+
+
+def enable_sudo(c, username):
+    c.sudo(f'usermod -aG sudo {username}')
+
+
+def ssh_copy_id(c, username, key_file_path):
+    with open(key_file_path) as fp:
+        public_key_str = fp.read()
+
+    if username == 'root':
+        home_dir = '/root'
+    else:
+        home_dir = f'/home/{username}'
+
+    ssh_dir = f'{home_dir}/.ssh'
+
+    c.sudo(f'mkdir -p {ssh_dir}')
+    c.sudo(f'chown {username}:{username} {ssh_dir}')
+
+    put_str(c, f'{ssh_dir}/authorized_keys', public_key_str)
+    set_permission(c, f'{ssh_dir}/authorized_keys', '400', username, username)
+
+
+def setup_time(c):
+    apt_get_install(c, 'dbus')
+
+    c.sudo('timedatectl set-local-rtc 0')
+    c.sudo('timedatectl set-ntp 1')
+    c.sudo('timedatectl set-timezone UTC')