From 36d090cb2b5c061a72f893534dba986d0cbd391c Mon Sep 17 00:00:00 2001
From: Chris Koeritz
Date: Fri, 18 May 2018 21:36:26 -0400
Subject: [PATCH] tore out guts that came from v002 this is lean and mean, and has no really tough content yet. still working on v003, so this script has nothing to remediate yet.
---
.../site_avenger/revamp_cakelampvm_v003.sh | 265 +-----------------
1 file changed, 11 insertions(+), 254 deletions(-)
diff --git a/scripts/site_avenger/revamp_cakelampvm_v003.sh b/scripts/site_avenger/revamp_cakelampvm_v003.sh
index 08cb444e..66e4c89b 100644
--- a/scripts/site_avenger/revamp_cakelampvm_v003.sh
+++ b/scripts/site_avenger/revamp_cakelampvm_v003.sh
@@ -77,6 +77,8 @@ sep
 echo "Making some important permission changes..."
+##############
+ # fix up the main web storage.
 chown -R www-data:www-data /var/www
 test_or_die "chown www-data"
@@ -87,13 +89,15 @@ test_or_die "group_perm www-data"
 # set up access on some important folders for the developer user.
+# set the developer user as uber owner of many things with redeveloper alias.
+# (must have run feisty meow "recustomize" command at some point to enable.)
 redeveloper
 test_or_die "running redeveloper to fix ownership"
-#chown -R developer:developer /home/developer /home/developer/.[a-zA-Z0-9]*
-#test_or_die "chown developer home"
-#harsh_perm /home/developer/.ssh
-#test_or_die "harsh_perm setting on developer .ssh"
+##############
+
+# give the developer control over the apache and bind config files, as well
+# as giving the user ownership of the local feisty meow repository.
 chown -R developer:developer /etc/apache2 /etc/bind
 test_or_die "chown apache2 and bind to developer"
 group_perm /etc/apache2 /etc/bind
@@ -105,7 +109,7 @@ test_or_die "group perms on feisty meow"
 ##############
-echo "...done with important permission changes."
+echo "...done with permission changes."
 ##############
 #
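Review bot: The comment added above `chown -R developer:developer /etc/apache2 /etc/bind` explains the intent but not the trust consequence: apache and bind are root-started system services that load this configuration, so a developer account able to rewrite it becomes root-equivalent for both services on this machine. That may be the right trade-off for a development appliance, but it belongs in the comment where the next maintainer will read it, e.g. `# NOTE: this makes the developer account root-equivalent for apache and bind config; acceptable only on a single-user dev VM.` The other new comment states a precondition for `redeveloper` (recustomize must have been run) that nothing checks; placing `type redeveloper >/dev/null 2>&1` before the call, followed by the file's usual `test_or_die "redeveloper not available -- run recustomize first"`, would fail early with a clear message, assuming test_or_die tests the previous exit status as the surrounding calls suggest. The `redeveloper` and `chown` lines are context, and the enclosing permissions section continues outside this hunk.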
@@ -113,260 +117,13 @@ echo "...done with important permission changes." # best possible shape without needing to re-release it. # ############## - -sep - -echo "Updating developer welcome file." - -# only update hello if they've still got the file there. we don't want to -# keep forcing our hellos at people. -if [ -f "$HOME/hello.txt" ]; then - # copy the most recent hello file into place for the user. - \cp -f "$FEISTY_MEOW_APEX/production/sites/cakelampvm.com/hello.txt" "$HOME" - test_or_continue "copying hello file for user" -fi - -############## - -# install a better editor app. - -#sep - -#echo "The script is about to install the bluefish editor and some dependencies. -#If the app is not already installed, then this process takes about one minute -#on a slow home DSL internet connection..." - -#apt-get install -y bluefish &> "/tmp/install_bluefish-$(logname).log" -#test_or_continue "installing bluefish editor" - -############## - -# deploy any site updates here to the VM's cakelampvm.com site. -# -# we want to upgrade the default apache site to the latest, since the new -# version mirrors the one on the internet (but with green checks instead -# of red X's) and since we also support https on the new default version. -# we can do this again later if needed, by upping the numbers on the apache -# site config files. our original site was 000 and the new version is 001, -# which we've done as a prefix on the config for some reason. makes the -# code below easy at least. -if [ -L /etc/apache2/sites-enabled/000-default.conf ]; then - - sep - - # the old site is in place still, so let's update that. - echo "Updating default web sites to latest version." 
- - a2enmod ssl - test_or_die "enabling SSL for secure websites" - - restart_apache - test_or_die "getting SSL loaded in apache" - - a2dissite 000-default - test_or_die "disabling old apache site" - - rm -f /etc/apache2/sites-available/000-default.conf - test_or_die "removing old apache site" - - # copy in our new version of the default page. -#hmmm: would be nice if this worked without mods for any new version, besides just 001. see apache env var file below for example implem. - \cp -f $FEISTY_MEOW_APEX/production/sites/cakelampvm.com/rolling/default_page.001/* \ - /etc/apache2/sites-available - test_or_die "installing new apache default sites" - - # there should only be ours at this version level and with that prefix. - a2ensite 001-* - test_or_die "enabling new apache default sites" - - restart_apache -fi - -############## - -# fix up the apache site so that HSTS is disabled. otherwise we can't view -# the https site for cakelampvm.com once the domain name switch has occurred. - -sep - -# we operate only on our own specialized tls conf file. hopefully no one has messed with it besides revamp. -# note the use of the character class :blank: below to match spaces or tabs. -search_replace "^[[:blank:]]*Header always set Strict-Transport-Security.*" "# not good for cakelampvm.com -- Header always set Strict-Transport-Security \"max-age=63072000; includeSubdomains;\"" /etc/apache2/conf-library/tls-enabling.conf -if [ $? -ne 0 ]; then - echo the apache tls-enabling.conf file seems to have already been patched to disable strict transport security. -else - restart_apache - echo successfully patched the apache tls-enabling.conf file to disable strict transport security. -fi - -############## - -# fix up bind so that we think of any address with cakelampvm.com on the end -# as being on the vm. this is already true for some specific sites, but we -# want the wildcard enabled to ease the use of DNS for windows folks. 
- -sep - -grep -q "\*[[:blank:]]*IN A[[:blank:]]*10.28.42.20" /etc/bind/cakelampvm.com.conf -if [ $? -eq 0 ]; then - # already present. - echo the bind settings for wildcard domains off of cakelampvm.com seems to already be present. -else - echo " - - -;;;;;; - -; our bind magic, a wildcard domain, for all other sites with cakelampvm.com -; in the domain. this forces any other sites besides the ones above to route -; to the actual vm IP address, which currently is singular and very fixated. -* IN A 10.28.42.20 - IN HINFO \"linux vm\" \"ubuntu\" - -;;;;;; - - - -" >> /etc/bind/cakelampvm.com.conf - restart_bind - echo "successfully added wildcard domains to the cakelampvm.com bind configuration." -fi - -############## - -# fix samba configuration for screwy default of read-only in user homes. -# why cripple a necessary feature by default? - -sep - -pattern="[#;][[:blank:]]*read only = yes" -replacement="read only = no" - -# we just always do the replacement now rather than making it conditional, -# after realizing the sentinel pattern was actually already in the file... -# too much subtlety can get one into trouble. -sed -i "0,/$pattern/{s/$pattern/$replacement/}" /etc/samba/smb.conf -test_or_die "patching samba configuration to enable write acccess on user home dirs" -echo successfully patched the samba configuration to enable writes on user home directories. - -# add in a disabling of the archive bit mapping feature, which hoses up the execute bit -# in an attempt to save the sad old DOS archive bit across the samba connection. -grep -q "map archive" /etc/samba/smb.conf -# if the phrase wasn't found, we need to add it. -if [ $? -ne 0 ]; then - sed -i "s/\[global\]/\[global\]\n\nmap archive = no/" /etc/samba/smb.conf - test_or_die "patching samba configuration to turn off archive bit mapping feature" - echo Successfully fixed Samba to not use the archive bit mapping feature. -fi - -# sweet, looks like that worked... 
-restart_samba - ############## -# add the latest version of the cakelampvm environment variables for apache. - -sep - -# drop existing file, if already configured. ignore errors. -a2disconf env_vars_cakelampvm &>/dev/null - -# plug in the new version, just stomping anything there. -# note: we only expect to have one version of the env_vars dir at a time in place in feisty... -\cp -f $FEISTY_MEOW_APEX/production/sites/cakelampvm.com/rolling/env_vars.*/env_vars_cakelampvm.conf /etc/apache2/conf-available -test_or_die "copying environment variables file into place" - -# enable the new version of the config file. -a2enconf env_vars_cakelampvm -test_or_die "enabling the new cakelampvm environment config for apache" - -echo Successfully configured the apache2 environment variables needed for cakelampvm. +#thing 1 ############## -# add in a swap mount if not already configured. - -sep - -# we will only add swap now if explicitly asked for it. this is to avoid creating -# a swap file where the vm is running on an SSD, since that can use up the SSD's lifespan -# too quickly. -if [ ! -z "$ADD_SWAP" ]; then - echo "Checking existing swap partition configuration. -" - - # check for existing swap. - free | grep -q "Swap:[[:blank:]]*[1-9][0-9]" - if [ $? -ne 0 ]; then - # no swap in current session, so add it. - echo "Enabling ramdisk swap partition... -" - add_swap_mount - echo " -Enabled ramdisk swap partition for current boot session." - fi - - # the above just gives this session a swap partition, but we want to have - # the vm boot with one also. - - # check if there is already swap mentioned in the root crontab. we will get root's - # crontab below since this script has to run as sudo. - crontab -l | grep -iq add_swap_mount - if [ $? -ne 0 ]; then - # no existing swap setup in crontab, so add it. - echo " -Adding a boot-time ramdisk swap partition... -" - # need to do it carefully, since sed won't add lines to a null file. 
we thus - # create a temporary file to do our work in and ignore sed as a tool for this. - tmpfile="$(mktemp junk.XXXXXX)" - crontab -l 2>/dev/null >"$tmpfile" - echo " -# need to explicitly set any variables we will use. -FEISTY_MEOW_APEX=${FEISTY_MEOW_APEX} -# add swap space to increase memory available. -@reboot bash $FEISTY_MEOW_APEX/scripts/system/add_swap_mount.sh -" >>"$tmpfile" - # now install our new version of the crontab. - crontab "$tmpfile" - rm "$tmpfile" - - echo " -Added boot-time ramdisk swap partition to crontab for root." - fi -fi - -############## - -sep - -echo Adding site avenger packages to composer. -# add in site avenger dependencies so we can build avcore properly. -pushd ~ &>/dev/null -sudo -u $(logname) composer config -g repositories.siteavenger composer https://packages.siteavenger.com/ -popd &>/dev/null - -############## - -# make the apache umask set group permissions automatically, so we stop having weird -# permission issues on temp dirs. - -sep - -grep -q "umask" /etc/apache2/envvars -if [ $? -eq 0 ]; then - # already present. - echo the umask configuration for apache already appears to be set. -else - echo " - -# set umask to enable group read/write on files and directories. -umask 002 - -" >> /etc/apache2/envvars - restart_apache - echo "successfully changed apache umask configuration to enable group read/write" -fi +#thing 2 ############## ############## -- 2.34.1
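Review bot: The placeholders `#thing 1` and `#thing 2` that replace the removed remediation steps do not tell a later reader what they stand for or whether the section is intentionally empty. Since the commit message says v003 has nothing to remediate yet, record that in the file instead, e.g. `# TODO(v003): no remediation steps yet; add them here as v003 changes accumulate.` The first context lines of the hunk (`# best possible shape without needing to re-release it.`) are the tail of a comment block that begins before the hunk, so that block now introduces two empty sections and could be reworded to match.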