This cookbook aims to normalize the setup of a fresh server, set sane defaults for global settings, and work with various initial environments (tested on EC2 images, Hetzner "minimal" installations, and debootstrap-created LXC images). At the moment it supports only Ubuntu; Debian support is planned.
This cookbook is developed on GitHub at https://github.com/3ofcoins/chef-cookbook-sanitize
Depends on the following cookbooks:

- apt
- chef-client
- iptables
- `sanitize.iptables` -- if false, does not install and configure iptables; defaults to true.
- `sanitize.ip6tables` -- if false, does not install base ip6tables rules along with iptables; defaults to true.
- `sanitize.keep_access` -- if true, don't disable direct access users (the `ubuntu` user or the root password); defaults to false.
- `sanitize.ports` -- if `sanitize.iptables` is true, specifies TCP ports to open. It is a dictionary where keys are port numbers or service names, and values can be:
  - `true` -- open the port for any source address
  - `false` -- don't open the port
  - a string -- will be used as the `--src` argument to `iptables`
  - an array of strings -- for many different `--src` entries
  - TODO: it should be possible to specify a node search query

  If the key is a list of ports (`port,port`) or a range (`port1:port2`), then the `multiport` iptables module will be used. If the value is `true` and `sanitize.ip6tables` is `true`, the port will also be opened in ip6tables; ip6tables treats strings as false. Default:

  ```ruby
  default['sanitize']['ports']['ssh'] = true
  ```
- `sanitize.accept_interfaces` -- if `sanitize.iptables` is true, specifies interfaces on which to unconditionally accept traffic. It should be a dictionary where the key is the interface name and the value is true to accept traffic, or false to not accept (which lets you override `true` values). Default:

  ```ruby
  default['sanitize']['accept_interfaces']['lo'] = true
  ```
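The following is an added illustration, not the cookbook's own code: it renders the iptables and ip6tables rules that the `sanitize.ports` and `sanitize.accept_interfaces` semantics above imply, so you can see how key formats (single port, `port,port` list, `port1:port2` range) and value types (`true`, `false`, string, array) map to rules. The exact rule text (INPUT chain, ACCEPT target) is an assumption; the cookbook's real templates may differ.

```ruby
# Added illustration (not the cookbook's own code): render the iptables and
# ip6tables rules implied by the sanitize.ports and sanitize.accept_interfaces
# semantics. The rule text (INPUT chain, ACCEPT target) is an assumption.

# "port,port" lists and "port1:port2" ranges use the multiport module.
def port_match(key)
  key = key.to_s
  if key.include?(',') || key.include?(':')
    "-m multiport --dports #{key}"
  else
    "--dport #{key}"
  end
end

# Returns { iptables: [...], ip6tables: [...] } as arrays of rule strings.
def render_firewall_rules(ports, accept_interfaces = {}, ip6tables: true)
  v4 = []
  v6 = []
  # Interfaces set to true are accepted unconditionally; false entries are
  # skipped (a false value lets a role override a true default).
  accept_interfaces.each do |iface, accept|
    next unless accept
    v4 << "-A INPUT -i #{iface} -j ACCEPT"
    v6 << "-A INPUT -i #{iface} -j ACCEPT" if ip6tables
  end
  ports.each do |key, value|
    match = port_match(key)
    case value
    when true
      v4 << "-A INPUT -p tcp #{match} -j ACCEPT"
      # only a plain `true` opens the port in ip6tables as well
      v6 << "-A INPUT -p tcp #{match} -j ACCEPT" if ip6tables
    when false, nil
      next
    when String
      # a string is a single --src restriction; ip6tables treats it as false
      v4 << "-A INPUT -p tcp #{match} --src #{value} -j ACCEPT"
    when Array
      # one rule per source entry
      value.each { |src| v4 << "-A INPUT -p tcp #{match} --src #{src} -j ACCEPT" }
    else
      raise ArgumentError, "unsupported value for port #{key}: #{value.inspect}"
    end
  end
  { iptables: v4, ip6tables: v6 }
end
```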
- `sanitize.apt_repositories` -- dictionary of APT repositories to add. The key is the repository name; the value is the remaining attributes of the `apt_repository` resource provided by the `apt` cookbook (see http://community.opscode.com/cookbooks/apt). If you set `distribution` to `"lsb_codename"`, the `node['lsb']['codename']` attribute will be used instead. Ubuntu's PPAs can be specified as a simple string, or as a `ppa` key; the second form allows for customizing some of the attributes.

  ```ruby
  :sanitize => {
    :apt_repositories => {
      :percona => {
        :uri => 'http://repo.percona.com/apt',
        :distribution => 'lsb_codename',
        :components => [ 'main' ],
        :deb_src => true,
        :keyserver => 'hkp://keys.gnupg.net',
        :key => '1C4CBDCDCD2EFD2A'
      },
      :ruby_ng => 'ppa:brightbox/ruby-ng',
      :nginx => {
        :ppa => 'nginx/stable',
        :distribution => 'precise' # force distribution regardless of lsb.codename
      }
    }
  }
  ```
- `sanitize.install_packages` -- a list of packages to install on all machines; defaults to an empty list.
- `sanitize.locale.default="en_US.UTF-8"`, `sanitize.locale.available=[]` -- list of locales to make available on the server, and the locale to set as default.
Include `recipe[sanitize]` in your run list after your user accounts are created and sudo and ssh are configured, and otherwise as early as possible. In particular, if you use the `omnibus_updater` cookbook, it should come after `sanitize` in the run list.
This is the default "base settings" setup. It should be called after shell user accounts and sudo are configured, as it locks the default login user and direct root access.

- Deletes the `ubuntu` system user
- Locks the system password for the `root` user (assumes that only sudo is used to elevate privileges)
- Ensures all FHS-provided directories exist by creating some that have been found missing on some installations (namely `/opt`)
- Sets the locale to `en_US.UTF-8`, generates this locale, and sets the time zone to UTC
- Deletes annoying `motd.d` files
- Installs vim and sets it as the default system editor
- Installs and configures iptables, opens the SSH port (optional, but enabled by default)
- Installs the `can-has` command as a symlink to `apt-get`
- Runs `chef-client::config`
Plans for the future, in no particular order:

- Depend on and include `openssh-server`; configure SSH known hosts, provide sane SSH server and client configuration defaults
- Provide hooks (definitions / LWRP / library) for other cookbooks for commonly used facilities, such as opening up common ports, "backend" http service, SSL keys management, maybe some other "library" functions like helpers for encrypted data bags
- Test with test-kitchen