Adding Vagrantfile and automated doorman provisioning
Javier Marcos committed Aug 17, 2016
1 parent 590da8e commit 718e945
Showing 8 changed files with 496 additions and 0 deletions.
7 changes: 7 additions & 0 deletions .gitignore
Expand Up @@ -161,3 +161,10 @@ database/
doorman/static/css/bootstrap.css
doorman/static/libs/
doorman/static/public/

# Vagrant artifacts
.vagrant

# Avoid commiting secrets
certificate.crt
private.key
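--- /dev/null
+++ b/Vagrantfile
@@ -0,0 +1,23 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+VAGRANTFILE_API_VERSION = "2"
+
+Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
+config.vm.define :doorman_server do |doorman_server|
+doorman_server.vm.box = "ubuntu/trusty64"
+doorman_server.vm.hostname = "doorman"
+doorman_server.ssh.shell = "bash -c 'BASH_ENV=/etc/profile exec bash'"
+doorman_server.vm.provision "shell",
+path: "tools/provision.sh",
+preserve_order: true,
+privileged: false
+doorman_server.vm.network :private_network, ip: "10.11.22.33"
+doorman_server.vm.provider :virtualbox do |v|
+v.customize ["modifyvm", :id, "--natdnshostresolver1", "on"]
+v.customize ["modifyvm", :id, "--memory", 4096]
+v.customize ["modifyvm", :id, "--cpus", 2]
+v.customize ["modifyvm", :id, "--name", "doorman_server"]
+end
+end
+end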
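--- /dev/null
+++ b/tools/lib.sh
@@ -0,0 +1,132 @@
+#!/bin/bash
+
+# doorman: Functions for provisioning scripts in Ubuntu/CentOS
+#
+
+function log() {
+echo "[+] - $1"
+}
+
+function error() {
+echo "[!] - $1"
+exit 1
+}
+
+function set_motd() {
+python -mplatform | grep -qi "Ubuntu" && set_motd_ubuntu || log "Not ready for CentOS"
+}
+
+function set_motd_ubuntu() {
+# If the cloudguest MOTD exists, disable it
+if [[ -f /etc/update-motd.d/51/cloudguest ]]; then
+sudo chmod -x /etc/update-motd.d/51-cloudguest
+fi
+sudo cp /vagrant/tools/motd-doorman.sh /etc/update-motd.d/10-help-text
+}
+
+function activate_repos() {
+python -mplatform | grep -qi "Ubuntu" && sudo apt-get update || log "No apt-get for CentOS"
+}
+
+function package() {
+python -mplatform | grep -qi "Ubuntu" && package_ubuntu $1 || package_centos $1
+}
+
+function package_ubuntu() {
+if [[ -n "$(dpkg --get-selections | grep -w "^$1$")" ]]; then
+log "$1 is already installed. skipping."
+else
+log "Installing $1"
+sudo DEBIAN_FRONTEND=noninteractive apt-get install $1 -y --no-install-recommends
+fi
+}
+
+function package_centos() {
+if [[ -n "$(rpm -qa | grep -w "^$1$")" ]]; then
+log "$1 is already installed. skipping."
+else
+log "Installing $1"
+sudo yum -y install $1
+fi
+}
+
+function repo_osquery() {
+python -mplatform | grep -qi "Ubuntu" && repo_osquery_ubuntu $1 || repo_osquery_centos $1
+}
+
+function repo_osquery_ubuntu() {
+log "Adding osquery repository keys"
+sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
+log "Adding osquery repository"
+sudo add-apt-repository "deb [arch=amd64] https://osquery-packages.s3.amazonaws.com/trusty trusty main"
+}
+
+function repo_osquery_centos() {
+log "Adding osquery repository"
+sudo rpm -ivh https://osquery-packages.s3.amazonaws.com/centos7/noarch/osquery-s3-centos7-repo-1-0.0.noarch.rpm
+}
+
+function repo_postgresql_ubuntu() {
+log "Adding PostgreSQL repository keys"
+wget --quiet -O - https://postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -
+log "Adding PostgreSQL repository"
+sudo add-apt-repository "deb https://apt.postgresql.org/pub/repos/apt/ trusty-pgdg main" -y
+}
+
+function self_signed_cert() {
+local __dir=$1
+local __cert="$__dir/certificate.crt"
+local __key="$__dir/private.key"
+local __subj="/C=US/O=doorman/CN=localhost"
+
+log "Setting up server SSL certificates"
+sudo mkdir -p $__dir
+log "Generating doorman key: $__key"
+sudo openssl genrsa -out $__key 2048
+log "Generating doorman certificate: $__cert"
+sudo openssl req -x509 -new -nodes -key $__key -days 365 -out $__cert -subj $__subj
+}
+
+function own_cert() {
+local __cert=$1
+local __key=$2
+local __dir=$3
+
+log "Using own certificate ($__cert) and key ($__key)"
+sudo cp "$__cert" "$__dir/certificate.crt"
+sudo cp "$__key" "$__dir/private.key"
+}
+
+function letsencrypt_cert() {
+local __email=$1
+local __domain=$2
+local __dir=$3
+
+dl "https://dl.eff.org/certbot-auto" /usr/bin/certbot-auto
+sudo chmod a+x /usr/bin/certbot-auto
+/usr/bin/certbot-auto certonly -n --agree-tos --standalone --standalone-supported-challenges tls-sni-01 -m "$__email" -d "$__domain"
+sudo ln -s "/etc/letsencrypt/live/$__domain/cert.pem" "$__cert"
+sudo ln -s "/etc/letsencrypt/live/$__domain/privkey.pem" "$__key"
+}
+
+function setup_postgresql() {
+local __path=$1
+local __port=$2
+local __owner=$3
+
+log "PostgreSQL permissions"
+sudo cp tools/pg_hba.conf /etc/postgresql/9.4/main/pg_hba.conf
+sudo su - $__owner -c 'service postgresql restart'
+log "Setting up PostgreSQL in $__path, on port $__port"
+sudo mkdir -p $__path
+sudo chown $__owner.$__owner $__path
+sudo su - $__owner -c "/usr/lib/postgresql/9.4/bin/initdb $__path"
+sudo su - $__owner -c "/usr/lib/postgresql/9.4/bin/pg_ctl -D $__path -l $__path/pg.log -o -p$__port start"
+sudo su - $__owner -c "/usr/lib/postgresql/9.4/bin/createdb -h localhost -p $__port doorman"
+}
+
+function setup_nginx() {
+log "Setting up nginx as proxy"
+sudo cp /vagrant/tools/nginx.conf /etc/nginx/sites-available/default
+sudo service nginx restart
+}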
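Review bot: `letsencrypt_cert` passes `$__cert` and `$__key` to its two `sudo ln -s` calls, but neither variable is assigned in that function (they are locals of `self_signed_cert` and `own_cert`), so both links get an empty link name and the function fails; add `local __cert="$__dir/certificate.crt"` and `local __key="$__dir/private.key"` after `local __dir=$3`, mirroring `self_signed_cert`. The same function calls `dl`, which is not defined in this file — if it is provided by the provisioning script that sources lib.sh, a comment naming that dependency would help. In `set_motd_ubuntu` the test path `/etc/update-motd.d/51/cloudguest` does not match the path handed to `chmod` (`51-cloudguest`), so the cloudguest MOTD is never disabled. In `self_signed_cert` the private key's mode is left to openssl and the root umask; a `sudo chmod 600 "$__key"` after `genrsa` pins it, and the unquoted `$__dir`/`$__key`/`$__path` expansions in this and `setup_postgresql` break on paths containing spaces.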
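--- /dev/null
+++ b/tools/motd-doorman.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+printf " _ \n"
+printf " | | \n"
+printf " __| | ___ ___ _ __ _ __ ___ __ _ _ __ \n"
+printf " / _\` |/ _ \\ / _ \\| '__| '_ \` _ \\ / _\` | '_ \\ \n"
+printf " | (_| | (_) | (_) | | | | | | | | (_| | | | | \n"
+printf " \\__,_|\\___/ \\___/|_| |_| |_| |_|\\__,_|_| |_| \n"
+printf " \n"
+printf " \n"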
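--- /dev/null
+++ b/tools/nginx.conf
@@ -0,0 +1,12 @@
+server {
+listen 80;
+
+location / {
+proxy_pass https://127.0.0.1:5000;
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection 'upgrade';
+proxy_set_header Host $host;
+proxy_cache_bypass $http_upgrade;
+}
+}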
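Review bot: The only listener is `listen 80;`, so browser traffic to the doorman UI is accepted in cleartext even though the backend on 127.0.0.1:5000 already serves TLS and `self_signed_cert` in tools/lib.sh generates a certificate for exactly this host. Consider `listen 443 ssl;`, `ssl_certificate /opt/doorman/certificate.crt;` and `ssl_certificate_key /opt/doorman/private.key;` — the path that `--tls_server_certs` in tools/osquery.flags already expects, assuming provision.sh passes that directory to `self_signed_cert` (it is not visible in this commit) — and either drop the port-80 server or make it a redirect. The proxied request also lacks `proxy_set_header X-Forwarded-Proto $scheme;`, so the application cannot tell whether the client arrived over HTTPS when it builds redirects or marks cookies secure.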
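--- /dev/null
+++ b/tools/osquery.flags
@@ -0,0 +1,25 @@
+--pidfile=/tmp/osquery.pid
+--host_identifier=uuid
+--database_path=/tmp/osquery.db
+--config_plugin=tls
+--config_tls_endpoint=/config
+--config_tls_refresh=10
+--config_tls_max_attempts=3
+--enroll_tls_endpoint=/enroll
+--enroll_secret_env=ENROLL_SECRET
+--disable_distributed=false
+--distributed_plugin=tls
+--distributed_interval=10
+--distributed_tls_max_attempts=3
+--distributed_tls_read_endpoint=/distributed/read
+--distributed_tls_write_endpoint=/distributed/write
+--logger_plugin=tls
+--logger_tls_endpoint=/log
+--logger_tls_period=5
+--tls_hostname=localhost:5000
+--tls_server_certs=/opt/doorman/certificate.crt
+--log_result_events=false
+--pack_delimiter=/
+--utc
+--verbose
+--tls_dump=true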
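Review bot: `--tls_dump=true` together with `--verbose` makes osqueryd print every TLS request and response body — including the enrollment request that carries the enroll secret and the node_key returned by `/enroll` — to stderr, where it lands in whatever captures the daemon's output. That is handy while debugging the doorman endpoints but should not be the shipped default; drop `--tls_dump=true` (and `--verbose`) or mark them as debug-only. `--database_path=/tmp/osquery.db` and `--pidfile=/tmp/osquery.pid` place the state store and pidfile in world-writable /tmp, so any local user can pre-create or replace them; a root-owned directory such as osquery's default under /var/osquery is safer. `--tls_hostname=localhost:5000` talks to the backend directly and bypasses the nginx proxy added in tools/nginx.conf, which is fine for the Vagrant VM but worth stating so the two paths are not assumed equivalent.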
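--- /dev/null
+++ b/tools/pg_hba.conf
@@ -0,0 +1,12 @@
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# Database administrative login by Unix domain socket
+local all postgres trust
+# TYPE DATABASE USER ADDRESS METHOD
+# "local" is for Unix domain socket connections only
+local all all trust
+# IPv4 local connections:
+host all all 127.0.0.1/32 trust
+# IPv6 local connections:
+host all all ::1/128 trust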
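Review bot: Every entry uses `trust`, so any local process or user on the VM — not only the database owner — can connect as the `postgres` superuser, or any other role, over the socket or loopback without a password, and `setup_postgresql` in tools/lib.sh copies this file into /etc/postgresql/9.4/main unconditionally, so it is not confined to the Vagrant box. `peer` on the Unix-socket lines and `md5` on the loopback lines keep the setup passwordless for the OS account while requiring credentials for everything else, e.g. `local all all peer` and `host all all 127.0.0.1/32 md5`; the `createdb -h localhost` call in `setup_postgresql` would then need a password or should go over the socket instead. If `trust` is deliberate for the throwaway VM, a header comment saying so would stop the file being carried into a real deployment unchanged.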