mirror of
https://github.com/frappe/bench.git
synced 2025-01-25 07:58:24 +00:00
Added command to setup firewall (#326)
* Added command to setup firewall * Added validation to check for ansible, added ufw for ubuntu and debian
This commit is contained in:
parent
1783cbc84f
commit
97d44518d3
2
bench/cli.py
Normal file → Executable file
2
bench/cli.py
Normal file → Executable file
@ -47,7 +47,7 @@ def check_uid():
|
|||||||
sys.exit(1)
|
sys.exit(1)
|
||||||
|
|
||||||
def cmd_requires_root():
|
def cmd_requires_root():
|
||||||
if len(sys.argv) > 2 and sys.argv[2] in ('production', 'sudoers', 'lets-encrypt', 'fonts', 'reload-nginx'):
|
if len(sys.argv) > 2 and sys.argv[2] in ('production', 'sudoers', 'lets-encrypt', 'fonts', 'reload-nginx', 'firewall'):
|
||||||
return True
|
return True
|
||||||
if len(sys.argv) >= 2 and sys.argv[1] in ('patch', 'renew-lets-encrypt', 'disable-production'):
|
if len(sys.argv) >= 2 and sys.argv[1] in ('patch', 'renew-lets-encrypt', 'disable-production'):
|
||||||
return True
|
return True
|
||||||
|
@ -75,6 +75,14 @@ def setup_env():
|
|||||||
from bench.utils import setup_env
|
from bench.utils import setup_env
|
||||||
setup_env()
|
setup_env()
|
||||||
|
|
||||||
|
@click.command('firewall')
|
||||||
|
def setup_firewall():
|
||||||
|
"Setup firewall"
|
||||||
|
from bench.utils import run_playbook
|
||||||
|
click.confirm('Setting up the firewall will block all ports except 80, 443 and 22\n'
|
||||||
|
'Do you want to continue?',
|
||||||
|
abort=True)
|
||||||
|
run_playbook('production/setup_firewall.yml')
|
||||||
|
|
||||||
@click.command('lets-encrypt')
|
@click.command('lets-encrypt')
|
||||||
@click.argument('site')
|
@click.argument('site')
|
||||||
@ -171,3 +179,4 @@ setup.add_command(setup_fonts)
|
|||||||
setup.add_command(add_domain)
|
setup.add_command(add_domain)
|
||||||
setup.add_command(remove_domain)
|
setup.add_command(remove_domain)
|
||||||
setup.add_command(sync_domains)
|
setup.add_command(sync_domains)
|
||||||
|
setup.add_command(setup_firewall)
|
||||||
|
@ -685,3 +685,10 @@ def set_git_remote_url(git_url, bench_path='.'):
|
|||||||
app_dir = bench.app.get_repo_dir(app, bench_path=bench_path)
|
app_dir = bench.app.get_repo_dir(app, bench_path=bench_path)
|
||||||
if os.path.exists(os.path.join(app_dir, '.git')):
|
if os.path.exists(os.path.join(app_dir, '.git')):
|
||||||
exec_cmd("git remote set-url upstream {}".format(git_url), cwd=app_dir)
|
exec_cmd("git remote set-url upstream {}".format(git_url), cwd=app_dir)
|
||||||
|
|
||||||
|
def run_playbook(playbook_name):
|
||||||
|
if not find_executable('ansible'):
|
||||||
|
print "Ansible is needed to run this command, please install it using 'pip install ansible'"
|
||||||
|
sys.exit(1)
|
||||||
|
args = ['ansible-playbook', '-c', 'local', playbook_name]
|
||||||
|
subprocess.check_call(args, cwd=os.path.join(os.path.dirname(bench.__path__[0]), 'playbooks'))
|
||||||
|
43
playbooks/production/setup_firewall.yml
Executable file
43
playbooks/production/setup_firewall.yml
Executable file
@ -0,0 +1,43 @@
|
|||||||
|
- name: Setup Firewall
|
||||||
|
user: root
|
||||||
|
hosts: localhost
|
||||||
|
|
||||||
|
tasks:
|
||||||
|
# For CentOS
|
||||||
|
- name: Install firewalld
|
||||||
|
yum: name=firewalld state=present
|
||||||
|
when: ansible_distribution == 'CentOS'
|
||||||
|
|
||||||
|
- name: Enable Firewall
|
||||||
|
service: name=firewalld state=started enabled=yes
|
||||||
|
when: ansible_distribution == 'CentOS'
|
||||||
|
|
||||||
|
- name: Add firewall rules
|
||||||
|
firewalld: port={{ item }}/tcp permanent=true state=enabled
|
||||||
|
with_items:
|
||||||
|
- 80
|
||||||
|
- 443
|
||||||
|
- 22
|
||||||
|
when: ansible_distribution == 'CentOS'
|
||||||
|
|
||||||
|
- name: Restart Firewall
|
||||||
|
service: name=firewalld state=restarted enabled=yes
|
||||||
|
when: ansible_distribution == 'CentOS'
|
||||||
|
|
||||||
|
# For Ubuntu / Debian
|
||||||
|
- name: Install ufw
|
||||||
|
apt: name=ufw state=present
|
||||||
|
when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
|
||||||
|
|
||||||
|
- name: Enable Firewall
|
||||||
|
ufw: state=enabled policy=deny
|
||||||
|
when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
|
||||||
|
|
||||||
|
- name: Add firewall rules
|
||||||
|
ufw: rule=allow proto=tcp port={{ item }}
|
||||||
|
with_items:
|
||||||
|
- 80
|
||||||
|
- 443
|
||||||
|
- 22
|
||||||
|
when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
|
||||||
|
|
Loading…
x
Reference in New Issue
Block a user