mirror of https://github.com/frappe/bench.git synced 2025-01-25 07:58:24 +00:00

Added command to setup firewall (#326)

* Added command to setup firewall

* Added validation to check for ansible, added ufw for ubuntu and debian
Valmik 2016-10-13 11:49:27 +05:30 committed by Rushabh Mehta
parent 1783cbc84f
commit 97d44518d3
4 changed files with 61 additions and 2 deletions

2
bench/cli.py Normal file → Executable file

@ -47,7 +47,7 @@ def check_uid():
sys.exit(1) sys.exit(1)
def cmd_requires_root(): def cmd_requires_root():
if len(sys.argv) > 2 and sys.argv[2] in ('production', 'sudoers', 'lets-encrypt', 'fonts', 'reload-nginx'): if len(sys.argv) > 2 and sys.argv[2] in ('production', 'sudoers', 'lets-encrypt', 'fonts', 'reload-nginx', 'firewall'):
return True return True
if len(sys.argv) >= 2 and sys.argv[1] in ('patch', 'renew-lets-encrypt', 'disable-production'): if len(sys.argv) >= 2 and sys.argv[1] in ('patch', 'renew-lets-encrypt', 'disable-production'):
return True return True


@ -75,6 +75,14 @@ def setup_env():
from bench.utils import setup_env from bench.utils import setup_env
setup_env() setup_env()
@click.command('firewall')
def setup_firewall():
"Setup firewall"
from bench.utils import run_playbook
click.confirm('Setting up the firewall will block all ports except 80, 443 and 22\n'
'Do you want to continue?',
abort=True)
run_playbook('production/setup_firewall.yml')
@click.command('lets-encrypt') @click.command('lets-encrypt')
@click.argument('site') @click.argument('site')
@ -171,3 +179,4 @@ setup.add_command(setup_fonts)
setup.add_command(add_domain) setup.add_command(add_domain)
setup.add_command(remove_domain) setup.add_command(remove_domain)
setup.add_command(sync_domains) setup.add_command(sync_domains)
setup.add_command(setup_firewall)
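Review bot: The confirmation text in `setup_firewall` says everything except 80, 443 and 22 will be blocked, but it does not warn the operator that an SSH daemon listening on any other port becomes unreachable once the rules apply. I would extend the prompt, e.g. `'Setting up the firewall will block all ports except 80, 443 and 22 (SSH on any other port will be cut off)\n'`. The one-line docstring `"Setup firewall"` could also state that the command runs `production/setup_firewall.yml` against the local machine and needs root. On CentOS the playbook only adds ports to firewalld and does not appear to remove services already enabled there, so the "block all ports" wording may overstate what happens; worth confirming.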


@ -685,3 +685,10 @@ def set_git_remote_url(git_url, bench_path='.'):
app_dir = bench.app.get_repo_dir(app, bench_path=bench_path) app_dir = bench.app.get_repo_dir(app, bench_path=bench_path)
if os.path.exists(os.path.join(app_dir, '.git')): if os.path.exists(os.path.join(app_dir, '.git')):
exec_cmd("git remote set-url upstream {}".format(git_url), cwd=app_dir) exec_cmd("git remote set-url upstream {}".format(git_url), cwd=app_dir)
def run_playbook(playbook_name):
if not find_executable('ansible'):
print "Ansible is needed to run this command, please install it using 'pip install ansible'"
sys.exit(1)
args = ['ansible-playbook', '-c', 'local', playbook_name]
subprocess.check_call(args, cwd=os.path.join(os.path.dirname(bench.__path__[0]), 'playbooks'))
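Review bot: `run_playbook` tests for the `ansible` executable but then launches `ansible-playbook`, so the guard can pass while the binary that is actually run is missing; check the one you call, `if not find_executable('ansible-playbook'):`. The firewall command is in the `cmd_requires_root` list, so this runs as root and both names are resolved through the caller's PATH. Resolving the path once and passing that absolute path as the first element of `args` would make the check and the call agree. A failing playbook surfaces as an uncaught `CalledProcessError`; a short docstring saying so, and that `playbook_name` is relative to the bundled `playbooks` directory, would help callers.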


@ -0,0 +1,43 @@
- name: Setup Firewall
user: root
hosts: localhost
tasks:
# For CentOS
- name: Install firewalld
yum: name=firewalld state=present
when: ansible_distribution == 'CentOS'
- name: Enable Firewall
service: name=firewalld state=started enabled=yes
when: ansible_distribution == 'CentOS'
- name: Add firewall rules
firewalld: port={{ item }}/tcp permanent=true state=enabled
with_items:
- 80
- 443
- 22
when: ansible_distribution == 'CentOS'
- name: Restart Firewall
service: name=firewalld state=restarted enabled=yes
when: ansible_distribution == 'CentOS'
# For Ubuntu / Debian
- name: Install ufw
apt: name=ufw state=present
when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
- name: Enable Firewall
ufw: state=enabled policy=deny
when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
- name: Add firewall rules
ufw: rule=allow proto=tcp port={{ item }}
with_items:
- 80
- 443
- 22
when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
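Review bot: In the Ubuntu / Debian tasks, `ufw: state=enabled policy=deny` runs before the task that allows 80, 443 and 22, so if the play stops between the two (or a rule fails to apply) the host is left with default-deny and no SSH rule. Moving the ufw `Enable Firewall` task after `Add firewall rules` keeps port 22 allowed from the moment the firewall comes up. The CentOS half only opens ports in firewalld and does not visibly restrict services already enabled in the zone, so the end state may differ from the "block all ports except 80, 443 and 22" promise in the CLI prompt. A comment above each distribution block stating the intended end state would help the next reader.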