Added command to setup firewall (#326)
* Added command to set up the firewall * Added validation to check for Ansible; added ufw support for Ubuntu and Debian
This commit is contained in:
parent
1783cbc84f
commit
97d44518d3
2
bench/cli.py
Normal file → Executable file
2
bench/cli.py
Normal file → Executable file
@ -47,7 +47,7 @@ def check_uid():
|
||||
sys.exit(1)
|
||||
|
||||
def cmd_requires_root():
|
||||
if len(sys.argv) > 2 and sys.argv[2] in ('production', 'sudoers', 'lets-encrypt', 'fonts', 'reload-nginx'):
|
||||
if len(sys.argv) > 2 and sys.argv[2] in ('production', 'sudoers', 'lets-encrypt', 'fonts', 'reload-nginx', 'firewall'):
|
||||
return True
|
||||
if len(sys.argv) >= 2 and sys.argv[1] in ('patch', 'renew-lets-encrypt', 'disable-production'):
|
||||
return True
|
||||
|
@ -75,6 +75,14 @@ def setup_env():
|
||||
from bench.utils import setup_env
|
||||
setup_env()
|
||||
|
||||
@click.command('firewall')
|
||||
def setup_firewall():
|
||||
"Setup firewall"
|
||||
from bench.utils import run_playbook
|
||||
click.confirm('Setting up the firewall will block all ports except 80, 443 and 22\n'
|
||||
'Do you want to continue?',
|
||||
abort=True)
|
||||
run_playbook('production/setup_firewall.yml')
|
||||
|
||||
@click.command('lets-encrypt')
|
||||
@click.argument('site')
|
||||
@ -171,3 +179,4 @@ setup.add_command(setup_fonts)
|
||||
setup.add_command(add_domain)
|
||||
setup.add_command(remove_domain)
|
||||
setup.add_command(sync_domains)
|
||||
setup.add_command(setup_firewall)
|
||||
|
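Review bot: The confirmation prompt in `setup_firewall` (hunk `@ -75,6 +75,14`) understates what the playbook does: it says "all ports" and hard-codes 22, while the playbook applies a default-deny policy and permits only inbound TCP on 80, 443 and 22, so an operator whose sshd listens on another port, or who depends on any other inbound service, confirms without being told they will be locked out. Suggest making the text precise and adding the lockout caveat: `'Setting up the firewall will deny all inbound traffic except TCP ports 80, 443 and 22.\n'` / `'If sshd listens on a port other than 22 you will lose SSH access.\n'` / `'Do you want to continue?'`. Reading the `Port` directive from /etc/ssh/sshd_config before prompting would turn this from a warning into a hard stop. The first hunk only adds `'firewall'` to the tuple in `cmd_requires_root`; that function may continue past the hunk.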
@ -684,4 +684,11 @@ def set_git_remote_url(git_url, bench_path='.'):
|
||||
|
||||
app_dir = bench.app.get_repo_dir(app, bench_path=bench_path)
|
||||
if os.path.exists(os.path.join(app_dir, '.git')):
|
||||
exec_cmd("git remote set-url upstream {}".format(git_url), cwd=app_dir)
|
||||
exec_cmd("git remote set-url upstream {}".format(git_url), cwd=app_dir)
|
||||
|
||||
def run_playbook(playbook_name):
|
||||
if not find_executable('ansible'):
|
||||
print "Ansible is needed to run this command, please install it using 'pip install ansible'"
|
||||
sys.exit(1)
|
||||
args = ['ansible-playbook', '-c', 'local', playbook_name]
|
||||
subprocess.check_call(args, cwd=os.path.join(os.path.dirname(bench.__path__[0]), 'playbooks'))
|
||||
|
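Review bot: `run_playbook` checks for the `ansible` executable but then invokes `ansible-playbook`; the two normally ship together, but a partial or vendored install can have one without the other, so the guard should test the binary actually run: `if not find_executable('ansible-playbook'):`. `subprocess.check_call` surfaces a failed play as an uncaught `CalledProcessError` traceback; catching it and exiting non-zero with a short message would match the `sys.exit(1)` style used two lines above. Because this runs as root with `-c local` and resolves the playbook relative to the installed bench package, an editable install from a user-owned checkout means root executes user-writable playbooks — presumably acceptable for this tool's threat model, but worth a comment on the `cwd=` line. The enclosing `set_git_remote_url` starts before the hunk; `run_playbook` itself is fully inside it.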
43
playbooks/production/setup_firewall.yml
Executable file
43
playbooks/production/setup_firewall.yml
Executable file
@ -0,0 +1,43 @@
|
||||
- name: Setup Firewall
|
||||
user: root
|
||||
hosts: localhost
|
||||
|
||||
tasks:
|
||||
# For CentOS
|
||||
- name: Install firewalld
|
||||
yum: name=firewalld state=present
|
||||
when: ansible_distribution == 'CentOS'
|
||||
|
||||
- name: Enable Firewall
|
||||
service: name=firewalld state=started enabled=yes
|
||||
when: ansible_distribution == 'CentOS'
|
||||
|
||||
- name: Add firewall rules
|
||||
firewalld: port={{ item }}/tcp permanent=true state=enabled
|
||||
with_items:
|
||||
- 80
|
||||
- 443
|
||||
- 22
|
||||
when: ansible_distribution == 'CentOS'
|
||||
|
||||
- name: Restart Firewall
|
||||
service: name=firewalld state=restarted enabled=yes
|
||||
when: ansible_distribution == 'CentOS'
|
||||
|
||||
# For Ubuntu / Debian
|
||||
- name: Install ufw
|
||||
apt: name=ufw state=present
|
||||
when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
|
||||
|
||||
- name: Enable Firewall
|
||||
ufw: state=enabled policy=deny
|
||||
when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
|
||||
|
||||
- name: Add firewall rules
|
||||
ufw: rule=allow proto=tcp port={{ item }}
|
||||
with_items:
|
||||
- 80
|
||||
- 443
|
||||
- 22
|
||||
when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
|
||||
|
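Review bot: On the Ubuntu/Debian path the `Enable Firewall` task turns ufw on with `policy=deny` before the `Add firewall rules` task has allowed TCP/22, so between those two tasks — and permanently, if the run aborts in between — no new SSH connection can be opened; move the `ufw: state=enabled policy=deny` task below the rules task, since ufw accepts rules while disabled and applies them on enable. The `when:` guards compare `ansible_distribution` exactly, so RHEL/Rocky and Debian derivatives fall through every task and the command reports success having configured nothing; `when: ansible_os_family == 'RedHat'` and `when: ansible_os_family == 'Debian'` cover those families, or add a final `fail:` task for unmatched distributions. On CentOS the rules use `permanent=true` without `immediate=yes` and rely on the following restart to take effect, which deserves a comment (`immediate=yes` would also make the restart unnecessary). Port 22 is hard-coded on both paths, so an sshd on a non-standard port is blocked either way.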