Several improvements

* logging improvements * gpg keys import improvements
2019-09-06 02:23:40 +02:00
parent 391e13c709
commit 0e356edba9
8 changed files with 152 additions and 71 deletions
--- a/wo/cli/plugins/site_functions.py
+++ b/wo/cli/plugins/site_functions.py
@@ -736,7 +736,7 @@ def setupwp_plugin(self, plugin_name, plugin_option, plugin_data, data):
                                         ))
        except CommandExecutionError as e:
            Log.failed(self, "Setting plugin {0}"
-                                   .format(plugin_name))
+                       .format(plugin_name))
            Log.debug(self, "{0}".format(e))
            raise SiteError("plugin setup failed")
        else:
--- a/wo/cli/plugins/stack.py
+++ b/wo/cli/plugins/stack.py
@@ -548,6 +548,7 @@ class WOStackController(CementBaseController):
            pargs.proftpd = True
            pargs.utils = True
            pargs.redis = True
+            pargs.security = True
            packages = packages + ['/var/www/22222/htdocs']

        if pargs.web:
--- a/wo/cli/plugins/stack_pref.py
+++ b/wo/cli/plugins/stack_pref.py
@@ -26,6 +26,7 @@ from wo.core.variables import WOVariables


 def pre_pref(self, apt_packages):
+    apt_repo_key = []
    """Pre settings to do before installation packages"""

    if (set(["mariadb-server"]).issubset(set(apt_packages)) or
@@ -41,12 +42,8 @@ def pre_pref(self, apt_packages):
                      'MariaDB.pref', 'w') as mysql_pref_file:
                mysql_pref_file.write(mysql_pref)
            WORepo.add(self, repo_url=WOVariables.wo_mysql_repo)
-            Log.debug(self, 'Adding key for {0}'
-                      .format(WOVariables.wo_mysql_repo))
-            WORepo.add_key(self, '0xcbcb082a1bb943db',
-                           keyserver="keyserver.ubuntu.com")
-            WORepo.add_key(self, '0xF1656F24C74CD1D8',
-                           keyserver="keyserver.ubuntu.com")
+            apt_repo_key = (apt_repo_key +
+                            ['0xcbcb082a1bb943db', '0xF1656F24C74CD1D8'])
    if set(["mariadb-server"]).issubset(set(apt_packages)):
        # generate random 24 characters root password
        chars = ''.join(random.sample(string.ascii_letters, 24))
@@ -114,6 +111,8 @@ def pre_pref(self, apt_packages):
            WORepo.add(self, ppa=WOVariables.wo_nginx_repo)
            Log.debug(self, 'Adding ppa for Nginx')
        else:
+            apt_repo_key = apt_repo_key + WOVariables.wo_nginx_key
+
            WORepo.add(self, repo_url=WOVariables.wo_nginx_repo)
            Log.debug(self, 'Adding repository for Nginx')
            WORepo.add_key(self, WOVariables.wo_nginx_key)
@@ -137,6 +136,7 @@ def pre_pref(self, apt_packages):
            Log.debug(self, 'Adding repo_url of php for debian')
            WORepo.add(self, repo_url=WOVariables.wo_php_repo)
            Log.debug(self, 'Adding deb.sury GPG key')
+            apt_repo_key = apt_repo_key + WOVariables.wo_php_key
            WORepo.add_key(self, WOVariables.wo_php_key)
    # add redis repository
    if set(['redis-server']).issubset(set(apt_packages)):
@@ -145,6 +145,9 @@ def pre_pref(self, apt_packages):
            Log.debug(self, 'Adding ppa for redis')
            WORepo.add(self, ppa=WOVariables.wo_redis_repo)

+    if (apt_repo_key):
+        WORepo.add_key(self, apt_repo_key)
+

 def post_pref(self, apt_packages, packages, upgrade=False):
    """Post activity after installation of packages"""
@@ -367,7 +370,7 @@ def post_pref(self, apt_packages, packages, upgrade=False):
            WOTemplate.render(
                self,
                '/etc/nginx/sites-available/22222',
-                '22222.mustache', data, overwrite=False)
+                '22222.mustache', data, overwrite=True)
            passwd = ''.join([random.choice
                              (string.ascii_letters + string.digits)
                              for n in range(24)])
--- a/wo/cli/templates/nextcloud.mustache
+++ b/wo/cli/templates/nextcloud.mustache
@@ -0,0 +1,82 @@
+# WordOps nextcloud configuration
+    add_header X-Robots-Tag none;
+    add_header X-Permitted-Cross-Domain-Policies none;
+    add_header Referrer-Policy no-referrer;
+
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+
+	# Enable gzip but do not remove ETag headers
+    gzip on;
+    gzip_vary on;
+    gzip_comp_level 4;
+    gzip_min_length 256;
+    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+	    location / {
+        rewrite ^ /index.php$request_uri;
+    }
+
+    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
+        deny all;
+    }
+    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
+        deny all;
+    }
+
+    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
+        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $fastcgi_path_info;
+        fastcgi_param HTTPS on;
+        # Avoid sending the security headers twice
+        fastcgi_param modHeadersAvailable true;
+        # Enable pretty urls
+        fastcgi_param front_controller_active true;
+        fastcgi_pass {{upstream}};
+        fastcgi_intercept_errors on;
+        fastcgi_request_buffering off;
+    }
+
+    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
+        try_files $uri/ =404;
+        index index.php;
+    }
+
+    # Adding the cache control header for js, css and map files
+    # Make sure it is BELOW the PHP block
+    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
+        try_files $uri /index.php$request_uri;
+        add_header Cache-Control "public, max-age=15778463";
+        # Add headers to serve security related headers (It is intended to
+        # have those duplicated to the ones above)
+        # Before enabling Strict-Transport-Security headers please read into
+        # this topic first.
+        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+        #
+        # WARNING: Only add the preload option once you read about
+        # the consequences in https://hstspreload.org/. This option
+        # will add the domain to a hardcoded list that is shipped
+        # in all major browsers and getting removed from this list
+        # could take several months.
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+        add_header X-Robots-Tag none;
+        add_header X-Download-Options noopen;
+        add_header X-Permitted-Cross-Domain-Policies none;
+        add_header Referrer-Policy no-referrer;
+
+        # Optional: Don't log access to assets
+        access_log off;
+    }
+
+    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
+        try_files $uri /index.php$request_uri;
+        # Optional: Don't log access to other assets
+        access_log off;
+    }