Add stack upgrade fail2ban

wo/cli/plugins/stack_pref.py

@@ -97,12 +97,9 @@ def pre_pref(self, apt_packages):
     # add nginx repository
     if set(WOVar.wo_nginx).issubset(set(apt_packages)):
         if (WOVar.wo_distro == 'ubuntu'):
-            if not os.path.isfile(
+            Log.info(self, "Adding repository for NGINX, please wait...")
-                'wordops-ubuntu-nginx-wo-{0}.list'
+            WORepo.add(self, ppa=WOVar.wo_nginx_repo)
-                    .format(WOVar.wo_platform_codename)):
+            Log.debug(self, 'Adding ppa for Nginx')
-                Log.info(self, "Adding repository for NGINX, please wait...")
-                WORepo.add(self, ppa=WOVar.wo_nginx_repo)
-                Log.debug(self, 'Adding ppa for Nginx')
         else:
             if not WOFileUtils.grepcheck(
                     self, '/etc/apt/sources.list/wo-repo.list',
@@ -117,11 +114,8 @@ def pre_pref(self, apt_packages):
             ('php7.2-fpm' in apt_packages) or ('php7.4-fpm' in apt_packages)):
         if (WOVar.wo_distro == 'ubuntu'):
             Log.debug(self, 'Adding ppa for PHP')
-            if not os.path.isfile(
+            Log.info(self, "Adding repository for PHP, please wait...")
-                '/etc/apt/sources.list.d/ondrej-ubuntu-php-{0}.list'
+            WORepo.add(self, ppa=WOVar.wo_php_repo)
-                    .format(WOVar.wo_platform_codename)):
-                Log.info(self, "Adding repository for PHP, please wait...")
-                WORepo.add(self, ppa=WOVar.wo_php_repo)
         else:
             # Add repository for php
             if (WOVar.wo_platform_codename == 'buster'):
@@ -144,13 +138,9 @@ def pre_pref(self, apt_packages):
     # add redis repository
     if set(WOVar.wo_redis).issubset(set(apt_packages)):
         if WOVar.wo_distro == 'ubuntu':
-            if not os.path.isfile(
+            Log.info(self, "Adding repository for Redis, please wait...")
-                '/etc/apt/sources.list.d/'
+            Log.debug(self, 'Adding ppa for redis')
-                'chris-lea-ubuntu-redis-server-{0}.list'
+            WORepo.add(self, ppa=WOVar.wo_redis_repo)
-                    .format(WOVar.wo_platform_codename)):
-                Log.info(self, "Adding repository for Redis, please wait...")
-                Log.debug(self, 'Adding ppa for redis')
-                WORepo.add(self, ppa=WOVar.wo_redis_repo)
         else:
             if not WOFileUtils.grepcheck(
                     self, '/etc/apt/sources.list/wo-repo.list',
@@ -164,12 +154,8 @@ def pre_pref(self, apt_packages):
         if WOVar.wo_distro == 'ubuntu':
             if (WOVar.wo_platform_codename == 'bionic' or
                     WOVar.wo_platform_codename == 'xenial'):
-                if not os.path.exists(
+                Log.debug(self, 'Adding ppa for nano')
-                        '/etc/apt/sources.list.d/'
+                WORepo.add(self, ppa=WOVar.wo_ubuntu_backports)
-                        'jonathonf-ubuntu-backports-{0}.list'
-                        .format(WOVar.wo_platform_codename)):
-                    Log.debug(self, 'Adding ppa for nano')
-                    WORepo.add(self, ppa=WOVar.wo_ubuntu_backports)
 
 
 def post_pref(self, apt_packages, packages, upgrade=False):
@@ -997,35 +983,34 @@ def post_pref(self, apt_packages, packages, upgrade=False):
             WOGit.add(self, ["/etc/mysql"], msg="Adding MySQL into Git")
 
         # create fail2ban configuration files
-        if set(WOVar.wo_fail2ban).issubset(set(apt_packages)):
+        if "fail2ban" in apt_packages:
             WOService.restart_service(self, 'fail2ban')
             WOGit.add(self, ["/etc/fail2ban"],
                       msg="Adding Fail2ban into Git")
-            if not os.path.isfile("/etc/fail2ban/jail.d/custom.conf"):
+            Log.info(self, "Configuring Fail2Ban")
-                Log.info(self, "Configuring Fail2Ban")
+            data = dict(release=WOVar.wo_version)
-                data = dict(release=WOVar.wo_version)
+            WOTemplate.deploy(
-                WOTemplate.deploy(
+                self,
-                    self,
+                '/etc/fail2ban/jail.d/custom.conf',
-                    '/etc/fail2ban/jail.d/custom.conf',
+                'fail2ban.mustache',
-                    'fail2ban.mustache',
+                data, overwrite=False)
-                    data, overwrite=False)
+            WOTemplate.deploy(
-                WOTemplate.deploy(
+                self,
-                    self,
+                '/etc/fail2ban/filter.d/wo-wordpress.conf',
-                    '/etc/fail2ban/filter.d/wo-wordpress.conf',
+                'fail2ban-wp.mustache',
-                    'fail2ban-wp.mustache',
+                data, overwrite=False)
-                    data, overwrite=False)
+            WOTemplate.deploy(
-                WOTemplate.deploy(
+                self,
-                    self,
+                '/etc/fail2ban/filter.d/nginx-forbidden.conf',
-                    '/etc/fail2ban/filter.d/nginx-forbidden.conf',
+                'fail2ban-forbidden.mustache',
-                    'fail2ban-forbidden.mustache',
+                data, overwrite=False)
-                    data, overwrite=False)
 
-                if not WOService.reload_service(self, 'fail2ban'):
+            if not WOService.reload_service(self, 'fail2ban'):
-                    WOGit.rollback(
+                WOGit.rollback(
-                        self, ['/etc/fail2ban'], msg="Rollback f2b config")
+                    self, ['/etc/fail2ban'], msg="Rollback f2b config")
-                else:
+            else:
-                    WOGit.add(self, ["/etc/fail2ban"],
+                WOGit.add(self, ["/etc/fail2ban"],
-                              msg="Adding Fail2ban into Git")
+                          msg="Adding Fail2ban into Git")
 
         # Proftpd configuration
         if "proftpd-basic" in apt_packages:

wo/cli/plugins/stack_upgrade.py

@@ -26,6 +26,8 @@ class WOStackUpgradeController(CementBaseController):
                 dict(help='Upgrade web stack', action='store_true')),
             (['--admin'],
                 dict(help='Upgrade admin tools stack', action='store_true')),
+            (['--security'],
+                dict(help='Upgrade security stack', action='store_true')),
             (['--nginx'],
                 dict(help='Upgrade Nginx stack', action='store_true')),
             (['--php'],
@@ -44,6 +46,8 @@ class WOStackUpgradeController(CementBaseController):
                 dict(help='Upgrade Redis', action='store_true')),
             (['--netdata'],
                 dict(help='Upgrade Netdata', action='store_true')),
+            (['--fail2ban'],
+                dict(help='Upgrade Fail2Ban', action='store_true')),
             (['--dashboard'],
                 dict(help='Upgrade WordOps Dashboard', action='store_true')),
             (['--composer'],
@@ -71,18 +75,15 @@ class WOStackUpgradeController(CementBaseController):
         packages = []
         self.msg = []
         pargs = self.app.pargs
-        if ((not pargs.web) and (not pargs.nginx) and
+        if not (pargs.web or pargs.nginx or pargs.php or
-            (not pargs.php) and
+                pargs.php72 or pargs.php73 or pargs.php74 or pargs.mysql or
-            (not pargs.php72) and (not pargs.php73) and
+                pargs.ngxblocker or pargs.all or pargs.netdata or
-            (not pargs.php74) and
+                pargs.wpcli or pargs.composer or pargs.phpmyadmin or
-            (not pargs.mysql) and (not pargs.ngxblocker) and
+                pargs.adminer or pargs.dashboard or pargs.mysqltuner or
-            (not pargs.all) and (not pargs.wpcli) and
+                pargs.redis or pargs.fail2ban or pargs.security):
-            (not pargs.netdata) and (not pargs.composer) and
-            (not pargs.phpmyadmin) and (not pargs.adminer) and
-            (not pargs.dashboard) and (not pargs.mysqltuner) and
-                (not pargs.redis)):
             pargs.web = True
             pargs.admin = True
+            pargs.security = True
 
         if pargs.php:
             pargs.php72 = True
@@ -90,8 +91,8 @@ class WOStackUpgradeController(CementBaseController):
         if pargs.all:
             pargs.web = True
             pargs.admin = True
+            pargs.security = True
             pargs.redis = True
-            pargs.ngxblocker = True
 
         if pargs.web:
             pargs.nginx = True
@@ -110,6 +111,10 @@ class WOStackUpgradeController(CementBaseController):
             pargs.adminer = True
             pargs.mysqltuner = True
 
+        if pargs.security:
+            pargs.ngxblocker = True
+            pargs.fail2ban = True
+
         # nginx
         if pargs.nginx:
             if WOAptGet.is_installed(self, 'nginx-custom'):
@@ -149,6 +154,11 @@ class WOStackUpgradeController(CementBaseController):
             if WOAptGet.is_installed(self, 'redis-server'):
                 apt_packages = apt_packages + ['redis-server']
 
+        # fail2ban
+        if pargs.fail2ban:
+            if WOAptGet.is_installed(self, 'fail2ban'):
+                apt_packages = apt_packages + ['fail2ban']
+
         # wp-cli
         if pargs.wpcli:
             if os.path.isfile('/usr/local/bin/wp'):
@@ -267,26 +277,26 @@ class WOStackUpgradeController(CementBaseController):
         else:
             pre_stack(self)
             if (apt_packages):
-                if (("php7.2-fpm" not in apt_packages) and
+                if not ("php7.2-fpm" in apt_packages or
-                        ("php7.3-fpm" not in apt_packages) and
+                        "php7.3-fpm" in apt_packages or
-                        ("php7.4-fpm" not in apt_packages) and
+                        "php7.4-fpm" in apt_packages or
-                        ("redis-server" not in apt_packages) and
+                        "redis-server" in apt_packages or
-                        ("nginx-custom" not in apt_packages) and
+                        "nginx-custom" in apt_packages or
-                        ("mariadb-server" not in apt_packages)):
+                        "mariadb-server" in apt_packages):
                     pass
                 else:
-                    Log.info(
+                    Log.warn(
                         self, "Your sites may be down for few seconds if "
                         "you are upgrading Nginx, PHP-FPM, MariaDB or Redis")
                 # Check prompt
-                if ((not pargs.no_prompt) and (not pargs.force)):
+                if not (pargs.no_prompt or pargs.force):
                     start_upgrade = input("Do you want to continue:[y/N]")
                     if start_upgrade != "Y" and start_upgrade != "y":
                         Log.error(self, "Not starting package update")
-                Log.wait(self, "Updating APT packages")
+                Log.wait(self, "Updating APT cache")
                 # apt-get update
                 WOAptGet.update(self)
-                Log.valide(self, "Updating APT packages")
+                Log.valide(self, "Updating APT cache")
 
                 # additional pre_pref
                 if "nginx-custom" in apt_packages:

wo/core/apt_repo.py

@@ -48,9 +48,21 @@ class WORepo():
                 Log.debug(self, "{0}".format(e))
                 Log.error(self, "Unable to add repo")
         if ppa is not None:
+            ppa_split = ppa.split(':')[1]
+            ppa_author = ppa_split.split('/')[0]
+            Log.debug(self, "ppa_author = {0}".format(ppa_author))
+            ppa_package = ppa_split.split('/')[1]
+            Log.debug(self, "ppa_package = {0}".format(ppa_package))
+            if os.path.exists(
+                '/etc/apt/sources.list.d/{0}-ubuntu-{1}-{2}.list'
+                    .format(ppa_author,
+                            ppa_package, WOVar.wo_platform_codename)):
+                Log.debug(self, "ppa already added")
+                return True
             if WOShellExec.cmd_exec(
                     self, "LC_ALL=C.UTF-8 add-apt-repository -y '{ppa_name}'"
                     .format(ppa_name=ppa)):
+                Log.debug(self, "Added PPA {0}".format(ppa))
                 return True
         return False