Commit ac248110 authored by aguestuser

Merge branch '101-add-splashpage' into 'master'

Resolve "splash page at signalboost.info"

Closes #101

See merge request team-friendo/signalboost!89
parents e4187ac6 5a5eeca0
......@@ -26,6 +26,7 @@
*retry
*/inventory
# text editors
.idea/*
/.vscode/settings.json
......@@ -43,3 +44,6 @@ signal_data
/ansible/files/deploy_keys/signalboost_ssh_key
/ansible/files/deploy_keys/signalboost_ssh_key.pub
/ansible/inventory.tmpl
/splash/ansible/inventory.tmpl
/splash/.env
/splash/ansible/inventory
......@@ -4,3 +4,5 @@ ansible/files/deploy_keys/signalboost_ssh_key
ansible/files/deploy_keys/signalboost_ssh_key.pub
ansible/inventory.tmpl
bin/get-machine
splash/.env
splash/ansible/inventory.tmpl
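Review bot: the blackbox register list gains `splash/.env`, but the `deploy.yml` added in this same merge ships `files/.env` relative to `splash/ansible` (`env_file: "files/.env"` with the default `secrets_method: copy`), so the file blackbox decrypts and the file the playbook copies onto the host are not obviously the same path. Either point `env_file` at the decrypted `splash/.env`, or register the `files/.env` copy here as well, and say in the playbook header which one operators are expected to populate.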
......@@ -21,7 +21,9 @@
"dev": "docker-compose -f docker-compose-dev.yml up",
"start": "docker-compose up -d",
"stop": "docker-compose down",
"update": "./bin/dev/update"
"update": "./bin/dev/update",
"splash:dev": "cd splash && docker-compose -f docker-compose-dev.yml up",
"splash:prod": "cd splash && docker-compose up"
},
"engines": {
"node": "10.16.3"
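Review bot: `splash:prod` runs `docker-compose up` in the foreground while the existing `start` script two lines above uses `docker-compose up -d`; if the splash page is meant to be managed like the main app, add `-d` and a matching `splash:stop` so the script pairs are symmetrical, e.g. `"splash:prod": "cd splash && docker-compose up -d"` and `"splash:stop": "cd splash && docker-compose down"`.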
# Logs
logs
*.log
npm-debug.log*
yarn-debug.log*
yarn-error.log*
# Runtime data
pids
*.pid
*.seed
*.pid.lock
# Directory for instrumented libs generated by jscoverage/JSCover
lib-cov
# Coverage directory used by tools like istanbul
coverage
# nyc test coverage
.nyc_output
# Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
.grunt
# Bower dependency directory (https://bower.io/)
bower_components
# node-waf configuration
.lock-wscript
# Compiled binary addons (http://nodejs.org/api/addons.html)
build/Release
# Dependency directories
node_modules/
jspm_packages/
# Typescript v1 declaration files
typings/
# Optional npm cache directory
.npm
# Optional eslint cache
.eslintcache
# Optional REPL history
.node_repl_history
# Output of 'npm pack'
*.tgz
# dotenv environment variable files
.env*
# gatsby files
.cache/
public
# Mac files
.DS_Store
# Yarn
yarn-error.log
.pnp/
.pnp.js
# Yarn Integrity file
.yarn-integrity
.cache
package.json
package-lock.json
public
{
"endOfLine": "lf",
"semi": false,
"singleQuote": false,
"tabWidth": 2,
"trailingComma": "es5"
}
The MIT License (MIT)
Copyright (c) 2015 gatsbyjs
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
<!-- AUTO-GENERATED-CONTENT:START (STARTER) -->
<p align="center">
<a href="https://www.gatsbyjs.org">
<img alt="Gatsby" src="https://www.gatsbyjs.org/monogram.svg" width="60" />
</a>
</p>
<h1 align="center">
Gatsby's default starter
</h1>
Kick off your project with this default boilerplate. This starter ships with the main Gatsby configuration files you might need to get up and running blazing fast with the blazing fast app generator for React.
_Have another more specific idea? You may want to check out our vibrant collection of [official and community-created starters](https://www.gatsbyjs.org/docs/gatsby-starters/)._
## 🚀 Quick start
1. **Create a Gatsby site.**
Use the Gatsby CLI to create a new site, specifying the default starter.
```shell
# create a new Gatsby site using the default starter
gatsby new my-default-starter https://github.com/gatsbyjs/gatsby-starter-default
```
1. **Start developing.**
Navigate into your new site’s directory and start it up.
```shell
cd my-default-starter/
gatsby develop
```
1. **Open the source code and start editing!**
Your site is now running at `http://localhost:8000`!
_Note: You'll also see a second link: _`http://localhost:8000/___graphql`_. This is a tool you can use to experiment with querying your data. Learn more about using this tool in the [Gatsby tutorial](https://www.gatsbyjs.org/tutorial/part-five/#introducing-graphiql)._
Open the `my-default-starter` directory in your code editor of choice and edit `src/pages/index.js`. Save your changes and the browser will update in real time!
## 🧐 What's inside?
A quick look at the top-level files and directories you'll see in a Gatsby project.
.
├── node_modules
├── src
├── .gitignore
├── .prettierrc
├── gatsby-browser.js
├── gatsby-config.js
├── gatsby-node.js
├── gatsby-ssr.js
├── LICENSE
├── package-lock.json
├── package.json
└── README.md
1. **`/node_modules`**: This directory contains all of the modules of code that your project depends on (npm packages) are automatically installed.
2. **`/src`**: This directory will contain all of the code related to what you will see on the front-end of your site (what you see in the browser) such as your site header or a page template. `src` is a convention for “source code”.
3. **`.gitignore`**: This file tells git which files it should not track / not maintain a version history for.
4. **`.prettierrc`**: This is a configuration file for [Prettier](https://prettier.io/). Prettier is a tool to help keep the formatting of your code consistent.
5. **`gatsby-browser.js`**: This file is where Gatsby expects to find any usage of the [Gatsby browser APIs](https://www.gatsbyjs.org/docs/browser-apis/) (if any). These allow customization/extension of default Gatsby settings affecting the browser.
6. **`gatsby-config.js`**: This is the main configuration file for a Gatsby site. This is where you can specify information about your site (metadata) like the site title and description, which Gatsby plugins you’d like to include, etc. (Check out the [config docs](https://www.gatsbyjs.org/docs/gatsby-config/) for more detail).
7. **`gatsby-node.js`**: This file is where Gatsby expects to find any usage of the [Gatsby Node APIs](https://www.gatsbyjs.org/docs/node-apis/) (if any). These allow customization/extension of default Gatsby settings affecting pieces of the site build process.
8. **`gatsby-ssr.js`**: This file is where Gatsby expects to find any usage of the [Gatsby server-side rendering APIs](https://www.gatsbyjs.org/docs/ssr-apis/) (if any). These allow customization of default Gatsby settings affecting server-side rendering.
9. **`LICENSE`**: Gatsby is licensed under the MIT license.
10. **`package-lock.json`** (See `package.json` below, first). This is an automatically generated file based on the exact versions of your npm dependencies that were installed for your project. **(You won’t change this file directly).**
11. **`package.json`**: A manifest file for Node.js projects, which includes things like metadata (the project’s name, author, etc). This manifest is how npm knows which packages to install for your project.
12. **`README.md`**: A text file containing useful reference information about your project.
## 🎓 Learning Gatsby
Looking for more guidance? Full documentation for Gatsby lives [on the website](https://www.gatsbyjs.org/). Here are some places to start:
- **For most developers, we recommend starting with our [in-depth tutorial for creating a site with Gatsby](https://www.gatsbyjs.org/tutorial/).** It starts with zero assumptions about your level of ability and walks through every step of the process.
- **To dive straight into code samples, head [to our documentation](https://www.gatsbyjs.org/docs/).** In particular, check out the _Guides_, _API Reference_, and _Advanced Tutorials_ sections in the sidebar.
## 💫 Deploy
[![Deploy to Netlify](https://www.netlify.com/img/deploy/button.svg)](https://app.netlify.com/start/deploy?repository=https://github.com/gatsbyjs/gatsby-starter-default)
<!-- AUTO-GENERATED-CONTENT:END -->
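Review bot: this README is the unmodified Gatsby default-starter README (`gatsby new my-default-starter`, the starter's file list, a Netlify deploy button), none of which describes how the splash site in `splash/` is actually run or deployed in this merge. Replace it, or prepend a short project section, covering the new `splash:dev` and `splash:prod` scripts from the root `package.json`, the `.env` file the deploy playbook expects, and `splash/ansible/main.yml`, so an operator does not have to read the playbooks to learn how the page is built and shipped.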
[defaults]
#stdout_callback = json
#stdout_callback = debug
stdout_callback = unixy
../../docker
\ No newline at end of file
# Fail2Ban configuration file.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
bantime = 10800
maxretry = 3
ignoreip = 127.0.0.1
findtime = 600
#
# JAILS
#
[sshd]
enabled = true
port = ssh
[sshd-ddos]
enabled = true
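Review bot: `[sshd-ddos]` is only a jail that fail2ban 0.9 and earlier define; on 0.10 and later the ddos patterns live in the `sshd` filter and are selected with `mode`, and `jail.conf` no longer carries an `sshd-ddos` section, so a stanza consisting of just `enabled = true` inherits no `logpath` and fail2ban reports a configuration error for that jail on a current Debian or Ubuntu. Fold it into the existing jail instead (`[sshd]`, `enabled = true`, `mode = aggressive`). Minor: the `# "ignoreip" can be ...` comment sits above `bantime` rather than above the `ignoreip` line it describes.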
---
- name: Deploy Splash
become: true
hosts: splash
environment:
NODE_ENV: production
vars:
homedir: /srv/splash
env_file: "files/.env"
secrets_method: copy
tasks:
#########
# CLONE #
#########
- name: Pull signalboost repository from 0xacab
git:
repo: https://0xacab.org/team-friendo/signalboost
dest: "{{ homedir }}"
force: true
version: "{{ branch | default('master') }}"
tags: clone
- name: Deploy environment file using blackbox
command: ./bin/blackbox/postdeploy
args:
chdir: "{{ homedir }}"
tags: clone
when: secrets_method == "blackbox"
- name: Deploy environment file by copying local file
copy:
src: "{{ env_file }}"
dest: "{{ homedir }}/.env"
tags: clone
when: secrets_method == "copy"
#######################
# BUILD DOCKER IMAGES #
#######################
- name: Load base dockerfiles
copy:
src: files/docker/
dest: /srv/splash/docker/
tags: docker
- name: Build splash container
command: docker build -f /srv/splash/docker/sigbalboost_splash.dockerfile -t signalboost_splash:latest /srv/splash
register: build_output
tags: docker
########
# STOP #
########
- name: Stop app
command: ./bin/shutdown
args:
chdir: "{{ homedir }}"
tags: stop
###########
# PREPARE #
###########
- name: Install node packages
command: "docker-compose run --entrypoint 'yarn install' splash"
args:
chdir: "{{ homedir }}"
tags: prepare
- name: Stop container used for install
command: "docker-compose down"
args:
chdir: "{{ homedir }}"
tags: prepare
#########
# START #
#########
- name: Start app
docker_service:
project_src: "{{ homedir }}"
state: present
register: docker_up_result
# - debug:
# var: docker_up_result
######################
# AVAILABILITY CHECK #
######################
- name: Ping nextcloud instance until it is available
shell: ./bin/check-availability
args:
chdir: "{{ homedir }}"
register: health_check_output
changed_when: false
failed_when: health_check_output.rc != 0
tags: health_check
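Review bot: the build task points at `/srv/splash/docker/sigbalboost_splash.dockerfile` (note `sigbalboost`), while `bin/dev/rebuild` in this same merge builds `./docker/signalboost_splash.dockerfile`, so this task will fail on its first run with a missing-Dockerfile error; fix the filename, and consider the `docker_image` module so a failed build is reported as a build failure rather than a generic command error. Two smaller points in the same file: the availability task is still named `Ping nextcloud instance until it is available` (copy-paste leftover, it should say splash), and the commented-out `debug` block can go. Also, the play clones the whole signalboost repository into `{{ homedir }}` and then runs `docker-compose run --entrypoint 'yarn install' splash` with `chdir: "{{ homedir }}"`, whereas the root `package.json` expects the splash compose file under `splash/`; confirm which `docker-compose.yml` that command resolves.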
../files
\ No newline at end of file
---
- name: Perform Advanced Hardening
hosts: signalboost
become: true
tasks:
- name: Run dev-sec os-hardening role
import_role:
name: dev-sec.os-hardening
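Review bot: `hosts: signalboost` targets the main app's host group, whereas `provision.yml` and `deploy.yml` in this directory use `hosts: splash`; as written, `main.yml` never runs `dev-sec.os-hardening` on the splash host, and if both groups live in the same inventory it runs against the signalboost host instead. Change this to `hosts: splash`.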
---
- import_playbook: provision.yml
- import_playbook: deploy.yml
- import_playbook: harden.yml
---
- name: Provision system dependencies & users, perform basic hardening
become: true
hosts: splash
vars:
ansible_user: root
secrets_method: copy
# docker dependencies (pip packages)
pip_install_packages:
- name: docker
- name: docker-compose
# docker dependencies (ansible roles)
roles:
- geerlingguy.pip
- geerlingguy.docker
handlers:
- name: restart fail2ban
service: name=fail2ban state=restarted
- name: restart ssh
service: name=ssh state=restarted
- name: reload ufw
ufw:
state: reloaded
tasks:
#######################
# SYSTEM DEPENDENCIES #
#######################
- name: update apt packages
apt:
update_cache: yes
cache_valid_time: 3600
tags: packages
- name: upgrade apt packages
apt: upgrade=yes
tags: packages
- name: Install basic packages
apt:
cache_valid_time: 3600
name:
- sudo
- curl
- gnupg
- fail2ban
- ufw
- tmux
- git
- htop
- lsof
- rsync
- python3
- emacs-nox
tags: packages
######################
# ENABLE SWAP MEMORY #
######################
- name: Allocate 1GB to /swapfile
command: dd if=/dev/zero of=/swapfile bs=1M count=1024
register: write_swapfile
args:
creates: /swapfile
- name: Set swapfile permissions
file: path=/swapfile mode=600
- name: Create swapfile
command: mkswap /swapfile
register: create_swapfile
when: write_swapfile.changed
- name: Enable swapfile
command: swapon /swapfile
when: create_swapfile.changed
- name: Add swapfile to /etc/fstab
lineinfile:
path: /etc/fstab
line: "/swapfile none swap sw 0 0"
state: present
##########
# ADMINS #
##########
- name: Make sure we have a sshusers groups
group:
name: sshusers
state: present
- name: Add admin users
user:
name: "{{ item.name }}"
groups:
- sudo
- sshusers
append: yes
shell: /bin/bash
with_items: "{{ admins }}"
- name: Set authorized keys
authorized_key:
user: "{{ item.name }}"
state: present
key: "{{ item.ssh_key }}"
with_items: "{{ admins }}"
- name: Allow sudo group to have passwordless sudo
lineinfile:
dest: /etc/sudoers
state: present
regexp: '^%sudo'
line: '%sudo ALL=(ALL) NOPASSWD: ALL'
validate: visudo -cf %s
###################
# BASIC HARDENING #
###################
# ssh
- name: ssh hardening
import_role:
name: dev-sec.ssh-hardening
vars:
ssh_allow_groups: sshusers
- name: unlock admin users
become: yes
command: "usermod -p '*' {{ item.name }}"
ignore_errors: True
changed_when: False
loop: "{{ admins }}"
# firewall
- ufw: state=enabled policy=allow
tags: ufw
- name: default (incoming) policy
ufw:
policy: deny
direction: incoming
notify: reload ufw
tags: ufw
- name: default (outgoing) policy
ufw:
policy: allow
direction: outgoing
notify: reload ufw
tags: ufw
- name: limit ssh
ufw:
rule: limit
port: ssh
proto: tcp
notify: reload ufw
tags: ufw
- name: allow http
ufw:
rule: allow
port: http
notify: reload ufw
tags: ufw
- name: allow https
ufw:
rule: allow
port: https
notify: reload ufw
tags: ufw
# fail2ban
- name: Copy fail2ban configuration into place
become: true
copy:
src: "files/jail.local"
dest: /etc/fail2ban/jail.local
notify: restart fail2ban
tags: hardening
- name: Ensure fail2ban is started
service: name=fail2ban state=started
tags: hardening
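Review bot: the firewall tasks enable ufw with `policy=allow`, then switch the incoming default to `deny`, and only afterwards add the `limit ssh`, `allow http` and `allow https` rules; if the play stops between the deny task and the limit-ssh task (a dropped connection or a failing `ufw` call), the host is left with incoming denied and no SSH rule, and the running session survives only because it is already established. Add the port rules first and make the default-incoming-deny task the last ufw step. Smaller points: the first ufw task has no `name`; `with_items` and `loop` are mixed for the same `admins` list; `apt: upgrade=yes` performs an unattended full upgrade on every run and deserves its own tag or a guard; and `%sudo ALL=(ALL) NOPASSWD: ALL` means a stolen admin SSH key is root with no further prompt, which may be the intended trade-off but should be stated in a comment next to the task.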
#!/usr/bin/env bash
pushd `pwd`> /dev/null # store current dir
cd `dirname "$0"` # cd to script path
cd ..
echo "--- rebuilding splash page docker image..."
docker build -t signalboost_splash:latest -f ./docker/signalboost_splash.dockerfile .
echo "--- ...rebuilt signald docker image!"
echo "--- DONE!"
pushd > /dev/null
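Review bot: the final `pushd > /dev/null` returns to the caller's directory only by accident: argument-less `pushd` swaps the top two directory-stack entries, and the earlier ``pushd `pwd` `` happened to push the current directory twice, so the swap lands back where the script started. Use `popd > /dev/null` so the intent is clear, or replace the first three lines with a single `pushd "$(dirname "$0")/.." > /dev/null`. The success message also says `rebuilt signald docker image` although the target is `signalboost_splash`, and without `set -e` a failed `docker build` still prints `--- DONE!`.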