# Use logrotate to manage the logfile # # usage: ynh_use_logrotate [logfile] [--non-append] # | arg: logfile - absolute path of logfile # | option: --non-append - Replace the config file instead of appending this new config. # # If no argument provided, a standard directory will be use. /var/log/${app} # You can provide a path with the directory only or with the logfile. # /parentdir/logdir/ # /parentdir/logdir/logfile.log # # It's possible to use this helper several times, each config will be added to the same logrotate config file. # Unless you use the option --non-append ynh_use_logrotate () { local customtee="tee -a" if [ $# -gt 0 ] && [ "$1" == "--non-append" ]; then customtee="tee" # Destroy this argument for the next command. shift elif [ $# -gt 1 ] && [ "$2" == "--non-append" ]; then customtee="tee" fi if [ $# -gt 0 ]; then if [ "$(echo ${1##*.})" == "log" ]; then # Keep only the extension to check if it's a logfile logfile=$1 # In this case, focus logrotate on the logfile else logfile=$1/.log # Else, uses the directory and all logfile into it. fi else logfile="/var/log/${app}/*.log" # Without argument, use a defaut directory in /var/log fi cat > ./${app}-logrotate << EOF # Build a config file for logrotate $logfile { # Rotate if the logfile exceeds 100Mo size 100M # Keep 12 old log maximum rotate 12 # Compress the logs with gzip compress # Compress the log at the next cycle. So keep always 2 non compressed logs delaycompress # Copy and truncate the log to allow to continue write on it. Instead of move the log. copytruncate # Do not do an error if the log is missing missingok # Not rotate if the log is empty notifempty # Keep old logs in the same dir noolddir } EOF sudo mkdir -p $(dirname "$logfile") # Create the log directory, if not exist cat ${app}-logrotate | sudo $customtee /etc/logrotate.d/$app > /dev/null # Append this config to the existing config file, or replace the whole config file (depending on $customtee) } # Remove the app's logrotate config. # # usage: ynh_remove_logrotate ynh_remove_logrotate () { if [ -e "/etc/logrotate.d/$app" ]; then sudo rm "/etc/logrotate.d/$app" fi } # Create a dedicated systemd config # # This will use a template in ../conf/systemd.service # and will replace the following keywords with # global variables that should be defined before calling # this helper : # # __APP__ by $app # __FINALPATH__ by $final_path # # usage: ynh_add_systemd_config ynh_add_systemd_config () { finalsystemdconf="/etc/systemd/system/$app.service" ynh_backup_if_checksum_is_different "$finalsystemdconf" sudo cp ../conf/systemd.service "$finalsystemdconf" # To avoid a break by set -u, use a void substitution ${var:-}. If the variable is not set, it's simply set with an empty variable. # Substitute in a nginx config file only if the variable is not empty if test -n "${final_path:-}"; then ynh_replace_string "__FINALPATH__" "$final_path" "$finalsystemdconf" fi if test -n "${app:-}"; then ynh_replace_string "__APP__" "$app" "$finalsystemdconf" fi ynh_store_file_checksum "$finalsystemdconf" sudo chown root: "$finalsystemdconf" sudo systemctl enable $app sudo systemctl daemon-reload } # Remove the dedicated systemd config # # usage: ynh_remove_systemd_config ynh_remove_systemd_config () { finalsystemdconf="/etc/systemd/system/$app.service" if [ -e "$finalsystemdconf" ]; then sudo systemctl stop $app sudo systemctl disable $app ynh_secure_remove "$finalsystemdconf" fi } # Create a dedicated nginx config # # This will use a template in ../conf/nginx.conf # __PATH__ by $path_url # __DOMAIN__ by $domain # __PORT__ by $port # __NAME__ by $app # __FINALPATH__ by $final_path # # usage: ynh_add_nginx_config ynh_add_nginx_config () { finalnginxconf="/etc/nginx/conf.d/$domain.d/$app.conf" ynh_backup_if_checksum_is_different "$finalnginxconf" sudo cp ../conf/nginx.conf "$finalnginxconf" # To avoid a break by set -u, use a void substitution ${var:-}. If the variable is not set, it's simply set with an empty variable. # Substitute in a nginx config file only if the variable is not empty if test -n "${path_url:-}"; then ynh_replace_string "__PATH__" "$path_url" "$finalnginxconf" fi if test -n "${domain:-}"; then ynh_replace_string "__DOMAIN__" "$domain" "$finalnginxconf" fi if test -n "${port:-}"; then ynh_replace_string "__PORT__" "$port" "$finalnginxconf" fi if test -n "${app:-}"; then ynh_replace_string "__NAME__" "$app" "$finalnginxconf" fi if test -n "${final_path:-}"; then ynh_replace_string "__FINALPATH__" "$final_path" "$finalnginxconf" fi ynh_store_file_checksum "$finalnginxconf" sudo systemctl reload nginx } # Remove the dedicated nginx config # # usage: ynh_remove_nginx_config ynh_remove_nginx_config () { ynh_secure_remove "/etc/nginx/conf.d/$domain.d/$app.conf" sudo systemctl reload nginx } # Create a dedicated php-fpm config # # usage: ynh_add_fpm_config ynh_add_fpm_config () { finalphpconf="/etc/php5/fpm/pool.d/$app.conf" ynh_backup_if_checksum_is_different "$finalphpconf" sudo cp ../conf/php-fpm.conf "$finalphpconf" ynh_replace_string "__NAMETOCHANGE__" "$app" "$finalphpconf" ynh_replace_string "__FINALPATH__" "$final_path" "$finalphpconf" ynh_replace_string "__USER__" "$app" "$finalphpconf" sudo chown root: "$finalphpconf" ynh_store_file_checksum "$finalphpconf" if [ -e "../conf/php-fpm.ini" ] then finalphpini="/etc/php5/fpm/conf.d/20-$app.ini" ynh_backup_if_checksum_is_different "$finalphpini" sudo cp ../conf/php-fpm.ini "$finalphpini" sudo chown root: "$finalphpini" ynh_store_file_checksum "$finalphpini" fi sudo systemctl reload php5-fpm } # Remove the dedicated php-fpm config # # usage: ynh_remove_fpm_config ynh_remove_fpm_config () { ynh_secure_remove "/etc/php5/fpm/pool.d/$app.conf" ynh_secure_remove "/etc/php5/fpm/conf.d/20-$app.ini" 2>&1 sudo systemctl reload php5-fpm } # Create a dedicated fail2ban config (jail and filter conf files) # # usage: ynh_add_fail2ban_config "list of others variables to replace" # # | arg: list of others variables to replace separeted by a space # | for example : 'var_1 var_2 ...' # # This will use a template in ../conf/f2b_jail.conf and ../conf/f2b_filter.conf # __APP__ by $app # # You can dynamically replace others variables by example : # __VAR_1__ by $var_1 # __VAR_2__ by $var_2 # # Note about the "failregex" option: # regex to match the password failure messages in the logfile. The # host must be matched by a group named "host". The tag "" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P[\w\-.^_]+) # # You can find some more explainations about how to make a regex here : # https://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Filters # # Note that the logfile need to exist before to call this helper !! # # Generally your template will look like that by example (for synapse): # # f2b_jail.conf: # [__APP__] # enabled = true # port = http,https # filter = __APP__ # logpath = /var/log/__APP__/logfile.log # maxretry = 3 # # f2b_filter.conf: # [INCLUDES] # before = common.conf # [Definition] # # # Part of regex definition (just used to make more easy to make the global regex) # __synapse_start_line = .? \- synapse\..+ \- # # # Regex definition. # failregex = ^%(__synapse_start_line)s INFO \- POST\-(\d+)\- \- \d+ \- Received request\: POST /_matrix/client/r0/login\??%(__synapse_start_line)s INFO \- POST\-\1\- Got login request with identifier: \{u'type': u'm.id.user', u'user'\: u'(.+?)'\}, medium\: None, address: None, user\: u'\5'%(__synapse_start_line)s WARNING \- \- (Attempted to login as @\5\:.+ but they do not exist|Failed password login for user @\5\:.+)$ # # ignoreregex = # # To validate your regex you can test with this command: # fail2ban-regex /var/log/YOUR_LOG_FILE_PATH /etc/fail2ban/filter.d/YOUR_APP.conf ynh_add_fail2ban_config () { local others_var=${1:-} finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf" finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf" ynh_backup_if_checksum_is_different "$finalfail2banjailconf" ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" cp ../conf/f2b_jail.conf $finalfail2banjailconf cp ../conf/f2b_filter.conf $finalfail2banfilterconf if test -n "${app:-}"; then ynh_replace_string "__APP__" "$app" "$finalfail2banjailconf" ynh_replace_string "__APP__" "$app" "$finalfail2banfilterconf" fi # Replace all other variable given as arguments for var_to_replace in $others_var; do # ${var_to_replace^^} make the content of the variable on upper-cases # ${!var_to_replace} get the content of the variable named $var_to_replace ynh_replace_string --match_string="__${var_to_replace^^}__" --replace_string="${!var_to_replace}" --target_file="$finalfail2banjailconf" ynh_replace_string --match_string="__${var_to_replace^^}__" --replace_string="${!var_to_replace}" --target_file="$finalfail2banfilterconf" done ynh_store_file_checksum "$finalfail2banjailconf" ynh_store_file_checksum "$finalfail2banfilterconf" systemctl try-reload-or-restart fail2ban local fail2ban_error="$(journalctl -u fail2ban | tail -n50 | grep "WARNING.*$app.*")" if [[ -n "$fail2ban_error" ]]; then echo "[ERR] Fail2ban failed to load the jail for $app" >&2 echo "WARNING${fail2ban_error#*WARNING}" >&2 fi } # Remove the dedicated fail2ban config (jail and filter conf files) # # usage: ynh_remove_fail2ban_config ynh_remove_fail2ban_config () { ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf" ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf" systemctl try-reload-or-restart fail2ban }