From 83e693d681091dd363c3060ded2a8ded47bde719 Mon Sep 17 00:00:00 2001
From: Dobli <61doal1mst@hft-stuttgart.de>
Date: Wed, 16 Jan 2019 16:05:16 +0100
Subject: [PATCH] added initial template copy

---
 .gitignore | 1 +
 README.md | 31 ++-
 building_manager.py | 20 +-
 template_configs/mosquitto/mosquitto.conf | 2 +
 template_configs/nodered/nodered_package.json | 8 +
 template_configs/nodered/nodered_settings.js | 249 ++++++++++++++++++
 template_configs/ssh/sshd_config | 22 ++
 template_configs/traefik/traefik.toml | 43 +++
 8 files changed, 368 insertions(+), 8 deletions(-)
 create mode 100644 .gitignore
 create mode 100644 template_configs/mosquitto/mosquitto.conf
 create mode 100644 template_configs/nodered/nodered_package.json
 create mode 100644 template_configs/nodered/nodered_settings.js
 create mode 100644 template_configs/ssh/sshd_config
 create mode 100644 template_configs/traefik/traefik.toml

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..112512c
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+custom_configs/
diff --git a/README.md b/README.md
index 3a4d2df..cf24c48 100644
--- a/README.md
+++ b/README.md
@@ -83,14 +83,41 @@ The openhab-pb stack consists of multiple configuration files that need to be av
 **mosquitto**
 
 - *mosquitto.conf*: basic configuration of mosquitto
+  - copy from template folder
   - disables anonymous access
   - enables usage of password file
 - *mosquitto_passwords*: List of users/passwords that gain access to mosquitto
   - generated with `mosquitto_passwd`
+  - Uses SHA512 crypt -> maybe generated using pythons crypt library
 
 **nodered**
 
 - *nodered_package.json*: packages to be installed when node red is setup
+  - copy from template folder
   - contains entry for openhab package
-- *nodered_settings*: basic node red config
-  - contains `httpNodeAuth` for users
\ No newline at end of file
+- *nodered_settings.js*: basic node red config
+  - copy from template folder
+  - contains `httpNodeAuth` for users
+
+**ssh**
+
+- *sshd_config*: basic ssh config
+  - copy from template folder
+- *sftp_users.conf*: file containing users for sftp container
+  - generated, grants access to configuration files
+- *known_hosts*: make backup (volumerize) hosts know internal ssh servers
+  - generated using ssh-keygen
+- *id_rsa/id_rsa.pub*: key pair for passwordless ssh between containers
+  - generated using ssh-keygen
+- *ssh_host_x_key*: hostkey for ssh, X is cryptosystem
+  - generated using ssh-keygen
+
+**traefik**
+
+- *traefik.toml*: basic traefik configuration
+  - copy from template folder
+  - entryPoints.http.auth.basic contains users generated with htpasswd
+
+**volumerize**
+
+- *backup_config_X.json*: backup/volumerize config for each building, X is replaced by building name
\ No newline at end of file
diff --git a/building_manager.py b/building_manager.py
index cdf777d..5660cc7 100755
--- a/building_manager.py
+++ b/building_manager.py
@@ -13,8 +13,10 @@ logging.basicConfig(level=logging.WARNING)
 # Directories for config generation
 CUSTOM_DIR = 'custom_configs'
 TEMPLATE_DIR = 'template_configs'
-CONFIG_DIRS = [
-    'influxdb', 'mosquitto', 'nodered', 'ssh', 'treafik', 'volumerize'
+CONFIG_DIRS = ['mosquitto', 'nodered', 'ssh', 'traefik', 'volumerize']
+TEMPLATE_FILES = [
+    'mosquitto/mosquitto.conf', 'nodered/nodered_package.json',
+    'nodered/nodered_settings.js', 'ssh/sshd_config', 'traefik/traefik.toml'
 ]
 
 # Default Swarm port
@@ -47,10 +49,11 @@ def copy_template_config(base_dir, config_path):
     :base_dir: path that contains template and custom folders
     :config_path: relative path of config to copy from template
     """
-    custom_path = base_dir + '/' + CUSTOM_DIR
-    template_path = base_dir + '/' + TEMPLATE_DIR
-    print(f'Copy {config_path} from {custom_path to} {template_path}')
-    pass
+    custom_path = base_dir + '/' + CUSTOM_DIR + "/" + config_path
+    template_path = base_dir + '/' + TEMPLATE_DIR + "/" + config_path
+
+    logging.info(f'Copy {config_path} from {custom_path} to {template_path}')
+    copy2(template_path, custom_path)
 
 
 # }}}
@@ -224,8 +227,13 @@ def init_config_dirs_command(args):
     if base_dir is None:
         base_dir = os.getcwd()
 
+    # generate basic config folder
     generate_config_folders(base_dir)
 
+    # copy template configs
+    for template_file in TEMPLATE_FILES:
+        copy_template_config(base_dir, template_file)
+
 
 def assign_building_command(args):
     """Assigns the role of a building to a node
diff --git a/template_configs/mosquitto/mosquitto.conf b/template_configs/mosquitto/mosquitto.conf
new file mode 100644
index 0000000..b933438
--- /dev/null
+++ b/template_configs/mosquitto/mosquitto.conf
@@ -0,0 +1,2 @@
+allow_anonymous false
+password_file /mosquitto/config/passwd
diff --git a/template_configs/nodered/nodered_package.json b/template_configs/nodered/nodered_package.json
new file mode 100644
index 0000000..264f623
--- /dev/null
+++ b/template_configs/nodered/nodered_package.json
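Review bot: `copy2(template_path, custom_path)` in copy_template_config overwrites whatever already sits under custom_configs, and `init_config_dirs_command` (third hunk) now calls it for every entry of TEMPLATE_FILES on each run, so re-running the init command silently replaces user-edited configs — including traefik.toml, whose basic-auth users live in that file — with the template versions. Guard before copying: `if os.path.exists(custom_path):` / `logging.warning('%s exists, not overwriting', custom_path)` / `return`. The paths are also built with `'/'` string concatenation; `os.path.join(base_dir, CUSTOM_DIR, config_path)` handles separators and a trailing slash in base_dir, and the logging call should use lazy `%s` arguments rather than an f-string. `copy2` is presumably imported from shutil above the first hunk; the module's import block is outside this diff.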
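Review bot: `password_file /mosquitto/config/passwd` names a file `passwd`, while the README hunk in this commit calls the generated file `mosquitto_passwords`; presumably a volume mount maps one onto the other, but the conf gives no hint, so a comment such as `# passwd is the mounted copy of custom_configs/mosquitto/mosquitto_passwords` (constructed — adjust to the real mount) would save the next reader a search. With no `listener` directive mosquitto 1.x keeps its default unencrypted listener on port 1883 on all interfaces; if the broker is only reachable on the stack's internal network that is acceptable, but it is worth stating in the file so nobody publishes the port later without adding TLS.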
@@ -0,0 +1,8 @@
+{
+ "name": "node-red-project",
+ "description": "A Node-RED Project",
+ "version": "0.1.0",
+ "dependencies": {
+ "node-red-contrib-openhab2": "~1.1.3"
+ }
+}
diff --git a/template_configs/nodered/nodered_settings.js b/template_configs/nodered/nodered_settings.js
new file mode 100644
index 0000000..492f300
--- /dev/null
+++ b/template_configs/nodered/nodered_settings.js
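Review bot: `"node-red-contrib-openhab2": "~1.1.3"` is a range, so whichever patch release is current when the container is set up gets installed rather than a version anyone reviewed, and two deployments of the same template can end up with different code. For a template copied into every deployment an exact version (`"node-red-contrib-openhab2": "1.1.3"`) or a committed lockfile keeps installs reproducible. The README hunk says the file is consumed when node red is set up, so presumably npm resolves it at container start — outside anyone's review.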
@@ -0,0 +1,249 @@
+/**
+ * Copyright JS Foundation and other contributors, http://js.foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+// The `https` setting requires the `fs` module. Uncomment the following
+// to make it available:
+//var fs = require("fs");
+
+module.exports = {
+ // the tcp port that the Node-RED web server is listening on
+ uiPort: process.env.PORT || 1880,
+
+ // By default, the Node-RED UI accepts connections on all IPv4 interfaces.
+ // To listen on all IPv6 addresses, set uiHost to "::",
+ // The following property can be used to listen on a specific interface. For
+ // example, the following would only allow connections from the local machine.
+ //uiHost: "127.0.0.1",
+
+ // Retry time in milliseconds for MQTT connections
+ mqttReconnectTime: 15000,
+
+ // Retry time in milliseconds for Serial port connections
+ serialReconnectTime: 15000,
+
+ // Retry time in milliseconds for TCP socket connections
+ //socketReconnectTime: 10000,
+
+ // Timeout in milliseconds for TCP server socket connections
+ // defaults to no timeout
+ //socketTimeout: 120000,
+
+ // Timeout in milliseconds for HTTP request connections
+ // defaults to 120 seconds
+ //httpRequestTimeout: 120000,
+
+ // The maximum length, in characters, of any message sent to the debug sidebar tab
+ debugMaxLength: 1000,
+
+ // The maximum number of messages nodes will buffer internally as part of their
+ // operation. This applies across a range of nodes that operate on message sequences.
+ // defaults to no limit. A value of 0 also means no limit is applied.
+ //nodeMaxMessageBufferLength: 0,
+
+ // To disable the option for using local files for storing keys and certificates in the TLS configuration
+ // node, set this to true
+ //tlsConfigDisableLocalFiles: true,
+
+ // Colourise the console output of the debug node
+ //debugUseColors: true,
+
+ // The file containing the flows. If not set, it defaults to flows_<hostname>.json
+ //flowFile: 'flows.json',
+
+ // To enabled pretty-printing of the flow within the flow file, set the following
+ // property to true:
+ //flowFilePretty: true,
+
+ // By default, credentials are encrypted in storage using a generated key. To
+ // specify your own secret, set the following property.
+ // If you want to disable encryption of credentials, set this property to false.
+ // Note: once you set this property, do not change it - doing so will prevent
+ // node-red from being able to decrypt your existing credentials and they will be
+ // lost.
+ //credentialSecret: "a-secret-key",
+
+ // By default, all user data is stored in the Node-RED install directory. To
+ // use a different location, the following property can be used
+ //userDir: '/home/nol/.node-red/',
+
+ // Node-RED scans the `nodes` directory in the install directory to find nodes.
+ // The following property can be used to specify an additional directory to scan.
+ //nodesDir: '/home/nol/.node-red/nodes',
+
+ // By default, the Node-RED UI is available at http://localhost:1880/
+ // The following property can be used to specify a different root path.
+ // If set to false, this is disabled.
+ //httpAdminRoot: '/admin',
+
+ // Some nodes, such as HTTP In, can be used to listen for incoming http requests.
+ // By default, these are served relative to '/'. The following property
+ // can be used to specifiy a different root path. If set to false, this is
+ // disabled.
+ //httpNodeRoot: '/red-nodes',
+
+ // The following property can be used in place of 'httpAdminRoot' and 'httpNodeRoot',
+ // to apply the same root to both parts.
+ //httpRoot: '/red',
+
+ // When httpAdminRoot is used to move the UI to a different root path, the
+ // following property can be used to identify a directory of static content
+ // that should be served at http://localhost:1880/.
+ //httpStatic: '/home/nol/node-red-static/',
+
+ // The maximum size of HTTP request that will be accepted by the runtime api.
+ // Default: 5mb
+ //apiMaxLength: '5mb',
+
+ // If you installed the optional node-red-dashboard you can set it's path
+ // relative to httpRoot
+ //ui: { path: "ui" },
+
+ // Securing Node-RED
+ // -----------------
+ // To password protect the Node-RED editor and admin API, the following
+ // property can be used. See http://nodered.org/docs/security.html for details.
+ //adminAuth: {
+ // type: "credentials",
+ // users: [{
+ // username: "admin",
+ // password: "$2a$08$zZWtXTja0fB1pzD4sHCMyOCMYz2Z6dNbM6tl8sJogENOMcxWV9DN.",
+ // permissions: "*"
+ // }]
+ //},
+
+ // To password protect the node-defined HTTP endpoints (httpNodeRoot), or
+ // the static content (httpStatic), the following properties can be used.
+ // The pass field is a bcrypt hash of the password.
+ // See http://nodered.org/docs/security.html#generating-the-password-hash
+ //httpNodeAuth:{
+ // user:"user",
+ // pass:"$2a$08$zZWtXTja0fB1pzD4sHCMyOCMYz2Z6dNbM6tl8sJogENOMcxWV9DN."
+ //},
+
+ //httpStaticAuth: {user:"user",pass:"$2a$08$zZWtXTja0fB1pzD4sHCMyOCMYz2Z6dNbM6tl8sJogENOMcxWV9DN."},
+
+ // The following property can be used to enable HTTPS
+ // See http://nodejs.org/api/https.html#https_https_createserver_options_requestlistener
+ // for details on its contents.
+ // See the comment at the top of this file on how to load the `fs` module used by
+ // this setting.
+ //
+ //https: {
+ // key: fs.readFileSync('privatekey.pem'),
+ // cert: fs.readFileSync('certificate.pem')
+ //},
+
+ // The following property can be used to cause insecure HTTP connections to
+ // be redirected to HTTPS.
+ //requireHttps: true
+
+ // The following property can be used to disable the editor. The admin API
+ // is not affected by this option. To disable both the editor and the admin
+ // API, use either the httpRoot or httpAdminRoot properties
+ //disableEditor: false,
+
+ // The following property can be used to configure cross-origin resource sharing
+ // in the HTTP nodes.
+ // See https://github.com/troygoode/node-cors#configuration-options for
+ // details on its contents. The following is a basic permissive set of options:
+ //httpNodeCors: {
+ // origin: "*",
+ // methods: "GET,PUT,POST,DELETE"
+ //},
+
+ // If you need to set an http proxy please set an environment variable
+ // called http_proxy (or HTTP_PROXY) outside of Node-RED in the operating system.
+ // For example - http_proxy=http://myproxy.com:8080
+ // (Setting it here will have no effect)
+ // You may also specify no_proxy (or NO_PROXY) to supply a comma separated
+ // list of domains to not proxy, eg - no_proxy=.acme.co,.acme.co.uk
+
+ // The following property can be used to add a custom middleware function
+ // in front of all http in nodes. This allows custom authentication to be
+ // applied to all http in nodes, or any other sort of common request processing.
+ //httpNodeMiddleware: function(req,res,next) {
+ // // Handle/reject the request, or pass it on to the http in node by calling next();
+ // // Optionally skip our rawBodyParser by setting this to true;
+ // //req.skipRawBodyParser = true;
+ // next();
+ //},
+
+ // The following property can be used to verify websocket connection attempts.
+ // This allows, for example, the HTTP request headers to be checked to ensure
+ // they include valid authentication information.
+ //webSocketNodeVerifyClient: function(info) {
+ // // 'info' has three properties:
+ // // - origin : the value in the Origin header
+ // // - req : the HTTP request
+ // // - secure : true if req.connection.authorized or req.connection.encrypted is set
+ // //
+ // // The function should return true if the connection should be accepted, false otherwise.
+ // //
+ // // Alternatively, if this function is defined to accept a second argument, callback,
+ // // it can be used to verify the client asynchronously.
+ // // The callback takes three arguments:
+ // // - result : boolean, whether to accept the connection or not
+ // // - code : if result is false, the HTTP error status to return
+ // // - reason: if result is false, the HTTP reason string to return
+ //},
+
+ // Anything in this hash is globally available to all functions.
+ // It is accessed as context.global.
+ // eg:
+ // functionGlobalContext: { os:require('os') }
+ // can be accessed in a function block as:
+ // context.global.os
+
+ functionGlobalContext: {
+ // os:require('os'),
+ // jfive:require("johnny-five"),
+ // j5board:require("johnny-five").Board({repl:false})
+ },
+
+ // The following property can be used to order the categories in the editor
+ // palette. If a node's category is not in the list, the category will get
+ // added to the end of the palette.
+ // If not set, the following default order is used:
+ //paletteCategories: ['subflows', 'input', 'output', 'function', 'social', 'mobile', 'storage', 'analysis', 'advanced'],
+
+ // Configure the logging output
+ logging: {
+ // Only console logging is currently supported
+ console: {
+ // Level of logging to be recorded. Options are:
+ // fatal - only those errors which make the application unusable should be recorded
+ // error - record errors which are deemed fatal for a particular request + fatal errors
+ // warn - record problems which are non fatal + errors + fatal errors
+ // info - record information about the general running of the application + warn + error + fatal errors
+ // debug - record information which is more verbose than info + info + warn + error + fatal errors
+ // trace - record very detailed logging + debug + info + warn + error + fatal errors
+ // off - turn off all logging (doesn't affect metrics or audit)
+ level: "info",
+ // Whether or not to include metric events in the log output
+ metrics: false,
+ // Whether or not to include audit events in the log output
+ audit: false
+ }
+ },
+
+ // Customising the editor
+ editorTheme: {
+ projects: {
+ // To enable the Projects feature, set this value to true
+ enabled: false
+ }
+ }
+}
diff --git a/template_configs/ssh/sshd_config b/template_configs/ssh/sshd_config
new file mode 100644
index 0000000..ccda7ac
--- /dev/null
+++ b/template_configs/ssh/sshd_config
@@ -0,0 +1,22 @@
+# Secure defaults
+# See: https://stribika.github.io/2015/01/04/secure-secure-shell.html
+Protocol 2
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+
+# Faster connection
+# See: https://github.com/atmoz/sftp/issues/11
+UseDNS no
+
+# Limited access
+PermitRootLogin no
+X11Forwarding no
+AllowTcpForwarding no
+
+# Force sftp and chroot jail
+Subsystem sftp internal-sftp
+#ForceCommand internal-sftp
+#ChrootDirectory %h
+
+# Enable this for more logs
+#LogLevel VERBOSE
diff --git a/template_configs/traefik/traefik.toml b/template_configs/traefik/traefik.toml
new file mode 100644
index 0000000..54fcde0
--- /dev/null
+++ b/template_configs/traefik/traefik.toml
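Review bot: The `# Force sftp and chroot jail` section does not force anything — `ForceCommand internal-sftp` and `ChrootDirectory %h` are both commented out, so with this file alone an sftp user could get a normal shell and see the whole filesystem unless the container image adds its own restriction. The issue link above points at the atmoz/sftp image, whose own setup may apply the chroot; if that is what the project relies on, say so in the file (`# ForceCommand/ChrootDirectory are set by the image, not here`), otherwise uncomment the two lines. Since the README hunk describes key-pair access between containers, `PasswordAuthentication no` would also close the password login path that the linked guide recommends disabling. `Protocol 2` is accepted but ignored by current OpenSSH releases, which only speak protocol 2 anyway.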
@@ -0,0 +1,43 @@
+################################################################
+# entryPoints configuration
+################################################################
+# defaultEntryPoints = ["http"]
+
+# [entryPoints]
+ # [entryPoints.http]
+ # address = ":80"
+
+ # [entryPoints.foo]
+ # address = ":8082"
+
+ # [entryPoints.bar]
+ # address = ":8083"
+
+################################################################
+# API and dashboard configuration
+################################################################
+#[api]
+# entryPoint = "bar"
+
+################################################################
+# Docker configuration backend
+################################################################
+debug = true
+
+defaultEntryPoints = ["http"]
+
+[entryPoints]
+ [entryPoints.http]
+ address = ":80"
+ [entryPoints.http.auth.basic]
+ users = ["ohuser:$apr1$ffMQdoZd$1uEyKkwOKH3QS9ovOAzYj1"]
+
+
+# [retry]
+
+# [docker]
+# endpoint = "unix:///var/run/docker.sock"
+# exposedByDefault = true
+# watch = true
+# swarmmode = true
+
-- 
GitLab
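Review bot: `[entryPoints.http.auth.basic]` hangs HTTP basic auth on the plain-HTTP entrypoint at `address = ":80"`, so the credentials it is meant to protect cross the wire base64-encoded, not encrypted, on every request; unless the stack is only ever reached over an internal network, add an https entrypoint with a certificate, put the auth block there and redirect http to it. The `users` entry ships a concrete `$apr1$` (MD5-based) htpasswd hash for `ohuser` inside a template that the README hunk says gets regenerated — if that generation ever fails the known placeholder credential stays live, so an empty `users = []` or an obviously invalid placeholder is safer, and `htpasswd -B` produces a bcrypt hash that Traefik's basic auth also accepts. `debug = true` turns on debug-level logging in every deployment copied from this template; it belongs in a per-deployment override rather than the template.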