Chef - Intermediate Topics

base.rb

name "base"
description "Base Server Role"
run_list "recipe[chef-client::delete_validation]", "recipe[chef-client]", "recipe[ntp]", "recipe[motd]", "recipe[users]", "recipe[push-jobs]"
default_attributes(
  "chef_client" => {
    "config" => {
      "ssl_verify_mode" => ":verify_peer"
    }
  },
  "push_jobs" => {
    "package_url" => "https://s3.amazonaws.com/chef-intermediate-topics/opscode-push-jobs-client-1.0.2-1.el6.x86_64.rpm",
    "package_checksum" => "2af78d8dd0d55ed5555227a2997b7d4440f32a90c0190389d418026490a63ca7",
    "whitelist" => {
      "chef-client" => "chef-client"
    }
  }
)

email_handler.rb

require 'rubygems'
require 'pony'

module MyCompany
  class EmailMe < Chef::Handler
  
    def initialize(from_address, to_address)
      @from_address = from_address
      @to_address = to_address
    end

    def report
      status = success? ? "Successful" : "Failed"
      subject = "#{status} Chef run report from #{node.name}"
      report_string = ""
      
      # report on changed resources
      if ! run_status.updated_resources.empty?
      
        # get some info about all the changed resources!
        run_status.updated_resources.each do |r|
          report_string += "The resource #{r.name} was changed in cookbook #{r.cookbook_name} at #{r.source_line}\n"
        end
      else
       report_string += "No resources changed by chef-client\n"
      end

      Pony.mail(:to => @to_address,
                :from => @from_address,
                :subject => subject,
                :body => report_string)
    end
  end
end

fetch_ssl_certificate.sh

echo | openssl s_client -connect EXTERNAL_NAME_GOES_HERE:443 2>&1 | sed -n '/-\+BEGIN/,/-\+END/p' | sudo tee /etc/chef/trusted_certs/cert.pem

iptables

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --match multiport --dports 10000:10003 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

plugin_modules.rb

Ohai.plugin(:Apache) do
  provides "apache/modules"

  collect_data(:default) do
    apache Mash.new
    apache[:modules] = {:static => [], :shared => []}
    modules = shell_out("apachectl -t -D DUMP_MODULES")
    modules.stdout.each_line do |line|
      fullkey, value = line.split(/\(/, 2).map {|i| i.strip}
      apache_mod = fullkey.gsub(/_module/,"")
      dso_type = value.to_s.chomp("\)")
      if dso_type.match(/shared/)
        apache[:modules][:shared] << apache_mod
      elsif dso_type.match(/static/)
        apache[:modules][:static] << apache_mod
      end
    end
  end
end

provider_vhost.rb

use_inline_resources

action :create do
  # Set the document root
  document_root = "/srv/apache/#{new_resource.site_name}"

 # Add a template for Apache virtual host configuration
  template "/etc/httpd/conf.d/#{new_resource.site_name}.conf" do
    source "custom.erb"
    mode "0644"
    variables(
      :document_root => document_root,
      :port => new_resource.site_port
    )
  end
  
  # Add a directory resource to create the document_root
  directory document_root do
    mode "0755"
    recursive true
  end

  # Add a template resource for the virtual host's index.html
  template "#{document_root}/index.html" do
    source "index.html.erb"
    mode "0644"
    variables(
      :site_name => new_resource.site_name,
      :port => new_resource.site_port
    )
  end
end

action :remove do
  file "/etc/httpd/conf.d/#{new_resource.site_name}.conf" do 
    action :delete
  end
end