Commit Graph

144 Commits

Author SHA1 Message Date
Greg Price 0f836f51a5 generate-self-signed-cert: Fix a mostly-harmless bug.
Thanks to the magic of `set -x`, I noticed this:
```
+ cat
++ ssl-cert
/tmp/src/zulip-server/scripts/setup/generate-self-signed-cert: line 49: ssl-cert: command not found
+ apt-get install -y openssl
[...]
```

In other words, we were trying to run `ssl-cert` -- the name of a
Debian package I meant to refer to in a comment inside the templated
temporary config file for `openssl req` -- as if it were a command.
It wasn't, hence the error.

Because `set -e` has loopholes like a sieve, this didn't cause the
script to exit, just produced this funny output and presumably caused
the config file's comment to be missing a word.  In principle, it
could do something surprising if for some reason there were a command
named `ssl-cert` on PATH.

Fix it.
2018-01-23 18:08:52 -08:00
Greg Price f26b34405e install --self-signed-cert: Generate our own, rather than use system's.
This gives us just one way of adopting a self-signed cert, rather than
one script which would generate a new one and an option to another
which would symlink to the system's snakeoil cert.  Now those two
codepaths converge, and do the same thing.

The small advantage of generating our own over the alternative is that
it lets us set the name in the cert to EXTERNAL_HOST, rather than the
system's hostname as embedded in the system snakeoil certs.  Not a big
deal, but might make things go slightly smoother if some browsers are
lenient (in a way that they probably shouldn't be.)
2018-01-23 18:08:52 -08:00
Greg Price c27f36a82a install: Rename generate-self-signed-cert.
This script generates one certificate.
2018-01-23 18:08:52 -08:00
Greg Price d258e48f3d install: Replace our generate-self-signed-certs script.
Take the core of the logic from how Debian generates the system's
/etc/ssl/certs/ssl-cert-snakeoil.pem ; that gives me more confidence
in the various config choices, and it also demonstrates a much cleaner
way to use the `openssl` tool.  Also replace the outer shell logic for
CLI and logging with a cleaner version.
2018-01-23 18:08:52 -08:00
Greg Price ac88f8ae1b setup-certbot: Stop automatically "agreeing" to the LE TOS.
It's not appropriate for our script to pass the `--agree-tos` flag
without any evidence of the user actually having any knowledge of,
let alone intent to agree to, any such ToS.  Stop doing that.
Fortunately this script hasn't been part of any release, so it's
likely that no users have gone down this path.
2018-01-22 18:55:46 -08:00
Rhea Parekh 460e9b4634 Scripts: Add script for resetting postgres sequences for imports. 2017-12-01 06:38:08 -08:00
Aditya Bansal 79576797b0 thumbor: Auto generate thumbor_key and add it to zulip settings. 2017-11-16 22:34:14 -08:00
Greg Price a56fca81f1 setup-certbot: Require hostname and email.
The script already won't work without them; so if the user gets the
invocation wrong, give a halfway-reasonable error rather than just
crash into the ground.
2017-11-15 21:50:41 -08:00
Greg Price df8548aaf1 setup-certbot: Fix the usage message, and add the recently-added options. 2017-11-15 21:50:41 -08:00
Greg Price 8f387ba4d4 setup-certbot: Add option to choose verification method.
This allows the installer to continue using this script for the
`standalone` method, while the no-argument form now uses the same
`webroot` method as the renewal cron job, suitable for running
by hand to adopt Certbot after initial install.
2017-11-15 21:50:41 -08:00
Greg Price 7c887a6741 setup-certbot: Use set -x.
When there's a failure, this can make it much less confusing
to figure out.
2017-11-15 21:50:41 -08:00
Greg Price ae901309fc certbot: Control auto-renew with a zulip.conf setting.
This causes the cron job to run only when a Zulip-managed certbot
install is actually set up.

Inside `install`, zulip.conf doesn't yet exist when we run
setup-certbot, so we write the setting later.  But we also give
setup-certbot the ability to write the setting itself, so that we
can recommend it in instructions for adopting certbot in an
existing Zulip installation.
2017-11-15 21:50:41 -08:00
Greg Price dd32348fca setup-certbot: Eliminate obnoxious wget spew. 2017-11-15 21:50:41 -08:00
Greg Price 3f1f70fae2 setup-certbot: Treat potential existing certs with kid gloves.
This helps make this script suitable to run on existing installations,
by mitigating any worry about clobbering existing certs with links to
the new ones, in case the admin changes their mind or was using the
certs for something else too.
2017-11-15 21:50:41 -08:00
Tim Abbott 2afc3b9e50 certbot: Move path to /usr/local/sbin.
[greg: fixed typo bug]
2017-11-15 21:50:41 -08:00
Tim Abbott 38dc43fdf8 certbot: Use --standalone mode during installer.
This should help avoid problems, since we don't need to install
`nginx` before using this mode.
2017-11-08 12:32:26 -08:00
rht 8b6b4e043f install: Add option to get certs via certbot.
While this doesn't quite complete our plans for certbot support (it's
not documented, etc.), this is a great stride forward.
2017-10-27 17:19:34 -07:00
Tim Abbott be619fe881 lint: Wrap many very long lines in the Python codebase.
This decreases the maximum line length in our Python codebase to 130.
2017-10-26 17:31:58 -07:00
Tim Abbott 8c8613c3c7 install: Add comments documenting installer wrapper. 2017-10-01 15:48:36 -07:00
rht 71188d7b0a scripts: Remove import print_function. 2017-09-29 15:43:30 -07:00
rht b937e1fede Remove the rest of `import six` outside zerver.lib.
We no longer need the six module, now that we're Python 3 only.
2017-09-27 17:09:15 -07:00
julianasobreira df2d448f7b python: Add lint rule banning 'from os.path import'.
This enforces our use of a consistent style in how we access Python
modules; "from os.path import dirname" is a particularly popular
abbreviation inconsistent with our style, and so it deserves a lint
rule.

Commit message and error text tweaked by tabbott.

Fixes #6543.
2017-09-22 04:55:38 -07:00
Tim Abbott b8e7369dee mypy: Remove type: ignores not needed in Python 3. 2017-08-25 11:04:20 -07:00
Greg Price a099e698e2 py3: Switch almost all shebang lines to use `python3`.
This causes `upgrade-zulip-from-git`, as well as a no-option run of
`tools/build-release-tarball`, to produce a Zulip install running
Python 3, rather than Python 2.  In particular this means that the
virtualenv we create, in which all application code runs, is Python 3.

One shebang line, on `zulip-ec2-configure-interfaces`, explicitly
keeps Python 2, and at least one external ops script, `wal-e`, also
still runs on Python 2.  See discussion on the respective previous
commits that made those explicit.  There may also be some other
third-party scripts we use, outside of this source tree and running
outside our virtualenv, that still run on Python 2.
2017-08-16 17:54:43 -07:00
Greg Price 0debc3f7ea install: Update a comment for our post-/root/zulip world.
We may not necessarily be running out of /root/zulip or any particular path,
but the point this comment was really trying to make in the first place stands.
Make it more clearly and still-accurately.
2017-08-15 17:41:07 -07:00
Pweaver (Paul Weaver) 1afaa67c7c deps: Change npm to yarn for reliablity, security, and speed. 2017-08-05 12:29:06 -07:00
Tim Abbott 53e4d8562b lint: Add a lint check for bare `type: ignore`s. 2017-07-27 16:31:55 -07:00
rht 614e3bb1ef scripts: Add script to autogenerate a self-signed SSL cert.
This will simplify step 1 of prod-install instruction to reduce
suffering in testing/experimenting production environments.

Attribution: the scripts/setup/configure-certs is based on @galexrt's
5c0daf6211

Further tweaked by tabbott to rename the script and edit the messages.
2017-07-16 17:22:32 -07:00
Tim Abbott c1d2654f3a setup-apt-repo: Add pgroonga code for Debian stretch.
The Groonga apt repository for Debian has a slightly different
structure.
2017-07-14 17:22:20 -07:00
EdOverflow 86cfed3e81 Update generate_secrets.py 2017-07-11 12:43:46 -07:00
sinwar 9cab965601 install-node: hardcode the path for npm.
This replaces nvm in npm-wrapper by harcoding the path the way we do
with node.  The main benefit is that this saves a few hundred
milliseconds every time we invoke npm.
2017-07-06 17:44:28 -07:00
Tim Abbott b70986469c generate_secrets: Fix handling of missing trailing newlines.
When we added support for automatically adding new secrets in
generate_secrets.py, we failed to account for the possibility that a
human editor might have let the secrets file without a trailing
newline.

We address this by adding a leading newline before our new secret.

Fixes #5209.
2017-06-03 23:17:04 -07:00
Tim Abbott 11adbf5783 generate_secrets: Fix placement of mypy type: ignore. 2017-05-17 00:05:57 -07:00
Tim Abbott b01ba5f389 generate_secrets: Fix mypy errors.
I'm pretty sure these errors reflect a problem with Typeshed, but
don't have time to investigate.
2017-05-16 23:28:44 -07:00
Tim Abbott 2c6a91e24a scripts: Make generate_secrets.py idempotent.
Now, generate_secrets.py will never overwrite existing secrets.  In
addition to being a safer model in generate, this fixes 2 significant
issues:

(1) It makes it much easier to preserve secrets like Oauth tokens in a
development environment (previously, provision would destroy them).
(2) It makes it possible to automatically add new secrets as part of
the upgrade process.  In particular, this is useful for the
zulip_org_id settings.

Fixes #4797.
2017-05-16 22:15:25 -07:00
Tim Abbott 03b5200d8b generate_secrets: Reformat list of autogenerated secrets. 2017-05-16 22:15:25 -07:00
rht 00e057bf44 install-node: bypass nvm wrapper for faster node startup.
This fixes a significant performance issue with LaTeX rendering (and
other things that invoked node) where starting up node took a few
hundred milliseconds due to nvm initialization.

Tweaked by tabbott to avoid copying the node binary itself, instead
using a tiny wrapper script.

This is important primarily because it's possible a future version of
node will expect to find libraries/dependencies/etc. installed via NVM
at some path related to the path of the node binary itself, and that's
more guaranteed with this new model.

Fixes #4618.
2017-05-09 09:17:54 -07:00
Alexander Trost 889547ff5e configure-rabbitmq: Add support for RABBITMQ_NODE flag.
This can potentially be used by things like a Docker configuration
that runs RabbitMQ on another server.
2017-04-29 15:03:05 -07:00
Tim Abbott 55a9101573 settings: Add support for ZULIP_ORG secrets.
These can be used to authenticate the current Zulip server to
zulip.org.
2017-04-18 23:00:10 -07:00
Feorlen 10ccfcdc8e Set umask 022 before starting prod install.
Fixes #2372.
2017-03-25 23:59:44 -07:00
Rishi Gupta 2bbfdeeb7b Fix more errors caught by mypy 0.501.
Another set of relatively easy to review changes.
2017-03-03 14:15:38 -08:00
Tim Abbott 51d3ab1cb7 initialize-database: Clean up final instructions.
Fixes #3678.
2017-02-21 20:19:16 -08:00
Tim Abbott de99f48ce7 lint: Clean up E401 PEP-8 rule. 2017-01-23 21:36:39 -08:00
anirudhjain75 beaa62cafa mypy: Convert several directories to use typing.Text.
Specifically, these directories are converted: [analytics/, scripts/,
tools/, zerver/management/, zilencer/, zproject/]
2016-12-07 20:51:05 -08:00
Tommy Ip 46b7d54b3e pep8: Fix E701 violations. 2016-11-30 20:45:09 +00:00
Anders Kaseorg 207cf6302b Always start python via shebang lines.
This is preparation for supporting using Python 3 in production.

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
2016-11-26 14:46:37 -08:00
Tim Abbott 8821b269bf flush-memcached: Replace 'set -x' with more clear output.
Similar to `terminate-psql-sessions`, this was just unnecessary spam
output.
2016-10-14 17:10:06 -07:00
Tim Abbott 382c8853f3 terminate-psql-sessions: Remove set -x.
Now that we're no longer actively debugging this tool, there's no need
to have it print everything it's doing.

This will make `test-backend` a lot nicer to use.
2016-10-14 17:08:05 -07:00
Tim Abbott 14f6e4c740 scripts: Stop using apt-add-repository.
Unfortunately, apt-add-repository is highly unreliable and was causing
problems both in Travis CI and with developers provisioning their
environment.
2016-10-11 22:10:36 -07:00
Diptanshu8 d7253b144c generate-secrets: Refactor to make development/production explicit.
generate-secrets.py now requires --development for development environment
setup or --production for production environment setup (and one of these
options is mandatory).

This solves the problem that it was somewhat easy to accidentally run
generate-secrets.py without the `-d` option while doing manual development
environment setup.

Fixes: #1911.
2016-10-06 17:12:49 -07:00