Merge pull request #66 from TalkingQuickly/feature/2021-upgrade

fixes: sshd configuration not being applied by default

Berksfile

@@ -1,33 +1,26 @@
 source "https://api.berkshelf.com"
 
-# cookbook 'apt', github: 'opscode-cookbooks/apt'
-cookbook 'apt-chef', '~> 1.0.0'
+cookbook 'apt', '~> 7.4.0'
 
-# cookbook 'fail2ban', github: 'opscode-cookbooks/fail2ban'
-cookbook 'fail2ban', '~> 2.3.0'
+cookbook 'fail2ban', '~> 6.3.2'
 
-# cookbook 'hostnames', github: 'nathantsoi/chef-cookbook-hostname'
 cookbook 'hostnames', '= 0.3.1'
 
 cookbook 'locale', '~> 1.1.0'
 
 cookbook 'memcached', '~> 6.1.0'
 
-#cookbook 'mysql', github: 'opscode-cookbooks/mysql'
 cookbook 'mysql', '~> 5.6.3'
 
 cookbook 'ntp', '~> 3.7.0'
 
-#cookbook 'openssh', github: 'opscode-cookbooks/openssh'
-cookbook 'openssh', '= 1.2.2'
+cookbook 'openssh', '~> 2.9.0'
 
 cookbook 'postgresql', '~> 8.2.1'
 
-# cookbook 'sudo', github: 'opscode-cookbooks/sudo'
-cookbook 'sudo', '~> 2.9.0'
+cookbook 'sudo', '~> 5.4.6'
 
 cookbook 'ufw', '~> 3.2.1'
-cookbook 'firewall', '~> 2.7.0'
 
 cookbook 'nginx', '~> 11.4.0'
 

Berksfile.lock

@@ -1,7 +1,6 @@
 DEPENDENCIES
-  apt-chef (~> 1.0.0)
-  fail2ban (~> 2.3.0)
-  firewall (~> 2.7.0)
+  apt (~> 7.4.0)
+  fail2ban (~> 6.3.2)
   hostnames (= 0.3.1)
   locale (~> 1.1.0)
   memcached (~> 6.1.0)
@@ -16,7 +15,7 @@ DEPENDENCIES
   mysql (~> 5.6.3)
   nginx (~> 11.4.0)
   ntp (~> 3.7.0)
-  openssh (= 1.2.2)
+  openssh (~> 2.9.0)
   postgresql (~> 8.2.1)
   rails_gem_dependencies-tlq
     git: https://github.com/TalkingQuickly/rails_gem_dependencies-tlq.git
@@ -27,24 +26,22 @@ DEPENDENCIES
   ruby_rbenv
     git: https://github.com/sous-chefs/ruby_rbenv.git
     revision: 35c775e5e0371cb798f5049a56dc8330bd196f15
-  sudo (~> 2.9.0)
+  sudo (~> 5.4.6)
   ufw (~> 3.2.1)
   users (~> 5.5.0)
 
 GRAPH
-  apt (2.9.2)
-  apt-chef (1.0.0)
-    apt (>= 0.0.0)
+  apt (7.4.0)
   chef-sugar (5.1.12)
-  fail2ban (2.3.0)
+  fail2ban (6.3.2)
     yum-epel (>= 0.0.0)
   firewall (2.7.0)
     chef-sugar (>= 0.0.0)
   homebrew (5.1.0)
   hostnames (0.3.1)
     hostsfile (>= 0.0.0)
   hostsfile (2.4.5)
-  iptables (2.2.0)
+  iptables (7.1.0)
   locale (1.1.0)
   memcached (6.1.0)
   monit-tlq (0.5.0)
@@ -55,8 +52,8 @@ GRAPH
     ohai (~> 5.2)
   ntp (3.7.0)
   ohai (5.3.0)
-  openssh (1.2.2)
-    iptables (>= 0.0.0)
+  openssh (2.9.0)
+    iptables (>= 7.0)
   postgresql (8.2.1)
     apt (>= 0.0.0)
     yum-epel (>= 0.0.0)
@@ -71,7 +68,7 @@ GRAPH
     yum-epel (>= 0.0.0)
   ruby_rbenv (2.6.0)
   selinux_policy (2.4.3)
-  sudo (2.9.0)
+  sudo (5.4.6)
   ufw (3.2.1)
     firewall (>= 2.0)
   ulimit (1.1.1)

Changelog.md

@@ -1,3 +1,9 @@
+## 5.0.1 (22nd March 2021)
+* Upgrades sudo, ufw, apt and fail2ban cookbooks to latest versions
+* Fixes issue where sshd configuration wasn't in the default server role run list
+* Adds a wrapper cookbook for the current community sudo cookbook
+* 
+
 ## 5.0.0 (March 2021)
 
 * Updates to support latest Chef Workstation instead of legacy ChefDK

VERSION

@@ -1 +1 @@
-5.0.0
+5.0.1

roles/server.json

@@ -12,7 +12,8 @@
           "${distro_id} stable",
           "${distro_id} ${distro_codename}-security"
         ],
-        "automatic_reboot" : true
+        "automatic_reboot" : true,
+        "auto_fix_interrupted_dpkg" : true
       }
     },
     "authorization": {
@@ -51,14 +52,14 @@
   "json_class": "Chef::Role",
   "run_list": [
     "recipe[apt::default]",
-    "recipe[rdr_users_wrapper::default]",
-    "recipe[firewall::default]",
     "recipe[ufw::default]",
+    "recipe[openssh::default]",
+    "recipe[fail2ban::default]",
+    "recipe[rdr_sudo_wrapper::default]",
+    "recipe[rdr_users_wrapper::default]",
     "recipe[apt::unattended-upgrades]",
     "recipe[ntp::default]",
-    "recipe[sudo::default]",
     "recipe[locale::default]",
-    "recipe[fail2ban::default]",
     "recipe[monit-tlq::default]",
     "recipe[monit_configs-tlq::system]"
   ],

site-cookbooks/rdr_sudo_wrapper/.delivery/project.toml

@@ -0,0 +1,32 @@
+# Delivery for Local Phases Execution
+#
+# This file allows you to execute test phases locally on a workstation or
+# in a CI pipeline. The delivery-cli will read this file and execute the
+# command(s) that are configured for each phase. You can customize them
+# by just modifying the phase key on this file.
+#
+# By default these phases are configured for Cookbook Workflow only
+#
+
+[local_phases]
+unit = "chef exec rspec spec/"
+lint = "chef exec cookstyle"
+# foodcritic has been deprecated in favor of cookstyle so we skip the syntax
+# phase now.
+syntax = "echo skipping syntax phase. Use lint phase instead."
+provision = "chef exec kitchen create"
+deploy = "chef exec kitchen converge"
+smoke = "chef exec kitchen verify"
+# The functional phase is optional, you can define it by uncommenting
+# the line below and running the command: `delivery local functional`
+# functional = ""
+cleanup = "chef exec kitchen destroy"
+
+# Remote project.toml file
+#
+# Instead of the local phases above, you may specify a remote URI location for
+# the `project.toml` file. This is useful for teams that wish to centrally
+# manage the behavior of the `delivery local` command across many different
+# projects.
+#
+# remote_file = "https://url/project.toml"

site-cookbooks/rdr_sudo_wrapper/.gitignore

@@ -0,0 +1,25 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+kitchen.local.yml
+
+# Chef Infra
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json
+
+.idea/
+

site-cookbooks/rdr_sudo_wrapper/CHANGELOG.md

@@ -0,0 +1,10 @@
+# rdr_sudo_wrapper CHANGELOG
+
+This file is used to list changes made in each version of the rdr_sudo_wrapper cookbook.
+
+## 0.1.0
+
+Initial release.
+
+- change 0
+- change 1

site-cookbooks/rdr_sudo_wrapper/LICENSE

@@ -0,0 +1,3 @@
+Copyright 2021 The Authors
+
+All rights reserved, do not redistribute.

site-cookbooks/rdr_sudo_wrapper/Policyfile.rb

@@ -0,0 +1,16 @@
+# Policyfile.rb - Describe how you want Chef Infra Client to build your system.
+#
+# For more information on the Policyfile feature, visit
+# https://docs.chef.io/policyfile/
+
+# A name that describes what the system you're building with Chef does.
+name 'rdr_sudo_wrapper'
+
+# Where to find external cookbooks:
+default_source :supermarket
+
+# run_list: chef-client will run these recipes in the order specified.
+run_list 'rdr_sudo_wrapper::default'
+
+# Specify a custom source for a single cookbook:
+cookbook 'rdr_sudo_wrapper', path: '.'

site-cookbooks/rdr_sudo_wrapper/README.md

@@ -0,0 +1,4 @@
+# rdr_sudo_wrapper
+
+TODO: Enter the cookbook description here.
+

site-cookbooks/rdr_sudo_wrapper/chefignore

@@ -0,0 +1,115 @@
+# Put files/directories that should be ignored in this file when uploading
+# to a Chef Infra Server or Supermarket.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+ehthumbs.db
+Icon?
+nohup.out
+Thumbs.db
+.envrc
+
+# EDITORS #
+###########
+.#*
+.project
+.settings
+*_flymake
+*_flymake.*
+*.bak
+*.sw[a-z]
+*.tmproj
+*~
+\#*
+REVISION
+TAGS*
+tmtags
+.vscode
+.editorconfig
+
+## COMPILED ##
+##############
+*.class
+*.com
+*.dll
+*.exe
+*.o
+*.pyc
+*.so
+*/rdoc/
+a.out
+mkmf.log
+
+# Testing #
+###########
+.circleci/*
+.codeclimate.yml
+.delivery/*
+.foodcritic
+.kitchen*
+.mdlrc
+.overcommit.yml
+.rspec
+.rubocop.yml
+.travis.yml
+.watchr
+.yamllint
+azure-pipelines.yml
+Dangerfile
+examples/*
+features/*
+Guardfile
+kitchen.yml*
+mlc_config.json
+Procfile
+Rakefile
+spec/*
+test/*
+
+# SCM #
+#######
+.git
+.gitattributes
+.gitconfig
+.github/*
+.gitignore
+.gitkeep
+.gitmodules
+.svn
+*/.bzr/*
+*/.git
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Bundler #
+###########
+vendor/*
+Gemfile
+Gemfile.lock
+
+# Policyfile #
+##############
+Policyfile.rb
+Policyfile.lock.json
+
+# Documentation #
+#############
+CODE_OF_CONDUCT*
+CONTRIBUTING*
+documentation/*
+TESTING*
+UPGRADING*
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile

site-cookbooks/rdr_sudo_wrapper/kitchen.yml

@@ -0,0 +1,32 @@
+---
+driver:
+  name: vagrant
+
+## The forwarded_port port feature lets you connect to ports on the VM guest via
+## localhost on the host.
+## see also: https://www.vagrantup.com/docs/networking/forwarded_ports
+
+#  network:
+#    - ["forwarded_port", {guest: 80, host: 8080}]
+
+provisioner:
+  name: chef_zero
+
+  ## product_name and product_version specifies a specific Chef product and version to install.
+  ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/
+  #  product_name: chef
+  #  product_version: 16
+
+verifier:
+  name: inspec
+
+platforms:
+  - name: ubuntu-20.04
+  - name: centos-8
+
+suites:
+  - name: default
+    verifier:
+      inspec_tests:
+        - test/integration/default
+    attributes: