# Shell options for the whole script: -e (abort on the first failing command),
# -f (globbing off; the rules that need a glob re-enable it locally with
# 'local -; set +f'), -u (an unset variable is an error). When DRY_RUN is set
# in the environment, -n is added too: the shell then only parses the script
# and executes nothing, which is what makes a dry run of this file cheap.
2 set -e -f ${DRY_RUN:+-n} -u
# Resolves $tool through symlinks; the loop header is not in this extract
# (presumably it repeats while "$tool" is still a symlink — TODO confirm).
5 do tool
=$
(readlink
"$tool")
# rule_help: prints the usage banner, then the list of rules found by running
# sed over the 'rule_NAME () {' headers of "$tool"/etc/vm.sh and of this
# script ($0), then the documented 'readonly' variables of the same two files.
# With no argument, 'hidden' is set, so the sed pattern becomes 'rule_[^_]...'
# and rules whose name starts with '_' (e.g. rule__chrooted_configure) are
# left out; any argument (the documented '--hidden') lists them as well.
# The banner is a here-document whose opening and closing lines are missing
# from this extract, as is the end of the function.
11 rule_help
() { # SYNTAX: [--hidden]
12 local hidden
; [ ${1:+set} ] || hidden
=set
15 ce script regroupe des règles pour administrer la VM ($vm_fqdn)
16 _depuis_ la VM hébergée ($vm_fqdn) ;
17 il sert à la fois d'outil (aisément bidouillable)
18 et de documentation (préçise).
19 Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
20 SYNTAX: $0 \$RULE \${RULE}_SYNTAX
22 $(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
24 TRACE # affiche les commandes avant leur exécution
25 $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
# rule_git_configure: makes branch 'master' track the local remote '.'
# (branch.master.remote / branch.master.merge), canonicalises $tool by
# cd'ing into it and back, then with sudo symlinks "$tool"/vm_hosted into
# /usr/local/sbin/ twice (as 'vm_hosted' and as 'vm'), and finally runs
# 'git checkout -f -B master remotes/master', which discards any uncommitted
# change in the working tree. Several original lines (30-31, 34, 38-42 and
# the closing brace) are not in this extract.
29 rule_git_configure
() {
32 git config
--replace branch.master.remote .
33 git config
--replace branch.master.merge refs
/remotes
/master
35 tool
=$
(cd "$tool"; cd -)
36 sudo
ln -fns "$tool"/vm_hosted
/usr
/local
/sbin
/
37 sudo
ln -fns "$tool"/vm_hosted
/usr
/local
/sbin
/vm
43 git checkout
-f -B master remotes
/master
# rule_apt_get_install: thin wrapper that installs every argument as a Debian
# package via 'sudo apt-get install'; the other rules call it through
# 'rule apt_get_install ...'. Whether '-y' or other options are added is not
# visible here (the line is cut and the function end is missing).
48 rule_apt_get_install
() { # SYNTAX: $package
49 sudo apt-get
install "$@"
# rule__chrooted_configure: hidden rule (the leading '_' keeps it out of the
# default rule_help listing). Its body is not in this extract.
52 rule__chrooted_configure
() { # NOTE: is this actually useful at some point?
# rule_apt_configure: writes, from here-documents, /etc/apt/sources.list
# (Debian $vm_lsb_name main contrib non-free), a backports list whose only
# entry is commented out, /etc/apt/preferences pinning the $vm_lsb_name and
# backports releases, and an OpenERP nightly source; then installs apticron
# and points its EMAIL at admin@$vm_domainname.
# Review notes:
# - The apt files are installed with mode 660 (root:root); the Debian default
#   is 644, and with 660 non-root users presumably cannot run 'apt-cache
#   policy' — confirm the tighter mode is intentional.
# - The OpenERP entry is a plain-http, third-party repository; the import of
#   its signing key is not visible in this extract, so apt's Release signature
#   check is the only integrity control — TODO confirm the key is provisioned
#   elsewhere. The sudoers lines the rule relies on, and every here-document
#   terminator, are missing from the extract.
58 rule_apt_configure
() {
59 sudo
install -m 660 -o root
-g root
/dev
/stdin
/etc
/apt
/sources.list
<<-EOF
60 deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
62 sudo
install -m 660 -o root
-g root
/dev
/stdin
/etc
/apt
/$vm_lsb_name-backports.list
<<-EOF
63 #deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
65 sudo
install -m 660 -o root
-g root
/dev
/stdin
/etc
/apt
/preferences
<<-EOF
67 Pin: release a=$vm_lsb_name
71 Pin: release a=$vm_lsb_name-backports
74 sudo
install -m 660 -o root
-g root
/dev
/stdin
/etc
/apt
/sources.list.d
/openerp.list
<<-EOF
75 deb http://nightly.openerp.com/trunk/nightly/deb/ ./
78 rule apt_get_install apticron
79 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/apticron
/apticron.conf
<<-EOF
80 EMAIL="admin@$vm_domainname"
82 # LISTCHANGES_PROFILE="apticron"
84 # SYSTEM="foobar.example.com"
86 # IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
89 # NOTIFY_NO_UPDATES="0"
91 # CUSTOM_NO_UPDATES_SUBJECT=""
92 # CUSTOM_FROM="root@$vm_fqdn"
# rule_boot_configure: warns that the Debian installer must not install GRUB
# on any disk, installs grub-pc and linux-image-$vm_arch, writes
# /etc/default/grub (kernel command line with a static 'ip=' for $vm_ipv4 on
# eth0, console on hvc0, resume device) and /boot/grub/device.map (hd0 mapped
# to the domU device-mapper name derived from $vm_fqdn), runs update-grub2
# and then rule initramfs_configure.
# Review note: the 'resume=' device on the GRUB_CMDLINE_LINUX line is
# /dev/mapper/${vm}_swap_deciphered, whereas rule_filesystem_configure names
# the swap mapping ${vm_lvm_lv}_swap_deciphered in fstab and crypttab. Unless
# $vm and $vm_lvm_lv always hold the same value (not visible in this extract),
# resume-from-swap would point at a mapping that does not exist — TODO confirm,
# or use ${vm_lvm_lv} on both sides.
95 rule_boot_configure
() {
96 warn
"lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
97 rule apt_get_install grub-pc
98 sudo
install -d -m 644 -o root
-g root
/boot
/grub
99 rule apt_get_install linux-image-
$vm_arch
100 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/default
/grub
<<-EOF
103 GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
104 GRUB_CMDLINE_LINUX_DEFAULT="quiet"
105 GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
106 GRUB_DISABLE_RECOVERY="true"
107 #GRUB_PRELOAD_MODULES="lvm"
109 sudo
install -m 644 -o root
-g root
/dev
/stdin
/boot
/grub
/device.map
<<-EOF
111 (hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
113 sudo update-grub2
# NOTE: takes /boot/grub/device.map into account
114 rule initramfs_configure
# rule_dovecot_configure: installs dovecot (imapd, managesieved, sieve),
# asserts that the IMAP private key was already pushed by 'vm_remote
# dovecot_key_send', copies the self-signed crt+crl bundle from the tool's
# var/pub tree into /etc/dovecot/$vm_domainname/imap/x509/, creates the
# dovecot index/control directories, writes /etc/dovecot/local.conf, installs
# a /usr/local/bin/dovecot-passwd helper that lets a user create their own
# ~/etc/dovecot/passwd entry (SHA512-CRYPT via doveadm pw), writes a postgrey
# local recipient whitelist and restarts dovecot.
# Review notes (TLS section of local.conf):
# - 'ssl_cipher_list = AES256-SHA' pins a single static-RSA, CBC, SHA-1 suite:
#   no forward secrecy, and modern clients may refuse it. A list built from
#   ECDHE/DHE AEAD suites would keep the "one strong family" intent without
#   those properties — worth revisiting.
# - 'ssl_ca' and 'ssl_cert' point at the same self-signed crt+crl file and
#   'ssl_verify_client_cert = yes' with 'auth_ssl_username_from_cert = yes'
#   makes that file the trust anchor for client-certificate login, so its
#   mode 400 root-only install is the right call; keep it that way.
# - The postgrey whitelist_recipients.local is written from this rule rather
#   than rule_postgrey_configure; that may be deliberate (sieve '+' addresses),
#   but a one-line comment saying so would help.
# Many original lines (ssl block, passdb/userdb, here-doc terminators, the
# function end) are missing from this extract.
116 rule_dovecot_configure
() {
117 rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
118 local hint
="run vm_remote dovecot_key_send before"
119 assert
"test -f /etc/dovecot/$vm_domainname/imap/x509/key.pem" hint
120 sudo
install -m 400 -o root
-g root \
121 "$tool"/var
/pub
/x509
/service
/imap
/crt
+crl.self-signed.pem \
122 /etc
/dovecot
/$vm_domainname/imap
/x509
/crt
+crl.self-signed.pem
123 sudo
install -d -m 770 -o root
-g adm \
126 sudo
install -d -m 1777 -o root
-g root \
127 /var
/lib
/dovecot-control \
128 /var
/lib
/dovecot-index
129 sudo
install -m 664 -o root
-g root
/dev
/stdin
/etc
/dovecot
/local.conf
<<-EOF
130 auth_ssl_username_from_cert = yes
132 log_timestamp = "%Y-%m-%d %H:%M:%S "
134 mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
135 # NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
136 # VOIR: http://wiki2.dovecot.org/Quota/FS
137 mail_plugins = \$mail_plugins quota
138 mail_privileged_group = mail
140 args = /home/%u/etc/dovecot/passwd
145 recipient_delimiter = +
146 sieve = ~/etc/mail/filter.sieve
147 sieve_dir = ~/etc/mail/sieve
148 sieve_global_dir = /var/lib/dovecot/sieve/global/
149 sieve_max_script_size = 1M
150 sieve_quota_max_scripts = 0
151 sieve_quota_max_storage = 10M
152 sieve_user_log = ~/var/log/mail/sieve.log
155 mail_plugins = \$mail_plugins imap_quota
158 auth_socket_path = /var/run/dovecot/auth-master
159 hostname = $vm_domainname
162 mail_plugins = \$mail_plugins sieve
163 postmaster_address = contact+dovecot+lda@$vm_domainname
164 syslog_facility = mail
166 protocols = imap sieve
169 unix_listener /var/spool/postfix/private/auth {
175 ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
176 ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
177 ssl_cipher_list = AES256-SHA
178 ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
179 ssl_verify_client_cert = yes
185 sudo
install -m 755 -o root
-g root
/dev
/stdin
/usr
/local
/bin
/dovecot-passwd
<<-EOF
187 # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
188 install -d -m 770 ~/etc/dovecot
189 install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
190 \$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
193 sudo
install -m 664 -o root
-g root
/dev
/stdin
/etc
/postgrey
/whitelist_recipients.
local <<-EOF
195 sudo service dovecot restart
# rule_etckeeper_configure: writes /etc/etckeeper/etckeeper.conf (git,
# apt/dpkg, daily autocommits and pre-install commits disabled), copies the
# tool's prompt.sh hook into /etc/etckeeper/, then installs the etckeeper
# package. Writing the config before 'apt-get install' relies on dpkg
# keeping the pre-existing conffile rather than replacing it — that is the
# usual behaviour, but a comment stating the intent would help a reader.
# The function end is not in this extract.
197 rule_etckeeper_configure
() {
198 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/etckeeper
/etckeeper.conf
<<-EOF
200 GIT_COMMIT_OPTIONS=""
201 AVOID_DAILY_AUTOCOMMITS=1
202 #AVOID_SPECIAL_FILE_WARNING=1
203 AVOID_COMMIT_BEFORE_INSTALL=1
204 HIGHLEVEL_PACKAGE_MANAGER=apt
205 LOWLEVEL_PACKAGE_MANAGER=dpkg
207 sudo
install -m 644 -o root
-g root \
208 "$tool"/etc
/etckeeper
/prompt.sh \
209 /etc
/etckeeper
/prompt.sh
210 rule apt_get_install etckeeper
# rule_filesystem_configure: writes /etc/fstab (unencrypted ext2 /boot by
# label, tmpfs /tmp with nosuid,nodev, LUKS-backed ext4 root/var/home with
# quotas on /home, swap), /etc/crypttab and a sysctl drop-in for swappiness.
# Review notes:
# - In crypttab only the root volume is unlocked with a passphrase ('none');
#   var, home and swap use keyscript=decrypt_derived with the root mapping as
#   key source, i.e. their keys are derived from the root volume's master
#   key. Consequently rule_luks_key_change, which changes a key slot on the
#   root LUKS header only, does not affect them — worth a comment there.
# - /tmp is tmpfs with nosuid,nodev but without noexec; if that is a
#   deliberate choice (some package scripts need it), a short comment on the
#   fstab line would document it.
# The closing here-doc terminators and the function end are missing from the
# extract.
212 rule_filesystem_configure
() {
213 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/fstab
<<-EOF
214 # <file system> <mount point> <type> <options> <dump> <pass>
215 LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
216 proc /proc proc defaults 0 0
217 sysfs /sys sysfs defaults 0 0
218 tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
219 /dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
220 /dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
221 /dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
222 # NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
223 /dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
225 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/crypttab
<<-EOF
226 # <target name> <source device> <key file> <options>
227 ${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
228 ${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
229 ${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
230 ${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
232 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/sysctl.d
/local-swap.conf
<<-EOF
233 vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité
234 vm.vfs_cache_pressure=50
# rule_initramfs_configure: writes initramfs.conf, the Xen PV modprobe alias,
# /etc/modules and the initramfs module list; patches the dropbear
# init-premount script so it waits for configure_networking; unless the
# tool's known_hosts already holds an RSA entry for init.$vm_fqdn, generates
# a 4096-bit RSA dropbear host key; then builds the initramfs root's
# authorized_keys from the ~/etc/ssh/authorized_keys of every member of a
# group read from a here-document (group name not visible here), removes the
# Debian-generated id_rsa* files and runs update-initramfs -u.
# Review notes:
# - Everything copied under /etc/initramfs-tools ends up in the initramfs on
#   /boot, which fstab leaves unencrypted and crypttab does not cover. That
#   is inherent to remote LUKS unlocking, but it is worth stating in a
#   comment that the dropbear host private key and the authorized_keys list
#   are readable by whoever can read the VM's disk image.
# - 'install -d -m 640' for /etc/initramfs-tools/root and root/.ssh creates
#   directories without the execute bit; root ignores it, but 0700 would be
#   the conventional mode — confirm 640 is intended.
# - In the known_hosts check, 'return 0; break;;' — the break after return is
#   unreachable and can be dropped.
# - 'eval local home\; home="~$user"' lets the shell expand ~user; $user
#   comes from /etc/group via the surrounding read loop, so this is root-
#   controlled data, but a getent-based lookup would avoid eval altogether.
# Many original lines, including the loop ends, here-doc terminators and the
# function end, are missing from the extract.
237 rule_initramfs_configure
() {
238 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/initramfs-tools
/initramfs.conf
<<-EOF
245 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/modprobe.d
/xen-pv.conf
<<-EOF
247 alias scsi_hostadapter xenblk
249 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/modules
<<-EOF
255 # NOTE: pour Xen en mode HVM :
256 #modprobe xen-platform-pci
258 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/initramfs-tools
/modules
<<-EOF
260 sudo
sed -e '/^configure_networking /s/ &$//' \
261 -i /usr
/share
/initramfs-tools
/scripts
/init-premount
/dropbear
262 # NOTE: works around a bug: dropbear must wait until the network is configured..
263 ssh-keygen
-F "init.$vm_fqdn" -f "$tool"/etc
/openssh
/known_hosts |
264 ( while IFS
= read -r line
265 do case $line in (*" RSA") return 0; break;; esac
269 /etc
/initramfs-tools
/etc
/dropbear
/dropbear_rsa_host_key \
270 /etc
/initramfs-tools
/etc
/dropbear
/dropbear_rsa_host_key.pub
271 sudo dropbearkey
-t rsa
-s 4096 -f \
272 /etc
/initramfs-tools
/etc
/dropbear
/dropbear_rsa_host_key
274 # NOTE: does not deal with dropbear_dss_host_key; Debian generates and uses it anyway.
275 sudo
install -d -m 640 -o root
-g root \
276 /etc
/initramfs-tools
/root \
277 /etc
/initramfs-tools
/root
/.
ssh
279 while IFS
=: read -r group x x users
280 do while test -n "$users" && IFS
=, read -r user users
<<-EOF
283 do eval local home\
; home
="~$user"
284 cat "$home"/etc
/ssh
/authorized_keys
287 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/initramfs-tools
/root
/.ssh
/authorized_keys
289 /etc
/initramfs-tools
/root
/.ssh
/id_rsa.dropbear \
290 /etc
/initramfs-tools
/root
/.ssh
/id_rsa.pub \
291 /etc
/initramfs-tools
/root
/.ssh
/id_rsa
292 # NOTE: keys generated by Debian
293 sudo update-initramfs
-u
# rule_locale_configure: writes /etc/locale.gen from a here-document whose
# content (and the locale-gen call that presumably follows) is not in this
# extract.
295 rule_locale_configure
() {
296 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/locale.gen
<<-EOF
# rule_login_configure: adds hvc0 and xvc0 to /etc/securetty (each guarded by
# a 'grep -q ... ||', and rewritten from '$(cat /etc/securetty)' plus the new
# line, so the rule is idempotent), writes a sysvinit /etc/inittab with a
# getty on the Xen console hvc0, writes /etc/login.defs (sbin dirs in
# ENV_PATH, ENCRYPT_METHOD SHA512, a group-writable umask policy per the
# French notes inside the file) and appends 'session optional pam_umask.so'
# to /etc/pam.d/common-session if it is not already there.
# Review note: the pam_umask grep uses the exact spacing 'session optional';
# a differently spaced existing line would not match and the line would be
# appended twice — a pattern with ' *' between the fields would be safer.
# The rest of login.defs and the function end are missing from the extract.
301 rule_login_configure
() {
302 grep -q '^hvc0$' /etc
/securetty ||
303 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/securetty
<<-EOF
304 $(cat /etc/securetty)
307 grep -q '^xvc0$' /etc
/securetty ||
308 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/securetty
<<-EOF
309 $(cat /etc/securetty)
312 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/inittab
<<-EOF
313 # /etc/inittab: init(8) configuration.
315 # The default runlevel.
318 # Boot-time system configuration/initialization script.
319 # This is run first except when booting in emergency (-b) mode.
320 si::sysinit:/etc/init.d/rcS
322 # What to do in single-user mode.
323 ~~:S:wait:/sbin/sulogin
325 # /etc/init.d executes the S and K scripts upon change
328 # Runlevel 0 is halt.
329 # Runlevel 1 is single-user.
330 # Runlevels 2-5 are multi-user.
331 # Runlevel 6 is reboot.
333 l0:0:wait:/etc/init.d/rc 0
334 l1:1:wait:/etc/init.d/rc 1
335 l2:2:wait:/etc/init.d/rc 2
336 l3:3:wait:/etc/init.d/rc 3
337 l4:4:wait:/etc/init.d/rc 4
338 l5:5:wait:/etc/init.d/rc 5
339 l6:6:wait:/etc/init.d/rc 6
340 # Normally not reached, but fallthrough in case of emergency.
341 z6:6:respawn:/sbin/sulogin
343 # What to do when CTRL-ALT-DEL is pressed.
344 ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
346 # What to do when the power fails/returns.
347 pf::powerwait:/etc/init.d/powerfail start
348 pn::powerfailnow:/etc/init.d/powerfail now
349 po::powerokwait:/etc/init.d/powerfail stop
351 # Xen hypervisor console
352 hvc:2345:respawn:/sbin/getty 38400 hvc0
353 #xvc:2345:respawn:/sbin/getty 38400 xvc0
355 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/login.defs
<<-EOF
362 FTMP_FILE /var/log/btmp
364 HUSHLOGIN_FILE .hushlogin
365 ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
366 ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
367 # NOTE: met les sbin/ dans ENV_PATH ;
368 # - ça n'apporte aucune protection de ne pas les mettre ;
369 # - ça frustre de ne pas les trouver.
376 # - donne une même confiance au groupe propriétaire qu'au propriétaire ;
377 # - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
390 ENCRYPT_METHOD SHA512
392 grep -q '^session optional pam_umask.so\>' /etc
/pam.d
/common-session ||
393 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/pam.d
/common-session
<<-EOF
394 $(cat /etc/pam.d/common-session)
395 session optional pam_umask.so
# rule_procmail_configure: installs procmail, creates the per-user mail cache
# and log directories in /etc/skel (root:adm, 770) and copies the tool's
# delivery.procmailrc into /etc/skel/etc/mail/ (root:adm, 660). The function
# end is not in this extract.
398 rule_procmail_configure
() {
399 rule apt_get_install procmail
400 sudo
install -d -m 770 -o root
-g adm \
402 /etc
/skel
/var
/cache
/mail \
403 /etc
/skel
/var
/log
/mail \
405 sudo
install -m 660 -o root
-g adm \
406 "$tool"/etc
/skel
/etc
/mail
/delivery.procmailrc \
407 /etc
/skel
/etc
/mail
/delivery.procmailrc
# rule_postgrey_configure: installs postgrey and restarts it. Its local
# recipient whitelist is written by rule_dovecot_configure, not here.
409 rule_postgrey_configure
() {
410 rule apt_get_install postgrey
411 sudo service postgrey restart
# rule_postfix_configure: asserts the smtpd private key was pushed by
# 'vm_remote postfix_key_send', installs postfix with no preset configuration,
# creates the /etc/postfix/$vm_domainname/{smtp,smtpd}/x509/ca tree, installs
# the smtpd certificate files from the tool's var/pub tree (mode 400), copies
# header_checks, aliases, master.cf and the smtp/smtpd lookup tables from the
# tool's etc tree, builds each hash: table with postmap, generates main.cf by
# concatenating a here-document (mydomain/myorigin/myhostname/mydestination)
# with the tool's etc/postfix/main.cf, and restarts postfix.
# Review notes:
# - The source paths 'var/pub/...' and 'etc/postfix/...' are relative, unlike
#   the '"$tool"/var' form used by rule_dovecot_configure; this only works if
#   the current directory is $tool when the rule runs (presumably the rule
#   dispatcher, not visible here, cd's there — TODO confirm, or prefix with
#   "$tool"/ for consistency).
# - The 'install -d -m 770' directory block (orig. 421-428) is repeated
#   verbatim at 429-436, and the install of smtpd/x509/crt+crl.self-signed.pem
#   (orig. 440-442) is repeated at 449-451; the duplicates can be dropped.
# Many original lines, including the function end, are missing from the
# extract.
413 rule_postfix_configure
() {
414 local hint
="run vm_remote postfix_key_send before"
415 assert
"test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
416 warn
"lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
417 rule apt_get_install postfix
418 sudo
install -m 640 -o root
-g root
/dev
/stdin
/etc
/postfix
/.gitignore
<<-EOF
421 sudo
install -d -m 770 -o root
-g root \
422 /etc
/postfix
/$vm_domainname/ \
423 /etc
/postfix
/$vm_domainname/smtp \
424 /etc
/postfix
/$vm_domainname/smtp
/x509 \
425 /etc
/postfix
/$vm_domainname/smtp
/x509
/ca \
426 /etc
/postfix
/$vm_domainname/smtpd \
427 /etc
/postfix
/$vm_domainname/smtpd
/x509 \
428 /etc
/postfix
/$vm_domainname/smtpd
/x509
/ca
429 sudo
install -d -m 770 -o root
-g root \
430 /etc
/postfix
/$vm_domainname/ \
431 /etc
/postfix
/$vm_domainname/smtp \
432 /etc
/postfix
/$vm_domainname/smtp
/x509 \
433 /etc
/postfix
/$vm_domainname/smtp
/x509
/ca \
434 /etc
/postfix
/$vm_domainname/smtpd \
435 /etc
/postfix
/$vm_domainname/smtpd
/x509 \
436 /etc
/postfix
/$vm_domainname/smtpd
/x509
/ca
438 ..
/crt
+crl.self-signed.pem \
439 /etc
/postfix
/$vm_domainname/smtpd
/x509
/ca
/crt.pem
440 sudo
install -m 400 -o root
-g root \
441 var
/pub
/x509
/service
/smtpd
/crt
+crl.self-signed.pem \
442 /etc
/postfix
/$vm_domainname/smtpd
/x509
/crt
+crl.self-signed.pem
443 sudo
install -m 400 -o root
-g root \
444 var
/pub
/x509
/service
/smtpd
/crt.pem \
445 /etc
/postfix
/$vm_domainname/smtpd
/x509
/crt.pem
446 sudo
install -m 400 -o root
-g root \
447 var
/pub
/x509
/service
/smtpd
/crt
+root.pem \
448 /etc
/postfix
/$vm_domainname/smtpd
/x509
/crt
+root.pem
449 sudo
install -m 400 -o root
-g root \
450 var
/pub
/x509
/service
/smtpd
/crt
+crl.self-signed.pem \
451 /etc
/postfix
/$vm_domainname/smtpd
/x509
/crt
+crl.self-signed.pem
452 sudo
install -m 660 -o root
-g root \
453 etc
/postfix
/$vm_domainname/header_checks \
454 /etc
/postfix
/$vm_domainname/header_checks
455 sudo
install -m 664 -o root
-g root \
456 etc
/postfix
/aliases \
458 sudo newaliases
-oA/etc
/postfix
/aliases
459 cat /dev
/stdin etc
/postfix
/main.cf
<<-EOF |
460 mydomain = $vm_domainname
461 myorigin = \$mydomain
462 myhostname = $vm_hostname.\$mydomain
463 mail_name = \$myhostname
464 mydestination = $vm_hostname \$myhostname \$myorigin
466 sudo
install -m 664 -o root
-g root
/dev
/stdin \
468 sudo
install -m 664 -o root
-g root \
469 etc
/postfix
/master.cf \
470 /etc
/postfix
/master.cf
471 sudo
install -m 660 -o root
-g root \
472 etc
/postfix
/$vm_domainname/smtp
/x509
/policy \
473 /etc
/postfix
/$vm_domainname/smtp
/x509
/policy
474 sudo postmap
hash:/etc
/postfix
/$vm_domainname/smtp
/x509
/policy
475 sudo
install -m 660 -o root
-g root \
476 etc
/postfix
/$vm_domainname/smtp
/header_checks \
477 /etc
/postfix
/$vm_domainname/smtp
/header_checks
478 sudo
install -m 660 -o root
-g root \
479 etc
/postfix
/$vm_domainname/smtpd
/sender_access \
480 /etc
/postfix
/$vm_domainname/smtpd
/sender_access
481 sudo postmap
hash:/etc
/postfix
/$vm_domainname/smtpd
/sender_access
482 sudo
install -m 660 -o root
-g root \
483 etc
/postfix
/$vm_domainname/smtpd
/client_blacklist \
484 /etc
/postfix
/$vm_domainname/smtpd
/client_blacklist
485 sudo postmap
hash:/etc
/postfix
/$vm_domainname/smtpd
/client_blacklist
486 sudo
install -m 660 -o root
-g root \
487 etc
/postfix
/$vm_domainname/smtpd
/relay_clientcerts \
488 /etc
/postfix
/$vm_domainname/smtpd
/relay_clientcerts
489 sudo postmap
hash:/etc
/postfix
/$vm_domainname/smtpd
/relay_clientcerts
490 sudo
install -m 660 -o root
-g root \
491 etc
/postfix
/$vm_domainname/transport \
492 /etc
/postfix
/$vm_domainname/transport
493 sudo postmap
hash:/etc
/postfix
/$vm_domainname/transport
494 sudo
install -m 660 -o root
-g root \
495 etc
/postfix
/$vm_domainname/virtual_alias \
496 /etc
/postfix
/$vm_domainname/virtual_alias
497 sudo postmap
hash:/etc
/postfix
/$vm_domainname/virtual_alias
498 sudo service postfix restart
# rule_mail_configure: aggregate rule; runs the postfix, postgrey, procmail
# and dovecot configuration rules in that order (postfix first, since the
# dovecot auth socket lives under /var/spool/postfix). The function end is
# not in this extract.
500 rule_mail_configure
() {
501 rule postfix_configure
502 rule postgrey_configure
503 rule procmail_configure
504 rule dovecot_configure
# rule_network_configure: writes /etc/hostname, adds '127.0.0.1 $vm_fqdn $vm'
# to /etc/hosts unless a line ending in " $vm" is already present, and writes
# /etc/network/interfaces with a static /32 on the 'grenode' interface, the
# gateway reached through proxy_arp, and post-up/pre-down hooks for
# $vm_ipv4/32; the MTU rationale is kept as a comment inside the file.
# The here-document terminators and the function end are missing from the
# extract.
506 rule_network_configure
() {
507 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/hostname
<<-EOF
510 grep -q " $vm\$" /etc
/hosts ||
511 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/hosts
<<-EOF
513 127.0.0.1 $vm_fqdn $vm
515 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/network
/interfaces
<<-EOF
517 iface lo inet loopback
520 iface grenode inet static
522 gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
525 netmask 255.255.255.255
527 # NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
528 # car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
530 # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
531 # PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
532 # 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
534 # --- soupirail.grenode.net ping statistics ---
535 # 1 packets transmitted, 1 received, 0% packet loss, time 0ms
536 # rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
537 # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
538 # PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
539 # From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
541 # --- soupirail.grenode.net ping statistics ---
542 # 0 packets transmitted, 0 received, +1 errors
543 post-up ip address add $vm_ipv4/32 dev \$IFACE
544 pre-down ip address delete $vm_ipv4/32 dev \$IFACE
# rule_ssh_configure: unless the tool's known_hosts already holds an RSA
# entry for $vm_fqdn, generates a 4096-bit RSA host key with an empty
# passphrase; removes the Debian-generated DSA and ECDSA host keys (the rm
# line itself is cut), writes /etc/ssh/sshd_config bound to $vm_ipv4 with
# public-key authentication only (password, challenge-response, host-based,
# Kerberos and GSSAPI all off, empty passwords refused, per-user keys in
# %h/etc/ssh/authorized_keys) and restarts sshd.
# Review notes:
# - 'RSAAuthentication', 'RhostsRSAAuthentication' and
#   'KeyRegenerationInterval' are SSH protocol-1 options; the 'Protocol' line
#   and lines 562-564 / 568-573 (where PermitRootLogin would normally sit) are
#   not in this extract, so confirm 'Protocol 2' and an explicit
#   'PermitRootLogin' setting are present in the full file.
# - As in rule_initramfs_configure, 'return 0; break;;' has an unreachable
#   break.
# The function end is not in this extract.
547 rule_ssh_configure
() {
548 ssh-keygen
-F "$vm_fqdn" -f "$tool"/etc
/openssh
/known_hosts |
549 ( while IFS
= read -r line
550 do case $line in (*" RSA") return 0; break;; esac
552 sudo ssh-keygen
-t rsa
-b 4096 -N '' -f /etc
/ssh
/ssh_host_rsa_key
554 /etc
/ssh
/ssh_host_dsa_key \
555 /etc
/ssh
/ssh_host_dsa_key.pub \
556 /etc
/ssh
/ssh_host_ecdsa_key \
557 /etc
/ssh
/ssh_host_ecdsa_key.pub
558 # NOTE: keys generated by Debian
559 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/ssh
/sshd_config
<<-EOF
561 ListenAddress $vm_ipv4
565 HostKey /etc/ssh/ssh_host_rsa_key
566 UsePrivilegeSeparation yes
567 KeyRegenerationInterval 3600
574 RSAAuthentication yes
575 PubkeyAuthentication yes
576 AuthorizedKeysFile %h/etc/ssh/authorized_keys
578 RhostsRSAAuthentication no
579 HostbasedAuthentication no
580 IgnoreUserKnownHosts no
581 PermitEmptyPasswords no
582 ChallengeResponseAuthentication no
583 PasswordAuthentication no
584 KerberosAuthentication no
585 GSSAPIAuthentication no
592 ClientAliveInterval 0
594 Subsystem sftp /usr/lib/openssh/sftp-server
597 sudo service
ssh restart
# rule_user_admin_add: creates $user with a disabled password if 'id' does
# not know it (the user sets one later through passwd-init), adds it to the
# sudo group, installs the tool's var/pub/ssh/$user.key as the user's
# ~/etc/ssh/authorized_keys (root:root, 640), imports every
# var/pub/openpgp/*.key into the user's keyring (globbing re-enabled locally
# with 'local -; set +f'), then runs rule user_admin_configure.
# Review note: 'eval local home\; home="~$user"' relies on eval to expand
# ~user; $user is the rule's argument (its assignment, orig. line 600, is not
# in this extract). An argument containing shell metacharacters would be
# evaluated as code, so a lookup such as
# 'home=$(getent passwd "$user" | cut -d: -f6)' is the safer equivalent.
# The function end is missing from the extract.
599 rule_user_admin_add
() { # SYNTAX: $user
601 id
"$user" >/dev
/null ||
602 sudo adduser
--disabled-password "$user"
603 # NOTE: the password must be initialised by the user with passwd-init .
604 eval local home\
; home
="~$user"
605 sudo adduser
"$user" sudo
606 sudo
install -m 640 -o root
-g root \
607 "$tool"/var
/pub
/ssh
/"$user".key \
608 "$home"/etc
/ssh
/authorized_keys
609 local key
; local -; set +f
610 for key
in "$tool"/var
/pub
/openpgp
/*.key
611 do sudo
-u "$user" gpg
--import "$key"
613 rule user_admin_configure
# rule_user_admin_configure: re-runs initramfs_configure (so the admin's SSH
# key reaches the dropbear authorized_keys) and user_root_configure (so it
# reaches root's). The function end is not in this extract.
615 rule_user_admin_configure
() {
616 rule initramfs_configure
617 rule user_root_configure
# rule_user_configure: prepares /etc/skel (apache2, var/cache, var/cache/ssh
# directories; .ssh and .gnupg as symlinks to etc/ssh and etc/gpg), writes
# three sudoers.d drop-ins and installs the /usr/local/bin/passwd-init
# helper. The helper runs, via sudo, the exact /bin/sh command listed
# NOPASSWD in sudoers.d/passwd-init: it calls 'passwd $SUDO_USER' only when
# 'passwd --status' reports the account as locked ("L"), which lets a new
# sudo-group member set a first password without already having one.
# Review notes:
# - sudo matches the NOPASSWD command line literally, so the here-document
#   (with its '\\' continuations) and the quoted string in passwd-init must
#   produce byte-identical text; any drift silently turns the helper into a
#   password prompt. Keeping the command in one shared variable, or a comment
#   saying the two must stay in sync, would guard against that.
# - The drop-ins are installed with mode 640; sudo only rejects sudoers files
#   writable by group/other, so 640 is accepted, but 440 is the conventional
#   mode — running 'visudo -c' after this rule would confirm.
# - env_keep passes GIT_COMMITTER_NAME/EMAIL through sudo for etckeeper
#   attribution (the list's other entries are cut from this extract).
# The function end is not in this extract.
619 rule_user_configure
() {
620 sudo
install -d -m 750 -o root
-g adm \
623 sudo
install -d -m 770 -o root
-g adm \
624 /etc
/skel
/etc
/apache2 \
627 /etc
/skel
/var
/cache \
628 /etc
/skel
/var
/cache
/ssh
629 sudo
ln -fns etc
/ssh /etc
/skel
/.
ssh
630 sudo
ln -fns etc
/gpg
/etc
/skel
/.gnupg
631 sudo
install -m 640 -o root
-g root
/dev
/stdin
/etc
/sudoers.d
/passwd-init
<<-EOF
632 %sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
633 case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
634 ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
636 sudo
install -m 640 -o root
-g root
/dev
/stdin
/etc
/sudoers.d
/etckeeper-unclean
<<-EOF
637 %sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
639 sudo
install -m 640 -o root
-g root
/dev
/stdin
/etc
/sudoers.d
/env_keep
<<-EOF
640 Defaults env_keep = " \\
644 GIT_COMMITTER_NAME \\
645 GIT_COMMITTER_EMAIL \\
648 sudo
install -m 755 -o root
-g root
/dev
/stdin
/usr
/local
/bin
/passwd-init
<<-EOF
650 # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
651 sudo /bin/sh -e -f -u -c \
652 'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
654 sudo
install -m 644 -o root
-g root \
657 sudo
install -m 644 -o root
-g root \
# rule_user_root_configure: creates root's config directories (root:adm,
# 750), links /root/.gnupg and /root/.ssh to etc/gpg and etc/ssh, gathers the
# ~/etc/ssh/authorized_keys of every member of a group read from a
# here-document into /root/etc/ssh/authorized_keys (root:root, 640), and
# imports the tool's var/pub/openpgp/*.key into root's keyring.
# Review note: this is the same group-member loop, with the same
# 'eval local home\; home="~$user"' tilde trick, as in
# rule_initramfs_configure; $user comes from /etc/group, so the data is
# root-controlled, but factoring the loop into one helper would keep the two
# copies from drifting. Loop ends, here-doc terminators and the function end
# are missing from the extract.
661 rule_user_root_configure
() {
662 sudo
install -d -m 750 -o root
-g adm \
666 sudo
ln -fns etc
/gpg
/root
/.gnupg
667 sudo
ln -fns etc
/ssh /root
/.
ssh
669 while IFS
=: read -r group x x users
670 do while test -n "$users" && IFS
=, read -r user users
<<-EOF
673 do eval local home\
; home
="~$user"
674 cat "$home"/etc
/ssh
/authorized_keys
677 sudo
install -m 640 -o root
-g root
/dev
/stdin
/root
/etc
/ssh
/authorized_keys
678 local key
; local -; set +f
679 for key
in "$tool"/var
/pub
/openpgp
/*.key
680 do sudo gpg
--import "$key"
# Tail of an aggregate rule whose header (orig. lines 681-685) is not in this
# extract: runs etckeeper first so every later change is recorded, then
# locale, network, filesystem and (after a gap) user_root configuration.
686 rule etckeeper_configure
687 rule locale_configure
688 rule network_configure
689 rule filesystem_configure
692 rule user_root_configure
# rule_luks_key_change: interactively changes a key slot on the root LUKS
# volume /dev/$vm_lvm_vg/${vm_lvm_lv}_root. Per rule_filesystem_configure's
# crypttab, var/home/swap are unlocked with decrypt_derived from the root
# mapping (i.e. from its master key), so they need no change here — worth
# stating in a comment so nobody expects this rule to touch them. The
# function end is not in this extract.
697 rule_luks_key_change
() {
698 sudo cryptsetup luksChangeKey
/dev
/$vm_lvm_vg/${vm_lvm_lv}_root
# Top-level guard (orig. lines 699-705 are missing): refuses to run unless the
# machine's FQDN is the configured $vm_fqdn, so the rules above cannot be
# applied to the wrong host by mistake; the second argument names the
# variable whose value 'assert' prints as a hint.
706 assert
'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn