# cependant l'usage de suexec impose des forks il semble..
# et mod_proxy_fcgi n'apparaît que dans apache 2.4 ;
# donc pour l'instant : apache2-mpm-itk
+ sudo rm -rf \
+ /etc/apache2/site.d
+ sudo install -d -m 770 -o www -g www \
+ /etc/apache2 \
+ /etc/apache2/site.d \
+ /etc/apache2/x509.d
cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF |
ServerName "$vm_fqdn"
EOF
sudo install -d -m 770 -o www-"$site" -g www-"$site" \
/etc/apache2 \
/etc/apache2/site.d/"$site" \
- /etc/apache2/site.d/"$site"/x509 \
- /etc/apache2/site.d/"$site"/x509/ca \
- /etc/apache2/site.d/"$site"/x509/empty \
- /etc/apache2/site.d/"$site"/x509/rvk \
- /etc/apache2/site.d/"$site"/x509/usr
+ /etc/apache2/x509.d/"$site" \
+ /etc/apache2/x509.d/"$site"/ca \
+ /etc/apache2/x509.d/"$site"/empty \
+ /etc/apache2/x509.d/"$site"/rvk \
+ /etc/apache2/x509.d/"$site"/usr
sudo install -m 664 -o www -g www \
- "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
- /etc/apache2/site.d/"$site"/x509/crt.self-signed.pem
+ "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
+ /etc/apache2/x509.d/"$site"/crt.self-signed.pem
#sudo install -m 664 -o www-"$site" -g www-"$site" \
# "$tool"/var/pub/x509/"$site"/rvk.pem \
- # /etc/apache2/site.d/"$site"/x509/rvk.pem
+ # /etc/apache2/x509.d/"$site"/rvk.pem
sudo install -m 664 -o www -g www \
"$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \
- /etc/apache2/site.d/"$site"/x509/ca/crt.pem
+ /etc/apache2/x509.d/"$site"/ca/crt.pem
sudo install -m 664 -o www -g www \
- "$tool"/var/pub/x509/"$site"/crt.pem \
- /etc/apache2/site.d/"$site"/x509/crt.pem
+ "$tool"/var/pub/x509/"$site"/crt.pem \
+ /etc/apache2/x509.d/"$site"/crt.pem
;;
esac
case $site in
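Review bot: L7 now puts `/etc/apache2` under `-m 770 -o www -g www`, and the unchanged L14 then re-chowns the very same directory to `www-$site:www-$site` for every site, so whichever site is processed last ends up owning the whole Apache configuration tree with group write. Under apache2-mpm-itk (L3) that account is the one running the site's own code, and the configuration it could rewrite is parsed by root at startup, so a compromised site becomes root; keep the tree root-owned with `sudo install -d -m 755 -o root -g root /etc/apache2` and drop `/etc/apache2` from both L7 and L14. The material installed at L26-43 with `-m 664 -o www -g www` has the same problem in miniature: `crt.self-signed.pem` is later used as `SSLCACertificateFile` (a trust anchor for client-certificate verification), and a group-writable trust anchor lets any member of `www` mint client certificates the server accepts, whereas `-m 644 -o root -g root` is all Apache needs to read it.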
ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60"
#ErrorLog "/dev/null"
LogLevel Warn
- SSLCACertificateFile /etc/apache2/site.d/$site/x509/crt.self-signed.pem
- SSLCACertificatePath /etc/apache2/site.d/$site/x509/usr/
- #SSLCARevocationFile /etc/apache2/site.d/$site/x509/rvk.pem
- SSLCADNRequestFile /etc/apache2/site.d/$site/x509/crt.self-signed.pem
- SSLCADNRequestPath /etc/apache2/site.d/$site/x509/empty/
+ SSLCACertificateFile /etc/apache2/x509.d/$site/crt.self-signed.pem
+ SSLCACertificatePath /etc/apache2/x509.d/$site/usr/
+ #SSLCARevocationFile /etc/apache2/x509.d/$site/rvk.pem
+ SSLCADNRequestFile /etc/apache2/x509.d/$site/crt.self-signed.pem
+ SSLCADNRequestPath /etc/apache2/x509.d/$site/empty/
# NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés
- SSLCARevocationPath /etc/apache2/site.d/$site/x509/rvk/
- SSLCertificateChainFile /etc/apache2/site.d/$site/x509/ca/crt.pem
- SSLCertificateFile /etc/apache2/site.d/$site/x509/crt.pem
- SSLCertificateKeyFile /etc/apache2/site.d/$site/x509/key.pem
+ SSLCARevocationPath /etc/apache2/x509.d/$site/rvk/
+ SSLCertificateChainFile /etc/apache2/x509.d/$site/ca/crt.pem
+ SSLCertificateFile /etc/apache2/x509.d/$site/crt.pem
+ SSLCertificateKeyFile /etc/apache2/x509.d/$site/key.pem
SSLCipherSuite AES+RSA+SHA256
SSLEngine On
SSLInsecureRenegotiation Off
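Review bot: L68 points `SSLCertificateKeyFile` at `/etc/apache2/x509.d/$site/key.pem`, but that directory is created at L13/L21 as `-m 770 -o www-$site -g www-$site`, i.e. owned by the per-site account that mpm-itk (L3) switches to for the site's own code. Whatever mode `key.pem` itself receives (its install step is not in this diff), write access on the directory lets that account rename or replace the key and everything else under `x509.d/$site`, including the `usr/` and `rvk/` directories that decide which client certificates are accepted at L56/L65. As far as I can tell the root parent loads certificates and keys at startup and on reload, so the site user never needs access; `sudo install -d -m 750 -o root -g www` for `x509.d/$site` (and root-owned subdirectories) keeps the private key and the client-cert policy out of reach of the account they protect.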
# CUSTOM_NO_UPDATES_SUBJECT=""
# CUSTOM_FROM="root@$vm_fqdn"
EOF
+ sudo install -m 660 -o root -g root /dev/stdin /etc/apt/apt.conf.d/01proxy-grenode <<-EOF
+ Acquire::http::Proxy "http://outils.grenode.net:3142";
+ EOF
}
rule_boot_configure () {
#warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
rule adduser git \
--disabled-password \
--group \
+ --home /home/git \
--shell /bin/bash \
--system
sudo chfn --full-name git git
--disabled-login \
--disabled-password \
--group \
- --home ~git/log \
+ --home /home/git/log \
+ --shell /bin/false \
+ --system
+ rule adduser git-data\
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/git/pub \
--shell /bin/false \
--system
rule adduser git-daemon\
--home /home/git/pub \
--shell /bin/false \
--system
+ rule adduser log-git-daemon\
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/git/log/git-daemon \
+ --shell /bin/false \
+ --system
+ sudo adduser git git-data
+ sudo adduser git-daemon git-data
+ sudo adduser log-git log-git-daemon
sudo install -d -m 770 -o git -g git \
/etc/gitolite \
- ~git/etc \
- ~git/etc/ssh \
- ~git/pub
- sudo install -d -m 770 -o log-git -g log-git \
- ~git/log \
- ~git/log/gitolite \
- ~git/log/gitolite/perf
+ /home/git/etc \
+ /home/git/etc/ssh
+ sudo install -d -m 751 -o git -g git \
+ /home/git
+ sudo install -d -m 3771 -o git-data -g git-data \
+ /home/git/pub
+ sudo install -d -m 1771 -o git -g git \
+ /home/git/log
+ sudo install -d -m 2770 -o git -g log-git \
+ /home/git/log/gitolite \
+ /home/git/log/gitolite/perf
+ sudo install -d -m 770 -o log-git-daemon -g log-git-daemon \
+ /home/git/log/git-daemon
sudo install -d -m 550 -o www-lhc-git -g www-lhc-git \
/etc/gitweb \
/etc/gitweb/cgi
- sudo ln -fns /etc/gitolite ~git/etc/gitolite
- sudo ln -fns /etc/gitweb ~git/etc/gitweb
- sudo ln -fns etc/gitolite/gitolite.rc ~git/.gitolite.rc
- sudo ln -fns etc/ssh ~git/.ssh
+ sudo ln -fns /etc/gitolite /home/git/etc/gitolite
+ sudo ln -fns /etc/gitweb /home/git/etc/gitweb
+ sudo ln -fns etc/gitolite/gitolite.rc /home/git/.gitolite.rc
+ sudo ln -fns etc/ssh /home/git/.ssh
sudo install -m 770 -o git -g git /dev/stdin \
- ~git/etc/gitolite/gitolite.rc <<-EOF
+ /home/git/etc/gitolite/gitolite.rc <<-EOF
#\$ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary";
#\$BIG_INFO_CAP = 20;
#\$ENV{GL_SLAVES} = 'gitolite@server2 gitolite@server3';
1;
EOF
sudo install -m 740 -o git -g www-lhc-git /dev/stdin \
- ~git/etc/gitweb/gitweb.conf <<-EOF
+ /home/git/etc/gitweb/gitweb.conf <<-EOF
\$commit_oneline_message_width = 70;
\$default_projects_order = 'age';
\$default_text_plain_charset = 'UTF-8';
EOF
sudo install -m 600 -o git -g git \
"$tool"/var/pub/ssh/git.key \
- ~git/etc/ssh/git.pub
+ /home/git/etc/ssh/git.pub
sudo -u git \
GL_RC=/home/git/etc/gitolite/gitolite.rc \
GIT_AUTHOR_NAME=git \
- gl-setup -q ~git/etc/ssh/git.pub git
+ gl-setup -q /home/git/etc/ssh/git.pub git
local d
for d in doc logs src
- do test ! -d ~git/etc/gitolite/"$d" ||
- rmdir ~git/etc/gitolite/"$d"
+ do test ! -d /home/git/etc/gitolite/"$d" ||
+ rmdir /home/git/etc/gitolite/"$d"
done
rule apt_get_install gitweb highlight
sudo service tmpfs restart
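Review bot: L129 creates `/home/git/pub` with mode 3771 and L131 `/home/git/log` with 1771, both of which grant write to every local account; with git and git-daemon now members of git-data (L113-114) and git-daemon's log directory created explicitly at L136, nothing visible here needs the other-write bit, so `3770` and `1770` would do — the sticky bit only stops users deleting each other's entries, it does not stop an arbitrary user from dropping a repository or log file there. The same hunk links `/home/git/.ssh` to `etc/ssh` (L148) while L116/L125-126 leave `/home/git/etc` and `/home/git/etc/ssh` at `770 git:git`; if sshd runs with the default `StrictModes yes` (its config is not in this diff) it refuses an authorized_keys file that sits under a group-writable directory, so gitolite SSH logins would fail until those become `750` or `700`. L165-167 also installs a file named `git.key` as `git.pub` and hands it to `gl-setup` at L172 as the admin public key; assuming `var/pub/ssh/git.key` really is the public half, renaming the source file removes the trap of a private key being copied there one day. rule_boot_configure begins at L79 but its closing brace is outside this hunk.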
"$tool"/etc/nginx/conf.d/"$conf" \
/etc/nginx/conf.d/"$conf"
done
- for conf in "$tool"/etc/nginx/site.d/*/server.conf
+ for conf in "$tool"/etc/nginx/site.d/*/site.conf
do conf=${conf#"$tool"/etc/nginx/site.d/}
- local site="${conf%/server.conf}"
+ local site="${conf%/site.conf}"
rule adduser www-"$site" \
--disabled-login \
--disabled-password \
sudo install -d -m 770 -o www -g www \
/etc/nginx/x509.d/"$site"
test -L /home/www/pub/"$site" ||
- sudo install -d -m 3770 -o www-"$site" -g www-"$site" \
+ sudo install -d -m 2770 -o www-"$site" -g www-"$site" \
/home/www/pub/"$site"
sudo adduser www-data www-"$site"
sudo adduser www-data log-www-"$site"
+ sudo install -m 660 -o www -g www \
+ "$tool"/etc/nginx/site.d/"$site"/local.conf \
+ /etc/nginx/site.d/"$site"/local.inc
+ sudo install -m 660 -o www -g www \
+ "$tool"/etc/nginx/site.d/"$site"/site.conf \
+ /etc/nginx/site.d/"$site"/site.inc
sudo install -m 660 -o www -g www /dev/stdin \
/etc/nginx/site.d/"$site"/server.conf <<-EOF
server {
access_log /home/www/log/$site/nginx/access.log main;
error_log /home/www/log/$site/nginx/error.log warn;
root /home/www/pub/$site;
- ssl_certificate /etc/nginx/x509.d/$site/crt.pem;
- ssl_certificate_key /etc/nginx/x509.d/$site/key.pem;
- $(cat "$tool"/etc/nginx/site.d/"$site"/listen.conf)
- $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
+ include /etc/nginx/site.d/$site/local.inc;
+ include /etc/nginx/site.d/$site/site.inc;
}
EOF
- test -d /home/www/pub/"$site" -o -L /home/www/pub/"$site" ||
test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
. "$tool"/etc/nginx/site.d/"$site"/configure.sh
done
sudo insserv --remove fcgiwrap
sudo insserv --remove nginx
rule tmpfs_configure
- case $(sv status nginx) in
- (run:*) sudo sv restart nginx
- esac
+ sudo service php5-fpm restart
+ # NOTE: relance les processus du pool
+ # pour leur donner les droits
+ # de leurs groupes supplémentaires.
+ sudo service nginx restart
+ #case $(sv status nginx) in
+ # (run:*) sudo sv restart nginx
+ # esac
}
rule_php5_fpm_configure () {
local -; set +f
--disabled-password \
--group \
--no-create-home \
- --home /home/www/log/php5/fpm \
+ --home /home/www/log/php5/fpm/"$pool" \
--shell /bin/false \
--system
sudo install -d -m 770 -o log-php5 -g log-php5 \
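Review bot: L201-203 installs `site.d/$site/local.conf` unconditionally, but the loop at L186 only guarantees that `site.conf` exists for a site, so a site without a `local.conf` makes that `install` fail, and unless `set -e` is active somewhere above (not visible here) the loop carries on and L235 restarts nginx with a server block whose `include /etc/nginx/site.d/$site/local.inc` (L217) names a missing file — a fatal configuration error that takes every site down, not just that one. Guard it the way L222 already guards `configure.sh`: `test ! -r "$tool"/etc/nginx/site.d/"$site"/local.conf || sudo install -m 660 -o www -g www "$tool"/etc/nginx/site.d/"$site"/local.conf /etc/nginx/site.d/"$site"/local.inc`, and make sure `local.inc` always exists (an `install -m 660 -o www -g www /dev/null .../local.inc` beforehand is enough) or only emit the `include` line when it does. Since the `sv status` check at L228-230 was replaced by an unconditional restart, running `sudo nginx -t` before L235 and skipping the restart on failure would keep a previously healthy nginx up when any site's generated config is broken.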
LAST_SYSTEM_UID=999
LAST_UID=29999
LETTERHOMES=no
- NAME_REGEX="^[a-z][-a-z0-9_.]*\$"
+ NAME_REGEX="^[a-z][-a-z0-9_]*\$"
QUOTAUSER="" # TODO: init
SETGID_HOME=no
SKEL=/etc/skel
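Review bot: L254 removes `.` from NAME_REGEX, so adduser now rejects any account name containing a dot, yet the names this script creates are `www-$site` and `log-www-$site` (L190, L200) with `$site` taken verbatim from the directory names under `etc/nginx/site.d` (L186-189), and the php-fpm pool name at L246, none of which are validated; a site directory named after its FQDN would make `rule adduser` fail while the rest of the loop still installs that site's config. Either reject such names at the top of the loop, e.g. `case $site in (*[!-a-z0-9_]*|[!a-z]*) printf 'skipping %s: name not accepted by adduser NAME_REGEX\n' "$site" >&2; continue;; esac`, or document the constraint in a comment next to L186 and L254 so the two stay in step. The `log-www-` prefix also eats into the usual 32-character username limit, which is worth a mention in the same comment.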