--- /dev/null
+#!/bin/sh -eux
+db="$1"
+owner="${2:-$db}"
+sudo -u postgres psql template1 -a -f - <<-EOF
+ \set ON_ERROR_STOP on
+ DO LANGUAGE plpgsql \$\$
+ BEGIN
+ IF NOT EXISTS (
+ SELECT *
+ FROM pg_catalog.pg_user
+ WHERE usename = '$owner'
+ LIMIT 1
+ ) THEN
+ CREATE ROLE $owner
+ LOGIN
+ NOCREATEDB
+ NOCREATEROLE
+ NOINHERIT
+ NOSUPERUSER;
+ END IF;
+ END;
+ \$\$;
+ EOF
+case $(sudo -u postgres psql template1 -t -c \
+ "SELECT datname FROM pg_catalog.pg_database WHERE datname = '$db' LIMIT 1") in
+ (" $db") true;;
+ (*)
+ sudo -u postgres psql template1 -a -f - <<-EOF
+ \set ON_ERROR_STOP on
+ CREATE DATABASE $db WITH OWNER=$owner;
+ EOF
+ ;;
+ esac
+sudo -u postgres psql template1 -a -f - <<-EOF
+ \set ON_ERROR_STOP on
+ REVOKE ALL ON DATABASE $db FROM public;
+ EOF
+sudo -u postgres psql "$db" -a -f - <<-EOF
+ \set ON_ERROR_STOP on
+ GRANT ALL ON SCHEMA public TO $owner WITH GRANT OPTION;
+ EOF
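Review bot: `$db` and `$owner` are spliced unquoted into the SQL at L12, L15, L26, L31, L37 and L41, so an argument containing a quote, space or semicolon alters the statements instead of being rejected; as this is now an executable taking positional arguments, a whitelist before the first heredoc, `case $owner in (*[!A-Za-z0-9_]*|"") echo "bad role name" >&2; exit 2;; esac` (and the same for `$db`), keeps such values from ever reaching psql. The existence test at L25–L27 relies on the leading space that `psql -t` prints in aligned mode; `psql -tA -c …` matched against `("$db")` performs the same check without depending on that formatting. The `-eux` in the shebang at L2 is lost when the script is run as `sh script`; a `set -eux` first statement is the robust form.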
--- /dev/null
+#!/bin/sh -eux
+db="$1"
+owner="${2:-$db}"
+sudo -u postgres psql "$db" -a -f - <<-EOF
+ \set ON_ERROR_STOP on
+ DO LANGUAGE plpgsql \$\$
+ BEGIN
+ IF NOT EXISTS (
+ SELECT *
+ FROM pg_catalog.pg_user
+ WHERE usename = '$user'
+ LIMIT 1
+ ) THEN
+ CREATE ROLE $user
+ LOGIN
+ NOCREATEDB
+ NOCREATEROLE
+ NOINHERIT
+ NOSUPERUSER;
+ END IF;
+ END;
+ \$\$;
+ GRANT USAGE ON SCHEMA public TO $user;
+ GRANT CONNECT,TEMPORARY ON DATABASE $db TO $user;
+ EOF
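Review bot: `$user` at L54, L57, L66 and L67 is never assigned — L45–L46 set `db` and `owner`, apparently copied from the db_add script — so under `sh -eu` the heredoc at L47 aborts on an unbound variable and the script cannot succeed. The function it replaces took `local db="$1" user="$2"`; the equivalent here is to replace L46 with `user="${2:?usage: db user}"`. As in the db_add script, the role and database names are interpolated unquoted into SQL, so a whitelist `case` on both arguments before the heredoc is worth adding.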
+++ /dev/null
-eval "local home=/home/$sv"
-cd /
-case $(sudo sv status postgres || true) in
- (run:*)
- while ! sudo -u postgres psql </dev/null
- do sleep 0.3; done
- ;;
- (*) set -$- "$@" "$sv"; continue=yes; continue;;
- esac
-case $(sudo sv status "$sv" || true) in
- (run:*) sudo sv stop "$sv";;
- esac
-rule adduser "$sv" \
- --disabled-login \
- --disabled-password \
- --group \
- --home "$home" \
- --shell /bin/false \
- --system
-rule adduser log-"$sv"\
- --disabled-login \
- --disabled-password \
- --group \
- --home "$home"/log \
- --shell /bin/false \
- --system
-rule adduser "$sv"-addon \
- --disabled-login \
- --disabled-password \
- --group \
- --home "$home"/addon.d \
- --shell /bin/false \
- --system
-sudo install -d -m 3771 -o "$sv" -g "$sv" \
- "$home"/
-sudo install -d -m 770 -o log-"$sv" -g log-"$sv" \
- "$home"/log
-sudo install -d -m 2770 -o "$sv" -g "$sv"-addon \
- "$home"/addon.d
-sudo adduser git "$sv"-addon
-sudo adduser "$sv" "$sv"-addon
-sudo adduser "$sv" postgres-data
-sudo install -d -m 2770 -o "$sv" -g "$sv" \
- /etc/sv/"$sv" \
- /etc/sv/"$sv"/log
-sudo install -d -m 750 -o "$sv" -g "$sv" \
- "$home"/etc \
- /etc/openerp/"$sv"
-sudo ln -fns \
- /etc/openerp/"$sv" \
- "$home"/etc/openerp
-for addon in \
- bikecoop \
- bikecoop_l10n_fr \
- pos_membership \
- remembership \
- cyclofficine_paris_est
- do
- sudo install -d -m 2771 -o "$sv" -g "$sv"-addon \
- "$home"/addon.d/"$addon"
- sudo -u git git \
- --git-dir ~git-data/burette/"$addon".git \
- --work-tree="$home"/addon.d/"$addon" \
- checkout -f master
- #sudo -u git git \
- # --git-dir ~git-data/burette/"$addon".git \
- # --work-tree="$home"/addon.d/"$addon" \
- # clean -d -f -f -x
- sudo install -m 550 -o git -g git /dev/stdin \
- /home/git/pub/burette/"$addon".git/hooks/post-update <<-EOF
- git \
- --git-dir ~git-data/burette/"$addon".git \
- --work-tree="$home"/addon.d/"$addon" \
- checkout -f master
- #git \
- # --git-dir ~git-data/burette/"$addon".git \
- # --work-tree="$home"/addon.d/"$addon" \
- # clean -d -f -f -x
- #sv restart "$sv"
- EOF
- done
-case $(sudo sv status "$sv" || true) in
- (run:*) sudo sv stop "$sv";;
- esac
-rule postgresql_db_add "$sv" "$sv"
-sudo rm -f "$home"/etc/openerp/server.conf
-sudo -u "$sv" openerp-server \
- --addons-path="$home"/addon.d \
- --config "$home"/etc/openerp/server.conf \
- --database="$sv" \
- --db_user="$sv" \
- --debug \
- --init=remembership,pos_membership,bikecoop \
- --load-language=fr_FR \
- --save \
- --stop-after-init \
- --without-demo=base \
- --workers=2
#!/bin/sh -eux
sv=${PWD%/log}
sv=${sv#/etc/sv/}
-eval "home=~log-$sv"
+eval "home=~$sv/log"
+
+getent passwd log-"$sv" >/dev/null ||
+adduser log-"$sv"\
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home" \
+ --shell /bin/false \
+ --system
+
+install -d -m 770 -o log-"$sv" -g log-"$sv" \
+ "$home"
+
cd "$home"
exec chpst -u log-"$sv":log-"$sv" \
svlogd -v -tt "$home"
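Review bot: `eval "home=~$sv/log"` at L172 leaves the literal `~<sv>/log` string when the `$sv` account does not exist yet, and the `install -d` at L183–L184 then creates that relative directory under the service's cwd instead of the real home; since runsv starts a log service before its main service, and the account is only created by the main run script at L199–L206, this looks reachable on a fresh host. Resolving the home without eval avoids both issues: `home=$(getent passwd "$sv" | cut -d: -f6)` followed by `[ -n "$home" ] || exit 1` and `home=$home/log`. The same `eval` tilde construct appears at L598 and L739.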
#!/bin/sh -eux
exec 2>&1
sv=${PWD#/etc/sv/}
+home=/home/"$sv"
+cd /
+
/usr/bin/sv -w 3 start postgres
-eval "home=~$sv"
+~postgres/bin/createdb "$sv"
+
+getent passwd "$sv" >/dev/null ||
+adduser "$sv" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home" \
+ --shell /bin/false \
+ --system
+getent passwd "$sv" >/dev/null ||
+adduser "$sv"-addon \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home"/addon.d \
+ --shell /bin/false \
+ --system
+
+install -d -m 710 -o root -g "$sv" \
+ /etc/sv/"$sv" \
+ /etc/sv/"$sv"/supervise
+install -d -m 3771 -o "$sv" -g "$sv" \
+ "$home"
+install -d -m 2770 -o "$sv" -g "$sv"-addon \
+ "$home"/addon.d
+install -d -m 750 -o "$sv" -g "$sv" \
+ "$home"/etc \
+ /etc/openerp/"$sv"
+ln -fns \
+ /etc/openerp/"$sv" \
+ "$home"/etc/openerp
+
+adduser git "$sv"-addon
+adduser "$sv" "$sv"-addon
+adduser "$sv" postgres-data
+
+for addon in \
+ bikecoop \
+ bikecoop_l10n_fr \
+ pos_membership \
+ remembership \
+ cyclofficine_paris_est
+ do
+ sudo install -d -m 2771 -o "$sv" -g "$sv"-addon \
+ "$home"/addon.d/"$addon"
+ sudo -u git git \
+ --git-dir ~git-data/burette/"$addon".git \
+ --work-tree="$home"/addon.d/"$addon" \
+ checkout -f master
+ #sudo -u git git \
+ # --git-dir ~git-data/burette/"$addon".git \
+ # --work-tree="$home"/addon.d/"$addon" \
+ # clean -d -f -f -x
+ sudo install -m 550 -o git -g git /dev/stdin \
+ /home/git/pub/burette/"$addon".git/hooks/post-update <<-EOF
+ git \
+ --git-dir ~git-data/burette/"$addon".git \
+ --work-tree="$home"/addon.d/"$addon" \
+ checkout -f master
+ #git \
+ # --git-dir ~git-data/burette/"$addon".git \
+ # --work-tree="$home"/addon.d/"$addon" \
+ # clean -d -f -f -x
+ #sv restart "$sv"
+ EOF
+ done
+
+test -e "$home"/etc/openerp/server.conf ||
+/usr/bin/chpst \
+ -u "$sv":"$sv":"$sv"-addon:postgres-data \
+ /usr/bin/openerp-server \
+ --addons-path="$home"/addon.d \
+ --config "$home"/etc/openerp/server.conf \
+ --database="$sv" \
+ --db_user="$sv" \
+ --debug \
+ --init=remembership,pos_membership,bikecoop \
+ --load-language=fr_FR \
+ --save \
+ --stop-after-init \
+ --without-demo=base \
+ --workers=2
+
exec /usr/bin/chpst \
-u "$sv":"$sv":"$sv"-addon:postgres-data \
- openerp-server \
+ /usr/bin/openerp-server \
--config "$home"/etc/openerp/server.conf
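Review bot: the guard at L207 tests `getent passwd "$sv"` but the adduser it protects at L208 creates `"$sv"-addon`, so once the `$sv` account exists (it is created just above at L199–L206) the addon account is never created and `install -d … -g "$sv"-addon` at L221 fails; the guard should read `getent passwd "$sv"-addon >/dev/null ||`. `~postgres/bin/createdb "$sv"` at L197 runs on every start, and if that helper is not idempotent (its contents are not on this page) the `-e` shebang turns every restart into a failure loop, so it deserves the same exists-check treatment as the other steps. L241, L243 and L251 still prefix `sudo` while the rest of the script now runs as root directly; dropping them keeps the file consistent.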
+++ /dev/null
-#!/bin/sh -eux
-rule adduser git-daemon\
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/git/daemon \
- --shell /bin/false \
- --system
-rule adduser log-git-daemon\
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/git/log/git-daemon \
- --shell /bin/false \
- --system
-sudo adduser git-daemon git-data
-sudo adduser log-git log-git-daemon
-sudo install -d -m 770 -o log-"$sv" -g log-"$sv" \
- /home/git/log/"$sv"
-sudo install -d -m 770 -o git -g "$sv" \
- /home/git/daemon
-sudo ln -fns \
- ../pub \
- /home/git/daemon/git.$vm_domainname
-sudo ln -fns \
- ../pub \
- /home/git/daemon/burette.$vm_domainname
- # NOTE : rétro-compatibilité
#!/bin/sh -eux
sv=${PWD%/log}
sv=${sv#/etc/sv/}
-eval "home=~log-$sv"
+home=~git/log/daemon
+
+getent passwd log-"$sv" >/dev/null ||
+adduser log-"$sv" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home" \
+ --shell /bin/false \
+ --system
+
+install -d -m 770 -o log-"$sv" -g log-"$sv" \
+ "$home"
+
+adduser log-git "$sv"
+
cd "$home"
exec chpst -u log-"$sv":log-"$sv" \
svlogd -v -tt "$home"
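Review bot: `adduser log-git "$sv"` at L333 puts `log-git` in the `$sv` group, whereas the rule it replaces added it to `log-git-daemon`, the log account's group that owns the 770 directory created at L330–L331; unless the change of group is intended, this should be `adduser log-git log-"$sv"`. L319 derives the log account's home from `~git/log/daemon`, so the `git` account must exist before this log service first starts; that ordering is not visible on this page.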
#!/bin/sh -eux
exec 2>&1
sv=${PWD#/etc/sv/}
-eval "home=~$sv"
+home=~git/daemon
+domainname=$(domainname)
+case ${domainname-} in
+ (""|"(none)") false;;
+ esac
+
+getent passwd "$sv" >/dev/null ||
+adduser "$sv"\
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home" \
+ --shell /bin/false \
+ --system
+
+install -d -m 770 -o git -g "$sv" \
+ "$home"
+
+adduser "$sv" git-data
+
+ln -fns \
+ ../pub \
+ "$home"/git.$domainname
+ln -fns \
+ ../pub \
+ "$home"/burette.$domainname
+ # NOTE : rétro-compatibilité
+
exec /usr/bin/chpst \
-u "$sv":"$sv":git-data \
/usr/lib/git-core/git-daemon \
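Review bot: the empty-domainname check at L344–L346 exits through a bare `false`, so a host with no domainname set gets a silent runit restart loop with nothing in the service log; `(""|"(none)") echo "domainname is not set" >&2; exit 1;;` makes the failure visible. The same construct appears at L457–L459. The final `exec` at L370–L372 continues past the end of the hunk.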
+++ /dev/null
-#!/bin/sh -eux
-rule adduser fcgi-"$sv" \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/www/pub/"$sv" \
- --shell /bin/false \
- --system
-rule adduser log-fcgi-"$sv" \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/www/log/"$sv"/spawn-fcgi \
- --shell /bin/false \
- --system
-sudo adduser fcgi-"$sv" www-"$sv"
-sudo adduser fcgi-"$sv" git-data
-sudo install -d -m 770 -o log-fcgi-"$sv" -g log-fcgi-"$sv" \
- /home/www/log/"$sv"/spawn-fcgi
-sudo install -d -m 2750 -o git -g fcgi-"$sv" \
- /etc/gitweb
-sudo ln -fns /etc/gitweb /home/git/etc/gitweb
-sudo install -m 400 -o fcgi-"$sv" -g fcgi-"$sv" /dev/stdin \
- /etc/gitweb/gitweb.conf <<-EOF
- \$commit_oneline_message_width = 70;
- \$default_projects_order = 'project';
- \$default_text_plain_charset = 'UTF-8';
- @diff_opts = ();
- \$favicon = "static/git-favicon.png";
- \$feature{'highlight'}{'default'} = [1];
- \$git_temp = "/run/shm/tmp/gitweb";
- \$home_text = "/etc/gitweb/home_text.html";
- \$home_link = "/";
- \$home_link_str = 'dépôts';
- \$home_th_age = 'activité';
- \$home_th_descr = 'description';
- \$home_th_owner = 'contact';
- \$home_th_project = 'dépôt';
- \$javascript = "static/gitweb.js";
- \$logo = "static/git-logo.png";
- \$my_uri = "";
- \$projectroot = "/home/git/pub";
- \$projects_list = "/etc/gitweb/projects.list";
- \$projects_list_description_width = 42;
- \$projects_list_owner_width = 15;
- \$search_str = "Filtre :";
- \$site_footer = "/etc/gitweb/site_footer.html";
- \$site_header = "/etc/gitweb/site_header.html";
- \$site_name = "git.$vm_domainname";
- @stylesheets = ("static/gitweb.css");#
- EOF
-sudo install -m 400 -o fcgi-"$sv" -g fcgi-"$sv" /dev/stdin \
- /etc/gitweb/home_text.html <<-EOF
- <h2>Forge logicielle publique de l'Heureux Cyclage</h2>
- <p>Pour récupérer un dépôt public :</p>
- <pre>git clone git://git.heureux-cyclage.org/<projet></pre>
- EOF
#!/bin/sh -eux
sv=${PWD%/log}
sv=${sv#/etc/sv/}
-eval "home=~log-fcgi-$sv"
+home=~www/log/"$sv"/spawn-fcgi
+
+getent passwd log-fcgi-"$sv" >/dev/null ||
+adduser log-fcgi-"$sv" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home" \
+ --shell /bin/false \
+ --system
+
+install -d -m 770 -o log-fcgi-"$sv" -g log-fcgi-"$sv" \
+ "$home"
+
cd "$home"
exec chpst -u log-fcgi-"$sv":log-fcgi-"$sv" \
svlogd -v -tt "$home"
#!/bin/sh -eux
exec 2>&1
sv=${PWD#/etc/sv/}
+home=~git-data
+domainname=$(domainname)
+case ${domainname-} in
+ (""|"(none)") false;;
+ esac
+
+getent passwd fcgi-"$sv" >/dev/null ||
+adduser fcgi-"$sv" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home" \
+ --shell /bin/false \
+ --system
+
+adduser fcgi-"$sv" www-"$sv"
+adduser fcgi-"$sv" git-data
+
+install -d -m 2750 -o git -g fcgi-"$sv" \
+ /etc/gitweb
+install -m 400 -o fcgi-"$sv" -g fcgi-"$sv" /dev/stdin \
+ /etc/gitweb/gitweb.conf <<-EOF
+ \$commit_oneline_message_width = 70;
+ \$default_projects_order = 'project';
+ \$default_text_plain_charset = 'UTF-8';
+ @diff_opts = ();
+ \$favicon = "static/git-favicon.png";
+ \$feature{'highlight'}{'default'} = [1];
+ \$git_temp = "/run/shm/tmp/gitweb";
+ \$home_text = "/etc/gitweb/home_text.html";
+ \$home_link = "/";
+ \$home_link_str = 'dépôts';
+ \$home_th_age = 'activité';
+ \$home_th_descr = 'description';
+ \$home_th_owner = 'contact';
+ \$home_th_project = 'dépôt';
+ \$javascript = "static/gitweb.js";
+ \$logo = "static/git-logo.png";
+ \$my_uri = "";
+ \$projectroot = "/home/git/pub";
+ \$projects_list = "/etc/gitweb/projects.list";
+ \$projects_list_description_width = 42;
+ \$projects_list_owner_width = 15;
+ \$search_str = "Filtre :";
+ \$site_footer = "/etc/gitweb/site_footer.html";
+ \$site_header = "/etc/gitweb/site_header.html";
+ \$site_name = "git.$domainname";
+ @stylesheets = ("static/gitweb.css");#
+ EOF
+sudo install -m 400 -o fcgi-"$sv" -g fcgi-"$sv" /dev/stdin \
+ /etc/gitweb/home_text.html <<-EOF
+ <h2>Forge logicielle publique de l'Heureux Cyclage</h2>
+ <p>Pour récupérer un dépôt public :</p>
+ <pre>git clone git://git.heureux-cyclage.org/<projet></pre>
+ EOF
+
+ln -fns \
+ /etc/gitweb \
+ ~git/etc/gitweb
+
install -d -m 1771 -o root -g root \
/run/spawn-fcgi
install -d -m 1771 -o fcgi-gitweb -g fcgi-gitweb \
/run/shm/tmp/gitweb
+
exec /usr/bin/spawn-fcgi \
-u fcgi-"$sv" \
-g fcgi-"$sv" \
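Review bot: `home=~git-data` at L455 becomes the `--home` of the `fcgi-"$sv"` account at L466, so the gitweb FastCGI user's home appears to be the `git-data` account's home directory rather than the `/home/www/pub/"$sv"` used by the deleted rule; if that is deliberate, a one-line comment above L455 saying why (`# gitweb serves out of the git-data tree; no pub dir of its own`) would save the next reader the comparison. L504 is the only command in the script still run through `sudo` (compare L475), which looks like a leftover from the rule file. The `exec` at L520–L522 continues beyond the hunk.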
+++ /dev/null
-#!/bin/sh -eux
-rule adduser fcgi-"$sv" \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/www/pub/"$sv" \
- --shell /bin/false \
- --system
-rule adduser log-fcgi-"$sv" \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/www/log/spawn-fcgi/"$sv" \
- --shell /bin/false \
- --system
-sudo install -d -m 770 -o log-fcgi-"$sv" -g log-fcgi-"$sv" \
- /home/www/log/"$sv"/spawn-fcgi
#!/bin/sh -eux
sv=${PWD%/log}
sv=${sv#/etc/sv/}
-eval "home=~log-fcgi-$sv"
+home=~www/log/"$sv"/spawn-fcgi
+
+getent passwd log-fcgi-"$sv" >/dev/null ||
+adduser log-fcgi-"$sv" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home" \
+ --shell /bin/false \
+ --system
+
+install -d -m 770 -o log-fcgi-"$sv" -g log-fcgi-"$sv" \
+ "$home"
+
cd "$home"
exec chpst -u log-fcgi-"$sv":log-fcgi-"$sv" \
svlogd -v -tt "$home"
#!/bin/sh -eux
exec 2>&1
sv=${PWD#/etc/sv/}
+home=~www/pub/"$sv"
+
/usr/bin/sv -w 3 start sshd
+
+getent passwd fcgi-"$sv" >/dev/null ||
+adduser fcgi-"$sv" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home" \
+ --shell /bin/false \
+ --system
+
install -d -m 1771 -o root -g root \
/run/spawn-fcgi
+
exec /usr/bin/spawn-fcgi \
-u fcgi-"$sv" \
-g fcgi-"$sv" \
+++ /dev/null
-rule adduser log-"$sv"\
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/mysql/log \
- --shell /bin/false \
- --system
-sudo install -d -m 770 -o log-"$sv" -g log-"$sv" \
- /home/mysql/log
#!/bin/sh -eux
sv=${PWD%/log}
sv=${sv#/etc/sv/}
-eval "home=~log-$sv"
+eval "home=~$sv/log"
+
+getent passwd log-"$sv" >/dev/null ||
+adduser log-"$sv" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home" \
+ --shell /bin/false \
+ --system
+
+install -d -m 770 -o log-"$sv" -g log-"$sv" \
+ "$home"
+
cd "$home"
exec chpst -u log-"$sv":log-"$sv" \
svlogd -v -tt "$home"
-rule adduser log-"$sv"\
+ # DOC: http://wiki.postgresql.org/wiki/Shared_Database_Hosting
+rule apt_get_install postgresql-9.1
+rule insserv_remove postgresql
+rule adduser postgres \
--disabled-login \
--disabled-password \
--group \
- --home /home/postgresql/log/9.1/main \
+ --home /home/postgresql \
--shell /bin/false \
--system
-sudo install -d -m 770 -o log-"$sv" -g log-"$sv" \
- /home/postgresql/log
+rule adduser postgres-data \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/postgresql/data \
+ --no-create-home \
+ --shell /bin/false \
+ --system
+sudo usermod --home /home/postgresql postgres
+sudo adduser postgres postgres-data
+sudo rm -rf \
+ /etc/postgresql
+sudo install -d -m 1751 -o postgres -g postgres-data \
+ /home/postgresql \
+ /home/postgresql/etc \
+ /home/postgresql/bin \
+ /etc/postgresql \
+ /etc/postgresql/9.1 \
+ /etc/postgresql/9.1/main
+sudo ln -fns \
+ /etc/postgresql \
+ /home/postgresql/etc/postgresql
+
+if sudo test ! -d /home/postgresql/data
+ then
+ sudo install -d -m 750 -o postgres -g postgres \
+ /home/postgresql/data
+ sudo -u postgres pg_createcluster \
+ --datadir=/home/postgresql/data \
+ --logfile=/home/postgresql/log/9.1/main/cluster.log \
+ --socketdir=/run/postgresql \
+ 9.1 main
+ fi
+
+sudo install -m 640 -o postgres -g postgres /dev/stdin \
+ /etc/postgresql/9.1/main/pg_ctl.conf <<-EOF
+ pg_ctl_options = ''
+ EOF
+sudo install -m 640 -o postgres -g postgres /dev/stdin \
+ /etc/postgresql/9.1/main/pg_ident.conf <<-EOF
+ # MAPNAME SYSTEM-USERNAME PG-USERNAME
+ EOF
+sudo install -m 640 -o postgres -g postgres /dev/stdin \
+ /etc/postgresql/9.1/main/start.conf <<-EOF
+ EOF
+sudo install -m 640 -o postgres -g postgres /dev/stdin \
+ /etc/postgresql/9.1/main/pg_hba.conf <<-EOF
+ local all postgres peer
+ local all all peer
+ EOF
+sudo install -m 640 -o postgres -g postgres-data \
+ "$tool"/etc/postgresql/9.1/main/postgresql.conf \
+ /etc/postgresql/9.1/main/postgresql.conf
+sudo find "$tool"/etc/postgresql/bin/ -type f -perm /+x -exec \
+ install -m 755 -o root -g root \
+ -t /home/postgresql/bin/ {} +
+
+sudo sv -w 1 start /etc/sv/postgres
+while ! sudo -u postgres psql </dev/null
+do sleep 1; done
+# NOTE: supprime l'accès au schéma public depuis public,
+# de sorte à ce que les différents utilisateurices
+# ne voient pas leurs bases de données entre-elleux ;
+sudo -u postgres psql template1 -a -f - <<-EOF
+ \set ON_ERROR_STOP on
+ REVOKE ALL ON DATABASE template1 FROM public;
+ REVOKE ALL ON SCHEMA public FROM public;
+ GRANT ALL ON SCHEMA public TO postgres;
+ EOF
+# NOTE: ajoute le support de PL/PGSQL s'il ne l'est pas déjà.
+sudo -u postgres psql template1 -a -f - <<-EOF
+ \set ON_ERROR_STOP on
+ CREATE OR REPLACE FUNCTION create_language_plpgsql()
+ RETURNS BOOLEAN AS \$\$
+ CREATE LANGUAGE plpgsql;
+ SELECT TRUE;
+ \$\$ LANGUAGE SQL;
+ SELECT CASE WHEN NOT (
+ SELECT TRUE AS exists
+ FROM pg_language
+ WHERE lanname = 'plpgsql'
+ UNION
+ SELECT FALSE AS exists
+ ORDER BY exists DESC
+ LIMIT 1
+ )
+ THEN
+ create_language_plpgsql()
+ ELSE
+ FALSE
+ END AS plpgsql_created;
+ DROP FUNCTION create_language_plpgsql();
+ EOF
+# NOTE: supprime l'accès à la liste des bases données
+# et utilisateurices depuis public.
+sudo -u postgres psql template1 -a -f - <<-EOF
+ \set ON_ERROR_STOP on
+ REVOKE ALL ON pg_auth_members FROM public;
+ REVOKE ALL ON pg_authid FROM public;
+ REVOKE ALL ON pg_database FROM public;
+ REVOKE ALL ON pg_group FROM public;
+ REVOKE ALL ON pg_roles FROM public;
+ REVOKE ALL ON pg_settings FROM public;
+ REVOKE ALL ON pg_tablespace FROM public;
+ REVOKE ALL ON pg_user FROM public;
+ EOF
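Review bot: `pg_createcluster` at L656–L660 is given `--logfile=/home/postgresql/log/9.1/main/cluster.log`, but the rule no longer creates that directory — the old `install -d` of `/home/postgresql/log/9.1/main` (removed, see L828–L831) moved into the runit log script, which has not yet run when the cluster is first created on a fresh host; unless pg_createcluster creates the parent itself, cluster creation fails there. `sudo sv -w 1 start` at L686 returns non-zero if the cluster is not up within one second, which under `-e` aborts the rule before the wait loop at L687–L688 can help, and that loop has no upper bound. `sudo sv up /etc/sv/postgres` followed by `n=0; while ! sudo -u postgres psql </dev/null; do n=$((n+1)); [ "$n" -lt 60 ] || exit 1; sleep 1; done` avoids both the race and an indefinite hang.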
#!/bin/sh -eux
sv=${PWD%/log}
sv=${sv#/etc/sv/}
-eval "home=~log-$sv"
+eval "home=~$sv/log/9.1/main"
+
+getent passwd log-"$sv" >/dev/null ||
+adduser log-"$sv" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home" \
+ --shell /bin/false \
+ --system
+
+sudo install -d -m 2770 -o postgres -g log-postgres \
+ "$home" \
+ "$home"/9.1 \
+ "$home"/9.1/main
+
cd "$home"
exec chpst -u log-"$sv":log-"$sv" \
svlogd -v -tt "$home"
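Review bot: `home` at L739 already ends in `/9.1/main`, so the `install -d` at L750–L753 creates `"$home"`, `"$home"/9.1` and `"$home"/9.1/main`, i.e. `…/log/9.1/main/9.1/main`, while the ancestors `…/log` and `…/log/9.1` of the directory the cluster actually logs into are left with install's default attributes rather than 2770 `postgres:log-postgres`. Naming the ancestors explicitly, `install -d -m 2770 -o postgres -g log-"$sv" "${home%/9.1/main}" "${home%/main}" "$home"`, gives every level the intended mode and owner. The `sudo` at L750 is a leftover in a script that already runs as root, and `log-postgres` should be `log-"$sv"` like the adduser at L742.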
#!/bin/sh -eux
exec 2>&1
sv=${PWD#/etc/sv/}
-install -d -m 710 -o postgres -g postgres-data \
+home="/home/postgresql"
+
+install -d -m 710 -o "$sv" -g "$sv"-data \
/run/postgresql
-eval "home=~$sv"
+
exec /usr/bin/chpst \
-u "$sv":"$sv":"$sv"-data \
/usr/lib/postgresql/9.1/bin/postgres \
# DELETE FROM mysql.user WHERE user = 'root' AND host NOT IN ('localhost', '127.0.0.1', '::1');
sudo mysql -u root --batch --verbose <<-EOF
DELETE FROM mysql.user WHERE user = 'root' and plugin = '';
- GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' IDENTIFIED WITH auth_socket;
+ DROP PROCEDURE IF EXISTS mysql.create_user_mysql;
+ DELIMITER //
+ CREATE PROCEDURE mysql.create_user_mysql ()
+ BEGIN
+ IF NOT (EXISTS (SELECT User
+ FROM mysql.user
+ WHERE User='mysql'
+ AND Host='localhost'
+ LIMIT 1))
+ THEN GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' IDENTIFIED WITH auth_socket;
+ END IF;
+ END;
+ //
+ CALL mysql.create_user_mysql();
+ DROP PROCEDURE mysql.create_user_mysql;
UPDATE mysql.user SET grant_priv='Y',super_priv='Y' WHERE user='mysql';
DELETE FROM mysql.db WHERE user = '';
DELETE FROM mysql.user WHERE user = '';
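Review bot: the stored procedure at L775–L789 exists only to give the `GRANT` at L784 an if-not-exists guard, and nothing in the heredoc says so; a SQL comment above L775, `-- create_user_mysql: conditional GRANT for 'mysql'@'localhost'; this server has no CREATE USER IF NOT EXISTS`, would spare the next reader working that out (whether the server version is the reason is not visible on this page). Because `--batch` stops at the first error, a failure inside the `CALL` at L788 leaves the procedure defined in the `mysql` schema until the next run's `DROP PROCEDURE IF EXISTS` at L775 removes it, which is worth stating in the same comment. The enclosing function starts before this hunk.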
sudo postmap hash:/etc/postfix/$vm_domainname/virtual_alias
rule runit_configure postfix
}
-rule_postgresql_configure () {
- # DOC: http://wiki.postgresql.org/wiki/Shared_Database_Hosting
- rule apt_get_install postgresql-9.1
- rule insserv_remove postgresql
- rule adduser postgres \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/postgresql \
- --shell /bin/false \
- --system
- rule adduser postgres-data \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/postgresql/data \
- --no-create-home \
- --shell /bin/false \
- --system
- sudo usermod --home /home/postgresql postgres
- sudo adduser postgres postgres-data
- sudo rm -rf \
- /etc/postgresql
- sudo install -d -m 1751 -o postgres -g postgres-data \
- /home/postgresql \
- /home/postgresql/etc \
- /etc/postgresql \
- /etc/postgresql/9.1 \
- /etc/postgresql/9.1/main
- sudo ln -fns \
- /etc/postgresql \
- /home/postgresql/etc/postgresql
- sudo install -d -m 2770 -o postgres -g log-postgres \
- /home/postgresql/log \
- /home/postgresql/log/9.1 \
- /home/postgresql/log/9.1/main
- if sudo test ! -d /home/postgresql/data
- then
- sudo install -d -m 750 -o postgres -g postgres \
- /home/postgresql/data
- sudo -u postgres pg_createcluster \
- --datadir=/home/postgresql/data \
- --logfile=/home/postgresql/log/9.1/main/cluster.log \
- --socketdir=/run/postgresql \
- 9.1 main
- fi
-
- sudo install -m 640 -o postgres -g postgres /dev/stdin \
- /etc/postgresql/9.1/main/pg_ctl.conf <<-EOF
- pg_ctl_options = ''
- EOF
- sudo install -m 640 -o postgres -g postgres /dev/stdin \
- /etc/postgresql/9.1/main/pg_ident.conf <<-EOF
- # MAPNAME SYSTEM-USERNAME PG-USERNAME
- EOF
- sudo install -m 640 -o postgres -g postgres /dev/stdin \
- /etc/postgresql/9.1/main/start.conf <<-EOF
- EOF
- sudo install -m 640 -o postgres -g postgres /dev/stdin \
- /etc/postgresql/9.1/main/pg_hba.conf <<-EOF
- local all postgres peer
- local all all peer
- EOF
- sudo install -m 640 -o postgres -g postgres-data \
- "$tool"/etc/postgresql/9.1/main/postgresql.conf \
- /etc/postgresql/9.1/main/postgresql.conf
- rule runit_configure postgres
- while ! sudo -u postgres psql </dev/null
- do sleep 1; done
- # NOTE: supprime l'accès au schéma public depuis public,
- # de sorte à ce que les différents utilisateurices
- # ne voient pas leurs bases de données entre-elleux ;
- sudo -u postgres psql template1 -a -f - <<-EOF
- \set ON_ERROR_STOP on
- REVOKE ALL ON DATABASE template1 FROM public;
- REVOKE ALL ON SCHEMA public FROM public;
- GRANT ALL ON SCHEMA public TO postgres;
- EOF
- # NOTE: ajoute le support de PL/PGSQL s'il ne l'est pas déjà.
- sudo -u postgres psql template1 -a -f - <<-EOF
- \set ON_ERROR_STOP on
- CREATE OR REPLACE FUNCTION create_language_plpgsql()
- RETURNS BOOLEAN AS \$\$
- CREATE LANGUAGE plpgsql;
- SELECT TRUE;
- \$\$ LANGUAGE SQL;
- SELECT CASE WHEN NOT (
- SELECT TRUE AS exists
- FROM pg_language
- WHERE lanname = 'plpgsql'
- UNION
- SELECT FALSE AS exists
- ORDER BY exists DESC
- LIMIT 1
- )
- THEN
- create_language_plpgsql()
- ELSE
- FALSE
- END AS plpgsql_created;
- DROP FUNCTION create_language_plpgsql();
- EOF
- # NOTE: supprime l'accès à la liste des bases données
- # et utilisateurices depuis public.
- sudo -u postgres psql template1 -a -f - <<-EOF
- \set ON_ERROR_STOP on
- REVOKE ALL ON pg_auth_members FROM public;
- REVOKE ALL ON pg_authid FROM public;
- REVOKE ALL ON pg_database FROM public;
- REVOKE ALL ON pg_group FROM public;
- REVOKE ALL ON pg_roles FROM public;
- REVOKE ALL ON pg_settings FROM public;
- REVOKE ALL ON pg_tablespace FROM public;
- REVOKE ALL ON pg_user FROM public;
- EOF
- }
-rule_postgresql_db_add () { # SYNTAX: $db $owner
- local db="$1"
- local owner="${2:-$db}"
- sudo -u postgres psql template1 -a -f - <<-EOF
- \set ON_ERROR_STOP on
- DO LANGUAGE plpgsql \$\$
- BEGIN
- IF NOT EXISTS (
- SELECT *
- FROM pg_catalog.pg_user
- WHERE usename = '$owner'
- LIMIT 1
- ) THEN
- CREATE ROLE $owner
- LOGIN
- NOCREATEDB
- NOCREATEROLE
- NOINHERIT
- NOSUPERUSER;
- END IF;
- END;
- \$\$;
- EOF
- case $(sudo -u postgres psql template1 -t -c \
- "SELECT datname FROM pg_catalog.pg_database WHERE datname = '$db' LIMIT 1") in
- (" $db") true;;
- (*)
- sudo -u postgres psql template1 -a -f - <<-EOF
- \set ON_ERROR_STOP on
- CREATE DATABASE $db WITH OWNER=$owner;
- EOF
- ;;
- esac
- sudo -u postgres psql template1 -a -f - <<-EOF
- \set ON_ERROR_STOP on
- REVOKE ALL ON DATABASE $db FROM public;
- EOF
- sudo -u postgres psql "$db" -a -f - <<-EOF
- \set ON_ERROR_STOP on
- GRANT ALL ON SCHEMA public TO $owner WITH GRANT OPTION;
- EOF
- }
-rule_postgresql_db_user_add () { # SYNTAX: $db $user
- local db="$1" user="$2"
- sudo -u postgres psql "$db" -a -f - <<-EOF
- \set ON_ERROR_STOP on
- DO LANGUAGE plpgsql \$\$
- BEGIN
- IF NOT EXISTS (
- SELECT *
- FROM pg_catalog.pg_user
- WHERE usename = '$user'
- LIMIT 1
- ) THEN
- CREATE ROLE $user
- LOGIN
- NOCREATEDB
- NOCREATEROLE
- NOINHERIT
- NOSUPERUSER;
- END IF;
- END;
- \$\$;
- GRANT USAGE ON SCHEMA public TO $user;
- GRANT CONNECT,TEMPORARY ON DATABASE $db TO $user;
- EOF
- }
rule_postgrey_configure () {
rule apt_get_install postgrey
rule insserv_remove postgrey