2 set -e -f ${DRY_RUN:+-n} -u
5 do tool
=$
(readlink
"$tool")
11 rule_help
() { # SYNTAX: [--hidden]
12 local hidden
; [ ${1:+set} ] || hidden
=set
15 ce script regroupe des règles pour administrer la VM ($vm_fqdn)
16 _depuis_ la VM hébergée ($vm_fqdn) ;
17 il sert à la fois d'outil (aisément bidouillable)
18 et de documentation (préçise).
19 Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
20 SYNTAX: $0 \$RULE \${RULE}_SYNTAX
22 $(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
24 TRACE # affiche les commandes avant leur exécution
25 $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
29 rule_git_configure
() {
32 git config
--replace branch.master.remote .
33 git config
--replace branch.master.merge refs
/remotes
/master
35 tool
=$
(cd "$tool"; cd -)
36 sudo
ln -fns "$tool"/vm_hosted
/usr
/local
/sbin
/
37 sudo
ln -fns "$tool"/vm_hosted
/usr
/local
/sbin
/vm
43 git checkout
-f -B master remotes
/master
48 rule_apt_get_install
() { # SYNTAX: $package
49 case $
(dpkg
-s "$1" 2>/dev
/null |
grep '^Status: ') in
50 ("Status: install ok installed");;
52 test ! -x /usr
/bin
/etckeeper ||
53 ! sudo etckeeper unclean ||
54 warn
"/etc unclean: etckeeper may force you to \`etckeeper commit'; then you can run your $0 command again."
55 sudo apt-get
install "$@";;
59 rule__chrooted_configure
() { # NOTE: est-ce bien utile à un moment ?
65 rule_apt_configure
() {
66 sudo
install -m 660 -o root
-g root
/dev
/stdin
/etc
/apt
/sources.list
<<-EOF
67 deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
69 sudo
install -m 660 -o root
-g root
/dev
/stdin
/etc
/apt
/$vm_lsb_name-backports.list
<<-EOF
70 #deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
72 sudo
install -m 660 -o root
-g root
/dev
/stdin
/etc
/apt
/preferences
<<-EOF
74 Pin: release a=$vm_lsb_name
78 Pin: release a=$vm_lsb_name-backports
81 sudo
install -m 660 -o root
-g root
/dev
/stdin
/etc
/apt
/sources.list.d
/openerp.list
<<-EOF
82 deb http://nightly.openerp.com/trunk/nightly/deb/ ./
85 rule apt_get_install apticron
86 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/apticron
/apticron.conf
<<-EOF
87 EMAIL="admin@$vm_domainname"
89 # LISTCHANGES_PROFILE="apticron"
91 # SYSTEM="foobar.example.com"
93 # IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
96 # NOTIFY_NO_UPDATES="0"
98 # CUSTOM_NO_UPDATES_SUBJECT=""
99 # CUSTOM_FROM="root@$vm_fqdn"
102 rule_boot_configure
() {
103 warn
"lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
104 rule apt_get_install grub-pc
105 sudo
install -d -m 644 -o root
-g root
/boot
/grub
106 rule apt_get_install linux-image-
$vm_arch
107 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/default
/grub
<<-EOF
110 GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
111 GRUB_CMDLINE_LINUX_DEFAULT="quiet"
112 GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
113 GRUB_DISABLE_RECOVERY="true"
114 #GRUB_PRELOAD_MODULES="lvm"
116 sudo
install -m 644 -o root
-g root
/dev
/stdin
/boot
/grub
/device.map
<<-EOF
118 (hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
120 sudo update-grub2
# NOTE: prend en compte /boot/grub/device.map
121 rule initramfs_configure
123 rule_dovecot_configure
() {
124 rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
125 local hint
="run vm_remote dovecot_key_send before"
126 assert
"test -f /etc/dovecot/$vm_domainname/imap/x509/key.pem" hint
127 sudo
install -m 400 -o root
-g root \
128 "$tool"/var
/pub
/x509
/service
/imap
/crt
+crl.self-signed.pem \
129 /etc
/dovecot
/$vm_domainname/imap
/x509
/crt
+crl.self-signed.pem
130 sudo
install -d -m 770 -o root
-g adm \
133 sudo
install -d -m 1777 -o root
-g root \
134 /var
/lib
/dovecot-control \
135 /var
/lib
/dovecot-index
136 sudo
install -m 664 -o root
-g root
/dev
/stdin
/etc
/dovecot
/local.conf
<<-EOF
137 auth_ssl_username_from_cert = yes
139 log_timestamp = "%Y-%m-%d %H:%M:%S "
141 mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
142 # NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
143 # VOIR: http://wiki2.dovecot.org/Quota/FS
144 mail_plugins = \$mail_plugins quota
145 mail_privileged_group = mail
147 args = /home/%u/etc/dovecot/passwd
152 recipient_delimiter = +
153 sieve = ~/etc/mail/filter.sieve
154 sieve_dir = ~/etc/mail/sieve
155 sieve_global_dir = /var/lib/dovecot/sieve/global/
156 sieve_max_script_size = 1M
157 sieve_quota_max_scripts = 0
158 sieve_quota_max_storage = 10M
159 sieve_user_log = ~/var/log/mail/sieve.log
162 mail_plugins = \$mail_plugins imap_quota
165 auth_socket_path = /var/run/dovecot/auth-master
166 hostname = $vm_domainname
169 mail_plugins = \$mail_plugins sieve
170 postmaster_address = contact+dovecot+lda@$vm_domainname
171 syslog_facility = mail
173 protocols = imap sieve
176 unix_listener /var/spool/postfix/private/auth {
182 ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
183 ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
184 ssl_cipher_list = AES256-SHA
185 ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
186 ssl_verify_client_cert = yes
192 sudo
install -m 755 -o root
-g root
/dev
/stdin
/usr
/local
/bin
/dovecot-passwd
<<-EOF
194 # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
195 install -d -m 770 ~/etc/dovecot
196 install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
197 \$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
200 sudo
install -m 664 -o root
-g root
/dev
/stdin
/etc
/postgrey
/whitelist_recipients.
local <<-EOF
202 sudo service dovecot restart
204 rule_etckeeper_configure
() {
205 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/etckeeper
/etckeeper.conf
<<-EOF
207 GIT_COMMIT_OPTIONS=""
208 AVOID_DAILY_AUTOCOMMITS=1
209 #AVOID_SPECIAL_FILE_WARNING=1
210 AVOID_COMMIT_BEFORE_INSTALL=1
211 HIGHLEVEL_PACKAGE_MANAGER=apt
212 LOWLEVEL_PACKAGE_MANAGER=dpkg
214 sudo
install -m 644 -o root
-g root \
215 "$tool"/etc
/etckeeper
/prompt.sh \
216 /etc
/etckeeper
/prompt.sh
217 rule apt_get_install etckeeper
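#######################################
# Writes the VM's mount table, LUKS mapping table and swap tuning.
# Installs three files through `sudo install` from stdin:
#   /etc/fstab, /etc/crypttab, /etc/sysctl.d/local-swap.conf
# Globals:   vm_lvm_lv (read) - prefix of the LVM logical volumes
#            vm_lvm_vg (read) - LVM volume group holding the LUKS devices
# Arguments: none
# Outputs:   nothing on stdout; files written under /etc
# Returns:   exit status of the last `sudo install`
# NOTE(review): the script runs under `set -e -u` (top of file), so an unset
# vm_lvm_* variable aborts the rule before anything is written; with DRY_RUN
# set the whole script is only parsed (`set -n`).
#######################################
rule_filesystem_configure () {
	# Mode 644 is fine: neither file below contains key material (crypttab's
	# key-file column is `none` or the name of another mapping).
	sudo install -m 644 -o root -g root /dev/stdin /etc/fstab <<-EOF
	# <file system> <mount point> <type> <options> <dump> <pass>
	LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
	proc /proc proc defaults 0 0
	sysfs /sys sysfs defaults 0 0
	tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
	/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
	/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
	/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
	# NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
	/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
	EOF
	# Only the root volume asks for a passphrase (`none`); var, home and swap
	# reuse root's unlocked key via the decrypt_derived keyscript.
	sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF
	# <target name> <source device> <key file> <options>
	${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
	${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	EOF
	# FIX: the swappiness note used to sit at the end of the value line.
	# sysctl.conf(5) only documents whole-line comments (lines starting with
	# `#` or `;`); a trailing comment is handed to the kernel as part of the
	# value and may make the setting be rejected ("Invalid argument"), so the
	# note now lives on its own line.
	sudo install -m 644 -o root -g root /dev/stdin /etc/sysctl.d/local-swap.conf <<-EOF
	# NOTE: n'utilise le swap qu'en cas d'absolue nécessité
	vm.swappiness = 10
	vm.vfs_cache_pressure=50
	EOF
}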
244 rule_initramfs_configure
() {
245 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/initramfs-tools
/initramfs.conf
<<-EOF
252 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/modprobe.d
/xen-pv.conf
<<-EOF
254 alias scsi_hostadapter xenblk
256 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/modules
<<-EOF
262 # NOTE: pour Xen en mode HVM :
263 #modprobe xen-platform-pci
265 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/initramfs-tools
/modules
<<-EOF
267 sudo
sed -e '/^configure_networking /s/ &$//' \
268 -i /usr
/share
/initramfs-tools
/scripts
/init-premount
/dropbear
269 # NOTE: corrige une vermine : dropbear doit attendre que le réseau soit configuré..
270 ssh-keygen
-F "init.$vm_fqdn" -f "$tool"/etc
/openssh
/known_hosts |
271 ( while IFS
= read -r line
272 do case $line in (*" RSA") return 0; break;; esac
276 /etc
/initramfs-tools
/etc
/dropbear
/dropbear_rsa_host_key \
277 /etc
/initramfs-tools
/etc
/dropbear
/dropbear_rsa_host_key.pub
278 sudo dropbearkey
-t rsa
-s 4096 -f \
279 /etc
/initramfs-tools
/etc
/dropbear
/dropbear_rsa_host_key
281 # NOTE: ne se préoccupe pas de dropbear_dss_host_key ; Debian la génère et l'utilise néamoins.
282 sudo
install -d -m 640 -o root
-g root \
283 /etc
/initramfs-tools
/root \
284 /etc
/initramfs-tools
/root
/.
ssh
286 while IFS
=: read -r group x x users
287 do while test -n "$users" && IFS
=, read -r user users
<<-EOF
290 do eval local home\
; home
="~$user"
291 cat "$home"/etc
/ssh
/authorized_keys
294 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/initramfs-tools
/root
/.ssh
/authorized_keys
296 /etc
/initramfs-tools
/root
/.ssh
/id_rsa.dropbear \
297 /etc
/initramfs-tools
/root
/.ssh
/id_rsa.pub \
298 /etc
/initramfs-tools
/root
/.ssh
/id_rsa
299 # NOTE: clefs générées par Debian
300 sudo update-initramfs
-u
302 rule_locale_configure
() {
303 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/locale.gen
<<-EOF
308 rule_login_configure
() {
309 grep -q '^hvc0$' /etc
/securetty ||
310 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/securetty
<<-EOF
311 $(cat /etc/securetty)
314 grep -q '^xvc0$' /etc
/securetty ||
315 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/securetty
<<-EOF
316 $(cat /etc/securetty)
319 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/inittab
<<-EOF
320 # /etc/inittab: init(8) configuration.
322 # The default runlevel.
325 # Boot-time system configuration/initialization script.
326 # This is run first except when booting in emergency (-b) mode.
327 si::sysinit:/etc/init.d/rcS
329 # What to do in single-user mode.
330 ~~:S:wait:/sbin/sulogin
332 # /etc/init.d executes the S and K scripts upon change
335 # Runlevel 0 is halt.
336 # Runlevel 1 is single-user.
337 # Runlevels 2-5 are multi-user.
338 # Runlevel 6 is reboot.
340 l0:0:wait:/etc/init.d/rc 0
341 l1:1:wait:/etc/init.d/rc 1
342 l2:2:wait:/etc/init.d/rc 2
343 l3:3:wait:/etc/init.d/rc 3
344 l4:4:wait:/etc/init.d/rc 4
345 l5:5:wait:/etc/init.d/rc 5
346 l6:6:wait:/etc/init.d/rc 6
347 # Normally not reached, but fallthrough in case of emergency.
348 z6:6:respawn:/sbin/sulogin
350 # What to do when CTRL-ALT-DEL is pressed.
351 ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
353 # What to do when the power fails/returns.
354 pf::powerwait:/etc/init.d/powerfail start
355 pn::powerfailnow:/etc/init.d/powerfail now
356 po::powerokwait:/etc/init.d/powerfail stop
358 # Xen hypervisor console
359 hvc:2345:respawn:/sbin/getty 38400 hvc0
360 #xvc:2345:respawn:/sbin/getty 38400 xvc0
362 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/login.defs
<<-EOF
369 FTMP_FILE /var/log/btmp
371 HUSHLOGIN_FILE .hushlogin
372 ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
373 ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
374 # NOTE: met les sbin/ dans ENV_PATH ;
375 # - ça n'apporte aucune protection de ne pas les mettre ;
376 # - ça frustre de ne pas les trouver.
383 # - donne une même confiance au groupe propriétaire qu'au propriétaire ;
384 # - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
397 ENCRYPT_METHOD SHA512
399 grep -q '^session optional pam_umask.so\>' /etc
/pam.d
/common-session ||
400 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/pam.d
/common-session
<<-EOF
401 $(cat /etc/pam.d/common-session)
402 session optional pam_umask.so
405 rule_procmail_configure
() {
406 rule apt_get_install procmail
407 sudo
install -d -m 770 -o root
-g adm \
409 /etc
/skel
/var
/cache
/mail \
410 /etc
/skel
/var
/log
/mail \
412 sudo
install -m 660 -o root
-g adm \
413 "$tool"/etc
/skel
/etc
/mail
/delivery.procmailrc \
414 /etc
/skel
/etc
/mail
/delivery.procmailrc
#######################################
# Installs postgrey and (re)starts its service.
# Globals:   none read directly (package handling is delegated to the
#            apt_get_install rule)
# Arguments: none
# Returns:   exit status of `sudo service postgrey restart`
#######################################
rule_postgrey_configure () {
	local svc=postgrey
	rule apt_get_install "$svc"
	# restart (not start): works whether or not the daemon is already running,
	# so the rule can be re-run safely.
	sudo service "$svc" restart
}
420 rule_postfix_configure
() {
421 local hint
="run vm_remote postfix_key_send before"
422 assert
"test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
423 warn
"lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
424 rule apt_get_install postfix
425 sudo
install -m 640 -o root
-g root
/dev
/stdin
/etc
/postfix
/.gitignore
<<-EOF
428 sudo
install -d -m 770 -o root
-g root \
429 /etc
/postfix
/$vm_domainname/ \
430 /etc
/postfix
/$vm_domainname/smtp \
431 /etc
/postfix
/$vm_domainname/smtp
/x509 \
432 /etc
/postfix
/$vm_domainname/smtp
/x509
/ca \
433 /etc
/postfix
/$vm_domainname/smtpd \
434 /etc
/postfix
/$vm_domainname/smtpd
/x509 \
435 /etc
/postfix
/$vm_domainname/smtpd
/x509
/ca
436 sudo
install -d -m 770 -o root
-g root \
437 /etc
/postfix
/$vm_domainname/ \
438 /etc
/postfix
/$vm_domainname/smtp \
439 /etc
/postfix
/$vm_domainname/smtp
/x509 \
440 /etc
/postfix
/$vm_domainname/smtp
/x509
/ca \
441 /etc
/postfix
/$vm_domainname/smtpd \
442 /etc
/postfix
/$vm_domainname/smtpd
/x509 \
443 /etc
/postfix
/$vm_domainname/smtpd
/x509
/ca
445 ..
/crt
+crl.self-signed.pem \
446 /etc
/postfix
/$vm_domainname/smtpd
/x509
/ca
/crt.pem
447 sudo
install -m 400 -o root
-g root \
448 var
/pub
/x509
/service
/smtpd
/crt
+crl.self-signed.pem \
449 /etc
/postfix
/$vm_domainname/smtpd
/x509
/crt
+crl.self-signed.pem
450 sudo
install -m 400 -o root
-g root \
451 var
/pub
/x509
/service
/smtpd
/crt.pem \
452 /etc
/postfix
/$vm_domainname/smtpd
/x509
/crt.pem
453 sudo
install -m 400 -o root
-g root \
454 var
/pub
/x509
/service
/smtpd
/crt
+root.pem \
455 /etc
/postfix
/$vm_domainname/smtpd
/x509
/crt
+root.pem
456 sudo
install -m 400 -o root
-g root \
457 var
/pub
/x509
/service
/smtpd
/crt
+crl.self-signed.pem \
458 /etc
/postfix
/$vm_domainname/smtpd
/x509
/crt
+crl.self-signed.pem
459 sudo
install -m 660 -o root
-g root \
460 etc
/postfix
/$vm_domainname/header_checks \
461 /etc
/postfix
/$vm_domainname/header_checks
462 sudo
install -m 664 -o root
-g root \
463 etc
/postfix
/aliases \
465 sudo newaliases
-oA/etc
/postfix
/aliases
466 cat /dev
/stdin etc
/postfix
/main.cf
<<-EOF |
467 mydomain = $vm_domainname
468 myorigin = \$mydomain
469 myhostname = $vm_hostname.\$mydomain
470 mail_name = \$myhostname
471 mydestination = $vm_hostname \$myhostname \$myorigin
473 sudo
install -m 664 -o root
-g root
/dev
/stdin \
475 sudo
install -m 664 -o root
-g root \
476 etc
/postfix
/master.cf \
477 /etc
/postfix
/master.cf
478 sudo
install -m 660 -o root
-g root \
479 etc
/postfix
/$vm_domainname/smtp
/x509
/policy \
480 /etc
/postfix
/$vm_domainname/smtp
/x509
/policy
481 sudo postmap
hash:/etc
/postfix
/$vm_domainname/smtp
/x509
/policy
482 sudo
install -m 660 -o root
-g root \
483 etc
/postfix
/$vm_domainname/smtp
/header_checks \
484 /etc
/postfix
/$vm_domainname/smtp
/header_checks
485 sudo
install -m 660 -o root
-g root \
486 etc
/postfix
/$vm_domainname/smtpd
/sender_access \
487 /etc
/postfix
/$vm_domainname/smtpd
/sender_access
488 sudo postmap
hash:/etc
/postfix
/$vm_domainname/smtpd
/sender_access
489 sudo
install -m 660 -o root
-g root \
490 etc
/postfix
/$vm_domainname/smtpd
/client_blacklist \
491 /etc
/postfix
/$vm_domainname/smtpd
/client_blacklist
492 sudo postmap
hash:/etc
/postfix
/$vm_domainname/smtpd
/client_blacklist
493 sudo
install -m 660 -o root
-g root \
494 etc
/postfix
/$vm_domainname/smtpd
/relay_clientcerts \
495 /etc
/postfix
/$vm_domainname/smtpd
/relay_clientcerts
496 sudo postmap
hash:/etc
/postfix
/$vm_domainname/smtpd
/relay_clientcerts
497 sudo
install -m 660 -o root
-g root \
498 etc
/postfix
/$vm_domainname/transport \
499 /etc
/postfix
/$vm_domainname/transport
500 sudo postmap
hash:/etc
/postfix
/$vm_domainname/transport
501 sudo
install -m 660 -o root
-g root \
502 etc
/postfix
/$vm_domainname/virtual_alias \
503 /etc
/postfix
/$vm_domainname/virtual_alias
504 sudo postmap
hash:/etc
/postfix
/$vm_domainname/virtual_alias
505 sudo service postfix restart
#######################################
# Configures the whole mail stack by chaining the per-service rules.
# The order (postfix, postgrey, procmail, dovecot) is kept as written by the
# author; dovecot's local.conf declares a listener under
# /var/spool/postfix/private, so it plausibly relies on postfix being set up
# first — verify before reordering.
# Globals:   none
# Arguments: none
# Returns:   exit status of the last rule run
#######################################
rule_mail_configure () {
	local service
	for service in postfix postgrey procmail dovecot; do
		rule "${service}_configure"
	done
}
513 rule_network_configure
() {
514 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/hostname
<<-EOF
517 grep -q " $vm\$" /etc
/hosts ||
518 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/hosts
<<-EOF
520 127.0.0.1 $vm_fqdn $vm
522 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/network
/interfaces
<<-EOF
524 iface lo inet loopback
527 iface grenode inet static
529 gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
532 netmask 255.255.255.255
534 # NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
535 # car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
537 # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
538 # PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
539 # 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
541 # --- soupirail.grenode.net ping statistics ---
542 # 1 packets transmitted, 1 received, 0% packet loss, time 0ms
543 # rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
544 # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
545 # PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
546 # From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
548 # --- soupirail.grenode.net ping statistics ---
549 # 0 packets transmitted, 0 received, +1 errors
550 post-up ip address add $vm_ipv4/32 dev \$IFACE
551 pre-down ip address delete $vm_ipv4/32 dev \$IFACE
554 rule_ssh_configure
() {
555 ssh-keygen
-F "$vm_fqdn" -f "$tool"/etc
/openssh
/known_hosts |
556 ( while IFS
= read -r line
557 do case $line in (*" RSA") return 0; break;; esac
559 sudo ssh-keygen
-t rsa
-b 4096 -N '' -f /etc
/ssh
/ssh_host_rsa_key
561 /etc
/ssh
/ssh_host_dsa_key \
562 /etc
/ssh
/ssh_host_dsa_key.pub \
563 /etc
/ssh
/ssh_host_ecdsa_key \
564 /etc
/ssh
/ssh_host_ecdsa_key.pub
565 # NOTE: clefs générées par Debian
566 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/ssh
/sshd_config
<<-EOF
568 ListenAddress $vm_ipv4
572 HostKey /etc/ssh/ssh_host_rsa_key
573 UsePrivilegeSeparation yes
574 KeyRegenerationInterval 3600
581 RSAAuthentication yes
582 PubkeyAuthentication yes
583 AuthorizedKeysFile %h/etc/ssh/authorized_keys
585 RhostsRSAAuthentication no
586 HostbasedAuthentication no
587 IgnoreUserKnownHosts no
588 PermitEmptyPasswords no
589 ChallengeResponseAuthentication no
590 PasswordAuthentication no
591 KerberosAuthentication no
592 GSSAPIAuthentication no
599 ClientAliveInterval 0
601 Subsystem sftp /usr/lib/openssh/sftp-server
604 sudo service
ssh restart
606 rule_user_admin_add
() { # SYNTAX: $user
608 id
"$user" >/dev
/null ||
609 sudo adduser
--disabled-password "$user"
610 # NOTE: le mot-de-passe doit être initialisé par l'utilisateur à l'aide de passwd-init .
611 eval local home\
; home
="~$user"
612 sudo adduser
"$user" sudo
613 sudo
install -m 640 -o root
-g root \
614 "$tool"/var
/pub
/ssh
/"$user".key \
615 "$home"/etc
/ssh
/authorized_keys
616 local key
; local -; set +f
617 for key
in "$tool"/var
/pub
/openpgp
/*.key
618 do sudo
-u "$user" gpg
--import "$key"
620 rule user_admin_configure
#######################################
# Re-runs the rules that depend on the set of admin accounts.
# Both initramfs_configure and user_root_configure read each listed user's
# ~/etc/ssh/authorized_keys, so they are replayed after an admin account
# changes; user_admin_add calls this rule as its last step.
# Globals:   none
# Arguments: none
# Returns:   exit status of the last rule run
#######################################
rule_user_admin_configure () {
	local step
	for step in initramfs_configure user_root_configure; do
		rule "$step"
	done
}
626 rule_user_configure
() {
627 sudo
install -d -m 750 -o root
-g adm \
630 sudo
install -d -m 770 -o root
-g adm \
631 /etc
/skel
/etc
/apache2 \
634 /etc
/skel
/var
/cache \
635 /etc
/skel
/var
/cache
/ssh
636 sudo
ln -fns etc
/ssh /etc
/skel
/.
ssh
637 sudo
ln -fns etc
/gpg
/etc
/skel
/.gnupg
638 sudo
install -m 640 -o root
-g root
/dev
/stdin
/etc
/sudoers.d
/passwd-init
<<-EOF
639 %sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
640 case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
641 ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
643 sudo
install -m 640 -o root
-g root
/dev
/stdin
/etc
/sudoers.d
/etckeeper-unclean
<<-EOF
644 %sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
646 sudo
install -m 640 -o root
-g root
/dev
/stdin
/etc
/sudoers.d
/env_keep
<<-EOF
647 Defaults env_keep = " \\
651 GIT_COMMITTER_NAME \\
652 GIT_COMMITTER_EMAIL \\
655 sudo
install -m 755 -o root
-g root
/dev
/stdin
/usr
/local
/bin
/passwd-init
<<-EOF
657 # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
658 sudo /bin/sh -e -f -u -c \
659 'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
661 sudo
install -m 644 -o root
-g root \
664 sudo
install -m 644 -o root
-g root \
668 rule_user_root_configure
() {
669 sudo
install -d -m 750 -o root
-g adm \
673 sudo
ln -fns etc
/gpg
/root
/.gnupg
674 sudo
ln -fns etc
/ssh /root
/.
ssh
676 while IFS
=: read -r group x x users
677 do while test -n "$users" && IFS
=, read -r user users
<<-EOF
680 do eval local home\
; home
="~$user"
681 cat "$home"/etc
/ssh
/authorized_keys
684 sudo
install -m 640 -o root
-g root
/dev
/stdin
/root
/etc
/ssh
/authorized_keys
685 local key
; local -; set +f
686 for key
in "$tool"/var
/pub
/openpgp
/*.key
687 do sudo gpg
--import "$key"
693 rule etckeeper_configure
694 rule locale_configure
695 rule network_configure
696 rule filesystem_configure
699 rule user_root_configure
704 rule_luks_key_change
() {
705 sudo cryptsetup luksChangeKey
/dev
/$vm_lvm_vg/${vm_lvm_lv}_root
713 assert
'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn