#!/bin/sh
set -e -f ${DRY_RUN:+-n} -u
tool=${0%/*}
-. "$tool"/functions.sh
-. "$tool"/vm.sh
-test "$(hostname --fqdn)" = "$vm_fqdn"
+. "$tool"/lib/functions.sh
+. "$tool"/etc/vm.sh
rule_help () {
cat >&2 <<-EOF
GIT_COMMIT_OPTIONS=""
AVOID_DAILY_AUTOCOMMITS=1
#AVOID_SPECIAL_FILE_WARNING=1
- #AVOID_COMMIT_BEFORE_INSTALL=1
+ AVOID_COMMIT_BEFORE_INSTALL=1
HIGHLEVEL_PACKAGE_MANAGER=apt
LOWLEVEL_PACKAGE_MANAGER=dpkg
EOF
network $vm_ipv4
broadcast $vm_ipv4
netmask 255.255.255.255
- mtu 1300 # TODO: voir si c'est nécessaire à Lyon
+ #mtu 1300
post-up ip address add $vm_ipv4/32 dev \$IFACE
pre-down ip address delete $vm_ipv4/32 dev \$IFACE
EOF
deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
EOF
mk_reg mod= own= /etc/apt/sources.list.d/$vm_lsb_name-backports.list <<-EOF
- deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
+ #deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
EOF
mk_reg mod= own= /etc/apt/preferences <<-EOF
Package: *
HUSHLOGIN_FILE .hushlogin
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- # NOTE: met les sbin/ dans ENV_PATH ;
- # - ça n'apporte aucune protection de ne pas les mettre ;
- # - ça frustre de ne pas les trouver.
+ # NOTE: met les sbin/ dans ENV_PATH ;
+ # - ça n'apporte aucune protection de ne pas les mettre ;
+ # - ça frustre de ne pas les trouver.
TTYGROUP tty
TTYPERM 0600
ERASECHAR 0177
KILLCHAR 025
- # NOTE: rwxrwx--- ;
- # - donne une même confiance au groupe propriétaire qu'au propriétaire ;
- # - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
UMASK 007
+ # NOTE: rwxrwx--- ;
+ # - donne une même confiance au groupe propriétaire qu'au propriétaire ;
+ # - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
mk_lnk etc/gpg /root/.gnupg
mk_lnk etc/ssh /root/.ssh
getent group sudo |
- while IFS=: read -r group x x users
- do while IFS=, read -r user
- do eval local home\; home="~$user"
- cat "$home"/etc/ssh/authorized_keys
- done <<-EOF
+ while test -n "$users" && IFS=: read -r group x x users
+ do while IFS=, read -r user users <<-EOF
$users
EOF
+ do eval local home\; home="~$user"
+ cat "$home"/etc/ssh/authorized_keys
+ done
done |
mk_reg mod=640 own=root:root /root/etc/ssh/authorized_keys
- sudo find "$tool"/key -type f -name '*.gpg.pub' -exec gpg --import {} \;
+ sudo find "$tool"/var/pub/openpgp -type f -name '*.key' -exec gpg --import {} \;
}
rule__initramfs_init () {
mk_reg mod=644 own=root:root /etc/initramfs-tools/initramfs.conf <<-EOF
/etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key.pub \
/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
- #mk_reg mod=640 own=root:root </dev/null \
- # /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key \
- # /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key.pub
- ssh-keygen -F "init.$vm_fqdn" -f "$tool"/key/ssh.known_hosts |
+ ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
( while IFS= read -r line
do case $line in (*" RSA") return 0; break;; esac
done; return 1 ) ||
sudo dropbearkey -t rsa -s 4096 -f \
/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
- ssh-keygen -F "init.$vm_fqdn" -f "$tool"/key/ssh.known_hosts |
+ ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
( while IFS= read -r line
do case $line in (*" DSA") return 0; break;; esac
done; return 1 ) ||
/etc/initramfs-tools/root/.ssh
getent group sudo |
while IFS=: read -r group x x users
- do while IFS=, read -r user
- do eval local home\; home="~$user"
- cat "$home"/etc/ssh/authorized_keys
- done <<-EOF
+ do while test -n "$users" && IFS=, read -r user users <<-EOF
$users
EOF
+ do eval local home\; home="~$user"
+ cat "$home"/etc/ssh/authorized_keys
+ done
done |
mk_reg mod=644 own=root:root /etc/initramfs-tools/root/.ssh/authorized_keys
sudo rm -f \
sudo update-grub2 # NOTE: prend en compte /boot/grub/device.map
rule__initramfs_init
}
+rule_apticron_init () {
+ sudo apt-get install --reinstall apticron
+ mk_reg mod=644 own=root:root /etc/default/grub <<-EOF
+ EMAIL="admin@heureux-cyclage.org"
+ # DIFF_ONLY="1"
+ # LISTCHANGES_PROFILE="apticron"
+ # ALL_FQDNS="1"
+ # SYSTEM="foobar.example.com"
+ # IPADDRESSNUM="1"
+ # IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
+ # NOTIFY_HOLDS="0"
+ # NOTIFY_NEW="0"
+ # NOTIFY_NO_UPDATES="0"
+ # CUSTOM_SUBJECT=""
+ # CUSTOM_NO_UPDATES_SUBJECT=""
+ # CUSTOM_FROM="root@ateliers.heureux-cyclage.org"
+ EOF
+ sudo service apticron restart
+ }
rule__bin_init () {
mk_lnk "$tool"/vm_hosted /usr/local/sbin/
}
mk_dir mod=700 own="root:adm" /etc/skel/tmp
mk_lnk etc/ssh /etc/skel/.ssh
mk_lnk etc/gpg /etc/skel/.gnupg
- ssh-keygen -F "$vm_fqdn" -f "$tool"/key/ssh.known_hosts |
+ ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
( while IFS= read -r line
do case $line in (*" RSA") return 0; break;; esac
done; return 1 ) ||
# NOTE: le mot-de-passe doit être initialisé par l'utilisateur à l'aide de passwd-init .
eval local home\; home="~$user"
sudo adduser "$user" sudo
- ssh_key_add user=$user "$tool"/key/"$user".ssh.pub "$home"/etc/ssh/authorized_keys
+ mk_reg mod=640 own=$user:$user "$home"/etc/ssh/authorized_keys \
+ <"$tool"/var/pub/ssh/"$user".key
rule__initramfs_init
rule__user_root_init
- sudo gpg --import "$tool"/key/"$user".gpg.pub
+ sudo -u "$user" find "$tool"/var/pub/openpgp \
+ -type f -name '*.key' -exec gpg --import {} \;
}
rule_user_mail_format () {
mk_dir mod=770 own=root:adm /etc/skel/etc/procmail
rule=${1:-help}
${1+shift}
-set "${TRACE:+-x}"
+case $rule in
+ (help);;
+ (*)
+ test "$(hostname --fqdn)" = "$vm_fqdn"
+ ${TRACE:+set -x}
+ ;;
+ esac
rule_$rule "$@"