/run/php5 \
/run/php5/fpm \
/run/shm/cache/php5 \
- /run/shm/cache/php5/fpm
+ /run/shm/cache/php5/fpm \
+ /run/shm/tmp/php5
! getent passwd gitweb >/dev/null ||
sudo install -d -m 770 -o gitweb -g gitweb \
-# DOC: http://wiki.nginx.org/HttpFastcgiModule
+## DOC: http://wiki.nginx.org/HttpFastcgiModule
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param HTTPS $https;
fastcgi_param PATH_INFO $fastcgi_script_name;
#fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param REMOTE_USER $remote_user;
fastcgi_param REQUEST_URI $request_uri;
-fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+#fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_NAME $server_name;
fastcgi_read_timeout 180;
fastcgi_send_timeout 180;
fastcgi_temp_file_write_size 256k;
+fastcgi_param REDIRECT_STATUS 200;
+ # NOTE: PHP only, required if PHP was built with --enable-force-cgi-redirect
+# DOC: http://blog.martinfjordvald.com/2010/07/nginx-primer/
+daemon on;
events {
multi_accept on;
use epoll;
log_format main
'$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for" nocache:$no_cache';
+ '"$http_user_agent" "$http_x_forwarded_for" nocache:$no_cache document_root:$document_root'
+ ' fastcgi_script_name:$fastcgi_script_name'
+ ' request_filename:$request_filename';
access_log /var/log/nginx/access.log main buffer=32k;
client_body_buffer_size 4K;
# NOTE: % getconf PAGESIZE
keys_zone=microcache:10m
inactive=5m
max_size=64m;
+ fastcgi_cache microcache;
gzip on;
gzip_buffers 16 8k;
gzip_comp_level 6;
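Review bot: `fastcgi_cache microcache;` at http level (L53) is inherited by every `fastcgi_pass` location that does not override it, including the git-http-backend location in the new lhc-git site.conf (L171-180), which passes `REMOTE_USER` but sets neither `fastcgi_no_cache` nor `fastcgi_cache_bypass`, so a cache key that does not include the user could hand one user's `info/refs` response to another. git-http-backend sends no-cache headers on its dynamic responses and nginx honours them unless `fastcgi_ignore_headers` is set in that location, so this is probably safe today, but it depends on the backend rather than the configuration. Enabling the cache only where the bypass logic lives (`fastcgi_cache microcache;` inside `@gitweb` and the `.php` location) or adding `fastcgi_cache off;` in the git location makes the intent explicit.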
+++ /dev/null
-listen 443;
--- /dev/null
+listen 443;
+include /etc/nginx/conf.d/ssl.conf;
+ssl_certificate /etc/nginx/x509.d/lhc-git-tls/crt.pem;
+ssl_certificate_key /etc/nginx/x509.d/lhc-git-tls/key.pem;
+++ /dev/null
-include /etc/nginx/conf.d/ssl.conf;
-include /etc/nginx/site.d/lhc-git-tls/server.conf;
--- /dev/null
+../lhc-git/site.conf
\ No newline at end of file
-sudo adduser php5-gitweb www-"$site"
+sudo adduser php5-lhc-git www-"$site"
+sudo adduser php5-lhc-git git-data
+sudo adduser www-data git-data
sudo adduser www-"$site"-tls www-"$site"
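Review bot: `sudo adduser www-data git-data` (L73) and `sudo adduser php5-lhc-git git-data` (L72) put the nginx workers and the gitweb pool into the group that owns `/home/git/pub` with group write (`-m 3771 -o git-data -g git-data` at L505-506), while serving repository objects (L167-170) and running gitweb only need read. If the repositories inherit group write, as the setgid directory suggests is intended, a compromise of either process can modify every repository. A separate read-only group, or `o+rx` on the static-serving path without group membership, keeps write confined to the `git` account.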
+++ /dev/null
-listen 80;
--- /dev/null
+listen 80;
+++ /dev/null
-client_body_buffer_size 8k;
-client_max_body_size 10m;
-location / {
- index index.html index.htm index.php;
- root /usr/share/gitweb;
- }
-location ~* ^.+.(css|gif|html|ico|jpeg|js|jpg|png|txt|xml)$ {
- access_log off;
- expires 30d;
- log_not_found off;
- }
-location ~ /\. {
- access_log off;
- deny all;
- log_not_found off;
- }
-location ~ ^.*\.git/objects/([0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx)) {
- # NOTE: static repo files for cloning over HTTP
- root /home/git/pub;
- }
-location ~ ^.*\.git/(HEAD|info/refs|objects/info/.*|git-(upload|receive)-pack)$ {
- # NOTE: requests that need to go to git-http-backend
- root /home/git/pub;
- fastcgi_param GIT_HTTP_EXPORT_ALL "";
- fastcgi_param GIT_PROJECT_ROOT /home/git/pub/git;
- fastcgi_param PATH_INFO $uri;
- fastcgi_param REMOTE_USER $remote_user;
- fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
- }
-location @gitweb {
- include /etc/nginx/conf.d/fastcgi.conf;
- set $no_cache "";
- if ($request_method !~ ^(GET|HEAD)$) {
- # NOTE: if non GET/HEAD, don't cache and mark user as uncacheable for 1 second via cookie.
- set $no_cache "1";
- }
- if ($no_cache = "1") {
- # NOTE: drop no cache cookie if need be (for some reason, add_header fails if included in prior if-block).
- add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/";
- add_header X-Microcachable "0";
- }
- if ($http_cookie ~* "_mcnc") {
- # NOTE: bypass cache if no-cache cookie is set.
- set $no_cache "1";
- }
- fastcgi_cache_bypass $no_cache;
- fastcgi_cache_use_stale updating;
- fastcgi_cache_valid 200 10s;
- fastcgi_cache_valid 404 30m;
- fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
- fastcgi_max_temp_file_size 2M;
- fastcgi_no_cache $no_cache;
- fastcgi_param GITWEB_CONFIG /etc/gitweb/gitweb.conf;
- fastcgi_param PATH_INFO $uri;
- fastcgi_param SCRIPT_FILENAME /usr/share/gitweb/gitweb.cgi;
-
- fastcgi_pass_header Cookie;
- fastcgi_pass_header Set-Cookie;
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
-
- fastcgi_pass unix:/run/php5/fpm/gitweb;
- }
-ssl_session_timeout 5m;
-try_files $uri @gitweb;
- # NOTE: send anything else to gitweb if it's not a real file
-server_name git.heureux-cyclage.org
-
-# vim: ft=sh
--- /dev/null
+server_name git.heureux-cyclage.org;
+
+client_body_buffer_size 8k;
+client_max_body_size 10m;
+location / {
+ index index.html index.htm index.php;
+ root /usr/share/gitweb;
+ }
+location ~* ^.+.(css|gif|html|ico|jpeg|js|jpg|png|txt|xml)$ {
+ access_log off;
+ expires 30d;
+ log_not_found off;
+ }
+location ~ /\. {
+ access_log off;
+ deny all;
+ log_not_found off;
+ }
+location ~ ^.*\.git/objects/([0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx)) {
+ # NOTE: static repo files for cloning over HTTP
+ root /home/git/pub;
+ }
+location ~ ^.*\.git/(HEAD|info/refs|objects/info/.*|git-(upload|receive)-pack)$ {
+ # NOTE: requests that need to go to git-http-backend
+ root /home/git/pub;
+ include /etc/nginx/conf.d/fastcgi.conf;
+ fastcgi_param GIT_HTTP_EXPORT_ALL "";
+ fastcgi_param GIT_PROJECT_ROOT /home/git/pub/git;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param REMOTE_USER $remote_user;
+ fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
+ }
+location @gitweb {
+ include /etc/nginx/conf.d/fastcgi.conf;
+ set $no_cache "0";
+ if ($request_method !~ ^(GET|HEAD)$) {
+ # NOTE: if non GET/HEAD, don't cache and mark user as uncacheable for 1 second via cookie.
+ set $no_cache "1";
+ }
+ if ($no_cache = "1") {
+ # NOTE: drop no cache cookie if need be (for some reason, add_header fails if included in prior if-block).
+ add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/";
+ add_header X-Microcachable "0";
+ }
+ if ($http_cookie ~* "_mcnc") {
+ # NOTE: bypass cache if no-cache cookie is set.
+ set $no_cache "1";
+ }
+ fastcgi_cache_bypass $no_cache;
+ fastcgi_cache_use_stale updating;
+ fastcgi_cache_valid 200 10s;
+ fastcgi_cache_valid 404 30m;
+ fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
+ fastcgi_max_temp_file_size 2M;
+ fastcgi_no_cache $no_cache;
+ fastcgi_param GITWEB_CONFIG /etc/gitweb/gitweb.conf;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param SCRIPT_FILENAME /usr/share/gitweb/gitweb.cgi;
+
+ fastcgi_pass_header Cookie;
+ fastcgi_pass_header Set-Cookie;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ fastcgi_pass unix:/run/php5/fpm/gitweb;
+ }
+ssl_session_timeout 5m;
+try_files $uri @gitweb;
+ # NOTE: send anything else to gitweb if it's not a real file
+
+# vim: ft=sh
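Review bot: Listing `Set-Cookie` in `fastcgi_ignore_headers` (L201) while also passing it (`fastcgi_pass_header Set-Cookie`, L209) lets a GET response that starts a session be cached for 10 s together with its Set-Cookie header and replayed to every other client hitting the same key, so those clients share one session. The `_mcnc` bypass only fires for non-GET/HEAD requests (L184) or for clients already carrying the cookie (L193), so the first session-creating GET is not covered. Either drop `Set-Cookie` from `fastcgi_ignore_headers` so such responses bypass the cache, or add `fastcgi_hide_header Set-Cookie;` in the cached location; the same applies to `location ~ \.php$` in the lhc-www site.conf (L338 and L342).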
#!/bin/sh
set -e -f -u -x
-sudo rmdir ~www-data/"$site" || true
-sudo ln -fns "${site%-tls}" ~www-data/"$site"
local hint="run vm_remote nginx_key_send before"
assert "sudo test -f /etc/nginx/x509.d/\"$site\"/key.pem" hint
sudo install -m 664 -o www -g www \
"$tool"/var/pub/x509/www.heureux-cyclage.org/crt+ca.pem \
/etc/nginx/x509.d/"$site"/crt.pem
+
+sudo rmdir ~www-data/"$site" || true
+sudo ln -fns "${site%-tls}" ~www-data/"$site"
+
+++ /dev/null
-listen 443;
--- /dev/null
+listen 443;
+include /etc/nginx/conf.d/ssl.conf;
+ssl_certificate /etc/nginx/x509.d/lhc-www-tls/crt.pem;
+ssl_certificate_key /etc/nginx/x509.d/lhc-www-tls/key.pem;
+++ /dev/null
-include /etc/nginx/conf.d/ssl.conf;
-include /etc/nginx/site.d/lhc-www-tls/server.conf;
--- /dev/null
+../lhc-www/site.conf
\ No newline at end of file
+sudo adduser php5-lhc-www www-"$site"
sudo adduser www-"$site"-tls www-"$site"
+++ /dev/null
-listen 80;
--- /dev/null
+listen 80;
+++ /dev/null
-client_body_buffer_size 8k;
-client_max_body_size 10m;
-location / {
- index index.html index.htm index.php;
- }
-location ~* ^.+.(css|gif|html|ico|jpeg|js|jpg|png|txt|xml)$ {
- access_log off;
- expires 30d;
- log_not_found off;
- }
-location ~ /\. {
- access_log off;
- deny all;
- log_not_found off;
- }
-location ~ \.php$ {
- include /etc/nginx/conf.d/fastcgi.conf;
- set $no_cache "";
- if ($request_method !~ ^(GET|HEAD)$) {
- # NOTE: if non GET/HEAD, don't cache and mark user as uncacheable for 1 second via cookie.
- set $no_cache "1";
- }
- if ($no_cache = "1") {
- # NOTE: drop no cache cookie if need be (for some reason, add_header fails if included in prior if-block).
- add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/";
- add_header X-Microcachable "0";
- }
- if ($http_cookie ~* "_mcnc") {
- # NOTE: bypass cache if no-cache cookie is set
- set $no_cache "1";
- }
- fastcgi_cache_bypass $no_cache;
- fastcgi_cache_use_stale updating;
- fastcgi_cache_valid 200 10s;
- fastcgi_cache_valid 404 30m;
- fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
- fastcgi_max_temp_file_size 2M;
- fastcgi_no_cache $no_cache;
- fastcgi_pass_header Cookie;
- fastcgi_pass_header Set-Cookie;
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
-
- fastcgi_pass unix:/run/php5/fpm/lhc-www;
- }
-server_name www.heureux-cyclage.org heureux-cyclage.org;
-
-# vim: ft=sh
--- /dev/null
+server_name www.heureux-cyclage.org heureux-cyclage.org;
+
+client_body_buffer_size 8k;
+client_max_body_size 10m;
+location / {
+ root /home/www/pub/lhc-www;
+ index index.html index.htm index.php;
+ }
+location ~* ^.+.(css|gif|html|ico|jpeg|js|jpg|png|txt|xml)$ {
+ access_log off;
+ expires 30d;
+ log_not_found off;
+ }
+location ~ /\. {
+ access_log off;
+ deny all;
+ log_not_found off;
+ }
+location ~ \.php$ {
+ include /etc/nginx/conf.d/fastcgi.conf;
+ set $no_cache "0";
+ if ($request_method !~ ^(GET|HEAD)$) {
+ # NOTE: if non GET/HEAD, don't cache and mark user as uncacheable for 1 second via cookie.
+ set $no_cache "1";
+ }
+ if ($no_cache = "1") {
+ # NOTE: drop no cache cookie if need be (for some reason, add_header fails if included in prior if-block).
+ add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/";
+ add_header X-Microcachable "0";
+ }
+ if ($http_cookie ~* "_mcnc") {
+ # NOTE: bypass cache if no-cache cookie is set
+ set $no_cache "1";
+ }
+ fastcgi_cache_bypass $no_cache;
+ fastcgi_cache_use_stale updating;
+ fastcgi_cache_valid 200 10s;
+ fastcgi_cache_valid 404 10m;
+ fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
+ fastcgi_max_temp_file_size 2M;
+ fastcgi_no_cache $no_cache;
+ fastcgi_pass_header Cookie;
+ fastcgi_pass_header Set-Cookie;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ fastcgi_pass unix:/run/php5/fpm/lhc-www;
+ }
+
+# vim: ft=sh
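Review bot: `location ~ \.php$` (L318) hands `$request_filename` (SCRIPT_FILENAME from the included fastcgi.conf, L26) to php-fpm without checking that the file exists; with `cgi.fix_pathinfo` at its default of 1, a URI that ends in `.php` but names a non-existent path makes PHP fall back to an earlier path component and execute that instead — the well-known nginx/PHP path-info issue — unless the pool's `security.limit_extensions` (default `.php` since PHP 5.3.9) is in effect. Adding `try_files $uri =404;` as the first directive of the location closes it regardless of the PHP-side setting. Separately, `fastcgi_split_path_info` (L343) computes `$fastcgi_path_info`, but the included fastcgi.conf sets `PATH_INFO $fastcgi_script_name` (L18), so the split result is never passed to PHP.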
apc.localcache = 1
apc.localcache.size = 256
apc.max_file_size = 1M
-apc.mmap_file_mask = /tmp/apc.XXXXXX
+apc.mmap_file_mask = /run/shm/tmp/php5/apc.XXXXXX
apc.num_files_hint = 512
apc.optimization = 0
apc.report_autofilter = 0
#!/bin/sh -efux
user=git-daemon
-install -d -m 770 -o log."$user" -g log."$user" /home/git/log/git-daemon/
-exec chpst -u log."$user" svlogd -tt /home/git/log/git-daemon/
+cd /home/git/log/git-daemon/
+exec chpst -u log-"$user":log-"$user" \
+ /usr/bin/svlogd -tt /home/git/log/git-daemon/
exec /usr/bin/chpst \
-u git-daemon:git-daemon \
/usr/bin/git daemon \
- --base-path=/home/git/pub/git \
- --interpolated-path=/home/git/srv/git/%H%D \
+ --base-path=/home/git/pub \
+ --interpolated-path=/home/git/srv/%H%D \
--reuseaddr \
- --syslog \
--user-path=pub/git \
--verbose \
-- \
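Review bot: Dropping `--syslog` (L372) moves the `--verbose` output to stderr, and nothing in this hunk redirects it; unless the run script has `exec 2>&1` before this `exec` (not visible here), the daemon's connection log no longer reaches the log service set up at L357-363, which reads the service's stdout. Adding `exec 2>&1` ahead of `exec /usr/bin/chpst` keeps the access trail. The chpst invocation begins before the hunk, so the redirect may already exist there.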
+++ /dev/null
-#!/bin/sh -efux
+++ /dev/null
-#!/bin/sh -efux
-install -d -m 770 -o log.www -g log.www ~www/log/nginx/
-exec chpst -u log.www svlogd -tt ~www/log/nginx/
+++ /dev/null
-#!/bin/sh -efux
-exec 2>&1
-exec /usr/sbin/nginx
# cependant l'usage de suexec impose des forks il semble..
# et mod_proxy_fcgi n'apparaît que dans apache 2.4 ;
# donc pour l'instant : apache2-mpm-itk
+ sudo rm -rf \
+ /etc/apache2/site.d
+ sudo install -d -m 770 -o www -g www \
+ /etc/apache2 \
+ /etc/apache2/site.d \
+ /etc/apache2/x509.d
cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF |
ServerName "$vm_fqdn"
EOF
sudo install -d -m 770 -o www-"$site" -g www-"$site" \
/etc/apache2 \
/etc/apache2/site.d/"$site" \
- /etc/apache2/site.d/"$site"/x509 \
- /etc/apache2/site.d/"$site"/x509/ca \
- /etc/apache2/site.d/"$site"/x509/empty \
- /etc/apache2/site.d/"$site"/x509/rvk \
- /etc/apache2/site.d/"$site"/x509/usr
+ /etc/apache2/x509.d/"$site" \
+ /etc/apache2/x509.d/"$site"/ca \
+ /etc/apache2/x509.d/"$site"/empty \
+ /etc/apache2/x509.d/"$site"/rvk \
+ /etc/apache2/x509.d/"$site"/usr
sudo install -m 664 -o www -g www \
- "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
- /etc/apache2/site.d/"$site"/x509/crt.self-signed.pem
+ "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
+ /etc/apache2/x509.d/"$site"/crt.self-signed.pem
#sudo install -m 664 -o www-"$site" -g www-"$site" \
# "$tool"/var/pub/x509/"$site"/rvk.pem \
- # /etc/apache2/site.d/"$site"/x509/rvk.pem
+ # /etc/apache2/x509.d/"$site"/rvk.pem
sudo install -m 664 -o www -g www \
"$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \
- /etc/apache2/site.d/"$site"/x509/ca/crt.pem
+ /etc/apache2/x509.d/"$site"/ca/crt.pem
sudo install -m 664 -o www -g www \
- "$tool"/var/pub/x509/"$site"/crt.pem \
- /etc/apache2/site.d/"$site"/x509/crt.pem
+ "$tool"/var/pub/x509/"$site"/crt.pem \
+ /etc/apache2/x509.d/"$site"/crt.pem
;;
esac
case $site in
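Review bot: `sudo install -d -m 770 -o www -g www /etc/apache2 ...` (L391-394) and then `-o www-"$site" -g www-"$site"` on `/etc/apache2` again (L398-399) hand ownership of Apache's whole configuration directory to unprivileged service accounts — GNU `install -d` applies mode and owner to a directory that already exists — so whichever site is processed last owns `/etc/apache2` and can edit configuration that Apache reads as root. The per-site `/etc/apache2/x509.d/"$site"` directory (L406) is likewise owned by `www-$site`, and since a directory owner can unlink or rename entries regardless of their owner, the `key.pem` later installed there as root:root 400 (L677-679) can be replaced even though it cannot be read. Keep `/etc/apache2` and `x509.d` root-owned, e.g. `sudo install -d -m 750 -o root -g www-"$site"`, and give the service account group read only.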
ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60"
#ErrorLog "/dev/null"
LogLevel Warn
- SSLCACertificateFile /etc/apache2/site.d/$site/x509/crt.self-signed.pem
- SSLCACertificatePath /etc/apache2/site.d/$site/x509/usr/
- #SSLCARevocationFile /etc/apache2/site.d/$site/x509/rvk.pem
- SSLCADNRequestFile /etc/apache2/site.d/$site/x509/crt.self-signed.pem
- SSLCADNRequestPath /etc/apache2/site.d/$site/x509/empty/
+ SSLCACertificateFile /etc/apache2/x509.d/$site/crt.self-signed.pem
+ SSLCACertificatePath /etc/apache2/x509.d/$site/usr/
+ #SSLCARevocationFile /etc/apache2/x509.d/$site/rvk.pem
+ SSLCADNRequestFile /etc/apache2/x509.d/$site/crt.self-signed.pem
+ SSLCADNRequestPath /etc/apache2/x509.d/$site/empty/
# NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés
- SSLCARevocationPath /etc/apache2/site.d/$site/x509/rvk/
- SSLCertificateChainFile /etc/apache2/site.d/$site/x509/ca/crt.pem
- SSLCertificateFile /etc/apache2/site.d/$site/x509/crt.pem
- SSLCertificateKeyFile /etc/apache2/site.d/$site/x509/key.pem
+ SSLCARevocationPath /etc/apache2/x509.d/$site/rvk/
+ SSLCertificateChainFile /etc/apache2/x509.d/$site/ca/crt.pem
+ SSLCertificateFile /etc/apache2/x509.d/$site/crt.pem
+ SSLCertificateKeyFile /etc/apache2/x509.d/$site/key.pem
SSLCipherSuite AES+RSA+SHA256
SSLEngine On
SSLInsecureRenegotiation Off
rule adduser git \
--disabled-password \
--group \
+ --home /home/git \
--shell /bin/bash \
--system
sudo chfn --full-name git git
--disabled-login \
--disabled-password \
--group \
- --home ~git/log \
+ --home /home/git/log \
+ --shell /bin/false \
+ --system
+ rule adduser git-data\
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/git/pub \
--shell /bin/false \
--system
rule adduser git-daemon\
--home /home/git/pub \
--shell /bin/false \
--system
+ rule adduser log-git-daemon\
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/git/log/git-daemon \
+ --shell /bin/false \
+ --system
+ sudo adduser git git-data
+ sudo adduser git-daemon git-data
+ sudo adduser log-git log-git-daemon
sudo install -d -m 770 -o git -g git \
/etc/gitolite \
- ~git/etc \
- ~git/etc/ssh \
- ~git/pub
- sudo install -d -m 770 -o log-git -g log-git \
- ~git/log \
- ~git/log/gitolite \
- ~git/log/gitolite/perf
+ /home/git/etc \
+ /home/git/etc/ssh
+ sudo install -d -m 751 -o git -g git \
+ /home/git
+ sudo install -d -m 3771 -o git-data -g git-data \
+ /home/git/pub
+ sudo install -d -m 1771 -o git -g git \
+ /home/git/log
+ sudo install -d -m 2770 -o git -g log-git \
+ /home/git/log/gitolite \
+ /home/git/log/gitolite/perf
+ sudo install -d -m 770 -o log-git-daemon -g log-git-daemon \
+ /home/git/log/git-daemon
sudo install -d -m 550 -o www-lhc-git -g www-lhc-git \
/etc/gitweb \
/etc/gitweb/cgi
- sudo ln -fns /etc/gitolite ~git/etc/gitolite
- sudo ln -fns /etc/gitweb ~git/etc/gitweb
- sudo ln -fns etc/gitolite/gitolite.rc ~git/.gitolite.rc
- sudo ln -fns etc/ssh ~git/.ssh
+ sudo ln -fns /etc/gitolite /home/git/etc/gitolite
+ sudo ln -fns /etc/gitweb /home/git/etc/gitweb
+ sudo ln -fns etc/gitolite/gitolite.rc /home/git/.gitolite.rc
+ sudo ln -fns etc/ssh /home/git/.ssh
sudo install -m 770 -o git -g git /dev/stdin \
- ~git/etc/gitolite/gitolite.rc <<-EOF
+ /home/git/etc/gitolite/gitolite.rc <<-EOF
#\$ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary";
#\$BIG_INFO_CAP = 20;
#\$ENV{GL_SLAVES} = 'gitolite@server2 gitolite@server3';
1;
EOF
sudo install -m 740 -o git -g www-lhc-git /dev/stdin \
- ~git/etc/gitweb/gitweb.conf <<-EOF
+ /home/git/etc/gitweb/gitweb.conf <<-EOF
\$commit_oneline_message_width = 70;
\$default_projects_order = 'age';
\$default_text_plain_charset = 'UTF-8';
EOF
sudo install -m 600 -o git -g git \
"$tool"/var/pub/ssh/git.key \
- ~git/etc/ssh/git.pub
+ /home/git/etc/ssh/git.pub
sudo -u git \
GL_RC=/home/git/etc/gitolite/gitolite.rc \
GIT_AUTHOR_NAME=git \
- gl-setup -q ~git/etc/ssh/git.pub git
+ gl-setup -q /home/git/etc/ssh/git.pub git
local d
for d in doc logs src
- do test ! -d ~git/etc/gitolite/"$d" ||
- rmdir ~git/etc/gitolite/"$d"
+ do test ! -d /home/git/etc/gitolite/"$d" ||
+ rmdir /home/git/etc/gitolite/"$d"
done
rule apt_get_install gitweb highlight
sudo service tmpfs restart
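Review bot: `sudo install -d -m 3771 -o git-data -g git-data /home/git/pub` (L505-506) sets the setuid bit on a directory, which Linux ignores; the intent is evidently setgid so that new repositories inherit the `git-data` group, i.e. `-m 2771`, and the nginx part of this same commit already corrects the equivalent `3770` to `2770` (L572-573). A space before the continuation backslash in `rule adduser git-data\` (L471) and `rule adduser log-git-daemon\` (L482) would read more clearly, though the shell accepts it as written.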
"$tool"/etc/nginx/conf.d/"$conf" \
/etc/nginx/conf.d/"$conf"
done
- for conf in "$tool"/etc/nginx/site.d/*/server.conf
+ for conf in "$tool"/etc/nginx/site.d/*/site.conf
do conf=${conf#"$tool"/etc/nginx/site.d/}
- local site="${conf%/server.conf}"
+ local site="${conf%/site.conf}"
rule adduser www-"$site" \
--disabled-login \
--disabled-password \
sudo install -d -m 770 -o www -g www \
/etc/nginx/x509.d/"$site"
test -L /home/www/pub/"$site" ||
- sudo install -d -m 3770 -o www-"$site" -g www-"$site" \
+ sudo install -d -m 2770 -o www-"$site" -g www-"$site" \
/home/www/pub/"$site"
sudo adduser www-data www-"$site"
sudo adduser www-data log-www-"$site"
+ sudo install -m 660 -o www -g www \
+ "$tool"/etc/nginx/site.d/"$site"/local.conf \
+ /etc/nginx/site.d/"$site"/local.inc
+ sudo install -m 660 -o www -g www \
+ "$tool"/etc/nginx/site.d/"$site"/site.conf \
+ /etc/nginx/site.d/"$site"/site.inc
sudo install -m 660 -o www -g www /dev/stdin \
/etc/nginx/site.d/"$site"/server.conf <<-EOF
server {
access_log /home/www/log/$site/nginx/access.log main;
error_log /home/www/log/$site/nginx/error.log warn;
root /home/www/pub/$site;
- ssl_certificate /etc/nginx/x509.d/$site/crt.pem;
- ssl_certificate_key /etc/nginx/x509.d/$site/key.pem;
- $(cat "$tool"/etc/nginx/site.d/"$site"/listen.conf)
- $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
+ include /etc/nginx/site.d/$site/local.inc;
+ include /etc/nginx/site.d/$site/site.inc;
}
EOF
- test -d /home/www/pub/"$site" -o -L /home/www/pub/"$site" ||
test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
. "$tool"/etc/nginx/site.d/"$site"/configure.sh
done
sudo insserv --remove fcgiwrap
sudo insserv --remove nginx
rule tmpfs_configure
- case $(sv status nginx) in
- (run:*) sudo sv restart nginx
- esac
+ sudo service php5-fpm restart
+ # NOTE: relance les processus du pool
+ # pour leur donner les droits
+ # de leurs groupes supplémentaires.
+ sudo service nginx restart
+ #case $(sv status nginx) in
+ # (run:*) sudo sv restart nginx
+ # esac
}
rule_php5_fpm_configure () {
local -; set +f
--disabled-password \
--group \
--no-create-home \
- --home /home/www/log/php5/fpm \
+ --home /home/www/log/php5/fpm/"$pool" \
--shell /bin/false \
--system
sudo install -d -m 770 -o log-php5 -g log-php5 \
LAST_SYSTEM_UID=999
LAST_UID=29999
LETTERHOMES=no
- NAME_REGEX="^[a-z][-a-z0-9_.]*\$"
+ NAME_REGEX="^[a-z][-a-z0-9_]*\$"
QUOTAUSER="" # TODO: init
SETGID_HOME=no
SKEL=/etc/skel
rule_apache2_key_send () {
local -; set +f
- for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf
- do conf=${conf#"$tool"/etc/apache2/site.d/}
- local port domain
- IFS=. read -r port domain <<-EOF
- ${conf%/VirtualHost.conf}
- EOF
- assert 'test "${port:+set}"'
- assert 'test "${domain:+set}"'
- local site="$port.$domain"
- case $port in
- (443)
- rule _x509_site_key_decrypt "$domain" |
- rule ssh -l root ' \
- sudo install -d -m 770 -o '"$user"' -g '"$user"' \
- /etc/apache2 \
- /etc/apache2/site.d/'"$site"' \
- /etc/apache2/site.d/'"$site"'/x509; \
- sudo install -m 644 -o '"$user"' -g '"$user"' /dev/stdin \
- /etc/apache2/site.d/'"$site"'/x509/.gitignore <<-EOF
- key.pem
- EOF
- sudo install -m 400 -o root -g root \
- /dev/stdin \
- /etc/apache2/'"'$site'"'/x509/key.pem
- '
- ;;
- esac
+ for conf in "$tool"/etc/nginx/site.d/*/key_send
+ do conf=${conf#"$tool"/etc/nginx/site.d/}
+ local site=${conf%/key_send}
+ rule _x509_site_key_decrypt \
+ "$(cat "$tool"/etc/apache2/site.d/"$site"/key_send)" |
+ rule ssh -l root ' \
+ sudo install -d -m 770 -o '"$user"' -g '"$user"' \
+ /etc/apache2 \
+ /etc/apache2/x509.d \
+ /etc/apache2/x509.d/'"$site"'; \
+ sudo install -m 644 -o '"$user"' -g '"$user"' /dev/stdin \
+ /etc/apache2/x509.d/'"$site"'/.gitignore <<-EOF
+ key.pem
+ EOF
+ sudo install -m 400 -o root -g root \
+ /dev/stdin \
+ /etc/apache2/x509.d/'"'$site'"'/key.pem
+ '
done
}
rule_dovecot_key_send () {
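Review bot: The loop at L663 globs `"$tool"/etc/nginx/site.d/*/key_send` but L667 reads `"$tool"/etc/apache2/site.d/"$site"/key_send`, so the Apache function iterates nginx sites and then looks up a file in a different tree; when that file is absent, `cat` fails inside the command substitution, `set -e` (if active in this file) does not stop the pipeline, and `_x509_site_key_decrypt` runs with an empty argument before the key is written to the host. Both paths should use the apache2 tree: `for conf in "$tool"/etc/apache2/site.d/*/key_send` and `do conf=${conf#"$tool"/etc/apache2/site.d/}`, and a guard such as `test -r "$tool"/etc/apache2/site.d/"$site"/key_send || continue` would turn a missing file into a skip rather than an empty decrypt.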
/etc/nginx/x509.d/'"'$site'"'/.gitignore <<-EOF
key.pem
EOF
-
- install -m 400 -o root -g root \
+ sudo install -m 400 -o root -g root \
/dev/stdin \
/etc/nginx/x509.d/'"'$site'"'/key.pem
'