TASK: obtenir une installation démarable
@host % ~/tool/ateliers/vm_host chroot
@host % export TRACE=1 LANG=C LC_CTYPE=C
- @host % /root/tool/vm/vm_hosted init
+ @host % /root/tool/vm/local/init # TODO: revoir ça
@host % exit
TASK: initialiser la VM
- @host % ~/tool/ateliers/vm_host vm_configure
- @host % ~/tool/ateliers/vm_host vm_start
- @hosted % vm_hosted user_configure
+ @host % ~/tool/ateliers/vm_host vm_configure
+ @host % ~/tool/ateliers/vm_host vm_start
+ @local % local/user-configure
TASK: démarrer la VM
@host % vm_host vm_start
TASK: ajouter un-e administrateurice $user
@remote % gpg --armor --export --export-options export-clean >var/pub/openpgp/$user.key
@remote % git add var/pub/{openpgp,ssh}/$user.key
@remote % git commit -a -m "Ajout : admin : $user ."
- @remote % ./vm_remote git_push
- @hosted % vm_hosted git_reset
- @hosted % vm_hosted user_admin_add $user
+ @remote % remote/git-push
+ @local % local/git-reset
+ @local % local/user-admin-add $user
TASK: démarrer la VM
@host % vm_host vm_start
- @remote % ./vm_remote key_disk_send
+ @remote % remote/luks-key-disk-send
TASK: pousser des changements locaux sur la VM
- @remote % ./vm_remote push hosted
- @hosted % vm_hosted git_reset
+ @remote % remote/git-push
+ @local % local/git-reset
TASK: se connecter interactivement en root à la VM avec une connection SSH persistante
- @remote % ./vm_remote mosh -l root
+ @remote % remote/mosh -l root
TASK: générer une autorité de certification et des sous-certificats TLS
% export TRACE=all
% random=/dev/urandom gpg_options="-r $USER@ -r $SOME_OTHER_USER@" lib/tool/openssl/make etc/openssl/heureux-cyclage.org
% cd etc/gitolite
% vim conf/gitolite.conf
% git commit
- % ../../vm_remote gitolite_push
+ % ../../remote/gitolite-push
TASK: configurer une zone DNS
- @hosted % vm runit_configure nsd3 -- heureux-cyclage.org
+ @local % local/runit-configure nsd3 -- heureux-cyclage.org
TASK: configurer un membre du groupe php5-fpm
- @remote % ./vm_remote runit_configure nginx -- lhc_www
- @hosted % vm_hosted runit_configure nginx -- lhc_www
+ @remote % remote/runit-configure nginx -- lhc_www
+ @local % local/runit-configure nginx -- lhc_www
TASK: configurer un site nginx
- @hosted % vm_hosted runit_configure nginx -- lhc_www
+ @local % local/runit-configure nginx -- lhc_www
--- /dev/null
+. "$tool"/etc/local.sh
+
+readonly vm_dev_disk=/dev/mapper/domU-$(printf %s "$vm_fqdn-disk" | sed -e 's/-/--/g')
+readonly vm_dev_disk_boot="${vm_dev_disk}1"
+
+case $vm_use_lvm in
+ (no)
+ readonly vm_dev_disk_swap="${vm_dev_disk}5"
+ readonly vm_dev_disk_root="${vm_dev_disk}6"
+ readonly vm_dev_disk_var="${vm_dev_disk}7"
+ readonly vm_dev_disk_home="${vm_dev_disk}8"
+ ;;
+ (yes)
+ readonly vm_lvm_pv="${vm_dev_disk}2"
+ readonly vm_dev_disk_swap=/dev/$vm_lvm_vg/${vm_lvm_lv}_swap
+ readonly vm_dev_disk_root=/dev/$vm_lvm_vg/${vm_lvm_lv}_root
+ readonly vm_dev_disk_var=/dev/$vm_lvm_vg/${vm_lvm_lv}_var
+ readonly vm_dev_disk_home=/dev/$vm_lvm_vg/${vm_lvm_lv}_home
+ ;;
+ (*) exit 1;;
+ esac
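Review bot: The fallback arm `(*) exit 1;;` on L77 terminates the shell with no diagnostic, so a typo in `vm_use_lvm` surfaces only as a bare exit status 1; `(*) printf '%s\n' "vm_use_lvm: unexpected value: $vm_use_lvm" >&2; exit 1;;` would name the cause. The same silent arm recurs at L137-138 in the next file. Because this file is itself sourced (L58 shows it sourcing `etc/local.sh` the same way), `exit` here ends the caller rather than just this file, which is presumably intended but deserves a one-line comment above the `case`.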
--- /dev/null
+readonly PATH=$PATH:/usr/sbin:/sbin
+readonly vm_domainname="heureux-cyclage.org"
+readonly vm_hostname="ateliers"
+readonly vm_fqdn="$vm_hostname.$vm_domainname"
+readonly vm=$vm_hostname
+readonly vm_host="rouf.grenode.net"
+readonly vm_host_nameserver="91.216.110.110"
+
+readonly vm_use_lvm="yes"
+ # - sans LVM :
+ # - on a accès au LVM de l'hôte, mais c'est pas très propre.
+ # - pour l'extension de mémoire, on peut soit :
+ # 1.1. étendre avec lvresize /dev/domU/$vm_fqdn-disk
+ # 1.2. étendre avec sfdisk $vm_dev_disk_home
+ # 1.3. étendre avec resize2fs /dev/mapper/${vm_lvm_lv}_home_deciphered
+ # soit :
+ # 2.1. créer une nouvelle partition sur le LVM de l'hôte
+ # 2.2. l'ajouter comme un disque supplémentaire dans /etc/xen/$vm_fqdn.cfg
+ # 2.3. le monter sur /home2 en pensant à changer DHOME=/home2 dans /etc/adduser.conf
+ # - pour la sauvegarde: on peut soit :
+ # 1. sauvegarder au niveau applicatif (pgdump, mysqldump, etckeeper, git)
+ # 2. sauvegarder incrémentalement avec (duplicity, backup-ninja, BackupPC),
+ # depuis l'hôte pour avoir un snapshot LVM.
+ # - avec LVM :
+ # - question ouverte de la performance du LVM dans du LVM.
+ # - pour l'extension de mémoire, on peut soit :
+ # 1.1. étendre avec lvresize /dev/domU/$vm_fqdn-disk
+ # 1.1. étendre avec pvextend $vm_lvm_pv
+ # 1.1. étendre avec lvresize /dev/${vm_lvm_vg}/${vm_lvm_lv}_home
+ # 1.3. étendre avec resize2fs /dev/mapper/${vm_lvm_lv}_home_deciphered
+ # - pour la sauvegarde: on peut soit :
+ # 1. sauvegarder au niveau applicatif (pgdump, mysqldump, etckeeper, git)
+ # 2. sauvegarder incrémentalement avec (duplicity, backup-ninja, BackupPC),
+ # depuis la VM pour avoir un snapshot LVM.
+
+# Cartographie de la mémoire morte :
+# SATA2 * 2 (/dev/sd{a,b})
+# /dev/sda -> /dev/sda{1,2,3}
+# /dev/sdb -> /dev/sdb{1,2,3}
+# RAID1 logiciel
+# /dev/sd{a,b}1 -> /dev/md0
+# /dev/sd{a,b}2 -> /dev/md1
+# /dev/sd{a,b}3 -> /dev/md2
+# LVM
+# /dev/md0 -> dom0
+# /dev/md2 -> domU -> /dev/mapper/$vm_fqdn-disk
+# LVM
+# /dev/mapper/$vm_fqdn-disk -> /dev/xvda{1,2}
+# /dev/xvda2 -> /dev/mapper/${vm_lvm_vg}-${vm_lvm_lv}_{swap,root,var,home}
+
+case $vm_use_lvm in
+ (no)
+ ;;
+ (yes)
+ readonly vm_lvm_vg=$vm_fqdn
+ readonly vm_lvm_lv=$vm
+ ;;
+ (*)
+ exit 1;;
+ esac
+
+readonly vm_raid_effective_disks=1 # NOTE: RAID1 (mirroring)
+ # NOTE: julm@rouf:~$ sudo pvs /dev/md2 -o+pe_start
+ # PV VG Fmt Attr PSize PFree 1st PE
+ # /dev/md2 domU lvm2 a- 925,64g 470,64g 192,00k <- pas adapté au TRIM SSD, mais on utilise du SATA2
+readonly vm_e2fs_block_size=4096
+ # NOTE: valeur standard pour un disque avec des secteurs de 512 octets :
+ # julm@rouf:~$ grep . /sys/block/sd{a,b}/queue/*_block_size
+ # /sys/block/sda/queue/logical_block_size:512
+ # /sys/block/sda/queue/physical_block_size:512
+ # /sys/block/sdb/queue/logical_block_size:512
+ # /sys/block/sdb/queue/physical_block_size:512
+readonly vm_e2fs_stripe_size=
+ # NOTE: égal au chunk size de mdadm --detail ;
+ # mais ne concerne pas RAID1 où il n'y a pas de changement de disque à effectuer,
+ # et donc pas de chunk size.
+readonly vm_e2fs_stride=${vm_e2fs_stripe_size:+$((vm_e2fs_stripe_size / vm_e2fs_block_size))}
+readonly vm_e2fs_stripe_width=${vm_e2fs_stride:+$((vm_e2fs_stride * vm_raid_effective_disks))}
+vm_e2fs_extended_options=${vm_e2fs_stride:+,stride=$vm_e2fs_stride}${vm_e2fs_stripe_width:+,stripe_width=$vm_e2fs_stripe_width}
+
+readonly vm_arch="amd64"
+readonly vm_bridge="br-gresille"
+readonly vm_ipv4="91.216.110.42" # NOTE: IPv4 publique assignée par Grésille
+readonly vm_lsb_name="wheezy"
+readonly vm_mac="00:16:3E:E5:98:42" # NOTE: addresse MAC assignée par Grésille
+ # NOTE: on part sur wheezy dès le début
+ # dans l'idée de ne pas s'embêter avec
+ # une migration squeeze -> wheezy dans deux mois ;
+ # et parce qu'on juge wheezy « suffisamment stable ».
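Review bot: The numbered steps in the LVM comment on L106-108 all read `1.1.` before L109 jumps to `1.3.`, whereas the parallel list on L92-94 counts `1.1.`, `1.2.`, `1.3.`; the lvresize → pvextend → lvresize → resize2fs sequence is presumably meant to be numbered `1.1.` through `1.4.`. `vm_e2fs_extended_options` on L158 is the only variable in this file not declared `readonly`; if that is deliberate because a caller appends to it, a comment saying so would help, otherwise `readonly` keeps it consistent with L156-157. Note also that `readonly PATH=$PATH:/usr/sbin:/sbin` on L80 makes PATH immutable for every script that sources this file, so any later `PATH=` assignment downstream will be rejected.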
+++ /dev/null
-#!/bin/sh -eux
-db="$1"
-user="${2:-$1}"
-sudo -u mysql mysql --batch --verbose <<-EOF
- CALL mysql.create_database('$db', '$user', 'localhost');
- EOF
+++ /dev/null
-#!/bin/sh -eux
-user="$1"
-sudo -u mysql mysql -u mysql --batch --verbose <<-EOF
- CALL mysql.create_user('$user', 'localhost');
- EOF
-sudo adduser "$user" mysql-data
+++ /dev/null
-#!/bin/sh
-set -e -f -u -x
-local hint="run before: ./vm_remote runit_configure nginx -- $site"
-assert "sudo test -f /etc/nginx/x509.d/\"$site\"/key.pem" hint
-sudo install -m 664 -o www -g www \
- "$tool"/var/pub/x509/git.heureux-cyclage.org/crt+ca.pem \
- /etc/nginx/x509.d/"$site"/crt.pem
-
-sudo rmdir ~www-data/"$site" || true
-sudo ln -fns "${site%-tls}" ~www-data/"$site"
--- /dev/null
+#!/bin/sh
+set -e -f -u -x
+local hint="run before: ./vm_remote runit_configure nginx -- $site"
+assert "sudo test -f /etc/nginx/x509.d/\"$site\"/key.pem" hint
+sudo install -m 664 -o www -g www \
+ "$tool"/var/pub/x509/git.heureux-cyclage.org/crt+ca.pem \
+ /etc/nginx/x509.d/"$site"/crt.pem
+
+sudo rmdir ~www-data/"$site" || true
+sudo ln -fns "${site%-tls}" ~www-data/"$site"
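Review bot: The hint strings still name the commands this commit retires: L197 says `./vm_remote runit_configure nginx -- $site` while the TODO hunk on L52 now documents `remote/runit-configure nginx -- $site`, and the same stale text is on L230 (`vm_remote nginx_configure`), L327, L422, L458, L480 and L715 (`./vm_remote runit_configure dovecot`). Suggested wording: `local hint="run before: remote/runit-configure nginx -- $site"`. Separately, `local` on L197 is only valid inside a function, so these fragments must be sourced from within one rather than executed as the `#!/bin/sh` line on L195 suggests; a top comment stating that would spare the next reader a "local outside a function" error when trying to run one directly. Finally, the certificate chain is installed `-m 664 -o www -g www` on L199, which lets every member of group www replace the chain nginx serves; 644 is enough for it to be read.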
+++ /dev/null
-rule apt_get_install gitweb highlight
-
-#sudo adduser www-data git-data
-sudo adduser www-"$site"-tls www-"$site"
--- /dev/null
+"$tool"/local/apt-get-install gitweb highlight
+
+#sudo adduser www-data git-data
+sudo adduser www-"$site"-tls www-"$site"
+++ /dev/null
-#!/bin/sh
-set -e -f -u -x
-local hint="run vm_remote nginx_configure before"
-assert "sudo test -f /etc/nginx/x509.d/\"$site\"/key.pem" hint
-sudo install -m 664 -o www -g www \
- "$tool"/var/pub/x509/questionnaires.heureux-cyclage.org/crt+ca.pem \
- /etc/nginx/x509.d/"$site"/crt.pem
-
-sudo rmdir ~www-data/"$site" || true
-sudo ln -fns "${site%-tls}" ~www-data/"$site"
-
--- /dev/null
+#!/bin/sh
+set -e -f -u -x
+local hint="run vm_remote nginx_configure before"
+assert "sudo test -f /etc/nginx/x509.d/\"$site\"/key.pem" hint
+sudo install -m 664 -o www -g www \
+ "$tool"/var/pub/x509/questionnaires.heureux-cyclage.org/crt+ca.pem \
+ /etc/nginx/x509.d/"$site"/crt.pem
+
+sudo rmdir ~www-data/"$site" || true
+sudo ln -fns "${site%-tls}" ~www-data/"$site"
+
+++ /dev/null
-pool=lhc_quest
-sudo adduser php5_"$pool" www-"$site"
-sudo adduser www-"$site"-tls www-"$site"
-~mysql/bin/createuser php5_"$pool"
-~mysql/bin/createdb php5_"$pool"
--- /dev/null
+pool=lhc_quest
+sudo adduser php5_"$pool" www-"$site"
+sudo adduser www-"$site"-tls www-"$site"
+~mysql/bin/createuser php5_"$pool"
+~mysql/bin/createdb php5_"$pool"
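Review bot: `~mysql/bin/createuser` and `~mysql/bin/createdb` on L249-250 are still invoked, while the two `#!/bin/sh -eux` wrappers that issue `CALL mysql.create_user(...)` / `CALL mysql.create_database(...)` are deleted earlier in this diff (L170-182) together with the `find "$tool"/etc/mysql/bin/ … install -t /home/mysql/bin/` step (L1064-1066); unless they are re-added under a new path outside this chunk, these lines now call scripts the repository no longer ships. The same pair of calls is on L441-442. A guard such as `[ -x ~mysql/bin/createdb ] || exit 1` before the calls would make a missing wrapper fail with a clear message rather than a bare exit status 127.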
+++ /dev/null
-local hint="run before: ./vm_remote runit_configure nginx -- $site"
-assert "sudo getent passwd wiki-\"$site\" >/dev/null" hint
-assert "sudo test -f ~wiki-$site/etc/ssh/id_rsa" hint
-
-rule apt_get_install ikiwiki \
- libsearch-xapian-perl
-
-rule adduser fcgi-"$site" \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/www/pub/"$site" \
- --shell /bin/false \
- --system
-rule adduser www-"$site" \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/www/pub/"$site" \
- --shell /bin/false \
- --system
-sudo adduser fcgi-"$site" www-"$site"
-sudo adduser fcgi-"$site" wiki-"$site"
-#sudo adduser www-"$site"-tls www-"$site"
-sudo install -d -m 2770 -o wiki-"$site" -g wiki-"$site" \
- /home/lhc/var/ikiwiki/remorque
-
-sudo install -d -m 2770 -o wiki-"$site" -g wiki-"$site" \
- /home/lhc/var/ikiwiki/remorque
-sudo install -d -m 2750 -o wiki-"$site" -g git \
- /home/git/hooks/lhc \
- /home/git/hooks/lhc/remorque
-sudo install -m 771 -o git -g git /dev/stdin \
- /home/git/pub/lhc/remorque.git/hooks/post-update <<-EOF
- #!/bin/sh -efux
-
- # The cd below is why we must use this script.
- # The current directory may not be accessible
- # by the user running the ikiwiki.
- # the execution of the ikiwiki wrapper would fail with :
- # "E: Failed to change to directory '...': Permission denied"
- cd /
-
- exec /home/git/hooks/lhc/remorque/post-update.ikiwiki
- EOF
-
-if sudo test -d /home/lhc/var/ikiwiki/remorque/.git
- then sudo -u wiki-"$site" \
- sh -c 'cd /home/lhc/var/ikiwiki/remorque && git pull -v'
- else
- sudo -u wiki-"$site" \
- git clone \
- git@localhost:lhc/remorque \
- /home/lhc/var/ikiwiki/remorque/git
- set +f
- sudo mv -i \
- /home/lhc/var/ikiwiki/remorque/git/.git* \
- /home/lhc/var/ikiwiki/remorque/git/* \
- /home/lhc/var/ikiwiki/remorque/
- sudo rmdir /home/lhc/var/ikiwiki/remorque/git
- fi
-
-sudo install -m 400 -o wiki-"$site" -g wiki-"$site" \
- "$tool"/etc/nginx/site.d/"$site"/ikiwiki.setup \
- /home/lhc/var/ikiwiki/remorque/etc/ikiwiki.setup
-sudo adduser wiki-"$site" www-"$site"
-sudo install -d -m 2770 -o wiki-"$site" -g fcgi-"$site" \
- /home/www/pub/"$site"/cgi
-cd /
-sudo -u wiki-"$site" ikiwiki \
- --verbose \
- --setup /home/lhc/var/ikiwiki/remorque/etc/ikiwiki.setup \
- --refresh \
- --wrappers
--- /dev/null
+local hint="run before: ./vm_remote runit_configure nginx -- $site"
+assert "sudo getent passwd wiki-\"$site\" >/dev/null" hint
+assert "sudo test -f ~wiki-$site/etc/ssh/id_rsa" hint
+
+"$tool"/local/apt-get-install ikiwiki \
+ libsearch-xapian-perl
+
+"$tool"/local/adduser fcgi-"$site" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/www/pub/"$site" \
+ --shell /bin/false \
+ --system
+"$tool"/local/adduser www-"$site" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/www/pub/"$site" \
+ --shell /bin/false \
+ --system
+sudo adduser fcgi-"$site" www-"$site"
+sudo adduser fcgi-"$site" wiki-"$site"
+#sudo adduser www-"$site"-tls www-"$site"
+sudo install -d -m 2770 -o wiki-"$site" -g wiki-"$site" \
+ /home/lhc/var/ikiwiki/remorque
+
+sudo install -d -m 2770 -o wiki-"$site" -g wiki-"$site" \
+ /home/lhc/var/ikiwiki/remorque
+sudo install -d -m 2750 -o wiki-"$site" -g git \
+ /home/git/hooks/lhc \
+ /home/git/hooks/lhc/remorque
+sudo install -m 771 -o git -g git /dev/stdin \
+ /home/git/pub/lhc/remorque.git/hooks/post-update <<-EOF
+ #!/bin/sh -efux
+
+ # The cd below is why we must use this script.
+ # The current directory may not be accessible
+ # by the user running the ikiwiki.
+ # the execution of the ikiwiki wrapper would fail with :
+ # "E: Failed to change to directory '...': Permission denied"
+ cd /
+
+ exec /home/git/hooks/lhc/remorque/post-update.ikiwiki
+ EOF
+
+if sudo test -d /home/lhc/var/ikiwiki/remorque/.git
+ then sudo -u wiki-"$site" \
+ sh -c 'cd /home/lhc/var/ikiwiki/remorque && git pull -v'
+ else
+ sudo -u wiki-"$site" \
+ git clone \
+ git@localhost:lhc/remorque \
+ /home/lhc/var/ikiwiki/remorque/git
+ set +f
+ sudo mv -i \
+ /home/lhc/var/ikiwiki/remorque/git/.git* \
+ /home/lhc/var/ikiwiki/remorque/git/* \
+ /home/lhc/var/ikiwiki/remorque/
+ sudo rmdir /home/lhc/var/ikiwiki/remorque/git
+ fi
+
+sudo install -m 400 -o wiki-"$site" -g wiki-"$site" \
+ "$tool"/etc/nginx/site.d/"$site"/ikiwiki.setup \
+ /home/lhc/var/ikiwiki/remorque/etc/ikiwiki.setup
+sudo adduser wiki-"$site" www-"$site"
+sudo install -d -m 2770 -o wiki-"$site" -g fcgi-"$site" \
+ /home/www/pub/"$site"/cgi
+cd /
+sudo -u wiki-"$site" ikiwiki \
+ --verbose \
+ --setup /home/lhc/var/ikiwiki/remorque/etc/ikiwiki.setup \
+ --refresh \
+ --wrappers
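Review bot: The directory creation `sudo install -d -m 2770 -o wiki-"$site" -g wiki-"$site" /home/lhc/var/ikiwiki/remorque` is issued twice back to back (L351-352 and L354-355); the move carried the duplicate over, and one copy can go. In the clone branch, `sudo mv -i` on L382 prompts on conflicts, so when stdin is not a terminal a conflicting entry is skipped and the `sudo rmdir` on L386 then fails on a non-empty directory; `mv -n` makes the skip explicit, or the target can be asserted empty beforehand so a plain `mv` is safe. The post-update hook is installed `-m 771 -o git -g git` on L359, so every member of group git can rewrite what runs on each push to remorque; 755 (or 750) is sufficient for git to execute it.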
gpg --decrypt "$tool"/var/sec/ssh/wiki-"$site".gpg |
-rule ssh -l root ' \
+"$tool"/remote/ssh -l root ' \
set -e -f -u -x
sudo install -d -m 1751 -o lhc -g lhc \
/home/lhc \
+++ /dev/null
-#!/bin/sh
-set -e -f -u -x
-local hint="run before: ./vm_remote runit_configure nginx -- $site"
-assert "sudo test -f /etc/nginx/x509.d/\"$site\"/key.pem" hint
-sudo install -m 664 -o www -g www \
- "$tool"/var/pub/x509/stats.heureux-cyclage.org/crt+ca.pem \
- /etc/nginx/x509.d/"$site"/crt.pem
-
-sudo rmdir ~www-data/"$site" || true
-sudo ln -fns "${site%-tls}" ~www-data/"$site"
-
--- /dev/null
+#!/bin/sh
+set -e -f -u -x
+local hint="run before: ./vm_remote runit_configure nginx -- $site"
+assert "sudo test -f /etc/nginx/x509.d/\"$site\"/key.pem" hint
+sudo install -m 664 -o www -g www \
+ "$tool"/var/pub/x509/stats.heureux-cyclage.org/crt+ca.pem \
+ /etc/nginx/x509.d/"$site"/crt.pem
+
+sudo rmdir ~www-data/"$site" || true
+sudo ln -fns "${site%-tls}" ~www-data/"$site"
+
+++ /dev/null
-pool=lhc_stats
-sudo adduser php5_"$pool" www-"$site"
-sudo adduser www-"$site"-tls www-"$site"
-~mysql/bin/createuser php5_"$pool"
-~mysql/bin/createdb php5_"$pool"
--- /dev/null
+pool=lhc_stats
+sudo adduser php5_"$pool" www-"$site"
+sudo adduser www-"$site"-tls www-"$site"
+~mysql/bin/createuser php5_"$pool"
+~mysql/bin/createdb php5_"$pool"
+++ /dev/null
-#!/bin/sh
-set -e -f -u -x
-local hint="run before: ./vm_remote runit_configure nginx -- $site"
-assert "sudo test -f /etc/nginx/x509.d/\"$site\"/key.pem" hint
-sudo install -m 664 -o www -g www \
- "$tool"/var/pub/x509/www.heureux-cyclage.org/crt+ca.pem \
- /etc/nginx/x509.d/"$site"/crt.pem
-
-sudo rmdir ~www-data/"$site" || true
-sudo ln -fns "${site%-tls}" ~www-data/"$site"
-
--- /dev/null
+#!/bin/sh
+set -e -f -u -x
+local hint="run before: ./vm_remote runit_configure nginx -- $site"
+assert "sudo test -f /etc/nginx/x509.d/\"$site\"/key.pem" hint
+sudo install -m 664 -o www -g www \
+ "$tool"/var/pub/x509/www.heureux-cyclage.org/crt+ca.pem \
+ /etc/nginx/x509.d/"$site"/crt.pem
+
+sudo rmdir ~www-data/"$site" || true
+sudo ln -fns "${site%-tls}" ~www-data/"$site"
+
+++ /dev/null
-sudo adduser php5_lhc_www www-"$site"
-sudo adduser www-"$site"-tls www-"$site"
--- /dev/null
+sudo adduser php5_lhc_www www-"$site"
+sudo adduser www-"$site"-tls www-"$site"
+++ /dev/null
-local hint="run before: ./vm_remote runit_configure nginx -- $site"
-assert "sudo test -f /etc/nginx/x509.d/\"$site\"/key.pem" hint
-sudo install -m 664 -o www -g www \
- "$tool"/var/pub/x509/sympa.heureux-cyclage.org/crt+ca.pem \
- /etc/nginx/x509.d/"$site"/crt.pem
--- /dev/null
+local hint="run before: ./vm_remote runit_configure nginx -- $site"
+assert "sudo test -f /etc/nginx/x509.d/\"$site\"/key.pem" hint
+sudo install -m 664 -o www -g www \
+ "$tool"/var/pub/x509/sympa.heureux-cyclage.org/crt+ca.pem \
+ /etc/nginx/x509.d/"$site"/crt.pem
+++ /dev/null
-#!/bin/sh -eux
-db="$1"
-owner="${2:-$db}"
-sudo -u postgres psql template1 -a -f - <<-EOF
- \set ON_ERROR_STOP on
- DO LANGUAGE plpgsql \$\$
- BEGIN
- IF NOT EXISTS (
- SELECT *
- FROM pg_catalog.pg_user
- WHERE usename = '$owner'
- LIMIT 1
- ) THEN
- CREATE ROLE $owner
- LOGIN
- NOCREATEDB
- NOCREATEROLE
- NOINHERIT
- NOSUPERUSER;
- END IF;
- END;
- \$\$;
- EOF
-case $(sudo -u postgres psql template1 -t -c \
- "SELECT datname FROM pg_catalog.pg_database WHERE datname = '$db' LIMIT 1") in
- (" $db") true;;
- (*)
- sudo -u postgres psql template1 -a -f - <<-EOF
- \set ON_ERROR_STOP on
- CREATE DATABASE $db WITH OWNER=$owner;
- EOF
- ;;
- esac
-sudo -u postgres psql template1 -a -f - <<-EOF
- \set ON_ERROR_STOP on
- REVOKE ALL ON DATABASE $db FROM public;
- EOF
-sudo -u postgres psql "$db" -a -f - <<-EOF
- \set ON_ERROR_STOP on
- GRANT ALL ON SCHEMA public TO $owner WITH GRANT OPTION;
- EOF
+++ /dev/null
-#!/bin/sh -eux
-user="$1"
-db="${2-}"
-sudo -u postgres psql "${db-}" -a -f - <<-EOF
- \set ON_ERROR_STOP on
- DO LANGUAGE plpgsql \$\$
- BEGIN
- IF NOT EXISTS (
- SELECT *
- FROM pg_catalog.pg_user
- WHERE usename = '$user'
- LIMIT 1
- ) THEN
- CREATE ROLE $user
- LOGIN
- NOCREATEDB
- NOCREATEROLE
- NOINHERIT
- NOSUPERUSER;
- END IF;
- END;
- \$\$;
- GRANT USAGE ON SCHEMA public TO $user;
- ${db:+GRANT CONNECT,TEMPORARY ON DATABASE $db TO $user;}
- EOF
+++ /dev/null
-home=/home/"$sv"
-
-rule _runit_sv_configure postgres
-rule _runit_sv_start postgres
-while ! sudo -u postgres psql </dev/null
-do sleep 1; done
-rule _runit_sv_configure postfix
-rule _runit_sv_start postfix
-sudo postfix quiet-reload
-
-rule apt_get_install openerp --force-yes
- # XXX: --force-yes car les paquets de nightly.openerp.com
- # ne sont pas signés par OpenPGP..
-rule insserv_remove openerp
-
-sudo -u postgres psql -a -c "DROP USER IF EXISTS openerp;"
-~postgres/bin/createdb "$sv"
-
-rule adduser "$sv" \
- --disabled-login \
- --disabled-password \
- --group \
- --home "$home" \
- --shell /bin/false \
- --system
-rule adduser "$sv"-addon \
- --disabled-login \
- --disabled-password \
- --group \
- --home "$home"/addon.d \
- --shell /bin/false \
- --system
-
-sudo install -d -m 710 -o root -g "$sv" \
- /etc/sv/"$sv" \
- /etc/sv/"$sv"/supervise
-sudo install -d -m 1777 -o root -g root \
- /etc/openerp
-sudo install -d -m 3771 -o "$sv" -g "$sv" \
- "$home"
-sudo install -d -m 2770 -o "$sv" -g "$sv"-addon \
- "$home"/addon.d
-sudo install -d -m 750 -o "$sv" -g "$sv" \
- "$home"/etc \
- /etc/openerp/"$sv"
-sudo ln -fns \
- /etc/openerp/"$sv" \
- "$home"/etc/openerp
-
-sudo adduser git "$sv"-addon
-sudo adduser "$sv" "$sv"-addon
-sudo adduser "$sv" postgres-data
--- /dev/null
+home=/home/"$sv"
+
+"$tool"/local/runit-sv-configure postgres
+"$tool"/local/runit-sv-start postgres
+while ! sudo -u postgres psql </dev/null
+do sleep 1; done
+"$tool"/local/runit-sv-configure postfix
+"$tool"/local/runit-sv-start postfix
+sudo postfix quiet-reload
+
+"$tool"/local/apt-get-install openerp --force-yes
+ # XXX: --force-yes car les paquets de nightly.openerp.com
+ # ne sont pas signés par OpenPGP..
+"$tool"/local/insserv-remove openerp
+
+sudo -u postgres psql -a -c "DROP USER IF EXISTS openerp;"
+~postgres/bin/createdb "$sv"
+
+"$tool"/local/adduser "$sv" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home" \
+ --shell /bin/false \
+ --system
+"$tool"/local/adduser "$sv"-addon \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home"/addon.d \
+ --shell /bin/false \
+ --system
+
+sudo install -d -m 710 -o root -g "$sv" \
+ /etc/sv/"$sv" \
+ /etc/sv/"$sv"/supervise
+sudo install -d -m 1777 -o root -g root \
+ /etc/openerp
+sudo install -d -m 3771 -o "$sv" -g "$sv" \
+ "$home"
+sudo install -d -m 2770 -o "$sv" -g "$sv"-addon \
+ "$home"/addon.d
+sudo install -d -m 750 -o "$sv" -g "$sv" \
+ "$home"/etc \
+ /etc/openerp/"$sv"
+sudo ln -fns \
+ /etc/openerp/"$sv" \
+ "$home"/etc/openerp
+
+sudo adduser git "$sv"-addon
+sudo adduser "$sv" "$sv"-addon
+sudo adduser "$sv" postgres-data
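Review bot: `/etc/openerp` is created world-writable (`-m 1777 -o root -g root`, L643-644) although the only entry this script puts in it, `/etc/openerp/"$sv"` on L649-651, is created by root through sudo; a sticky world-writable directory under /etc lets any local account drop files beside the service configuration, and `-m 755` covers what is visible here (if openerp's own packaging must write there, a comment naming that need belongs next to the mode). `--force-yes` on L617 overrides every "potentially harmful" apt prompt, not only the unauthenticated-package one the XXX comment on L618-619 describes; `--allow-unauthenticated` is the narrower flag, and importing the repository's signing key would remove the need for either. The readiness loop on L611-612 never gives up, so a postgres that fails to start leaves the configure run hanging; a bounded form such as `n=0; while ! sudo -u postgres psql </dev/null; do n=$((n+1)); [ "$n" -lt 60 ] || exit 1; sleep 1; done` turns that into a failure.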
+++ /dev/null
-eval "home=~$sv/log"
-
-rule adduser log-"$sv"\
- --disabled-login \
- --disabled-password \
- --group \
- --home "$home" \
- --shell /bin/false \
- --system
-
-sudo install -d -m 770 -o log-"$sv" -g log-"$sv" \
- "$home"
--- /dev/null
+eval "home=~$sv/log"
+
+"$tool"/local/adduser log-"$sv"\
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home" \
+ --shell /bin/false \
+ --system
+
+sudo install -d -m 770 -o log-"$sv" -g log-"$sv" \
+ "$home"
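Review bot: `eval "home=~$sv/log"` on L673 builds shell code out of `$sv` and evaluates it, so the service name must never contain shell metacharacters for this to stay safe; resolving the home directory without eval avoids the question, e.g. `home=$(getent passwd "$sv" | cut -d: -f6)` followed by `[ -n "$home" ] || exit 1` and `home=$home/log`. The eval form also leaves the literal `~name` in `$home` when the user does not exist yet instead of failing, and the following `install -d` would then create a directory named `~…` under the current working directory. Minor: `log-"$sv"\` on L675 (and `"$sv"\` on L770) has no space before the continuation backslash; it still splits because the next line begins with whitespace, but a space makes that less fragile.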
+++ /dev/null
-rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
-rule insserv_remove dovecot
-local hint="run before: ./vm_remote runit_configure dovecot"
-assert "sudo test -f /etc/dovecot/\"$vm_domainname\"/imap/x509/key.pem" hint
-sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/imap."$vm_domainname"/crt+crl.self-signed.pem \
- /etc/dovecot/"$vm_domainname"/imap/x509/crt+crl.self-signed.pem
-sudo install -d -m 770 -o root -g root \
- /etc/skel/etc/mail \
- /etc/skel/etc/sieve
-sudo install -d -m 1777 -o root -g root \
- /var/lib/dovecot-control \
- /var/lib/dovecot-index
-m4 \
- --define=VM_DOMAINNAME=$vm_domainname \
- <"$tool"/etc/dovecot/local.conf.m4 |
-sudo install -m 644 -o root -g root /dev/stdin \
- /etc/dovecot/local.conf
-sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
- #!/bin/sh -efux
- # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
- install -d -m 770 ~/etc/dovecot
- install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
- \$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
- _EOF
- EOF
--- /dev/null
+"$tool"/local/apt-get-install dovecot-imapd dovecot-managesieved dovecot-sieve
+"$tool"/local/insserv-remove dovecot
+local hint="run before: ./vm_remote runit_configure dovecot"
+assert "sudo test -f /etc/dovecot/\"$vm_domainname\"/imap/x509/key.pem" hint
+sudo install -m 400 -o root -g root \
+ "$tool"/var/pub/x509/imap."$vm_domainname"/crt+crl.self-signed.pem \
+ /etc/dovecot/"$vm_domainname"/imap/x509/crt+crl.self-signed.pem
+sudo install -d -m 770 -o root -g root \
+ /etc/skel/etc/mail \
+ /etc/skel/etc/sieve
+sudo install -d -m 1777 -o root -g root \
+ /var/lib/dovecot-control \
+ /var/lib/dovecot-index
+m4 \
+ --define=VM_DOMAINNAME=$vm_domainname \
+ <"$tool"/etc/dovecot/local.conf.m4 |
+sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/dovecot/local.conf
+sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
+ #!/bin/sh -efux
+ # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
+ install -d -m 770 ~/etc/dovecot
+ install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
+ \$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
+ _EOF
+ EOF
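Review bot: `$vm_domainname` is passed unquoted in `--define=VM_DOMAINNAME=$vm_domainname` on L727, while every other use in this file quotes it (L716, L718-719); `--define=VM_DOMAINNAME="$vm_domainname"` keeps the fragment uniform and safe should the value ever contain whitespace. The helper installed on L731-738 is documented only by the DESCRIPTION line on L733; since `doveadm pw` prompts interactively, a usage line such as `# Usage: dovecot-passwd  (run as the mail user; prompts for the new password, writes ~/etc/dovecot/passwd)` next to it would tell the next admin how it is meant to be invoked.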
-rule _x509_site_key_decrypt imap."$vm_domainname" |
-rule ssh -l root ' \
+"$tool"/remote/site-x509-key-decrypt imap."$vm_domainname" |
+"$tool"/remote/ssh -l root ' \
sudo install -d -m 770 -o root -g root \
/etc/dovecot/'"$vm_domainname"'/ \
/etc/dovecot/'"$vm_domainname"'/imap \
+++ /dev/null
-home=~git/daemon
-rule adduser "$sv"\
- --disabled-login \
- --disabled-password \
- --group \
- --home "$home" \
- --shell /bin/false \
- --system
-
-sudo install -d -m 770 -o git -g "$sv" \
- "$home"
-
-sudo adduser "$sv" git-data
-
-sudo ln -fns \
- ../pub \
- "$home"/git.$vm_domainname
-sudo ln -fns \
- ../pub \
- "$home"/burette.$vm_domainname
- # NOTE : rétro-compatibilité
--- /dev/null
+home=~git/daemon
+"$tool"/local/adduser "$sv"\
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home" \
+ --shell /bin/false \
+ --system
+
+sudo install -d -m 770 -o git -g "$sv" \
+ "$home"
+
+sudo adduser "$sv" git-data
+
+sudo ln -fns \
+ ../pub \
+ "$home"/git.$vm_domainname
+sudo ln -fns \
+ ../pub \
+ "$home"/burette.$vm_domainname
+ # NOTE : rétro-compatibilité
+++ /dev/null
-home=~git/log/daemon
-
-rule adduser log-"$sv" \
- --disabled-login \
- --disabled-password \
- --group \
- --home "$home" \
- --shell /bin/false \
- --system
-
-sudo install -d -m 770 -o log-"$sv" -g log-"$sv" \
- "$home"
-
-adduser log-git "$sv"
--- /dev/null
+home=~git/log/daemon
+
+"$tool"/local/adduser log-"$sv" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home" \
+ --shell /bin/false \
+ --system
+
+sudo install -d -m 770 -o log-"$sv" -g log-"$sv" \
+ "$home"
+
+adduser log-git "$sv"
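Review bot: `adduser log-git "$sv"` on L819 runs without `sudo`, unlike every other group-membership change in these fragments (`sudo adduser "$sv" git-data` on L781, `sudo adduser fcgi-"$sv" git-data` on L891), so it only succeeds when the fragment already runs as root; `sudo adduser log-git "$sv"` makes it consistent. If the fragments are in fact always run as root, then the other `sudo` prefixes are the redundant ones and a comment at the top of the file should say so.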
+++ /dev/null
-home=~git-data
-
-rule apt_get_install gitweb highlight
-
-rule adduser fcgi-"$sv" \
- --disabled-login \
- --disabled-password \
- --group \
- --home "$home" \
- --shell /bin/false \
- --system
-
-sudo adduser fcgi-"$sv" www-"$sv"
-sudo adduser fcgi-"$sv" git-data
-
-sudo install -d -m 2750 -o git -g fcgi-"$sv" \
- /etc/gitweb
-sudo install -m 400 -o fcgi-"$sv" -g fcgi-"$sv" /dev/stdin \
- /etc/gitweb/gitweb.conf <<-EOF
- \$commit_oneline_message_width = 70;
- \$default_projects_order = 'project';
- \$default_text_plain_charset = 'UTF-8';
- @diff_opts = ();
- \$favicon = "static/git-favicon.png";
- \$feature{'highlight'}{'default'} = [1];
- \$git_temp = "/run/shm/tmp/gitweb";
- \$home_text = "/etc/gitweb/home_text.html";
- \$home_link = "/";
- \$home_link_str = 'dépôts';
- \$home_th_age = 'activité';
- \$home_th_descr = 'description';
- \$home_th_owner = 'contact';
- \$home_th_project = 'dépôt';
- \$javascript = "static/gitweb.js";
- \$logo = "static/git-logo.png";
- \$my_uri = "";
- \$projectroot = "/home/git/pub";
- \$projects_list = "/etc/gitweb/projects.list";
- \$projects_list_description_width = 42;
- \$projects_list_owner_width = 15;
- \$search_str = "Filtre :";
- \$site_footer = "/etc/gitweb/site_footer.html";
- \$site_header = "/etc/gitweb/site_header.html";
- \$site_name = "git.$vm_domainname";
- @stylesheets = ("static/gitweb.css");#
- EOF
-sudo install -m 400 -o fcgi-"$sv" -g fcgi-"$sv" /dev/stdin \
- /etc/gitweb/home_text.html <<-EOF
- <h2>Forge logicielle publique de l'Heureux Cyclage</h2>
- <p>Pour récupérer un dépôt public :</p>
- <pre>git clone git://git.heureux-cyclage.org/<projet></pre>
- EOF
-
-sudo ln -fns \
- /etc/gitweb \
- ~git/etc/gitweb
--- /dev/null
+home=~git-data
+
+"$tool"/local/apt-get-install gitweb highlight
+
+"$tool"/local/adduser fcgi-"$sv" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home" \
+ --shell /bin/false \
+ --system
+
+sudo adduser fcgi-"$sv" www-"$sv"
+sudo adduser fcgi-"$sv" git-data
+
+sudo install -d -m 2750 -o git -g fcgi-"$sv" \
+ /etc/gitweb
+sudo install -m 400 -o fcgi-"$sv" -g fcgi-"$sv" /dev/stdin \
+ /etc/gitweb/gitweb.conf <<-EOF
+ \$commit_oneline_message_width = 70;
+ \$default_projects_order = 'project';
+ \$default_text_plain_charset = 'UTF-8';
+ @diff_opts = ();
+ \$favicon = "static/git-favicon.png";
+ \$feature{'highlight'}{'default'} = [1];
+ \$git_temp = "/run/shm/tmp/gitweb";
+ \$home_text = "/etc/gitweb/home_text.html";
+ \$home_link = "/";
+ \$home_link_str = 'dépôts';
+ \$home_th_age = 'activité';
+ \$home_th_descr = 'description';
+ \$home_th_owner = 'contact';
+ \$home_th_project = 'dépôt';
+ \$javascript = "static/gitweb.js";
+ \$logo = "static/git-logo.png";
+ \$my_uri = "";
+ \$projectroot = "/home/git/pub";
+ \$projects_list = "/etc/gitweb/projects.list";
+ \$projects_list_description_width = 42;
+ \$projects_list_owner_width = 15;
+ \$search_str = "Filtre :";
+ \$site_footer = "/etc/gitweb/site_footer.html";
+ \$site_header = "/etc/gitweb/site_header.html";
+ \$site_name = "git.$vm_domainname";
+ @stylesheets = ("static/gitweb.css");#
+ EOF
+sudo install -m 400 -o fcgi-"$sv" -g fcgi-"$sv" /dev/stdin \
+ /etc/gitweb/home_text.html <<-EOF
+ <h2>Forge logicielle publique de l'Heureux Cyclage</h2>
+ <p>Pour récupérer un dépôt public :</p>
+ <pre>git clone git://git.heureux-cyclage.org/<projet></pre>
+ EOF
+
+sudo ln -fns \
+ /etc/gitweb \
+ ~git/etc/gitweb
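Review bot: The home text written on L926-929 contains `<projet>` unescaped inside `<pre>`, so browsers parse it as an HTML tag and the placeholder vanishes from the rendered clone example; it should read `<pre>git clone git://git.heureux-cyclage.org/&lt;projet&gt;</pre>`. `@stylesheets = ("static/gitweb.css");#` on L922 ends with a stray `#` (an empty Perl comment) that looks like a leftover. `$git_temp = "/run/shm/tmp/gitweb"` on L903 points gitweb's scratch files at a path under the shared /run/shm, and nothing in this hunk creates that directory with an owner; if it is left for gitweb to create at first use under a world-writable parent, the usual shared-temp-directory hazards apply, so creating it here with `install -d -m 700 -o fcgi-"$sv" -g fcgi-"$sv"` alongside /etc/gitweb (L893-894) would pin its ownership.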
+++ /dev/null
-home=~www/log/"$sv"/spawn-fcgi
-
-rule adduser log-fcgi-"$sv" \
- --disabled-login \
- --disabled-password \
- --group \
- --home "$home" \
- --shell /bin/false \
- --system
-
-sudo install -d -m 770 -o log-fcgi-"$sv" -g log-fcgi-"$sv" \
- "$home"
--- /dev/null
+home=~www/log/"$sv"/spawn-fcgi
+
+"$tool"/local/adduser log-fcgi-"$sv" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home" \
+ --shell /bin/false \
+ --system
+
+sudo install -d -m 770 -o log-fcgi-"$sv" -g log-fcgi-"$sv" \
+ "$home"
+++ /dev/null
-rule _www_configure
-
-home=~www-data/"$sv"
-
-rule adduser fcgi-"$sv" \
- --disabled-login \
- --disabled-password \
- --group \
- --home "$home" \
- --shell /bin/false \
- --system
--- /dev/null
+"$tool"/local/www-init
+
+home=~www-data/"$sv"
+
+"$tool"/local/adduser fcgi-"$sv" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home" \
+ --shell /bin/false \
+ --system
+++ /dev/null
-home=~www/log/"$sv"/spawn-fcgi
-
-rule adduser log-fcgi-"$sv" \
- --disabled-login \
- --disabled-password \
- --group \
- --home "$home" \
- --shell /bin/false \
- --system
-
-sudo install -d -m 770 -o log-fcgi-"$sv" -g log-fcgi-"$sv" \
- "$home"
-
-cd "$home"
-exec chpst -u log-fcgi-"$sv":log-fcgi-"$sv" \
- svlogd -v -tt "$home"
--- /dev/null
+home=~www/log/"$sv"/spawn-fcgi
+
+"$tool"/local/adduser log-fcgi-"$sv" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home" \
+ --shell /bin/false \
+ --system
+
+sudo install -d -m 770 -o log-fcgi-"$sv" -g log-fcgi-"$sv" \
+ "$home"
+
+cd "$home"
+exec chpst -u log-fcgi-"$sv":log-fcgi-"$sv" \
+ svlogd -v -tt "$home"
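Review bot: This fragment is identical to L1002-1013 of the preceding file and then ends with `cd "$home"` and `exec chpst -u … svlogd -v -tt "$home"` (L1015-1017); `exec` replaces the calling shell with svlogd, so if this file is sourced by the configure tool like its sibling, nothing after it in the caller ever runs, and if it is instead the service's log/run script, the adduser and `sudo install -d` steps on L1004-1013 re-run on every restart of the log service. Either the setup lines or the exec line belongs in a different file; a header comment naming which role this file plays would settle it. The file's path is not visible in this chunk, so the role is inferred from its contents.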
+++ /dev/null
-rule apt_get_install mysql-server-5.5
-rule insserv_remove mysql
-
-eval "home=~$sv"
-
-rule adduser mysql \
- --disabled-login \
- --disabled-password \
- --group \
- --home "$home" \
- --shell /bin/false \
- --system
-rule adduser mysql-data \
- --disabled-login \
- --disabled-password \
- --group \
- --home "$home"/data \
- --no-create-home \
- --shell /bin/false \
- --system
-sudo usermod --home "$home" mysql
-sudo adduser mysql mysql-data
-sudo install -d -m 755 -o mysql -g mysql \
- "$home" \
- "$home"/bin
-sudo rm -rf /etc/mysql
-sudo install -d -m 750 -o mysql -g mysql-data \
- /etc/mysql \
- /etc/mysql/conf.d \
- "$home"/etc
-sudo ln -fns \
- /etc/mysql \
- "$home"/etc/mysql
-sudo install -m 644 -o mysql -g mysql \
- "$tool"/etc/mysql/my.cnf \
- /etc/mysql/my.cnf
-if sudo test ! -d "$home"/data
- then
- sudo install -d -m 750 -o mysql -g mysql-data \
- "$home"/data
- sudo -u mysql mysql_install_db \
- --datadir="$home"/data \
- --no-defaults
- fi
-
-sudo find "$tool"/etc/mysql/bin/ -type f -perm /+x -exec \
- install -m 755 -o root -g root \
- -t /home/mysql/bin/ {} +
-
-sudo ln -fns \
- ../sv/"$sv" \
- /etc/service/"$sv"
-rule _runit_sv_start "$sv"
-while ! sudo -u mysql mysql -u mysql </dev/null
-do sleep 1; done
-
-# NOTE:
-# - ajoute l'accès par socket Unix à mysql
-# - ajoute les droits de super-utilisateur à mysql
-# - supprime l'accès par mot-de-passe à root
-# - supprime les bases de données de l'utilisateurice anonyme
-# - supprime l'utilisateurice anonyme
-# NOTE: mémo :
-# GRANT USAGE ON *.* TO 'root'@'*' IDENTIFIED WITH auth_socket;
-# CREATE USER 'root'@'localhost' IDENTIFIED WITH auth_socket;
-# UPDATE mysql.user SET Password='' WHERE user='root';
-# DELETE FROM mysql.user WHERE user = 'root' AND host NOT IN ('localhost', '127.0.0.1', '::1');
-sudo mysql -u root --batch --verbose <<-EOF
- DELETE FROM mysql.user WHERE user = 'root' and plugin = '';
-
- DROP PROCEDURE IF EXISTS mysql.create_user_mysql;
- DELIMITER //
- CREATE PROCEDURE mysql.create_user_mysql ()
- BEGIN
- IF NOT (EXISTS (SELECT User
- FROM mysql.user
- WHERE User='mysql'
- AND Host='localhost'
- LIMIT 1))
- THEN GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' IDENTIFIED WITH auth_socket;
- END IF;
- END;
- //
- CALL mysql.create_user_mysql();
- DROP PROCEDURE mysql.create_user_mysql;
- UPDATE mysql.user SET grant_priv='Y',super_priv='Y' WHERE user='mysql';
- DELETE FROM mysql.db WHERE user = '';
- DELETE FROM mysql.user WHERE user = '';
-
- DROP PROCEDURE IF EXISTS mysql.create_user;
- CREATE PROCEDURE mysql.create_user (username VARCHAR(16), hostname VARCHAR(60))
- BEGIN
- IF NOT (EXISTS (SELECT User
- FROM mysql.user
- WHERE User = username
- AND Host = hostname
- LIMIT 1))
- THEN
- SET @QUERY = CONCAT("CREATE USER ", username, "@", hostname, " IDENTIFIED WITH auth_socket");
- PREPARE stmt FROM @QUERY;
- EXECUTE stmt;
- END IF;
- END;
- //
-
- DROP PROCEDURE IF EXISTS mysql.create_database;
- CREATE PROCEDURE mysql.create_database (dbname VARCHAR(16), username VARCHAR(16), hostname VARCHAR(60))
- BEGIN
- IF NOT (EXISTS (SELECT SCHEMA_NAME
- FROM INFORMATION_SCHEMA.SCHEMATA
- WHERE SCHEMA_NAME = dbname
- LIMIT 1))
- THEN
- SET @QUERY = CONCAT("CREATE DATABASE ", dbname, " CHARACTER SET utf8 COLLATE utf8_general_ci");
- PREPARE stmt FROM @QUERY;
- EXECUTE stmt;
- END IF;
- SET @QUERY = CONCAT("GRANT ALL PRIVILEGES ON ", dbname, ".* TO ", username, "@", hostname);
- PREPARE stmt FROM @QUERY;
- EXECUTE stmt;
- END;
- //
-
- FLUSH PRIVILEGES;
- EOF
--- /dev/null
+"$tool"/local/apt-get-install mysql-server-5.5
+"$tool"/local/insserv-remove mysql
+
+eval "home=~$sv"
+
+"$tool"/local/adduser mysql \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home" \
+ --shell /bin/false \
+ --system
+"$tool"/local/adduser mysql-data \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home"/data \
+ --no-create-home \
+ --shell /bin/false \
+ --system
+sudo usermod --home "$home" mysql
+sudo adduser mysql mysql-data
+sudo install -d -m 755 -o mysql -g mysql \
+ "$home" \
+ "$home"/bin
+sudo rm -rf /etc/mysql
+sudo install -d -m 750 -o mysql -g mysql-data \
+ /etc/mysql \
+ /etc/mysql/conf.d \
+ "$home"/etc
+sudo ln -fns \
+ /etc/mysql \
+ "$home"/etc/mysql
+sudo install -m 644 -o mysql -g mysql \
+ "$tool"/etc/mysql/my.cnf \
+ /etc/mysql/my.cnf
+if sudo test ! -d "$home"/data
+ then
+ sudo install -d -m 750 -o mysql -g mysql-data \
+ "$home"/data
+ sudo -u mysql mysql_install_db \
+ --datadir="$home"/data \
+ --no-defaults
+ fi
+
+sudo find "$tool"/etc/mysql/bin/ -type f -perm /+x -exec \
+ install -m 755 -o root -g root \
+ -t /home/mysql/bin/ {} +
+
+sudo ln -fns \
+ ../sv/"$sv" \
+ /etc/service/"$sv"
+"$tool"/local/runit-sv-start "$sv"
+while ! sudo -u mysql mysql -u mysql </dev/null
+do sleep 1; done
+
+# NOTE:
+# - ajoute l'accès par socket Unix à mysql
+# - ajoute les droits de super-utilisateur à mysql
+# - supprime l'accès par mot-de-passe à root
+# - supprime les bases de données de l'utilisateurice anonyme
+# - supprime l'utilisateurice anonyme
+# NOTE: mémo :
+# GRANT USAGE ON *.* TO 'root'@'*' IDENTIFIED WITH auth_socket;
+# CREATE USER 'root'@'localhost' IDENTIFIED WITH auth_socket;
+# UPDATE mysql.user SET Password='' WHERE user='root';
+# DELETE FROM mysql.user WHERE user = 'root' AND host NOT IN ('localhost', '127.0.0.1', '::1');
+sudo mysql -u root --batch --verbose <<-EOF
+ DELETE FROM mysql.user WHERE user = 'root' and plugin = '';
+
+ DROP PROCEDURE IF EXISTS mysql.create_user_mysql;
+ DELIMITER //
+ CREATE PROCEDURE mysql.create_user_mysql ()
+ BEGIN
+ IF NOT (EXISTS (SELECT User
+ FROM mysql.user
+ WHERE User='mysql'
+ AND Host='localhost'
+ LIMIT 1))
+ THEN GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' IDENTIFIED WITH auth_socket;
+ END IF;
+ END;
+ //
+ CALL mysql.create_user_mysql();
+ DROP PROCEDURE mysql.create_user_mysql;
+ UPDATE mysql.user SET grant_priv='Y',super_priv='Y' WHERE user='mysql';
+ DELETE FROM mysql.db WHERE user = '';
+ DELETE FROM mysql.user WHERE user = '';
+
+ DROP PROCEDURE IF EXISTS mysql.create_user;
+ CREATE PROCEDURE mysql.create_user (username VARCHAR(16), hostname VARCHAR(60))
+ BEGIN
+ IF NOT (EXISTS (SELECT User
+ FROM mysql.user
+ WHERE User = username
+ AND Host = hostname
+ LIMIT 1))
+ THEN
+ SET @QUERY = CONCAT("CREATE USER ", username, "@", hostname, " IDENTIFIED WITH auth_socket");
+ PREPARE stmt FROM @QUERY;
+ EXECUTE stmt;
+ END IF;
+ END;
+ //
+
+ DROP PROCEDURE IF EXISTS mysql.create_database;
+ CREATE PROCEDURE mysql.create_database (dbname VARCHAR(16), username VARCHAR(16), hostname VARCHAR(60))
+ BEGIN
+ IF NOT (EXISTS (SELECT SCHEMA_NAME
+ FROM INFORMATION_SCHEMA.SCHEMATA
+ WHERE SCHEMA_NAME = dbname
+ LIMIT 1))
+ THEN
+ SET @QUERY = CONCAT("CREATE DATABASE ", dbname, " CHARACTER SET utf8 COLLATE utf8_general_ci");
+ PREPARE stmt FROM @QUERY;
+ EXECUTE stmt;
+ END IF;
+ SET @QUERY = CONCAT("GRANT ALL PRIVILEGES ON ", dbname, ".* TO ", username, "@", hostname);
+ PREPARE stmt FROM @QUERY;
+ EXECUTE stmt;
+ END;
+ //
+
+ FLUSH PRIVILEGES;
+ EOF
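Review bot: The helper executables are installed into the literal `/home/mysql/bin/` while the directory created earlier in the file is `"$home"/bin`, so the two disagree whenever `$home` (taken from `~$sv`) is not `/home/mysql`; the `find … -exec install` should use `-t "$home"/bin/ {} +`. `DELIMITER //` is never switched back, so the statements between `CALL mysql.create_user_mysql();` and the `create_user` body, and the trailing `FLUSH PRIVILEGES;`, reach the server only through the client's multi-statement and end-of-input handling; a `DELIMITER ;` after the last `//` (with `//` terminating the procedure bodies only) makes that explicit. The `mysql.create_user` and `mysql.create_database` procedures splice their arguments into SQL with `CONCAT`; passing the user and host through `QUOTE()` and backtick-quoting `dbname` keeps a caller-supplied name from altering the statement, which matters because the procedures run with the definer's privileges. `eval "home=~$sv"` also passes `$sv` through the shell; the svlogd run file below uses the same construct.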
+++ /dev/null
-eval "home=~$sv/log"
-
-rule adduser log-"$sv" \
- --disabled-login \
- --disabled-password \
- --group \
- --home "$home" \
- --shell /bin/false \
- --system
-
-sudo install -d -m 770 -o log-"$sv" -g log-"$sv" \
- "$home"
--- /dev/null
+eval "home=~$sv/log"
+
+"$tool"/local/adduser log-"$sv" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home" \
+ --shell /bin/false \
+ --system
+
+sudo install -d -m 770 -o log-"$sv" -g log-"$sv" \
+ "$home"
+++ /dev/null
-rule _runit_sv_configure php5-fpm '*'
-rule _runit_sv_restart php5-fpm
-rule apt_get_install nginx spawn-fcgi fcgiwrap
-rule insserv_remove nginx
-rule insserv_remove fcgiwrap
-
-rule _www_configure
-
-sudo install -d -m 770 -o www -g www \
- /etc/nginx \
- /etc/nginx/conf.d \
- /etc/nginx/site.d \
- /etc/nginx/x509.d
-sudo ln -fns \
- /etc/nginx \
- /home/www/etc/nginx
-sudo install -m 660 -o www -g www \
- "$tool"/etc/nginx/nginx.conf \
- /etc/nginx/nginx.conf
-
-for conf in $(find "$tool"/etc/nginx/conf.d \
- -mindepth 1 -maxdepth 1 -type f \
- -name '*.conf' \
- -printf '%f\n')
- do
- sudo install -m 660 -o www -g www \
- "$tool"/etc/nginx/conf.d/"$conf" \
- /etc/nginx/conf.d/"$conf"
- done
-
-for site in $(find "$tool"/etc/nginx/site.d \
- -mindepth 1 -maxdepth 1 -type d \
- -false ${@:+$(printf -- '-or -name %s\n' "$@")} \
- -printf '%f\n')
- do
- rule adduser www-"$site" \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/www/pub/"$site" \
- --shell /bin/false \
- --system
- rule adduser log-www-"$site" \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/www/log/"$site"/nginx \
- --shell /bin/false \
- --system
- sudo install -d -m 771 -o log-www -g log-www \
- /home/www/log/"$site"
- sudo install -d -m 770 -o www -g www \
- /etc/nginx/site.d/"$site"
- sudo install -d -m 770 -o www -g www \
- /etc/nginx/x509.d/"$site"
- sudo test -L /home/www/pub/"$site" ||
- sudo install -d -m 2770 -o www-"$site" -g www-"$site" \
- /home/www/pub/"$site"
- sudo adduser www-data www-"$site"
- sudo adduser www-data log-www-"$site"
- sudo install -m 660 -o www -g www \
- "$tool"/etc/nginx/site.d/"$site"/local.conf \
- /etc/nginx/site.d/"$site"/local.conf
- test ! -e "$tool"/etc/nginx/site.d/"$site"/http.conf ||
- sudo install -m 660 -o www -g www \
- "$tool"/etc/nginx/site.d/"$site"/http.conf \
- /etc/nginx/site.d/"$site"/http.conf
- if test -L "$tool"/etc/nginx/site.d/"$site"/site.conf
- then
- sudo cp --force --preserve=links --no-dereference \
- "$tool"/etc/nginx/site.d/"$site"/site.conf \
- /etc/nginx/site.d/"$site"/site.conf
- else
- sudo install -m 660 -o www -g www \
- "$tool"/etc/nginx/site.d/"$site"/site.conf \
- /etc/nginx/site.d/"$site"/site.conf
- fi
- sudo install -m 660 -o www -g www /dev/stdin \
- /etc/nginx/site.d/"$site"/server.conf <<-EOF
- server {
- access_log /home/www/log/$site/nginx/access.log main;
- error_log /home/www/log/$site/nginx/error.log warn;
- root /home/www/pub/$site;
- include /etc/nginx/site.d/$site/local.conf;
- include /etc/nginx/site.d/$site/site.conf;
- }
- EOF
- (
- test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
- . "$tool"/etc/nginx/site.d/"$site"/configure.sh || return 1
- )
- done
--- /dev/null
+"$tool"/local/runit-sv-configure php5-fpm '*'
+"$tool"/local/runit-sv-restart php5-fpm
+"$tool"/local/apt-get-install nginx spawn-fcgi fcgiwrap
+"$tool"/local/insserv-remove nginx
+"$tool"/local/insserv-remove fcgiwrap
+
+"$tool"/local/www-init
+
+sudo install -d -m 770 -o www -g www \
+ /etc/nginx \
+ /etc/nginx/conf.d \
+ /etc/nginx/site.d \
+ /etc/nginx/x509.d
+sudo ln -fns \
+ /etc/nginx \
+ /home/www/etc/nginx
+sudo install -m 660 -o www -g www \
+ "$tool"/etc/nginx/nginx.conf \
+ /etc/nginx/nginx.conf
+
+for conf in $(find "$tool"/etc/nginx/conf.d \
+ -mindepth 1 -maxdepth 1 -type f \
+ -name '*.conf' \
+ -printf '%f\n')
+ do
+ sudo install -m 660 -o www -g www \
+ "$tool"/etc/nginx/conf.d/"$conf" \
+ /etc/nginx/conf.d/"$conf"
+ done
+
+for site in $(find "$tool"/etc/nginx/site.d \
+ -mindepth 1 -maxdepth 1 -type d \
+ -false ${@:+$(printf -- '-or -name %s\n' "$@")} \
+ -printf '%f\n')
+ do
+ "$tool"/local/adduser www-"$site" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/www/pub/"$site" \
+ --shell /bin/false \
+ --system
+ "$tool"/local/adduser log-www-"$site" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/www/log/"$site"/nginx \
+ --shell /bin/false \
+ --system
+ sudo install -d -m 771 -o log-www -g log-www \
+ /home/www/log/"$site"
+ sudo install -d -m 770 -o www -g www \
+ /etc/nginx/site.d/"$site"
+ sudo install -d -m 770 -o www -g www \
+ /etc/nginx/x509.d/"$site"
+ sudo test -L /home/www/pub/"$site" ||
+ sudo install -d -m 2770 -o www-"$site" -g www-"$site" \
+ /home/www/pub/"$site"
+ sudo adduser www-data www-"$site"
+ sudo adduser www-data log-www-"$site"
+ sudo install -m 660 -o www -g www \
+ "$tool"/etc/nginx/site.d/"$site"/local.conf \
+ /etc/nginx/site.d/"$site"/local.conf
+ test ! -e "$tool"/etc/nginx/site.d/"$site"/http.conf ||
+ sudo install -m 660 -o www -g www \
+ "$tool"/etc/nginx/site.d/"$site"/http.conf \
+ /etc/nginx/site.d/"$site"/http.conf
+ if test -L "$tool"/etc/nginx/site.d/"$site"/site.conf
+ then
+ sudo cp --force --preserve=links --no-dereference \
+ "$tool"/etc/nginx/site.d/"$site"/site.conf \
+ /etc/nginx/site.d/"$site"/site.conf
+ else
+ sudo install -m 660 -o www -g www \
+ "$tool"/etc/nginx/site.d/"$site"/site.conf \
+ /etc/nginx/site.d/"$site"/site.conf
+ fi
+ sudo install -m 660 -o www -g www /dev/stdin \
+ /etc/nginx/site.d/"$site"/server.conf <<-EOF
+ server {
+ access_log /home/www/log/$site/nginx/access.log main;
+ error_log /home/www/log/$site/nginx/error.log warn;
+ root /home/www/pub/$site;
+ include /etc/nginx/site.d/$site/local.conf;
+ include /etc/nginx/site.d/$site/site.conf;
+ }
+ EOF
+ (
+ test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
+ . "$tool"/etc/nginx/site.d/"$site"/configure.sh || return 1
+ )
+ done
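Review bot: A failing per-site `configure.sh` is silently ignored: the `. … || return 1` runs inside `( … )`, so the `return` only ends the subshell, and its exit status is discarded because nothing follows the closing parenthesis; writing `) || return 1` makes the loop abort as intended (the old side had the same gap). The `return` implies this file is sourced inside a function that starts outside the hunk. `for site in $(find …)` word-splits the output, so a site directory whose name contains whitespace or glob characters is mishandled; `-printf '%f\0'` with `while IFS= read -r -d '' site` would be robust.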
do
if test -f "$tool"/etc/nginx/site.d/"$site"/x509_host
then
- rule _x509_site_key_decrypt \
+ "$tool"/remote/site-x509-key-decrypt
"$(cat "$tool"/etc/nginx/site.d/"$site"/x509_host)" |
- rule ssh -l root ' \
+ "$tool"/remote/ssh -l root ' \
sudo install -d -m 770 -o root -g root \
/etc/nginx \
/etc/nginx/x509.d \
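Review bot: The line-continuation backslash that ended `rule _x509_site_key_decrypt \` is missing on its replacement line, so `"$(cat …/x509_host)" |` is now a pipeline stage of its own: the decrypt script runs without its argument and the content of the x509_host file is executed as a command whose output feeds the ssh stage (unless the backslash was lost in rendering). The line should read `"$tool"/remote/site-x509-key-decrypt \`, as the postfix counterpart further down does. The enclosing loop and the ssh command continue outside the hunk.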
+++ /dev/null
-rule apt_get_install nsd
-rule insserv_remove nsd3
-
-sudo install -d -m 750 -o root -g nsd \
- /etc/nsd3/zone.d
-{
- cat <<-EOF
- server:
- ip-address: $vm_ipv4
- ip4-only: yes
- EOF
- cat "$tool"/etc/nsd3/nsd.conf
- for zone in $(find "$tool"/etc/nsd3/zone.d \
- -mindepth 1 -maxdepth 1 -type f \
- -false ${@:+$(printf -- '-or -name %s.conf\n' "$@")} \
- -printf '%f\n')
- do zone=${zone%.conf}
- if test -e "$tool"/etc/nsd3/zone.d/"$zone".zone.m4
- then m4 \
- --define=ZONE_DOMAIN=$zone \
- --define=ZONE_SERIAL=$(cd "$tool" && git log -1 --format="%ct" -- etc/nsd3/zone.d/"$zone".zone.m4) \
- --define=VM_IP4=$vm_ipv4 \
- "$tool"/etc/nsd3/zone.d/"$zone".zone.m4
- else cat "$tool"/etc/nsd3/zone.d/"$zone".zone
- fi |
- sudo install -m 440 -o root -g nsd /dev/stdin \
- /etc/nsd3/zone.d/"$zone".zone
- cat <<-EOF
- zone:
- name: $zone
- zonefile: /etc/nsd3/zone.d/$zone.zone
- $(cat "$tool"/etc/nsd3/zone.d/"$zone".conf)
- EOF
- done
-} |
-sudo install -m 640 -o root -g nsd /dev/stdin \
- /etc/nsd3/nsd.conf
-
-rule _runit_sv_start "$sv"
-sudo nsdc rebuild
-sudo nsdc reload
-#sudo nsdc notify
--- /dev/null
+"$tool"/local/apt-get-install nsd
+"$tool"/local/insserv-remove nsd3
+
+sudo install -d -m 750 -o root -g nsd \
+ /etc/nsd3/zone.d
+{
+ cat <<-EOF
+ server:
+ ip-address: $vm_ipv4
+ ip4-only: yes
+ EOF
+ cat "$tool"/etc/nsd3/nsd.conf
+ for zone in $(find "$tool"/etc/nsd3/zone.d \
+ -mindepth 1 -maxdepth 1 -type f \
+ -false ${@:+$(printf -- '-or -name %s.conf\n' "$@")} \
+ -printf '%f\n')
+ do zone=${zone%.conf}
+ if test -e "$tool"/etc/nsd3/zone.d/"$zone".zone.m4
+ then m4 \
+ --define=ZONE_DOMAIN=$zone \
+ --define=ZONE_SERIAL=$(cd "$tool" && git log -1 --format="%ct" -- etc/nsd3/zone.d/"$zone".zone.m4) \
+ --define=VM_IP4=$vm_ipv4 \
+ "$tool"/etc/nsd3/zone.d/"$zone".zone.m4
+ else cat "$tool"/etc/nsd3/zone.d/"$zone".zone
+ fi |
+ sudo install -m 440 -o root -g nsd /dev/stdin \
+ /etc/nsd3/zone.d/"$zone".zone
+ cat <<-EOF
+ zone:
+ name: $zone
+ zonefile: /etc/nsd3/zone.d/$zone.zone
+ $(cat "$tool"/etc/nsd3/zone.d/"$zone".conf)
+ EOF
+ done
+} |
+sudo install -m 640 -o root -g nsd /dev/stdin \
+ /etc/nsd3/nsd.conf
+
+"$tool"/local/runit-sv-start "$sv"
+sudo nsdc rebuild
+sudo nsdc reload
+#sudo nsdc notify
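Review bot: `ZONE_SERIAL` is the timestamp of the last commit touching `"$zone".zone.m4` alone, so a zone whose rendered content changes only through `VM_IP4` keeps its previous serial and secondaries will not refresh; if the VM address is expected to change, the serial should be derived from something that also reflects that input. The `--define=ZONE_DOMAIN=$zone` and `--define=ZONE_SERIAL=$(…)` arguments are unquoted and should be `--define=ZONE_DOMAIN="$zone"` and `--define=ZONE_SERIAL="$(…)"` for consistency with the rest of the file. `for zone in $(find …)` is word-split in the same way as the site loop in the nginx file.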
+++ /dev/null
-# NOTE: http://my.opera.com/marcomarongiu/blog/2011/01/05/independent-wallclock-in-xen-4
-
-rule apt_get_install ntp
-rule insserv_remove ntp
-
-sudo install -m 644 -o root -g root /dev/stdin /etc/timezone <<-EOF
- Europe/Paris
- EOF
-sudo debconf-set-selections <<-EOF
- tzdata tzdata/Areas select Europe
- tzdata tzdata/Zones/Europe select Paris
- EOF
-rule dpkg_reconfigure tzdata
--- /dev/null
+# NOTE: http://my.opera.com/marcomarongiu/blog/2011/01/05/independent-wallclock-in-xen-4
+
+"$tool"/local/apt-get-install ntp
+"$tool"/local/insserv-remove ntp
+
+sudo install -m 644 -o root -g root /dev/stdin /etc/timezone <<-EOF
+ Europe/Paris
+ EOF
+sudo debconf-set-selections <<-EOF
+ tzdata tzdata/Areas select Europe
+ tzdata tzdata/Zones/Europe select Paris
+ EOF
+"$tool"/local/dpkg-reconfigure tzdata
+++ /dev/null
-rule apt_get_install php5-fpm php-apc php5-mysql php5-gd
-rule insserv_remove php5-fpm
-
-rule _www_configure
-
-rule adduser php5 \
- --disabled-login \
- --disabled-password \
- --group \
- --home /etc/php5/fpm \
- --shell /bin/false \
- --system
-rule adduser log-php5 \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/www/log/php5/fpm \
- --shell /bin/false \
- --system
-sudo ln -fns \
- /etc/php5/fpm \
- /home/www/etc/php5
-sudo install -d -m 770 -o php5 -g php5 \
- /etc/php5/fpm/conf.d \
- /etc/php5/fpm/pool.d
-sudo install -m 440 -o php5 -g php5 \
- "$tool"/etc/php5/fpm/php-fpm.conf \
- /etc/php5/fpm/php-fpm.conf
-sudo install -m 664 -o php5 -g php5 \
- "$tool"/etc/php5/fpm/php.ini \
- /etc/php5/fpm/php.ini
-for conf in $(
- test ! -d "$tool"/etc/php5/fpm/conf.d ||
- find "$tool"/etc/php5/fpm/conf.d \
- -mindepth 1 -maxdepth 1 -type f \
- -name '*.conf' \
- -printf '%f\n')
- do
- sudo install -m 660 -o php5 -g php5 \
- "$tool"/etc/php5/fpm/conf.d/"$conf" \
- /etc/php5/fpm/conf.d/"$conf"
- done
-for pool in $(find "$tool"/etc/php5/fpm/pool.d/ \
- -mindepth 1 -maxdepth 1 -type d \
- -false ${@:+$(printf -- '-or -name %s.conf\n' "$@")} \
- -printf '%f\n')
- do pool=${pool%\.conf}
- rule adduser php5_"$pool" \
- --disabled-login \
- --disabled-password \
- --group \
- --no-create-home \
- --home /etc/php5/fpm/pool.d \
- --shell /bin/false \
- --system
- rule adduser log-php5-"$pool" \
- --disabled-login \
- --disabled-password \
- --group \
- --no-create-home \
- --home /home/www/log/php5/fpm/"$pool" \
- --shell /bin/false \
- --system
- sudo install -d -m 770 -o log-php5 -g log-php5 \
- /home/www/log/php5 \
- /home/www/log/php5/fpm
- sudo install -d -m 770 -o log-php5-"$pool" -g log-php5-"$pool" \
- /home/www/log/php5/fpm/"$pool"
- sudo install -m 660 -o php5 -g php5 /dev/stdin \
- /etc/php5/fpm/pool.d/"$pool".conf <<-EOF
- [$pool]
- access.log = /home/www/log/php5/fpm/$pool/access.log
- catch_workers_output = yes
- chdir = /
- env[HOSTNAME] = \$HOSTNAME
- env[TEMP] = /tmp
- env[TMPDIR] = /tmp
- env[TMP] = /tmp
- group = php5_$pool
- #listen = 127.0.0.1:9000
- listen = /run/php5/fpm/$pool
- #listen.allowed_clients = 127.0.0.1
- listen.group = www-data
- listen.mode = 0660
- #listen.owner = www-data
- listen.backlog = -1
- pm = dynamic
- pm.max_children = 5
- pm.max_requests = 200
- pm.max_spare_servers = 4
- pm.min_spare_servers = 2
- pm.start_servers = 3
- pm.status_path = /status
- request_slowlog_timeout = 5s
- request_terminate_timeout = 120s
- rlimit_core = unlimited
- rlimit_files = 131072
- slowlog = /home/www/log/php5/fpm/$pool/slow.log
- user = php5_$pool
- $(cat "$tool"/etc/php5/fpm/pool.d/"$pool".conf)
- EOF
- done
--- /dev/null
+"$tool"/local/apt-get-install php5-fpm php-apc php5-mysql php5-gd
+"$tool"/local/insserv-remove php5-fpm
+
+"$tool"/local/www-init
+
+"$tool"/local/adduser php5 \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /etc/php5/fpm \
+ --shell /bin/false \
+ --system
+"$tool"/local/adduser log-php5 \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/www/log/php5/fpm \
+ --shell /bin/false \
+ --system
+sudo ln -fns \
+ /etc/php5/fpm \
+ /home/www/etc/php5
+sudo install -d -m 770 -o php5 -g php5 \
+ /etc/php5/fpm/conf.d \
+ /etc/php5/fpm/pool.d
+sudo install -m 440 -o php5 -g php5 \
+ "$tool"/etc/php5/fpm/php-fpm.conf \
+ /etc/php5/fpm/php-fpm.conf
+sudo install -m 664 -o php5 -g php5 \
+ "$tool"/etc/php5/fpm/php.ini \
+ /etc/php5/fpm/php.ini
+for conf in $(
+ test ! -d "$tool"/etc/php5/fpm/conf.d ||
+ find "$tool"/etc/php5/fpm/conf.d \
+ -mindepth 1 -maxdepth 1 -type f \
+ -name '*.conf' \
+ -printf '%f\n')
+ do
+ sudo install -m 660 -o php5 -g php5 \
+ "$tool"/etc/php5/fpm/conf.d/"$conf" \
+ /etc/php5/fpm/conf.d/"$conf"
+ done
+for pool in $(find "$tool"/etc/php5/fpm/pool.d/ \
+ -mindepth 1 -maxdepth 1 -type d \
+ -false ${@:+$(printf -- '-or -name %s.conf\n' "$@")} \
+ -printf '%f\n')
+ do pool=${pool%\.conf}
+ "$tool"/local/adduser php5_"$pool" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --no-create-home \
+ --home /etc/php5/fpm/pool.d \
+ --shell /bin/false \
+ --system
+ "$tool"/local/adduser log-php5-"$pool" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --no-create-home \
+ --home /home/www/log/php5/fpm/"$pool" \
+ --shell /bin/false \
+ --system
+ sudo install -d -m 770 -o log-php5 -g log-php5 \
+ /home/www/log/php5 \
+ /home/www/log/php5/fpm
+ sudo install -d -m 770 -o log-php5-"$pool" -g log-php5-"$pool" \
+ /home/www/log/php5/fpm/"$pool"
+ sudo install -m 660 -o php5 -g php5 /dev/stdin \
+ /etc/php5/fpm/pool.d/"$pool".conf <<-EOF
+ [$pool]
+ access.log = /home/www/log/php5/fpm/$pool/access.log
+ catch_workers_output = yes
+ chdir = /
+ env[HOSTNAME] = \$HOSTNAME
+ env[TEMP] = /tmp
+ env[TMPDIR] = /tmp
+ env[TMP] = /tmp
+ group = php5_$pool
+ #listen = 127.0.0.1:9000
+ listen = /run/php5/fpm/$pool
+ #listen.allowed_clients = 127.0.0.1
+ listen.group = www-data
+ listen.mode = 0660
+ #listen.owner = www-data
+ listen.backlog = -1
+ pm = dynamic
+ pm.max_children = 5
+ pm.max_requests = 200
+ pm.max_spare_servers = 4
+ pm.min_spare_servers = 2
+ pm.start_servers = 3
+ pm.status_path = /status
+ request_slowlog_timeout = 5s
+ request_terminate_timeout = 120s
+ rlimit_core = unlimited
+ rlimit_files = 131072
+ slowlog = /home/www/log/php5/fpm/$pool/slow.log
+ user = php5_$pool
+ $(cat "$tool"/etc/php5/fpm/pool.d/"$pool".conf)
+ EOF
+ done
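Review bot: The pool loop asks `find` for `-type d` entries named `<pool>.conf`, yet the body strips `.conf` and then `cat`s `"$tool"/etc/php5/fpm/pool.d/"$pool".conf`, which only works for a regular file; the nsd zone loop uses `-type f` for the same pattern and this one presumably should too: `-mindepth 1 -maxdepth 1 -type f \`. As written, no pool is configured unless pool.d holds directories named `*.conf`, and then the `cat` fails. Separately, `rlimit_core = unlimited` lets every worker write core dumps that can contain request data and credentials; leaving it at the default unless debugging is the safer setting.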
+++ /dev/null
-local hint="run before: ./vm_remote runit_configure postfix"
-assert "sudo test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
-#warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
-sudo debconf-set-selections <<-EOF
- postfix postfix/main_mailer_type select No configuration
- EOF
-rule apt_get_install postfix procmail postfix-pcre
-rule insserv_remove postfix
-sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
- *.db
- EOF
-sudo install -d -m 771 -o root -g root \
- /etc/postfix/ \
- /etc/postfix/$vm_domainname/ \
- /etc/postfix/$vm_domainname/smtp \
- /etc/postfix/$vm_domainname/smtp/x509 \
- /etc/postfix/$vm_domainname/smtp/x509/ca \
- /etc/postfix/$vm_domainname/smtpd \
- /etc/postfix/$vm_domainname/smtpd/x509 \
- /etc/postfix/$vm_domainname/smtpd/x509/ca
-sudo ln -fns \
- ../crt+crl.self-signed.pem \
- /etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
-sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \
- /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
-sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/smtpd.$vm_domainname/crt.pem \
- /etc/postfix/$vm_domainname/smtpd/x509/crt.pem
-sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+ca.pem \
- /etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem
-sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \
- /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
-sudo install -m 640 -o root -g root \
- "$tool"/etc/postfix/$vm_domainname/header_checks \
- /etc/postfix/$vm_domainname/header_checks
-m4 \
- --define=VM_DOMAINNAME="$vm_domainname" \
- <"$tool"/etc/postfix/aliases.m4 |
-sudo install -m 644 -o root -g root /dev/stdin \
- /etc/postfix/aliases
-sudo newaliases -oA/etc/postfix/aliases
-sudo ln -fns \
- /etc/postfix/aliases \
- /etc/aliases
-cat /dev/stdin "$tool"/etc/postfix/main.cf <<-EOF |
- mydomain = $vm_domainname
- myorigin = \$mydomain
- myhostname = $vm_hostname.\$mydomain
- mail_name = \$myhostname
- mydestination = $vm_hostname \$myhostname \$myorigin
- EOF
-sudo install -m 644 -o root -g root /dev/stdin \
- /etc/postfix/main.cf
-sudo install -m 640 -o root -g root \
- "$tool"/etc/postfix/master.cf \
- /etc/postfix/master.cf
-sudo install -m 640 -o root -g root \
- "$tool"/etc/postfix/$vm_domainname/smtp/x509/policy \
- /etc/postfix/$vm_domainname/smtp/x509/policy
-sudo postmap hash:/etc/postfix/$vm_domainname/smtp/x509/policy
-sudo install -m 640 -o root -g root \
- "$tool"/etc/postfix/$vm_domainname/smtp/header_checks \
- /etc/postfix/$vm_domainname/smtp/header_checks
-sudo install -m 640 -o root -g root \
- "$tool"/etc/postfix/$vm_domainname/smtpd/sender_access \
- /etc/postfix/$vm_domainname/smtpd/sender_access
-sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/sender_access
-sudo install -m 640 -o root -g root \
- "$tool"/etc/postfix/$vm_domainname/smtpd/client_blacklist \
- /etc/postfix/$vm_domainname/smtpd/client_blacklist
-sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/client_blacklist
-sudo install -m 640 -o root -g root \
- "$tool"/etc/postfix/$vm_domainname/smtpd/relay_clientcerts \
- /etc/postfix/$vm_domainname/smtpd/relay_clientcerts
-sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/relay_clientcerts
-sudo install -m 640 -o root -g root \
- "$tool"/etc/postfix/$vm_domainname/transport \
- /etc/postfix/$vm_domainname/transport
-sudo postmap hash:/etc/postfix/$vm_domainname/transport
-sudo install -m 640 -o root -g root \
- "$tool"/etc/postfix/$vm_domainname/virtual_alias \
- /etc/postfix/$vm_domainname/virtual_alias
-sudo postmap hash:/etc/postfix/$vm_domainname/virtual_alias
-sudo install -d -m 770 -o root -g root \
- /etc/skel/etc/mail \
- /etc/skel/var/cache/mail \
- /etc/skel/var/log/mail \
- /etc/skel/var/mail
-sudo install -m 660 -o root -g root \
- "$tool"/etc/skel/etc/mail/delivery.procmailrc \
- /etc/skel/etc/mail/delivery.procmailrc
-#-- SYMPA begin
-sudo install -d -m 755 -o root -g root \
- /etc/sympa
-#sudo -u sympa newaliases -oA/etc/mail/sympa/aliases
-sudo install -m 640 -o "$sv" -g sympa \
- "$tool"/etc/sympa/transport \
- /etc/sympa/transport
-sudo install -m 640 -o "$sv" -g sympa \
- "$tool"/etc/sympa/virtual_alias \
- /etc/sympa/virtual_alias
-#-- SYMPA end
--- /dev/null
+local hint="run before: ./vm_remote runit_configure postfix"
+assert "sudo test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
+#warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
+sudo debconf-set-selections <<-EOF
+ postfix postfix/main_mailer_type select No configuration
+ EOF
+"$tool"/local/apt-get-install postfix procmail postfix-pcre
+"$tool"/local/insserv-remove postfix
+sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
+ *.db
+ EOF
+sudo install -d -m 771 -o root -g root \
+ /etc/postfix/ \
+ /etc/postfix/$vm_domainname/ \
+ /etc/postfix/$vm_domainname/smtp \
+ /etc/postfix/$vm_domainname/smtp/x509 \
+ /etc/postfix/$vm_domainname/smtp/x509/ca \
+ /etc/postfix/$vm_domainname/smtpd \
+ /etc/postfix/$vm_domainname/smtpd/x509 \
+ /etc/postfix/$vm_domainname/smtpd/x509/ca
+sudo ln -fns \
+ ../crt+crl.self-signed.pem \
+ /etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
+sudo install -m 400 -o root -g root \
+ "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \
+ /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
+sudo install -m 400 -o root -g root \
+ "$tool"/var/pub/x509/smtpd.$vm_domainname/crt.pem \
+ /etc/postfix/$vm_domainname/smtpd/x509/crt.pem
+sudo install -m 400 -o root -g root \
+ "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+ca.pem \
+ /etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem
+sudo install -m 400 -o root -g root \
+ "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \
+ /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
+sudo install -m 640 -o root -g root \
+ "$tool"/etc/postfix/$vm_domainname/header_checks \
+ /etc/postfix/$vm_domainname/header_checks
+m4 \
+ --define=VM_DOMAINNAME="$vm_domainname" \
+ <"$tool"/etc/postfix/aliases.m4 |
+sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/postfix/aliases
+sudo newaliases -oA/etc/postfix/aliases
+sudo ln -fns \
+ /etc/postfix/aliases \
+ /etc/aliases
+cat /dev/stdin "$tool"/etc/postfix/main.cf <<-EOF |
+ mydomain = $vm_domainname
+ myorigin = \$mydomain
+ myhostname = $vm_hostname.\$mydomain
+ mail_name = \$myhostname
+ mydestination = $vm_hostname \$myhostname \$myorigin
+ EOF
+sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/postfix/main.cf
+sudo install -m 640 -o root -g root \
+ "$tool"/etc/postfix/master.cf \
+ /etc/postfix/master.cf
+sudo install -m 640 -o root -g root \
+ "$tool"/etc/postfix/$vm_domainname/smtp/x509/policy \
+ /etc/postfix/$vm_domainname/smtp/x509/policy
+sudo postmap hash:/etc/postfix/$vm_domainname/smtp/x509/policy
+sudo install -m 640 -o root -g root \
+ "$tool"/etc/postfix/$vm_domainname/smtp/header_checks \
+ /etc/postfix/$vm_domainname/smtp/header_checks
+sudo install -m 640 -o root -g root \
+ "$tool"/etc/postfix/$vm_domainname/smtpd/sender_access \
+ /etc/postfix/$vm_domainname/smtpd/sender_access
+sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/sender_access
+sudo install -m 640 -o root -g root \
+ "$tool"/etc/postfix/$vm_domainname/smtpd/client_blacklist \
+ /etc/postfix/$vm_domainname/smtpd/client_blacklist
+sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/client_blacklist
+sudo install -m 640 -o root -g root \
+ "$tool"/etc/postfix/$vm_domainname/smtpd/relay_clientcerts \
+ /etc/postfix/$vm_domainname/smtpd/relay_clientcerts
+sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/relay_clientcerts
+sudo install -m 640 -o root -g root \
+ "$tool"/etc/postfix/$vm_domainname/transport \
+ /etc/postfix/$vm_domainname/transport
+sudo postmap hash:/etc/postfix/$vm_domainname/transport
+sudo install -m 640 -o root -g root \
+ "$tool"/etc/postfix/$vm_domainname/virtual_alias \
+ /etc/postfix/$vm_domainname/virtual_alias
+sudo postmap hash:/etc/postfix/$vm_domainname/virtual_alias
+sudo install -d -m 770 -o root -g root \
+ /etc/skel/etc/mail \
+ /etc/skel/var/cache/mail \
+ /etc/skel/var/log/mail \
+ /etc/skel/var/mail
+sudo install -m 660 -o root -g root \
+ "$tool"/etc/skel/etc/mail/delivery.procmailrc \
+ /etc/skel/etc/mail/delivery.procmailrc
+#-- SYMPA begin
+sudo install -d -m 755 -o root -g root \
+ /etc/sympa
+#sudo -u sympa newaliases -oA/etc/mail/sympa/aliases
+sudo install -m 640 -o "$sv" -g sympa \
+ "$tool"/etc/sympa/transport \
+ /etc/sympa/transport
+sudo install -m 640 -o "$sv" -g sympa \
+ "$tool"/etc/sympa/virtual_alias \
+ /etc/sympa/virtual_alias
+#-- SYMPA end
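Review bot: The `hint` string still tells the operator to run `./vm_remote runit_configure postfix`, an entry point this commit replaces with the `remote/` scripts seen elsewhere in the diff; it should name the replacement command so an assertion failure does not point at a script that no longer exists. `crt+crl.self-signed.pem` is installed twice, by the first and the fourth `install -m 400` blocks — the second copy is redundant. `local hint=` implies this file runs inside a function that starts outside the hunk.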
-rule _x509_site_key_decrypt smtpd."$vm_domainname" |
-rule ssh -l root ' \
+"$tool"/remote/site-x509-key-decrypt \
+ smtpd."$vm_domainname" |
+"$tool"/remote/ssh -l root ' \
sudo install -d -m 770 -o root -g root \
/etc/postfix/'"$vm_domainname"'/ \
/etc/postfix/'"$vm_domainname"'/smtpd \
+++ /dev/null
-# DOC: http://wiki.postgresql.org/wiki/Shared_Database_Hosting
-
-#rule apt_get_install postgresql-9.1
-rule insserv_remove postgresql
-rule adduser postgres \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/postgresql \
- --shell /bin/false \
- --system
-rule adduser postgres-data \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/postgresql/data \
- --no-create-home \
- --shell /bin/false \
- --system
-sudo usermod --home /home/postgresql postgres
-sudo adduser postgres postgres-data
-sudo rm -rf \
- /etc/postgresql
-sudo install -d -m 1751 -o postgres -g postgres-data \
- /home/postgresql \
- /home/postgresql/etc \
- /home/postgresql/bin \
- /etc/postgresql \
- /etc/postgresql/9.1 \
- /etc/postgresql/9.1/main
-sudo ln -fns \
- /etc/postgresql \
- /home/postgresql/etc/postgresql
-
-if sudo test ! -d /home/postgresql/data
- then
- sudo install -d -m 750 -o postgres -g postgres \
- /home/postgresql/data
- sudo -u postgres pg_createcluster \
- --datadir=/home/postgresql/data \
- --logfile=/home/postgresql/log/9.1/main/cluster.log \
- --socketdir=/run/postgresql \
- 9.1 main
- fi
-
-sudo install -m 640 -o postgres -g postgres /dev/stdin \
- /etc/postgresql/9.1/main/pg_ctl.conf <<-EOF
- pg_ctl_options = ''
- EOF
-sudo install -m 640 -o postgres -g postgres /dev/stdin \
- /etc/postgresql/9.1/main/pg_ident.conf <<-EOF
- # MAPNAME SYSTEM-USERNAME PG-USERNAME
- admin postgres postgres
- admin root postgres
- EOF
-sudo install -m 640 -o postgres -g postgres /dev/stdin \
- /etc/postgresql/9.1/main/start.conf <<-EOF
- EOF
-sudo install -m 640 -o postgres -g postgres /dev/stdin \
- /etc/postgresql/9.1/main/pg_hba.conf <<-EOF
- local all postgres peer map=admin
- local all all peer
- EOF
-sudo install -m 640 -o postgres -g postgres-data \
- "$tool"/etc/postgresql/9.1/main/postgresql.conf \
- /etc/postgresql/9.1/main/postgresql.conf
-sudo find "$tool"/etc/postgresql/bin/ -type f -perm /+x -exec \
- install -m 755 -o root -g root \
- -t /home/postgresql/bin/ {} +
-
-sudo ln -fns \
- ../sv/"$sv" \
- /etc/service/"$sv"
-rule _runit_sv_start "$sv"
-while ! sudo -u postgres psql </dev/null
-do sleep 1; done
-
-# NOTE: supprime l'accès au schéma public depuis public,
-# de sorte à ce que les différents utilisateurices
-# ne voient pas leurs bases de données entre-elleux ;
-sudo -u postgres psql template1 -a -f - <<-EOF
- \set ON_ERROR_STOP on
- REVOKE ALL ON DATABASE template1 FROM public;
- REVOKE ALL ON SCHEMA public FROM public;
- GRANT ALL ON SCHEMA public TO postgres;
- EOF
-# NOTE: ajoute le support de PL/PGSQL s'il ne l'est pas déjà.
-sudo -u postgres psql template1 -a -f - <<-EOF
- \set ON_ERROR_STOP on
- CREATE OR REPLACE FUNCTION create_language_plpgsql()
- RETURNS BOOLEAN AS \$\$
- CREATE LANGUAGE plpgsql;
- SELECT TRUE;
- \$\$ LANGUAGE SQL;
- SELECT CASE WHEN NOT (
- SELECT TRUE AS exists
- FROM pg_language
- WHERE lanname = 'plpgsql'
- UNION
- SELECT FALSE AS exists
- ORDER BY exists DESC
- LIMIT 1
- )
- THEN
- create_language_plpgsql()
- ELSE
- FALSE
- END AS plpgsql_created;
- DROP FUNCTION create_language_plpgsql();
- EOF
-# NOTE: supprime l'accès à la liste des bases données
-# et utilisateurices depuis public.
-sudo -u postgres psql template1 -a -f - <<-EOF
- \set ON_ERROR_STOP on
- REVOKE ALL ON ALL TABLES IN SCHEMA pg_catalog FROM public;
- REVOKE ALL ON SCHEMA pg_catalog FROM public;
- -- REVOKE ALL ON pg_auth_members FROM public;
- -- REVOKE ALL ON pg_authid FROM public;
- -- REVOKE ALL ON pg_database FROM public;
- -- REVOKE ALL ON pg_group FROM public;
- -- REVOKE ALL ON pg_roles FROM public;
- -- REVOKE ALL ON pg_settings FROM public;
- -- REVOKE ALL ON pg_tablespace FROM public;
- -- REVOKE ALL ON pg_user FROM public;
- EOF
--- /dev/null
+# DOC: http://wiki.postgresql.org/wiki/Shared_Database_Hosting
+
+#"$tool"/local/apt-get-install postgresql-9.1
+"$tool"/local/insserv-remove postgresql
+"$tool"/local/adduser postgres \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/postgresql \
+ --shell /bin/false \
+ --system
+"$tool"/local/adduser postgres-data \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/postgresql/data \
+ --no-create-home \
+ --shell /bin/false \
+ --system
+sudo usermod --home /home/postgresql postgres
+sudo adduser postgres postgres-data
+sudo rm -rf \
+ /etc/postgresql
+sudo install -d -m 1751 -o postgres -g postgres-data \
+ /home/postgresql \
+ /home/postgresql/etc \
+ /home/postgresql/bin \
+ /etc/postgresql \
+ /etc/postgresql/9.1 \
+ /etc/postgresql/9.1/main
+sudo ln -fns \
+ /etc/postgresql \
+ /home/postgresql/etc/postgresql
+
+if sudo test ! -d /home/postgresql/data
+ then
+ sudo install -d -m 750 -o postgres -g postgres \
+ /home/postgresql/data
+ sudo -u postgres pg_createcluster \
+ --datadir=/home/postgresql/data \
+ --logfile=/home/postgresql/log/9.1/main/cluster.log \
+ --socketdir=/run/postgresql \
+ 9.1 main
+ fi
+
+sudo install -m 640 -o postgres -g postgres /dev/stdin \
+ /etc/postgresql/9.1/main/pg_ctl.conf <<-EOF
+ pg_ctl_options = ''
+ EOF
+sudo install -m 640 -o postgres -g postgres /dev/stdin \
+ /etc/postgresql/9.1/main/pg_ident.conf <<-EOF
+ # MAPNAME SYSTEM-USERNAME PG-USERNAME
+ admin postgres postgres
+ admin root postgres
+ EOF
+sudo install -m 640 -o postgres -g postgres /dev/stdin \
+ /etc/postgresql/9.1/main/start.conf <<-EOF
+ EOF
+sudo install -m 640 -o postgres -g postgres /dev/stdin \
+ /etc/postgresql/9.1/main/pg_hba.conf <<-EOF
+ local all postgres peer map=admin
+ local all all peer
+ EOF
+sudo install -m 640 -o postgres -g postgres-data \
+ "$tool"/etc/postgresql/9.1/main/postgresql.conf \
+ /etc/postgresql/9.1/main/postgresql.conf
+sudo find "$tool"/etc/postgresql/bin/ -type f -perm /+x -exec \
+ install -m 755 -o root -g root \
+ -t /home/postgresql/bin/ {} +
+
+sudo ln -fns \
+ ../sv/"$sv" \
+ /etc/service/"$sv"
+"$tool"/local/runit-sv-start "$sv"
+while ! sudo -u postgres psql </dev/null
+do sleep 1; done
+
+# NOTE: supprime l'accès au schéma public depuis public,
+# de sorte à ce que les différents utilisateurices
+# ne voient pas leurs bases de données entre-elleux ;
+sudo -u postgres psql template1 -a -f - <<-EOF
+ \set ON_ERROR_STOP on
+ REVOKE ALL ON DATABASE template1 FROM public;
+ REVOKE ALL ON SCHEMA public FROM public;
+ GRANT ALL ON SCHEMA public TO postgres;
+ EOF
+# NOTE: ajoute le support de PL/PGSQL s'il ne l'est pas déjà.
+sudo -u postgres psql template1 -a -f - <<-EOF
+ \set ON_ERROR_STOP on
+ CREATE OR REPLACE FUNCTION create_language_plpgsql()
+ RETURNS BOOLEAN AS \$\$
+ CREATE LANGUAGE plpgsql;
+ SELECT TRUE;
+ \$\$ LANGUAGE SQL;
+ SELECT CASE WHEN NOT (
+ SELECT TRUE AS exists
+ FROM pg_language
+ WHERE lanname = 'plpgsql'
+ UNION
+ SELECT FALSE AS exists
+ ORDER BY exists DESC
+ LIMIT 1
+ )
+ THEN
+ create_language_plpgsql()
+ ELSE
+ FALSE
+ END AS plpgsql_created;
+ DROP FUNCTION create_language_plpgsql();
+ EOF
+# NOTE: supprime l'accès à la liste des bases données
+# et utilisateurices depuis public.
+sudo -u postgres psql template1 -a -f - <<-EOF
+ \set ON_ERROR_STOP on
+ REVOKE ALL ON ALL TABLES IN SCHEMA pg_catalog FROM public;
+ REVOKE ALL ON SCHEMA pg_catalog FROM public;
+ -- REVOKE ALL ON pg_auth_members FROM public;
+ -- REVOKE ALL ON pg_authid FROM public;
+ -- REVOKE ALL ON pg_database FROM public;
+ -- REVOKE ALL ON pg_group FROM public;
+ -- REVOKE ALL ON pg_roles FROM public;
+ -- REVOKE ALL ON pg_settings FROM public;
+ -- REVOKE ALL ON pg_tablespace FROM public;
+ -- REVOKE ALL ON pg_user FROM public;
+ EOF
+++ /dev/null
-eval "home=~$sv/log/9.1/main"
-
-rule adduser log-"$sv" \
- --disabled-login \
- --disabled-password \
- --group \
- --home "$home" \
- --shell /bin/false \
- --system
-
-sudo install -d -m 2770 -o "$sv" -g log-"$sv" \
- "$home" \
- "$home"/9.1 \
- "$home"/9.1/main
--- /dev/null
+eval "home=~$sv/log/9.1/main"
+
+"$tool"/local/adduser log-"$sv" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home" \
+ --shell /bin/false \
+ --system
+
+sudo install -d -m 2770 -o "$sv" -g log-"$sv" \
+ "$home" \
+ "$home"/9.1 \
+ "$home"/9.1/main
+++ /dev/null
-rule apt_get_install postgrey
-rule insserv_remove postgrey
--- /dev/null
+"$tool"/local/apt-get-install postgrey
+"$tool"/local/insserv-remove postgrey
+++ /dev/null
-rule apt_get_install openssh-server
-rule insserv_remove ssh
-ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
-( while IFS= read -r line
- do case $line in (*" RSA") return 0; break;; esac
- done; return 1 ) ||
-sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
-sudo rm -f \
- /etc/ssh/ssh_host_dsa_key \
- /etc/ssh/ssh_host_dsa_key.pub \
- /etc/ssh/ssh_host_ecdsa_key \
- /etc/ssh/ssh_host_ecdsa_key.pub
- # NOTE: clefs générées par Debian
-m4 \
- --define=VM_IPV4=$vm_ipv4 \
- <"$tool"/etc/ssh/sshd_config.m4 |
-sudo install -m 640 -o root -g root /dev/stdin \
- /etc/ssh/sshd_config
-sudo install -m 644 -o root -g root \
- "$tool"/etc/ssh/ssh_config \
- /etc/ssh/ssh_config
--- /dev/null
+"$tool"/local/apt-get-install openssh-server
+"$tool"/local/insserv-remove ssh
+ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
+( while IFS= read -r line
+ do case $line in (*" RSA") return 0; break;; esac
+ done; return 1 ) ||
+sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
+sudo rm -f \
+ /etc/ssh/ssh_host_dsa_key \
+ /etc/ssh/ssh_host_dsa_key.pub \
+ /etc/ssh/ssh_host_ecdsa_key \
+ /etc/ssh/ssh_host_ecdsa_key.pub
+ # NOTE: clefs générées par Debian
+m4 \
+ --define=VM_IPV4=$vm_ipv4 \
+ <"$tool"/etc/ssh/sshd_config.m4 |
+sudo install -m 640 -o root -g root /dev/stdin \
+ /etc/ssh/sshd_config
+sudo install -m 644 -o root -g root \
+ "$tool"/etc/ssh/ssh_config \
+ /etc/ssh/ssh_config
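Review bot: The guard at L2346–L2350 decides whether to generate the RSA host key from the repository's known_hosts record rather than from the presence of `/etc/ssh/ssh_host_rsa_key` on the VM, so a recorded host whose key file is missing (after a reinstall, say) gets no key and sshd presumably cannot start, while an unrecorded host whose key already exists makes ssh-keygen prompt to overwrite. A file check is the more direct guard, `sudo test -e /etc/ssh/ssh_host_rsa_key || sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key`, keeping the known_hosts lookup only to warn that the recorded key will change. `return` inside the `( … )` subshell at L2348–L2349 is only valid when this file is sourced; `exit 0`/`exit 1` express the subshell's status portably. Whether the `*" RSA"` pattern ever matches depends on the known_hosts line format, which is not visible here.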
+++ /dev/null
-home=/home/sympa
-
-rule _runit_sv_configure postgres
-rule _runit_sv_start postgres
-while ! sudo -u postgres psql </dev/null
-do sleep 1; done
-~postgres/bin/createuser "$sv"
-sudo -u postgres psql template1 -a -f - <<-EOF
- \set ON_ERROR_STOP on
- -- NOTE: pour /usr/share/sympa/lib/Upgrade.pm
- -- appelant DBI->tables
- GRANT USAGE ON SCHEMA pg_catalog TO $sv;
- GRANT SELECT ON TABLE pg_catalog.pg_class TO $sv;
- GRANT SELECT ON TABLE pg_catalog.pg_description TO $sv;
- GRANT SELECT ON TABLE pg_catalog.pg_namespace TO $sv;
- GRANT SELECT ON TABLE pg_catalog.pg_tablespace TO $sv;
- -- NOTE: pour /usr/share/sympa/bin/create_db.Pg
- -- CREATE SCHEMA $sv AUTHORIZATION $sv;
- -- XXX: ne fonctionne pas à cause de cette vermine :
- -- https://sourcesup.renater.fr/tracker/index.php?func=detail&aid=7459&group_id=23&atid=167
- -- du coup on met les tables de SYMPA dans le schema public :
- GRANT USAGE,CREATE ON SCHEMA public TO $sv;
- EOF
-
-rule adduser "$sv" \
- --disabled-login \
- --disabled-password \
- --group \
- --home "$home" \
- --shell /bin/false \
- --system
-sudo adduser sympa postgres-data
-
-sudo install -d -m 770 -o "$sv" -g "$sv" \
- "$home" \
- "$home"/list_data \
- "$home"/spool
-sudo install -d -m 755 -o root -g root \
- /etc/sympa \
- /etc/sympa/x509.d
-sudo install -m 644 -o root -g root \
- /dev/stdin \
- /etc/sympa/.gitignore <<-EOF
- key_passwd
- EOF
-m4 \
- --define=VM_DOMAINNAME="$vm_domainname" \
- --define=HOME="$home" \
- "$tool"/etc/sympa/sympa.conf.m4 |
-sudo install -m 640 -o "$sv" -g "$sv" /dev/stdin \
- /etc/sympa/sympa.conf
-sudo install -m 644 -o "$sv" -g "$sv" /dev/stdin \
- /etc/sympa/facility <<-EOF
- mail
- EOF
-
-for host in $(find "$tool"/etc/sympa/host.d \
- -mindepth 1 -maxdepth 1 -type d \
- -printf '%f\n')
- do
- sudo install -d -m 770 -o "$sv" -g "$sv" \
- /etc/sympa/"$host"
- m4 \
- --define=HOST="$host" \
- "$tool"/etc/sympa/host.d/"$host"/robot.conf.m4 |
- sudo install -m 440 -o "$sv" -g "$sv" /dev/stdin \
- /etc/sympa/"$host"/robot.conf
- sudo install -d -m 770 -o "$sv" -g "$sv" \
- "$home"/list_data/"$host"
- done
-
-sudo debconf-set-selections <<-EOF || true
- sympa sympa/app-password-confirm password
- sympa sympa/password-confirm password
- # Mot de passe de connexion PostgreSQL pour sympa :
- sympa sympa/dbconfig-install boolean true
- sympa sympa/pgsql/app-pass password
- ##sympa sympa/mysql/admin-pass password
- sympa sympa/pgsql/admin-pass password
- # Mot de passe de connexion MySQL pour sympa :
- ##sympa sympa/mysql/app-pass password
- # Faut-il configurer la base de données de sympa avec dbconfig-common ?
- sympa sympa/dbconfig-install boolean true
- # Nom d'hôte du serveur pour sympa :
- sympa sympa/remote/newhost string
- sympa sympa/listmaster string postmaster@$vm_domainname
- sympa wwsympa/wwsympa_url string https://$sv.$vm_domainname/wws
- sympa wwsympa/webserver_restart boolean false
- sympa sympa/remote/port string
- sympa sympa/pgsql/manualconf note
- # Faut-il sauvegarder la base de données pour sympa avant la mise à jour ?
- sympa sympa/upgrade-backup boolean true
- sympa sympa/pgsql/changeconf boolean false
- # Nom d'hôte du serveur « sympa » :
- sympa sympa/hostname string $sv.$vm_domainname
- sympa sympa/pgsql/authmethod-user select unix socket
- # Faut-il mettre à jour la base de données pour sympa avec dbconfig-common ?
- sympa sympa/dbconfig-upgrade boolean true
- sympa sympa/use_soap boolean false
- # Nom de la base de données pour sympa :
- sympa sympa/db/dbname string $sv
- sympa sympa/internal/skip-preseed boolean true
- # Type de serveur de bases de données à utiliser avec sympa :
- sympa sympa/database-type select pgsql
- # Répertoire pour la base de données pour sympa :
- sympa sympa/db/basepath string
- # Nom d'hôte du serveur de bases de données pour sympa :
- sympa sympa/remote/host select /run/postgresql/
- sympa wwsympa/fastcgi boolean true
- sympa sympa/internal/reconfiguring boolean false
- # Identifiant pour sympa :
- sympa sympa/db/app-user string $sv
- # Faut-il purger la base de données pour sympa ?
- sympa sympa/purge boolean false
- sympa sympa/remove-error select abort
- sympa wwsympa/webserver_type select Other
- ##sympa sympa/mysql/admin-user string root
- # Faut-il défaire la configuration de la base de donnée de sympa avec dbconfig-common ?
- sympa sympa/dbconfig-remove boolean
- # Méthode de connexion pour la base de données MySQL de sympa:
- ##sympa sympa/mysql/method select unix socket
- # Faut-il réinstaller la base de données pour sympa ?
- sympa sympa/dbconfig-reinstall boolean false
- sympa sympa/pgsql/admin-user string postgres
- sympa sympa/upgrade-error select abort
- sympa sympa/language select fr
- # Méthode de connexion pour la base de données PostgreSQL de sympa :
- sympa sympa/pgsql/method select unix socket
- sympa sympa/install-error select abort
- #sympa sympa/pgsql/no-empty-passwords error
- sympa sympa/pgsql/authmethod-admin select unix socket
- EOF
-sudo install -d -m 755 -o root -g root \
- /etc/dbconfig-common
-sudo install -m 600 -o root -g root /dev/stdin \
- /etc/dbconfig-common/sympa.conf <<-EOF
- dbc_authmethod_admin='ident'
- dbc_authmethod_user='ident'
- dbc_basepath=''
- dbc_dbadmin='postgres'
- dbc_dbname='sympa'
- dbc_dbpass=''
- dbc_dbport=''
- dbc_dbserver='/run/postgresql'
- dbc_dbtype='pgsql'
- dbc_dbuser='$sv'
- dbc_install='true'
- dbc_remove=''
- dbc_ssl=''
- dbc_upgrade='true'
- EOF
-
-! sudo etckeeper unclean ||
-sudo etckeeper commit -m "rule_runit_configure $sv"
-
-rule apt_get_install --no-install-recommends sympa
- # NOTE: évite d'installer apache2 ..
-
-rule insserv_remove sympa
--- /dev/null
+home=/home/sympa
+
+"$tool"/local/runit-sv-configure postgres
+"$tool"/local/runit-sv-start postgres
+while ! sudo -u postgres psql </dev/null
+do sleep 1; done
+~postgres/bin/createuser "$sv"
+sudo -u postgres psql template1 -a -f - <<-EOF
+ \set ON_ERROR_STOP on
+ -- NOTE: pour /usr/share/sympa/lib/Upgrade.pm
+ -- appelant DBI->tables
+ GRANT USAGE ON SCHEMA pg_catalog TO $sv;
+ GRANT SELECT ON TABLE pg_catalog.pg_class TO $sv;
+ GRANT SELECT ON TABLE pg_catalog.pg_description TO $sv;
+ GRANT SELECT ON TABLE pg_catalog.pg_namespace TO $sv;
+ GRANT SELECT ON TABLE pg_catalog.pg_tablespace TO $sv;
+ -- NOTE: pour /usr/share/sympa/bin/create_db.Pg
+ -- CREATE SCHEMA $sv AUTHORIZATION $sv;
+ -- XXX: ne fonctionne pas à cause de cette vermine :
+ -- https://sourcesup.renater.fr/tracker/index.php?func=detail&aid=7459&group_id=23&atid=167
+ -- du coup on met les tables de SYMPA dans le schema public :
+ GRANT USAGE,CREATE ON SCHEMA public TO $sv;
+ EOF
+
+"$tool"/local/adduser "$sv" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home" \
+ --shell /bin/false \
+ --system
+sudo adduser sympa postgres-data
+
+sudo install -d -m 770 -o "$sv" -g "$sv" \
+ "$home" \
+ "$home"/list_data \
+ "$home"/spool
+sudo install -d -m 755 -o root -g root \
+ /etc/sympa \
+ /etc/sympa/x509.d
+sudo install -m 644 -o root -g root \
+ /dev/stdin \
+ /etc/sympa/.gitignore <<-EOF
+ key_passwd
+ EOF
+m4 \
+ --define=VM_DOMAINNAME="$vm_domainname" \
+ --define=HOME="$home" \
+ "$tool"/etc/sympa/sympa.conf.m4 |
+sudo install -m 640 -o "$sv" -g "$sv" /dev/stdin \
+ /etc/sympa/sympa.conf
+sudo install -m 644 -o "$sv" -g "$sv" /dev/stdin \
+ /etc/sympa/facility <<-EOF
+ mail
+ EOF
+
+for host in $(find "$tool"/etc/sympa/host.d \
+ -mindepth 1 -maxdepth 1 -type d \
+ -printf '%f\n')
+ do
+ sudo install -d -m 770 -o "$sv" -g "$sv" \
+ /etc/sympa/"$host"
+ m4 \
+ --define=HOST="$host" \
+ "$tool"/etc/sympa/host.d/"$host"/robot.conf.m4 |
+ sudo install -m 440 -o "$sv" -g "$sv" /dev/stdin \
+ /etc/sympa/"$host"/robot.conf
+ sudo install -d -m 770 -o "$sv" -g "$sv" \
+ "$home"/list_data/"$host"
+ done
+
+sudo debconf-set-selections <<-EOF || true
+ sympa sympa/app-password-confirm password
+ sympa sympa/password-confirm password
+ # Mot de passe de connexion PostgreSQL pour sympa :
+ sympa sympa/dbconfig-install boolean true
+ sympa sympa/pgsql/app-pass password
+ ##sympa sympa/mysql/admin-pass password
+ sympa sympa/pgsql/admin-pass password
+ # Mot de passe de connexion MySQL pour sympa :
+ ##sympa sympa/mysql/app-pass password
+ # Faut-il configurer la base de données de sympa avec dbconfig-common ?
+ sympa sympa/dbconfig-install boolean true
+ # Nom d'hôte du serveur pour sympa :
+ sympa sympa/remote/newhost string
+ sympa sympa/listmaster string postmaster@$vm_domainname
+ sympa wwsympa/wwsympa_url string https://$sv.$vm_domainname/wws
+ sympa wwsympa/webserver_restart boolean false
+ sympa sympa/remote/port string
+ sympa sympa/pgsql/manualconf note
+ # Faut-il sauvegarder la base de données pour sympa avant la mise à jour ?
+ sympa sympa/upgrade-backup boolean true
+ sympa sympa/pgsql/changeconf boolean false
+ # Nom d'hôte du serveur « sympa » :
+ sympa sympa/hostname string $sv.$vm_domainname
+ sympa sympa/pgsql/authmethod-user select unix socket
+ # Faut-il mettre à jour la base de données pour sympa avec dbconfig-common ?
+ sympa sympa/dbconfig-upgrade boolean true
+ sympa sympa/use_soap boolean false
+ # Nom de la base de données pour sympa :
+ sympa sympa/db/dbname string $sv
+ sympa sympa/internal/skip-preseed boolean true
+ # Type de serveur de bases de données à utiliser avec sympa :
+ sympa sympa/database-type select pgsql
+ # Répertoire pour la base de données pour sympa :
+ sympa sympa/db/basepath string
+ # Nom d'hôte du serveur de bases de données pour sympa :
+ sympa sympa/remote/host select /run/postgresql/
+ sympa wwsympa/fastcgi boolean true
+ sympa sympa/internal/reconfiguring boolean false
+ # Identifiant pour sympa :
+ sympa sympa/db/app-user string $sv
+ # Faut-il purger la base de données pour sympa ?
+ sympa sympa/purge boolean false
+ sympa sympa/remove-error select abort
+ sympa wwsympa/webserver_type select Other
+ ##sympa sympa/mysql/admin-user string root
+ # Faut-il défaire la configuration de la base de donnée de sympa avec dbconfig-common ?
+ sympa sympa/dbconfig-remove boolean
+ # Méthode de connexion pour la base de données MySQL de sympa:
+ ##sympa sympa/mysql/method select unix socket
+ # Faut-il réinstaller la base de données pour sympa ?
+ sympa sympa/dbconfig-reinstall boolean false
+ sympa sympa/pgsql/admin-user string postgres
+ sympa sympa/upgrade-error select abort
+ sympa sympa/language select fr
+ # Méthode de connexion pour la base de données PostgreSQL de sympa :
+ sympa sympa/pgsql/method select unix socket
+ sympa sympa/install-error select abort
+ #sympa sympa/pgsql/no-empty-passwords error
+ sympa sympa/pgsql/authmethod-admin select unix socket
+ EOF
+sudo install -d -m 755 -o root -g root \
+ /etc/dbconfig-common
+sudo install -m 600 -o root -g root /dev/stdin \
+ /etc/dbconfig-common/sympa.conf <<-EOF
+ dbc_authmethod_admin='ident'
+ dbc_authmethod_user='ident'
+ dbc_basepath=''
+ dbc_dbadmin='postgres'
+ dbc_dbname='sympa'
+ dbc_dbpass=''
+ dbc_dbport=''
+ dbc_dbserver='/run/postgresql'
+ dbc_dbtype='pgsql'
+ dbc_dbuser='$sv'
+ dbc_install='true'
+ dbc_remove=''
+ dbc_ssl=''
+ dbc_upgrade='true'
+ EOF
+
+! sudo etckeeper unclean ||
+sudo etckeeper commit -m "rule_runit_configure $sv"
+
+"$tool"/local/apt-get-install --no-install-recommends sympa
+ # NOTE: évite d'installer apache2 ..
+
+"$tool"/local/insserv-remove sympa
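Review bot: L2557 `sudo adduser sympa postgres-data` and L2666 `dbc_dbname='sympa'` hard-code the service name while the rest of the file derives it from `$sv` (L2550, L2626, L2671), so renaming the service would silently split the configuration; use `sudo adduser "$sv" postgres-data` and `dbc_dbname='$sv'`. The `|| true` on `debconf-set-selections` at L2597 hides every preseed error, which is presumably there to tolerate templates that do not exist before the package is installed; a comment such as `# NOTE: || true: templates are unknown until sympa is installed` would record that and stop the next reader from tightening it.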
+++ /dev/null
-sudo apt-get install unbound
-rule insserv_remove unbound
-
-sudo install -m 644 -o root -g root /dev/stdin /etc/resolv.conf <<-EOF
- search ${vm_host#*.}
- nameserver 127.0.0.1
- #nameserver ${vm_host_nameserver}
- EOF
-sudo install -m 440 -o unbound -g unbound \
- "$tool"/etc/unbound/named.cache \
- /etc/unbound/named.cache
-
-m4 \
- --define=OUTGOING_INTERFACE=$vm_ipv4 \
- <"$tool"/etc/unbound/unbound.conf |
-sudo install -m 440 -o unbound -g unbound /dev/stdin \
- /etc/unbound/unbound.conf
--- /dev/null
+sudo apt-get install unbound
+"$tool"/local/insserv-remove unbound
+
+sudo install -m 644 -o root -g root /dev/stdin /etc/resolv.conf <<-EOF
+ search ${vm_host#*.}
+ nameserver 127.0.0.1
+ #nameserver ${vm_host_nameserver}
+ EOF
+sudo install -m 440 -o unbound -g unbound \
+ "$tool"/etc/unbound/named.cache \
+ /etc/unbound/named.cache
+
+m4 \
+ --define=OUTGOING_INTERFACE=$vm_ipv4 \
+ <"$tool"/etc/unbound/unbound.conf |
+sudo install -m 440 -o unbound -g unbound /dev/stdin \
+ /etc/unbound/unbound.conf
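Review bot: L2704 calls `sudo apt-get install unbound` directly while the sibling hunks go through the project helper (`"$tool"/local/apt-get-install`, L2319, L2344, L2681); the bare call is interactive (no `-y`) and bypasses whatever options the helper applies. Replace it with `"$tool"/local/apt-get-install unbound` for consistency.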
+++ /dev/null
-rule runit_configure sympa
-
-sv=sympa
-#home=~www-data/"$sv"
-home=~sympa/"$sv"
-
-#sudo adduser "$sv" www-sympa
-
-sudo install -d -o 2770 -o "$sv" -g "$sv" \
- "$home"/wwsarchive \
- "$home"/wwsbounce
-# TODO: quota
-
-m4 \
- --define=HOME="$home" \
- "$tool"/etc/sympa/wwsympa.conf.m4 |
-sudo install -m 640 -o "$sv" -g "$sv" /dev/stdin \
- /etc/sympa/wwsympa.conf
--- /dev/null
+"$tool"/local/runit-sv-configure sympa
+"$tool"/local/runit-sv-start sympa
+
+sv=sympa
+#home=~www-data/"$sv"
+home=~sympa/"$sv"
+
+#sudo adduser "$sv" www-sympa
+
+sudo install -d -o 2770 -o "$sv" -g "$sv" \
+ "$home"/wwsarchive \
+ "$home"/wwsbounce
+# TODO: quota
+
+m4 \
+ --define=HOME="$home" \
+ "$tool"/etc/sympa/wwsympa.conf.m4 |
+sudo install -m 640 -o "$sv" -g "$sv" /dev/stdin \
+ /etc/sympa/wwsympa.conf
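Review bot: L2750 passes `-o 2770` to `install -d`, which is an owner, not a mode; the following `-o "$sv"` overrides it, so `wwsarchive` and `wwsbounce` are created with install's default mode (0755) instead of the intended setgid 2770 and end up world-readable. The deleted file carried the same line (L2730), so the commit moves the defect rather than fixing it. Change it to `sudo install -d -m 2770 -o "$sv" -g "$sv" \`.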
+++ /dev/null
-rule user_add "$user" \
- --gecos "Cyclofficine de Paris Est,,,,contact@cyclocoop.org" \
--- /dev/null
+"$tool"/local/user-add "$user" \
+ --gecos "Cyclofficine de Paris Est,,,,contact@cyclocoop.org" \
+++ /dev/null
-rule user_add "$user" \
- --gecos "Heureux Cyclage,,,,contact@heureux-cyclage.org"
--- /dev/null
+"$tool"/local/user-add "$user" \
+ --gecos "Heureux Cyclage,,,,contact@heureux-cyclage.org"
+++ /dev/null
-rule user_add "$user" \
- --gecos "uN p’Tit véLo dAnS La Tête,,,,contact@ptitvelo.net"
--- /dev/null
+"$tool"/local/user-add "$user" \
+ --gecos "uN p’Tit véLo dAnS La Tête,,,,contact@ptitvelo.net"
+++ /dev/null
-rule user_add "$user" \
- --gecos "Vélorution Île-de-France,,,,contact@velorution.org"
--- /dev/null
+"$tool"/local/user-add "$user" \
+ --gecos "Vélorution Île-de-France,,,,contact@velorution.org"
+++ /dev/null
-rule user_add "$user" \
- --gecos "Comité Vélos en Ville Marseille,,,,contact@velosenville.org"
--- /dev/null
+"$tool"/local/user-add "$user" \
+ --gecos "Comité Vélos en Ville Marseille,,,,contact@velosenville.org"
+++ /dev/null
-#!/bin/sh
-# DESCRIPTION: ce fichier regroupe les variables propres à la VM
-
-readonly PATH=$PATH:/usr/sbin:/sbin
-readonly vm_domainname="heureux-cyclage.org"
-readonly vm_hostname="ateliers"
-readonly vm_fqdn="$vm_hostname.$vm_domainname"
-readonly vm=$vm_hostname
-readonly vm_host="rouf.grenode.net"
-readonly vm_host_nameserver="91.216.110.110"
-
-readonly vm_use_lvm="yes"
- # - sans LVM :
- # - on a accès au LVM de l'hôte, mais c'est pas très propre.
- # - pour l'extension de mémoire, on peut soit :
- # 1.1. étendre avec lvresize /dev/domU/$vm_fqdn-disk
- # 1.2. étendre avec sfdisk $vm_dev_disk_home
- # 1.3. étendre avec resize2fs /dev/mapper/${vm_lvm_lv}_home_deciphered
- # soit :
- # 2.1. créer une nouvelle partition sur le LVM de l'hôte
- # 2.2. l'ajouter comme un disque supplémentaire dans /etc/xen/$vm_fqdn.cfg
- # 2.3. le monter sur /home2 en pensant à changer DHOME=/home2 dans /etc/adduser.conf
- # - pour la sauvegarde: on peut soit :
- # 1. sauvegarder au niveau applicatif (pgdump, mysqldump, etckeeper, git)
- # 2. sauvegarder incrémentalement avec (duplicity, backup-ninja, BackupPC),
- # depuis l'hôte pour avoir un snapshot LVM.
- # - avec LVM :
- # - question ouverte de la performance du LVM dans du LVM.
- # - pour l'extension de mémoire, on peut soit :
- # 1.1. étendre avec lvresize /dev/domU/$vm_fqdn-disk
- # 1.1. étendre avec pvextend $vm_lvm_pv
- # 1.1. étendre avec lvresize /dev/${vm_lvm_vg}/${vm_lvm_lv}_home
- # 1.3. étendre avec resize2fs /dev/mapper/${vm_lvm_lv}_home_deciphered
- # - pour la sauvegarde: on peut soit :
- # 1. sauvegarder au niveau applicatif (pgdump, mysqldump, etckeeper, git)
- # 2. sauvegarder incrémentalement avec (duplicity, backup-ninja, BackupPC),
- # depuis la VM pour avoir un snapshot LVM.
-
-# Cartographie de la mémoire morte :
-# SATA2 * 2 (/dev/sd{a,b})
-# /dev/sda -> /dev/sda{1,2,3}
-# /dev/sdb -> /dev/sdb{1,2,3}
-# RAID1 logiciel
-# /dev/sd{a,b}1 -> /dev/md0
-# /dev/sd{a,b}2 -> /dev/md1
-# /dev/sd{a,b}3 -> /dev/md2
-# LVM
-# /dev/md0 -> dom0
-# /dev/md2 -> domU -> /dev/mapper/$vm_fqdn-disk
-# LVM
-# /dev/mapper/$vm_fqdn-disk -> /dev/xvda{1,2}
-# /dev/xvda2 -> /dev/mapper/${vm_lvm_vg}-${vm_lvm_lv}_{swap,root,var,home}
-
-case $vm_use_lvm in
- (no)
- ;;
- (yes)
- readonly vm_lvm_vg=$vm_fqdn
- readonly vm_lvm_lv=$vm
- ;;
- (*)
- exit 1;;
- esac
-
-readonly vm_raid_effective_disks=1 # NOTE: RAID1 (mirroring)
- # NOTE: julm@rouf:~$ sudo pvs /dev/md2 -o+pe_start
- # PV VG Fmt Attr PSize PFree 1st PE
- # /dev/md2 domU lvm2 a- 925,64g 470,64g 192,00k <- pas adapté au TRIM SSD, mais on utilise du SATA2
-readonly vm_e2fs_block_size=4096
- # NOTE: valeur standard pour un disque avec des secteurs de 512 octets :
- # julm@rouf:~$ grep . /sys/block/sd{a,b}/queue/*_block_size
- # /sys/block/sda/queue/logical_block_size:512
- # /sys/block/sda/queue/physical_block_size:512
- # /sys/block/sdb/queue/logical_block_size:512
- # /sys/block/sdb/queue/physical_block_size:512
-readonly vm_e2fs_stripe_size=
- # NOTE: égal au chunk size de mdadm --detail ;
- # mais ne concerne pas RAID1 où il n'y a pas de changement de disque à effectuer,
- # et donc pas de chunk size.
-readonly vm_e2fs_stride=${vm_e2fs_stripe_size:+$((vm_e2fs_stripe_size / vm_e2fs_block_size))}
-readonly vm_e2fs_stripe_width=${vm_e2fs_stride:+$((vm_e2fs_stride * vm_raid_effective_disks))}
- vm_e2fs_extended_options=${vm_e2fs_stride:+,stride=$vm_e2fs_stride}${vm_e2fs_stripe_width:+,stripe_width=$vm_e2fs_stripe_width}
-
-readonly vm_arch="amd64"
-readonly vm_bridge="br-gresille"
-readonly vm_ipv4="91.216.110.42" # NOTE: IPv4 publique assignée par Grésille
-readonly vm_lsb_name="wheezy"
-readonly vm_mac="00:16:3E:E5:98:42" # NOTE: addresse MAC assignée par Grésille
- # NOTE: on part sur wheezy dès le début
- # dans l'idée de ne pas s'embêter avec
- # une migration squeeze -> wheezy dans deux mois ;
- # et parce qu'on juge wheezy « suffisamment stable ».
-
-rule_env () { # DESCRIPTION: affiche les $vm_*
- set | grep '^vm_'
- }
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+"$tool"/host/disk-mount
+"$tool"/host/part-lvm-mount
+"$tool"/host/part-root-mount
+"$tool"/host/part-boot-mount
+"$tool"/host/part-var-mount
+#"$tool"/host/part-home-mount
+
+mountpoint -q /mnt/$vm_fqdn/proc ||
+sudo mount -t proc proc /mnt/$vm_fqdn/proc
+mountpoint -q /mnt/$vm_fqdn/sys ||
+sudo mount -t sysfs sys /mnt/$vm_fqdn/sys
+mountpoint -q /mnt/$vm_fqdn/dev ||
+sudo mount --bind /dev /mnt/$vm_fqdn/dev
+if test -d /mnt/$vm_fqdn/root/src/vm/.git
+ then
+ mountpoint -q /mnt/$vm_fqdn/root/src/vm ||
+ sudo mount --bind "$tool" /mnt/$vm_fqdn/root/src/vm
+ else
+ sudo rsync -a "$tool"/ /mnt/$vm_fqdn/root/src/vm
+ fi
+sudo chroot /mnt/$vm_fqdn /bin/bash || true
+"$tool"/host/chroot-clean
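Review bot: The new host scripts carry `-eu` only in the shebang (L2888, and likewise L2915, L2933, L2991, L3025, L3032, L3058, L3086 onwards) rather than in a `set -eu` line, so the options are lost whenever one of them is run as `sh script` or sourced, and the `mountpoint … ||` chains then continue past failures. Adding `set -eu` right after the shebang keeps the behaviour in both invocation modes. Separately, `sudo mount --bind "$tool"` at L2908 exposes the host's working tree read-write inside the chroot; if the chroot only needs to read it, a `sudo mount -o remount,ro,bind /mnt/$vm_fqdn/root/src/vm` after it limits what a script run inside can alter.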
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+! sudo mountpoint -q /mnt/$vm_fqdn/root/src/vm ||
+sudo umount -v /mnt/$vm_fqdn/root/src/vm
+! mountpoint -q /mnt/$vm_fqdn/dev ||
+sudo umount -v /mnt/$vm_fqdn/dev
+! mountpoint -q /mnt/$vm_fqdn/sys ||
+sudo umount -v /mnt/$vm_fqdn/sys
+! mountpoint -q /mnt/$vm_fqdn/proc ||
+sudo umount -v /mnt/$vm_fqdn/proc
+"$tool"/host/part-home-umount
+"$tool"/host/part-var-umount
+"$tool"/host/part-boot-umount
+"$tool"/host/part-root-umount
+"$tool"/host/disk-umount
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+"$tool"/host/disk-mount
+"$tool"/host/part-lvm-mount
+"$tool"/host/part-root-mount
+"$tool"/host/part-boot-mount
+"$tool"/host/part-var-mount
+sudo DEBOOTSTRAP_DIR=/usr/share/debootstrap/ LANG=C LC_CTYPE=C debootstrap \
+ --arch=$vm_arch --verbose --keyring=/usr/share/keyrings/debian-archive-keyring.gpg \
+ --exclude=vim-tiny \
+ --include=$(printf '%s,' \
+ acl \
+ bsdmainutils \
+ busybox \
+ ca-certificates \
+ console-setup \
+ cryptsetup \
+ dash \
+ dnsutils \
+ dropbear \
+ etckeeper \
+ git-core \
+ gnupg \
+ hashalot \
+ htop \
+ ifupdown \
+ initramfs-tools \
+ kbd \
+ less \
+ locales \
+ lvm2 \
+ m4 \
+ mosh \
+ molly-guard \
+ ncurses-term \
+ openssh-client \
+ openssh-server \
+ openssl \
+ pciutils \
+ procps \
+ quota \
+ quotatool \
+ rsync \
+ screen \
+ sudo \
+ sysprofile \
+ vim-nox \
+ wget \
+ zsh \
+ ) \
+ $vm_lsb_name /mnt/$vm_fqdn/ \
+ http://ftp.fr.debian.org/debian/
+"$tool"/host/part-var-umount
+"$tool"/host/part-boot-umount
+"$tool"/host/part-root-umount
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+case $vm_use_lvm in
+ (no)
+ sudo sfdisk $vm_dev_disk <<-EOF
+ # partition table of $vm_dev_disk
+ unit: sectors
+
+ ${vm_dev_disk}1 : start= 63, size= 497952, Id=83, bootable
+ ${vm_dev_disk}2 : start= 498015, size=418927005, Id= 5
+ ${vm_dev_disk}3 : start= 0, size= 0, Id= 0
+ ${vm_dev_disk}4 : start= 0, size= 0, Id= 0
+ ${vm_dev_disk}5 : start= 498078, size= 1959867, Id=82
+ ${vm_dev_disk}6 : start= 2458008, size= 29302497, Id=83
+ ${vm_dev_disk}7 : start= 31760568, size= 9767457, Id=83
+ ${vm_dev_disk}8 : start= 41528088, size=377896932, Id=83
+ EOF
+ ;;
+ (yes)
+ sudo sfdisk $vm_dev_disk <<-EOF
+ # partition table of $vm_dev_disk
+ unit: sectors
+
+ ${vm_dev_disk}1 : start= 63, size= 497952, Id=83, bootable
+ ${vm_dev_disk}2 : start= 498015, size=418927005, Id=8E
+ EOF
+ ;;
+ (*) exit 1;;
+ esac
+#sudo partprobe $vm_dev_disk
+sudo kpartx -u -v /dev/domU/$vm_fqdn-disk
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+sudo kpartx -a -v /dev/domU/$vm_fqdn-disk
+#sudo xm block-attach 0 phy:/dev/domU/$vm_fqdn-disk $vm_dev_disk w
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+"$tool"/host/part-boot-umount
+case $vm_use_lvm in
+ (yes)
+ "$tool"/host/part-lvm-umount
+ ;;
+ (no)
+ "$tool"/host/part-root-umount
+ "$tool"/host/part-var-umount
+ "$tool"/host/part-home-umount
+ ;;
+ (*) exit 1;;
+ esac
+sudo kpartx -d -v /dev/domU/$vm_fqdn-disk
+#sudo xm block-detach 0 $vm_dev_disk
+# XXX: DANGEREUX ; si jamais il bloque parce que le disque était encore utilisé :
+# utiliser xm block-detach 0 $vm_dev_disk --force ;
+# ôter les éventuels mappages LVM concernés avec dmsetup table et dmsetup remove --force ;
+# ôter les mappages concernés dans /etc/lvm/cache/.cache,
+# et pour bien trouver tous les mappages :
+# % sudo find /dev -type l -exec sh -c 'printf "%s -> " "$@"; readlink "$@"' - {} \; | grep $vm_dev_disk
+# enfin, ôter l'éventuel verrou dans /var/lock/lvm/
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+cd "$tool"
+git config --replace branch.master.remote .
+git config --replace branch.master.merge refs/remotes/master
+local tool
+tool=$(cd "$tool"; cd -)
+install -m 770 /dev/stdin \
+ .git/hooks/post-update <<-EOF
+ #!/bin/sh -efux
+ case \$1 in
+ (refs/remotes/master)
+ cd ..
+ #git --git-dir=\$PWD/.git checkout -f -B master remotes/master &&
+ git --git-dir=\$PWD/.git checkout HEAD'^' &&
+ git --git-dir=\$PWD/.git branch -f master remotes/master &&
+ git --git-dir=\$PWD/.git checkout master
+ git --git-dir=\$PWD/.git clean -f -d -x
+ ;;
+ esac
+ EOF
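Review bot: L3065 `local tool` sits outside any function, which both dash and bash reject, and under `-eu` that aborts the script before the hook is installed; `tool` is already set at L3059, and L3066 `tool=$(cd "$tool"; cd -)` only re-reads the directory L3062 already changed into, so both lines can be dropped. The hook is installed with `-m 770` at L3067: a group-writable hook lets any member of the repository's group alter a script that runs `git checkout`/`git clean -f -d -x` on every push, so `-m 755` (or 750) is the safer mode unless that group is deliberately trusted. A comment noting that the hook's `clean -f -d -x` also deletes ignored files in the checkout would spare the next maintainer a surprise.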
--- /dev/null
+. "$tool"/etc/host.sh
+set -x
+test "$(hostname --fqdn)" = "$vm_host"
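Review bot: The host check at L3084 aborts the calling script (through its `-e`) without saying why when run on the wrong machine; `test "$(hostname --fqdn)" = "$vm_host" || { printf 'expected host %s\n' "$vm_host" >&2; exit 1; }` gives a diagnostic and still works when a caller lacks `-e`. `set -x` at L3083 enables tracing for every host script unconditionally, which is presumably a debugging aid; gating it on an environment variable would keep normal runs quiet.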
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+mount | grep -q "^$vm_dev_disk_boot " ||
+sudo mke2fs -t ext2 -c -c -m 5 -T small \
+ -E resize=1G${vm_e2fs_extended_options} \
+ -L ${vm_lvm_lv}_boot $vm_dev_disk_boot
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+mountpoint -q /mnt/$vm_fqdn
+test -d /mnt/$vm_fqdn/boot
+mountpoint -q /mnt/$vm_fqdn/boot ||
+sudo mount -v -t ext2 $vm_dev_disk_boot /mnt/$vm_fqdn/boot
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+! mountpoint -q /mnt/$vm_fqdn/boot ||
+sudo umount -v /mnt/$vm_fqdn/boot
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+"$tool"/host/part-luks-format home
+"$tool"/host/part-luks-mount home
+sudo mke2fs -t ext4 -c -c -m 0 -T ext4 -b $vm_e2fs_block_size \
+ -E resize=400G${vm_e2fs_extended_options} \
+ -L ${vm_lvm_lv}_home \
+ /dev/mapper/${vm_lvm_lv}_home_deciphered
+ # NOTE: -O quota pas supporté par e2fsprogs/squeeze
+"$tool"/host/part-luks-umount home
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+"$tool"/host/part-luks-mount home
+mountpoint -q /mnt/$vm_fqdn/home ||
+sudo mount -v -t ext4 /dev/mapper/${vm_lvm_lv}_home_deciphered /mnt/$vm_fqdn/home
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+! mountpoint -q /mnt/$vm_fqdn/home ||
+sudo umount -v /mnt/$vm_fqdn/home
+"$tool"/host/part-luks-umount home
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+# NOTE: la clef de chiffrement est dérivée de celle de /,
+# / doit être déchiffrée pour que cela fonctionne.
+part="$1"
+eval "dev=\"\$vm_dev_disk_$part\""
+test ! -e /dev/mapper/${vm_lvm_lv}_root_deciphered ||
+sudo /bin/sh -c "/lib/cryptsetup/scripts/decrypt_derived ${vm_lvm_lv}_root_deciphered |
+cryptsetup luksFormat --hash=sha512 --key-size=512 \
+ --cipher=aes-xts-essiv:sha256 --key-file=- --align-payload=8 $dev"
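Review bot: `cryptsetup luksFormat` here has no guard against an existing LUKS header, so running `part-home-format`, `part-var-format` or `part-swap-format` a second time (they all call this script) destroys the previous volume and its data; add `! sudo cryptsetup isLuks "$dev" || { echo "$dev is already LUKS" >&2; exit 1; }` before the `sudo /bin/sh -c` line. The `test ! -e …_root_deciphered ||` prefix also inverts the intent: when root is not opened the script exits 0 having done nothing, and the caller's following `part-luks-mount` fails with a less obvious error — `test -e /dev/mapper/${vm_lvm_lv}_root_deciphered || { echo "open root first" >&2; exit 1; }` fails where the cause is. `$part` goes through `eval` and `$dev` into a `sh -c` string unquoted; restricting it up front with `case $part in (boot|root|var|home|swap) ;; (*) exit 1;; esac` removes the typo/injection surface. The derivation design (every secondary volume keyed from root's master key) deserves a short comment: `luksChangeKey` on root does not rotate it, only a re-format does.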
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+part="$1"
+eval "dev=\"\$vm_dev_disk_$part\""
+test -e /dev/mapper/${vm_lvm_lv}_${part}_deciphered ||
+sudo /bin/sh -c "/lib/cryptsetup/scripts/decrypt_derived ${vm_lvm_lv}_root_deciphered |
+cryptsetup luksOpen --key-file=- $dev ${vm_lvm_lv}_${part}_deciphered"
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+part="$1"
+eval "dev=\"\$vm_dev_disk_$part\""
+test ! -e /dev/mapper/${vm_lvm_lv}_${part}_deciphered ||
+sudo cryptsetup luksClose ${vm_lvm_lv}_${part}_deciphered
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+"$tool"/host/part-lvm-umount
+! sudo vgs | grep -q "^ $vm_lvm_vg " ||
+sudo vgremove $vm_lvm_vg
+sudo pvcreate --dataalignment 512k $vm_lvm_pv
+sudo vgcreate --dataalignment 512k $vm_lvm_vg $vm_lvm_pv
+sudo lvcreate --contiguous y -n ${vm_lvm_lv}_swap -L 1G $vm_lvm_vg
+sudo lvcreate --contiguous y -n ${vm_lvm_lv}_root -L 15G $vm_lvm_vg
+sudo lvcreate --contiguous y -n ${vm_lvm_lv}_var -L 5G $vm_lvm_vg
+sudo lvcreate --contiguous y -n ${vm_lvm_lv}_home -l 99%FREE $vm_lvm_vg
+"$tool"/host/part-lvm-umount
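Review bot: The `vgs | grep -q "^ $vm_lvm_vg "` test expects exactly one leading space, but `vgs` normally indents its table by two, so as far as I can tell the match never succeeds, `vgremove` is skipped and `vgcreate` then fails on the existing group; `part-lvm-umount` uses the same pattern. Querying the group directly is robust and quiet: `! sudo vgs "$vm_lvm_vg" >/dev/null 2>&1 || sudo vgremove "$vm_lvm_vg"`. Given that `vgremove` + `pvcreate` wipe every guest volume, an explicit confirmation or a `FORCE=1` environment check before the `vgremove` line would be a sensible safety net for a script whose guards otherwise look idempotent.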
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+case $vm_use_lvm in
+ (yes)
+ sudo vgchange -a y $vm_lvm_vg
+ ;;
+ (*) exit 1;;
+ esac
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+case $vm_use_lvm in
+ (yes)
+ "$tool"/host/part-root-umount
+ "$tool"/host/part-var-umount
+ "$tool"/host/part-home-umount
+ ! sudo vgs | grep -q "^ $vm_lvm_vg " ||
+ sudo vgchange -a n $vm_lvm_vg
+ ;;
+ (*) exit 1;;
+ esac
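Review bot: The `! sudo vgs | grep -q "^ $vm_lvm_vg "` guard has the same single-space problem as in `part-lvm-format`: with `vgs`'s usual two-space indent it never matches, so `vgchange -a n` is skipped and the guest VG stays active in dom0 after "umount". `! sudo vgs "$vm_lvm_vg" >/dev/null 2>&1 || sudo vgchange -a n "$vm_lvm_vg"` tests the group directly. Since `xen-vm-start` relies on dom0 having released these volumes, this guard is the one that matters.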
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+part="$1"
+eval "sudo dd if=/dev/urandom of=\$vm_dev_disk_$part"
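Review bot: `$part` flows straight from `$1` into `eval`, so a mistyped or hostile argument becomes shell code and the `of=` target is whatever `vm_dev_disk_<part>` expands to; validate it first with `case $part in (boot|root|var|home|swap) ;; (*) echo "bad part: $part" >&2; exit 1;; esac` (the same check belongs in the other `part-*` scripts that `eval` on `$part`). Unlike `part-boot-format`, nothing verifies that the device is not mounted or opened by `part-luks-mount`; `! mount | grep -q "^$dev "` before the `dd` reuses the existing idiom. `dd` without `bs=` writes 512-byte blocks, so `bs=1M` makes the wipe considerably faster.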
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+part="$1"
+eval "pkill -USR1 -f \"^dd if=/dev/urandom of=\$vm_dev_disk_$part\""
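Review bot: `pkill -USR1` runs unprivileged here while the `dd` started by `part-random-fill` belongs to root (it was launched through `sudo`), so the signal is refused with EPERM and no progress is ever printed; it needs `sudo pkill -USR1 -f …` as well. The `-f` pattern is a regular expression, so a device path containing regex metacharacters would need escaping, though the LVM paths used here contain none. The progress line goes to the terminal running `part-random-fill`, not this script — a comment saying so saves the operator a puzzled minute.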
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+if ! mount | grep -q "^$vm_dev_disk_root "
+ then
+ sudo cryptsetup luksFormat --hash=sha512 --key-size=512 \
+ --cipher=aes-xts-essiv:sha256 --align-payload=8 $vm_dev_disk_root
+ sudo cryptsetup luksOpen $vm_dev_disk_root ${vm_lvm_lv}_root_deciphered
+ sudo mke2fs -t ext4 -c -c -m 5 -T ext4 -b $vm_e2fs_block_size \
+ -E resize=30G${vm_e2fs_extended_options} \
+ -L ${vm_lvm_lv}_root \
+ /dev/mapper/${vm_lvm_lv}_root_deciphered
+ ! mountpoint -q /mnt/$vm_fqdn
+ sudo mount -v /dev/mapper/${vm_lvm_lv}_root_deciphered /mnt/$vm_fqdn
+ sudo install -d -m 770 -o root -g root \
+ /mnt/$vm_fqdn/boot \
+ /mnt/$vm_fqdn/dev \
+ /mnt/$vm_fqdn/home \
+ /mnt/$vm_fqdn/proc \
+ /mnt/$vm_fqdn/root \
+ /mnt/$vm_fqdn/root/src \
+ /mnt/$vm_fqdn/root/src/$vm \
+ /mnt/$vm_fqdn/sys \
+ /mnt/$vm_fqdn/var
+ sudo umount -v /mnt/$vm_fqdn
+ sudo cryptsetup luksClose ${vm_lvm_lv}_root_deciphered
+ fi
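Review bot: The `mount | grep -q "^$vm_dev_disk_root "` guard tests the raw LUKS container, which is never what gets mounted — the mapping `/dev/mapper/${vm_lvm_lv}_root_deciphered` is — so the guard never trips and a second run of this script `luksFormat`s the existing root volume after the operator merely types a passphrase. Replace it with a header check plus a mapping check: `! sudo cryptsetup isLuks "$vm_dev_disk_root" || { echo "root already formatted" >&2; exit 1; }` and `test ! -e /dev/mapper/${vm_lvm_lv}_root_deciphered`. The `-m 770` on `/proc`, `/sys`, `/dev`, `/home` and `/var` is harmless once those are mounted over, and `/root/src/$vm` at 770 root:root is fine for a root-only checkout; a comment stating both would spare the next reader the question.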
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+test -e /dev/mapper/${vm_lvm_lv}_root_deciphered ||
+sudo cryptsetup luksOpen $vm_dev_disk_root ${vm_lvm_lv}_root_deciphered
+mountpoint -q /mnt/$vm_fqdn ||
+sudo mount -v -t ext4 /dev/mapper/${vm_lvm_lv}_root_deciphered /mnt/$vm_fqdn
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+! mountpoint -q /mnt/$vm_fqdn ||
+sudo umount -v /mnt/$vm_fqdn
+! test -e /dev/mapper/${vm_lvm_lv}_root_deciphered ||
+sudo cryptsetup luksClose ${vm_lvm_lv}_root_deciphered
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+"$tool"/host/part-luks-format swap
+"$tool"/host/part-luks-mount swap
+sudo mkswap -f -L ${vm_lvm_lv}_swap \
+ /dev/mapper/${vm_lvm_lv}_swap_deciphered
+"$tool"/host/part-luks-umount swap
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+"$tool"/host/part-luks-format var
+"$tool"/host/part-luks-mount var
+sudo mke2fs -t ext4 -c -c -m 5 -T ext4 -b $vm_e2fs_block_size \
+ -E resize=10G${vm_e2fs_extended_options} \
+ -L ${vm_lvm_lv}_var \
+ /dev/mapper/${vm_lvm_lv}_var_deciphered
+"$tool"/host/part-luks-umount var
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+"$tool"/host/part-luks-mount var
+mountpoint -q /mnt/$vm_fqdn/var ||
+sudo mount -v -t ext4 /dev/mapper/${vm_lvm_lv}_var_deciphered /mnt/$vm_fqdn/var
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+! mountpoint -q /mnt/$vm_fqdn/var ||
+sudo umount -v /mnt/$vm_fqdn/var
+"$tool"/host/part-luks-umount var
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+! pgrep -f "sudo xm console $vm_fqdn"
+info 'Ctrl-] pour se détacher de la console'
+sudo xm console $vm_fqdn
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+sudo install -m 644 -u root -g root /dev/stdin \
+ /etc/xen/$vm_fqdn.cfg <<-EOF
+ # -*- mode: python; -*-
+ # DOC: http://wiki.xen.org/wiki/Xen_Linux_PV_on_HVM_drivers
+ import os, re
+ name = "$vm_fqdn"
+ arch = os.uname()[4]
+ memory = 2048
+ vcpus = 1
+ pae = 1
+ acpi = 1
+ apic = 1
+ vif = ['mac=$vm_mac,bridge=$vm_bridge']
+ disk = ['phy:/dev/domU/$vm_fqdn-disk,hda,w']
+ device_model = 'qemu-dm'
+ # HVM :
+ #kernel = "/usr/lib/xen-4.0/boot/hvmloader"
+ #builder = 'hvm'
+ #xen_platform_pci = 1 # NOTE: the guest VM can use optimized PV on HVM drivers
+ # PV :
+ #kernel = "pv-grub.gz" # NOTE: pas encore dans Debian car il ne fonctionne qu'avec grub-legacy
+ #extra = "(hd0,0)/grub/grub.cfg"
+ bootloader = '/usr/bin/pygrub'
+
+ # boot on floppy (a), hard disk (c) or CD-ROM (d)
+ #boot = 'd'
+
+ #vnc = 1
+ #sdl = 0
+ #vncconsole = 0
+ #vnclisten = "0.0.0.0"
+ #vncpasswd = ""
+ #usbdevice = 'tablet'
+
+ keymap = 'fr'
+ serial = 'pty'
+ on_poweroff = 'destroy'
+ on_reboot = 'restart'
+ on_crash = 'restart'
+ EOF
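Review bot: `install -m 644 -u root -g root` fails outright — GNU `install` has no `-u` option, the owner flag is `-o` as used everywhere else in this series — so the Xen config is never written and `set -e` aborts the script; change the first line to `sudo install -m 644 -o root -g root /dev/stdin \`. The VNC options are left commented out, which is the safe default; if they are ever enabled, `vnclisten = "0.0.0.0"` with an empty `vncpasswd` would expose an unauthenticated console on every interface, so a warning comment next to those lines is cheap insurance. `bootloader = '/usr/bin/pygrub'` means dom0 parses the guest's unencrypted `/boot` at every start; that is the reason `/boot` is plain ext2 and is worth stating in the `# PV :` block.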
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+test ! -e /dev/domU/$vm_fqdn-disk1
+sudo xm create $vm_fqdn.cfg
+"$tool"/host/xen-vm-attach
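Review bot: The only pre-start check is `test ! -e /dev/domU/$vm_fqdn-disk1`, which catches a partition mapping in dom0 but not the case this tooling itself creates: `part-lvm-mount`/`part-root-mount` leave the guest VG active and the root LUKS mapping open in dom0, and `xm create` then hands the same LV to the guest read-write, with two writers on one filesystem. If I read the layout right, `test ! -e /dev/mapper/${vm_lvm_lv}_root_deciphered` and `! sudo vgs "$vm_lvm_vg" >/dev/null 2>&1` (or simply calling `"$tool"/host/part-lvm-umount` first) before `xm create` would close that gap. `xm create $vm_fqdn.cfg` resolves the relative name against the current directory before `/etc/xen`, so `sudo xm create /etc/xen/"$vm_fqdn".cfg` avoids picking up a stray file from wherever the admin happens to be.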
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+sudo xm shutdown $vm_fqdn
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/host/lib.sh
+
+sudo xm destroy $vm_fqdn
+++ /dev/null
-#!/bin/sh
-
-. "$tool"/lib/log.sh
-
-rule () {
- local -
- local rule="$1"; shift
- info "$*" rule
- ${TRACE:+set -x}
- rule_$rule "$@"
- }
-#!/bin/sh
-set -e -f ${DRY_RUN:+-n} -u
+#!/bin/sh -eux
tool=${0%/*}/..
ssh \
-o StrictHostKeyChecking=yes \
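Review bot: Moving the options into the shebang (`#!/bin/sh -eux`) drops `-f`, so any unquoted expansion further down this wrapper (outside the hunk) is now subject to pathname expansion on the `*`/`?` that git and `backup-gpg-send` may pass through `$GIT_SSH`, and it also drops the `DRY_RUN` hook without replacement. Shebang flags are lost when someone runs `sh remote/ssh …`, whereas a `set` line is not; keeping `set -e -f -u ${DRY_RUN:+-n} ${TRACE:+-x}` as the second line preserves both and follows the convention the deleted `lib/rule.sh` used for tracing. `StrictHostKeyChecking=yes` on the next line is the right setting for a deploy wrapper; the rest of the `ssh` invocation is outside this hunk.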
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/local/lib.sh
+
+getent passwd "$user" >/dev/null ||
+sudo adduser "$@" "$user"
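Review bot: `$user` is never assigned in this script, yet `getent passwd "$user"` and `sudo adduser "$@" "$user"` both read it; every caller (`backup-configure`, `gitolite-configure`, `user-add`, `www-configure`) passes the name as the first positional argument followed by options, so under `-u` the script dies on an unset variable unless `etc/local.sh` happens to export one — and even then `"$@"` would still carry the name a second time. Add `user="$1"; shift` after the `lib.sh` line, leaving only the options in `"$@"`. A one-line header (`# SYNTAX: $user [adduser options…]`) would match the other scripts in this series.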
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/local/lib.sh
+
+sudo install -m 664 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
+ deb http://ftp.rezopole.net/debian $vm_lsb_name main
+ EOF
+sudo install -m 664 -o root -g root /dev/stdin /etc/apt/sources.list.d/$vm_lsb_name-backports.list <<-EOF
+ deb http://ftp.rezopole.net/debian $vm_lsb_name-backports main
+ EOF
+sudo install -m 664 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
+ deb http://nightly.openerp.com/7.0/nightly/deb/ ./
+ EOF
+sudo install -m 664 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
+ Package: *
+ Pin: release a=$vm_lsb_name
+ Pin-Priority: 200
+
+ Package: *
+ Pin: release a=$vm_lsb_name-backports
+ Pin-Priority: 170
+ EOF
+sudo apt-get update
+"$tool"/local/apt-get-install apticron
+m4 \
+ --define=VM_DOMAINNAME=$vm_domainname \
+ <"$tool"/etc/apticron/apticron.conf.m4 |
+sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/apticron/apticron.conf
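Review bot: The pinning gives the Debian suite priority 200 and backports 170, but the OpenERP nightly source added just above carries no pin and therefore keeps apt's default 500 — any package name it shares with Debian is then installed from `nightly.openerp.com` in preference to the distribution, over plain HTTP and, as far as this hunk shows, without its signing key being imported. Pin it explicitly, e.g. `Package: *` / `Pin: origin nightly.openerp.com` / `Pin-Priority: 100`, or restore the main archive to 500 and pin only backports low. Also check that `Pin: release a=$vm_lsb_name` matches at all: `a=` compares against the Release file's `Suite:` (e.g. `stable`), while a codename needs `n=`, so with a codename in `$vm_lsb_name` the pin may be a no-op. `-m 664` on sources and preferences is group-writable for group root only, harmless but 644 is the conventional mode.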
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/local/lib.sh
+
+sudo \
+ DEBIAN_FRONTEND=noninteractive \
+ DEBIAN_PRIORITY=low \
+ apt-get install --yes "$@"
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/local/lib.sh
+
+sudo debconf-set-selections <<-EOF
+ grub-pc grub-pc/install_devices multiselect
+ EOF
+"$tool"/local/apt-get-install grub-pc
+sudo install -d -m 644 -o root -g root /boot/grub
+"$tool"/local/apt-get-install linux-image-$vm_arch
+sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/default/grub <<-EOF
+ GRUB_DEFAULT=0
+ GRUB_TIMEOUT=5
+ GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
+ GRUB_CMDLINE_LINUX_DEFAULT="quiet"
+ GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
+ GRUB_DISABLE_RECOVERY="true"
+ #GRUB_PRELOAD_MODULES="lvm"
+ EOF
+sudo install -m 644 -o root -g root /dev/stdin \
+ /boot/grub/device.map <<-EOF
+ (hd0) /dev/xvda
+ (hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
+ EOF
+sudo update-grub2 # NOTE: prend en compte /boot/grub/device.map
+"$tool"/local/initramfs-configure
+"$tool"/local/apt-get-install molly-guard
+sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/molly-guard/rc <<-EOF
+ ALWAYS_QUERY_HOSTNAME=true
+ # NOTE: une alternative est de dire à sudo de conserver les SSH_*
+ # néamoins demander tout le temps n'est pas trop contraignant
+ # et davantage sécurisant.
+ EOF
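Review bot: `install -d -m 644 -o root -g root /boot/grub` creates (or re-modes) a directory without the execute bit, which only works for root via CAP_DAC_OVERRIDE and is not what grub-pc expects; use `-m 755`. The kernel line hard-codes `resume=/dev/mapper/${vm}_swap_deciphered` while the swap mapping is created on the host as `${vm_lvm_lv}_swap_deciphered` (`part-swap-format`) — if `$vm` and `$vm_lvm_lv` ever differ, resume silently points at a non-existent device, so use the same variable in both places. `GRUB_DISABLE_RECOVERY="true"` removes the recovery entry, but with `GRUB_TIMEOUT=5` anyone on the Xen console can still edit the kernel line; that is acceptable only because `/` is LUKS-encrypted and the console is dom0-only, which is worth a comment beside it.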
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/local/lib.sh
+
+"$tool"/local/apt-configure
+"$tool"/local/git-configure
+"$tool"/local/etckeeper-configure
+"$tool"/local/locales-configure
+"$tool"/local/time-configure
+"$tool"/local/network-configure
+"$tool"/local/filesystem-configure
+"$tool"/local/login-configure
+"$tool"/local/ssh-configure
+"$tool"/local/user-root-configure
+"$tool"/local/boot-configure
+"$tool"/local/sysctl-configure
+"$tool"/local/user-configure
+"$tool"/local/gitolite-configure
+"$tool"/local/shorewall-configure
+"$tool"/local/runit-configure '*' -- '*'
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/local/lib.sh
+
+sudo \
+ DEBIAN_FRONTEND=noninteractive \
+ DEBIAN_PRIORITY=low \
+ dpkg-reconfigure "$@"
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/local/lib.sh
+
+"$tool"/local/apt-get-install duplicity
+home="/home/backup"
+"$tool"/local/adduser backup \
+ --disabled-password \
+ --group \
+ --home "$home" \
+ --shell /bin/bash \
+ --system
+sudo usermod --home "$home" backup
+sudo install -d -m 750 -o backup -g backup \
+ "$home" \
+ "$home"/etc \
+ "$home"/etc/gpg \
+ "$home"/etc/ssh
+sudo install -d -m 770 -o backup -g backup \
+ "$home"/mysql \
+ "$home"/postgres
+getent group sudo backup |
+while IFS=: read -r group x x users
+ do while test -n "$users" && IFS=, read -r user users <<-EOF
+ $users
+ EOF
+ do eval home="~$user"
+ sudo cat "$home"/etc/ssh/authorized_keys
+ done
+ done |
+sudo install -m 640 -o backup -g backup /dev/stdin \
+ "$home"/etc/ssh/authorized_keys
+sudo ln -fns etc/gpg "$home"/.gnupg
+#sudo adduser backup mysql-data
+#sudo adduser backup postgres-data
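Review bot: `backup`'s keys land in `$home/etc/ssh/authorized_keys`, but unlike `/root` and `/etc/skel` no `.ssh -> etc/ssh` symlink is created here (only `.gnupg -> etc/gpg` is), so unless `ssh-configure` sets `AuthorizedKeysFile` to that path — not visible in this series — sshd will not find the keys; `sudo ln -fns etc/ssh "$home"/.ssh` mirrors `user-root-configure`. I would not count on adduser copying `/etc/skel` for a `--system` account, which is presumably why `etc/ssh` is created explicitly. Every member of `sudo` can log in as `backup`, which gets an interactive `/bin/bash`; if the account only serves duplicity over ssh, prefixing the keys with `command="…",no-pty,no-port-forwarding` (or a non-interactive shell) limits what a lost admin key can do with the backup data.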
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/local/lib.sh
+
+sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/etckeeper/etckeeper.conf <<-EOF
+ VCS=git
+ GIT_COMMIT_OPTIONS=""
+ AVOID_DAILY_AUTOCOMMITS=1
+ #AVOID_SPECIAL_FILE_WARNING=1
+ AVOID_COMMIT_BEFORE_INSTALL=1
+ HIGHLEVEL_PACKAGE_MANAGER=apt
+ LOWLEVEL_PACKAGE_MANAGER=dpkg
+ EOF
+sudo install -m 644 -o root -g root \
+ "$tool"/etc/etckeeper/prompt.sh \
+ /etc/etckeeper/prompt.sh
+"$tool"/local/apt-get-install etckeeper
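Review bot: `AVOID_COMMIT_BEFORE_INSTALL=1` tells etckeeper not to commit pending `/etc` changes before apt runs, so hand edits made since the last commit get folded into the package's auto-commit and stop being attributable; on a host where `/etc` history is part of the audit trail, leaving it unset (the default) keeps package changes and manual edits in separate commits. Writing the config before `apt-get-install etckeeper` works only because dpkg keeps a pre-existing conffile (its prompt's default answer); a comment saying the order is deliberate stops someone "fixing" it.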
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/local/lib.sh
+
+m4 \
+ --define=VM_LVM_LV=$vm_lvm_lv \
+ --define=VM_LVM_VG=$vm_lvm_vg \
+ <"$tool"/etc/fstab.m4 |
+sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/fstab
+m4 \
+ --define=VM_LVM_LV=$vm_lvm_lv \
+ --define=VM_LVM_VG=$vm_lvm_vg \
+ <"$tool"/etc/crypttab.m4 |
+sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/crypttab
+sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/default/tmpfs <<-EOF
+ LOCK_SIZE=5242880 # NOTE: 5MiB
+ RAMLOCK=yes
+ RAMSHM=yes
+ RAMTMP=yes
+ RUN_SIZE=10%
+ SHM_SIZE=
+ TMP_MODE=1777,nr_inodes=1000k,noatime
+ TMP_OVERFLOW_LIMIT=1024
+ # NOTE: mount tmpfs on /tmp if there is less than the limit size (in kiB)
+ # on the root filesystem (overriding RAMTMP).
+ TMP_SIZE=200m
+ TMPFS_SIZE=20%VM
+ EOF
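Review bot: The tmpfs settings put `/tmp`, `/run/shm` and `/run/lock` in RAM but with default mount options; since `TMP_MODE` is appended verbatim to the mount options by Debian's initscripts (which is how `nr_inodes` and `noatime` already ride along here), `TMP_MODE=1777,nosuid,nodev,nr_inodes=1000k,noatime` would add the usual hardening for a world-writable directory at no cost — confirm against the initscripts version in use. `/etc/crypttab` is installed 644, which is fine only because the non-root entries use `decrypt_derived` rather than key files; a comment noting that no key material may ever be added to it keeps the mode honest.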
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/local/lib.sh
+
+cd "$tool"
+git config --replace branch.master.remote .
+git config --replace branch.master.merge refs/remotes/master
+install -m 770 /dev/stdin \
+ .git/hooks/post-update <<-EOF
+ #!/bin/sh -efux
+ case \$1 in
+ (refs/remotes/master)
+ cd ..
+ git --git-dir=\$PWD/.git checkout -f -B master remotes/master
+ git --git-dir=\$PWD/.git clean -f -d -x
+ ;;
+ esac
+ EOF
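Review bot: The post-update hook is installed `-m 770`, i.e. group-writable, yet it runs `git checkout -f` and `git clean -f -d -x` as the checkout's owner on every push — if the checkout lives under `/root/src` as `part-root-format` suggests, that is root; `-m 750` keeps a group member from swapping in a different hook. `clean -x` also deletes ignored files, so state kept beside the checkout outside git is gone after each push; if a pristine deploy is the intent, say so in a comment above the `install`. Since this hook is the only gate, a push from any admin key is executed without further verification — that is the repo's trust model and deserves one line in the header.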
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/local/lib.sh
+
+cd "$tool"
+git checkout -f -B master remotes/master
+git clean -f -d -x
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/local/lib.sh
+
+sudo debconf-set-selections <<-EOF
+ gitolite gitolite/gituser string git
+ gitolite gitolite/adminkey string
+ gitolite gitolite/gitdir string /home/git
+ EOF
+"$tool"/local/apt-get-install gitolite
+"$tool"/local/adduser git \
+ --disabled-password \
+ --group \
+ --home /home/git \
+ --shell /bin/bash \
+ --system
+sudo chfn --full-name git git
+"$tool"/local/adduser log-git \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/git/log \
+ --shell /bin/false \
+ --system
+"$tool"/local/adduser git-data \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/git/pub \
+ --shell /bin/false \
+ --system
+sudo adduser git git-data
+sudo install -d -m 750 -o git -g git \
+ /etc/gitolite \
+ /home/git/etc \
+ /home/git/etc/ssh
+sudo install -d -m 751 -o git -g git \
+ /home/git
+sudo install -d -m 2770 -o git-data -g git-data \
+ /home/git/pub
+sudo install -d -m 1771 -o git -g git \
+ /home/git/log
+sudo install -d -m 2770 -o git -g log-git \
+ /home/git/log/gitolite \
+ /home/git/log/gitolite/perf
+sudo install -d -m 3771 -o git -g git \
+ /home/git/hooks
+sudo ln -fns /etc/gitolite /home/git/etc/gitolite
+sudo ln -fns /etc/gitweb /home/git/etc/gitweb
+sudo ln -fns etc/gitolite/gitolite.rc /home/git/.gitolite.rc
+sudo ln -fns etc/ssh /home/git/.ssh
+sudo install -m 770 -o git -g git /dev/stdin \
+ /home/git/etc/gitolite/gitolite.rc <<-EOF
+ #\$ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary";
+ #\$BIG_INFO_CAP = 20;
+ #\$ENV{GL_SLAVES} = 'gitolite@server2 gitolite@server3';
+ # NOTE: Please use single quotes, not double quotes.
+ #\$GITWEB_URI_ESCAPE = 0;
+ \$GIT_PATH = "";
+ #\$GL_ADC_PATH = "";
+ \$GL_ADMINDIR = \$ENV{HOME} . "/etc/gitolite";
+ #\$GL_ALL_INCLUDES_SPECIAL = 0;
+ #\$GL_ALL_READ_ALL = 0;
+ \$GL_BIG_CONFIG = 0;
+ \$GL_CONF = "\$GL_ADMINDIR/conf/gitolite.conf";
+ \$GL_CONF_COMPILED = "\$GL_ADMINDIR/conf/gitolite.conf.pm";
+ #\$GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups"
+ \$GL_GITCONFIG_KEYS = "gitweb\\..* hooks\\..*";
+ #\$GL_HOSTNAME = "git.$vm_domainname";
+ # NOTE: read doc/mirroring.mkd COMPLETELY before setting this.
+ #\$GL_HTTP_ANON_USER = "mob";
+ \$GL_KEYDIR = "\$GL_ADMINDIR/keydir";
+ \$GL_LOGT = \$ENV{HOME} . "/log/gitolite/%y-%m-%d.log";
+ #\$GL_NICE_VALUE = 0;
+ \$GL_NO_CREATE_REPOS = 0;
+ \$GL_NO_DAEMON_NO_GITWEB = 0;
+ \$GL_NO_SETUP_AUTHKEYS = 0;
+ \$GL_PACKAGE_CONF = "/usr/share/gitolite/conf";
+ \$GL_PACKAGE_HOOKS = "/usr/share/gitolite/hooks";
+ #\$GL_PERFLOGT = \$ENV{HOME} . "/log/gitolite/perf/%y-%m-%d.log";
+ #\$GL_REF_OR_FILENAME_PATT = qr(^[0-9a-zA-Z][0-9a-zA-Z._\\@/+ :,-]*\$);
+ \$GL_SITE_INFO = "git.$vm_domainname";
+ #\$GL_SLAVE_MODE = 0;
+ \$GL_WILDREPOS = 0;
+ #\$GL_WILDREPOS_DEFPERMS = 'R @all';
+ \$GL_WILDREPOS_PERM_CATS = "READERS WRITERS";
+ \$HTPASSWD_FILE = "";
+ \$PROJECTS_LIST = \$ENV{HOME} . "/etc/gitweb/projects.list";
+ \$REPO_BASE = "pub";
+ \$REPO_UMASK = 0007;
+ \$RSYNC_BASE = "";
+ \$SVNSERVE = "";
+ #\$UPDATE_CHAINS_TO = "hooks/update.secondary";
+ \$WEB_INTERFACE = "gitweb";
+ 1;
+ EOF
+sudo install -m 600 -o git -g git \
+ "$tool"/var/pub/ssh/git.key \
+ /home/git/etc/ssh/git.pub
+sudo -u git \
+ GL_RC=/home/git/etc/gitolite/gitolite.rc \
+ GIT_AUTHOR_NAME=git \
+ gl-setup -q /home/git/etc/ssh/git.pub git
+for d in doc logs src
+ do test ! -d /home/git/etc/gitolite/"$d" ||
+ rmdir /home/git/etc/gitolite/"$d"
+ done
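Review bot: The cleanup loop at the end runs `test -d`/`rmdir` without `sudo` on `/home/git/etc/gitolite/{doc,logs,src}`, which sit inside a 750 git:git directory, so from the admin account `test -d` cannot even see them and the `rmdir`s are silent no-ops; use `sudo -u git rmdir …` (and `sudo -u git test -d …`). `gitolite.rc` is installed `-m 770 -o git -g git`, but it is Perl that gitolite `do`es as user `git` on every connection, so group-write is unnecessary; `-m 640` is enough. `$GL_GITCONFIG_KEYS = "gitweb\\..* hooks\\..*"` lets gitolite-admin set `hooks.*` git config on repositories; a comment recording why that prefix is trusted would help the next audit.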
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/local/lib.sh
+
+sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/initramfs-tools/initramfs.conf <<-EOF
+ MODULES=most
+ BUSYBOX=y
+ KEYMAP=y
+ COMPRESS=gzip
+ DEVICE=eth0
+ EOF
+sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/modprobe.d/xen-pv.conf <<-EOF
+ alias eth0 xennet
+ alias scsi_hostadapter xenblk
+ EOF
+sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/modules <<-EOF
+ sha1_generic
+ sha256_generic
+ sha512_generic
+ aes-x86_64
+ xts
+ # NOTE: pour Xen en mode HVM :
+ #modprobe xen-platform-pci
+ EOF
+sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/initramfs-tools/modules <<-EOF
+ EOF
+sudo sed -e '/^configure_networking /s/ &$//' \
+ -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
+ # NOTE: corrige une vermine : dropbear doit attendre que le réseau soit configuré..
+ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
+( while IFS= read -r line
+ do case $line in (*" RSA") return 0; break;; esac
+ done; return 1 ) ||
+ {
+sudo rm -f \
+ /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
+ /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
+sudo dropbearkey -t rsa -s 4096 -f \
+ /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
+ }
+# NOTE: ne se préoccupe pas de dropbear_dss_host_key ; Debian la génère et l'utilise néamoins.
+sudo install -d -m 640 -o root -g root \
+ /etc/initramfs-tools/root \
+ /etc/initramfs-tools/root/.ssh
+getent group sudo |
+while IFS=: read -r group x x users
+ do while test -n "$users" && IFS=, read -r user users <<-EOF
+ $users
+ EOF
+ do eval home="~$user"
+ sudo cat "$home"/etc/ssh/authorized_keys
+ done
+ done |
+sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/initramfs-tools/root/.ssh/authorized_keys
+sudo rm -f \
+ /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
+ /etc/initramfs-tools/root/.ssh/id_rsa.pub \
+ /etc/initramfs-tools/root/.ssh/id_rsa
+ # NOTE: clefs générées par Debian
+sudo update-initramfs -u
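Review bot: `install -d -m 640 … /etc/initramfs-tools/root /etc/initramfs-tools/root/.ssh` creates directories without the execute bit, which only works because everything here runs as root; `-m 700` is the conventional (and, for a `.ssh` directory, StrictModes-compatible) mode. When the RSA host key is regenerated its public half is never recorded back into `etc/openssh/known_hosts`, so the next `remote/*` connection to the initramfs fails host-key checking until someone adds it by hand; printing `sudo dropbearkey -y -f /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key` right after generation makes that step visible. The `( while … return 0; break;; … return 1 )` subshell uses `return` outside a function, whose behaviour differs between dash and bash — `exit 0`/`exit 1` is unambiguous there. Patching `/usr/share/initramfs-tools/scripts/init-premount/dropbear` with `sed -i` is undone by the next package upgrade; a copy under `/etc/initramfs-tools/scripts/init-premount/` takes precedence and survives.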
--- /dev/null
+. "$tool"/etc/local.sh
+set -x
+test "$(hostname --fqdn)" = "$vm_fqdn"
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/local/lib.sh
+
+sudo debconf-set-selections <<-EOF
+ locales locales/default_environment_locale select None
+ locales locales/locales_to_be_generated multiselect fr_FR.UTF-8 UTF-8
+ EOF
+"$tool"/local/dpkg-reconfigure locales
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/local/lib.sh
+
+sudo install -m 644 -o root -g root \
+ "$tool"/etc/inittab \
+ /etc/inittab
+sudo install -m 644 -o root -g root \
+ "$tool"/etc/login.defs \
+ /etc/login.defs
+grep -q '^session optional pam_umask.so\>' \
+ /etc/pam.d/common-session ||
+sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/pam.d/common-session <<-EOF
+ $(cat /etc/pam.d/common-session)
+ session optional pam_umask.so
+ EOF
+grep -q '^hvc0$' \
+ /etc/securetty ||
+sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/securetty <<-EOF
+ $(cat /etc/securetty)
+ hvc0
+ EOF
+grep -q '^xvc0$' /etc/securetty ||
+sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/securetty <<-EOF
+ $(cat /etc/securetty)
+ xvc0
+ EOF
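Review bot: Rewriting `/etc/pam.d/common-session` to append `session optional pam_umask.so` does not survive the next `pam-auth-update` run (Debian marks that file as managed by it), which any PAM-related package upgrade triggers; the supported route is a profile under `/usr/share/pam-configs/` enabled through `pam-auth-update` (check first whether the installed `libpam-modules` already ships a `umask` profile). The `$(cat …)` + `install` rewrite is also not atomic, and `grep -q '…\>'` relies on a GNU extension. Adding `hvc0`/`xvc0` to `/etc/securetty` deliberately permits root login on the Xen console; a comment saying so (and that dom0 access is the control) would help.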
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/local/lib.sh
+
+sudo cryptsetup luksChangeKey /dev/$vm_lvm_vg/${vm_lvm_lv}_root
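Review bot: This only swaps a key slot on the root volume; the master key is unchanged, so the `var`, `home` and `swap` volumes keyed from it through `decrypt_derived` keep working — convenient, but it also means a suspected master-key compromise cannot be fixed here, only by re-formatting (or re-encrypting) root and re-deriving the others. A header comment stating both facts would prevent someone treating this as a full key rotation. Without `--key-slot`, cryptsetup replaces whichever slot the entered passphrase unlocks, which is the intended behaviour here but worth noting.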
--- /dev/null
+#!/bin/sh -eux
+db="$1"
+user="${2:-$1}"
+sudo -u mysql mysql --batch --verbose <<-EOF
+ CALL mysql.create_database('$db', '$user', 'localhost');
+ EOF
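Review bot: `$db` and `$user` are spliced into the SQL string literals unescaped, so an argument containing `'` breaks or rewrites the statement; even for an admin-only tool a whitelist up front is cheap: `case $db$user in (*[!A-Za-z0-9_]*) echo "bad identifier" >&2; exit 1;; esac`. `mysql.create_database` is a local stored procedure not shown here, so its grants are where the real privilege boundary lies — a comment pointing at its definition would help. `-x` in the shebang traces every statement, which is fine as long as the procedure never takes a password argument.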
--- /dev/null
+#!/bin/sh -eux
+user="$1"
+sudo -u mysql mysql -u mysql --batch --verbose <<-EOF
+ CALL mysql.create_user('$user', 'localhost');
+ EOF
+sudo adduser "$user" mysql-data
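Review bot: Besides creating the MySQL account, the last line adds the Unix user to the `mysql-data` group; if that group owns the data directory (the name suggests so, but its definition is not in this hunk), membership grants file-level read of every database regardless of MySQL grants, bypassing the per-user privilege model `create_user` presumably sets up — confirm that is intended, otherwise drop the line or use a narrower group. `'$user'` is built from `$1` without validation; the same identifier whitelist as in the database-creation script belongs here.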
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/local/lib.sh
+
+sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/hostname <<-EOF
+ $vm
+ EOF
+grep -q " $vm\$" /etc/hosts ||
+sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/hosts <<-EOF
+ $(cat /etc/hosts)
+ 127.0.0.1 $vm_fqdn $vm
+ EOF
+sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/resolv.conf <<-EOF
+ search ${vm_host#*.}
+ nameserver ${vm_host_nameserver}
+ EOF
+m4 \
+ --define=VM_IPV4=$vm_ipv4 \
+ <"$tool"/etc/network/interfaces.m4 |
+sudo install -m 640 -o root -g root /dev/stdin \
+ /etc/network/interfaces
--- /dev/null
+#!/bin/sh -efu
+# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
+sudo /bin/sh -e -f -u -c \
+ 'case $(/usr/bin/passwd --status "$SUDO_USER") in ("$SUDO_USER L "*) /usr/bin/passwd $SUDO_USER;; esac'
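Review bot: The `passwd --status` check keys off the `L` (locked) state, and `passwd -l`/`usermod -L` produce exactly that state, so an admin who locks a sudoer's password has not locked them out: the user can run `passwd-init` and set a fresh password through the NOPASSWD rule — as far as I can tell the same holds for `--disabled-password` accounts, which is the intended case. Document this in the header (`# NOTE: also re-enables a password locked with passwd -l; a real lockout needs account expiry and key removal`). The command string here must stay byte-identical (after whitespace tokenisation) to the `sudoers.d/passwd-init` rule installed by `user-configure`, or sudo will silently stop matching; a comment cross-referencing the two files guards against that drift.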
--- /dev/null
+#!/bin/sh -eux
+db="$1"
+owner="${2:-$db}"
+sudo -u postgres psql template1 -a -f - <<-EOF
+ \set ON_ERROR_STOP on
+ DO LANGUAGE plpgsql \$\$
+ BEGIN
+ IF NOT EXISTS (
+ SELECT *
+ FROM pg_catalog.pg_user
+ WHERE usename = '$owner'
+ LIMIT 1
+ ) THEN
+ CREATE ROLE $owner
+ LOGIN
+ NOCREATEDB
+ NOCREATEROLE
+ NOINHERIT
+ NOSUPERUSER;
+ END IF;
+ END;
+ \$\$;
+ EOF
+case $(sudo -u postgres psql template1 -t -c \
+ "SELECT datname FROM pg_catalog.pg_database WHERE datname = '$db' LIMIT 1") in
+ (" $db") true;;
+ (*)
+ sudo -u postgres psql template1 -a -f - <<-EOF
+ \set ON_ERROR_STOP on
+ CREATE DATABASE $db WITH OWNER=$owner;
+ EOF
+ ;;
+ esac
+sudo -u postgres psql template1 -a -f - <<-EOF
+ \set ON_ERROR_STOP on
+ REVOKE ALL ON DATABASE $db FROM public;
+ EOF
+sudo -u postgres psql "$db" -a -f - <<-EOF
+ \set ON_ERROR_STOP on
+ GRANT ALL ON SCHEMA public TO $owner WITH GRANT OPTION;
+ EOF
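Review bot: `$db` and `$owner` are pasted into SQL as unquoted identifiers and into the `'$owner'` string literal, so an argument with a quote or space breaks or alters the statement; validate once at the top with `case $db$owner in (*[!A-Za-z0-9_]*) echo "bad identifier" >&2; exit 1;; esac` (or use `quote_ident` inside the `DO` block). The existence check `(" $db")` depends on `psql -t` padding the column with one leading space; `psql -tA -c …` with `("$db")` removes that coupling. `GRANT ALL ON SCHEMA public TO $owner WITH GRANT OPTION` lets the owner delegate schema rights to other roles; if that is not wanted, drop `WITH GRANT OPTION`.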
--- /dev/null
+#!/bin/sh -eux
+user="$1"
+db="${2-}"
+sudo -u postgres psql "${db-}" -a -f - <<-EOF
+ \set ON_ERROR_STOP on
+ DO LANGUAGE plpgsql \$\$
+ BEGIN
+ IF NOT EXISTS (
+ SELECT *
+ FROM pg_catalog.pg_user
+ WHERE usename = '$user'
+ LIMIT 1
+ ) THEN
+ CREATE ROLE $user
+ LOGIN
+ NOCREATEDB
+ NOCREATEROLE
+ NOINHERIT
+ NOSUPERUSER;
+ END IF;
+ END;
+ \$\$;
+ GRANT USAGE ON SCHEMA public TO $user;
+ ${db:+GRANT CONNECT,TEMPORARY ON DATABASE $db TO $user;}
+ EOF
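Review bot: When no database is given, `psql "${db-}"` still connects (to whatever an empty argument resolves to — libpq's default database, I believe) and `GRANT USAGE ON SCHEMA public TO $user` runs there, so the role gains usage on that database's public schema rather than nothing; only the last line is guarded with `${db:+…}`. Guard the grant the same way, `${db:+GRANT USAGE ON SCHEMA public TO $user;}`, and pass the database only when set: `psql ${db:+"$db"} -a -f -`. `$user`/`$db` reach SQL unvalidated, as in the sibling postgres script; the same identifier whitelist applies.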
--- /dev/null
+#!/bin/sh -eu
+# SYNTAX: $sv [...] -- $sv_options
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/local/lib.sh
+
+"$tool"/local/apt-get-install runit
+if test $# = 0
+ then
+ set +x
+ sudo sv status \
+ $(sudo find /etc/sv \
+ -mindepth 1 -maxdepth 1 -type d \
+ -printf '%p\n' | sort)
+ else
+ services=
+ while [ $# -gt 0 ]
+ do case $1 in
+ (--) shift; break;;
+ (*) services="$services ${1#etc/sv/}"; shift;;
+ esac
+ done
+ #for sv in $(sudo find /etc/sv \
+ # -mindepth 1 -maxdepth 1 -type d \
+ # -false $(printf -- '-or -name %s\n' $services) \
+ # -printf '%f\n')
+ # do
+ # case $(sudo sv stop "$sv" | tee /dev/stderr) in
+ # (*": runsv not running") true;;
+ # (*": unable to open supervise/ok: file does not exist") true;;
+ # ("ok: down:"*) true;;
+ # (*) false;;
+ # esac
+ # done
+ for sv in $(find "$tool"/etc/sv \
+ -mindepth 1 -maxdepth 1 -type d \
+ -false $(printf -- '-or -name %s\n' $services) \
+ -printf '%f\n')
+ do
+ "$tool"/local/runit-sv-configure "$sv" "$@"
+ "$tool"/local/runit-sv-start "$sv"
+ done
+ #sleep 3
+ #sudo find -L /etc/service -type l -delete
+ fi
--- /dev/null
+#!/bin/sh -eu
+# SYNTAX: $sv [...] -- $configure_options
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/local/lib.sh
+
+sv="$1"; shift
+sudo install -d -m 770 -o root -g root \
+ /etc/sv/"$sv"
+sudo install -m 770 -o root -g root \
+ "$tool"/etc/sv/"$sv"/run \
+ /etc/sv/"$sv"/run
+if test -e "$tool"/etc/sv/"$sv"/log/run
+ then
+ sudo install -d -m 770 -o root -g root \
+ /etc/sv/"$sv"/log
+ sudo install -m 770 -o root -g root \
+ "$tool"/etc/sv/"$sv"/log/run \
+ /etc/sv/"$sv"/log/run
+ fi
+(
+test ! -r "$tool"/etc/sv/"$sv"/local.sh ||
+. "$tool"/etc/sv/"$sv"/local.sh || return 1
+)
+(
+test ! -r "$tool"/etc/sv/"$sv"/log/local.sh ||
+. "$tool"/etc/sv/"$sv"/log/local.sh || return 1
+)
+sudo ln -fns \
+ ../sv/"$sv" \
+ /etc/service/"$sv"
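Review bot: `. "$tool"/etc/sv/"$sv"/local.sh || return 1` inside `( … )` uses `return` outside a function, which dash and bash handle differently; `|| exit 1` in the subshell is unambiguous and still aborts the script through `-e`. `$sv` comes from argv straight into `/etc/sv/"$sv"` and the symlink target, so a value with `/` escapes the directory; `case $sv in (*/*|.*) exit 1;; esac` after the `shift` closes that. `run` scripts installed `-m 770 -o root -g root` are executed by runsv as root, so the group-write bit buys nothing; `-m 750` matches the least-privilege used elsewhere.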
--- /dev/null
+#!/bin/sh -eu
+# SYNTAX: $sv
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/local/lib.sh
+
+sv="$1"
+while true
+ do case $(sudo sv restart "$sv" | tee /dev/stderr) in
+ (*": runsv not running") sleep 1;;
+ (*": unable to open supervise/ok: file does not exist") sleep 1;;
+ (*) break;;
+ esac
+ done
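Review bot: The retry loop never gives up: if runsvdir is not running (runit freshly installed, or `/etc/service/$sv` not linked), `sv restart` keeps answering `runsv not running` and the script spins forever, which in `configure` blocks everything after `runit-configure`. Bound the loop and fail loudly instead. The `$(… | tee /dev/stderr)` form also discards `sv`'s exit status, so any reply that is not one of the two known strings — including `fail:`/`timeout:` lines — is treated as success by the `(*) break;;` arm; matching `ok:*` explicitly turns those into errors.
```shell
tries=0
while true
  do case $(sudo sv restart "$sv" | tee /dev/stderr) in
  (*": runsv not running"|*": unable to open supervise/ok: file does not exist")
    tries=$((tries+1))
    test "$tries" -lt 30 || { echo "runsv for $sv not up after $tries tries" >&2; exit 1; }
    sleep 1;;
  ("ok:"*) break;;
  (*) exit 1;;
  esac
  done
```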
--- /dev/null
+#!/bin/sh -eu
+# SYNTAX: $sv
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/local/lib.sh
+
+sv="$1"
+while true
+ do case $(sudo sv start "$sv" | tee /dev/stderr) in
+ (*": runsv not running") sleep 1;;
+ (*": unable to open supervise/ok: file does not exist") sleep 1;;
+ (*) break;;
+ esac
+ done
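Review bot: Same unbounded retry as `runit-sv-restart`: while runsvdir is down or the service directory is not linked, `sv start` answers `runsv not running` forever and this script never returns. Count attempts in the two retry arms, e.g. `tries=$((${tries:-0}+1)); test "$tries" -lt 30 || exit 1` before each `sleep 1`, and treat output other than `ok:*` as a failure rather than falling into `(*) break`.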
--- /dev/null
+#!/bin/sh -eu
+# SYNTAX: $sv [...] -- $configure_options
+# DOC: http://shorewall.net/Introduction.html
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/local/lib.sh
+
+"$tool"/local/apt-get-install shorewall
+sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/default/shorewall <<-EOF
+ INITLOG=/dev/null
+ OPTIONS=""
+ RESTARTOPTIONS=""
+ SAFESTOP=0
+ STARTOPTIONS=""
+ startup=1
+ EOF
+for conf in "$tool"/etc/shorewall/*
+ do conf=${conf#"$tool"/etc/shorewall/}
+ sudo test ! -f "$tool"/etc/shorewall/"$conf" ||
+ sudo install -m 640 -o root -g root \
+ "$tool"/etc/shorewall/"$conf" \
+ /etc/shorewall/"$conf"
+ done
+sudo install -d -m 750 -o root -g root \
+ /etc/shorewall/macro.d
+for conf in "$tool"/etc/shorewall/macro.d/*
+ do conf=${conf#"$tool"/etc/shorewall/macro.d/}
+ sudo test ! -f "$tool"/etc/shorewall/macro.d/"$conf" ||
+ sudo install -m 640 -o root -g root \
+ "$tool"/etc/shorewall/macro.d/"$conf" \
+ /etc/shorewall/macro.d/"$conf"
+ done
+sudo install -d -m 750 -o root -g root \
+ /etc/shorewall/action.d
+#for conf in "$tool"/etc/shorewall/action.d/*
+# do conf=${conf#"$tool"/etc/shorewall/action.d/}
+# sudo test ! -f "$tool"/etc/shorewall/action.d/"$conf" ||
+# sudo install -m 640 -o root -g root \
+# "$tool"/etc/shorewall/action.d/"$conf" \
+# /etc/shorewall/action.d/"$conf"
+# done
+#sudo shorewall safe-restart
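Review bot: The rule files are copied into `/etc/shorewall` and `startup=1` arms the firewall at boot, but nothing validates or loads them (`safe-restart` is commented out), so a typo in `rules` or `policy` surfaces only at the next reboot, when shorewall refuses to start and the host comes up either open or unreachable depending on `SAFESTOP` and the init script. Running `sudo shorewall check` after the copy loops catches syntax errors now at no risk; `safe-restart` can stay optional since it wants an interactive confirmation. `sudo test ! -f "$tool"/etc/shorewall/"$conf"` uses sudo for a read on the admin's own checkout, harmless but unnecessary.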
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/local/lib.sh
+
+for conf in "$tool"/etc/sysctl.d/*.conf
+ do conf=${conf#"$tool"/etc/sysctl.d/}
+ sudo install -m 660 -o root -g root \
+ "$tool"/etc/sysctl.d/"$conf" \
+ /etc/sysctl.d/"$conf"
+ done
+sudo install -m 660 -o root -g root /dev/stdin \
+ /etc/sysctl.d/local-kernel-name.conf <<-EOF
+ kernel.hostname = $vm_hostname
+ kernel.domainname = $vm_domainname
+ EOF
+sudo sysctl --system
--- /dev/null
+#!/bin/sh -eu
+# SYNTAX: $user
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/local/lib.sh
+
+user="$1"; shift
+"$tool"/local/adduser "$user" --disabled-password "$@"
+ # NOTE: le mot-de-passe doit être initialisé par l'utilisateur à l'aide de passwd-init .
+eval home="~$user"
+sudo adduser "$user" users
+sudo install -m 640 -o "$user" -g "$user" \
+ "$tool"/var/pub/ssh/"$user".key \
+ "$home"/etc/ssh/authorized_keys
+gpg \
+ --homedir "$tool"/var/pub/openpgp/ \
+ --no-default-keyring \
+ --secret-keyring /dev/null \
+ --export |
+sudo -u "$user" gpg --import -
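Review bot: `sudo -u "$user" gpg --import -` depends on sudo resetting `HOME` to the target user's home; Debian's sudoers keeps or resets `HOME` depending on version and the `always_set_home` setting, and if it is kept gpg writes into the invoking admin's `~/.gnupg` (or fails on permissions) instead of `$home/etc/gpg`. `sudo -H -u "$user" gpg --import -` removes that dependency; the same applies in `user-admin-add` and `user-root-configure`. Here `authorized_keys` is owned by the user (640 `$user:$user`) whereas `user-admin-add` installs it root-owned — if the difference is deliberate (plain users may add keys, admins must go through the repo), a comment on the `install` line would record it.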
--- /dev/null
+#!/bin/sh -eu
+# SYNTAX: $user
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/local/lib.sh
+
+"$tool"/local/user-configure
+user=$1
+"$tool"/local/adduser "$user" --disabled-password
+eval home="~$user"
+sudo adduser "$user" sudo
+sudo install -m 640 -o root -g root \
+ "$tool"/var/pub/ssh/"$user".key \
+ "$home"/etc/ssh/authorized_keys
+gpg \
+ --homedir "$tool"/var/pub/openpgp/ \
+ --no-default-keyring \
+ --secret-keyring /dev/null \
+ --export |
+sudo -u "$user" gpg --import -
+"$tool"/local/initramfs-configure
+"$tool"/local/user-root-configure
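Review bot: Adding an admin here also rebuilds the initramfs and root's `authorized_keys`, so the new key can unlock the disk and log in as root directly; there is no visible counterpart that removes a key, and because `initramfs-configure`/`user-root-configure` regenerate from the current `sudo` group, revocation means deleting the user from `sudo` and re-running both — a header comment listing those steps (or a `user-admin-del` script) keeps revocation as easy as enrolment. `sudo -u "$user" gpg --import -` should be `sudo -H -u …` so gpg targets `$home/etc/gpg` regardless of sudo's `HOME` policy. `user-configure` is re-run in full on every admin addition, which re-sources every `etc/user.d/*/local.sh`; fine if those are idempotent, worth stating.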
--- /dev/null
+#!/bin/sh -eu
+# SYNTAX: $user
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/local/lib.sh
+
+"$tool"/local/apt-get-install bash-completion
+sudo install -m 660 -o root -g root \
+ "$tool"/etc/adduser.conf \
+ /etc/adduser.conf
+sudo install -d -m 750 -o root -g root \
+ /etc/skel \
+ /etc/skel/etc \
+ /etc/skel/etc/gpg \
+ /etc/skel/etc/ssh
+sudo install -d -m 770 -o root -g root \
+ /etc/skel/var \
+ /etc/skel/var/cache \
+ /etc/skel/var/log \
+ /etc/skel/var/run \
+ /etc/skel/var/run/ssh
+sudo ln -fns etc/ssh /etc/skel/.ssh
+sudo ln -fns etc/gpg /etc/skel/.gnupg
+sudo install -m 640 -o root -g root /dev/stdin \
+ /etc/sudoers.d/passwd-init <<-EOF
+ %sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
+ case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
+ ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
+ EOF
+sudo install -m 640 -o root -g root /dev/stdin \
+ /etc/sudoers.d/etckeeper-unclean <<-EOF
+ %sudo ALL=(ALL) NOPASSWD: /usr/bin/etckeeper unclean
+ EOF
+sudo install -m 640 -o root -g root /dev/stdin \
+ /etc/sudoers.d/env_keep <<-EOF
+ Defaults env_keep = " \\
+ EDITOR \\
+ GIT_AUTHOR_NAME \\
+ GIT_AUTHOR_EMAIL \\
+ GIT_COMMITTER_NAME \\
+ GIT_COMMITTER_EMAIL \\
+ "
+ EOF
+sudo install -m 755 -o root -g root \
+ "$tool"/local/passwd-init \
+ /usr/local/bin/passwd-init
+sudo install -m 644 -o root -g root \
+ "$tool"/etc/bash.bashrc \
+ /etc/bash.bashrc
+sudo install -m 644 -o root -g root \
+ "$tool"/etc/inputrc \
+ /etc/inputrc
+sudo install -m 644 -o root -g root \
+ "$tool"/etc/screenrc \
+ /etc/screenrc
+for sh in "$tool"/etc/user.d/*/local.sh
+ do sh=${sh#"$tool"/etc/user.d/}
+ user="${sh%/local.sh}"
+ (
+ . "$tool"/etc/user.d/"$sh" || return 1
+ )
+ done
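Review bot: The three `/etc/sudoers.d/*` drop-ins are installed `-m 640`, but sudo refuses sudoers files whose mode has bits beyond 0440 (it logs `… is mode 0640, should be 0440` and skips the file), so as far as I can tell neither the `passwd-init` NOPASSWD rule nor `env_keep` is ever in effect — use `-m 440` on those three `install` calls and verify with `sudo visudo -c -f /etc/sudoers.d/passwd-init`. `Defaults env_keep = "…"` (assignment) replaces whatever earlier sudoers fragments added; `Defaults env_keep += "…"` is the additive form. Keeping `EDITOR` across sudo is only safe because no NOPASSWD rule invokes an editor; note that beside the list so a future `sudoedit`-style rule does not turn it into a root shell.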
--- /dev/null
+#!/bin/sh -eu
+# SYNTAX: $user
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/local/lib.sh
+
+sudo install -d -m 750 -o root -g root \
+ /root/etc \
+ /root/etc/gpg \
+ /root/etc/ssh
+sudo ln -fns etc/gpg /root/.gnupg
+sudo ln -fns etc/ssh /root/.ssh
+getent group sudo |
+while IFS=: read -r group x x users
+ do while test -n "$users" && IFS=, read -r user users <<-EOF
+ $users
+ EOF
+ do eval home="~$user"
+ sudo cat "$home"/etc/ssh/authorized_keys
+ done
+ done |
+sudo install -m 640 -o root -g root /dev/stdin \
+ /root/etc/ssh/authorized_keys
+gpg \
+ --homedir "$tool"/var/pub/openpgp/ \
+ --no-default-keyring \
+ --secret-keyring /dev/null \
+ --export |
+sudo gpg --import -
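Review bot: This makes every member of `sudo` able to ssh straight in as root (root's `authorized_keys` is the union of their keys), so a lost admin key is root immediately and without the sudo audit line; if that trade-off is intended it should be stated in a header comment, and sshd's `PermitRootLogin` (set in `ssh-configure`, not visible here) should be `without-password` at most. `sudo gpg --import -` inherits sudo's `HOME` handling; `sudo -H gpg --import -` pins it to `/root` so the keys land in `/root/etc/gpg`. The `getent group sudo | while …` pipeline runs in a subshell, so the `eval home=` inside clobbers nothing — fine, but a comment would spare the reader the check.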
--- /dev/null
+#!/bin/sh -eu
+# SYNTAX: $user
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/local/lib.sh
+
+"$tool"/local/adduser www \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/www \
+ --shell /bin/false \
+ --system
+"$tool"/local/adduser log-www \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/www/log \
+ --shell /bin/false \
+ --system
+#sudo adduser www www-data
+sudo adduser www log-www
+#sudo adduser log log-www
+usermod --home /home/www/pub www-data
+sudo install -d -m 751 -o www -g www \
+ /home/www
+sudo install -d -m 750 -o www -g www \
+ /home/www/etc
+sudo install -d -m 1771 -o www-data -g www-data \
+ /home/www/pub
+sudo install -d -m 1771 -o log-www -g log-www \
+ /home/www/log
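Review bot: `usermod --home /home/www/pub www-data` is the only privileged call in this script without `sudo`, so from the admin account it fails with permission denied and `-e` aborts before the directories below are created; prefix it with `sudo`. `/home/www/pub` is 1771 `www-data:www-data` and `/home/www` is 751, so any local user can traverse into `pub` (not list it) — intended for a web root, but a comment stating that nothing private may live there keeps it that way. The `# SYNTAX: $user` header is copied from the user scripts and does not apply here; drop it.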
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+subkey_caps="e s" \
+"$tool"/remote/gpg-gen-key "backup+$vm_hostname@$vm_domainname" <<-EOF
+ Name-Real: $vm_fqdn
+ Name-Email: backup+$vm_hostname@$vm_domainname
+ Name-Comment: (duplicity)
+ Expire-Date: 0
+ EOF
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+gpg --export-options export-reset-subkey-passwd \
+ --export-secret-subkeys "backup+$vm_hostname@$vm_domainname" |
+"$tool"/remote/ssh gpg --import -
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+git remote rm host || true
+git remote add host $vm_host:src/vm
+git config --replace remote.host.push HEAD:refs/remotes/master
+git remote rm local || true
+git remote add local $vm_fqdn:src/vm
+git config --replace remote.local.push HEAD:refs/remotes/master
+git submodule update --init
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+remote=${1:-$vm_fqdn}; shift
+GIT_SSH="$tool"/remote/ssh git push -v "$remote" "$@"
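Review bot: `remote=${1:-$vm_fqdn}; shift` can never use its default: when no argument is given there is nothing to shift, `shift` fails, and under `sh -eu` the script dies in exactly the case the default was written for. Use `remote=${1:-$vm_fqdn}; test $# = 0 || shift` (or the `${1+shift}` idiom the deleted vm_host script used).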
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+LANG=C gpg --no-permission-warning --homedir "$tool"/var/pub/openpgp "$@"
--- /dev/null
+#!/bin/sh -eu
+# DESCRIPTION: génère une clef OpenPGP primaire pour $uid et une clef secondaire par $subkey_caps
+# SYNTAX: $uid
+# ENV: $gpg_options
+# ENV: $subkey_caps
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+uid="$1"
+install -d -m 700 \
+ var/pub/openpgp
+install -d -m 700 \
+ var/sec \
+ var/sec/openpgp
+if test ! -e "$tool"/var/sec/openpgp/"$uid".pass.gpg
+ then gpg --encrypt $gpg_options -o "$tool"/var/sec/openpgp/"$uid".pass.gpg <<-EOF
+ $(stdbuf --output 0 tr -d -c '[:alnum:][:punct:]' <"${random:-/dev/urandom}" | head -c 42)
+ EOF
+ fi
+if ! "$tool"/remote/gpg --list-keys -- "$uid" >/dev/null
+ then
+ "$tool"/remote/gpg --batch --gen-key
+ # DOC: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=doc/DETAILS;hb=refs/heads/STABLE-BRANCH-1-4
+ Key-Type: RSA
+ Key-Length: 4096
+ Key-Usage: sign
+ Passphrase:$(gpg --decrypt ${gpg_options-} "$tool"/var/sec/openpgp/"$uid".pass.gpg)
+ Preferences: TWOFISH AES256 CAST5 BLOWFISH CAMELLIA256 3DES SHA512 SHA384 SHA256 SHA224 SHA1 BZIP2 ZLIB ZIP NONE MDC NO-KS-MODIFY
+ $(cat -)
+ %commit
+ EOF
+ fi
+caps=$(
+ "$tool"/remote/gpg --with-colons --fixed-list-mode --with-fingerprint --list-secret-keys \
+ -- "$uid" |
+ sed -e 's/^ssb\(:[^:]*\)\{11\}.*/\1/;t;d'
+ )
+for cap in ${subkey_caps:-}
+ do
+ test ! "$caps" = "$(printf %s "$caps" | sed -e 's/'"$cap"'//g')" ||
+ printf '%s\n' 8 s e $cap q 4096 ${expire:-0} save |
+ "$tool"/remote/gpg --keyid-format "long" --with-colons --fixed-list-mode --expert \
+ --passphrase-fd 3 --command-fd 0 --edit-key "$uid" addkey 3<<-EOF
+ $(gpg --decrypt ${gpg_options-} "$tool"/var/sec/openpgp/"$uid".pass.gpg)
+ EOF
+ done
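Review bot: The `--gen-key` call has no here-document redirection: `"$tool"/remote/gpg --batch --gen-key` is followed by the parameter lines up to `EOF`, but without `<<-EOF` on that line the shell runs `Key-Type: RSA` and the rest as commands, and the `$(gpg --decrypt ...)` on the Passphrase line executes in the script's own shell — unless the redirection was lost in rendering. Write `"$tool"/remote/gpg --batch --gen-key <<-EOF`, as the `gpg --encrypt` line above does. Also, that encrypt line uses bare `$gpg_options` where the two decrypt lines use `${gpg_options-}`: under `set -u` an unset `gpg_options` aborts the first and is tolerated by the others; since the header lists `$gpg_options` as an ENV variable, `${gpg_options-}` throughout matches the intent.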
--- /dev/null
+. "$tool"/etc/local.sh
+set -x
+test ! "$(hostname --fqdn)" = "$vm_fqdn"
+test ! "$(hostname --fqdn)" = "$vm_host"
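Review bot: The two `test !` lines are guards, not configuration, and nothing says what they guard; a mismatch stops every remote/* script under `-e` with no message beyond the trace. A comment above them such as `# remote/* runs on the admin workstation: refuse to run on the VM itself or on its host` would explain the silent exit. The unconditional `set -x` means every remote/* command has its arguments traced, so secrets must stay on stdin or in here-documents as the scripts in this diff currently do; stating that next to the `set -x` keeps it that way.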
--- /dev/null
+#!/bin/sh -eu
+# DESCRIPTION: sauvegarde localement les entêtes des partitions chiffrées.
+# SYNTAX: ${gpg_options:---recipient $USER@}
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+test $# -gt 0 || set -- --recipient "$USER@"
+for part in root var home
+ do
+ mkdir -p var/sec/luks
+ "$tool"/remote/ssh -l root ' \
+ set -e -f -u;
+ exec 2>/dev/null;
+ tmp=$(mktemp -t "luks.'"$part"'.XXXXXXXX.tmp" --dry-run);
+ cryptsetup luksHeaderBackup >/dev/null \
+ /dev/'"$vm_lvm_vg"'/'"$vm_lvm_lv"'_'"$part"' \
+ --header-backup-file "$tmp"; \
+ cat "$tmp";
+ shred >/dev/null --remove "$tmp"; \
+ ' |
+ gpg "$@" --encrypt \
+ -o var/sec/luks/${vm_lvm_lv}_${part}.luks.gpg
+ done
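Review bot: A failed remote backup still overwrites `var/sec/luks/${vm_lvm_lv}_${part}.luks.gpg`: the remote script runs under `exec 2>/dev/null`, so cryptsetup or shred errors are never seen, and because `/bin/sh -eu` has no pipefail the pipeline's status is gpg's, which encrypts whatever partial bytes it received and exits 0. Drop the `exec 2>/dev/null;` line, and encrypt to a temporary name (`-o "$out".tmp` then `mv`) that replaces the previous good backup only once the ssh stage is known to have exited 0; in POSIX sh that status has to be carried out of the pipeline through a spare descriptor, or the script could use a shell that offers `pipefail`. The `mkdir -p var/sec/luks` can also move out of the loop.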
--- /dev/null
+#!/bin/sh -eu
+# DESCRIPTION: envoie la clef de déchiffrement des partitions au démarrage de la VM.
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+gpg --decrypt "$tool"/var/sec/luks/$vm_fqdn.key.gpg |
+"$tool"/remote/ssh root@$vm_fqdn "$@" \
+ -o CheckHostIP=no \
+ -o HostKeyAlias=init.$vm_fqdn \
+ tee /lib/cryptsetup/passfifo \>/dev/null
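Review bot: `-o HostKeyAlias=init.$vm_fqdn` and `-o CheckHostIP=no` carry the security of this step and have no comment: the passphrase is sent to the early-boot ssh server (presumably the initramfs dropbear configured elsewhere in this diff), whose host key is not the booted system's, so the alias selects the separate `init.$vm_fqdn` entry in the known_hosts that remote/ssh enforces with `StrictHostKeyChecking=yes`. Suggested comment above the ssh call: `# the initramfs ssh server has its own host key: match the init.$vm_fqdn entry of etc/openssh/known_hosts, not the system's`. The escaped `\>/dev/null` is deliberate so the redirection happens on the remote side; a short comment there would stop someone from "fixing" it.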
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+mosh --ssh="$tool/remote/ssh ${ssh_options-}" -- $vm_fqdn "$@"
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+mkdir -p "$tool"/var/backup/mysql
+"$tool"/remote/ssh -l backup '
+ for db in $(sudo -u backup mysql -u backup --skip-column-names <<-EOF
+ SELECT schema_name
+ FROM information_schema.schemata
+ WHERE schema_name NOT IN ("information_schema", "performance_schema");
+ EOF
+ ); do
+ echo $db
+ done
+ '
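Review bot: The remote loop only prints each schema name (`echo $db`), so the `var/backup/mysql` directory created just before is never written to; if this is a stub, mark it as one, e.g. `# TODO: dump each schema into var/backup/mysql` on the mkdir line. When the dump is added, quote `$db` where it reaches the dump command, since it is unquoted in the loop already.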
--- /dev/null
+#!/bin/sh -eu
+# SYNTAX: $sv [...] -- $sv_options
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+if test $# = 0
+ then
+ set +x
+ "$tool"/remote/ssh sudo sv status \
+ $(sudo find /etc/sv \
+ -mindepth 1 -maxdepth 1 -type d \
+ -printf '%p\n' | sort)
+ else
+ services=
+ while [ $# -gt 0 ]
+ do case $1 in
+ (--) shift; break;;
+ (*) services="$services ${1#etc/sv/}"; shift;;
+ esac
+ done
+ for sv in $(find "$tool"/etc/sv \
+ -mindepth 1 -maxdepth 1 -type d \
+ -false $(printf -- '-or -name %s\n' $services) \
+ -printf '%f\n')
+ do
+ (
+ test ! -r "$tool"/etc/sv/"$sv"/remote.sh ||
+ . "$tool"/etc/sv/"$sv"/remote.sh || return 1
+ )
+ done
+ fi
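Review bot: In the no-argument branch, `$(sudo find /etc/sv ...)` is expanded by the local shell before `remote/ssh` runs, so it lists /etc/sv on the admin workstation (and runs sudo there), not on the VM — unless that is intended, which the rest of the script (the else branch reads the tool's own etc/sv) does not suggest. If the list is meant to come from the VM, hand the substitution over as part of the remote command, single-quoted so it expands there: `"$tool"/remote/ssh 'sudo sv status $(sudo find /etc/sv -mindepth 1 -maxdepth 1 -type d | sort)'`. The `set +x` above it only matters because lib.sh turns tracing on for every script.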
--- /dev/null
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+site="$1"; shift
+gpg --decrypt "$tool"/var/sec/x509/"$site"/key.pass.gpg |
+openssl rsa -passin 'stdin' \
+ -in var/sec/x509/"$site"/key.pem \
+ -out '/dev/stdout'
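Review bot: `-in var/sec/x509/"$site"/key.pem` is relative to the current directory while the passphrase line above reads the same tree through `"$tool"/var/sec/...`; run from anywhere but the tool root, gpg finds the passphrase and openssl cannot find the key. Use `-in "$tool"/var/sec/x509/"$site"/key.pem`. A `# DESCRIPTION:` line stating that the output on stdout is the unencrypted private key would also help a caller decide where it may be piped.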
--- /dev/null
+#!/bin/sh -eux
+tool=${0%/*}/..
+ssh \
+ -o StrictHostKeyChecking=yes \
+ -o UserKnownHostsFile="$tool"/etc/openssh/known_hosts \
+ -o HashKnownHosts=no \
+ "$@"
--- /dev/null
+#!/bin/sh
+set -e -f -u
+tool=${0%/*}/..
+gpg --decrypt "$tool"/var/sec/ssh/$SSH_ID.pass.gpg
--- /dev/null
+#!/bin/sh -eux
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+"$tool"/remote/ssh \
+ -o CheckHostIP=no \
+ -o HashKnownHosts=no \
+ -o StrictHostKeyChecking=no \
+ whoami
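Review bot: `-o StrictHostKeyChecking=no` here goes through `remote/ssh`, which already passes `-o StrictHostKeyChecking=yes` before `"$@"`; if ssh keeps the first value it obtains for an option, as it does for configuration files, the `no` is silently ignored, and if it does not, this connectivity probe becomes the one script that accepts an unknown host key against the pinned known_hosts. Either way the line should go: a new VM's host key belongs in etc/openssh/known_hosts after out-of-band verification, not accepted on first contact by a `whoami` check. `-o HashKnownHosts=no` repeats what the wrapper already sets and can be dropped as well.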
+++ /dev/null
-#!/bin/sh
-set -e -f ${DRY_RUN:+-n} -u
-tool=${0%/*}
-. "$tool"/lib/rule.sh
-. "$tool"/etc/vm.sh
-export TRACE=1
-
-rule_help () { # SYNTAX: [--hidden]
- local hidden; [ ${1:+set} ] || hidden=set
- cat >&2 <<-EOF
- DESCRIPTION:
- ce script regroupe des règles pour administrer la VM ($vm_fqdn)
- _depuis_ son hôte ($vm_host) ;
- il sert à la fois d'outil (aisément bidouillable)
- et de documentation (préçise).
- Voir \`$tool/vm_hosted' pour les règles côté VM hébergée.
- SYNTAX: $0 \$RULE \${RULE}_SYNTAX
- RULES:
- $(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
- ENVIRONMENT:
- TRACE # affiche les commandes avant leur exécution
- $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
- EOF
- }
-
-readonly vm_dev_disk=/dev/mapper/domU-$(printf %s "$vm_fqdn-disk" | sed -e 's/-/--/g')
-readonly vm_dev_disk_boot="${vm_dev_disk}1"
-
-rule_git_configure () {
- (
- cd "$tool"
- git config --replace branch.master.remote .
- git config --replace branch.master.merge refs/remotes/master
- local tool
- tool=$(cd "$tool"; cd -)
- install -m 770 /dev/stdin .git/hooks/post-update <<-EOF
- #!/bin/sh -efux
- case \$1 in
- (refs/remotes/master)
- cd ..
- #git --git-dir=\$PWD/.git checkout -f -B master remotes/master &&
- git --git-dir=\$PWD/.git checkout HEAD'^' &&
- git --git-dir=\$PWD/.git branch -f master remotes/master &&
- git --git-dir=\$PWD/.git checkout master
- git --git-dir=\$PWD/.git clean -f -d -x
- ;;
- esac
- EOF
- )
- }
-
-rule_vm_configure () {
- sudo install -m 644 -u root -g root /dev/stdin /etc/xen/$vm_fqdn.cfg <<-EOF
- # -*- mode: python; -*-
- # DOC: http://wiki.xen.org/wiki/Xen_Linux_PV_on_HVM_drivers
- import os, re
- name = "$vm_fqdn"
- arch = os.uname()[4]
- memory = 2048
- vcpus = 1
- pae = 1
- acpi = 1
- apic = 1
- vif = ['mac=$vm_mac,bridge=$vm_bridge']
- disk = ['phy:/dev/domU/$vm_fqdn-disk,hda,w']
- device_model = 'qemu-dm'
- # HVM :
- #kernel = "/usr/lib/xen-4.0/boot/hvmloader"
- #builder = 'hvm'
- #xen_platform_pci = 1 # NOTE: the guest VM can use optimized PV on HVM drivers
- # PV :
- #kernel = "pv-grub.gz" # NOTE: pas encore dans Debian car il ne fonctionne qu'avec grub-legacy
- #extra = "(hd0,0)/grub/grub.cfg"
- bootloader = '/usr/bin/pygrub'
-
- # boot on floppy (a), hard disk (c) or CD-ROM (d)
- #boot = 'd'
-
- #vnc = 1
- #sdl = 0
- #vncconsole = 0
- #vnclisten = "0.0.0.0"
- #vncpasswd = ""
- #usbdevice = 'tablet'
-
- keymap = 'fr'
- serial = 'pty'
- on_poweroff = 'destroy'
- on_reboot = 'restart'
- on_crash = 'restart'
- EOF
- }
-rule_vm_start () {
- test ! -e /dev/domU/$vm_fqdn-disk1
- sudo xm create $vm_fqdn.cfg
- rule vm_attach
- }
-rule_vm_attach () {
- assert '! pgrep -f "sudo xm console $vm_fqdn"'
- info 'Ctrl-] pour se détacher de la console'
- sudo xm console $vm_fqdn
- }
-rule_vm_stop () {
- sudo xm shutdown $vm_fqdn
- }
-rule_vm_stop_force () {
- sudo xm destroy $vm_fqdn
- }
-
-rule_disk_mount () { # DESCRIPTION: montage du disque de la VM depuis l'hôte
- sudo kpartx -a -v /dev/domU/$vm_fqdn-disk
- #sudo xm block-attach 0 phy:/dev/domU/$vm_fqdn-disk $vm_dev_disk w
- }
-rule_disk_umount () { # DESCRIPTION: démontage du disque de la VM depuis l'hôte
- rule part_boot_umount
- case $vm_use_lvm in
- (yes)
- rule part_lvm_umount
- ;;
- (no)
- rule part_root_umount
- rule part_var_umount
- rule part_home_umount
- ;;
- (*) exit 1;;
- esac
- sudo kpartx -d -v /dev/domU/$vm_fqdn-disk
- #sudo xm block-detach 0 $vm_dev_disk
- # XXX: DANGEREUX ; si jamais il bloque parce que le disque était encore utilisé :
- # utiliser xm block-detach 0 $vm_dev_disk --force ;
- # ôter les éventuels mappages LVM concernés avec dmsetup table et dmsetup remove --force ;
- # ôter les mappages concernés dans /etc/lvm/cache/.cache,
- # et pour bien trouver tous les mappages :
- # % sudo find /dev -type l -exec sh -c 'printf "%s -> " "$@"; readlink "$@"' - {} \; | grep $vm_dev_disk
- # enfin, ôter l'éventuel verrou dans /var/lock/lvm/
- }
-
-case $vm_use_lvm in
- (no)
- readonly vm_dev_disk_swap="${vm_dev_disk}5"
- readonly vm_dev_disk_root="${vm_dev_disk}6"
- readonly vm_dev_disk_var="${vm_dev_disk}7"
- readonly vm_dev_disk_home="${vm_dev_disk}8"
- ;;
- (yes)
- readonly vm_lvm_pv="${vm_dev_disk}2"
- readonly vm_dev_disk_swap=/dev/$vm_lvm_vg/${vm_lvm_lv}_swap
- readonly vm_dev_disk_root=/dev/$vm_lvm_vg/${vm_lvm_lv}_root
- readonly vm_dev_disk_var=/dev/$vm_lvm_vg/${vm_lvm_lv}_var
- readonly vm_dev_disk_home=/dev/$vm_lvm_vg/${vm_lvm_lv}_home
- ;;
- (*) exit 1;;
- esac
-
-rule_disk_format () { # DESCRIPTION: partitionnage du disque de la VM
- case $vm_use_lvm in
- (no)
- sudo sfdisk $vm_dev_disk <<-EOF
- # partition table of $vm_dev_disk
- unit: sectors
-
- ${vm_dev_disk}1 : start= 63, size= 497952, Id=83, bootable
- ${vm_dev_disk}2 : start= 498015, size=418927005, Id= 5
- ${vm_dev_disk}3 : start= 0, size= 0, Id= 0
- ${vm_dev_disk}4 : start= 0, size= 0, Id= 0
- ${vm_dev_disk}5 : start= 498078, size= 1959867, Id=82
- ${vm_dev_disk}6 : start= 2458008, size= 29302497, Id=83
- ${vm_dev_disk}7 : start= 31760568, size= 9767457, Id=83
- ${vm_dev_disk}8 : start= 41528088, size=377896932, Id=83
- EOF
- ;;
- (yes)
- sudo sfdisk $vm_dev_disk <<-EOF
- # partition table of $vm_dev_disk
- unit: sectors
-
- ${vm_dev_disk}1 : start= 63, size= 497952, Id=83, bootable
- ${vm_dev_disk}2 : start= 498015, size=418927005, Id=8E
- EOF
- ;;
- (*) exit 1;;
- esac
- #sudo partprobe $vm_dev_disk
- sudo kpartx -u -v /dev/domU/$vm_fqdn-disk
- }
-
-rule_part_lvm_format () {
- rule part_lvm_umount
- ! sudo vgs | grep -q "^ $vm_lvm_vg " ||
- sudo vgremove $vm_lvm_vg
- sudo pvcreate --dataalignment 512k $vm_lvm_pv
- sudo vgcreate --dataalignment 512k $vm_lvm_vg $vm_lvm_pv
- sudo lvcreate --contiguous y -n ${vm_lvm_lv}_swap -L 1G $vm_lvm_vg
- sudo lvcreate --contiguous y -n ${vm_lvm_lv}_root -L 15G $vm_lvm_vg
- sudo lvcreate --contiguous y -n ${vm_lvm_lv}_var -L 5G $vm_lvm_vg
- sudo lvcreate --contiguous y -n ${vm_lvm_lv}_home -l 99%FREE $vm_lvm_vg
- rule part_lvm_umount
- }
-rule_part_lvm_mount () {
- case $vm_use_lvm in
- (yes)
- sudo vgchange -a y $vm_lvm_vg
- ;;
- (*) exit 1;;
- esac
- }
-rule_part_lvm_umount () {
- case $vm_use_lvm in
- (yes)
- rule part_root_umount
- rule part_var_umount
- rule part_home_umount
- ! sudo vgs | grep -q "^ $vm_lvm_vg " ||
- sudo vgchange -a n $vm_lvm_vg
- ;;
- (*) exit 1;;
- esac
- }
-
-rule_part_randomize () { # SYNTAX: $part # NOTE: à anticiper
- local part="$1"
- eval "sudo dd if=/dev/urandom of=\$vm_dev_disk_$part"
- }
-rule_part_randomize_stat () { # SYNTAX: $part # DESCRIPTION: fait afficher la progression de rule_part_randomize
- local part="$1"
- eval "pkill -USR1 -f \"^dd if=/dev/urandom of=\$vm_dev_disk_$part\""
- }
-rule__part_encrypted_format () { # SYNTAX: $part # DESCRIPTION: formatage d'une partition distincte de /
- # NOTE: la clef de chiffrement est dérivée de celle de /,
- # / doit être déchiffrée pour que cela fonctionne.
- local part="$1"
- eval "local dev=\"\$vm_dev_disk_$part\""
- test ! -e /dev/mapper/${vm_lvm_lv}_root_deciphered ||
- sudo /bin/sh -c "/lib/cryptsetup/scripts/decrypt_derived ${vm_lvm_lv}_root_deciphered |
- cryptsetup luksFormat --hash=sha512 --key-size=512 \
- --cipher=aes-xts-essiv:sha256 --key-file=- --align-payload=8 $dev"
- }
-rule__part_encrypted_mount () { # SYNTAX: $part
- local part="$1"
- eval "local dev=\"\$vm_dev_disk_$part\""
- test -e /dev/mapper/${vm_lvm_lv}_${part}_deciphered ||
- sudo /bin/sh -c "/lib/cryptsetup/scripts/decrypt_derived ${vm_lvm_lv}_root_deciphered |
- cryptsetup luksOpen --key-file=- $dev ${vm_lvm_lv}_${part}_deciphered"
- }
-rule__part_encrypted_umount () { # SYNTAX: $part
- local part="$1"
- eval "local dev=\"\$vm_dev_disk_$part\""
- test ! -e /dev/mapper/${vm_lvm_lv}_${part}_deciphered ||
- sudo cryptsetup luksClose ${vm_lvm_lv}_${part}_deciphered
- }
-
-rule_part_root_format () {
- if ! mount | grep -q "^$vm_dev_disk_root "
- then
- sudo cryptsetup luksFormat --hash=sha512 --key-size=512 \
- --cipher=aes-xts-essiv:sha256 --align-payload=8 $vm_dev_disk_root
- sudo cryptsetup luksOpen $vm_dev_disk_root ${vm_lvm_lv}_root_deciphered
- sudo mke2fs -t ext4 -c -c -m 5 -T ext4 -b $vm_e2fs_block_size \
- -E resize=30G${vm_e2fs_extended_options} \
- -L ${vm_lvm_lv}_root \
- /dev/mapper/${vm_lvm_lv}_root_deciphered
- ! mountpoint -q /mnt/$vm_fqdn
- sudo mount -v /dev/mapper/${vm_lvm_lv}_root_deciphered /mnt/$vm_fqdn
- sudo install -d -m 770 -o root -g root \
- /mnt/$vm_fqdn/boot \
- /mnt/$vm_fqdn/dev \
- /mnt/$vm_fqdn/home \
- /mnt/$vm_fqdn/proc \
- /mnt/$vm_fqdn/root \
- /mnt/$vm_fqdn/root/src \
- /mnt/$vm_fqdn/root/src/$vm \
- /mnt/$vm_fqdn/sys \
- /mnt/$vm_fqdn/var
- sudo umount -v /mnt/$vm_fqdn
- sudo cryptsetup luksClose ${vm_lvm_lv}_root_deciphered
- fi
- }
-rule_part_root_mount () {
- test -e /dev/mapper/${vm_lvm_lv}_root_deciphered ||
- sudo cryptsetup luksOpen $vm_dev_disk_root ${vm_lvm_lv}_root_deciphered
- mountpoint -q /mnt/$vm_fqdn ||
- sudo mount -v -t ext4 /dev/mapper/${vm_lvm_lv}_root_deciphered /mnt/$vm_fqdn
- }
-rule_part_root_umount () {
- ! mountpoint -q /mnt/$vm_fqdn ||
- sudo umount -v /mnt/$vm_fqdn
- ! test -e /dev/mapper/${vm_lvm_lv}_root_deciphered ||
- sudo cryptsetup luksClose ${vm_lvm_lv}_root_deciphered
- }
-rule_part_swap_format () {
- rule _part_encrypted_format swap
- rule _part_encrypted_mount swap
- sudo mkswap -f -L ${vm_lvm_lv}_swap \
- /dev/mapper/${vm_lvm_lv}_swap_deciphered
- rule _part_encrypted_umount swap
- }
-rule_part_boot_format () {
- mount | grep -q "^$vm_dev_disk_boot " ||
- sudo mke2fs -t ext2 -c -c -m 5 -T small \
- -E resize=1G${vm_e2fs_extended_options} \
- -L ${vm_lvm_lv}_boot $vm_dev_disk_boot
- }
-rule_part_boot_mount () {
- mountpoint -q /mnt/$vm_fqdn
- test -d /mnt/$vm_fqdn/boot
- mountpoint -q /mnt/$vm_fqdn/boot ||
- sudo mount -v -t ext2 $vm_dev_disk_boot /mnt/$vm_fqdn/boot
- }
-rule_part_boot_umount () {
- ! mountpoint -q /mnt/$vm_fqdn/boot ||
- sudo umount -v /mnt/$vm_fqdn/boot
- }
-rule_part_var_format () {
- rule _part_encrypted_format var
- rule _part_encrypted_mount var
- sudo mke2fs -t ext4 -c -c -m 5 -T ext4 -b $vm_e2fs_block_size \
- -E resize=10G${vm_e2fs_extended_options} \
- -L ${vm_lvm_lv}_var \
- /dev/mapper/${vm_lvm_lv}_var_deciphered
- rule _part_encrypted_umount var
- }
-rule_part_var_mount () {
- rule _part_encrypted_mount var
- mountpoint -q /mnt/$vm_fqdn/var ||
- sudo mount -v -t ext4 /dev/mapper/${vm_lvm_lv}_var_deciphered /mnt/$vm_fqdn/var
- }
-rule_part_var_umount () {
- ! mountpoint -q /mnt/$vm_fqdn/var ||
- sudo umount -v /mnt/$vm_fqdn/var
- rule _part_encrypted_umount var
- }
-rule_part_home_format () {
- rule _part_encrypted_format home
- rule _part_encrypted_mount home
- sudo mke2fs -t ext4 -c -c -m 0 -T ext4 -b $vm_e2fs_block_size \
- -E resize=400G${vm_e2fs_extended_options} \
- -L ${vm_lvm_lv}_home \
- /dev/mapper/${vm_lvm_lv}_home_deciphered
- # NOTE: -O quota pas supporté par e2fsprogs/squeeze
- rule _part_encrypted_umount home
- }
-rule_part_home_mount () {
- rule _part_encrypted_mount home
- mountpoint -q /mnt/$vm_fqdn/home ||
- sudo mount -v -t ext4 /dev/mapper/${vm_lvm_lv}_home_deciphered /mnt/$vm_fqdn/home
- }
-rule_part_home_umount () {
- ! mountpoint -q /mnt/$vm_fqdn/home ||
- sudo umount -v /mnt/$vm_fqdn/home
- rule _part_encrypted_umount home
- }
-
-rule_debian_install () {
- rule disk_mount
- rule part_lvm_mount
- rule part_root_mount
- rule part_boot_mount
- rule part_var_mount
- sudo DEBOOTSTRAP_DIR=/usr/share/debootstrap/ LANG=C LC_CTYPE=C debootstrap \
- --arch=$vm_arch --verbose --keyring=/usr/share/keyrings/debian-archive-keyring.gpg \
- --exclude=vim-tiny \
- --include=$(printf '%s,' \
- acl \
- bsdmainutils \
- busybox \
- ca-certificates \
- console-setup \
- cryptsetup \
- dash \
- dnsutils \
- dropbear \
- etckeeper \
- git-core \
- gnupg \
- hashalot \
- htop \
- ifupdown \
- initramfs-tools \
- kbd \
- less \
- locales \
- lvm2 \
- m4 \
- mosh \
- molly-guard \
- ncurses-term \
- openssh-client \
- openssh-server \
- openssl \
- pciutils \
- procps \
- quota \
- quotatool \
- rsync \
- screen \
- sudo \
- sysprofile \
- vim-nox \
- wget \
- zsh \
- ) \
- $vm_lsb_name /mnt/$vm_fqdn/ \
- http://ftp.fr.debian.org/debian/
- rule part_var_umount
- rule part_boot_umount
- rule part_root_umount
- }
-
-rule_chroot () {
- rule disk_mount
- rule part_lvm_mount
- rule part_root_mount
- rule part_boot_mount
- rule part_var_mount
- #rule_part_home_mount
- mountpoint -q /mnt/$vm_fqdn/proc ||
- sudo mount -t proc proc /mnt/$vm_fqdn/proc
- mountpoint -q /mnt/$vm_fqdn/sys ||
- sudo mount -t sysfs sys /mnt/$vm_fqdn/sys
- mountpoint -q /mnt/$vm_fqdn/dev ||
- sudo mount --bind /dev /mnt/$vm_fqdn/dev
- if test -d /mnt/$vm_fqdn/root/src/vm/.git
- then
- mountpoint -q /mnt/$vm_fqdn/root/src/vm ||
- sudo mount --bind "$tool" /mnt/$vm_fqdn/root/src/vm
- else
- sudo rsync -a "$tool"/ /mnt/$vm_fqdn/root/src/vm
- fi
- sudo chroot /mnt/$vm_fqdn /bin/bash || true
- rule _chroot_clean
- }
-rule__chroot_clean () {
- ! sudo mountpoint -q /mnt/$vm_fqdn/root/src/vm ||
- sudo umount -v /mnt/$vm_fqdn/root/src/vm
- ! mountpoint -q /mnt/$vm_fqdn/dev ||
- sudo umount -v /mnt/$vm_fqdn/dev
- ! mountpoint -q /mnt/$vm_fqdn/sys ||
- sudo umount -v /mnt/$vm_fqdn/sys
- ! mountpoint -q /mnt/$vm_fqdn/proc ||
- sudo umount -v /mnt/$vm_fqdn/proc
- rule part_home_umount
- rule part_var_umount
- rule part_boot_umount
- rule part_root_umount
- rule disk_umount
- }
-
-rule=${1:-help}
-${1+shift}
-case $rule in
- (help);;
- (*)
- assert 'test "$(hostname --fqdn)" = "$vm_host"' vm_host
- ;;
- esac
-rule $rule "$@"
+++ /dev/null
-#!/bin/sh
-set -e -f ${DRY_RUN:+-n} -u
-tool=$0
-while test -L "$tool"
- do tool=$(readlink "$tool")
- done
-tool=${tool%/*}
-. "$tool"/lib/rule.sh
-. "$tool"/etc/vm.sh
-export TRACE=1
-
-rule_help () { # SYNTAX: [--hidden]
- local hidden; [ ${1:+set} ] || hidden=set
- cat >&2 <<-EOF
- DESCRIPTION:
- ce script regroupe des règles pour administrer la VM ($vm_fqdn)
- _depuis_ la VM hébergée ($vm_fqdn) ;
- il sert à la fois d'outil (aisément bidouillable)
- et de documentation (préçise).
- Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
- SYNTAX: $0 \$RULE \${RULE}_SYNTAX
- RULES:
- $(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
- ENVIRONMENT:
- TRACE # affiche les commandes avant leur exécution
- $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
- EOF
- }
-
-rule_git_configure () {
- (
- cd "$tool"
- git config --replace branch.master.remote .
- git config --replace branch.master.merge refs/remotes/master
- local tool
- tool=$(cd "$tool"; cd -)
- install -m 770 /dev/stdin .git/hooks/post-update <<-EOF
- #!/bin/sh -efux
- case \$1 in
- (refs/remotes/master)
- cd ..
- git --git-dir=\$PWD/.git checkout -f -B master remotes/master
- git --git-dir=\$PWD/.git clean -f -d -x
- ;;
- esac
- EOF
- )
- }
-rule_git_reset () {
- (
- cd "$tool"
- git checkout -f -B master remotes/master
- git clean -f -d -x
- )
- }
-
-rule_adduser () {
- local user="$1"; shift
- getent passwd "$user" >/dev/null ||
- sudo adduser "$@" "$user"
- }
-rule_apt_get_install () { # SYNTAX: $package
- sudo \
- DEBIAN_FRONTEND=noninteractive \
- DEBIAN_PRIORITY=low \
- apt-get install --yes "$@"
- }
-rule_dpkg_reconfigure () { # SYNTAX: $package
- sudo \
- DEBIAN_FRONTEND=noninteractive \
- DEBIAN_PRIORITY=low \
- dpkg-reconfigure "$@"
- }
-
-rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
- export LANG=C
- export LC_CTYPE=C
- . /etc/profile
- }
-
-rule_apache2_configure () { # XXX: cette règle n'est pas testée/mise-à-jour
- local -; set +f
- rule apt_get_install \
- apache2-mpm-itk \
- libapache2-mod-php5
- # VOIR: http://serverfault.com/questions/383526/how-do-i-select-which-apache-mpm-to-use/383634#383634
- # VOIR: http://jkroon.blogs.uls.co.za/it/security/using-php-fpm-and-mod_proxy_fcgi-to-optimize-and-secure-lamp-servers
- # NOTE: apache2-mpm-itk semble le plus sécurisé,
- # car on est certain que tout est exécuté avec les uid/gid
- # assignés au VirtualHost/Directory/Location
- # néamoins il se peut qu'une combinaison du genre :
- # apache2-mpm-{worker,event} + mod_proxy_fcgi + apache2-suexec-custom + php-fpm
- # soit plus performante (threads et pas forks),
- # cependant l'usage de suexec impose des forks il semble..
- # et mod_proxy_fcgi n'apparaît que dans apache 2.4 ;
- # donc pour l'instant : apache2-mpm-itk
- sudo rm -rf \
- /etc/apache2/site.d
- sudo install -d -m 770 -o www -g www \
- /etc/apache2 \
- /etc/apache2/site.d \
- /etc/apache2/x509.d
- cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF |
- ServerName "$vm_fqdn"
- EOF
- sudo install -m 660 -o root -g root /dev/stdin \
- /etc/apache2/apache2.conf
- sudo install -m 660 -o root -g root \
- "$tool"/etc/apache2/envvars \
- /etc/apache2/envvars
- sudo install -m 660 -o root -g root \
- "$tool"/etc/apache2/httpd.conf \
- /etc/apache2/httpd.conf
- #sudo install -m 660 -o root -g root /dev/stdin \
- # /etc/apache2/suexec/www-data <<-EOF
- # /home
- # pub/www/cgi
- # EOF
- sudo install -m 660 -o root -g root \
- "$tool"/etc/apache2/ports.conf \
- /etc/apache2/ports.conf
- sudo a2enmod actions
- sudo a2enmod headers
- sudo a2enmod rewrite
- sudo a2enmod ssl
- sudo a2enmod userdir
- local conf
- sudo a2dissite "*"
- sudo ln -fns \
- /etc/apache2 \
- /home/www/etc/apache2
- for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf
- do conf=${conf#"$tool"/etc/apache2/site.d/}
- local site=${conf%/VirtualHost.conf}
- case $site in
- (*-tls)
- local hint="run vm_remote apache2_key_send before"
- assert "sudo test -f /etc/apache2/site.d/\"$site\"/x509/key.pem" hint
- sudo install -d -m 770 -o www-"$site" -g www-"$site" \
- /etc/apache2 \
- /etc/apache2/site.d/"$site" \
- /etc/apache2/x509.d/"$site" \
- /etc/apache2/x509.d/"$site"/ca \
- /etc/apache2/x509.d/"$site"/empty \
- /etc/apache2/x509.d/"$site"/rvk \
- /etc/apache2/x509.d/"$site"/usr
- sudo install -m 664 -o www -g www \
- "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
- /etc/apache2/x509.d/"$site"/crt.self-signed.pem
- #sudo install -m 664 -o www-"$site" -g www-"$site" \
- # "$tool"/var/pub/x509/"$site"/rvk.pem \
- # /etc/apache2/x509.d/"$site"/rvk.pem
- sudo install -m 664 -o www -g www \
- "$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \
- /etc/apache2/x509.d/"$site"/ca/crt.pem
- sudo install -m 664 -o www -g www \
- "$tool"/var/pub/x509/"$site"/crt.pem \
- /etc/apache2/x509.d/"$site"/crt.pem
- ;;
- esac
- case $site in
- (*-tls)
- cat <<-EOF
- <IfModule mod_ssl.c>
- <VirtualHost *:$port>
- AssignUserID www-$site www-$site
- BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0
- BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
- CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined
- #CustomLog "/dev/null" Combined
- DocumentRoot /home/www/pub/$site
- ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60"
- #ErrorLog "/dev/null"
- LogLevel Warn
- SSLCACertificateFile /etc/apache2/x509.d/$site/crt.self-signed.pem
- SSLCACertificatePath /etc/apache2/x509.d/$site/usr/
- #SSLCARevocationFile /etc/apache2/x509.d/$site/rvk.pem
- SSLCADNRequestFile /etc/apache2/x509.d/$site/crt.self-signed.pem
- SSLCADNRequestPath /etc/apache2/x509.d/$site/empty/
- # NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés
- SSLCARevocationPath /etc/apache2/x509.d/$site/rvk/
- SSLCertificateChainFile /etc/apache2/x509.d/$site/ca/crt.pem
- SSLCertificateFile /etc/apache2/x509.d/$site/crt.pem
- SSLCertificateKeyFile /etc/apache2/x509.d/$site/key.pem
- SSLCipherSuite AES+RSA+SHA256
- SSLEngine On
- SSLInsecureRenegotiation Off
- SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars
- SSLProtocol -All +TLSv1
- #SSLRenegBufferSize 262144
- SSLSessionCacheTimeout 1200
- SSLStrictSNIVHostCheck On
- SSLUserName SSL_CLIENT_S_DN_CN
- SSLVerifyClient None
- SSLVerifyDepth 1
- $(cat "$tool"/etc/apache2/site.d/"$site"/VirtualHost.conf)
- </VirtualHost>
- </IfModule>
- EOF
- ;;
- (*)
- cat <<-EOF
- <VirtualHost *:$port>
- AssignUserID www-$site www-$site
- CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined
- #CustomLog "/dev/null" Combined
- DocumentRoot /home/www/pub/$site
- ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60"
- #ErrorLog "/dev/null"
- LogLevel Warn
- $(cat "$tool"/etc/apache2/site.d/"$site"/VirtualHost.conf)
- </VirtualHost>
- EOF
- ;;
- esac |
- sudo install -m 660 -o root -g root /dev/stdin \
- /etc/apache2/site.d/"$site"/VirtualHost.conf
- sudo ln -fns \
- ../site.d/"$site"/VirtualHost.conf \
- /etc/apache2/sites-available/"$site"
- sudo install -d -m 770 -o www-"$site" -g www-"$site" \
- /home/www/log/"$site" \
- /home/www/log/"$site"/apache2
- sudo ln -fns \
- /etc/apache2/site.d/"$site" \
- /home/www/etc/apache2/"$site"
- test -e /home/www/pub/"$site" ||
- sudo install -d -m 2770 -o www-"$site" -g www-"$site" \
- /home/www/pub/"$site"
- rule adduser www-"$site"
- --disabled-password \
- --group \
- --no-create-home \
- --home /home/www/pub/"$site" \
- --shell /bin/false \
- --system
- #sudo setfacl -m u:"www-$site":--x \
- # /home/www/ \
- # /home/www/pub/ \
- # /home/www/pub/"$site"/
- #sudo setfacl -m d:u:"www-$site":rwx \
- # "$home"/pub/www/"$site"/
- test ! -r "$tool"/etc/apache2/site.d/"$site"/configure.sh ||
- . "$tool"/etc/apache2/site.d/"$site"/configure.sh
- test -e /etc/apache2/sites-enabled/"$site" ||
- sudo a2ensite "$site"
- done
- sudo service apache2 restart
- }
-rule_apt_configure () {
- sudo install -m 664 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
- deb http://ftp.rezopole.net/debian $vm_lsb_name main
- EOF
- sudo install -m 664 -o root -g root /dev/stdin /etc/apt/sources.list.d/$vm_lsb_name-backports.list <<-EOF
- deb http://ftp.rezopole.net/debian $vm_lsb_name-backports main
- EOF
- sudo install -m 664 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
- deb http://nightly.openerp.com/7.0/nightly/deb/ ./
- EOF
- sudo install -m 664 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
- Package: *
- Pin: release a=$vm_lsb_name
- Pin-Priority: 200
-
- Package: *
- Pin: release a=$vm_lsb_name-backports
- Pin-Priority: 170
- EOF
- sudo apt-get update
- rule apt_get_install apticron
- m4 \
- --define=VM_DOMAINNAME=$vm_domainname \
- <"$tool"/etc/apticron/apticron.conf.m4 |
- sudo install -m 644 -o root -g root /dev/stdin \
- /etc/apticron/apticron.conf
- }
-rule_boot_configure () {
- #warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
- sudo debconf-set-selections <<-EOF
- grub-pc grub-pc/install_devices multiselect
- EOF
- rule apt_get_install grub-pc
- sudo install -d -m 644 -o root -g root /boot/grub
- rule apt_get_install linux-image-$vm_arch
- sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF
- GRUB_DEFAULT=0
- GRUB_TIMEOUT=5
- GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
- GRUB_CMDLINE_LINUX_DEFAULT="quiet"
- GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
- GRUB_DISABLE_RECOVERY="true"
- #GRUB_PRELOAD_MODULES="lvm"
- EOF
- sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF
- (hd0) /dev/xvda
- (hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
- EOF
- sudo update-grub2 # NOTE: prend en compte /boot/grub/device.map
- rule initramfs_configure
- rule apt_get_install molly-guard
- sudo install -m 644 -o root -g root /dev/stdin /etc/molly-guard/rc <<-EOF
- ALWAYS_QUERY_HOSTNAME=true
- # NOTE: une alternative est de dire à sudo de conserver les SSH_*
- # néamoins demander tout le temps n'est pas trop contraignant
- # et davantage sécurisant.
- EOF
- }
-rule_duplicity_configure () {
- rule apt_get_install duplicity
- home="/home/backup"
- rule adduser backup \
- --disabled-password \
- --group \
- --home "$home" \
- --shell /bin/bash \
- --system
- sudo usermod --home "$home" backup
- sudo install -d -m 750 -o backup -g backup \
- "$home" \
- "$home"/etc \
- "$home"/etc/gpg \
- "$home"/etc/ssh
- sudo install -d -m 770 -o backup -g backup \
- "$home"/mysql \
- "$home"/postgres
- getent group sudo backup |
- while IFS=: read -r group x x users
- do while test -n "$users" && IFS=, read -r user users <<-EOF
- $users
- EOF
- do eval local home\; home="~$user"
- sudo cat "$home"/etc/ssh/authorized_keys
- done
- done |
- sudo install -m 640 -o backup -g backup /dev/stdin \
- "$home"/etc/ssh/authorized_keys
- sudo ln -fns etc/gpg "$home"/.gnupg
- #sudo adduser backup mysql-data
- #sudo adduser backup postgres-data
- }
-rule_etckeeper_configure () {
- sudo install -m 644 -o root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
- VCS=git
- GIT_COMMIT_OPTIONS=""
- AVOID_DAILY_AUTOCOMMITS=1
- #AVOID_SPECIAL_FILE_WARNING=1
- AVOID_COMMIT_BEFORE_INSTALL=1
- HIGHLEVEL_PACKAGE_MANAGER=apt
- LOWLEVEL_PACKAGE_MANAGER=dpkg
- EOF
- sudo install -m 644 -o root -g root \
- "$tool"/etc/etckeeper/prompt.sh \
- /etc/etckeeper/prompt.sh
- rule apt_get_install etckeeper
- }
-rule_filesystem_configure () {
- m4 \
- --define=VM_LVM_LV=$vm_lvm_lv \
- --define=VM_LVM_VG=$vm_lvm_vg \
- <"$tool"/etc/fstab.m4 |
- sudo install -m 644 -o root -g root /dev/stdin \
- /etc/fstab
- m4 \
- --define=VM_LVM_LV=$vm_lvm_lv \
- --define=VM_LVM_VG=$vm_lvm_vg \
- <"$tool"/etc/crypttab.m4 |
- sudo install -m 644 -o root -g root /dev/stdin \
- /etc/crypttab
- rule tmpfs_configure
- }
-rule_initramfs_configure () {
- sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
- MODULES=most
- BUSYBOX=y
- KEYMAP=y
- COMPRESS=gzip
- DEVICE=eth0
- EOF
- sudo install -m 644 -o root -g root /dev/stdin /etc/modprobe.d/xen-pv.conf <<-EOF
- alias eth0 xennet
- alias scsi_hostadapter xenblk
- EOF
- sudo install -m 644 -o root -g root /dev/stdin /etc/modules <<-EOF
- sha1_generic
- sha256_generic
- sha512_generic
- aes-x86_64
- xts
- # NOTE: pour Xen en mode HVM :
- #modprobe xen-platform-pci
- EOF
- sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF
- EOF
- sudo sed -e '/^configure_networking /s/ &$//' \
- -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
- # NOTE: corrige une vermine : dropbear doit attendre que le réseau soit configuré..
- ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
- ( while IFS= read -r line
- do case $line in (*" RSA") return 0; break;; esac
- done; return 1 ) ||
- {
- sudo rm -f \
- /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
- /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
- sudo dropbearkey -t rsa -s 4096 -f \
- /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
- }
- # NOTE: ne se préoccupe pas de dropbear_dss_host_key ; Debian la génère et l'utilise néamoins.
- sudo install -d -m 640 -o root -g root \
- /etc/initramfs-tools/root \
- /etc/initramfs-tools/root/.ssh
- getent group sudo |
- while IFS=: read -r group x x users
- do while test -n "$users" && IFS=, read -r user users <<-EOF
- $users
- EOF
- do eval local home\; home="~$user"
- sudo cat "$home"/etc/ssh/authorized_keys
- done
- done |
- sudo install -m 644 -o root -g root /dev/stdin \
- /etc/initramfs-tools/root/.ssh/authorized_keys
- sudo rm -f \
- /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
- /etc/initramfs-tools/root/.ssh/id_rsa.pub \
- /etc/initramfs-tools/root/.ssh/id_rsa
- # NOTE: clefs générées par Debian
- sudo update-initramfs -u
- }
-rule_insserv_remove () { # SYNTAX: $sv
- local sv="$1"
- #sudo chmod u+x /etc/init.d/"$sv"
- sudo insserv --force --remove "$sv"
- sudo test ! -x /etc/init.d/"$sv" ||
- sudo /etc/init.d/"$sv" stop
- sudo chmod ugo-x /etc/init.d/"$sv"
- }
-rule_gitolite_configure () {
- sudo debconf-set-selections <<-EOF
- gitolite gitolite/gituser string git
- gitolite gitolite/adminkey string
- gitolite gitolite/gitdir string /home/git
- EOF
- rule apt_get_install gitolite
- rule adduser git \
- --disabled-password \
- --group \
- --home /home/git \
- --shell /bin/bash \
- --system
- sudo chfn --full-name git git
- rule adduser log-git \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/git/log \
- --shell /bin/false \
- --system
- rule adduser git-data \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/git/pub \
- --shell /bin/false \
- --system
- sudo adduser git git-data
- sudo install -d -m 750 -o git -g git \
- /etc/gitolite \
- /home/git/etc \
- /home/git/etc/ssh
- sudo install -d -m 751 -o git -g git \
- /home/git
- sudo install -d -m 2770 -o git-data -g git-data \
- /home/git/pub
- sudo install -d -m 1771 -o git -g git \
- /home/git/log
- sudo install -d -m 2770 -o git -g log-git \
- /home/git/log/gitolite \
- /home/git/log/gitolite/perf
- sudo install -d -m 3771 -o git -g git \
- /home/git/hooks
- sudo ln -fns /etc/gitolite /home/git/etc/gitolite
- sudo ln -fns /etc/gitweb /home/git/etc/gitweb
- sudo ln -fns etc/gitolite/gitolite.rc /home/git/.gitolite.rc
- sudo ln -fns etc/ssh /home/git/.ssh
- sudo install -m 770 -o git -g git /dev/stdin \
- /home/git/etc/gitolite/gitolite.rc <<-EOF
- #\$ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary";
- #\$BIG_INFO_CAP = 20;
- #\$ENV{GL_SLAVES} = 'gitolite@server2 gitolite@server3';
- # NOTE: Please use single quotes, not double quotes.
- #\$GITWEB_URI_ESCAPE = 0;
- \$GIT_PATH = "";
- #\$GL_ADC_PATH = "";
- \$GL_ADMINDIR = \$ENV{HOME} . "/etc/gitolite";
- #\$GL_ALL_INCLUDES_SPECIAL = 0;
- #\$GL_ALL_READ_ALL = 0;
- \$GL_BIG_CONFIG = 0;
- \$GL_CONF = "\$GL_ADMINDIR/conf/gitolite.conf";
- \$GL_CONF_COMPILED = "\$GL_ADMINDIR/conf/gitolite.conf.pm";
- #\$GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups"
- \$GL_GITCONFIG_KEYS = "gitweb\\..* hooks\\..*";
- #\$GL_HOSTNAME = "git.$vm_domainname";
- # NOTE: read doc/mirroring.mkd COMPLETELY before setting this.
- #\$GL_HTTP_ANON_USER = "mob";
- \$GL_KEYDIR = "\$GL_ADMINDIR/keydir";
- \$GL_LOGT = \$ENV{HOME} . "/log/gitolite/%y-%m-%d.log";
- #\$GL_NICE_VALUE = 0;
- \$GL_NO_CREATE_REPOS = 0;
- \$GL_NO_DAEMON_NO_GITWEB = 0;
- \$GL_NO_SETUP_AUTHKEYS = 0;
- \$GL_PACKAGE_CONF = "/usr/share/gitolite/conf";
- \$GL_PACKAGE_HOOKS = "/usr/share/gitolite/hooks";
- #\$GL_PERFLOGT = \$ENV{HOME} . "/log/gitolite/perf/%y-%m-%d.log";
- #\$GL_REF_OR_FILENAME_PATT = qr(^[0-9a-zA-Z][0-9a-zA-Z._\\@/+ :,-]*\$);
- \$GL_SITE_INFO = "git.$vm_domainname";
- #\$GL_SLAVE_MODE = 0;
- \$GL_WILDREPOS = 0;
- #\$GL_WILDREPOS_DEFPERMS = 'R @all';
- \$GL_WILDREPOS_PERM_CATS = "READERS WRITERS";
- \$HTPASSWD_FILE = "";
- \$PROJECTS_LIST = \$ENV{HOME} . "/etc/gitweb/projects.list";
- \$REPO_BASE = "pub";
- \$REPO_UMASK = 0007;
- \$RSYNC_BASE = "";
- \$SVNSERVE = "";
- #\$UPDATE_CHAINS_TO = "hooks/update.secondary";
- \$WEB_INTERFACE = "gitweb";
- 1;
- EOF
- sudo install -m 600 -o git -g git \
- "$tool"/var/pub/ssh/git.key \
- /home/git/etc/ssh/git.pub
- sudo -u git \
- GL_RC=/home/git/etc/gitolite/gitolite.rc \
- GIT_AUTHOR_NAME=git \
- gl-setup -q /home/git/etc/ssh/git.pub git
- local d
- for d in doc logs src
- do test ! -d /home/git/etc/gitolite/"$d" ||
- rmdir /home/git/etc/gitolite/"$d"
- done
- }
-rule_locales_configure () {
- sudo debconf-set-selections <<-EOF
- locales locales/default_environment_locale select None
- locales locales/locales_to_be_generated multiselect fr_FR.UTF-8 UTF-8
- EOF
- rule dpkg_reconfigure locales
- }
-rule_login_configure () {
- sudo install -m 644 -o root -g root \
- "$tool"/etc/inittab \
- /etc/inittab
- sudo install -m 644 -o root -g root \
- "$tool"/etc/login.defs \
- /etc/login.defs
- grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
- sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF
- $(cat /etc/pam.d/common-session)
- session optional pam_umask.so
- EOF
- grep -q '^hvc0$' /etc/securetty ||
- sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
- $(cat /etc/securetty)
- hvc0
- EOF
- grep -q '^xvc0$' /etc/securetty ||
- sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
- $(cat /etc/securetty)
- xvc0
- EOF
- }
-rule_network_configure () {
- sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
- $vm
- EOF
- grep -q " $vm\$" /etc/hosts ||
- sudo install -m 644 -o root -g root /dev/stdin /etc/hosts <<-EOF
- $(cat /etc/hosts)
- 127.0.0.1 $vm_fqdn $vm
- EOF
- sudo install -m 644 -o root -g root /dev/stdin /etc/resolv.conf <<-EOF
- search ${vm_host#*.}
- nameserver ${vm_host_nameserver}
- EOF
- m4 \
- --define=VM_IPV4=$vm_ipv4 \
- <"$tool"/etc/network/interfaces.m4 |
- sudo install -m 640 -o root -g root /dev/stdin \
- /etc/network/interfaces
- }
-rule_runit_configure () { # SYNTAX: $sv [...] -- $configure_options
- rule apt_get_install runit
- if test $# = 0
- then
- set +x
- sudo sv status \
- $(sudo find /etc/sv \
- -mindepth 1 -maxdepth 1 -type d \
- -printf '%p\n' | sort)
- else
- local services=
- while [ $# -gt 0 ]
- do case $1 in
- (--) shift; break;;
- (*) services="$services $1"; shift;;
- esac
- done
- #for sv in $(sudo find /etc/sv \
- # -mindepth 1 -maxdepth 1 -type d \
- # -false $(printf -- '-or -name %s\n' $services) \
- # -printf '%f\n')
- # do
- # case $(sudo sv stop "$sv" | tee /dev/stderr) in
- # (*": runsv not running") true;;
- # (*": unable to open supervise/ok: file does not exist") true;;
- # ("ok: down:"*) true;;
- # (*) false;;
- # esac
- # done
- for sv in $(find "$tool"/etc/sv \
- -mindepth 1 -maxdepth 1 -type d \
- -false $(printf -- '-or -name %s\n' $services) \
- -printf '%f\n')
- do
- rule _runit_sv_configure "$sv" "$@"
- rule _runit_sv_start "$sv"
- done
- #sleep 3
- #sudo find -L /etc/service -type l -delete
- fi
- }
-rule__runit_sv_configure () { # SYNTAX: $sv $configure_options
- local sv="$1"; shift
- sudo install -d -m 770 -o root -g root \
- /etc/sv/"$sv"
- sudo install -m 770 -o root -g root \
- "$tool"/etc/sv/"$sv"/run \
- /etc/sv/"$sv"/run
- if test -e "$tool"/etc/sv/"$sv"/log/run
- then
- sudo install -d -m 770 -o root -g root \
- /etc/sv/"$sv"/log
- sudo install -m 770 -o root -g root \
- "$tool"/etc/sv/"$sv"/log/run \
- /etc/sv/"$sv"/log/run
- fi
- (
- test ! -r "$tool"/etc/sv/"$sv"/configure.sh ||
- . "$tool"/etc/sv/"$sv"/configure.sh || return 1
- )
- (
- test ! -r "$tool"/etc/sv/"$sv"/log/configure.sh ||
- . "$tool"/etc/sv/"$sv"/log/configure.sh || return 1
- )
- sudo ln -fns \
- ../sv/"$sv" \
- /etc/service/"$sv"
- }
-rule__runit_sv_restart () { # SYNTAX: $sv
- local sv="$1"
- while true
- do case $(sudo sv restart "$sv" | tee /dev/stderr) in
- (*": runsv not running") sleep 1;;
- (*": unable to open supervise/ok: file does not exist") sleep 1;;
- (*) break;;
- esac
- done
- }
-rule__runit_sv_start () { # SYNTAX: $sv
- local sv="$1"
- while true
- do case $(sudo sv start "$sv" | tee /dev/stderr) in
- (*": runsv not running") sleep 1;;
- (*": unable to open supervise/ok: file does not exist") sleep 1;;
- (*) break;;
- esac
- done
- }
-rule_shorewall_configure () {
- # DOC: http://shorewall.net/Introduction.html
- local -; set +f
- rule apt_get_install shorewall
- sudo install -m 644 -o root -g root /dev/stdin \
- /etc/default/shorewall <<-EOF
- INITLOG=/dev/null
- OPTIONS=""
- RESTARTOPTIONS=""
- SAFESTOP=0
- STARTOPTIONS=""
- startup=1
- EOF
- local conf
- for conf in "$tool"/etc/shorewall/*
- do conf=${conf#"$tool"/etc/shorewall/}
- sudo test ! -f "$tool"/etc/shorewall/"$conf" ||
- sudo install -m 640 -o root -g root \
- "$tool"/etc/shorewall/"$conf" \
- /etc/shorewall/"$conf"
- done
- sudo install -d -m 750 -o root -g root \
- /etc/shorewall/macro.d
- for conf in "$tool"/etc/shorewall/macro.d/*
- do conf=${conf#"$tool"/etc/shorewall/macro.d/}
- sudo test ! -f "$tool"/etc/shorewall/macro.d/"$conf" ||
- sudo install -m 640 -o root -g root \
- "$tool"/etc/shorewall/macro.d/"$conf" \
- /etc/shorewall/macro.d/"$conf"
- done
- sudo install -d -m 750 -o root -g root \
- /etc/shorewall/action.d
- #for conf in "$tool"/etc/shorewall/action.d/*
- # do conf=${conf#"$tool"/etc/shorewall/action.d/}
- # sudo test ! -f "$tool"/etc/shorewall/action.d/"$conf" ||
- # sudo install -m 640 -o root -g root \
- # "$tool"/etc/shorewall/action.d/"$conf" \
- # /etc/shorewall/action.d/"$conf"
- # done
- #sudo shorewall safe-restart
- }
-rule_sysctl_configure () {
- local -; set +f
- for conf in "$tool"/etc/sysctl.d/*.conf
- do conf=${conf#"$tool"/etc/sysctl.d/}
- sudo install -m 660 -o root -g root \
- "$tool"/etc/sysctl.d/"$conf" \
- /etc/sysctl.d/"$conf"
- done
- sudo install -m 660 -o root -g root /dev/stdin \
- /etc/sysctl.d/local-kernel-name.conf <<-EOF
- kernel.hostname = $vm_hostname
- kernel.domainname = $vm_domainname
- EOF
- sudo sysctl --system
- }
-rule_tmpfs_configure () {
- sudo install -m 644 -o root -g root /dev/stdin /etc/default/tmpfs <<-EOF
- LOCK_SIZE=5242880 # NOTE: 5MiB
- RAMLOCK=yes
- RAMSHM=yes
- RAMTMP=yes
- RUN_SIZE=10%
- SHM_SIZE=
- TMP_MODE=1777,nr_inodes=1000k,noatime
- TMP_OVERFLOW_LIMIT=1024
- # NOTE: mount tmpfs on /tmp if there is less than the limit size (in kiB)
- # on the root filesystem (overriding RAMTMP).
- TMP_SIZE=200m
- TMPFS_SIZE=20%VM
- EOF
- }
-rule_user_add () { # SYNTAX: $user
- local user="$1"; shift
- rule adduser "$user" --disabled-password "$@"
- # NOTE: le mot-de-passe doit être initialisé par l'utilisateur à l'aide de passwd-init .
- eval local home\; home="~$user"
- sudo adduser "$user" users
- sudo install -m 640 -o "$user" -g "$user" \
- "$tool"/var/pub/ssh/"$user".key \
- "$home"/etc/ssh/authorized_keys
- gpg \
- --homedir "$tool"/var/pub/openpgp/ \
- --no-default-keyring \
- --secret-keyring /dev/null \
- --export |
- sudo -u "$user" gpg --import -
- }
-rule_user_configure () {
- rule apt_get_install bash-completion
- sudo install -m 660 -o root -g root \
- "$tool"/etc/adduser.conf \
- /etc/adduser.conf
- sudo install -d -m 750 -o root -g root \
- /etc/skel \
- /etc/skel/etc \
- /etc/skel/etc/gpg \
- /etc/skel/etc/ssh
- sudo install -d -m 770 -o root -g root \
- /etc/skel/var \
- /etc/skel/var/cache \
- /etc/skel/var/log \
- /etc/skel/var/run \
- /etc/skel/var/run/ssh
- sudo ln -fns etc/ssh /etc/skel/.ssh
- sudo ln -fns etc/gpg /etc/skel/.gnupg
- sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
- %sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
- case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
- ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
- EOF
- sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF
- %sudo ALL=(ALL) NOPASSWD: /usr/bin/etckeeper unclean
- EOF
- sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/env_keep <<-EOF
- Defaults env_keep = " \\
- EDITOR \\
- GIT_AUTHOR_NAME \\
- GIT_AUTHOR_EMAIL \\
- GIT_COMMITTER_NAME \\
- GIT_COMMITTER_EMAIL \\
- "
- EOF
- sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF
- #!/bin/sh -efu
- # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
- sudo /bin/sh -e -f -u -c \
- 'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
- EOF
- sudo install -m 644 -o root -g root \
- "$tool"/etc/bash.bashrc \
- /etc/bash.bashrc
- sudo install -m 644 -o root -g root \
- "$tool"/etc/inputrc \
- /etc/inputrc
- sudo install -m 644 -o root -g root \
- "$tool"/etc/screenrc \
- /etc/screenrc
- local sh; local -; set +f
- for sh in "$tool"/etc/user.d/*/configure.sh
- do sh=${sh#"$tool"/etc/user.d/}
- local user="${sh%/configure.sh}"
- (
- . "$tool"/etc/user.d/"$sh" || return 1
- )
- done
- }
-rule_user_admin_add () { # SYNTAX: $user
- rule user_configure
- local user=$1
- rule adduser "$user" --disabled-password
- eval local home\; home="~$user"
- sudo adduser "$user" sudo
- sudo install -m 640 -o root -g root \
- "$tool"/var/pub/ssh/"$user".key \
- "$home"/etc/ssh/authorized_keys
- gpg \
- --homedir "$tool"/var/pub/openpgp/ \
- --no-default-keyring \
- --secret-keyring /dev/null \
- --export |
- sudo -u "$user" gpg --import -
- rule user_admin_configure
- }
-rule_user_admin_configure () {
- rule initramfs_configure
- rule user_root_configure
- }
-rule_user_root_configure () {
- sudo install -d -m 750 -o root -g root \
- /root/etc \
- /root/etc/gpg \
- /root/etc/ssh
- sudo ln -fns etc/gpg /root/.gnupg
- sudo ln -fns etc/ssh /root/.ssh
- getent group sudo |
- while IFS=: read -r group x x users
- do while test -n "$users" && IFS=, read -r user users <<-EOF
- $users
- EOF
- do eval local home\; home="~$user"
- sudo cat "$home"/etc/ssh/authorized_keys
- done
- done |
- sudo install -m 640 -o root -g root /dev/stdin \
- /root/etc/ssh/authorized_keys
- gpg \
- --homedir "$tool"/var/pub/openpgp/ \
- --no-default-keyring \
- --secret-keyring /dev/null \
- --export |
- sudo gpg --import -
- }
-rule__www_configure () {
- rule adduser www \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/www \
- --shell /bin/false \
- --system
- rule adduser log-www \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/www/log \
- --shell /bin/false \
- --system
- #sudo adduser www www-data
- sudo adduser www log-www
- #sudo adduser log log-www
- usermod --home /home/www/pub www-data
- sudo install -d -m 751 -o www -g www \
- /home/www
- sudo install -d -m 750 -o www -g www \
- /home/www/etc
- sudo install -d -m 1771 -o www-data -g www-data \
- /home/www/pub
- sudo install -d -m 1771 -o log-www -g log-www \
- /home/www/log
- }
-rule_configure () {
- rule apt_configure
- rule git_configure
- rule etckeeper_configure
- rule locales_configure
- rule time_configure
- rule network_configure
- rule filesystem_configure
- rule login_configure
- rule ssh_configure
- rule user_root_configure
- rule boot_configure
- rule sysctl_configure
- rule user_configure
- rule gitolite_configure
- rule shorewall_configure
- rule runit_configure
- }
-
-rule_luks_key_change () {
- sudo cryptsetup luksChangeKey /dev/$vm_lvm_vg/${vm_lvm_lv}_root
- }
-
-rule=${1:-help}
-${1+shift}
-case $rule in
- (help);;
- (*)
- assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
- cd /
- ;;
- esac
-rule $rule "$@"
+++ /dev/null
-#!/bin/sh
-set -e -f ${DRY_RUN:+-n} -u
-tool=$(readlink -e "${0%/*}")
-. "$tool"/lib/rule.sh
-. "$tool"/etc/vm.sh
-TRACE=1
-
-rule_help () { # SYNTAX: [--hidden]
- local hidden; [ ${1:+set} ] || hidden=set
- cat >&2 <<-EOF
- DESCRIPTION:
- ce script regroupe des règles pour administrer la VM ($vm_fqdn)
- _depuis_ une machine distante ;
- il sert à la fois d'outil (aisément bidouillable)
- et de documentation (préçise).
- Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
- Voir \`$tool/vm_hosted' pour les règles côté VM hébergée ($vm_fqdn).
- SYNTAX: $0 \$RULE \${RULE}_SYNTAX
- RULES:
- $(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
- ENVIRONMENT:
- TRACE # affiche les commandes avant leur exécution
- $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
- EOF
- }
-
-rule_git_configure () { # DESCRIPTION: configure ./.git correctement
- (
- cd "$tool"
- git remote rm host || true
- git remote add host $vm_host:src/vm
- git config --replace remote.host.push HEAD:refs/remotes/master
- git remote rm hosted || true
- git remote add hosted $vm_fqdn:src/vm
- git config --replace remote.hosted.push HEAD:refs/remotes/master
- git submodule update --init
- )
- }
-rule_git_push () { # SYNTAX: {host|hosted} $git_push_options
- (
- cd "$tool"
- local remote=${1#remote=}; shift
- GIT_SSH=./lib/ssh git push -v "$remote" "$@"
- )
- }
-
-rule_ssh () {
- "$tool"/lib/ssh $vm_fqdn "$@"
- }
-rule_mosh () {
- mosh --ssh="$tool/lib/ssh ${ssh-}" -- $vm_fqdn "$@"
- }
-rule__ssh_known_hosts_update () {
- rule ssh \
- -o StrictHostKeyChecking=no \
- -o CheckHostIP=no \
- -o HashKnownHosts=no \
- whoami
- }
-
-rule__x509_site_key_decrypt () { # SYNTAX: $site
- local site="$1"; shift
- gpg --decrypt "$tool"/var/sec/x509/"$site"/key.pass.gpg |
- openssl rsa -passin 'stdin' \
- -in var/sec/x509/"$site"/key.pem \
- -out '/dev/stdout'
- }
-
-rule_luks_key_send () { # DESCRIPTION: envoie la clef de déchiffrement des partitions au démarrage de la VM.
- gpg --decrypt var/sec/luks/$vm_fqdn.key.gpg |
- "$tool"/lib/ssh root@$vm_fqdn "$@" \
- -o CheckHostIP=no \
- -o HostKeyAlias=init.$vm_fqdn \
- tee /lib/cryptsetup/passfifo \>/dev/null
- }
-rule_luks_key_backup () { # SYNTAX: ${gpg_options:---recipient $USER@} DESCRIPTION: sauvegarde localement les entêtes des partitions chiffrées.
- test "${*+set}" || set -- --recipient "$USER@"
- for part in root var home
- do
- mkdir -p var/sec/luks
- rule ssh -l root ' \
- set -e -f -u;
- exec 2>/dev/null;
- tmp=$(mktemp -t "luks.'"$part"'.XXXXXXXX.tmp" --dry-run);
- cryptsetup luksHeaderBackup >/dev/null \
- /dev/'"$vm_lvm_vg"'/'"$vm_lvm_lv"'_'"$part"' \
- --header-backup-file "$tmp"; \
- cat "$tmp";
- shred >/dev/null --remove "$tmp"; \
- ' |
- gpg "$@" --encrypt \
- -o var/sec/luks/${vm_lvm_lv}_${part}.luks.gpg
- done
- }
-
-rule_gitolite_git () {
- (
- cd "$tool"/etc/gitolite
- GIT_SSH=../../lib/ssh \
- ssh-agent sh -c ' \
- SSH_ASKPASS='"$tool"'/lib/ssh-pass \
- SSH_ID=git \
- ssh-add '"$tool"'/var/sec/ssh/git </dev/null && \
- git '"$*"
- )
- }
-rule_runit_configure () { # SYNTAX: $sv [...] -- $configure_options
- if test $# = 0
- then
- set +x
- rule ssh sudo sv status \
- $(sudo find /etc/sv \
- -mindepth 1 -maxdepth 1 -type d \
- -printf '%p\n' | sort)
- else
- local services=
- while [ $# -gt 0 ]
- do case $1 in
- (--) shift; break;;
- (*) services="$services $1"; shift;;
- esac
- done
- for sv in $(find "$tool"/etc/sv \
- -mindepth 1 -maxdepth 1 -type d \
- -false $(printf -- '-or -name %s\n' $services) \
- -printf '%f\n')
- do
- rule _runit_sv_configure "$sv" "$@"
- done
- fi
- }
-rule__runit_sv_configure () { # SYNTAX: $sv $configure_options
- local sv="$1"; shift
- (
- test ! -r "$tool"/etc/sv/"$sv"/remote.sh ||
- . "$tool"/etc/sv/"$sv"/remote.sh || return 1
- )
- }
-
-
-rule_duplicity_configure () {
- subkey_caps="e s" \
- rule gpg_gen_key "backup+$vm_hostname@$vm_domainname" <<-EOF
- Name-Real: $vm_fqdn
- Name-Email: backup+$vm_hostname@$vm_domainname
- Name-Comment: (duplicity)
- Expire-Date: 0
- EOF
- }
-rule_duplicity_key_send () {
- gpg --export-options export-reset-subkey-passwd \
- --export-secret-subkeys "backup+$vm_hostname@$vm_domainname" |
- rule ssh gpg --import -
- }
-rule_gpg () { # SYNTAX: $gpg_options
- LANG=C gpg --no-permission-warning --homedir "$tool"/var/pub/openpgp "$@"
- }
-rule_gpg_gen_key () { # SYNTAX: $uid ENV: $gpg_options
- local uid="$1"
- install -d -m 700 \
- var/pub/openpgp
- install -d -m 700 \
- var/sec \
- var/sec/openpgp
- if test ! -e "$tool"/var/sec/openpgp/"$uid".pass.gpg
- then gpg --encrypt $gpg_options -o "$tool"/var/sec/openpgp/"$uid".pass.gpg <<-EOF
- $(stdbuf --output 0 tr -d -c '[:alnum:][:punct:]' <"${random:-/dev/urandom}" | head -c 42)
- EOF
- fi
- if ! rule gpg --list-keys -- "$uid" >/dev/null
- then
- rule gpg --batch --gen-key
- # DOC: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=doc/DETAILS;hb=refs/heads/STABLE-BRANCH-1-4
- Key-Type: RSA
- Key-Length: 4096
- Key-Usage: sign
- Passphrase:$(gpg --decrypt ${gpg_options-} "$tool"/var/sec/openpgp/"$uid".pass.gpg)
- Preferences: TWOFISH AES256 CAST5 BLOWFISH CAMELLIA256 3DES SHA512 SHA384 SHA256 SHA224 SHA1 BZIP2 ZLIB ZIP NONE MDC NO-KS-MODIFY
- $(cat -)
- %commit
- EOF
- fi
- caps=$(
- rule gpg --with-colons --fixed-list-mode --with-fingerprint --list-secret-keys \
- -- "$uid" |
- sed -e 's/^ssb\(:[^:]*\)\{11\}.*/\1/;t;d'
- )
- for cap in ${subkey_caps:-}
- do
- test ! "$caps" = "$(printf %s "$caps" | sed -e 's/'"$cap"'//g')" ||
- printf '%s\n' 8 s e $cap q 4096 ${expire:-0} save |
- rule gpg --keyid-format "long" --with-colons --fixed-list-mode --expert \
- --passphrase-fd 3 --command-fd 0 --edit-key "$uid" addkey 3<<-EOF
- $(gpg --decrypt ${gpg_options-} "$tool"/var/sec/openpgp/"$uid".pass.gpg)
- EOF
- done
- }
-rule_mysql_backup () {
- mkdir -p "$tool"/var/backup/mysql
- rule ssh -l backup '
- for db in $(sudo -u backup mysql -u backup --skip-column-names <<-EOF
- SELECT schema_name
- FROM information_schema.schemata
- WHERE schema_name NOT IN ("information_schema", "performance_schema");
- EOF
- ); do
- $db
- done
- '
- }
-
-rule=${1:-help}
-${1+shift}
-case $rule in
- (help);;
- (*)
- assert 'test ! "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
- assert 'test ! "$(hostname --fqdn)" = "$vm_host"' vm_host
- ;;
- esac
-rule $rule "$@"