From: Julien Moutinho Date: Thu, 14 Mar 2013 11:19:27 +0000 (+0100) Subject: Ajout : vm_hosted : rule_nginx_configure . X-Git-Url:;h=ac6452c7821434c9750210bf75a95e51d876dc3d;p=lhc%2Fateliers.git Ajout : vm_hosted : rule_nginx_configure . ---
diff --git a/etc/init.d/tmpfs b/etc/init.d/tmpfs
new file mode 100755
index 0000000..adf6c72
--- /dev/null
+++ b/etc/init.d/tmpfs
@@ -0,0 +1,56 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: tmpfs
+# Required-Start: $local_fs
+# Required-Stop: $local_fs
+# X-Start-Before: nginx
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Initialise tmpfs file systems
+### END INIT INFO
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+
+. /lib/init/
+. /lib/lsb/init-functions
+
+do_start() {
+ if [ -x /etc/rc.local ]
+ then
+ [ "$VERBOSE" != no ] && log_begin_msg "Initialising tmpfs file systems"
+
+ ! mountpoint -q /run ||
+ sudo install -d -m 770 -o www-data -g www-data \
+ /run/nginx \
+ /run/nginx/fastcgi
+
+ ! mountpoint -q /run/shm ||
+ ! test -f /run/shm/.tmpfs ||
+ sudo install -d -m 1777 -o root -g root \
+ /run/shm/cache &&
+ sudo install -d -m 660 -o www-data -g www-data \
+ /run/shm/cache/nginx \
+ /run/shm/cache/nginx/fastcgi \
+ /run/shm/cache/nginx/client_body
+
+ ES=$?
+ [ "$VERBOSE" != no ] && log_end_msg $ES
+ return $ES
+ fi
+ }
+
+case "$1" in
+ (start|restart)
+ do_start
+ ;;
+ (reload|force-reload)
+ echo "Error: argument '$1' not supported" >&2
+ exit 3
+ ;;
+ (stop)
+ ;;
+ (*)
+ echo "Usage: $0 start|restart|stop" >&2
+ exit 3
+ ;;
+ esac
diff --git a/etc/nginx/conf.d/fastcgi.conf b/etc/nginx/conf.d/fastcgi.conf
new file mode 100644
index 0000000..57e350e
--- /dev/null
+++ b/etc/nginx/conf.d/fastcgi.conf
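Review bot: The `||`/`&&` chain in do_start does not express the intended guard: `! mountpoint -q /run/shm || ! test -f /run/shm/.tmpfs || sudo install … /run/shm/cache && sudo install … /run/shm/cache/nginx …` parses as `(A || B || C) && D`, so when /run/shm is not a mountpoint or the `.tmpfs` marker is missing the left side is already true and the www-data directories are still created under a `/run/shm/cache` that was never set up; explicit `if` blocks avoid this and make `ES` meaningful. The nginx cache directories are created with `-m 660`, but a directory without the execute bit cannot be traversed even by its owner, so www-data workers would be locked out of them; 770 is the usual choice. The `sudo` calls add nothing in an init script that already runs as root and make boot depend on sudo being installed and configured, and the `[ -x /etc/rc.local ]` gate has nothing to do with tmpfs. `/run/shm/cache` is created 1777 (world-writable, sticky); that is only warranted if other users are meant to populate it, otherwise a root-owned 755 is tighter.
```sh
do_start() {
  [ "$VERBOSE" != no ] && log_begin_msg "Initialising tmpfs file systems"
  ES=0
  if mountpoint -q /run
  then
    install -d -m 770 -o www-data -g www-data \
      /run/nginx \
      /run/nginx/fastcgi || ES=$?
  fi
  if mountpoint -q /run/shm && test -f /run/shm/.tmpfs
  then
    # directories need the execute bit to be traversed; 660 would lock www-data out
    install -d -m 1777 -o root -g root /run/shm/cache &&
    install -d -m 770 -o www-data -g www-data \
      /run/shm/cache/nginx \
      /run/shm/cache/nginx/fastcgi \
      /run/shm/cache/nginx/client_body || ES=$?
  fi
  [ "$VERBOSE" != no ] && log_end_msg $ES
  return $ES
  }
# … unchanged: case "$1" dispatch …
```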
@@ -0,0 +1,31 @@
+# DOC:
+fastcgi_buffer_size 128k;
+fastcgi_buffers 4 256k;
+fastcgi_busy_buffers_size 256k;
+fastcgi_connect_timeout 60;
+fastcgi_ignore_client_abort off;
+fastcgi_index index.php;
+fastcgi_intercept_errors on;
+fastcgi_param CONTENT_LENGTH $content_length;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param PATH_INFO $fastcgi_script_name;
+#fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param REMOTE_USER $remote_user;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_NAME $server_name;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+fastcgi_read_timeout 180;
+fastcgi_send_timeout 180;
+fastcgi_temp_file_write_size 256k;
diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf
new file mode 100644
index 0000000..fc2e23d
--- /dev/null
+++ b/etc/nginx/nginx.conf
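Review bot: `fastcgi_param PATH_INFO $fastcgi_script_name;` hands the script path itself to the backend as PATH_INFO; given the `fastcgi_split_path_info ^(.+\.php)(/.+)$` the site configs apply after including this file, the intended value is `fastcgi_param PATH_INFO $fastcgi_path_info;`. Nothing here tells the backend whether the request arrived over TLS: the 443 server blocks generated in vm_hosted pass no `HTTPS` parameter either, so a PHP application sees `$_SERVER['HTTPS']` unset and will emit http:// redirects and non-secure cookies; adding `fastcgi_param HTTPS $https if_not_empty;` in this shared file fixes that for every site (the `$https` variable and the `if_not_empty` flag need nginx 1.1.11 or later, which I assume is what is deployed). `SERVER_SOFTWARE nginx/$nginx_version` passes the exact version to the backend while nginx.conf sets `server_tokens off` for clients; harmless for local applications, but worth a comment so it is not later echoed in an error page.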
@@ -0,0 +1,85 @@ +events { + multi_accept on; + use epoll; + worker_connections 1024; + } +http { + log_format main + '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for" nocache:$no_cache'; + access_log /var/log/nginx/access.log main buffer=32k; + client_body_buffer_size 4K; + # NOTE: % getconf PAGESIZE + # 4096 + client_body_temp_path /run/shm/cache/nginx/client_body 1 2; + client_body_timeout 60; + client_header_buffer_size 1k; + client_header_timeout 60; + client_max_body_size 20m; + default_type application/octet-stream; + error_log /var/log/nginx/error.log warn; + error_page 403 = 404; + fastcgi_cache_key "$request_method $scheme://$host$request_uri"; + fastcgi_cache_path /run/shm/cache/nginx/fastcgi + levels=1:2 + keys_zone=microcache:10m + inactive=5m + max_size=64m; + gzip on; + gzip_buffers 16 8k; + gzip_comp_level 6; + gzip_disable "MSIE [1-6]\."; + gzip_http_version 1.1; + gzip_min_length 1024; + gzip_proxied any; + gzip_static on; + gzip_vary on; + gzip_types + application/javascript + application/json + application/rss+xml + application/ + application/x-font-ttf + application/x-javascript + application/xml + application/xml+rss + font/opentype + font/truetype + image/svg+xml + text/css + text/javascript + text/plain + text/x-component + text/xml; + include /etc/nginx/mime.types; + keepalive_timeout 20; + large_client_header_buffers 4 8k; + open_file_cache max=200000 inactive=20s; + open_file_cache_errors on; + open_file_cache_min_uses 2; + open_file_cache_valid 30s; + open_log_file_cache max=1000 inactive=20s min_uses=2 valid=1m; + proxy_cache_use_stale updating; + reset_timedout_connection on; + send_timeout 60; + # NOTE: if the client stops reading data, free up the stale client connection after this much time. 
+ sendfile on; + server_names_hash_bucket_size 128; + server_tokens off; + tcp_nodelay on; + # NOTE: don't buffer data-sends (disable Nagle algorithm). + # Good for sending frequent small bursts of data in real time. + tcp_nopush on; + # NOTE: causes nginx to attempt to send its HTTP response head in one packet, + # instead of using partial frames. + # This is useful for prepending headers before calling sendfile, + # or for throughput optimization. + types_hash_max_size 2048; + include /etc/nginx/site.d/*/server.conf; + } +pid /var/run/; +user www-data; +worker_processes 2; + +# vim: ft=sh diff --git a/etc/nginx/site.d/ b/etc/nginx/site.d/ new file mode 100644 index 0000000..9cbda68 --- /dev/null +++ b/etc/nginx/site.d/ @@ -0,0 +1,4 @@ +#!/bin/sh +set -e -f -u +sudo rmdir "$home"/pub/www/"$site_dir" || true +sudo ln -fns "$service.$site.80" "$home"/pub/www/"$site_dir" diff --git a/etc/nginx/site.d/ b/etc/nginx/site.d/ new file mode 120000 index 0000000..a86ddb8 --- /dev/null +++ b/etc/nginx/site.d/ @@ -0,0 +1 @@ +../ \ No newline at end of file diff --git a/etc/nginx/site.d/ b/etc/nginx/site.d/ new file mode 100644 index 0000000..9cbda68 --- /dev/null +++ b/etc/nginx/site.d/ @@ -0,0 +1,4 @@ +#!/bin/sh +set -e -f -u +sudo rmdir "$home"/pub/www/"$site_dir" || true +sudo ln -fns "$service.$site.80" "$home"/pub/www/"$site_dir" diff --git a/etc/nginx/site.d/ b/etc/nginx/site.d/ new file mode 120000 index 0000000..2e0700e --- /dev/null +++ b/etc/nginx/site.d/ @@ -0,0 +1 @@ +../ \ No newline at end of file diff --git a/etc/nginx/site.d/ b/etc/nginx/site.d/ new file mode 100644 index 0000000..f3551fd --- /dev/null +++ b/etc/nginx/site.d/ 
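Review bot: `fastcgi_cache_key "$request_method $scheme://$host$request_uri"` keys the `microcache` zone on the URL alone, while both server.conf files that use it tell nginx to ignore `Cache-Control`/`Expires`/`Set-Cookie` from the backend and to pass `Set-Cookie` through (`fastcgi_ignore_headers … Set-Cookie` plus `fastcgi_pass_header Set-Cookie`); a page rendered for one authenticated user is therefore stored for 10 s and replayed, Set-Cookie header included, to anyone who requests the same URL in that window. The only bypass is the `_mcnc` cookie dropped after a non-GET request, which does not cover a visitor who simply logged in on another page. Either make the session part of the key — e.g. `fastcgi_cache_key "$request_method $scheme://$host$request_uri $cookie_PHPSESSID";`, the session name appears to be PHPSESSID in php.ini — or have the site configs set `$no_cache "1"` whenever `$http_cookie` carries a session. Since the whole `http` block is defined in this hunk, this is the place to decide that policy and document it next to the key.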
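Review bot: This 4-line script is sourced by rule_nginx_configure in vm_hosted (`. "$tool"/etc/nginx/site.d/"$site"/…`) but reads `$home`, `$service` and `$site_dir`, none of which that function defines (it has `port`, `site` and `conf`), and its first line is `set -e -f -u`, so under `-u` the first expansion aborts the whole caller; even with the variables set, the `set` options leak into rule_nginx_configure because a sourced file runs in the caller's shell. Either derive the names from what the caller has in scope, or make this a standalone executable that vm_hosted runs with explicit arguments, and in any case drop the `set` line from a file meant to be sourced. `sudo rmdir … || true` hides every failure including a non-empty directory, in which case the following `ln -fns` creates the link inside the surviving directory instead of replacing it; an explicit check such as `test ! -d "$home"/pub/www/"$site_dir" || test -L "$home"/pub/www/"$site_dir"` with a clear error is safer. The second site's copy of this file in the same commit is byte-identical and needs the same fix.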
@@ -0,0 +1,67 @@ +client_body_buffer_size 8k; +client_max_body_size 10m; +location / { + index index.html index.htm index.php; + } +location ~* ^.+.(css|gif|html|ico|jpeg|js|jpg|png|txt|xml)$ { + access_log off; + expires 30d; + log_not_found off; + } +location ~ /\. { + access_log off; + deny all; + log_not_found off; + } +location ~ ^.*\.git/objects/([0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx)) { + # NOTE: static repo files for cloning over HTTP + root /home/git/repositories/; + } +location ~ ^.*\.git/(HEAD|info/refs|objects/info/.*|git-(upload|receive)-pack)$ { + # NOTE: requests that need to go to git-http-backend + root /home/git/pub/git + fastcgi_param GIT_HTTP_EXPORT_ALL ""; + fastcgi_param GIT_PROJECT_ROOT /home/git/pub/git; + fastcgi_param PATH_INFO $uri; + fastcgi_param REMOTE_USER $remote_user; + fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend; + } +location @gitweb { + include /etc/nginx/conf.d/fastcgi.conf; + set $no_cache ""; + if ($request_method !~ ^(GET|HEAD)$) { + # NOTE: if non GET/HEAD, don't cache and mark user as uncacheable for 1 second via cookie. + set $no_cache "1"; + } + if ($no_cache = "1") { + # NOTE: drop no cache cookie if need be (for some reason, add_header fails if included in prior if-block). + add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/"; + add_header X-Microcachable "0"; + } + if ($http_cookie ~* "_mcnc") { + # NOTE: bypass cache if no-cache cookie is set. 
+ set $no_cache "1"; + } + fastcgi_cache_bypass $no_cache; + fastcgi_cache_use_stale updating; + fastcgi_cache_valid 200 10s; + fastcgi_cache_valid 404 30m; + fastcgi_ignore_headers Cache-Control Expires Set-Cookie; + fastcgi_max_temp_file_size 2M; + fastcgi_no_cache $no_cache; + fastcgi_param GITWEB_CONFIG /etc/gitweb/gitweb.conf; + fastcgi_param PATH_INFO $uri; + fastcgi_param SCRIPT_FILENAME /usr/share/gitweb/gitweb.cgi; + + fastcgi_pass_header Cookie; + fastcgi_pass_header Set-Cookie; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + + fastcgi_pass unix:/run/nginx/fastcgi/; + } +root /usr/share/gitweb; +ssl_session_timeout 5m; +try_files $uri @gitweb; + # NOTE: send anything else to gitweb if it's not a real file + +# vim: ft=sh diff --git a/etc/nginx/site.d/ b/etc/nginx/site.d/ new file mode 100644 index 0000000..89edfa0 --- /dev/null +++ b/etc/nginx/site.d/ 
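Review bot: `root /home/git/pub/git` in the git-http-backend location has no terminating `;`, so `nginx -t` rejects this file, and the location contains no `fastcgi_pass`, so even once the syntax is fixed its `fastcgi_param` lines are inert and nginx serves `HEAD`, `info/refs` and the `git-*-pack` paths as static files out of that root. Add `root /home/git/pub/git;` and a `fastcgi_pass` pointing at the fcgiwrap socket the `@gitweb` location already uses under `/run/nginx/fastcgi/` (its name is lost in this view). The two roots also disagree — static objects come from `/home/git/repositories/` while `GIT_PROJECT_ROOT` is `/home/git/pub/git` — which looks unintended. With `GIT_HTTP_EXPORT_ALL ""` every repository under the root is exported and `git-receive-pack` is routed here with `REMOTE_USER $remote_user` but no `auth_basic`; git-http-backend refuses pushes while REMOTE_USER is empty unless `http.receivepack` is enabled, so confirm that rejecting pushes by that default is the intent and say so in a comment. The `fastcgi_split_path_info ^(.+\.php)(/.+)$` in `@gitweb` is copied from the PHP site and never matches gitweb.cgi; `PATH_INFO $uri` is what feeds gitweb, so the directive can go.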
@@ -0,0 +1,47 @@ +client_body_buffer_size 8k; +client_max_body_size 10m; +location / { + index index.html index.htm index.php; + } +location ~* ^.+.(css|gif|html|ico|jpeg|js|jpg|png|txt|xml)$ { + access_log off; + expires 30d; + log_not_found off; + } +location ~ /\. { + access_log off; + deny all; + log_not_found off; + } +location ~ \.php$ { + include /etc/nginx/conf.d/fastcgi.conf; + set $no_cache ""; + if ($request_method !~ ^(GET|HEAD)$) { + # NOTE: if non GET/HEAD, don't cache and mark user as uncacheable for 1 second via cookie. + set $no_cache "1"; + } + if ($no_cache = "1") { + # NOTE: drop no cache cookie if need be (for some reason, add_header fails if included in prior if-block). + add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/"; + add_header X-Microcachable "0"; + } + if ($http_cookie ~* "_mcnc") { + # NOTE: bypass cache if no-cache cookie is set + set $no_cache "1"; + } + fastcgi_cache_bypass $no_cache; + fastcgi_cache_use_stale updating; + fastcgi_cache_valid 200 10s; + fastcgi_cache_valid 404 30m; + fastcgi_ignore_headers Cache-Control Expires Set-Cookie; + fastcgi_max_temp_file_size 2M; + fastcgi_no_cache $no_cache; + fastcgi_pass_header Cookie; + fastcgi_pass_header Set-Cookie; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + + fastcgi_pass unix:/run/nginx/fastcgi/; + } +server_name; + +# vim: ft=sh diff --git a/etc/php5/fpm/php-fpm.conf b/etc/php5/fpm/php-fpm.conf new file mode 100644 index 0000000..88831d7 --- /dev/null +++ b/etc/php5/fpm/php-fpm.conf 
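Review bot: `location ~ \.php$` forwards any URI ending in .php to `fastcgi_pass` with `SCRIPT_FILENAME $document_root$fastcgi_script_name` (from the included fastcgi.conf) and no existence check, and the php.ini in this commit leaves `cgi.fix_pathinfo` at its default of 1; that is the well-known combination where a request for `/uploads/image.jpg/x.php` makes PHP execute the uploaded image. The pool.d file's `security.limit_extensions = .php` mitigates it as long as every pool keeps that line, but the location should not depend on it: add `try_files $uri =404;` as the first line of the block and set `cgi.fix_pathinfo = 0` in php.ini. The `server_name` value and the `fastcgi_pass unix:/run/nginx/fastcgi/` socket name are empty in this view, presumably lost in extraction, so I cannot confirm the socket matches the `listen = /run/nginx/fastcgi/php5.$site` the pool template in vm_hosted generates; a comment naming the pool it expects would make that checkable. The enclosing `server { … }` wrapper is produced by vm_hosted, not by this file.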
@@ -0,0 +1,21 @@
+[global]
+daemonize = yes
+emergency_restart_interval = 1m
+emergency_restart_threshold = 10
+error_log = syslog
+;events.mechanism = epoll
+log_level = notice
+php_admin_flag[log_errors] = on
+php_admin_value[error_log] = syslog
+php_admin_value[error_reporting] = 0
+php_admin_value[memory_limit] = 128M
+php_flag[display_errors] = off
+pid = /run/
+process.max = 128
+process_control_timeout = 10s
+;rlimit_core = 0
+rlimit_files = 1024
+syslog.facility = daemon
+syslog.ident = php-fpm
+
+include=/etc/php5/fpm/pool.d/*.conf
diff --git a/etc/php5/fpm/php.ini b/etc/php5/fpm/php.ini
new file mode 100644
index 0000000..43566a8
--- /dev/null
+++ b/etc/php5/fpm/php.ini
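Review bot: `php_admin_flag[…]`, `php_admin_value[…]` and `php_flag[…]` are pool-section directives; placed under `[global]` as they are here I believe php-fpm rejects them as unknown entries at startup, and in any case they do not propagate to the pools. Move the four lines into the pool template that rule_php5_fpm_configure writes, or into the pool.d file, where they apply per pool. `php_admin_value[error_reporting] = 0` silences every PHP error including fatals; with `log_errors` on and `display_errors` off, keeping `error_reporting = E_ALL` as php.ini already sets it and relying on the syslog is the safer default. `pid = /run/` has lost its filename in this view, presumably extraction; double-check it matches what the init script expects.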
@@ -0,0 +1,206 @@ +[apc] +apc.cache_by_default = 1 +apc.canonicalize = 1 +apc.coredump_unmap = 0 +apc.enable_cli = 0 +apc.enabled = 1 +apc.file_update_protection=2 +apc.filters = +apc.gc_ttl = 3600 +apc.include_once_override = 0 +apc.localcache = 1 +apc.localcache.size = 256 +apc.max_file_size = 1M +apc.mmap_file_mask = /tmp/apc.XXXXXX +apc.num_files_hint = 512 +apc.optimization = 0 +apc.report_autofilter = 0 +apc.rfc1867 = 0 +apc.rfc1867_freq = 0 +apc.rfc1867_name = "APC_UPLOAD_PROGRESS" +apc.rfc1867_prefix = "upload_" +apc.shm_segments = 1 +apc.shm_size = 256M +apc.slam_defense = 1 +apc.stat = 0 # NOTE: set to 1 when developping +apc.stat_ctime = 0 +apc.ttl = 3600 +apc.use_request_time = 1 +apc.user_entries_hint=4096 +apc.user_ttl = 7200 +apc.write_lock = 1 +[Assertion] +[bcmath] +bcmath.scale = 0 +[browscap] +[CLI Server] +cli_server.color = On +[COM] +[Date] +[dba] +[exif] +[filter] +[gd] +[iconv] +[Interbase] +ibase.allow_persistent = 1 +ibase.dateformat = "%Y-%m-%d" +ibase.max_links = -1 +ibase.max_persistent = -1 +ibase.timeformat = "%H:%M:%S" +ibase.timestampformat = "%Y-%m-%d %H:%M:%S" +[intl] +[ldap] +ldap.max_links = -1 +[mail function] +SMTP = localhost +mail.add_x_header = On +smtp_port = 25 +[mbstring] +[mcrypt] +[MSSQL] +mssql.allow_persistent = On +mssql.compatability_mode = Off +mssql.max_links = -1 +mssql.max_persistent = -1 +mssql.min_error_severity = 10 +mssql.min_message_severity = 10 +mssql.secure_connection = Off +[MySQL] +mysql.allow_local_infile = On +mysql.allow_persistent = On +mysql.cache_size = 2000 +mysql.connect_timeout = 60 +mysql.default_host = +mysql.default_password = +mysql.default_port = +mysql.default_socket = +mysql.default_user = +mysql.max_links = -1 +mysql.max_persistent = -1 +mysql.trace_mode = Off +[MySQLi] +mysqli.allow_persistent = On +mysqli.cache_size = 2000 +mysqli.default_host = +mysqli.default_port = 3306 +mysqli.default_pw = +mysqli.default_socket = +mysqli.default_user = +mysqli.max_links = -1 
+mysqli.max_persistent = -1 +mysqli.reconnect = Off +[mysqlnd] +mysqlnd.collect_memory_statistics = Off +mysqlnd.collect_statistics = On +[ODBC] +odbc.allow_persistent = On +odbc.check_persistent = On +odbc.defaultbinmode = 1 +odbc.defaultlrl = 4096 +odbc.max_links = -1 +odbc.max_persistent = -1 +[OCI8] +[PHP] +allow_url_fopen = Off +allow_url_fopen = Off ; DEFAULT: On +allow_url_include = Off +asp_tags = Off +auto_append_file = +auto_globals_jit = On +auto_prepend_file = +default_charset = "UTF-8" ; DEFAULT: +default_mimetype = "text/html" +default_socket_timeout = 30 +default_socket_timeout = 30 ; DEFAULT: 60 +disable_classes = +disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority, +display_errors = Off +display_startup_errors = Off +doc_root = +enable_dl = Off +engine = On +error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT +expose_php = On +file_uploads = On +html_errors = On +ignore_repeated_errors = Off +ignore_repeated_source = Off +ignore_user_abort = Off # ; DEFAULT: +implicit_flush = Off +log_errors = On +log_errors_max_len = 1024 +max_execution_time = 30 +max_file_uploads = 20 +max_input_time = 60 +memory_limit = 128M +mysql.allow_persistent = Off ; DEFAULT: +output_buffering = 4096 +post_max_size = 15M ; DEFAULT: 8M +precision = 14 +register_argc_argv = Off +report_memleaks = On +request_order = "GP" +serialize_precision = 17 +short_open_tag = Off ; DEFAULT: On +track_errors = Off +unserialize_callback_func = +upload_max_filesize = 20M ; DEFAULT: 2M +user_dir = +variables_order = "GPCS" +zend.enable_gc = On +zlib.output_compression = Off +[Pcre] +[Pdo] +[Pdo_mysql] +pdo_mysql.cache_size = 2000 +pdo_mysql.default_socket= +[Phar] +[PostgreSQL] +pgsql.allow_persistent = On 
+pgsql.auto_reset_persistent = Off +pgsql.ignore_notice = 0 +pgsql.log_notice = 0 +pgsql.max_links = -1 +pgsql.max_persistent = -1 +[Session] +session.auto_start = 0 +session.bug_compat_42 = Off +session.bug_compat_warn = Off +session.cache_expire = 180 +session.cache_limiter = nocache +session.cookie_domain = +session.cookie_httponly = +session.cookie_lifetime = 0 +session.cookie_path = / +session.gc_divisor = 1000 +session.gc_maxlifetime = 1440 +session.gc_probability = 0 +session.hash_bits_per_character = 5 +session.hash_function = 0 = PHPSESSID +session.referer_check = +session.save_handler = files +session.serialize_handler = php +session.use_cookies = 1 +session.use_only_cookies = 1 +session.use_trans_sid = 0 +url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry" +[soap] +soap.wsdl_cache_dir="/tmp" +soap.wsdl_cache_enabled=1 +soap.wsdl_cache_limit = 5 +soap.wsdl_cache_ttl=86400 +[SQL] +sql.safe_mode = Off +[sqlite3] +[sqlite] +[Sybase-CT] +sybct.allow_persistent = On +sybct.max_links = -1 +sybct.max_persistent = -1 +sybct.min_client_severity = 10 +sybct.min_server_severity = 10 +[sysvshm] +[Tidy] +tidy.clean_output = Off diff --git a/etc/php5/fpm/pool.d/ b/etc/php5/fpm/pool.d/ new file mode 120000 index 0000000..f847fde --- /dev/null +++ b/etc/php5/fpm/pool.d/ @@ -0,0 +1 @@ \ No newline at end of file diff --git a/etc/php5/fpm/pool.d/ b/etc/php5/fpm/pool.d/ new file mode 100644 index 0000000..9f4f8c1 --- /dev/null +++ b/etc/php5/fpm/pool.d/ @@ -0,0 +1,11 @@ +pm.max_children = 15 +pm.max_requests = 200 +pm.max_spare_servers = 15 +pm.min_spare_servers = 2 +pm.process_idle_timeout = 60s +pm.start_servers = 3 +request_slowlog_timeout = 5s +request_terminate_timeout = 120s +rlimit_core = unlimited +rlimit_files = 131072 +security.limit_extensions = .php diff --git a/vm_hosted b/vm_hosted index 59e4056..a793041 100755 --- a/vm_hosted +++ b/vm_hosted 
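Review bot: `expose_php = On` advertises the PHP version in an `X-Powered-By` header on every response, undoing the `server_tokens off` set in nginx.conf; set `expose_php = Off`. `session.cookie_httponly =` is left empty (off) and there is no `session.cookie_secure`, so session cookies are readable from JavaScript and are sent over the port-80 vhosts as well as the 443 ones; `session.cookie_httponly = 1` is a safe default here, and cookie_secure should be set for the TLS sites. `cgi.fix_pathinfo` is not set, which leaves it at 1 and, with the `location ~ \.php$` in the site configs, allows the `/file.jpg/x.php` trick unless `security.limit_extensions` protects every pool — add `cgi.fix_pathinfo = 0`. Two lines use `#` as a comment character (`apc.stat = 0 # NOTE: …`, `ignore_user_abort = Off # ; DEFAULT:`); php.ini comments are `;` and `#` has been deprecated since 5.3 (a warning then, an error in later versions), so turn them into `;`. `mysql.allow_local_infile = On` enables `LOAD DATA LOCAL`, which lets a malicious or compromised MySQL server read any file the PHP worker can open; turn it off unless an application actually needs it.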
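Review bot: `rlimit_core = unlimited` in this pool file lets a crashing worker write a full core dump — session data, database credentials read from the application's config, request bodies — wherever the kernel's core_pattern sends it (the generated template sets `chdir = /`); unless crash debugging is actually in progress, keep `rlimit_core = 0` or confine dumps with a restricted core_pattern. The `pm.*` and `rlimit_files` values here override the ones the template in rule_php5_fpm_configure writes first, since this file is appended after them; that is fine but deserves a one-line comment such as `; overrides the defaults written by vm_hosted rule_php5_fpm_configure`. `security.limit_extensions = .php` is currently the only thing stopping PHP from executing non-.php uploads given the nginx location and the php.ini defaults, so a comment recording that dependency would keep someone from deleting it.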
@@ -293,7 +293,7 @@ rule_dovecot_configure () {
 local hint="run vm_remote dovecot_key_send before"
 assert "test -f /etc/dovecot/$vm_domainname/imap/x509/key.pem" hint
 sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/service/imap/crt+crl.self-signed.pem \
+ "$tool"/var/pub/x509/$vm_domainname/imap/crt+crl.self-signed.pem \
 /etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
 sudo install -d -m 770 -o root -g adm \
 /etc/skel/etc/mail \
@@ -624,6 +624,230 @@ rule_network_configure () { pre-down ip address delete $vm_ipv4/32 dev \$IFACE EOF } +rule_www_configure () { + getent passwd www >/dev/null || + sudo adduser \ + --disabled-login \ + --disabled-password \ + --group \ + --home /home/www \ + --shell /bin/false \ + --system \ + www + sudo adduser \ + --disabled-login \ + --disabled-password \ + --group \ + --home ~www/log \ + --shell /bin/false \ + --system \ + log.www + #sudo adduser www www-data + sudo adduser www log.www + #sudo adduser log log.www + usermod --home /home/www/pub www-data + sudo install -d -m 751 -o www -g www \ + /home/www + sudo install -d -m 750 -o www -g www \ + /home/www/etc + sudo install -d -m 1771 -o www-data -g www-data \ + /home/www/pub \ + sudo install -d -m 1771 -o log.www -g log.www \ + /home/www/log + } +rule_nginx_configure () { + local -; set +f + rule apt_get_install nginx + rule www_configure + sudo rm -rf \ + /etc/nginx/conf.d \ + /etc/nginx/site.d + sudo install -d -m 770 -o www -g www \ + /etc/nginx \ + /etc/nginx/conf.d \ + /etc/nginx/site.d + sudo ln -fns \ + /etc/nginx \ + /home/www/etc/nginx + sudo install -m 660 -o www -g www \ + "$tool"/etc/nginx/nginx.conf \ + /etc/nginx/nginx.conf + local conf + for conf in "$tool"/etc/nginx/conf.d/*.conf + do conf=${conf#"$tool"/etc/nginx/conf.d/} + sudo install -m 660 -o www -g www \ + "$tool"/etc/nginx/conf.d/"$conf" \ + /etc/nginx/conf.d/"$conf" + done + for conf in "$tool"/etc/nginx/site.d/*/server.conf + do conf=${conf#"$tool"/etc/nginx/site.d/} + local port site + IFS=. 
read -r port site <<-EOF + ${conf%\/server\.conf} + EOF + assert 'test "${port:+set}"' + assert 'test "${site:+set}"' + site="$port.$site" + getent passwd www."$site" >/dev/null || + sudo adduser \ + --disabled-login \ + --disabled-password \ + --group \ + --home ~www-data/"$site" \ + --shell /bin/false \ + --system \ + www."$site" + getent passwd log."$site" >/dev/null || + sudo adduser \ + --disabled-login \ + --disabled-password \ + --group \ + --shell /bin/false \ + --system \ + log."$site" + sudo usermod --home ~www/log/"$site"/nginx log."$site" + sudo install -d -m 770 -o www -g www \ + /etc/nginx/site.d/"$site" + case $port in + (443) + local hint="run vm_remote nginx_key_send before" + assert "sudo test -f /etc/nginx/\"$site\"/x509/key.pem" hint + sudo install -m 664 -o www -g www \ + "$tool"/var/pub/x509/"$site"/crt+ca.pem \ + /etc/nginx/site.d/"$site"/x509/crt.pem + ;; + esac + case $port in + (80) + cat <<-EOF + server { + listen $port; + access_log /home/www/log/$site/nginx/access.log main; + error_log /home/www/log/$site/nginx/error.log warn; + root /home/www/pub/$site; + server_name $site; + $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf) + } + EOF + ;; + (443) + cat <<-EOF + server { + listen $port; + access_log /home/www/log/$site/nginx/access.log main; + error_log /home/www/log/$site/nginx/error.log warn; + keepalive_timeout 70; + root /home/www/pub/$site; + server_name $site; + # DOC: + ssl on; + ssl_certificate /home/www/etc/nginx/site.d/$site/x509/crt.pem; + ssl_certificate_key /home/www/etc/nginx/site.d/$site/x509/key.pem; + ssl_ciphers HIGH:!ADH:!MD5; + ssl_prefer_server_ciphers on; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_session_cache shared:SSL:10m; + $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf) + } + EOF + ;; + esac | + sudo install -m 660 -o www -g www /dev/stdin \ + /etc/nginx/site.d/"$site"/server.conf + adduser www-data "$site" + test -e /home/www/pub/"$site" || + sudo install -d -m 3770 -o "$site" -g "$site" \ + 
/home/www/pub/"$site" + sudo install -d -m 3770 -o log."$site" -g log."$site" \ + /home/www/log/"$site"/nginx + test ! -r "$tool"/etc/nginx/site.d/"$site"/ || + . "$tool"/etc/nginx/site.d/"$site"/ + done + rule apt_get_install spawn-fcgi fcgiwrap + sudo insserv --remove fcgiwrap + rule tmpfs_configure + sudo service nginx restart + } +rule_php5_fpm_configure () { + local -; set +f + rule apt_get_install \ + php5-fpm \ + php-apc + getent passwd php5 >/dev/null || + sudo adduser \ + --disabled-login \ + --disabled-password \ + --group \ + --shell /bin/false \ + --system \ + php5 + local conf + sudo ln -fns \ + /etc/php5-fpm \ + /home/www/etc/php5 + sudo rm -f /etc/php5/fpm/pool.d/* + for conf in "$tool"/etc/php5/fpm/pool.d/*.conf + do conf=${conf#"$tool"/etc/php5/fpm/pool.d/} + local port site + IFS=. read -r port site <<-EOF + ${conf%\.conf} + EOF + assert 'test "${port:+set}"' + assert 'test "${site:+set}"' + site="$port.$site" + getent passwd php5"$site" >/dev/null || + sudo adduser \ + --disabled-login \ + --disabled-password \ + --group \ + --no-create-home \ + --home ~www/pub/"$site" \ + --shell /bin/false \ + --system \ + php5."$site" + sudo install -d -m 770 -o php5 -g php5 \ + /home/www/log/php5 \ + /home/www/log/php5/fpm + sudo install -d -m 770 -o log."$site" -g log."$site" \ + /home/www/log/"$site" + sudo adduser php5."$user" www."$site" + sudo install -m 660 -o root -g root /dev/stdin \ + /etc/php5/fpm/pool.d/"$conf" <<-EOF + [php5.$site] + access.log = /home/www/log/$site/php5/fpm/access.log + catch_workers_output = yes + chdir = / + env[HOSTNAME] = \$HOSTNAME + env[TEMP] = /tmp + env[TMPDIR] = /tmp + env[TMP] = /tmp + group = www-data + listen = /run/nginx/fastcgi/php5.$site + #listen = + #listen.allowed_clients = + listen.backlog = -1 + pm = dynamic + pm.max_children = 5 + pm.max_requests = 200 + pm.max_spare_servers = 4 + pm.min_spare_servers = 2 + pm.start_servers = 3 + pm.status_path = /status + request_slowlog_timeout = 5s + 
request_terminate_timeout = 120s + rlimit_core = unlimited + rlimit_files = 131072 + slowlog = /home/www/log/$site/php5/fpm/slow.log + user = $php5_user + $(cat "$tool"/etc/php5/fpm/pool.d/"$conf") + EOF + sudo install -m 664 -o root -g root \ + "$tool"/etc/php5/fpm/php.ini \ + /etc/php5/fpm/php.ini + done + rule tmpfs_configure + sudo service php5-fpm restart + } rule_postfix_configure () { local hint="run vm_remote postfix_key_send before" assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint @@ -652,16 +876,16 @@ rule_postfix_configure () { ../crt+crl.self-signed.pem \ /etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem sudo install -m 400 -o root -g root \ - "$tool"/var/pub/x509/service/smtpd/crt+crl.self-signed.pem \ + "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+crl.self-signed.pem \ /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem sudo install -m 400 -o root -g root \ - "$tool"/var/pub/x509/service/smtpd/crt.pem \ + "$tool"/var/pub/x509/$vm_domainname/smtpd/crt.pem \ /etc/postfix/$vm_domainname/smtpd/x509/crt.pem sudo install -m 400 -o root -g root \ - "$tool"/var/pub/x509/service/smtpd/crt+root.pem \ - /etc/postfix/$vm_domainname/smtpd/x509/crt+root.pem + "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+ca.pem \ + /etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem sudo install -m 400 -o root -g root \ - "$tool"/var/pub/x509/service/smtpd/crt+crl.self-signed.pem \ + "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+crl.self-signed.pem \ /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem sudo install -m 660 -o root -g root \ "$tool"/etc/postfix/$vm_domainname/header_checks \ 
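Review bot: The pool template in rule_php5_fpm_configure writes `user = $php5_user`, but nothing in the function assigns `php5_user` (the account it creates is `php5.$site`), so every generated pool has an empty `user =` and php-fpm refuses to start it; the same slip appears in `sudo adduser php5."$user" www."$site"` (`$user` is undefined) and in the `getent passwd php5"$site"` guard, which lacks the dot and never matches. In rule_nginx_configure, `sudo install -d -m 3770 -o "$site" -g "$site"` names an account that is never created (the accounts are `www.$site` and `log.$site`, so `www.$site` is most likely meant), `adduser www-data "$site"` and `usermod --home /home/www/pub www-data` run without sudo, and in rule_www_configure the backslash after `/home/www/pub \` folds the following `sudo install -d … /home/www/log` line into the previous command's argument list. From a least-privilege angle, `/etc/nginx` (770) and `nginx.conf`, `conf.d/*` and every generated `server.conf` (660) are owned by the unprivileged `www` user while the nginx master that parses them runs as root: anyone who can write as `www` can point `error_log`/`pid`/`user` at whatever they like, so the configuration should be root:root 644 with only the per-site document roots writable by `www`. The pool sockets `listen = /run/nginx/fastcgi/php5.$site` set no `listen.owner`/`listen.group`/`listen.mode`; pin them to `www-data`/`0660` so only nginx can submit FastCGI requests instead of relying on the version-dependent default. Finally the TLS key is looked for in three different places — this hunk asserts `/etc/nginx/$site/x509/key.pem`, the generated server block reads `/home/www/etc/nginx/site.d/$site/x509/key.pem`, and vm_remote installs to yet another path — so nginx will not find it on 443 sites.
```sh
# rule_www_configure — … unchanged: adduser calls …
sudo usermod --home /home/www/pub www-data
# … unchanged: /home/www and /home/www/etc …
sudo install -d -m 1771 -o www-data -g www-data \
 /home/www/pub
sudo install -d -m 1771 -o log.www -g log.www \
 /home/www/log

# rule_nginx_configure — … unchanged: package install, rm -rf …
sudo install -d -m 755 -o root -g root \
 /etc/nginx \
 /etc/nginx/conf.d \
 /etc/nginx/site.d
sudo install -m 644 -o root -g root \
 "$tool"/etc/nginx/nginx.conf \
 /etc/nginx/nginx.conf
# … unchanged: conf.d and server.conf generation (same 644 root:root) …
sudo adduser www-data www."$site"
test -e /home/www/pub/"$site" ||
sudo install -d -m 3770 -o www."$site" -g www."$site" \
 /home/www/pub/"$site"

# rule_php5_fpm_configure — … unchanged …
getent passwd php5."$site" >/dev/null ||
# … unchanged: adduser php5.$site …
sudo adduser php5."$site" www."$site"
# … unchanged: pool template head …
	listen = /run/nginx/fastcgi/php5.$site
	listen.owner = www-data
	listen.group = www-data
	listen.mode = 0660
# … unchanged: pm.* settings …
	user = php5.$site
```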
@@ -831,9 +1055,10 @@ rule_user_configure () { /etc/skel/etc/ssh sudo install -d -m 770 -o root -g adm \ /etc/skel/var \ - /etc/skel/var/log \ /etc/skel/var/cache \ - /etc/skel/var/cache/ssh + /etc/skel/var/log \ + /etc/skel/var/run \ + /etc/skel/var/run/ssh sudo ln -fns etc/ssh /etc/skel/.ssh sudo ln -fns etc/gpg /etc/skel/.gnupg sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF @@ -898,11 +1123,13 @@ rule_configure () { rule filesystem_configure rule login_configure rule ssh_configure - rule mail_configure - rule apache2_configure rule user_root_configure rule boot_configure rule user_configure + rule mail_configure + #rule apache2_configure + rule nginx_configure + rule php5_fpm_configure } rule_luks_key_change () { diff --git a/vm_remote b/vm_remote index 68735c3..d52b595 100755 --- a/vm_remote +++ b/vm_remote @@ -144,6 +144,38 @@ rule_dovecot_key_send () { rule _x509_service_key_send_deciphered imap \ /etc/dovecot/$vm_domainname/$service/x509/key.pem -l root "$@" } +rule_nginx_key_send () { + local -; set +f + for conf in "$tool"/etc/nginx/site.d/*/server.conf + do conf=${conf#"$tool"/etc/nginx/site.d/} + local user port service site + IFS=. read -r user port service site <<-EOF + ${conf%\/server\.conf} + EOF + assert 'test "${user:+set}"' + assert 'test "${service:+set}"' + assert 'test "${site:+set}"' + assert 'test "${port:+set}"' + local site_dir="$user.$port.$service.$site" + case $port in + (443) + rule ssh -l root ' \ + sudo install -d -m 770 -o root -g root \ + /etc/nginx \ + /etc/nginx/site.d \ + /etc/nginx/site.d/'"$site_dir"' \ + /etc/nginx/site.d/'"$site_dir"'/x509; \ + sudo install -m 644 -o root -g root /dev/stdin \ + /etc/nginx/site.d/'"$site_dir"'/x509/.gitignore <<-EOF + key.pem + EOF + ' + rule _x509_service_key_send_deciphered $service \ + /etc/nginx/"$site_dir"/x509/key.pem -l root "$@" + ;; + esac + done + } rule_postfix_key_send () { rule ssh -l root ' \ sudo install -d -m 770 -o root -g root \
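Review bot: rule_nginx_key_send sends the key to `/etc/nginx/"$site_dir"/x509/key.pem` while the directory and the `.gitignore` created two lines earlier live under `/etc/nginx/site.d/$site_dir/x509/`, so the key lands in an unprepared path and the `.gitignore` protects nothing; the server block generated in vm_hosted reads `…/site.d/$site/x509/key.pem`, so `/etc/nginx/site.d/"$site_dir"/x509/key.pem` is the path to use here and in vm_hosted's assert. The split of the directory name into `user.port.service.site` here disagrees with vm_hosted's rule_nginx_configure, which reads the same `site.d/*/server.conf` names as `port.site`; with the four-field layout that function's `case $port in (443)` would be testing the user field, so one of the two conventions has to change. `conf` is assigned in the loop without `local` and leaks into the caller. The `.gitignore` for `key.pem` suggests /etc/nginx is tracked in git, so make sure `_x509_service_key_send_deciphered` (not visible here) installs the key 0600 root-owned, since the x509 directory itself is only 770 root:root. The function is complete in this hunk; rule_postfix_key_send continues outside it.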