# Shell options for the whole script: abort on the first failing command (-e),
# disable pathname globbing (-f; rules that need a glob re-enable it locally
# with `set +f`), and treat unset variables as errors (-u).  Setting DRY_RUN
# in the environment adds -n, so the shell only parses the rest of the script
# and executes nothing.  (The shebang is not in this excerpt; no `pipefail`
# is used, consistent with plain POSIX sh.)
set -e -f ${DRY_RUN:+-n} -u
# NOTE(review): the loop header (original lines 3-4) is not in this excerpt;
# it presumably resolves symlinks so that $tool becomes the real script
# location — confirm against the full file.
do tool=$(readlink "$tool")
# Print this tool's usage text: a French description, the SYNTAX line, the
# list of rules and the list of tunables.  Rules are discovered by scanning
# the source of "$tool"/etc/vm.sh and of this script for `rule_NAME () {`
# lines; the trailing `# …` comment of such a line is shown as the rule's
# help, so that comment must stay on the definition line.
# Arguments: [--hidden]  without an argument, rules named `rule__*` (leading
#            underscore) are hidden; with any argument they are listed too.
rule_help () { # SYNTAX: [--hidden]
	# $hidden is set only when no argument is given; the sed pattern below then
	# requires a non-underscore first character after "rule_", which hides the
	# rule__* entries.
	local hidden; [ ${1:+set} ] || hidden=set
	# NOTE(review): original lines 13-14 (presumably the `cat <<EOF` opening
	# this here-document) and its terminator are not in this excerpt; the
	# text below is the here-document's content and is left untouched.
ce script regroupe des règles pour administrer la VM ($vm_fqdn)
_depuis_ la VM hébergée ($vm_fqdn) ;
il sert à la fois d'outil (aisément bidouillable)
et de documentation (préçise).
Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
SYNTAX: $0 \$RULE \${RULE}_SYNTAX
$(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
TRACE # affiche les commandes avant leur exécution
$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
# Configure this checkout of the tool as a git repository tracking
# remotes/master, and expose its hosted-side entry point system-wide as `vm`.
# Globals: $tool (read, then re-assigned).
# NOTE(review): original lines 30-31, 34 and 38-42 and the closing brace are
# not in this excerpt.
rule_git_configure () {
	git config --replace branch.master.remote .
	git config --replace branch.master.merge refs/remotes/master
	# NOTE(review): `cd -` prints OLDPWD, so this yields $tool's absolute path
	# only if the shell's cwd already is $tool (possibly done on the missing
	# line 34); otherwise it yields the caller's cwd.  `$(cd "$tool" && pwd -P)`
	# would be the unambiguous form.
	tool=$(cd "$tool"; cd -)
	# Make the hosted-side script reachable on the PATH, under its own name
	# and as `vm`.
	sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/
	sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/vm
	# -f -B discards uncommitted local changes and resets master onto
	# remotes/master.
	git checkout -f -B master remotes/master
# Install the given packages with apt-get unless the FIRST one is already
# installed according to dpkg.  Before installing, when etckeeper is present
# and reports /etc as unclean, warn that etckeeper may block the install
# until `etckeeper commit` has been run.
# Arguments: $@ package names (only $1 is checked for being installed).
# NOTE(review): original line 51 (the pattern of the second case arm) and
# lines 56-57 (`esac`, closing brace) are not in this excerpt.
rule_apt_get_install () { # SYNTAX: $package
	case $(dpkg -s "$1" 2>/dev/null | grep '^Status: ') in
	("Status: install ok installed");;
	# NOTE(review): only "$1" is tested above while all of "$@" are installed
	# below, so any extra packages are skipped once the first one is present.
	test ! -x /usr/bin/etckeeper ||
	! sudo etckeeper unclean ||
	warn "/etc unclean: etckeeper may force you to \`etckeeper commit'; then you can run your $0 command again."
	sudo apt-get install "$@";;
# Hidden rule (double underscore: not listed by rule_help without --hidden).
# NOTE(review): its body (original lines 60-64) is not in this excerpt.
rule__chrooted_configure () { # NOTE: is this actually useful at some point?
# Write the apt sources, pinning preferences and the apticron mail
# notification config for this VM.
# Globals (read): $vm_lsb_name, $vm_domainname, $vm_fqdn.
# NOTE(review): every here-document terminator and several content lines
# (original 68, 71, 73, 75-77, 79-80, 83-84, 88, 90, 92, 94-95, 97, 100-101)
# are not in this excerpt; here-document content is left untouched.
rule_apt_configure () {
	# NOTE(review): mode 660 makes sources.list unreadable for unprivileged
	# users (e.g. `apt-cache policy` as a normal user); 644 is the usual mode.
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
		deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
	# NOTE(review): as reconstructed, the target is /etc/apt/$vm_lsb_name-backports.list,
	# which apt does not read (only sources.list and sources.list.d/*.list);
	# the single entry is commented out, so this is inert — confirm the
	# intended path.
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF
		#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
	# Pinning between the release and its backports.
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
		Pin: release a=$vm_lsb_name
		Pin: release a=$vm_lsb_name-backports
	# NOTE(review): this is a third-party repository; no import of its
	# signing key is visible in this excerpt, so apt will refuse or warn about
	# unauthenticated packages unless the key is installed elsewhere — confirm.
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
		deb http://nightly.openerp.com/trunk/nightly/deb/ ./
	# apticron mails pending updates to the domain's admin address.
	rule apt_get_install apticron
	sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF
		EMAIL="admin@$vm_domainname"
		# LISTCHANGES_PROFILE="apticron"
		# SYSTEM="foobar.example.com"
		# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
		# NOTIFY_NO_UPDATES="0"
		# CUSTOM_NO_UPDATES_SUBJECT=""
		# CUSTOM_FROM="root@$vm_fqdn"
# Install GRUB and the kernel for this Xen guest and write the GRUB defaults
# (serial console on hvc0, static IP on the kernel command line, resume from
# the deciphered swap) and the device map, then regenerate grub.cfg and the
# initramfs.
# Globals (read): $vm_arch, $vm_ipv4, $vm, $vm_fqdn.
# NOTE(review): original lines 108-109, 115, 117, 119 and 122 (including the
# here-document terminators and the closing brace) are not in this excerpt.
rule_boot_configure () {
	warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
	rule apt_get_install grub-pc
	# NOTE(review): -m 644 on a directory leaves no execute (search) bit;
	# root is unaffected, but any unprivileged access to /boot/grub fails.
	# 755 is the conventional mode for this directory.
	sudo install -d -m 644 -o root -g root /boot/grub
	rule apt_get_install linux-image-$vm_arch
	# NOTE(review): resume= uses ${vm}_swap_deciphered while the fstab/crypttab
	# written by rule_filesystem_configure use ${vm_lvm_lv}_swap_deciphered;
	# this only works if $vm and $vm_lvm_lv agree — confirm.
	sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF
		GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
		GRUB_CMDLINE_LINUX_DEFAULT="quiet"
		GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
		GRUB_DISABLE_RECOVERY="true"
		#GRUB_PRELOAD_MODULES="lvm"
	# The device-mapper name doubles every "-" of the LV name, hence the sed.
	sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF
		(hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
	sudo update-grub2 # NOTE: takes /boot/grub/device.map into account
	rule initramfs_configure
# Install and configure Dovecot (IMAP + ManageSieve + Sieve): deploy the
# self-signed service certificate, create the index/control directories,
# write local.conf (client-certificate authentication, per-user passwd file,
# quota and sieve plugins, Postfix SASL socket) and a helper letting users
# set their own Dovecot password.  Requires the private key to have been sent
# beforehand with `vm_remote dovecot_key_send`.
# Globals (read): $tool, $vm_domainname.
# NOTE(review): many here-document lines and all terminators (original
# 131-132, 138, 140, 146, 148-151, 160-161, 163-164, 167-168, 172, 174-175,
# 177-181, 187-191, 193, 198-199, 201, 203) are not in this excerpt.
rule_dovecot_configure () {
	rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
	local hint="run vm_remote dovecot_key_send before"
	assert "test -f /etc/dovecot/$vm_domainname/imap/x509/key.pem" hint
	# Service certificate + CRL bundle, root-only (Dovecot reads it before
	# dropping privileges).
	sudo install -m 400 -o root -g root \
		"$tool"/var/pub/x509/service/imap/crt+crl.self-signed.pem \
		/etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
	sudo install -d -m 770 -o root -g adm \
	# Sticky, world-writable so that per-user INDEX/CONTROL subdirectories can
	# be created at delivery/login time — presumably; confirm against the
	# mail_location below.
	sudo install -d -m 1777 -o root -g root \
		/var/lib/dovecot-control \
		/var/lib/dovecot-index
	# NOTE(review): ssl_cipher_list below pins a single static-RSA suite
	# (AES256-SHA), which offers no forward secrecy and no AEAD; a modern
	# cipher list would be preferable.  The here-document content itself is
	# left untouched here.
	sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
		auth_ssl_username_from_cert = yes
		log_timestamp = "%Y-%m-%d %H:%M:%S "
		mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
		# NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
		# VOIR: http://wiki2.dovecot.org/Quota/FS
		mail_plugins = \$mail_plugins quota
		mail_privileged_group = mail
		args = /home/%u/etc/dovecot/passwd
		recipient_delimiter = +
		sieve = ~/etc/mail/filter.sieve
		sieve_dir = ~/etc/mail/sieve
		sieve_global_dir = /var/lib/dovecot/sieve/global/
		sieve_max_script_size = 1M
		sieve_quota_max_scripts = 0
		sieve_quota_max_storage = 10M
		sieve_user_log = ~/var/log/mail/sieve.log
		mail_plugins = \$mail_plugins imap_quota
		auth_socket_path = /var/run/dovecot/auth-master
		hostname = $vm_domainname
		mail_plugins = \$mail_plugins sieve
		postmaster_address = contact+dovecot+lda@$vm_domainname
		syslog_facility = mail
		protocols = imap sieve
		unix_listener /var/spool/postfix/private/auth {
		ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
		ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
		ssl_cipher_list = AES256-SHA
		ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
		ssl_verify_client_cert = yes
	# Helper for users: writes a SHA512-CRYPT hash of a freshly prompted
	# password into ~/etc/dovecot/passwd (the file named by `args` above).
	sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
		# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
		install -d -m 770 ~/etc/dovecot
		install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
		\$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
	# NOTE(review): a postgrey file written from the dovecot rule; its content
	# (original line 201) is not in this excerpt.
	sudo install -m 664 -o root -g root /dev/stdin /etc/postgrey/whitelist_recipients.local <<-EOF
	sudo service dovecot restart
# Configure etckeeper: write its config, the prompt hook and a custom
# ignore snippet, then install the package and regenerate .gitignore.
# NOTE(review): original lines 206, 213 and 222 (including the here-document
# terminator and the closing brace) are not in this excerpt.
rule_etckeeper_configure () {
	# NOTE(review): the config is written before `rule apt_get_install
	# etckeeper` below, and install(1) does not create missing parent
	# directories, so this relies on /etc/etckeeper already existing —
	# confirm, or install the package first.
	sudo install -m 644 -o root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
		GIT_COMMIT_OPTIONS=""
		AVOID_DAILY_AUTOCOMMITS=1
		#AVOID_SPECIAL_FILE_WARNING=1
		AVOID_COMMIT_BEFORE_INSTALL=1
		HIGHLEVEL_PACKAGE_MANAGER=apt
		LOWLEVEL_PACKAGE_MANAGER=dpkg
	# NOTE(review): relative source paths (etc/etckeeper/…), unlike the
	# "$tool"/… form used in other rules, depend on the cwd being $tool.
	sudo install -m 644 -o root -g root \
		etc/etckeeper/prompt.sh \
		/etc/etckeeper/prompt.sh
	sudo install -m 755 -o root -g root \
		etc/etckeeper/update-ignore.d/02custom-ignore \
		/etc/etckeeper/update-ignore.d/02custom-ignore
	rule apt_get_install etckeeper
	sudo etckeeper update-ignore -a
# Write fstab (LUKS-backed LVM volumes, tmpfs /tmp with nosuid,nodev,
# quota-enabled /home), crypttab (var/home/swap unlocked from the root
# volume via decrypt_derived) and a sysctl snippet for swap behaviour.
# Globals (read): $vm_lvm_lv, $vm_lvm_vg.
# NOTE(review): original lines 235, 242, 246-247 (the here-document
# terminators and the closing brace) are not in this excerpt.
rule_filesystem_configure () {
	sudo install -m 644 -o root -g root /dev/stdin /etc/fstab <<-EOF
		# <file system> <mount point> <type> <options> <dump> <pass>
		LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
		proc /proc proc defaults 0 0
		sysfs /sys sysfs defaults 0 0
		tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
		/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
		/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
		/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
		# NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
		/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
	# Only the root volume needs a passphrase; the others derive their key
	# from it (decrypt_derived keyscript).
	sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF
		# <target name> <source device> <key file> <options>
		${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
		${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
		${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
		${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	# NOTE(review): sysctl.conf(5) only treats whole lines starting with
	# `#` or `;` as comments; the trailing `# NOTE …` on the swappiness line
	# is likely passed as part of the value and rejected — verify with
	# `sysctl -p /etc/sysctl.d/local-swap.conf`.  Content left untouched here.
	sudo install -m 644 -o root -g root /dev/stdin /etc/sysctl.d/local-swap.conf <<-EOF
		vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité
		vm.vfs_cache_pressure=50
# Configure the initramfs for remote unlocking of the encrypted root over
# SSH (dropbear): Xen PV module aliases, a dropbear RSA host key (kept
# stable when already recorded in the tool's known_hosts), and an
# authorized_keys for the initramfs root built from admin users' keys.
# Globals (read): $vm_fqdn, $tool.
# NOTE(review): original lines 250-255, 257, 259, 261-265, 268, 270,
# 277-279, 284, 289, 292-293, 296-297, 299 and 305 are not in this excerpt
# (here-document bodies/terminators, loop `done`s, the commands whose
# arguments appear on lines 280-281 and 300-302, and the closing brace).
rule_initramfs_configure () {
	sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/modprobe.d/xen-pv.conf <<-EOF
		alias scsi_hostadapter xenblk
	sudo install -m 644 -o root -g root /dev/stdin /etc/modules <<-EOF
		# NOTE: pour Xen en mode HVM :
		#modprobe xen-platform-pci
	sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF
	# NOTE(review): this edits a package-owned file under /usr/share, so the
	# fix is lost on the next package upgrade; a hook under
	# /etc/initramfs-tools would survive upgrades.
	sudo sed -e '/^configure_networking /s/ &$//' \
		-i /usr/share/initramfs-tools/scripts/init-premount/dropbear
	# NOTE: works around a bug: dropbear must wait until the network is configured.
	# Skip key generation when the tool's known_hosts already records an RSA
	# key for init.$vm_fqdn — presumably; lines 277-279 are not visible.
	# NOTE(review): `return 0` runs inside the `( … )` subshell, so it only
	# ends that subshell (the `break` after it is unreachable); whether the
	# function is skipped depends on how the pipeline's status is used next.
	ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	( while IFS= read -r line
	do case $line in (*" RSA") return 0; break;; esac
		/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
		/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
	sudo dropbearkey -t rsa -s 4096 -f \
		/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
	# NOTE: does not bother with dropbear_dss_host_key; Debian generates and uses it anyway.
	# NOTE(review): -m 640 on directories leaves no search bit; only root
	# (which bypasses it) will be able to enter them.
	sudo install -d -m 640 -o root -g root \
		/etc/initramfs-tools/root \
		/etc/initramfs-tools/root/.ssh
	# Collect the authorized_keys of every listed user (the here-document on
	# the inner loop re-splits $users on commas); the outer input source is
	# not in this excerpt.
	while IFS=: read -r group x x users
	do while test -n "$users" && IFS=, read -r user users <<-EOF
	# NOTE(review): eval is used only for tilde expansion of a user name; the
	# name comes from group data, but `getent passwd "$user" | cut -d: -f6`
	# would avoid evaluating data as shell code at all.
	do eval local home\; home="~$user"
	cat "$home"/etc/ssh/authorized_keys
	sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys
		/etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
		/etc/initramfs-tools/root/.ssh/id_rsa.pub \
		/etc/initramfs-tools/root/.ssh/id_rsa
	# NOTE: keys generated by Debian
	sudo update-initramfs -u
# Write /etc/locale.gen.
# NOTE(review): the here-document content (original lines 308-311) and the
# closing brace are not in this excerpt.
rule_locale_configure () {
	sudo install -m 644 -o root -g root /dev/stdin /etc/locale.gen <<-EOF
# Configure console logins for the Xen guest: allow root on the hvc0/xvc0
# consoles (securetty), run a getty on hvc0 (inittab), set login.defs
# (SHA512 password hashing, sbin in every user's PATH) and enable
# pam_umask in the common session stack.
# NOTE(review): original lines 316-317, 321-322, 325, 327-328, 332, 335,
# 337-338, 343, 353, 356, 361, 365, 367-372, 374, 381-386, 389-400, 402
# and 407-408 (here-document bodies/terminators, closing brace) are not in
# this excerpt; here-document content is left untouched.
rule_login_configure () {
	# Append hvc0 / xvc0 to securetty only when missing (idempotent).
	grep -q '^hvc0$' /etc/securetty ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
		$(cat /etc/securetty)
	grep -q '^xvc0$' /etc/securetty ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
		$(cat /etc/securetty)
	# Only the Xen console gets a getty; the xvc0 line is kept commented.
	sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF
		# /etc/inittab: init(8) configuration.
		# The default runlevel.
		# Boot-time system configuration/initialization script.
		# This is run first except when booting in emergency (-b) mode.
		si::sysinit:/etc/init.d/rcS
		# What to do in single-user mode.
		~~:S:wait:/sbin/sulogin
		# /etc/init.d executes the S and K scripts upon change
		# Runlevel 0 is halt.
		# Runlevel 1 is single-user.
		# Runlevels 2-5 are multi-user.
		# Runlevel 6 is reboot.
		l0:0:wait:/etc/init.d/rc 0
		l1:1:wait:/etc/init.d/rc 1
		l2:2:wait:/etc/init.d/rc 2
		l3:3:wait:/etc/init.d/rc 3
		l4:4:wait:/etc/init.d/rc 4
		l5:5:wait:/etc/init.d/rc 5
		l6:6:wait:/etc/init.d/rc 6
		# Normally not reached, but fallthrough in case of emergency.
		z6:6:respawn:/sbin/sulogin
		# What to do when CTRL-ALT-DEL is pressed.
		ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
		# What to do when the power fails/returns.
		pf::powerwait:/etc/init.d/powerfail start
		pn::powerfailnow:/etc/init.d/powerfail now
		po::powerokwait:/etc/init.d/powerfail stop
		# Xen hypervisor console
		hvc:2345:respawn:/sbin/getty 38400 hvc0
		#xvc:2345:respawn:/sbin/getty 38400 xvc0
	sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF
		FTMP_FILE /var/log/btmp
		HUSHLOGIN_FILE .hushlogin
		ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
		ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
		# NOTE: met les sbin/ dans ENV_PATH ;
		# - ça n'apporte aucune protection de ne pas les mettre ;
		# - ça frustre de ne pas les trouver.
		# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
		# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
		ENCRYPT_METHOD SHA512
	# NOTE(review): on Debian, /etc/pam.d/common-session is managed by
	# pam-auth-update, which may rewrite the file and drop this manual
	# addition; a /usr/share/pam-configs profile would persist — confirm.
	grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF
		$(cat /etc/pam.d/common-session)
		session optional pam_umask.so
# Install procmail and seed /etc/skel with the per-user mail cache/log
# directories and the delivery procmailrc.
# Globals (read): $tool.
# NOTE(review): original lines 412, 415 and 419 (further directory
# arguments, closing brace) are not in this excerpt.
rule_procmail_configure () {
	rule apt_get_install procmail
	sudo install -d -m 770 -o root -g adm \
		/etc/skel/var/cache/mail \
		/etc/skel/var/log/mail \
	sudo install -m 660 -o root -g adm \
		"$tool"/etc/skel/etc/mail/delivery.procmailrc \
		/etc/skel/etc/mail/delivery.procmailrc
# Install postgrey (greylisting policy server for Postfix) and restart it.
# NOTE(review): the closing brace (original line 423) is not in this excerpt.
rule_postgrey_configure () {
	rule apt_get_install postgrey
	sudo service postgrey restart
# Install and configure Postfix for this domain: create the per-domain
# config tree, deploy the SMTP server certificate chain, generate main.cf
# from a here-document prepended to the tool's template, install master.cf
# and the lookup tables (TLS policy, header checks, sender access, client
# blacklist, relay client certificates, transport, virtual aliases), build
# the hash maps and restart.  Requires the private key to have been sent
# beforehand with `vm_remote postfix_key_send`.
# Globals (read): $vm_domainname, $vm_hostname.
# NOTE(review): original lines 445, 464-466, 473, 475 and 507 (the command
# taking the arguments on lines 446-447, the target of the install on
# line 463, the main.cf here-document terminator, the target of the install
# on line 474, and the closing brace) are not in this excerpt.
rule_postfix_configure () {
	local hint="run vm_remote postfix_key_send before"
	assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
	warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
	rule apt_get_install postfix
	sudo install -d -m 770 -o root -g root \
		/etc/postfix/$vm_domainname/ \
		/etc/postfix/$vm_domainname/smtp \
		/etc/postfix/$vm_domainname/smtp/x509 \
		/etc/postfix/$vm_domainname/smtp/x509/ca \
		/etc/postfix/$vm_domainname/smtpd \
		/etc/postfix/$vm_domainname/smtpd/x509 \
		/etc/postfix/$vm_domainname/smtpd/x509/ca
	# NOTE(review): this install -d repeats the previous one verbatim
	# (original lines 437-444 duplicate 429-436); one of them can go.
	sudo install -d -m 770 -o root -g root \
		/etc/postfix/$vm_domainname/ \
		/etc/postfix/$vm_domainname/smtp \
		/etc/postfix/$vm_domainname/smtp/x509 \
		/etc/postfix/$vm_domainname/smtp/x509/ca \
		/etc/postfix/$vm_domainname/smtpd \
		/etc/postfix/$vm_domainname/smtpd/x509 \
		/etc/postfix/$vm_domainname/smtpd/x509/ca
		../crt+crl.self-signed.pem \
		/etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
	# Server certificates, root-only (Postfix loads them before dropping
	# privileges).  NOTE(review): the relative var/pub/… sources, unlike the
	# "$tool"/var/… form used elsewhere, depend on the cwd being $tool.
	sudo install -m 400 -o root -g root \
		var/pub/x509/service/smtpd/crt+crl.self-signed.pem \
		/etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
	sudo install -m 400 -o root -g root \
		var/pub/x509/service/smtpd/crt.pem \
		/etc/postfix/$vm_domainname/smtpd/x509/crt.pem
	sudo install -m 400 -o root -g root \
		var/pub/x509/service/smtpd/crt+root.pem \
		/etc/postfix/$vm_domainname/smtpd/x509/crt+root.pem
	# NOTE(review): this install repeats the crt+crl.self-signed.pem one
	# above verbatim (original lines 457-459 duplicate 448-450).
	sudo install -m 400 -o root -g root \
		var/pub/x509/service/smtpd/crt+crl.self-signed.pem \
		/etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
	sudo install -m 660 -o root -g root \
		etc/postfix/$vm_domainname/header_checks \
		/etc/postfix/$vm_domainname/header_checks
	sudo install -m 664 -o root -g root \
	# main.cf = this domain-specific header followed by the tool's template,
	# piped into the install on the next command.
	cat /dev/stdin etc/postfix/main.cf <<-EOF |
		mydomain = $vm_domainname
		myorigin = \$mydomain
		myhostname = $vm_hostname.\$mydomain
		mail_name = \$myhostname
		mydestination = $vm_hostname \$myhostname \$myorigin
	sudo install -m 664 -o root -g root /dev/stdin \
	sudo install -m 664 -o root -g root \
		etc/postfix/master.cf \
		/etc/postfix/master.cf
	# Lookup tables: each text source is installed, then compiled with postmap.
	sudo install -m 660 -o root -g root \
		etc/postfix/$vm_domainname/smtp/x509/policy \
		/etc/postfix/$vm_domainname/smtp/x509/policy
	sudo postmap hash:/etc/postfix/$vm_domainname/smtp/x509/policy
	sudo install -m 660 -o root -g root \
		etc/postfix/$vm_domainname/smtp/header_checks \
		/etc/postfix/$vm_domainname/smtp/header_checks
	sudo install -m 660 -o root -g root \
		etc/postfix/$vm_domainname/smtpd/sender_access \
		/etc/postfix/$vm_domainname/smtpd/sender_access
	sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/sender_access
	sudo install -m 660 -o root -g root \
		etc/postfix/$vm_domainname/smtpd/client_blacklist \
		/etc/postfix/$vm_domainname/smtpd/client_blacklist
	sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/client_blacklist
	sudo install -m 660 -o root -g root \
		etc/postfix/$vm_domainname/smtpd/relay_clientcerts \
		/etc/postfix/$vm_domainname/smtpd/relay_clientcerts
	sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/relay_clientcerts
	sudo install -m 660 -o root -g root \
		etc/postfix/$vm_domainname/transport \
		/etc/postfix/$vm_domainname/transport
	sudo postmap hash:/etc/postfix/$vm_domainname/transport
	sudo install -m 660 -o root -g root \
		etc/postfix/$vm_domainname/virtual_alias \
		/etc/postfix/$vm_domainname/virtual_alias
	sudo postmap hash:/etc/postfix/$vm_domainname/virtual_alias
	sudo service postfix restart
# Configure the whole mail stack, in dependency order: Postfix first, then
# the postgrey policy server, procmail delivery, and Dovecot.
# NOTE(review): the closing brace (original line 513) is not in this excerpt.
rule_mail_configure () {
	rule postfix_configure
	rule postgrey_configure
	rule procmail_configure
	rule dovecot_configure
# Write /etc/hostname, add this VM to /etc/hosts if absent, and write
# /etc/network/interfaces with a /32 address on the "grenode" interface
# (the gateway shares the address thanks to proxy_arp, see the NOTEs in the
# here-document).
# Globals (read): $vm, $vm_fqdn, $vm_ipv4.
# NOTE(review): original lines 516-517, 520, 522, 524, 526-527, 529,
# 531-532, 534, 537, 541, 548 and 553-554 (here-document bodies/terminators,
# closing brace) are not in this excerpt.
rule_network_configure () {
	sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
	# $vm is interpolated into a grep pattern; it is a configuration value,
	# not user input, so no escaping is done.
	grep -q " $vm\$" /etc/hosts ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/hosts <<-EOF
		127.0.0.1 $vm_fqdn $vm
	sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF
		iface lo inet loopback
		iface grenode inet static
		gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
		netmask 255.255.255.255
		# NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
		# car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
		# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
		# PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
		# 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
		# --- soupirail.grenode.net ping statistics ---
		# 1 packets transmitted, 1 received, 0% packet loss, time 0ms
		# rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
		# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
		# PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
		# From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
		# --- soupirail.grenode.net ping statistics ---
		# 0 packets transmitted, 0 received, +1 errors
		post-up ip address add $vm_ipv4/32 dev \$IFACE
		pre-down ip address delete $vm_ipv4/32 dev \$IFACE
# Configure the OpenSSH server: generate a 4096-bit RSA host key unless the
# tool's known_hosts already records one for this host, write a hardened
# sshd_config (listens on $vm_ipv4 only, public-key authentication only —
# passwords, empty passwords, challenge-response, host-based, Kerberos and
# GSSAPI are all off; authorized keys live in ~/etc/ssh/authorized_keys),
# and restart sshd.
# Globals (read): $vm_fqdn, $tool, $vm_ipv4.
# NOTE(review): original lines 559, 561, 568, 570-572, 576-581, 585,
# 594-599, 601, 603-604 and 606 are not in this excerpt; in particular any
# `Protocol` or `PermitRootLogin` directive, if present, is not visible.
rule_ssh_configure () {
	# NOTE(review): `return 0` runs inside the `( … )` subshell and so only
	# ends that subshell (the `break` after it is unreachable); whether the
	# host key below is skipped depends on line 559, which is not visible.
	ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	( while IFS= read -r line
	do case $line in (*" RSA") return 0; break;; esac
	# Non-interactive generation with an empty passphrase (host keys are
	# never passphrase-protected).
	sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
		/etc/ssh/ssh_host_dsa_key \
		/etc/ssh/ssh_host_dsa_key.pub \
		/etc/ssh/ssh_host_ecdsa_key \
		/etc/ssh/ssh_host_ecdsa_key.pub
	# NOTE: keys generated by Debian
	sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
		ListenAddress $vm_ipv4
		HostKey /etc/ssh/ssh_host_rsa_key
		UsePrivilegeSeparation yes
		KeyRegenerationInterval 3600
		RSAAuthentication yes
		PubkeyAuthentication yes
		AuthorizedKeysFile %h/etc/ssh/authorized_keys
		RhostsRSAAuthentication no
		HostbasedAuthentication no
		IgnoreUserKnownHosts no
		PermitEmptyPasswords no
		ChallengeResponseAuthentication no
		PasswordAuthentication no
		KerberosAuthentication no
		GSSAPIAuthentication no
		ClientAliveInterval 0
		Subsystem sftp /usr/lib/openssh/sftp-server
	sudo service ssh restart
# Create an administrator account: add the user (without a password — they
# set it themselves with passwd-init), put them in the sudo group, install
# their SSH public key from the tool's var/pub/ssh as a root-owned
# authorized_keys, import the tool's OpenPGP keys into their keyring, then
# re-run the admin configuration.
# Arguments: $1 user name.
# Globals (read): $tool.
# NOTE(review): original line 608 (presumably where $user is assigned from
# $1), the loop's `done` (620) and the closing brace (622) are not in this
# excerpt.
rule_user_admin_add () { # SYNTAX: $user
	id "$user" >/dev/null ||
	sudo adduser --disabled-password "$user"
	# NOTE: the password must be initialised by the user with passwd-init.
	# NOTE(review): eval is used only for tilde expansion of $user, but it
	# evaluates the argument as shell code; `getent passwd "$user" | cut -d: -f6`
	# gives the home directory without eval.
	eval local home\; home="~$user"
	sudo adduser "$user" sudo
	# Root-owned and not user-writable: the user cannot alter their own
	# authorized_keys; sshd reads it with privileges.
	sudo install -m 640 -o root -g root \
		"$tool"/var/pub/ssh/"$user".key \
		"$home"/etc/ssh/authorized_keys
	# `local -` restores the shell options at function return, so globbing
	# (disabled script-wide by `set -f`) is re-enabled only for this loop.
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo -u "$user" gpg --import "$key"
	rule user_admin_configure
# Propagate administrator changes: rebuild the initramfs (its dropbear
# authorized_keys) and root's configuration (its authorized_keys).
# NOTE(review): the closing brace (original line 626) is not in this excerpt.
rule_user_admin_configure () {
	rule initramfs_configure
	rule user_root_configure
# Set up the account skeleton (/etc/skel with ~/etc/ssh and ~/etc/gpg as the
# real SSH/GnuPG directories), sudoers snippets letting sudo-group members
# set their initial password and run `etckeeper unclean` without a password,
# keep git committer identity through sudo, and install the passwd-init
# helper.
# NOTE(review): original lines 629-630, 633-634, 643, 646, 649-651, 654-655,
# 657, 661, 663-664 and 666-668 (further arguments, here-document
# bodies/terminators, closing brace) are not in this excerpt.
rule_user_configure () {
	sudo install -d -m 750 -o root -g adm \
	sudo install -d -m 770 -o root -g adm \
		/etc/skel/etc/apache2 \
		/etc/skel/var/cache \
		/etc/skel/var/cache/ssh
	sudo ln -fns etc/ssh /etc/skel/.ssh
	sudo ln -fns etc/gpg /etc/skel/.gnupg
	# Lets a sudo-group member whose account is still locked (passwd --status
	# reports "L", as after `adduser --disabled-password`) set their first
	# password without one: sudoers matches the -c string literally, so the
	# grant is limited to exactly this command.
	# NOTE(review): sudo expects sudoers.d files to be mode 0440; with 0640 I
	# would expect it to warn that the file "should be 0440" and ignore it,
	# which makes passwd-init prompt for a password — verify with `visudo -c`.
	# The same mode is used for the two snippets below.
	sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
		%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
		case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
		("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
	sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF
		%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
	sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/env_keep <<-EOF
		Defaults env_keep = " \\
		GIT_COMMITTER_NAME \\
		GIT_COMMITTER_EMAIL \\
	# The helper's -c string must stay byte-identical to the sudoers entry
	# above, otherwise sudo will not match it and will ask for a password.
	sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF
		# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
		sudo /bin/sh -e -f -u -c \
		'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
	sudo install -m 644 -o root -g root \
	sudo install -m 644 -o root -g root \
# Configure the root account: ~/etc/gpg and ~/etc/ssh as the real GnuPG/SSH
# directories, root's authorized_keys assembled from the authorized_keys of
# the listed users (presumably the sudo group's members; the loop's input
# source is not visible), and the tool's OpenPGP keys imported into root's
# keyring.
# Globals (read): $tool.
# NOTE(review): original lines 671-673, 676, 679-680, 683-684 and 689-693
# (further arguments, here-document body/terminator, loop `done`s, closing
# brace) are not in this excerpt.
rule_user_root_configure () {
	sudo install -d -m 750 -o root -g adm \
	sudo ln -fns etc/gpg /root/.gnupg
	sudo ln -fns etc/ssh /root/.ssh
	# The here-document on the inner loop re-splits $users on commas.
	while IFS=: read -r group x x users
	do while test -n "$users" && IFS=, read -r user users <<-EOF
	# NOTE(review): eval is used only for tilde expansion of a user name
	# taken from group data; `getent passwd "$user" | cut -d: -f6` would avoid
	# evaluating data as shell code.
	do eval local home\; home="~$user"
	cat "$home"/etc/ssh/authorized_keys
	# Root-owned, not group/world-writable: every listed user's key grants
	# root login, so the union is worth reviewing whenever the list changes.
	sudo install -m 640 -o root -g root /dev/stdin /root/etc/ssh/authorized_keys
	# `local -` restores the shell options at function return, so globbing
	# is re-enabled only for this loop.
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo gpg --import "$key"
# NOTE(review): fragment of a rule body whose header (original lines
# 689-693) and lines 698-699 and 701-704 are not in this excerpt; it chains
# the base system rules in order.
rule etckeeper_configure
rule locale_configure
rule network_configure
rule filesystem_configure
rule user_root_configure
# Change the passphrase of the encrypted root volume.  Only the root volume
# is touched: per the crypttab written by rule_filesystem_configure, the
# var/home/swap volumes are unlocked with decrypt_derived from the root
# volume, and luksChangeKey replaces a passphrase slot without altering the
# volume master key that decrypt_derived uses — confirm on the full file.
# Globals (read): $vm_lvm_vg, $vm_lvm_lv.
# NOTE(review): the closing brace (original line 707) is not in this excerpt.
rule_luks_key_change () {
	sudo cryptsetup luksChangeKey /dev/$vm_lvm_vg/${vm_lvm_lv}_root
# Top-level guard: refuse to run on any machine other than the VM this
# configuration describes (the tool's $vm_fqdn must match the local FQDN).
# NOTE(review): original lines 708-713 are not in this excerpt.
assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn