for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf
do conf=${conf#"$tool"/etc/apache2/site.d/}
local port site
- IFS=. read -r port site <<-EOF
+ IFS=. read -r port domain <<-EOF
${conf%\/VirtualHost\.conf}
EOF
- assert 'test "${site:+set}"'
assert 'test "${port:+set}"'
- local site_user="$user.$port.$site"
- local site_dir="$user.$port.$site"
+ assert 'test "${domain:+set}"'
+ local site="$port.$domain"
case $port in
(443)
local hint="run vm_remote apache2_key_send before"
- assert "sudo test -f /etc/apache2/site.d/\"$site_dir\"/x509/key.pem" hint
- sudo install -d -m 770 -o "$user" -g "$user" \
+ assert "sudo test -f /etc/apache2/site.d/\"$site\"/x509/key.pem" hint
+ sudo install -d -m 770 -o www."$site" -g www."$site" \
/etc/apache2 \
- /etc/apache2/site.d/"$site_dir" \
- /etc/apache2/site.d/"$site_dir"/x509 \
- /etc/apache2/site.d/"$site_dir"/x509/ca \
- /etc/apache2/site.d/"$site_dir"/x509/empty \
- /etc/apache2/site.d/"$site_dir"/x509/rvk \
- /etc/apache2/site.d/"$site_dir"/x509/usr
+ /etc/apache2/site.d/"$site" \
+ /etc/apache2/site.d/"$site"/x509 \
+ /etc/apache2/site.d/"$site"/x509/ca \
+ /etc/apache2/site.d/"$site"/x509/empty \
+ /etc/apache2/site.d/"$site"/x509/rvk \
+ /etc/apache2/site.d/"$site"/x509/usr
sudo install -m 664 -o www -g www \
- "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
- /etc/apache2/site.d/"$site_dir"/x509/crt.self-signed.pem
- #sudo install -m 664 -o "$user" -g "$user" \
+ "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
+ /etc/apache2/site.d/"$site"/x509/crt.self-signed.pem
+ #sudo install -m 664 -o www."$site" -g www."$site" \
# "$tool"/var/pub/x509/"$site"/rvk.pem \
- # /etc/apache2/site.d/"$site_dir"/x509/rvk.pem
+ # /etc/apache2/site.d/"$site"/x509/rvk.pem
sudo install -m 664 -o www -g www \
"$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \
- /etc/apache2/site.d/"$site_dir"/x509/ca/crt.pem
+ /etc/apache2/site.d/"$site"/x509/ca/crt.pem
sudo install -m 664 -o www -g www \
- "$tool"/var/pub/x509/"$site"/crt.pem \
- /etc/apache2/site.d/"$site_dir"/x509/crt.pem
+ "$tool"/var/pub/x509/"$site"/crt.pem \
+ /etc/apache2/site.d/"$site"/x509/crt.pem
;;
esac
case $port in
(80)
cat <<-EOF
<VirtualHost *:$port>
- AssignUserID $site_user $site_user
- CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
+ AssignUserID www.$site www.$site
+ CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined
#CustomLog "/dev/null" Combined
- DocumentRoot /home/www/pub/$site_dir
- ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
+ DocumentRoot /home/www/pub/$site
+ ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60"
#ErrorLog "/dev/null"
- ServerName $site
+ ServerName $domain
LogLevel Warn
- $(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
+ $(cat "$tool"/etc/apache2/site.d/"$site"/VirtualHost.conf)
</VirtualHost>
EOF
;;
cat <<-EOF
<IfModule mod_ssl.c>
<VirtualHost *:$port>
- AssignUserID $site_user $site_user
+ AssignUserID www.$site www.$site
BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
- CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
+ CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined
#CustomLog "/dev/null" Combined
- DocumentRoot /home/www/pub/$site_dir
- ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
+ DocumentRoot /home/www/pub/$site
+ ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60"
#ErrorLog "/dev/null"
LogLevel Warn
- ServerName $site
- SSLCACertificateFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
- SSLCACertificatePath /etc/apache2/site.d/$site_dir/x509/usr/
- #SSLCARevocationFile /etc/apache2/site.d/$site_dir/x509/rvk.pem
- SSLCADNRequestFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
- SSLCADNRequestPath /etc/apache2/site.d/$site_dir/x509/empty/
+ ServerName $domain
+ SSLCACertificateFile /etc/apache2/site.d/$site/x509/crt.self-signed.pem
+ SSLCACertificatePath /etc/apache2/site.d/$site/x509/usr/
+ #SSLCARevocationFile /etc/apache2/site.d/$site/x509/rvk.pem
+ SSLCADNRequestFile /etc/apache2/site.d/$site/x509/crt.self-signed.pem
+ SSLCADNRequestPath /etc/apache2/site.d/$site/x509/empty/
# NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés
- SSLCARevocationPath /etc/apache2/site.d/$site_dir/x509/rvk/
- SSLCertificateChainFile /etc/apache2/site.d/$site_dir/x509/ca/crt.pem
- SSLCertificateFile /etc/apache2/site.d/$site_dir/x509/crt.pem
- SSLCertificateKeyFile /etc/apache2/site.d/$site_dir/x509/key.pem
+ SSLCARevocationPath /etc/apache2/site.d/$site/x509/rvk/
+ SSLCertificateChainFile /etc/apache2/site.d/$site/x509/ca/crt.pem
+ SSLCertificateFile /etc/apache2/site.d/$site/x509/crt.pem
+ SSLCertificateKeyFile /etc/apache2/site.d/$site/x509/key.pem
SSLCipherSuite AES+RSA+SHA256
SSLEngine On
SSLInsecureRenegotiation Off
SSLUserName SSL_CLIENT_S_DN_CN
SSLVerifyClient None
SSLVerifyDepth 1
- $(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
+ $(cat "$tool"/etc/apache2/site.d/"$site"/VirtualHost.conf)
</VirtualHost>
</IfModule>
EOF
;;
esac |
sudo install -m 660 -o root -g root /dev/stdin \
- /etc/apache2/site.d/"$site_dir"/VirtualHost.conf
+ /etc/apache2/site.d/"$site"/VirtualHost.conf
sudo ln -fns \
- ../site.d/"$site_dir"/VirtualHost.conf \
- /etc/apache2/sites-available/"$site_dir"
- sudo install -d -m 770 -o "$user" -g "$user" \
- /home/www/log/"$site_dir" \
- /home/www/log/"$site_dir"/apache2
+ ../site.d/"$site"/VirtualHost.conf \
+ /etc/apache2/sites-available/"$site"
+ sudo install -d -m 770 -o www."$site" -g www."$site" \
+ /home/www/log/"$site" \
+ /home/www/log/"$site"/apache2
sudo ln -fns \
- /etc/apache2/site.d/"$site_dir" \
- /home/www/etc/apache2/"$site_dir"
- test -e /home/www/pub/"$site_dir" ||
- sudo install -d -m 770 -o "$user" -g "$user" \
- /home/www/pub/"$site_dir"
- getent passwd "$site_user" >/dev/null ||
+ /etc/apache2/site.d/"$site" \
+ /home/www/etc/apache2/"$site"
+ test -e /home/www/pub/"$site" ||
+ sudo install -d -m 770 -o www."$site" -g www."$site" \
+ /home/www/pub/"$site"
+ getent passwd www."$site" >/dev/null ||
sudo adduser \
--disabled-password \
--group \
--no-create-home \
- --home /home/www/pub/"$site_dir" \
+ --home /home/www/pub/"$site" \
--shell /bin/false \
--system \
- "$site_user"
- sudo setfacl -m u:"$site_user":--x \
- /home/www/ \
- /home/www/pub/ \
- /home/www/pub/"$site_dir"/
- sudo setfacl -m d:u:"$site_user":rwx \
- "$home"/pub/www/"$site_dir"/
- test ! -r "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh ||
- . "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh
- test -e /etc/apache2/sites-enabled/"$site_dir" ||
- sudo a2ensite "$site_dir"
+ www."$site"
+ #sudo setfacl -m u:"www.$site":--x \
+ # /home/www/ \
+ # /home/www/pub/ \
+ # /home/www/pub/"$site"/
+ #sudo setfacl -m d:u:"www.$site":rwx \
+ # "$home"/pub/www/"$site"/
+ test ! -r "$tool"/etc/apache2/site.d/"$site"/configure.sh ||
+ . "$tool"/etc/apache2/site.d/"$site"/configure.sh
+ test -e /etc/apache2/sites-enabled/"$site" ||
+ sudo a2ensite "$site"
done
sudo service apache2 restart
}
${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
EOF
- sudo install -m 644 -o root -g root /dev/stdin /etc/default/tmpfs <<-EOF
- LOCK_SIZE=5242880 # NOTE: 5MiB
- RAMLOCK=yes
- RAMSHM=yes
- RAMTMP=yes
- RUN_SIZE=10%
- SHM_SIZE=
- TMP_MODE=1777,nr_inodes=1000k,noatime
- TMP_OVERFLOW_LIMIT=1024
- # NOTE: mount tmpfs on /tmp if there is less than the limit size (in kiB)
- # on the root filesystem (overriding RAMTMP).
- TMP_SIZE=200m
- TMPFS_SIZE=20%VM
- EOF
- sudo install -m 775 -o root -g root \
- "$tool"/etc/init.d/tmpfs \
- /etc/init.d/tmpfs
- sudo update-rc.d tmpfs defaults
+ rule tmpfs_configure
}
rule_initramfs_configure () {
sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
#sudo sv restart spawn-fcgi.git.80.git.heureux-cyclage.org
#sudo sv restart git-daemon.git.9418
}
-rule_locale_configure () {
+rule_locales_configure () {
sudo debconf-set-selections <<-EOF
locales locales/default_environment_locale select None
locales locales/locales_to_be_generated multiselect fr_FR.UTF-8 UTF-8
done
for conf in "$tool"/etc/nginx/site.d/*/server.conf
do conf=${conf#"$tool"/etc/nginx/site.d/}
- local port site
- IFS=. read -r port site <<-EOF
+ local port domain
+ IFS=. read -r port domain <<-EOF
${conf%\/server\.conf}
EOF
assert 'test "${port:+set}"'
- assert 'test "${site:+set}"'
- site="$port.$site"
+ assert 'test "${domain:+set}"'
+ local site="$port.$domain"
getent passwd www."$site" >/dev/null ||
sudo adduser \
--disabled-login \
access_log /home/www/log/$site/nginx/access.log main;
error_log /home/www/log/$site/nginx/error.log warn;
root /home/www/pub/$site;
- server_name $site;
+ server_name $domain;
$(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
}
EOF
error_log /home/www/log/$site/nginx/error.log warn;
keepalive_timeout 70;
root /home/www/pub/$site;
- server_name $site;
+ server_name $domain;
# DOC: http://wiki.nginx.org/HttpSslModule
ssl on;
ssl_certificate /home/www/etc/nginx/site.d/$site/x509/crt.pem;
esac |
sudo install -m 660 -o www -g www /dev/stdin \
/etc/nginx/site.d/"$site"/server.conf
- adduser www-data "$site"
+ adduser www-data www."$site"
test -e /home/www/pub/"$site" ||
- sudo install -d -m 3770 -o "$site" -g "$site" \
+ sudo install -d -m 3770 -o www."$site" -g www."$site" \
/home/www/pub/"$site"
sudo install -d -m 3770 -o log."$site" -g log."$site" \
/home/www/log/"$site"/nginx
sudo rm -f /etc/php5/fpm/pool.d/*
for conf in "$tool"/etc/php5/fpm/pool.d/*.conf
do conf=${conf#"$tool"/etc/php5/fpm/pool.d/}
- local port site
- IFS=. read -r port site <<-EOF
+ local port domain
+ IFS=. read -r port domain <<-EOF
${conf%\.conf}
EOF
assert 'test "${port:+set}"'
- assert 'test "${site:+set}"'
- site="$port.$site"
- getent passwd php5"$site" >/dev/null ||
+ assert 'test "${domain:+set}"'
+ local site="$port.$domain"
+ getent passwd php5."$site" >/dev/null ||
sudo adduser \
--disabled-login \
--disabled-password \
/home/www/log/php5/fpm
sudo install -d -m 770 -o log."$site" -g log."$site" \
/home/www/log/"$site"
- sudo adduser php5."$user" www."$site"
+ sudo adduser php5."$site" www."$site"
sudo install -m 660 -o root -g root /dev/stdin \
/etc/php5/fpm/pool.d/"$conf" <<-EOF
[php5.$site]
sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
*.db
EOF
- sudo install -d -m 770 -o root -g root \
- /etc/postfix/$vm_domainname/ \
- /etc/postfix/$vm_domainname/smtp \
- /etc/postfix/$vm_domainname/smtp/x509 \
- /etc/postfix/$vm_domainname/smtp/x509/ca \
- /etc/postfix/$vm_domainname/smtpd \
- /etc/postfix/$vm_domainname/smtpd/x509 \
- /etc/postfix/$vm_domainname/smtpd/x509/ca
- sudo install -d -m 770 -o root -g root \
+ sudo install -d -m 771 -o root -g root \
+ /etc/postfix/ \
/etc/postfix/$vm_domainname/ \
/etc/postfix/$vm_domainname/smtp \
/etc/postfix/$vm_domainname/smtp/x509 \
../crt+crl.self-signed.pem \
/etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+crl.self-signed.pem \
- /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
+ "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \
+ /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/$vm_domainname/smtpd/crt.pem \
- /etc/postfix/$vm_domainname/smtpd/x509/crt.pem
+ "$tool"/var/pub/x509/smtpd.$vm_domainname/crt.pem \
+ /etc/postfix/$vm_domainname/smtpd/x509/crt.pem
sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+ca.pem \
- /etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem
+ "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+ca.pem \
+ /etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem
sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+crl.self-signed.pem \
- /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
+ "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \
+ /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
sudo install -m 660 -o root -g root \
"$tool"/etc/postfix/$vm_domainname/header_checks \
/etc/postfix/$vm_domainname/header_checks
}
rule_postgresql_configure () {
rule apt_get_install postgresql-9.1
+ if [ ! -d /var/lib/postgresql/9.1/ ]; then
+ pg_createcluster -u postgres --start 9.1 main
+ fi
+ sudo install -m 660 -o root -g root \
+ "$tool"/etc/postgresql/9.1/main/postgresql.conf \
+ /etc/postgresql/9.1/main/postgresql.conf
sudo service postgresql restart
}
rule_openerp_configure () {
then
ln -fns ../sv/"$sv" /etc/service/"$sv"
sv restart "$sv"
- else
+ fi
done
}
rule_ssh_configure () {
done
sudo sysctl --system
}
+rule_tmpfs_configure () {
+ sudo install -m 644 -o root -g root /dev/stdin /etc/default/tmpfs <<-EOF
+ LOCK_SIZE=5242880 # NOTE: 5MiB
+ RAMLOCK=yes
+ RAMSHM=yes
+ RAMTMP=yes
+ RUN_SIZE=10%
+ SHM_SIZE=
+ TMP_MODE=1777,nr_inodes=1000k,noatime
+ TMP_OVERFLOW_LIMIT=1024
+ # NOTE: mount tmpfs on /tmp if there is less than the limit size (in kiB)
+ # on the root filesystem (overriding RAMTMP).
+ TMP_SIZE=200m
+ TMPFS_SIZE=20%VM
+ EOF
+ sudo install -m 775 -o root -g root \
+ "$tool"/etc/init.d/tmpfs \
+ /etc/init.d/tmpfs
+ sudo update-rc.d tmpfs defaults
+ }
rule_time_configure () {
sudo install -m 644 -o root -g root /dev/stdin /etc/timezone <<-EOF
Europe/Paris
rule_user_add () { # SYNTAX: $user
rule user_configure
local user=$1
- id "$user" >/dev/null ||
+ getent passwd "$user" >/dev/null ||
sudo adduser --disabled-password "$user"
# NOTE: le mot-de-passe doit être initialisé par l'utilisateur à l'aide de passwd-init .
eval local home\; home="~$user"
done
}
rule_user_configure () {
- true
- }
-rule_user_admin_add () { # SYNTAX: $user
- rule user_configure
- local user=$1
- id "$user" >/dev/null ||
- sudo adduser --disabled-password "$user"
- eval local home\; home="~$user"
- sudo adduser "$user" sudo
- sudo adduser "$user" users
- sudo install -m 640 -o root -g root \
- "$tool"/var/pub/ssh/"$user".key \
- "$home"/etc/ssh/authorized_keys
- local key; local -; set +f
- for key in "$tool"/var/pub/openpgp/*.key
- do sudo -u "$user" gpg --import - <"$key"
- done
- rule user_admin_configure
- }
-rule_user_admin_configure () {
- rule initramfs_configure
- rule user_root_configure
- }
-rule_user_configure () {
+ sudo install -m 660 -o root -g root /dev/stdin \
+ /etc/adduser.conf <<-EOF
+ ADD_EXTRA_GROUPS=1
+ DHOME=/home
+ DIR_MODE=0750
+ DSHELL=/bin/bash
+ EXTRA_GROUPS="users"
+ FIRST_GID=1000
+ FIRST_SYSTEM_GID=100
+ FIRST_SYSTEM_UID=100
+ FIRST_UID=1000
+ GROUPHOMES=no
+ LAST_GID=29999
+ LAST_SYSTEM_GID=999
+ LAST_SYSTEM_UID=999
+ LAST_UID=29999
+ LETTERHOMES=no
+ NAME_REGEX="^[a-z][-a-z0-9_.]*\$"
+ QUOTAUSER="" # TODO: init
+ SETGID_HOME=no
+ SKEL=/etc/skel
+ SKEL_IGNORE_REGEX="dpkg-(old|new|dist|save)"
+ USERGROUPS=yes
+ USERS_GID=100
+ EOF
sudo install -d -m 750 -o root -g root \
/etc/skel \
/etc/skel/etc \
"$tool"/etc/screenrc \
/etc/screenrc
}
+rule_user_admin_add () { # SYNTAX: $user
+ rule user_configure
+ local user=$1
+ getent passwd "$user" >/dev/null ||
+ sudo adduser --disabled-password "$user"
+ eval local home\; home="~$user"
+ sudo adduser "$user" sudo
+ sudo install -m 640 -o root -g root \
+ "$tool"/var/pub/ssh/"$user".key \
+ "$home"/etc/ssh/authorized_keys
+ local key; local -; set +f
+ for key in "$tool"/var/pub/openpgp/*.key
+ do sudo -u "$user" gpg --import - <"$key"
+ done
+ rule user_admin_configure
+ }
+rule_user_admin_configure () {
+ rule initramfs_configure
+ rule user_root_configure
+ }
rule_user_root_configure () {
sudo install -d -m 750 -o root -g root \
/root/etc \
rule apt_configure
rule git_configure
rule etckeeper_configure
- rule locale_configure
+ rule locales_configure
rule time_configure
rule network_configure
rule filesystem_configure