git config --replace branch.master.merge refs/remotes/master
local tool
tool=$(cd "$tool"; cd -)
- sudo install -m 770 /dev/stdin .git/hooks/post-update <<-EOF
+ install -m 770 /dev/stdin .git/hooks/post-update <<-EOF
#!/bin/sh -efux
case \$1 in
(refs/remotes/master)
$users
EOF
do eval local home\; home="~$user"
- cat "$home"/etc/ssh/authorized_keys
+ sudo cat "$home"/etc/ssh/authorized_keys
done
done |
- sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys
+ sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/initramfs-tools/root/.ssh/authorized_keys
sudo rm -f \
/etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
/etc/initramfs-tools/root/.ssh/id_rsa.pub \
\$GL_CONF = "\$GL_ADMINDIR/conf/gitolite.conf";
\$GL_CONF_COMPILED = "\$GL_ADMINDIR/conf/gitolite.conf.pm";
#\$GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups"
- \$GL_GITCONFIG_KEYS = "hooks\\..* repo\\..*";
+ \$GL_GITCONFIG_KEYS = "gitweb\\..* hooks\\..*";
#\$GL_HOSTNAME = "git.$vm_domainname";
# NOTE: read doc/mirroring.mkd COMPLETELY before setting this.
#\$GL_HTTP_ANON_USER = "mob";
--disabled-password \
--group \
--home /home/mysql/data \
+ --no-create-home \
--shell /bin/false \
--system
sudo usermod --home /home/mysql mysql
sudo adduser mysql mysql-data
- sudo install -m 640 -o mysql -g mysql \
+ sudo install -m 644 -o mysql -g mysql \
"$tool"/etc/mysql/my.cnf \
/etc/mysql/my.cnf
sudo install -d -m 751 -o mysql -g mysql \
/home/mysql
- sudo install -d -m 750 -o mysql-data -g mysql-data \
- /home/mysql/data
- if test ! -d /home/mysql/data
+ sudo rm -rf /etc/mysql
+ sudo install -d -m 750 -o mysql -g mysql \
+ /etc/mysql \
+ /home/mysql/etc
+ sudo ln -fns \
+ /etc/mysql \
+ /home/mysql/etc/mysql
+ if sudo test ! -d /home/mysql/data
then
+ sudo install -d -m 750 -o mysql -g mysql-data \
+ /home/mysql/data
sudo -u mysql mysql_install_db \
- --no-defaults \
- --datadir=/home/mysql/data
+ --datadir=/home/mysql/data \
+ --no-defaults
fi
sudo service tmpfs restart
+ sudo insserv -r mysql
case $(sudo sv status mysql || true) in
- (run:*) sudo sv restart mysql
+ (''|run:*|*"s, normally up;"*)
+ sudo sv restart mysql
+ case $(sudo inotifywait -e create -- /run/mysqld/sock/) in
+ ("/run/mysqld/sock/ CREATE mysql")
+ # NOTE:
+ # - ajoute l'accès par socket Unix à mysql
+ # - ajoute les droits de super-utilisateur à mysql
+ # - supprime l'accès par mot-de-passe à root
+ # - supprime les bases de données de l'utilisateurice anonyme
+ # - supprime l'utilisateurice anonyme
+ # NOTE: mémo :
+ # GRANT USAGE ON *.* TO 'root'@'*' IDENTIFIED WITH auth_socket;
+ # CREATE USER 'root'@'localhost' IDENTIFIED WITH auth_socket;
+ # UPDATE mysql.user SET Password='' WHERE user='root';
+ # DELETE FROM mysql.user WHERE user = 'root' AND host NOT IN ('localhost', '127.0.0.1', '::1');
+ sudo mysql -u root --batch --verbose <<-EOF
+ DELETE FROM mysql.user WHERE user = 'root' and plugin = '';
+ GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' IDENTIFIED WITH auth_socket;
+ UPDATE mysql.user SET grant_priv='Y',super_priv='Y' WHERE user='mysql';
+ DELETE FROM mysql.db WHERE user = '';
+ DELETE FROM mysql.user WHERE user = '';
+ FLUSH PRIVILEGES;
+ EOF
+ ;;
+ esac
esac
}
+rule_mysql_db_add () { # SYNTAX: $user $db
+ sudo -u mysql mysql --batch <<-EOF
+ DROP DATABASE IF EXISTS $db;
+ CREATE DATABASE $db CHARACTER SET utf8 COLLATE utf8_general_ci;
+ GRANT ALL PRIVILEGES ON $base.* TO '$user'@'localhost' IDENTIFIED WITH auth_socket;
+ FLUSH PRIVILEGES;
+ EOF
+ }
+rule_mysql_user_add () { # SYNTAX: $user
+ sudo mysql -u mysql --batch <<-EOF || true
+ DROP USER '$user'@'localhost';
+ EOF
+ sudo mysql -u mysql --batch <<-EOF
+ CREATE USER '$user'@'localhost' IDENTIFIED WITH auth_socket;
+ EOF
+ }
rule_network_configure () {
sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
$vm
$(cat /etc/hosts)
127.0.0.1 $vm_fqdn $vm
EOF
+ sudo install -m 644 -o root -g root /dev/stdin /etc/resolv.conf <<-EOF
+ search ${vm_host#*.}
+ nameserver ${vm_host_nameserver}
+ EOF
sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF
auto lo
iface lo inet loopback
pre-down ip address delete $vm_ipv4/32 dev \$IFACE
EOF
}
-rule_www_configure () {
- rule adduser www \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/www \
- --shell /bin/false \
- --system
- rule adduser log-www \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/www/log \
- --shell /bin/false \
- --system
- #sudo adduser www www-data
- sudo adduser www log-www
- #sudo adduser log log-www
- usermod --home /home/www/pub www-data
- sudo install -d -m 751 -o www -g www \
- /home/www
- sudo install -d -m 750 -o www -g www \
- /home/www/etc
- sudo install -d -m 1771 -o www-data -g www-data \
- /home/www/pub
- sudo install -d -m 1771 -o log-www -g log-www \
- /home/www/log
- }
rule_nginx_configure () {
local -; set +f
rule apt_get_install nginx
# de leurs groupes supplémentaires.
sudo service nginx restart
}
+rule_nsd3_configure () { # NOTE: DNS autoritaire uniquement
+ local -; set +f
+ rule apt_get_install nsd m4
+ sudo rm -rf \
+ /etc/nsd3/zone.d
+ sudo install -d -m 750 -o root -g nsd \
+ /etc/nsd3/zone.d
+ {
+ cat <<-EOF
+ server:
+ ip-address: $vm_ipv4
+ ip4-only: yes
+ EOF
+ cat "$tool"/etc/nsd3/nsd.conf
+ local conf
+ for conf in "$tool"/etc/nsd3/zone.d/*.conf
+ do conf=${conf#"$tool"/etc/nsd3/zone.d/}
+ local domain=${conf%.conf}
+ if test -e "$tool"/etc/nsd3/zone.d/"$domain".zone.m4
+ then m4 \
+ --define=ZONE_DOMAIN=$domain \
+ --define=ZONE_SERIAL=$(cd "$tool" && git log -1 --format="%ct" -- etc/nsd3/zone.d/"$domain".zone.m4) \
+ --define=VM_IP4=$vm_ipv4 \
+ "$tool"/etc/nsd3/zone.d/"$domain".zone.m4
+ else cat "$tool"/etc/nsd3/zone.d/"$domain".zone
+ fi |
+ sudo install -m 440 -o root -g nsd /dev/stdin \
+ /etc/nsd3/zone.d/"$domain".zone
+ sudo install -m 440 -o root -g nsd \
+ "$tool"/etc/nsd3/zone.d/"$conf" \
+ /etc/nsd3/zone.d/"$conf"
+ cat <<-EOF
+ zone:
+ name: $domain
+ zonefile: /etc/nsd3/zone.d/$domain.zone
+ EOF
+ done
+ } |
+ sudo install -m 640 -o root -g nsd /dev/stdin \
+ /etc/nsd3/nsd.conf
+ sudo service nsd3 restart
+ }
rule_php5_fpm_configure () {
local -; set +f
rule apt_get_install \
sudo service postfix restart
}
rule_postgresql_configure () {
+ # DOC: http://wiki.postgresql.org/wiki/Shared_Database_Hosting
rule apt_get_install postgresql-9.1
- if [ ! -d /var/lib/postgresql/9.1/ ]; then
- pg_createcluster -u postgres --start 9.1 main
- fi
- sudo install -m 660 -o root -g root \
- "$tool"/etc/postgresql/9.1/main/postgresql.conf \
- /etc/postgresql/9.1/main/postgresql.conf
- sudo service postgresql restart
+ rule adduser postgres \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/postgresql \
+ --shell /bin/false \
+ --system
+ rule adduser postgres-data \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/postgresql/data \
+ --no-create-home \
+ --shell /bin/false \
+ --system
+ sudo usermod --home /home/postgresql postgres
+ sudo adduser postgres postgres-data
+ sudo rm -rf \
+ /etc/postgresql
+ sudo install -d -m 750 -o postgres -g postgres \
+ /home/postgresql \
+ /home/postgresql/etc \
+ /etc/postgresql \
+ /etc/postgresql/9.1 \
+ /etc/postgresql/9.1/main
+ sudo ln -fns \
+ /etc/postgresql \
+ /home/postgresql/etc/postgresql
+ sudo install -d -m 751 -o postgres -g postgres \
+ /home/postgresql/log \
+ /home/postgresql/log/9.1
+ sudo service tmpfs restart
+ if sudo test ! -d /home/postgresql/data
+ then
+ sudo install -d -m 750 -o postgres -g postgres \
+ /home/postgresql/data
+ (
+ cd /
+ sudo -u postgres pg_createcluster \
+ --datadir=/home/postgresql/data \
+ --logfile=/home/postgresql/log/9.1/main \
+ --socketdir=/run/postgresql/sock \
+ --start 9.1 main
+ )
+ fi
+ sudo install -m 770 -o postgres -g postgres /dev/stdin \
+ /etc/postgresql/9.1/main/pg_hba.conf <<-EOF
+ local all postgres peer
+ local all all peer
+ EOF
+ sudo install -m 660 -o postgres -g postgres \
+ "$tool"/etc/postgresql/9.1/main/postgresql.conf \
+ /etc/postgresql/9.1/main/postgresql.conf
+ sudo insserv -r postgresql
+ case $(sudo sv status postgres || true) in
+ (''|run:*|*"s, normally up;"*)
+ sudo sv restart postgres
+ (
+ cd /
+ case $(sudo inotifywait -e create -- /run/postgresql/sock/) in
+ ("/run/postgresql/sock/ CREATE .s.PGSQL."*)
+ # NOTE:
+ # - supprime l'accès au schéma public depuis public,
+ # de sorte à ce que les différents utilisateurices
+ # ne voient pas leurs bases de données entre-elleux ;
+ # - ajoute le support de PL/PGSQL
+ sudo -u postgres psql template1 -f - <<-EOF
+ REVOKE ALL ON DATABASE template1 FROM public;
+ REVOKE ALL ON SCHEMA public FROM public;
+ GRANT ALL ON SCHEMA public TO postgres;
+ CREATE LANGUAGE plpgsql;
+ EOF
+ # NOTE:
+ # - supprime l'accès à la liste des bases données
+ # et utilisateurices depuis public.
+ sudo -u postgres psql template1 -f - <<-EOF
+ REVOKE ALL ON pg_auth_members FROM public;
+ REVOKE ALL ON pg_authid FROM public;
+ REVOKE ALL ON pg_database FROM public;
+ REVOKE ALL ON pg_group FROM public;
+ REVOKE ALL ON pg_roles FROM public;
+ REVOKE ALL ON pg_settings FROM public;
+ REVOKE ALL ON pg_tablespace FROM public;
+ REVOKE ALL ON pg_user FROM public;
+ EOF
+ ;;
+ esac
+ )
+ ;;
+ esac
+ }
+rule_postgresql_db_add () { # SYNTAX: $db $db_user
+ local db="$1" db_user="$2"
+ sudo -u postgresql psql template1 -f - <<-EOF
+ CREATE ROLE $db NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT NOLOGIN;
+ CREATE ROLE $db_user NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT LOGIN ENCRYPTED;
+ GRANT $db TO $db_user;
+ CREATE DATABASE $db WITH OWNER=$db_user;
+ REVOKE ALL ON DATABASE $db FROM public;
+ EOF
+ }
+rule_postgresql_db_user_add () { # SYNTAX: $db $user
+ local db="$1" user="$2"
+ sudo -u postgresql psql template1 -f - <<-EOF
+ CREATE ROLE $user NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT LOGIN ENCRYPTED;
+ GRANT USAGE ON SCHEMA public TO $user;
+ GRANT CONNECT,TEMPORARY ON DATABASE $db TO $user;
+ GRANT $db TO $user;
+ EOF
}
rule_openerp_configure () {
sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
"$tool"/etc/skel/etc/mail/delivery.procmailrc \
/etc/skel/etc/mail/delivery.procmailrc
}
-rule_runit_configure () {
+rule_runit_configure () { # SYNTAX: $service
rule apt_get_install runit
local -; set +f
for sv in ${1-/etc/service/*}
rule dpkg_reconfigure tzdata
rule apt_get_install ntp
}
+rule_unbound_configure () {
+ sudo apt-get install unbound m4
+ sudo install -m 644 -o root -g root /dev/stdin /etc/resolv.conf <<-EOF
+ search ${vm_host#*.}
+ nameserver 127.0.0.1
+ #nameserver ${vm_host_nameserver}
+ EOF
+ sudo install -m 440 -o unbound -g unbound \
+ "$tool"/etc/unbound/named.cache \
+ /etc/unbound/named.cache
+ m4 \
+ --define=OUTGOING_INTERFACE=$vm_ipv4 \
+ <"$tool"/etc/unbound/unbound.conf |
+ sudo install -m 440 -o unbound -g unbound /dev/stdin \
+ /etc/unbound/unbound.conf
+ sudo service unbound restart
+ }
rule_user_add () { # SYNTAX: $user
rule user_configure
local user=$1
$users
EOF
do eval local home\; home="~$user"
- cat "$home"/etc/ssh/authorized_keys
+ sudo cat "$home"/etc/ssh/authorized_keys
done
done |
sudo install -m 640 -o root -g root /dev/stdin /root/etc/ssh/authorized_keys
do sudo gpg --import "$key"
done
}
+rule_www_configure () {
+ rule adduser www \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/www \
+ --shell /bin/false \
+ --system
+ rule adduser log-www \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/www/log \
+ --shell /bin/false \
+ --system
+ #sudo adduser www www-data
+ sudo adduser www log-www
+ #sudo adduser log log-www
+ usermod --home /home/www/pub www-data
+ sudo install -d -m 751 -o www -g www \
+ /home/www
+ sudo install -d -m 750 -o www -g www \
+ /home/www/etc
+ sudo install -d -m 1771 -o www-data -g www-data \
+ /home/www/pub
+ sudo install -d -m 1771 -o log-www -g log-www \
+ /home/www/log
+ }
rule_configure () {
rule apt_configure
rule git_configure
rule php5_fpm_configure
rule nginx_configure
#rule apache2_configure
+ rule nsd3_configure
rule runit_configure
}