git remote rm hosted || true
git remote add hosted root@$vm_fqdn:tool/vm
git config --replace remote.hosted.push HEAD:refs/remotes/master
+ git submodule update --init
)
}
rule_git_push () { # SYNTAX: {host|hosted} $git_push_options
-o HashKnownHosts=no \
whoami
}
-rule_luks_key_send () { # NOTE: envoie la clef de déchiffrement des partitions au démarrage de la VM.
+
+rule__x509_service_key_send_deciphered () { # SYNTAX: $service $remote_destination ${ssh_options-}
+ local service="$1"; shift
+ local remote_destination="$1"; shift
+ gpg --decrypt "var/sec/x509/$vm_domainname/$service/key.pass.gpg" |
+ openssl rsa -passin 'stdin' \
+ -in "var/sec/x509/$vm_domainname/$service/key.pem" \
+ -out '/dev/stdout' |
+ rule ssh "$@" ' \
+ install -m 400 -o root -g root \
+ /dev/stdin \
+ '"$remote_destination"' \
+ '
+ }
+
+rule_luks_key_send () { # DESCRIPTION: envoie la clef de déchiffrement des partitions au démarrage de la VM.
gpg --decrypt var/sec/luks/$vm_fqdn.key.gpg |
"$tool"/lib/ssh root@$vm_fqdn "$@" \
-o CheckHostIP=no \
-o HostKeyAlias=init.$vm_fqdn \
tee /lib/cryptsetup/passfifo \>/dev/null
}
-rule_luks_key_backup () { # NOTE: sauvegarde localement les entêtes des partitions chiffrées. ENVIRONMENT: $gpg_recipient
+rule_luks_key_backup () { # SYNTAX: ${gpg_options:---recipient $USER@} DESCRIPTION: sauvegarde localement les entêtes des partitions chiffrées.
+ test "${*+set}" || set -- --recipient "$USER@"
for part in root var home
do
mkdir -p var/sec/luks
cat "$tmp";
shred >/dev/null --remove "$tmp"; \
' |
- gpg --encrypt --recipient "${gpg_recipient:-$USER@}" \
+ gpg "$@" --encrypt \
-o var/sec/luks/${vm_lvm_lv}_${part}.luks.gpg
done
}
+rule_apache2_key_send () {
+ local -; set +f
+ for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf
+ do conf=${conf#"$tool"/etc/apache2/site.d/}
+ local user port service site
+ IFS=. read -r user port service site <<-EOF
+ ${conf%\/VirtualHost\.conf}
+ EOF
+ assert 'test "${user:+set}"'
+ assert 'test "${service:+set}"'
+ assert 'test "${site:+set}"'
+ assert 'test "${port:+set}"'
+ local site_dir="$user.$port.$service.$site"
+ case $port in
+ (443)
+ rule ssh -l root ' \
+ sudo install -d -m 770 -o '"$user"' -g '"$user"' \
+ /etc/apache2 \
+ /etc/apache2/site.d/'"$site_dir"' \
+ /etc/apache2/site.d/'"$site_dir"'/x509; \
+ sudo install -m 644 -o '"$user"' -g '"$user"' /dev/stdin \
+ /etc/apache2/site.d/'"$site_dir"'/x509/.gitignore <<-EOF
+ key.pem
+ EOF
+ '
+ rule _x509_service_key_send_deciphered $service \
+ ~"$user"/etc/apache2/"$site_dir"/x509/key.pem -l root "$@"
+ ;;
+ esac
+ done
+ }
+rule_dovecot_key_send () {
+ rule ssh -l root ' \
+ sudo install -d -m 770 -o root -g root \
+ /etc/dovecot/'"$vm_domainname"'/ \
+ /etc/dovecot/'"$vm_domainname"'/imap \
+ /etc/dovecot/'"$vm_domainname"'/imap/x509 ; \
+ sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/dovecot/'"$vm_domainname"'/imap/x509/.gitignore <<-EOF
+ key.pem
+ EOF
+ '
+ rule _x509_service_key_send_deciphered imap \
+ /etc/dovecot/$vm_domainname/$service/x509/key.pem -l root "$@"
+ }
+rule_nginx_key_send () {
+ local -; set +f
+ for conf in "$tool"/etc/nginx/site.d/*/server.conf
+ do conf=${conf#"$tool"/etc/nginx/site.d/}
+ local user port service site
+ IFS=. read -r user port service site <<-EOF
+ ${conf%\/server\.conf}
+ EOF
+ assert 'test "${user:+set}"'
+ assert 'test "${service:+set}"'
+ assert 'test "${site:+set}"'
+ assert 'test "${port:+set}"'
+ local site_dir="$user.$port.$service.$site"
+ case $port in
+ (443)
+ rule ssh -l root ' \
+ sudo install -d -m 770 -o root -g root \
+ /etc/nginx \
+ /etc/nginx/site.d \
+ /etc/nginx/site.d/'"$site_dir"' \
+ /etc/nginx/site.d/'"$site_dir"'/x509; \
+ sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/nginx/site.d/'"$site_dir"'/x509/.gitignore <<-EOF
+ key.pem
+ EOF
+ '
+ rule _x509_service_key_send_deciphered $service \
+ /etc/nginx/"$site_dir"/x509/key.pem -l root "$@"
+ ;;
+ esac
+ done
+ }
+rule_postfix_key_send () {
+ rule ssh -l root ' \
+ sudo install -d -m 770 -o root -g root \
+ /etc/postfix/'"$vm_domainname"'/ \
+ /etc/postfix/'"$vm_domainname"'/smptd \
+ /etc/postfix/'"$vm_domainname"'/smptd/x509; \
+ sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/postfix/'"$vm_domainname"'/smtp/x509/.gitignore <<-EOF
+ key.pem
+ EOF
+ sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/postfix/'"$vm_domainname"'/smtpd/x509/.gitignore <<-EOF
+ key.pem
+ EOF
+ '
+ rule _x509_service_key_send_deciphered smtpd \
+ /etc/postfix/$vm_domainname/smtpd/x509/key.pem -l root "$@"
+ }
+
rule=${1:-help}
${1+shift}
case $rule in
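Review bot: The destinations handed to `rule _x509_service_key_send_deciphered` do not match the directories the preceding `ssh ... install -d` calls create, so the remote `install -m 400 ... /dev/stdin` on L21–L23 will hit a missing parent (plain `install` does not create parents): L91 expands `$service`, which is never set in `rule_dovecot_key_send`, and should read `/etc/dovecot/$vm_domainname/imap/x509/key.pem -l root "$@"`; L129–L130 create `smptd` while L132/L136/L141 write under `smtp`/`smtpd`, neither of which is created, so L129–L130 should say `smtpd` (and L132 should agree with L136 if one directory is intended); L113 creates `/etc/nginx/site.d/$site_dir/x509` but L120 sends to `/etc/nginx/"$site_dir"/x509/key.pem` without the `site.d` component. The apache branch has the same mismatch (L66–L67 create `/etc/apache2/site.d/$site_dir/x509`, L74 sends to `~"$user"/etc/apache2/"$site_dir"/x509/key.pem`), and because `"$user"` is quoted the tilde is not expanded locally, so the literal `~user/...` reaches the remote shell unquoted through the `'"$remote_destination"'` splice on L23 — presumably intended, but it means any destination containing spaces or shell metacharacters is mis-parsed remotely, so quoting that splice or keeping destinations strictly to generated names is worth a comment. The deciphered key is installed `-o root -g root` mode 400 on L21 even for the per-user apache destination whose directories L64 creates as `$user:$user`, so confirm that the service process actually running as `$user` is meant to be unable to read it. The file header of this section is outside the chunk, so which of these functions share a hunk is not visible here.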