X-Git-Url: http://git.cyclocoop.org/?a=blobdiff_plain;f=vm_remote;h=64e535362296ebd0fc9056a6498b19b5f03d8b10;hb=22f04b9fac14adc3d3fc98273ba126c3a51792c3;hp=57a3e968d48ab335946cdf10644c4a90d2638cb5;hpb=b7595a000cae850e0702938336ce116376bc7d67;p=lhc%2Fateliers.git
diff --git a/vm_remote b/vm_remote
index 57a3e96..64e5353 100755
--- a/vm_remote
+++ b/vm_remote
@@ -1,8 +1,9 @@
 #!/bin/sh
 set -e -f ${DRY_RUN:+-n} -u
-tool=$(cd "${0%/*}"; cd -)
+tool=$(readlink -e "${0%/*}")
 . "$tool"/lib/rule.sh
 . "$tool"/etc/vm.sh
+TRACE=1
 rule_help () { # SYNTAX: [--hidden]
 local hidden; [ ${1:+set} ] || hidden=set
@@ -27,10 +28,10 @@ rule_git_configure () { # DESCRIPTION: configure ./.git correctement
 (
 cd "$tool"
 git remote rm host || true
- git remote add host $vm_host:tool/vm
+ git remote add host $vm_host:src/vm
 git config --replace remote.host.push HEAD:refs/remotes/master
 git remote rm hosted || true
- git remote add hosted root@$vm_fqdn:tool/vm
+ git remote add hosted $vm_fqdn:src/vm
 git config --replace remote.hosted.push HEAD:refs/remotes/master
 git submodule update --init
 )
@@ -47,7 +48,7 @@ rule_ssh () {
 "$tool"/lib/ssh $vm_fqdn "$@"
 }
 rule_mosh () {
- mosh --ssh="$tool/lib/ssh $*" $vm_fqdn
+ mosh --ssh="$tool/lib/ssh ${ssh-}" -- $vm_fqdn "$@"
 }
 rule__ssh_known_hosts_update () {
 rule ssh \
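Review bot: `TRACE=1` is assigned unconditionally right after the two `.` lines, so unlike `DRY_RUN` on the `set` line it cannot be overridden from the environment; if it is meant as a default, `TRACE=${TRACE:-1}` keeps that path open (what lib/rule.sh does with the variable is outside this hunk). The new `tool=$(readlink -e "${0%/*}")` depends on GNU readlink's `-e` under a `#!/bin/sh` shebang, which BSD/macOS readlink does not provide. When the script is invoked by bare name, `${0%/*}` is the script name itself, so `readlink -e` either fails (aborting under `set -e`) or yields the file path rather than its directory; a guard such as `case $0 in (*/*) ;; (*) set -- … ;; esac` or a `dirname`-based fallback would make the resolution robust.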
@@ -92,44 +93,6 @@ rule_luks_key_backup () { # SYNTAX: ${gpg_options:---recipient $USER@} DESCRIPTI
 done
 }
-rule_apache2_key_send () {
- local -; set +f
- for conf in "$tool"/etc/nginx/site.d/*/key_send
- do conf=${conf#"$tool"/etc/nginx/site.d/}
- local site=${conf%/key_send}
- rule _x509_site_key_decrypt \
- "$(cat "$tool"/etc/apache2/site.d/"$site"/key_send)" |
- rule ssh -l root ' \
- sudo install -d -m 770 -o '"$user"' -g '"$user"' \
- /etc/apache2 \
- /etc/apache2/x509.d \
- /etc/apache2/x509.d/'"$site"'; \
- sudo install -m 644 -o '"$user"' -g '"$user"' /dev/stdin \
- /etc/apache2/x509.d/'"$site"'/.gitignore <<-EOF
- key.pem
- EOF
- sudo install -m 400 -o root -g root \
- /dev/stdin \
- /etc/apache2/x509.d/'"'$site'"'/key.pem
- '
- done
- }
-rule_dovecot_key_send () {
- rule _x509_site_key_decrypt imap."$vm_domainname" |
- rule ssh -l root ' \
- sudo install -d -m 770 -o root -g root \
- /etc/dovecot/'"$vm_domainname"'/ \
- /etc/dovecot/'"$vm_domainname"'/imap \
- /etc/dovecot/'"$vm_domainname"'/imap/x509 ; \
- sudo install -m 644 -o root -g root /dev/stdin \
- /etc/dovecot/'"$vm_domainname"'/imap/x509/.gitignore <<-EOF
- key.pem
- EOF
- sudo install -m 400 -o root -g root \
- /dev/stdin \
- /etc/dovecot/"$vm_domainname"/imap/x509/key.pem
- '
- }
 rule_gitolite_git () {
 (
 cd "$tool"/etc/gitolite
@@ -141,50 +104,108 @@ rule_gitolite_git () {
 git '"$*"
 )
 }
-rule_nginx_configure () {
- local -; set +f
- for conf in "$tool"/etc/nginx/site.d/*/site.conf
- do conf=${conf#"$tool"/etc/nginx/site.d/}
- local site="${conf%/site.conf}"
- if test -f "$tool"/etc/nginx/site.d/"$site"/key_send
- then
- rule _x509_site_key_decrypt \
- "$(cat "$tool"/etc/nginx/site.d/"$site"/key_send)" |
- rule ssh -l root ' \
- sudo install -d -m 770 -o root -g root \
- /etc/nginx \
- /etc/nginx/x509.d \
- /etc/nginx/x509.d/'"'$site'"'; \
- sudo install -m 644 -o root -g root /dev/stdin \
- /etc/nginx/x509.d/'"'$site'"'/.gitignore <<-EOF
- key.pem
- EOF
- sudo install -m 400 -o root -g root /dev/stdin \
- /etc/nginx/x509.d/'"'$site'"'/key.pem
- '
- fi
- test ! -r "$tool"/etc/nginx/site.d/"$site"/remote.sh ||
- . "$tool"/etc/nginx/site.d/"$site"/remote.sh
- done
+rule_runit_configure () { # SYNTAX: $sv [...] -- $configure_options
+ if test $# = 0
+ then
+ set +x
+ rule ssh sudo sv status \
+ $(sudo find /etc/sv \
+ -mindepth 1 -maxdepth 1 -type d \
+ -printf '%p\n' | sort)
+ else
+ local services=
+ while [ $# -gt 0 ]
+ do case $1 in
+ (--) shift; break;;
+ (*) services="$services $1"; shift;;
+ esac
+ done
+ for sv in $(find "$tool"/etc/sv \
+ -mindepth 1 -maxdepth 1 -type d \
+ -false $(printf -- '-or -name %s\n' $services) \
+ -printf '%f\n')
+ do
+ rule _runit_sv_configure "$sv" "$@"
+ done
+ fi
 }
-rule_postfix_key_send () {
- rule _x509_site_key_decrypt smtpd."$vm_domainname" |
- rule ssh -l root ' \
- sudo install -d -m 770 -o root -g root \
- /etc/postfix/'"$vm_domainname"'/ \
- /etc/postfix/'"$vm_domainname"'/smtpd \
- /etc/postfix/'"$vm_domainname"'/smtpd/x509; \
- sudo install -m 644 -o root -g root /dev/stdin \
- /etc/postfix/'"$vm_domainname"'/smtp/x509/.gitignore <<-EOF
- key.pem
+rule__runit_sv_configure () { # SYNTAX: $sv $configure_options
+ local sv="$1"; shift
+ (
+ test ! -r "$tool"/etc/sv/"$sv"/remote.sh ||
+ . "$tool"/etc/sv/"$sv"/remote.sh || return 1
+ )
+ }
+
+
+rule_duplicity_configure () {
+ subkey_caps="e s" \
+ rule gpg_gen_key "backup+$vm_hostname@$vm_domainname" <<-EOF
+ Name-Real: $vm_fqdn
+ Name-Email: backup+$vm_hostname@$vm_domainname
+ Name-Comment: (duplicity)
+ Expire-Date: 0
+ EOF
+ }
+rule_duplicity_key_send () {
+ gpg --export-options export-reset-subkey-passwd \
+ --export-secret-subkeys "backup+$vm_hostname@$vm_domainname" |
+ rule ssh gpg --import -
+ }
+rule_gpg () { # SYNTAX: $gpg_options
+ LANG=C gpg --no-permission-warning --homedir "$tool"/var/pub/openpgp "$@"
+ }
+rule_gpg_gen_key () { # SYNTAX: $uid ENV: $gpg_options
+ local uid="$1"
+ install -d -m 700 \
+ var/pub/openpgp
+ install -d -m 700 \
+ var/sec \
+ var/sec/openpgp
+ if test ! -e "$tool"/var/sec/openpgp/"$uid".pass.gpg
+ then gpg --encrypt $gpg_options -o "$tool"/var/sec/openpgp/"$uid".pass.gpg <<-EOF
+ $(stdbuf --output 0 tr -d -c '[:alnum:][:punct:]' <"${random:-/dev/urandom}" | head -c 42)
 EOF
- sudo install -m 644 -o root -g root /dev/stdin \
- /etc/postfix/'"$vm_domainname"'/smtpd/x509/.gitignore <<-EOF
- key.pem
+ fi
+ if ! rule gpg --list-keys -- "$uid" >/dev/null
+ then
+ rule gpg --batch --gen-key
+ # DOC: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=doc/DETAILS;hb=refs/heads/STABLE-BRANCH-1-4
+ Key-Type: RSA
+ Key-Length: 4096
+ Key-Usage: sign
+ Passphrase:$(gpg --decrypt ${gpg_options-} "$tool"/var/sec/openpgp/"$uid".pass.gpg)
+ Preferences: TWOFISH AES256 CAST5 BLOWFISH CAMELLIA256 3DES SHA512 SHA384 SHA256 SHA224 SHA1 BZIP2 ZLIB ZIP NONE MDC NO-KS-MODIFY
+ $(cat -)
+ %commit
+ EOF
+ fi
+ caps=$(
+ rule gpg --with-colons --fixed-list-mode --with-fingerprint --list-secret-keys \
+ -- "$uid" |
+ sed -e 's/^ssb\(:[^:]*\)\{11\}.*/\1/;t;d'
+ )
+ for cap in ${subkey_caps:-}
+ do
+ test ! "$caps" = "$(printf %s "$caps" | sed -e 's/'"$cap"'//g')" ||
+ printf '%s\n' 8 s e $cap q 4096 ${expire:-0} save |
+ rule gpg --keyid-format "long" --with-colons --fixed-list-mode --expert \
+ --passphrase-fd 3 --command-fd 0 --edit-key "$uid" addkey 3<<-EOF
+ $(gpg --decrypt ${gpg_options-} "$tool"/var/sec/openpgp/"$uid".pass.gpg)
+ EOF
+ done
+ }
+rule_mysql_backup () {
+ mkdir -p "$tool"/var/backup/mysql
+ rule ssh -l backup '
+ for db in $(sudo -u backup mysql -u backup --skip-column-names <<-EOF
+ SELECT schema_name
+ FROM information_schema.schemata
+ WHERE schema_name NOT IN ("information_schema", "performance_schema");
 EOF
- install -m 400 -o root -g root \
- /dev/stdin \
- /etc/postfix/'"'$vm_domainname'"'/smtpd/x509/key.pem
+ ); do
+ $db
+ done
 '
 }
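Review bot: In rule_gpg_gen_key the line `rule gpg --batch --gen-key` carries no heredoc redirection in the hunk as rendered, yet the parameter block that follows (`Key-Type: RSA` … `%commit`) is closed by an `EOF` line; unless the operator was lost in rendering, those lines execute as shell commands and the function aborts under `set -e`, so the line should read `rule gpg --batch --gen-key <<-EOF`. Earlier in the same function `install -d -m 700 var/pub/openpgp` and `var/sec/openpgp` are relative to the caller's working directory while every other path in the function is anchored on `"$tool"`, so a run from another directory creates the homedir elsewhere; use `"$tool"/var/pub/openpgp` and `"$tool"/var/sec/openpgp`. In rule_runit_configure the `$(sudo find /etc/sv …)` substitution is evaluated on the local host before `rule ssh` runs, so it lists local services and prompts for local sudo; if the remote list is intended, the find belongs inside the ssh command string. In rule_mysql_backup the loop body is the bare `$db`, which runs each schema name as a command on the remote host — presumably a placeholder for the dump command that should write under `"$tool"/var/backup/mysql`.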