-#archive_command = '' # command to use to archive a logfile segment
-#archive_mode = off # allows archiving to be done
-#archive_timeout = 0 # force a logfile segment switch after this
+#archive_command = '' # command to use to archive a logfile segment
+#archive_mode = off # allows archiving to be done
+#archive_timeout = 0 # force a logfile segment switch after this
#array_nulls = on
-#authentication_timeout = 1min # 1s-600s
-#autovacuum = on # Enable autovacuum subprocess? 'on'
-#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze
-#autovacuum_analyze_threshold = 50 # min number of row updates before
-#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum
-#autovacuum_max_workers = 3 # max number of autovacuum subprocesses
-#autovacuum_naptime = 1min # time between autovacuum runs
-#autovacuum_vacuum_cost_delay = 20ms # default vacuum cost delay for
-#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for
-#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum
-#autovacuum_vacuum_threshold = 50 # min number of row updates before
-#backslash_quote = safe_encoding # on, off, or safe_encoding
-#bgwriter_delay = 200ms # 10-10000ms between rounds
-#bgwriter_lru_maxpages = 100 # 0-1000 max buffers written/round
-#bgwriter_lru_multiplier = 2.0 # 0-10.0 multipler on buffers scanned/round
-#bonjour = off # advertise server via Bonjour
-#bonjour_name = '' # defaults to the computer name
-#bytea_output = 'hex' # hex, escape
+#authentication_timeout = 1min # 1s-600s
+#autovacuum = on # Enable autovacuum subprocess? 'on'
+#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze
+#autovacuum_analyze_threshold = 50 # min number of row updates before
+#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum
+#autovacuum_max_workers = 3 # max number of autovacuum subprocesses
+#autovacuum_naptime = 1min # time between autovacuum runs
+#autovacuum_vacuum_cost_delay = 20ms # default vacuum cost delay for
+#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for
+#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum
+#autovacuum_vacuum_threshold = 50 # min number of row updates before
+#backslash_quote = safe_encoding # on, off, or safe_encoding
+#bgwriter_delay = 200ms # 10-10000ms between rounds
+#bgwriter_lru_maxpages = 100 # 0-1000 max buffers written/round
+#bgwriter_lru_multiplier = 2.0 # 0-10.0 multipler on buffers scanned/round
+bonjour = off # advertise server via Bonjour
+#bonjour_name = '' # defaults to the computer name
+#bytea_output = 'hex' # hex, escape
#check_function_bodies = on
-#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0
-#checkpoint_segments = 3 # in logfile segments, min 1, 16MB each
-#checkpoint_timeout = 5min # range 30s-1h
-#checkpoint_warning = 30s # 0 disables
-#client_encoding = sql_ascii # actually, defaults to database
-#client_min_messages = notice # values in order of decreasing detail:
-#commit_delay = 0 # range 0-100000, in microseconds
-#commit_siblings = 5 # range 1-1000
-#constraint_exclusion = partition # on, off, or partition
-#cpu_index_tuple_cost = 0.005 # same scale as above
-#cpu_operator_cost = 0.0025 # same scale as above
-#cpu_tuple_cost = 0.01 # same scale as above
-#cursor_tuple_fraction = 0.1 # range 0.0-1.0
-#custom_variable_classes = '' # list of custom variable class names
-data_directory = '/var/lib/postgresql/9.1/main' # use data in another directory
+#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0
+#checkpoint_segments = 3 # in logfile segments, min 1, 16MB each
+#checkpoint_timeout = 5min # range 30s-1h
+#checkpoint_warning = 30s # 0 disables
+#client_encoding = sql_ascii # actually, defaults to database
+#client_min_messages = notice # values in order of decreasing detail:
+#commit_delay = 0 # range 0-100000, in microseconds
+#commit_siblings = 5 # range 1-1000
+#constraint_exclusion = partition # on, off, or partition
+#cpu_index_tuple_cost = 0.005 # same scale as above
+#cpu_operator_cost = 0.0025 # same scale as above
+#cpu_tuple_cost = 0.01 # same scale as above
+#cursor_tuple_fraction = 0.1 # range 0.0-1.0
+#custom_variable_classes = '' # list of custom variable class names
+data_directory = '/home/postgresql/data' # use data in another directory
datestyle = 'iso, dmy'
#db_user_namespace = off
#deadlock_timeout = 1s
#debug_print_parse = off
#debug_print_plan = off
#debug_print_rewritten = off
-#default_statistics_target = 100 # range 1-10000
-#default_tablespace = '' # a tablespace name, '' uses the default
+#default_statistics_target = 100 # range 1-10000
+#default_tablespace = '' # a tablespace name, '' uses the default
default_text_search_config = 'pg_catalog.french'
#default_transaction_deferrable = off
#default_transaction_isolation = 'read committed'
#enable_sort = on
#enable_tidscan = on
#escape_string_warning = on
-#exit_on_error = off # terminate session on any error?
-external_pid_file = '/var/run/postgresql/9.1-main.pid' # write an extra PID file
-#extra_float_digits = 0 # min -15, max 3
+#exit_on_error = off # terminate session on any error?
+external_pid_file = '/run/postgresql/9.1-main.pid' # write an extra PID file
+#extra_float_digits = 0 # min -15, max 3
#from_collapse_limit = 8
-#fsync = on # turns forced synchronization on or off
-#full_page_writes = on # recover from partial page writes
+#fsync = on # turns forced synchronization on or off
+#full_page_writes = on # recover from partial page writes
#geqo = on
-#geqo_effort = 5 # range 1-10
-#geqo_generations = 0 # selects default based on effort
-#geqo_pool_size = 0 # selects default based on effort
-#geqo_seed = 0.0 # range 0.0-1.0
-#geqo_selection_bias = 2.0 # range 1.5-2.0
+#geqo_effort = 5 # range 1-10
+#geqo_generations = 0 # selects default based on effort
+#geqo_pool_size = 0 # selects default based on effort
+#geqo_seed = 0.0 # range 0.0-1.0
+#geqo_selection_bias = 2.0 # range 1.5-2.0
#geqo_threshold = 12
-hba_file = '/etc/postgresql/9.1/main/pg_hba.conf' # host-based authentication file
-#hot_standby = off # "on" allows queries during recovery
-#hot_standby_feedback = off # send info from standby to prevent
-ident_file = '/etc/postgresql/9.1/main/pg_ident.conf' # ident configuration file
+hba_file = '/etc/postgresql/9.1/main/pg_hba.conf' # host-based authentication file
+#hot_standby = off # "on" allows queries during recovery
+#hot_standby_feedback = off # send info from standby to prevent
+ident_file = '/etc/postgresql/9.1/main/pg_ident.conf' # ident configuration file
#intervalstyle = 'postgres'
-#join_collapse_limit = 8 # 1 disables collapsing of explicit
+#join_collapse_limit = 8 # 1 disables collapsing of explicit
#krb_caseins_users = off
#krb_server_keyfile = ''
-#krb_srvname = 'postgres' # (Kerberos only)
-lc_messages = 'fr_FR.utf8' # locale for system error message
-lc_monetary = 'fr_FR.utf8' # locale for monetary formatting
-lc_numeric = 'fr_FR.utf8' # locale for number formatting
-lc_time = 'fr_FR.utf8' # locale for time formatting
-#listen_addresses = 'localhost' # what IP address(es) to listen on;
+#krb_srvname = 'postgres' # (Kerberos only)
+lc_messages = 'fr_FR.utf8' # locale for system error message
+lc_monetary = 'fr_FR.utf8' # locale for monetary formatting
+lc_numeric = 'fr_FR.utf8' # locale for number formatting
+lc_time = 'fr_FR.utf8' # locale for time formatting
+#listen_addresses = 'localhost' # what IP address(es) to listen on;
#lo_compat_privileges = off
#local_preload_libraries = ''
-#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and
+#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and
#log_checkpoints = off
#log_connections = off
-#log_destination = 'stderr' # Valid values are combinations of
-#log_directory = 'pg_log' # directory where log files are written,
+log_destination = 'stderr'
+#log_directory = 'pg_log' # directory where log files are written,
#log_disconnections = off
#log_duration = off
-#log_error_verbosity = default # terse, default, or verbose messages
+#log_error_verbosity = default # terse, default, or verbose messages
#log_executor_stats = off
-#log_file_mode = 0600 # creation mode for log files,
-#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern,
+#log_file_mode = 0600 # creation mode for log files,
+#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern,
#log_hostname = off
-log_line_prefix = '%t ' # special values:
-#log_lock_waits = off # log lock waits >= deadlock_timeout
-#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements
-#log_min_error_statement = error # values in order of decreasing detail:
-#log_min_messages = warning # values in order of decreasing detail:
+log_line_prefix = '%t ' # special values:
+#log_lock_waits = off # log lock waits >= deadlock_timeout
+#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements
+#log_min_error_statement = error # values in order of decreasing detail:
+#log_min_messages = warning # values in order of decreasing detail:
#log_parser_stats = off
#log_planner_stats = off
-#log_rotation_age = 1d # Automatic rotation of logfiles will
-#log_rotation_size = 10MB # Automatic rotation of logfiles will
-#log_statement = 'none' # none, ddl, mod, all
+#log_rotation_age = 1d # Automatic rotation of logfiles will
+#log_rotation_size = 10MB # Automatic rotation of logfiles will
+#log_statement = 'none' # none, ddl, mod, all
#log_statement_stats = off
-#log_temp_files = -1 # log temporary files equal or larger
+#log_temp_files = -1 # log temporary files equal or larger
#log_timezone = '(defaults to server environment setting)'
-#log_truncate_on_rotation = off # If on, an existing log file with the
-#logging_collector = off # Enable capturing of stderr and csvlog
-#maintenance_work_mem = 16MB # min 1MB
-max_connections = 100 # (change requires restart)
-#max_files_per_process = 1000 # min 25
-#max_locks_per_transaction = 64 # min 10
-#max_pred_locks_per_transaction = 64 # min 10
-#max_prepared_transactions = 0 # zero disables the feature
-#max_stack_depth = 2MB # min 100kB
-#max_standby_archive_delay = 30s # max delay before canceling queries
-#max_standby_streaming_delay = 30s # max delay before canceling queries
-#max_wal_senders = 0 # max number of walsender processes
-#password_encryption = on
-port = 5432 # (change requires restart)
+#log_truncate_on_rotation = off # If on, an existing log file with the
+#logging_collector = off # Enable capturing of stderr and csvlog
+#maintenance_work_mem = 16MB # min 1MB
+max_connections = 100 # (change requires restart)
+#max_files_per_process = 1000 # min 25
+#max_locks_per_transaction = 64 # min 10
+#max_pred_locks_per_transaction = 64 # min 10
+#max_prepared_transactions = 0 # zero disables the feature
+#max_stack_depth = 2MB # min 100kB
+#max_standby_archive_delay = 30s # max delay before canceling queries
+#max_standby_streaming_delay = 30s # max delay before canceling queries
+#max_wal_senders = 0 # max number of walsender processes
+password_encryption = on
+port = 5432 # (change requires restart)
#quote_all_identifiers = off
-#random_page_cost = 4.0 # same scale as above
-#replication_timeout = 60s # in milliseconds; 0 disables
-#restart_after_crash = on # reinitialize after backend crash?
-#search_path = '"$user",public' # schema names
-#seq_page_cost = 1.0 # measured on an arbitrary scale
+#random_page_cost = 4.0
+#replication_timeout = 60s # in milliseconds; 0 disables
+#restart_after_crash = on # reinitialize after backend crash?
+#search_path = '"$user",public' # schema names
+#seq_page_cost = 1.0 # measured on an arbitrary scale
#session_replication_role = 'origin'
-shared_buffers = 32MB # min 128kB
-#shared_preload_libraries = '' # (change requires restart)
-#silent_mode = off # Run server silently.
+shared_buffers = 128MB # min 128kB
+#shared_preload_libraries = '' # (change requires restart)
+#silent_mode = off # Run server silently.
#sql_inheritance = on
-#ssl = off # (change requires restart)
-#ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL ciphers
-#ssl_renegotiation_limit = 512MB # amount of data between renegotiations
+ssl = off # (change requires restart)
+#ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL ciphers
+#ssl_renegotiation_limit = 512MB # amount of data between renegotiations
#standard_conforming_strings = on
-#statement_timeout = 0 # in milliseconds, 0 is disabled
+#statement_timeout = 0 # in milliseconds, 0 is disabled
#stats_temp_directory = 'pg_stat_tmp'
-#superuser_reserved_connections = 3 # (change requires restart)
+#superuser_reserved_connections = 3 # (change requires restart)
#synchronize_seqscans = on
-#synchronous_commit = on # synchronization level; on, off, or local
-#synchronous_standby_names = '' # standby servers that provide sync rep
-#tcp_keepalives_count = 0 # TCP_KEEPCNT;
-#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds;
-#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds;
-#temp_buffers = 8MB # min 800kB
-#temp_tablespaces = '' # a list of tablespace names, '' uses
+#synchronous_commit = on # synchronization level; on, off, or local
+#synchronous_standby_names = '' # standby servers that provide sync rep
+#tcp_keepalives_count = 0 # TCP_KEEPCNT;
+#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds;
+#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds;
+#temp_buffers = 8MB # min 800kB
+#temp_tablespaces = '' # a list of tablespace names, '' uses
#timezone = '(defaults to server environment setting)'
#timezone_abbreviations = 'Default' # Select the set of available time zone
#track_activities = on
-#track_activity_query_size = 1024 # (change requires restart)
+#track_activity_query_size = 1024 # (change requires restart)
#track_counts = on
-#track_functions = none # none, pl, all
+#track_functions = none # none, pl, all
#transform_null_equals = off
-unix_socket_directory = '/var/run/postgresql' # (change requires restart)
-#unix_socket_group = '' # (change requires restart)
-#unix_socket_permissions = 0777 # begin with 0 to use octal notation
+unix_socket_directory = '/run/postgresql/sock' # (change requires restart)
+unix_socket_group = 'postgres-data' # (change requires restart)
+unix_socket_permissions = 0770 # begin with 0 to use octal notation
#update_process_title = on
-#vacuum_cost_delay = 0ms # 0-100 milliseconds
-#vacuum_cost_limit = 200 # 1-10000 credits
-#vacuum_cost_page_dirty = 20 # 0-10000 credits
-#vacuum_cost_page_hit = 1 # 0-10000 credits
-#vacuum_cost_page_miss = 10 # 0-10000 credits
-#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed
+#vacuum_cost_delay = 0ms # 0-100 milliseconds
+#vacuum_cost_limit = 200 # 1-10000 credits
+#vacuum_cost_page_dirty = 20 # 0-10000 credits
+#vacuum_cost_page_hit = 1 # 0-10000 credits
+#vacuum_cost_page_miss = 10 # 0-10000 credits
+#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed
#vacuum_freeze_min_age = 50000000
#vacuum_freeze_table_age = 150000000
-#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers
-#wal_keep_segments = 0 # in logfile segments, 16MB each; 0 disables
-#wal_level = minimal # minimal, archive, or hot_standby
-#wal_receiver_status_interval = 10s # send replies at least this often
-#wal_sender_delay = 1s # walsender cycle time, 1-10000 milliseconds
-#wal_sync_method = fsync # the default is the first option
-#wal_writer_delay = 200ms # 1-10000 milliseconds
-#work_mem = 1MB # min 64kB
+#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers
+#wal_keep_segments = 0 # in logfile segments, 16MB each; 0 disables
+#wal_level = minimal # minimal, archive, or hot_standby
+#wal_receiver_status_interval = 10s # send replies at least this often
+#wal_sender_delay = 1s # walsender cycle time, 1-10000 milliseconds
+#wal_sync_method = fsync # the default is the first option
+#wal_writer_delay = 200ms # 1-10000 milliseconds
+#work_mem = 1MB # min 64kB
#xmlbinary = 'base64'
#xmloption = 'content'
/etc/mysql/my.cnf
sudo install -d -m 751 -o mysql -g mysql \
/home/mysql
+ sudo rm -rf /etc/mysql
+ sudo install -d -m 750 -o mysql -g mysql \
+ /etc/mysql \
+ /home/mysql/etc
+ sudo ln -fns \
+ /etc/mysql \
+ /home/mysql/etc/mysql
if sudo test ! -d /home/mysql/data
then
sudo install -d -m 750 -o mysql -g mysql-data \
/home/mysql/data
sudo -u mysql mysql_install_db \
- --no-defaults \
- --datadir=/home/mysql/data
+ --datadir=/home/mysql/data \
+ --no-defaults
fi
sudo service tmpfs restart
+ sudo insserv -r mysql
case $(sudo sv status mysql || true) in
(''|run:*|*"s, normally up;"*)
sudo sv restart mysql
case $(sudo inotifywait -e create -- /run/mysqld/sock/) in
("/run/mysqld/sock/ CREATE mysql")
# NOTE:
- # - ajoute l'accès par socket Unix à root
+ # - ajoute l'accès par socket Unix à mysql
+ # - ajoute les droits de super-utilisateur à mysql
# - supprime l'accès par mot-de-passe à root
# - supprime les bases de données de l'utilisateurice anonyme
# - supprime l'utilisateurice anonyme
# DELETE FROM mysql.user WHERE user = 'root' AND host NOT IN ('localhost', '127.0.0.1', '::1');
sudo mysql -u root --batch --verbose <<-EOF
DELETE FROM mysql.user WHERE user = 'root' and plugin = '';
- GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED WITH auth_socket;
- UPDATE mysql.user SET grant_priv='Y',super_priv='Y' WHERE user='root';
+ GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' IDENTIFIED WITH auth_socket;
+ UPDATE mysql.user SET grant_priv='Y',super_priv='Y' WHERE user='mysql';
DELETE FROM mysql.db WHERE user = '';
DELETE FROM mysql.user WHERE user = '';
FLUSH PRIVILEGES;
esac
}
rule_mysql_db_add () { # SYNTAX: $user $db
- sudo mysql --batch -u root <<-EOF
+ sudo -u mysql mysql --batch <<-EOF
DROP DATABASE IF EXISTS $db;
CREATE DATABASE $db CHARACTER SET utf8 COLLATE utf8_general_ci;
GRANT ALL PRIVILEGES ON $base.* TO '$user'@'localhost' IDENTIFIED WITH auth_socket;
EOF
}
rule_mysql_user_add () { # SYNTAX: $user
- sudo mysql --batch -u root <<-EOF
+ sudo mysql -u mysql --batch <<-EOF || true
DROP USER '$user'@'localhost';
+ EOF
+ sudo mysql -u mysql --batch <<-EOF
CREATE USER '$user'@'localhost' IDENTIFIED WITH auth_socket;
EOF
}
sudo service postfix restart
}
rule_postgresql_configure () {
+ # DOC: http://wiki.postgresql.org/wiki/Shared_Database_Hosting
rule apt_get_install postgresql-9.1
- if [ ! -d /var/lib/postgresql/9.1/ ]; then
- pg_createcluster -u postgres --start 9.1 main
- fi
- sudo install -m 660 -o root -g root \
- "$tool"/etc/postgresql/9.1/main/postgresql.conf \
- /etc/postgresql/9.1/main/postgresql.conf
- sudo service postgresql restart
+ rule adduser postgres \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/postgresql \
+ --shell /bin/false \
+ --system
+ rule adduser postgres-data \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/postgresql/data \
+ --no-create-home \
+ --shell /bin/false \
+ --system
+ sudo usermod --home /home/postgresql postgres
+ sudo adduser postgres postgres-data
+ sudo rm -rf \
+ /etc/postgresql
+ sudo install -d -m 750 -o postgres -g postgres \
+ /home/postgresql \
+ /home/postgresql/etc \
+ /etc/postgresql \
+ /etc/postgresql/9.1 \
+ /etc/postgresql/9.1/main
+ sudo ln -fns \
+ /etc/postgresql \
+ /home/postgresql/etc/postgresql
+ sudo install -d -m 751 -o postgres -g postgres \
+ /home/postgresql/log \
+ /home/postgresql/log/9.1
+ sudo service tmpfs restart
+ if sudo test ! -d /home/postgresql/data
+ then
+ sudo install -d -m 750 -o postgres -g postgres \
+ /home/postgresql/data
+ (
+ cd /
+ sudo -u postgres pg_createcluster \
+ --datadir=/home/postgresql/data \
+ --logfile=/home/postgresql/log/9.1/main \
+ --socketdir=/run/postgresql/sock \
+ --start 9.1 main
+ )
+ fi
+ sudo install -m 770 -o postgres -g postgres /dev/stdin \
+ /etc/postgresql/9.1/main/pg_hba.conf <<-EOF
+ local all postgres peer
+ local all all peer
+ EOF
+ sudo install -m 660 -o postgres -g postgres \
+ "$tool"/etc/postgresql/9.1/main/postgresql.conf \
+ /etc/postgresql/9.1/main/postgresql.conf
+ sudo insserv -r postgresql
+ case $(sudo sv status postgres || true) in
+ (''|run:*|*"s, normally up;"*)
+ sudo sv restart postgres
+ (
+ cd /
+ case $(sudo inotifywait -e create -- /run/postgresql/sock/) in
+ ("/run/postgresql/sock/ CREATE .s.PGSQL."*)
+ # NOTE:
+ # - supprime l'accès au schéma public depuis public,
+ # de sorte à ce que les différents utilisateurices
+ # ne voient pas leurs bases de données entre-elleux ;
+ # - ajoute le support de PL/PGSQL
+ sudo -u postgres psql template1 -f - <<-EOF
+ REVOKE ALL ON DATABASE template1 FROM public;
+ REVOKE ALL ON SCHEMA public FROM public;
+ GRANT ALL ON SCHEMA public TO postgres;
+ CREATE LANGUAGE plpgsql;
+ EOF
+ # NOTE:
+ # - supprime l'accès à la liste des bases données
+ # et utilisateurices depuis public.
+ sudo -u postgres psql template1 -f - <<-EOF
+ REVOKE ALL ON pg_auth_members FROM public;
+ REVOKE ALL ON pg_authid FROM public;
+ REVOKE ALL ON pg_database FROM public;
+ REVOKE ALL ON pg_group FROM public;
+ REVOKE ALL ON pg_roles FROM public;
+ REVOKE ALL ON pg_settings FROM public;
+ REVOKE ALL ON pg_tablespace FROM public;
+ REVOKE ALL ON pg_user FROM public;
+ EOF
+ ;;
+ esac
+ )
+ ;;
+ esac
+ }
+rule_postgresql_db_add () { # SYNTAX: $db $db_user
+ local db="$1" db_user="$2"
+ sudo -u postgresql psql template1 -f - <<-EOF
+ CREATE ROLE $db NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT NOLOGIN;
+ CREATE ROLE $db_user NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT LOGIN ENCRYPTED;
+ GRANT $db TO $db_user;
+ CREATE DATABASE $db WITH OWNER=$db_user;
+ REVOKE ALL ON DATABASE $db FROM public;
+ EOF
+ }
+rule_postgresql_db_user_add () { # SYNTAX: $db $user
+ local db="$1" user="$2"
+ sudo -u postgresql psql template1 -f - <<-EOF
+ CREATE ROLE $user NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT LOGIN ENCRYPTED;
+ GRANT USAGE ON SCHEMA public TO $user;
+ GRANT CONNECT,TEMPORARY ON DATABASE $db TO $user;
+ GRANT $db TO $user;
+ EOF
}
rule_openerp_configure () {
sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF