--- /dev/null
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: tmpfs
+# Required-Start: $local_fs
+# Required-Stop: $local_fs
+# X-Start-Before: nginx
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Initialise tmpfs file systems
+### END INIT INFO
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+
+. /lib/init/vars.sh
+. /lib/lsb/init-functions
+
+do_start() {
+ if [ -x /etc/rc.local ]
+ then
+ [ "$VERBOSE" != no ] && log_begin_msg "Initialising tmpfs file systems"
+
+ ! mountpoint -q /run ||
+ sudo install -d -m 770 -o www-data -g www-data \
+ /run/nginx \
+ /run/nginx/fastcgi
+
+ ! mountpoint -q /run/shm ||
+ ! test -f /run/shm/.tmpfs ||
+ sudo install -d -m 1777 -o root -g root \
+ /run/shm/cache &&
+ sudo install -d -m 660 -o www-data -g www-data \
+ /run/shm/cache/nginx \
+ /run/shm/cache/nginx/fastcgi \
+ /run/shm/cache/nginx/client_body
+
+ ES=$?
+ [ "$VERBOSE" != no ] && log_end_msg $ES
+ return $ES
+ fi
+ }
+
+case "$1" in
+ (start|restart)
+ do_start
+ ;;
+ (reload|force-reload)
+ echo "Error: argument '$1' not supported" >&2
+ exit 3
+ ;;
+ (stop)
+ ;;
+ (*)
+ echo "Usage: $0 start|restart|stop" >&2
+ exit 3
+ ;;
+ esac
--- /dev/null
+# DOC: http://wiki.nginx.org/HttpFastcgiModule
+fastcgi_buffer_size 128k;
+fastcgi_buffers 4 256k;
+fastcgi_busy_buffers_size 256k;
+fastcgi_connect_timeout 60;
+fastcgi_ignore_client_abort off;
+fastcgi_index index.php;
+fastcgi_intercept_errors on;
+fastcgi_param CONTENT_LENGTH $content_length;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param PATH_INFO $fastcgi_script_name;
+#fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param REMOTE_USER $remote_user;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_NAME $server_name;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+fastcgi_read_timeout 180;
+fastcgi_send_timeout 180;
+fastcgi_temp_file_write_size 256k;
--- /dev/null
+events {
+ multi_accept on;
+ use epoll;
+ worker_connections 1024;
+ }
+http {
+ log_format main
+ '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for" nocache:$no_cache';
+ access_log /var/log/nginx/access.log main buffer=32k;
+ client_body_buffer_size 4K;
+ # NOTE: % getconf PAGESIZE
+ # 4096
+ client_body_temp_path /run/shm/cache/nginx/client_body 1 2;
+ client_body_timeout 60;
+ client_header_buffer_size 1k;
+ client_header_timeout 60;
+ client_max_body_size 20m;
+ default_type application/octet-stream;
+ error_log /var/log/nginx/error.log warn;
+ error_page 403 = 404;
+ fastcgi_cache_key "$request_method $scheme://$host$request_uri";
+ fastcgi_cache_path /run/shm/cache/nginx/fastcgi
+ levels=1:2
+ keys_zone=microcache:10m
+ inactive=5m
+ max_size=64m;
+ gzip on;
+ gzip_buffers 16 8k;
+ gzip_comp_level 6;
+ gzip_disable "MSIE [1-6]\.";
+ gzip_http_version 1.1;
+ gzip_min_length 1024;
+ gzip_proxied any;
+ gzip_static on;
+ gzip_vary on;
+ gzip_types
+ application/javascript
+ application/json
+ application/rss+xml
+ application/vnd.ms-fontobject
+ application/x-font-ttf
+ application/x-javascript
+ application/xml
+ application/xml+rss
+ font/opentype
+ font/truetype
+ image/svg+xml
+ text/css
+ text/javascript
+ text/plain
+ text/x-component
+ text/xml;
+ include /etc/nginx/mime.types;
+ keepalive_timeout 20;
+ large_client_header_buffers 4 8k;
+ open_file_cache max=200000 inactive=20s;
+ open_file_cache_errors on;
+ open_file_cache_min_uses 2;
+ open_file_cache_valid 30s;
+ open_log_file_cache max=1000 inactive=20s min_uses=2 valid=1m;
+ proxy_cache_use_stale updating;
+ reset_timedout_connection on;
+ send_timeout 60;
+ # NOTE: if the client stops reading data, free up the stale client connection after this much time.
+ sendfile on;
+ server_names_hash_bucket_size 128;
+ server_tokens off;
+ tcp_nodelay on;
+ # NOTE: don't buffer data-sends (disable Nagle algorithm).
+ # Good for sending frequent small bursts of data in real time.
+ tcp_nopush on;
+ # NOTE: causes nginx to attempt to send its HTTP response head in one packet,
+ # instead of using partial frames.
+ # This is useful for prepending headers before calling sendfile,
+ # or for throughput optimization.
+ types_hash_max_size 2048;
+ include /etc/nginx/site.d/*/server.conf;
+ }
+pid /var/run/nginx.pid;
+user www-data;
+worker_processes 2;
+
+# vim: ft=sh
--- /dev/null
+#!/bin/sh
+set -e -f -u
+sudo rmdir "$home"/pub/www/"$site_dir" || true
+sudo ln -fns "$service.$site.80" "$home"/pub/www/"$site_dir"
--- /dev/null
+../hc.80.git.heureux-cyclage.org/server.conf
\ No newline at end of file
--- /dev/null
+#!/bin/sh
+set -e -f -u
+sudo rmdir "$home"/pub/www/"$site_dir" || true
+sudo ln -fns "$service.$site.80" "$home"/pub/www/"$site_dir"
--- /dev/null
+../hc.80.www.heureux-cyclage.org/server.conf
\ No newline at end of file
--- /dev/null
+client_body_buffer_size 8k;
+client_max_body_size 10m;
+location / {
+ index index.html index.htm index.php;
+ }
+location ~* ^.+.(css|gif|html|ico|jpeg|js|jpg|png|txt|xml)$ {
+ access_log off;
+ expires 30d;
+ log_not_found off;
+ }
+location ~ /\. {
+ access_log off;
+ deny all;
+ log_not_found off;
+ }
+location ~ ^.*\.git/objects/([0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx)) {
+ # NOTE: static repo files for cloning over HTTP
+ root /home/git/repositories/;
+ }
+location ~ ^.*\.git/(HEAD|info/refs|objects/info/.*|git-(upload|receive)-pack)$ {
+ # NOTE: requests that need to go to git-http-backend
+ root /home/git/pub/git
+ fastcgi_param GIT_HTTP_EXPORT_ALL "";
+ fastcgi_param GIT_PROJECT_ROOT /home/git/pub/git;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param REMOTE_USER $remote_user;
+ fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
+ }
+location @gitweb {
+ include /etc/nginx/conf.d/fastcgi.conf;
+ set $no_cache "";
+ if ($request_method !~ ^(GET|HEAD)$) {
+ # NOTE: if non GET/HEAD, don't cache and mark user as uncacheable for 1 second via cookie.
+ set $no_cache "1";
+ }
+ if ($no_cache = "1") {
+ # NOTE: drop no cache cookie if need be (for some reason, add_header fails if included in prior if-block).
+ add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/";
+ add_header X-Microcachable "0";
+ }
+ if ($http_cookie ~* "_mcnc") {
+ # NOTE: bypass cache if no-cache cookie is set.
+ set $no_cache "1";
+ }
+ fastcgi_cache_bypass $no_cache;
+ fastcgi_cache_use_stale updating;
+ fastcgi_cache_valid 200 10s;
+ fastcgi_cache_valid 404 30m;
+ fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
+ fastcgi_max_temp_file_size 2M;
+ fastcgi_no_cache $no_cache;
+ fastcgi_param GITWEB_CONFIG /etc/gitweb/gitweb.conf;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param SCRIPT_FILENAME /usr/share/gitweb/gitweb.cgi;
+
+ fastcgi_pass_header Cookie;
+ fastcgi_pass_header Set-Cookie;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ fastcgi_pass unix:/run/nginx/fastcgi/spawn-fcgi.git.80.git.heureux-cyclage.org;
+ }
+root /usr/share/gitweb;
+ssl_session_timeout 5m;
+try_files $uri @gitweb;
+ # NOTE: send anything else to gitweb if it's not a real file
+
+# vim: ft=sh
--- /dev/null
+client_body_buffer_size 8k;
+client_max_body_size 10m;
+location / {
+ index index.html index.htm index.php;
+ }
+location ~* ^.+.(css|gif|html|ico|jpeg|js|jpg|png|txt|xml)$ {
+ access_log off;
+ expires 30d;
+ log_not_found off;
+ }
+location ~ /\. {
+ access_log off;
+ deny all;
+ log_not_found off;
+ }
+location ~ \.php$ {
+ include /etc/nginx/conf.d/fastcgi.conf;
+ set $no_cache "";
+ if ($request_method !~ ^(GET|HEAD)$) {
+ # NOTE: if non GET/HEAD, don't cache and mark user as uncacheable for 1 second via cookie.
+ set $no_cache "1";
+ }
+ if ($no_cache = "1") {
+ # NOTE: drop no cache cookie if need be (for some reason, add_header fails if included in prior if-block).
+ add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/";
+ add_header X-Microcachable "0";
+ }
+ if ($http_cookie ~* "_mcnc") {
+ # NOTE: bypass cache if no-cache cookie is set
+ set $no_cache "1";
+ }
+ fastcgi_cache_bypass $no_cache;
+ fastcgi_cache_use_stale updating;
+ fastcgi_cache_valid 200 10s;
+ fastcgi_cache_valid 404 30m;
+ fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
+ fastcgi_max_temp_file_size 2M;
+ fastcgi_no_cache $no_cache;
+ fastcgi_pass_header Cookie;
+ fastcgi_pass_header Set-Cookie;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ fastcgi_pass unix:/run/nginx/fastcgi/php5-fpm.hc.80.www.heureux-cyclage.org;
+ }
+server_name www.heureux-cyclage.org heureux-cyclage.org;
+
+# vim: ft=sh
--- /dev/null
+[global]
+daemonize = yes
+emergency_restart_interval = 1m
+emergency_restart_threshold = 10
+error_log = syslog
+;events.mechanism = epoll
+log_level = notice
+php_admin_flag[log_errors] = on
+php_admin_value[error_log] = syslog
+php_admin_value[error_reporting] = 0
+php_admin_value[memory_limit] = 128M
+php_flag[display_errors] = off
+pid = /run/php5-fpm.pid
+process.max = 128
+process_control_timeout = 10s
+;rlimit_core = 0
+rlimit_files = 1024
+syslog.facility = daemon
+syslog.ident = php-fpm
+
+include=/etc/php5/fpm/pool.d/*.conf
--- /dev/null
+[apc]
+apc.cache_by_default = 1
+apc.canonicalize = 1
+apc.coredump_unmap = 0
+apc.enable_cli = 0
+apc.enabled = 1
+apc.file_update_protection=2
+apc.filters =
+apc.gc_ttl = 3600
+apc.include_once_override = 0
+apc.localcache = 1
+apc.localcache.size = 256
+apc.max_file_size = 1M
+apc.mmap_file_mask = /tmp/apc.XXXXXX
+apc.num_files_hint = 512
+apc.optimization = 0
+apc.report_autofilter = 0
+apc.rfc1867 = 0
+apc.rfc1867_freq = 0
+apc.rfc1867_name = "APC_UPLOAD_PROGRESS"
+apc.rfc1867_prefix = "upload_"
+apc.shm_segments = 1
+apc.shm_size = 256M
+apc.slam_defense = 1
+apc.stat = 0 # NOTE: set to 1 when developping
+apc.stat_ctime = 0
+apc.ttl = 3600
+apc.use_request_time = 1
+apc.user_entries_hint=4096
+apc.user_ttl = 7200
+apc.write_lock = 1
+[Assertion]
+[bcmath]
+bcmath.scale = 0
+[browscap]
+[CLI Server]
+cli_server.color = On
+[COM]
+[Date]
+[dba]
+[exif]
+[filter]
+[gd]
+[iconv]
+[Interbase]
+ibase.allow_persistent = 1
+ibase.dateformat = "%Y-%m-%d"
+ibase.max_links = -1
+ibase.max_persistent = -1
+ibase.timeformat = "%H:%M:%S"
+ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
+[intl]
+[ldap]
+ldap.max_links = -1
+[mail function]
+SMTP = localhost
+mail.add_x_header = On
+smtp_port = 25
+[mbstring]
+[mcrypt]
+[MSSQL]
+mssql.allow_persistent = On
+mssql.compatability_mode = Off
+mssql.max_links = -1
+mssql.max_persistent = -1
+mssql.min_error_severity = 10
+mssql.min_message_severity = 10
+mssql.secure_connection = Off
+[MySQL]
+mysql.allow_local_infile = On
+mysql.allow_persistent = On
+mysql.cache_size = 2000
+mysql.connect_timeout = 60
+mysql.default_host =
+mysql.default_password =
+mysql.default_port =
+mysql.default_socket =
+mysql.default_user =
+mysql.max_links = -1
+mysql.max_persistent = -1
+mysql.trace_mode = Off
+[MySQLi]
+mysqli.allow_persistent = On
+mysqli.cache_size = 2000
+mysqli.default_host =
+mysqli.default_port = 3306
+mysqli.default_pw =
+mysqli.default_socket =
+mysqli.default_user =
+mysqli.max_links = -1
+mysqli.max_persistent = -1
+mysqli.reconnect = Off
+[mysqlnd]
+mysqlnd.collect_memory_statistics = Off
+mysqlnd.collect_statistics = On
+[ODBC]
+odbc.allow_persistent = On
+odbc.check_persistent = On
+odbc.defaultbinmode = 1
+odbc.defaultlrl = 4096
+odbc.max_links = -1
+odbc.max_persistent = -1
+[OCI8]
+[PHP]
+allow_url_fopen = Off
+allow_url_fopen = Off ; DEFAULT: On
+allow_url_include = Off
+asp_tags = Off
+auto_append_file =
+auto_globals_jit = On
+auto_prepend_file =
+default_charset = "UTF-8" ; DEFAULT:
+default_mimetype = "text/html"
+default_socket_timeout = 30
+default_socket_timeout = 30 ; DEFAULT: 60
+disable_classes =
+disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,
+display_errors = Off
+display_startup_errors = Off
+doc_root =
+enable_dl = Off
+engine = On
+error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+expose_php = On
+file_uploads = On
+html_errors = On
+ignore_repeated_errors = Off
+ignore_repeated_source = Off
+ignore_user_abort = Off # ; DEFAULT:
+implicit_flush = Off
+log_errors = On
+log_errors_max_len = 1024
+max_execution_time = 30
+max_file_uploads = 20
+max_input_time = 60
+memory_limit = 128M
+mysql.allow_persistent = Off ; DEFAULT:
+output_buffering = 4096
+post_max_size = 15M ; DEFAULT: 8M
+precision = 14
+register_argc_argv = Off
+report_memleaks = On
+request_order = "GP"
+serialize_precision = 17
+short_open_tag = Off ; DEFAULT: On
+track_errors = Off
+unserialize_callback_func =
+upload_max_filesize = 20M ; DEFAULT: 2M
+user_dir =
+variables_order = "GPCS"
+zend.enable_gc = On
+zlib.output_compression = Off
+[Pcre]
+[Pdo]
+[Pdo_mysql]
+pdo_mysql.cache_size = 2000
+pdo_mysql.default_socket=
+[Phar]
+[PostgreSQL]
+pgsql.allow_persistent = On
+pgsql.auto_reset_persistent = Off
+pgsql.ignore_notice = 0
+pgsql.log_notice = 0
+pgsql.max_links = -1
+pgsql.max_persistent = -1
+[Session]
+session.auto_start = 0
+session.bug_compat_42 = Off
+session.bug_compat_warn = Off
+session.cache_expire = 180
+session.cache_limiter = nocache
+session.cookie_domain =
+session.cookie_httponly =
+session.cookie_lifetime = 0
+session.cookie_path = /
+session.gc_divisor = 1000
+session.gc_maxlifetime = 1440
+session.gc_probability = 0
+session.hash_bits_per_character = 5
+session.hash_function = 0
+session.name = PHPSESSID
+session.referer_check =
+session.save_handler = files
+session.serialize_handler = php
+session.use_cookies = 1
+session.use_only_cookies = 1
+session.use_trans_sid = 0
+url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
+[soap]
+soap.wsdl_cache_dir="/tmp"
+soap.wsdl_cache_enabled=1
+soap.wsdl_cache_limit = 5
+soap.wsdl_cache_ttl=86400
+[SQL]
+sql.safe_mode = Off
+[sqlite3]
+[sqlite]
+[Sybase-CT]
+sybct.allow_persistent = On
+sybct.max_links = -1
+sybct.max_persistent = -1
+sybct.min_client_severity = 10
+sybct.min_server_severity = 10
+[sysvshm]
+[Tidy]
+tidy.clean_output = Off
--- /dev/null
+hc.80.www.heureux-cyclage.org.conf
\ No newline at end of file
--- /dev/null
+pm.max_children = 15
+pm.max_requests = 200
+pm.max_spare_servers = 15
+pm.min_spare_servers = 2
+pm.process_idle_timeout = 60s
+pm.start_servers = 3
+request_slowlog_timeout = 5s
+request_terminate_timeout = 120s
+rlimit_core = unlimited
+rlimit_files = 131072
+security.limit_extensions = .php
local hint="run vm_remote dovecot_key_send before"
assert "test -f /etc/dovecot/$vm_domainname/imap/x509/key.pem" hint
sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/service/imap/crt+crl.self-signed.pem \
+ "$tool"/var/pub/x509/$vm_domainname/imap/crt+crl.self-signed.pem \
/etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
sudo install -d -m 770 -o root -g adm \
/etc/skel/etc/mail \
pre-down ip address delete $vm_ipv4/32 dev \$IFACE
EOF
}
+rule_www_configure () {
+ getent passwd www >/dev/null ||
+ sudo adduser \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/www \
+ --shell /bin/false \
+ --system \
+ www
+ sudo adduser \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home ~www/log \
+ --shell /bin/false \
+ --system \
+ log.www
+ #sudo adduser www www-data
+ sudo adduser www log.www
+ #sudo adduser log log.www
+ usermod --home /home/www/pub www-data
+ sudo install -d -m 751 -o www -g www \
+ /home/www
+ sudo install -d -m 750 -o www -g www \
+ /home/www/etc
+ sudo install -d -m 1771 -o www-data -g www-data \
+ /home/www/pub \
+ sudo install -d -m 1771 -o log.www -g log.www \
+ /home/www/log
+ }
+rule_nginx_configure () {
+ local -; set +f
+ rule apt_get_install nginx
+ rule www_configure
+ sudo rm -rf \
+ /etc/nginx/conf.d \
+ /etc/nginx/site.d
+ sudo install -d -m 770 -o www -g www \
+ /etc/nginx \
+ /etc/nginx/conf.d \
+ /etc/nginx/site.d
+ sudo ln -fns \
+ /etc/nginx \
+ /home/www/etc/nginx
+ sudo install -m 660 -o www -g www \
+ "$tool"/etc/nginx/nginx.conf \
+ /etc/nginx/nginx.conf
+ local conf
+ for conf in "$tool"/etc/nginx/conf.d/*.conf
+ do conf=${conf#"$tool"/etc/nginx/conf.d/}
+ sudo install -m 660 -o www -g www \
+ "$tool"/etc/nginx/conf.d/"$conf" \
+ /etc/nginx/conf.d/"$conf"
+ done
+ for conf in "$tool"/etc/nginx/site.d/*/server.conf
+ do conf=${conf#"$tool"/etc/nginx/site.d/}
+ local port site
+ IFS=. read -r port site <<-EOF
+ ${conf%\/server\.conf}
+ EOF
+ assert 'test "${port:+set}"'
+ assert 'test "${site:+set}"'
+ site="$port.$site"
+ getent passwd www."$site" >/dev/null ||
+ sudo adduser \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home ~www-data/"$site" \
+ --shell /bin/false \
+ --system \
+ www."$site"
+ getent passwd log."$site" >/dev/null ||
+ sudo adduser \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --shell /bin/false \
+ --system \
+ log."$site"
+ sudo usermod --home ~www/log/"$site"/nginx log."$site"
+ sudo install -d -m 770 -o www -g www \
+ /etc/nginx/site.d/"$site"
+ case $port in
+ (443)
+ local hint="run vm_remote nginx_key_send before"
+ assert "sudo test -f /etc/nginx/\"$site\"/x509/key.pem" hint
+ sudo install -m 664 -o www -g www \
+ "$tool"/var/pub/x509/"$site"/crt+ca.pem \
+ /etc/nginx/site.d/"$site"/x509/crt.pem
+ ;;
+ esac
+ case $port in
+ (80)
+ cat <<-EOF
+ server {
+ listen $port;
+ access_log /home/www/log/$site/nginx/access.log main;
+ error_log /home/www/log/$site/nginx/error.log warn;
+ root /home/www/pub/$site;
+ server_name $site;
+ $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
+ }
+ EOF
+ ;;
+ (443)
+ cat <<-EOF
+ server {
+ listen $port;
+ access_log /home/www/log/$site/nginx/access.log main;
+ error_log /home/www/log/$site/nginx/error.log warn;
+ keepalive_timeout 70;
+ root /home/www/pub/$site;
+ server_name $site;
+ # DOC: http://wiki.nginx.org/HttpSslModule
+ ssl on;
+ ssl_certificate /home/www/etc/nginx/site.d/$site/x509/crt.pem;
+ ssl_certificate_key /home/www/etc/nginx/site.d/$site/x509/key.pem;
+ ssl_ciphers HIGH:!ADH:!MD5;
+ ssl_prefer_server_ciphers on;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_session_cache shared:SSL:10m;
+ $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
+ }
+ EOF
+ ;;
+ esac |
+ sudo install -m 660 -o www -g www /dev/stdin \
+ /etc/nginx/site.d/"$site"/server.conf
+ adduser www-data "$site"
+ test -e /home/www/pub/"$site" ||
+ sudo install -d -m 3770 -o "$site" -g "$site" \
+ /home/www/pub/"$site"
+ sudo install -d -m 3770 -o log."$site" -g log."$site" \
+ /home/www/log/"$site"/nginx
+ test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
+ . "$tool"/etc/nginx/site.d/"$site"/configure.sh
+ done
+ rule apt_get_install spawn-fcgi fcgiwrap
+ sudo insserv --remove fcgiwrap
+ rule tmpfs_configure
+ sudo service nginx restart
+ }
+rule_php5_fpm_configure () {
+ local -; set +f
+ rule apt_get_install \
+ php5-fpm \
+ php-apc
+ getent passwd php5 >/dev/null ||
+ sudo adduser \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --shell /bin/false \
+ --system \
+ php5
+ local conf
+ sudo ln -fns \
+ /etc/php5-fpm \
+ /home/www/etc/php5
+ sudo rm -f /etc/php5/fpm/pool.d/*
+ for conf in "$tool"/etc/php5/fpm/pool.d/*.conf
+ do conf=${conf#"$tool"/etc/php5/fpm/pool.d/}
+ local port site
+ IFS=. read -r port site <<-EOF
+ ${conf%\.conf}
+ EOF
+ assert 'test "${port:+set}"'
+ assert 'test "${site:+set}"'
+ site="$port.$site"
+ getent passwd php5"$site" >/dev/null ||
+ sudo adduser \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --no-create-home \
+ --home ~www/pub/"$site" \
+ --shell /bin/false \
+ --system \
+ php5."$site"
+ sudo install -d -m 770 -o php5 -g php5 \
+ /home/www/log/php5 \
+ /home/www/log/php5/fpm
+ sudo install -d -m 770 -o log."$site" -g log."$site" \
+ /home/www/log/"$site"
+ sudo adduser php5."$user" www."$site"
+ sudo install -m 660 -o root -g root /dev/stdin \
+ /etc/php5/fpm/pool.d/"$conf" <<-EOF
+ [php5.$site]
+ access.log = /home/www/log/$site/php5/fpm/access.log
+ catch_workers_output = yes
+ chdir = /
+ env[HOSTNAME] = \$HOSTNAME
+ env[TEMP] = /tmp
+ env[TMPDIR] = /tmp
+ env[TMP] = /tmp
+ group = www-data
+ listen = /run/nginx/fastcgi/php5.$site
+ #listen = 127.0.0.1:9000
+ #listen.allowed_clients = 127.0.0.1
+ listen.backlog = -1
+ pm = dynamic
+ pm.max_children = 5
+ pm.max_requests = 200
+ pm.max_spare_servers = 4
+ pm.min_spare_servers = 2
+ pm.start_servers = 3
+ pm.status_path = /status
+ request_slowlog_timeout = 5s
+ request_terminate_timeout = 120s
+ rlimit_core = unlimited
+ rlimit_files = 131072
+ slowlog = /home/www/log/$site/php5/fpm/slow.log
+ user = $php5_user
+ $(cat "$tool"/etc/php5/fpm/pool.d/"$conf")
+ EOF
+ sudo install -m 664 -o root -g root \
+ "$tool"/etc/php5/fpm/php.ini \
+ /etc/php5/fpm/php.ini
+ done
+ rule tmpfs_configure
+ sudo service php5-fpm restart
+ }
rule_postfix_configure () {
local hint="run vm_remote postfix_key_send before"
assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
../crt+crl.self-signed.pem \
/etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/service/smtpd/crt+crl.self-signed.pem \
+ "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+crl.self-signed.pem \
/etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/service/smtpd/crt.pem \
+ "$tool"/var/pub/x509/$vm_domainname/smtpd/crt.pem \
/etc/postfix/$vm_domainname/smtpd/x509/crt.pem
sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/service/smtpd/crt+root.pem \
- /etc/postfix/$vm_domainname/smtpd/x509/crt+root.pem
+ "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+ca.pem \
+ /etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem
sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/service/smtpd/crt+crl.self-signed.pem \
+ "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+crl.self-signed.pem \
/etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
sudo install -m 660 -o root -g root \
"$tool"/etc/postfix/$vm_domainname/header_checks \
/etc/skel/etc/ssh
sudo install -d -m 770 -o root -g adm \
/etc/skel/var \
- /etc/skel/var/log \
/etc/skel/var/cache \
- /etc/skel/var/cache/ssh
+ /etc/skel/var/log \
+ /etc/skel/var/run \
+ /etc/skel/var/run/ssh
sudo ln -fns etc/ssh /etc/skel/.ssh
sudo ln -fns etc/gpg /etc/skel/.gnupg
sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
rule filesystem_configure
rule login_configure
rule ssh_configure
- rule mail_configure
- rule apache2_configure
rule user_root_configure
rule boot_configure
rule user_configure
+ rule mail_configure
+ #rule apache2_configure
+ rule nginx_configure
+ rule php5_fpm_configure
}
rule_luks_key_change () {
rule _x509_service_key_send_deciphered imap \
/etc/dovecot/$vm_domainname/$service/x509/key.pem -l root "$@"
}
+rule_nginx_key_send () {
+ local -; set +f
+ for conf in "$tool"/etc/nginx/site.d/*/server.conf
+ do conf=${conf#"$tool"/etc/nginx/site.d/}
+ local user port service site
+ IFS=. read -r user port service site <<-EOF
+ ${conf%\/server\.conf}
+ EOF
+ assert 'test "${user:+set}"'
+ assert 'test "${service:+set}"'
+ assert 'test "${site:+set}"'
+ assert 'test "${port:+set}"'
+ local site_dir="$user.$port.$service.$site"
+ case $port in
+ (443)
+ rule ssh -l root ' \
+ sudo install -d -m 770 -o root -g root \
+ /etc/nginx \
+ /etc/nginx/site.d \
+ /etc/nginx/site.d/'"$site_dir"' \
+ /etc/nginx/site.d/'"$site_dir"'/x509; \
+ sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/nginx/site.d/'"$site_dir"'/x509/.gitignore <<-EOF
+ key.pem
+ EOF
+ '
+ rule _x509_service_key_send_deciphered $service \
+ /etc/nginx/"$site_dir"/x509/key.pem -l root "$@"
+ ;;
+ esac
+ done
+ }
rule_postfix_key_send () {
rule ssh -l root ' \
sudo install -d -m 770 -o root -g root \