#!/bin/sh
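set -e -f ${DRY_RUN:+-n} -u
# SYNTAX: resolve_tool_dir $path
# Prints the directory holding the file $path ultimately refers to, following
# symlinks such as /usr/local/sbin/vm -> "$tool"/vm_hosted (installed by
# rule_git_configure). A relative symlink target is taken relative to the
# symlink's own directory, not to the current working directory (which is what
# a bare `readlink` would have given). A path without any '/' (e.g. the script
# started as `sh vm_hosted`) resolves to '.' so that "$tool"/lib/... still works.
resolve_tool_dir () {
  local path link
  path=$1
  while test -L "$path"
  do link=$(readlink "$path")
     case $link in
     (/*) path=$link ;;
     (*) case $path in
         (*/*) path=${path%/*}/$link ;;
         (*) path=$link ;;
         esac ;;
     esac
  done
  case $path in
  (*/*) printf '%s\n' "${path%/*}" ;;
  (*) printf '%s\n' . ;;
  esac
}
# Directory of this tool; every other path in the script is relative to it.
tool=$(resolve_tool_dir "$0")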
. "$tool"/lib/rule.sh
. "$tool"/etc/vm.sh
rule_help () { # SYNTAX: [--hidden]
  # Prints this tool's usage to stderr. Without an argument, rules whose
  # name starts with '_' (rule__*) are left out of the RULES list; any
  # argument (conventionally --hidden) lists them as well. The RULES and
  # ENVIRONMENT sections are scraped with sed from etc/vm.sh and this file:
  # one line per `rule_* () {` definition (with its trailing comment) and
  # one per `readonly` variable.
  local first_char
  case ${1:-} in
  ('') first_char='[^_]' ;;
  (*) first_char= ;;
  esac
  cat >&2 <<-EOF
DESCRIPTION:
ce script regroupe des règles pour administrer la VM ($vm_fqdn)
_depuis_ la VM hébergée ($vm_fqdn) ;
il sert à la fois d'outil (aisément bidouillable)
et de documentation (préçise).
Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
SYNTAX: $0 \$RULE \${RULE}_SYNTAX
RULES:
$(sed -ne "s/^rule_\(${first_char}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
ENVIRONMENT:
TRACE # affiche les commandes avant leur exécution
$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
EOF
}
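rule_git_configure () {
  # Points the local 'master' branch at this clone's own remotes/master
  # (remote '.'), then publishes the tool as /usr/local/sbin/vm_hosted and
  # /usr/local/sbin/vm. Runs in a subshell so the cd does not leak.
  (
  cd "$tool"
  git config --replace branch.master.remote .
  git config --replace branch.master.merge refs/remotes/master
  # The symlinks need an absolute target: $tool may be relative to the
  # directory the script was started from (e.g. '.'), and after the cd
  # above a second `cd "$tool"` would fail for such a relative value. pwd
  # gives the absolute path of the directory we are already in.
  local tool
  tool=$(pwd)
  sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/
  sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/vm
  )
}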
rule_git_reset () {
  # Hard-resets the checkout: recreates 'master' at remotes/master and
  # removes every untracked file, ignored ones included (-x) — anything
  # under "$tool" that is not committed is lost. A subshell keeps the cd local.
  (
  cd "$tool" &&
  git checkout -f -B master remotes/master &&
  git clean -f -d -x
  )
}
rule_apt_get_install () { # SYNTAX: $package
# Installs the given package(s) with apt-get under sudo; every argument is
# forwarded unchanged. Used by the other *_configure rules.
sudo apt-get install "$@"
}
rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
  # Forces a C locale for the chrooted session, then re-reads the system
  # profile so the environment resembles a fresh login. (Rules named
  # rule__* are hidden from rule_help unless it is given --hidden.)
  LANG=C LC_CTYPE=C
  export LANG LC_CTYPE
  . /etc/profile
}
rule_apache2_configure () {
# Installs apache2-mpm-itk + PHP and the shared Apache configuration from
# "$tool"/etc/apache2, then generates one VirtualHost per directory
# "$tool"/etc/apache2/site.d/<port>.<site>/ (port 80 plain, port 443 TLS),
# each running as its own system user, and restarts apache2.
# Reads $tool, $user, $vm_fqdn and $home (the last is not defined in this
# file — presumably from etc/vm.sh), and uses rule/assert from lib/rule.sh.
# `local -` (dash/bash extension) confines the option change to this
# function; globbing, turned off by `set -f` at the top of the script, is
# needed for the site.d/*/VirtualHost.conf loop below.
local -; set +f
rule apt_get_install \
apache2-mpm-itk \
libapache2-mod-php5
# SEE: http://serverfault.com/questions/383526/how-do-i-select-which-apache-mpm-to-use/383634#383634
# SEE: http://jkroon.blogs.uls.co.za/it/security/using-php-fpm-and-mod_proxy_fcgi-to-optimize-and-secure-lamp-servers
# NOTE: apache2-mpm-itk looks like the most secure option,
# since everything is guaranteed to run with the uid/gid
# assigned to the VirtualHost/Directory/Location;
# nevertheless a combination such as:
# apache2-mpm-{worker,event} + mod_proxy_fcgi + apache2-suexec-custom + php-fpm
# might perform better (threads instead of forks),
# however suexec seems to require forks anyway..
# and mod_proxy_fcgi only appears in apache 2.4;
# so for now: apache2-mpm-itk
rule www_configure
# Prepend a ServerName line to the repository's apache2.conf (the heredoc is
# the /dev/stdin operand of cat) and install the result as root-only config.
cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF |
ServerName "$vm_fqdn"
EOF
sudo install -m 660 -o root -g root /dev/stdin \
/etc/apache2/apache2.conf
sudo install -m 660 -o root -g root \
"$tool"/etc/apache2/envvars \
/etc/apache2/envvars
sudo install -m 660 -o root -g root \
"$tool"/etc/apache2/httpd.conf \
/etc/apache2/httpd.conf
#sudo install -m 660 -o root -g root /dev/stdin \
# /etc/apache2/suexec/www-data <<-EOF
# /home
# pub/www/cgi
# EOF
sudo install -m 660 -o root -g root \
"$tool"/etc/apache2/ports.conf \
/etc/apache2/ports.conf
# Modules required by the VirtualHosts generated below.
sudo a2enmod actions
sudo a2enmod headers
sudo a2enmod rewrite
sudo a2enmod ssl
sudo a2enmod userdir
local conf
# Disable every site first; the quoted '*' reaches a2dissite unexpanded and
# is presumably interpreted by it as "all sites" — confirm.
sudo a2dissite "*"
sudo ln -fns \
/etc/apache2 \
/home/www/etc/apache2
# Each site directory is named <port>.<site> (e.g. 443.example.net —
# constructed example); the first '.' separates port from site name.
for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf
do conf=${conf#"$tool"/etc/apache2/site.d/}
local port site
IFS=. read -r port site <<-EOF
${conf%\/VirtualHost\.conf}
EOF
assert 'test "${site:+set}"'
assert 'test "${port:+set}"'
# The per-site system user and directory share the same name.
local site_user="$user.$port.$site"
local site_dir="$user.$port.$site"
case $port in
(443)
# TLS sites need their private key delivered beforehand (by vm_remote);
# the certificates themselves come from the repository's var/pub/x509.
local hint="run vm_remote apache2_key_send before"
assert "sudo test -f /etc/apache2/site.d/\"$site_dir\"/x509/key.pem" hint
# NOTE(review): /etc/apache2 itself is in this list, so its owner and mode
# appear to be set to $user / 770 for every TLS site (GNU install -d applies
# -m/-o/-g to already existing directories too). If $user is an unprivileged
# account this hands it write access to the configuration apache loads as
# root — confirm this is intended, or drop /etc/apache2 from the list.
sudo install -d -m 770 -o "$user" -g "$user" \
/etc/apache2 \
/etc/apache2/site.d/"$site_dir" \
/etc/apache2/site.d/"$site_dir"/x509 \
/etc/apache2/site.d/"$site_dir"/x509/ca \
/etc/apache2/site.d/"$site_dir"/x509/empty \
/etc/apache2/site.d/"$site_dir"/x509/rvk \
/etc/apache2/site.d/"$site_dir"/x509/usr
sudo install -m 664 -o www -g www \
"$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
/etc/apache2/site.d/"$site_dir"/x509/crt.self-signed.pem
#sudo install -m 664 -o "$user" -g "$user" \
# "$tool"/var/pub/x509/"$site"/rvk.pem \
# /etc/apache2/site.d/"$site_dir"/x509/rvk.pem
sudo install -m 664 -o www -g www \
"$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \
/etc/apache2/site.d/"$site_dir"/x509/ca/crt.pem
sudo install -m 664 -o www -g www \
"$tool"/var/pub/x509/"$site"/crt.pem \
/etc/apache2/site.d/"$site_dir"/x509/crt.pem
;;
esac
# Generate the VirtualHost: a common header (logs rotated daily by
# rotatelogs, AssignUserID for mpm-itk) followed by the per-site
# VirtualHost.conf from the repository, then install it root-only.
case $port in
(80)
cat <<-EOF
AssignUserID $site_user $site_user
CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
#CustomLog "/dev/null" Combined
DocumentRoot /home/www/pub/$site_dir
ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
#ErrorLog "/dev/null"
ServerName $site
LogLevel Warn
$(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
EOF
;;
(443)
# NOTE(review): the TLS settings below are dated — `SSLProtocol -All +TLSv1`
# leaves only TLS 1.0 and `SSLCipherSuite AES+RSA+SHA256` selects RSA key
# exchange (no forward secrecy); the BrowserMatch lines are old MSIE
# workarounds. Client-certificate verification is off at vhost level
# (SSLVerifyClient None) against the site's own self-signed CA; the per-site
# VirtualHost.conf appended at the end presumably enables it where needed,
# at which point the certificate CN becomes the SSLUserName.
cat <<-EOF
AssignUserID $site_user $site_user
BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
#CustomLog "/dev/null" Combined
DocumentRoot /home/www/pub/$site_dir
ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
#ErrorLog "/dev/null"
LogLevel Warn
ServerName $site
SSLCACertificateFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
SSLCACertificatePath /etc/apache2/site.d/$site_dir/x509/usr/
#SSLCARevocationFile /etc/apache2/site.d/$site_dir/x509/rvk.pem
SSLCADNRequestFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
SSLCADNRequestPath /etc/apache2/site.d/$site_dir/x509/empty/
# NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés
SSLCARevocationPath /etc/apache2/site.d/$site_dir/x509/rvk/
SSLCertificateChainFile /etc/apache2/site.d/$site_dir/x509/ca/crt.pem
SSLCertificateFile /etc/apache2/site.d/$site_dir/x509/crt.pem
SSLCertificateKeyFile /etc/apache2/site.d/$site_dir/x509/key.pem
SSLCipherSuite AES+RSA+SHA256
SSLEngine On
SSLInsecureRenegotiation Off
SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars
SSLProtocol -All +TLSv1
#SSLRenegBufferSize 262144
SSLSessionCacheTimeout 1200
SSLStrictSNIVHostCheck On
SSLUserName SSL_CLIENT_S_DN_CN
SSLVerifyClient None
SSLVerifyDepth 1
$(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
EOF
;;
esac |
sudo install -m 660 -o root -g root /dev/stdin \
/etc/apache2/site.d/"$site_dir"/VirtualHost.conf
# Expose the site to a2ensite/a2dissite via sites-available.
sudo ln -fns \
../site.d/"$site_dir"/VirtualHost.conf \
/etc/apache2/sites-available/"$site_dir"
# Log directory (rotatelogs target above) and a convenience link to the
# site's /etc/apache2 directory under /home/www/etc.
sudo install -d -m 770 -o "$user" -g "$user" \
/home/www/log/"$site_dir" \
/home/www/log/"$site_dir"/apache2
sudo ln -fns \
/etc/apache2/site.d/"$site_dir" \
/home/www/etc/apache2/"$site_dir"
# DocumentRoot is created only once; re-runs keep existing content.
test -e /home/www/pub/"$site_dir" ||
sudo install -d -m 770 -o "$user" -g "$user" \
/home/www/pub/"$site_dir"
# Dedicated system user (no password, no shell, no home creation) that
# mpm-itk switches to for this VirtualHost.
getent passwd "$site_user" >/dev/null ||
sudo adduser \
--disabled-password \
--group \
--no-create-home \
--home /home/www/pub/"$site_dir" \
--shell /bin/false \
--system \
"$site_user"
# Traversal-only ACLs down to the DocumentRoot for the site user …
sudo setfacl -m u:"$site_user":--x \
/home/www/ \
/home/www/pub/ \
/home/www/pub/"$site_dir"/
# … and a default rwx ACL on the site directory under $home/pub/www.
# NOTE(review): $home is not defined in this file and this path differs from
# the /home/www/pub/$site_dir used everywhere else — confirm it is the intent.
sudo setfacl -m d:u:"$site_user":rwx \
"$home"/pub/www/"$site_dir"/
# Optional per-site hook, sourced in this shell (so it sees $site, $site_dir,
# $site_user and runs with this script's set -e/-u options).
test ! -r "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh ||
. "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh
test -e /etc/apache2/sites-enabled/"$site_dir" ||
sudo a2ensite "$site_dir"
done
sudo service apache2 restart
}
rule_apt_configure () {
  # Writes the APT source lists, release pinning and apticron mail settings
  # as root-owned files, refreshes the package index and installs apticron.
  # Helper: install stdin as a root-owned file. SYNTAX: root_file $mode $path
  root_file () {
    sudo install -m "$1" -o root -g root /dev/stdin "$2"
  }
  root_file 660 /etc/apt/sources.list <<-EOF
deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
EOF
  # The backports source stays commented out, so the 200 pin below is inert
  # until this line is enabled.
  root_file 660 /etc/apt/"$vm_lsb_name"-backports.list <<-EOF
#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
EOF
  # NOTE(review): apt separates preference stanzas with a blank line; as
  # written the two Package: blocks are contiguous — confirm the second one
  # is honoured (a blank line may have been a tab-only line stripped by <<-).
  root_file 660 /etc/apt/preferences <<-EOF
Package: *
Pin: release a=$vm_lsb_name
Pin-Priority: 170
Package: *
Pin: release a=$vm_lsb_name-backports
Pin-Priority: 200
EOF
  # Third-party nightly repository over plain HTTP: its integrity rests on
  # APT's Release-signature check, so its archive key must be trusted
  # separately (not done here).
  root_file 660 /etc/apt/sources.list.d/openerp.list <<-EOF
deb http://nightly.openerp.com/trunk/nightly/deb/ ./
EOF
  sudo apt-get update
  rule apt_get_install apticron
  # apticron mails pending upgrades to the domain's admin address.
  root_file 644 /etc/apticron/apticron.conf <<-EOF
EMAIL="admin@$vm_domainname"
# DIFF_ONLY="1"
# LISTCHANGES_PROFILE="apticron"
# ALL_FQDNS="1"
# SYSTEM="foobar.example.com"
# IPADDRESSNUM="1"
# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
# NOTIFY_HOLDS="0"
# NOTIFY_NEW="0"
# NOTIFY_NO_UPDATES="0"
# CUSTOM_SUBJECT=""
# CUSTOM_NO_UPDATES_SUBJECT=""
# CUSTOM_FROM="root@$vm_fqdn"
EOF
}
rule_boot_configure () {
  # Installs GRUB (grub-pc) and the kernel image, writes /etc/default/grub
  # and a device map for the disk the VM sees, regenerates grub.cfg, then
  # hands over to rule initramfs_configure. Reads $vm_arch, $vm_ipv4, $vm,
  # $vm_fqdn (from etc/vm.sh) and uses warn/rule from lib/rule.sh.
  warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
  rule apt_get_install grub-pc
  # NOTE(review): 644 on a directory carries no execute bit; root still
  # traverses it, but 755 looks like the intended mode — confirm.
  sudo install -d -m 644 -o root -g root /boot/grub
  rule apt_get_install linux-image-"$vm_arch"
  # Kernel command line: serial console on hvc0, static IPv4 and the
  # deciphered swap LV as resume device.
  sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
GRUB_DISABLE_RECOVERY="true"
#GRUB_PRELOAD_MODULES="lvm"
EOF
  # device-mapper doubles every '-' in VG/LV names, hence the sed.
  # Both entries below share the (hd0) label — confirm this is intended.
  local dm_disk
  dm_disk=$(printf %s "$vm_fqdn"-disk | sed -e 's/-/--/g')
  sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF
(hd0) /dev/xvda
(hd0) /dev/mapper/domU-$dm_disk
EOF
  sudo update-grub2 # NOTE: takes /boot/grub/device.map into account
  rule initramfs_configure
}
rule_dovecot_configure () {
rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
local hint="run vm_remote dovecot_key_send before"
assert "test -f /etc/dovecot/$vm_domainname/imap/x509/key.pem" hint
sudo install -m 400 -o root -g root \
"$tool"/var/pub/x509/service/imap/crt+crl.self-signed.pem \
/etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
sudo install -d -m 770 -o root -g adm \
/etc/skel/etc/mail \
/etc/skel/etc/sieve
sudo install -d -m 1777 -o root -g root \
/var/lib/dovecot-control \
/var/lib/dovecot-index
sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
auth_ssl_username_from_cert = yes
listen = *
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_debug = yes
mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
# NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
# VOIR: http://wiki2.dovecot.org/Quota/FS
mail_plugins = \$mail_plugins quota
mail_privileged_group = mail
passdb {
args = /home/%u/etc/dovecot/passwd
driver = passwd-file
}
plugin {
quota = fs:user
recipient_delimiter = +
sieve = ~/etc/mail/filter.sieve
sieve_dir = ~/etc/mail/sieve
sieve_global_dir = /var/lib/dovecot/sieve/global/
sieve_max_script_size = 1M
sieve_quota_max_scripts = 0
sieve_quota_max_storage = 10M
sieve_user_log = ~/var/log/mail/sieve.log
}
protocol imap {
mail_plugins = \$mail_plugins imap_quota
}
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
hostname = $vm_domainname
info_log_path =
log_path =
mail_plugins = \$mail_plugins sieve
postmaster_address = contact+dovecot+lda@$vm_domainname
syslog_facility = mail
}
protocols = imap sieve
service auth {
user = root
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
ssl_ca =
LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
# NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
EOF
sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF
#