- quota : configurer
- sftp : configurer
- fail2ban : configurer
-- ferm/shorewall (pare-feu) : configurer
- agendav/caldavzap + davical
- sympa
- gitolite : rationalisation des adresses de notification dans hooks.mailinglist
- ansible ?
- varnish ?
+- munin, monit, check_mk
--- /dev/null
+#!/bin/sh -eux
+db="$1"
+user="$2"
+sudo -u mysql mysql --batch <<-EOF
+ DROP DATABASE IF EXISTS $db;
+ CREATE DATABASE $db CHARACTER SET utf8 COLLATE utf8_general_ci;
+ GRANT ALL PRIVILEGES ON $base.* TO '$user'@'localhost' IDENTIFIED WITH auth_socket;
+ FLUSH PRIVILEGES;
+ EOF
--- /dev/null
+#!/bin/sh -eux
+user="$1"
+sudo mysql -u mysql --batch <<-EOF || true
+ DROP USER '$user'@'localhost';
+ EOF
+sudo mysql -u mysql --batch <<-EOF
+ CREATE USER '$user'@'localhost' IDENTIFIED WITH auth_socket;
+ EOF
--- /dev/null
+home=/home/"$sv"
+
+rule runit_sv_configure postgres
+rule runit_sv_start postgres
+
+while ! sudo -u postgres psql </dev/null
+do sleep 1; done
+~postgres/bin/createdb "$sv"
+
+rule apt_get_install openerp --force-yes
+ # XXX: --force-yes car les paquets de nightly.openerp.com
+ # ne sont pas signés par OpenPGP..
+rule insserv_remove openerp
+
+rule adduser "$sv" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home" \
+ --shell /bin/false \
+ --system
+rule adduser "$sv"-addon \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home"/addon.d \
+ --shell /bin/false \
+ --system
+
+sudo install -d -m 710 -o root -g "$sv" \
+ /etc/sv/"$sv" \
+ /etc/sv/"$sv"/supervise
+sudo install -d -m 1777 -o root -g root \
+ /etc/openerp
+sudo install -d -m 3771 -o "$sv" -g "$sv" \
+ "$home"
+sudo install -d -m 2770 -o "$sv" -g "$sv"-addon \
+ "$home"/addon.d
+sudo install -d -m 750 -o "$sv" -g "$sv" \
+ "$home"/etc \
+ /etc/openerp/"$sv"
+sudo ln -fns \
+ /etc/openerp/"$sv" \
+ "$home"/etc/openerp
+
+sudo adduser git "$sv"-addon
+sudo adduser "$sv" "$sv"-addon
+sudo adduser "$sv" postgres-data
home=/home/"$sv"
cd /
-/usr/bin/sv -w 3 start postgres
-~postgres/bin/createdb "$sv"
-
-getent passwd "$sv" >/dev/null ||
-adduser "$sv" \
- --disabled-login \
- --disabled-password \
- --group \
- --home "$home" \
- --shell /bin/false \
- --system
-getent passwd "$sv" >/dev/null ||
-adduser "$sv"-addon \
- --disabled-login \
- --disabled-password \
- --group \
- --home "$home"/addon.d \
- --shell /bin/false \
- --system
-
-install -d -m 710 -o root -g "$sv" \
- /etc/sv/"$sv" \
- /etc/sv/"$sv"/supervise
-install -d -m 3771 -o "$sv" -g "$sv" \
- "$home"
-install -d -m 2770 -o "$sv" -g "$sv"-addon \
- "$home"/addon.d
-install -d -m 750 -o "$sv" -g "$sv" \
- "$home"/etc \
- /etc/openerp/"$sv"
-ln -fns \
- /etc/openerp/"$sv" \
- "$home"/etc/openerp
-
-adduser git "$sv"-addon
-adduser "$sv" "$sv"-addon
-adduser "$sv" postgres-data
-
for addon in \
bikecoop \
bikecoop_l10n_fr \
--- /dev/null
+home=~git/daemon
+rule adduser "$sv"\
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home" \
+ --shell /bin/false \
+ --system
+
+sudo install -d -m 770 -o git -g "$sv" \
+ "$home"
+
+sudo adduser "$sv" git-data
+
+sudo ln -fns \
+ ../pub \
+ "$home"/git.$vm_domainname
+sudo ln -fns \
+ ../pub \
+ "$home"/burette.$vm_domainname
+ # NOTE : rétro-compatibilité
#!/bin/sh -eux
exec 2>&1
sv=${PWD#/etc/sv/}
-home=~git/daemon
-domainname=$(domainname)
-case ${domainname-} in
- (""|"(none)") false;;
- esac
-
-getent passwd "$sv" >/dev/null ||
-adduser "$sv"\
- --disabled-login \
- --disabled-password \
- --group \
- --home "$home" \
- --shell /bin/false \
- --system
-
-install -d -m 770 -o git -g "$sv" \
- "$home"
-
-adduser "$sv" git-data
-
-ln -fns \
- ../pub \
- "$home"/git.$domainname
-ln -fns \
- ../pub \
- "$home"/burette.$domainname
- # NOTE : rétro-compatibilité
+eval "home=~$sv"
exec /usr/bin/chpst \
-u "$sv":"$sv":git-data \
--- /dev/null
+home=~git-data
+rule adduser fcgi-"$sv" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home" \
+ --shell /bin/false \
+ --system
+
+sudo adduser fcgi-"$sv" www-"$sv"
+sudo adduser fcgi-"$sv" git-data
+
+sudo install -d -m 2750 -o git -g fcgi-"$sv" \
+ /etc/gitweb
+sudo install -m 400 -o fcgi-"$sv" -g fcgi-"$sv" /dev/stdin \
+ /etc/gitweb/gitweb.conf <<-EOF
+ \$commit_oneline_message_width = 70;
+ \$default_projects_order = 'project';
+ \$default_text_plain_charset = 'UTF-8';
+ @diff_opts = ();
+ \$favicon = "static/git-favicon.png";
+ \$feature{'highlight'}{'default'} = [1];
+ \$git_temp = "/run/shm/tmp/gitweb";
+ \$home_text = "/etc/gitweb/home_text.html";
+ \$home_link = "/";
+ \$home_link_str = 'dépôts';
+ \$home_th_age = 'activité';
+ \$home_th_descr = 'description';
+ \$home_th_owner = 'contact';
+ \$home_th_project = 'dépôt';
+ \$javascript = "static/gitweb.js";
+ \$logo = "static/git-logo.png";
+ \$my_uri = "";
+ \$projectroot = "/home/git/pub";
+ \$projects_list = "/etc/gitweb/projects.list";
+ \$projects_list_description_width = 42;
+ \$projects_list_owner_width = 15;
+ \$search_str = "Filtre :";
+ \$site_footer = "/etc/gitweb/site_footer.html";
+ \$site_header = "/etc/gitweb/site_header.html";
+ \$site_name = "git.$vm_domainname";
+ @stylesheets = ("static/gitweb.css");#
+ EOF
+sudo install -m 400 -o fcgi-"$sv" -g fcgi-"$sv" /dev/stdin \
+ /etc/gitweb/home_text.html <<-EOF
+ <h2>Forge logicielle publique de l'Heureux Cyclage</h2>
+ <p>Pour récupérer un dépôt public :</p>
+ <pre>git clone git://git.heureux-cyclage.org/<projet></pre>
+ EOF
+
+sudo ln -fns \
+ /etc/gitweb \
+ ~git/etc/gitweb
#!/bin/sh -eux
exec 2>&1
sv=${PWD#/etc/sv/}
-home=~git-data
-domainname=$(domainname)
-case ${domainname-} in
- (""|"(none)") false;;
- esac
-
-getent passwd fcgi-"$sv" >/dev/null ||
-adduser fcgi-"$sv" \
- --disabled-login \
- --disabled-password \
- --group \
- --home "$home" \
- --shell /bin/false \
- --system
-
-adduser fcgi-"$sv" www-"$sv"
-adduser fcgi-"$sv" git-data
-
-install -d -m 2750 -o git -g fcgi-"$sv" \
- /etc/gitweb
-install -m 400 -o fcgi-"$sv" -g fcgi-"$sv" /dev/stdin \
- /etc/gitweb/gitweb.conf <<-EOF
- \$commit_oneline_message_width = 70;
- \$default_projects_order = 'project';
- \$default_text_plain_charset = 'UTF-8';
- @diff_opts = ();
- \$favicon = "static/git-favicon.png";
- \$feature{'highlight'}{'default'} = [1];
- \$git_temp = "/run/shm/tmp/gitweb";
- \$home_text = "/etc/gitweb/home_text.html";
- \$home_link = "/";
- \$home_link_str = 'dépôts';
- \$home_th_age = 'activité';
- \$home_th_descr = 'description';
- \$home_th_owner = 'contact';
- \$home_th_project = 'dépôt';
- \$javascript = "static/gitweb.js";
- \$logo = "static/git-logo.png";
- \$my_uri = "";
- \$projectroot = "/home/git/pub";
- \$projects_list = "/etc/gitweb/projects.list";
- \$projects_list_description_width = 42;
- \$projects_list_owner_width = 15;
- \$search_str = "Filtre :";
- \$site_footer = "/etc/gitweb/site_footer.html";
- \$site_header = "/etc/gitweb/site_header.html";
- \$site_name = "git.$domainname";
- @stylesheets = ("static/gitweb.css");#
- EOF
-sudo install -m 400 -o fcgi-"$sv" -g fcgi-"$sv" /dev/stdin \
- /etc/gitweb/home_text.html <<-EOF
- <h2>Forge logicielle publique de l'Heureux Cyclage</h2>
- <p>Pour récupérer un dépôt public :</p>
- <pre>git clone git://git.heureux-cyclage.org/<projet></pre>
- EOF
-
-ln -fns \
- /etc/gitweb \
- ~git/etc/gitweb
install -d -m 1771 -o root -g root \
/run/spawn-fcgi
--- /dev/null
+rule www_configure
+
+home=~www/pub/"$sv"
+
+rule adduser fcgi-"$sv" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home" \
+ --shell /bin/false \
+ --system
#!/bin/sh -eux
exec 2>&1
sv=${PWD#/etc/sv/}
-home=~www/pub/"$sv"
/usr/bin/sv -w 3 start sshd
-getent passwd fcgi-"$sv" >/dev/null ||
-adduser fcgi-"$sv" \
- --disabled-login \
- --disabled-password \
- --group \
- --home "$home" \
- --shell /bin/false \
- --system
-
install -d -m 1771 -o root -g root \
/run/spawn-fcgi
--- /dev/null
+rule apt_get_install mysql-server-5.5
+rule insserv_remove mysql
+
+eval "home=~$sv"
+
+rule adduser mysql \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home" \
+ --shell /bin/false \
+ --system
+rule adduser mysql-data \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home "$home"/data \
+ --no-create-home \
+ --shell /bin/false \
+ --system
+sudo usermod --home "$home" mysql
+sudo adduser mysql mysql-data
+sudo install -d -m 751 -o mysql -g mysql \
+ "$home" \
+ "$home"/bin
+sudo rm -rf /etc/mysql
+sudo install -d -m 750 -o mysql -g mysql \
+ /etc/mysql \
+ /etc/mysql/conf.d \
+ "$home"/etc
+sudo ln -fns \
+ /etc/mysql \
+ "$home"/etc/mysql
+sudo install -m 644 -o mysql -g mysql \
+ "$tool"/etc/mysql/my.cnf \
+ /etc/mysql/my.cnf
+if sudo test ! -d "$home"/data
+ then
+ sudo install -d -m 750 -o mysql -g mysql-data \
+ "$home"/data
+ sudo -u mysql mysql_install_db \
+ --datadir="$home"/data \
+ --no-defaults
+ fi
+
+sudo find "$tool"/etc/postgresql/bin/ -type f -perm /+x -exec \
+ install -m 755 -o root -g root \
+ -t /home/postgresql/bin/ {} +
+
+sudo ln -fns \
+ ../sv/"$sv" \
+ /etc/service/"$sv"
+rule runit_sv_start "$sv"
+while ! sudo -u mysql mysql -u mysql </dev/null
+do sleep 1; done
+
+# NOTE:
+# - ajoute l'accès par socket Unix à mysql
+# - ajoute les droits de super-utilisateur à mysql
+# - supprime l'accès par mot-de-passe à root
+# - supprime les bases de données de l'utilisateurice anonyme
+# - supprime l'utilisateurice anonyme
+# NOTE: mémo :
+# GRANT USAGE ON *.* TO 'root'@'*' IDENTIFIED WITH auth_socket;
+# CREATE USER 'root'@'localhost' IDENTIFIED WITH auth_socket;
+# UPDATE mysql.user SET Password='' WHERE user='root';
+# DELETE FROM mysql.user WHERE user = 'root' AND host NOT IN ('localhost', '127.0.0.1', '::1');
+sudo mysql -u root --batch --verbose <<-EOF
+ DELETE FROM mysql.user WHERE user = 'root' and plugin = '';
+ DROP PROCEDURE IF EXISTS mysql.create_user_mysql;
+ DELIMITER //
+ CREATE PROCEDURE mysql.create_user_mysql ()
+ BEGIN
+ IF NOT (EXISTS (SELECT User
+ FROM mysql.user
+ WHERE User='mysql'
+ AND Host='localhost'
+ LIMIT 1))
+ THEN GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' IDENTIFIED WITH auth_socket;
+ END IF;
+ END;
+ //
+ CALL mysql.create_user_mysql();
+ DROP PROCEDURE mysql.create_user_mysql;
+ UPDATE mysql.user SET grant_priv='Y',super_priv='Y' WHERE user='mysql';
+ DELETE FROM mysql.db WHERE user = '';
+ DELETE FROM mysql.user WHERE user = '';
+ FLUSH PRIVILEGES;
+ EOF
#!/bin/sh -eux
exec 2>&1
sv=${PWD#/etc/sv/}
-install -d -m 1771 -o mysql -g mysql \
+eval "home=~$sv"
+
+install -d -m 1771 -o "$sv" -g "$sv" \
/run/mysqld \
/run/mysqld/sock
-eval "home=~$sv"
+
exec /usr/bin/chpst \
-u "$sv":"$sv" \
/usr/sbin/mysqld \
--basedir=/usr \
- --datadir=$home/data \
+ --datadir="$home"/data \
--plugin-dir=/usr/lib/mysql/plugin \
--port=3306 \
--socket=/run/mysqld/sock/"$sv" \
- --user=$sv
+ --user="$sv"
--- /dev/null
+rule runit_configure php5-fpm
+rule apt_get_install nginx spawn-fcgi fcgiwrap
+rule insserv_remove nginx
+rule insserv_remove fcgiwrap
+
+rule www_configure
+
+sudo rm -rf \
+ /etc/nginx/conf.d \
+ /etc/nginx/site.d
+sudo install -d -m 770 -o www -g www \
+ /etc/nginx \
+ /etc/nginx/conf.d \
+ /etc/nginx/site.d \
+ /etc/nginx/x509.d
+sudo ln -fns \
+ /etc/nginx \
+ /home/www/etc/nginx
+sudo install -m 660 -o www -g www \
+ "$tool"/etc/nginx/nginx.conf \
+ /etc/nginx/nginx.conf
+local conf
+for conf in "$tool"/etc/nginx/conf.d/*.conf
+ do conf=${conf#"$tool"/etc/nginx/conf.d/}
+ sudo install -m 660 -o www -g www \
+ "$tool"/etc/nginx/conf.d/"$conf" \
+ /etc/nginx/conf.d/"$conf"
+ done
+for conf in "$tool"/etc/nginx/site.d/*/site.conf
+ do conf=${conf#"$tool"/etc/nginx/site.d/}
+ local site="${conf%/site.conf}"
+ rule adduser www-"$site" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/www/pub/"$site" \
+ --shell /bin/false \
+ --system
+ rule adduser log-www-"$site" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/www/log/"$site"/nginx \
+ --shell /bin/false \
+ --system
+ sudo install -d -m 771 -o log-www -g log-www \
+ /home/www/log/"$site"
+ sudo install -d -m 770 -o www -g www \
+ /etc/nginx/site.d/"$site"
+ sudo install -d -m 770 -o www -g www \
+ /etc/nginx/x509.d/"$site"
+ test -L /home/www/pub/"$site" ||
+ sudo install -d -m 2770 -o www-"$site" -g www-"$site" \
+ /home/www/pub/"$site"
+ sudo adduser www-data www-"$site"
+ sudo adduser www-data log-www-"$site"
+ sudo install -m 660 -o www -g www \
+ "$tool"/etc/nginx/site.d/"$site"/local.conf \
+ /etc/nginx/site.d/"$site"/local.inc
+ sudo install -m 660 -o www -g www \
+ "$tool"/etc/nginx/site.d/"$site"/site.conf \
+ /etc/nginx/site.d/"$site"/site.inc
+ sudo install -m 660 -o www -g www /dev/stdin \
+ /etc/nginx/site.d/"$site"/server.conf <<-EOF
+ server {
+ access_log /home/www/log/$site/nginx/access.log main;
+ error_log /home/www/log/$site/nginx/error.log warn;
+ root /home/www/pub/$site;
+ include /etc/nginx/site.d/$site/local.inc;
+ include /etc/nginx/site.d/$site/site.inc;
+ }
+ EOF
+ test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
+ . "$tool"/etc/nginx/site.d/"$site"/configure.sh
+ done
#!/bin/sh -eux
exec 2>&1
sv=${PWD#/etc/sv/}
+
/usr/bin/sv -w 3 start \
lhc-remorque \
gitweb \
php5-fpm
+
install -d -m 770 -o www-data -g www-data \
/run/nginx \
/run/nginx/fastcgi \
/run/shm/cache/nginx \
/run/shm/cache/nginx/fastcgi \
/run/shm/cache/nginx/client_body
+
exec /usr/sbin/nginx \
-c /etc/nginx/nginx.conf \
-g 'daemon off;'
--- /dev/null
+rule apt_get_install nsd
+rule insserv_remove nsd3
+sudo rm -rf \
+ /etc/nsd3/zone.d
+sudo install -d -m 750 -o root -g nsd \
+ /etc/nsd3/zone.d
+{
+ cat <<-EOF
+ server:
+ ip-address: $vm_ipv4
+ ip4-only: yes
+ EOF
+ cat "$tool"/etc/nsd3/nsd.conf
+ local conf
+ for conf in "$tool"/etc/nsd3/zone.d/*.conf
+ do conf=${conf#"$tool"/etc/nsd3/zone.d/}
+ local domain=${conf%.conf}
+ if test -e "$tool"/etc/nsd3/zone.d/"$domain".zone.m4
+ then m4 \
+ --define=ZONE_DOMAIN=$domain \
+ --define=ZONE_SERIAL=$(cd "$tool" && git log -1 --format="%ct" -- etc/nsd3/zone.d/"$domain".zone.m4) \
+ --define=VM_IP4=$vm_ipv4 \
+ "$tool"/etc/nsd3/zone.d/"$domain".zone.m4
+ else cat "$tool"/etc/nsd3/zone.d/"$domain".zone
+ fi |
+ sudo install -m 440 -o root -g nsd /dev/stdin \
+ /etc/nsd3/zone.d/"$domain".zone
+ sudo install -m 440 -o root -g nsd \
+ "$tool"/etc/nsd3/zone.d/"$conf" \
+ /etc/nsd3/zone.d/"$conf"
+ cat <<-EOF
+ zone:
+ name: $domain
+ zonefile: /etc/nsd3/zone.d/$domain.zone
+ EOF
+ done
+} |
+sudo install -m 640 -o root -g nsd /dev/stdin \
+ /etc/nsd3/nsd.conf
+sudo nsdc rebuild
#!/bin/sh -eux
exec 2>&1
sv=${PWD#/etc/sv/}
+
install -d -m 770 -o root -g root \
/run/nsd3
+
exec /usr/sbin/nsd \
-c /etc/nsd3/nsd.conf \
-d
--- /dev/null
+# NOTE: http://my.opera.com/marcomarongiu/blog/2011/01/05/independent-wallclock-in-xen-4
+
+rule apt_get_install ntp
+rule insserv_remove ntp
+
+sudo install -m 644 -o root -g root /dev/stdin /etc/timezone <<-EOF
+ Europe/Paris
+ EOF
+sudo debconf-set-selections <<-EOF
+ tzdata tzdata/Areas select Europe
+ tzdata tzdata/Zones/Europe select Paris
+ EOF
+rule dpkg_reconfigure tzdata
#!/bin/sh -eux
exec 2>&1
sv=${PWD#/etc/sv/}
+
exec /usr/sbin/ntpd \
-c /etc/ntp.conf \
-g \
--- /dev/null
+rule apt_get_install php5-fpm php-apc
+rule insserv_remove php5-fpm
+
+rule www_configure
+
+rule adduser php5 \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /etc/php5/fpm \
+ --shell /bin/false \
+ --system
+rule adduser log-php5 \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/www/log/php5/fpm \
+ --shell /bin/false \
+ --system
+sudo ln -fns \
+ /etc/php5/fpm \
+ /home/www/etc/php5
+sudo rm -rf \
+ /etc/php5/fpm/conf.d \
+ /etc/php5/fpm/pool.d
+sudo install -d -m 770 -o php5 -g php5 \
+ /etc/php5/fpm/conf.d \
+ /etc/php5/fpm/pool.d
+sudo install -m 440 -o php5 -g php5 \
+ "$tool"/etc/php5/fpm/php-fpm.conf \
+ /etc/php5/fpm/php-fpm.conf
+local conf
+#for conf in "$tool"/etc/php5/fpm/conf.d/*.conf
+# do conf=${conf#"$tool"/etc/php5/fpm/conf.d/}
+# sudo install -m 660 -o php5 -g php5 \
+# "$tool"/etc/php5/fpm/conf.d/"$conf" \
+# /etc/php5/fpm/conf.d/"$conf"
+# done
+for conf in "$tool"/etc/php5/fpm/pool.d/*.conf
+ do conf=${conf#"$tool"/etc/php5/fpm/pool.d/}
+ IFS=. read -r pool <<-EOF
+ ${conf%.conf}
+ EOF
+ assert 'test "${pool:+set}"'
+ rule adduser php5-"$pool" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --no-create-home \
+ --home /etc/php5/fpm/pool.d \
+ --shell /bin/false \
+ --system
+ rule adduser log-php5-"$pool" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --no-create-home \
+ --home /home/www/log/php5/fpm/"$pool" \
+ --shell /bin/false \
+ --system
+ sudo install -d -m 770 -o log-php5 -g log-php5 \
+ /home/www/log/php5 \
+ /home/www/log/php5/fpm
+ sudo install -d -m 770 -o log-php5-"$pool" -g log-php5-"$pool" \
+ /home/www/log/php5/fpm/"$pool"
+ sudo install -m 660 -o php5 -g php5 /dev/stdin \
+ /etc/php5/fpm/pool.d/"$pool".conf <<-EOF
+ [$pool]
+ access.log = /home/www/log/php5/fpm/$pool/access.log
+ catch_workers_output = yes
+ chdir = /
+ env[HOSTNAME] = \$HOSTNAME
+ env[TEMP] = /tmp
+ env[TMPDIR] = /tmp
+ env[TMP] = /tmp
+ group = php5-$pool
+ #listen = 127.0.0.1:9000
+ listen = /run/php5/fpm/$pool
+ #listen.allowed_clients = 127.0.0.1
+ listen.group = www-data
+ listen.mode = 0660
+ #listen.owner = www-data
+ listen.backlog = -1
+ pm = dynamic
+ pm.max_children = 5
+ pm.max_requests = 200
+ pm.max_spare_servers = 4
+ pm.min_spare_servers = 2
+ pm.start_servers = 3
+ pm.status_path = /status
+ request_slowlog_timeout = 5s
+ request_terminate_timeout = 120s
+ rlimit_core = unlimited
+ rlimit_files = 131072
+ slowlog = /home/www/log/php5/fpm/$pool/slow.log
+ user = php5-$pool
+ $(cat "$tool"/etc/php5/fpm/pool.d/"$conf")
+ EOF
+ sudo install -m 664 -o php5 -g php5 \
+ "$tool"/etc/php5/fpm/php.ini \
+ /etc/php5/fpm/php.ini
+ done
#!/bin/sh -eux
exec 2>&1
sv=${PWD#/etc/sv/}
+
install -d -m 1771 -o php5 -g php5 \
/run/php5 \
/run/php5/fpm \
/run/shm/cache/php5 \
/run/shm/cache/php5/fpm \
/run/shm/tmp/php5
+
exec /usr/sbin/php5-fpm \
--fpm-config /etc/php5/fpm/php-fpm.conf \
--php-ini /etc/php5/fpm/php.ini
--- /dev/null
+local hint="run vm_remote postfix_key_send before"
+assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
+#warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
+sudo debconf-set-selections <<-EOF
+ postfix postfix/main_mailer_type select No configuration
+ EOF
+rule apt_get_install postfix procmail
+rule insserv_remove postfix
+sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
+ *.db
+ EOF
+sudo install -d -m 771 -o root -g root \
+ /etc/postfix/ \
+ /etc/postfix/$vm_domainname/ \
+ /etc/postfix/$vm_domainname/smtp \
+ /etc/postfix/$vm_domainname/smtp/x509 \
+ /etc/postfix/$vm_domainname/smtp/x509/ca \
+ /etc/postfix/$vm_domainname/smtpd \
+ /etc/postfix/$vm_domainname/smtpd/x509 \
+ /etc/postfix/$vm_domainname/smtpd/x509/ca
+sudo ln -fns \
+ ../crt+crl.self-signed.pem \
+ /etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
+sudo install -m 400 -o root -g root \
+ "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \
+ /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
+sudo install -m 400 -o root -g root \
+ "$tool"/var/pub/x509/smtpd.$vm_domainname/crt.pem \
+ /etc/postfix/$vm_domainname/smtpd/x509/crt.pem
+sudo install -m 400 -o root -g root \
+ "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+ca.pem \
+ /etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem
+sudo install -m 400 -o root -g root \
+ "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \
+ /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
+sudo install -m 640 -o root -g root \
+ "$tool"/etc/postfix/$vm_domainname/header_checks \
+ /etc/postfix/$vm_domainname/header_checks
+sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/postfix/aliases <<-EOF
+ # See man 5 aliases for format
+ abuse: root
+ admin: root
+ contact: root
+ mailer-daemon: root
+ postmaster: root
+ root: $(getent group sudo | cut -f 4 -d : | tr , ' ')
+ EOF
+sudo newaliases -oA/etc/postfix/aliases
+cat /dev/stdin "$tool"/etc/postfix/main.cf <<-EOF |
+ mydomain = $vm_domainname
+ myorigin = \$mydomain
+ myhostname = $vm_hostname.\$mydomain
+ mail_name = \$myhostname
+ mydestination = $vm_hostname \$myhostname \$myorigin
+ EOF
+sudo install -m 640 -o root -g root /dev/stdin \
+ /etc/postfix/main.cf
+sudo install -m 640 -o root -g root \
+ "$tool"/etc/postfix/master.cf \
+ /etc/postfix/master.cf
+sudo install -m 640 -o root -g root \
+ "$tool"/etc/postfix/$vm_domainname/smtp/x509/policy \
+ /etc/postfix/$vm_domainname/smtp/x509/policy
+sudo postmap hash:/etc/postfix/$vm_domainname/smtp/x509/policy
+sudo install -m 640 -o root -g root \
+ "$tool"/etc/postfix/$vm_domainname/smtp/header_checks \
+ /etc/postfix/$vm_domainname/smtp/header_checks
+sudo install -m 640 -o root -g root \
+ "$tool"/etc/postfix/$vm_domainname/smtpd/sender_access \
+ /etc/postfix/$vm_domainname/smtpd/sender_access
+sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/sender_access
+sudo install -m 640 -o root -g root \
+ "$tool"/etc/postfix/$vm_domainname/smtpd/client_blacklist \
+ /etc/postfix/$vm_domainname/smtpd/client_blacklist
+sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/client_blacklist
+sudo install -m 640 -o root -g root \
+ "$tool"/etc/postfix/$vm_domainname/smtpd/relay_clientcerts \
+ /etc/postfix/$vm_domainname/smtpd/relay_clientcerts
+sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/relay_clientcerts
+sudo install -m 640 -o root -g root \
+ "$tool"/etc/postfix/$vm_domainname/transport \
+ /etc/postfix/$vm_domainname/transport
+sudo postmap hash:/etc/postfix/$vm_domainname/transport
+sudo install -m 640 -o root -g root \
+ "$tool"/etc/postfix/$vm_domainname/virtual_alias \
+ /etc/postfix/$vm_domainname/virtual_alias
+sudo postmap hash:/etc/postfix/$vm_domainname/virtual_alias
+sudo install -d -m 770 -o root -g root \
+ /etc/skel/etc/mail \
+ /etc/skel/var/cache/mail \
+ /etc/skel/var/log/mail \
+ /etc/skel/var/mail
+sudo install -m 660 -o root -g root \
+ "$tool"/etc/skel/etc/mail/delivery.procmailrc \
+ /etc/skel/etc/mail/delivery.procmailrc
/etc/postfix/postfix-script check
exec /usr/lib/postfix/master \
- -c /etc/postfix \
-
+ -c /etc/postfix
- # DOC: http://wiki.postgresql.org/wiki/Shared_Database_Hosting
+# DOC: http://wiki.postgresql.org/wiki/Shared_Database_Hosting
+
rule apt_get_install postgresql-9.1
rule insserv_remove postgresql
rule adduser postgres \
install -m 755 -o root -g root \
-t /home/postgresql/bin/ {} +
-sudo sv -w 1 start /etc/sv/postgres
+sudo ln -fns \
+ ../sv/"$sv" \
+ /etc/service/"$sv"
+rule runit_sv_start "$sv"
while ! sudo -u postgres psql </dev/null
do sleep 1; done
+
# NOTE: supprime l'accès au schéma public depuis public,
# de sorte à ce que les différents utilisateurices
# ne voient pas leurs bases de données entre-elleux ;
--- /dev/null
+rule apt_get_install postgrey
+rule insserv_remove postgrey
#!/bin/sh -eux
exec 2>&1
sv=${PWD#/etc/sv/}
+
install -d -m 2710 -o postgrey -g postfix \
/run/postgrey
+
exec /usr/bin/chpst \
-u "$sv":"$sv" \
/usr/sbin/postgrey \
--- /dev/null
+rule apt_get_install openssh-server
+rule insserv_remove ssh
+ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
+( while IFS= read -r line
+ do case $line in (*" RSA") return 0; break;; esac
+ done; return 1 ) ||
+sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
+sudo rm -f \
+ /etc/ssh/ssh_host_dsa_key \
+ /etc/ssh/ssh_host_dsa_key.pub \
+ /etc/ssh/ssh_host_ecdsa_key \
+ /etc/ssh/ssh_host_ecdsa_key.pub
+ # NOTE: clefs générées par Debian
+m4 \
+ --define=VM_IPV4=$vm_ipv4 \
+ <"$tool"/etc/ssh/sshd_config.m4 |
+sudo install -m 640 -o root -g root /dev/stdin \
+ /etc/ssh/sshd_config
+sudo install -m 644 -o root -g root \
+ "$tool"/etc/ssh/ssh_config \
+ /etc/ssh/ssh_config
#!/bin/sh -eux
exec 2>&1
sv=${PWD#/etc/sv/}
-install -d -m 755 -o root -g root /run/sshd
+
+install -d -m 755 -o root -g root \
+ /run/sshd
install -d -m 1777 -o root -g root \
/run/shm/cache \
/run/shm/tmp
+
exec /usr/sbin/sshd -D
--- /dev/null
+sudo apt-get install unbound
+rule insserv_remove unbound
+
+sudo install -m 644 -o root -g root /dev/stdin /etc/resolv.conf <<-EOF
+ search ${vm_host#*.}
+ nameserver 127.0.0.1
+ #nameserver ${vm_host_nameserver}
+ EOF
+sudo install -m 440 -o unbound -g unbound \
+ "$tool"/etc/unbound/named.cache \
+ /etc/unbound/named.cache
+
+m4 \
+ --define=OUTGOING_INTERFACE=$vm_ipv4 \
+ <"$tool"/etc/unbound/unbound.conf |
+sudo install -m 440 -o unbound -g unbound /dev/stdin \
+ /etc/unbound/unbound.conf
#!/bin/sh -eux
exec 2>&1
sv=${PWD#/etc/sv/}
+
/usr/bin/sv -w 3 start nsd3
+
exec /usr/sbin/unbound \
-c /etc/unbound/unbound.conf \
-d
sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/$vm_lsb_name-backports.list <<-EOF
deb http://ftp.rezopole.net/debian $vm_lsb_name-backports main
EOF
+ sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
+ deb http://nightly.openerp.com/7.0/nightly/deb/ ./
+ EOF
sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
Package: *
Pin: release a=$vm_lsb_name
# et davantage sécurisant.
EOF
}
-rule_dovecot_configure () {
- rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
- rule insserv_remove dovecot
- local hint="run vm_remote dovecot_key_send before"
- assert "sudo test -f /etc/dovecot/\"$vm_domainname\"/imap/x509/key.pem" hint
- sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/imap."$vm_domainname"/crt+crl.self-signed.pem \
- /etc/dovecot/"$vm_domainname"/imap/x509/crt+crl.self-signed.pem
- sudo install -d -m 770 -o root -g root \
- /etc/skel/etc/mail \
- /etc/skel/etc/sieve
- sudo install -d -m 1777 -o root -g root \
- /var/lib/dovecot-control \
- /var/lib/dovecot-index
- m4 \
- --define=VM_DOMAINNAME=$vm_domainname \
- <"$tool"/etc/dovecot/local.conf.m4 |
- sudo install -m 644 -o root -g root /dev/stdin \
- /etc/dovecot/local.conf
- sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
- #!/bin/sh -efux
- # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
- install -d -m 770 ~/etc/dovecot
- install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
- \$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
- _EOF
- EOF
- rule runit_configure dovecot
- }
rule_etckeeper_configure () {
sudo install -m 644 -o root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
VCS=git
xvc0
EOF
}
-rule_mail_configure () {
- rule postfix_configure
- rule postgrey_configure
- rule procmail_configure
- rule dovecot_configure
- }
-rule_mysql_configure () {
- rule apt_get_install mysql-server-5.5
- rule insserv_remove mysql
- rule adduser mysql \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/mysql \
- --shell /bin/false \
- --system
- rule adduser mysql-data \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/mysql/data \
- --no-create-home \
- --shell /bin/false \
- --system
- sudo usermod --home /home/mysql mysql
- sudo adduser mysql mysql-data
- sudo install -d -m 751 -o mysql -g mysql \
- /home/mysql
- sudo rm -rf /etc/mysql
- sudo install -d -m 750 -o mysql -g mysql \
- /etc/mysql \
- /etc/mysql/conf.d \
- /home/mysql/etc
- sudo ln -fns \
- /etc/mysql \
- /home/mysql/etc/mysql
- sudo install -m 644 -o mysql -g mysql \
- "$tool"/etc/mysql/my.cnf \
- /etc/mysql/my.cnf
- if sudo test ! -d /home/mysql/data
- then
- sudo install -d -m 750 -o mysql -g mysql-data \
- /home/mysql/data
- sudo -u mysql mysql_install_db \
- --datadir=/home/mysql/data \
- --no-defaults
- fi
- rule runit_configure mysql
- while ! sudo -u mysql mysql -u mysql </dev/null
- do sleep 0.3; done
- # NOTE:
- # - ajoute l'accès par socket Unix à mysql
- # - ajoute les droits de super-utilisateur à mysql
- # - supprime l'accès par mot-de-passe à root
- # - supprime les bases de données de l'utilisateurice anonyme
- # - supprime l'utilisateurice anonyme
- # NOTE: mémo :
- # GRANT USAGE ON *.* TO 'root'@'*' IDENTIFIED WITH auth_socket;
- # CREATE USER 'root'@'localhost' IDENTIFIED WITH auth_socket;
- # UPDATE mysql.user SET Password='' WHERE user='root';
- # DELETE FROM mysql.user WHERE user = 'root' AND host NOT IN ('localhost', '127.0.0.1', '::1');
- sudo mysql -u root --batch --verbose <<-EOF
- DELETE FROM mysql.user WHERE user = 'root' and plugin = '';
- DROP PROCEDURE IF EXISTS mysql.create_user_mysql;
- DELIMITER //
- CREATE PROCEDURE mysql.create_user_mysql ()
- BEGIN
- IF NOT (EXISTS (SELECT User
- FROM mysql.user
- WHERE User='mysql'
- AND Host='localhost'
- LIMIT 1))
- THEN GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' IDENTIFIED WITH auth_socket;
- END IF;
- END;
- //
- CALL mysql.create_user_mysql();
- DROP PROCEDURE mysql.create_user_mysql;
- UPDATE mysql.user SET grant_priv='Y',super_priv='Y' WHERE user='mysql';
- DELETE FROM mysql.db WHERE user = '';
- DELETE FROM mysql.user WHERE user = '';
- FLUSH PRIVILEGES;
- EOF
- }
-rule_mysql_db_add () { # SYNTAX: $user $db
- sudo -u mysql mysql --batch <<-EOF
- DROP DATABASE IF EXISTS $db;
- CREATE DATABASE $db CHARACTER SET utf8 COLLATE utf8_general_ci;
- GRANT ALL PRIVILEGES ON $base.* TO '$user'@'localhost' IDENTIFIED WITH auth_socket;
- FLUSH PRIVILEGES;
- EOF
- }
-rule_mysql_user_add () { # SYNTAX: $user
- sudo mysql -u mysql --batch <<-EOF || true
- DROP USER '$user'@'localhost';
- EOF
- sudo mysql -u mysql --batch <<-EOF
- CREATE USER '$user'@'localhost' IDENTIFIED WITH auth_socket;
- EOF
- }
rule_network_configure () {
sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
$vm
sudo install -m 640 -o root -g root /dev/stdin \
/etc/network/interfaces
}
-rule_nginx_configure () {
- local -; set +f
- rule php5_fpm_configure
- rule apt_get_install nginx spawn-fcgi fcgiwrap
- rule insserv_remove nginx
- rule insserv_remove fcgiwrap
- sudo rm -rf \
- /etc/nginx/conf.d \
- /etc/nginx/site.d
- sudo install -d -m 770 -o www -g www \
- /etc/nginx \
- /etc/nginx/conf.d \
- /etc/nginx/site.d \
- /etc/nginx/x509.d
- sudo ln -fns \
- /etc/nginx \
- /home/www/etc/nginx
- sudo install -m 660 -o www -g www \
- "$tool"/etc/nginx/nginx.conf \
- /etc/nginx/nginx.conf
- local conf
- for conf in "$tool"/etc/nginx/conf.d/*.conf
- do conf=${conf#"$tool"/etc/nginx/conf.d/}
- sudo install -m 660 -o www -g www \
- "$tool"/etc/nginx/conf.d/"$conf" \
- /etc/nginx/conf.d/"$conf"
- done
- for conf in "$tool"/etc/nginx/site.d/*/site.conf
- do conf=${conf#"$tool"/etc/nginx/site.d/}
- local site="${conf%/site.conf}"
- rule adduser www-"$site" \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/www/pub/"$site" \
- --shell /bin/false \
- --system
- rule adduser log-www-"$site" \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/www/log/"$site"/nginx \
- --shell /bin/false \
- --system
- sudo install -d -m 771 -o log-www -g log-www \
- /home/www/log/"$site"
- sudo install -d -m 770 -o www -g www \
- /etc/nginx/site.d/"$site"
- sudo install -d -m 770 -o www -g www \
- /etc/nginx/x509.d/"$site"
- test -L /home/www/pub/"$site" ||
- sudo install -d -m 2770 -o www-"$site" -g www-"$site" \
- /home/www/pub/"$site"
- sudo adduser www-data www-"$site"
- sudo adduser www-data log-www-"$site"
- sudo install -m 660 -o www -g www \
- "$tool"/etc/nginx/site.d/"$site"/local.conf \
- /etc/nginx/site.d/"$site"/local.inc
- sudo install -m 660 -o www -g www \
- "$tool"/etc/nginx/site.d/"$site"/site.conf \
- /etc/nginx/site.d/"$site"/site.inc
- sudo install -m 660 -o www -g www /dev/stdin \
- /etc/nginx/site.d/"$site"/server.conf <<-EOF
- server {
- access_log /home/www/log/$site/nginx/access.log main;
- error_log /home/www/log/$site/nginx/error.log warn;
- root /home/www/pub/$site;
- include /etc/nginx/site.d/$site/local.inc;
- include /etc/nginx/site.d/$site/site.inc;
- }
- EOF
- test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
- . "$tool"/etc/nginx/site.d/"$site"/configure.sh
- done
- rule runit_configure nginx
- }
-rule_nsd3_configure () { # NOTE: DNS autoritaire uniquement
- local -; set +f
- rule apt_get_install nsd
- rule insserv_remove nsd3
- sudo rm -rf \
- /etc/nsd3/zone.d
- sudo install -d -m 750 -o root -g nsd \
- /etc/nsd3/zone.d
- {
- cat <<-EOF
- server:
- ip-address: $vm_ipv4
- ip4-only: yes
- EOF
- cat "$tool"/etc/nsd3/nsd.conf
- local conf
- for conf in "$tool"/etc/nsd3/zone.d/*.conf
- do conf=${conf#"$tool"/etc/nsd3/zone.d/}
- local domain=${conf%.conf}
- if test -e "$tool"/etc/nsd3/zone.d/"$domain".zone.m4
- then m4 \
- --define=ZONE_DOMAIN=$domain \
- --define=ZONE_SERIAL=$(cd "$tool" && git log -1 --format="%ct" -- etc/nsd3/zone.d/"$domain".zone.m4) \
- --define=VM_IP4=$vm_ipv4 \
- "$tool"/etc/nsd3/zone.d/"$domain".zone.m4
- else cat "$tool"/etc/nsd3/zone.d/"$domain".zone
- fi |
- sudo install -m 440 -o root -g nsd /dev/stdin \
- /etc/nsd3/zone.d/"$domain".zone
- sudo install -m 440 -o root -g nsd \
- "$tool"/etc/nsd3/zone.d/"$conf" \
- /etc/nsd3/zone.d/"$conf"
- cat <<-EOF
- zone:
- name: $domain
- zonefile: /etc/nsd3/zone.d/$domain.zone
- EOF
- done
- } |
- sudo install -m 640 -o root -g nsd /dev/stdin \
- /etc/nsd3/nsd.conf
- sudo nsdc rebuild
- rule runit_configure nsd3
- }
-rule_ntp_configure () {
- # NOTE: http://my.opera.com/marcomarongiu/blog/2011/01/05/independent-wallclock-in-xen-4
- rule apt_get_install ntp
- rule insserv_remove ntp
- rule runit_configure ntp
- }
-rule_openerp_configure () {
- sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
- deb http://nightly.openerp.com/7.0/nightly/deb/ ./
- EOF
- sudo install -d -m 1777 -o root -g root \
- /etc/openerp
- rule apt_get_install openerp --force-yes
- # XXX: --force-yes car les paquets de nightly.openerp.com
- # ne sont pas signés par OpenPGP..
- rule insserv_remove openerp
- }
-rule_php5_fpm_configure () {
- local -; set +f
- rule apt_get_install php5-fpm php-apc
- rule insserv_remove php5-fpm
- rule adduser php5 \
- --disabled-login \
- --disabled-password \
- --group \
- --home /etc/php5/fpm \
- --shell /bin/false \
- --system
- rule adduser log-php5 \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/www/log/php5/fpm \
- --shell /bin/false \
- --system
- sudo ln -fns \
- /etc/php5/fpm \
- /home/www/etc/php5
- sudo rm -rf \
- /etc/php5/fpm/conf.d \
- /etc/php5/fpm/pool.d
- sudo install -d -m 770 -o php5 -g php5 \
- /etc/php5/fpm/conf.d \
- /etc/php5/fpm/pool.d
- sudo install -m 440 -o php5 -g php5 \
- "$tool"/etc/php5/fpm/php-fpm.conf \
- /etc/php5/fpm/php-fpm.conf
- local conf
- #for conf in "$tool"/etc/php5/fpm/conf.d/*.conf
- # do conf=${conf#"$tool"/etc/php5/fpm/conf.d/}
- # sudo install -m 660 -o php5 -g php5 \
- # "$tool"/etc/php5/fpm/conf.d/"$conf" \
- # /etc/php5/fpm/conf.d/"$conf"
- # done
- for conf in "$tool"/etc/php5/fpm/pool.d/*.conf
- do conf=${conf#"$tool"/etc/php5/fpm/pool.d/}
- IFS=. read -r pool <<-EOF
- ${conf%.conf}
- EOF
- assert 'test "${pool:+set}"'
- rule adduser php5-"$pool" \
- --disabled-login \
- --disabled-password \
- --group \
- --no-create-home \
- --home /etc/php5/fpm/pool.d \
- --shell /bin/false \
- --system
- rule adduser log-php5-"$pool" \
- --disabled-login \
- --disabled-password \
- --group \
- --no-create-home \
- --home /home/www/log/php5/fpm/"$pool" \
- --shell /bin/false \
- --system
- sudo install -d -m 770 -o log-php5 -g log-php5 \
- /home/www/log/php5 \
- /home/www/log/php5/fpm
- sudo install -d -m 770 -o log-php5-"$pool" -g log-php5-"$pool" \
- /home/www/log/php5/fpm/"$pool"
- sudo install -m 660 -o php5 -g php5 /dev/stdin \
- /etc/php5/fpm/pool.d/"$pool".conf <<-EOF
- [$pool]
- access.log = /home/www/log/php5/fpm/$pool/access.log
- catch_workers_output = yes
- chdir = /
- env[HOSTNAME] = \$HOSTNAME
- env[TEMP] = /tmp
- env[TMPDIR] = /tmp
- env[TMP] = /tmp
- group = php5-$pool
- #listen = 127.0.0.1:9000
- listen = /run/php5/fpm/$pool
- #listen.allowed_clients = 127.0.0.1
- listen.group = www-data
- listen.mode = 0660
- #listen.owner = www-data
- listen.backlog = -1
- pm = dynamic
- pm.max_children = 5
- pm.max_requests = 200
- pm.max_spare_servers = 4
- pm.min_spare_servers = 2
- pm.start_servers = 3
- pm.status_path = /status
- request_slowlog_timeout = 5s
- request_terminate_timeout = 120s
- rlimit_core = unlimited
- rlimit_files = 131072
- slowlog = /home/www/log/php5/fpm/$pool/slow.log
- user = php5-$pool
- $(cat "$tool"/etc/php5/fpm/pool.d/"$conf")
- EOF
- sudo install -m 664 -o php5 -g php5 \
- "$tool"/etc/php5/fpm/php.ini \
- /etc/php5/fpm/php.ini
- done
- rule runit_configure php5-fpm
- }
-rule_postfix_configure () {
- local hint="run vm_remote postfix_key_send before"
- assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
- #warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
- sudo debconf-set-selections <<-EOF
- postfix postfix/main_mailer_type select No configuration
- EOF
- rule apt_get_install postfix
- rule insserv_remove postfix
- sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
- *.db
- EOF
- sudo install -d -m 771 -o root -g root \
- /etc/postfix/ \
- /etc/postfix/$vm_domainname/ \
- /etc/postfix/$vm_domainname/smtp \
- /etc/postfix/$vm_domainname/smtp/x509 \
- /etc/postfix/$vm_domainname/smtp/x509/ca \
- /etc/postfix/$vm_domainname/smtpd \
- /etc/postfix/$vm_domainname/smtpd/x509 \
- /etc/postfix/$vm_domainname/smtpd/x509/ca
- sudo ln -fns \
- ../crt+crl.self-signed.pem \
- /etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
- sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \
- /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
- sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/smtpd.$vm_domainname/crt.pem \
- /etc/postfix/$vm_domainname/smtpd/x509/crt.pem
- sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+ca.pem \
- /etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem
- sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \
- /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
- sudo install -m 640 -o root -g root \
- "$tool"/etc/postfix/$vm_domainname/header_checks \
- /etc/postfix/$vm_domainname/header_checks
- sudo install -m 644 -o root -g root /dev/stdin \
- /etc/postfix/aliases <<-EOF
- # See man 5 aliases for format
- abuse: root
- admin: root
- contact: root
- mailer-daemon: root
- postmaster: root
- root: $(getent group sudo | cut -f 4 -d : | tr , ' ')
- EOF
- sudo newaliases -oA/etc/postfix/aliases
- cat /dev/stdin "$tool"/etc/postfix/main.cf <<-EOF |
- mydomain = $vm_domainname
- myorigin = \$mydomain
- myhostname = $vm_hostname.\$mydomain
- mail_name = \$myhostname
- mydestination = $vm_hostname \$myhostname \$myorigin
- EOF
- sudo install -m 640 -o root -g root /dev/stdin \
- /etc/postfix/main.cf
- sudo install -m 640 -o root -g root \
- "$tool"/etc/postfix/master.cf \
- /etc/postfix/master.cf
- sudo install -m 640 -o root -g root \
- "$tool"/etc/postfix/$vm_domainname/smtp/x509/policy \
- /etc/postfix/$vm_domainname/smtp/x509/policy
- sudo postmap hash:/etc/postfix/$vm_domainname/smtp/x509/policy
- sudo install -m 640 -o root -g root \
- "$tool"/etc/postfix/$vm_domainname/smtp/header_checks \
- /etc/postfix/$vm_domainname/smtp/header_checks
- sudo install -m 640 -o root -g root \
- "$tool"/etc/postfix/$vm_domainname/smtpd/sender_access \
- /etc/postfix/$vm_domainname/smtpd/sender_access
- sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/sender_access
- sudo install -m 640 -o root -g root \
- "$tool"/etc/postfix/$vm_domainname/smtpd/client_blacklist \
- /etc/postfix/$vm_domainname/smtpd/client_blacklist
- sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/client_blacklist
- sudo install -m 640 -o root -g root \
- "$tool"/etc/postfix/$vm_domainname/smtpd/relay_clientcerts \
- /etc/postfix/$vm_domainname/smtpd/relay_clientcerts
- sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/relay_clientcerts
- sudo install -m 640 -o root -g root \
- "$tool"/etc/postfix/$vm_domainname/transport \
- /etc/postfix/$vm_domainname/transport
- sudo postmap hash:/etc/postfix/$vm_domainname/transport
- sudo install -m 640 -o root -g root \
- "$tool"/etc/postfix/$vm_domainname/virtual_alias \
- /etc/postfix/$vm_domainname/virtual_alias
- sudo postmap hash:/etc/postfix/$vm_domainname/virtual_alias
- rule runit_configure postfix
- }
-rule_postgrey_configure () {
- rule apt_get_install postgrey
- rule insserv_remove postgrey
- rule runit_configure postgrey
- }
-rule_procmail_configure () {
- rule apt_get_install procmail
- sudo install -d -m 770 -o root -g root \
- /etc/skel/etc/mail \
- /etc/skel/var/cache/mail \
- /etc/skel/var/log/mail \
- /etc/skel/var/mail
- sudo install -m 660 -o root -g root \
- "$tool"/etc/skel/etc/mail/delivery.procmailrc \
- /etc/skel/etc/mail/delivery.procmailrc
- }
rule_runit_configure () { # SYNTAX: $sv
rule apt_get_install runit
local -; set +f
("ok: down:"*) true;;
(*) false;;
esac' '' {} +
- set -$- ${1-"$tool"/etc/sv/*}
- while test -n "$*"
- do local first=yes
- for sv in "$@"
- do sv=${sv##*/}
- case $first in
- (yes) shift $#; first=;;
- esac
- rule _runit_sv_configure "$sv"
- rule runit_sv_restart "$sv"
- done
+ for sv in ${1-"$tool"/etc/sv/*}
+ do sv=${sv##*/}
+ rule runit_sv_configure "$sv"
+ rule runit_sv_start "$sv"
done
- sudo find -L /etc/service -type l -delete
+ #sleep 3
+ #sudo find -L /etc/service -type l -delete
}
-rule__runit_sv_configure () { # SYNTAX: $sv
+rule_runit_sv_configure () { # SYNTAX: $sv
local sv="$1"
sudo install -d -m 770 -o root -g root \
/etc/sv/"$sv"
"$tool"/etc/sv/"$sv"/log/run \
/etc/sv/"$sv"/log/run
fi
- local continue=
+ (
test ! -r "$tool"/etc/sv/"$sv"/configure.sh ||
. "$tool"/etc/sv/"$sv"/configure.sh
- case $continue in
- (yes) continue;;
- esac
+ test ! -r "$tool"/etc/sv/"$sv"/log/configure.sh ||
+ . "$tool"/etc/sv/"$sv"/log/configure.sh
+ )
sudo ln -fns \
../sv/"$sv" \
/etc/service/"$sv"
esac
done
}
+rule_runit_sv_start () { # SYNTAX: $sv
+ local sv="$1"
+ while true
+ do case $(sudo sv start "$sv") in
+ ("fail: $sv: runsv not running") sleep 1;;
+ ("warning: $sv: unable to open supervise/ok: file does not exists") sleep 1;;
+ (*) break;;
+ esac
+ done
+ }
rule_shorewall_configure () {
# DOC: http://shorewall.net/Introduction.html
local -; set +f
# done
#sudo shorewall safe-restart
}
-rule_ssh_configure () {
- rule apt_get_install openssh-server
- rule insserv_remove ssh
- ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
- ( while IFS= read -r line
- do case $line in (*" RSA") return 0; break;; esac
- done; return 1 ) ||
- sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
- sudo rm -f \
- /etc/ssh/ssh_host_dsa_key \
- /etc/ssh/ssh_host_dsa_key.pub \
- /etc/ssh/ssh_host_ecdsa_key \
- /etc/ssh/ssh_host_ecdsa_key.pub
- # NOTE: clefs générées par Debian
- m4 \
- --define=VM_IPV4=$vm_ipv4 \
- <"$tool"/etc/ssh/sshd_config.m4 |
- sudo install -m 640 -o root -g root /dev/stdin \
- /etc/ssh/sshd_config
- sudo install -m 644 -o root -g root \
- "$tool"/etc/ssh/ssh_config \
- /etc/ssh/ssh_config
- rule runit_configure sshd
- }
rule_sysctl_configure () {
local -; set +f
for conf in "$tool"/etc/sysctl.d/*.conf
"$tool"/etc/sysctl.d/"$conf" \
/etc/sysctl.d/"$conf"
done
+ sudo install -m 660 -o root -g root /dev/stdin \
+ /etc/sysctl.d/local-kernel-name.conf <<-EOF
+ kernel.hostname = $vm_hostname
+ kernel.domainname = $vm_domainname
+ EOF
sudo sysctl --system
}
rule_tmpfs_configure () {
TMPFS_SIZE=20%VM
EOF
}
-rule_time_configure () {
- sudo install -m 644 -o root -g root /dev/stdin /etc/timezone <<-EOF
- Europe/Paris
- EOF
- sudo debconf-set-selections <<-EOF
- tzdata tzdata/Areas select Europe
- tzdata tzdata/Zones/Europe select Paris
- EOF
- rule dpkg_reconfigure tzdata
- rule ntp_configure
- }
-rule_unbound_configure () {
- sudo apt-get install unbound
- rule insserv_remove unbound
- sudo install -m 644 -o root -g root /dev/stdin /etc/resolv.conf <<-EOF
- search ${vm_host#*.}
- nameserver 127.0.0.1
- #nameserver ${vm_host_nameserver}
- EOF
- sudo install -m 440 -o unbound -g unbound \
- "$tool"/etc/unbound/named.cache \
- /etc/unbound/named.cache
- m4 \
- --define=OUTGOING_INTERFACE=$vm_ipv4 \
- <"$tool"/etc/unbound/unbound.conf |
- sudo install -m 440 -o unbound -g unbound /dev/stdin \
- /etc/unbound/unbound.conf
- rule runit_configure unbound
- }
rule_user_add () { # SYNTAX: $user
local user="$1"; shift
rule adduser "$user" --disabled-password "$@"
rule boot_configure
rule sysctl_configure
rule user_configure
- rule mail_configure
rule gitolite_configure
- rule www_configure
- rule nginx_configure
- #rule apache2_configure
- rule nsd3_configure
- rule unbound_configure
- rule postgresql_configure
- rule mysql_configure
rule shorewall_configure
rule runit_configure
}