-Subproject commit 3f7a2f4e12a66d9444e507c21e21f9acc5bed3f5
+Subproject commit dd0f4ab2b20259d1e280760d31dd78285b7cc329
! getent passwd gitweb >/dev/null ||
sudo install -d -m 770 -o gitweb -g gitweb \
/run/tmp/gitweb
+
+ sudo install -d -m 1771 -o root -g root \
+ /run/spawn-fcgi
fi
ES=$?
fastcgi_busy_buffers_size 256k;
fastcgi_connect_timeout 60;
fastcgi_ignore_client_abort off;
-fastcgi_index index.php;
fastcgi_intercept_errors on;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_read_timeout 180;
fastcgi_send_timeout 180;
fastcgi_temp_file_write_size 256k;
-fastcgi_param REDIRECT_STATUS 200;
- # NOTE: PHP only, required if PHP was built with --enable-force-cgi-redirect
log_format main
'$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for" nocache:$no_cache document_root:$document_root'
- ' fastcgi_script_name:$fastcgi_script_name'
- ' request_filename:$request_filename';
+ '"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main buffer=32k;
client_body_buffer_size 4K;
# NOTE: % getconf PAGESIZE
--- /dev/null
+#!/bin/sh
+set -e -f -u -x
+local hint="run vm_remote nginx_configure before"
+assert "sudo test -f /etc/nginx/x509.d/\"$site\"/key.pem" hint
+sudo install -m 664 -o www -g www \
+ "$tool"/var/pub/x509/git.heureux-cyclage.org/crt+ca.pem \
+ /etc/nginx/x509.d/"$site"/crt.pem
+
+sudo rmdir ~www-data/"$site" || true
+sudo ln -fns "${site%-tls}" ~www-data/"$site"
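Review bot: The certificate chain is installed with `sudo install -m 664 -o www -g www`, so any process in group www can rewrite the chain nginx serves, while the enclosing `x509.d/$site` directory and `key.pem` are created `root:root` with modes 770 and 400 in the `rule_nginx_configure` hunk of this same commit; nginx reads certificates as root at configuration load, so `sudo install -m 644 -o root -g root \` keeps it readable without the group-write exposure. The `local hint=...` at file top only works because this file is sourced from inside `rule_nginx_configure`; a leading comment such as `# sourced by rule_nginx_configure; not a standalone script` would stop someone running it directly, where `local` outside a function fails and the `#!/bin/sh` line suggests it is allowed.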
--- /dev/null
+listen 443;
+include /etc/nginx/conf.d/ssl.conf;
+ssl_certificate /etc/nginx/x509.d/lhc-git-tls/crt.pem;
+ssl_certificate_key /etc/nginx/x509.d/lhc-git-tls/key.pem;
+ssl_session_timeout 5m;
--- /dev/null
+../gitweb/site.conf
\ No newline at end of file
--- /dev/null
+git.heureux-cyclage.org
--- /dev/null
+rule apt_get_install gitweb highlight
+
+sudo ln -fns /etc/gitweb /home/git/etc/gitweb
+sudo install -d -m 550 -o www-"$site" -g www-"$site" \
+ /etc/gitweb \
+ /etc/gitweb/cgi
+sudo install -m 740 -o git -g www-"$site" /dev/stdin \
+ /home/git/etc/gitweb/gitweb.conf <<-EOF
+ \$commit_oneline_message_width = 70;
+ \$default_projects_order = 'age';
+ \$default_text_plain_charset = 'UTF-8';
+ @diff_opts = ();
+ \$favicon = "img/git-favicon.png";
+ \$git_temp = "/run/shm/tmp/gitweb";
+ \$home_footer = "/etc/gitweb/cgi/home-footer.cgi.inc";
+ \$home_header = "/etc/gitweb/cgi/home-header.cgi.inc";
+ \$home_link = "/";
+ \$home_link_str = 'dépôts';
+ \$home_th_age = 'activité';
+ \$home_th_descr = 'description';
+ \$home_th_owner = 'contact';
+ \$home_th_project = 'dépôt';
+ \$javascript = "js/gitweb.js";
+ \$logo = "img/git-logo.png";
+ \$my_uri = "";
+ \$projectroot = "../git";
+ \$projects_list = "/etc/gitolite/projects.list";
+ \$projects_list_description_width = 42;
+ \$projects_list_owner_width = 15;
+ \$search_str = "Filtre :";
+ \$site_footer = "/etc/gitweb/cgi/site-footer.bin";
+ \$site_header = undef;
+ \$site_name = "git.$vm_domainname";
+ \$space_to_nbsp = 0;
+ @stylesheets = ("css/gitweb.css");#
+ \$untabify_tabstop = 2;
+ EOF
+sudo adduser www-data git-data
+sudo adduser www-"$site"-tls www-"$site"
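Review bot: `$git_temp = "/run/shm/tmp/gitweb"` in the generated gitweb.conf does not match the `/run/tmp/gitweb` directory the tmpfs hunk at the top of this commit creates with `-m 770 -o gitweb -g gitweb`, and gitweb.cgi is presumably run by spawn-fcgi as `fcgi-"$sv"` rather than as `gitweb` (see the spawn-fcgi run scripts); whichever path is intended has to exist and be writable by that account or blob and diff generation fails, so the two should be aligned — I cannot tell from the diff which one is right. The trailing `#` on `@stylesheets = ("css/gitweb.css");#` looks like a leftover. `sudo ln -fns /etc/gitweb /home/git/etc/gitweb` runs before `/etc/gitweb` is created by the following `install -d`; it works only because the link is allowed to dangle, and swapping the two lines reads more naturally.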
--- /dev/null
+listen 80;
--- /dev/null
+server_name git.heureux-cyclage.org;
+
+client_body_buffer_size 8k;
+client_max_body_size 10m;
+location / {
+ index index.html;
+ root /usr/share/gitweb;
+ }
+location ~* ^.+.(css|gif|html|ico|jpeg|js|jpg|png|txt|xml)$ {
+ access_log off;
+ expires 30d;
+ log_not_found off;
+ }
+location ~ /\. {
+ access_log off;
+ deny all;
+ log_not_found off;
+ }
+location ~ ^.*\.git/objects/([0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx)) {
+ # NOTE: static repo files for cloning over HTTP
+ root /home/git/pub;
+ }
+location ~ ^.*\.git/(HEAD|info/refs|objects/info/.*|git-(upload|receive)-pack)$ {
+ # NOTE: requests that need to go to git-http-backend
+ root /home/git/pub;
+ include /etc/nginx/conf.d/fastcgi.conf;
+ fastcgi_param GIT_HTTP_EXPORT_ALL "";
+ fastcgi_param GIT_PROJECT_ROOT /home/git/pub;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param REMOTE_USER $remote_user;
+ fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
+ }
+location @gitweb {
+ include /etc/nginx/conf.d/fastcgi.conf;
+ set $no_cache "0";
+ if ($request_method !~ ^(GET|HEAD)$) {
+ # NOTE: if non GET/HEAD, don't cache and mark user as uncacheable for 1 second via cookie.
+ set $no_cache "1";
+ }
+ if ($no_cache = "1") {
+ # NOTE: drop no cache cookie if need be (for some reason, add_header fails if included in prior if-block).
+ add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/";
+ add_header X-Microcachable "0";
+ }
+ if ($http_cookie ~* "_mcnc") {
+ # NOTE: bypass cache if no-cache cookie is set.
+ set $no_cache "1";
+ }
+ fastcgi_cache_bypass $no_cache;
+ fastcgi_cache_use_stale updating;
+ fastcgi_cache_valid 200 10s;
+ fastcgi_cache_valid 404 30m;
+ fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
+ fastcgi_max_temp_file_size 2M;
+ fastcgi_no_cache $no_cache;
+ fastcgi_param GITWEB_CONFIG /etc/gitweb/gitweb.conf;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param REDIRECT_STATUS 200;
+ # NOTE: PHP only, required if PHP was built with --enable-force-cgi-redirect
+ fastcgi_param SCRIPT_FILENAME /usr/share/gitweb/gitweb.cgi;
+
+ fastcgi_pass_header Cookie;
+ fastcgi_pass_header Set-Cookie;
+ fastcgi_split_path_info ^(.+\.cgi)(/.+)$;
+
+ fastcgi_pass unix:/run/spawn-fcgi/gitweb;
+ }
+try_files $uri @gitweb;
+ # NOTE: send anything else to gitweb if it's not a real file
+
+# vim: ft=sh
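Review bot: `fastcgi_param REDIRECT_STATUS 200;` with its `# NOTE: PHP only ...` comment has been carried into the `@gitweb` location, which now talks to fcgiwrap running gitweb.cgi; this commit removes the same pair from the shared fastcgi.conf and re-adds it to the PHP site where it belongs, so the two lines should be dropped here. `fastcgi_split_path_info ^(.+\.cgi)(/.+)$;` produces `$fastcgi_path_info`, but `PATH_INFO` is passed as `$uri` a few lines earlier, so that part of the split is unused; if the split is meant to drive path info, pass `fastcgi_param PATH_INFO $fastcgi_path_info;`, otherwise the directive can go. The static-file regex `^.+.(css|gif|html|...)$` lacks the escape before the extension and also matches names such as `/foocss`; `^.+\.(css|gif|html|ico|jpeg|js|jpg|png|txt|xml)$` is presumably what is intended (the remorque site.conf in this commit has the same pattern).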
+++ /dev/null
-#!/bin/sh
-set -e -f -u -x
-local hint="run vm_remote nginx_key_send before"
-assert "sudo test -f /etc/nginx/x509.d/\"$site\"/key.pem" hint
-sudo install -m 664 -o www -g www \
- "$tool"/var/pub/x509/git.heureux-cyclage.org/crt+ca.pem \
- /etc/nginx/x509.d/"$site"/crt.pem
-
-sudo rmdir ~www-data/"$site" || true
-sudo ln -fns "${site%-tls}" ~www-data/"$site"
+++ /dev/null
-git.heureux-cyclage.org
+++ /dev/null
-listen 443;
-include /etc/nginx/conf.d/ssl.conf;
-ssl_certificate /etc/nginx/x509.d/lhc-git-tls/crt.pem;
-ssl_certificate_key /etc/nginx/x509.d/lhc-git-tls/key.pem;
+++ /dev/null
-../lhc-git/site.conf
\ No newline at end of file
+++ /dev/null
-sudo adduser php5-lhc-git www-"$site"
-sudo adduser php5-lhc-git git-data
-sudo adduser www-data git-data
-sudo adduser www-"$site"-tls www-"$site"
+++ /dev/null
-listen 80;
+++ /dev/null
-server_name git.heureux-cyclage.org;
-
-client_body_buffer_size 8k;
-client_max_body_size 10m;
-location / {
- index index.html index.htm index.php;
- root /usr/share/gitweb;
- }
-location ~* ^.+.(css|gif|html|ico|jpeg|js|jpg|png|txt|xml)$ {
- access_log off;
- expires 30d;
- log_not_found off;
- }
-location ~ /\. {
- access_log off;
- deny all;
- log_not_found off;
- }
-location ~ ^.*\.git/objects/([0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx)) {
- # NOTE: static repo files for cloning over HTTP
- root /home/git/pub;
- }
-location ~ ^.*\.git/(HEAD|info/refs|objects/info/.*|git-(upload|receive)-pack)$ {
- # NOTE: requests that need to go to git-http-backend
- root /home/git/pub;
- include /etc/nginx/conf.d/fastcgi.conf;
- fastcgi_param GIT_HTTP_EXPORT_ALL "";
- fastcgi_param GIT_PROJECT_ROOT /home/git/pub/git;
- fastcgi_param PATH_INFO $uri;
- fastcgi_param REMOTE_USER $remote_user;
- fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
- }
-location @gitweb {
- include /etc/nginx/conf.d/fastcgi.conf;
- set $no_cache "0";
- if ($request_method !~ ^(GET|HEAD)$) {
- # NOTE: if non GET/HEAD, don't cache and mark user as uncacheable for 1 second via cookie.
- set $no_cache "1";
- }
- if ($no_cache = "1") {
- # NOTE: drop no cache cookie if need be (for some reason, add_header fails if included in prior if-block).
- add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/";
- add_header X-Microcachable "0";
- }
- if ($http_cookie ~* "_mcnc") {
- # NOTE: bypass cache if no-cache cookie is set.
- set $no_cache "1";
- }
- fastcgi_cache_bypass $no_cache;
- fastcgi_cache_use_stale updating;
- fastcgi_cache_valid 200 10s;
- fastcgi_cache_valid 404 30m;
- fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
- fastcgi_max_temp_file_size 2M;
- fastcgi_no_cache $no_cache;
- fastcgi_param GITWEB_CONFIG /etc/gitweb/gitweb.conf;
- fastcgi_param PATH_INFO $uri;
- fastcgi_param SCRIPT_FILENAME /usr/share/gitweb/gitweb.cgi;
-
- fastcgi_pass_header Cookie;
- fastcgi_pass_header Set-Cookie;
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
-
- fastcgi_pass unix:/run/php5/fpm/gitweb;
- }
-ssl_session_timeout 5m;
-try_files $uri @gitweb;
- # NOTE: send anything else to gitweb if it's not a real file
-
-# vim: ft=sh
--- /dev/null
+local hint="run vm_remote nginx_configure before"
+assert "sudo getent passwd wiki-\"$site\" >/dev/null" hint
+assert "sudo test -f ~wiki-$site/etc/ssh/id_rsa" hint
+
+rule apt_get_install ikiwiki \
+ libsearch-xapian-perl
+
+rule adduser fcgi-"$site" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/www/pub/"$site" \
+ --shell /bin/false \
+ --system
+rule adduser www-"$site" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/www/pub/"$site" \
+ --shell /bin/false \
+ --system
+sudo adduser fcgi-"$site" www-"$site"
+sudo adduser fcgi-"$site" wiki-"$site"
+#sudo adduser www-"$site"-tls www-"$site"
+sudo install -d -m 2770 -o wiki-"$site" -g wiki-"$site" \
+ /home/lhc/var/ikiwiki/remorque
+
+sudo install -d -m 2770 -o wiki-"$site" -g wiki-"$site" \
+ /home/lhc/var/ikiwiki/remorque
+sudo install -d -m 2750 -o wiki-"$site" -g git \
+ /home/git/hooks/remorque
+sudo install -m 3771 -o git -g git /dev/stdin \
+ /home/git/pub/remorqueatelier.git/hooks/post-update <<-EOF
+ #!/bin/sh -efux
+
+ # The cd below is why we must use this script.
+ # The current directory may not be accessible
+ # by the user running the ikiwiki.
+ # the execution of the ikiwiki wrapper would fail with :
+ # "E: Failed to change to directory '...': Permission denied"
+ cd /
+
+ exec /home/git/hooks/remorque/post-update.ikiwiki
+ EOF
+
+if test -d /home/lhc/var/ikiwiki/remorque/.git
+ then sudo -u wiki-"$site" \
+ sh -c 'cd /home/lhc/var/ikiwiki/remorque && git pull -v'
+ else
+ (
+ eval cd ~wiki-"$site"
+ set +f
+ sudo -u wiki-"$site" \
+ git clone \
+ git@localhost:remorqueatelier \
+ /home/lhc/var/ikiwiki/remorque/git
+ sudo mv -i \
+ /home/lhc/var/ikiwiki/remorque/git/.git* \
+ /home/lhc/var/ikiwiki/remorque/git/* \
+ /home/lhc/var/ikiwiki/remorque/
+ )
+ sudo rmdir /home/lhc/var/ikiwiki/remorque/git
+ fi
+
+sudo install -m 400 -o wiki-"$site" -g wiki-"$site" \
+ "$tool"/etc/nginx/site.d/"$site"/ikiwiki.setup \
+ /home/lhc/var/ikiwiki/remorque/etc/ikiwiki.setup
+eval cd ~wiki-"$site"
+sudo adduser wiki-"$site" www-"$site"
+
+sudo install -d -m 2770 -o wiki-"$site" -g fcgi-"$site" \
+ /home/www/pub/"$site"/cgi
+
+sudo -u wiki-"$site" ikiwiki \
+ --verbose \
+ --setup /home/lhc/var/ikiwiki/remorque/etc/ikiwiki.setup \
+ --refresh \
+ --wrappers
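Review bot: `sudo install -d -m 2770 -o wiki-"$site" -g wiki-"$site" /home/lhc/var/ikiwiki/remorque` is issued twice in a row; one copy can go. The post-update hook is installed `-m 3771`, which on a regular file sets setgid and sticky bits that Linux ignores for scripts and leaves the hook group-writable, so anyone in group git can alter code that runs on every push; `-m 750` is the conventional mode for a hook unless group write is really wanted. `sudo mv -i ...` inside a `set -e` script run without a terminal fails instead of prompting when a destination exists; plain `mv` (or `mv -n`) states the intent for a fresh clone. The closing `eval cd ~wiki-"$site"` changes the working directory of whatever shell sources this file.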
--- /dev/null
+#!/usr/bin/perl
+
+use IkiWiki::Setup::Standard {
+ wikiname => 'Remorque Atelier',
+ adminemail => 'admin+lhc-remorque@heureux-cyclage.org',
+ adminuser => [qw{
+ julm
+ lchevalier
+ }],
+ banned_users => [],
+ srcdir => "/home/lhc/var/ikiwiki/remorque",
+ destdir => "/home/www/pub/lhc-remorque",
+ #templatedir => "/home/lhc/var/ikiwiki/remorque/tmpl",
+ templatedir => '/usr/share/ikiwiki/templates',
+ underlaydir => '/usr/share/ikiwiki/basewiki',
+ url => '/',
+ cgiurl => '/cgi/ikiwiki.cgi',
+ #prefsurl => "https://$ENV{site}/cgi/ikiwiki.cgi",
+ #cgi_wrapper => 'cgi/ikiwiki.cgi',
+ #cgi_wrappermode => '02750',
+ cgiauthurl => "https://remorque.heureux-cyclage.org/auth/cgi/ikiwiki.cgi",
+ httpauth_pagespec => '!*/Discussion and !tmp',
+ anonok_pagespec => '*/Discussion or tmp',
+ locked_pages => '(user(git) and * and !*/Discussion and !tmp) and !*/Discussion',
+ rcs => "git",
+ historyurl => "/git/?p=remorqueatelier.git;a=history;f=[[file]]",
+ diffurl => "/git/?p=remorqueatelier.git;a=blobdiff;f=[[file]];h=[[sha1_to]];hp=[[sha1_from]];hb=[[sha1_commit]];hpb=[[sha1_parent]]",
+ gitorigin_branch => "origin",
+ gitmaster_branch => "master",
+ wrappers => [
+ { cgi => 1
+ , wrapper => "/home/www/pub/lhc-remorque/cgi/ikiwiki.cgi"
+ , wrappermode => "00750"
+ }
+ , { post_commit => 1
+ , wrapper => "/home/git/hooks/remorque/post-update.ikiwiki"
+ , wrappermode => "06750"
+ , wrapper_background_command => ""
+ }
+ # , { post_commit => 1
+ # , wrapper => "/home/git/pub/remorqueatelier/hooks/post-receive.iki"
+ # , wrappermode => "06750"
+ # , wrapper_background_command => ""
+ # }
+ # , { test_receive => 1
+ # , wrapper => "/home/git/pub/remorqueatelier.git/hooks/pre-receive.iki"
+ # , wrappermode => "06750"
+ # }
+ ],
+ #untrusted_committers => undef,
+ add_plugins => [qw{
+ 404
+ attachment
+ brokenlinks
+ cutpaste
+ editdiff
+ favicon
+ htmlscrubber
+ httpauth
+ img
+ inline
+ link
+ lockedit
+ map
+ orphans
+ pagecount
+ pagestats
+ progress
+ recentchanges
+ recentchangesdiff
+ remove
+ rename
+ repolist
+ search
+ sidebar
+ table
+ tag
+ template
+ toc
+ }],
+ disable_plugins => [qw{
+ anonok
+ httpauth
+ mail
+ more
+ openid
+ passwordauth
+ rename
+ shortcut
+ signinedit
+ toggle
+ }],
+ verbose => 1,
+ #syslog => 1,
+ usedirs => 1,
+ prefix_directives => 1,
+ indexpages => 0,
+ discussion => 1,
+ discussionpage => 'Discussion',
+ html5 => 0,
+ sslcookie => 1,
+ default_pageext => 'mdwn',
+ htmlext => 'xhtml',
+ timeformat => '%c',
+ locale => 'fr_FR.UTF-8',
+ #userdir => 'usr',
+ numbacklinks => 10,
+ hardlink => 0,
+ umask => 002,
+ #wrappergroup => 'ikiwiki',
+ #libdir => '/home/lhc/var/ikiwiki/remorqueatelier/.ikiwiki',
+ libdir => '',
+ ENV => {},
+ #include => '^\\.htaccess$',
+ exclude => '^/etc$',
+ #wiki_file_chars => '-[:alnum:]+/.:_@’()&',
+ wiki_file_chars => '-[:alnum:]+/.:_',
+ allow_symlinks_before_srcdir => 1,
+ #htmlscrubber_skip => '!*/Discussion',
+ #rss => 0,
+ atom => 1,
+ #allowrss => 0,
+ allowatom => 1,
+ pingurl => [],
+ #blogspam_pagespec => 'postcomment(*)',
+ #blogspam_options => 'blacklist=1.2.3.4,blacklist=8.7.6.5,max-links=10',
+ #blogspam_server => '',
+ #moderate_pagespec => 'user(http://*)',
+ #openid_realm => '',
+ #openid_cgiurl => '',
+ #openidsignup => 'http://myopenid.com/',
+ account_creation_password => 'w3_sh411_0v3rc0m3',
+ password_cost => 8,
+ #tohighlight => '.c .h .cpp .pl .py Makefile:make',
+ #multimarkdown => 0,
+ #allowed_attachments =>
+ # ' (mimetype(image/*) and maxsize(100kb))
+ # or (mimetype(application/pdf) and maxsize(2mb)
+ # )',
+ #virus_checker => 'clamdscan -',
+ #comments_pagespec => 'blog/* and !*/Discussion',
+ #comments_closed_pagespec => 'blog/controversial or blog/flamewar',
+ #comments_pagename => '',
+ #comments_allowdirectives => 0,
+ #comments_allowauthor => 0,
+ #comments_commit => 1,
+ #getsource_mimetype => 'text/plain; charset=utf-8',
+ #mirrorlist => {},
+ repositories =>
+ [ "git://git.heureux-cyclage.org/remorqueatelier.git"
+ , "git\@git.heureux-cyclage.org:remorqueatelier.git"
+ ],
+ omega_cgi => '/usr/lib/cgi-bin/omega/omega',
+ search_pagespec => '* and !recentchanges/*',
+ #websetup_force_plugins => [],
+ #websetup_unsafe => [],
+ #websetup_show_unsafe => 1,
+ #archivebase => 'archives',
+ #archive_pagespec => 'posts/* and !*/Discussion',
+ #directive_description_dir => 'ikiwiki/directive',
+ #teximg_dvipng => '',
+ #teximg_prefix => '\\documentclass{article}
+ #\\usepackage{amsmath}
+ #\\usepackage{amsfonts}
+ #\\usepackage{amssymb}
+ #\\pagestyle{empty}
+ #\\begin{document}
+ #',
+ #teximg_postfix => '\\end{document}',
+ #aggregateinternal => 1,
+ #aggregate_webtrigger => 0,
+ #camelcase_ignore => [],
+ #pinger_timeout => 15,
+ #prettydateformat => '%X, %B %o, %Y',
+ recentchangespage => 'recentchanges',
+ recentchangesnum => 100,
+ #rsync_command => 'rsync -qa --delete . user@host:/path/to/docroot/',
+ global_sidebars => '*',
+ #tagbase => 'tag',
+ #add_underlays => [qw{/home/fai/wiki.underlay}],
+ #add_templates => [qw{/home/fai/.ikiwiki/templates}],
+ external_links => qr{^(git)(/.*|$)},
+ attachment =>
+ { insert => 'Lier'
+ , rename => 'Renommer'
+ , remove => 'Détacher'
+ , upload => 'Attacher'
+ },
+ backlinks =>
+ { map_tmpl => 'map-doc'
+ , map_id => 'backlink'
+ , tmpl => 'page.tmpl'
+ , page => 'backlinks'
+ , title => 'rétro-liens'
+ },
+ edit =>
+ { title => 'édition'
+ , save => 'Sauvegarder'
+ , preview => 'Apercevoir'
+ , cancel => 'Annuler'
+ , remove => 'Supprimer'
+ , rename => 'Bouger'
+ , diff => 'Comparer'
+ , location => 'Emplacement'
+ , type => 'Type'
+ },
+ tag =>
+ { map_tmpl => 'map-doc'
+ , map_id => 'backlink'
+ , tmpl => 'page.tmpl'
+ , page => 'tag'
+ , title => 'étiquette'
+ },
+ toc =>
+ { id => 'may-be-invalid'
+ , back => '↑ '
+ },
+ default_file => 'default.mdwn'
+ }
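Review bot: `account_creation_password => 'w3_sh411_0v3rc0m3'` commits a live credential in clear text to the repository; the tree already keeps secrets GPG-encrypted under `var/sec` (the `gpg --decrypt "$tool"/var/sec/ssh/... ` hunk), so this value should be delivered the same way, and since it is now in history it should be treated as disclosed and changed. `httpauth` and `rename` appear in both `add_plugins` and `disable_plugins`; as far as I recall ikiwiki lets `disable_plugins` win, which would make `httpauth_pagespec` dead configuration and remove the rename action the `edit` and `attachment` label tables translate, so each plugin should be in only one of the two lists. A short header comment naming the host and site this setup is installed for (it hard-codes `remorque.heureux-cyclage.org` and `/home/www/pub/lhc-remorque`) would help the next editor, since the file is otherwise undocumented.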
--- /dev/null
+listen 80;
--- /dev/null
+gpg --decrypt "$tool"/var/sec/ssh/wiki-"$site".gpg |
+rule ssh -l root ' \
+ set -e -f -u -x
+ sudo install -d -m 1751 -o lhc -g lhc \
+ /home/lhc \
+ /home/lhc/var \
+ /home/lhc/var/ikiwiki
+ sudo install -d -m 2770 -o wiki-'"'$site'"' -g wiki-'"'$site'"' \
+ /home/lhc/var/ikiwiki/remorque
+ getent passwd wiki-'"'$site'"' >/dev/null ||
+ sudo adduser wiki-'"'$site'"' \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/lhc/var/ikiwiki/"$site" \
+ --shell /bin/false \
+ --system
+ sudo install -d -m 750 -o wiki-'"'$site'"' -g wiki-'"'$site'"' \
+ /home/lhc/var/ikiwiki/remorque/etc/ssh
+ sudo install -m 400 -o wiki-'"'$site'"' -g wiki-'"'$site'"' /dev/stdin \
+ /home/lhc/var/ikiwiki/remorque/etc/ssh/id_rsa
+ '
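Review bot: Inside the single-quoted script sent through `rule ssh`, `--home /home/lhc/var/ikiwiki/"$site"` is not expanded locally, unlike the `'"'$site'"'` splices used on every other line of the same script; the remote side runs `set -u`, so the `adduser` either aborts on the unset `site` or, without `-u`, creates the account with home `/home/lhc/var/ikiwiki/`. Use the same splice, `--home /home/lhc/var/ikiwiki/'"'$site'"' \`, or the literal `/home/lhc/var/ikiwiki/remorque` that every other path in this script uses. Note that the remorque remote.sh in this commit asserts `~wiki-$site/etc/ssh/id_rsa` while the key is installed here under `/home/lhc/var/ikiwiki/remorque/etc/ssh/id_rsa`, so the home directory chosen must make those two agree.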
--- /dev/null
+server_name remorque.heureux-cyclage.org;
+
+client_body_buffer_size 8k;
+client_max_body_size 10m;
+location / {
+ try_files $uri $uri/index.xhtml = 404;
+ }
+location ~* ^.+.(css|gif|html|ico|jpeg|js|jpg|png|txt|xml)$ {
+ access_log off;
+ expires 30d;
+ log_not_found off;
+ }
+location ~ /\. {
+ access_log off;
+ deny all;
+ log_not_found off;
+ }
+location /cgi/ikiwiki.cgi {
+ include /etc/nginx/conf.d/fastcgi.conf;
+ fastcgi_index cgi/ikiwiki.cgi;
+ fastcgi_pass unix:/run/spawn-fcgi/lhc-remorque;
+ }
+
+# vim: ft=sh
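Review bot: `try_files $uri $uri/index.xhtml = 404;` has a space in the fallback, so nginx treats `=` as a file to probe and `404` as a fallback URI for an internal redirect rather than a status code; it has to be `try_files $uri $uri/index.xhtml =404;`. The static-file regex `^.+.(css|gif|...)$` needs `\.` before the group, otherwise any name ending in those bare letters matches; the gitweb site.conf in this commit carries the same pattern. `location /cgi/ikiwiki.cgi` is a prefix match, so `/cgi/ikiwiki.cgi.orig` or `/cgi/ikiwiki.cgianything` also reach the FastCGI socket; `location = /cgi/ikiwiki.cgi` is tighter if no path info is needed, which I believe is the case for ikiwiki.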
#!/bin/sh
set -e -f -u -x
-local hint="run vm_remote nginx_key_send before"
+local hint="run vm_remote nginx_configure before"
assert "sudo test -f /etc/nginx/x509.d/\"$site\"/key.pem" hint
sudo install -m 664 -o www -g www \
"$tool"/var/pub/x509/www.heureux-cyclage.org/crt+ca.pem \
+++ /dev/null
-www.heureux-cyclage.org
--- /dev/null
+www.heureux-cyclage.org
client_body_buffer_size 8k;
client_max_body_size 10m;
location / {
- root /home/www/pub/lhc-www;
index index.html index.htm index.php;
}
location ~* ^.+.(css|gif|html|ico|jpeg|js|jpg|png|txt|xml)$ {
fastcgi_cache_valid 200 10s;
fastcgi_cache_valid 404 10m;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
+ fastcgi_index index.php;
fastcgi_max_temp_file_size 2M;
fastcgi_no_cache $no_cache;
+ fastcgi_param REDIRECT_STATUS 200;
+ # NOTE: PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_pass_header Cookie;
fastcgi_pass_header Set-Cookie;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
+++ /dev/null
-pm.max_children = 15
-pm.max_requests = 200
-pm.max_spare_servers = 15
-pm.min_spare_servers = 2
-pm.process_idle_timeout = 60s
-pm.start_servers = 3
-request_slowlog_timeout = 5s
-request_terminate_timeout = 120s
-rlimit_core = unlimited
-rlimit_files = 131072
-security.limit_extensions = .php
+++ /dev/null
-#!/bin/sh -efux
--- /dev/null
+#!/bin/sh -eux
+rule adduser git-daemon\
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/git/pub \
+ --shell /bin/false \
+ --system
+rule adduser log-git-daemon\
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/git/log/git-daemon \
+ --shell /bin/false \
+ --system
+sudo adduser git-daemon git-data
+sudo adduser log-git log-git-daemon
+sudo install -d -m 770 -o log-"$sv" -g log-"$sv" \
+ /home/git/log/"$sv"
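Review bot: `rule adduser git-daemon\` and `rule adduser log-git-daemon\` glue the continuation backslash to the user name; it parses only because the next line begins with whitespace, and this very commit fixes the same thing in `rule_gitolite_configure` (`rule adduser git-data \`), so write `rule adduser git-daemon \` here as well. The `#!/bin/sh -eux` shebang is inert because this file is sourced by `rule_runit_configure` (`. "$tool"/etc/sv/"$sv"/configure.sh`) and depends on `rule` and `$sv` from that caller; a comment such as `# sourced by rule_runit_configure with $sv set; not a standalone script` would make that contract explicit, and the same applies to the two spawn-fcgi configure.sh files.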
-#!/bin/sh -efux
-user=git-daemon
-cd /home/git/log/git-daemon/
-exec chpst -u log-"$user":log-"$user" \
- /usr/bin/svlogd -tt /home/git/log/git-daemon/
+#!/bin/sh -eux
+sv=${PWD%/log}
+sv=${sv#/etc/sv/}
+eval "home=~log-$sv"
+cd "$home"
+exec chpst -u log-"$sv":log-"$sv" \
+ svlogd -v -tt "$home"
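Review bot: `sv=${PWD%/log}` followed by `sv=${sv#/etc/sv/}` yields the service name only when `$PWD` is the physical `/etc/sv/<name>/log` path; the service is started through the `/etc/service/<name>` symlink that `rule_runit_configure` creates, so this relies on the shell re-deriving `PWD` via getcwd rather than inheriting it, and if it does not, `$sv` keeps an `/etc/service/...` prefix and `eval "home=~log-$sv"` produces nonsense. Stripping to the last path component is robust either way: `sv=${PWD%/log}` then `sv=${sv##*/}`, and `sv=${PWD##*/}` in the run scripts. The same derivation is used by the git-daemon, both spawn-fcgi and the mysql run and log/run scripts in this commit.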
-#!/bin/sh -efux
+#!/bin/sh -eux
exec 2>&1
+sv=${PWD#/etc/sv/}
+eval "home=~$sv"
exec /usr/bin/chpst \
- -u git-daemon:git-daemon \
- /usr/bin/git daemon \
- --base-path=/home/git/pub \
+ -u "$sv":"$sv":git-data \
+ /usr/lib/git-core/git-daemon \
+ --base-path="$home" \
--interpolated-path=/home/git/srv/%H%D \
--reuseaddr \
--user-path=pub/git \
--verbose \
-- \
- /home/git/pub/git
+ "$home"
--- /dev/null
+#!/bin/sh -eux
+rule adduser fcgi-"$sv" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/www/pub/"$sv" \
+ --shell /bin/false \
+ --system
+rule adduser log-fcgi-"$sv" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/www/log/"$sv"/spawn-fcgi \
+ --shell /bin/false \
+ --system
+sudo adduser fcgi-"$sv" www-"$sv"
+#sudo adduser fcgi-"$site" git-data
+sudo install -d -m 770 -o log-fcgi-"$sv" -g log-fcgi-"$sv" \
+ /home/www/log/"$sv"/spawn-fcgi
--- /dev/null
+#!/bin/sh -eux
+sv=${PWD%/log}
+sv=${sv#/etc/sv/}
+eval "home=~log-fcgi-$sv"
+cd "$home"
+exec chpst -u log-fcgi-"$sv":log-fcgi-"$sv" \
+ svlogd -v -tt "$home"
--- /dev/null
+#!/bin/sh -eux
+exec 2>&1
+sv=${PWD#/etc/sv/}
+exec /usr/bin/spawn-fcgi \
+ -u fcgi-"$sv" \
+ -g fcgi-"$sv" \
+ -U www-data \
+ -G www-data \
+ -M 0660 \
+ -n \
+ -s /run/spawn-fcgi/"$sv" \
+ -- /usr/bin/multiwatch \
+ --forks 3 \
+ -- /usr/sbin/fcgiwrap
--- /dev/null
+#!/bin/sh -eux
+rule adduser fcgi-"$sv" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/www/pub/"$sv" \
+ --shell /bin/false \
+ --system
+rule adduser log-fcgi-"$sv" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/www/log/spawn-fcgi/"$sv" \
+ --shell /bin/false \
+ --system
+sudo install -d -m 770 -o log-fcgi-"$sv" -g log-fcgi-"$sv" \
+ /home/www/log/"$sv"/spawn-fcgi
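Review bot: The `log-fcgi-"$sv"` account is created with `--home /home/www/log/spawn-fcgi/"$sv"`, but the directory installed right after is `/home/www/log/"$sv"/spawn-fcgi`, and the matching log/run script does `eval "home=~log-fcgi-$sv"` then `cd "$home"`, so svlogd would exit on a missing directory; the other spawn-fcgi configure.sh in this commit uses `--home /home/www/log/"$sv"/spawn-fcgi \`, which is the consistent value. Apart from that line and the missing `sudo adduser fcgi-"$sv" www-"$sv"`, the two configure.sh, log/run and run files are identical, so one copy plus symlinks (or a shared include) would keep them from drifting further.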
--- /dev/null
+#!/bin/sh -eux
+sv=${PWD%/log}
+sv=${sv#/etc/sv/}
+eval "home=~log-fcgi-$sv"
+cd "$home"
+exec chpst -u log-fcgi-"$sv":log-fcgi-"$sv" \
+ svlogd -v -tt "$home"
--- /dev/null
+#!/bin/sh -eux
+exec 2>&1
+sv=${PWD#/etc/sv/}
+exec /usr/bin/spawn-fcgi \
+ -u fcgi-"$sv" \
+ -g fcgi-"$sv" \
+ -U www-data \
+ -G www-data \
+ -M 0660 \
+ -n \
+ -s /run/spawn-fcgi/"$sv" \
+ -- /usr/bin/multiwatch \
+ --forks 3 \
+ -- /usr/sbin/fcgiwrap
-#!/bin/sh -efux
+#!/bin/sh -eux
exec 2>&1
+sv=${PWD#/etc/sv/}
+eval "home=~$sv"
exec /usr/bin/chpst \
- -u mysql:mysql \
+ -u "$sv":"$sv" \
/usr/sbin/mysqld \
--basedir=/usr \
- --datadir=/home/mysql \
+ --datadir=$home \
--pid-file=/var/run/mysqld/mysqld.pid \
--plugin-dir=/usr/lib/mysql/plugin \
--port=3306 \
--socket=/var/run/mysqld/mysqld.sock \
- --user=mysql
+ --user=$sv
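Review bot: `--datadir=$home` and `--user=$sv` are the only unquoted expansions in this run script, while `-u "$sv":"$sv"` two lines above is quoted; `eval "home=~$sv"` can produce a path containing spaces or glob characters, so write `--datadir="$home" \` and `--user="$sv"`. Deriving `sv` from `$PWD` has the same symlink caveat raised on the git-daemon log/run script in this commit.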
--- /dev/null
+ssh-rsa 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 wiki-lhc-remorque@ateliers.heureux-cyclage.org
. /etc/profile
}
-rule_apache2_configure () {
+rule_apache2_configure () { # XXX: cette règle n'est pas testée/mise-à-jour
local -; set +f
rule apt_get_install \
apache2-mpm-itk \
--home /home/git/log \
--shell /bin/false \
--system
- rule adduser git-data\
+ rule adduser git-data \
--disabled-login \
--disabled-password \
--group \
--home /home/git/pub \
--shell /bin/false \
--system
- rule adduser git-daemon\
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/git/pub \
- --shell /bin/false \
- --system
- rule adduser log-git-daemon\
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/git/log/git-daemon \
- --shell /bin/false \
- --system
sudo adduser git git-data
- sudo adduser git-daemon git-data
- sudo adduser log-git log-git-daemon
sudo install -d -m 770 -o git -g git \
/etc/gitolite \
/home/git/etc \
/home/git/etc/ssh
sudo install -d -m 751 -o git -g git \
/home/git
- sudo install -d -m 3771 -o git-data -g git-data \
+ sudo install -d -m 2770 -o git-data -g git-data \
/home/git/pub
sudo install -d -m 1771 -o git -g git \
/home/git/log
sudo install -d -m 2770 -o git -g log-git \
/home/git/log/gitolite \
/home/git/log/gitolite/perf
- sudo install -d -m 770 -o log-git-daemon -g log-git-daemon \
- /home/git/log/git-daemon
- sudo install -d -m 550 -o www-lhc-git -g www-lhc-git \
- /etc/gitweb \
- /etc/gitweb/cgi
+ sudo install -d -m 3771 -o git -g git \
+ /home/git/hooks
sudo ln -fns /etc/gitolite /home/git/etc/gitolite
sudo ln -fns /etc/gitweb /home/git/etc/gitweb
sudo ln -fns etc/gitolite/gitolite.rc /home/git/.gitolite.rc
\$WEB_INTERFACE = "gitweb";
1;
EOF
- sudo install -m 740 -o git -g www-lhc-git /dev/stdin \
- /home/git/etc/gitweb/gitweb.conf <<-EOF
- \$commit_oneline_message_width = 70;
- \$default_projects_order = 'age';
- \$default_text_plain_charset = 'UTF-8';
- @diff_opts = ();
- \$favicon = "img/git-favicon.png";
- \$git_temp = "/run/shm/tmp/gitweb";
- \$home_footer = "/etc/gitweb/cgi/home-footer.cgi.inc";
- \$home_header = "/etc/gitweb/cgi/home-header.cgi.inc";
- \$home_link = "/";
- \$home_link_str = 'dépôts';
- \$home_th_age = 'activité';
- \$home_th_descr = 'description';
- \$home_th_owner = 'contact';
- \$home_th_project = 'dépôt';
- \$javascript = "js/gitweb.js";
- \$logo = "img/git-logo.png";
- \$my_uri = "";
- \$projectroot = "../git";
- \$projects_list = "/etc/gitolite/projects.list";
- \$projects_list_description_width = 42;
- \$projects_list_owner_width = 15;
- \$search_str = "Filtre :";
- \$site_footer = "/etc/gitweb/cgi/site-footer.bin";
- \$site_header = undef;
- \$site_name = "git.$vm_domainname";
- \$space_to_nbsp = 0;
- @stylesheets = ("css/gitweb.css");#
- \$untabify_tabstop = 2;
- EOF
sudo install -m 600 -o git -g git \
"$tool"/var/pub/ssh/git.key \
- /home/git/etc/ssh/git.pub
+ /home/git/etc/ssh/git.pub
sudo -u git \
GL_RC=/home/git/etc/gitolite/gitolite.rc \
GIT_AUTHOR_NAME=git \
do test ! -d /home/git/etc/gitolite/"$d" ||
rmdir /home/git/etc/gitolite/"$d"
done
- rule apt_get_install gitweb highlight
sudo service tmpfs restart
}
rule_locales_configure () {
rule_mysql_configure () {
rule apt_get_install mysql-server-5.5
sudo install -m 644 -o root -g root \
- "$tool"/etc/mysql/my.cnf \
- /etc/mysql/my.cnf
- if test ! -d /home/mysql; then
- sudo install -d -m 750 -o mysql -g mysql \
- /home/mysql
- sudo -u mysql mysql_install_db --no-defaults --datadir=/home/mysql/
- fi
+ "$tool"/etc/mysql/my.cnf \
+ /etc/mysql/my.cnf
+ if test ! -d /home/mysql
+ then
+ sudo install -d -m 750 -o mysql -g mysql /home/mysql
+ sudo -u mysql mysql_install_db --no-defaults --datadir=/home/mysql
+ sudo usermod --home /home/mysql mysql
+ fi
}
rule_network_configure () {
sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
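Review bot: `sudo usermod --home /home/mysql mysql` sits inside `if test ! -d /home/mysql`, so on a host where the data directory already exists from an earlier run the account's home is never updated, yet the new mysql run script in this commit derives `--datadir` from `~mysql` through `eval "home=~$sv"`; if that home is still the packaging default, the daemon starts against the wrong directory. Move the `usermod` after the `fi` so it runs unconditionally (it is idempotent), or keep the explicit path in the run script.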
--disabled-login \
--disabled-password \
--group \
- --home /home/www-data/"$site" \
+ --home /home/www/pub/"$site" \
--shell /bin/false \
--system
rule adduser log-www-"$site" \
--home /home/www/log/"$site"/nginx \
--shell /bin/false \
--system
- sudo install -d -m 2770 -o log-www-"$site" -g log-www-"$site" \
+ sudo install -d -m 771 -o log-www -g log-www \
/home/www/log/"$site"
sudo install -d -m 770 -o www -g www \
/etc/nginx/site.d/"$site"
"$tool"/etc/sv/"$sv"/log/run \
/etc/sv/"$sv"/log/run
fi
- test ! -x "$tool"/etc/sv/"$sv"/configure ||
- "$tool"/etc/sv/"$sv"/configure
+ test ! -r "$tool"/etc/sv/"$sv"/configure.sh ||
+ . "$tool"/etc/sv/"$sv"/configure.sh
ln -fns ../sv/"$sv" /etc/service/"$sv"
eval local sv_status=\"\${sv_status_$sv_hash-}\"
case $sv_status in
- ("") sv start "$sv";;
+ ("") true;;
(run:*) sv restart "$sv";;
esac
done
/etc/ssh/ssh_host_ecdsa_key \
/etc/ssh/ssh_host_ecdsa_key.pub
# NOTE: clefs générées par Debian
- sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
- Port 22
- ListenAddress $vm_ipv4
- #ListenAddress ::
- Protocol 2
+ sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
+ AcceptEnv LANG LC_*
+ AuthorizedKeysFile %h/etc/ssh/authorized_keys
+ ChallengeResponseAuthentication no
+ ClientAliveInterval 0
Compression yes
+ DebianBanner no
+ GSSAPIAuthentication no
HostKey /etc/ssh/ssh_host_rsa_key
- UsePrivilegeSeparation yes
+ HostbasedAuthentication no
+ IgnoreRhosts yes
+ IgnoreUserKnownHosts no
+ KerberosAuthentication no
KeyRegenerationInterval 3600
- ServerKeyBits 768
- SyslogFacility AUTH
+ Port 22
+ ListenAddress 127.0.0.1
+ ListenAddress $vm_ipv4
LogLevel INFO
LoginGraceTime 120
+ PasswordAuthentication no
+ PermitEmptyPasswords no
PermitRootLogin yes
- StrictModes yes
- RSAAuthentication yes
+ PrintLastLog yes
+ PrintMotd no
+ Protocol 2
PubkeyAuthentication yes
- AuthorizedKeysFile %h/etc/ssh/authorized_keys
- IgnoreRhosts yes
+ RSAAuthentication yes
RhostsRSAAuthentication no
- HostbasedAuthentication no
- IgnoreUserKnownHosts no
- PermitEmptyPasswords no
- ChallengeResponseAuthentication no
- PasswordAuthentication no
- KerberosAuthentication no
- GSSAPIAuthentication no
- X11Forwarding no
- X11DisplayOffset 10
- PrintMotd no
- DebianBanner no
- PrintLastLog yes
- TCPKeepAlive yes
- ClientAliveInterval 0
- AcceptEnv LANG LC_*
+ ServerKeyBits 768
+ StrictModes yes
Subsystem sftp /usr/lib/openssh/sftp-server
+ SyslogFacility AUTH
+ TCPKeepAlive yes
UsePAM yes
+ UsePrivilegeSeparation yes
+ X11DisplayOffset 10
+ X11Forwarding no
+ EOF
+ sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/ssh_config <<-EOF
+ Host *
+ #Compression yes
+ #CompressionLevel 9
+ #ControlMaster auto
+ #ControlPath ~/var/run/ssh/%h-%p-%r.sock
+ GSSAPIAuthentication no
+ GSSAPIDelegateCredentials no
+ HashKnownHosts yes
+ IdentityFile ~/etc/ssh/id_dsa
+ IdentityFile ~/etc/ssh/id_rsa
+ IdentityFile ~/etc/ssh/identity
+ SendEnv LANG LC_*
+ StrictHostKeyChecking ask
+ UserKnownHostsFile ~/etc/ssh/known_hosts
EOF
sudo service ssh restart
}
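Review bot: The regenerated sshd_config keeps `Protocol 2` alongside SSH-1-only settings — `ServerKeyBits 768`, `KeyRegenerationInterval 3600`, `RSAAuthentication yes`, `RhostsRSAAuthentication no`; they have no effect with protocol 2 and recent OpenSSH releases warn on or ignore them, so this rewrite is a good moment to drop them. In the new ssh_config, `StrictHostKeyChecking ask` also applies to non-interactive runs, and the remorque remote.sh in this commit performs `sudo -u wiki-"$site" git clone git@localhost:remorqueatelier ...`; unless `~wiki-$site/etc/ssh/known_hosts` is pre-seeded with the localhost host key, that clone blocks on a prompt or fails. The added `ListenAddress 127.0.0.1` is what makes that `git@localhost` clone possible, so a comment next to it, `# 127.0.0.1: local git@localhost clones (ikiwiki)`, would record the dependency.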
rule sysctl_configure
rule user_configure
rule mail_configure
+ rule gitolite_configure
rule www_configure
rule php5_fpm_configure
rule nginx_configure
#rule apache2_configure
- rule gitolite_configure
rule runit_configure
}
/etc/dovecot/"$vm_domainname"/imap/x509/key.pem
'
}
-rule_gitolite_configure () {
+rule_gitolite_git () {
(
cd "$tool"/etc/gitolite
GIT_SSH=../../lib/ssh \
SSH_ASKPASS='"$tool"'/lib/ssh-pass \
SSH_ID=git \
ssh-add '"$tool"'/var/sec/ssh/git </dev/null && \
- git push -v origin '"$*"
+ git '"$*"
)
}
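Review bot: `git '"$*"` splices the caller's arguments into the quoted command text as a single string, so argument boundaries are lost and any argument containing spaces or shell metacharacters is re-split or interpreted when that text is executed — `rule_gitolite_git push -v origin "my branch"` would not do what the caller meant. The `'"$tool"'` quoting suggests this body is evaluated as a string, but the opening quote is outside the hunk; if so, pass the arguments through a variable expanded at evaluation time or quote each one before splicing, and if it is ordinary code, `git "$@"` is the correct form. A usage comment above the function, `# usage: rule_gitolite_git <git subcommand and args>`, would also help, since the old name implied `push`.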
-rule_nginx_key_send () {
+rule_nginx_configure () {
local -; set +f
- for conf in "$tool"/etc/nginx/site.d/*/key_send
+ for conf in "$tool"/etc/nginx/site.d/*/site.conf
do conf=${conf#"$tool"/etc/nginx/site.d/}
- local site=${conf%/key_send}
- rule _x509_site_key_decrypt \
- "$(cat "$tool"/etc/nginx/site.d/"$site"/key_send)" |
- rule ssh -l root ' \
- sudo install -d -m 770 -o root -g root \
- /etc/nginx \
- /etc/nginx/x509.d \
- /etc/nginx/x509.d/'"'$site'"'; \
- sudo install -m 644 -o root -g root /dev/stdin \
- /etc/nginx/x509.d/'"'$site'"'/.gitignore <<-EOF
- key.pem
- EOF
- sudo install -m 400 -o root -g root \
- /dev/stdin \
- /etc/nginx/x509.d/'"'$site'"'/key.pem
- '
+ local site="${conf%/site.conf}"
+ if test -f "$tool"/etc/nginx/site.d/"$site"/key_send
+ then
+ rule _x509_site_key_decrypt \
+ "$(cat "$tool"/etc/nginx/site.d/"$site"/key_send)" |
+ rule ssh -l root ' \
+ sudo install -d -m 770 -o root -g root \
+ /etc/nginx \
+ /etc/nginx/x509.d \
+ /etc/nginx/x509.d/'"'$site'"'; \
+ sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/nginx/x509.d/'"'$site'"'/.gitignore <<-EOF
+ key.pem
+ EOF
+ sudo install -m 400 -o root -g root /dev/stdin \
+ /etc/nginx/x509.d/'"'$site'"'/key.pem
+ '
+ fi
+ test ! -r "$tool"/etc/nginx/site.d/"$site"/remote.sh ||
+ . "$tool"/etc/nginx/site.d/"$site"/remote.sh
done
}
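Review bot: `. "$tool"/etc/nginx/site.d/"$site"/remote.sh` sources files that begin with `set -e -f -u -x`, and one of them ends with `eval cd ~wiki-"$site"`, so those options and that working directory leak into the remaining iterations of this `for conf in` loop and, depending on whether `local -` restores them, past the function; `set -f` cannot break the already-expanded glob, but `-u` and `-x` change how the rest of this shell behaves. Unless those scripts must set variables for the caller, run them in a subshell, `( . "$tool"/etc/nginx/site.d/"$site"/remote.sh )`, and drop their `#!/bin/sh` lines that suggest they are standalone.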
rule_postfix_key_send () {