@hosted % vm_hosted git_reset
TASK: se connecter interactivement en root à la VM avec une connection SSH persistante
@remote % ./vm_remote mosh -l root
-TASK: générer une autorité de certification et un sous-certificat TLS
+TASK: générer une autorité de certification et des sous-certificats TLS
% export TRACE=all
% random=/dev/urandom gpg_options="-r $USER@ -r $SOME_OTHER_USER@" lib/tool/openssl/make etc/openssl/heureux-cyclage.org
% random=/dev/urandom gpg_options="-r $USER@ -r $SOME_OTHER_USER@" lib/tool/openssl/make etc/openssl/*.heureux-cyclage.org
% git commit
% ../../vm_remote gitolite_push
TASK: configurer une zone DNS
- % vm runit_configure nsd3 -- heureux-cyclage.org
+ @hosted % vm runit_configure nsd3 -- heureux-cyclage.org
TASK: configurer un membre du groupe php5-fpm
- % vm runit_configure nginx -- lhc-www
+ @remote % ./vm_remote runit_configure nginx -- lhc_www
+ @hosted % vm_hosted runit_configure nginx -- lhc_www
TASK: configurer un site nginx
- % vm runit_configure nginx -- www.heureux-cyclage.org
+ @hosted % vm_hosted runit_configure nginx -- lhc_www
#!/bin/sh
set -e -f -u -x
-local hint="run vm_remote nginx_configure before"
+local hint="run before: ./vm_remote runit_configure nginx -- $site"
assert "sudo test -f /etc/nginx/x509.d/\"$site\"/key.pem" hint
sudo install -m 664 -o www -g www \
"$tool"/var/pub/x509/git.heureux-cyclage.org/crt+ca.pem \
-local hint="run vm_remote nginx_configure before"
+local hint="run before: ./vm_remote runit_configure nginx -- $site"
assert "sudo getent passwd wiki-\"$site\" >/dev/null" hint
assert "sudo test -f ~wiki-$site/etc/ssh/id_rsa" hint
#!/bin/sh
set -e -f -u -x
-local hint="run vm_remote nginx_configure before"
+local hint="run before: ./vm_remote runit_configure nginx -- $site"
assert "sudo test -f /etc/nginx/x509.d/\"$site\"/key.pem" hint
sudo install -m 664 -o www -g www \
"$tool"/var/pub/x509/stats.heureux-cyclage.org/crt+ca.pem \
#!/bin/sh
set -e -f -u -x
-local hint="run vm_remote nginx_configure before"
+local hint="run before: ./vm_remote runit_configure nginx -- $site"
assert "sudo test -f /etc/nginx/x509.d/\"$site\"/key.pem" hint
sudo install -m 664 -o www -g www \
"$tool"/var/pub/x509/www.heureux-cyclage.org/crt+ca.pem \
-local hint="run vm_remote nginx_configure before"
+local hint="run before: ./vm_remote runit_configure nginx -- $site"
assert "sudo test -f /etc/nginx/x509.d/\"$site\"/key.pem" hint
sudo install -m 664 -o www -g www \
"$tool"/var/pub/x509/sympa.heureux-cyclage.org/crt+ca.pem \
home=/home/"$sv"
-rule runit_sv_configure postgres
-rule runit_sv_start postgres
+rule _runit_sv_configure postgres
+rule _runit_sv_start postgres
while ! sudo -u postgres psql </dev/null
do sleep 1; done
-rule runit_sv_configure postfix
-rule runit_sv_start postfix
+rule _runit_sv_configure postfix
+rule _runit_sv_start postfix
sudo postfix quiet-reload
rule apt_get_install openerp --force-yes
rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
rule insserv_remove dovecot
-local hint="run vm_remote dovecot_key_send before"
+local hint="run before: ./vm_remote runit_configure dovecot"
assert "sudo test -f /etc/dovecot/\"$vm_domainname\"/imap/x509/key.pem" hint
sudo install -m 400 -o root -g root \
"$tool"/var/pub/x509/imap."$vm_domainname"/crt+crl.self-signed.pem \
--- /dev/null
+rule _x509_site_key_decrypt imap."$vm_domainname" |
+rule ssh -l root ' \
+ sudo install -d -m 770 -o root -g root \
+ /etc/dovecot/'"$vm_domainname"'/ \
+ /etc/dovecot/'"$vm_domainname"'/imap \
+ /etc/dovecot/'"$vm_domainname"'/imap/x509 ; \
+ sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/dovecot/'"$vm_domainname"'/imap/x509/.gitignore <<-EOF
+ key.pem
+ EOF
+ sudo install -m 400 -o root -g root \
+ /dev/stdin \
+ /etc/dovecot/"$vm_domainname"/imap/x509/key.pem
+ '
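Review bot: On the final `install -m 400` target (the line before the closing `'`), `"$vm_domainname"` is still inside the single-quoted ssh command, so it is expanded by the remote shell from the remote environment, whereas the `install -d` and `.gitignore` lines above close the quote with `'"$vm_domainname"'` to expand it locally. If the remote shell has no `vm_domainname`, the decrypted private key is written to `/etc/dovecot//imap/x509/key.pem`, i.e. outside the 770 directory the script just created, or the install fails. Using the same form as the lines above fixes it: `/etc/dovecot/'"$vm_domainname"'/imap/x509/key.pem`. The quoting is carried over unchanged from the deleted `rule_dovecot_key_send`, so the commit does not address it.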
-rule www_configure
+rule _www_configure
home=~www-data/"$sv"
-rule runit_sv_configure php5-fpm '*'
-rule runit_sv_restart php5-fpm
+rule _runit_sv_configure php5-fpm '*'
+rule _runit_sv_restart php5-fpm
rule apt_get_install nginx spawn-fcgi fcgiwrap
rule insserv_remove nginx
rule insserv_remove fcgiwrap
-rule www_configure
+rule _www_configure
sudo install -d -m 770 -o www -g www \
/etc/nginx \
--- /dev/null
+for site in $(find "$tool"/etc/nginx/site.d \
+ -mindepth 1 -maxdepth 1 -type d \
+ -false ${@:+$(printf -- '-or -name %s\n' "$@")} \
+ -printf '%f\n')
+ do
+ if test -f "$tool"/etc/nginx/site.d/"$site"/x509_host
+ then
+ rule _x509_site_key_decrypt \
+ "$(cat "$tool"/etc/nginx/site.d/"$site"/x509_host)" |
+ rule ssh -l root ' \
+ sudo install -d -m 770 -o root -g root \
+ /etc/nginx \
+ /etc/nginx/x509.d \
+ /etc/nginx/x509.d/'"'$site'"'; \
+ sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/nginx/x509.d/'"'$site'"'/.gitignore <<-EOF
+ key.pem
+ EOF
+ sudo install -m 400 -o root -g root /dev/stdin \
+ /etc/nginx/x509.d/'"'$site'"'/key.pem
+ '
+ fi
+ test ! -r "$tool"/etc/nginx/site.d/"$site"/remote.sh ||
+ . "$tool"/etc/nginx/site.d/"$site"/remote.sh
+ done
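Review bot: The `for site in $(find … -false ${@:+…})` header at the top of this file matches no directory when no site name follows `--`, because `${@:+…}` expands to nothing and `-false` alone excludes everything, so the loop is skipped silently and the caller sees success with nothing configured. If that is not intended, a guard before the loop makes it visible: `[ $# -gt 0 ] || { printf 'runit_configure nginx: no site given after --\n' >&2; exit 1; }`, with `exit` versus `return` chosen according to how this remote.sh is sourced. Note also that the per-site `remote.sh` on the last lines is sourced into the same shell as the loop, so a sourced file that reassigns `site` or shifts `$@` would affect later iterations; those files are not on this page, so this is only a caution.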
rule apt_get_install php5-fpm php-apc php5-mysql php5-gd
rule insserv_remove php5-fpm
-rule www_configure
+rule _www_configure
rule adduser php5 \
--disabled-login \
sudo install -m 664 -o php5 -g php5 \
"$tool"/etc/php5/fpm/php.ini \
/etc/php5/fpm/php.ini
-for conf in $(find "$tool"/etc/php5/fpm/conf.d \
- -mindepth 1 -maxdepth 1 -type f \
- -name '*.conf' \
- -printf '%f\n' || true)
+for conf in $(
+ test ! -d "$tool"/etc/php5/fpm/conf.d ||
+ find "$tool"/etc/php5/fpm/conf.d \
+ -mindepth 1 -maxdepth 1 -type f \
+ -name '*.conf' \
+ -printf '%f\n')
do
sudo install -m 660 -o php5 -g php5 \
"$tool"/etc/php5/fpm/conf.d/"$conf" \
rlimit_files = 131072
slowlog = /home/www/log/php5/fpm/$pool/slow.log
user = ${pool}__php5
- $(cat "$tool"/etc/php5/fpm/pool.d/"$conf")
+ $(cat "$tool"/etc/php5/fpm/pool.d/"$pool".conf)
EOF
done
-local hint="run vm_remote postfix_key_send before"
+local hint="run before: ./vm_remote runit_configure $sv"
assert "sudo test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
#warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
sudo debconf-set-selections <<-EOF
--- /dev/null
+rule _x509_site_key_decrypt smtpd."$vm_domainname" |
+rule ssh -l root ' \
+ sudo install -d -m 770 -o root -g root \
+ /etc/postfix/'"$vm_domainname"'/ \
+ /etc/postfix/'"$vm_domainname"'/smtpd \
+ /etc/postfix/'"$vm_domainname"'/smtpd/x509; \
+ sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/postfix/'"$vm_domainname"'/smtp/x509/.gitignore <<-EOF
+ key.pem
+ EOF
+ sudo install -m 644 -o root -g root /dev/stdin \
+ /etc/postfix/'"$vm_domainname"'/smtpd/x509/.gitignore <<-EOF
+ key.pem
+ EOF
+ install -m 400 -o root -g root \
+ /dev/stdin \
+ /etc/postfix/'"'$vm_domainname'"'/smtpd/x509/key.pem
+ '
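Review bot: The first `.gitignore` install targets `/etc/postfix/'"$vm_domainname"'/smtp/x509/`, but the preceding `install -d` creates only `…/smtpd` and `…/smtpd/x509`, and the second `.gitignore` and the key itself go under `smtpd` as well, so `smtp` looks like a typo carried over from the deleted `rule_postfix_key_send`. As written that install fails on a missing directory unless `…/smtp/x509` exists for another reason, and with no `set -e` visible in the remote command the failure passes unnoticed while the later commands still run. Since the `smtpd/x509/.gitignore` is written immediately afterwards, the `smtp` block (the four lines from its `sudo install -m 644` through its `EOF`) can be dropped, or renamed to `smtpd` if a separate tree is intended. The last `install -m 400` also lacks the `sudo` the other lines use; harmless under `ssh -l root`, but worth aligning.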
sudo install -m 640 -o root -g root /dev/stdin \
/etc/network/interfaces
}
-rule_runit_configure () { # SYNTAX: $sv -- $configure_options
- #rule apt_get_install runit
+rule_runit_configure () { # SYNTAX: $sv [...] -- $configure_options
+ rule apt_get_install runit
if test $# = 0
then
set +x
-false $(printf -- '-or -name %s\n' $services) \
-printf '%f\n')
do
- rule runit_sv_configure "$sv" "$@"
- rule runit_sv_start "$sv"
+ rule _runit_sv_configure "$sv" "$@"
+ rule _runit_sv_start "$sv"
done
#sleep 3
#sudo find -L /etc/service -type l -delete
fi
}
-rule_runit_sv_configure () { # SYNTAX: $sv $configure_options
+rule__runit_sv_configure () { # SYNTAX: $sv $configure_options
local sv="$1"; shift
sudo install -d -m 770 -o root -g root \
/etc/sv/"$sv"
../sv/"$sv" \
/etc/service/"$sv"
}
-rule_runit_sv_restart () { # SYNTAX: $sv
+rule__runit_sv_restart () { # SYNTAX: $sv
local sv="$1"
while true
do case $(sudo sv restart "$sv" | tee /dev/stderr) in
esac
done
}
-rule_runit_sv_start () { # SYNTAX: $sv
+rule__runit_sv_start () { # SYNTAX: $sv
local sv="$1"
while true
do case $(sudo sv start "$sv" | tee /dev/stderr) in
do sudo gpg --import "$key"
done
}
-rule_www_configure () {
+rule__www_configure () {
rule adduser www \
--disabled-login \
--disabled-password \
done
}
-rule_apache2_key_send () {
- local -; set +f
- for conf in "$tool"/etc/nginx/site.d/*/key_send
- do conf=${conf#"$tool"/etc/nginx/site.d/}
- local site=${conf%/key_send}
- rule _x509_site_key_decrypt \
- "$(cat "$tool"/etc/apache2/site.d/"$site"/x509_host)" |
- rule ssh -l root ' \
- sudo install -d -m 770 -o '"$user"' -g '"$user"' \
- /etc/apache2 \
- /etc/apache2/x509.d \
- /etc/apache2/x509.d/'"$site"'; \
- sudo install -m 644 -o '"$user"' -g '"$user"' /dev/stdin \
- /etc/apache2/x509.d/'"$site"'/.gitignore <<-EOF
- key.pem
- EOF
- sudo install -m 400 -o root -g root \
- /dev/stdin \
- /etc/apache2/x509.d/'"'$site'"'/key.pem
- '
- done
- }
-rule_dovecot_key_send () {
- rule _x509_site_key_decrypt imap."$vm_domainname" |
- rule ssh -l root ' \
- sudo install -d -m 770 -o root -g root \
- /etc/dovecot/'"$vm_domainname"'/ \
- /etc/dovecot/'"$vm_domainname"'/imap \
- /etc/dovecot/'"$vm_domainname"'/imap/x509 ; \
- sudo install -m 644 -o root -g root /dev/stdin \
- /etc/dovecot/'"$vm_domainname"'/imap/x509/.gitignore <<-EOF
- key.pem
- EOF
- sudo install -m 400 -o root -g root \
- /dev/stdin \
- /etc/dovecot/"$vm_domainname"/imap/x509/key.pem
- '
- }
rule_gitolite_git () {
(
cd "$tool"/etc/gitolite
git '"$*"
)
}
-rule_nginx_configure () {
- local -; set +f
- for conf in "$tool"/etc/nginx/site.d/*/site.conf
- do conf=${conf#"$tool"/etc/nginx/site.d/}
- local site="${conf%/site.conf}"
- if test -f "$tool"/etc/nginx/site.d/"$site"/x509_host
- then
- rule _x509_site_key_decrypt \
- "$(cat "$tool"/etc/nginx/site.d/"$site"/x509_host)" |
- rule ssh -l root ' \
- sudo install -d -m 770 -o root -g root \
- /etc/nginx \
- /etc/nginx/x509.d \
- /etc/nginx/x509.d/'"'$site'"'; \
- sudo install -m 644 -o root -g root /dev/stdin \
- /etc/nginx/x509.d/'"'$site'"'/.gitignore <<-EOF
- key.pem
- EOF
- sudo install -m 400 -o root -g root /dev/stdin \
- /etc/nginx/x509.d/'"'$site'"'/key.pem
- '
- fi
- test ! -r "$tool"/etc/nginx/site.d/"$site"/remote.sh ||
- . "$tool"/etc/nginx/site.d/"$site"/remote.sh
- done
+rule_runit_configure () { # SYNTAX: $sv [...] -- $configure_options
+ if test $# = 0
+ then
+ set +x
+ rule ssh sudo sv status \
+ $(sudo find /etc/sv \
+ -mindepth 1 -maxdepth 1 -type d \
+ -printf '%p\n' | sort)
+ else
+ local services=
+ while [ $# -gt 0 ]
+ do case $1 in
+ (--) shift; break;;
+ (*) services="$services $1"; shift;;
+ esac
+ done
+ for sv in $(find "$tool"/etc/sv \
+ -mindepth 1 -maxdepth 1 -type d \
+ -false $(printf -- '-or -name %s\n' $services) \
+ -printf '%f\n')
+ do
+ rule _runit_sv_configure "$sv" "$@"
+ done
+ fi
}
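Review bot: In the argument-less branch of the new `rule_runit_configure`, the `$(sudo find /etc/sv … | sort)` substitution is evaluated by the local shell before `rule ssh` runs, so the remote `sv status` is given the local host's `/etc/sv` listing (and `sudo` runs locally), not the remote's. Assuming `rule ssh` forwards its arguments as the remote command, as the `rule ssh -l root '…'` calls elsewhere in this commit do, the find belongs inside the command string: `rule ssh 'sudo sv status $(sudo find /etc/sv -mindepth 1 -maxdepth 1 -type d -printf "%p\n" | sort)'`. The `for sv in $(find … $(printf … $services) …)` loop in the else branch relies on unquoted word-splitting of `$services`, which is only safe while `set -f` is in effect; that is not visible for this file, so a `# relies on set -f` comment next to it would help the next reader.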
-rule_postfix_key_send () {
- rule _x509_site_key_decrypt smtpd."$vm_domainname" |
- rule ssh -l root ' \
- sudo install -d -m 770 -o root -g root \
- /etc/postfix/'"$vm_domainname"'/ \
- /etc/postfix/'"$vm_domainname"'/smtpd \
- /etc/postfix/'"$vm_domainname"'/smtpd/x509; \
- sudo install -m 644 -o root -g root /dev/stdin \
- /etc/postfix/'"$vm_domainname"'/smtp/x509/.gitignore <<-EOF
- key.pem
- EOF
- sudo install -m 644 -o root -g root /dev/stdin \
- /etc/postfix/'"$vm_domainname"'/smtpd/x509/.gitignore <<-EOF
- key.pem
- EOF
- install -m 400 -o root -g root \
- /dev/stdin \
- /etc/postfix/'"'$vm_domainname'"'/smtpd/x509/key.pem
- '
+rule__runit_sv_configure () { # SYNTAX: $sv $configure_options
+ local sv="$1"; shift
+ (
+ test ! -r "$tool"/etc/sv/"$sv"/remote.sh ||
+ . "$tool"/etc/sv/"$sv"/remote.sh || return 1
+ )
}
rule=${1:-help}