. "$tool"/lib/rule.sh
. "$tool"/etc/vm.sh
export TRACE=1
-cd /
rule_help () { # SYNTAX: [--hidden]
local hidden; [ ${1:+set} ] || hidden=set
sudo adduser "$@" "$user"
}
rule_apt_get_install () { # SYNTAX: $package
- sudo DEBIAN_FRONTEND=noninteractive apt-get install --yes "$@"
+ sudo \
+ DEBIAN_FRONTEND=noninteractive \
+ DEBIAN_PRIORITY=low \
+ apt-get install --yes "$@"
}
rule_dpkg_reconfigure () { # SYNTAX: $package
- sudo DEBIAN_FRONTEND=noninteractive dpkg-reconfigure "$@"
+ sudo \
+ DEBIAN_FRONTEND=noninteractive \
+ DEBIAN_PRIORITY=low \
+ dpkg-reconfigure "$@"
}
rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
sudo service apache2 restart
}
rule_apt_configure () {
- sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
+ sudo install -m 664 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
deb http://ftp.rezopole.net/debian $vm_lsb_name main
EOF
- sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/$vm_lsb_name-backports.list <<-EOF
+ sudo install -m 664 -o root -g root /dev/stdin /etc/apt/sources.list.d/$vm_lsb_name-backports.list <<-EOF
deb http://ftp.rezopole.net/debian $vm_lsb_name-backports main
EOF
- sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
+ sudo install -m 664 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
+ deb http://nightly.openerp.com/7.0/nightly/deb/ ./
+ EOF
+ sudo install -m 664 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
Package: *
Pin: release a=$vm_lsb_name
Pin-Priority: 200
# et davantage sécurisant.
EOF
}
-rule_dovecot_configure () {
- rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
- rule insserv_remove dovecot
- local hint="run vm_remote dovecot_key_send before"
- assert "sudo test -f /etc/dovecot/\"$vm_domainname\"/imap/x509/key.pem" hint
- sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/imap."$vm_domainname"/crt+crl.self-signed.pem \
- /etc/dovecot/"$vm_domainname"/imap/x509/crt+crl.self-signed.pem
- sudo install -d -m 770 -o root -g root \
- /etc/skel/etc/mail \
- /etc/skel/etc/sieve
- sudo install -d -m 1777 -o root -g root \
- /var/lib/dovecot-control \
- /var/lib/dovecot-index
- m4 \
- --define=VM_DOMAINNAME=$vm_domainname \
- <"$tool"/etc/dovecot/local.conf.m4 |
- sudo install -m 644 -o root -g root /dev/stdin \
- /etc/dovecot/local.conf
- sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
- #!/bin/sh -efux
- # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
- install -d -m 770 ~/etc/dovecot
- install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
- \$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
- _EOF
- EOF
- rule runit_configure dovecot
- }
rule_etckeeper_configure () {
sudo install -m 644 -o root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
VCS=git
xvc0
EOF
}
-rule_mail_configure () {
- rule postfix_configure
- rule postgrey_configure
- rule procmail_configure
- rule dovecot_configure
- }
-rule_mysql_configure () {
- rule apt_get_install mysql-server-5.5
- rule insserv_remove mysql
- rule adduser mysql \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/mysql \
- --shell /bin/false \
- --system
- rule adduser mysql-data \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/mysql/data \
- --no-create-home \
- --shell /bin/false \
- --system
- sudo usermod --home /home/mysql mysql
- sudo adduser mysql mysql-data
- sudo install -d -m 751 -o mysql -g mysql \
- /home/mysql
- sudo rm -rf /etc/mysql
- sudo install -d -m 750 -o mysql -g mysql \
- /etc/mysql \
- /etc/mysql/conf.d \
- /home/mysql/etc
- sudo ln -fns \
- /etc/mysql \
- /home/mysql/etc/mysql
- sudo install -m 644 -o mysql -g mysql \
- "$tool"/etc/mysql/my.cnf \
- /etc/mysql/my.cnf
- if sudo test ! -d /home/mysql/data
- then
- sudo install -d -m 750 -o mysql -g mysql-data \
- /home/mysql/data
- sudo -u mysql mysql_install_db \
- --datadir=/home/mysql/data \
- --no-defaults
- fi
- rule runit_configure mysql
- while ! sudo -u mysql mysql -u mysql </dev/null
- do sleep 0.3; done
- # NOTE:
- # - ajoute l'accès par socket Unix à mysql
- # - ajoute les droits de super-utilisateur à mysql
- # - supprime l'accès par mot-de-passe à root
- # - supprime les bases de données de l'utilisateurice anonyme
- # - supprime l'utilisateurice anonyme
- # NOTE: mémo :
- # GRANT USAGE ON *.* TO 'root'@'*' IDENTIFIED WITH auth_socket;
- # CREATE USER 'root'@'localhost' IDENTIFIED WITH auth_socket;
- # UPDATE mysql.user SET Password='' WHERE user='root';
- # DELETE FROM mysql.user WHERE user = 'root' AND host NOT IN ('localhost', '127.0.0.1', '::1');
- sudo mysql -u root --batch --verbose <<-EOF
- DELETE FROM mysql.user WHERE user = 'root' and plugin = '';
- DROP PROCEDURE IF EXISTS mysql.create_user_mysql;
- DELIMITER //
- CREATE PROCEDURE mysql.create_user_mysql ()
- BEGIN
- IF NOT (EXISTS (SELECT User
- FROM mysql.user
- WHERE User='mysql'
- AND Host='localhost'
- LIMIT 1))
- THEN GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' IDENTIFIED WITH auth_socket;
- END IF;
- END;
- //
- CALL mysql.create_user_mysql();
- DROP PROCEDURE mysql.create_user_mysql;
- UPDATE mysql.user SET grant_priv='Y',super_priv='Y' WHERE user='mysql';
- DELETE FROM mysql.db WHERE user = '';
- DELETE FROM mysql.user WHERE user = '';
- FLUSH PRIVILEGES;
- EOF
- }
-rule_mysql_db_add () { # SYNTAX: $user $db
- sudo -u mysql mysql --batch <<-EOF
- DROP DATABASE IF EXISTS $db;
- CREATE DATABASE $db CHARACTER SET utf8 COLLATE utf8_general_ci;
- GRANT ALL PRIVILEGES ON $base.* TO '$user'@'localhost' IDENTIFIED WITH auth_socket;
- FLUSH PRIVILEGES;
- EOF
- }
-rule_mysql_user_add () { # SYNTAX: $user
- sudo mysql -u mysql --batch <<-EOF || true
- DROP USER '$user'@'localhost';
- EOF
- sudo mysql -u mysql --batch <<-EOF
- CREATE USER '$user'@'localhost' IDENTIFIED WITH auth_socket;
- EOF
- }
rule_network_configure () {
sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
$vm
sudo install -m 640 -o root -g root /dev/stdin \
/etc/network/interfaces
}
-rule_nginx_configure () {
- local -; set +f
- rule php5_fpm_configure
- rule apt_get_install nginx spawn-fcgi fcgiwrap
- rule insserv_remove nginx
- rule insserv_remove fcgiwrap
- sudo rm -rf \
- /etc/nginx/conf.d \
- /etc/nginx/site.d
- sudo install -d -m 770 -o www -g www \
- /etc/nginx \
- /etc/nginx/conf.d \
- /etc/nginx/site.d \
- /etc/nginx/x509.d
- sudo ln -fns \
- /etc/nginx \
- /home/www/etc/nginx
- sudo install -m 660 -o www -g www \
- "$tool"/etc/nginx/nginx.conf \
- /etc/nginx/nginx.conf
- local conf
- for conf in "$tool"/etc/nginx/conf.d/*.conf
- do conf=${conf#"$tool"/etc/nginx/conf.d/}
- sudo install -m 660 -o www -g www \
- "$tool"/etc/nginx/conf.d/"$conf" \
- /etc/nginx/conf.d/"$conf"
- done
- for conf in "$tool"/etc/nginx/site.d/*/site.conf
- do conf=${conf#"$tool"/etc/nginx/site.d/}
- local site="${conf%/site.conf}"
- rule adduser www-"$site" \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/www/pub/"$site" \
- --shell /bin/false \
- --system
- rule adduser log-www-"$site" \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/www/log/"$site"/nginx \
- --shell /bin/false \
- --system
- sudo install -d -m 771 -o log-www -g log-www \
- /home/www/log/"$site"
- sudo install -d -m 770 -o www -g www \
- /etc/nginx/site.d/"$site"
- sudo install -d -m 770 -o www -g www \
- /etc/nginx/x509.d/"$site"
- test -L /home/www/pub/"$site" ||
- sudo install -d -m 2770 -o www-"$site" -g www-"$site" \
- /home/www/pub/"$site"
- sudo adduser www-data www-"$site"
- sudo adduser www-data log-www-"$site"
- sudo install -m 660 -o www -g www \
- "$tool"/etc/nginx/site.d/"$site"/local.conf \
- /etc/nginx/site.d/"$site"/local.inc
- sudo install -m 660 -o www -g www \
- "$tool"/etc/nginx/site.d/"$site"/site.conf \
- /etc/nginx/site.d/"$site"/site.inc
- sudo install -m 660 -o www -g www /dev/stdin \
- /etc/nginx/site.d/"$site"/server.conf <<-EOF
- server {
- access_log /home/www/log/$site/nginx/access.log main;
- error_log /home/www/log/$site/nginx/error.log warn;
- root /home/www/pub/$site;
- include /etc/nginx/site.d/$site/local.inc;
- include /etc/nginx/site.d/$site/site.inc;
- }
- EOF
- test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
- . "$tool"/etc/nginx/site.d/"$site"/configure.sh
- done
- rule runit_configure nginx
- }
-rule_nsd3_configure () { # NOTE: DNS autoritaire uniquement
- local -; set +f
- rule apt_get_install nsd
- rule insserv_remove nsd3
- sudo rm -rf \
- /etc/nsd3/zone.d
- sudo install -d -m 750 -o root -g nsd \
- /etc/nsd3/zone.d
- {
- cat <<-EOF
- server:
- ip-address: $vm_ipv4
- ip4-only: yes
- EOF
- cat "$tool"/etc/nsd3/nsd.conf
- local conf
- for conf in "$tool"/etc/nsd3/zone.d/*.conf
- do conf=${conf#"$tool"/etc/nsd3/zone.d/}
- local domain=${conf%.conf}
- if test -e "$tool"/etc/nsd3/zone.d/"$domain".zone.m4
- then m4 \
- --define=ZONE_DOMAIN=$domain \
- --define=ZONE_SERIAL=$(cd "$tool" && git log -1 --format="%ct" -- etc/nsd3/zone.d/"$domain".zone.m4) \
- --define=VM_IP4=$vm_ipv4 \
- "$tool"/etc/nsd3/zone.d/"$domain".zone.m4
- else cat "$tool"/etc/nsd3/zone.d/"$domain".zone
- fi |
- sudo install -m 440 -o root -g nsd /dev/stdin \
- /etc/nsd3/zone.d/"$domain".zone
- sudo install -m 440 -o root -g nsd \
- "$tool"/etc/nsd3/zone.d/"$conf" \
- /etc/nsd3/zone.d/"$conf"
- cat <<-EOF
- zone:
- name: $domain
- zonefile: /etc/nsd3/zone.d/$domain.zone
- EOF
- done
- } |
- sudo install -m 640 -o root -g nsd /dev/stdin \
- /etc/nsd3/nsd.conf
- sudo nsdc rebuild
- rule runit_configure nsd3
- }
-rule_ntp_configure () {
- # NOTE: http://my.opera.com/marcomarongiu/blog/2011/01/05/independent-wallclock-in-xen-4
- rule apt_get_install ntp
- rule insserv_remove ntp
- rule runit_configure ntp
- }
-rule_openerp_configure () {
- sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
- deb http://nightly.openerp.com/7.0/nightly/deb/ ./
- EOF
- sudo install -d -m 1777 -o root -g root \
- /etc/openerp
- rule apt_get_install openerp --force-yes
- # XXX: --force-yes car les paquets de nightly.openerp.com
- # ne sont pas signés par OpenPGP..
- rule insserv_remove openerp
- }
-rule_php5_fpm_configure () {
- local -; set +f
- rule apt_get_install php5-fpm php-apc
- rule insserv_remove php5-fpm
- rule adduser php5 \
- --disabled-login \
- --disabled-password \
- --group \
- --home /etc/php5/fpm \
- --shell /bin/false \
- --system
- rule adduser log-php5 \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/www/log/php5/fpm \
- --shell /bin/false \
- --system
- sudo ln -fns \
- /etc/php5/fpm \
- /home/www/etc/php5
- sudo rm -rf \
- /etc/php5/fpm/conf.d \
- /etc/php5/fpm/pool.d
- sudo install -d -m 770 -o php5 -g php5 \
- /etc/php5/fpm/conf.d \
- /etc/php5/fpm/pool.d
- sudo install -m 440 -o php5 -g php5 \
- "$tool"/etc/php5/fpm/php-fpm.conf \
- /etc/php5/fpm/php-fpm.conf
- local conf
- #for conf in "$tool"/etc/php5/fpm/conf.d/*.conf
- # do conf=${conf#"$tool"/etc/php5/fpm/conf.d/}
- # sudo install -m 660 -o php5 -g php5 \
- # "$tool"/etc/php5/fpm/conf.d/"$conf" \
- # /etc/php5/fpm/conf.d/"$conf"
- # done
- for conf in "$tool"/etc/php5/fpm/pool.d/*.conf
- do conf=${conf#"$tool"/etc/php5/fpm/pool.d/}
- IFS=. read -r pool <<-EOF
- ${conf%.conf}
- EOF
- assert 'test "${pool:+set}"'
- rule adduser php5-"$pool" \
- --disabled-login \
- --disabled-password \
- --group \
- --no-create-home \
- --home /etc/php5/fpm/pool.d \
- --shell /bin/false \
- --system
- rule adduser log-php5-"$pool" \
- --disabled-login \
- --disabled-password \
- --group \
- --no-create-home \
- --home /home/www/log/php5/fpm/"$pool" \
- --shell /bin/false \
- --system
- sudo install -d -m 770 -o log-php5 -g log-php5 \
- /home/www/log/php5 \
- /home/www/log/php5/fpm
- sudo install -d -m 770 -o log-php5-"$pool" -g log-php5-"$pool" \
- /home/www/log/php5/fpm/"$pool"
- sudo install -m 660 -o php5 -g php5 /dev/stdin \
- /etc/php5/fpm/pool.d/"$pool".conf <<-EOF
- [$pool]
- access.log = /home/www/log/php5/fpm/$pool/access.log
- catch_workers_output = yes
- chdir = /
- env[HOSTNAME] = \$HOSTNAME
- env[TEMP] = /tmp
- env[TMPDIR] = /tmp
- env[TMP] = /tmp
- group = php5-$pool
- #listen = 127.0.0.1:9000
- listen = /run/php5/fpm/$pool
- #listen.allowed_clients = 127.0.0.1
- listen.group = www-data
- listen.mode = 0660
- #listen.owner = www-data
- listen.backlog = -1
- pm = dynamic
- pm.max_children = 5
- pm.max_requests = 200
- pm.max_spare_servers = 4
- pm.min_spare_servers = 2
- pm.start_servers = 3
- pm.status_path = /status
- request_slowlog_timeout = 5s
- request_terminate_timeout = 120s
- rlimit_core = unlimited
- rlimit_files = 131072
- slowlog = /home/www/log/php5/fpm/$pool/slow.log
- user = php5-$pool
- $(cat "$tool"/etc/php5/fpm/pool.d/"$conf")
- EOF
- sudo install -m 664 -o php5 -g php5 \
- "$tool"/etc/php5/fpm/php.ini \
- /etc/php5/fpm/php.ini
- done
- rule runit_configure php5-fpm
- }
-rule_postfix_configure () {
- local hint="run vm_remote postfix_key_send before"
- assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
- #warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
- sudo debconf-set-selections <<-EOF
- postfix postfix/main_mailer_type select No configuration
- EOF
- rule apt_get_install postfix
- rule insserv_remove postfix
- sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
- *.db
- EOF
- sudo install -d -m 771 -o root -g root \
- /etc/postfix/ \
- /etc/postfix/$vm_domainname/ \
- /etc/postfix/$vm_domainname/smtp \
- /etc/postfix/$vm_domainname/smtp/x509 \
- /etc/postfix/$vm_domainname/smtp/x509/ca \
- /etc/postfix/$vm_domainname/smtpd \
- /etc/postfix/$vm_domainname/smtpd/x509 \
- /etc/postfix/$vm_domainname/smtpd/x509/ca
- sudo ln -fns \
- ../crt+crl.self-signed.pem \
- /etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
- sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \
- /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
- sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/smtpd.$vm_domainname/crt.pem \
- /etc/postfix/$vm_domainname/smtpd/x509/crt.pem
- sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+ca.pem \
- /etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem
- sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \
- /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
- sudo install -m 640 -o root -g root \
- "$tool"/etc/postfix/$vm_domainname/header_checks \
- /etc/postfix/$vm_domainname/header_checks
- sudo install -m 644 -o root -g root /dev/stdin \
- /etc/postfix/aliases <<-EOF
- # See man 5 aliases for format
- abuse: root
- admin: root
- contact: root
- mailer-daemon: root
- postmaster: root
- root: $(getent group sudo | cut -f 4 -d : | tr , ' ')
- EOF
- sudo newaliases -oA/etc/postfix/aliases
- cat /dev/stdin "$tool"/etc/postfix/main.cf <<-EOF |
- mydomain = $vm_domainname
- myorigin = \$mydomain
- myhostname = $vm_hostname.\$mydomain
- mail_name = \$myhostname
- mydestination = $vm_hostname \$myhostname \$myorigin
- EOF
- sudo install -m 640 -o root -g root /dev/stdin \
- /etc/postfix/main.cf
- sudo install -m 640 -o root -g root \
- "$tool"/etc/postfix/master.cf \
- /etc/postfix/master.cf
- sudo install -m 640 -o root -g root \
- "$tool"/etc/postfix/$vm_domainname/smtp/x509/policy \
- /etc/postfix/$vm_domainname/smtp/x509/policy
- sudo postmap hash:/etc/postfix/$vm_domainname/smtp/x509/policy
- sudo install -m 640 -o root -g root \
- "$tool"/etc/postfix/$vm_domainname/smtp/header_checks \
- /etc/postfix/$vm_domainname/smtp/header_checks
- sudo install -m 640 -o root -g root \
- "$tool"/etc/postfix/$vm_domainname/smtpd/sender_access \
- /etc/postfix/$vm_domainname/smtpd/sender_access
- sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/sender_access
- sudo install -m 640 -o root -g root \
- "$tool"/etc/postfix/$vm_domainname/smtpd/client_blacklist \
- /etc/postfix/$vm_domainname/smtpd/client_blacklist
- sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/client_blacklist
- sudo install -m 640 -o root -g root \
- "$tool"/etc/postfix/$vm_domainname/smtpd/relay_clientcerts \
- /etc/postfix/$vm_domainname/smtpd/relay_clientcerts
- sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/relay_clientcerts
- sudo install -m 640 -o root -g root \
- "$tool"/etc/postfix/$vm_domainname/transport \
- /etc/postfix/$vm_domainname/transport
- sudo postmap hash:/etc/postfix/$vm_domainname/transport
- sudo install -m 640 -o root -g root \
- "$tool"/etc/postfix/$vm_domainname/virtual_alias \
- /etc/postfix/$vm_domainname/virtual_alias
- sudo postmap hash:/etc/postfix/$vm_domainname/virtual_alias
- rule runit_configure postfix
- }
-rule_postgrey_configure () {
- rule apt_get_install postgrey
- rule insserv_remove postgrey
- rule runit_configure postgrey
- }
-rule_procmail_configure () {
- rule apt_get_install procmail
- sudo install -d -m 770 -o root -g root \
- /etc/skel/etc/mail \
- /etc/skel/var/cache/mail \
- /etc/skel/var/log/mail \
- /etc/skel/var/mail
- sudo install -m 660 -o root -g root \
- "$tool"/etc/skel/etc/mail/delivery.procmailrc \
- /etc/skel/etc/mail/delivery.procmailrc
- }
-rule_runit_configure () { # SYNTAX: $sv
+rule_runit_configure () { # SYNTAX: $sv [...] -- $configure_options
rule apt_get_install runit
- local -; set +f
- sudo find /etc/sv -mindepth 1 -maxdepth 1 -type d -name "${1:-*}" -exec \
- /bin/sh -efux -c 'case $(sv stop "$1") in
- (*": runsv not running") true;;
- (*": unable to open supervise/ok: file does not exist") true;;
- ("ok: down:"*) true;;
- (*) false;;
- esac' '' {} +
- set -$- ${1-"$tool"/etc/sv/*}
- while test -n "$*"
- do local first=yes
- for sv in "$@"
- do sv=${sv##*/}
- case $first in
- (yes) shift $#; first=;;
+ if test $# = 0
+ then
+ set +x
+ sudo sv status \
+ $(sudo find /etc/sv \
+ -mindepth 1 -maxdepth 1 -type d \
+ -printf '%p\n' | sort)
+ else
+ local services=
+ while [ $# -gt 0 ]
+ do case $1 in
+ (--) shift; break;;
+ (*) services="$services $1"; shift;;
esac
- rule _runit_sv_configure "$sv"
- rule runit_sv_restart "$sv"
done
- done
- sudo find -L /etc/service -type l -delete
+ #for sv in $(sudo find /etc/sv \
+ # -mindepth 1 -maxdepth 1 -type d \
+ # -false $(printf -- '-or -name %s\n' $services) \
+ # -printf '%f\n')
+ # do
+ # case $(sudo sv stop "$sv" | tee /dev/stderr) in
+ # (*": runsv not running") true;;
+ # (*": unable to open supervise/ok: file does not exist") true;;
+ # ("ok: down:"*) true;;
+ # (*) false;;
+ # esac
+ # done
+ for sv in $(find "$tool"/etc/sv \
+ -mindepth 1 -maxdepth 1 -type d \
+ -false $(printf -- '-or -name %s\n' $services) \
+ -printf '%f\n')
+ do
+ rule _runit_sv_configure "$sv" "$@"
+ rule _runit_sv_start "$sv"
+ done
+ #sleep 3
+ #sudo find -L /etc/service -type l -delete
+ fi
}
-rule__runit_sv_configure () { # SYNTAX: $sv
- local sv="$1"
+rule__runit_sv_configure () { # SYNTAX: $sv $configure_options
+ local sv="$1"; shift
sudo install -d -m 770 -o root -g root \
/etc/sv/"$sv"
sudo install -m 770 -o root -g root \
"$tool"/etc/sv/"$sv"/log/run \
/etc/sv/"$sv"/log/run
fi
- local continue=
+ (
test ! -r "$tool"/etc/sv/"$sv"/configure.sh ||
- . "$tool"/etc/sv/"$sv"/configure.sh
- case $continue in
- (yes) continue;;
- esac
+ . "$tool"/etc/sv/"$sv"/configure.sh || return 1
+ )
+ (
+ test ! -r "$tool"/etc/sv/"$sv"/log/configure.sh ||
+ . "$tool"/etc/sv/"$sv"/log/configure.sh || return 1
+ )
sudo ln -fns \
../sv/"$sv" \
/etc/service/"$sv"
}
-rule_runit_sv_restart () { # SYNTAX: $sv
+rule__runit_sv_restart () { # SYNTAX: $sv
local sv="$1"
while true
- do case $(sudo sv restart "$sv") in
- ("fail: $sv: runsv not running") sleep 1;;
- ("warning: $sv: unable to open supervise/ok: file does not exists") sleep 1;;
+ do case $(sudo sv restart "$sv" | tee /dev/stderr) in
+ (*": runsv not running") sleep 1;;
+ (*": unable to open supervise/ok: file does not exist") sleep 1;;
+ (*) break;;
+ esac
+ done
+ }
+rule__runit_sv_start () { # SYNTAX: $sv
+ local sv="$1"
+ while true
+ do case $(sudo sv start "$sv" | tee /dev/stderr) in
+ (*": runsv not running") sleep 1;;
+ (*": unable to open supervise/ok: file does not exist") sleep 1;;
(*) break;;
esac
done
# done
#sudo shorewall safe-restart
}
-rule_ssh_configure () {
- rule apt_get_install openssh-server
- rule insserv_remove ssh
- ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
- ( while IFS= read -r line
- do case $line in (*" RSA") return 0; break;; esac
- done; return 1 ) ||
- sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
- sudo rm -f \
- /etc/ssh/ssh_host_dsa_key \
- /etc/ssh/ssh_host_dsa_key.pub \
- /etc/ssh/ssh_host_ecdsa_key \
- /etc/ssh/ssh_host_ecdsa_key.pub
- # NOTE: clefs générées par Debian
- m4 \
- --define=VM_IPV4=$vm_ipv4 \
- <"$tool"/etc/ssh/sshd_config.m4 |
- sudo install -m 640 -o root -g root /dev/stdin \
- /etc/ssh/sshd_config
- sudo install -m 644 -o root -g root \
- "$tool"/etc/ssh/ssh_config \
- /etc/ssh/ssh_config
- rule runit_configure sshd
- }
rule_sysctl_configure () {
local -; set +f
for conf in "$tool"/etc/sysctl.d/*.conf
"$tool"/etc/sysctl.d/"$conf" \
/etc/sysctl.d/"$conf"
done
+ sudo install -m 660 -o root -g root /dev/stdin \
+ /etc/sysctl.d/local-kernel-name.conf <<-EOF
+ kernel.hostname = $vm_hostname
+ kernel.domainname = $vm_domainname
+ EOF
sudo sysctl --system
}
rule_tmpfs_configure () {
TMPFS_SIZE=20%VM
EOF
}
-rule_time_configure () {
- sudo install -m 644 -o root -g root /dev/stdin /etc/timezone <<-EOF
- Europe/Paris
- EOF
- sudo debconf-set-selections <<-EOF
- tzdata tzdata/Areas select Europe
- tzdata tzdata/Zones/Europe select Paris
- EOF
- rule dpkg_reconfigure tzdata
- rule ntp_configure
- }
-rule_unbound_configure () {
- sudo apt-get install unbound
- rule insserv_remove unbound
- sudo install -m 644 -o root -g root /dev/stdin /etc/resolv.conf <<-EOF
- search ${vm_host#*.}
- nameserver 127.0.0.1
- #nameserver ${vm_host_nameserver}
- EOF
- sudo install -m 440 -o unbound -g unbound \
- "$tool"/etc/unbound/named.cache \
- /etc/unbound/named.cache
- m4 \
- --define=OUTGOING_INTERFACE=$vm_ipv4 \
- <"$tool"/etc/unbound/unbound.conf |
- sudo install -m 440 -o unbound -g unbound /dev/stdin \
- /etc/unbound/unbound.conf
- rule runit_configure unbound
- }
rule_user_add () { # SYNTAX: $user
local user="$1"; shift
rule adduser "$user" --disabled-password "$@"
sudo install -m 644 -o root -g root \
"$tool"/etc/bash.bashrc \
/etc/bash.bashrc
+ sudo install -m 644 -o root -g root \
+ "$tool"/etc/inputrc \
+ /etc/inputrc
sudo install -m 644 -o root -g root \
"$tool"/etc/screenrc \
/etc/screenrc
for sh in "$tool"/etc/user.d/*/configure.sh
do sh=${sh#"$tool"/etc/user.d/}
local user="${sh%/configure.sh}"
- . "$tool"/etc/user.d/"$sh"
+ (
+ . "$tool"/etc/user.d/"$sh" || return 1
+ )
done
}
rule_user_admin_add () { # SYNTAX: $user
do sudo gpg --import "$key"
done
}
-rule_www_configure () {
+rule__www_configure () {
rule adduser www \
--disabled-login \
--disabled-password \
rule boot_configure
rule sysctl_configure
rule user_configure
- rule mail_configure
rule gitolite_configure
- rule www_configure
- rule nginx_configure
- #rule apache2_configure
- rule nsd3_configure
- rule unbound_configure
- rule postgresql_configure
- rule mysql_configure
rule shorewall_configure
rule runit_configure
}
(help);;
(*)
assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
+ cd /
;;
esac
rule $rule "$@"