X-Git-Url: https://git.cyclocoop.org/?a=blobdiff_plain;ds=sidebyside;f=vm_hosted;h=9743830488a48aa776f4e38b85070f509e83636e;hb=e80dbf50a89c0b84174e566b85af9593410becfb;hp=b4a73b51007b89399331cad3f7d4fef991a08e2f;hpb=517dfa12da0aee0c546f21166f488dc19f88c2b5;p=lhc%2Fateliers.git
diff --git a/vm_hosted b/vm_hosted
index b4a73b5..9743830 100755
--- a/vm_hosted
+++ b/vm_hosted
@@ -7,6 +7,7 @@ while test -L "$tool"
tool=${tool%/*}
. "$tool"/lib/rule.sh
. "$tool"/etc/vm.sh
+export TRACE=1
rule_help () { # SYNTAX: [--hidden]
local hidden; [ ${1:+set} ] || hidden=set
@@ -35,6 +36,16 @@ rule_git_configure () {
tool=$(cd "$tool"; cd -)
sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/
sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/vm
+ sudo install -m 770 /dev/stdin .git/hooks/post-update <<-EOF
+ #!/bin/sh -efux
+ case \$1 in
+ (refs/remotes/master)
+ cd ..
+ git --git-dir=\$PWD/.git checkout -f -B master remotes/master
+ git --git-dir=\$PWD/.git clean -f -d -x
+ ;;
+ esac
+ EOF
)
}
rule_git_reset () {
@@ -107,52 +118,51 @@ rule_apache2_configure () {
for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf
do conf=${conf#"$tool"/etc/apache2/site.d/}
local port site
- IFS=. read -r port site <<-EOF
+ IFS=. read -r port domain <<-EOF
${conf%\/VirtualHost\.conf}
EOF
- assert 'test "${site:+set}"'
assert 'test "${port:+set}"'
- local site_user="$user.$port.$site"
- local site_dir="$user.$port.$site"
+ assert 'test "${domain:+set}"'
+ local site="$port.$domain"
case $port in
(443)
local hint="run vm_remote apache2_key_send before"
- assert "sudo test -f /etc/apache2/site.d/\"$site_dir\"/x509/key.pem" hint
- sudo install -d -m 770 -o "$user" -g "$user" \
+ assert "sudo test -f /etc/apache2/site.d/\"$site\"/x509/key.pem" hint
+ sudo install -d -m 770 -o www."$site" -g www."$site" \
/etc/apache2 \
- /etc/apache2/site.d/"$site_dir" \
- /etc/apache2/site.d/"$site_dir"/x509 \
- /etc/apache2/site.d/"$site_dir"/x509/ca \
- /etc/apache2/site.d/"$site_dir"/x509/empty \
- /etc/apache2/site.d/"$site_dir"/x509/rvk \
- /etc/apache2/site.d/"$site_dir"/x509/usr
+ /etc/apache2/site.d/"$site" \
+ /etc/apache2/site.d/"$site"/x509 \
+ /etc/apache2/site.d/"$site"/x509/ca \
+ /etc/apache2/site.d/"$site"/x509/empty \
+ /etc/apache2/site.d/"$site"/x509/rvk \
+ /etc/apache2/site.d/"$site"/x509/usr
sudo install -m 664 -o www -g www \
- "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
- /etc/apache2/site.d/"$site_dir"/x509/crt.self-signed.pem
- #sudo install -m 664 -o "$user" -g "$user" \
+ "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
+ /etc/apache2/site.d/"$site"/x509/crt.self-signed.pem
+ #sudo install -m 664 -o www."$site" -g www."$site" \
# "$tool"/var/pub/x509/"$site"/rvk.pem \
- # /etc/apache2/site.d/"$site_dir"/x509/rvk.pem
+ # /etc/apache2/site.d/"$site"/x509/rvk.pem
sudo install -m 664 -o www -g www \
"$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \
- /etc/apache2/site.d/"$site_dir"/x509/ca/crt.pem
+ /etc/apache2/site.d/"$site"/x509/ca/crt.pem
sudo install -m 664 -o www -g www \
- "$tool"/var/pub/x509/"$site"/crt.pem \
- /etc/apache2/site.d/"$site_dir"/x509/crt.pem
+ "$tool"/var/pub/x509/"$site"/crt.pem \
+ /etc/apache2/site.d/"$site"/x509/crt.pem
;;
esac
case $port in
(80)
cat <<-EOF
- AssignUserID $site_user $site_user
- CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
+ AssignUserID www.$site www.$site
+ CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined
#CustomLog "/dev/null" Combined
- DocumentRoot /home/www/pub/$site_dir
- ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
+ DocumentRoot /home/www/pub/$site
+ ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60"
#ErrorLog "/dev/null"
- ServerName $site
+ ServerName $domain
LogLevel Warn
- $(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
+ $(cat "$tool"/etc/apache2/site.d/"$site"/VirtualHost.conf)
EOF
;;
@@ -160,26 +170,26 @@ rule_apache2_configure () {
cat <<-EOF
- AssignUserID $site_user $site_user
+ AssignUserID www.$site www.$site
BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
- CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
+ CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined
#CustomLog "/dev/null" Combined
- DocumentRoot /home/www/pub/$site_dir
- ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
+ DocumentRoot /home/www/pub/$site
+ ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60"
#ErrorLog "/dev/null"
LogLevel Warn
- ServerName $site
- SSLCACertificateFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
- SSLCACertificatePath /etc/apache2/site.d/$site_dir/x509/usr/
- #SSLCARevocationFile /etc/apache2/site.d/$site_dir/x509/rvk.pem
- SSLCADNRequestFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
- SSLCADNRequestPath /etc/apache2/site.d/$site_dir/x509/empty/
+ ServerName $domain
+ SSLCACertificateFile /etc/apache2/site.d/$site/x509/crt.self-signed.pem
+ SSLCACertificatePath /etc/apache2/site.d/$site/x509/usr/
+ #SSLCARevocationFile /etc/apache2/site.d/$site/x509/rvk.pem
+ SSLCADNRequestFile /etc/apache2/site.d/$site/x509/crt.self-signed.pem
+ SSLCADNRequestPath /etc/apache2/site.d/$site/x509/empty/
# NOTE: ne publie pas les certificats dâutilisateur-ice-s acceptés
- SSLCARevocationPath /etc/apache2/site.d/$site_dir/x509/rvk/
- SSLCertificateChainFile /etc/apache2/site.d/$site_dir/x509/ca/crt.pem
- SSLCertificateFile /etc/apache2/site.d/$site_dir/x509/crt.pem
- SSLCertificateKeyFile /etc/apache2/site.d/$site_dir/x509/key.pem
+ SSLCARevocationPath /etc/apache2/site.d/$site/x509/rvk/
+ SSLCertificateChainFile /etc/apache2/site.d/$site/x509/ca/crt.pem
+ SSLCertificateFile /etc/apache2/site.d/$site/x509/crt.pem
+ SSLCertificateKeyFile /etc/apache2/site.d/$site/x509/key.pem
SSLCipherSuite AES+RSA+SHA256
SSLEngine On
SSLInsecureRenegotiation Off
@@ -191,45 +201,45 @@ rule_apache2_configure () {
SSLUserName SSL_CLIENT_S_DN_CN
SSLVerifyClient None
SSLVerifyDepth 1
- $(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
+ $(cat "$tool"/etc/apache2/site.d/"$site"/VirtualHost.conf)
EOF
;;
esac |
sudo install -m 660 -o root -g root /dev/stdin \
- /etc/apache2/site.d/"$site_dir"/VirtualHost.conf
+ /etc/apache2/site.d/"$site"/VirtualHost.conf
sudo ln -fns \
- ../site.d/"$site_dir"/VirtualHost.conf \
- /etc/apache2/sites-available/"$site_dir"
- sudo install -d -m 770 -o "$user" -g "$user" \
- /home/www/log/"$site_dir" \
- /home/www/log/"$site_dir"/apache2
+ ../site.d/"$site"/VirtualHost.conf \
+ /etc/apache2/sites-available/"$site"
+ sudo install -d -m 770 -o www."$site" -g www."$site" \
+ /home/www/log/"$site" \
+ /home/www/log/"$site"/apache2
sudo ln -fns \
- /etc/apache2/site.d/"$site_dir" \
- /home/www/etc/apache2/"$site_dir"
- test -e /home/www/pub/"$site_dir" ||
- sudo install -d -m 770 -o "$user" -g "$user" \
- /home/www/pub/"$site_dir"
- getent passwd "$site_user" >/dev/null ||
+ /etc/apache2/site.d/"$site" \
+ /home/www/etc/apache2/"$site"
+ test -e /home/www/pub/"$site" ||
+ sudo install -d -m 2770 -o www."$site" -g www."$site" \
+ /home/www/pub/"$site"
+ getent passwd www."$site" >/dev/null ||
sudo adduser \
--disabled-password \
--group \
--no-create-home \
- --home /home/www/pub/"$site_dir" \
+ --home /home/www/pub/"$site" \
--shell /bin/false \
--system \
- "$site_user"
- sudo setfacl -m u:"$site_user":--x \
- /home/www/ \
- /home/www/pub/ \
- /home/www/pub/"$site_dir"/
- sudo setfacl -m d:u:"$site_user":rwx \
- "$home"/pub/www/"$site_dir"/
- test ! -r "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh ||
- . "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh
- test -e /etc/apache2/sites-enabled/"$site_dir" ||
- sudo a2ensite "$site_dir"
+ www."$site"
+ #sudo setfacl -m u:"www.$site":--x \
+ # /home/www/ \
+ # /home/www/pub/ \
+ # /home/www/pub/"$site"/
+ #sudo setfacl -m d:u:"www.$site":rwx \
+ # "$home"/pub/www/"$site"/
+ test ! -r "$tool"/etc/apache2/site.d/"$site"/configure.sh ||
+ . "$tool"/etc/apache2/site.d/"$site"/configure.sh
+ test -e /etc/apache2/sites-enabled/"$site" ||
+ sudo a2ensite "$site"
done
sudo service apache2 restart
}
@@ -305,7 +315,7 @@ rule_dovecot_configure () {
sudo install -m 400 -o root -g root \
"$tool"/var/pub/x509/$vm_domainname/imap/crt+crl.self-signed.pem \
/etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
- sudo install -d -m 770 -o root -g adm \
+ sudo install -d -m 770 -o root -g root \
/etc/skel/etc/mail \
/etc/skel/etc/sieve
sudo install -d -m 1777 -o root -g root \
@@ -413,24 +423,7 @@ rule_filesystem_configure () {
${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
EOF
- sudo install -m 644 -o root -g root /dev/stdin /etc/default/tmpfs <<-EOF
- LOCK_SIZE=5242880 # NOTE: 5MiB
- RAMLOCK=yes
- RAMSHM=yes
- RAMTMP=yes
- RUN_SIZE=10%
- SHM_SIZE=
- TMP_MODE=1777,nr_inodes=1000k,noatime
- TMP_OVERFLOW_LIMIT=1024
- # NOTE: mount tmpfs on /tmp if there is less than the limit size (in kiB)
- # on the root filesystem (overriding RAMTMP).
- TMP_SIZE=200m
- TMPFS_SIZE=20%VM
- EOF
- sudo install -m 775 -o root -g root \
- "$tool"/etc/init.d/tmpfs \
- /etc/init.d/tmpfs
- sudo update-rc.d tmpfs defaults
+ rule tmpfs_configure
}
rule_initramfs_configure () {
sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
@@ -607,10 +600,10 @@ rule_gitolite_configure () {
rmdir "$home"/etc/gitolite/"$d"
done
rule apt_get_install gitweb highlight
- #sudo sv restart spawn-fcgi.git.80.git.heureux-cyclage.org
+ #sudo sv restart fcgi.git.80.git.heureux-cyclage.org
#sudo sv restart git-daemon.git.9418
}
-rule_locale_configure () {
+rule_locales_configure () {
sudo debconf-set-selections <<-EOF
locales locales/default_environment_locale select None
locales locales/locales_to_be_generated multiselect fr_FR.UTF-8 UTF-8
@@ -726,7 +719,14 @@ rule_mail_configure () {
}
rule_mysql_configure () {
rule apt_get_install mysql-server-5.5
- sudo service mysql restart
+ sudo install -m 644 -o root -g root \
+ "$tool"/etc/mysql/my.cnf \
+ /etc/mysql/my.cnf
+ if test ! -d /home/mysql; then
+ sudo install -d -m 750 -o mysql -g mysql \
+ /home/mysql
+ sudo -u mysql mysql_install_db --no-defaults --datadir=/home/mysql/
+ fi
}
rule_network_configure () {
sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
@@ -796,7 +796,7 @@ rule_www_configure () {
sudo install -d -m 750 -o www -g www \
/home/www/etc
sudo install -d -m 1771 -o www-data -g www-data \
- /home/www/pub \
+ /home/www/pub
sudo install -d -m 1771 -o log.www -g log.www \
/home/www/log
}
@@ -826,13 +826,13 @@ rule_nginx_configure () {
done
for conf in "$tool"/etc/nginx/site.d/*/server.conf
do conf=${conf#"$tool"/etc/nginx/site.d/}
- local port site
- IFS=. read -r port site <<-EOF
+ local port domain
+ IFS=. read -r port domain <<-EOF
${conf%\/server\.conf}
EOF
assert 'test "${port:+set}"'
- assert 'test "${site:+set}"'
- site="$port.$site"
+ assert 'test "${domain:+set}"'
+ local site="$port.$domain"
getent passwd www."$site" >/dev/null ||
sudo adduser \
--disabled-login \
@@ -870,7 +870,7 @@ rule_nginx_configure () {
access_log /home/www/log/$site/nginx/access.log main;
error_log /home/www/log/$site/nginx/error.log warn;
root /home/www/pub/$site;
- server_name $site;
+ server_name $domain;
$(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
}
EOF
@@ -883,7 +883,7 @@ rule_nginx_configure () {
error_log /home/www/log/$site/nginx/error.log warn;
keepalive_timeout 70;
root /home/www/pub/$site;
- server_name $site;
+ server_name $domain;
# DOC: http://wiki.nginx.org/HttpSslModule
ssl on;
ssl_certificate /home/www/etc/nginx/site.d/$site/x509/crt.pem;
@@ -899,9 +899,9 @@ rule_nginx_configure () {
esac |
sudo install -m 660 -o www -g www /dev/stdin \
/etc/nginx/site.d/"$site"/server.conf
- adduser www-data "$site"
+ adduser www-data www."$site"
test -e /home/www/pub/"$site" ||
- sudo install -d -m 3770 -o "$site" -g "$site" \
+ sudo install -d -m 3770 -o www."$site" -g www."$site" \
/home/www/pub/"$site"
sudo install -d -m 3770 -o log."$site" -g log."$site" \
/home/www/log/"$site"/nginx
@@ -933,14 +933,14 @@ rule_php5_fpm_configure () {
sudo rm -f /etc/php5/fpm/pool.d/*
for conf in "$tool"/etc/php5/fpm/pool.d/*.conf
do conf=${conf#"$tool"/etc/php5/fpm/pool.d/}
- local port site
- IFS=. read -r port site <<-EOF
+ local port domain
+ IFS=. read -r port domain <<-EOF
${conf%\.conf}
EOF
assert 'test "${port:+set}"'
- assert 'test "${site:+set}"'
- site="$port.$site"
- getent passwd php5"$site" >/dev/null ||
+ assert 'test "${domain:+set}"'
+ local site="$port.$domain"
+ getent passwd php5."$site" >/dev/null ||
sudo adduser \
--disabled-login \
--disabled-password \
@@ -955,7 +955,7 @@ rule_php5_fpm_configure () {
/home/www/log/php5/fpm
sudo install -d -m 770 -o log."$site" -g log."$site" \
/home/www/log/"$site"
- sudo adduser php5."$user" www."$site"
+ sudo adduser php5."$site" www."$site"
sudo install -m 660 -o root -g root /dev/stdin \
/etc/php5/fpm/pool.d/"$conf" <<-EOF
[php5.$site]
@@ -1004,15 +1004,8 @@ rule_postfix_configure () {
sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
*.db
EOF
- sudo install -d -m 770 -o root -g root \
- /etc/postfix/$vm_domainname/ \
- /etc/postfix/$vm_domainname/smtp \
- /etc/postfix/$vm_domainname/smtp/x509 \
- /etc/postfix/$vm_domainname/smtp/x509/ca \
- /etc/postfix/$vm_domainname/smtpd \
- /etc/postfix/$vm_domainname/smtpd/x509 \
- /etc/postfix/$vm_domainname/smtpd/x509/ca
- sudo install -d -m 770 -o root -g root \
+ sudo install -d -m 771 -o root -g root \
+ /etc/postfix/ \
/etc/postfix/$vm_domainname/ \
/etc/postfix/$vm_domainname/smtp \
/etc/postfix/$vm_domainname/smtp/x509 \
@@ -1024,17 +1017,17 @@ rule_postfix_configure () {
../crt+crl.self-signed.pem \
/etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+crl.self-signed.pem \
- /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
+ "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \
+ /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/$vm_domainname/smtpd/crt.pem \
- /etc/postfix/$vm_domainname/smtpd/x509/crt.pem
+ "$tool"/var/pub/x509/smtpd.$vm_domainname/crt.pem \
+ /etc/postfix/$vm_domainname/smtpd/x509/crt.pem
sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+ca.pem \
- /etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem
+ "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+ca.pem \
+ /etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem
sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+crl.self-signed.pem \
- /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
+ "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \
+ /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
sudo install -m 660 -o root -g root \
"$tool"/etc/postfix/$vm_domainname/header_checks \
/etc/postfix/$vm_domainname/header_checks
@@ -1044,6 +1037,7 @@ rule_postfix_configure () {
abuse: root
admin: root
contact: root
+ mailer-daemon: root
postmaster: root
root: $(getent group sudo | cut -f 4 -d : | tr , ' ')
EOF
@@ -1091,6 +1085,12 @@ rule_postfix_configure () {
}
rule_postgresql_configure () {
rule apt_get_install postgresql-9.1
+ if [ ! -d /var/lib/postgresql/9.1/ ]; then
+ pg_createcluster -u postgres --start 9.1 main
+ fi
+ sudo install -m 660 -o root -g root \
+ "$tool"/etc/postgresql/9.1/main/postgresql.conf \
+ /etc/postgresql/9.1/main/postgresql.conf
sudo service postgresql restart
}
rule_openerp_configure () {
@@ -1106,22 +1106,32 @@ rule_postgrey_configure () {
}
rule_procmail_configure () {
rule apt_get_install procmail
- sudo install -d -m 770 -o root -g adm \
+ sudo install -d -m 770 -o root -g root \
/etc/skel/etc/mail \
/etc/skel/var/cache/mail \
/etc/skel/var/log/mail \
/etc/skel/var/mail
- sudo install -m 660 -o root -g adm \
+ sudo install -m 660 -o root -g root \
"$tool"/etc/skel/etc/mail/delivery.procmailrc \
/etc/skel/etc/mail/delivery.procmailrc
}
rule_runit_configure () {
rule apt_get_install runit
local -; set +f
- rm -f /etc/service/*
- # NOTE: runsvdir éteindra les services qui n'apparaîtront plus ici.
- for sv in "$tool"/etc/sv/*
- do sv=${sv#"$tool"/etc/sv/}
+ for sv in ${1-/etc/service/*}
+ # NOTE: stoppe les services en retenant leur status de départ
+ do sv=$(basename "$sv")
+ local sv_hash=$(printf %s "$sv" | sha1sum | cut -f 1 -d ' ')
+ local sv_status
+ IFS= read -r sv_status_$sv_hash <<-EOF
+ $(sv status "$sv")
+ EOF
+ rm -f /etc/service/"$sv"
+ done
+ for sv in ${1-"$tool"/etc/sv/*}
+ # NOTE: configure et (re-)démarre les services
+ do sv=$(basename "$sv")
+ local sv_hash=$(printf %s "$sv" | sha1sum | cut -f 1 -d ' ')
sudo install -d -m 770 -o root -g root \
/etc/sv/"$sv"
sudo install -m 770 -o root -g root \
@@ -1135,12 +1145,14 @@ rule_runit_configure () {
"$tool"/etc/sv/"$sv"/log/run \
/etc/sv/"$sv"/log/run
fi
- if test ! -x "$tool"/etc/sv/"$sv"/configure ||
- "$tool"/etc/sv/"$sv"/configure
- then
- ln -fns ../sv/"$sv" /etc/service/"$sv"
- sv restart "$sv"
- else
+ test ! -x "$tool"/etc/sv/"$sv"/configure ||
+ "$tool"/etc/sv/"$sv"/configure
+ ln -fns ../sv/"$sv" /etc/service/"$sv"
+ eval local sv_status=\"\${sv_status_$sv_hash-}\"
+ case $sv_status in
+ ("") sv start "$sv";;
+ (run:*) sv restart "$sv";;
+ esac
done
}
rule_ssh_configure () {
@@ -1205,6 +1217,26 @@ rule_sysctl_configure () {
done
sudo sysctl --system
}
+rule_tmpfs_configure () {
+ sudo install -m 644 -o root -g root /dev/stdin /etc/default/tmpfs <<-EOF
+ LOCK_SIZE=5242880 # NOTE: 5MiB
+ RAMLOCK=yes
+ RAMSHM=yes
+ RAMTMP=yes
+ RUN_SIZE=10%
+ SHM_SIZE=
+ TMP_MODE=1777,nr_inodes=1000k,noatime
+ TMP_OVERFLOW_LIMIT=1024
+ # NOTE: mount tmpfs on /tmp if there is less than the limit size (in kiB)
+ # on the root filesystem (overriding RAMTMP).
+ TMP_SIZE=200m
+ TMPFS_SIZE=20%VM
+ EOF
+ sudo install -m 775 -o root -g root \
+ "$tool"/etc/init.d/tmpfs \
+ /etc/init.d/tmpfs
+ sudo update-rc.d tmpfs defaults
+ }
rule_time_configure () {
sudo install -m 644 -o root -g root /dev/stdin /etc/timezone <<-EOF
Europe/Paris
@@ -1219,7 +1251,7 @@ rule_time_configure () {
rule_user_add () { # SYNTAX: $user
rule user_configure
local user=$1
- id "$user" >/dev/null ||
+ getent passwd "$user" >/dev/null ||
sudo adduser --disabled-password "$user"
# NOTE: le mot-de-passe doit être initialisé par l'utilisateur à l'aide de passwd-init .
eval local home\; home="~$user"
@@ -1233,30 +1265,31 @@ rule_user_add () { # SYNTAX: $user
done
}
rule_user_configure () {
- true
- }
-rule_user_admin_add () { # SYNTAX: $user
- rule user_configure
- local user=$1
- id "$user" >/dev/null ||
- sudo adduser --disabled-password "$user"
- eval local home\; home="~$user"
- sudo adduser "$user" sudo
- sudo adduser "$user" users
- sudo install -m 640 -o root -g root \
- "$tool"/var/pub/ssh/"$user".key \
- "$home"/etc/ssh/authorized_keys
- local key; local -; set +f
- for key in "$tool"/var/pub/openpgp/*.key
- do sudo -u "$user" gpg --import - <"$key"
- done
- rule user_admin_configure
- }
-rule_user_admin_configure () {
- rule initramfs_configure
- rule user_root_configure
- }
-rule_user_configure () {
+ sudo install -m 660 -o root -g root /dev/stdin \
+ /etc/adduser.conf <<-EOF
+ ADD_EXTRA_GROUPS=1
+ DHOME=/home
+ DIR_MODE=0750
+ DSHELL=/bin/bash
+ EXTRA_GROUPS="users"
+ FIRST_GID=1000
+ FIRST_SYSTEM_GID=100
+ FIRST_SYSTEM_UID=100
+ FIRST_UID=1000
+ GROUPHOMES=no
+ LAST_GID=29999
+ LAST_SYSTEM_GID=999
+ LAST_SYSTEM_UID=999
+ LAST_UID=29999
+ LETTERHOMES=no
+ NAME_REGEX="^[a-z][-a-z0-9_.]*\$"
+ QUOTAUSER="" # TODO: init
+ SETGID_HOME=no
+ SKEL=/etc/skel
+ SKEL_IGNORE_REGEX="dpkg-(old|new|dist|save)"
+ USERGROUPS=yes
+ USERS_GID=100
+ EOF
sudo install -d -m 750 -o root -g root \
/etc/skel \
/etc/skel/etc \
@@ -1300,6 +1333,26 @@ rule_user_configure () {
"$tool"/etc/screenrc \
/etc/screenrc
}
+rule_user_admin_add () { # SYNTAX: $user
+ rule user_configure
+ local user=$1
+ getent passwd "$user" >/dev/null ||
+ sudo adduser --disabled-password "$user"
+ eval local home\; home="~$user"
+ sudo adduser "$user" sudo
+ sudo install -m 640 -o root -g root \
+ "$tool"/var/pub/ssh/"$user".key \
+ "$home"/etc/ssh/authorized_keys
+ local key; local -; set +f
+ for key in "$tool"/var/pub/openpgp/*.key
+ do sudo -u "$user" gpg --import - <"$key"
+ done
+ rule user_admin_configure
+ }
+rule_user_admin_configure () {
+ rule initramfs_configure
+ rule user_root_configure
+ }
rule_user_root_configure () {
sudo install -d -m 750 -o root -g root \
/root/etc \
@@ -1326,7 +1379,7 @@ rule_configure () {
rule apt_configure
rule git_configure
rule etckeeper_configure
- rule locale_configure
+ rule locales_configure
rule time_configure
rule network_configure
rule filesystem_configure