X-Git-Url: https://git.cyclocoop.org/?a=blobdiff_plain;f=vm_hosted;fp=vm_hosted;h=ed42445f9fd41537e00370ca956452b3593a2609;hb=8eb1ec9c265b8994222499cfcc0ca376d4efbdb3;hp=a502f9dbb8005e47af836542ad54f3abbbbc1f1e;hpb=e3ac8939191e19965d4645676f38ef011fc9874f;p=lhc%2Fateliers.git diff --git a/vm_hosted b/vm_hosted index a502f9d..ed42445 100755 --- a/vm_hosted +++ b/vm_hosted @@ -260,21 +260,11 @@ rule_apt_configure () { EOF sudo apt-get update rule apt_get_install apticron - sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF - EMAIL="admin@$vm_domainname" - # DIFF_ONLY="1" - # LISTCHANGES_PROFILE="apticron" - # ALL_FQDNS="1" - # SYSTEM="foobar.example.com" - # IPADDRESSNUM="1" - # IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1" - # NOTIFY_HOLDS="0" - # NOTIFY_NEW="0" - # NOTIFY_NO_UPDATES="0" - # CUSTOM_SUBJECT="" - # CUSTOM_NO_UPDATES_SUBJECT="" - # CUSTOM_FROM="root@$vm_fqdn" - EOF + m4 \ + --define=VM_DOMAINNAME=$vm_domainname \ + <"$tool"/etc/apticron/apticron.conf.m4 | + sudo install -m 644 -o root -g root /dev/stdin \ + /etc/apticron/apticron.conf } rule_boot_configure () { #warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !" @@ -321,62 +311,11 @@ rule_dovecot_configure () { sudo install -d -m 1777 -o root -g root \ /var/lib/dovecot-control \ /var/lib/dovecot-index - sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF - auth_ssl_username_from_cert = yes - listen = * - log_timestamp = "%Y-%m-%d %H:%M:%S " - mail_debug = yes - mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u - # NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc - # VOIR: http://wiki2.dovecot.org/Quota/FS - mail_plugins = \$mail_plugins quota - mail_privileged_group = mail - passdb { - args = /home/%u/etc/dovecot/passwd - driver = passwd-file - } - plugin { - quota = fs:user - recipient_delimiter = + - sieve = ~/etc/mail/filter.sieve - sieve_dir = ~/etc/mail/sieve - sieve_global_dir = /var/lib/dovecot/sieve/global/ - sieve_max_script_size = 1M - sieve_quota_max_scripts = 0 - sieve_quota_max_storage = 10M - sieve_user_log = ~/var/log/mail/sieve.log - } - protocol imap { - mail_plugins = \$mail_plugins imap_quota - } - protocol lda { - auth_socket_path = /var/run/dovecot/auth-master - hostname = $vm_domainname - info_log_path = - log_path = - mail_plugins = \$mail_plugins sieve - postmaster_address = contact+dovecot+lda@$vm_domainname - syslog_facility = mail - } - protocols = imap sieve - service auth { - user = root - unix_listener /var/spool/postfix/private/auth { - mode = 0660 - user = postfix - group = postfix - } - } - ssl_ca = - LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0 - proc /proc proc defaults 0 0 - sysfs /sys sysfs defaults 0 0 - /dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1 - /dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1 - /dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0 - # NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers. - /dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0 - EOF - sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF - # - ${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg - ${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived - ${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived - ${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived - EOF + m4 \ + --define=VM_LVM_LV=$vm_lvm_lv \ + --define=VM_LVM_VG=$vm_lvm_vg \ + <"$tool"/etc/fstab.m4 | + sudo install -m 644 -o root -g root /dev/stdin \ + /etc/fstab + m4 \ + --define=VM_LVM_LV=$vm_lvm_lv \ + --define=VM_LVM_VG=$vm_lvm_vg \ + <"$tool"/etc/crypttab.m4 | + sudo install -m 644 -o root -g root /dev/stdin \ + /etc/crypttab rule tmpfs_configure } rule_initramfs_configure () { @@ -607,90 +538,12 @@ rule_locales_configure () { rule dpkg_reconfigure locales } rule_login_configure () { - sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF - # /etc/inittab: init(8) configuration. - - # The default runlevel. - id:2:initdefault: - - # Boot-time system configuration/initialization script. - # This is run first except when booting in emergency (-b) mode. - si::sysinit:/etc/init.d/rcS - - # What to do in single-user mode. - ~~:S:wait:/sbin/sulogin - - # /etc/init.d executes the S and K scripts upon change - # of runlevel. - # - # Runlevel 0 is halt. - # Runlevel 1 is single-user. - # Runlevels 2-5 are multi-user. - # Runlevel 6 is reboot. - - l0:0:wait:/etc/init.d/rc 0 - l1:1:wait:/etc/init.d/rc 1 - l2:2:wait:/etc/init.d/rc 2 - l3:3:wait:/etc/init.d/rc 3 - l4:4:wait:/etc/init.d/rc 4 - l5:5:wait:/etc/init.d/rc 5 - l6:6:wait:/etc/init.d/rc 6 - # Normally not reached, but fallthrough in case of emergency. - z6:6:respawn:/sbin/sulogin - - # What to do when CTRL-ALT-DEL is pressed. - ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now - - # What to do when the power fails/returns. - pf::powerwait:/etc/init.d/powerfail start - pn::powerfailnow:/etc/init.d/powerfail now - po::powerokwait:/etc/init.d/powerfail stop - - # Xen hypervisor console - hvc:2345:respawn:/sbin/getty 38400 hvc0 - #xvc:2345:respawn:/sbin/getty 38400 xvc0 - - #-- runit begin - SV:123456:respawn:/usr/sbin/runsvdir-start - #-- runit end - EOF - sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF - MAIL_DIR /var/mail - FAILLOG_ENAB yes - LOG_UNKFAIL_ENAB no - LOG_OK_LOGINS no - SYSLOG_SU_ENAB yes - SYSLOG_SG_ENAB yes - FTMP_FILE /var/log/btmp - SU_NAME su - HUSHLOGIN_FILE .hushlogin - ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin - ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin - # NOTE: met les sbin/ dans ENV_PATH ; - # - ça n'apporte aucune protection de ne pas les mettre ; - # - ça frustre de ne pas les trouver. - TTYGROUP tty - TTYPERM 0600 - ERASECHAR 0177 - KILLCHAR 025 - UMASK 007 - # NOTE: rwxrwx--- ; - # - donne une même confiance au groupe propriétaire qu'au propriétaire ; - # - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire. - PASS_MAX_DAYS 99999 - PASS_MIN_DAYS 0 - PASS_WARN_AGE 7 - UID_MIN 1000 - UID_MAX 60000 - GID_MIN 1000 - GID_MAX 60000 - LOGIN_RETRIES 3 - LOGIN_TIMEOUT 60 - CHFN_RESTRICT rwh - DEFAULT_HOME yes - USERGROUPS_ENAB yes - ENCRYPT_METHOD SHA512 - EOF + sudo install -m 644 -o root -g root \ + "$tool"/etc/inittab \ + /etc/inittab + sudo install -m 644 -o root -g root \ + "$tool"/etc/login.defs \ + /etc/login.defs grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session || sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF $(cat /etc/pam.d/common-session) @@ -808,37 +661,11 @@ rule_network_configure () { search ${vm_host#*.} nameserver ${vm_host_nameserver} EOF - sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF - auto lo - iface lo inet loopback - - auto eth0=grenode - iface grenode inet static - address $vm_ipv4 - gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse - network $vm_ipv4 - broadcast $vm_ipv4 - netmask 255.255.255.255 - mtu 1300 - # NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode - # car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose. - # - # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net - # PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data. - # 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms - # - # --- soupirail.grenode.net ping statistics --- - # 1 packets transmitted, 1 received, 0% packet loss, time 0ms - # rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms - # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net - # PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data. - # From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300) - # - # --- soupirail.grenode.net ping statistics --- - # 0 packets transmitted, 0 received, +1 errors - post-up ip address add $vm_ipv4/32 dev \$IFACE - pre-down ip address delete $vm_ipv4/32 dev \$IFACE - EOF + m4 \ + --define=VM_IPV4=$vm_ipv4 \ + <"$tool"/etc/network/interfaces.m4 | + sudo install -m 640 -o root -g root /dev/stdin \ + /etc/network/interfaces } rule_nginx_configure () { local -; set +f @@ -920,7 +747,7 @@ rule_nginx_configure () { } rule_nsd3_configure () { # NOTE: DNS autoritaire uniquement local -; set +f - rule apt_get_install nsd m4 + rule apt_get_install nsd rule insserv_remove nsd3 sudo rm -rf \ /etc/nsd3/zone.d @@ -1225,7 +1052,19 @@ rule_postgresql_configure () { --socketdir=/run/postgresql \ 9.1 main fi - sudo install -m 770 -o postgres -g postgres /dev/stdin \ + + sudo install -m 640 -o postgres -g postgres /dev/stdin \ + /etc/postgresql/9.1/main/pg_ctl.conf <<-EOF + pg_ctl_options = '' + EOF + sudo install -m 640 -o postgres -g postgres /dev/stdin \ + /etc/postgresql/9.1/main/pg_ident.conf <<-EOF + # MAPNAME SYSTEM-USERNAME PG-USERNAME + EOF + sudo install -m 640 -o postgres -g postgres /dev/stdin \ + /etc/postgresql/9.1/main/start.conf <<-EOF + EOF + sudo install -m 640 -o postgres -g postgres /dev/stdin \ /etc/postgresql/9.1/main/pg_hba.conf <<-EOF local all postgres peer local all all peer @@ -1236,7 +1075,7 @@ rule_postgresql_configure () { rule runit_sv_configure postgres rule runit_sv_restart postgres while ! sudo -u postgres psql