X-Git-Url: https://git.cyclocoop.org/?a=blobdiff_plain;f=vm_hosted;h=c0193150da97652f8d749a6f6f47a3528019248a;hb=7dfa5cc70cc4219ac73876528d211f5c465e3812;hp=91ec25ae0babdd15b705013bb33943849999f1bc;hpb=a34a5ff2b077d249462b1626b706d8dc21347f5a;p=lhc%2Fateliers.git
diff --git a/vm_hosted b/vm_hosted
index 91ec25a..c019315 100755
--- a/vm_hosted
+++ b/vm_hosted
@@ -511,7 +511,7 @@ rule_gitolite_configure () {
  --shell /bin/false \
  --system
 sudo adduser git git-data
- sudo install -d -m 770 -o git -g git \
+ sudo install -d -m 750 -o git -g git \
  /etc/gitolite \
  /home/git/etc \
  /home/git/etc/ssh
@@ -717,28 +717,78 @@ rule_mysql_configure () { --disabled-password \ --group \ --home /home/mysql/data \ + --no-create-home \ --shell /bin/false \ --system sudo usermod --home /home/mysql mysql sudo adduser mysql mysql-data - sudo install -m 640 -o mysql -g mysql \ + sudo install -m 644 -o mysql -g mysql \ "$tool"/etc/mysql/my.cnf \ /etc/mysql/my.cnf sudo install -d -m 751 -o mysql -g mysql \ /home/mysql - sudo install -d -m 750 -o mysql-data -g mysql-data \ - /home/mysql/data - if test ! -d /home/mysql/data + sudo rm -rf /etc/mysql + sudo install -d -m 750 -o mysql -g mysql \ + /etc/mysql \ + /home/mysql/etc + sudo ln -fns \ + /etc/mysql \ + /home/mysql/etc/mysql + if sudo test ! -d /home/mysql/data then + sudo install -d -m 750 -o mysql -g mysql-data \ + /home/mysql/data sudo -u mysql mysql_install_db \ - --no-defaults \ - --datadir=/home/mysql/data + --datadir=/home/mysql/data \ + --no-defaults fi sudo service tmpfs restart + sudo insserv -r mysql + sudo chmod ugo-x /etc/init.d/mysql case $(sudo sv status mysql || true) in - (run:*) sudo sv restart mysql + (''|run:*|*"s, normally up;"*) + sudo sv restart mysql + case $(sudo inotifywait -e create -- /run/mysqld/sock/) in + ("/run/mysqld/sock/ CREATE mysql") + # NOTE: + # - ajoute l'accès par socket Unix à mysql + # - ajoute les droits de super-utilisateur à mysql + # - supprime l'accès par mot-de-passe à root + # - supprime les bases de données de l'utilisateurice anonyme + # - supprime l'utilisateurice anonyme + # NOTE: mémo : + # GRANT USAGE ON *.* TO 'root'@'*' IDENTIFIED WITH auth_socket; + # CREATE USER 'root'@'localhost' IDENTIFIED WITH auth_socket; + # UPDATE mysql.user SET Password='' WHERE user='root'; + # DELETE FROM mysql.user WHERE user = 'root' AND host NOT IN ('localhost', '127.0.0.1', '::1'); + sudo mysql -u root --batch --verbose <<-EOF + DELETE FROM mysql.user WHERE user = 'root' and plugin = ''; + GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' IDENTIFIED WITH auth_socket; + UPDATE 
mysql.user SET grant_priv='Y',super_priv='Y' WHERE user='mysql'; + DELETE FROM mysql.db WHERE user = ''; + DELETE FROM mysql.user WHERE user = ''; + FLUSH PRIVILEGES; + EOF + ;; + esac esac } +rule_mysql_db_add () { # SYNTAX: $user $db + sudo -u mysql mysql --batch <<-EOF + DROP DATABASE IF EXISTS $db; + CREATE DATABASE $db CHARACTER SET utf8 COLLATE utf8_general_ci; + GRANT ALL PRIVILEGES ON $base.* TO '$user'@'localhost' IDENTIFIED WITH auth_socket; + FLUSH PRIVILEGES; + EOF + } +rule_mysql_user_add () { # SYNTAX: $user + sudo mysql -u mysql --batch <<-EOF || true + DROP USER '$user'@'localhost'; + EOF + sudo mysql -u mysql --batch <<-EOF + CREATE USER '$user'@'localhost' IDENTIFIED WITH auth_socket; + EOF + } rule_network_configure () { sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF $vm @@ -748,6 +798,10 @@ rule_network_configure () { $(cat /etc/hosts) 127.0.0.1 $vm_fqdn $vm EOF + sudo install -m 644 -o root -g root /dev/stdin /etc/resolv.conf <<-EOF + search ${vm_host#*.} + nameserver ${vm_host_nameserver} + EOF sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF auto lo iface lo inet loopback @@ -853,7 +907,9 @@ rule_nginx_configure () { done rule apt_get_install spawn-fcgi fcgiwrap sudo insserv --remove fcgiwrap + sudo chmod ugo-x /etc/init.d/fcgiwrap #sudo insserv --remove nginx + #sudo chmod ugo-x /etc/init.d/nginx rule tmpfs_configure sudo service php5-fpm restart # NOTE: relance les processus du pool @@ -901,6 +957,7 @@ rule_nsd3_configure () { # NOTE: DNS autoritaire uniquement } | sudo install -m 640 -o root -g nsd /dev/stdin \ /etc/nsd3/nsd.conf + sudo nsdc rebuild sudo service nsd3 restart } rule_php5_fpm_configure () { 
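Review bot: `sudo rm -rf /etc/mysql` runs after `sudo install -m 644 -o mysql -g mysql "$tool"/etc/mysql/my.cnf /etc/mysql/my.cnf`, so the my.cnf that was just installed is deleted and the recreated /etc/mysql is left without it (along with whatever the package shipped in that directory); the my.cnf install belongs below the `sudo install -d -m 750 -o mysql -g mysql /etc/mysql /home/mysql/etc` line. In `rule_mysql_db_add` the GRANT reads `ON $base.*` while the function only documents `$user $db` and never sets `$base`, so the privilege lands on whatever `$base` happens to hold — it should be `ON $db.*`, and both helpers would be safer with `local user="$1" db="$2"` as the postgresql helpers do, since they splice unquoted identifiers straight into SQL. The `DELETE FROM mysql.user WHERE user = 'root' and plugin = ''` is executed before the auth_socket grant to 'mysql'@'localhost' has taken effect, so if that GRANT fails the server is left with no usable administrative account; running the DELETE last, after the new account is verified, is the defensive order. `inotifywait -e create` is only started after `sv restart mysql`, so if the socket is created before inotifywait is listening the case never matches and the script blocks indefinitely — polling `test -S /run/mysqld/sock/mysql` with a bounded retry would not have that race. rule_mysql_configure's body begins outside the hunk.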
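Review bot: `rule_network_configure` now writes /etc/resolv.conf, and `rule_unbound_configure` added later in this commit overwrites the same file with `nameserver 127.0.0.1`, so the effective resolver depends on which rule ran last; either drop this block or make one rule the sole owner of that file. `${vm_host_nameserver}` is expanded unquoted with no default, so an unset variable yields a bare `nameserver` line that is likely ignored silently — `${vm_host_nameserver:?}` would fail loudly instead. rule_network_configure's body starts and ends outside the hunk.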
@@ -1102,14 +1159,118 @@ rule_postfix_configure () { sudo service postfix restart } rule_postgresql_configure () { + # DOC: http://wiki.postgresql.org/wiki/Shared_Database_Hosting rule apt_get_install postgresql-9.1 - if [ ! -d /var/lib/postgresql/9.1/ ]; then - pg_createcluster -u postgres --start 9.1 main - fi - sudo install -m 660 -o root -g root \ - "$tool"/etc/postgresql/9.1/main/postgresql.conf \ - /etc/postgresql/9.1/main/postgresql.conf - sudo service postgresql restart + rule adduser postgres \ + --disabled-login \ + --disabled-password \ + --group \ + --home /home/postgresql \ + --shell /bin/false \ + --system + rule adduser postgres-data \ + --disabled-login \ + --disabled-password \ + --group \ + --home /home/postgresql/data \ + --no-create-home \ + --shell /bin/false \ + --system + sudo usermod --home /home/postgresql postgres + sudo adduser postgres postgres-data + sudo rm -rf \ + /etc/postgresql + sudo install -d -m 750 -o postgres -g postgres \ + /home/postgresql \ + /home/postgresql/etc \ + /etc/postgresql \ + /etc/postgresql/9.1 \ + /etc/postgresql/9.1/main + sudo ln -fns \ + /etc/postgresql \ + /home/postgresql/etc/postgresql + sudo install -d -m 751 -o postgres -g postgres \ + /home/postgresql/log \ + /home/postgresql/log/9.1 + sudo service tmpfs restart + if sudo test ! 
-d /home/postgresql/data + then + sudo install -d -m 750 -o postgres -g postgres \ + /home/postgresql/data + ( + cd / + sudo -u postgres pg_createcluster \ + --datadir=/home/postgresql/data \ + --logfile=/home/postgresql/log/9.1/main \ + --socketdir=/run/postgresql/sock \ + --start 9.1 main + ) + fi + sudo install -m 770 -o postgres -g postgres /dev/stdin \ + /etc/postgresql/9.1/main/pg_hba.conf <<-EOF + local all postgres peer + local all all peer + EOF + sudo install -m 660 -o postgres -g postgres \ + "$tool"/etc/postgresql/9.1/main/postgresql.conf \ + /etc/postgresql/9.1/main/postgresql.conf + sudo insserv -r postgresql + sudo chmod ugo-x /etc/init.d/postgresql + case $(sudo sv status postgres || true) in + (''|run:*|*"s, normally up;"*) + sudo sv restart postgres + ( + cd / + case $(sudo inotifywait -e create -- /run/postgresql/sock/) in + ("/run/postgresql/sock/ CREATE .s.PGSQL."*) + # NOTE: + # - supprime l'accès au schéma public depuis public, + # de sorte à ce que les différents utilisateurices + # ne voient pas leurs bases de données entre-elleux ; + # - ajoute le support de PL/PGSQL. + sudo -u postgres psql template1 -f - <<-EOF + REVOKE ALL ON DATABASE template1 FROM public; + REVOKE ALL ON SCHEMA public FROM public; + GRANT ALL ON SCHEMA public TO postgres; + CREATE LANGUAGE plpgsql; + EOF + # NOTE: + # - supprime l'accès à la liste des bases données + # et utilisateurices depuis public. 
+ sudo -u postgres psql template1 -f - <<-EOF + REVOKE ALL ON pg_auth_members FROM public; + REVOKE ALL ON pg_authid FROM public; + REVOKE ALL ON pg_database FROM public; + REVOKE ALL ON pg_group FROM public; + REVOKE ALL ON pg_roles FROM public; + REVOKE ALL ON pg_settings FROM public; + REVOKE ALL ON pg_tablespace FROM public; + REVOKE ALL ON pg_user FROM public; + EOF + ;; + esac + ) + ;; + esac + } +rule_postgresql_db_add () { # SYNTAX: $db $db_user + local db="$1" db_user="$2" + sudo -u postgresql psql template1 -f - <<-EOF + CREATE ROLE $db NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT NOLOGIN; + CREATE ROLE $db_user NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT LOGIN ENCRYPTED; + GRANT $db TO $db_user; + CREATE DATABASE $db WITH OWNER=$db_user; + REVOKE ALL ON DATABASE $db FROM public; + EOF + } +rule_postgresql_db_user_add () { # SYNTAX: $db $user + local db="$1" user="$2" + sudo -u postgresql psql template1 -f - <<-EOF + CREATE ROLE $user NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT LOGIN ENCRYPTED; + GRANT USAGE ON SCHEMA public TO $user; + GRANT CONNECT,TEMPORARY ON DATABASE $db TO $user; + GRANT $db TO $user; + EOF } rule_openerp_configure () { sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF @@ -1133,7 +1294,7 @@ rule_procmail_configure () { "$tool"/etc/skel/etc/mail/delivery.procmailrc \ /etc/skel/etc/mail/delivery.procmailrc } -rule_runit_configure () { +rule_runit_configure () { # SYNTAX: $service rule apt_get_install runit local -; set +f for sv in ${1-/etc/service/*} 
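Review bot: `rule_postgresql_db_add` and `rule_postgresql_db_user_add` run `sudo -u postgresql psql`, but the account created above is `postgres` (`rule adduser postgres`), so both helpers will fail with an unknown user unless a `postgresql` account exists elsewhere; change them to `sudo -u postgres psql template1 -f - <<-EOF`. `pg_hba.conf` is installed with `-m 770`, which adds execute and group-write bits a configuration file does not need (the adjacent postgresql.conf keeps 660); `sudo install -m 640 -o postgres -g postgres /dev/stdin \` is enough for the server to read it. `CREATE ROLE $db_user NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT LOGIN ENCRYPTED;` looks like a syntax error, since ENCRYPTED is only valid as a modifier of PASSWORD; the intent seems to be a login role with no password that relies on the `peer` rules above, so dropping ENCRYPTED (here and in db_user_add) is probably what is wanted. `CREATE LANGUAGE plpgsql;` in template1 will presumably report an error on 9.1, where plpgsql is installed by default; `CREATE EXTENSION IF NOT EXISTS plpgsql;` keeps the run clean. The same inotifywait ordering race as in the mysql hunk applies to `inotifywait -e create -- /run/postgresql/sock/`.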
@@ -1283,6 +1444,23 @@ rule_time_configure () {
 rule dpkg_reconfigure tzdata
 rule apt_get_install ntp
 }
+rule_unbound_configure () {
+ sudo apt-get install unbound m4
+ sudo install -m 644 -o root -g root /dev/stdin /etc/resolv.conf <<-EOF
+ search ${vm_host#*.}
+ nameserver 127.0.0.1
+ #nameserver ${vm_host_nameserver}
+ EOF
+ sudo install -m 440 -o unbound -g unbound \
+ "$tool"/etc/unbound/named.cache \
+ /etc/unbound/named.cache
+ m4 \
+ --define=OUTGOING_INTERFACE=$vm_ipv4 \
+ <"$tool"/etc/unbound/unbound.conf |
+ sudo install -m 440 -o unbound -g unbound /dev/stdin \
+ /etc/unbound/unbound.conf
+ sudo service unbound restart
+ }
 rule_user_add () { # SYNTAX: $user
 rule user_configure
 local user=$1
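Review bot: `sudo apt-get install unbound m4` bypasses the `rule apt_get_install` helper used everywhere else in the file (see the `rule apt_get_install ntp` context line just above), so it presumably runs interactively and without whatever options the helper applies; use `rule apt_get_install unbound m4`. `--define=OUTGOING_INTERFACE=$vm_ipv4` is unquoted and has no default, so an unset `$vm_ipv4` silently produces an empty define and unbound falls back to whatever its own default interface selection is; `--define=OUTGOING_INTERFACE="${vm_ipv4:?}"` fails early instead. This rule also overwrites the /etc/resolv.conf that `rule_network_configure` writes in the same commit, so one of the two should own that file.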