dépôts / lhc / ateliers.git / blob
? search:


004ac6425f872c5a12378cd501f1c752ade10643
[lhc/ateliers.git] / vm_hosted
1 #!/bin/sh
2 set -e -f ${DRY_RUN:+-n} -u
3 tool=$0
4 while test -L "$tool"
5 do tool=$(readlink "$tool")
6 done
7 tool=${tool%/*}
8 . "$tool"/lib/rule.sh
9 . "$tool"/etc/vm.sh
10
11 rule_help () { # SYNTAX: [--hidden]
12 local hidden; [ ${1:+set} ] || hidden=set
13 cat >&2 <<-EOF
14 DESCRIPTION:
15 ce script regroupe des règles pour administrer la VM ($vm_fqdn)
16 _depuis_ la VM hébergée ($vm_fqdn) ;
17 il sert à la fois d'outil (aisément bidouillable)
18 et de documentation (préçise).
19 Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
20 SYNTAX: $0 \$RULE \${RULE}_SYNTAX
21 RULES:
22 $(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
23 ENVIRONMENT:
24 TRACE # affiche les commandes avant leur exécution
25 $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
26 EOF
27 }
28
29 rule_git_configure () {
30 (
31 cd "$tool"
32 git config --replace branch.master.remote .
33 git config --replace branch.master.merge refs/remotes/master
34 local tool
35 tool=$(cd "$tool"; cd -)
36 sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/
37 sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/vm
38 )
39 }
40 rule_git_reset () {
41 (
42 cd "$tool"
43 git checkout -f -B master remotes/master
44 git clean -f -d -x
45 )
46 }
47
48 rule_apt_get_install () { # SYNTAX: $package
49 sudo DEBIAN_FRONTEND=noninteractive apt-get install "$@"
50 }
51 rule_dpkg_reconfigure () { # SYNTAX: $package
52 sudo DEBIAN_FRONTEND=noninteractive dpkg-reconfigure "$@"
53 }
54
55 rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
56 export LANG=C
57 export LC_CTYPE=C
58 . /etc/profile
59 }
60
61 rule_apache2_configure () {
62 local -; set +f
63 rule apt_get_install \
64 apache2-mpm-itk \
65 libapache2-mod-php5
66 # VOIR: http://serverfault.com/questions/383526/how-do-i-select-which-apache-mpm-to-use/383634#383634
67 # VOIR: http://jkroon.blogs.uls.co.za/it/security/using-php-fpm-and-mod_proxy_fcgi-to-optimize-and-secure-lamp-servers
68 # NOTE: apache2-mpm-itk semble le plus sécurisé,
69 # car on est certain que tout est exécuté avec les uid/gid
70 # assignés au VirtualHost/Directory/Location
71 # néamoins il se peut qu'une combinaison du genre :
72 # apache2-mpm-{worker,event} + mod_proxy_fcgi + apache2-suexec-custom + php-fpm
73 # soit plus performante (threads et pas forks),
74 # cependant l'usage de suexec impose des forks il semble..
75 # et mod_proxy_fcgi n'apparaît que dans apache 2.4 ;
76 # donc pour l'instant : apache2-mpm-itk
77 rule www_configure
78 cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF |
79 ServerName "$vm_fqdn"
80 EOF
81 sudo install -m 660 -o root -g root /dev/stdin \
82 /etc/apache2/apache2.conf
83 sudo install -m 660 -o root -g root \
84 "$tool"/etc/apache2/envvars \
85 /etc/apache2/envvars
86 sudo install -m 660 -o root -g root \
87 "$tool"/etc/apache2/httpd.conf \
88 /etc/apache2/httpd.conf
89 #sudo install -m 660 -o root -g root /dev/stdin \
90 # /etc/apache2/suexec/www-data <<-EOF
91 # /home
92 # pub/www/cgi
93 # EOF
94 sudo install -m 660 -o root -g root \
95 "$tool"/etc/apache2/ports.conf \
96 /etc/apache2/ports.conf
97 sudo a2enmod actions
98 sudo a2enmod headers
99 sudo a2enmod rewrite
100 sudo a2enmod ssl
101 sudo a2enmod userdir
102 local conf
103 sudo a2dissite "*"
104 sudo ln -fns \
105 /etc/apache2 \
106 /home/www/etc/apache2
107 for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf
108 do conf=${conf#"$tool"/etc/apache2/site.d/}
109 local port site
110 IFS=. read -r port site <<-EOF
111 ${conf%\/VirtualHost\.conf}
112 EOF
113 assert 'test "${site:+set}"'
114 assert 'test "${port:+set}"'
115 local site_user="$user.$port.$site"
116 local site_dir="$user.$port.$site"
117 case $port in
118 (443)
119 local hint="run vm_remote apache2_key_send before"
120 assert "sudo test -f /etc/apache2/site.d/\"$site_dir\"/x509/key.pem" hint
121 sudo install -d -m 770 -o "$user" -g "$user" \
122 /etc/apache2 \
123 /etc/apache2/site.d/"$site_dir" \
124 /etc/apache2/site.d/"$site_dir"/x509 \
125 /etc/apache2/site.d/"$site_dir"/x509/ca \
126 /etc/apache2/site.d/"$site_dir"/x509/empty \
127 /etc/apache2/site.d/"$site_dir"/x509/rvk \
128 /etc/apache2/site.d/"$site_dir"/x509/usr
129 sudo install -m 664 -o www -g www \
130 "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
131 /etc/apache2/site.d/"$site_dir"/x509/crt.self-signed.pem
132 #sudo install -m 664 -o "$user" -g "$user" \
133 # "$tool"/var/pub/x509/"$site"/rvk.pem \
134 # /etc/apache2/site.d/"$site_dir"/x509/rvk.pem
135 sudo install -m 664 -o www -g www \
136 "$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \
137 /etc/apache2/site.d/"$site_dir"/x509/ca/crt.pem
138 sudo install -m 664 -o www -g www \
139 "$tool"/var/pub/x509/"$site"/crt.pem \
140 /etc/apache2/site.d/"$site_dir"/x509/crt.pem
141 ;;
142 esac
143 case $port in
144 (80)
145 cat <<-EOF
146 <VirtualHost *:$port>
147 AssignUserID $site_user $site_user
148 CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
149 #CustomLog "/dev/null" Combined
150 DocumentRoot /home/www/pub/$site_dir
151 ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
152 #ErrorLog "/dev/null"
153 ServerName $site
154 LogLevel Warn
155 $(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
156 </VirtualHost>
157 EOF
158 ;;
159 (443)
160 cat <<-EOF
161 <IfModule mod_ssl.c>
162 <VirtualHost *:$port>
163 AssignUserID $site_user $site_user
164 BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0
165 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
166 CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
167 #CustomLog "/dev/null" Combined
168 DocumentRoot /home/www/pub/$site_dir
169 ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
170 #ErrorLog "/dev/null"
171 LogLevel Warn
172 ServerName $site
173 SSLCACertificateFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
174 SSLCACertificatePath /etc/apache2/site.d/$site_dir/x509/usr/
175 #SSLCARevocationFile /etc/apache2/site.d/$site_dir/x509/rvk.pem
176 SSLCADNRequestFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
177 SSLCADNRequestPath /etc/apache2/site.d/$site_dir/x509/empty/
178 # NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés
179 SSLCARevocationPath /etc/apache2/site.d/$site_dir/x509/rvk/
180 SSLCertificateChainFile /etc/apache2/site.d/$site_dir/x509/ca/crt.pem
181 SSLCertificateFile /etc/apache2/site.d/$site_dir/x509/crt.pem
182 SSLCertificateKeyFile /etc/apache2/site.d/$site_dir/x509/key.pem
183 SSLCipherSuite AES+RSA+SHA256
184 SSLEngine On
185 SSLInsecureRenegotiation Off
186 SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars
187 SSLProtocol -All +TLSv1
188 #SSLRenegBufferSize 262144
189 SSLSessionCacheTimeout 1200
190 SSLStrictSNIVHostCheck On
191 SSLUserName SSL_CLIENT_S_DN_CN
192 SSLVerifyClient None
193 SSLVerifyDepth 1
194 $(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
195 </VirtualHost>
196 </IfModule>
197 EOF
198 ;;
199 esac |
200 sudo install -m 660 -o root -g root /dev/stdin \
201 /etc/apache2/site.d/"$site_dir"/VirtualHost.conf
202 sudo ln -fns \
203 ../site.d/"$site_dir"/VirtualHost.conf \
204 /etc/apache2/sites-available/"$site_dir"
205 sudo install -d -m 770 -o "$user" -g "$user" \
206 /home/www/log/"$site_dir" \
207 /home/www/log/"$site_dir"/apache2
208 sudo ln -fns \
209 /etc/apache2/site.d/"$site_dir" \
210 /home/www/etc/apache2/"$site_dir"
211 test -e /home/www/pub/"$site_dir" ||
212 sudo install -d -m 770 -o "$user" -g "$user" \
213 /home/www/pub/"$site_dir"
214 getent passwd "$site_user" >/dev/null ||
215 sudo adduser \
216 --disabled-password \
217 --group \
218 --no-create-home \
219 --home /home/www/pub/"$site_dir" \
220 --shell /bin/false \
221 --system \
222 "$site_user"
223 sudo setfacl -m u:"$site_user":--x \
224 /home/www/ \
225 /home/www/pub/ \
226 /home/www/pub/"$site_dir"/
227 sudo setfacl -m d:u:"$site_user":rwx \
228 "$home"/pub/www/"$site_dir"/
229 test ! -r "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh ||
230 . "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh
231 test -e /etc/apache2/sites-enabled/"$site_dir" ||
232 sudo a2ensite "$site_dir"
233 done
234 sudo service apache2 restart
235 }
236 rule_apt_configure () {
237 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
238 deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
239 EOF
240 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF
241 #deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
242 EOF
243 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
244 Package: *
245 Pin: release a=$vm_lsb_name
246 Pin-Priority: 170
247
248 Package: *
249 Pin: release a=$vm_lsb_name-backports
250 Pin-Priority: 200
251 EOF
252 sudo apt-get update
253 rule apt_get_install apticron
254 sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF
255 EMAIL="admin@$vm_domainname"
256 # DIFF_ONLY="1"
257 # LISTCHANGES_PROFILE="apticron"
258 # ALL_FQDNS="1"
259 # SYSTEM="foobar.example.com"
260 # IPADDRESSNUM="1"
261 # IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
262 # NOTIFY_HOLDS="0"
263 # NOTIFY_NEW="0"
264 # NOTIFY_NO_UPDATES="0"
265 # CUSTOM_SUBJECT=""
266 # CUSTOM_NO_UPDATES_SUBJECT=""
267 # CUSTOM_FROM="root@$vm_fqdn"
268 EOF
269 }
270 rule_boot_configure () {
271 #warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
272 sudo debconf-set-selections <<-EOF
273 grub-pc grub-pc/install_devices multiselect
274 EOF
275 rule apt_get_install grub-pc
276 sudo install -d -m 644 -o root -g root /boot/grub
277 rule apt_get_install linux-image-$vm_arch
278 sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF
279 GRUB_DEFAULT=0
280 GRUB_TIMEOUT=5
281 GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
282 GRUB_CMDLINE_LINUX_DEFAULT="quiet"
283 GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
284 GRUB_DISABLE_RECOVERY="true"
285 #GRUB_PRELOAD_MODULES="lvm"
286 EOF
287 sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF
288 (hd0) /dev/xvda
289 (hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
290 EOF
291 sudo update-grub2 # NOTE: prend en compte /boot/grub/device.map
292 rule initramfs_configure
293 rule apt_get_install molly-guard
294 sudo install -m 644 -o root -g root /dev/stdin /etc/molly-guard/rc <<-EOF
295 ALWAYS_QUERY_HOSTNAME=true
296 # NOTE: une alternative est de dire à sudo de conserver les SSH_*
297 # néamoins demander tout le temps n'est pas trop contraignant
298 # et davantage sécurisant.
299 EOF
300 }
301 rule_dovecot_configure () {
302 rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
303 local hint="run vm_remote dovecot_key_send before"
304 assert "sudo test -f /etc/dovecot/\"$vm_domainname\"/imap/x509/key.pem" hint
305 sudo install -m 400 -o root -g root \
306 "$tool"/var/pub/x509/$vm_domainname/imap/crt+crl.self-signed.pem \
307 /etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
308 sudo install -d -m 770 -o root -g adm \
309 /etc/skel/etc/mail \
310 /etc/skel/etc/sieve
311 sudo install -d -m 1777 -o root -g root \
312 /var/lib/dovecot-control \
313 /var/lib/dovecot-index
314 sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
315 auth_ssl_username_from_cert = yes
316 listen = *
317 log_timestamp = "%Y-%m-%d %H:%M:%S "
318 mail_debug = yes
319 mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
320 # NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
321 # VOIR: http://wiki2.dovecot.org/Quota/FS
322 mail_plugins = \$mail_plugins quota
323 mail_privileged_group = mail
324 passdb {
325 args = /home/%u/etc/dovecot/passwd
326 driver = passwd-file
327 }
328 plugin {
329 quota = fs:user
330 recipient_delimiter = +
331 sieve = ~/etc/mail/filter.sieve
332 sieve_dir = ~/etc/mail/sieve
333 sieve_global_dir = /var/lib/dovecot/sieve/global/
334 sieve_max_script_size = 1M
335 sieve_quota_max_scripts = 0
336 sieve_quota_max_storage = 10M
337 sieve_user_log = ~/var/log/mail/sieve.log
338 }
339 protocol imap {
340 mail_plugins = \$mail_plugins imap_quota
341 }
342 protocol lda {
343 auth_socket_path = /var/run/dovecot/auth-master
344 hostname = $vm_domainname
345 info_log_path =
346 log_path =
347 mail_plugins = \$mail_plugins sieve
348 postmaster_address = contact+dovecot+lda@$vm_domainname
349 syslog_facility = mail
350 }
351 protocols = imap sieve
352 service auth {
353 user = root
354 unix_listener /var/spool/postfix/private/auth {
355 mode = 0660
356 user = postfix
357 group = postfix
358 }
359 }
360 ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
361 ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
362 ssl_cipher_list = AES256-SHA
363 ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
364 ssl_verify_client_cert = yes
365 userdb {
366 driver = passwd
367 }
368 verbose_ssl = no
369 EOF
370 sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
371 #!/bin/sh -efux
372 # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
373 install -d -m 770 ~/etc/dovecot
374 install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
375 \$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
376 _EOF
377 EOF
378 sudo install -m 664 -o root -g root /dev/stdin /etc/postgrey/whitelist_recipients.local <<-EOF
379 EOF
380 sudo service dovecot restart
381 }
382 rule_etckeeper_configure () {
383 sudo install -m 644 -o root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
384 VCS=git
385 GIT_COMMIT_OPTIONS=""
386 AVOID_DAILY_AUTOCOMMITS=1
387 #AVOID_SPECIAL_FILE_WARNING=1
388 AVOID_COMMIT_BEFORE_INSTALL=1
389 HIGHLEVEL_PACKAGE_MANAGER=apt
390 LOWLEVEL_PACKAGE_MANAGER=dpkg
391 EOF
392 sudo install -m 644 -o root -g root \
393 "$tool"/etc/etckeeper/prompt.sh \
394 /etc/etckeeper/prompt.sh
395 rule apt_get_install etckeeper
396 }
397 rule_filesystem_configure () {
398 sudo install -m 644 -o root -g root /dev/stdin /etc/fstab <<-EOF
399 # <file system> <mount point> <type> <options> <dump> <pass>
400 LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
401 proc /proc proc defaults 0 0
402 sysfs /sys sysfs defaults 0 0
403 /dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
404 /dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
405 /dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
406 # NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
407 /dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
408 EOF
409 sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF
410 # <target name> <source device> <key file> <options>
411 ${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
412 ${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
413 ${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
414 ${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
415 EOF
416 sudo install -m 644 -o root -g root /dev/stdin /etc/default/tmpfs <<-EOF
417 LOCK_SIZE=5242880 # NOTE: 5MiB
418 RAMLOCK=yes
419 RAMSHM=yes
420 RAMTMP=yes
421 RUN_SIZE=10%
422 SHM_SIZE=
423 TMP_MODE=1777,nr_inodes=1000k,noatime
424 TMP_OVERFLOW_LIMIT=1024
425 # NOTE: mount tmpfs on /tmp if there is less than the limit size (in kiB)
426 # on the root filesystem (overriding RAMTMP).
427 TMP_SIZE=200m
428 TMPFS_SIZE=20%VM
429 EOF
430 sudo install -m 775 -o root -g root \
431 "$tool"/etc/init.d/tmpfs \
432 /etc/init.d/tmpfs
433 sudo update-rc.d tmpfs defaults
434 }
435 rule_initramfs_configure () {
436 sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
437 MODULES=most
438 BUSYBOX=y
439 KEYMAP=y
440 COMPRESS=gzip
441 DEVICE=eth0
442 EOF
443 sudo install -m 644 -o root -g root /dev/stdin /etc/modprobe.d/xen-pv.conf <<-EOF
444 alias eth0 xennet
445 alias scsi_hostadapter xenblk
446 EOF
447 sudo install -m 644 -o root -g root /dev/stdin /etc/modules <<-EOF
448 sha1_generic
449 sha256_generic
450 sha512_generic
451 aes-x86_64
452 xts
453 # NOTE: pour Xen en mode HVM :
454 #modprobe xen-platform-pci
455 EOF
456 sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF
457 EOF
458 sudo sed -e '/^configure_networking /s/ &$//' \
459 -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
460 # NOTE: corrige une vermine : dropbear doit attendre que le réseau soit configuré..
461 ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
462 ( while IFS= read -r line
463 do case $line in (*" RSA") return 0; break;; esac
464 done; return 1 ) ||
465 {
466 sudo rm -f \
467 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
468 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
469 sudo dropbearkey -t rsa -s 4096 -f \
470 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
471 }
472 # NOTE: ne se préoccupe pas de dropbear_dss_host_key ; Debian la génère et l'utilise néamoins.
473 sudo install -d -m 640 -o root -g root \
474 /etc/initramfs-tools/root \
475 /etc/initramfs-tools/root/.ssh
476 getent group sudo |
477 while IFS=: read -r group x x users
478 do while test -n "$users" && IFS=, read -r user users <<-EOF
479 $users
480 EOF
481 do eval local home\; home="~$user"
482 cat "$home"/etc/ssh/authorized_keys
483 done
484 done |
485 sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys
486 sudo rm -f \
487 /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
488 /etc/initramfs-tools/root/.ssh/id_rsa.pub \
489 /etc/initramfs-tools/root/.ssh/id_rsa
490 # NOTE: clefs générées par Debian
491 sudo update-initramfs -u
492 }
493 rule_locale_configure () {
494 sudo debconf-set-selections <<-EOF
495 locales locales/default_environment_locale select None
496 locales locales/locales_to_be_generated multiselect fr_FR.UTF-8 UTF-8
497 EOF
498 rule dpkg_reconfigure locales
499 }
500 rule_login_configure () {
501 sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF
502 # /etc/inittab: init(8) configuration.
503
504 # The default runlevel.
505 id:2:initdefault:
506
507 # Boot-time system configuration/initialization script.
508 # This is run first except when booting in emergency (-b) mode.
509 si::sysinit:/etc/init.d/rcS
510
511 # What to do in single-user mode.
512 ~~:S:wait:/sbin/sulogin
513
514 # /etc/init.d executes the S and K scripts upon change
515 # of runlevel.
516 #
517 # Runlevel 0 is halt.
518 # Runlevel 1 is single-user.
519 # Runlevels 2-5 are multi-user.
520 # Runlevel 6 is reboot.
521
522 l0:0:wait:/etc/init.d/rc 0
523 l1:1:wait:/etc/init.d/rc 1
524 l2:2:wait:/etc/init.d/rc 2
525 l3:3:wait:/etc/init.d/rc 3
526 l4:4:wait:/etc/init.d/rc 4
527 l5:5:wait:/etc/init.d/rc 5
528 l6:6:wait:/etc/init.d/rc 6
529 # Normally not reached, but fallthrough in case of emergency.
530 z6:6:respawn:/sbin/sulogin
531
532 # What to do when CTRL-ALT-DEL is pressed.
533 ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
534
535 # What to do when the power fails/returns.
536 pf::powerwait:/etc/init.d/powerfail start
537 pn::powerfailnow:/etc/init.d/powerfail now
538 po::powerokwait:/etc/init.d/powerfail stop
539
540 # Xen hypervisor console
541 hvc:2345:respawn:/sbin/getty 38400 hvc0
542 #xvc:2345:respawn:/sbin/getty 38400 xvc0
543 EOF
544 sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF
545 MAIL_DIR /var/mail
546 FAILLOG_ENAB yes
547 LOG_UNKFAIL_ENAB no
548 LOG_OK_LOGINS no
549 SYSLOG_SU_ENAB yes
550 SYSLOG_SG_ENAB yes
551 FTMP_FILE /var/log/btmp
552 SU_NAME su
553 HUSHLOGIN_FILE .hushlogin
554 ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
555 ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
556 # NOTE: met les sbin/ dans ENV_PATH ;
557 # - ça n'apporte aucune protection de ne pas les mettre ;
558 # - ça frustre de ne pas les trouver.
559 TTYGROUP tty
560 TTYPERM 0600
561 ERASECHAR 0177
562 KILLCHAR 025
563 UMASK 007
564 # NOTE: rwxrwx--- ;
565 # - donne une même confiance au groupe propriétaire qu'au propriétaire ;
566 # - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
567 PASS_MAX_DAYS 99999
568 PASS_MIN_DAYS 0
569 PASS_WARN_AGE 7
570 UID_MIN 1000
571 UID_MAX 60000
572 GID_MIN 1000
573 GID_MAX 60000
574 LOGIN_RETRIES 3
575 LOGIN_TIMEOUT 60
576 CHFN_RESTRICT rwh
577 DEFAULT_HOME yes
578 USERGROUPS_ENAB yes
579 ENCRYPT_METHOD SHA512
580 EOF
581 grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
582 sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF
583 $(cat /etc/pam.d/common-session)
584 session optional pam_umask.so
585 EOF
586 grep -q '^hvc0$' /etc/securetty ||
587 sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
588 $(cat /etc/securetty)
589 hvc0
590 EOF
591 grep -q '^xvc0$' /etc/securetty ||
592 sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
593 $(cat /etc/securetty)
594 xvc0
595 EOF
596 }
597 rule_mail_configure () {
598 rule postfix_configure
599 rule postgrey_configure
600 rule procmail_configure
601 rule dovecot_configure
602 }
603 rule_mysql_configure () {
604 rule apt_get_install mysql-server-5.5
605 sudo service mysql restart
606 }
607 rule_network_configure () {
608 sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
609 $vm
610 EOF
611 grep -q " $vm\$" /etc/hosts ||
612 sudo install -m 644 -o root -g root /dev/stdin /etc/hosts <<-EOF
613 $(cat /etc/hosts)
614 127.0.0.1 $vm_fqdn $vm
615 EOF
616 sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF
617 auto lo
618 iface lo inet loopback
619
620 auto eth0=grenode
621 iface grenode inet static
622 address $vm_ipv4
623 gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
624 network $vm_ipv4
625 broadcast $vm_ipv4
626 netmask 255.255.255.255
627 mtu 1300
628 # NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
629 # car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
630 #
631 # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
632 # PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
633 # 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
634 #
635 # --- soupirail.grenode.net ping statistics ---
636 # 1 packets transmitted, 1 received, 0% packet loss, time 0ms
637 # rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
638 # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
639 # PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
640 # From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
641 #
642 # --- soupirail.grenode.net ping statistics ---
643 # 0 packets transmitted, 0 received, +1 errors
644 post-up ip address add $vm_ipv4/32 dev \$IFACE
645 pre-down ip address delete $vm_ipv4/32 dev \$IFACE
646 EOF
647 }
648 rule_www_configure () {
649 getent passwd www >/dev/null ||
650 sudo adduser \
651 --disabled-login \
652 --disabled-password \
653 --group \
654 --home /home/www \
655 --shell /bin/false \
656 --system \
657 www
658 sudo adduser \
659 --disabled-login \
660 --disabled-password \
661 --group \
662 --home ~www/log \
663 --shell /bin/false \
664 --system \
665 log.www
666 #sudo adduser www www-data
667 sudo adduser www log.www
668 #sudo adduser log log.www
669 usermod --home /home/www/pub www-data
670 sudo install -d -m 751 -o www -g www \
671 /home/www
672 sudo install -d -m 750 -o www -g www \
673 /home/www/etc
674 sudo install -d -m 1771 -o www-data -g www-data \
675 /home/www/pub \
676 sudo install -d -m 1771 -o log.www -g log.www \
677 /home/www/log
678 }
679 rule_nginx_configure () {
680 local -; set +f
681 rule apt_get_install nginx
682 rule www_configure
683 sudo rm -rf \
684 /etc/nginx/conf.d \
685 /etc/nginx/site.d
686 sudo install -d -m 770 -o www -g www \
687 /etc/nginx \
688 /etc/nginx/conf.d \
689 /etc/nginx/site.d
690 sudo ln -fns \
691 /etc/nginx \
692 /home/www/etc/nginx
693 sudo install -m 660 -o www -g www \
694 "$tool"/etc/nginx/nginx.conf \
695 /etc/nginx/nginx.conf
696 local conf
697 for conf in "$tool"/etc/nginx/conf.d/*.conf
698 do conf=${conf#"$tool"/etc/nginx/conf.d/}
699 sudo install -m 660 -o www -g www \
700 "$tool"/etc/nginx/conf.d/"$conf" \
701 /etc/nginx/conf.d/"$conf"
702 done
703 for conf in "$tool"/etc/nginx/site.d/*/server.conf
704 do conf=${conf#"$tool"/etc/nginx/site.d/}
705 local port site
706 IFS=. read -r port site <<-EOF
707 ${conf%\/server\.conf}
708 EOF
709 assert 'test "${port:+set}"'
710 assert 'test "${site:+set}"'
711 site="$port.$site"
712 getent passwd www."$site" >/dev/null ||
713 sudo adduser \
714 --disabled-login \
715 --disabled-password \
716 --group \
717 --home ~www-data/"$site" \
718 --shell /bin/false \
719 --system \
720 www."$site"
721 getent passwd log."$site" >/dev/null ||
722 sudo adduser \
723 --disabled-login \
724 --disabled-password \
725 --group \
726 --shell /bin/false \
727 --system \
728 log."$site"
729 sudo usermod --home ~www/log/"$site"/nginx log."$site"
730 sudo install -d -m 770 -o www -g www \
731 /etc/nginx/site.d/"$site"
732 case $port in
733 (443)
734 local hint="run vm_remote nginx_key_send before"
735 assert "sudo test -f /etc/nginx/\"$site\"/x509/key.pem" hint
736 sudo install -m 664 -o www -g www \
737 "$tool"/var/pub/x509/"$site"/crt+ca.pem \
738 /etc/nginx/site.d/"$site"/x509/crt.pem
739 ;;
740 esac
741 case $port in
742 (80)
743 cat <<-EOF
744 server {
745 listen $port;
746 access_log /home/www/log/$site/nginx/access.log main;
747 error_log /home/www/log/$site/nginx/error.log warn;
748 root /home/www/pub/$site;
749 server_name $site;
750 $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
751 }
752 EOF
753 ;;
754 (443)
755 cat <<-EOF
756 server {
757 listen $port;
758 access_log /home/www/log/$site/nginx/access.log main;
759 error_log /home/www/log/$site/nginx/error.log warn;
760 keepalive_timeout 70;
761 root /home/www/pub/$site;
762 server_name $site;
763 # DOC: http://wiki.nginx.org/HttpSslModule
764 ssl on;
765 ssl_certificate /home/www/etc/nginx/site.d/$site/x509/crt.pem;
766 ssl_certificate_key /home/www/etc/nginx/site.d/$site/x509/key.pem;
767 ssl_ciphers HIGH:!ADH:!MD5;
768 ssl_prefer_server_ciphers on;
769 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
770 ssl_session_cache shared:SSL:10m;
771 $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
772 }
773 EOF
774 ;;
775 esac |
776 sudo install -m 660 -o www -g www /dev/stdin \
777 /etc/nginx/site.d/"$site"/server.conf
778 adduser www-data "$site"
779 test -e /home/www/pub/"$site" ||
780 sudo install -d -m 3770 -o "$site" -g "$site" \
781 /home/www/pub/"$site"
782 sudo install -d -m 3770 -o log."$site" -g log."$site" \
783 /home/www/log/"$site"/nginx
784 test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
785 . "$tool"/etc/nginx/site.d/"$site"/configure.sh
786 done
787 rule apt_get_install spawn-fcgi fcgiwrap
788 sudo insserv --remove fcgiwrap
789 rule tmpfs_configure
790 sudo service nginx restart
791 }
792 rule_php5_fpm_configure () {
793 local -; set +f
794 rule apt_get_install \
795 php5-fpm \
796 php-apc
797 getent passwd php5 >/dev/null ||
798 sudo adduser \
799 --disabled-login \
800 --disabled-password \
801 --group \
802 --shell /bin/false \
803 --system \
804 php5
805 local conf
806 sudo ln -fns \
807 /etc/php5-fpm \
808 /home/www/etc/php5
809 sudo rm -f /etc/php5/fpm/pool.d/*
810 for conf in "$tool"/etc/php5/fpm/pool.d/*.conf
811 do conf=${conf#"$tool"/etc/php5/fpm/pool.d/}
812 local port site
813 IFS=. read -r port site <<-EOF
814 ${conf%\.conf}
815 EOF
816 assert 'test "${port:+set}"'
817 assert 'test "${site:+set}"'
818 site="$port.$site"
819 getent passwd php5"$site" >/dev/null ||
820 sudo adduser \
821 --disabled-login \
822 --disabled-password \
823 --group \
824 --no-create-home \
825 --home ~www/pub/"$site" \
826 --shell /bin/false \
827 --system \
828 php5."$site"
829 sudo install -d -m 770 -o php5 -g php5 \
830 /home/www/log/php5 \
831 /home/www/log/php5/fpm
832 sudo install -d -m 770 -o log."$site" -g log."$site" \
833 /home/www/log/"$site"
834 sudo adduser php5."$user" www."$site"
835 sudo install -m 660 -o root -g root /dev/stdin \
836 /etc/php5/fpm/pool.d/"$conf" <<-EOF
837 [php5.$site]
838 access.log = /home/www/log/$site/php5/fpm/access.log
839 catch_workers_output = yes
840 chdir = /
841 env[HOSTNAME] = \$HOSTNAME
842 env[TEMP] = /tmp
843 env[TMPDIR] = /tmp
844 env[TMP] = /tmp
845 group = www-data
846 listen = /run/nginx/fastcgi/php5.$site
847 #listen = 127.0.0.1:9000
848 #listen.allowed_clients = 127.0.0.1
849 listen.backlog = -1
850 pm = dynamic
851 pm.max_children = 5
852 pm.max_requests = 200
853 pm.max_spare_servers = 4
854 pm.min_spare_servers = 2
855 pm.start_servers = 3
856 pm.status_path = /status
857 request_slowlog_timeout = 5s
858 request_terminate_timeout = 120s
859 rlimit_core = unlimited
860 rlimit_files = 131072
861 slowlog = /home/www/log/$site/php5/fpm/slow.log
862 user = $php5_user
863 $(cat "$tool"/etc/php5/fpm/pool.d/"$conf")
864 EOF
865 sudo install -m 664 -o root -g root \
866 "$tool"/etc/php5/fpm/php.ini \
867 /etc/php5/fpm/php.ini
868 done
869 rule tmpfs_configure
870 sudo service php5-fpm restart
871 }
872 rule_postfix_configure () {
873 local hint="run vm_remote postfix_key_send before"
874 assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
875 #warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
876 sudo debconf-set-selections <<-EOF
877 postfix postfix/main_mailer_type select No configuration
878 EOF
879 rule apt_get_install postfix
880 sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
881 *.db
882 EOF
883 sudo install -d -m 770 -o root -g root \
884 /etc/postfix/$vm_domainname/ \
885 /etc/postfix/$vm_domainname/smtp \
886 /etc/postfix/$vm_domainname/smtp/x509 \
887 /etc/postfix/$vm_domainname/smtp/x509/ca \
888 /etc/postfix/$vm_domainname/smtpd \
889 /etc/postfix/$vm_domainname/smtpd/x509 \
890 /etc/postfix/$vm_domainname/smtpd/x509/ca
891 sudo install -d -m 770 -o root -g root \
892 /etc/postfix/$vm_domainname/ \
893 /etc/postfix/$vm_domainname/smtp \
894 /etc/postfix/$vm_domainname/smtp/x509 \
895 /etc/postfix/$vm_domainname/smtp/x509/ca \
896 /etc/postfix/$vm_domainname/smtpd \
897 /etc/postfix/$vm_domainname/smtpd/x509 \
898 /etc/postfix/$vm_domainname/smtpd/x509/ca
899 sudo ln -fns \
900 ../crt+crl.self-signed.pem \
901 /etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
902 sudo install -m 400 -o root -g root \
903 "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+crl.self-signed.pem \
904 /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
905 sudo install -m 400 -o root -g root \
906 "$tool"/var/pub/x509/$vm_domainname/smtpd/crt.pem \
907 /etc/postfix/$vm_domainname/smtpd/x509/crt.pem
908 sudo install -m 400 -o root -g root \
909 "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+ca.pem \
910 /etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem
911 sudo install -m 400 -o root -g root \
912 "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+crl.self-signed.pem \
913 /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
914 sudo install -m 660 -o root -g root \
915 "$tool"/etc/postfix/$vm_domainname/header_checks \
916 /etc/postfix/$vm_domainname/header_checks
917 sudo install -m 664 -o root -g root /dev/stdin \
918 /etc/postfix/aliases <<-EOF
919 # See man 5 aliases for format
920 abuse: root
921 admin: root
922 contact: root
923 postmaster: root
924 root: $(getent group sudo | cut -f 4 -d : | tr , ' ')
925 EOF
926 sudo newaliases -oA/etc/postfix/aliases
927 cat /dev/stdin "$tool"/etc/postfix/main.cf <<-EOF |
928 mydomain = $vm_domainname
929 myorigin = \$mydomain
930 myhostname = $vm_hostname.\$mydomain
931 mail_name = \$myhostname
932 mydestination = $vm_hostname \$myhostname \$myorigin
933 EOF
934 sudo install -m 664 -o root -g root /dev/stdin \
935 /etc/postfix/main.cf
936 sudo install -m 664 -o root -g root \
937 "$tool"/etc/postfix/master.cf \
938 /etc/postfix/master.cf
939 sudo install -m 660 -o root -g root \
940 "$tool"/etc/postfix/$vm_domainname/smtp/x509/policy \
941 /etc/postfix/$vm_domainname/smtp/x509/policy
942 sudo postmap hash:/etc/postfix/$vm_domainname/smtp/x509/policy
943 sudo install -m 660 -o root -g root \
944 "$tool"/etc/postfix/$vm_domainname/smtp/header_checks \
945 /etc/postfix/$vm_domainname/smtp/header_checks
946 sudo install -m 660 -o root -g root \
947 "$tool"/etc/postfix/$vm_domainname/smtpd/sender_access \
948 /etc/postfix/$vm_domainname/smtpd/sender_access
949 sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/sender_access
950 sudo install -m 660 -o root -g root \
951 "$tool"/etc/postfix/$vm_domainname/smtpd/client_blacklist \
952 /etc/postfix/$vm_domainname/smtpd/client_blacklist
953 sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/client_blacklist
954 sudo install -m 660 -o root -g root \
955 "$tool"/etc/postfix/$vm_domainname/smtpd/relay_clientcerts \
956 /etc/postfix/$vm_domainname/smtpd/relay_clientcerts
957 sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/relay_clientcerts
958 sudo install -m 660 -o root -g root \
959 "$tool"/etc/postfix/$vm_domainname/transport \
960 /etc/postfix/$vm_domainname/transport
961 sudo postmap hash:/etc/postfix/$vm_domainname/transport
962 sudo install -m 660 -o root -g root \
963 "$tool"/etc/postfix/$vm_domainname/virtual_alias \
964 /etc/postfix/$vm_domainname/virtual_alias
965 sudo postmap hash:/etc/postfix/$vm_domainname/virtual_alias
966 sudo service postfix restart
967 }
968 rule_openerp_configure () {
969 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
970 deb http://nightly.openerp.com/trunk/nightly/deb/ ./
971 EOF
972 sudo apt-get update
973 rule apt_get_install openerp
974 }
975 rule_postgrey_configure () {
976 rule apt_get_install postgrey
977 sudo service postgrey restart
978 }
979 rule_procmail_configure () {
980 rule apt_get_install procmail
981 sudo install -d -m 770 -o root -g adm \
982 /etc/skel/etc/mail \
983 /etc/skel/var/cache/mail \
984 /etc/skel/var/log/mail \
985 /etc/skel/var/mail
986 sudo install -m 660 -o root -g adm \
987 "$tool"/etc/skel/etc/mail/delivery.procmailrc \
988 /etc/skel/etc/mail/delivery.procmailrc
989 }
990 rule_ssh_configure () {
991 ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
992 ( while IFS= read -r line
993 do case $line in (*" RSA") return 0; break;; esac
994 done; return 1 ) ||
995 sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
996 sudo rm -f \
997 /etc/ssh/ssh_host_dsa_key \
998 /etc/ssh/ssh_host_dsa_key.pub \
999 /etc/ssh/ssh_host_ecdsa_key \
1000 /etc/ssh/ssh_host_ecdsa_key.pub
1001 # NOTE: clefs générées par Debian
1002 sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
1003 Port 22
1004 ListenAddress $vm_ipv4
1005 #ListenAddress ::
1006 Protocol 2
1007 Compression yes
1008 HostKey /etc/ssh/ssh_host_rsa_key
1009 UsePrivilegeSeparation yes
1010 KeyRegenerationInterval 3600
1011 ServerKeyBits 768
1012 SyslogFacility AUTH
1013 LogLevel INFO
1014 LoginGraceTime 120
1015 PermitRootLogin yes
1016 StrictModes yes
1017 RSAAuthentication yes
1018 PubkeyAuthentication yes
1019 AuthorizedKeysFile %h/etc/ssh/authorized_keys
1020 IgnoreRhosts yes
1021 RhostsRSAAuthentication no
1022 HostbasedAuthentication no
1023 IgnoreUserKnownHosts no
1024 PermitEmptyPasswords no
1025 ChallengeResponseAuthentication no
1026 PasswordAuthentication no
1027 KerberosAuthentication no
1028 GSSAPIAuthentication no
1029 X11Forwarding no
1030 X11DisplayOffset 10
1031 PrintMotd no
1032 DebianBanner no
1033 PrintLastLog yes
1034 TCPKeepAlive yes
1035 ClientAliveInterval 0
1036 AcceptEnv LANG LC_*
1037 Subsystem sftp /usr/lib/openssh/sftp-server
1038 UsePAM yes
1039 EOF
1040 sudo service ssh restart
1041 }
1042 rule_sysctl_configure () {
1043 local -; set +f
1044 for conf in "$tool"/etc/sysctl.d/*.conf
1045 do conf=${conf#"$tool"/etc/sysctl.d/}
1046 sudo install -m 660 -o root -g root \
1047 "$tool"/etc/sysctl.d/"$conf" \
1048 /etc/sysctl.d/"$conf"
1049 done
1050 sudo sysctl --system
1051 }
1052 rule_time_configure () {
1053 sudo install -m 644 -o root -g root /dev/stdin /etc/timezone <<-EOF
1054 Europe/Paris
1055 EOF
1056 sudo debconf-set-selections <<-EOF
1057 tzdata tzdata/Areas select Europe
1058 tzdata tzdata/Zones/Europe select Paris
1059 EOF
1060 rule dpkg_reconfigure tzdata
1061 rule apt_get_install ntp
1062 }
1063 rule_user_add () { # SYNTAX: $user
1064 rule user_configure
1065 local user=$1
1066 id "$user" >/dev/null ||
1067 sudo adduser --disabled-password "$user"
1068 # NOTE: le mot-de-passe doit être initialisé par l'utilisateur à l'aide de passwd-init .
1069 eval local home\; home="~$user"
1070 sudo adduser "$user" users
1071 sudo install -m 640 -o root -g root \
1072 "$tool"/var/pub/ssh/"$user".key \
1073 "$home"/etc/ssh/authorized_keys
1074 local key; local -; set +f
1075 for key in "$tool"/var/pub/openpgp/*.key
1076 do sudo -u "$user" gpg --import - <"$key"
1077 done
1078 }
1079 rule_user_configure () {
1080 true
1081 }
1082 rule_user_admin_add () { # SYNTAX: $user
1083 rule user_configure
1084 local user=$1
1085 id "$user" >/dev/null ||
1086 sudo adduser --disabled-password "$user"
1087 eval local home\; home="~$user"
1088 sudo adduser "$user" sudo
1089 sudo adduser "$user" users
1090 sudo install -m 640 -o root -g root \
1091 "$tool"/var/pub/ssh/"$user".key \
1092 "$home"/etc/ssh/authorized_keys
1093 local key; local -; set +f
1094 for key in "$tool"/var/pub/openpgp/*.key
1095 do sudo -u "$user" gpg --import - <"$key"
1096 done
1097 rule user_admin_configure
1098 }
1099 rule_user_admin_configure () {
1100 rule initramfs_configure
1101 rule user_root_configure
1102 }
1103 rule_user_configure () {
1104 sudo install -d -m 750 -o root -g adm \
1105 /etc/skel/etc \
1106 /etc/skel/etc/gpg \
1107 /etc/skel/etc/ssh
1108 sudo install -d -m 770 -o root -g adm \
1109 /etc/skel/var \
1110 /etc/skel/var/cache \
1111 /etc/skel/var/log \
1112 /etc/skel/var/run \
1113 /etc/skel/var/run/ssh
1114 sudo ln -fns etc/ssh /etc/skel/.ssh
1115 sudo ln -fns etc/gpg /etc/skel/.gnupg
1116 sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
1117 %sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
1118 case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
1119 ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
1120 EOF
1121 sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF
1122 %sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
1123 EOF
1124 sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/env_keep <<-EOF
1125 Defaults env_keep = " \\
1126 EDITOR \\
1127 GIT_AUTHOR_NAME \\
1128 GIT_AUTHOR_EMAIL \\
1129 GIT_COMMITTER_NAME \\
1130 GIT_COMMITTER_EMAIL \\
1131 "
1132 EOF
1133 sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF
1134 #!/bin/sh -efu
1135 # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
1136 sudo /bin/sh -e -f -u -c \
1137 'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
1138 EOF
1139 sudo install -m 644 -o root -g root \
1140 "$tool"/etc/bash.bashrc \
1141 /etc/bash.bashrc
1142 sudo install -m 644 -o root -g root \
1143 "$tool"/etc/screenrc \
1144 /etc/screenrc
1145 }
1146 rule_user_root_configure () {
1147 sudo install -d -m 750 -o root -g adm \
1148 /root/etc \
1149 /root/etc/gpg \
1150 /root/etc/ssh
1151 sudo ln -fns etc/gpg /root/.gnupg
1152 sudo ln -fns etc/ssh /root/.ssh
1153 getent group sudo |
1154 while IFS=: read -r group x x users
1155 do while test -n "$users" && IFS=, read -r user users <<-EOF
1156 $users
1157 EOF
1158 do eval local home\; home="~$user"
1159 cat "$home"/etc/ssh/authorized_keys
1160 done
1161 done |
1162 sudo install -m 640 -o root -g root /dev/stdin /root/etc/ssh/authorized_keys
1163 local key; local -; set +f
1164 for key in "$tool"/var/pub/openpgp/*.key
1165 do sudo gpg --import "$key"
1166 done
1167 }
1168 rule_configure () {
1169 rule apt_configure
1170 rule git_configure
1171 rule etckeeper_configure
1172 rule locale_configure
1173 rule time_configure
1174 rule network_configure
1175 rule filesystem_configure
1176 rule login_configure
1177 rule ssh_configure
1178 rule user_root_configure
1179 rule boot_configure
1180 rule sysctl_configure
1181 rule user_configure
1182 rule mail_configure
1183 #rule apache2_configure
1184 rule nginx_configure
1185 rule php5_fpm_configure
1186 }
1187
1188 rule_luks_key_change () {
1189 sudo cryptsetup luksChangeKey /dev/$vm_lvm_vg/${vm_lvm_lv}_root
1190 }
1191
1192 rule=${1:-help}
1193 ${1+shift}
1194 case $rule in
1195 (help);;
1196 (*)
1197 assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
1198 ;;
1199 esac
1200 rule $rule "$@"
outils d'administration d'ateliers.heureux-cyclage.org