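#!/bin/sh
# DESCRIPTION: rules to administer the VM from inside the hosted VM itself
# (see rule_help below); the host-side counterpart is vm_host.
# ENVIRONMENT: DRY_RUN — when set, the shell only parses the script (set -n).
set -e -f ${DRY_RUN:+-n} -u
# Locate the tool directory even when this script is reached through a
# symlink (rule_git_configure installs one under /usr/local/sbin).
tool=$0
while test -L "$tool"
do link=$(readlink "$tool")
case $link in
(/*) tool=$link;;
# FIX: a relative link target is relative to the symlink's own directory,
# not to the current directory, so re-anchor it there before the next readlink.
(*) case $tool in
(*/*) tool=${tool%/*}/$link;;
(*) tool=$link;;
esac;;
esac
done
unset link
# FIX: a bare script name (no slash, e.g. `sh vm_hosted`) has no directory
# part to strip; stripping nothing used to leave the file name as "$tool".
case $tool in
(*/*) tool=${tool%/*};;
(*) tool=.;;
esac
. "$tool"/lib/rule.sh
. "$tool"/etc/vm.sh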
10
rule_help () { # SYNTAX: [--hidden]
# Prints this tool's usage on stderr: a description, the rule list (extracted
# with sed from the `rule_* () { # ...` headers of etc/vm.sh and of this
# script) and the readonly settings documented the same way.
# Any argument (conventionally --hidden) also lists the rules whose name
# starts with an underscore; without one they are filtered out.
local hidden
case "${1:-}" in
('') hidden=set;;
esac
cat <<-EOF >&2
DESCRIPTION:
ce script regroupe des règles pour administrer la VM ($vm_fqdn)
_depuis_ la VM hébergée ($vm_fqdn) ;
il sert à la fois d'outil (aisément bidouillable)
et de documentation (préçise).
Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
SYNTAX: $0 \$RULE \${RULE}_SYNTAX
RULES:
$(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
ENVIRONMENT:
TRACE # affiche les commandes avant leur exécution
$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
EOF
}
28
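rule_git_configure () {
# Makes the tool's checkout track its own "master" remote-tracking branch
# (what rule_git_reset resets to) and publishes this script as
# /usr/local/sbin/vm_hosted and /usr/local/sbin/vm.
# Runs in a subshell so the caller's cwd and the global $tool are untouched.
(
cd "$tool"
git config --replace branch.master.remote .
git config --replace branch.master.merge refs/remotes/master
# The symlinks need an absolute target. After the cd above, $PWD is the tool
# directory whatever form $tool had.
# FIX: the previous `cd "$tool"; cd -` trick re-entered $tool from inside
# $tool, which fails when $tool is a relative path other than ".".
local tool
tool=$(pwd)
sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/
sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/vm
)
}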
rule_git_reset () {
# Throws away every local change in the tool's checkout: master is forced
# back onto the remote-tracking master and untracked/ignored files are
# deleted. The cd happens in a subshell so the caller's cwd is untouched.
local checkout=$tool
(
cd "$checkout"
git checkout -f -B master remotes/master
git clean -f -d -x
)
}
47
rule_apt_get_install () { # SYNTAX: $package
# Installs the given package(s) without debconf prompts; the other rules
# reach it through `rule apt_get_install`.
local frontend=DEBIAN_FRONTEND=noninteractive
sudo "$frontend" apt-get install "$@"
}
rule_dpkg_reconfigure () { # SYNTAX: $package
# Re-runs a package's configuration without debconf prompts (answers are
# expected to have been pre-seeded with debconf-set-selections).
set -- DEBIAN_FRONTEND=noninteractive dpkg-reconfigure "$@"
sudo "$@"
}
54
rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
# (header note, kept verbatim because rule_help prints it: "is this really
# useful at some point?")
# Gives the current shell a C locale and re-reads /etc/profile; intended
# for a chroot. Hidden rule (leading underscore): only `rule_help --hidden`
# lists it.
local lc
for lc in LANG LC_CTYPE
do export "$lc"=C
done
. /etc/profile
}
60
rule_apache2_configure () {
# Installs apache2 (itk MPM + mod_php5), writes the global configuration from
# "$tool"/etc/apache2, then generates one VirtualHost per directory
# "$tool"/etc/apache2/site.d/<port>.<site>/ (80 → plain, 443 → TLS) with a
# dedicated system account per site (itk's AssignUserID) and its log/pub/etc
# directories under /home/www, and finally restarts apache2.
# Reads the globals $tool, $vm_fqdn and $user (from etc/vm.sh, not shown here).
# `local -` keeps the option change local to this function: globbing
# (disabled by -f in the preamble) is needed for the site.d/* loop.
local -; set +f
rule apt_get_install \
apache2-mpm-itk \
libapache2-mod-php5
# SEE: http://serverfault.com/questions/383526/how-do-i-select-which-apache-mpm-to-use/383634#383634
# SEE: http://jkroon.blogs.uls.co.za/it/security/using-php-fpm-and-mod_proxy_fcgi-to-optimize-and-secure-lamp-servers
# NOTE: apache2-mpm-itk looks like the most secure choice,
# since everything is guaranteed to run with the uid/gid
# assigned to the VirtualHost/Directory/Location;
# nevertheless a combination such as
# apache2-mpm-{worker,event} + mod_proxy_fcgi + apache2-suexec-custom + php-fpm
# might perform better (threads rather than forks),
# although suexec seems to impose forks anyway..
# and mod_proxy_fcgi only appears in apache 2.4;
# so for now: apache2-mpm-itk
rule www_configure
# apache2.conf = a ServerName line followed by the tool's template, piped
# into install (the heredoc is the first input of cat, the template the second).
cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF |
ServerName "$vm_fqdn"
EOF
sudo install -m 660 -o root -g root /dev/stdin \
/etc/apache2/apache2.conf
sudo install -m 660 -o root -g root \
"$tool"/etc/apache2/envvars \
/etc/apache2/envvars
sudo install -m 660 -o root -g root \
"$tool"/etc/apache2/httpd.conf \
/etc/apache2/httpd.conf
#sudo install -m 660 -o root -g root /dev/stdin \
# /etc/apache2/suexec/www-data <<-EOF
# /home
# pub/www/cgi
# EOF
sudo install -m 660 -o root -g root \
"$tool"/etc/apache2/ports.conf \
/etc/apache2/ports.conf
sudo a2enmod actions
sudo a2enmod headers
sudo a2enmod rewrite
sudo a2enmod ssl
sudo a2enmod userdir
local conf
# Every site is disabled first and re-enabled from site.d/ below, so a site
# removed from the tool disappears from apache as well.
sudo a2dissite "*"
sudo ln -fns \
/etc/apache2 \
/home/www/etc/apache2
for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf
do conf=${conf#"$tool"/etc/apache2/site.d/}
local port site
# The directory name is "<port>.<site>": split on the first dot.
IFS=. read -r port site <<-EOF
${conf%\/VirtualHost\.conf}
EOF
assert 'test "${site:+set}"'
assert 'test "${port:+set}"'
local site_user="$user.$port.$site"
local site_dir="$user.$port.$site"
case $port in
(443)
# The private key is never kept in the tool: it has to be pushed from the
# host beforehand (hence the hint given to assert).
local hint="run vm_remote apache2_key_send before"
assert "sudo test -f /etc/apache2/site.d/\"$site_dir\"/x509/key.pem" hint
sudo install -d -m 770 -o "$user" -g "$user" \
/etc/apache2 \
/etc/apache2/site.d/"$site_dir" \
/etc/apache2/site.d/"$site_dir"/x509 \
/etc/apache2/site.d/"$site_dir"/x509/ca \
/etc/apache2/site.d/"$site_dir"/x509/empty \
/etc/apache2/site.d/"$site_dir"/x509/rvk \
/etc/apache2/site.d/"$site_dir"/x509/usr
sudo install -m 664 -o www -g www \
"$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
/etc/apache2/site.d/"$site_dir"/x509/crt.self-signed.pem
#sudo install -m 664 -o "$user" -g "$user" \
# "$tool"/var/pub/x509/"$site"/rvk.pem \
# /etc/apache2/site.d/"$site_dir"/x509/rvk.pem
sudo install -m 664 -o www -g www \
"$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \
/etc/apache2/site.d/"$site_dir"/x509/ca/crt.pem
sudo install -m 664 -o www -g www \
"$tool"/var/pub/x509/"$site"/crt.pem \
/etc/apache2/site.d/"$site_dir"/x509/crt.pem
;;
esac
# The VirtualHost is a fixed prologue plus the site's own VirtualHost.conf,
# installed through the pipe after `esac`.
# NOTE(review): the 443 prologue pins `SSLProtocol -All +TLSv1` and the single
# suite `AES+RSA+SHA256`; that was a hardening choice of the apache 2.2 era
# and would be re-evaluated today (TLS 1.2+). SSLVerifyClient is None here,
# so SSLUserName only carries a CN when a site's VirtualHost.conf turns
# client verification on — confirm per site.
case $port in
(80)
cat <<-EOF
<VirtualHost *:$port>
AssignUserID $site_user $site_user
CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
#CustomLog "/dev/null" Combined
DocumentRoot /home/www/pub/$site_dir
ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
#ErrorLog "/dev/null"
ServerName $site
LogLevel Warn
$(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
</VirtualHost>
EOF
;;
(443)
cat <<-EOF
<IfModule mod_ssl.c>
<VirtualHost *:$port>
AssignUserID $site_user $site_user
BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
#CustomLog "/dev/null" Combined
DocumentRoot /home/www/pub/$site_dir
ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
#ErrorLog "/dev/null"
LogLevel Warn
ServerName $site
SSLCACertificateFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
SSLCACertificatePath /etc/apache2/site.d/$site_dir/x509/usr/
#SSLCARevocationFile /etc/apache2/site.d/$site_dir/x509/rvk.pem
SSLCADNRequestFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
SSLCADNRequestPath /etc/apache2/site.d/$site_dir/x509/empty/
# NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés
SSLCARevocationPath /etc/apache2/site.d/$site_dir/x509/rvk/
SSLCertificateChainFile /etc/apache2/site.d/$site_dir/x509/ca/crt.pem
SSLCertificateFile /etc/apache2/site.d/$site_dir/x509/crt.pem
SSLCertificateKeyFile /etc/apache2/site.d/$site_dir/x509/key.pem
SSLCipherSuite AES+RSA+SHA256
SSLEngine On
SSLInsecureRenegotiation Off
SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars
SSLProtocol -All +TLSv1
#SSLRenegBufferSize 262144
SSLSessionCacheTimeout 1200
SSLStrictSNIVHostCheck On
SSLUserName SSL_CLIENT_S_DN_CN
SSLVerifyClient None
SSLVerifyDepth 1
$(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
</VirtualHost>
</IfModule>
EOF
;;
esac |
sudo install -m 660 -o root -g root /dev/stdin \
/etc/apache2/site.d/"$site_dir"/VirtualHost.conf
sudo ln -fns \
../site.d/"$site_dir"/VirtualHost.conf \
/etc/apache2/sites-available/"$site_dir"
sudo install -d -m 770 -o "$user" -g "$user" \
/home/www/log/"$site_dir" \
/home/www/log/"$site_dir"/apache2
sudo ln -fns \
/etc/apache2/site.d/"$site_dir" \
/home/www/etc/apache2/"$site_dir"
test -e /home/www/pub/"$site_dir" ||
sudo install -d -m 770 -o "$user" -g "$user" \
/home/www/pub/"$site_dir"
# One unprivileged system account per site; itk switches to it for requests
# of this VirtualHost, so it only needs traverse (--x) rights down to its
# DocumentRoot and a default ACL inside it.
getent passwd "$site_user" >/dev/null ||
sudo adduser \
--disabled-password \
--group \
--no-create-home \
--home /home/www/pub/"$site_dir" \
--shell /bin/false \
--system \
"$site_user"
sudo setfacl -m u:"$site_user":--x \
/home/www/ \
/home/www/pub/ \
/home/www/pub/"$site_dir"/
# NOTE(review): $home is not assigned anywhere in this function (it is only
# set in rule_initramfs_configure), so under `set -u` this line aborts the
# rule; the path also reverses the layout used just above
# (/home/www/pub/$site_dir) — looks like a leftover of an older layout, confirm.
sudo setfacl -m d:u:"$site_user":rwx \
"$home"/pub/www/"$site_dir"/
# A per-site hook from the tool is sourced (not executed) into this shell:
# it runs with the caller's privileges and may use sudo like the rule does.
test ! -r "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh ||
. "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh
test -e /etc/apache2/sites-enabled/"$site_dir" ||
sudo a2ensite "$site_dir"
done
sudo service apache2 restart
}
rule_apt_configure () {
# Writes the APT sources (Debian $vm_lsb_name main/contrib/non-free, a
# disabled backports entry, an OpenERP nightly repository), pins backports
# above the release, refreshes the index and installs apticron so that
# pending upgrades are mailed to admin@$vm_domainname.
# Reads the globals $vm_lsb_name and $vm_domainname (etc/vm.sh, not shown).
sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
EOF
# NOTE(review): this file lands directly in /etc/apt/, which apt does not
# read (only sources.list and sources.list.d/*.list); harmless today since
# its single line is commented out, but it would stay ignored once enabled.
sudo install -m 660 -o root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF
#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
EOF
# Backports (200) are preferred over the release (170); both stay below 500,
# see apt_preferences(5) for what that implies for already-installed versions.
sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
Package: *
Pin: release a=$vm_lsb_name
Pin-Priority: 170

Package: *
Pin: release a=$vm_lsb_name-backports
Pin-Priority: 200
EOF
# NOTE(review): third-party repository over plain http; apt still checks the
# Release signature, but nothing in this rule installs its signing key —
# confirm where the key is trusted from.
sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
deb http://nightly.openerp.com/trunk/nightly/deb/ ./
EOF
sudo apt-get update
rule apt_get_install apticron
# Only EMAIL is set; the remaining lines document apticron's other knobs.
sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF
EMAIL="admin@$vm_domainname"
# DIFF_ONLY="1"
# LISTCHANGES_PROFILE="apticron"
# ALL_FQDNS="1"
# SYSTEM="foobar.example.com"
# IPADDRESSNUM="1"
# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
# NOTIFY_HOLDS="0"
# NOTIFY_NEW="0"
# NOTIFY_NO_UPDATES="0"
# CUSTOM_SUBJECT=""
# CUSTOM_NO_UPDATES_SUBJECT=""
# CUSTOM_FROM="root@$vm_fqdn"
EOF
}
rule_boot_configure () {
# Sets up booting of the Xen guest: grub-pc with no install device (the host
# boots the kernel), the kernel image, /etc/default/grub with the console and
# static-IP kernel command line, the grub device map, the initramfs (see
# rule_initramfs_configure) and molly-guard against accidental reboots.
# Reads the globals $vm, $vm_arch, $vm_ipv4 and $vm_fqdn (etc/vm.sh, not shown).
#warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
# (the disabled warning above reads: "during the Debian install, do NOT
# install GRUB on ANY of the proposed disks!")
# Pre-seed an empty device list so grub-pc's postinst installs no boot sector.
sudo debconf-set-selections <<-EOF
grub-pc grub-pc/install_devices multiselect
EOF
rule apt_get_install grub-pc
# NOTE(review): mode 644 on a directory has no execute (traverse) bit; root
# bypasses it, but 755 is presumably what was meant — confirm.
sudo install -d -m 644 -o root -g root /boot/grub
rule apt_get_install linux-image-$vm_arch
# NOTE(review): resume= names ${vm}_swap_deciphered whereas crypttab/fstab
# (rule_filesystem_configure) use ${vm_lvm_lv}_swap_deciphered; they only
# agree when $vm equals $vm_lvm_lv — confirm.
sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
GRUB_DISABLE_RECOVERY="true"
#GRUB_PRELOAD_MODULES="lvm"
EOF
# The dm name doubles every "-" of the LV name, hence the sed.
# NOTE(review): both lines map (hd0); which one grub keeps is not obvious — confirm.
sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF
(hd0) /dev/xvda
(hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
EOF
sudo update-grub2 # NOTE: takes /boot/grub/device.map into account
rule initramfs_configure
rule apt_get_install molly-guard
# molly-guard always asks for the hostname before halt/reboot (the French
# note in the file: telling sudo to keep SSH_* would be an alternative, but
# always asking is not much of a burden and is safer).
sudo install -m 644 -o root -g root /dev/stdin /etc/molly-guard/rc <<-EOF
ALWAYS_QUERY_HOSTNAME=true
# NOTE: une alternative est de dire à sudo de conserver les SSH_*
# néamoins demander tout le temps n'est pas trop contraignant
# et davantage sécurisant.
EOF
}
rule_dovecot_configure () {
# Installs dovecot (IMAP + sieve), its TLS material, a local.conf using
# per-user passwd files (~/etc/dovecot/passwd) and FS quotas, a helper
# letting each user set their own IMAP password, then restarts dovecot.
# Reads the globals $tool and $vm_domainname (etc/vm.sh, not shown).
rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
# The private key is never kept in the tool; it is pushed from the host first.
local hint="run vm_remote dovecot_key_send before"
assert "sudo test -f /etc/dovecot/\"$vm_domainname\"/imap/x509/key.pem" hint
sudo install -m 400 -o root -g root \
"$tool"/var/pub/x509/$vm_domainname/imap/crt+crl.self-signed.pem \
/etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
sudo install -d -m 770 -o root -g adm \
/etc/skel/etc/mail \
/etc/skel/etc/sieve
# Index/control dirs live on a partition without quota (see local.conf).
# NOTE(review): 1777 lets any local user pre-create another user's %u
# subdirectory before dovecot does; whether that is acceptable here depends
# on how much local users are trusted — confirm.
sudo install -d -m 1777 -o root -g root \
/var/lib/dovecot-control \
/var/lib/dovecot-index
# NOTE(review): mail_debug = yes is verbose for production; ssl_cipher_list
# is a single suite (AES256-SHA) and client certificates are verified, with
# the username taken from the certificate — both deliberate, but dated.
sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
auth_ssl_username_from_cert = yes
listen = *
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_debug = yes
mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
# NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
# VOIR: http://wiki2.dovecot.org/Quota/FS
mail_plugins = \$mail_plugins quota
mail_privileged_group = mail
passdb {
args = /home/%u/etc/dovecot/passwd
driver = passwd-file
}
plugin {
quota = fs:user
recipient_delimiter = +
sieve = ~/etc/mail/filter.sieve
sieve_dir = ~/etc/mail/sieve
sieve_global_dir = /var/lib/dovecot/sieve/global/
sieve_max_script_size = 1M
sieve_quota_max_scripts = 0
sieve_quota_max_storage = 10M
sieve_user_log = ~/var/log/mail/sieve.log
}
protocol imap {
mail_plugins = \$mail_plugins imap_quota
}
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
hostname = $vm_domainname
info_log_path =
log_path =
mail_plugins = \$mail_plugins sieve
postmaster_address = contact+dovecot+lda@$vm_domainname
syslog_facility = mail
}
protocols = imap sieve
service auth {
user = root
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
ssl_cipher_list = AES256-SHA
ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
ssl_verify_client_cert = yes
userdb {
driver = passwd
}
verbose_ssl = no
EOF
# Self-service password helper: doveadm prompts for the password and only
# its SHA512-CRYPT hash is written to the user's own passwd file (mode 640).
# The \$ escapes keep $USER and the $(...) for the helper's run time.
sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
#!/bin/sh -efux
# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
install -d -m 770 ~/etc/dovecot
install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
\$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
_EOF
EOF
# NOTE(review): this (re)creates postgrey's local recipient whitelist empty
# on every run; it looks like it belongs to rule_postgrey_configure (not in
# this part of the file) — confirm nothing else writes to it.
sudo install -m 664 -o root -g root /dev/stdin /etc/postgrey/whitelist_recipients.local <<-EOF
EOF
sudo service dovecot restart
}
rule_etckeeper_configure () {
# Puts /etc under git with etckeeper: neither daily autocommits nor a commit
# before each package installation; the tool's prompt helper is installed
# alongside. Reads the global $tool.
# NOTE(review): the configuration is written before the package is installed,
# so dpkg finds a pre-existing etckeeper.conf differing from the packaged one
# and treats it as a modified conffile (typically a prompt, or "keep" when
# non-interactive) — confirm this is the intended way to seed it.
sudo install -m 644 -o root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
VCS=git
GIT_COMMIT_OPTIONS=""
AVOID_DAILY_AUTOCOMMITS=1
#AVOID_SPECIAL_FILE_WARNING=1
AVOID_COMMIT_BEFORE_INSTALL=1
HIGHLEVEL_PACKAGE_MANAGER=apt
LOWLEVEL_PACKAGE_MANAGER=dpkg
EOF
sudo install -m 644 -o root -g root \
"$tool"/etc/etckeeper/prompt.sh \
/etc/etckeeper/prompt.sh
rule apt_get_install etckeeper
}
rule_filesystem_configure () {
# Writes fstab (LUKS-backed LVM volumes for /, /var, /home and swap, plus a
# plain ext2 /boot), crypttab (only the root volume asks for a passphrase;
# the others derive their key from it with decrypt_derived), the tmpfs
# defaults and the tool's tmpfs init script.
# Reads the globals $vm_lvm_lv, $vm_lvm_vg and $tool (etc/vm.sh, not shown).
# acl is needed by the setfacl calls of the web rules; usrquota/grpquota on
# /home back dovecot's "quota = fs:user".
sudo install -m 644 -o root -g root /dev/stdin /etc/fstab <<-EOF
# <file system> <mount point> <type> <options> <dump> <pass>
LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
# NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
EOF
# /var, /home and swap reuse the root volume's key material (keyscript
# decrypt_derived), so compromising the root key exposes all four volumes;
# that is the accepted trade-off for a single passphrase at boot.
sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF
# <target name> <source device> <key file> <options>
${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
EOF
sudo install -m 644 -o root -g root /dev/stdin /etc/default/tmpfs <<-EOF
LOCK_SIZE=5242880 # NOTE: 5MiB
RAMLOCK=yes
RAMSHM=yes
RAMTMP=yes
RUN_SIZE=10%
SHM_SIZE=
TMP_MODE=1777,nr_inodes=1000k,noatime
TMP_OVERFLOW_LIMIT=1024
# NOTE: mount tmpfs on /tmp if there is less than the limit size (in kiB)
# on the root filesystem (overriding RAMTMP).
TMP_SIZE=200m
TMPFS_SIZE=20%VM
EOF
# NOTE(review): 775 makes the init script group-writable (group root here);
# 755 is the usual mode for /etc/init.d scripts — confirm.
sudo install -m 775 -o root -g root \
"$tool"/etc/init.d/tmpfs \
/etc/init.d/tmpfs
sudo update-rc.d tmpfs defaults
}
rule_initramfs_configure () {
# Builds the initramfs that unlocks the encrypted root over the network:
# Xen PV modules, the crypto modules needed for LUKS, a dropbear host key,
# and an authorized_keys for the initramfs root made of the keys of every
# member of the sudo group. Reads the globals $vm_fqdn and $tool.
sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
MODULES=most
BUSYBOX=y
KEYMAP=y
COMPRESS=gzip
DEVICE=eth0
EOF
sudo install -m 644 -o root -g root /dev/stdin /etc/modprobe.d/xen-pv.conf <<-EOF
alias eth0 xennet
alias scsi_hostadapter xenblk
EOF
sudo install -m 644 -o root -g root /dev/stdin /etc/modules <<-EOF
sha1_generic
sha256_generic
sha512_generic
aes-x86_64
xts
# NOTE: pour Xen en mode HVM :
#modprobe xen-platform-pci
EOF
sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF
EOF
# Patches a package-owned file (lost on the next dropbear upgrade): drops the
# trailing "&" so configure_networking runs in the foreground.
sudo sed -e '/^configure_networking /s/ &$//' \
-i /usr/share/initramfs-tools/scripts/init-premount/dropbear
# NOTE: works around a bug: dropbear must wait for the network to be configured..
# Keep the existing dropbear RSA host key when the tool's known_hosts already
# records one for init.$vm_fqdn (so clients keep trusting it); otherwise
# (re)generate it. The match presumes the known_hosts line ends with " RSA" —
# confirm against the tool's known_hosts format. `return` here only leaves
# the ( ) subshell with that status.
ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
( while IFS= read -r line
do case $line in (*" RSA") return 0; break;; esac
done; return 1 ) ||
{
sudo rm -f \
/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
sudo dropbearkey -t rsa -s 4096 -f \
/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
}
# NOTE: does not bother with dropbear_dss_host_key; Debian generates and uses it nonetheless.
# NOTE(review): mode 640 on directories has no traverse bit; root bypasses
# it, but 700 is presumably what was meant for root/.ssh — confirm.
sudo install -d -m 640 -o root -g root \
/etc/initramfs-tools/root \
/etc/initramfs-tools/root/.ssh
# Concatenates ~<member>/etc/ssh/authorized_keys for each member of the sudo
# group (the inner read splits the comma-separated member list one name at a
# time). The eval only exists to tilde-expand a username held in a variable;
# that is tolerable because the names come from the group database, not from
# user input. A member without that file makes cat fail without stopping the
# pipeline (the status is install's).
getent group sudo |
while IFS=: read -r group x x users
do while test -n "$users" && IFS=, read -r user users <<-EOF
$users
EOF
do eval local home\; home="~$user"
cat "$home"/etc/ssh/authorized_keys
done
done |
sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys
# The dropbear initramfs hook leaves a root key pair here (the French note:
# keys generated by Debian); removing it means only the sudoers' keys above
# can log into the initramfs.
sudo rm -f \
/etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
/etc/initramfs-tools/root/.ssh/id_rsa.pub \
/etc/initramfs-tools/root/.ssh/id_rsa
# NOTE: keys generated by Debian
sudo update-initramfs -u
}
rule_locale_configure () {
# Pre-seeds debconf so that the "locales" package generates fr_FR.UTF-8 and
# sets no default locale, then re-runs its configuration non-interactively.
local selections
selections='locales locales/default_environment_locale select None
locales locales/locales_to_be_generated multiselect fr_FR.UTF-8 UTF-8'
printf '%s\n' "$selections" | sudo debconf-set-selections
rule dpkg_reconfigure locales
}
rule_login_configure () {
# Console and login policy: inittab with a getty on the Xen console (hvc0),
# login.defs (group-trusting umask 007, SHA512 hashes, sbin in everyone's
# PATH), pam_umask in the common session stack, and hvc0/xvc0 as secure ttys
# so root may log in on the hypervisor console.
sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF
# /etc/inittab: init(8) configuration.

# The default runlevel.
id:2:initdefault:

# Boot-time system configuration/initialization script.
# This is run first except when booting in emergency (-b) mode.
si::sysinit:/etc/init.d/rcS

# What to do in single-user mode.
~~:S:wait:/sbin/sulogin

# /etc/init.d executes the S and K scripts upon change
# of runlevel.
#
# Runlevel 0 is halt.
# Runlevel 1 is single-user.
# Runlevels 2-5 are multi-user.
# Runlevel 6 is reboot.

l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fallthrough in case of emergency.
z6:6:respawn:/sbin/sulogin

# What to do when CTRL-ALT-DEL is pressed.
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

# What to do when the power fails/returns.
pf::powerwait:/etc/init.d/powerfail start
pn::powerfailnow:/etc/init.d/powerfail now
po::powerokwait:/etc/init.d/powerfail stop

# Xen hypervisor console
hvc:2345:respawn:/sbin/getty 38400 hvc0
#xvc:2345:respawn:/sbin/getty 38400 xvc0
EOF
# NOTE(review): PASS_MAX_DAYS 99999 disables password ageing and
# LOGIN_RETRIES 3 / LOGIN_TIMEOUT 60 bound console login attempts; both are
# policy choices worth a second look. The French notes in the file explain
# the sbin-in-PATH and UMASK 007 decisions (group gets the owner's trust,
# which the ACL-based layout of the web rules relies on).
sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF
MAIL_DIR /var/mail
FAILLOG_ENAB yes
LOG_UNKFAIL_ENAB no
LOG_OK_LOGINS no
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
FTMP_FILE /var/log/btmp
SU_NAME su
HUSHLOGIN_FILE .hushlogin
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# NOTE: met les sbin/ dans ENV_PATH ;
# - ça n'apporte aucune protection de ne pas les mettre ;
# - ça frustre de ne pas les trouver.
TTYGROUP tty
TTYPERM 0600
ERASECHAR 0177
KILLCHAR 025
UMASK 007
# NOTE: rwxrwx--- ;
# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
GID_MIN 1000
GID_MAX 60000
LOGIN_RETRIES 3
LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
DEFAULT_HOME yes
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
EOF
# Append-once idioms: the file is re-written as "current content + line" only
# when grep does not find the line. The heredoc is fully expanded before
# install opens the target, so reading and rewriting the same file is safe.
# NOTE(review): whether the grep pattern matches the appended line depends on
# the exact whitespace between the fields (tabs vs spaces are not
# distinguishable in this rendering) — confirm, otherwise the line is
# appended again on every run.
grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF
$(cat /etc/pam.d/common-session)
session optional pam_umask.so
EOF
grep -q '^hvc0$' /etc/securetty ||
sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
$(cat /etc/securetty)
hvc0
EOF
grep -q '^xvc0$' /etc/securetty ||
sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
$(cat /etc/securetty)
xvc0
EOF
}
rule_mail_configure () {
# Umbrella rule: configures the whole mail stack in dependency order
# (postfix first, then postgrey, procmail and finally dovecot).
local part
for part in postfix postgrey procmail dovecot
do rule "$part"_configure
done
}
rule_network_configure () {
# Hostname, /etc/hosts entry and a static single-address interface
# configuration (/32 with the gateway on the same address, relying on
# proxy_arp upstream; MTU 1300 because of the GRE/IPsec tunnels, see the
# ping transcript kept in the file).
# Reads the globals $vm, $vm_fqdn and $vm_ipv4 (etc/vm.sh, not shown).
sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
$vm
EOF
# Append-once: the line is added only if no /etc/hosts line already ends
# with " $vm" ($vm is trusted configuration, so its use in the regex is fine).
grep -q " $vm\$" /etc/hosts ||
sudo install -m 644 -o root -g root /dev/stdin /etc/hosts <<-EOF
$(cat /etc/hosts)
127.0.0.1 $vm_fqdn $vm
EOF
# "eth0=grenode" maps the physical interface onto the logical "grenode"
# stanza; the \$IFACE escapes are for ifupdown at run time.
sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF
auto lo
iface lo inet loopback

auto eth0=grenode
iface grenode inet static
address $vm_ipv4
gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
network $vm_ipv4
broadcast $vm_ipv4
netmask 255.255.255.255
mtu 1300
# NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
# car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
#
# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
# PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
# 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
#
# --- soupirail.grenode.net ping statistics ---
# 1 packets transmitted, 1 received, 0% packet loss, time 0ms
# rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
# PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
# From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
#
# --- soupirail.grenode.net ping statistics ---
# 0 packets transmitted, 0 received, +1 errors
post-up ip address add $vm_ipv4/32 dev \$IFACE
pre-down ip address delete $vm_ipv4/32 dev \$IFACE
EOF
}
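rule_www_configure () {
# Creates the shared web accounts and directories used by the apache2, nginx
# and php5-fpm rules: user www owns /home/www, user log.www owns the logs,
# and www-data (Debian's httpd account) is re-homed under /home/www/pub.
# Every step is guarded so the rule can be re-run.
getent passwd www >/dev/null ||
sudo adduser \
--disabled-login \
--disabled-password \
--group \
--home /home/www \
--shell /bin/false \
--system \
www
# FIX: this adduser used to run unconditionally, so a second run aborted
# under set -e (adduser fails when the account exists). The home is written
# as /home/www/log rather than ~www/log: www's home is set to /home/www just
# above, and a tilde lookup cannot resolve before that account exists.
getent passwd log.www >/dev/null ||
sudo adduser \
--disabled-login \
--disabled-password \
--group \
--home /home/www/log \
--shell /bin/false \
--system \
log.www
#sudo adduser www www-data
sudo adduser www log.www
#sudo adduser log log.www
# FIX: usermod needs root like every other step here (it ran without sudo).
sudo usermod --home /home/www/pub www-data
sudo install -d -m 751 -o www -g www \
/home/www
sudo install -d -m 750 -o www -g www \
/home/www/etc
# FIX: a stray trailing backslash used to join this command with the next
# one, which created bogus "sudo" and "install" directories in the cwd
# instead of /home/www/log.
sudo install -d -m 1771 -o www-data -g www-data \
/home/www/pub
sudo install -d -m 1771 -o log.www -g log.www \
/home/www/log
}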
rule_nginx_configure () {
# Installs nginx, rebuilds /etc/nginx/{conf.d,site.d} from the tool, and
# generates one server block per "$tool"/etc/nginx/site.d/<port>.<site>/
# (80 → plain, 443 → TLS) with per-site www.<site> and log.<site> system
# accounts, then installs the FastCGI helpers and restarts nginx.
# Reads the global $tool. `local -` keeps `set +f` (globbing for the loops)
# local to this function.
local -; set +f
rule apt_get_install nginx
rule www_configure
# conf.d and site.d are regenerated from scratch on every run.
sudo rm -rf \
/etc/nginx/conf.d \
/etc/nginx/site.d
sudo install -d -m 770 -o www -g www \
/etc/nginx \
/etc/nginx/conf.d \
/etc/nginx/site.d
sudo ln -fns \
/etc/nginx \
/home/www/etc/nginx
# The configuration is owned by www (the site-admin account), by design.
sudo install -m 660 -o www -g www \
"$tool"/etc/nginx/nginx.conf \
/etc/nginx/nginx.conf
local conf
for conf in "$tool"/etc/nginx/conf.d/*.conf
do conf=${conf#"$tool"/etc/nginx/conf.d/}
sudo install -m 660 -o www -g www \
"$tool"/etc/nginx/conf.d/"$conf" \
/etc/nginx/conf.d/"$conf"
done
for conf in "$tool"/etc/nginx/site.d/*/server.conf
do conf=${conf#"$tool"/etc/nginx/site.d/}
local port site
# The directory name is "<port>.<site>": split on the first dot, then $site
# is rebuilt as the full "<port>.<site>" used for every account and path.
IFS=. read -r port site <<-EOF
${conf%\/server\.conf}
EOF
assert 'test "${port:+set}"'
assert 'test "${site:+set}"'
site="$port.$site"
getent passwd www."$site" >/dev/null ||
sudo adduser \
--disabled-login \
--disabled-password \
--group \
--home ~www-data/"$site" \
--shell /bin/false \
--system \
www."$site"
getent passwd log."$site" >/dev/null ||
sudo adduser \
--disabled-login \
--disabled-password \
--group \
--shell /bin/false \
--system \
log."$site"
sudo usermod --home ~www/log/"$site"/nginx log."$site"
sudo install -d -m 770 -o www -g www \
/etc/nginx/site.d/"$site"
case $port in
(443)
# NOTE(review): the key is asserted under /etc/nginx/$site/ while the
# certificate is installed under /etc/nginx/site.d/$site/x509/ (and the
# server block reads both from site.d/); the two paths look inconsistent.
# The x509 directory itself is not created here either — presumably the
# host-side key_send does it; confirm.
local hint="run vm_remote nginx_key_send before"
assert "sudo test -f /etc/nginx/\"$site\"/x509/key.pem" hint
sudo install -m 664 -o www -g www \
"$tool"/var/pub/x509/"$site"/crt+ca.pem \
/etc/nginx/site.d/"$site"/x509/crt.pem
;;
esac
# Fixed prologue + the site's own server.conf, installed through the pipe
# after `esac`.
# NOTE(review): the TLS block uses the legacy `ssl on;` form and still
# enables TLSv1; ssl_ciphers HIGH:!ADH:!MD5 was reasonable for its time.
case $port in
(80)
cat <<-EOF
server {
listen $port;
access_log /home/www/log/$site/nginx/access.log main;
error_log /home/www/log/$site/nginx/error.log warn;
root /home/www/pub/$site;
server_name $site;
$(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
}
EOF
;;
(443)
cat <<-EOF
server {
listen $port;
access_log /home/www/log/$site/nginx/access.log main;
error_log /home/www/log/$site/nginx/error.log warn;
keepalive_timeout 70;
root /home/www/pub/$site;
server_name $site;
# DOC: http://wiki.nginx.org/HttpSslModule
ssl on;
ssl_certificate /home/www/etc/nginx/site.d/$site/x509/crt.pem;
ssl_certificate_key /home/www/etc/nginx/site.d/$site/x509/key.pem;
ssl_ciphers HIGH:!ADH:!MD5;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
$(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
}
EOF
;;
esac |
sudo install -m 660 -o www -g www /dev/stdin \
/etc/nginx/site.d/"$site"/server.conf
# NOTE(review): this adduser runs without sudo (every other privileged step
# here uses it) and targets a group named "$site", which this rule never
# creates — it creates www.$site and log.$site. The same "$site" account is
# used as owner of /home/www/pub/$site below; both look like they meant
# www."$site" — confirm before changing.
adduser www-data "$site"
test -e /home/www/pub/"$site" ||
sudo install -d -m 3770 -o "$site" -g "$site" \
/home/www/pub/"$site"
sudo install -d -m 3770 -o log."$site" -g log."$site" \
/home/www/log/"$site"/nginx
# A per-site hook from the tool is sourced into this shell: it runs with the
# caller's privileges and may use sudo like the rule does.
test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
. "$tool"/etc/nginx/site.d/"$site"/configure.sh
done
# fcgiwrap's own init script is removed: it is started per site instead
# (rule_tmpfs_configure is not in this part of the file).
rule apt_get_install spawn-fcgi fcgiwrap
sudo insserv --remove fcgiwrap
rule tmpfs_configure
sudo service nginx restart
}
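rule_php5_fpm_configure () {
# Installs php5-fpm (+ APC) and generates one FPM pool per file
# "$tool"/etc/php5/fpm/pool.d/<port>.<site>.conf, each pool meant to run as
# its own php5.<port>.<site> system account listening on a unix socket and
# logging under /home/www/log, then restarts php5-fpm.
# Reads the globals $tool and $user (etc/vm.sh, not shown).
# `local -` keeps `set +f` (globbing for the loops) local to this function.
local -; set +f
rule apt_get_install \
php5-fpm \
php-apc
getent passwd php5 >/dev/null ||
sudo adduser \
--disabled-login \
--disabled-password \
--group \
--shell /bin/false \
--system \
php5
local conf
sudo ln -fns \
/etc/php5-fpm \
/home/www/etc/php5
# Pools are regenerated from scratch on every run.
sudo rm -f /etc/php5/fpm/pool.d/*
for conf in "$tool"/etc/php5/fpm/pool.d/*.conf
do conf=${conf#"$tool"/etc/php5/fpm/pool.d/}
local port site
# The file name is "<port>.<site>.conf": split on the first dot, then $site
# is rebuilt as the full "<port>.<site>" used for accounts and paths.
IFS=. read -r port site <<-EOF
${conf%\.conf}
EOF
assert 'test "${port:+set}"'
assert 'test "${site:+set}"'
site="$port.$site"
# FIX: the guard looked up "php5$site" (no dot) while the account created
# below is "php5.$site", so it never matched and a second run aborted in
# adduser (account already exists).
getent passwd php5."$site" >/dev/null ||
sudo adduser \
--disabled-login \
--disabled-password \
--group \
--no-create-home \
--home ~www/pub/"$site" \
--shell /bin/false \
--system \
php5."$site"
sudo install -d -m 770 -o php5 -g php5 \
/home/www/log/php5 \
/home/www/log/php5/fpm
sudo install -d -m 770 -o log."$site" -g log."$site" \
/home/www/log/"$site"
# NOTE(review): "php5.$user" does not match the "php5.$site" account created
# above; it looks like a typo for php5."$site" — confirm before changing.
sudo adduser php5."$user" www."$site"
# NOTE(review): the pool's access.log/slowlog point at
# /home/www/log/$site/php5/fpm/, which is not created here (only
# /home/www/log/php5/fpm and /home/www/log/$site are), and $php5_user is not
# set in this file — under `set -u` that aborts the rule unless etc/vm.sh
# defines it. The \$HOSTNAME escape is for FPM's own env[] expansion.
sudo install -m 660 -o root -g root /dev/stdin \
/etc/php5/fpm/pool.d/"$conf" <<-EOF
[php5.$site]
access.log = /home/www/log/$site/php5/fpm/access.log
catch_workers_output = yes
chdir = /
env[HOSTNAME] = \$HOSTNAME
env[TEMP] = /tmp
env[TMPDIR] = /tmp
env[TMP] = /tmp
group = www-data
listen = /run/nginx/fastcgi/php5.$site
#listen = 127.0.0.1:9000
#listen.allowed_clients = 127.0.0.1
listen.backlog = -1
pm = dynamic
pm.max_children = 5
pm.max_requests = 200
pm.max_spare_servers = 4
pm.min_spare_servers = 2
pm.start_servers = 3
pm.status_path = /status
request_slowlog_timeout = 5s
request_terminate_timeout = 120s
rlimit_core = unlimited
rlimit_files = 131072
slowlog = /home/www/log/$site/php5/fpm/slow.log
user = $php5_user
$(cat "$tool"/etc/php5/fpm/pool.d/"$conf")
EOF
# php.ini is site-independent but (re)installed once per iteration.
sudo install -m 664 -o root -g root \
"$tool"/etc/php5/fpm/php.ini \
/etc/php5/fpm/php.ini
done
rule tmpfs_configure
sudo service php5-fpm restart
}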
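rule_postfix_configure () {
	# Postfix for $vm_domainname: TLS material, lookup maps, aliases, main.cf.
	# The smtpd private key is deliberately NOT in the repository; it is pushed
	# from the host beforehand (vm_remote postfix_key_send) and must already exist.
	local hint="run vm_remote postfix_key_send before"
	assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
	# When installing Debian, select no postfix configuration at all; the
	# preseed below makes the package leave main.cf to us.
	sudo debconf-set-selections <<-EOF
	postfix postfix/main_mailer_type select No configuration
	EOF
	rule apt_get_install postfix
	# *.db are postmap(1) outputs regenerated below: keep them out of
	# etckeeper's history.
	sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
	*.db
	EOF
	# Directory tree (created once; the original ran this block twice).
	sudo install -d -m 770 -o root -g root \
	 /etc/postfix/"$vm_domainname"/ \
	 /etc/postfix/"$vm_domainname"/smtp \
	 /etc/postfix/"$vm_domainname"/smtp/x509 \
	 /etc/postfix/"$vm_domainname"/smtp/x509/ca \
	 /etc/postfix/"$vm_domainname"/smtpd \
	 /etc/postfix/"$vm_domainname"/smtpd/x509 \
	 /etc/postfix/"$vm_domainname"/smtpd/x509/ca
	# Certificates from var/pub, each installed once, readable by root only.
	sudo ln -fns \
	 ../crt+crl.self-signed.pem \
	 /etc/postfix/"$vm_domainname"/smtpd/x509/ca/crt.pem
	local crt
	for crt in crt+crl.self-signed.pem crt.pem crt+ca.pem
	do sudo install -m 400 -o root -g root \
	    "$tool"/var/pub/x509/"$vm_domainname"/smtpd/"$crt" \
	    /etc/postfix/"$vm_domainname"/smtpd/x509/"$crt"
	done
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/postfix/"$vm_domainname"/header_checks \
	 /etc/postfix/"$vm_domainname"/header_checks
	# Role addresses go to root; root's mail goes to every sudo-group member.
	# NOTE(review): with an empty sudo group the root alias has no target —
	# create the admin accounts (user_admin_add) before running this rule.
	sudo install -m 664 -o root -g root /dev/stdin \
	 /etc/postfix/aliases <<-EOF
	# See man 5 aliases for format
	abuse: root
	admin: root
	contact: root
	postmaster: root
	root: $(getent group sudo | cut -f 4 -d : | tr , ' ')
	EOF
	sudo newaliases -oA/etc/postfix/aliases
	# main.cf = the identity lines below followed by the shared template.
	cat /dev/stdin "$tool"/etc/postfix/main.cf <<-EOF |
	mydomain = $vm_domainname
	myorigin = \$mydomain
	myhostname = $vm_hostname.\$mydomain
	mail_name = \$myhostname
	mydestination = $vm_hostname \$myhostname \$myorigin
	EOF
	sudo install -m 664 -o root -g root /dev/stdin \
	 /etc/postfix/main.cf
	sudo install -m 664 -o root -g root \
	 "$tool"/etc/postfix/master.cf \
	 /etc/postfix/master.cf
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/postfix/"$vm_domainname"/smtp/header_checks \
	 /etc/postfix/"$vm_domainname"/smtp/header_checks
	# hash: lookup tables: install the source file, then compile its .db.
	local map
	for map in \
	 smtp/x509/policy \
	 smtpd/sender_access \
	 smtpd/client_blacklist \
	 smtpd/relay_clientcerts \
	 transport \
	 virtual_alias
	do sudo install -m 660 -o root -g root \
	    "$tool"/etc/postfix/"$vm_domainname"/"$map" \
	    /etc/postfix/"$vm_domainname"/"$map"
	   sudo postmap hash:/etc/postfix/"$vm_domainname"/"$map"
	done
	sudo service postfix restart
}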
rule_postgrey_configure () {
	# Greylisting policy daemon used by postfix; Debian's defaults are kept,
	# the service is only (re)started after installation.
	local pkg=postgrey
	rule apt_get_install "$pkg"
	sudo service "$pkg" restart
}
rule_procmail_configure () {
	# procmail plus the per-user mail layout seeded through /etc/skel:
	# ~/etc/mail (delivery rules), ~/var/cache/mail, ~/var/log/mail, ~/var/mail.
	local dir
	rule apt_get_install procmail
	for dir in etc/mail var/cache/mail var/log/mail var/mail
	do sudo install -d -m 770 -o root -g adm /etc/skel/"$dir"
	done
	sudo install -m 660 -o root -g adm \
	 "$tool"/etc/skel/etc/mail/delivery.procmailrc \
	 /etc/skel/etc/mail/delivery.procmailrc
}
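rule_ssh_configure () {
	# sshd for the hosted VM: one RSA host key, public-key logins only.
	# The host key is (re)generated only when the repository's known_hosts
	# has no RSA entry for $vm_fqdn, i.e. no key is pinned for this VM yet.
	if ! ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	     grep -q -- ' RSA$'
	then sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
	fi
	# Remove the DSA/ECDSA keys generated by the Debian installer: HostKey
	# below lists the RSA key only, so they would never be offered.
	sudo rm -f \
	 /etc/ssh/ssh_host_dsa_key \
	 /etc/ssh/ssh_host_dsa_key.pub \
	 /etc/ssh/ssh_host_ecdsa_key \
	 /etc/ssh/ssh_host_ecdsa_key.pub
	# Notable settings:
	#  - PermitRootLogin without-password: root accepts keys only (its
	#    authorized_keys is built from the sudo group in
	#    rule_user_root_configure), and stays key-only even if
	#    PasswordAuthentication is ever switched back on. Newer sshd spells
	#    this value prohibit-password and still accepts without-password.
	#  - AuthorizedKeysFile %h/etc/ssh/authorized_keys matches the layout
	#    installed by rule_user_add / rule_user_configure.
	#  - KeyRegenerationInterval / ServerKeyBits only concern protocol 1,
	#    disabled by "Protocol 2"; kept as in the original for older sshd.
	sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
	Port 22
	ListenAddress $vm_ipv4
	#ListenAddress ::
	Protocol 2
	Compression yes
	HostKey /etc/ssh/ssh_host_rsa_key
	UsePrivilegeSeparation yes
	KeyRegenerationInterval 3600
	ServerKeyBits 768
	SyslogFacility AUTH
	LogLevel INFO
	LoginGraceTime 120
	PermitRootLogin without-password
	StrictModes yes
	RSAAuthentication yes
	PubkeyAuthentication yes
	AuthorizedKeysFile %h/etc/ssh/authorized_keys
	IgnoreRhosts yes
	RhostsRSAAuthentication no
	HostbasedAuthentication no
	IgnoreUserKnownHosts no
	PermitEmptyPasswords no
	ChallengeResponseAuthentication no
	PasswordAuthentication no
	KerberosAuthentication no
	GSSAPIAuthentication no
	X11Forwarding no
	X11DisplayOffset 10
	PrintMotd no
	DebianBanner no
	PrintLastLog yes
	TCPKeepAlive yes
	ClientAliveInterval 0
	AcceptEnv LANG LC_*
	Subsystem sftp /usr/lib/openssh/sftp-server
	UsePAM yes
	EOF
	sudo service ssh restart
}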
rule_sysctl_configure () {
	# Install every etc/sysctl.d/*.conf of the repository, then reload them all.
	local conf name
	local -; set +f	# globbing is off file-wide (set -f); re-enable it here only
	for conf in "$tool"/etc/sysctl.d/*.conf
	do name=${conf##*/}
	   sudo install -m 660 -o root -g root "$conf" /etc/sysctl.d/"$name"
	done
	sudo sysctl --system
}
rule_time_configure () {
	# Europe/Paris as system timezone, recorded both in /etc/timezone and in
	# the tzdata debconf answers so that dpkg-reconfigure keeps it; ntp for
	# clock synchronisation.
	local area=Europe city=Paris
	printf '%s/%s\n' "$area" "$city" |
	sudo install -m 644 -o root -g root /dev/stdin /etc/timezone
	sudo debconf-set-selections <<-EOF
	tzdata tzdata/Areas select $area
	tzdata tzdata/Zones/Europe select $city
	EOF
	rule dpkg_reconfigure tzdata
	rule apt_get_install ntp
}
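rule_user_add () { # SYNTAX: $user
	# Create a regular account. Its password is created locked (adduser
	# --disabled-password) and must be initialised by the user with
	# passwd-init (see rule_user_configure); until then only the SSH key
	# from var/pub/ssh/$user.key grants access.
	local user home key
	user=$1
	rule user_configure
	id "$user" >/dev/null ||
	sudo adduser --disabled-password "$user"
	sudo adduser "$user" users
	# Home directory taken from the passwd database instead of eval "~$user":
	# the user name is never re-parsed by the shell, and an unknown user
	# aborts (${home:?}) instead of silently resolving to /etc/ssh/....
	home=$(getent passwd "$user" | cut -d : -f 6)
	# root-owned and not writable by the user: key management stays with
	# the administrator (sshd reads the file as root, StrictModes allows it).
	sudo install -m 640 -o root -g root \
	 "$tool"/var/pub/ssh/"$user".key \
	 "${home:?no passwd entry for $user}"/etc/ssh/authorized_keys
	# Seed the user's keyring with every public OpenPGP key of the repository.
	# NOTE(review): relies on sudo giving gpg the target user's HOME — confirm.
	local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo -u "$user" gpg --import - <"$key"
	done
}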
rule_user_configure () {
	# Placeholder: a later definition of the same name in this file replaces
	# it (the shell keeps the last definition), so this body is never run.
	:
}
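rule_user_admin_add () { # SYNTAX: $user
	# An administrator is a regular account (see rule_user_add: locked
	# password, SSH key from var/pub/ssh, OpenPGP keys imported) that is
	# also a member of the sudo group. Root's own authorized_keys is then
	# rebuilt from the sudo group by rule_user_admin_configure.
	local user
	user=$1
	rule user_add "$user"
	sudo adduser "$user" sudo
	rule user_admin_configure
}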
rule_user_admin_configure () {
	# Run after a change of the sudo group: initramfs_configure (defined
	# elsewhere in this file) then user_root_configure, which rebuilds
	# root's authorized_keys from the sudo-group members.
	local step
	for step in initramfs_configure user_root_configure
	do rule "$step"
	done
}
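rule_user_configure () {
	# Per-user layout seeded from /etc/skel: ~/etc/{gpg,ssh} (private) and
	# ~/var/{cache,log,run}; ~/.ssh and ~/.gnupg are symlinks into ~/etc.
	sudo install -d -m 750 -o root -g adm \
	 /etc/skel/etc \
	 /etc/skel/etc/gpg \
	 /etc/skel/etc/ssh
	sudo install -d -m 770 -o root -g adm \
	 /etc/skel/var \
	 /etc/skel/var/cache \
	 /etc/skel/var/log \
	 /etc/skel/var/run \
	 /etc/skel/var/run/ssh
	sudo ln -fns etc/ssh /etc/skel/.ssh
	sudo ln -fns etc/gpg /etc/skel/.gnupg
	# passwd-init: accounts are created with a locked password (adduser
	# --disabled-password), so their owner cannot authenticate to sudo to
	# set one. The root-side helper below lets a sudo-group member set their
	# OWN password, and only while "passwd --status" still reports it locked
	# (L). SUDO_USER is set by sudo itself, never by the caller.
	# SECURITY: the helper takes no arguments and the sudoers entry allows
	# none (""). Do not inline the shell snippet into sudoers as before:
	# sudoers matches command arguments with fnmatch(3), so the "*" of the
	# case pattern became a wildcard and let the caller run anything as root.
	sudo install -m 755 -o root -g root /dev/stdin /usr/local/sbin/passwd-init-helper <<-EOF
	#!/bin/sh -efu
	# Executed as root through sudo (see /etc/sudoers.d/passwd-init).
	case \$(/usr/bin/passwd --status "\$SUDO_USER") in
	("\$SUDO_USER L "*) exec /usr/bin/passwd "\$SUDO_USER";;
	(*) printf '%s\n' "passwd-init: password of \$SUDO_USER is not locked; use passwd(1)" >&2; exit 1;;
	esac
	EOF
	# sudoers.d fragments: 0440 like /etc/sudoers itself; sudo may refuse or
	# ignore a fragment with a wider mode ("should be 0440").
	sudo install -m 440 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
	%sudo ALL=(root) NOPASSWD: /usr/local/sbin/passwd-init-helper ""
	EOF
	sudo install -m 440 -o root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF
	%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
	EOF
	# NOTE(review): "=" replaces sudo's env_keep list rather than extending it
	# ("+="); presumably intentional, confirm.
	sudo install -m 440 -o root -g root /dev/stdin /etc/sudoers.d/env_keep <<-EOF
	Defaults env_keep = " \\
	EDITOR \\
	GIT_AUTHOR_NAME \\
	GIT_AUTHOR_EMAIL \\
	GIT_COMMITTER_NAME \\
	GIT_COMMITTER_EMAIL \\
	"
	EOF
	# User-facing wrapper: what a freshly created user runs once.
	sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF
	#!/bin/sh -efu
	# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
	exec sudo /usr/local/sbin/passwd-init-helper
	EOF
	sudo install -m 644 -o root -g root \
	 "$tool"/etc/bash.bashrc \
	 /etc/bash.bashrc
	sudo install -m 644 -o root -g root \
	 "$tool"/etc/screenrc \
	 /etc/screenrc
}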
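rule_user_root_configure () {
	# root gets the same ~/etc/{gpg,ssh} layout as users, and its
	# authorized_keys is the concatenation of every sudo-group member's:
	# root is reachable by key only (rule_ssh_configure) and only with keys
	# already trusted for an administrator account.
	sudo install -d -m 750 -o root -g adm \
	 /root/etc \
	 /root/etc/gpg \
	 /root/etc/ssh
	sudo ln -fns etc/gpg /root/.gnupg
	sudo ln -fns etc/ssh /root/.ssh
	local admins admin home keys
	admins=$(getent group sudo | cut -d : -f 4 | tr , ' ')
	test -n "$admins" ||
	printf '%s\n' "user_root_configure: warning: sudo group is empty, root gets no authorized_keys" >&2
	# Collect everything first and abort on any failure: the original piped
	# the loop straight into install, so a member without an authorized_keys
	# (or one unreadable by the caller: the file is root:root 0640) silently
	# produced a truncated root key file.
	keys=$(
		for admin in $admins	# word-split on purpose; set -f is on, no globbing
		do home=$(getent passwd "$admin" | cut -d : -f 6)
		   sudo cat "${home:?no passwd entry for $admin}"/etc/ssh/authorized_keys || exit 1
		done
	)
	printf '%s\n' "$keys" |
	sudo install -m 640 -o root -g root /dev/stdin /root/etc/ssh/authorized_keys
	# Seed root's keyring with every public OpenPGP key of the repository.
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo gpg --import "$key"
	done
}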
rule_configure () {
	# Full bring-up of the hosted VM, in dependency order (each rule is
	# defined in this file or in etc/vm.sh). apache2_configure is left out
	# on purpose: nginx + php5-fpm is the web stack that is deployed.
	local step
	for step in \
	 apt_configure \
	 git_configure \
	 etckeeper_configure \
	 locale_configure \
	 time_configure \
	 network_configure \
	 filesystem_configure \
	 login_configure \
	 ssh_configure \
	 user_root_configure \
	 boot_configure \
	 sysctl_configure \
	 user_configure \
	 mail_configure \
	 nginx_configure \
	 php5_fpm_configure
	do rule "$step"
	done
}
1179
rule_luks_key_change () {
	# Replace a passphrase of the root logical volume's LUKS container.
	# cryptsetup prompts for the old and the new passphrase itself; nothing
	# secret is ever passed on the command line.
	local root_lv
	root_lv=/dev/$vm_lvm_vg/${vm_lvm_lv}_root
	sudo cryptsetup luksChangeKey "$root_lv"
}
1183
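# Entry point: "$0 RULE ARGS..." runs rule_RULE through the rule helper of
# lib/rule.sh; no argument shows the help.
rule=${1:-help}
${1+shift}
# Every rule but help refuses to run unless this machine really is the
# hosted VM: the same repository also holds vm_host, the hypervisor-side
# rules, and running the wrong side would clobber /etc of the wrong box.
case $rule in
(help);;
(*)
	assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
	;;
esac
# Quoted: the rule name is passed as exactly one word.
rule "$rule" "$@"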