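#!/bin/sh
# vm_hosted: rules (rule_* functions) to administer the hosted VM from
# inside the VM itself; see rule_help for the usage text.
# Environment: DRY_RUN (when set, -n makes the shell parse the rest of the
# script without executing it), TRACE (see rule_help).
set -e -f ${DRY_RUN:+-n} -u
# Locate the checkout holding this script, following symlinks
# (/usr/local/sbin/vm points at it, see rule_git_configure).
tool=$0
while test -L "$tool"
do link=$(readlink "$tool")
case $link in
(/*) tool=$link ;;
# A relative link target is relative to the directory holding the link,
# not to the current directory.
(*) case $tool in
(*/*) tool=${tool%/*}/$link ;;
(*) tool=$link ;;
esac ;;
esac
done
# Directory of the script; "." when $0 carried no directory part.
case $tool in
(*/*) tool=${tool%/*} ;;
(*) tool=. ;;
esac
. "$tool"/lib/rule.sh
. "$tool"/etc/vm.sh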
10
rule_help () { # SYNTAX: [--hidden]
  # Print the usage text on stderr.  Without an argument, rules whose
  # name starts with an underscore are left out of the RULES listing;
  # any non-empty argument (e.g. --hidden) includes them.
  local hidden=
  case ${1-} in
  ('') hidden=set ;;
  esac
  # Rule names and readonly variables are scraped from etc/vm.sh and
  # from this script itself, so the text never drifts from the code.
  cat <<-EOF >&2
DESCRIPTION:
ce script regroupe des règles pour administrer la VM ($vm_fqdn)
_depuis_ la VM hébergée ($vm_fqdn) ;
il sert à la fois d'outil (aisément bidouillable)
et de documentation (préçise).
Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
SYNTAX: $0 \$RULE \${RULE}_SYNTAX
RULES:
$(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
ENVIRONMENT:
TRACE # affiche les commandes avant leur exécution
$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
EOF
}
28
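rule_git_configure () {
  # Make the checkout track its local "master" remote ref (the one
  # rule_git_reset resets to) and install this script as
  # /usr/local/sbin/vm_hosted and /usr/local/sbin/vm.  Everything runs in
  # a subshell so the cd does not leak into the caller.
  (
  cd "$tool"
  git config --replace branch.master.remote .
  git config --replace branch.master.merge refs/remotes/master
  # The symlinks need an absolute target.  After the cd above, pwd is the
  # checkout's absolute path whatever form $tool had; the former
  # `cd "$tool"; cd -` re-entered $tool from inside the checkout, which
  # goes wrong when $tool is relative.
  local tool
  tool=$(pwd)
  sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/
  sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/vm
  )
}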
rule_git_reset () {
  # Throw away every local change in the checkout: force master back onto
  # the remote-tracking ref, then delete untracked and ignored files alike.
  ( cd "$tool" &&
    git checkout -f -B master remotes/master &&
    git clean -f -d -x )
}
47
rule_apt_get_install () { # SYNTAX: $package
  # Install the given package(s); the frontend is set on sudo's side so
  # debconf never prompts.
  sudo DEBIAN_FRONTEND=noninteractive \
    apt-get install "$@"
}
rule_dpkg_reconfigure () { # SYNTAX: $package
  # Re-run the given package's configuration with preseeded debconf
  # answers only (no prompt).
  sudo DEBIAN_FRONTEND=noninteractive \
    dpkg-reconfigure "$@"
}
54
rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
  # Neutral C locale plus a fresh /etc/profile for a chrooted shell.
  # Hidden rule: its leading underscore keeps it out of rule_help's
  # default listing.
  export LANG=C LC_CTYPE=C
  . /etc/profile
}
60
rule_apache2_configure () {
# Install and configure apache2 (mpm-itk + mod_php5) for every site found
# under "$tool"/etc/apache2/site.d/PORT.SITE/VirtualHost.conf, each site
# running under its own system account.  `rule` and `assert` presumably
# come from "$tool"/lib/rule.sh.
# Globbing is needed for site.d/*; `local -` restores the shell options
# (here -f) when the function returns.
local -; set +f
rule apt_get_install \
apache2-mpm-itk \
libapache2-mod-php5
# VOIR: http://serverfault.com/questions/383526/how-do-i-select-which-apache-mpm-to-use/383634#383634
# VOIR: http://jkroon.blogs.uls.co.za/it/security/using-php-fpm-and-mod_proxy_fcgi-to-optimize-and-secure-lamp-servers
# NOTE: apache2-mpm-itk semble le plus sécurisé,
# car on est certain que tout est exécuté avec les uid/gid
# assignés au VirtualHost/Directory/Location
# néamoins il se peut qu'une combinaison du genre :
# apache2-mpm-{worker,event} + mod_proxy_fcgi + apache2-suexec-custom + php-fpm
# soit plus performante (threads et pas forks),
# cependant l'usage de suexec impose des forks il semble..
# et mod_proxy_fcgi n'apparaît que dans apache 2.4 ;
# donc pour l'instant : apache2-mpm-itk
rule www_configure
# Prepend the ServerName to the tracked apache2.conf; the pipe target
# installs the concatenation.
cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF |
ServerName "$vm_fqdn"
EOF
sudo install -m 660 -o root -g root /dev/stdin \
/etc/apache2/apache2.conf
sudo install -m 660 -o root -g root \
"$tool"/etc/apache2/envvars \
/etc/apache2/envvars
sudo install -m 660 -o root -g root \
"$tool"/etc/apache2/httpd.conf \
/etc/apache2/httpd.conf
#sudo install -m 660 -o root -g root /dev/stdin \
# /etc/apache2/suexec/www-data <<-EOF
# /home
# pub/www/cgi
# EOF
sudo install -m 660 -o root -g root \
"$tool"/etc/apache2/ports.conf \
/etc/apache2/ports.conf
sudo a2enmod actions
sudo a2enmod headers
sudo a2enmod rewrite
sudo a2enmod ssl
sudo a2enmod userdir
local conf
# Every site is disabled first and re-enabled one by one in the loop, so
# a site removed from site.d/ does not stay enabled.
sudo a2dissite "*"
sudo ln -fns \
/etc/apache2 \
/home/www/etc/apache2
for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf
do conf=${conf#"$tool"/etc/apache2/site.d/}
local port site
# The directory name PORT.SITE is split on its first dot.
IFS=. read -r port site <<-EOF
${conf%\/VirtualHost\.conf}
EOF
assert 'test "${site:+set}"'
assert 'test "${port:+set}"'
# NOTE(review): $user is not set in this function — presumably provided by
# "$tool"/etc/vm.sh; confirm, since set -u aborts the rule otherwise.
local site_user="$user.$port.$site"
local site_dir="$user.$port.$site"
case $port in
(443)
# The private key never travels with this repo: vm_remote pushes it and
# the rule refuses to go on without it.
local hint="run vm_remote apache2_key_send before"
assert "sudo test -f /etc/apache2/site.d/\"$site_dir\"/x509/key.pem" hint
sudo install -d -m 770 -o "$user" -g "$user" \
/etc/apache2 \
/etc/apache2/site.d/"$site_dir" \
/etc/apache2/site.d/"$site_dir"/x509 \
/etc/apache2/site.d/"$site_dir"/x509/ca \
/etc/apache2/site.d/"$site_dir"/x509/empty \
/etc/apache2/site.d/"$site_dir"/x509/rvk \
/etc/apache2/site.d/"$site_dir"/x509/usr
# Public material only (self-signed cert, CA chain, server cert).
sudo install -m 664 -o www -g www \
"$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
/etc/apache2/site.d/"$site_dir"/x509/crt.self-signed.pem
#sudo install -m 664 -o "$user" -g "$user" \
# "$tool"/var/pub/x509/"$site"/rvk.pem \
# /etc/apache2/site.d/"$site_dir"/x509/rvk.pem
sudo install -m 664 -o www -g www \
"$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \
/etc/apache2/site.d/"$site_dir"/x509/ca/crt.pem
sudo install -m 664 -o www -g www \
"$tool"/var/pub/x509/"$site"/crt.pem \
/etc/apache2/site.d/"$site_dir"/x509/crt.pem
;;
esac
# Generate the VirtualHost for the port, append the site's own snippet
# from the repo, and install the result; rotatelogs writes one file per
# day under /home/www/log/$site_dir/apache2/{access,error}/.
# NOTE(review): only .../apache2 is created below, not its access/ and
# error/ subdirectories; rotatelogs does not create them — confirm the
# site's configure.sh does, or the log pipes fail at startup.
# NOTE(review): the 443 template allows TLSv1 only (SSLProtocol -All
# +TLSv1) with a single non-forward-secret cipher family (AES+RSA+SHA256);
# worth revisiting.  SSLVerifyClient is None here, so SSLUserName from the
# client cert only takes effect where the site snippet requires a cert.
case $port in
(80)
cat <<-EOF
<VirtualHost *:$port>
AssignUserID $site_user $site_user
CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
#CustomLog "/dev/null" Combined
DocumentRoot /home/www/pub/$site_dir
ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
#ErrorLog "/dev/null"
ServerName $site
LogLevel Warn
$(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
</VirtualHost>
EOF
;;
(443)
cat <<-EOF
<IfModule mod_ssl.c>
<VirtualHost *:$port>
AssignUserID $site_user $site_user
BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
#CustomLog "/dev/null" Combined
DocumentRoot /home/www/pub/$site_dir
ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
#ErrorLog "/dev/null"
LogLevel Warn
ServerName $site
SSLCACertificateFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
SSLCACertificatePath /etc/apache2/site.d/$site_dir/x509/usr/
#SSLCARevocationFile /etc/apache2/site.d/$site_dir/x509/rvk.pem
SSLCADNRequestFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
SSLCADNRequestPath /etc/apache2/site.d/$site_dir/x509/empty/
# NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés
SSLCARevocationPath /etc/apache2/site.d/$site_dir/x509/rvk/
SSLCertificateChainFile /etc/apache2/site.d/$site_dir/x509/ca/crt.pem
SSLCertificateFile /etc/apache2/site.d/$site_dir/x509/crt.pem
SSLCertificateKeyFile /etc/apache2/site.d/$site_dir/x509/key.pem
SSLCipherSuite AES+RSA+SHA256
SSLEngine On
SSLInsecureRenegotiation Off
SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars
SSLProtocol -All +TLSv1
#SSLRenegBufferSize 262144
SSLSessionCacheTimeout 1200
SSLStrictSNIVHostCheck On
SSLUserName SSL_CLIENT_S_DN_CN
SSLVerifyClient None
SSLVerifyDepth 1
$(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
</VirtualHost>
</IfModule>
EOF
;;
esac |
sudo install -m 660 -o root -g root /dev/stdin \
/etc/apache2/site.d/"$site_dir"/VirtualHost.conf
sudo ln -fns \
../site.d/"$site_dir"/VirtualHost.conf \
/etc/apache2/sites-available/"$site_dir"
sudo install -d -m 770 -o "$user" -g "$user" \
/home/www/log/"$site_dir" \
/home/www/log/"$site_dir"/apache2
sudo ln -fns \
/etc/apache2/site.d/"$site_dir" \
/home/www/etc/apache2/"$site_dir"
# The document root is created once and never re-chowned, so an existing
# site keeps whatever ownership it has.
test -e /home/www/pub/"$site_dir" ||
sudo install -d -m 770 -o "$user" -g "$user" \
/home/www/pub/"$site_dir"
# One locked system account per site: mpm-itk runs the site as it
# (AssignUserID above), so a compromised site only gets that account.
getent passwd "$site_user" >/dev/null ||
sudo adduser \
--disabled-password \
--group \
--no-create-home \
--home /home/www/pub/"$site_dir" \
--shell /bin/false \
--system \
"$site_user"
# Traverse-only ACL down to the document root, then a default rwx ACL
# inside it for files created later.
sudo setfacl -m u:"$site_user":--x \
/home/www/ \
/home/www/pub/ \
/home/www/pub/"$site_dir"/
# NOTE(review): $home is not set in this function and "$home"/pub/www/
# does not match the /home/www/pub/ layout used above — looks like
# /home/www/pub/"$site_dir"/ was meant; confirm.
sudo setfacl -m d:u:"$site_user":rwx \
"$home"/pub/www/"$site_dir"/
# Per-site hook, sourced in this shell: it sees this function's locals
# (port, site, site_user, site_dir) and runs with the caller's sudo rights.
test ! -r "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh ||
. "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh
test -e /etc/apache2/sites-enabled/"$site_dir" ||
sudo a2ensite "$site_dir"
done
sudo service apache2 restart
}
rule_apt_configure () {
# Point apt at the Debian mirror for this release ($vm_lsb_name, from
# etc/vm.sh), pin releases, and install apticron so pending updates are
# mailed to admin@$vm_domainname.
# NOTE: the mirror is plain http; apt verifies the Release signatures, so
# package integrity is covered but the traffic itself is visible on path.
sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
EOF
# NOTE(review): apt reads /etc/apt/sources.list and
# /etc/apt/sources.list.d/*.list only, so this file is presumably kept as
# a template (its single line is commented out anyway) — confirm.
sudo install -m 660 -o root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF
#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
EOF
# NOTE(review): backports (200) are pinned above the release itself (170),
# which prefers backports whenever their list is enabled — confirm this is
# intended rather than reversed.
sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
Package: *
Pin: release a=$vm_lsb_name
Pin-Priority: 170

Package: *
Pin: release a=$vm_lsb_name-backports
Pin-Priority: 200
EOF
sudo apt-get update
rule apt_get_install apticron
# Daily mail about available upgrades; the other knobs keep their
# packaged defaults.
sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF
EMAIL="admin@$vm_domainname"
# DIFF_ONLY="1"
# LISTCHANGES_PROFILE="apticron"
# ALL_FQDNS="1"
# SYSTEM="foobar.example.com"
# IPADDRESSNUM="1"
# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
# NOTIFY_HOLDS="0"
# NOTIFY_NEW="0"
# NOTIFY_NO_UPDATES="0"
# CUSTOM_SUBJECT=""
# CUSTOM_NO_UPDATES_SUBJECT=""
# CUSTOM_FROM="root@$vm_fqdn"
EOF
}
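rule_boot_configure () {
  # Install GRUB (without writing it to any disk), the kernel for
  # $vm_arch, the initramfs, and molly-guard.  Variables come from
  # "$tool"/etc/vm.sh; `rule` presumably from "$tool"/lib/rule.sh.
  #warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
  # An empty install_devices answer keeps grub-pc's postinst off the disks.
  sudo debconf-set-selections <<-EOF
grub-pc grub-pc/install_devices multiselect
EOF
  rule apt_get_install grub-pc
  # 755 rather than 644: a directory needs its execute bits to be
  # traversed (644 only went unnoticed because everything here runs as root).
  sudo install -d -m 755 -o root -g root /boot/grub
  rule apt_get_install linux-image-$vm_arch
  # Kernel command line: console on hvc0, the static address handed to
  # the initramfs via ip= (remote unlock, see rule_initramfs_configure),
  # resume from the encrypted swap.
  # NOTE(review): resume= names ${vm}_swap_deciphered whereas
  # rule_filesystem_configure names the volume ${vm_lvm_lv}_swap_deciphered;
  # identical only when vm == vm_lvm_lv — confirm.
  sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
GRUB_DISABLE_RECOVERY="true"
#GRUB_PRELOAD_MODULES="lvm"
EOF
  # Both lines map (hd0): the Xen block device and its device-mapper name
  # (dashes doubled, as device-mapper escapes them).
  sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF
(hd0) /dev/xvda
(hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
EOF
  sudo update-grub2 # NOTE: prend en compte /boot/grub/device.map
  rule initramfs_configure
  # molly-guard asks for the hostname before any halt/reboot, so a
  # reboot typed in the wrong terminal never hits this VM by mistake.
  rule apt_get_install molly-guard
  sudo install -m 644 -o root -g root /dev/stdin /etc/molly-guard/rc <<-EOF
ALWAYS_QUERY_HOSTNAME=true
# NOTE: une alternative est de dire à sudo de conserver les SSH_*
# néamoins demander tout le temps n'est pas trop contraignant
# et davantage sécurisant.
EOF
}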
rule_dovecot_configure () {
# IMAP + sieve with per-user passwd-files (~/etc/dovecot/passwd) and
# client-certificate login.  The server key is pushed beforehand by
# vm_remote dovecot_key_send (asserted below; `assert` and `rule`
# presumably come from "$tool"/lib/rule.sh).
rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
local hint="run vm_remote dovecot_key_send before"
assert "sudo test -f /etc/dovecot/\"$vm_domainname\"/imap/x509/key.pem" hint
# The self-signed cert+CRL bundle doubles as server certificate and as
# the CA that client certificates are checked against (ssl_ca/ssl_cert
# in local.conf below).
sudo install -m 400 -o root -g root \
"$tool"/var/pub/x509/$vm_domainname/imap/crt+crl.self-signed.pem \
/etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
sudo install -d -m 770 -o root -g adm \
/etc/skel/etc/mail \
/etc/skel/etc/sieve
# 1777 (sticky, world-writable): dovecot creates one subtree per user
# here, outside the quota'd /home (see the NOTE in local.conf).
sudo install -d -m 1777 -o root -g root \
/var/lib/dovecot-control \
/var/lib/dovecot-index
# NOTE(review): ssl_cipher_list pins a single non-forward-secret suite
# (AES256-SHA) and mail_debug = yes leaves verbose logging on; both are
# worth revisiting for production.  ssl_verify_client_cert = yes together
# with auth_ssl_username_from_cert takes the login name from the cert.
sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
auth_ssl_username_from_cert = yes
listen = *
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_debug = yes
mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
# NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
# VOIR: http://wiki2.dovecot.org/Quota/FS
mail_plugins = \$mail_plugins quota
mail_privileged_group = mail
passdb {
args = /home/%u/etc/dovecot/passwd
driver = passwd-file
}
plugin {
quota = fs:user
recipient_delimiter = +
sieve = ~/etc/mail/filter.sieve
sieve_dir = ~/etc/mail/sieve
sieve_global_dir = /var/lib/dovecot/sieve/global/
sieve_max_script_size = 1M
sieve_quota_max_scripts = 0
sieve_quota_max_storage = 10M
sieve_user_log = ~/var/log/mail/sieve.log
}
protocol imap {
mail_plugins = \$mail_plugins imap_quota
}
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
hostname = $vm_domainname
info_log_path =
log_path =
mail_plugins = \$mail_plugins sieve
postmaster_address = contact+dovecot+lda@$vm_domainname
syslog_facility = mail
}
protocols = imap sieve
service auth {
user = root
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
ssl_cipher_list = AES256-SHA
ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
ssl_verify_client_cert = yes
userdb {
driver = passwd
}
verbose_ssl = no
EOF
# Self-service helper: doveadm pw prompts for the password and only its
# SHA512-CRYPT hash lands in the user's own passwd-file (mode 640:
# owner and primary group).  The \$ escapes keep $USER and $(...) for the
# helper's runtime, not this rule's.
sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
#!/bin/sh -efux
# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
install -d -m 770 ~/etc/dovecot
install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
\$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
_EOF
EOF
# NOTE(review): an empty postgrey whitelist written from the dovecot rule —
# presumably a placeholder belonging to rule_postgrey_configure; confirm.
sudo install -m 664 -o root -g root /dev/stdin /etc/postgrey/whitelist_recipients.local <<-EOF
EOF
sudo service dovecot restart
}
rule_etckeeper_configure () {
# Track /etc in git with etckeeper: no daily auto-commits and no commit
# right before apt runs; the repo's prompt.sh is installed alongside.
# NOTE(review): the config is written before the package is installed,
# which relies on dpkg keeping the already-present conffile — confirm on
# a fresh install that the packaged default does not replace it.
sudo install -m 644 -o root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
VCS=git
GIT_COMMIT_OPTIONS=""
AVOID_DAILY_AUTOCOMMITS=1
#AVOID_SPECIAL_FILE_WARNING=1
AVOID_COMMIT_BEFORE_INSTALL=1
HIGHLEVEL_PACKAGE_MANAGER=apt
LOWLEVEL_PACKAGE_MANAGER=dpkg
EOF
sudo install -m 644 -o root -g root \
"$tool"/etc/etckeeper/prompt.sh \
/etc/etckeeper/prompt.sh
rule apt_get_install etckeeper
}
rule_filesystem_configure () {
# Write fstab, crypttab and the tmpfs defaults for the LUKS-on-LVM
# layout ($vm_lvm_vg / ${vm_lvm_lv}_{boot,root,var,home,swap}, names
# from "$tool"/etc/vm.sh).
sudo install -m 644 -o root -g root /dev/stdin /etc/fstab <<-EOF
# <file system> <mount point> <type> <options> <dump> <pass>
LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
# NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
EOF
# Only the root volume takes a passphrase at boot; var, home and swap are
# opened with a key derived from root's (decrypt_derived), so one secret
# unlocks the whole VM and those volumes are exactly as protected as root.
sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF
# <target name> <source device> <key file> <options>
${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
EOF
# /tmp, /run/lock and /dev/shm are kept in RAM; the *_SIZE knobs bound
# how much of it they may take.
sudo install -m 644 -o root -g root /dev/stdin /etc/default/tmpfs <<-EOF
LOCK_SIZE=5242880 # NOTE: 5MiB
RAMLOCK=yes
RAMSHM=yes
RAMTMP=yes
RUN_SIZE=10%
SHM_SIZE=
TMP_MODE=1777,nr_inodes=1000k,noatime
TMP_OVERFLOW_LIMIT=1024
# NOTE: mount tmpfs on /tmp if there is less than the limit size (in kiB)
# on the root filesystem (overriding RAMTMP).
TMP_SIZE=200m
TMPFS_SIZE=20%VM
EOF
# The repo ships its own tmpfs init script on top of the defaults above.
sudo install -m 775 -o root -g root \
"$tool"/etc/init.d/tmpfs \
/etc/init.d/tmpfs
sudo update-rc.d tmpfs defaults
}
rule_initramfs_configure () {
# Build an initramfs able to unlock the encrypted root remotely: Xen PV
# drivers, the crypto modules, and a dropbear SSH server whose
# authorized keys are those of every member of the sudo group.
sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
MODULES=most
BUSYBOX=y
KEYMAP=y
COMPRESS=gzip
DEVICE=eth0
EOF
# Xen paravirtualised network and block drivers.
sudo install -m 644 -o root -g root /dev/stdin /etc/modprobe.d/xen-pv.conf <<-EOF
alias eth0 xennet
alias scsi_hostadapter xenblk
EOF
# Hashes and ciphers needed to open the LUKS volumes before / is mounted.
sudo install -m 644 -o root -g root /dev/stdin /etc/modules <<-EOF
sha1_generic
sha256_generic
sha512_generic
aes-x86_64
xts
# NOTE: pour Xen en mode HVM :
#modprobe xen-platform-pci
EOF
sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF
EOF
# Drop the trailing "&" so dropbear only starts once networking is up.
sudo sed -e '/^configure_networking /s/ &$//' \
-i /usr/share/initramfs-tools/scripts/init-premount/dropbear
# NOTE: corrige une vermine : dropbear doit attendre que le réseau soit configuré..
# Regenerate the dropbear RSA host key only when the repo's known_hosts
# has no RSA entry for init.$vm_fqdn (ssh-keygen -F prints a
# "# Host ... type RSA" line when it does).  `return` inside the subshell
# just ends the subshell with that status; the `break` after it is
# unreachable.  A regenerated key changes what unlocking clients see, so
# its public half then has to be recorded in known_hosts.
ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
( while IFS= read -r line
do case $line in (*" RSA") return 0; break;; esac
done; return 1 ) ||
{
sudo rm -f \
/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
sudo dropbearkey -t rsa -s 4096 -f \
/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
}
# NOTE: ne se préoccupe pas de dropbear_dss_host_key ; Debian la génère et l'utilise néamoins.
# NOTE(review): 640 on a directory carries no execute bit, so only root
# can traverse it; that works because everything here runs as root, but
# 700 is presumably what was meant.
sudo install -d -m 640 -o root -g root \
/etc/initramfs-tools/root \
/etc/initramfs-tools/root/.ssh
# Concatenate ~/etc/ssh/authorized_keys of every member of the sudo
# group: each of them can then unlock the disks at boot.  `eval` is used
# only for the ~user home-directory expansion on names read from the
# local group database; `getent passwd "$user" | cut -d: -f6` would give
# the same without eval.
getent group sudo |
while IFS=: read -r group x x users
do while test -n "$users" && IFS=, read -r user users <<-EOF
$users
EOF
do eval local home\; home="~$user"
cat "$home"/etc/ssh/authorized_keys
done
done |
sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys
# The initramfs root needs no client key of its own.
sudo rm -f \
/etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
/etc/initramfs-tools/root/.ssh/id_rsa.pub \
/etc/initramfs-tools/root/.ssh/id_rsa
# NOTE: clefs générées par Debian
sudo update-initramfs -u
}
rule_locale_configure () {
  # Preseed the locales package (no default locale, generate fr_FR.UTF-8)
  # and run its configuration non-interactively.
  printf '%s\n' \
    'locales locales/default_environment_locale select None' \
    'locales locales/locales_to_be_generated multiselect fr_FR.UTF-8 UTF-8' |
  sudo debconf-set-selections
  rule dpkg_reconfigure locales
}
rule_login_configure () {
# Console, login.defs and PAM settings for a Xen guest: a getty on hvc0,
# a 007 umask (the group-trust model is explained inline), SHA512
# password hashes, and root login allowed on the Xen consoles.
sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF
# /etc/inittab: init(8) configuration.

# The default runlevel.
id:2:initdefault:

# Boot-time system configuration/initialization script.
# This is run first except when booting in emergency (-b) mode.
si::sysinit:/etc/init.d/rcS

# What to do in single-user mode.
~~:S:wait:/sbin/sulogin

# /etc/init.d executes the S and K scripts upon change
# of runlevel.
#
# Runlevel 0 is halt.
# Runlevel 1 is single-user.
# Runlevels 2-5 are multi-user.
# Runlevel 6 is reboot.

l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fallthrough in case of emergency.
z6:6:respawn:/sbin/sulogin

# What to do when CTRL-ALT-DEL is pressed.
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

# What to do when the power fails/returns.
pf::powerwait:/etc/init.d/powerfail start
pn::powerfailnow:/etc/init.d/powerfail now
po::powerokwait:/etc/init.d/powerfail stop

# Xen hypervisor console
hvc:2345:respawn:/sbin/getty 38400 hvc0
#xvc:2345:respawn:/sbin/getty 38400 xvc0
EOF
# NOTE: PASS_MAX_DAYS 99999 means passwords never expire; LOGIN_RETRIES
# and LOGIN_TIMEOUT only bound console logins, not ssh.
sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF
MAIL_DIR /var/mail
FAILLOG_ENAB yes
LOG_UNKFAIL_ENAB no
LOG_OK_LOGINS no
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
FTMP_FILE /var/log/btmp
SU_NAME su
HUSHLOGIN_FILE .hushlogin
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# NOTE: met les sbin/ dans ENV_PATH ;
# - ça n'apporte aucune protection de ne pas les mettre ;
# - ça frustre de ne pas les trouver.
TTYGROUP tty
TTYPERM 0600
ERASECHAR 0177
KILLCHAR 025
UMASK 007
# NOTE: rwxrwx--- ;
# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
GID_MIN 1000
GID_MAX 60000
LOGIN_RETRIES 3
LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
DEFAULT_HOME yes
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
EOF
# The three edits below are append-only and idempotent: each file is
# rewritten from its current content plus the missing line, and skipped
# when the line is already there.
# pam_umask makes login.defs' UMASK apply to every PAM session.
grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF
$(cat /etc/pam.d/common-session)
session optional pam_umask.so
EOF
# Listing hvc0/xvc0 in securetty lets root log in directly on the Xen
# consoles (the getty above runs on hvc0).
grep -q '^hvc0$' /etc/securetty ||
sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
$(cat /etc/securetty)
hvc0
EOF
grep -q '^xvc0$' /etc/securetty ||
sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
$(cat /etc/securetty)
xvc0
EOF
}
rule_mail_configure () {
  # The whole mail stack, run in this order: postfix, postgrey, procmail,
  # dovecot.
  local part
  for part in postfix postgrey procmail dovecot
  do rule "$part"_configure
  done
}
rule_network_configure () {
# Hostname, /etc/hosts and a single static interface: the VM owns a /32
# and uses its own address as gateway (proxy_arp on the gateway side),
# with MTU 1300 for the Grenode GRE/IPsec tunnels as measured inline.
sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
$vm
EOF
# Idempotent append: the loopback alias line is added only once.
grep -q " $vm\$" /etc/hosts ||
sudo install -m 644 -o root -g root /dev/stdin /etc/hosts <<-EOF
$(cat /etc/hosts)
127.0.0.1 $vm_fqdn $vm
EOF
# The \$ escapes keep \$IFACE and the \$((...)) examples for ifupdown /
# the comment, not for this rule's shell.
sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF
auto lo
iface lo inet loopback

auto eth0=grenode
iface grenode inet static
address $vm_ipv4
gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
network $vm_ipv4
broadcast $vm_ipv4
netmask 255.255.255.255
mtu 1300
# NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
# car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
#
# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
# PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
# 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
#
# --- soupirail.grenode.net ping statistics ---
# 1 packets transmitted, 1 received, 0% packet loss, time 0ms
# rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
# PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
# From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
#
# --- soupirail.grenode.net ping statistics ---
# 0 packets transmitted, 0 received, +1 errors
post-up ip address add $vm_ipv4/32 dev \$IFACE
pre-down ip address delete $vm_ipv4/32 dev \$IFACE
EOF
}
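rule_www_configure () {
  # Create the www (site owner) and log.www (log owner) system accounts
  # and the /home/www tree shared by the apache2, nginx and php5 rules.
  getent passwd www >/dev/null ||
  sudo adduser \
    --disabled-login \
    --disabled-password \
    --group \
    --home /home/www \
    --shell /bin/false \
    --system \
    www
  # Guarded like the account above: adduser fails on an existing user,
  # which aborted the rule under set -e on every run but the first.
  getent passwd log.www >/dev/null ||
  sudo adduser \
    --disabled-login \
    --disabled-password \
    --group \
    --home ~www/log \
    --shell /bin/false \
    --system \
    log.www
  #sudo adduser www www-data
  sudo adduser www log.www
  #sudo adduser log log.www
  # www-data's home becomes the document-root tree; the nginx rule relies
  # on it through ~www-data/.  (Needs sudo like every other account edit.)
  sudo usermod --home /home/www/pub www-data
  sudo install -d -m 751 -o www -g www \
    /home/www
  sudo install -d -m 750 -o www -g www \
    /home/www/etc
  # Two separate commands: a stray trailing backslash previously merged
  # the log.www invocation into this one's operand list, creating junk
  # "sudo" and "install" directories and chowning /home/www/pub to log.www.
  sudo install -d -m 1771 -o www-data -g www-data \
    /home/www/pub
  sudo install -d -m 1771 -o log.www -g log.www \
    /home/www/log
}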
rule_nginx_configure () {
# Install and configure nginx for every site found under
# "$tool"/etc/nginx/site.d/PORT.SITE/server.conf, with one www.PORT.SITE
# and one log.PORT.SITE system account per site.  `rule` and `assert`
# presumably come from "$tool"/lib/rule.sh.
# Globbing is needed for conf.d/* and site.d/*; `local -` restores the
# shell options (here -f) on return.
local -; set +f
rule apt_get_install nginx
rule www_configure
# conf.d and site.d are rebuilt from the repo on every run.
sudo rm -rf \
/etc/nginx/conf.d \
/etc/nginx/site.d
sudo install -d -m 770 -o www -g www \
/etc/nginx \
/etc/nginx/conf.d \
/etc/nginx/site.d
sudo ln -fns \
/etc/nginx \
/home/www/etc/nginx
sudo install -m 660 -o www -g www \
"$tool"/etc/nginx/nginx.conf \
/etc/nginx/nginx.conf
local conf
for conf in "$tool"/etc/nginx/conf.d/*.conf
do conf=${conf#"$tool"/etc/nginx/conf.d/}
sudo install -m 660 -o www -g www \
"$tool"/etc/nginx/conf.d/"$conf" \
/etc/nginx/conf.d/"$conf"
done
for conf in "$tool"/etc/nginx/site.d/*/server.conf
do conf=${conf#"$tool"/etc/nginx/site.d/}
local port site
# The directory name PORT.SITE is split on its first dot, then $site is
# rebuilt as PORT.SITE for account and path names.
IFS=. read -r port site <<-EOF
${conf%\/server\.conf}
EOF
assert 'test "${port:+set}"'
assert 'test "${site:+set}"'
site="$port.$site"
# ~www-data expands to www-data's home, /home/www/pub (rule_www_configure).
getent passwd www."$site" >/dev/null ||
sudo adduser \
--disabled-login \
--disabled-password \
--group \
--home ~www-data/"$site" \
--shell /bin/false \
--system \
www."$site"
getent passwd log."$site" >/dev/null ||
sudo adduser \
--disabled-login \
--disabled-password \
--group \
--shell /bin/false \
--system \
log."$site"
sudo usermod --home ~www/log/"$site"/nginx log."$site"
sudo install -d -m 770 -o www -g www \
/etc/nginx/site.d/"$site"
case $port in
(443)
# The private key never travels with this repo: vm_remote pushes it.
# NOTE(review): the assert looks at /etc/nginx/"$site"/x509/ while the
# certificate goes to /etc/nginx/site.d/"$site"/x509/ (whose x509/
# subdirectory is not created above; install does not create parents) —
# looks like both should be the site.d path; confirm.
local hint="run vm_remote nginx_key_send before"
assert "sudo test -f /etc/nginx/\"$site\"/x509/key.pem" hint
sudo install -m 664 -o www -g www \
"$tool"/var/pub/x509/"$site"/crt+ca.pem \
/etc/nginx/site.d/"$site"/x509/crt.pem
;;
esac
# Generate the server block for the port, append the site's own snippet
# from the repo, and install the result.
# NOTE(review): the 443 template keeps TLSv1/TLSv1.1 enabled and HIGH
# admits non-forward-secret RSA suites; worth tightening.
case $port in
(80)
cat <<-EOF
server {
listen $port;
access_log /home/www/log/$site/nginx/access.log main;
error_log /home/www/log/$site/nginx/error.log warn;
root /home/www/pub/$site;
server_name $site;
$(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
}
EOF
;;
(443)
cat <<-EOF
server {
listen $port;
access_log /home/www/log/$site/nginx/access.log main;
error_log /home/www/log/$site/nginx/error.log warn;
keepalive_timeout 70;
root /home/www/pub/$site;
server_name $site;
# DOC: http://wiki.nginx.org/HttpSslModule
ssl on;
ssl_certificate /home/www/etc/nginx/site.d/$site/x509/crt.pem;
ssl_certificate_key /home/www/etc/nginx/site.d/$site/x509/key.pem;
ssl_ciphers HIGH:!ADH:!MD5;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
$(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
}
EOF
;;
esac |
sudo install -m 660 -o www -g www /dev/stdin \
/etc/nginx/site.d/"$site"/server.conf
# NOTE(review): runs without sudo, unlike every other account edit here,
# and "$site" (PORT.SITE) is not a group this rule creates — www."$site"
# is presumably meant, here and as owner/group of the document root
# below; confirm.
adduser www-data "$site"
test -e /home/www/pub/"$site" ||
sudo install -d -m 3770 -o "$site" -g "$site" \
/home/www/pub/"$site"
sudo install -d -m 3770 -o log."$site" -g log."$site" \
/home/www/log/"$site"/nginx
# Per-site hook, sourced in this shell: it sees this function's locals
# (port, site, conf) and runs with the caller's sudo rights.
test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
. "$tool"/etc/nginx/site.d/"$site"/configure.sh
done
# fcgiwrap's system-wide init script is unregistered; the CGI wrapper is
# presumably spawned per site instead (spawn-fcgi).
rule apt_get_install spawn-fcgi fcgiwrap
sudo insserv --remove fcgiwrap
rule tmpfs_configure
sudo service nginx restart
}
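rule_php5_fpm_configure () {
  # Install php5-fpm + APC and write one FPM pool per
  # "$tool"/etc/php5/fpm/pool.d/PORT.SITE.conf, each pool running as its
  # own php5.PORT.SITE system account and listening on a unix socket under
  # /run/nginx/fastcgi/.  `rule` and `assert` presumably come from
  # "$tool"/lib/rule.sh.
  local -; set +f   # globbing needed for pool.d/*; options restored on return
  rule apt_get_install \
    php5-fpm \
    php-apc
  getent passwd php5 >/dev/null ||
  sudo adduser \
    --disabled-login \
    --disabled-password \
    --group \
    --shell /bin/false \
    --system \
    php5
  local conf
  # NOTE(review): /etc/php5-fpm does not match the /etc/php5/fpm layout
  # used everywhere else in this rule — looks like a typo; confirm which
  # path exists.
  sudo ln -fns \
    /etc/php5-fpm \
    /home/www/etc/php5
  # Pools are regenerated from scratch so a site removed from the repo
  # does not keep a stale pool.
  sudo rm -f /etc/php5/fpm/pool.d/*
  for conf in "$tool"/etc/php5/fpm/pool.d/*.conf
  do conf=${conf#"$tool"/etc/php5/fpm/pool.d/}
    local port site
    # PORT.SITE.conf is split on its first dot, then $site is rebuilt as
    # PORT.SITE for account and path names.
    IFS=. read -r port site <<-EOF
${conf%\.conf}
EOF
    assert 'test "${port:+set}"'
    assert 'test "${site:+set}"'
    site="$port.$site"
    # The guard now checks the account this rule creates (php5.$site);
    # the former php5"$site" spelling never matched, so every run after
    # the first failed in adduser on the existing user.
    getent passwd php5."$site" >/dev/null ||
    sudo adduser \
      --disabled-login \
      --disabled-password \
      --group \
      --no-create-home \
      --home ~www/pub/"$site" \
      --shell /bin/false \
      --system \
      php5."$site"
    sudo install -d -m 770 -o php5 -g php5 \
      /home/www/log/php5 \
      /home/www/log/php5/fpm
    sudo install -d -m 770 -o log."$site" -g log."$site" \
      /home/www/log/"$site"
    # NOTE(review): $user is not set in this function; php5."$site" is
    # presumably the member meant (it has to read www."$site"'s files) —
    # confirm.
    sudo adduser php5."$user" www."$site"
    # NOTE(review): access.log and slowlog point under
    # /home/www/log/$site/php5/fpm/, but only /home/www/log/php5/fpm and
    # /home/www/log/$site are created above; and $php5_user is not set
    # here (presumably php5.$site) — confirm both.
    sudo install -m 660 -o root -g root /dev/stdin \
      /etc/php5/fpm/pool.d/"$conf" <<-EOF
[php5.$site]
access.log = /home/www/log/$site/php5/fpm/access.log
catch_workers_output = yes
chdir = /
env[HOSTNAME] = \$HOSTNAME
env[TEMP] = /tmp
env[TMPDIR] = /tmp
env[TMP] = /tmp
group = www-data
listen = /run/nginx/fastcgi/php5.$site
#listen = 127.0.0.1:9000
#listen.allowed_clients = 127.0.0.1
listen.backlog = -1
pm = dynamic
pm.max_children = 5
pm.max_requests = 200
pm.max_spare_servers = 4
pm.min_spare_servers = 2
pm.start_servers = 3
pm.status_path = /status
request_slowlog_timeout = 5s
request_terminate_timeout = 120s
rlimit_core = unlimited
rlimit_files = 131072
slowlog = /home/www/log/$site/php5/fpm/slow.log
user = $php5_user
$(cat "$tool"/etc/php5/fpm/pool.d/"$conf")
EOF
    sudo install -m 664 -o root -g root \
      "$tool"/etc/php5/fpm/php.ini \
      /etc/php5/fpm/php.ini
  done
  rule tmpfs_configure
  sudo service php5-fpm restart
}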
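rule_postfix_configure () {
	# Installs and configures Postfix for $vm_domainname:
	#  - preseeds debconf so the package installs with "No configuration"
	#    (the files written below replace Debian's defaults);
	#  - lays out /etc/postfix/$vm_domainname/{smtp,smtpd}/x509 and installs
	#    the smtpd certificates from the tool's var/pub tree (the CA the
	#    server presents is its own self-signed cert+CRL);
	#  - installs aliases, main.cf (host-specific header + tool template),
	#    master.cf and the lookup tables, rebuilding the hash:*.db with postmap;
	#  - restarts Postfix.
	# Pre-condition (checked by assert): the smtpd private key is already
	# in place, which is done from the host with vm_remote postfix_key_send.
	# Globals read: tool, vm_domainname, vm_hostname.
	local hint="run vm_remote postfix_key_send before"
	local dir="/etc/postfix/$vm_domainname"
	local src="$tool/etc/postfix/$vm_domainname"
	local pub="$tool/var/pub/x509/$vm_domainname"
	local map
	assert "test -f $dir/smtpd/x509/key.pem" hint
	sudo debconf-set-selections <<-EOF
postfix postfix/main_mailer_type select No configuration
EOF
	rule apt_get_install postfix
	# Keep the compiled lookup tables (*.db) out of etckeeper's history.
	sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
*.db
EOF
	# NOTE(review): 770 root:root — the unprivileged postfix daemons read the
	# tables installed below directly; confirm they can traverse this tree.
	sudo install -d -m 770 -o root -g root \
		"$dir" \
		"$dir"/smtp \
		"$dir"/smtp/x509 \
		"$dir"/smtp/x509/ca \
		"$dir"/smtpd \
		"$dir"/smtpd/x509 \
		"$dir"/smtpd/x509/ca
	sudo ln -fns \
		../crt+crl.self-signed.pem \
		"$dir"/smtpd/x509/ca/crt.pem
	# Public material only: the key itself is never copied by this rule.
	sudo install -m 400 -o root -g root \
		"$pub"/smtpd/crt+crl.self-signed.pem \
		"$dir"/smtpd/x509/crt+crl.self-signed.pem
	sudo install -m 400 -o root -g root \
		"$pub"/smtpd/crt.pem \
		"$dir"/smtpd/x509/crt.pem
	sudo install -m 400 -o root -g root \
		"$pub"/smtpd/crt+ca.pem \
		"$dir"/smtpd/x509/crt+ca.pem
	sudo install -m 660 -o root -g root \
		"$src"/header_checks \
		"$dir"/header_checks
	# Administrative addresses go to root; root's mail goes to every member
	# of the sudo group.
	sudo install -m 664 -o root -g root /dev/stdin \
		/etc/postfix/aliases <<-EOF
# See man 5 aliases for format
abuse: root
admin: root
contact: root
postmaster: root
root: $(getent group sudo | cut -f 4 -d : | tr , ' ')
EOF
	sudo newaliases -oA/etc/postfix/aliases
	# main.cf = host-specific settings (expanded here) + the tool's template;
	# \$name is left for Postfix to expand.
	cat /dev/stdin "$tool"/etc/postfix/main.cf <<-EOF |
mydomain = $vm_domainname
myorigin = \$mydomain
myhostname = $vm_hostname.\$mydomain
mail_name = \$myhostname
mydestination = $vm_hostname \$myhostname \$myorigin
EOF
	sudo install -m 664 -o root -g root /dev/stdin \
		/etc/postfix/main.cf
	sudo install -m 664 -o root -g root \
		"$tool"/etc/postfix/master.cf \
		/etc/postfix/master.cf
	# smtp/header_checks is read as a plain table, no postmap.
	sudo install -m 660 -o root -g root \
		"$src"/smtp/header_checks \
		"$dir"/smtp/header_checks
	# Hashed lookup tables: install the source, then rebuild the .db next to it.
	for map in \
		smtp/x509/policy \
		smtpd/sender_access \
		smtpd/client_blacklist \
		smtpd/relay_clientcerts \
		transport \
		virtual_alias
	do	sudo install -m 660 -o root -g root \
			"$src"/"$map" \
			"$dir"/"$map"
		sudo postmap hash:"$dir"/"$map"
	done
	sudo service postfix restart
}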
rule_openerp_configure () {
	# Registers the OpenERP nightly package source, refreshes the package
	# index and installs openerp.
	# NOTE(review): the source is plain http and this rule trusts no archive
	# signing key for it, so under apt's default policy its packages are
	# unauthenticated and apt-get install prompts or refuses — confirm a key
	# is trusted elsewhere before relying on this rule.
	local list=/etc/apt/sources.list.d/openerp.list
	printf '%s\n' 'deb http://nightly.openerp.com/trunk/nightly/deb/ ./' |
	sudo install -m 660 -o root -g root /dev/stdin "$list"
	sudo apt-get update
	rule apt_get_install openerp
}
rule_postgrey_configure () {
	# Installs the postgrey greylisting daemon and (re)starts its service.
	local svc=postgrey
	rule apt_get_install "$svc"
	sudo service "$svc" restart
}
rule_procmail_configure () {
	# Installs procmail and seeds /etc/skel with the per-user mail layout
	# (etc/mail, var/cache/mail, var/log/mail, var/mail, group adm) plus the
	# tool's delivery.procmailrc, so every account created afterwards gets
	# them.
	local skel=/etc/skel
	local rc=etc/mail/delivery.procmailrc
	rule apt_get_install procmail
	sudo install -d -m 770 -o root -g adm \
		"$skel"/etc/mail \
		"$skel"/var/cache/mail \
		"$skel"/var/log/mail \
		"$skel"/var/mail
	sudo install -m 660 -o root -g adm \
		"$tool"/etc/skel/"$rc" \
		"$skel"/"$rc"
}
rule_ssh_configure () {
	# Makes sure the VM has an RSA host key, removes the DSA/ECDSA host keys
	# Debian generated, installs a fixed sshd_config and restarts sshd.
	#
	# The pipeline looks $vm_fqdn up in the tool's own known_hosts; the
	# subshell returns 0 as soon as a printed line ends in " RSA", otherwise
	# returns 1 and a fresh 4096-bit RSA host key is generated.
	# NOTE(review): the match relies on ssh-keygen -F printing the key type
	# at the end of its "# Host … found" line; releases that omit it never
	# match, so the host key would be regenerated on every run and the
	# fingerprint clients have pinned for $vm_fqdn would change — confirm
	# on the installed OpenSSH. The `break` after `return 0` is unreachable.
	ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	( while IFS= read -r line
	do case $line in (*" RSA") return 0; break;; esac
	done; return 1 ) ||
	sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
	sudo rm -f \
		/etc/ssh/ssh_host_dsa_key \
		/etc/ssh/ssh_host_dsa_key.pub \
		/etc/ssh/ssh_host_ecdsa_key \
		/etc/ssh/ssh_host_ecdsa_key.pub
	# NOTE: keys generated by Debian (removed above; only the RSA key is kept)
	# sshd_config: protocol 2 only, single RSA host key, bound to $vm_ipv4,
	# public-key authentication only (password, challenge-response, Kerberos
	# and GSSAPI all off), keys read from %h/etc/ssh/authorized_keys, no X11.
	# KeyRegenerationInterval and ServerKeyBits only concern protocol 1,
	# which is disabled here.
	# NOTE(review): PermitRootLogin yes is key-only solely because
	# PasswordAuthentication is off globally; "without-password" would make
	# that explicit for root.
	sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
Port 22
ListenAddress $vm_ipv4
#ListenAddress ::
Protocol 2
Compression yes
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/etc/ssh/authorized_keys
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
DebianBanner no
PrintLastLog yes
TCPKeepAlive yes
ClientAliveInterval 0
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
EOF
	sudo service ssh restart
}
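rule_sysctl_configure () {
	# Installs every *.conf from the tool's etc/sysctl.d into /etc/sysctl.d
	# and reloads all sysctl settings.
	# Globbing is re-enabled for this function only (`local -` restores the
	# script-wide -f on return); conf is local so the loop variable does not
	# leak into the caller.
	local conf; local -; set +f
	for conf in "$tool"/etc/sysctl.d/*.conf
	do conf=${conf#"$tool"/etc/sysctl.d/}
		sudo install -m 660 -o root -g root \
			"$tool"/etc/sysctl.d/"$conf" \
			/etc/sysctl.d/"$conf"
	done
	sudo sysctl --system
}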
rule_time_configure () {
	# Pins the system time zone to Europe/Paris — the tzdata debconf answers
	# and /etc/timezone, applied by dpkg-reconfigure — and installs ntp.
	local area=Europe zone=Paris
	sudo debconf-set-selections <<-EOF
tzdata tzdata/Areas select $area
tzdata tzdata/Zones/$area select $zone
EOF
	printf '%s\n' "$area/$zone" |
	sudo install -m 644 -o root -g root /dev/stdin /etc/timezone
	rule dpkg_reconfigure tzdata
	rule apt_get_install ntp
}
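rule_user_add () { # SYNTAX: $user
	# Creates the regular account $1 if it does not exist yet, adds it to the
	# users group, installs its SSH public key from the tool's var/pub/ssh
	# tree as ~/etc/ssh/authorized_keys (the path sshd is configured to read)
	# and imports the tool's OpenPGP public keys into the user's keyring.
	# The account is created with a disabled password: the user initialises
	# it with passwd-init (see user_configure).
	# Arguments: $1 - login name
	rule user_configure
	local user=$1
	local home
	id "$user" >/dev/null ||
	sudo adduser --disabled-password "$user"
	# Resolve the home directory from the passwd database rather than
	# eval'ing "~$user", so the login name is never re-parsed as shell code.
	# An empty result would put the path below under /, so abort on it.
	home=$(getent passwd "$user" | cut -d : -f 6)
	: "${home:?no home directory found for $user}"
	sudo adduser "$user" users
	# NOTE(review): root:root 0640 — sshd opens authorized_keys with the
	# user's privileges; confirm the user can actually read this file.
	sudo install -m 640 -o root -g root \
		"$tool"/var/pub/ssh/"$user".key \
		"$home"/etc/ssh/authorized_keys
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo -u "$user" gpg --import - <"$key"
	done
}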
rule_user_configure () {
	# Placeholder, shadowed: the same name is defined again further down in
	# this file (the /etc/skel and sudoers.d setup) and in sh the later
	# definition wins, so this body never runs. It only makes the rule show
	# up twice in the help listing; it can be removed.
	true
}
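rule_user_admin_add () { # SYNTAX: $user
	# Creates an administrator account: the regular account from user_add
	# (users group, SSH authorized_keys, OpenPGP keys), also made a member
	# of the sudo group, then user_admin_configure is run so root's
	# authorized_keys picks the new member up.
	# Arguments: $1 - login name
	local user=$1
	rule user_add "$user"
	sudo adduser "$user" sudo
	rule user_admin_configure
}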
rule_user_admin_configure () {
	# Steps run after an administrator account changes: initramfs_configure
	# (defined outside this view, presumably rebuilds the initramfs) and
	# user_root_configure, which rebuilds root's authorized_keys from the
	# current members of the sudo group.
	rule initramfs_configure
	rule user_root_configure
}
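rule_user_configure () {
	# Prepares the account template and the sudo policy shared by every user
	# created with user_add / user_admin_add:
	#  - /etc/skel with ~/.ssh and ~/.gnupg as links into ~/etc;
	#  - sudoers.d/passwd-init: members of sudo may run passwd on their own
	#    account without a password, but only while it is still locked
	#    (passwd --status reports "L");
	#  - sudoers.d/etckeeper-unclean and env_keep for editor/git variables;
	#  - /usr/local/bin/passwd-init, the wrapper invoking that sudo rule;
	#  - the system bash.bashrc and screenrc from the tool.
	# Sudoers drop-ins are installed mode 0440, the mode sudo expects for
	# sudoers files, and checked with visudo -c so that a syntax error aborts
	# this rule instead of the file being silently ignored by sudo.
	local sudoers
	sudo install -d -m 750 -o root -g adm \
		/etc/skel/etc \
		/etc/skel/etc/gpg \
		/etc/skel/etc/ssh
	sudo install -d -m 770 -o root -g adm \
		/etc/skel/var \
		/etc/skel/var/cache \
		/etc/skel/var/log \
		/etc/skel/var/run \
		/etc/skel/var/run/ssh
	sudo ln -fns etc/ssh /etc/skel/.ssh
	sudo ln -fns etc/gpg /etc/skel/.gnupg
	# Unquoted delimiter: \\ and \$ are written as \ and $ so the sudoers
	# line continuations and the literal command string reach the file intact.
	sudoers=/etc/sudoers.d/passwd-init
	sudo install -m 440 -o root -g root /dev/stdin "$sudoers" <<-EOF
%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
EOF
	sudo visudo -c -f "$sudoers"
	sudoers=/etc/sudoers.d/etckeeper-unclean
	sudo install -m 440 -o root -g root /dev/stdin "$sudoers" <<-EOF
%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
EOF
	sudo visudo -c -f "$sudoers"
	sudoers=/etc/sudoers.d/env_keep
	sudo install -m 440 -o root -g root /dev/stdin "$sudoers" <<-EOF
Defaults env_keep = " \\
EDITOR \\
GIT_AUTHOR_NAME \\
GIT_AUTHOR_EMAIL \\
GIT_COMMITTER_NAME \\
GIT_COMMITTER_EMAIL \\
"
EOF
	sudo visudo -c -f "$sudoers"
	# The wrapper passes exactly the command string the sudoers rule above
	# allows; the trailing \ joins the two lines when the heredoc is expanded.
	sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF
#!/bin/sh -efu
# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
sudo /bin/sh -e -f -u -c \
'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
EOF
	sudo install -m 644 -o root -g root \
		"$tool"/etc/bash.bashrc \
		/etc/bash.bashrc
	sudo install -m 644 -o root -g root \
		"$tool"/etc/screenrc \
		/etc/screenrc
}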
rule_user_root_configure () {
	# Gives root the same ~/etc/{gpg,ssh} layout as /etc/skel, builds
	# /root/etc/ssh/authorized_keys from the authorized_keys of every member
	# of the sudo group, and imports the tool's OpenPGP keys into root's
	# keyring.
	# NOTE(review): together with PermitRootLogin yes in ssh_configure this
	# lets every sudo member log in directly as root with their own key,
	# bypassing sudo's per-user logging; confirm that this is intended.
	sudo install -d -m 750 -o root -g adm \
		/root/etc \
		/root/etc/gpg \
		/root/etc/ssh
	sudo ln -fns etc/gpg /root/.gnupg
	sudo ln -fns etc/ssh /root/.ssh
	# getent prints "sudo:x:GID:user1,user2,…"; the outer read splits on ':'
	# (the two x placeholders absorb the password and gid fields), the inner
	# read peels one comma-separated user off $users per iteration.
	getent group sudo |
	while IFS=: read -r group x x users
	do while test -n "$users" && IFS=, read -r user users <<-EOF
$users
EOF
	do eval local home\; home="~$user"
		# NOTE(review): this cat runs with the invoking user's privileges and,
		# sh having no pipefail, a cat that fails only drops that user's keys
		# from the installed file without failing the rule — verify the
		# result when a key file is unreadable.
		cat "$home"/etc/ssh/authorized_keys
	done
	done |
	sudo install -m 640 -o root -g root /dev/stdin /root/etc/ssh/authorized_keys
	# Globbing is re-enabled for this function only (local - restores -f).
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo gpg --import "$key"
	done
}
rule_configure () {
	# Runs the whole hosted-VM configuration as an ordered sequence of rules:
	# package sources and the tool's own git checkout first, etckeeper before
	# the rest of /etc is modified, then base system, network, storage,
	# logins and ssh, root and user accounts, mail and the web stack.
	# The sequence is presumably order-dependent; keep it when adding rules.
	# apache2 is commented out in favour of nginx + php5-fpm.
	rule apt_configure
	rule git_configure
	rule etckeeper_configure
	rule locale_configure
	rule time_configure
	rule network_configure
	rule filesystem_configure
	rule login_configure
	rule ssh_configure
	rule user_root_configure
	rule boot_configure
	rule sysctl_configure
	rule user_configure
	rule mail_configure
	#rule apache2_configure
	rule nginx_configure
	rule php5_fpm_configure
}
1183
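rule_luks_key_change () {
	# Replaces a key slot of the root LUKS volume
	# (/dev/$vm_lvm_vg/${vm_lvm_lv}_root). No passphrase is passed on the
	# command line here, cryptsetup asks for the current and the new one
	# itself, so nothing leaks through ps or shell history.
	# Globals read: vm_lvm_vg, vm_lvm_lv.
	sudo cryptsetup luksChangeKey "/dev/$vm_lvm_vg/${vm_lvm_lv}_root"
}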
1187
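# Entry point: the first argument names the rule (default: help), the rest
# are passed through to it. Any rule other than help first asserts that the
# machine running this script is the VM described by etc/vm.sh ($vm_fqdn),
# so a rule is never applied to the wrong host.
rule=${1:-help}
# Expands to "shift" only when $1 is set, so no error when called bare.
${1+shift}
case $rule in
(help);;
(*)
	assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
	;;
esac
rule "$rule" "$@"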