Correction : vm_{hosted,remote} : chemins et noms, suite.
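#!/bin/sh
# vm_hosted: rules to administer the VM from inside the hosted VM itself
# (see rule_help). Invoked as "vm_hosted $RULE [args]" or through the
# /usr/local/sbin/vm symlink installed by rule_git_configure.
# Environment: DRY_RUN (when set adds -n: the script is parsed, nothing runs),
# TRACE (exported below, read by lib/rule.sh).
set -e -f ${DRY_RUN:+-n} -u
# Locate the tool directory by following the symlink chain from $0.
# Fix: a relative symlink target (readlink output without a leading "/") is
# now resolved against the directory holding the link, instead of being
# taken relative to the current working directory.
tool=$0
while test -L "$tool"
do target=$(readlink "$tool")
  case $target in
  (/*) tool=$target;;
  (*) case $tool in
      (*/*) tool=${tool%/*}/$target;;
      (*) tool=$target;;
      esac;;
  esac
done
tool=${tool%/*}
. "$tool"/lib/rule.sh
. "$tool"/etc/vm.sh
export TRACE=1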
11
rule_help () { # SYNTAX: [--hidden]
  # Print the usage text to stderr. The RULES and ENVIRONMENT lists are
  # extracted with sed from etc/vm.sh and this file: rules are the
  # "rule_NAME () {" definitions (a "# SYNTAX:" comment on the same line is
  # echoed as the rule's syntax), variables are the "readonly NAME=..." lines.
  # NOTE(review): the text refers to "vm_host" / $vm_host while the companion
  # tool is named vm_remote in the commit title — possibly stale wording.
  local hidden; [ ${1:+set} ] || hidden=set
  # Without --hidden, rules whose name starts with "_" (internal ones such as
  # rule__chrooted_configure) are filtered out by the "[^_]" in the pattern.
  cat >&2 <<-EOF
DESCRIPTION:
ce script regroupe des règles pour administrer la VM ($vm_fqdn)
_depuis_ la VM hébergée ($vm_fqdn) ;
il sert à la fois d'outil (aisément bidouillable)
et de documentation (préçise).
Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
SYNTAX: $0 \$RULE \${RULE}_SYNTAX
RULES:
$(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
ENVIRONMENT:
TRACE # affiche les commandes avant leur exécution
$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
EOF
}
29
rule_git_configure () {
  # Wire the tool's own checkout so that master tracks the local ref
  # refs/remotes/master (remote "." = this repository), install the
  # vm_hosted / vm entry points in /usr/local/sbin, and add a post-update
  # hook that force-checks-out master and cleans the working tree whenever
  # refs/remotes/master is updated (presumably by a push from the host side).
  (
    cd "$tool"
    git config --replace branch.master.remote .
    git config --replace branch.master.merge refs/remotes/master
    # Relies on dash's `local` keeping the inherited value: the "cd; cd -"
    # trick then turns $tool into an absolute path (cd - prints the
    # directory it returns to). Under bash `local tool` would leave it unset.
    local tool
    tool=$(cd "$tool"; cd -)
    sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/
    sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/vm
    # NOTE(review): install without -o/-g leaves the hook root:root with mode
    # 770, so a non-root user receiving the push could not execute it — confirm
    # who runs git on this side. The hook's "clean -f -d -x" discards every
    # untracked and ignored file in the working tree.
    sudo install -m 770 /dev/stdin .git/hooks/post-update <<-EOF
#!/bin/sh -efux
case \$1 in
(refs/remotes/master)
cd ..
git --git-dir=\$PWD/.git checkout -f -B master remotes/master
git --git-dir=\$PWD/.git clean -f -d -x
;;
esac
EOF
  )
}
rule_git_reset () {
  # Hard-reset the tool's working copy to remotes/master and remove every
  # untracked and ignored file (-d -x): local edits are discarded. Runs in a
  # subshell so the cd does not leak into the caller.
  (
    cd "$tool" || exit
    git checkout -f -B master remotes/master &&
    git clean -f -d -x
  )
}
58
rule_adduser () {
  # Idempotent adduser: $1 is the account name, the remaining arguments are
  # passed to adduser. Nothing is done when a passwd entry already exists
  # (getent exits non-zero only when the name is absent).
  local user
  user=$1
  shift
  if ! getent passwd "$user" >/dev/null; then
    sudo adduser "$@" "$user"
  fi
}
rule_apt_get_install () { # SYNTAX: $package
  # Non-interactive apt-get install of the given packages; DEBIAN_FRONTEND is
  # passed as an environment assignment on the sudo command line so that no
  # debconf prompt can block an unattended run.
  set -- install "$@"
  sudo DEBIAN_FRONTEND=noninteractive apt-get "$@"
}
rule_dpkg_reconfigure () { # SYNTAX: $package
  # Non-interactive dpkg-reconfigure: the package's debconf answers must have
  # been preseeded beforehand (see rule_locales_configure).
  local frontend
  frontend=noninteractive
  sudo DEBIAN_FRONTEND="$frontend" dpkg-reconfigure "$@"
}
70
rule__chrooted_configure () { # NOTE: is this actually useful at some point?
  # Internal rule (leading "_": hidden from rule_help unless --hidden):
  # force the C locale and re-read /etc/profile into the current shell.
  LANG=C
  LC_CTYPE=C
  export LANG LC_CTYPE
  . /etc/profile
}
76
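rule_apache2_configure () {
  # Install apache2 (mpm-itk + mod_php5), write the global configuration from
  # "$tool"/etc/apache2/, then generate one VirtualHost per
  # "$tool"/etc/apache2/site.d/*/VirtualHost.conf. Sites whose name ends in
  # "-tls" additionally get a mod_ssl block and their x509 material installed
  # from "$tool"/var/pub/x509/$site/. Every site is served under its own
  # www-$site account (AssignUserID, hence apache2-mpm-itk).
  # Fixes:
  # - the `rule adduser www-"$site"` line lacked its trailing backslash, so
  #   the options ran as a separate command and set -e aborted the rule;
  # - the account is now created before the directories owned by it
  #   (install -o www-"$site" fails while the user does not exist yet);
  # - the access/ and error/ log directories referenced by rotatelogs are
  #   created (rotatelogs does not create them).
  # NOTE(review): $port is expanded in the VirtualHost here-documents but is
  # not set in this rule (presumably etc/vm.sh or a site's configure.sh) —
  # confirm it is always defined, since set -u aborts otherwise.
  local -; set +f   # re-enable globbing (set -f at the top) for the site.d/* loop
  rule apt_get_install \
    apache2-mpm-itk \
    libapache2-mod-php5
  # SEE: http://serverfault.com/questions/383526/how-do-i-select-which-apache-mpm-to-use/383634#383634
  # SEE: http://jkroon.blogs.uls.co.za/it/security/using-php-fpm-and-mod_proxy_fcgi-to-optimize-and-secure-lamp-servers
  # NOTE: apache2-mpm-itk looks the most secure,
  # since everything is guaranteed to run with the uid/gid
  # assigned to the VirtualHost/Directory/Location;
  # nevertheless a combination such as
  # apache2-mpm-{worker,event} + mod_proxy_fcgi + apache2-suexec-custom + php-fpm
  # might perform better (threads rather than forks),
  # however suexec seems to impose forks anyway..
  # and mod_proxy_fcgi only appears in apache 2.4;
  # so for now: apache2-mpm-itk
  sudo rm -rf \
    /etc/apache2/site.d
  # NOTE(review): /etc/apache2, site.d and x509.d are group-writable by www,
  # i.e. whoever can act as www can alter configuration apache reads as root;
  # acceptable only if www is the admin identity (rule_www_configure) and
  # never a serving identity — confirm.
  sudo install -d -m 770 -o www -g www \
    /etc/apache2 \
    /etc/apache2/site.d \
    /etc/apache2/x509.d
  # Prepend ServerName to the shipped apache2.conf while installing it.
  cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF |
ServerName "$vm_fqdn"
EOF
  sudo install -m 660 -o root -g root /dev/stdin \
    /etc/apache2/apache2.conf
  sudo install -m 660 -o root -g root \
    "$tool"/etc/apache2/envvars \
    /etc/apache2/envvars
  sudo install -m 660 -o root -g root \
    "$tool"/etc/apache2/httpd.conf \
    /etc/apache2/httpd.conf
  #sudo install -m 660 -o root -g root /dev/stdin \
  # /etc/apache2/suexec/www-data <<-EOF
  # /home
  # pub/www/cgi
  # EOF
  sudo install -m 660 -o root -g root \
    "$tool"/etc/apache2/ports.conf \
    /etc/apache2/ports.conf
  sudo a2enmod actions
  sudo a2enmod headers
  sudo a2enmod rewrite
  sudo a2enmod ssl
  sudo a2enmod userdir
  local conf
  sudo a2dissite "*"
  sudo ln -fns \
    /etc/apache2 \
    /home/www/etc/apache2
  for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf
  do conf=${conf#"$tool"/etc/apache2/site.d/}
    local site=${conf%/VirtualHost.conf}
    # The site account first: everything below is chowned to it.
    rule adduser www-"$site" \
      --disabled-password \
      --group \
      --no-create-home \
      --home /home/www/pub/"$site" \
      --shell /bin/false \
      --system
    case $site in
    (*-tls)
      # The private key is never in the repository: vm_remote must have sent it.
      # NOTE(review): this assert looks for site.d/$site/x509/key.pem while
      # SSLCertificateKeyFile below reads x509.d/$site/key.pem — one of the two
      # paths looks stale; confirm where apache2_key_send writes the key.
      local hint="run vm_remote apache2_key_send before"
      assert "sudo test -f /etc/apache2/site.d/\"$site\"/x509/key.pem" hint
      # NOTE(review): /etc/apache2 itself is listed here with -o www-"$site";
      # if install -d re-applies owner/mode to an existing directory, the last
      # TLS site ends up owning /etc/apache2 — probably only the two
      # site-specific directories were meant.
      sudo install -d -m 770 -o www-"$site" -g www-"$site" \
        /etc/apache2 \
        /etc/apache2/site.d/"$site" \
        /etc/apache2/x509.d/"$site" \
        /etc/apache2/x509.d/"$site"/ca \
        /etc/apache2/x509.d/"$site"/empty \
        /etc/apache2/x509.d/"$site"/rvk \
        /etc/apache2/x509.d/"$site"/usr
      sudo install -m 664 -o www -g www \
        "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
        /etc/apache2/x509.d/"$site"/crt.self-signed.pem
      #sudo install -m 664 -o www-"$site" -g www-"$site" \
      # "$tool"/var/pub/x509/"$site"/rvk.pem \
      # /etc/apache2/x509.d/"$site"/rvk.pem
      sudo install -m 664 -o www -g www \
        "$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \
        /etc/apache2/x509.d/"$site"/ca/crt.pem
      sudo install -m 664 -o www -g www \
        "$tool"/var/pub/x509/"$site"/crt.pem \
        /etc/apache2/x509.d/"$site"/crt.pem
      ;;
    esac
    # Generate the VirtualHost: the mod_ssl directives only for *-tls sites;
    # the site's own VirtualHost.conf is spliced in at the end of both forms.
    # NOTE(review): the TLS block pins "SSLProtocol -All +TLSv1" and a non-PFS
    # cipher family; once the apache2 package offers TLSv1.2 this should be
    # raised (TLS 1.0 is deprecated). SSLVerifyClient is None here, so the
    # per-site VirtualHost.conf is what must require client certificates
    # wherever SSLUserName (certificate CN) is meant to identify users.
    case $site in
    (*-tls)
      cat <<-EOF
<IfModule mod_ssl.c>
<VirtualHost *:$port>
AssignUserID www-$site www-$site
BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined
#CustomLog "/dev/null" Combined
DocumentRoot /home/www/pub/$site
ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60"
#ErrorLog "/dev/null"
LogLevel Warn
SSLCACertificateFile /etc/apache2/x509.d/$site/crt.self-signed.pem
SSLCACertificatePath /etc/apache2/x509.d/$site/usr/
#SSLCARevocationFile /etc/apache2/x509.d/$site/rvk.pem
SSLCADNRequestFile /etc/apache2/x509.d/$site/crt.self-signed.pem
SSLCADNRequestPath /etc/apache2/x509.d/$site/empty/
# NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés
SSLCARevocationPath /etc/apache2/x509.d/$site/rvk/
SSLCertificateChainFile /etc/apache2/x509.d/$site/ca/crt.pem
SSLCertificateFile /etc/apache2/x509.d/$site/crt.pem
SSLCertificateKeyFile /etc/apache2/x509.d/$site/key.pem
SSLCipherSuite AES+RSA+SHA256
SSLEngine On
SSLInsecureRenegotiation Off
SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars
SSLProtocol -All +TLSv1
#SSLRenegBufferSize 262144
SSLSessionCacheTimeout 1200
SSLStrictSNIVHostCheck On
SSLUserName SSL_CLIENT_S_DN_CN
SSLVerifyClient None
SSLVerifyDepth 1
$(cat "$tool"/etc/apache2/site.d/"$site"/VirtualHost.conf)
</VirtualHost>
</IfModule>
EOF
      ;;
    (*)
      cat <<-EOF
<VirtualHost *:$port>
AssignUserID www-$site www-$site
CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined
#CustomLog "/dev/null" Combined
DocumentRoot /home/www/pub/$site
ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60"
#ErrorLog "/dev/null"
LogLevel Warn
$(cat "$tool"/etc/apache2/site.d/"$site"/VirtualHost.conf)
</VirtualHost>
EOF
      ;;
    esac |
    sudo install -m 660 -o root -g root /dev/stdin \
      /etc/apache2/site.d/"$site"/VirtualHost.conf
    sudo ln -fns \
      ../site.d/"$site"/VirtualHost.conf \
      /etc/apache2/sites-available/"$site"
    # access/ and error/ are the directories rotatelogs writes into above.
    sudo install -d -m 770 -o www-"$site" -g www-"$site" \
      /home/www/log/"$site" \
      /home/www/log/"$site"/apache2 \
      /home/www/log/"$site"/apache2/access \
      /home/www/log/"$site"/apache2/error
    sudo ln -fns \
      /etc/apache2/site.d/"$site" \
      /home/www/etc/apache2/"$site"
    test -e /home/www/pub/"$site" ||
    sudo install -d -m 2770 -o www-"$site" -g www-"$site" \
      /home/www/pub/"$site"
    #sudo setfacl -m u:"www-$site":--x \
    # /home/www/ \
    # /home/www/pub/ \
    # /home/www/pub/"$site"/
    #sudo setfacl -m d:u:"www-$site":rwx \
    # "$home"/pub/www/"$site"/
    # Per-site hook, sourced (not executed) so it sees $site and $tool and
    # runs with this user's privileges: repository content is trusted here.
    test ! -r "$tool"/etc/apache2/site.d/"$site"/configure.sh ||
    . "$tool"/etc/apache2/site.d/"$site"/configure.sh
    test -e /etc/apache2/sites-enabled/"$site" ||
    sudo a2ensite "$site"
  done
  sudo service apache2 restart
}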
rule_apt_configure () {
  # Point apt at the French Debian mirror for $vm_lsb_name (main/contrib/
  # non-free), pin the release (170) below its backports (200), then install
  # apticron so pending updates are mailed to admin@$vm_domainname.
  # The mirror is plain http: apt still verifies the signed Release files, so
  # integrity is covered but not confidentiality of what is fetched.
  sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
EOF
  # NOTE(review): this file lands in /etc/apt/ rather than
  # /etc/apt/sources.list.d/, where apt looks for extra *.list files;
  # harmless while its only line is commented out, worth checking if
  # backports are ever enabled.
  sudo install -m 660 -o root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF
#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
EOF
  sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
Package: *
Pin: release a=$vm_lsb_name
Pin-Priority: 170

Package: *
Pin: release a=$vm_lsb_name-backports
Pin-Priority: 200
EOF
  sudo apt-get update
  rule apt_get_install apticron
  # Only EMAIL is set; the remaining lines are the package defaults kept as
  # commented reference.
  sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF
EMAIL="admin@$vm_domainname"
# DIFF_ONLY="1"
# LISTCHANGES_PROFILE="apticron"
# ALL_FQDNS="1"
# SYSTEM="foobar.example.com"
# IPADDRESSNUM="1"
# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
# NOTIFY_HOLDS="0"
# NOTIFY_NEW="0"
# NOTIFY_NO_UPDATES="0"
# CUSTOM_SUBJECT=""
# CUSTOM_NO_UPDATES_SUBJECT=""
# CUSTOM_FROM="root@$vm_fqdn"
EOF
}
rule_boot_configure () {
  # Install grub-pc and the kernel without writing GRUB to any disk
  # (install_devices is preseeded empty), write /etc/default/grub with the
  # kernel command line (static ip= for the initramfs, resume= on the
  # deciphered swap volume), map hd0 to the Xen disk, rebuild the initramfs
  # (rule_initramfs_configure) and protect halt/reboot with molly-guard.
  #warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
  sudo debconf-set-selections <<-EOF
grub-pc grub-pc/install_devices multiselect
EOF
  rule apt_get_install grub-pc
  # NOTE(review): mode 644 on a directory has no search bit; root ignores
  # that, but 0755 is presumably what was meant.
  sudo install -d -m 644 -o root -g root /boot/grub
  rule apt_get_install linux-image-$vm_arch
  # ip=: the initramfs has no DHCP on this /32 network (see
  # rule_network_configure), so the address is given on the kernel command
  # line — presumably for the initramfs SSH (dropbear) used to unlock the
  # LUKS root; console=hvc0 matches the getty of rule_login_configure.
  sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
GRUB_DISABLE_RECOVERY="true"
#GRUB_PRELOAD_MODULES="lvm"
EOF
  # Device-mapper doubles the dashes of LVM names (domU-vg--name-lv--name).
  sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF
(hd0) /dev/xvda
(hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
EOF
  sudo update-grub2 # NOTE: takes /boot/grub/device.map into account
  rule initramfs_configure
  rule apt_get_install molly-guard
  # molly-guard always asks for the hostname before halt/reboot (its
  # rationale, about sudo not keeping SSH_*, is kept in the file itself).
  sudo install -m 644 -o root -g root /dev/stdin /etc/molly-guard/rc <<-EOF
ALWAYS_QUERY_HOSTNAME=true
# NOTE: une alternative est de dire à sudo de conserver les SSH_*
# néamoins demander tout le temps n'est pas trop contraignant
# et davantage sécurisant.
EOF
}
rule_dovecot_configure () {
  # Install dovecot (IMAP + sieve) and write /etc/dovecot/local.conf:
  # - TLS with the imap.$vm_domainname certificate; the private key is not
  #   in the repository and must have been sent by vm_remote beforehand;
  # - client certificates are required (ssl_verify_client_cert = yes) and
  #   validated against the self-signed crt+crl bundle given as ssl_ca; the
  #   login name is taken from the certificate (auth_ssl_username_from_cert);
  # - per-user password files under /home/%u/etc/dovecot/passwd, which users
  #   seed themselves with the dovecot-passwd helper installed below;
  # - Maildir in ~/var/mail with INDEX/CONTROL outside the quota'd partition,
  #   fs quota, sieve through the LDA, auth socket shared with postfix.
  rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
  local hint="run vm_remote dovecot_key_send before"
  assert "sudo test -f /etc/dovecot/\"$vm_domainname\"/imap/x509/key.pem" hint
  sudo install -m 400 -o root -g root \
    "$tool"/var/pub/x509/imap."$vm_domainname"/crt+crl.self-signed.pem \
    /etc/dovecot/"$vm_domainname"/imap/x509/crt+crl.self-signed.pem
  # Seeded into every new home: mail filters live in ~/etc/mail and ~/etc/sieve.
  sudo install -d -m 770 -o root -g root \
    /etc/skel/etc/mail \
    /etc/skel/etc/sieve
  # World-writable + sticky: presumably so dovecot can create each user's %u
  # subdirectory itself (see INDEX=/CONTROL= in mail_location).
  sudo install -d -m 1777 -o root -g root \
    /var/lib/dovecot-control \
    /var/lib/dovecot-index
  # NOTE(review): mail_debug = yes and a single non-PFS suite (AES256-SHA)
  # are written here; the former is verbose in production logs, the latter
  # worth revisiting once the dovecot/openssl versions allow ECDHE suites.
  sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
auth_ssl_username_from_cert = yes
listen = *
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_debug = yes
mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
# NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
# VOIR: http://wiki2.dovecot.org/Quota/FS
mail_plugins = \$mail_plugins quota
mail_privileged_group = mail
passdb {
args = /home/%u/etc/dovecot/passwd
driver = passwd-file
}
plugin {
quota = fs:user
recipient_delimiter = +
sieve = ~/etc/mail/filter.sieve
sieve_dir = ~/etc/mail/sieve
sieve_global_dir = /var/lib/dovecot/sieve/global/
sieve_max_script_size = 1M
sieve_quota_max_scripts = 0
sieve_quota_max_storage = 10M
sieve_user_log = ~/var/log/mail/sieve.log
}
protocol imap {
mail_plugins = \$mail_plugins imap_quota
}
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
hostname = $vm_domainname
info_log_path =
log_path =
mail_plugins = \$mail_plugins sieve
postmaster_address = contact+dovecot+lda@$vm_domainname
syslog_facility = mail
}
protocols = imap sieve
service auth {
user = root
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
ssl_cipher_list = AES256-SHA
ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
ssl_verify_client_cert = yes
userdb {
driver = passwd
}
verbose_ssl = no
EOF
  # Self-service helper: doveadm pw prompts for the password and prints its
  # SHA512-CRYPT hash, which is written into the user's own passdb file
  # (mode 640) in the passwd-file format expected above.
  sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
#!/bin/sh -efux
# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
install -d -m 770 ~/etc/dovecot
install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
\$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
_EOF
EOF
  # NOTE(review): an empty postgrey whitelist written from the dovecot rule —
  # presumably a placeholder for rule_postgrey_configure; confirm it belongs here.
  sudo install -m 664 -o root -g root /dev/stdin /etc/postgrey/whitelist_recipients.local <<-EOF
EOF
  sudo service dovecot restart
}
rule_etckeeper_configure () {
  # Track /etc in git with etckeeper: automatic commits are disabled (daily
  # and pre-install), so changes are committed deliberately (prompt.sh from
  # the tool). The configuration is written before the package is installed
  # so that the non-interactive install keeps it rather than the default.
  sudo install -m 644 -o root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
VCS=git
GIT_COMMIT_OPTIONS=""
AVOID_DAILY_AUTOCOMMITS=1
#AVOID_SPECIAL_FILE_WARNING=1
AVOID_COMMIT_BEFORE_INSTALL=1
HIGHLEVEL_PACKAGE_MANAGER=apt
LOWLEVEL_PACKAGE_MANAGER=dpkg
EOF
  sudo install -m 644 -o root -g root \
    "$tool"/etc/etckeeper/prompt.sh \
    /etc/etckeeper/prompt.sh
  rule apt_get_install etckeeper
}
rule_filesystem_configure () {
  # Write fstab and crypttab for the LVM-on-LUKS layout: each LV
  # ${vm_lvm_lv}_{root,var,home,swap} is a LUKS volume mapped to
  # *_deciphered. Only root is unlocked with a passphrase ("none" key file);
  # var, home and swap derive their key from the unlocked root volume with
  # decrypt_derived, so a single passphrase opens all of them.
  # /home carries usrquota,grpquota for the dovecot fs quota
  # (rule_dovecot_configure); /boot is a plain ext2 volume found by LABEL.
  sudo install -m 644 -o root -g root /dev/stdin /etc/fstab <<-EOF
# <file system> <mount point> <type> <options> <dump> <pass>
LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
# NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF
# <target name> <source device> <key file> <options>
${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
EOF
  rule tmpfs_configure
}
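rule_initramfs_configure () {
  # Configure the initramfs of this Xen PV guest: network and crypto modules,
  # dropbear started only once the network is up, a pinned RSA host key, and
  # an authorized_keys built from every member of group sudo (presumably so
  # they can unlock the LUKS root remotely, see rule_filesystem_configure).
  # Fixes: each member's home directory is read from the passwd database
  # instead of `eval local home\; home="~$user"`, so user names are never
  # re-parsed by the shell; the RSA-key check is a plain grep instead of a
  # `return` from inside a subshell, whose meaning is shell-dependent.
  sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
MODULES=most
BUSYBOX=y
KEYMAP=y
COMPRESS=gzip
DEVICE=eth0
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/modprobe.d/xen-pv.conf <<-EOF
alias eth0 xennet
alias scsi_hostadapter xenblk
EOF
  # Hash and AES/XTS modules needed by cryptsetup to open the LUKS volumes.
  sudo install -m 644 -o root -g root /dev/stdin /etc/modules <<-EOF
sha1_generic
sha256_generic
sha512_generic
aes-x86_64
xts
# NOTE: pour Xen en mode HVM :
#modprobe xen-platform-pci
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF
EOF
  # NOTE: works around a bug: dropbear must wait for the network to be configured..
  # This edits a file owned by the initramfs-tools package; a package upgrade
  # may bring the trailing "&" back, so the rule has to be re-run afterwards.
  sudo sed -e '/^configure_networking /s/ &$//' \
    -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
  # The initramfs host key is pinned in the tool's known_hosts under
  # init.$vm_fqdn; a fresh 4096-bit RSA key is generated only when no RSA
  # entry is recorded there (a regenerated key must then be added to
  # known_hosts, otherwise clients will rightly refuse the new fingerprint).
  ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
  grep -q ' RSA$' ||
  {
    sudo rm -f \
      /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
      /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
    sudo dropbearkey -t rsa -s 4096 -f \
      /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
  }
  # NOTE: does not care about dropbear_dss_host_key; Debian generates and uses it anyway.
  # NOTE(review): mode 640 on a directory has no search bit; root ignores
  # that, but 0700 is probably what was meant.
  sudo install -d -m 640 -o root -g root \
    /etc/initramfs-tools/root \
    /etc/initramfs-tools/root/.ssh
  # Everyone in group sudo may log into the initramfs as root: concatenate
  # their ~/etc/ssh/authorized_keys (the custom location used on this VM).
  local group x users user home
  getent group sudo |
  while IFS=: read -r group x x users
  do while test -n "$users" && IFS=, read -r user users <<-EOF
$users
EOF
    do home=$(getent passwd "$user" | cut -d: -f6)
      # An unknown member must not silently fall back to "/etc/ssh/...".
      test -n "$home" ||
      { printf 'rule_initramfs_configure: no passwd entry for %s\n' "$user" >&2; exit 1; }
      cat "$home"/etc/ssh/authorized_keys
    done
  done |
  sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys
  # NOTE: client key pair generated by Debian, useless inside the initramfs.
  sudo rm -f \
    /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
    /etc/initramfs-tools/root/.ssh/id_rsa.pub \
    /etc/initramfs-tools/root/.ssh/id_rsa
  sudo update-initramfs -u
}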
rule_gitolite_configure () {
  # Install gitolite under /home/git with split accounts: git (gitolite
  # itself, login shell), git-data (owner of the repositories in
  # /home/git/pub), git-daemon (read-only export, member of git-data),
  # log-git / log-git-daemon (log owners). /etc/gitolite and /etc/gitweb are
  # reached through symlinks from /home/git/etc. gitolite.rc and gitweb.conf
  # are written here (every Perl "$" is escaped so it reaches the file
  # literally), then gl-setup is run as git with the admin public key.
  # NOTE(review): www-lhc-git must already exist (created by the web rules
  # for the "lhc-git" site, presumably) — this rule fails otherwise.
  sudo debconf-set-selections <<-EOF
gitolite gitolite/gituser string git
gitolite gitolite/adminkey string
gitolite gitolite/gitdir string /home/git
EOF
  rule apt_get_install gitolite
  rule adduser git \
    --disabled-password \
    --group \
    --home /home/git \
    --shell /bin/bash \
    --system
  sudo chfn --full-name git git
  rule adduser log-git \
    --disabled-login \
    --disabled-password \
    --group \
    --home /home/git/log \
    --shell /bin/false \
    --system
  rule adduser git-data \
    --disabled-login \
    --disabled-password \
    --group \
    --home /home/git/pub \
    --shell /bin/false \
    --system
  rule adduser git-daemon \
    --disabled-login \
    --disabled-password \
    --group \
    --home /home/git/pub \
    --shell /bin/false \
    --system
  rule adduser log-git-daemon \
    --disabled-login \
    --disabled-password \
    --group \
    --home /home/git/log/git-daemon \
    --shell /bin/false \
    --system
  # Group memberships: git and git-daemon access the data, log-git the daemon logs.
  sudo adduser git git-data
  sudo adduser git-daemon git-data
  sudo adduser log-git log-git-daemon
  sudo install -d -m 770 -o git -g git \
    /etc/gitolite \
    /home/git/etc \
    /home/git/etc/ssh
  sudo install -d -m 751 -o git -g git \
    /home/git
  # setgid + sticky on pub: new repositories inherit group git-data.
  sudo install -d -m 3771 -o git-data -g git-data \
    /home/git/pub
  sudo install -d -m 1771 -o git -g git \
    /home/git/log
  sudo install -d -m 2770 -o git -g log-git \
    /home/git/log/gitolite \
    /home/git/log/gitolite/perf
  sudo install -d -m 770 -o log-git-daemon -g log-git-daemon \
    /home/git/log/git-daemon
  sudo install -d -m 550 -o www-lhc-git -g www-lhc-git \
    /etc/gitweb \
    /etc/gitweb/cgi
  sudo ln -fns /etc/gitolite /home/git/etc/gitolite
  sudo ln -fns /etc/gitweb /home/git/etc/gitweb
  sudo ln -fns etc/gitolite/gitolite.rc /home/git/.gitolite.rc
  sudo ln -fns etc/ssh /home/git/.ssh
  sudo install -m 770 -o git -g git /dev/stdin \
    /home/git/etc/gitolite/gitolite.rc <<-EOF
#\$ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary";
#\$BIG_INFO_CAP = 20;
#\$ENV{GL_SLAVES} = 'gitolite@server2 gitolite@server3';
# NOTE: Please use single quotes, not double quotes.
#\$GITWEB_URI_ESCAPE = 0;
\$GIT_PATH = "";
#\$GL_ADC_PATH = "";
\$GL_ADMINDIR = \$ENV{HOME} . "/etc/gitolite";
#\$GL_ALL_INCLUDES_SPECIAL = 0;
#\$GL_ALL_READ_ALL = 0;
\$GL_BIG_CONFIG = 0;
\$GL_CONF = "\$GL_ADMINDIR/conf/gitolite.conf";
\$GL_CONF_COMPILED = "\$GL_ADMINDIR/conf/gitolite.conf.pm";
#\$GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups"
\$GL_GITCONFIG_KEYS = "hooks\\..* repo\\..*";
#\$GL_HOSTNAME = "git.$vm_domainname";
# NOTE: read doc/mirroring.mkd COMPLETELY before setting this.
#\$GL_HTTP_ANON_USER = "mob";
\$GL_KEYDIR = "\$GL_ADMINDIR/keydir";
\$GL_LOGT = \$ENV{HOME} . "/log/gitolite/%y-%m-%d.log";
#\$GL_NICE_VALUE = 0;
\$GL_NO_CREATE_REPOS = 0;
\$GL_NO_DAEMON_NO_GITWEB = 0;
\$GL_NO_SETUP_AUTHKEYS = 0;
\$GL_PACKAGE_CONF = "/usr/share/gitolite/conf";
\$GL_PACKAGE_HOOKS = "/usr/share/gitolite/hooks";
#\$GL_PERFLOGT = \$ENV{HOME} . "/log/gitolite/perf/%y-%m-%d.log";
#\$GL_REF_OR_FILENAME_PATT = qr(^[0-9a-zA-Z][0-9a-zA-Z._\\@/+ :,-]*\$);
\$GL_SITE_INFO = "git.$vm_domainname";
#\$GL_SLAVE_MODE = 0;
\$GL_WILDREPOS = 0;
#\$GL_WILDREPOS_DEFPERMS = 'R @all';
\$GL_WILDREPOS_PERM_CATS = "READERS WRITERS";
\$HTPASSWD_FILE = "";
\$PROJECTS_LIST = \$ENV{HOME} . "/projects.list";
\$REPO_BASE = "pub";
\$REPO_UMASK = 0007;
\$RSYNC_BASE = "";
\$SVNSERVE = "";
#\$UPDATE_CHAINS_TO = "hooks/update.secondary";
\$WEB_INTERFACE = "gitweb";
1;
EOF
  # gitweb runs as www-lhc-git (group read on the file); temp files on tmpfs.
  sudo install -m 740 -o git -g www-lhc-git /dev/stdin \
    /home/git/etc/gitweb/gitweb.conf <<-EOF
\$commit_oneline_message_width = 70;
\$default_projects_order = 'age';
\$default_text_plain_charset = 'UTF-8';
@diff_opts = ();
\$favicon = "img/git-favicon.png";
\$git_temp = "/run/shm/tmp/gitweb";
\$home_footer = "/etc/gitweb/cgi/home-footer.cgi.inc";
\$home_header = "/etc/gitweb/cgi/home-header.cgi.inc";
\$home_link = "/";
\$home_link_str = 'd&eacute;p&ocirc;ts';
\$home_th_age = 'activit&eacute;';
\$home_th_descr = 'description';
\$home_th_owner = 'contact';
\$home_th_project = 'd&eacute;p&ocirc;t';
\$javascript = "js/gitweb.js";
\$logo = "img/git-logo.png";
\$my_uri = "";
\$projectroot = "../git";
\$projects_list = "/etc/gitolite/projects.list";
\$projects_list_description_width = 42;
\$projects_list_owner_width = 15;
\$search_str = "Filtre&nbsp;:";
\$site_footer = "/etc/gitweb/cgi/site-footer.bin";
\$site_header = undef;
\$site_name = "git.$vm_domainname";
\$space_to_nbsp = 0;
@stylesheets = ("css/gitweb.css");#
\$untabify_tabstop = 2;
EOF
  # NOTE(review): var/pub/ssh/git.key is installed as git.pub and handed to
  # gl-setup, which expects the admin *public* key; the ".key" name and mode
  # 600 suggest otherwise — confirm this file holds only the public key.
  sudo install -m 600 -o git -g git \
    "$tool"/var/pub/ssh/git.key \
    /home/git/etc/ssh/git.pub
  sudo -u git \
    GL_RC=/home/git/etc/gitolite/gitolite.rc \
    GIT_AUTHOR_NAME=git \
    gl-setup -q /home/git/etc/ssh/git.pub git
  # Drop the empty directories gl-setup creates in the admin dir.
  # NOTE(review): rmdir runs as the invoking user on a git:git 770 directory;
  # presumably that user is in group git, otherwise set -e aborts here.
  local d
  for d in doc logs src
  do test ! -d /home/git/etc/gitolite/"$d" ||
    rmdir /home/git/etc/gitolite/"$d"
  done
  rule apt_get_install gitweb highlight
  sudo service tmpfs restart
}
rule_locales_configure () {
  # Preseed the locales package (no default system locale, generate
  # fr_FR.UTF-8 only) and let dpkg-reconfigure build it non-interactively.
  printf '%s\n' \
    'locales locales/default_environment_locale select None' \
    'locales locales/locales_to_be_generated multiselect fr_FR.UTF-8 UTF-8' |
  sudo debconf-set-selections
  rule dpkg_reconfigure locales
}
rule_login_configure () {
  # Console and login policy: an inittab with a getty on the Xen console
  # (hvc0) and runit's runsvdir, login.defs (umask 007 rationale kept in the
  # file, SHA512 hashes, 3 retries, no password ageing: PASS_MAX_DAYS 99999),
  # pam_umask appended to common-session, and root login allowed on the
  # hvc0/xvc0 consoles. The "grep -q || install <<-EOF $(cat file) ... EOF"
  # pattern appends a line only when it is absent; note that $(cat) drops
  # trailing blank lines of the existing file.
  sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF
# /etc/inittab: init(8) configuration.

# The default runlevel.
id:2:initdefault:

# Boot-time system configuration/initialization script.
# This is run first except when booting in emergency (-b) mode.
si::sysinit:/etc/init.d/rcS

# What to do in single-user mode.
~~:S:wait:/sbin/sulogin

# /etc/init.d executes the S and K scripts upon change
# of runlevel.
#
# Runlevel 0 is halt.
# Runlevel 1 is single-user.
# Runlevels 2-5 are multi-user.
# Runlevel 6 is reboot.

l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fallthrough in case of emergency.
z6:6:respawn:/sbin/sulogin

# What to do when CTRL-ALT-DEL is pressed.
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

# What to do when the power fails/returns.
pf::powerwait:/etc/init.d/powerfail start
pn::powerfailnow:/etc/init.d/powerfail now
po::powerokwait:/etc/init.d/powerfail stop

# Xen hypervisor console
hvc:2345:respawn:/sbin/getty 38400 hvc0
#xvc:2345:respawn:/sbin/getty 38400 xvc0

#-- runit begin
SV:123456:respawn:/usr/sbin/runsvdir-start
#-- runit end
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF
MAIL_DIR /var/mail
FAILLOG_ENAB yes
LOG_UNKFAIL_ENAB no
LOG_OK_LOGINS no
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
FTMP_FILE /var/log/btmp
SU_NAME su
HUSHLOGIN_FILE .hushlogin
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# NOTE: met les sbin/ dans ENV_PATH ;
# - ça n'apporte aucune protection de ne pas les mettre ;
# - ça frustre de ne pas les trouver.
TTYGROUP tty
TTYPERM 0600
ERASECHAR 0177
KILLCHAR 025
UMASK 007
# NOTE: rwxrwx--- ;
# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
GID_MIN 1000
GID_MAX 60000
LOGIN_RETRIES 3
LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
DEFAULT_HOME yes
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
EOF
  # pam_umask makes the login.defs UMASK apply to PAM sessions too.
  grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
  sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF
$(cat /etc/pam.d/common-session)
session optional pam_umask.so
EOF
  grep -q '^hvc0$' /etc/securetty ||
  sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
$(cat /etc/securetty)
hvc0
EOF
  grep -q '^xvc0$' /etc/securetty ||
  sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
$(cat /etc/securetty)
xvc0
EOF
}
rule_mail_configure () {
  # Meta-rule: apply the mail stack rules in order (postfix, postgrey,
  # procmail, then dovecot).
  local component
  for component in postfix postgrey procmail dovecot
  do rule "$component"_configure
  done
}
rule_mysql_configure () {
  # Install mysql-server 5.5 with the tool's my.cnf; the data directory
  # lives under /home/mysql and is initialised only on the first run.
  rule apt_get_install mysql-server-5.5
  sudo install -m 644 -o root -g root \
    "$tool"/etc/mysql/my.cnf \
    /etc/mysql/my.cnf
  test -d /home/mysql || {
    sudo install -d -m 750 -o mysql -g mysql \
      /home/mysql
    sudo -u mysql mysql_install_db --no-defaults --datadir=/home/mysql/
  }
}
rule_network_configure () {
  # Hostname, a /etc/hosts entry (appended only if absent) and a static
  # /32 configuration on eth0 where the gateway is the VM's own address
  # (proxy_arp on the Grenode router, as the file notes) with MTU 1300
  # imposed by the GRE/IPsec tunnels; the ping transcript in the file
  # documents how 1300 was measured.
  sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
$vm
EOF
  grep -q " $vm\$" /etc/hosts ||
  sudo install -m 644 -o root -g root /dev/stdin /etc/hosts <<-EOF
$(cat /etc/hosts)
127.0.0.1 $vm_fqdn $vm
EOF
  # NOTE(review): the inline "# NOTE" after `gateway` is written into
  # /etc/network/interfaces; ifupdown only documents full-line comments, so
  # confirm it does not end up as part of the gateway value.
  # "$IFACE" is escaped so ifupdown expands it, not this shell.
  sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF
auto lo
iface lo inet loopback

auto eth0=grenode
iface grenode inet static
address $vm_ipv4
gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
network $vm_ipv4
broadcast $vm_ipv4
netmask 255.255.255.255
mtu 1300
# NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
# car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
#
# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
# PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
# 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
#
# --- soupirail.grenode.net ping statistics ---
# 1 packets transmitted, 1 received, 0% packet loss, time 0ms
# rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
# PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
# From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
#
# --- soupirail.grenode.net ping statistics ---
# 0 packets transmitted, 0 received, +1 errors
post-up ip address add $vm_ipv4/32 dev \$IFACE
pre-down ip address delete $vm_ipv4/32 dev \$IFACE
EOF
}
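rule_www_configure () {
  # Create the web accounts and tree: www owns /home/www and its etc/ (the
  # admin identity used by rule_apache2_configure / rule_nginx_configure),
  # log-www owns the logs, and www-data (the distribution's serving account)
  # is re-homed to /home/www/pub, which it owns (sticky, 1771). Accounts are
  # created idempotently through rule_adduser.
  # Fix: usermod was the only privileged command here not run through sudo,
  # so the rule aborted (set -e) with "Permission denied" for a normal user.
  rule adduser www \
    --disabled-login \
    --disabled-password \
    --group \
    --home /home/www \
    --shell /bin/false \
    --system
  rule adduser log-www \
    --disabled-login \
    --disabled-password \
    --group \
    --home /home/www/log \
    --shell /bin/false \
    --system
  #sudo adduser www www-data
  sudo adduser www log-www
  #sudo adduser log log-www
  sudo usermod --home /home/www/pub www-data
  sudo install -d -m 751 -o www -g www \
    /home/www
  sudo install -d -m 750 -o www -g www \
    /home/www/etc
  sudo install -d -m 1771 -o www-data -g www-data \
    /home/www/pub
  sudo install -d -m 1771 -o log-www -g log-www \
    /home/www/log
}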
rule_nginx_configure () {
  # Install nginx, write nginx.conf and conf.d/*.conf from the tool, then
  # for every "$tool"/etc/nginx/site.d/$site/site.conf create the www-$site
  # and log-www-$site accounts (www-data joins both groups so the worker can
  # read the site and write its logs), the directories, and a server.conf
  # that includes the site's local.inc and site.inc. Services are removed
  # from insserv (apparently managed by runit/sv, see the commented-out
  # block at the end).
  local -; set +f   # re-enable globbing (set -f at the top) for the *.conf loops
  rule apt_get_install nginx
  sudo rm -rf \
    /etc/nginx/conf.d \
    /etc/nginx/site.d
  # Group-writable by www: same admin-identity caveat as /etc/apache2.
  sudo install -d -m 770 -o www -g www \
    /etc/nginx \
    /etc/nginx/conf.d \
    /etc/nginx/site.d \
    /etc/nginx/x509.d
  sudo ln -fns \
    /etc/nginx \
    /home/www/etc/nginx
  sudo install -m 660 -o www -g www \
    "$tool"/etc/nginx/nginx.conf \
    /etc/nginx/nginx.conf
  local conf
  for conf in "$tool"/etc/nginx/conf.d/*.conf
  do conf=${conf#"$tool"/etc/nginx/conf.d/}
    sudo install -m 660 -o www -g www \
      "$tool"/etc/nginx/conf.d/"$conf" \
      /etc/nginx/conf.d/"$conf"
  done
  for conf in "$tool"/etc/nginx/site.d/*/site.conf
  do conf=${conf#"$tool"/etc/nginx/site.d/}
    local site="${conf%/site.conf}"
    # NOTE(review): the account's home is /home/www-data/"$site" while the
    # document root created below is /home/www/pub/"$site" (the path
    # rule_apache2_configure uses as home) — one of the two looks stale.
    rule adduser www-"$site" \
      --disabled-login \
      --disabled-password \
      --group \
      --home /home/www-data/"$site" \
      --shell /bin/false \
      --system
    rule adduser log-www-"$site" \
      --disabled-login \
      --disabled-password \
      --group \
      --home /home/www/log/"$site"/nginx \
      --shell /bin/false \
      --system
    sudo install -d -m 2770 -o log-www-"$site" -g log-www-"$site" \
      /home/www/log/"$site"
    sudo install -d -m 770 -o www -g www \
      /etc/nginx/site.d/"$site"
    sudo install -d -m 770 -o www -g www \
      /etc/nginx/x509.d/"$site"
    # A symlinked document root (e.g. handed to another rule) is left alone.
    test -L /home/www/pub/"$site" ||
    sudo install -d -m 2770 -o www-"$site" -g www-"$site" \
      /home/www/pub/"$site"
    sudo adduser www-data www-"$site"
    sudo adduser www-data log-www-"$site"
    sudo install -m 660 -o www -g www \
      "$tool"/etc/nginx/site.d/"$site"/local.conf \
      /etc/nginx/site.d/"$site"/local.inc
    sudo install -m 660 -o www -g www \
      "$tool"/etc/nginx/site.d/"$site"/site.conf \
      /etc/nginx/site.d/"$site"/site.inc
    # NOTE(review): access.log/error.log go to /home/www/log/$site/nginx/,
    # which is the home of log-www-$site but is not created here (adduser
    # runs with --system and no --create-home) — confirm nginx can open them.
    sudo install -m 660 -o www -g www /dev/stdin \
      /etc/nginx/site.d/"$site"/server.conf <<-EOF
server {
access_log /home/www/log/$site/nginx/access.log main;
error_log /home/www/log/$site/nginx/error.log warn;
root /home/www/pub/$site;
include /etc/nginx/site.d/$site/local.inc;
include /etc/nginx/site.d/$site/site.inc;
}
EOF
    # Per-site hook, sourced (not executed) so it sees $site and $tool and
    # runs with this user's privileges: repository content is trusted here.
    test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
    . "$tool"/etc/nginx/site.d/"$site"/configure.sh
  done
  rule apt_get_install spawn-fcgi fcgiwrap
  sudo insserv --remove fcgiwrap
  sudo insserv --remove nginx
  rule tmpfs_configure
  sudo service php5-fpm restart
  # NOTE: restarts the pool processes
  # so that they pick up the rights
  # of their supplementary groups.
  sudo service nginx restart
  #case $(sv status nginx) in
  # (run:*) sudo sv restart nginx
  # esac
}
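rule_php5_fpm_configure () {
  # Installs php5-fpm (+ APC) and rebuilds /etc/php5/fpm from
  # "$tool"/etc/php5/fpm.  Each pool.d/*.conf in the repository becomes a
  # pool running as its own php5-$pool system user, listening on
  # /run/php5/fpm/$pool (socket group www-data) and logging under
  # /home/www/log/php5/fpm/$pool; the repository file is appended after the
  # generated defaults so it can override any of them.
  local -; set +f # the script runs under set -f; the loop below globs
  rule apt_get_install \
    php5-fpm \
    php-apc
  rule adduser php5 \
    --disabled-login \
    --disabled-password \
    --group \
    --home /etc/php5/fpm \
    --shell /bin/false \
    --system
  rule adduser log-php5 \
    --disabled-login \
    --disabled-password \
    --group \
    --home /home/www/log/php5/fpm \
    --shell /bin/false \
    --system
  sudo ln -fns \
    /etc/php5/fpm \
    /home/www/etc/php5
  # conf.d and pool.d are regenerated from scratch.
  sudo rm -rf \
    /etc/php5/fpm/conf.d \
    /etc/php5/fpm/pool.d
  sudo install -d -m 770 -o php5 -g php5 \
    /etc/php5/fpm/conf.d \
    /etc/php5/fpm/pool.d
  sudo install -m 770 -o php5 -g php5 \
    "$tool"/etc/php5/fpm/php-fpm.conf \
    /etc/php5/fpm/php-fpm.conf
  # php.ini does not depend on the pool: install it once, before any pool
  # is restarted, instead of once per loop iteration.
  sudo install -m 664 -o php5 -g php5 \
    "$tool"/etc/php5/fpm/php.ini \
    /etc/php5/fpm/php.ini
  local conf pool
  #for conf in "$tool"/etc/php5/fpm/conf.d/*.conf
  # do conf=${conf#"$tool"/etc/php5/fpm/conf.d/}
  # sudo install -m 660 -o php5 -g php5 \
  # "$tool"/etc/php5/fpm/conf.d/"$conf" \
  # /etc/php5/fpm/conf.d/"$conf"
  # done
  for conf in "$tool"/etc/php5/fpm/pool.d/*.conf
  do test -e "$conf" || continue # an unmatched glob stays literal
    conf=${conf#"$tool"/etc/php5/fpm/pool.d/}
    # pool name: the file name without its .conf suffix
    IFS=. read -r pool <<-EOF
${conf%.conf}
EOF
    assert 'test "${pool:+set}"'
    rule adduser php5-"$pool" \
      --disabled-login \
      --disabled-password \
      --group \
      --no-create-home \
      --home /etc/php5/fpm/pool.d \
      --shell /bin/false \
      --system
    rule adduser log-php5-"$pool" \
      --disabled-login \
      --disabled-password \
      --group \
      --no-create-home \
      --home /home/www/log/php5/fpm/"$pool" \
      --shell /bin/false \
      --system
    sudo install -d -m 770 -o log-php5 -g log-php5 \
      /home/www/log/php5 \
      /home/www/log/php5/fpm
    sudo install -d -m 770 -o log-php5-"$pool" -g log-php5-"$pool" \
      /home/www/log/php5/fpm/"$pool"
    # generated defaults first, repository pool file last (it wins);
    # \$HOSTNAME is left for php-fpm to expand
    sudo install -m 660 -o php5 -g php5 /dev/stdin \
      /etc/php5/fpm/pool.d/"$pool".conf <<-EOF
[$pool]
access.log = /home/www/log/php5/fpm/$pool/access.log
catch_workers_output = yes
chdir = /
env[HOSTNAME] = \$HOSTNAME
env[TEMP] = /tmp
env[TMPDIR] = /tmp
env[TMP] = /tmp
group = php5-$pool
#listen = 127.0.0.1:9000
listen = /run/php5/fpm/$pool
#listen.allowed_clients = 127.0.0.1
listen.group = www-data
listen.mode = 0660
#listen.owner = www-data
listen.backlog = -1
pm = dynamic
pm.max_children = 5
pm.max_requests = 200
pm.max_spare_servers = 4
pm.min_spare_servers = 2
pm.start_servers = 3
pm.status_path = /status
request_slowlog_timeout = 5s
request_terminate_timeout = 120s
rlimit_core = unlimited
rlimit_files = 131072
slowlog = /home/www/log/php5/fpm/$pool/slow.log
user = php5-$pool
$(cat "$tool"/etc/php5/fpm/pool.d/"$conf")
EOF
    # restart the pool's runit service only when it is currently running
    case $(sv status php5-"$pool") in
    (run:*) sudo sv restart php5-"$pool"
    esac
  done
  rule tmpfs_configure
  sudo service php5-fpm restart
}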
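rule_postfix_configure () {
  # Installs and configures postfix for $vm_domainname.  The smtpd private
  # key is not in the repository and must already be in place (pushed from
  # the host with `vm_remote postfix_key_send`); certificates come from
  # "$tool"/var/pub/x509.  Then: aliases (root expands to the members of
  # the sudo group), main.cf (identity settings generated here, followed by
  # the repository's main.cf), master.cf and the hash: lookup tables, each
  # rebuilt with postmap.
  local hint="run vm_remote postfix_key_send before"
  assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
  #warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
  # keep the package from writing a main.cf of its own
  sudo debconf-set-selections <<-EOF
postfix postfix/main_mailer_type select No configuration
EOF
  rule apt_get_install postfix
  # postmap outputs are generated: keep them out of the /etc repository
  sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
*.db
EOF
  sudo install -d -m 771 -o root -g root \
    /etc/postfix/ \
    /etc/postfix/$vm_domainname/ \
    /etc/postfix/$vm_domainname/smtp \
    /etc/postfix/$vm_domainname/smtp/x509 \
    /etc/postfix/$vm_domainname/smtp/x509/ca \
    /etc/postfix/$vm_domainname/smtpd \
    /etc/postfix/$vm_domainname/smtpd/x509 \
    /etc/postfix/$vm_domainname/smtpd/x509/ca
  # the self-signed certificate doubles as the CA certificate
  sudo ln -fns \
    ../crt+crl.self-signed.pem \
    /etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
  # public material only (the key is asserted above, never copied here);
  # each certificate is installed exactly once
  sudo install -m 400 -o root -g root \
    "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \
    /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
  sudo install -m 400 -o root -g root \
    "$tool"/var/pub/x509/smtpd.$vm_domainname/crt.pem \
    /etc/postfix/$vm_domainname/smtpd/x509/crt.pem
  sudo install -m 400 -o root -g root \
    "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+ca.pem \
    /etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem
  sudo install -m 660 -o root -g root \
    "$tool"/etc/postfix/$vm_domainname/header_checks \
    /etc/postfix/$vm_domainname/header_checks
  # every role address lands in root's mailbox, and root is expanded to the
  # sudo group's members (getent group → field 4, comma-separated)
  sudo install -m 664 -o root -g root /dev/stdin \
    /etc/postfix/aliases <<-EOF
# See man 5 aliases for format
abuse: root
admin: root
contact: root
mailer-daemon: root
postmaster: root
root: $(getent group sudo | cut -f 4 -d : | tr , ' ')
EOF
  sudo newaliases -oA/etc/postfix/aliases
  # generated identity settings first, repository main.cf after them;
  # \$name is left for postfix to expand
  cat /dev/stdin "$tool"/etc/postfix/main.cf <<-EOF |
mydomain = $vm_domainname
myorigin = \$mydomain
myhostname = $vm_hostname.\$mydomain
mail_name = \$myhostname
mydestination = $vm_hostname \$myhostname \$myorigin
EOF
  sudo install -m 664 -o root -g root /dev/stdin \
    /etc/postfix/main.cf
  sudo install -m 664 -o root -g root \
    "$tool"/etc/postfix/master.cf \
    /etc/postfix/master.cf
  # lookup tables: install the source, then rebuild the .db with postmap
  sudo install -m 660 -o root -g root \
    "$tool"/etc/postfix/$vm_domainname/smtp/x509/policy \
    /etc/postfix/$vm_domainname/smtp/x509/policy
  sudo postmap hash:/etc/postfix/$vm_domainname/smtp/x509/policy
  sudo install -m 660 -o root -g root \
    "$tool"/etc/postfix/$vm_domainname/smtp/header_checks \
    /etc/postfix/$vm_domainname/smtp/header_checks
  sudo install -m 660 -o root -g root \
    "$tool"/etc/postfix/$vm_domainname/smtpd/sender_access \
    /etc/postfix/$vm_domainname/smtpd/sender_access
  sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/sender_access
  sudo install -m 660 -o root -g root \
    "$tool"/etc/postfix/$vm_domainname/smtpd/client_blacklist \
    /etc/postfix/$vm_domainname/smtpd/client_blacklist
  sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/client_blacklist
  sudo install -m 660 -o root -g root \
    "$tool"/etc/postfix/$vm_domainname/smtpd/relay_clientcerts \
    /etc/postfix/$vm_domainname/smtpd/relay_clientcerts
  sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/relay_clientcerts
  sudo install -m 660 -o root -g root \
    "$tool"/etc/postfix/$vm_domainname/transport \
    /etc/postfix/$vm_domainname/transport
  sudo postmap hash:/etc/postfix/$vm_domainname/transport
  sudo install -m 660 -o root -g root \
    "$tool"/etc/postfix/$vm_domainname/virtual_alias \
    /etc/postfix/$vm_domainname/virtual_alias
  sudo postmap hash:/etc/postfix/$vm_domainname/virtual_alias
  sudo service postfix restart
}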
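rule_postgresql_configure () {
  # Installs PostgreSQL 9.1, creates the "main" cluster when none exists
  # yet and installs the repository's postgresql.conf.
  rule apt_get_install postgresql-9.1
  # pg_createcluster needs root, like every other privileged step here.
  if test ! -d /var/lib/postgresql/9.1/
  then sudo pg_createcluster -u postgres --start 9.1 main
  fi
  # postgresql.conf is read by the server running as postgres, not by
  # root, so it must be readable by that user; 0640 postgres:postgres
  # matches the ownership Debian gives the cluster directory.
  sudo install -m 640 -o postgres -g postgres \
    "$tool"/etc/postgresql/9.1/main/postgresql.conf \
    /etc/postgresql/9.1/main/postgresql.conf
  sudo service postgresql restart
}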
rule_openerp_configure () {
  # Adds OpenERP's nightly Debian repository and installs the openerp
  # package from it.
  # NOTE(review): the repository is plain HTTP and no signing key is
  # installed here, so apt's authenticity check depends on key state the
  # host already has — confirm the key is provisioned elsewhere.
  local list=/etc/apt/sources.list.d/openerp.list
  printf '%s\n' 'deb http://nightly.openerp.com/trunk/nightly/deb/ ./' |
  sudo install -m 660 -o root -g root /dev/stdin "$list"
  sudo apt-get update
  rule apt_get_install openerp
}
rule_postgrey_configure () {
  # Installs postgrey and restarts it.
  local svc=postgrey
  rule apt_get_install "$svc"
  sudo service "$svc" restart
}
rule_procmail_configure () {
  # Installs procmail and seeds /etc/skel with the mail directory layout
  # and the default delivery.procmailrc that new accounts receive.
  rule apt_get_install procmail
  local dir
  for dir in etc/mail var/cache/mail var/log/mail var/mail
  do sudo install -d -m 770 -o root -g root /etc/skel/"$dir"
  done
  local rc=etc/mail/delivery.procmailrc
  sudo install -m 660 -o root -g root \
    "$tool"/etc/skel/"$rc" \
    /etc/skel/"$rc"
}
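rule_runit_configure () {
  # Installs runit and (re)deploys the services in "$tool"/etc/sv, or only
  # the service named by $1: a first pass remembers each service's status
  # and unlinks it from /etc/service; a second pass installs run (and
  # log/run when present), runs the service's optional configure hook,
  # links it back and starts it (new service) or restarts it (was running).
  # A service that was down stays down.
  rule apt_get_install runit
  local sv sv_hash sv_status
  local -; set +f # the script runs under set -f; the defaults below are globs
  # NOTE(review): rm -f / ln -fns under /etc/service and sv start|restart
  # run without sudo while the install steps use it; that only works if the
  # invoking user may write /etc/service and the services' control FIFOs —
  # confirm, or prefix them with sudo as well.
  # The status is kept in a per-service variable named after the SHA-1 of
  # $sv (hex digits only, hence safe to splice into a variable name).
  for sv in ${1-/etc/service/*}
  do sv=$(basename "$sv")
    sv_hash=$(printf %s "$sv" | sha1sum | cut -f 1 -d ' ')
    IFS= read -r sv_status_$sv_hash <<-EOF
$(sv status "$sv")
EOF
    rm -f /etc/service/"$sv"
  done
  for sv in ${1-"$tool"/etc/sv/*}
  do sv=$(basename "$sv")
    sv_hash=$(printf %s "$sv" | sha1sum | cut -f 1 -d ' ')
    sudo install -d -m 770 -o root -g root \
      /etc/sv/"$sv"
    sudo install -m 770 -o root -g root \
      "$tool"/etc/sv/"$sv"/run \
      /etc/sv/"$sv"/run
    if test -e "$tool"/etc/sv/"$sv"/log/run
    then
      sudo install -d -m 770 -o root -g root \
        /etc/sv/"$sv"/log
      sudo install -m 770 -o root -g root \
        "$tool"/etc/sv/"$sv"/log/run \
        /etc/sv/"$sv"/log/run
    fi
    # optional per-service hook, executed from the repository
    test ! -x "$tool"/etc/sv/"$sv"/configure ||
    "$tool"/etc/sv/"$sv"/configure
    ln -fns ../sv/"$sv" /etc/service/"$sv"
    # read back the status recorded in the first pass (empty if none)
    eval sv_status=\"\${sv_status_$sv_hash-}\"
    case $sv_status in
    ("") sv start "$sv";;
    (run:*) sv restart "$sv";;
    esac
  done
}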
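rule_ssh_configure () {
  # Configures sshd on the VM.  A fresh 4096-bit RSA host key is generated
  # only when "$tool"/etc/openssh/known_hosts has no RSA entry for
  # $vm_fqdn; the DSA and ECDSA host keys generated by Debian are removed
  # so that only the RSA key is served; sshd_config is then written from
  # the template below and sshd restarted.
  # The match assumes the known_hosts line for the host ends with " RSA"
  # (depends on ssh-keygen -F's output / the file's own convention).
  # The subshell exits 0 on the first RSA match and 1 otherwise.
  ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
  ( while IFS= read -r line
    do case $line in (*" RSA") exit 0;; esac
    done; exit 1 ) ||
  sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
  # NOTE: host keys generated by the Debian installer
  sudo rm -f \
    /etc/ssh/ssh_host_dsa_key \
    /etc/ssh/ssh_host_dsa_key.pub \
    /etc/ssh/ssh_host_ecdsa_key \
    /etc/ssh/ssh_host_ecdsa_key.pub
  # Review notes on the generated sshd_config:
  # - PermitRootLogin yes: with PasswordAuthentication no and
  #   ChallengeResponseAuthentication no this is key-only, and
  #   rule_user_root_configure copies every sudo member's authorized_keys
  #   into /root/etc/ssh/authorized_keys, so each of those keys logs in as
  #   root directly; `PermitRootLogin without-password` would pin that
  #   even if password authentication were re-enabled later.
  # - Protocol 2 is forced; KeyRegenerationInterval, ServerKeyBits,
  #   RSAAuthentication and RhostsRSAAuthentication are protocol-1 options
  #   without effect here (newer OpenSSH releases drop them — TODO confirm
  #   the target version still accepts them).
  # - AuthorizedKeysFile %h/etc/ssh/authorized_keys matches the
  #   /etc/skel/etc/ssh layout set up by rule_user_configure.
  # - ListenAddress $vm_ipv4 only: IPv6 stays commented out.
  sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
Port 22
ListenAddress $vm_ipv4
#ListenAddress ::
Protocol 2
Compression yes
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/etc/ssh/authorized_keys
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
DebianBanner no
PrintLastLog yes
TCPKeepAlive yes
ClientAliveInterval 0
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
EOF
  sudo service ssh restart
}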
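rule_sysctl_configure () {
  # Installs "$tool"/etc/sysctl.d/*.conf into /etc/sysctl.d and reloads
  # every sysctl setting.
  local conf
  local -; set +f # the script runs under set -f; the loop below globs
  for conf in "$tool"/etc/sysctl.d/*.conf
  do test -e "$conf" || continue # an unmatched glob stays literal
    conf=${conf#"$tool"/etc/sysctl.d/}
    sudo install -m 660 -o root -g root \
      "$tool"/etc/sysctl.d/"$conf" \
      /etc/sysctl.d/"$conf"
  done
  sudo sysctl --system
}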
rule_tmpfs_configure () {
  # Writes /etc/default/tmpfs (RAM-backed /run/lock, /run/shm and /tmp
  # with the sizes below), installs the repository's tmpfs init script,
  # registers it with update-rc.d and restarts it.
  cat <<-EOF |
LOCK_SIZE=5242880 # NOTE: 5MiB
RAMLOCK=yes
RAMSHM=yes
RAMTMP=yes
RUN_SIZE=10%
SHM_SIZE=
TMP_MODE=1777,nr_inodes=1000k,noatime
TMP_OVERFLOW_LIMIT=1024
# NOTE: mount tmpfs on /tmp if there is less than the limit size (in kiB)
# on the root filesystem (overriding RAMTMP).
TMP_SIZE=200m
TMPFS_SIZE=20%VM
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/default/tmpfs
  local script=/etc/init.d/tmpfs
  sudo install -m 775 -o root -g root \
    "$tool$script" \
    "$script"
  sudo update-rc.d tmpfs defaults
  sudo service tmpfs restart
}
rule_time_configure () {
  # Sets the timezone to Europe/Paris (both /etc/timezone and the debconf
  # answers tzdata reads), reconfigures tzdata and installs ntp.
  local zone=Europe/Paris
  printf '%s\n' "$zone" |
  sudo install -m 644 -o root -g root /dev/stdin /etc/timezone
  printf '%s\n' \
    "tzdata tzdata/Areas select ${zone%/*}" \
    "tzdata tzdata/Zones/${zone%/*} select ${zone#*/}" |
  sudo debconf-set-selections
  rule dpkg_reconfigure tzdata
  rule apt_get_install ntp
}
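rule_user_add () { # SYNTAX: $user
  # Creates a regular account: applies the shared account policy
  # (rule user_configure), adds $user with a disabled password and to the
  # "users" group, installs the repository's SSH public key as the
  # account's authorized_keys and imports the repository's OpenPGP keys
  # into the account's keyring.
  rule user_configure
  local user=$1
  rule adduser "$user" --disabled-password
  # NOTE: the password must be set by the user with passwd-init.
  # Home directory from the passwd database: the same value as ~$user,
  # without passing $user through eval.
  local home
  home=$(getent passwd "$user" | cut -d : -f 6)
  test -n "$home"
  sudo adduser "$user" users
  # NOTE(review): sshd opens AuthorizedKeysFile with the user's own uid —
  # confirm $user can read a root:root 0640 file here, otherwise public
  # key authentication fails silently for the account.
  sudo install -m 640 -o root -g root \
    "$tool"/var/pub/ssh/"$user".key \
    "$home"/etc/ssh/authorized_keys
  local key; local -; set +f # the script runs under set -f
  for key in "$tool"/var/pub/openpgp/*.key
  do test -e "$key" || continue # an unmatched glob stays literal
    sudo -u "$user" gpg --import - <"$key"
  done
}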
rule_user_configure () {
# Account policy shared by rule_user_add and rule_user_admin_add:
# adduser defaults, the /etc/skel layout (~/etc/{gpg,ssh}, with ~/.ssh and
# ~/.gnupg as symlinks into it), three sudoers.d fragments, the passwd-init
# helper, and the system-wide bash and screen rc files.
sudo install -m 660 -o root -g root /dev/stdin \
/etc/adduser.conf <<-EOF
ADD_EXTRA_GROUPS=1
DHOME=/home
DIR_MODE=0750
DSHELL=/bin/bash
EXTRA_GROUPS="users"
FIRST_GID=1000
FIRST_SYSTEM_GID=100
FIRST_SYSTEM_UID=100
FIRST_UID=1000
GROUPHOMES=no
LAST_GID=29999
LAST_SYSTEM_GID=999
LAST_SYSTEM_UID=999
LAST_UID=29999
LETTERHOMES=no
NAME_REGEX="^[a-z][-a-z0-9_]*\$"
QUOTAUSER="" # TODO: init
SETGID_HOME=no
SKEL=/etc/skel
SKEL_IGNORE_REGEX="dpkg-(old|new|dist|save)"
USERGROUPS=yes
USERS_GID=100
EOF
# Skeleton: configuration under ~/etc, state under ~/var; ~/.ssh and
# ~/.gnupg are relative symlinks so that sshd's AuthorizedKeysFile
# (%h/etc/ssh/authorized_keys in rule_ssh_configure) and gpg share the
# etc/ tree.
sudo install -d -m 750 -o root -g root \
/etc/skel \
/etc/skel/etc \
/etc/skel/etc/gpg \
/etc/skel/etc/ssh
sudo install -d -m 770 -o root -g root \
/etc/skel/var \
/etc/skel/var/cache \
/etc/skel/var/log \
/etc/skel/var/run \
/etc/skel/var/run/ssh
sudo ln -fns etc/ssh /etc/skel/.ssh
sudo ln -fns etc/gpg /etc/skel/.gnupg
# Lets a sudo member run passwd on their own account without a sudo
# password, but only while that account is still locked (`passwd --status`
# reports "<user> L ..."); passwd-init below invokes exactly this command.
# NOTE(review): sudo expects sudoers.d fragments to be root-owned with
# mode 0440 — confirm the target sudo version accepts 0640 fragments.
# A syntax error in a fragment can disable sudo altogether;
# `visudo -c -f FILE` validates a fragment before it is installed.
sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
EOF
# Allows `etckeeper unclean` (and nothing else) without a password.
sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF
%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
EOF
# Keeps the invoking user's editor and git identity across sudo.
sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/env_keep <<-EOF
Defaults env_keep = " \\
EDITOR \\
GIT_AUTHOR_NAME \\
GIT_AUTHOR_EMAIL \\
GIT_COMMITTER_NAME \\
GIT_COMMITTER_EMAIL \\
"
EOF
# User-facing wrapper around the passwd-init sudoers rule above; the
# command line it runs presumably has to match that rule's arguments
# exactly for NOPASSWD to apply.
sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF
#!/bin/sh -efu
# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
sudo /bin/sh -e -f -u -c \
'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
EOF
sudo install -m 644 -o root -g root \
"$tool"/etc/bash.bashrc \
/etc/bash.bashrc
sudo install -m 644 -o root -g root \
"$tool"/etc/screenrc \
/etc/screenrc
}
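rule_user_admin_add () { # SYNTAX: $user
  # Creates an administrator account: like rule_user_add but the account
  # joins the "sudo" group instead of "users", and rule user_admin_configure
  # runs afterwards (it rebuilds root's authorized_keys from the sudo
  # group's members, so the new admin's key is included).
  rule user_configure
  local user=$1
  rule adduser "$user" --disabled-password
  # Home directory from the passwd database: the same value as ~$user,
  # without passing $user through eval.
  local home
  home=$(getent passwd "$user" | cut -d : -f 6)
  test -n "$home"
  sudo adduser "$user" sudo
  # NOTE(review): sshd opens AuthorizedKeysFile with the user's own uid —
  # confirm $user can read a root:root 0640 file here, otherwise public
  # key authentication fails silently for the account.
  sudo install -m 640 -o root -g root \
    "$tool"/var/pub/ssh/"$user".key \
    "$home"/etc/ssh/authorized_keys
  local key; local -; set +f # the script runs under set -f
  for key in "$tool"/var/pub/openpgp/*.key
  do test -e "$key" || continue # an unmatched glob stays literal
    sudo -u "$user" gpg --import - <"$key"
  done
  rule user_admin_configure
}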
rule_user_admin_configure () {
  # Steps shared by every administrator account: initramfs setup and the
  # root account (whose authorized_keys are rebuilt from the sudo group).
  local sub
  for sub in initramfs_configure user_root_configure
  do rule "$sub"
  done
}
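rule_user_root_configure () {
  # Root account layout (/root/etc/{gpg,ssh}, with ~/.gnupg and ~/.ssh
  # pointing into it), then /root/etc/ssh/authorized_keys rebuilt as the
  # concatenation of every sudo member's ~/etc/ssh/authorized_keys, and
  # the repository's OpenPGP keys imported into root's keyring.
  sudo install -d -m 750 -o root -g root \
    /root/etc \
    /root/etc/gpg \
    /root/etc/ssh
  sudo ln -fns etc/gpg /root/.gnupg
  sudo ln -fns etc/ssh /root/.ssh
  # getent group sudo → "sudo:x:GID:user1,user2,…": field 4 lists the
  # supplementary members, consumed one comma-separated field at a time.
  # NOTE: the script has no pipefail, so a failure inside the loop (missing
  # home or authorized_keys) does not fail the install and may leave the
  # resulting file incomplete.
  local group x users user home
  getent group sudo |
  while IFS=: read -r group x x users
  do while test -n "$users" && IFS=, read -r user users <<-EOF
$users
EOF
    do # home directory from the passwd database: the same value as
       # ~$user, without passing $user through eval
       home=$(getent passwd "$user" | cut -d : -f 6)
       test -n "$home"
       cat "$home"/etc/ssh/authorized_keys
    done
  done |
  sudo install -m 640 -o root -g root /dev/stdin /root/etc/ssh/authorized_keys
  local key; local -; set +f # the script runs under set -f
  for key in "$tool"/var/pub/openpgp/*.key
  do test -e "$key" || continue # an unmatched glob stays literal
    sudo gpg --import "$key"
  done
}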
rule_configure () {
  # Full (re)configuration of the hosted VM: runs the individual
  # *_configure rules in order, base system first, then services.
  # apache2_configure is deliberately not part of the sequence.
  local step
  for step in \
    apt_configure \
    git_configure \
    etckeeper_configure \
    locales_configure \
    time_configure \
    network_configure \
    filesystem_configure \
    login_configure \
    ssh_configure \
    user_root_configure \
    boot_configure \
    sysctl_configure \
    user_configure \
    mail_configure \
    www_configure \
    php5_fpm_configure \
    nginx_configure \
    gitolite_configure \
    runit_configure
  do rule "$step"
  done
}
1433
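rule_luks_key_change () {
  # Interactively changes a LUKS passphrase of the root logical volume
  # /dev/$vm_lvm_vg/${vm_lvm_lv}_root (cryptsetup prompts for the old and
  # the new passphrase).  Both names come from etc/vm.sh: set -u already
  # rejects an unset one, the tests below reject an empty one so the
  # device path can never degrade to /dev//_root.
  test -n "$vm_lvm_vg"
  test -n "$vm_lvm_lv"
  sudo cryptsetup luksChangeKey "/dev/$vm_lvm_vg/${vm_lvm_lv}_root"
}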
1437
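# Entry point: the first argument names the rule (function rule_$rule), the
# remaining ones are passed to it.  "help" is the default and the only rule
# allowed on any machine; every other rule first asserts that it runs on
# the hosted VM itself (hostname --fqdn must equal $vm_fqdn from etc/vm.sh).
rule=${1:-help}
test $# -eq 0 || shift
case $rule in
(help);;
(*)
  assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
  ;;
esac
rule "$rule" "$@"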