Modification : etc/openssl/ : tls -> x509 .
#!/bin/sh
# vm_hosted: rules to administer the VM from inside the hosted VM (see rule help).
# -e: stop on the first error; -f: no globbing (re-enabled locally where a
# glob is wanted); -u: unset variables are errors; DRY_RUN=<anything> adds -n,
# so the script is only parsed and nothing is executed.
set -e -f ${DRY_RUN:+-n} -u
# Resolve symlinks (e.g. /usr/local/sbin/vm, see rule_git_configure) back to
# the checkout this file lives in.
# NOTE(review): readlink returns a relative target as-is, so a relative
# symlink would be resolved against the current directory, not the link's
# directory; and a bare "$0" without any "/" leaves $tool unchanged.
tool=$0
while test -L "$tool"
do tool=$(readlink "$tool")
done
tool=${tool%/*}
# rule/assert/warn and the vm_* settings ($vm_fqdn, $vm_ipv4, ...) are not
# defined in this file: they come from these two sourced files.
. "$tool"/lib/rule.sh
. "$tool"/etc/vm.sh
10
rule_help () { # SYNTAX: [--hidden]
	# Print the usage text on stderr.
	# The RULES list is scraped with sed from etc/vm.sh and this file: every
	# "rule_NAME () {" line, its trailing "# ..." comment (if any) serving as
	# the description. Likewise ENVIRONMENT lists the "readonly NAME=...}"
	# lines of those files.
	# Without an argument $hidden is set, and the pattern then excludes the
	# rules whose name starts with "_" (internal ones, e.g.
	# rule__chrooted_configure); any argument (--hidden) shows them too.
	local hidden; [ ${1:+set} ] || hidden=set
	cat >&2 <<-EOF
	DESCRIPTION:
	 ce script regroupe des règles pour administrer la VM ($vm_fqdn)
	 _depuis_ la VM hébergée ($vm_fqdn) ;
	 il sert à la fois d'outil (aisément bidouillable)
	 et de documentation (préçise).
	 Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
	SYNTAX: $0 \$RULE \${RULE}_SYNTAX
	RULES:
	$(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
	ENVIRONMENT:
	 TRACE # affiche les commandes avant leur exécution
	$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
	EOF
}
28
rule_git_configure () {
	# Make the checkout's master branch track its own refs/remotes/master
	# (git config --replace is accepted as an abbreviation of --replace-all),
	# then expose the tool system-wide as /usr/local/sbin/vm_hosted and
	# /usr/local/sbin/vm.
	(
	cd "$tool"
	git config --replace branch.master.remote .
	git config --replace branch.master.merge refs/remotes/master
	# Absolute path of the checkout: "cd -" prints the directory it returns to.
	local tool
	tool=$(cd "$tool"; cd -)
	# NOTE(review): these symlinks in the system PATH point into the checkout,
	# so whoever can write the checkout controls what is later run under sudo
	# through them.
	sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/
	sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/vm
	)
}
rule_git_reset () {
	# Force the checkout back onto refs/remotes/master and drop every
	# untracked file, ignored ones included (git clean -x): anything that is
	# not committed in the repository is lost.
	( cd "$tool" &&
	  git checkout -f -B master remotes/master &&
	  git clean -f -d -x )
}
47
rule_apt_get_install () { # SYNTAX: $package
	# Install the given package(s) with apt-get under sudo; every argument
	# is forwarded verbatim.
	set -- install "$@"
	sudo apt-get "$@"
}
51
rule__chrooted_configure () { # NOTE: is this actually useful at some point?
	# Force the C locale for the current shell and re-read the system
	# profile (meant for a shell running inside the chroot).
	LANG=C LC_CTYPE=C
	export LANG LC_CTYPE
	. /etc/profile
}
57
rule_apache2_configure () {
	# Install Apache (mpm-itk + mod_php5) with the repository's configuration,
	# then generate, install and enable one VirtualHost per
	# "$tool"/etc/apache2/site.d/$port.$site/VirtualHost.conf fragment.
	# Relies on $user (the account given ownership of the site directories)
	# and on rule www_configure, neither of which is defined in this file:
	# both are expected from the sourced etc/vm.sh — verify.
	# "local -" scopes the shell options to this function; globbing is
	# re-enabled for the site.d/* loop below.
	local -; set +f
	rule apt_get_install \
	 apache2-mpm-itk \
	 libapache2-mod-php5
	# SEE: http://serverfault.com/questions/383526/how-do-i-select-which-apache-mpm-to-use/383634#383634
	# SEE: http://jkroon.blogs.uls.co.za/it/security/using-php-fpm-and-mod_proxy_fcgi-to-optimize-and-secure-lamp-servers
	# NOTE: apache2-mpm-itk looks like the safest option, since everything is
	# guaranteed to run with the uid/gid assigned to the VirtualHost/Directory/Location;
	# a combination such as
	# apache2-mpm-{worker,event} + mod_proxy_fcgi + apache2-suexec-custom + php-fpm
	# might perform better (threads instead of forks), but suexec seems to
	# impose forks anyway and mod_proxy_fcgi only appears in Apache 2.4;
	# so for now: apache2-mpm-itk
	rule www_configure
	# apache2.conf = a ServerName line followed by the repository's file.
	cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF |
	ServerName "$vm_fqdn"
	EOF
	sudo install -m 660 -o root -g root /dev/stdin \
	 /etc/apache2/apache2.conf
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/apache2/envvars \
	 /etc/apache2/envvars
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/apache2/httpd.conf \
	 /etc/apache2/httpd.conf
	#sudo install -m 660 -o root -g root /dev/stdin \
	# /etc/apache2/suexec/www-data <<-EOF
	# /home
	# pub/www/cgi
	# EOF
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/apache2/ports.conf \
	 /etc/apache2/ports.conf
	sudo a2enmod actions
	sudo a2enmod headers
	sudo a2enmod rewrite
	sudo a2enmod ssl
	sudo a2enmod userdir
	local conf
	# Disable every site first: only the sites regenerated below end up enabled.
	sudo a2dissite "*"
	sudo ln -fns \
	 /etc/apache2 \
	 /home/www/etc/apache2
	for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf
	do conf=${conf#"$tool"/etc/apache2/site.d/}
		# The directory is named "$port.$site": the first dot separates
		# them, the remainder (dots included) is the site name.
		local port site
		IFS=. read -r port site <<-EOF
		${conf%\/VirtualHost\.conf}
		EOF
		assert 'test "${site:+set}"'
		assert 'test "${port:+set}"'
		# One dedicated system account (mpm-itk AssignUserID) and one
		# directory name per site.
		local site_user="$user.$port.$site"
		local site_dir="$user.$port.$site"
		case $port in
		(443)
			# The private key never goes through the repository: it must
			# have been pushed beforehand with vm_remote apache2_key_send.
			local hint="run vm_remote apache2_key_send before"
			assert "sudo test -f /etc/apache2/site.d/\"$site_dir\"/x509/key.pem" hint
			# NOTE(review): GNU install -d re-applies owner and mode to
			# directories that already exist, so this hands /etc/apache2
			# itself — and the x509/ directory holding key.pem — to $user
			# with mode 770; $user can then replace configuration files that
			# Apache loads as root. Confirm this is intended.
			sudo install -d -m 770 -o "$user" -g "$user" \
			 /etc/apache2 \
			 /etc/apache2/site.d/"$site_dir" \
			 /etc/apache2/site.d/"$site_dir"/x509 \
			 /etc/apache2/site.d/"$site_dir"/x509/ca \
			 /etc/apache2/site.d/"$site_dir"/x509/empty \
			 /etc/apache2/site.d/"$site_dir"/x509/rvk \
			 /etc/apache2/site.d/"$site_dir"/x509/usr
			# Public certificates are owned by www (the server account),
			# unlike the directories above.
			sudo install -m 664 -o www -g www \
			 "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
			 /etc/apache2/site.d/"$site_dir"/x509/crt.self-signed.pem
			#sudo install -m 664 -o "$user" -g "$user" \
			# "$tool"/var/pub/x509/"$site"/rvk.pem \
			# /etc/apache2/site.d/"$site_dir"/x509/rvk.pem
			sudo install -m 664 -o www -g www \
			 "$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \
			 /etc/apache2/site.d/"$site_dir"/x509/ca/crt.pem
			sudo install -m 664 -o www -g www \
			 "$tool"/var/pub/x509/"$site"/crt.pem \
			 /etc/apache2/site.d/"$site_dir"/x509/crt.pem
			;;
		esac
		# Generate the VirtualHost: common directives, then the per-site
		# fragment. A port other than 80 or 443 yields an empty file.
		# NOTE(review), 443 case:
		# - "SSLProtocol -All +TLSv1" allows TLS 1.0 only, and
		#   "SSLCipherSuite AES+RSA+SHA256" selects static-RSA suites with no
		#   forward secrecy; prefer "-All +TLSv1.2" and an ECDHE suite once
		#   the installed Apache/OpenSSL support them.
		# - "SSLVerifyClient None" with "SSLUserName SSL_CLIENT_S_DN_CN" only
		#   authenticates users where a fragment raises SSLVerifyClient to
		#   "require" for a Location; +StrictRequire keeps a "Satisfy Any"
		#   from overriding an SSLRequire there.
		case $port in
		(80)
			cat <<-EOF
			<VirtualHost *:$port>
			 AssignUserID $site_user $site_user
			 CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
			 #CustomLog "/dev/null" Combined
			 DocumentRoot /home/www/pub/$site_dir
			 ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
			 #ErrorLog "/dev/null"
			 ServerName $site
			 LogLevel Warn
			$(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
			</VirtualHost>
			EOF
			;;
		(443)
			cat <<-EOF
			<IfModule mod_ssl.c>
			<VirtualHost *:$port>
			 AssignUserID $site_user $site_user
			 BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0
			 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
			 CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
			 #CustomLog "/dev/null" Combined
			 DocumentRoot /home/www/pub/$site_dir
			 ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
			 #ErrorLog "/dev/null"
			 LogLevel Warn
			 ServerName $site
			 SSLCACertificateFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
			 SSLCACertificatePath /etc/apache2/site.d/$site_dir/x509/usr/
			 #SSLCARevocationFile /etc/apache2/site.d/$site_dir/x509/rvk.pem
			 SSLCADNRequestFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
			 SSLCADNRequestPath /etc/apache2/site.d/$site_dir/x509/empty/
			 # NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés
			 SSLCARevocationPath /etc/apache2/site.d/$site_dir/x509/rvk/
			 SSLCertificateChainFile /etc/apache2/site.d/$site_dir/x509/ca/crt.pem
			 SSLCertificateFile /etc/apache2/site.d/$site_dir/x509/crt.pem
			 SSLCertificateKeyFile /etc/apache2/site.d/$site_dir/x509/key.pem
			 SSLCipherSuite AES+RSA+SHA256
			 SSLEngine On
			 SSLInsecureRenegotiation Off
			 SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars
			 SSLProtocol -All +TLSv1
			 #SSLRenegBufferSize 262144
			 SSLSessionCacheTimeout 1200
			 SSLStrictSNIVHostCheck On
			 SSLUserName SSL_CLIENT_S_DN_CN
			 SSLVerifyClient None
			 SSLVerifyDepth 1
			$(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
			</VirtualHost>
			</IfModule>
			EOF
			;;
		esac |
		sudo install -m 660 -o root -g root /dev/stdin \
		 /etc/apache2/site.d/"$site_dir"/VirtualHost.conf
		sudo ln -fns \
		 ../site.d/"$site_dir"/VirtualHost.conf \
		 /etc/apache2/sites-available/"$site_dir"
		sudo install -d -m 770 -o "$user" -g "$user" \
		 /home/www/log/"$site_dir" \
		 /home/www/log/"$site_dir"/apache2
		sudo ln -fns \
		 /etc/apache2/site.d/"$site_dir" \
		 /home/www/etc/apache2/"$site_dir"
		test -e /home/www/pub/"$site_dir" ||
		sudo install -d -m 770 -o "$user" -g "$user" \
		 /home/www/pub/"$site_dir"
		# Unprivileged service account for mpm-itk: no password, no shell,
		# home on the DocumentRoot (created above, hence --no-create-home).
		getent passwd "$site_user" >/dev/null ||
		sudo adduser \
		 --disabled-password \
		 --group \
		 --no-create-home \
		 --home /home/www/pub/"$site_dir" \
		 --shell /bin/false \
		 --system \
		 "$site_user"
		# The site account may only traverse down to its DocumentRoot ...
		sudo setfacl -m u:"$site_user":--x \
		 /home/www/ \
		 /home/www/pub/ \
		 /home/www/pub/"$site_dir"/
		# ... and gets rwx by default on new entries below it.
		# NOTE(review): $home is not set in this function, and
		# "$home"/pub/www/$site_dir does not match the /home/www/pub/$site_dir
		# layout used just above — verify which directory this default ACL
		# is meant for.
		sudo setfacl -m d:u:"$site_user":rwx \
		 "$home"/pub/www/"$site_dir"/
		# Optional per-site hook, sourced rather than executed: it runs with
		# this script's privileges, so only trusted repository content
		# belongs there.
		test ! -r "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh ||
		. "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh
		test -e /etc/apache2/sites-enabled/"$site_dir" ||
		sudo a2ensite "$site_dir"
	done
	sudo service apache2 restart
}
rule_apt_configure () {
	# APT sources, pinning and apticron (mail on pending upgrades).
	# NOTE(review): sources.list ends up with the release archive only; no
	# "deb http://security.debian.org/ $vm_lsb_name/updates ..." line is
	# written here, so unless another file provides it the VM gets no
	# security updates and apticron has nothing to report — confirm.
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
	deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
	EOF
	# Backports, commented out. NOTE(review): this file is written to
	# /etc/apt/ rather than /etc/apt/sources.list.d/, so apt never reads it.
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF
	#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
	EOF
	# NOTE(review): backports (200) are pinned above the release (170), the
	# reverse of the usual 100 for backports; only matters if the backports
	# source above is ever enabled.
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
	Package: *
	Pin: release a=$vm_lsb_name
	Pin-Priority: 170

	Package: *
	Pin: release a=$vm_lsb_name-backports
	Pin-Priority: 200
	EOF
	# NOTE(review): third-party *nightly trunk* packages fetched over plain
	# HTTP; no signing key is imported here, so apt will refuse or warn about
	# them unless the key is installed elsewhere. Supply-chain exposure:
	# whoever controls that host (or the path to it, absent a key) controls
	# code installed as root on this VM.
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
	deb http://nightly.openerp.com/trunk/nightly/deb/ ./
	EOF
	sudo apt-get update
	rule apt_get_install apticron
	# Pending-upgrade reports go to admin@$vm_domainname; the rest keeps
	# apticron's defaults.
	sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF
	EMAIL="admin@$vm_domainname"
	# DIFF_ONLY="1"
	# LISTCHANGES_PROFILE="apticron"
	# ALL_FQDNS="1"
	# SYSTEM="foobar.example.com"
	# IPADDRESSNUM="1"
	# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
	# NOTIFY_HOLDS="0"
	# NOTIFY_NEW="0"
	# NOTIFY_NO_UPDATES="0"
	# CUSTOM_SUBJECT=""
	# CUSTOM_NO_UPDATES_SUBJECT=""
	# CUSTOM_FROM="root@$vm_fqdn"
	EOF
}
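rule_boot_configure () {
	# Boot loader and kernel for a Xen PV guest: install grub-pc and the
	# kernel, write /etc/default/grub and /boot/grub/device.map, regenerate
	# grub.cfg and finally the initramfs (rule initramfs_configure).
	warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
	rule apt_get_install grub-pc
	# FIX: 644 is a file mode; a directory needs the x bit to be entered.
	sudo install -d -m 755 -o root -g root /boot/grub
	rule apt_get_install linux-image-$vm_arch
	# Kernel command line: console on the Xen hvc0, static IPv4 handed to
	# the initramfs (needed for the dropbear remote unlock, see
	# rule_initramfs_configure) and resume from the encrypted swap volume.
	sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF
	GRUB_DEFAULT=0
	GRUB_TIMEOUT=5
	GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
	GRUB_CMDLINE_LINUX_DEFAULT="quiet"
	GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
	GRUB_DISABLE_RECOVERY="true"
	#GRUB_PRELOAD_MODULES="lvm"
	EOF
	# Both names map to (hd0): the Xen virtual disk as seen from the guest
	# and the host-side LVM device (dashes doubled in device-mapper names).
	sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF
	(hd0) /dev/xvda
	(hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
	EOF
	sudo update-grub2 # NOTE: takes /boot/grub/device.map into account
	rule initramfs_configure
}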
rule_dovecot_configure () {
	# IMAP + ManageSieve with dovecot: TLS with the service's self-signed
	# certificate, client certificates requested (their CN becomes the
	# username), one passwd-file per user, filesystem quota and sieve.
	# The private key is pushed beforehand by vm_remote dovecot_key_send.
	rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
	local hint="run vm_remote dovecot_key_send before"
	assert "test -f /etc/dovecot/$vm_domainname/imap/x509/key.pem" hint
	sudo install -m 400 -o root -g root \
	 "$tool"/var/pub/x509/service/imap/crt+crl.self-signed.pem \
	 /etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
	sudo install -d -m 770 -o root -g adm \
	 /etc/skel/etc/mail \
	 /etc/skel/etc/sieve
	# NOTE(review): world-writable sticky directories. mail_location below
	# puts INDEX and CONTROL under <dir>/%u, created as the user on first
	# use, so any local user can create another user's entry there first.
	# A root-owned 755 directory with per-user subdirectories created at
	# account creation would avoid that — check how your dovecot version
	# reacts to a pre-existing directory with the wrong owner.
	sudo install -d -m 1777 -o root -g root \
	 /var/lib/dovecot-control \
	 /var/lib/dovecot-index
	# NOTE(review), local.conf:
	# - mail_debug = yes is verbose logging for production;
	# - ssl_cipher_list = AES256-SHA is a single static-RSA suite with no
	#   forward secrecy; consider an ECDHE list once clients allow it;
	# - ssl_verify_client_cert requests a client certificate but
	#   ssl_require_client_cert is not set, so the passwd-file password is
	#   still what authenticates — confirm this is the intended model;
	# - service auth runs as root so it can read each user's private
	#   ~/etc/dovecot/passwd (see dovecot-passwd below);
	# - ssl_ca and ssl_cert both point at the self-signed cert+CRL bundle:
	#   the server is its own CA.
	sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
	auth_ssl_username_from_cert = yes
	listen = *
	log_timestamp = "%Y-%m-%d %H:%M:%S "
	mail_debug = yes
	mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
	 # NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
	 # VOIR: http://wiki2.dovecot.org/Quota/FS
	mail_plugins = \$mail_plugins quota
	mail_privileged_group = mail
	passdb {
	 args = /home/%u/etc/dovecot/passwd
	 driver = passwd-file
	}
	plugin {
	 quota = fs:user
	 recipient_delimiter = +
	 sieve = ~/etc/mail/filter.sieve
	 sieve_dir = ~/etc/mail/sieve
	 sieve_global_dir = /var/lib/dovecot/sieve/global/
	 sieve_max_script_size = 1M
	 sieve_quota_max_scripts = 0
	 sieve_quota_max_storage = 10M
	 sieve_user_log = ~/var/log/mail/sieve.log
	}
	protocol imap {
	 mail_plugins = \$mail_plugins imap_quota
	}
	protocol lda {
	 auth_socket_path = /var/run/dovecot/auth-master
	 hostname = $vm_domainname
	 info_log_path =
	 log_path =
	 mail_plugins = \$mail_plugins sieve
	 postmaster_address = contact+dovecot+lda@$vm_domainname
	 syslog_facility = mail
	}
	protocols = imap sieve
	service auth {
	 user = root
	 unix_listener /var/spool/postfix/private/auth {
	  mode = 0660
	  user = postfix
	  group = postfix
	 }
	}
	ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
	ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
	ssl_cipher_list = AES256-SHA
	ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
	ssl_verify_client_cert = yes
	userdb {
	 driver = passwd
	}
	verbose_ssl = no
	EOF
	# Helper letting a user (re)create their own passwd-file. doveadm pw
	# prompts for the password, so it never appears on a command line; the
	# -x trace only shows the commands themselves.
	sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
	#!/bin/sh -efux
	# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
	install -d -m 770 ~/etc/dovecot
	install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
	\$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
	_EOF
	EOF
	# NOTE(review): an (empty) postgrey whitelist; it belongs with
	# rule_postgrey_configure rather than here.
	sudo install -m 664 -o root -g root /dev/stdin /etc/postgrey/whitelist_recipients.local <<-EOF
	EOF
	sudo service dovecot restart
}
rule_etckeeper_configure () {
	# Keep /etc under git with etckeeper. The configuration is written before
	# the package is installed, so its initial commit already follows it.
	# AVOID_DAILY_AUTOCOMMITS / AVOID_COMMIT_BEFORE_INSTALL: no automatic
	# commits; changes are meant to be committed explicitly (presumably
	# through etc/etckeeper/prompt.sh and the "etckeeper unclean" sudoers
	# rule of rule_user_configure — verify).
	sudo install -m 644 -o root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
	VCS=git
	GIT_COMMIT_OPTIONS=""
	AVOID_DAILY_AUTOCOMMITS=1
	#AVOID_SPECIAL_FILE_WARNING=1
	AVOID_COMMIT_BEFORE_INSTALL=1
	HIGHLEVEL_PACKAGE_MANAGER=apt
	LOWLEVEL_PACKAGE_MANAGER=dpkg
	EOF
	sudo install -m 644 -o root -g root \
	 "$tool"/etc/etckeeper/prompt.sh \
	 /etc/etckeeper/prompt.sh
	rule apt_get_install etckeeper
}
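rule_filesystem_configure () {
	# fstab, crypttab and swap tuning for the LUKS-on-LVM layout:
	# root, var, home and swap are separate LUKS volumes; only root asks for
	# a passphrase, the other three derive their key from root's master key
	# (decrypt_derived), see crypttab below.
	# /tmp is a tmpfs mounted nosuid,nodev; quotas are enabled on /home only.
	sudo install -m 644 -o root -g root /dev/stdin /etc/fstab <<-EOF
	# <file system> <mount point> <type> <options> <dump> <pass>
	LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
	proc /proc proc defaults 0 0
	sysfs /sys sysfs defaults 0 0
	tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
	/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
	/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
	/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
	# NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
	/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF
	# <target name> <source device> <key file> <options>
	${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
	${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	EOF
	# FIX: sysctl.conf(5) only documents whole-line comments; the note that
	# used to trail the swappiness value is now on its own line, so the value
	# written to /proc/sys/vm/swappiness is exactly "10".
	sudo install -m 644 -o root -g root /dev/stdin /etc/sysctl.d/local-swap.conf <<-EOF
	vm.swappiness = 10
	# NOTE: n'utilise le swap qu'en cas d'absolue nécessité
	vm.vfs_cache_pressure=50
	EOF
}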
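rule_initramfs_configure () {
	# Build an initramfs for a Xen PV guest that can have its LUKS root
	# unlocked remotely: dropbear runs in the initramfs and accepts the SSH
	# keys of every member of the sudo group.
	sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
	MODULES=most
	BUSYBOX=y
	KEYMAP=y
	COMPRESS=gzip
	DEVICE=eth0
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/modprobe.d/xen-pv.conf <<-EOF
	alias eth0 xennet
	alias scsi_hostadapter xenblk
	EOF
	# Crypto modules needed to open the LUKS volumes at boot.
	sudo install -m 644 -o root -g root /dev/stdin /etc/modules <<-EOF
	sha1_generic
	sha256_generic
	sha512_generic
	aes-x86_64
	xts
	# NOTE: pour Xen en mode HVM :
	#modprobe xen-platform-pci
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF
	EOF
	# NOTE: works around a bug: dropbear must wait until the network is configured..
	# NOTE(review): this patches a file owned by the dropbear package under
	# /usr/share, so the next package upgrade silently undoes it; a copy in
	# /etc/initramfs-tools/scripts/init-premount/ would take precedence.
	sudo sed -e '/^configure_networking /s/ &$//' \
	 -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
	# Generate a 4096-bit RSA host key for dropbear only when the
	# repository's known_hosts has no RSA entry for init.$vm_fqdn (when it
	# has, the matching private key is expected to be in place already).
	ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	( while IFS= read -r line
	  do case $line in (*" RSA") return 0; break;; esac
	  done; return 1 ) ||
	{
	sudo rm -f \
	 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
	 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
	sudo dropbearkey -t rsa -s 4096 -f \
	 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
	}
	# NOTE: does not care about dropbear_dss_host_key ; Debian generates and uses it nonetheless.
	# FIX: 640 is a file mode; a directory needs the x bit to be entered.
	# 700: this is the initramfs root account's home.
	sudo install -d -m 700 -o root -g root \
	 /etc/initramfs-tools/root \
	 /etc/initramfs-tools/root/.ssh
	# Whoever is in group sudo may unlock the disks at boot: concatenate
	# every member's authorized_keys into the initramfs root account's.
	# Members are read from the 4th field of getent group, comma-separated;
	# the home directory comes from tilde expansion (eval) of the name.
	getent group sudo |
	while IFS=: read -r group x x users
	do while test -n "$users" && IFS=, read -r user users <<-EOF
		$users
		EOF
		do eval local home\; home="~$user"
		cat "$home"/etc/ssh/authorized_keys
		done
	done |
	sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys
	# NOTE: keys generated by Debian — the initramfs needs no client key.
	sudo rm -f \
	 /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
	 /etc/initramfs-tools/root/.ssh/id_rsa.pub \
	 /etc/initramfs-tools/root/.ssh/id_rsa
	sudo update-initramfs -u
}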
rule_time_configure () {
	# Set the time zone to Europe/Paris (then let tzdata apply it) and
	# install an NTP daemon.
	printf '%s\n' Europe/Paris |
	sudo install -m 644 -o root -g root /dev/stdin /etc/timezone
	sudo dpkg-reconfigure tzdata
	rule apt_get_install ntp
}
rule_locale_configure () {
	# Generate only the fr_FR.UTF-8 locale and refresh /etc/default/locale.
	printf '%s\n' 'fr_FR.UTF-8 UTF-8' |
	sudo install -m 644 -o root -g root /dev/stdin /etc/locale.gen
	sudo update-locale
}
rule_login_configure () {
	# Console login on the Xen consoles (securetty + sysvinit inittab),
	# login.defs policy and pam_umask.
	# Allow root to log in on the Xen consoles hvc0/xvc0; each is appended
	# to securetty once.
	grep -q '^hvc0$' /etc/securetty ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
	$(cat /etc/securetty)
	hvc0
	EOF
	grep -q '^xvc0$' /etc/securetty ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
	$(cat /etc/securetty)
	xvc0
	EOF
	# Debian's stock sysvinit inittab with the tty gettys replaced by one on
	# the Xen hypervisor console (hvc0).
	sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF
	# /etc/inittab: init(8) configuration.

	# The default runlevel.
	id:2:initdefault:

	# Boot-time system configuration/initialization script.
	# This is run first except when booting in emergency (-b) mode.
	si::sysinit:/etc/init.d/rcS

	# What to do in single-user mode.
	~~:S:wait:/sbin/sulogin

	# /etc/init.d executes the S and K scripts upon change
	# of runlevel.
	#
	# Runlevel 0 is halt.
	# Runlevel 1 is single-user.
	# Runlevels 2-5 are multi-user.
	# Runlevel 6 is reboot.

	l0:0:wait:/etc/init.d/rc 0
	l1:1:wait:/etc/init.d/rc 1
	l2:2:wait:/etc/init.d/rc 2
	l3:3:wait:/etc/init.d/rc 3
	l4:4:wait:/etc/init.d/rc 4
	l5:5:wait:/etc/init.d/rc 5
	l6:6:wait:/etc/init.d/rc 6
	# Normally not reached, but fallthrough in case of emergency.
	z6:6:respawn:/sbin/sulogin

	# What to do when CTRL-ALT-DEL is pressed.
	ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

	# What to do when the power fails/returns.
	pf::powerwait:/etc/init.d/powerfail start
	pn::powerfailnow:/etc/init.d/powerfail now
	po::powerokwait:/etc/init.d/powerfail stop

	# Xen hypervisor console
	hvc:2345:respawn:/sbin/getty 38400 hvc0
	#xvc:2345:respawn:/sbin/getty 38400 xvc0
	EOF
	# login.defs: SHA512 password hashes, UMASK 007 (see the notes inside:
	# the owning group is trusted as much as the owner, which the ACL-based
	# sharing relies on), 3 login retries, no password ageing
	# (PASS_MAX_DAYS 99999), su/sg logged to syslog.
	sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF
	MAIL_DIR /var/mail
	FAILLOG_ENAB yes
	LOG_UNKFAIL_ENAB no
	LOG_OK_LOGINS no
	SYSLOG_SU_ENAB yes
	SYSLOG_SG_ENAB yes
	FTMP_FILE /var/log/btmp
	SU_NAME su
	HUSHLOGIN_FILE .hushlogin
	ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
	ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
	# NOTE: met les sbin/ dans ENV_PATH ;
	# - ça n'apporte aucune protection de ne pas les mettre ;
	# - ça frustre de ne pas les trouver.
	TTYGROUP tty
	TTYPERM 0600
	ERASECHAR 0177
	KILLCHAR 025
	UMASK 007
	# NOTE: rwxrwx--- ;
	# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
	# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
	PASS_MAX_DAYS 99999
	PASS_MIN_DAYS 0
	PASS_WARN_AGE 7
	UID_MIN 1000
	UID_MAX 60000
	GID_MIN 1000
	GID_MAX 60000
	LOGIN_RETRIES 3
	LOGIN_TIMEOUT 60
	CHFN_RESTRICT rwh
	DEFAULT_HOME yes
	USERGROUPS_ENAB yes
	ENCRYPT_METHOD SHA512
	EOF
	# Apply the login.defs UMASK through PAM for every session type
	# (appended once; "\>" is a GNU grep word boundary).
	grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF
	$(cat /etc/pam.d/common-session)
	session optional pam_umask.so
	EOF
}
rule_mail_configure () {
	# Configure the whole mail stack, MTA first: postfix, then postgrey
	# (greylisting), procmail (local delivery) and dovecot (IMAP/sieve).
	local service
	for service in postfix postgrey procmail dovecot
	do rule "${service}_configure"
	done
}
rule_network_configure () {
	# Hostname, /etc/hosts entry and a static single-address (/32) interface
	# on the Grenode network: the gateway is the VM's own address, reachable
	# thanks to proxy ARP on the real gateway (see the notes in the file).
	sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
	$vm
	EOF
	# Append the FQDN line once (any line already ending in " $vm" counts).
	grep -q " $vm\$" /etc/hosts ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/hosts <<-EOF
	$(cat /etc/hosts)
	127.0.0.1 $vm_fqdn $vm
	EOF
	# "auto eth0=grenode" brings eth0 up with the logical "grenode" stanza.
	# The comments inside the file record the MTU measurement over the
	# Grenode GRE/IPsec tunnels that justifies mtu 1300; they are kept
	# verbatim. \$IFACE and \$((...)) are escaped so ifupdown, not this
	# script, sees them.
	sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF
	auto lo
	iface lo inet loopback

	auto eth0=grenode
	iface grenode inet static
	 address $vm_ipv4
	 gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
	 network $vm_ipv4
	 broadcast $vm_ipv4
	 netmask 255.255.255.255
	 mtu 1300
	 # NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
	 # car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
	 #
	 # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
	 # PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
	 # 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
	 #
	 # --- soupirail.grenode.net ping statistics ---
	 # 1 packets transmitted, 1 received, 0% packet loss, time 0ms
	 # rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
	 # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
	 # PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
	 # From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
	 #
	 # --- soupirail.grenode.net ping statistics ---
	 # 0 packets transmitted, 0 received, +1 errors
	 post-up ip address add $vm_ipv4/32 dev \$IFACE
	 pre-down ip address delete $vm_ipv4/32 dev \$IFACE
	EOF
}
627 rule_postfix_configure () {
628 local hint="run vm_remote postfix_key_send before"
629 assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
630 warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
631 rule apt_get_install postfix
632 sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
633 *.db
634 EOF
635 sudo install -d -m 770 -o root -g root \
636 /etc/postfix/$vm_domainname/ \
637 /etc/postfix/$vm_domainname/smtp \
638 /etc/postfix/$vm_domainname/smtp/x509 \
639 /etc/postfix/$vm_domainname/smtp/x509/ca \
640 /etc/postfix/$vm_domainname/smtpd \
641 /etc/postfix/$vm_domainname/smtpd/x509 \
642 /etc/postfix/$vm_domainname/smtpd/x509/ca
643 sudo install -d -m 770 -o root -g root \
644 /etc/postfix/$vm_domainname/ \
645 /etc/postfix/$vm_domainname/smtp \
646 /etc/postfix/$vm_domainname/smtp/x509 \
647 /etc/postfix/$vm_domainname/smtp/x509/ca \
648 /etc/postfix/$vm_domainname/smtpd \
649 /etc/postfix/$vm_domainname/smtpd/x509 \
650 /etc/postfix/$vm_domainname/smtpd/x509/ca
651 sudo ln -fns \
652 ../crt+crl.self-signed.pem \
653 /etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
654 sudo install -m 400 -o root -g root \
655 "$tool"/var/pub/x509/service/smtpd/crt+crl.self-signed.pem \
656 /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
657 sudo install -m 400 -o root -g root \
658 "$tool"/var/pub/x509/service/smtpd/crt.pem \
659 /etc/postfix/$vm_domainname/smtpd/x509/crt.pem
660 sudo install -m 400 -o root -g root \
661 "$tool"/var/pub/x509/service/smtpd/crt+root.pem \
662 /etc/postfix/$vm_domainname/smtpd/x509/crt+root.pem
663 sudo install -m 400 -o root -g root \
664 "$tool"/var/pub/x509/service/smtpd/crt+crl.self-signed.pem \
665 /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
666 sudo install -m 660 -o root -g root \
667 "$tool"/etc/postfix/$vm_domainname/header_checks \
668 /etc/postfix/$vm_domainname/header_checks
669 sudo install -m 664 -o root -g root \
670 "$tool"/etc/postfix/aliases \
671 /etc/postfix/aliases
672 sudo newaliases -oA/etc/postfix/aliases
673 cat /dev/stdin "$tool"/etc/postfix/main.cf <<-EOF |
674 mydomain = $vm_domainname
675 myorigin = \$mydomain
676 myhostname = $vm_hostname.\$mydomain
677 mail_name = \$myhostname
678 mydestination = $vm_hostname \$myhostname \$myorigin
679 EOF
680 sudo install -m 664 -o root -g root /dev/stdin \
681 /etc/postfix/main.cf
682 sudo install -m 664 -o root -g root \
683 "$tool"/etc/postfix/master.cf \
684 /etc/postfix/master.cf
685 sudo install -m 660 -o root -g root \
686 "$tool"/etc/postfix/$vm_domainname/smtp/x509/policy \
687 /etc/postfix/$vm_domainname/smtp/x509/policy
688 sudo postmap hash:/etc/postfix/$vm_domainname/smtp/x509/policy
689 sudo install -m 660 -o root -g root \
690 "$tool"/etc/postfix/$vm_domainname/smtp/header_checks \
691 /etc/postfix/$vm_domainname/smtp/header_checks
692 sudo install -m 660 -o root -g root \
693 "$tool"/etc/postfix/$vm_domainname/smtpd/sender_access \
694 /etc/postfix/$vm_domainname/smtpd/sender_access
695 sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/sender_access
696 sudo install -m 660 -o root -g root \
697 "$tool"/etc/postfix/$vm_domainname/smtpd/client_blacklist \
698 /etc/postfix/$vm_domainname/smtpd/client_blacklist
699 sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/client_blacklist
700 sudo install -m 660 -o root -g root \
701 "$tool"/etc/postfix/$vm_domainname/smtpd/relay_clientcerts \
702 /etc/postfix/$vm_domainname/smtpd/relay_clientcerts
703 sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/relay_clientcerts
704 sudo install -m 660 -o root -g root \
705 "$tool"/etc/postfix/$vm_domainname/transport \
706 /etc/postfix/$vm_domainname/transport
707 sudo postmap hash:/etc/postfix/$vm_domainname/transport
708 sudo install -m 660 -o root -g root \
709 "$tool"/etc/postfix/$vm_domainname/virtual_alias \
710 /etc/postfix/$vm_domainname/virtual_alias
711 sudo postmap hash:/etc/postfix/$vm_domainname/virtual_alias
712 sudo service postfix restart
713 }
rule_postgrey_configure () {
	# Install the postgrey greylisting policy daemon and (re)start it with
	# its packaged defaults.
	local daemon=postgrey
	rule apt_get_install "$daemon"
	sudo service "$daemon" restart
}
rule_procmail_configure () {
	# Install procmail and seed /etc/skel with the per-user mail layout
	# (etc/mail, var/cache/mail, var/log/mail, var/mail) plus the default
	# delivery recipe, so that every new account starts with them.
	local skel=/etc/skel
	rule apt_get_install procmail
	sudo install -d -m 770 -o root -g adm \
	 "$skel"/etc/mail \
	 "$skel"/var/cache/mail \
	 "$skel"/var/log/mail \
	 "$skel"/var/mail
	sudo install -m 660 -o root -g adm \
	 "$tool"/etc/skel/etc/mail/delivery.procmailrc \
	 "$skel"/etc/mail/delivery.procmailrc
}
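rule_ssh_configure () {
	# OpenSSH server: a single 4096-bit RSA host key, key-only
	# authentication (passwords disabled), keys read from
	# %h/etc/ssh/authorized_keys, bound to the VM's IPv4 address only.
	# Generate a host key only when the repository's known_hosts has no RSA
	# entry for this host (when it has, the pinned key is expected to be
	# installed already).
	ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	( while IFS= read -r line
	  do case $line in (*" RSA") return 0; break;; esac
	  done; return 1 ) ||
	sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
	# NOTE: keys generated by Debian — only the RSA host key is kept.
	sudo rm -f \
	 /etc/ssh/ssh_host_dsa_key \
	 /etc/ssh/ssh_host_dsa_key.pub \
	 /etc/ssh/ssh_host_ecdsa_key \
	 /etc/ssh/ssh_host_ecdsa_key.pub
	# FIX (hardening, no functional change for this setup):
	# - PermitRootLogin without-password: root keeps key-based login (its
	#   authorized_keys is filled by rule_user_root_configure) but can never
	#   log in with a password, even if PasswordAuthentication is flipped
	#   back on later;
	# - Compression delayed: compress only after authentication, keeping
	#   zlib out of the pre-authentication attack surface.
	# KeyRegenerationInterval, ServerKeyBits, RSAAuthentication and
	# RhostsRSAAuthentication are SSH-1 settings, inert under "Protocol 2".
	sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
	Port 22
	ListenAddress $vm_ipv4
	#ListenAddress ::
	Protocol 2
	Compression delayed
	HostKey /etc/ssh/ssh_host_rsa_key
	UsePrivilegeSeparation yes
	KeyRegenerationInterval 3600
	ServerKeyBits 768
	SyslogFacility AUTH
	LogLevel INFO
	LoginGraceTime 120
	PermitRootLogin without-password
	StrictModes yes
	RSAAuthentication yes
	PubkeyAuthentication yes
	AuthorizedKeysFile %h/etc/ssh/authorized_keys
	IgnoreRhosts yes
	RhostsRSAAuthentication no
	HostbasedAuthentication no
	IgnoreUserKnownHosts no
	PermitEmptyPasswords no
	ChallengeResponseAuthentication no
	PasswordAuthentication no
	KerberosAuthentication no
	GSSAPIAuthentication no
	X11Forwarding no
	X11DisplayOffset 10
	PrintMotd no
	DebianBanner no
	PrintLastLog yes
	TCPKeepAlive yes
	ClientAliveInterval 0
	AcceptEnv LANG LC_*
	Subsystem sftp /usr/lib/openssh/sftp-server
	UsePAM yes
	EOF
	sudo service ssh restart
}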
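rule_user_admin_add () { # SYNTAX: $user
	# Create an administrator account: member of the sudo group, SSH public
	# key taken from the repository, the repository's OpenPGP keys imported
	# into its keyring, no password (set later by the user with passwd-init,
	# see rule_user_configure); then propagate the keys (initramfs, root).
	local user=$1
	id "$user" >/dev/null ||
	sudo adduser --disabled-password "$user"
	# NOTE: the password must be initialised by the user with passwd-init .
	# FIX: home directory read from the passwd database instead of eval'ing
	# "~$user" with a caller-supplied name; an unknown account (empty home)
	# aborts under set -e.
	local home
	home=$(getent passwd "$user" | cut -d : -f 6)
	test -n "$home"
	sudo adduser "$user" sudo
	# NOTE(review): owned by root, mode 640: the user cannot alter their own
	# key list, but sshd opens AuthorizedKeysFile with the user's own uid, so
	# a file the user cannot read should defeat key authentication — check
	# that logins actually work, or make it 644 / owned by $user.
	sudo install -m 640 -o root -g root \
	 "$tool"/var/pub/ssh/"$user".key \
	 "$home"/etc/ssh/authorized_keys
	# Globbing re-enabled locally for the *.key loop.
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo -u "$user" gpg --import "$key"
	done
	rule user_admin_configure
}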
rule_user_admin_configure () {
	# Propagate the administrators' SSH keys to where they are honoured:
	# the initramfs (dropbear) and root's authorized_keys.
	local target
	for target in initramfs user_root
	do rule "${target}_configure"
	done
}
rule_user_configure () {
	# Per-user defaults: /etc/skel layout (etc/ssh, etc/gpg behind the usual
	# dotfile symlinks, var/...), sudoers drop-ins and the passwd-init helper.
	sudo install -d -m 750 -o root -g adm \
	 /etc/skel/etc \
	 /etc/skel/etc/ssh
	sudo install -d -m 770 -o root -g adm \
	 /etc/skel/var \
	 /etc/skel/var/log \
	 /etc/skel/var/cache \
	 /etc/skel/var/cache/ssh
	sudo ln -fns etc/ssh /etc/skel/.ssh
	sudo ln -fns etc/gpg /etc/skel/.gnupg
	# passwd-init: a sudo-group member may run, without password, exactly
	# this /bin/sh -c command, which calls passwd for $SUDO_USER only while
	# "passwd --status" reports the account locked ("L"), i.e. for the first
	# password only. $SUDO_USER is set by sudo itself, not by the caller.
	# The command string must stay byte-identical to the one in
	# /usr/local/bin/passwd-init below, otherwise sudo will not match it;
	# note that "*" in a sudoers argument list is a glob, so the match is
	# looser than it looks.
	# NOTE(review): installed with mode 640; sudo expects 0440 and older
	# releases reject or ignore drop-ins with another mode — check with
	# "visudo -c".
	sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
	%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
	 case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
	 ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
	EOF
	sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF
	%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
	EOF
	# NOTE(review): "env_keep =" replaces sudo's built-in list (unlike "+=");
	# LANG/LC_* and the like are therefore no longer kept — verify intended.
	sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/env_keep <<-EOF
	Defaults env_keep = " \\
	 EDITOR \\
	 GIT_AUTHOR_NAME \\
	 GIT_AUTHOR_EMAIL \\
	 GIT_COMMITTER_NAME \\
	 GIT_COMMITTER_EMAIL \\
	"
	EOF
	# User-side wrapper invoking the sudoers command above verbatim.
	sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF
	#!/bin/sh -efu
	# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
	sudo /bin/sh -e -f -u -c \
	 'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
	EOF
	sudo install -m 644 -o root -g root \
	 "$tool"/etc/bash.bashrc \
	 /etc/bash.bashrc
	sudo install -m 644 -o root -g root \
	 "$tool"/etc/screenrc \
	 /etc/screenrc
}
rule_user_root_configure () {
	# Lay out root's home like a user's (etc/ssh and etc/gpg behind the
	# .ssh/.gnupg symlinks), authorise every sudo-group member's SSH key for
	# root (sshd reads %h/etc/ssh/authorized_keys, see rule_ssh_configure)
	# and import the repository's OpenPGP keys into root's keyring.
	sudo install -d -m 750 -o root -g adm \
	 /root/etc \
	 /root/etc/ssh \
	 /root/etc/gpg
	sudo ln -fns etc/gpg /root/.gnupg
	sudo ln -fns etc/ssh /root/.ssh
	# Members come from the 4th field of "getent group sudo" (comma
	# separated); each home is obtained by tilde expansion of the name
	# (eval), and the concatenated authorized_keys feed root's file.
	getent group sudo |
	while IFS=: read -r group x x users
	do while test -n "$users" && IFS=, read -r user users <<-EOF
		$users
		EOF
		do eval local home\; home="~$user"
		cat "$home"/etc/ssh/authorized_keys
		done
	done |
	sudo install -m 640 -o root -g root /dev/stdin /root/etc/ssh/authorized_keys
	# Globbing re-enabled locally for the *.key loop.
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo gpg --import "$key"
	done
}
rule_configure () {
	# Full configuration of the hosted VM. The order matters: apt first so
	# packages can be installed, the services next, boot loader and user
	# defaults last.
	local step
	for step in apt git etckeeper locale time network filesystem login \
	            ssh mail apache2 user_root boot user
	do rule "${step}_configure"
	done
}
880
rule_luks_key_change () {
	# Interactively replace a passphrase of the root LUKS volume. var, home
	# and swap derive their key from this volume (decrypt_derived in
	# rule_filesystem_configure), so it is the only passphrase to rotate.
	local root_lv="/dev/$vm_lvm_vg/${vm_lvm_lv}_root"
	sudo cryptsetup luksChangeKey "$root_lv"
}
884
# Dispatch: first argument is the rule name (default: help), the rest are
# its arguments. "${1+shift}" expands to the command "shift" only when a
# rule name was given.
rule=${1:-help}
${1+shift}
# Every rule except help rewrites this machine's /etc, so it refuses to
# run anywhere but on the hosted VM itself: the FQDN must match $vm_fqdn
# from etc/vm.sh.
case $rule in
(help);;
(*)
	assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
	;;
esac
rule $rule "$@"