dépôts / lhc / ateliers.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Modification : vm_hosted : rule_git_configure : synchronise au push remotes/master...
[lhc/ateliers.git] / vm_hosted
1 #!/bin/sh
2 set -e -f ${DRY_RUN:+-n} -u
3 tool=$0
4 while test -L "$tool"
5 do tool=$(readlink "$tool")
6 done
7 tool=${tool%/*}
8 . "$tool"/lib/rule.sh
9 . "$tool"/etc/vm.sh
10
11 rule_help () { # SYNTAX: [--hidden]
12 local hidden; [ ${1:+set} ] || hidden=set
13 cat >&2 <<-EOF
14 DESCRIPTION:
15 ce script regroupe des règles pour administrer la VM ($vm_fqdn)
16 _depuis_ la VM hébergée ($vm_fqdn) ;
17 il sert à la fois d'outil (aisément bidouillable)
18 et de documentation (préçise).
19 Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
20 SYNTAX: $0 \$RULE \${RULE}_SYNTAX
21 RULES:
22 $(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
23 ENVIRONMENT:
24 TRACE # affiche les commandes avant leur exécution
25 $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
26 EOF
27 }
28
29 rule_git_configure () {
30 (
31 cd "$tool"
32 git config --replace branch.master.remote .
33 git config --replace branch.master.merge refs/remotes/master
34 local tool
35 tool=$(cd "$tool"; cd -)
36 sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/
37 sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/vm
38 sudo install -m 770 /dev/stdin .git/hooks/post-update <<-EOF
39 #!/bin/sh -efux
40 case \$1 in
41 (refs/remotes/master)
42 cd ..
43 git --git-dir=\$PWD/.git checkout -f -B master remotes/master
44 git --git-dir=\$PWD/.git clean -f -d -
45 ;;
46 esac
47 EOF
48 )
49 }
50 rule_git_reset () {
51 (
52 cd "$tool"
53 git checkout -f -B master remotes/master
54 git clean -f -d -x
55 )
56 }
57
58 rule_apt_get_install () { # SYNTAX: $package
59 sudo DEBIAN_FRONTEND=noninteractive apt-get install "$@"
60 }
61 rule_dpkg_reconfigure () { # SYNTAX: $package
62 sudo DEBIAN_FRONTEND=noninteractive dpkg-reconfigure "$@"
63 }
64
65 rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
66 export LANG=C
67 export LC_CTYPE=C
68 . /etc/profile
69 }
70
71 rule_apache2_configure () {
72 local -; set +f
73 rule apt_get_install \
74 apache2-mpm-itk \
75 libapache2-mod-php5
76 # VOIR: http://serverfault.com/questions/383526/how-do-i-select-which-apache-mpm-to-use/383634#383634
77 # VOIR: http://jkroon.blogs.uls.co.za/it/security/using-php-fpm-and-mod_proxy_fcgi-to-optimize-and-secure-lamp-servers
78 # NOTE: apache2-mpm-itk semble le plus sécurisé,
79 # car on est certain que tout est exécuté avec les uid/gid
80 # assignés au VirtualHost/Directory/Location
81 # néamoins il se peut qu'une combinaison du genre :
82 # apache2-mpm-{worker,event} + mod_proxy_fcgi + apache2-suexec-custom + php-fpm
83 # soit plus performante (threads et pas forks),
84 # cependant l'usage de suexec impose des forks il semble..
85 # et mod_proxy_fcgi n'apparaît que dans apache 2.4 ;
86 # donc pour l'instant : apache2-mpm-itk
87 rule www_configure
88 cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF |
89 ServerName "$vm_fqdn"
90 EOF
91 sudo install -m 660 -o root -g root /dev/stdin \
92 /etc/apache2/apache2.conf
93 sudo install -m 660 -o root -g root \
94 "$tool"/etc/apache2/envvars \
95 /etc/apache2/envvars
96 sudo install -m 660 -o root -g root \
97 "$tool"/etc/apache2/httpd.conf \
98 /etc/apache2/httpd.conf
99 #sudo install -m 660 -o root -g root /dev/stdin \
100 # /etc/apache2/suexec/www-data <<-EOF
101 # /home
102 # pub/www/cgi
103 # EOF
104 sudo install -m 660 -o root -g root \
105 "$tool"/etc/apache2/ports.conf \
106 /etc/apache2/ports.conf
107 sudo a2enmod actions
108 sudo a2enmod headers
109 sudo a2enmod rewrite
110 sudo a2enmod ssl
111 sudo a2enmod userdir
112 local conf
113 sudo a2dissite "*"
114 sudo ln -fns \
115 /etc/apache2 \
116 /home/www/etc/apache2
117 for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf
118 do conf=${conf#"$tool"/etc/apache2/site.d/}
119 local port site
120 IFS=. read -r port domain <<-EOF
121 ${conf%\/VirtualHost\.conf}
122 EOF
123 assert 'test "${port:+set}"'
124 assert 'test "${domain:+set}"'
125 local site="$port.$domain"
126 case $port in
127 (443)
128 local hint="run vm_remote apache2_key_send before"
129 assert "sudo test -f /etc/apache2/site.d/\"$site\"/x509/key.pem" hint
130 sudo install -d -m 770 -o www."$site" -g www."$site" \
131 /etc/apache2 \
132 /etc/apache2/site.d/"$site" \
133 /etc/apache2/site.d/"$site"/x509 \
134 /etc/apache2/site.d/"$site"/x509/ca \
135 /etc/apache2/site.d/"$site"/x509/empty \
136 /etc/apache2/site.d/"$site"/x509/rvk \
137 /etc/apache2/site.d/"$site"/x509/usr
138 sudo install -m 664 -o www -g www \
139 "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
140 /etc/apache2/site.d/"$site"/x509/crt.self-signed.pem
141 #sudo install -m 664 -o www."$site" -g www."$site" \
142 # "$tool"/var/pub/x509/"$site"/rvk.pem \
143 # /etc/apache2/site.d/"$site"/x509/rvk.pem
144 sudo install -m 664 -o www -g www \
145 "$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \
146 /etc/apache2/site.d/"$site"/x509/ca/crt.pem
147 sudo install -m 664 -o www -g www \
148 "$tool"/var/pub/x509/"$site"/crt.pem \
149 /etc/apache2/site.d/"$site"/x509/crt.pem
150 ;;
151 esac
152 case $port in
153 (80)
154 cat <<-EOF
155 <VirtualHost *:$port>
156 AssignUserID www.$site www.$site
157 CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined
158 #CustomLog "/dev/null" Combined
159 DocumentRoot /home/www/pub/$site
160 ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60"
161 #ErrorLog "/dev/null"
162 ServerName $domain
163 LogLevel Warn
164 $(cat "$tool"/etc/apache2/site.d/"$site"/VirtualHost.conf)
165 </VirtualHost>
166 EOF
167 ;;
168 (443)
169 cat <<-EOF
170 <IfModule mod_ssl.c>
171 <VirtualHost *:$port>
172 AssignUserID www.$site www.$site
173 BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0
174 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
175 CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined
176 #CustomLog "/dev/null" Combined
177 DocumentRoot /home/www/pub/$site
178 ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60"
179 #ErrorLog "/dev/null"
180 LogLevel Warn
181 ServerName $domain
182 SSLCACertificateFile /etc/apache2/site.d/$site/x509/crt.self-signed.pem
183 SSLCACertificatePath /etc/apache2/site.d/$site/x509/usr/
184 #SSLCARevocationFile /etc/apache2/site.d/$site/x509/rvk.pem
185 SSLCADNRequestFile /etc/apache2/site.d/$site/x509/crt.self-signed.pem
186 SSLCADNRequestPath /etc/apache2/site.d/$site/x509/empty/
187 # NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés
188 SSLCARevocationPath /etc/apache2/site.d/$site/x509/rvk/
189 SSLCertificateChainFile /etc/apache2/site.d/$site/x509/ca/crt.pem
190 SSLCertificateFile /etc/apache2/site.d/$site/x509/crt.pem
191 SSLCertificateKeyFile /etc/apache2/site.d/$site/x509/key.pem
192 SSLCipherSuite AES+RSA+SHA256
193 SSLEngine On
194 SSLInsecureRenegotiation Off
195 SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars
196 SSLProtocol -All +TLSv1
197 #SSLRenegBufferSize 262144
198 SSLSessionCacheTimeout 1200
199 SSLStrictSNIVHostCheck On
200 SSLUserName SSL_CLIENT_S_DN_CN
201 SSLVerifyClient None
202 SSLVerifyDepth 1
203 $(cat "$tool"/etc/apache2/site.d/"$site"/VirtualHost.conf)
204 </VirtualHost>
205 </IfModule>
206 EOF
207 ;;
208 esac |
209 sudo install -m 660 -o root -g root /dev/stdin \
210 /etc/apache2/site.d/"$site"/VirtualHost.conf
211 sudo ln -fns \
212 ../site.d/"$site"/VirtualHost.conf \
213 /etc/apache2/sites-available/"$site"
214 sudo install -d -m 770 -o www."$site" -g www."$site" \
215 /home/www/log/"$site" \
216 /home/www/log/"$site"/apache2
217 sudo ln -fns \
218 /etc/apache2/site.d/"$site" \
219 /home/www/etc/apache2/"$site"
220 test -e /home/www/pub/"$site" ||
221 sudo install -d -m 2770 -o www."$site" -g www."$site" \
222 /home/www/pub/"$site"
223 getent passwd www."$site" >/dev/null ||
224 sudo adduser \
225 --disabled-password \
226 --group \
227 --no-create-home \
228 --home /home/www/pub/"$site" \
229 --shell /bin/false \
230 --system \
231 www."$site"
232 #sudo setfacl -m u:"www.$site":--x \
233 # /home/www/ \
234 # /home/www/pub/ \
235 # /home/www/pub/"$site"/
236 #sudo setfacl -m d:u:"www.$site":rwx \
237 # "$home"/pub/www/"$site"/
238 test ! -r "$tool"/etc/apache2/site.d/"$site"/configure.sh ||
239 . "$tool"/etc/apache2/site.d/"$site"/configure.sh
240 test -e /etc/apache2/sites-enabled/"$site" ||
241 sudo a2ensite "$site"
242 done
243 sudo service apache2 restart
244 }
245 rule_apt_configure () {
246 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
247 deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
248 EOF
249 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF
250 #deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
251 EOF
252 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
253 Package: *
254 Pin: release a=$vm_lsb_name
255 Pin-Priority: 170
256
257 Package: *
258 Pin: release a=$vm_lsb_name-backports
259 Pin-Priority: 200
260 EOF
261 sudo apt-get update
262 rule apt_get_install apticron
263 sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF
264 EMAIL="admin@$vm_domainname"
265 # DIFF_ONLY="1"
266 # LISTCHANGES_PROFILE="apticron"
267 # ALL_FQDNS="1"
268 # SYSTEM="foobar.example.com"
269 # IPADDRESSNUM="1"
270 # IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
271 # NOTIFY_HOLDS="0"
272 # NOTIFY_NEW="0"
273 # NOTIFY_NO_UPDATES="0"
274 # CUSTOM_SUBJECT=""
275 # CUSTOM_NO_UPDATES_SUBJECT=""
276 # CUSTOM_FROM="root@$vm_fqdn"
277 EOF
278 }
279 rule_boot_configure () {
280 #warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
281 sudo debconf-set-selections <<-EOF
282 grub-pc grub-pc/install_devices multiselect
283 EOF
284 rule apt_get_install grub-pc
285 sudo install -d -m 644 -o root -g root /boot/grub
286 rule apt_get_install linux-image-$vm_arch
287 sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF
288 GRUB_DEFAULT=0
289 GRUB_TIMEOUT=5
290 GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
291 GRUB_CMDLINE_LINUX_DEFAULT="quiet"
292 GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
293 GRUB_DISABLE_RECOVERY="true"
294 #GRUB_PRELOAD_MODULES="lvm"
295 EOF
296 sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF
297 (hd0) /dev/xvda
298 (hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
299 EOF
300 sudo update-grub2 # NOTE: prend en compte /boot/grub/device.map
301 rule initramfs_configure
302 rule apt_get_install molly-guard
303 sudo install -m 644 -o root -g root /dev/stdin /etc/molly-guard/rc <<-EOF
304 ALWAYS_QUERY_HOSTNAME=true
305 # NOTE: une alternative est de dire à sudo de conserver les SSH_*
306 # néamoins demander tout le temps n'est pas trop contraignant
307 # et davantage sécurisant.
308 EOF
309 }
310 rule_dovecot_configure () {
311 rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
312 local hint="run vm_remote dovecot_key_send before"
313 assert "sudo test -f /etc/dovecot/\"$vm_domainname\"/imap/x509/key.pem" hint
314 sudo install -m 400 -o root -g root \
315 "$tool"/var/pub/x509/$vm_domainname/imap/crt+crl.self-signed.pem \
316 /etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
317 sudo install -d -m 770 -o root -g root \
318 /etc/skel/etc/mail \
319 /etc/skel/etc/sieve
320 sudo install -d -m 1777 -o root -g root \
321 /var/lib/dovecot-control \
322 /var/lib/dovecot-index
323 sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
324 auth_ssl_username_from_cert = yes
325 listen = *
326 log_timestamp = "%Y-%m-%d %H:%M:%S "
327 mail_debug = yes
328 mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
329 # NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
330 # VOIR: http://wiki2.dovecot.org/Quota/FS
331 mail_plugins = \$mail_plugins quota
332 mail_privileged_group = mail
333 passdb {
334 args = /home/%u/etc/dovecot/passwd
335 driver = passwd-file
336 }
337 plugin {
338 quota = fs:user
339 recipient_delimiter = +
340 sieve = ~/etc/mail/filter.sieve
341 sieve_dir = ~/etc/mail/sieve
342 sieve_global_dir = /var/lib/dovecot/sieve/global/
343 sieve_max_script_size = 1M
344 sieve_quota_max_scripts = 0
345 sieve_quota_max_storage = 10M
346 sieve_user_log = ~/var/log/mail/sieve.log
347 }
348 protocol imap {
349 mail_plugins = \$mail_plugins imap_quota
350 }
351 protocol lda {
352 auth_socket_path = /var/run/dovecot/auth-master
353 hostname = $vm_domainname
354 info_log_path =
355 log_path =
356 mail_plugins = \$mail_plugins sieve
357 postmaster_address = contact+dovecot+lda@$vm_domainname
358 syslog_facility = mail
359 }
360 protocols = imap sieve
361 service auth {
362 user = root
363 unix_listener /var/spool/postfix/private/auth {
364 mode = 0660
365 user = postfix
366 group = postfix
367 }
368 }
369 ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
370 ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
371 ssl_cipher_list = AES256-SHA
372 ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
373 ssl_verify_client_cert = yes
374 userdb {
375 driver = passwd
376 }
377 verbose_ssl = no
378 EOF
379 sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
380 #!/bin/sh -efux
381 # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
382 install -d -m 770 ~/etc/dovecot
383 install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
384 \$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
385 _EOF
386 EOF
387 sudo install -m 664 -o root -g root /dev/stdin /etc/postgrey/whitelist_recipients.local <<-EOF
388 EOF
389 sudo service dovecot restart
390 }
391 rule_etckeeper_configure () {
392 sudo install -m 644 -o root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
393 VCS=git
394 GIT_COMMIT_OPTIONS=""
395 AVOID_DAILY_AUTOCOMMITS=1
396 #AVOID_SPECIAL_FILE_WARNING=1
397 AVOID_COMMIT_BEFORE_INSTALL=1
398 HIGHLEVEL_PACKAGE_MANAGER=apt
399 LOWLEVEL_PACKAGE_MANAGER=dpkg
400 EOF
401 sudo install -m 644 -o root -g root \
402 "$tool"/etc/etckeeper/prompt.sh \
403 /etc/etckeeper/prompt.sh
404 rule apt_get_install etckeeper
405 }
406 rule_filesystem_configure () {
407 sudo install -m 644 -o root -g root /dev/stdin /etc/fstab <<-EOF
408 # <file system> <mount point> <type> <options> <dump> <pass>
409 LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
410 proc /proc proc defaults 0 0
411 sysfs /sys sysfs defaults 0 0
412 /dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
413 /dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
414 /dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
415 # NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
416 /dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
417 EOF
418 sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF
419 # <target name> <source device> <key file> <options>
420 ${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
421 ${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
422 ${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
423 ${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
424 EOF
425 rule tmpfs_configure
426 }
427 rule_initramfs_configure () {
428 sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
429 MODULES=most
430 BUSYBOX=y
431 KEYMAP=y
432 COMPRESS=gzip
433 DEVICE=eth0
434 EOF
435 sudo install -m 644 -o root -g root /dev/stdin /etc/modprobe.d/xen-pv.conf <<-EOF
436 alias eth0 xennet
437 alias scsi_hostadapter xenblk
438 EOF
439 sudo install -m 644 -o root -g root /dev/stdin /etc/modules <<-EOF
440 sha1_generic
441 sha256_generic
442 sha512_generic
443 aes-x86_64
444 xts
445 # NOTE: pour Xen en mode HVM :
446 #modprobe xen-platform-pci
447 EOF
448 sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF
449 EOF
450 sudo sed -e '/^configure_networking /s/ &$//' \
451 -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
452 # NOTE: corrige une vermine : dropbear doit attendre que le réseau soit configuré..
453 ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
454 ( while IFS= read -r line
455 do case $line in (*" RSA") return 0; break;; esac
456 done; return 1 ) ||
457 {
458 sudo rm -f \
459 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
460 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
461 sudo dropbearkey -t rsa -s 4096 -f \
462 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
463 }
464 # NOTE: ne se préoccupe pas de dropbear_dss_host_key ; Debian la génère et l'utilise néamoins.
465 sudo install -d -m 640 -o root -g root \
466 /etc/initramfs-tools/root \
467 /etc/initramfs-tools/root/.ssh
468 getent group sudo |
469 while IFS=: read -r group x x users
470 do while test -n "$users" && IFS=, read -r user users <<-EOF
471 $users
472 EOF
473 do eval local home\; home="~$user"
474 cat "$home"/etc/ssh/authorized_keys
475 done
476 done |
477 sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys
478 sudo rm -f \
479 /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
480 /etc/initramfs-tools/root/.ssh/id_rsa.pub \
481 /etc/initramfs-tools/root/.ssh/id_rsa
482 # NOTE: clefs générées par Debian
483 sudo update-initramfs -u
484 }
485 rule_gitolite_configure () {
486 local user=git
487 sudo debconf-set-selections <<-EOF
488 gitolite gitolite/gituser string $user
489 gitolite gitolite/adminkey string
490 gitolite gitolite/gitdir string /home/$user
491 EOF
492 rule apt_get_install gitolite
493 getent passwd "$user" >/dev/null ||
494 sudo adduser \
495 --disabled-password \
496 --group \
497 --shell /bin/bash \
498 --system \
499 "$user"
500 sudo chfn --full-name "$user" "$user"
501 eval local home\; home="~$user"
502 sudo install -d -m 770 -o "$user" -g "$user" \
503 /etc/gitolite \
504 "$home"/etc \
505 "$home"/etc/ssh \
506 "$home"/pub \
507 "$home"/log \
508 "$home"/log/gitolite \
509 "$home"/log/gitolite/perf
510 sudo ln -fns /etc/gitolite "$home"/etc/gitolite
511 sudo ln -fns etc/gitolite/gitolite.rc "$home"/.gitolite.rc
512 sudo ln -fns etc/ssh "$home"/.ssh
513 sudo install -m 770 -o "$user" -g "$user" /dev/stdin \
514 "$home"/etc/gitolite/gitolite.rc <<-EOF
515 #\$ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary";
516 #\$BIG_INFO_CAP = 20;
517 #\$ENV{GL_SLAVES} = 'gitolite@server2 gitolite@server3';
518 # NOTE: Please use single quotes, not double quotes.
519 #\$GITWEB_URI_ESCAPE = 0;
520 \$GIT_PATH = "";
521 #\$GL_ADC_PATH = "";
522 \$GL_ADMINDIR = \$ENV{HOME} . "/etc/gitolite";
523 #\$GL_ALL_INCLUDES_SPECIAL = 0;
524 #\$GL_ALL_READ_ALL = 0;
525 \$GL_BIG_CONFIG = 0;
526 \$GL_CONF = "\$GL_ADMINDIR/conf/gitolite.conf";
527 \$GL_CONF_COMPILED = "\$GL_ADMINDIR/conf/gitolite.conf.pm";
528 #\$GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups"
529 \$GL_GITCONFIG_KEYS = "hooks\\..* repo\\..*";
530 #\$GL_HOSTNAME = "git.$vm_domainname";
531 # NOTE: read doc/mirroring.mkd COMPLETELY before setting this.
532 #\$GL_HTTP_ANON_USER = "mob";
533 \$GL_KEYDIR = "\$GL_ADMINDIR/keydir";
534 \$GL_LOGT = \$ENV{HOME} . "/log/gitolite/%y-%m-%d.log";
535 #\$GL_NICE_VALUE = 0;
536 \$GL_NO_CREATE_REPOS = 0;
537 \$GL_NO_DAEMON_NO_GITWEB = 0;
538 \$GL_NO_SETUP_AUTHKEYS = 0;
539 \$GL_PACKAGE_CONF = "/usr/share/gitolite/conf";
540 \$GL_PACKAGE_HOOKS = "/usr/share/gitolite/hooks";
541 #\$GL_PERFLOGT = \$ENV{HOME} . "/log/gitolite/perf/%y-%m-%d.log";
542 #\$GL_REF_OR_FILENAME_PATT = qr(^[0-9a-zA-Z][0-9a-zA-Z._\\@/+ :,-]*\$);
543 \$GL_SITE_INFO = "git.$vm_domainname";
544 #\$GL_SLAVE_MODE = 0;
545 \$GL_WILDREPOS = 0;
546 #\$GL_WILDREPOS_DEFPERMS = 'R @all';
547 \$GL_WILDREPOS_PERM_CATS = "READERS WRITERS";
548 \$HTPASSWD_FILE = "";
549 \$PROJECTS_LIST = \$ENV{HOME} . "/projects.list";
550 \$REPO_BASE = "pub";
551 \$REPO_UMASK = 0007;
552 \$RSYNC_BASE = "";
553 \$SVNSERVE = "";
554 #\$UPDATE_CHAINS_TO = "hooks/update.secondary";
555 #\$WEB_INTERFACE = "gitweb";
556 1;
557 EOF
558 sudo install -m 770 -o "$user" -g "$user" /dev/stdin \
559 "$home"/etc/gitweb/gitweb.conf <<-EOF
560 \$commit_oneline_message_width = 70;
561 \$default_projects_order = 'age';
562 \$default_text_plain_charset = 'UTF-8';
563 @diff_opts = ();
564 \$favicon = "img/git-favicon.png";
565 \$git_temp = "/run/shm/gitweb";
566 \$home_footer = "/etc/gitweb/cgi/home-footer.cgi.inc";
567 \$home_header = "/etc/gitweb/cgi/home-header.cgi.inc";
568 \$home_link = "/";
569 \$home_link_str = 'd&eacute;p&ocirc;ts';
570 \$home_th_age = 'activit&eacute;';
571 \$home_th_descr = 'description';
572 \$home_th_owner = 'contact';
573 \$home_th_project = 'd&eacute;p&ocirc;t';
574 \$javascript = "js/gitweb.js";
575 \$logo = "img/git-logo.png";
576 \$my_uri = "";
577 \$projectroot = "../git";
578 \$projects_list = "/etc/gitolite/projects.list";
579 \$projects_list_description_width = 42;
580 \$projects_list_owner_width = 15;
581 \$search_str = "Filtre&nbsp;:";
582 \$site_footer = "/home/fai/pub/www/git.autogeree.net/cgi/site-footer.bin";
583 \$site_header = undef;
584 \$site_name = "git.$vm_domainname";
585 \$space_to_nbsp = 0;
586 @stylesheets = ("css/gitweb.css");#
587 \$untabify_tabstop = 2;
588 EOF
589 sudo install -m 600 -o "$user" -g "$user" \
590 "$tool"/var/pub/ssh/"$user".key \
591 "$home"/etc/ssh/"$user".pub
592 sudo -u "$user" \
593 GL_RC="$home"/etc/gitolite/gitolite.rc \
594 GIT_AUTHOR_NAME="$user" \
595 gl-setup -q "$home"/etc/ssh/"$user".pub "$user"
596 local d
597 for d in doc logs src
598 do test ! -d "$home"/etc/gitolite/"$d" ||
599 rmdir "$home"/etc/gitolite/"$d"
600 done
601 rule apt_get_install gitweb highlight
602 #sudo sv restart spawn-fcgi.git.80.git.heureux-cyclage.org
603 #sudo sv restart git-daemon.git.9418
604 }
605 rule_locales_configure () {
606 sudo debconf-set-selections <<-EOF
607 locales locales/default_environment_locale select None
608 locales locales/locales_to_be_generated multiselect fr_FR.UTF-8 UTF-8
609 EOF
610 rule dpkg_reconfigure locales
611 }
612 rule_login_configure () {
613 sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF
614 # /etc/inittab: init(8) configuration.
615
616 # The default runlevel.
617 id:2:initdefault:
618
619 # Boot-time system configuration/initialization script.
620 # This is run first except when booting in emergency (-b) mode.
621 si::sysinit:/etc/init.d/rcS
622
623 # What to do in single-user mode.
624 ~~:S:wait:/sbin/sulogin
625
626 # /etc/init.d executes the S and K scripts upon change
627 # of runlevel.
628 #
629 # Runlevel 0 is halt.
630 # Runlevel 1 is single-user.
631 # Runlevels 2-5 are multi-user.
632 # Runlevel 6 is reboot.
633
634 l0:0:wait:/etc/init.d/rc 0
635 l1:1:wait:/etc/init.d/rc 1
636 l2:2:wait:/etc/init.d/rc 2
637 l3:3:wait:/etc/init.d/rc 3
638 l4:4:wait:/etc/init.d/rc 4
639 l5:5:wait:/etc/init.d/rc 5
640 l6:6:wait:/etc/init.d/rc 6
641 # Normally not reached, but fallthrough in case of emergency.
642 z6:6:respawn:/sbin/sulogin
643
644 # What to do when CTRL-ALT-DEL is pressed.
645 ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
646
647 # What to do when the power fails/returns.
648 pf::powerwait:/etc/init.d/powerfail start
649 pn::powerfailnow:/etc/init.d/powerfail now
650 po::powerokwait:/etc/init.d/powerfail stop
651
652 # Xen hypervisor console
653 hvc:2345:respawn:/sbin/getty 38400 hvc0
654 #xvc:2345:respawn:/sbin/getty 38400 xvc0
655
656 #-- runit begin
657 SV:123456:respawn:/usr/sbin/runsvdir-start
658 #-- runit end
659 EOF
660 sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF
661 MAIL_DIR /var/mail
662 FAILLOG_ENAB yes
663 LOG_UNKFAIL_ENAB no
664 LOG_OK_LOGINS no
665 SYSLOG_SU_ENAB yes
666 SYSLOG_SG_ENAB yes
667 FTMP_FILE /var/log/btmp
668 SU_NAME su
669 HUSHLOGIN_FILE .hushlogin
670 ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
671 ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
672 # NOTE: met les sbin/ dans ENV_PATH ;
673 # - ça n'apporte aucune protection de ne pas les mettre ;
674 # - ça frustre de ne pas les trouver.
675 TTYGROUP tty
676 TTYPERM 0600
677 ERASECHAR 0177
678 KILLCHAR 025
679 UMASK 007
680 # NOTE: rwxrwx--- ;
681 # - donne une même confiance au groupe propriétaire qu'au propriétaire ;
682 # - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
683 PASS_MAX_DAYS 99999
684 PASS_MIN_DAYS 0
685 PASS_WARN_AGE 7
686 UID_MIN 1000
687 UID_MAX 60000
688 GID_MIN 1000
689 GID_MAX 60000
690 LOGIN_RETRIES 3
691 LOGIN_TIMEOUT 60
692 CHFN_RESTRICT rwh
693 DEFAULT_HOME yes
694 USERGROUPS_ENAB yes
695 ENCRYPT_METHOD SHA512
696 EOF
697 grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
698 sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF
699 $(cat /etc/pam.d/common-session)
700 session optional pam_umask.so
701 EOF
702 grep -q '^hvc0$' /etc/securetty ||
703 sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
704 $(cat /etc/securetty)
705 hvc0
706 EOF
707 grep -q '^xvc0$' /etc/securetty ||
708 sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
709 $(cat /etc/securetty)
710 xvc0
711 EOF
712 }
713 rule_mail_configure () {
714 rule postfix_configure
715 rule postgrey_configure
716 rule procmail_configure
717 rule dovecot_configure
718 }
719 rule_mysql_configure () {
720 rule apt_get_install mysql-server-5.5
721 sudo install -m 644 -o root -g root \
722 "$tool"/etc/mysql/my.cnf \
723 /etc/mysql/my.cnf
724 if test ! -d /home/mysql; then
725 sudo install -d -m 750 -o mysql -g mysql \
726 /home/mysql
727 sudo -u mysql mysql_install_db --no-defaults --datadir=/home/mysql/
728 fi
729 sudo service mysql restart
730 }
731 rule_network_configure () {
732 sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
733 $vm
734 EOF
735 grep -q " $vm\$" /etc/hosts ||
736 sudo install -m 644 -o root -g root /dev/stdin /etc/hosts <<-EOF
737 $(cat /etc/hosts)
738 127.0.0.1 $vm_fqdn $vm
739 EOF
740 sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF
741 auto lo
742 iface lo inet loopback
743
744 auto eth0=grenode
745 iface grenode inet static
746 address $vm_ipv4
747 gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
748 network $vm_ipv4
749 broadcast $vm_ipv4
750 netmask 255.255.255.255
751 mtu 1300
752 # NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
753 # car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
754 #
755 # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
756 # PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
757 # 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
758 #
759 # --- soupirail.grenode.net ping statistics ---
760 # 1 packets transmitted, 1 received, 0% packet loss, time 0ms
761 # rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
762 # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
763 # PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
764 # From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
765 #
766 # --- soupirail.grenode.net ping statistics ---
767 # 0 packets transmitted, 0 received, +1 errors
768 post-up ip address add $vm_ipv4/32 dev \$IFACE
769 pre-down ip address delete $vm_ipv4/32 dev \$IFACE
770 EOF
771 }
772 rule_www_configure () {
773 getent passwd www >/dev/null ||
774 sudo adduser \
775 --disabled-login \
776 --disabled-password \
777 --group \
778 --home /home/www \
779 --shell /bin/false \
780 --system \
781 www
782 sudo adduser \
783 --disabled-login \
784 --disabled-password \
785 --group \
786 --home ~www/log \
787 --shell /bin/false \
788 --system \
789 log.www
790 #sudo adduser www www-data
791 sudo adduser www log.www
792 #sudo adduser log log.www
793 usermod --home /home/www/pub www-data
794 sudo install -d -m 751 -o www -g www \
795 /home/www
796 sudo install -d -m 750 -o www -g www \
797 /home/www/etc
798 sudo install -d -m 1771 -o www-data -g www-data \
799 /home/www/pub
800 sudo install -d -m 1771 -o log.www -g log.www \
801 /home/www/log
802 }
803 rule_nginx_configure () {
804 local -; set +f
805 rule apt_get_install nginx
806 rule www_configure
807 sudo rm -rf \
808 /etc/nginx/conf.d \
809 /etc/nginx/site.d
810 sudo install -d -m 770 -o www -g www \
811 /etc/nginx \
812 /etc/nginx/conf.d \
813 /etc/nginx/site.d
814 sudo ln -fns \
815 /etc/nginx \
816 /home/www/etc/nginx
817 sudo install -m 660 -o www -g www \
818 "$tool"/etc/nginx/nginx.conf \
819 /etc/nginx/nginx.conf
820 local conf
821 for conf in "$tool"/etc/nginx/conf.d/*.conf
822 do conf=${conf#"$tool"/etc/nginx/conf.d/}
823 sudo install -m 660 -o www -g www \
824 "$tool"/etc/nginx/conf.d/"$conf" \
825 /etc/nginx/conf.d/"$conf"
826 done
827 for conf in "$tool"/etc/nginx/site.d/*/server.conf
828 do conf=${conf#"$tool"/etc/nginx/site.d/}
829 local port domain
830 IFS=. read -r port domain <<-EOF
831 ${conf%\/server\.conf}
832 EOF
833 assert 'test "${port:+set}"'
834 assert 'test "${domain:+set}"'
835 local site="$port.$domain"
836 getent passwd www."$site" >/dev/null ||
837 sudo adduser \
838 --disabled-login \
839 --disabled-password \
840 --group \
841 --home ~www-data/"$site" \
842 --shell /bin/false \
843 --system \
844 www."$site"
845 getent passwd log."$site" >/dev/null ||
846 sudo adduser \
847 --disabled-login \
848 --disabled-password \
849 --group \
850 --shell /bin/false \
851 --system \
852 log."$site"
853 sudo usermod --home ~www/log/"$site"/nginx log."$site"
854 sudo install -d -m 770 -o www -g www \
855 /etc/nginx/site.d/"$site"
856 case $port in
857 (443)
858 local hint="run vm_remote nginx_key_send before"
859 assert "sudo test -f /etc/nginx/\"$site\"/x509/key.pem" hint
860 sudo install -m 664 -o www -g www \
861 "$tool"/var/pub/x509/"$site"/crt+ca.pem \
862 /etc/nginx/site.d/"$site"/x509/crt.pem
863 ;;
864 esac
865 case $port in
866 (80)
867 cat <<-EOF
868 server {
869 listen $port;
870 access_log /home/www/log/$site/nginx/access.log main;
871 error_log /home/www/log/$site/nginx/error.log warn;
872 root /home/www/pub/$site;
873 server_name $domain;
874 $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
875 }
876 EOF
877 ;;
878 (443)
879 cat <<-EOF
880 server {
881 listen $port;
882 access_log /home/www/log/$site/nginx/access.log main;
883 error_log /home/www/log/$site/nginx/error.log warn;
884 keepalive_timeout 70;
885 root /home/www/pub/$site;
886 server_name $domain;
887 # DOC: http://wiki.nginx.org/HttpSslModule
888 ssl on;
889 ssl_certificate /home/www/etc/nginx/site.d/$site/x509/crt.pem;
890 ssl_certificate_key /home/www/etc/nginx/site.d/$site/x509/key.pem;
891 ssl_ciphers HIGH:!ADH:!MD5;
892 ssl_prefer_server_ciphers on;
893 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
894 ssl_session_cache shared:SSL:10m;
895 $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
896 }
897 EOF
898 ;;
899 esac |
900 sudo install -m 660 -o www -g www /dev/stdin \
901 /etc/nginx/site.d/"$site"/server.conf
902 adduser www-data www."$site"
903 test -e /home/www/pub/"$site" ||
904 sudo install -d -m 3770 -o www."$site" -g www."$site" \
905 /home/www/pub/"$site"
906 sudo install -d -m 3770 -o log."$site" -g log."$site" \
907 /home/www/log/"$site"/nginx
908 test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
909 . "$tool"/etc/nginx/site.d/"$site"/configure.sh
910 done
911 rule apt_get_install spawn-fcgi fcgiwrap
912 sudo insserv --remove fcgiwrap
913 rule tmpfs_configure
914 sudo service nginx restart
915 }
916 rule_php5_fpm_configure () {
917 local -; set +f
918 rule apt_get_install \
919 php5-fpm \
920 php-apc
921 getent passwd php5 >/dev/null ||
922 sudo adduser \
923 --disabled-login \
924 --disabled-password \
925 --group \
926 --shell /bin/false \
927 --system \
928 php5
929 local conf
930 sudo ln -fns \
931 /etc/php5-fpm \
932 /home/www/etc/php5
933 sudo rm -f /etc/php5/fpm/pool.d/*
934 for conf in "$tool"/etc/php5/fpm/pool.d/*.conf
935 do conf=${conf#"$tool"/etc/php5/fpm/pool.d/}
936 local port domain
937 IFS=. read -r port domain <<-EOF
938 ${conf%\.conf}
939 EOF
940 assert 'test "${port:+set}"'
941 assert 'test "${domain:+set}"'
942 local site="$port.$domain"
943 getent passwd php5."$site" >/dev/null ||
944 sudo adduser \
945 --disabled-login \
946 --disabled-password \
947 --group \
948 --no-create-home \
949 --home ~www/pub/"$site" \
950 --shell /bin/false \
951 --system \
952 php5."$site"
953 sudo install -d -m 770 -o php5 -g php5 \
954 /home/www/log/php5 \
955 /home/www/log/php5/fpm
956 sudo install -d -m 770 -o log."$site" -g log."$site" \
957 /home/www/log/"$site"
958 sudo adduser php5."$site" www."$site"
959 sudo install -m 660 -o root -g root /dev/stdin \
960 /etc/php5/fpm/pool.d/"$conf" <<-EOF
961 [php5.$site]
962 access.log = /home/www/log/$site/php5/fpm/access.log
963 catch_workers_output = yes
964 chdir = /
965 env[HOSTNAME] = \$HOSTNAME
966 env[TEMP] = /tmp
967 env[TMPDIR] = /tmp
968 env[TMP] = /tmp
969 group = www-data
970 listen = /run/nginx/fastcgi/php5.$site
971 #listen = 127.0.0.1:9000
972 #listen.allowed_clients = 127.0.0.1
973 listen.backlog = -1
974 pm = dynamic
975 pm.max_children = 5
976 pm.max_requests = 200
977 pm.max_spare_servers = 4
978 pm.min_spare_servers = 2
979 pm.start_servers = 3
980 pm.status_path = /status
981 request_slowlog_timeout = 5s
982 request_terminate_timeout = 120s
983 rlimit_core = unlimited
984 rlimit_files = 131072
985 slowlog = /home/www/log/$site/php5/fpm/slow.log
986 user = $php5_user
987 $(cat "$tool"/etc/php5/fpm/pool.d/"$conf")
988 EOF
989 sudo install -m 664 -o root -g root \
990 "$tool"/etc/php5/fpm/php.ini \
991 /etc/php5/fpm/php.ini
992 done
993 rule tmpfs_configure
994 sudo service php5-fpm restart
995 }
996 rule_postfix_configure () {
997 local hint="run vm_remote postfix_key_send before"
998 assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
999 #warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
1000 sudo debconf-set-selections <<-EOF
1001 postfix postfix/main_mailer_type select No configuration
1002 EOF
1003 rule apt_get_install postfix
1004 sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
1005 *.db
1006 EOF
1007 sudo install -d -m 771 -o root -g root \
1008 /etc/postfix/ \
1009 /etc/postfix/$vm_domainname/ \
1010 /etc/postfix/$vm_domainname/smtp \
1011 /etc/postfix/$vm_domainname/smtp/x509 \
1012 /etc/postfix/$vm_domainname/smtp/x509/ca \
1013 /etc/postfix/$vm_domainname/smtpd \
1014 /etc/postfix/$vm_domainname/smtpd/x509 \
1015 /etc/postfix/$vm_domainname/smtpd/x509/ca
1016 sudo ln -fns \
1017 ../crt+crl.self-signed.pem \
1018 /etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
1019 sudo install -m 400 -o root -g root \
1020 "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \
1021 /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
1022 sudo install -m 400 -o root -g root \
1023 "$tool"/var/pub/x509/smtpd.$vm_domainname/crt.pem \
1024 /etc/postfix/$vm_domainname/smtpd/x509/crt.pem
1025 sudo install -m 400 -o root -g root \
1026 "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+ca.pem \
1027 /etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem
1028 sudo install -m 400 -o root -g root \
1029 "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \
1030 /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
1031 sudo install -m 660 -o root -g root \
1032 "$tool"/etc/postfix/$vm_domainname/header_checks \
1033 /etc/postfix/$vm_domainname/header_checks
1034 sudo install -m 664 -o root -g root /dev/stdin \
1035 /etc/postfix/aliases <<-EOF
1036 # See man 5 aliases for format
1037 abuse: root
1038 admin: root
1039 contact: root
1040 mailer-daemon: root
1041 postmaster: root
1042 root: $(getent group sudo | cut -f 4 -d : | tr , ' ')
1043 EOF
1044 sudo newaliases -oA/etc/postfix/aliases
1045 cat /dev/stdin "$tool"/etc/postfix/main.cf <<-EOF |
1046 mydomain = $vm_domainname
1047 myorigin = \$mydomain
1048 myhostname = $vm_hostname.\$mydomain
1049 mail_name = \$myhostname
1050 mydestination = $vm_hostname \$myhostname \$myorigin
1051 EOF
1052 sudo install -m 664 -o root -g root /dev/stdin \
1053 /etc/postfix/main.cf
1054 sudo install -m 664 -o root -g root \
1055 "$tool"/etc/postfix/master.cf \
1056 /etc/postfix/master.cf
1057 sudo install -m 660 -o root -g root \
1058 "$tool"/etc/postfix/$vm_domainname/smtp/x509/policy \
1059 /etc/postfix/$vm_domainname/smtp/x509/policy
1060 sudo postmap hash:/etc/postfix/$vm_domainname/smtp/x509/policy
1061 sudo install -m 660 -o root -g root \
1062 "$tool"/etc/postfix/$vm_domainname/smtp/header_checks \
1063 /etc/postfix/$vm_domainname/smtp/header_checks
1064 sudo install -m 660 -o root -g root \
1065 "$tool"/etc/postfix/$vm_domainname/smtpd/sender_access \
1066 /etc/postfix/$vm_domainname/smtpd/sender_access
1067 sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/sender_access
1068 sudo install -m 660 -o root -g root \
1069 "$tool"/etc/postfix/$vm_domainname/smtpd/client_blacklist \
1070 /etc/postfix/$vm_domainname/smtpd/client_blacklist
1071 sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/client_blacklist
1072 sudo install -m 660 -o root -g root \
1073 "$tool"/etc/postfix/$vm_domainname/smtpd/relay_clientcerts \
1074 /etc/postfix/$vm_domainname/smtpd/relay_clientcerts
1075 sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/relay_clientcerts
1076 sudo install -m 660 -o root -g root \
1077 "$tool"/etc/postfix/$vm_domainname/transport \
1078 /etc/postfix/$vm_domainname/transport
1079 sudo postmap hash:/etc/postfix/$vm_domainname/transport
1080 sudo install -m 660 -o root -g root \
1081 "$tool"/etc/postfix/$vm_domainname/virtual_alias \
1082 /etc/postfix/$vm_domainname/virtual_alias
1083 sudo postmap hash:/etc/postfix/$vm_domainname/virtual_alias
1084 sudo service postfix restart
1085 }
1086 rule_postgresql_configure () {
1087 rule apt_get_install postgresql-9.1
1088 if [ ! -d /var/lib/postgresql/9.1/ ]; then
1089 pg_createcluster -u postgres --start 9.1 main
1090 fi
1091 sudo install -m 660 -o root -g root \
1092 "$tool"/etc/postgresql/9.1/main/postgresql.conf \
1093 /etc/postgresql/9.1/main/postgresql.conf
1094 sudo service postgresql restart
1095 }
1096 rule_openerp_configure () {
1097 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
1098 deb http://nightly.openerp.com/trunk/nightly/deb/ ./
1099 EOF
1100 sudo apt-get update
1101 rule apt_get_install openerp
1102 }
1103 rule_postgrey_configure () {
1104 rule apt_get_install postgrey
1105 sudo service postgrey restart
1106 }
1107 rule_procmail_configure () {
1108 rule apt_get_install procmail
1109 sudo install -d -m 770 -o root -g root \
1110 /etc/skel/etc/mail \
1111 /etc/skel/var/cache/mail \
1112 /etc/skel/var/log/mail \
1113 /etc/skel/var/mail
1114 sudo install -m 660 -o root -g root \
1115 "$tool"/etc/skel/etc/mail/delivery.procmailrc \
1116 /etc/skel/etc/mail/delivery.procmailrc
1117 }
1118 rule_runit_configure () {
1119 rule apt_get_install runit
1120 local -; set +f
1121 rm -f /etc/service/*
1122 # NOTE: runsvdir éteindra les services qui n'apparaîtront plus ici.
1123 for sv in "$tool"/etc/sv/*
1124 do sv=${sv#"$tool"/etc/sv/}
1125 sudo install -d -m 770 -o root -g root \
1126 /etc/sv/"$sv"
1127 sudo install -m 770 -o root -g root \
1128 "$tool"/etc/sv/"$sv"/run \
1129 /etc/sv/"$sv"/run
1130 if test -e "$tool"/etc/sv/"$sv"/log/run
1131 then
1132 sudo install -d -m 770 -o root -g root \
1133 /etc/sv/"$sv"/log
1134 sudo install -m 770 -o root -g root \
1135 "$tool"/etc/sv/"$sv"/log/run \
1136 /etc/sv/"$sv"/log/run
1137 fi
1138 if test ! -x "$tool"/etc/sv/"$sv"/configure ||
1139 "$tool"/etc/sv/"$sv"/configure
1140 then
1141 ln -fns ../sv/"$sv" /etc/service/"$sv"
1142 sv restart "$sv"
1143 fi
1144 done
1145 }
1146 rule_ssh_configure () {
1147 ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
1148 ( while IFS= read -r line
1149 do case $line in (*" RSA") return 0; break;; esac
1150 done; return 1 ) ||
1151 sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
1152 sudo rm -f \
1153 /etc/ssh/ssh_host_dsa_key \
1154 /etc/ssh/ssh_host_dsa_key.pub \
1155 /etc/ssh/ssh_host_ecdsa_key \
1156 /etc/ssh/ssh_host_ecdsa_key.pub
1157 # NOTE: clefs générées par Debian
1158 sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
1159 Port 22
1160 ListenAddress $vm_ipv4
1161 #ListenAddress ::
1162 Protocol 2
1163 Compression yes
1164 HostKey /etc/ssh/ssh_host_rsa_key
1165 UsePrivilegeSeparation yes
1166 KeyRegenerationInterval 3600
1167 ServerKeyBits 768
1168 SyslogFacility AUTH
1169 LogLevel INFO
1170 LoginGraceTime 120
1171 PermitRootLogin yes
1172 StrictModes yes
1173 RSAAuthentication yes
1174 PubkeyAuthentication yes
1175 AuthorizedKeysFile %h/etc/ssh/authorized_keys
1176 IgnoreRhosts yes
1177 RhostsRSAAuthentication no
1178 HostbasedAuthentication no
1179 IgnoreUserKnownHosts no
1180 PermitEmptyPasswords no
1181 ChallengeResponseAuthentication no
1182 PasswordAuthentication no
1183 KerberosAuthentication no
1184 GSSAPIAuthentication no
1185 X11Forwarding no
1186 X11DisplayOffset 10
1187 PrintMotd no
1188 DebianBanner no
1189 PrintLastLog yes
1190 TCPKeepAlive yes
1191 ClientAliveInterval 0
1192 AcceptEnv LANG LC_*
1193 Subsystem sftp /usr/lib/openssh/sftp-server
1194 UsePAM yes
1195 EOF
1196 sudo service ssh restart
1197 }
1198 rule_sysctl_configure () {
1199 local -; set +f
1200 for conf in "$tool"/etc/sysctl.d/*.conf
1201 do conf=${conf#"$tool"/etc/sysctl.d/}
1202 sudo install -m 660 -o root -g root \
1203 "$tool"/etc/sysctl.d/"$conf" \
1204 /etc/sysctl.d/"$conf"
1205 done
1206 sudo sysctl --system
1207 }
1208 rule_tmpfs_configure () {
1209 sudo install -m 644 -o root -g root /dev/stdin /etc/default/tmpfs <<-EOF
1210 LOCK_SIZE=5242880 # NOTE: 5MiB
1211 RAMLOCK=yes
1212 RAMSHM=yes
1213 RAMTMP=yes
1214 RUN_SIZE=10%
1215 SHM_SIZE=
1216 TMP_MODE=1777,nr_inodes=1000k,noatime
1217 TMP_OVERFLOW_LIMIT=1024
1218 # NOTE: mount tmpfs on /tmp if there is less than the limit size (in kiB)
1219 # on the root filesystem (overriding RAMTMP).
1220 TMP_SIZE=200m
1221 TMPFS_SIZE=20%VM
1222 EOF
1223 sudo install -m 775 -o root -g root \
1224 "$tool"/etc/init.d/tmpfs \
1225 /etc/init.d/tmpfs
1226 sudo update-rc.d tmpfs defaults
1227 }
1228 rule_time_configure () {
1229 sudo install -m 644 -o root -g root /dev/stdin /etc/timezone <<-EOF
1230 Europe/Paris
1231 EOF
1232 sudo debconf-set-selections <<-EOF
1233 tzdata tzdata/Areas select Europe
1234 tzdata tzdata/Zones/Europe select Paris
1235 EOF
1236 rule dpkg_reconfigure tzdata
1237 rule apt_get_install ntp
1238 }
1239 rule_user_add () { # SYNTAX: $user
1240 rule user_configure
1241 local user=$1
1242 getent passwd "$user" >/dev/null ||
1243 sudo adduser --disabled-password "$user"
1244 # NOTE: le mot-de-passe doit être initialisé par l'utilisateur à l'aide de passwd-init .
1245 eval local home\; home="~$user"
1246 sudo adduser "$user" users
1247 sudo install -m 640 -o root -g root \
1248 "$tool"/var/pub/ssh/"$user".key \
1249 "$home"/etc/ssh/authorized_keys
1250 local key; local -; set +f
1251 for key in "$tool"/var/pub/openpgp/*.key
1252 do sudo -u "$user" gpg --import - <"$key"
1253 done
1254 }
1255 rule_user_configure () {
1256 sudo install -m 660 -o root -g root /dev/stdin \
1257 /etc/adduser.conf <<-EOF
1258 ADD_EXTRA_GROUPS=1
1259 DHOME=/home
1260 DIR_MODE=0750
1261 DSHELL=/bin/bash
1262 EXTRA_GROUPS="users"
1263 FIRST_GID=1000
1264 FIRST_SYSTEM_GID=100
1265 FIRST_SYSTEM_UID=100
1266 FIRST_UID=1000
1267 GROUPHOMES=no
1268 LAST_GID=29999
1269 LAST_SYSTEM_GID=999
1270 LAST_SYSTEM_UID=999
1271 LAST_UID=29999
1272 LETTERHOMES=no
1273 NAME_REGEX="^[a-z][-a-z0-9_.]*\$"
1274 QUOTAUSER="" # TODO: init
1275 SETGID_HOME=no
1276 SKEL=/etc/skel
1277 SKEL_IGNORE_REGEX="dpkg-(old|new|dist|save)"
1278 USERGROUPS=yes
1279 USERS_GID=100
1280 EOF
1281 sudo install -d -m 750 -o root -g root \
1282 /etc/skel \
1283 /etc/skel/etc \
1284 /etc/skel/etc/gpg \
1285 /etc/skel/etc/ssh
1286 sudo install -d -m 770 -o root -g root \
1287 /etc/skel/var \
1288 /etc/skel/var/cache \
1289 /etc/skel/var/log \
1290 /etc/skel/var/run \
1291 /etc/skel/var/run/ssh
1292 sudo ln -fns etc/ssh /etc/skel/.ssh
1293 sudo ln -fns etc/gpg /etc/skel/.gnupg
1294 sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
1295 %sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
1296 case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
1297 ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
1298 EOF
1299 sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF
1300 %sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
1301 EOF
1302 sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/env_keep <<-EOF
1303 Defaults env_keep = " \\
1304 EDITOR \\
1305 GIT_AUTHOR_NAME \\
1306 GIT_AUTHOR_EMAIL \\
1307 GIT_COMMITTER_NAME \\
1308 GIT_COMMITTER_EMAIL \\
1309 "
1310 EOF
1311 sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF
1312 #!/bin/sh -efu
1313 # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
1314 sudo /bin/sh -e -f -u -c \
1315 'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
1316 EOF
1317 sudo install -m 644 -o root -g root \
1318 "$tool"/etc/bash.bashrc \
1319 /etc/bash.bashrc
1320 sudo install -m 644 -o root -g root \
1321 "$tool"/etc/screenrc \
1322 /etc/screenrc
1323 }
1324 rule_user_admin_add () { # SYNTAX: $user
1325 rule user_configure
1326 local user=$1
1327 getent passwd "$user" >/dev/null ||
1328 sudo adduser --disabled-password "$user"
1329 eval local home\; home="~$user"
1330 sudo adduser "$user" sudo
1331 sudo install -m 640 -o root -g root \
1332 "$tool"/var/pub/ssh/"$user".key \
1333 "$home"/etc/ssh/authorized_keys
1334 local key; local -; set +f
1335 for key in "$tool"/var/pub/openpgp/*.key
1336 do sudo -u "$user" gpg --import - <"$key"
1337 done
1338 rule user_admin_configure
1339 }
1340 rule_user_admin_configure () {
1341 rule initramfs_configure
1342 rule user_root_configure
1343 }
1344 rule_user_root_configure () {
1345 sudo install -d -m 750 -o root -g root \
1346 /root/etc \
1347 /root/etc/gpg \
1348 /root/etc/ssh
1349 sudo ln -fns etc/gpg /root/.gnupg
1350 sudo ln -fns etc/ssh /root/.ssh
1351 getent group sudo |
1352 while IFS=: read -r group x x users
1353 do while test -n "$users" && IFS=, read -r user users <<-EOF
1354 $users
1355 EOF
1356 do eval local home\; home="~$user"
1357 cat "$home"/etc/ssh/authorized_keys
1358 done
1359 done |
1360 sudo install -m 640 -o root -g root /dev/stdin /root/etc/ssh/authorized_keys
1361 local key; local -; set +f
1362 for key in "$tool"/var/pub/openpgp/*.key
1363 do sudo gpg --import "$key"
1364 done
1365 }
1366 rule_configure () {
1367 rule apt_configure
1368 rule git_configure
1369 rule etckeeper_configure
1370 rule locales_configure
1371 rule time_configure
1372 rule network_configure
1373 rule filesystem_configure
1374 rule login_configure
1375 rule ssh_configure
1376 rule user_root_configure
1377 rule boot_configure
1378 rule sysctl_configure
1379 rule user_configure
1380 rule mail_configure
1381 #rule apache2_configure
1382 rule nginx_configure
1383 rule php5_fpm_configure
1384 rule gitolite_configure
1385 rule runit_configure
1386 }
1387
1388 rule_luks_key_change () {
1389 sudo cryptsetup luksChangeKey /dev/$vm_lvm_vg/${vm_lvm_lv}_root
1390 }
1391
1392 rule=${1:-help}
1393 ${1+shift}
1394 case $rule in
1395 (help);;
1396 (*)
1397 assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
1398 ;;
1399 esac
1400 rule $rule "$@"
outils d'administration d'ateliers.heureux-cyclage.org