Correction : etc/skel/etc/mail/delivery.procmailrc : prend le bon champ GECOS pour...
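#!/bin/sh
# vm_hosted: administration rules for the VM, run from inside the hosted VM
# (rule_help prints the synopsis; vm_host holds the host-side rules).
# DRY_RUN=<non-empty> adds `set -n`: the shell parses the script without running it.
# `-f` disables globbing for the whole script; rules that need globs re-enable
# it locally with `local -; set +f`.
set -e -f ${DRY_RUN:+-n} -u
# Locate the repository from $0, following symlinks (e.g. /usr/local/sbin/vm
# created by rule_git_configure). A relative link target is resolved against
# the directory holding the link; the original `tool=$(readlink "$tool")`
# kept it as-is, which only worked for absolute targets.
tool=$0
while test -L "$tool"
do link=$(readlink "$tool")
  case $link in
  (/*) tool=$link;;
  (*) case $tool in
      (*/*) tool=${tool%/*}/$link;;
      (*) tool=$link;;
      esac;;
  esac
done
unset link
# Directory of the script; "." when it was invoked by bare name from its own directory.
case $tool in
(*/*) tool=${tool%/*};;
(*) tool=.;;
esac
. "$tool"/lib/rule.sh
. "$tool"/etc/vm.sh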
10
# Print this tool's synopsis on stderr.
# RULES and ENVIRONMENT are extracted with sed from the `rule_*` definitions
# and `readonly` assignments of etc/vm.sh and this script; the trailing comment
# on each definition line is printed as its description.
rule_help () { # SYNTAX: [--hidden]
  local hidden
  # Without an argument, rules whose name starts with `_` (rule__*) are left out.
  case ${1:-} in
  ("") hidden=set;;
  esac
  cat >&2 <<-EOF
DESCRIPTION:
ce script regroupe des règles pour administrer la VM ($vm_fqdn)
_depuis_ la VM hébergée ($vm_fqdn) ;
il sert à la fois d'outil (aisément bidouillable)
et de documentation (préçise).
Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
SYNTAX: $0 \$RULE \${RULE}_SYNTAX
RULES:
$(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
ENVIRONMENT:
TRACE # affiche les commandes avant leur exécution
$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
EOF
}
28
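# Point the checkout's master branch at its own remote and expose this script
# as /usr/local/sbin/vm_hosted and /usr/local/sbin/vm (absolute symlinks).
# Fix: the symlink target is the absolute path of the checkout, read with
# `pwd` once inside it; the original `$(cd "$tool"; cd -)` re-entered a
# relative $tool from within itself, which fails unless $tool is absolute.
# `--replace` presumably relies on git's prefix abbreviation of --replace-all.
rule_git_configure () {
  (
  cd "$tool"
  git config --replace branch.master.remote .
  git config --replace branch.master.merge refs/remotes/master
  local abs_tool
  abs_tool=$(pwd)
  sudo ln -fns "$abs_tool"/vm_hosted /usr/local/sbin/
  sudo ln -fns "$abs_tool"/vm_hosted /usr/local/sbin/vm
  )
}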
# Hard-reset the checkout to the `master` remote-tracking branch and remove
# every untracked or ignored file (git clean -x). Runs in a subshell so the
# `cd` does not leak into the caller.
rule_git_reset () {
  ( cd "$tool" &&
    git checkout -f -B master remotes/master &&
    git clean -f -d -x )
}
47
# Install packages without debconf prompts; all arguments go to apt-get install.
# The trailing comment on the definition line is printed by rule_help.
rule_apt_get_install () { # SYNTAX: $package
  local frontend=noninteractive
  sudo DEBIAN_FRONTEND="$frontend" apt-get install "$@"
}
# Reconfigure packages without debconf prompts; all arguments go to dpkg-reconfigure.
# The trailing comment on the definition line is printed by rule_help.
rule_dpkg_reconfigure () { # SYNTAX: $package
  local frontend=noninteractive
  sudo DEBIAN_FRONTEND="$frontend" dpkg-reconfigure "$@"
}
54
# Hidden rule (rule__*): force the C locale and re-read /etc/profile in the
# current shell. The trailing comment on the definition line is printed by
# rule_help --hidden, so it is kept verbatim.
rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
  LANG=C; export LANG
  LC_CTYPE=C; export LC_CTYPE
  . /etc/profile
}
60
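# Install Apache 2 (mpm-itk + mod_php5) and generate one VirtualHost per
# directory etc/apache2/site.d/<port>.<domain>/ of the repository.
# Each site runs as its own www.<site> system user (AssignUserID) and logs
# under /home/www/log/<site>/apache2; port-443 sites additionally need their
# private key already placed by `vm_remote apache2_key_send`.
# Globbing is re-enabled locally because the script runs with set -f.
# Fix: `domain` is now declared local next to `port` (as in
# rule_nginx_configure); the original declared `port site` and let `domain`
# leak as a global.
rule_apache2_configure () {
  local -; set +f
  rule apt_get_install \
    apache2-mpm-itk \
    libapache2-mod-php5
  # SEE: http://serverfault.com/questions/383526/how-do-i-select-which-apache-mpm-to-use/383634#383634
  # SEE: http://jkroon.blogs.uls.co.za/it/security/using-php-fpm-and-mod_proxy_fcgi-to-optimize-and-secure-lamp-servers
  # NOTE: apache2-mpm-itk looks like the most secure choice, since everything
  # is guaranteed to run with the uid/gid assigned to the
  # VirtualHost/Directory/Location; a combination such as
  # apache2-mpm-{worker,event} + mod_proxy_fcgi + apache2-suexec-custom + php-fpm
  # might perform better (threads rather than forks), but suexec seems to
  # impose forks anyway and mod_proxy_fcgi only appears in apache 2.4;
  # so for now: apache2-mpm-itk
  rule www_configure
  # apache2.conf = a ServerName line followed by the repository's template.
  cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF |
ServerName "$vm_fqdn"
EOF
  sudo install -m 660 -o root -g root /dev/stdin \
    /etc/apache2/apache2.conf
  sudo install -m 660 -o root -g root \
    "$tool"/etc/apache2/envvars \
    /etc/apache2/envvars
  sudo install -m 660 -o root -g root \
    "$tool"/etc/apache2/httpd.conf \
    /etc/apache2/httpd.conf
  #sudo install -m 660 -o root -g root /dev/stdin \
  # /etc/apache2/suexec/www-data <<-EOF
  # /home
  # pub/www/cgi
  # EOF
  sudo install -m 660 -o root -g root \
    "$tool"/etc/apache2/ports.conf \
    /etc/apache2/ports.conf
  sudo a2enmod actions
  sudo a2enmod headers
  sudo a2enmod rewrite
  sudo a2enmod ssl
  sudo a2enmod userdir
  local conf
  # Every site is disabled first; each one is re-enabled at the end of its loop turn.
  sudo a2dissite "*"
  sudo ln -fns \
    /etc/apache2 \
    /home/www/etc/apache2
  for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf
  do conf=${conf#"$tool"/etc/apache2/site.d/}
    # <port>.<domain>/VirtualHost.conf → port and domain (domain keeps its own dots).
    local port domain
    IFS=. read -r port domain <<-EOF
${conf%\/VirtualHost\.conf}
EOF
    assert 'test "${port:+set}"'
    assert 'test "${domain:+set}"'
    local site="$port.$domain"
    case $port in
    (443)
      local hint="run vm_remote apache2_key_send before"
      assert "sudo test -f /etc/apache2/site.d/\"$site\"/x509/key.pem" hint
      # x509 layout per site: ca/ (issuer chain), usr/ (accepted client CAs),
      # rvk/ (revocations), empty/ (advertised CA DN list, i.e. none).
      sudo install -d -m 770 -o www."$site" -g www."$site" \
        /etc/apache2 \
        /etc/apache2/site.d/"$site" \
        /etc/apache2/site.d/"$site"/x509 \
        /etc/apache2/site.d/"$site"/x509/ca \
        /etc/apache2/site.d/"$site"/x509/empty \
        /etc/apache2/site.d/"$site"/x509/rvk \
        /etc/apache2/site.d/"$site"/x509/usr
      sudo install -m 664 -o www -g www \
        "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
        /etc/apache2/site.d/"$site"/x509/crt.self-signed.pem
      #sudo install -m 664 -o www."$site" -g www."$site" \
      # "$tool"/var/pub/x509/"$site"/rvk.pem \
      # /etc/apache2/site.d/"$site"/x509/rvk.pem
      sudo install -m 664 -o www -g www \
        "$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \
        /etc/apache2/site.d/"$site"/x509/ca/crt.pem
      sudo install -m 664 -o www -g www \
        "$tool"/var/pub/x509/"$site"/crt.pem \
        /etc/apache2/site.d/"$site"/x509/crt.pem
      ;;
    esac
    # The VirtualHost is generated here and the site's own VirtualHost.conf
    # from the repository is spliced in at the end of the block.
    case $port in
    (80)
      cat <<-EOF
<VirtualHost *:$port>
AssignUserID www.$site www.$site
CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined
#CustomLog "/dev/null" Combined
DocumentRoot /home/www/pub/$site
ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60"
#ErrorLog "/dev/null"
ServerName $domain
LogLevel Warn
$(cat "$tool"/etc/apache2/site.d/"$site"/VirtualHost.conf)
</VirtualHost>
EOF
      ;;
    (443)
      # NOTE(review): the emitted TLS settings only enable TLSv1
      # (`SSLProtocol -All +TLSv1`) and restrict ciphers to `AES+RSA+SHA256`
      # (RSA key exchange, no forward secrecy); they date from the script's
      # era and should be reviewed against current guidance before reuse.
      cat <<-EOF
<IfModule mod_ssl.c>
<VirtualHost *:$port>
AssignUserID www.$site www.$site
BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined
#CustomLog "/dev/null" Combined
DocumentRoot /home/www/pub/$site
ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60"
#ErrorLog "/dev/null"
LogLevel Warn
ServerName $domain
SSLCACertificateFile /etc/apache2/site.d/$site/x509/crt.self-signed.pem
SSLCACertificatePath /etc/apache2/site.d/$site/x509/usr/
#SSLCARevocationFile /etc/apache2/site.d/$site/x509/rvk.pem
SSLCADNRequestFile /etc/apache2/site.d/$site/x509/crt.self-signed.pem
SSLCADNRequestPath /etc/apache2/site.d/$site/x509/empty/
# NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés
SSLCARevocationPath /etc/apache2/site.d/$site/x509/rvk/
SSLCertificateChainFile /etc/apache2/site.d/$site/x509/ca/crt.pem
SSLCertificateFile /etc/apache2/site.d/$site/x509/crt.pem
SSLCertificateKeyFile /etc/apache2/site.d/$site/x509/key.pem
SSLCipherSuite AES+RSA+SHA256
SSLEngine On
SSLInsecureRenegotiation Off
SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars
SSLProtocol -All +TLSv1
#SSLRenegBufferSize 262144
SSLSessionCacheTimeout 1200
SSLStrictSNIVHostCheck On
SSLUserName SSL_CLIENT_S_DN_CN
SSLVerifyClient None
SSLVerifyDepth 1
$(cat "$tool"/etc/apache2/site.d/"$site"/VirtualHost.conf)
</VirtualHost>
</IfModule>
EOF
      ;;
    esac |
    sudo install -m 660 -o root -g root /dev/stdin \
      /etc/apache2/site.d/"$site"/VirtualHost.conf
    sudo ln -fns \
      ../site.d/"$site"/VirtualHost.conf \
      /etc/apache2/sites-available/"$site"
    sudo install -d -m 770 -o www."$site" -g www."$site" \
      /home/www/log/"$site" \
      /home/www/log/"$site"/apache2
    sudo ln -fns \
      /etc/apache2/site.d/"$site" \
      /home/www/etc/apache2/"$site"
    # The document root is created once and never re-chowned afterwards.
    test -e /home/www/pub/"$site" ||
    sudo install -d -m 770 -o www."$site" -g www."$site" \
      /home/www/pub/"$site"
    getent passwd www."$site" >/dev/null ||
    sudo adduser \
      --disabled-password \
      --group \
      --no-create-home \
      --home /home/www/pub/"$site" \
      --shell /bin/false \
      --system \
      www."$site"
    #sudo setfacl -m u:"www.$site":--x \
    # /home/www/ \
    # /home/www/pub/ \
    # /home/www/pub/"$site"/
    #sudo setfacl -m d:u:"www.$site":rwx \
    # "$home"/pub/www/"$site"/
    # Optional per-site hook from the repository, sourced in this shell
    # (it runs with the caller's privileges and sudo rights).
    test ! -r "$tool"/etc/apache2/site.d/"$site"/configure.sh ||
    . "$tool"/etc/apache2/site.d/"$site"/configure.sh
    test -e /etc/apache2/sites-enabled/"$site" ||
    sudo a2ensite "$site"
  done
  sudo service apache2 restart
}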
# Write the apt sources, pinning and apticron (pending-update mail) configuration.
# Uses $vm_lsb_name (release name) and $vm_domainname from etc/vm.sh.
rule_apt_configure () {
# Single Debian mirror with main/contrib/non-free for the release.
sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
EOF
# NOTE(review): this file lands directly under /etc/apt/, not in
# /etc/apt/sources.list.d/, so apt does not read it; its only line is
# commented out anyway, so backports stay disabled.
sudo install -m 660 -o root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF
#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
EOF
# Pin priorities: 170 for the release, 200 for its backports (both below apt's default of 500).
sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
Package: *
Pin: release a=$vm_lsb_name
Pin-Priority: 170

Package: *
Pin: release a=$vm_lsb_name-backports
Pin-Priority: 200
EOF
sudo apt-get update
# apticron mails admin@$vm_domainname about pending upgrades; every other
# option is left at its commented-out default.
rule apt_get_install apticron
sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF
EMAIL="admin@$vm_domainname"
# DIFF_ONLY="1"
# LISTCHANGES_PROFILE="apticron"
# ALL_FQDNS="1"
# SYSTEM="foobar.example.com"
# IPADDRESSNUM="1"
# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
# NOTIFY_HOLDS="0"
# NOTIFY_NEW="0"
# NOTIFY_NO_UPDATES="0"
# CUSTOM_SUBJECT=""
# CUSTOM_NO_UPDATES_SUBJECT=""
# CUSTOM_FROM="root@$vm_fqdn"
EOF
}
# Install GRUB and the kernel for a Xen PV guest: GRUB goes in without writing
# any boot sector, the kernel console is hvc0, and networking / resume device
# are passed on the kernel command line. Ends with the initramfs and molly-guard.
rule_boot_configure () {
# NOTE: during the Debian install, do NOT install GRUB on any of the proposed disks!
#warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
# Empty install_devices answer: grub-pc is installed without being written to any device.
sudo debconf-set-selections <<-EOF
grub-pc grub-pc/install_devices multiselect
EOF
rule apt_get_install grub-pc
# NOTE(review): -m 644 on a directory omits the search (x) bit; only root
# touches /boot/grub here, which does not need it.
sudo install -d -m 644 -o root -g root /boot/grub
rule apt_get_install linux-image-$vm_arch
# Kernel command line: Xen console on hvc0, static ip= from $vm_ipv4 (see
# rule_network_configure) and resume from the deciphered swap LV (see
# rule_filesystem_configure). The backticks are escaped so the file keeps them.
sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
GRUB_DISABLE_RECOVERY="true"
#GRUB_PRELOAD_MODULES="lvm"
EOF
# (hd0) is listed twice: as the Xen block device and, presumably, as the
# dom0 device-mapper name of the disk (dashes doubled, as device-mapper
# escapes them) — confirm against the host's LVM naming.
sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF
(hd0) /dev/xvda
(hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
EOF
sudo update-grub2 # NOTE: takes /boot/grub/device.map into account
rule initramfs_configure
# molly-guard: always ask for the hostname before halt/reboot, even when
# SSH_* variables are not in the environment (see the rc file's comment).
rule apt_get_install molly-guard
sudo install -m 644 -o root -g root /dev/stdin /etc/molly-guard/rc <<-EOF
ALWAYS_QUERY_HOSTNAME=true
# NOTE: une alternative est de dire à sudo de conserver les SSH_*
# néamoins demander tout le temps n'est pas trop contraignant
# et davantage sécurisant.
EOF
}
# Install and configure Dovecot (IMAP + sieve + LDA) with per-user
# passwd-files under ~/etc/dovecot/passwd, Maildir under ~/var/mail, and
# optional client-certificate authentication. The IMAP key must already be
# in place (`vm_remote dovecot_key_send`).
rule_dovecot_configure () {
rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
local hint="run vm_remote dovecot_key_send before"
assert "sudo test -f /etc/dovecot/\"$vm_domainname\"/imap/x509/key.pem" hint
sudo install -m 400 -o root -g root \
"$tool"/var/pub/x509/$vm_domainname/imap/crt+crl.self-signed.pem \
/etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
# Skeleton directories copied into every new home (mail filters live there).
sudo install -d -m 770 -o root -g root \
/etc/skel/etc/mail \
/etc/skel/etc/sieve
# Index and control data live outside the quota-enforced home filesystem; the
# directories are world-writable with the sticky bit so each user's dovecot
# process can create its own %u subdirectory (see mail_location below).
sudo install -d -m 1777 -o root -g root \
/var/lib/dovecot-control \
/var/lib/dovecot-index
# NOTE(review): the emitted ssl_cipher_list is the single AES256-SHA suite
# (RSA key exchange, no forward secrecy) and mail_debug is left on; both
# date from the script's era and deserve a review before reuse.
sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
auth_ssl_username_from_cert = yes
listen = *
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_debug = yes
mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
# NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
# VOIR: http://wiki2.dovecot.org/Quota/FS
mail_plugins = \$mail_plugins quota
mail_privileged_group = mail
passdb {
args = /home/%u/etc/dovecot/passwd
driver = passwd-file
}
plugin {
quota = fs:user
recipient_delimiter = +
sieve = ~/etc/mail/filter.sieve
sieve_dir = ~/etc/mail/sieve
sieve_global_dir = /var/lib/dovecot/sieve/global/
sieve_max_script_size = 1M
sieve_quota_max_scripts = 0
sieve_quota_max_storage = 10M
sieve_user_log = ~/var/log/mail/sieve.log
}
protocol imap {
mail_plugins = \$mail_plugins imap_quota
}
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
hostname = $vm_domainname
info_log_path =
log_path =
mail_plugins = \$mail_plugins sieve
postmaster_address = contact+dovecot+lda@$vm_domainname
syslog_facility = mail
}
protocols = imap sieve
service auth {
user = root
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
ssl_cipher_list = AES256-SHA
ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
ssl_verify_client_cert = yes
userdb {
driver = passwd
}
verbose_ssl = no
EOF
# Self-service helper: a user runs dovecot-passwd to create ~/etc/dovecot/passwd
# with a SHA512-CRYPT hash of the password doveadm prompts for.
sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
#!/bin/sh -efux
# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
install -d -m 770 ~/etc/dovecot
install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
\$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
_EOF
EOF
# NOTE(review): creates an empty postgrey whitelist here rather than in
# rule_postgrey_configure (defined elsewhere); presumably a leftover.
sudo install -m 664 -o root -g root /dev/stdin /etc/postgrey/whitelist_recipients.local <<-EOF
EOF
sudo service dovecot restart
}
# Write etckeeper's configuration (git backend, no daily autocommits) and the
# repository's prompt.sh before installing the package, so the package's
# defaults never replace them.
rule_etckeeper_configure () {
  # Quoted delimiter: the file contains no expansions.
  sudo install -m 644 -o root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-'EOF'
VCS=git
GIT_COMMIT_OPTIONS=""
AVOID_DAILY_AUTOCOMMITS=1
#AVOID_SPECIAL_FILE_WARNING=1
AVOID_COMMIT_BEFORE_INSTALL=1
HIGHLEVEL_PACKAGE_MANAGER=apt
LOWLEVEL_PACKAGE_MANAGER=dpkg
EOF
  sudo install -m 644 -o root -g root \
    "$tool"/etc/etckeeper/prompt.sh \
    /etc/etckeeper/prompt.sh
  rule apt_get_install etckeeper
}
# Write /etc/fstab and /etc/crypttab for the LUKS-on-LVM layout: one LV per
# filesystem (boot, root, var, home, swap) named from $vm_lvm_lv / $vm_lvm_vg
# (etc/vm.sh); root is unlocked interactively and the others derive their key
# from it (decrypt_derived). Then delegates tmpfs mounts to rule_tmpfs_configure.
rule_filesystem_configure () {
# /home carries user and group quotas (dovecot's fs:user quota relies on them).
sudo install -m 644 -o root -g root /dev/stdin /etc/fstab <<-EOF
# <file system> <mount point> <type> <options> <dump> <pass>
LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
# NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
EOF
# Only the root LV has a passphrase ("none" key); var/home/swap use the root
# mapping as key source through the decrypt_derived keyscript.
sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF
# <target name> <source device> <key file> <options>
${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
EOF
rule tmpfs_configure
}
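# Configure the initramfs: module lists, Xen PV driver aliases, and dropbear
# (SSH inside the initramfs) so the encrypted root can be unlocked remotely.
# The ~/etc/ssh/authorized_keys of every member of the `sudo` group is
# concatenated into the initramfs root account's authorized_keys.
# Fix: a member's home directory is now read from getent instead of
# `eval local home\; home="~$user"`, so a group member name taken from
# /etc/group is never re-parsed by the shell.
rule_initramfs_configure () {
  sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
MODULES=most
BUSYBOX=y
KEYMAP=y
COMPRESS=gzip
DEVICE=eth0
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/modprobe.d/xen-pv.conf <<-EOF
alias eth0 xennet
alias scsi_hostadapter xenblk
EOF
  # Crypto modules needed to open the LUKS volumes early (see rule_filesystem_configure).
  sudo install -m 644 -o root -g root /dev/stdin /etc/modules <<-EOF
sha1_generic
sha256_generic
sha512_generic
aes-x86_64
xts
# NOTE: pour Xen en mode HVM :
#modprobe xen-platform-pci
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF
EOF
  # NOTE: works around a bug: dropbear must wait until the network is
  # configured, so the trailing `&` that backgrounds configure_networking is dropped.
  sudo sed -e '/^configure_networking /s/ &$//' \
    -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
  # Regenerate the dropbear RSA host key unless etc/openssh/known_hosts of the
  # repository already records an RSA entry for init.$vm_fqdn; the subshell's
  # return status is the outcome of that check.
  ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
  ( while IFS= read -r line
    do case $line in (*" RSA") return 0; break;; esac
    done; return 1 ) ||
  {
    sudo rm -f \
      /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
      /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
    sudo dropbearkey -t rsa -s 4096 -f \
      /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
  }
  # NOTE: dropbear_dss_host_key is not handled; Debian generates and uses it anyway.
  # NOTE(review): -m 640 on a directory omits the search (x) bit; only root
  # (and the initramfs build) reads it, so this has no effect here.
  sudo install -d -m 640 -o root -g root \
    /etc/initramfs-tools/root \
    /etc/initramfs-tools/root/.ssh
  # The `users` field of the sudo group is split on commas one member at a
  # time; each member's keys are appended to the installed file. A missing or
  # unreadable authorized_keys aborts the pipeline (set -e) rather than
  # silently leaving that admin out.
  getent group sudo |
  while IFS=: read -r group x x users
  do while test -n "$users" && IFS=, read -r user users <<-EOF
$users
EOF
    do local home
      home=$(getent passwd "$user" | cut -d: -f6)
      cat "$home"/etc/ssh/authorized_keys
    done
  done |
  sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys
  # NOTE: keys generated by Debian; removed so the initramfs carries no client key.
  sudo rm -f \
    /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
    /etc/initramfs-tools/root/.ssh/id_rsa.pub \
    /etc/initramfs-tools/root/.ssh/id_rsa
  sudo update-initramfs -u
}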
# Install gitolite under the `git` system account with its admin directory in
# /etc/gitolite (symlinked from ~git/etc/gitolite), repositories in ~git/pub,
# logs in ~git/log/gitolite, plus a gitweb front-end configuration.
rule_gitolite_configure () {
local user=git
# Pre-seed debconf so the package does not prompt; adminkey is left empty and
# the admin key is fed to gl-setup below instead.
sudo debconf-set-selections <<-EOF
gitolite gitolite/gituser string $user
gitolite gitolite/adminkey string
gitolite gitolite/gitdir string /home/$user
EOF
rule apt_get_install gitolite
getent passwd "$user" >/dev/null ||
sudo adduser \
--disabled-password \
--group \
--shell /bin/bash \
--system \
"$user"
# GECOS full name set to the user name; presumably read by the mail delivery
# rule (see the commit title about the GECOS field) — confirm.
sudo chfn --full-name "$user" "$user"
# $user is the literal `git` here, so the eval only resolves ~git.
eval local home\; home="~$user"
sudo install -d -m 770 -o "$user" -g "$user" \
/etc/gitolite \
"$home"/etc \
"$home"/etc/ssh \
"$home"/pub \
"$home"/log \
"$home"/log/gitolite \
"$home"/log/gitolite/perf
sudo ln -fns /etc/gitolite "$home"/etc/gitolite
sudo ln -fns etc/gitolite/gitolite.rc "$home"/.gitolite.rc
sudo ln -fns etc/ssh "$home"/.ssh
# gitolite.rc (Perl): `\$` keeps the Perl variables out of the shell's hands;
# only $vm_domainname is expanded. Repositories live in pub/ with umask 0007.
sudo install -m 770 -o "$user" -g "$user" /dev/stdin \
"$home"/etc/gitolite/gitolite.rc <<-EOF
#\$ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary";
#\$BIG_INFO_CAP = 20;
#\$ENV{GL_SLAVES} = 'gitolite@server2 gitolite@server3';
# NOTE: Please use single quotes, not double quotes.
#\$GITWEB_URI_ESCAPE = 0;
\$GIT_PATH = "";
#\$GL_ADC_PATH = "";
\$GL_ADMINDIR = \$ENV{HOME} . "/etc/gitolite";
#\$GL_ALL_INCLUDES_SPECIAL = 0;
#\$GL_ALL_READ_ALL = 0;
\$GL_BIG_CONFIG = 0;
\$GL_CONF = "\$GL_ADMINDIR/conf/gitolite.conf";
\$GL_CONF_COMPILED = "\$GL_ADMINDIR/conf/gitolite.conf.pm";
#\$GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups"
\$GL_GITCONFIG_KEYS = "hooks\\..* repo\\..*";
#\$GL_HOSTNAME = "git.$vm_domainname";
# NOTE: read doc/mirroring.mkd COMPLETELY before setting this.
#\$GL_HTTP_ANON_USER = "mob";
\$GL_KEYDIR = "\$GL_ADMINDIR/keydir";
\$GL_LOGT = \$ENV{HOME} . "/log/gitolite/%y-%m-%d.log";
#\$GL_NICE_VALUE = 0;
\$GL_NO_CREATE_REPOS = 0;
\$GL_NO_DAEMON_NO_GITWEB = 0;
\$GL_NO_SETUP_AUTHKEYS = 0;
\$GL_PACKAGE_CONF = "/usr/share/gitolite/conf";
\$GL_PACKAGE_HOOKS = "/usr/share/gitolite/hooks";
#\$GL_PERFLOGT = \$ENV{HOME} . "/log/gitolite/perf/%y-%m-%d.log";
#\$GL_REF_OR_FILENAME_PATT = qr(^[0-9a-zA-Z][0-9a-zA-Z._\\@/+ :,-]*\$);
\$GL_SITE_INFO = "git.$vm_domainname";
#\$GL_SLAVE_MODE = 0;
\$GL_WILDREPOS = 0;
#\$GL_WILDREPOS_DEFPERMS = 'R @all';
\$GL_WILDREPOS_PERM_CATS = "READERS WRITERS";
\$HTPASSWD_FILE = "";
\$PROJECTS_LIST = \$ENV{HOME} . "/projects.list";
\$REPO_BASE = "pub";
\$REPO_UMASK = 0007;
\$RSYNC_BASE = "";
\$SVNSERVE = "";
#\$UPDATE_CHAINS_TO = "hooks/update.secondary";
#\$WEB_INTERFACE = "gitweb";
1;
EOF
# NOTE(review): $site_footer points at a path under /home/fai/... for another
# host's site; looks like a copy-paste leftover — confirm before reuse.
sudo install -m 770 -o "$user" -g "$user" /dev/stdin \
"$home"/etc/gitweb/gitweb.conf <<-EOF
\$commit_oneline_message_width = 70;
\$default_projects_order = 'age';
\$default_text_plain_charset = 'UTF-8';
@diff_opts = ();
\$favicon = "img/git-favicon.png";
\$git_temp = "/run/shm/gitweb";
\$home_footer = "/etc/gitweb/cgi/home-footer.cgi.inc";
\$home_header = "/etc/gitweb/cgi/home-header.cgi.inc";
\$home_link = "/";
\$home_link_str = 'd&eacute;p&ocirc;ts';
\$home_th_age = 'activit&eacute;';
\$home_th_descr = 'description';
\$home_th_owner = 'contact';
\$home_th_project = 'd&eacute;p&ocirc;t';
\$javascript = "js/gitweb.js";
\$logo = "img/git-logo.png";
\$my_uri = "";
\$projectroot = "../git";
\$projects_list = "/etc/gitolite/projects.list";
\$projects_list_description_width = 42;
\$projects_list_owner_width = 15;
\$search_str = "Filtre&nbsp;:";
\$site_footer = "/home/fai/pub/www/git.autogeree.net/cgi/site-footer.bin";
\$site_header = undef;
\$site_name = "git.$vm_domainname";
\$space_to_nbsp = 0;
@stylesheets = ("css/gitweb.css");#
\$untabify_tabstop = 2;
EOF
# NOTE(review): var/pub/ssh/$user.key from the repository is installed as the
# admin *public* key handed to gl-setup; presumably it holds public material
# (it sits under pub/), but the `.key` name is misleading — confirm.
sudo install -m 600 -o "$user" -g "$user" \
"$tool"/var/pub/ssh/"$user".key \
"$home"/etc/ssh/"$user".pub
sudo -u "$user" \
GL_RC="$home"/etc/gitolite/gitolite.rc \
GIT_AUTHOR_NAME="$user" \
gl-setup -q "$home"/etc/ssh/"$user".pub "$user"
# NOTE(review): rmdir runs without sudo on directories owned by $user (mode
# 770); it only works when the caller can write there — confirm.
local d
for d in doc logs src
do test ! -d "$home"/etc/gitolite/"$d" ||
rmdir "$home"/etc/gitolite/"$d"
done
rule apt_get_install gitweb highlight
#sudo sv restart spawn-fcgi.git.80.git.heureux-cyclage.org
#sudo sv restart git-daemon.git.9418
}
# Generate fr_FR.UTF-8 only and leave the system default locale unset,
# through debconf pre-seeding followed by a non-interactive reconfigure.
rule_locales_configure () {
  # Quoted delimiter: the answers contain no expansions.
  sudo debconf-set-selections <<-'EOF'
locales locales/default_environment_locale select None
locales locales/locales_to_be_generated multiselect fr_FR.UTF-8 UTF-8
EOF
  rule dpkg_reconfigure locales
}
# Console and login policy: sysvinit inittab with a getty on the Xen console
# (hvc0) and runit's runsvdir, login.defs (umask 007, SHA512 hashes, 3 login
# retries), pam_umask, and root login allowed on the hvc0/xvc0 consoles.
rule_login_configure () {
sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF
# /etc/inittab: init(8) configuration.

# The default runlevel.
id:2:initdefault:

# Boot-time system configuration/initialization script.
# This is run first except when booting in emergency (-b) mode.
si::sysinit:/etc/init.d/rcS

# What to do in single-user mode.
~~:S:wait:/sbin/sulogin

# /etc/init.d executes the S and K scripts upon change
# of runlevel.
#
# Runlevel 0 is halt.
# Runlevel 1 is single-user.
# Runlevels 2-5 are multi-user.
# Runlevel 6 is reboot.

l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fallthrough in case of emergency.
z6:6:respawn:/sbin/sulogin

# What to do when CTRL-ALT-DEL is pressed.
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

# What to do when the power fails/returns.
pf::powerwait:/etc/init.d/powerfail start
pn::powerfailnow:/etc/init.d/powerfail now
po::powerokwait:/etc/init.d/powerfail stop

# Xen hypervisor console
hvc:2345:respawn:/sbin/getty 38400 hvc0
#xvc:2345:respawn:/sbin/getty 38400 xvc0

#-- runit begin
SV:123456:respawn:/usr/sbin/runsvdir-start
#-- runit end
EOF
# login.defs: sbin/ directories stay in ENV_PATH and the default umask is 007
# (group trusted like the owner, eases ACL use); rationale in the file's NOTEs.
sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF
MAIL_DIR /var/mail
FAILLOG_ENAB yes
LOG_UNKFAIL_ENAB no
LOG_OK_LOGINS no
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
FTMP_FILE /var/log/btmp
SU_NAME su
HUSHLOGIN_FILE .hushlogin
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# NOTE: met les sbin/ dans ENV_PATH ;
# - ça n'apporte aucune protection de ne pas les mettre ;
# - ça frustre de ne pas les trouver.
TTYGROUP tty
TTYPERM 0600
ERASECHAR 0177
KILLCHAR 025
UMASK 007
# NOTE: rwxrwx--- ;
# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
GID_MIN 1000
GID_MAX 60000
LOGIN_RETRIES 3
LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
DEFAULT_HOME yes
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
EOF
# Append pam_umask once so the login.defs UMASK also applies to PAM sessions.
# NOTE(review): Debian's pam-auth-update regenerates common-session; a line
# appended this way may be overwritten later — confirm it survives.
grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF
$(cat /etc/pam.d/common-session)
session optional pam_umask.so
EOF
# securetty: allow direct root login on the Xen consoles (added once each).
grep -q '^hvc0$' /etc/securetty ||
sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
$(cat /etc/securetty)
hvc0
EOF
grep -q '^xvc0$' /etc/securetty ||
sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
$(cat /etc/securetty)
xvc0
EOF
}
# Configure the whole mail stack, in dependency order:
# postfix, postgrey, procmail, then dovecot.
rule_mail_configure () {
  local part
  for part in postfix postgrey procmail dovecot
  do rule "$part"_configure
  done
}
# Install MySQL 5.5 with the repository's my.cnf and a data directory under
# /home/mysql, initialised with mysql_install_db only when it does not exist yet.
rule_mysql_configure () {
  rule apt_get_install mysql-server-5.5
  sudo install -m 644 -o root -g root \
    "$tool"/etc/mysql/my.cnf \
    /etc/mysql/my.cnf
  test -d /home/mysql || {
    sudo install -d -m 750 -o mysql -g mysql \
      /home/mysql
    sudo -u mysql mysql_install_db --no-defaults --datadir=/home/mysql/
  }
  sudo service mysql restart
}
# Hostname, /etc/hosts entry (appended once) and a static /32 configuration
# of eth0 (logical name `grenode`) from $vm, $vm_fqdn and $vm_ipv4 (etc/vm.sh).
rule_network_configure () {
sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
$vm
EOF
grep -q " $vm\$" /etc/hosts ||
sudo install -m 644 -o root -g root /dev/stdin /etc/hosts <<-EOF
$(cat /etc/hosts)
127.0.0.1 $vm_fqdn $vm
EOF
# gateway == address: the gateway answers for the VM with proxy_arp (see the
# NOTE in the file). MTU 1300 is imposed by the GRE/IPsec tunnels on the
# provider's side; the ping transcript in the file documents the measurement.
# `\$IFACE` and `\$((...))` are escaped so ifupdown, not this shell, sees them.
sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF
auto lo
iface lo inet loopback

auto eth0=grenode
iface grenode inet static
address $vm_ipv4
gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
network $vm_ipv4
broadcast $vm_ipv4
netmask 255.255.255.255
mtu 1300
# NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
# car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
#
# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
# PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
# 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
#
# --- soupirail.grenode.net ping statistics ---
# 1 packets transmitted, 1 received, 0% packet loss, time 0ms
# rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
# PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
# From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
#
# --- soupirail.grenode.net ping statistics ---
# 0 packets transmitted, 0 received, +1 errors
post-up ip address add $vm_ipv4/32 dev \$IFACE
pre-down ip address delete $vm_ipv4/32 dev \$IFACE
EOF
}
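# Create the shared web accounts and the /home/www layout used by the
# apache2, nginx and php5-fpm rules:
#   www      owns /home/www (751) and /home/www/etc (750)
#   log.www  owns /home/www/log (1771), its home is ~www/log
#   www-data (Debian's web server user) gets /home/www/pub (1771) as home
# Fixes: a stray `\` after `/home/www/pub` folded the last `sudo install`
# into the previous one's argument list (GNU install would then likely
# create directories named `sudo` and `install` in the current directory,
# all owned by log.www); `usermod` now runs under sudo like every other
# privileged command here; log.www is guarded with getent like www is.
rule_www_configure () {
  getent passwd www >/dev/null ||
  sudo adduser \
    --disabled-login \
    --disabled-password \
    --group \
    --home /home/www \
    --shell /bin/false \
    --system \
    www
  getent passwd log.www >/dev/null ||
  sudo adduser \
    --disabled-login \
    --disabled-password \
    --group \
    --home ~www/log \
    --shell /bin/false \
    --system \
    log.www
  #sudo adduser www www-data
  # www joins log.www so it can read the logs.
  sudo adduser www log.www
  #sudo adduser log log.www
  sudo usermod --home /home/www/pub www-data
  sudo install -d -m 751 -o www -g www \
    /home/www
  sudo install -d -m 750 -o www -g www \
    /home/www/etc
  # Sticky, group-writable trees: each site gets its own subdirectory below.
  sudo install -d -m 1771 -o www-data -g www-data \
    /home/www/pub
  sudo install -d -m 1771 -o log.www -g log.www \
    /home/www/log
}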
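# Install nginx and generate one server{} block per directory
# etc/nginx/site.d/<port>.<domain>/ of the repository. Each site gets a
# www.<site> account (home below ~www-data) and a log.<site> account owning
# /home/www/log/<site>/nginx; port-443 sites need their key already placed
# by `vm_remote nginx_key_send`. Globbing is re-enabled locally (set -f).
# Fix: `adduser www-data www.<site>` now runs under sudo, like the matching
# `sudo adduser php5.<site> www.<site>` in rule_php5_fpm_configure; without
# sudo it fails for a non-root caller and, under set -e, aborts the rule.
rule_nginx_configure () {
  local -; set +f
  rule apt_get_install nginx
  rule www_configure
  # NOTE(review): this discards everything under /etc/nginx/site.d, including
  # anything placed there for a site beforehand; see the key-path note below.
  sudo rm -rf \
    /etc/nginx/conf.d \
    /etc/nginx/site.d
  sudo install -d -m 770 -o www -g www \
    /etc/nginx \
    /etc/nginx/conf.d \
    /etc/nginx/site.d
  sudo ln -fns \
    /etc/nginx \
    /home/www/etc/nginx
  sudo install -m 660 -o www -g www \
    "$tool"/etc/nginx/nginx.conf \
    /etc/nginx/nginx.conf
  local conf
  for conf in "$tool"/etc/nginx/conf.d/*.conf
  do conf=${conf#"$tool"/etc/nginx/conf.d/}
    sudo install -m 660 -o www -g www \
      "$tool"/etc/nginx/conf.d/"$conf" \
      /etc/nginx/conf.d/"$conf"
  done
  for conf in "$tool"/etc/nginx/site.d/*/server.conf
  do conf=${conf#"$tool"/etc/nginx/site.d/}
    # <port>.<domain>/server.conf → port and domain (domain keeps its own dots).
    local port domain
    IFS=. read -r port domain <<-EOF
${conf%\/server\.conf}
EOF
    assert 'test "${port:+set}"'
    assert 'test "${domain:+set}"'
    local site="$port.$domain"
    getent passwd www."$site" >/dev/null ||
    sudo adduser \
      --disabled-login \
      --disabled-password \
      --group \
      --home ~www-data/"$site" \
      --shell /bin/false \
      --system \
      www."$site"
    getent passwd log."$site" >/dev/null ||
    sudo adduser \
      --disabled-login \
      --disabled-password \
      --group \
      --shell /bin/false \
      --system \
      log."$site"
    sudo usermod --home ~www/log/"$site"/nginx log."$site"
    sudo install -d -m 770 -o www -g www \
      /etc/nginx/site.d/"$site"
    case $port in
    (443)
      # NOTE(review): three paths disagree for the TLS material: this assert
      # checks /etc/nginx/<site>/x509/key.pem, the certificate is installed
      # under /etc/nginx/site.d/<site>/x509/ (a directory this rule never
      # creates, and that the rm -rf above just removed), and the generated
      # server{} reads both from /home/www/etc/nginx/site.d/<site>/x509/
      # (/home/www/etc/nginx → /etc/nginx). Confirm where nginx_key_send
      # places the key before changing any of them.
      local hint="run vm_remote nginx_key_send before"
      assert "sudo test -f /etc/nginx/\"$site\"/x509/key.pem" hint
      sudo install -m 664 -o www -g www \
        "$tool"/var/pub/x509/"$site"/crt+ca.pem \
        /etc/nginx/site.d/"$site"/x509/crt.pem
      ;;
    esac
    # The server{} block is generated here; the site's own server.conf from
    # the repository is spliced in at the end of the block.
    case $port in
    (80)
      cat <<-EOF
server {
listen $port;
access_log /home/www/log/$site/nginx/access.log main;
error_log /home/www/log/$site/nginx/error.log warn;
root /home/www/pub/$site;
server_name $domain;
$(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
}
EOF
      ;;
    (443)
      # NOTE(review): the emitted TLS settings (`ssl on`, TLSv1 through
      # TLSv1.2, `HIGH:!ADH:!MD5`) date from the script's era; review them
      # against current guidance before reusing this rule.
      cat <<-EOF
server {
listen $port;
access_log /home/www/log/$site/nginx/access.log main;
error_log /home/www/log/$site/nginx/error.log warn;
keepalive_timeout 70;
root /home/www/pub/$site;
server_name $domain;
# DOC: http://wiki.nginx.org/HttpSslModule
ssl on;
ssl_certificate /home/www/etc/nginx/site.d/$site/x509/crt.pem;
ssl_certificate_key /home/www/etc/nginx/site.d/$site/x509/key.pem;
ssl_ciphers HIGH:!ADH:!MD5;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
$(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
}
EOF
      ;;
    esac |
    sudo install -m 660 -o www -g www /dev/stdin \
      /etc/nginx/site.d/"$site"/server.conf
    # www-data (the nginx worker user) joins the site's group.
    sudo adduser www-data www."$site"
    # The document root is created once and never re-chowned afterwards.
    test -e /home/www/pub/"$site" ||
    sudo install -d -m 3770 -o www."$site" -g www."$site" \
      /home/www/pub/"$site"
    sudo install -d -m 3770 -o log."$site" -g log."$site" \
      /home/www/log/"$site"/nginx
    # Optional per-site hook from the repository, sourced in this shell
    # (it runs with the caller's privileges and sudo rights).
    test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
    . "$tool"/etc/nginx/site.d/"$site"/configure.sh
  done
  rule apt_get_install spawn-fcgi fcgiwrap
  # Drop fcgiwrap's own init script from the boot sequence.
  sudo insserv --remove fcgiwrap
  rule tmpfs_configure
  sudo service nginx restart
}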
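rule_php5_fpm_configure () {
	# Installs php5-fpm and regenerates one FPM pool per file found in
	# $tool/etc/php5/fpm/pool.d/<port>.<domain>.conf. Each pool gets its own
	# system account (php5.<site>) so that sites cannot read each other's files.
	local -; set +f
	rule apt_get_install \
	 php5-fpm \
	 php-apc
	getent passwd php5 >/dev/null ||
	sudo adduser \
	 --disabled-login \
	 --disabled-password \
	 --group \
	 --shell /bin/false \
	 --system \
	 php5
	sudo ln -fns \
	 /etc/php5-fpm \
	 /home/www/etc/php5
	# php.ini is not site-specific: install it once instead of once per pool.
	sudo install -m 664 -o root -g root \
	 "$tool"/etc/php5/fpm/php.ini \
	 /etc/php5/fpm/php.ini
	# Pools are rebuilt from scratch so that a file removed from the
	# repository also disappears from the VM.
	sudo rm -f /etc/php5/fpm/pool.d/*
	local conf port domain site
	for conf in "$tool"/etc/php5/fpm/pool.d/*.conf
	do conf=${conf#"$tool"/etc/php5/fpm/pool.d/}
		# File name is <port>.<domain>.conf: the first dot splits the two.
		IFS=. read -r port domain <<-EOF
		${conf%\.conf}
		EOF
		assert 'test "${port:+set}"'
		assert 'test "${domain:+set}"'
		site="$port.$domain"
		getent passwd php5."$site" >/dev/null ||
		sudo adduser \
		 --disabled-login \
		 --disabled-password \
		 --group \
		 --no-create-home \
		 --home ~www/pub/"$site" \
		 --shell /bin/false \
		 --system \
		 php5."$site"
		sudo install -d -m 770 -o php5 -g php5 \
		 /home/www/log/php5 \
		 /home/www/log/php5/fpm
		sudo install -d -m 770 -o log."$site" -g log."$site" \
		 /home/www/log/"$site"
		# FIX: the pool written below logs into /home/www/log/$site/php5/fpm,
		# a directory this rule never created (only /home/www/log/php5/fpm
		# was). php-fpm does not create missing log directories, so the
		# access.log / slowlog of the pool could not be opened.
		sudo install -d -m 770 -o php5 -g php5 \
		 /home/www/log/"$site"/php5 \
		 /home/www/log/"$site"/php5/fpm
		# Lets the pool's workers reach the site's files (group www.$site).
		sudo adduser php5."$site" www."$site"
		# NOTE(review): php5_user is not set in this rule; it is presumably
		# provided by etc/vm.sh (sourced at startup) -- under `set -u` an
		# unset name would abort here. Confirm it resolves to php5.$site, the
		# account created above, and not to a shared one.
		# Pool settings worth knowing (not written into the file):
		#  - listen is a unix socket but listen.owner/group/mode are not set
		#    here; unless the per-site fragment appended at the end sets
		#    them, confirm that only nginx's user can connect to it, or any
		#    local account could submit FastCGI requests to this pool.
		#  - rlimit_core = unlimited: a worker's core dump can contain session
		#    data and credentials; keep the dump location private.
		#  - pm.status_path = /status is only as protected as the nginx
		#    location that proxies it.
		sudo install -m 660 -o root -g root /dev/stdin \
		 /etc/php5/fpm/pool.d/"$conf" <<-EOF
		[php5.$site]
		access.log = /home/www/log/$site/php5/fpm/access.log
		catch_workers_output = yes
		chdir = /
		env[HOSTNAME] = \$HOSTNAME
		env[TEMP] = /tmp
		env[TMPDIR] = /tmp
		env[TMP] = /tmp
		group = www-data
		listen = /run/nginx/fastcgi/php5.$site
		#listen = 127.0.0.1:9000
		#listen.allowed_clients = 127.0.0.1
		listen.backlog = -1
		pm = dynamic
		pm.max_children = 5
		pm.max_requests = 200
		pm.max_spare_servers = 4
		pm.min_spare_servers = 2
		pm.start_servers = 3
		pm.status_path = /status
		request_slowlog_timeout = 5s
		request_terminate_timeout = 120s
		rlimit_core = unlimited
		rlimit_files = 131072
		slowlog = /home/www/log/$site/php5/fpm/slow.log
		user = $php5_user
		$(cat "$tool"/etc/php5/fpm/pool.d/"$conf")
		EOF
	done
	rule tmpfs_configure
	sudo service php5-fpm restart
}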
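rule_postfix_configure () {
	# Installs postfix with "No configuration" and lays out
	# /etc/postfix/$vm_domainname: the smtpd certificate chain (the private
	# key must already have been pushed with `vm_remote postfix_key_send`),
	# the lookup tables shipped in the repository (postmapped here), aliases,
	# main.cf and master.cf. The configuration is checked before restart.
	local hint="run vm_remote postfix_key_send before"
	assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
	# NOTE: during the Debian install, select no configuration for postfix
	# (the debconf answer below enforces it for the package installation).
	sudo debconf-set-selections <<-EOF
	postfix postfix/main_mailer_type select No configuration
	EOF
	rule apt_get_install postfix
	# Generated *.db maps are kept out of etckeeper's history.
	sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
	*.db
	EOF
	sudo install -d -m 771 -o root -g root \
	 /etc/postfix/ \
	 /etc/postfix/$vm_domainname/ \
	 /etc/postfix/$vm_domainname/smtp \
	 /etc/postfix/$vm_domainname/smtp/x509 \
	 /etc/postfix/$vm_domainname/smtp/x509/ca \
	 /etc/postfix/$vm_domainname/smtpd \
	 /etc/postfix/$vm_domainname/smtpd/x509 \
	 /etc/postfix/$vm_domainname/smtpd/x509/ca
	sudo ln -fns \
	 ../crt+crl.self-signed.pem \
	 /etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
	# Public certificate material only; the key is never copied by this rule.
	# (The self-signed crt+crl was previously installed twice with identical
	# arguments; the duplicate is dropped.)
	sudo install -m 400 -o root -g root \
	 "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \
	 /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
	sudo install -m 400 -o root -g root \
	 "$tool"/var/pub/x509/smtpd.$vm_domainname/crt.pem \
	 /etc/postfix/$vm_domainname/smtpd/x509/crt.pem
	sudo install -m 400 -o root -g root \
	 "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+ca.pem \
	 /etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/postfix/$vm_domainname/header_checks \
	 /etc/postfix/$vm_domainname/header_checks
	# root's mail (cron output, security notices) is forwarded to every
	# member of the sudo group. A "root:" line without a target is not a
	# valid alias, so it is only written when the group has members.
	local admins
	admins=$(getent group sudo | cut -f 4 -d : | tr , ' ')
	sudo install -m 664 -o root -g root /dev/stdin \
	 /etc/postfix/aliases <<-EOF
	# See man 5 aliases for format
	abuse: root
	admin: root
	contact: root
	mailer-daemon: root
	postmaster: root
	${admins:+root: $admins}
	EOF
	sudo newaliases -oA/etc/postfix/aliases
	# Identity settings are prepended to the repository's main.cf.
	cat /dev/stdin "$tool"/etc/postfix/main.cf <<-EOF |
	mydomain = $vm_domainname
	myorigin = \$mydomain
	myhostname = $vm_hostname.\$mydomain
	mail_name = \$myhostname
	mydestination = $vm_hostname \$myhostname \$myorigin
	EOF
	sudo install -m 664 -o root -g root /dev/stdin \
	 /etc/postfix/main.cf
	sudo install -m 664 -o root -g root \
	 "$tool"/etc/postfix/master.cf \
	 /etc/postfix/master.cf
	# Lookup tables: install the source, then rebuild the hash: database.
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/postfix/$vm_domainname/smtp/x509/policy \
	 /etc/postfix/$vm_domainname/smtp/x509/policy
	sudo postmap hash:/etc/postfix/$vm_domainname/smtp/x509/policy
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/postfix/$vm_domainname/smtp/header_checks \
	 /etc/postfix/$vm_domainname/smtp/header_checks
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/postfix/$vm_domainname/smtpd/sender_access \
	 /etc/postfix/$vm_domainname/smtpd/sender_access
	sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/sender_access
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/postfix/$vm_domainname/smtpd/client_blacklist \
	 /etc/postfix/$vm_domainname/smtpd/client_blacklist
	sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/client_blacklist
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/postfix/$vm_domainname/smtpd/relay_clientcerts \
	 /etc/postfix/$vm_domainname/smtpd/relay_clientcerts
	sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/relay_clientcerts
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/postfix/$vm_domainname/transport \
	 /etc/postfix/$vm_domainname/transport
	sudo postmap hash:/etc/postfix/$vm_domainname/transport
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/postfix/$vm_domainname/virtual_alias \
	 /etc/postfix/$vm_domainname/virtual_alias
	sudo postmap hash:/etc/postfix/$vm_domainname/virtual_alias
	# Do not restart on a broken configuration: `set -e` aborts the rule here
	# and the running postfix keeps its previous, working settings.
	sudo postfix check
	sudo service postfix restart
}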
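rule_postgresql_configure () {
	# Installs PostgreSQL 9.1, creates the "main" cluster on first run and
	# installs the repository's postgresql.conf before restarting the server.
	rule apt_get_install postgresql-9.1
	if [ ! -d /var/lib/postgresql/9.1/ ]; then
		# Needs root like every other privileged step of this script; it was
		# the only one run without sudo, which aborts the rule for a non-root
		# admin.
		sudo pg_createcluster -u postgres --start 9.1 main
	fi
	# The server process runs as "postgres" and reads this file itself, so the
	# file must be readable by that account: root:root 660 (the previous
	# setting) left it unreadable and the restart below failing.
	sudo install -m 640 -o postgres -g postgres \
	 "$tool"/etc/postgresql/9.1/main/postgresql.conf \
	 /etc/postgresql/9.1/main/postgresql.conf
	sudo service postgresql restart
}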
rule_openerp_configure () {
	# Registers the OpenERP nightly APT repository and installs the package.
	# SECURITY: the repository is fetched over plain http:// and this rule
	# configures no archive signing key, so APT cannot authenticate what it
	# downloads from it (apt-get warns that the packages cannot be
	# authenticated and asks before installing them). Import the archive's
	# key, or point at a signed mirror, before relying on this rule.
	local list=/etc/apt/sources.list.d/openerp.list
	printf '%s\n' 'deb http://nightly.openerp.com/trunk/nightly/deb/ ./' |
	sudo install -m 660 -o root -g root /dev/stdin "$list"
	sudo apt-get update
	rule apt_get_install openerp
}
rule_postgrey_configure () {
	# Installs the postgrey greylisting daemon and restarts it. Whether postfix
	# consults it is decided by the repository's main.cf, not here.
	local daemon=postgrey
	rule apt_get_install "$daemon"
	sudo service "$daemon" restart
}
rule_procmail_configure () {
	# Installs procmail and seeds /etc/skel with the per-user mail layout
	# (configuration under etc/mail, state under var/), so that every account
	# created afterwards starts with the repository's delivery.procmailrc.
	local skel=/etc/skel
	local dir
	rule apt_get_install procmail
	for dir in etc/mail var/cache/mail var/log/mail var/mail
	do sudo install -d -m 770 -o root -g root "$skel"/"$dir"
	done
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/skel/etc/mail/delivery.procmailrc \
	 "$skel"/etc/mail/delivery.procmailrc
}
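rule_runit_configure () {
	# Installs runit and synchronises /etc/sv and /etc/service with
	# $tool/etc/sv/*: each service gets its run script (and log/run when
	# present), is enabled only if its optional ./configure hook succeeds,
	# and is restarted.
	rule apt_get_install runit
	local sv
	local -; set +f
	# /etc/service is root-owned: rm, ln and sv below were the only commands
	# of this rule run without sudo, which aborts it (set -e) for a non-root
	# admin while every other step uses sudo.
	sudo rm -f /etc/service/*
	# NOTE: runsvdir stops the services that no longer appear here.
	for sv in "$tool"/etc/sv/*
	do sv=${sv#"$tool"/etc/sv/}
		sudo install -d -m 770 -o root -g root \
		 /etc/sv/"$sv"
		sudo install -m 770 -o root -g root \
		 "$tool"/etc/sv/"$sv"/run \
		 /etc/sv/"$sv"/run
		if test -e "$tool"/etc/sv/"$sv"/log/run
		then
			sudo install -d -m 770 -o root -g root \
			 /etc/sv/"$sv"/log
			sudo install -m 770 -o root -g root \
			 "$tool"/etc/sv/"$sv"/log/run \
			 /etc/sv/"$sv"/log/run
		fi
		# A failing configure hook leaves the service unlinked (disabled).
		if test ! -x "$tool"/etc/sv/"$sv"/configure ||
		   "$tool"/etc/sv/"$sv"/configure
		then
			sudo ln -fns ../sv/"$sv" /etc/service/"$sv"
			# NOTE(review): runsvdir only rescans /etc/service periodically,
			# so `sv restart` can fail on a freshly linked service because
			# its runsv is not up yet; confirm this is tolerable here.
			sudo sv restart "$sv"
		fi
	done
}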
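rule_ssh_configure () {
	# Generates the VM's RSA host key when the repository's known_hosts has no
	# RSA entry for it yet, drops the DSA/ECDSA keys Debian generated, writes
	# a public-key-only sshd_config, checks it and restarts sshd.
	ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	( while IFS= read -r line
	  do case $line in (*" RSA") exit 0;; esac
	  done; exit 1 ) ||
	sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
	# NOTE(review): ssh-keygen asks before overwriting an existing
	# ssh_host_rsa_key, which would block a non-interactive run; confirm the
	# known_hosts check above always covers that case.
	# Only the RSA key is kept (see HostKey below).
	sudo rm -f \
	 /etc/ssh/ssh_host_dsa_key \
	 /etc/ssh/ssh_host_dsa_key.pub \
	 /etc/ssh/ssh_host_ecdsa_key \
	 /etc/ssh/ssh_host_ecdsa_key.pub
	# NOTE: keys generated by Debian
	# Password, challenge-response, host-based, Kerberos/GSSAPI and X11 are
	# all off: the only way in is a public key listed in
	# ~/etc/ssh/authorized_keys (installed root-owned by rule user_add).
	# Changes from the previous configuration:
	#  - Compression delayed: "yes" enabled compression before
	#    authentication; "delayed" (sshd's own default) only enables it once
	#    the user is authenticated.
	#  - PermitRootLogin without-password: root is reached by key only (its
	#    authorized_keys is built by rule user_root_configure). Password
	#    login for root was already impossible with the settings below; this
	#    states it at the root-login level as well.
	# KeyRegenerationInterval and ServerKeyBits only apply to protocol 1,
	# which is disabled: they are inert.
	sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
	Port 22
	ListenAddress $vm_ipv4
	#ListenAddress ::
	Protocol 2
	Compression delayed
	HostKey /etc/ssh/ssh_host_rsa_key
	UsePrivilegeSeparation yes
	KeyRegenerationInterval 3600
	ServerKeyBits 768
	SyslogFacility AUTH
	LogLevel INFO
	LoginGraceTime 120
	PermitRootLogin without-password
	StrictModes yes
	RSAAuthentication yes
	PubkeyAuthentication yes
	AuthorizedKeysFile %h/etc/ssh/authorized_keys
	IgnoreRhosts yes
	RhostsRSAAuthentication no
	HostbasedAuthentication no
	IgnoreUserKnownHosts no
	PermitEmptyPasswords no
	ChallengeResponseAuthentication no
	PasswordAuthentication no
	KerberosAuthentication no
	GSSAPIAuthentication no
	X11Forwarding no
	X11DisplayOffset 10
	PrintMotd no
	DebianBanner no
	PrintLastLog yes
	TCPKeepAlive yes
	ClientAliveInterval 0
	AcceptEnv LANG LC_*
	Subsystem sftp /usr/lib/openssh/sftp-server
	UsePAM yes
	EOF
	# Validate before restarting: a bad sshd_config would otherwise take the
	# admin's only (remote) way back into the VM down with it.
	sudo sshd -t
	sudo service ssh restart
}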
rule_sysctl_configure () {
	# Copies every $tool/etc/sysctl.d/*.conf into /etc/sysctl.d and applies
	# the whole sysctl configuration. Files present on the VM but absent from
	# the repository are left untouched.
	local src=$tool/etc/sysctl.d
	local conf
	local -; set +f
	for conf in "$src"/*.conf
	do sudo install -m 660 -o root -g root \
	    "$conf" \
	    /etc/sysctl.d/"${conf##*/}"
	done
	sudo sysctl --system
}
rule_tmpfs_configure () {
	# Writes /etc/default/tmpfs (RAM-backed /tmp, /run/lock and /dev/shm with
	# size caps) and enables the repository's own tmpfs init script, which
	# presumably is what consumes these settings.
	local defaults=/etc/default/tmpfs
	local initscript=/etc/init.d/tmpfs
	# NOTE(review): TMP_MODE carries mount options after the mode; if the init
	# script splices it into the mount options as written, /tmp is mounted
	# without nodev,nosuid -- worth adding there.
	sudo install -m 644 -o root -g root /dev/stdin "$defaults" <<-EOF
	LOCK_SIZE=5242880 # NOTE: 5MiB
	RAMLOCK=yes
	RAMSHM=yes
	RAMTMP=yes
	RUN_SIZE=10%
	SHM_SIZE=
	TMP_MODE=1777,nr_inodes=1000k,noatime
	TMP_OVERFLOW_LIMIT=1024
	# NOTE: mount tmpfs on /tmp if there is less than the limit size (in kiB)
	# on the root filesystem (overriding RAMTMP).
	TMP_SIZE=200m
	TMPFS_SIZE=20%VM
	EOF
	sudo install -m 775 -o root -g root \
	 "$tool"/etc/init.d/tmpfs \
	 "$initscript"
	sudo update-rc.d tmpfs defaults
}
rule_time_configure () {
	# Pins the timezone to Europe/Paris both in /etc/timezone and in debconf
	# (so that reconfiguring tzdata agrees), then installs ntp for clock sync.
	local zone=Europe/Paris
	printf '%s\n' "$zone" |
	sudo install -m 644 -o root -g root /dev/stdin /etc/timezone
	sudo debconf-set-selections <<-EOF
	tzdata tzdata/Areas select ${zone%/*}
	tzdata tzdata/Zones/Europe select ${zone#*/}
	EOF
	rule dpkg_reconfigure tzdata
	rule apt_get_install ntp
}
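rule_user_add () { # SYNTAX: $user
	# Creates a regular account whose SSH access is the public key kept in the
	# repository; the account has no password until its owner sets one with
	# passwd-init.
	rule user_configure
	local user=$1 home
	getent passwd "$user" >/dev/null ||
	sudo adduser --disabled-password "$user"
	# NOTE: the password must be initialised by the user with passwd-init.
	# The home directory is read from the passwd database rather than with
	# `eval home=~$user`: eval executed any shell metacharacter present in
	# $user, and ~name expands to itself for an unknown account.
	home=$(getent passwd "$user" | cut -d : -f 6)
	assert 'test "${home:+set}"'
	sudo adduser "$user" users
	# root-owned and not writable by the account: keys are managed from the
	# repository, not by the user (sshd accepts a root-owned authorized_keys
	# under StrictModes).
	sudo install -m 640 -o root -g root \
	 "$tool"/var/pub/ssh/"$user".key \
	 "$home"/etc/ssh/authorized_keys
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo -u "$user" gpg --import - <"$key"
	done
}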
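rule__sudoers_install () { # SYNTAX: $name  (fragment on stdin)
	# Installs one /etc/sudoers.d fragment only after visudo accepted it: a
	# fragment with a syntax error makes sudo refuse every command, which on
	# a VM where root has no password locks every admin out. The staging
	# name contains a dot, which sudo ignores while the file exists.
	local name=$1 tmp
	tmp=$(sudo mktemp /etc/sudoers.d/."$name".XXXXXX)
	# 0440 is the mode sudo documents for sudoers files (was 0640 before).
	sudo install -m 440 -o root -g root /dev/stdin "$tmp"
	if sudo visudo -c -f "$tmp"
	then sudo mv -f "$tmp" /etc/sudoers.d/"$name"
	else sudo rm -f "$tmp"; return 1
	fi
}
rule_user_configure () {
	# Account policy shared by every user: adduser defaults, the /etc/skel
	# layout (dotfiles live under etc/ and are reached through symlinks),
	# the sudo rules that let a fresh account set its own password, and the
	# shell defaults. Idempotent; called by the user_*_add rules.
	sudo install -m 660 -o root -g root /dev/stdin \
	 /etc/adduser.conf <<-EOF
	ADD_EXTRA_GROUPS=1
	DHOME=/home
	DIR_MODE=0750
	DSHELL=/bin/bash
	EXTRA_GROUPS="users"
	FIRST_GID=1000
	FIRST_SYSTEM_GID=100
	FIRST_SYSTEM_UID=100
	FIRST_UID=1000
	GROUPHOMES=no
	LAST_GID=29999
	LAST_SYSTEM_GID=999
	LAST_SYSTEM_UID=999
	LAST_UID=29999
	LETTERHOMES=no
	NAME_REGEX="^[a-z][-a-z0-9_.]*\$"
	QUOTAUSER="" # TODO: init
	SETGID_HOME=no
	SKEL=/etc/skel
	SKEL_IGNORE_REGEX="dpkg-(old|new|dist|save)"
	USERGROUPS=yes
	USERS_GID=100
	EOF
	sudo install -d -m 750 -o root -g root \
	 /etc/skel \
	 /etc/skel/etc \
	 /etc/skel/etc/gpg \
	 /etc/skel/etc/ssh
	sudo install -d -m 770 -o root -g root \
	 /etc/skel/var \
	 /etc/skel/var/cache \
	 /etc/skel/var/log \
	 /etc/skel/var/run \
	 /etc/skel/var/run/ssh
	sudo ln -fns etc/ssh /etc/skel/.ssh
	sudo ln -fns etc/gpg /etc/skel/.gnupg
	# Lets a sudo-group member whose account is still locked ("L" in
	# `passwd --status`, i.e. created with --disabled-password) set a
	# password without already having one. sudo matches the command line
	# literally, so this string and the one in /usr/local/bin/passwd-init
	# below must stay byte-identical. SUDO_USER is set by sudo itself and
	# cannot be forged by the caller.
	rule__sudoers_install passwd-init <<-EOF
	%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
	case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
	("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
	EOF
	rule__sudoers_install etckeeper-unclean <<-EOF
	%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
	EOF
	# "=" replaces sudo's built-in env_keep list rather than extending it.
	# Keeping EDITOR is harmless here only because no NOPASSWD rule above
	# runs an editor; revisit if one is ever added.
	rule__sudoers_install env_keep <<-EOF
	Defaults env_keep = " \\
	 EDITOR \\
	 GIT_AUTHOR_NAME \\
	 GIT_AUTHOR_EMAIL \\
	 GIT_COMMITTER_NAME \\
	 GIT_COMMITTER_EMAIL \\
	 "
	EOF
	sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF
	#!/bin/sh -efu
	# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
	sudo /bin/sh -e -f -u -c \
	'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
	EOF
	sudo install -m 644 -o root -g root \
	 "$tool"/etc/bash.bashrc \
	 /etc/bash.bashrc
	sudo install -m 644 -o root -g root \
	 "$tool"/etc/screenrc \
	 /etc/screenrc
}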
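rule_user_admin_add () { # SYNTAX: $user
	# Creates an administrator account: like user_add but the account joins
	# the sudo group (instead of users), and root's configuration is rebuilt
	# so that root's authorized_keys includes the new admin's key.
	rule user_configure
	local user=$1 home
	getent passwd "$user" >/dev/null ||
	sudo adduser --disabled-password "$user"
	# The home directory is read from the passwd database rather than with
	# `eval home=~$user`: eval executed any shell metacharacter present in
	# $user, and ~name expands to itself for an unknown account.
	home=$(getent passwd "$user" | cut -d : -f 6)
	assert 'test "${home:+set}"'
	sudo adduser "$user" sudo
	# root-owned: the key is managed from the repository, not by the user.
	sudo install -m 640 -o root -g root \
	 "$tool"/var/pub/ssh/"$user".key \
	 "$home"/etc/ssh/authorized_keys
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo -u "$user" gpg --import - <"$key"
	done
	rule user_admin_configure
}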
rule_user_admin_configure () {
	# Steps to replay whenever the set of administrators changes, in order:
	# the initramfs, then root's account (its authorized_keys is derived from
	# the sudo group).
	local step
	for step in initramfs_configure user_root_configure
	do rule "$step"
	done
}
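rule_user_root_configure () {
	# Builds root's SSH authorized_keys as the union of every sudo-group
	# member's keys and imports the repository's OpenPGP keys into root's
	# keyring. root has no key of its own: removing someone from the sudo
	# group and re-running this rule revokes their root access.
	sudo install -d -m 750 -o root -g root \
	 /root/etc \
	 /root/etc/gpg \
	 /root/etc/ssh
	sudo ln -fns etc/gpg /root/.gnupg
	sudo ln -fns etc/ssh /root/.ssh
	local keys member home
	# Each member's authorized_keys is root:root 640 inside a 750 home, so it
	# must be read with sudo: without it, cat failed for every account but
	# the caller's own, the loop's subshell died (set -e) and -- the pipeline
	# status being install's -- root silently got a truncated key list.
	# Gathering into a variable first makes any failure abort the rule
	# before anything is written.
	keys=$(
		getent group sudo | cut -d : -f 4 | tr , '\n' |
		while IFS= read -r member
		do test -n "$member" || continue
			home=$(getent passwd "$member" | cut -d : -f 6)
			assert 'test "${home:+set}"'
			sudo cat "$home"/etc/ssh/authorized_keys
		done
	)
	printf '%s\n' "$keys" |
	sudo install -m 640 -o root -g root /dev/stdin /root/etc/ssh/authorized_keys
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo gpg --import "$key"
	done
}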
rule_configure () {
	# Full provisioning of the VM: the rules below run in this order because
	# later ones build on earlier ones (packages and git first, services
	# last). apache2_configure is left out of the list (nginx and php5-fpm
	# serve the sites) but remains available as a standalone rule.
	local step
	for step in \
	 apt_configure \
	 git_configure \
	 etckeeper_configure \
	 locales_configure \
	 time_configure \
	 network_configure \
	 filesystem_configure \
	 login_configure \
	 ssh_configure \
	 user_root_configure \
	 boot_configure \
	 sysctl_configure \
	 user_configure \
	 mail_configure \
	 nginx_configure \
	 php5_fpm_configure \
	 gitolite_configure \
	 runit_configure
	do rule "$step"
	done
}
1377
rule_luks_key_change () {
	# Interactively replaces a passphrase of the encrypted root LV: cryptsetup
	# prompts for the current and the new passphrase itself, so no secret
	# passes through this script or the repository.
	local dev=/dev/$vm_lvm_vg/${vm_lvm_lv}_root
	sudo cryptsetup luksChangeKey "$dev"
}
1381
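# Entry point: `vm_hosted [RULE [ARG...]]`, defaulting to the help rule.
rule=${1:-help}
${1+shift}
case $rule in
(help);;
(*)
	# Every rule but help changes the system: refuse to run unless this
	# really is the VM described by etc/vm.sh (e.g. not the host machine).
	assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
	;;
esac
# Quoted: the rule name comes from the command line and was subject to
# word-splitting before.
rule "$rule" "$@"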