Ajout : vm_hosted : rule_tmpfs_configure .
#!/bin/sh
# vm_hosted — administration rules run from inside the hosted VM.
# SYNTAX: vm_hosted RULE [ARGS...]   (rule_help lists the rules)
# ENVIRONMENT: DRY_RUN, when set, adds -n: the script is only parsed.
set -e -f ${DRY_RUN:+-n} -u
# Follow $0 through symlinks (rule_git_configure installs
# /usr/local/sbin/vm -> .../vm_hosted) down to the checkout directory,
# which holds lib/ and etc/.
# NOTE(review): readlink returns a relative link target as-is, so only
# absolute symlinks resolve correctly here; the installed ones are absolute.
tool=$0
while [ -L "$tool" ]
do	tool=$(readlink "$tool")
done
tool=${tool%/*}
. "$tool"/lib/rule.sh
. "$tool"/etc/vm.sh
10
rule_help () { # SYNTAX: [--hidden]
	# Prints this tool's usage on stderr: a description, the rules found in
	# etc/vm.sh and in this script (each with its trailing "# SYNTAX:"
	# comment), and the readonly settings of etc/vm.sh.  Rules whose name
	# starts with an underscore (rule__*) are left out unless an argument
	# (--hidden) is given.  Reads $tool, $vm_fqdn and $vm_host.
	local hidden
	case ${1:-} in
	('') hidden=set;;
	esac
	{
		cat <<-EOF
		DESCRIPTION:
		ce script regroupe des règles pour administrer la VM ($vm_fqdn)
		_depuis_ la VM hébergée ($vm_fqdn) ;
		il sert à la fois d'outil (aisément bidouillable)
		et de documentation (préçise).
		Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
		SYNTAX: $0 \$RULE \${RULE}_SYNTAX
		RULES:
		$(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
		ENVIRONMENT:
		TRACE # affiche les commandes avant leur exécution
		$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
		EOF
	} >&2
}
28
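rule_git_configure () {
	# Makes this checkout track its own remotes/master (git pull merges
	# refs/remotes/master) and publishes the script as
	# /usr/local/sbin/vm_hosted and /usr/local/sbin/vm.  Note that root's
	# `vm` then runs whatever this working tree contains.
	# Runs in a subshell so the cd does not leak into the caller.
	(
		cd "$tool"
		git config --replace branch.master.remote .
		git config --replace branch.master.merge refs/remotes/master
		# The links need an absolute target: take it from pwd after the cd
		# above, rather than re-entering "$tool" from inside itself, which
		# fails whenever $tool is a relative path other than ".".
		local abs_tool
		abs_tool=$(pwd)
		sudo ln -fns "$abs_tool"/vm_hosted /usr/local/sbin/
		sudo ln -fns "$abs_tool"/vm_hosted /usr/local/sbin/vm
	)
}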
rule_git_reset () {
	# Throws away every local change in the checkout: master is forced onto
	# remotes/master and all untracked files are removed, ignored ones
	# included (-x).  Subshell, so the caller's cwd is untouched.
	(
		cd "$tool" &&
		git checkout -f -B master remotes/master &&
		git clean -f -d -x
	)
}
47
rule_apt_get_install () { # SYNTAX: $package
	# Installs the given packages through sudo; DEBIAN_FRONTEND=noninteractive
	# keeps debconf from prompting (answers come from debconf-set-selections).
	local frontend=noninteractive
	sudo DEBIAN_FRONTEND="$frontend" apt-get install "$@"
}
rule_dpkg_reconfigure () { # SYNTAX: $package
	# Re-runs the configuration step of the given packages through sudo,
	# without debconf prompts (DEBIAN_FRONTEND=noninteractive).
	local frontend=noninteractive
	sudo DEBIAN_FRONTEND="$frontend" dpkg-reconfigure "$@"
}
54
rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
	# Switches this shell to the C locale and re-reads /etc/profile; the
	# leading underscore keeps the rule out of rule_help's default listing.
	# (The signature comment, printed by rule_help, asks whether this is
	# ever useful.)
	LANG=C
	LC_CTYPE=C
	export LANG LC_CTYPE
	. /etc/profile
}
60
rule_apache2_configure () {
	# Installs Apache with the ITK MPM and mod_php, writes the shared
	# configuration from etc/apache2/, then generates one VirtualHost per
	# etc/apache2/site.d/$port.$site/VirtualHost.conf, each with its own
	# system account and its log/pub directories under /home/www.
	# Reads $tool and $vm_fqdn; $user and $home are used below but not set
	# in this rule (presumably from etc/vm.sh — confirm).
	local -; set +f	# local - scopes the option change; +f re-enables globbing for site.d/*/
	rule apt_get_install \
		apache2-mpm-itk \
		libapache2-mod-php5
	# SEE: http://serverfault.com/questions/383526/how-do-i-select-which-apache-mpm-to-use/383634#383634
	# SEE: http://jkroon.blogs.uls.co.za/it/security/using-php-fpm-and-mod_proxy_fcgi-to-optimize-and-secure-lamp-servers
	# NOTE: apache2-mpm-itk looks like the most secure option,
	# since everything is guaranteed to run with the uid/gid
	# assigned to the VirtualHost/Directory/Location;
	# still, a combination such as
	# apache2-mpm-{worker,event} + mod_proxy_fcgi + apache2-suexec-custom + php-fpm
	# might perform better (threads rather than forks),
	# although suexec seems to force forks anyway..
	# and mod_proxy_fcgi only appears in apache 2.4;
	# so for now: apache2-mpm-itk
	rule www_configure
	# Prepend ServerName to the shipped apache2.conf; all global config
	# files are installed root:root 0660 (not world-readable).
	cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF |
	ServerName "$vm_fqdn"
	EOF
	sudo install -m 660 -o root -g root /dev/stdin \
		/etc/apache2/apache2.conf
	sudo install -m 660 -o root -g root \
		"$tool"/etc/apache2/envvars \
		/etc/apache2/envvars
	sudo install -m 660 -o root -g root \
		"$tool"/etc/apache2/httpd.conf \
		/etc/apache2/httpd.conf
	#sudo install -m 660 -o root -g root /dev/stdin \
	#	/etc/apache2/suexec/www-data <<-EOF
	#	/home
	#	pub/www/cgi
	#	EOF
	sudo install -m 660 -o root -g root \
		"$tool"/etc/apache2/ports.conf \
		/etc/apache2/ports.conf
	sudo a2enmod actions
	sudo a2enmod headers
	sudo a2enmod rewrite
	sudo a2enmod ssl
	sudo a2enmod userdir
	local conf
	# Disable every site, then re-enable exactly those described in site.d/.
	sudo a2dissite "*"
	sudo ln -fns \
		/etc/apache2 \
		/home/www/etc/apache2
	for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf
	do	conf=${conf#"$tool"/etc/apache2/site.d/}
		# site.d/$port.$site/VirtualHost.conf -> port, site
		local port site
		IFS=. read -r port site <<-EOF
		${conf%\/VirtualHost\.conf}
		EOF
		assert 'test "${site:+set}"'
		assert 'test "${port:+set}"'
		# One system account per site, also used as its directory name.
		local site_user="$user.$port.$site"
		local site_dir="$user.$port.$site"
		case $port in
		(443)
			# The private key never travels with the checkout: it must have
			# been sent beforehand; certificates do come from var/pub/x509/$site/.
			local hint="run vm_remote apache2_key_send before"
			assert "sudo test -f /etc/apache2/site.d/\"$site_dir\"/x509/key.pem" hint
			sudo install -d -m 770 -o "$user" -g "$user" \
				/etc/apache2 \
				/etc/apache2/site.d/"$site_dir" \
				/etc/apache2/site.d/"$site_dir"/x509 \
				/etc/apache2/site.d/"$site_dir"/x509/ca \
				/etc/apache2/site.d/"$site_dir"/x509/empty \
				/etc/apache2/site.d/"$site_dir"/x509/rvk \
				/etc/apache2/site.d/"$site_dir"/x509/usr
			sudo install -m 664 -o www -g www \
				"$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
				/etc/apache2/site.d/"$site_dir"/x509/crt.self-signed.pem
			#sudo install -m 664 -o "$user" -g "$user" \
			#	"$tool"/var/pub/x509/"$site"/rvk.pem \
			#	/etc/apache2/site.d/"$site_dir"/x509/rvk.pem
			sudo install -m 664 -o www -g www \
				"$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \
				/etc/apache2/site.d/"$site_dir"/x509/ca/crt.pem
			sudo install -m 664 -o www -g www \
				"$tool"/var/pub/x509/"$site"/crt.pem \
				/etc/apache2/site.d/"$site_dir"/x509/crt.pem
			;;
		esac
		# Generate the VirtualHost: a fixed header (logs via rotatelogs, the
		# site's own uid/gid through AssignUserID) followed by the per-site
		# VirtualHost.conf.
		# NOTE(review): the 443 template pins SSLProtocol to TLSv1 only and
		# SSLCipherSuite to AES+RSA+SHA256 (no forward secrecy), and sets
		# SSLVerifyClient None while SSLUserName reads the client DN — the
		# per-site VirtualHost.conf presumably tightens this; worth revisiting.
		case $port in
		(80)
			cat <<-EOF
			<VirtualHost *:$port>
			AssignUserID $site_user $site_user
			CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
			#CustomLog "/dev/null" Combined
			DocumentRoot /home/www/pub/$site_dir
			ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
			#ErrorLog "/dev/null"
			ServerName $site
			LogLevel Warn
			$(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
			</VirtualHost>
			EOF
			;;
		(443)
			cat <<-EOF
			<IfModule mod_ssl.c>
			<VirtualHost *:$port>
			AssignUserID $site_user $site_user
			BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0
			BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
			CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
			#CustomLog "/dev/null" Combined
			DocumentRoot /home/www/pub/$site_dir
			ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
			#ErrorLog "/dev/null"
			LogLevel Warn
			ServerName $site
			SSLCACertificateFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
			SSLCACertificatePath /etc/apache2/site.d/$site_dir/x509/usr/
			#SSLCARevocationFile /etc/apache2/site.d/$site_dir/x509/rvk.pem
			SSLCADNRequestFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
			SSLCADNRequestPath /etc/apache2/site.d/$site_dir/x509/empty/
			# NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés
			SSLCARevocationPath /etc/apache2/site.d/$site_dir/x509/rvk/
			SSLCertificateChainFile /etc/apache2/site.d/$site_dir/x509/ca/crt.pem
			SSLCertificateFile /etc/apache2/site.d/$site_dir/x509/crt.pem
			SSLCertificateKeyFile /etc/apache2/site.d/$site_dir/x509/key.pem
			SSLCipherSuite AES+RSA+SHA256
			SSLEngine On
			SSLInsecureRenegotiation Off
			SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars
			SSLProtocol -All +TLSv1
			#SSLRenegBufferSize 262144
			SSLSessionCacheTimeout 1200
			SSLStrictSNIVHostCheck On
			SSLUserName SSL_CLIENT_S_DN_CN
			SSLVerifyClient None
			SSLVerifyDepth 1
			$(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
			</VirtualHost>
			</IfModule>
			EOF
			;;
		esac |
		sudo install -m 660 -o root -g root /dev/stdin \
			/etc/apache2/site.d/"$site_dir"/VirtualHost.conf
		sudo ln -fns \
			../site.d/"$site_dir"/VirtualHost.conf \
			/etc/apache2/sites-available/"$site_dir"
		sudo install -d -m 770 -o "$user" -g "$user" \
			/home/www/log/"$site_dir" \
			/home/www/log/"$site_dir"/apache2
		sudo ln -fns \
			/etc/apache2/site.d/"$site_dir" \
			/home/www/etc/apache2/"$site_dir"
		# The document root is created only once, so site content survives re-runs.
		test -e /home/www/pub/"$site_dir" ||
		sudo install -d -m 770 -o "$user" -g "$user" \
			/home/www/pub/"$site_dir"
		# Site account: no password, no login shell, home on the document root.
		getent passwd "$site_user" >/dev/null ||
		sudo adduser \
			--disabled-password \
			--group \
			--no-create-home \
			--home /home/www/pub/"$site_dir" \
			--shell /bin/false \
			--system \
			"$site_user"
		# Traversal only (--x) down to the document root, then full default
		# rights inside it for the site account.
		sudo setfacl -m u:"$site_user":--x \
			/home/www/ \
			/home/www/pub/ \
			/home/www/pub/"$site_dir"/
		# NOTE(review): $home is not set in this rule and this path differs
		# from /home/www/pub/$site_dir used just above — confirm which is meant.
		sudo setfacl -m d:u:"$site_user":rwx \
			"$home"/pub/www/"$site_dir"/
		# Optional per-site hook, sourced into this shell: it runs with the
		# caller's privileges and sees the locals above.
		test ! -r "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh ||
		. "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh
		test -e /etc/apache2/sites-enabled/"$site_dir" ||
		sudo a2ensite "$site_dir"
	done
	sudo service apache2 restart
}
rule_apt_configure () {
	# Writes APT's sources (Debian $vm_lsb_name main/contrib/non-free over
	# plain http — integrity then rests on APT's signature checks), a
	# commented-out backports source, and pins both archives (170 and 200,
	# see apt_preferences(5)); refreshes the index, then installs apticron
	# and points its mails at admin@$vm_domainname.
	# Reads $vm_lsb_name and $vm_domainname.
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
	deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
	EOF
	# NOTE(review): this file lands in /etc/apt/ rather than
	# /etc/apt/sources.list.d/, and its only entry is commented out —
	# confirm whether it is meant to be read by apt at all.
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF
	#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
	EOF
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
	Package: *
	Pin: release a=$vm_lsb_name
	Pin-Priority: 170

	Package: *
	Pin: release a=$vm_lsb_name-backports
	Pin-Priority: 200
	EOF
	sudo apt-get update
	# apticron mails pending upgrades; only EMAIL is set, the rest keeps the
	# package defaults (listed commented-out for reference).
	rule apt_get_install apticron
	sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF
	EMAIL="admin@$vm_domainname"
	# DIFF_ONLY="1"
	# LISTCHANGES_PROFILE="apticron"
	# ALL_FQDNS="1"
	# SYSTEM="foobar.example.com"
	# IPADDRESSNUM="1"
	# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
	# NOTIFY_HOLDS="0"
	# NOTIFY_NEW="0"
	# NOTIFY_NO_UPDATES="0"
	# CUSTOM_SUBJECT=""
	# CUSTOM_NO_UPDATES_SUBJECT=""
	# CUSTOM_FROM="root@$vm_fqdn"
	EOF
}
rule_boot_configure () {
	# Sets up booting of the Xen guest: grub-pc preseeded to install on no
	# device at all, the kernel for $vm_arch, a /etc/default/grub whose
	# kernel command line carries the static address (ip=) and the swap
	# resume device, a device.map naming the domU disk, then the initramfs
	# (see rule_initramfs_configure) and molly-guard.
	# Reads $vm, $vm_arch, $vm_fqdn and $vm_ipv4.
	# (Disabled warning, kept for reference: during the Debian install,
	# do not install GRUB on ANY of the offered disks!)
	#warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
	sudo debconf-set-selections <<-EOF
	grub-pc grub-pc/install_devices multiselect
	EOF
	rule apt_get_install grub-pc
	# NOTE(review): 644 on a directory has no search bit; root is unaffected
	# but 755 is the usual mode for /boot/grub — confirm intent.
	sudo install -d -m 644 -o root -g root /boot/grub
	rule apt_get_install linux-image-$vm_arch
	# \` keeps the backticks literal so lsb_release runs when grub reads the file.
	sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF
	GRUB_DEFAULT=0
	GRUB_TIMEOUT=5
	GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
	GRUB_CMDLINE_LINUX_DEFAULT="quiet"
	GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
	GRUB_DISABLE_RECOVERY="true"
	#GRUB_PRELOAD_MODULES="lvm"
	EOF
	# The device-mapper name doubles every '-' of the LVM name, hence the sed.
	sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF
	(hd0) /dev/xvda
	(hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
	EOF
	sudo update-grub2 # NOTE: takes /boot/grub/device.map into account
	rule initramfs_configure
	# molly-guard asks for the hostname before every halt/reboot (see the
	# NOTE inside rc about sudo and the SSH_* variables).
	rule apt_get_install molly-guard
	sudo install -m 644 -o root -g root /dev/stdin /etc/molly-guard/rc <<-EOF
	ALWAYS_QUERY_HOSTNAME=true
	# NOTE: une alternative est de dire à sudo de conserver les SSH_*
	# néamoins demander tout le temps n'est pas trop contraignant
	# et davantage sécurisant.
	EOF
}
rule_dovecot_configure () {
	# Installs Dovecot (IMAP, ManageSieve, Sieve) and configures it for
	# client-certificate authentication: the username comes from the
	# certificate (auth_ssl_username_from_cert) and is checked against each
	# user's own ~/etc/dovecot/passwd, which the dovecot-passwd helper
	# installed below lets them write themselves.  Maildirs live in
	# ~/var/mail; index/control data go to the quota-free
	# /var/lib/dovecot-{index,control}.  Reads $tool and $vm_domainname.
	rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
	# The private key never travels with the checkout: it has to be sent
	# beforehand by vm_remote dovecot_key_send.
	local hint="run vm_remote dovecot_key_send before"
	assert "sudo test -f /etc/dovecot/\"$vm_domainname\"/imap/x509/key.pem" hint
	sudo install -m 400 -o root -g root \
		"$tool"/var/pub/x509/$vm_domainname/imap/crt+crl.self-signed.pem \
		/etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
	sudo install -d -m 770 -o root -g root \
		/etc/skel/etc/mail \
		/etc/skel/etc/sieve
	# 1777: world-writable with the sticky bit, so that the per-user %u
	# directories named in mail_location below can be created — TODO confirm
	# which uid creates them.
	sudo install -d -m 1777 -o root -g root \
		/var/lib/dovecot-control \
		/var/lib/dovecot-index
	# NOTE(review): mail_debug = yes is verbose logging and
	# ssl_cipher_list = AES256-SHA pins a single non-PFS cipher suite;
	# both are worth revisiting.  The \$ escapes keep Dovecot's own
	# $mail_plugins references out of the shell's expansion.
	sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
	auth_ssl_username_from_cert = yes
	listen = *
	log_timestamp = "%Y-%m-%d %H:%M:%S "
	mail_debug = yes
	mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
	# NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
	# VOIR: http://wiki2.dovecot.org/Quota/FS
	mail_plugins = \$mail_plugins quota
	mail_privileged_group = mail
	passdb {
	args = /home/%u/etc/dovecot/passwd
	driver = passwd-file
	}
	plugin {
	quota = fs:user
	recipient_delimiter = +
	sieve = ~/etc/mail/filter.sieve
	sieve_dir = ~/etc/mail/sieve
	sieve_global_dir = /var/lib/dovecot/sieve/global/
	sieve_max_script_size = 1M
	sieve_quota_max_scripts = 0
	sieve_quota_max_storage = 10M
	sieve_user_log = ~/var/log/mail/sieve.log
	}
	protocol imap {
	mail_plugins = \$mail_plugins imap_quota
	}
	protocol lda {
	auth_socket_path = /var/run/dovecot/auth-master
	hostname = $vm_domainname
	info_log_path =
	log_path =
	mail_plugins = \$mail_plugins sieve
	postmaster_address = contact+dovecot+lda@$vm_domainname
	syslog_facility = mail
	}
	protocols = imap sieve
	service auth {
	user = root
	unix_listener /var/spool/postfix/private/auth {
	mode = 0660
	user = postfix
	group = postfix
	}
	}
	ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
	ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
	ssl_cipher_list = AES256-SHA
	ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
	ssl_verify_client_cert = yes
	userdb {
	driver = passwd
	}
	verbose_ssl = no
	EOF
	# Self-service password helper: stores a SHA512-CRYPT hash produced by
	# doveadm pw in the caller's ~/etc/dovecot/passwd (the passdb above).
	# Every $ is escaped so expansion happens when the helper runs, not now.
	sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
	#!/bin/sh -efux
	# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
	install -d -m 770 ~/etc/dovecot
	install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
	\$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
	_EOF
	EOF
	# Empty local recipient whitelist for postgrey.
	sudo install -m 664 -o root -g root /dev/stdin /etc/postgrey/whitelist_recipients.local <<-EOF
	EOF
	sudo service dovecot restart
}
rule_etckeeper_configure () {
	# Keeps /etc under git with etckeeper: daily autocommits and the
	# automatic commit before package installs are turned off, the
	# checkout's prompt.sh is installed next to the configuration, and the
	# package is installed last, on top of the prepared files.
	local conf_file=/etc/etckeeper/etckeeper.conf
	printf '%s\n' \
		'VCS=git' \
		'GIT_COMMIT_OPTIONS=""' \
		'AVOID_DAILY_AUTOCOMMITS=1' \
		'#AVOID_SPECIAL_FILE_WARNING=1' \
		'AVOID_COMMIT_BEFORE_INSTALL=1' \
		'HIGHLEVEL_PACKAGE_MANAGER=apt' \
		'LOWLEVEL_PACKAGE_MANAGER=dpkg' |
	sudo install -m 644 -o root -g root /dev/stdin "$conf_file"
	sudo install -m 644 -o root -g root \
		"$tool"/etc/etckeeper/prompt.sh \
		/etc/etckeeper/prompt.sh
	rule apt_get_install etckeeper
}
rule_filesystem_configure () {
	# Writes fstab and crypttab for the LUKS-on-LVM layout: the root volume
	# is unlocked with a passphrase at boot (key file "none"), and var, home
	# and swap are unlocked with keys derived from it (decrypt_derived),
	# so a single passphrase opens everything.  /home carries user and
	# group quotas; every ext4 volume mounts with acl and barriers.
	# Ends with rule tmpfs_configure (defined elsewhere).
	# Reads $vm_lvm_lv and $vm_lvm_vg.
	sudo install -m 644 -o root -g root /dev/stdin /etc/fstab <<-EOF
	# <file system> <mount point> <type> <options> <dump> <pass>
	LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
	proc /proc proc defaults 0 0
	sysfs /sys sysfs defaults 0 0
	/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
	/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
	/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
	# NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
	/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF
	# <target name> <source device> <key file> <options>
	${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
	${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	EOF
	rule tmpfs_configure
}
rule_initramfs_configure () {
	# Builds the initramfs for remote unlocking of the LUKS volumes: network
	# and busybox inside the initramfs, Xen PV drivers, the crypto modules
	# the volumes need, dropbear with an RSA host key, and a root
	# authorized_keys assembled from every member of group sudo.
	# Reads $tool and $vm_fqdn.
	sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
	MODULES=most
	BUSYBOX=y
	KEYMAP=y
	COMPRESS=gzip
	DEVICE=eth0
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/modprobe.d/xen-pv.conf <<-EOF
	alias eth0 xennet
	alias scsi_hostadapter xenblk
	EOF
	# Hashes and the AES/XTS cipher used by the LUKS volumes.
	sudo install -m 644 -o root -g root /dev/stdin /etc/modules <<-EOF
	sha1_generic
	sha256_generic
	sha512_generic
	aes-x86_64
	xts
	# NOTE: pour Xen en mode HVM :
	#modprobe xen-platform-pci
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF
	EOF
	# NOTE: works around a bug: dropbear must wait for the network to be
	# configured.. (drops the trailing & that backgrounds configure_networking)
	sudo sed -e '/^configure_networking /s/ &$//' \
		-i /usr/share/initramfs-tools/scripts/init-premount/dropbear
	# Keep the dropbear RSA host key only if the checkout's known_hosts
	# already has an entry for init.$vm_fqdn whose line ends in " RSA"
	# (return ends the ( ) subshell with that status; the break after it is
	# never reached); otherwise generate a fresh 4096-bit one.
	ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	( while IFS= read -r line
	  do case $line in (*" RSA") return 0; break;; esac
	  done; return 1 ) ||
	{
		sudo rm -f \
			/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
			/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
		sudo dropbearkey -t rsa -s 4096 -f \
			/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
	}
	# NOTE: does not deal with dropbear_dss_host_key; Debian generates and uses it anyway.
	# NOTE(review): 640 on a directory has no search bit; root is unaffected
	# but 700 is the usual mode for root/.ssh — confirm intent.
	sudo install -d -m 640 -o root -g root \
		/etc/initramfs-tools/root \
		/etc/initramfs-tools/root/.ssh
	# Whoever may sudo may also unlock the disks at boot: concatenate the
	# ~user/etc/ssh/authorized_keys of every member of group sudo.  The two
	# "x" placeholders swallow the password and gid fields; the eval only
	# serves to expand ~$user, with names taken from the local group database.
	getent group sudo |
	while IFS=: read -r group x x users
	do	while test -n "$users" && IFS=, read -r user users <<-EOF
		$users
		EOF
		do	eval local home\; home="~$user"
			cat "$home"/etc/ssh/authorized_keys
		done
	done |
	sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys
	# NOTE: keys generated by Debian
	sudo rm -f \
		/etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
		/etc/initramfs-tools/root/.ssh/id_rsa.pub \
		/etc/initramfs-tools/root/.ssh/id_rsa
	sudo update-initramfs -u
}
rule_gitolite_configure () {
	# Installs gitolite under the "git" system account with its
	# configuration in /etc/gitolite (linked from ~git), a gitolite.rc and
	# a gitweb.conf written from the heredocs below, and runs gl-setup with
	# the public key shipped in var/pub/ssh/; finishes with gitweb.
	# Reads $tool and $vm_domainname.  Every $ meant for Perl is escaped.
	local user=git
	sudo debconf-set-selections <<-EOF
	gitolite gitolite/gituser string $user
	gitolite gitolite/adminkey string
	gitolite gitolite/gitdir string /home/$user
	EOF
	rule apt_get_install gitolite
	# Unlike the other system accounts in this script, git keeps a real
	# shell (/bin/bash).
	getent passwd "$user" >/dev/null ||
	sudo adduser \
		--disabled-password \
		--group \
		--shell /bin/bash \
		--system \
		"$user"
	sudo chfn --full-name "$user" "$user"
	# eval only serves to expand ~$user into the account's home.
	eval local home\; home="~$user"
	sudo install -d -m 770 -o "$user" -g "$user" \
		/etc/gitolite \
		"$home"/etc \
		"$home"/etc/ssh \
		"$home"/pub \
		"$home"/log \
		"$home"/log/gitolite \
		"$home"/log/gitolite/perf
	sudo ln -fns /etc/gitolite "$home"/etc/gitolite
	sudo ln -fns etc/gitolite/gitolite.rc "$home"/.gitolite.rc
	sudo ln -fns etc/ssh "$home"/.ssh
	# Repositories live in ~git/pub (REPO_BASE) with umask 0007.
	sudo install -m 770 -o "$user" -g "$user" /dev/stdin \
		"$home"/etc/gitolite/gitolite.rc <<-EOF
	#\$ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary";
	#\$BIG_INFO_CAP = 20;
	#\$ENV{GL_SLAVES} = 'gitolite@server2 gitolite@server3';
	# NOTE: Please use single quotes, not double quotes.
	#\$GITWEB_URI_ESCAPE = 0;
	\$GIT_PATH = "";
	#\$GL_ADC_PATH = "";
	\$GL_ADMINDIR = \$ENV{HOME} . "/etc/gitolite";
	#\$GL_ALL_INCLUDES_SPECIAL = 0;
	#\$GL_ALL_READ_ALL = 0;
	\$GL_BIG_CONFIG = 0;
	\$GL_CONF = "\$GL_ADMINDIR/conf/gitolite.conf";
	\$GL_CONF_COMPILED = "\$GL_ADMINDIR/conf/gitolite.conf.pm";
	#\$GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups"
	\$GL_GITCONFIG_KEYS = "hooks\\..* repo\\..*";
	#\$GL_HOSTNAME = "git.$vm_domainname";
	# NOTE: read doc/mirroring.mkd COMPLETELY before setting this.
	#\$GL_HTTP_ANON_USER = "mob";
	\$GL_KEYDIR = "\$GL_ADMINDIR/keydir";
	\$GL_LOGT = \$ENV{HOME} . "/log/gitolite/%y-%m-%d.log";
	#\$GL_NICE_VALUE = 0;
	\$GL_NO_CREATE_REPOS = 0;
	\$GL_NO_DAEMON_NO_GITWEB = 0;
	\$GL_NO_SETUP_AUTHKEYS = 0;
	\$GL_PACKAGE_CONF = "/usr/share/gitolite/conf";
	\$GL_PACKAGE_HOOKS = "/usr/share/gitolite/hooks";
	#\$GL_PERFLOGT = \$ENV{HOME} . "/log/gitolite/perf/%y-%m-%d.log";
	#\$GL_REF_OR_FILENAME_PATT = qr(^[0-9a-zA-Z][0-9a-zA-Z._\\@/+ :,-]*\$);
	\$GL_SITE_INFO = "git.$vm_domainname";
	#\$GL_SLAVE_MODE = 0;
	\$GL_WILDREPOS = 0;
	#\$GL_WILDREPOS_DEFPERMS = 'R @all';
	\$GL_WILDREPOS_PERM_CATS = "READERS WRITERS";
	\$HTPASSWD_FILE = "";
	\$PROJECTS_LIST = \$ENV{HOME} . "/projects.list";
	\$REPO_BASE = "pub";
	\$REPO_UMASK = 0007;
	\$RSYNC_BASE = "";
	\$SVNSERVE = "";
	#\$UPDATE_CHAINS_TO = "hooks/update.secondary";
	#\$WEB_INTERFACE = "gitweb";
	1;
	EOF
	# NOTE(review): $site_footer below is a hard-coded path under another
	# account's web tree (/home/fai/...) — confirm it is still the one wanted.
	sudo install -m 770 -o "$user" -g "$user" /dev/stdin \
		"$home"/etc/gitweb/gitweb.conf <<-EOF
	\$commit_oneline_message_width = 70;
	\$default_projects_order = 'age';
	\$default_text_plain_charset = 'UTF-8';
	@diff_opts = ();
	\$favicon = "img/git-favicon.png";
	\$git_temp = "/run/shm/gitweb";
	\$home_footer = "/etc/gitweb/cgi/home-footer.cgi.inc";
	\$home_header = "/etc/gitweb/cgi/home-header.cgi.inc";
	\$home_link = "/";
	\$home_link_str = 'd&eacute;p&ocirc;ts';
	\$home_th_age = 'activit&eacute;';
	\$home_th_descr = 'description';
	\$home_th_owner = 'contact';
	\$home_th_project = 'd&eacute;p&ocirc;t';
	\$javascript = "js/gitweb.js";
	\$logo = "img/git-logo.png";
	\$my_uri = "";
	\$projectroot = "../git";
	\$projects_list = "/etc/gitolite/projects.list";
	\$projects_list_description_width = 42;
	\$projects_list_owner_width = 15;
	\$search_str = "Filtre&nbsp;:";
	\$site_footer = "/home/fai/pub/www/git.autogeree.net/cgi/site-footer.bin";
	\$site_header = undef;
	\$site_name = "git.$vm_domainname";
	\$space_to_nbsp = 0;
	@stylesheets = ("css/gitweb.css");#
	\$untabify_tabstop = 2;
	EOF
	# The key shipped as var/pub/ssh/$user.key is installed as $user.pub and
	# handed to gl-setup (presumably the administrator's public key — confirm).
	sudo install -m 600 -o "$user" -g "$user" \
		"$tool"/var/pub/ssh/"$user".key \
		"$home"/etc/ssh/"$user".pub
	sudo -u "$user" \
		GL_RC="$home"/etc/gitolite/gitolite.rc \
		GIT_AUTHOR_NAME="$user" \
		gl-setup -q "$home"/etc/ssh/"$user".pub "$user"
	# Drop the empty directories gl-setup leaves behind.
	# NOTE(review): rmdir runs without sudo on directories owned by $user
	# (mode 770 above) — confirm the invoking user may remove them.
	local d
	for d in doc logs src
	do	test ! -d "$home"/etc/gitolite/"$d" ||
		rmdir "$home"/etc/gitolite/"$d"
	done
	rule apt_get_install gitweb highlight
	#sudo sv restart spawn-fcgi.git.80.git.heureux-cyclage.org
	#sudo sv restart git-daemon.git.9418
}
rule_locales_configure () {
	# Pre-seeds debconf so that only fr_FR.UTF-8 is generated and no default
	# environment locale is set, then applies it through dpkg-reconfigure
	# without prompting.
	printf '%s\n' \
		'locales locales/default_environment_locale select None' \
		'locales locales/locales_to_be_generated multiselect fr_FR.UTF-8 UTF-8' |
	sudo debconf-set-selections
	rule dpkg_reconfigure locales
}
rule_login_configure () {
	# Console and login policy: an inittab with a getty on the Xen console
	# (hvc0) and runit's runsvdir, a login.defs with umask 007 and SHA512
	# password hashes, pam_umask so the umask also applies to PAM sessions,
	# and hvc0/xvc0 added to securetty so root may log in on the console.
	# The three grep guards make the append steps idempotent: each rewrites
	# the file from its current content plus the missing line.
	sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF
	# /etc/inittab: init(8) configuration.

	# The default runlevel.
	id:2:initdefault:

	# Boot-time system configuration/initialization script.
	# This is run first except when booting in emergency (-b) mode.
	si::sysinit:/etc/init.d/rcS

	# What to do in single-user mode.
	~~:S:wait:/sbin/sulogin

	# /etc/init.d executes the S and K scripts upon change
	# of runlevel.
	#
	# Runlevel 0 is halt.
	# Runlevel 1 is single-user.
	# Runlevels 2-5 are multi-user.
	# Runlevel 6 is reboot.

	l0:0:wait:/etc/init.d/rc 0
	l1:1:wait:/etc/init.d/rc 1
	l2:2:wait:/etc/init.d/rc 2
	l3:3:wait:/etc/init.d/rc 3
	l4:4:wait:/etc/init.d/rc 4
	l5:5:wait:/etc/init.d/rc 5
	l6:6:wait:/etc/init.d/rc 6
	# Normally not reached, but fallthrough in case of emergency.
	z6:6:respawn:/sbin/sulogin

	# What to do when CTRL-ALT-DEL is pressed.
	ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

	# What to do when the power fails/returns.
	pf::powerwait:/etc/init.d/powerfail start
	pn::powerfailnow:/etc/init.d/powerfail now
	po::powerokwait:/etc/init.d/powerfail stop

	# Xen hypervisor console
	hvc:2345:respawn:/sbin/getty 38400 hvc0
	#xvc:2345:respawn:/sbin/getty 38400 xvc0

	#-- runit begin
	SV:123456:respawn:/usr/sbin/runsvdir-start
	#-- runit end
	EOF
	# Password ageing is effectively off (PASS_MAX_DAYS 99999); the UMASK
	# choice is explained in the NOTE inside the file.
	sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF
	MAIL_DIR /var/mail
	FAILLOG_ENAB yes
	LOG_UNKFAIL_ENAB no
	LOG_OK_LOGINS no
	SYSLOG_SU_ENAB yes
	SYSLOG_SG_ENAB yes
	FTMP_FILE /var/log/btmp
	SU_NAME su
	HUSHLOGIN_FILE .hushlogin
	ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
	ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
	# NOTE: met les sbin/ dans ENV_PATH ;
	# - ça n'apporte aucune protection de ne pas les mettre ;
	# - ça frustre de ne pas les trouver.
	TTYGROUP tty
	TTYPERM 0600
	ERASECHAR 0177
	KILLCHAR 025
	UMASK 007
	# NOTE: rwxrwx--- ;
	# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
	# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
	PASS_MAX_DAYS 99999
	PASS_MIN_DAYS 0
	PASS_WARN_AGE 7
	UID_MIN 1000
	UID_MAX 60000
	GID_MIN 1000
	GID_MAX 60000
	LOGIN_RETRIES 3
	LOGIN_TIMEOUT 60
	CHFN_RESTRICT rwh
	DEFAULT_HOME yes
	USERGROUPS_ENAB yes
	ENCRYPT_METHOD SHA512
	EOF
	# pam_umask applies the login.defs UMASK to every PAM session (ssh, su...).
	grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF
	$(cat /etc/pam.d/common-session)
	session optional pam_umask.so
	EOF
	grep -q '^hvc0$' /etc/securetty ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
	$(cat /etc/securetty)
	hvc0
	EOF
	grep -q '^xvc0$' /etc/securetty ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
	$(cat /etc/securetty)
	xvc0
	EOF
}
rule_mail_configure () {
	# Configures the whole mail stack, in this order: postfix (MTA),
	# postgrey (greylisting), procmail (delivery), dovecot (IMAP).
	local service
	for service in postfix postgrey procmail dovecot
	do	rule "$service"_configure
	done
}
rule_mysql_configure () {
	# Installs the MySQL 5.5 server package and restarts the service so it
	# comes up with the packaged defaults.
	local pkg=mysql-server-5.5
	rule apt_get_install "$pkg"
	sudo service mysql restart
}
rule_network_configure () {
	# Names the host ($vm), makes sure /etc/hosts resolves $vm_fqdn and $vm
	# (appended once, guarded by the grep), and writes a static
	# /etc/network/interfaces: a /32 on eth0 (renamed grenode) with the
	# gateway on the same address — the Grenode side answers with proxy_arp,
	# see the NOTE in the template — and MTU 1300 because of the GRE/IPsec
	# tunnels between Grenode's routers (ping evidence kept in the file).
	# Reads $vm, $vm_fqdn and $vm_ipv4.
	sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
	$vm
	EOF
	grep -q " $vm\$" /etc/hosts ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/hosts <<-EOF
	$(cat /etc/hosts)
	127.0.0.1 $vm_fqdn $vm
	EOF
	# \$IFACE and \$((...)) are escaped: the former is expanded by ifupdown,
	# the latter is just quoted shell in the comment.
	sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF
	auto lo
	iface lo inet loopback

	auto eth0=grenode
	iface grenode inet static
	address $vm_ipv4
	gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
	network $vm_ipv4
	broadcast $vm_ipv4
	netmask 255.255.255.255
	mtu 1300
	# NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
	# car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
	#
	# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
	# PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
	# 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
	#
	# --- soupirail.grenode.net ping statistics ---
	# 1 packets transmitted, 1 received, 0% packet loss, time 0ms
	# rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
	# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
	# PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
	# From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
	#
	# --- soupirail.grenode.net ping statistics ---
	# 0 packets transmitted, 0 received, +1 errors
	post-up ip address add $vm_ipv4/32 dev \$IFACE
	pre-down ip address delete $vm_ipv4/32 dev \$IFACE
	EOF
}
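rule_www_configure () {
	# Creates the shared web accounts and the directory layout under /home/www:
	#   www      owns /home/www (751) and /home/www/etc (750, daemon configs)
	#   www-data (Debian's web server user) gets /home/www/pub as its home
	#   log.www  owns /home/www/log; www is added to the log.www group
	# Every privileged step goes through sudo so the rule can run as an
	# ordinary sudoer; the getent guards keep it re-runnable, since adduser
	# fails on an existing account and set -e would then abort the rule.
	getent passwd www >/dev/null ||
	sudo adduser \
		--disabled-login \
		--disabled-password \
		--group \
		--home /home/www \
		--shell /bin/false \
		--system \
		www
	getent passwd log.www >/dev/null ||
	sudo ad
	duser \
		--disabled-login \
		--disabled-password \
		--group \
		--home ~www/log \
		--shell /bin/false \
		--system \
		log.www
	#sudo adduser www www-data
	sudo adduser www log.www
	#sudo adduser log log.www
	sudo usermod --home /home/www/pub www-data
	sudo install -d -m 751 -o www -g www \
		/home/www
	sudo install -d -m 750 -o www -g www \
		/home/www/etc
	# One install per directory: a stray line continuation after
	# /home/www/pub used to run this command into the next one, creating
	# "sudo" and "install" directories and giving pub the log.www ownership.
	sudo install -d -m 1771 -o www-data -g www-data \
		/home/www/pub
	sudo install -d -m 1771 -o log.www -g log.www \
		/home/www/log
}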
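rule_nginx_configure () {
	# Installs nginx, regenerates /etc/nginx/{conf.d,site.d} from the
	# checkout and writes one server block per
	# etc/nginx/site.d/$port.$site/server.conf, each with its own www.$site
	# and log.$site system accounts and directories under /home/www; ends
	# with spawn-fcgi/fcgiwrap, rule tmpfs_configure and a restart.
	# Reads $tool; relies on rule www_configure for the www/log.www accounts.
	local -; set +f	# local - scopes the option change; +f re-enables globbing for the loops
	rule apt_get_install nginx
	rule www_configure
	# Clean slate: conf.d/ and site.d/ are rebuilt from the checkout on
	# every run (so anything placed there by hand, keys included, is lost).
	sudo rm -rf \
		/etc/nginx/conf.d \
		/etc/nginx/site.d
	sudo install -d -m 770 -o www -g www \
		/etc/nginx \
		/etc/nginx/conf.d \
		/etc/nginx/site.d
	sudo ln -fns \
		/etc/nginx \
		/home/www/etc/nginx
	sudo install -m 660 -o www -g www \
		"$tool"/etc/nginx/nginx.conf \
		/etc/nginx/nginx.conf
	local conf
	for conf in "$tool"/etc/nginx/conf.d/*.conf
	do	conf=${conf#"$tool"/etc/nginx/conf.d/}
		sudo install -m 660 -o www -g www \
			"$tool"/etc/nginx/conf.d/"$conf" \
			/etc/nginx/conf.d/"$conf"
	done
	for conf in "$tool"/etc/nginx/site.d/*/server.conf
	do	conf=${conf#"$tool"/etc/nginx/site.d/}
		# site.d/$port.$site/server.conf -> port, site; from here on
		# $site is "$port.$site", the name used for accounts and directories.
		local port site
		IFS=. read -r port site <<-EOF
		${conf%\/server\.conf}
		EOF
		assert 'test "${port:+set}"'
		assert 'test "${site:+set}"'
		site="$port.$site"
		getent passwd www."$site" >/dev/null ||
		sudo adduser \
			--disabled-login \
			--disabled-password \
			--group \
			--home ~www-data/"$site" \
			--shell /bin/false \
			--system \
			www."$site"
		getent passwd log."$site" >/dev/null ||
		sudo adduser \
			--disabled-login \
			--disabled-password \
			--group \
			--shell /bin/false \
			--system \
			log."$site"
		sudo usermod --home ~www/log/"$site"/nginx log."$site"
		sudo install -d -m 770 -o www -g www \
			/etc/nginx/site.d/"$site"
		case $port in
		(443)
			# The private key never travels with the checkout and must have
			# been sent beforehand.
			# NOTE(review): this checks /etc/nginx/$site/x509/key.pem while
			# the server block below reads .../site.d/$site/x509/key.pem
			# (through the /home/www/etc/nginx link), a directory the rm -rf
			# above wipes on each run — confirm where the key is meant to live.
			local hint="run vm_remote nginx_key_send before"
			assert "sudo test -f /etc/nginx/\"$site\"/x509/key.pem" hint
			sudo install -m 664 -o www -g www \
				"$tool"/var/pub/x509/"$site"/crt+ca.pem \
				/etc/nginx/site.d/"$site"/x509/crt.pem
			;;
		esac
		# Fixed header (logs, root, server_name, TLS on 443) followed by the
		# per-site server.conf.  The 443 block allows TLSv1 through TLSv1.2
		# with HIGH:!ADH:!MD5 and server-side cipher preference.
		case $port in
		(80)
			cat <<-EOF
			server {
			listen $port;
			access_log /home/www/log/$site/nginx/access.log main;
			error_log /home/www/log/$site/nginx/error.log warn;
			root /home/www/pub/$site;
			server_name $site;
			$(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
			}
			EOF
			;;
		(443)
			cat <<-EOF
			server {
			listen $port;
			access_log /home/www/log/$site/nginx/access.log main;
			error_log /home/www/log/$site/nginx/error.log warn;
			keepalive_timeout 70;
			root /home/www/pub/$site;
			server_name $site;
			# DOC: http://wiki.nginx.org/HttpSslModule
			ssl on;
			ssl_certificate /home/www/etc/nginx/site.d/$site/x509/crt.pem;
			ssl_certificate_key /home/www/etc/nginx/site.d/$site/x509/key.pem;
			ssl_ciphers HIGH:!ADH:!MD5;
			ssl_prefer_server_ciphers on;
			ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
			ssl_session_cache shared:SSL:10m;
			$(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
			}
			EOF
			;;
		esac |
		sudo install -m 660 -o www -g www /dev/stdin \
			/etc/nginx/site.d/"$site"/server.conf
		# Group membership changes need root like every other account step
		# here (this one used to run without sudo).
		# NOTE(review): the accounts created above are www.$site and log.$site,
		# yet this adduser and the install below use "$site" itself as the
		# group/owner — confirm which name is intended.
		sudo adduser www-data "$site"
		# The document root is created only once, so site content survives re-runs.
		test -e /home/www/pub/"$site" ||
		sudo install -d -m 3770 -o "$site" -g "$site" \
			/home/www/pub/"$site"
		sudo install -d -m 3770 -o log."$site" -g log."$site" \
			/home/www/log/"$site"/nginx
		# Optional per-site hook, sourced into this shell: it runs with the
		# caller's privileges and sees the locals above.
		test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
		. "$tool"/etc/nginx/site.d/"$site"/configure.sh
	done
	rule apt_get_install spawn-fcgi fcgiwrap
	# fcgiwrap is started per site (spawn-fcgi), not by its init script.
	sudo insserv --remove fcgiwrap
	rule tmpfs_configure
	sudo service nginx restart
}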
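rule_php5_fpm_configure () {
	# Installs php5-fpm and deploys one FPM pool per "$tool"/etc/php5/fpm/pool.d/$port.$site.conf
	# (account php5.$port.$site, unix socket under /run/nginx/fastcgi), then restarts php5-fpm.
	# Uses rule (lib/rule.sh), assert and $tool from the script prologue.
	local -; set +f
	rule apt_get_install \
	 php5-fpm \
	 php-apc
	getent passwd php5 >/dev/null ||
	sudo adduser \
	 --disabled-login \
	 --disabled-password \
	 --group \
	 --shell /bin/false \
	 --system \
	 php5
	local conf port site
	# NOTE(review): the pool files below live under /etc/php5/fpm, so this link only resolves
	# if /etc/php5-fpm exists on the VM — confirm.
	sudo ln -fns \
	 /etc/php5-fpm \
	 /home/www/etc/php5
	# Pools are regenerated from scratch so that sites removed from the tool disappear.
	sudo rm -f /etc/php5/fpm/pool.d/*
	for conf in "$tool"/etc/php5/fpm/pool.d/*.conf
	do conf=${conf#"$tool"/etc/php5/fpm/pool.d/}
		# The file name encodes the listening port and the site: $port.$site.conf
		IFS=. read -r port site <<-EOF
${conf%\.conf}
EOF
		assert 'test "${port:+set}"'
		assert 'test "${site:+set}"'
		site="$port.$site"
		# The lookup must use the account name created just below (php5.$site): looking up
		# php5$site never matched, so adduser was re-run and failed on the second pass.
		getent passwd php5."$site" >/dev/null ||
		sudo adduser \
		 --disabled-login \
		 --disabled-password \
		 --group \
		 --no-create-home \
		 --home ~www/pub/"$site" \
		 --shell /bin/false \
		 --system \
		 php5."$site"
		sudo install -d -m 770 -o php5 -g php5 \
		 /home/www/log/php5 \
		 /home/www/log/php5/fpm
		sudo install -d -m 770 -o log."$site" -g log."$site" \
		 /home/www/log/"$site"
		# NOTE(review): neither $user nor $php5_user is set in this file; under set -u both
		# abort the rule unless etc/vm.sh defines them — confirm the intended names.
		sudo adduser php5."$user" www."$site"
		# NOTE(review): the pool logs under /home/www/log/$site/php5/fpm, which nothing above creates.
		sudo install -m 660 -o root -g root /dev/stdin \
		 /etc/php5/fpm/pool.d/"$conf" <<-EOF
[php5.$site]
access.log = /home/www/log/$site/php5/fpm/access.log
catch_workers_output = yes
chdir = /
env[HOSTNAME] = \$HOSTNAME
env[TEMP] = /tmp
env[TMPDIR] = /tmp
env[TMP] = /tmp
group = www-data
listen = /run/nginx/fastcgi/php5.$site
#listen = 127.0.0.1:9000
#listen.allowed_clients = 127.0.0.1
listen.backlog = -1
pm = dynamic
pm.max_children = 5
pm.max_requests = 200
pm.max_spare_servers = 4
pm.min_spare_servers = 2
pm.start_servers = 3
pm.status_path = /status
request_slowlog_timeout = 5s
request_terminate_timeout = 120s
rlimit_core = unlimited
rlimit_files = 131072
slowlog = /home/www/log/$site/php5/fpm/slow.log
user = $php5_user
$(cat "$tool"/etc/php5/fpm/pool.d/"$conf")
EOF
	done
	# php.ini does not depend on the pool, so it is installed once rather than per pool.
	sudo install -m 664 -o root -g root \
	 "$tool"/etc/php5/fpm/php.ini \
	 /etc/php5/fpm/php.ini
	rule tmpfs_configure
	sudo service php5-fpm restart
}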
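rule_postfix_configure () {
	# Installs postfix with Debian's "No configuration" preset and deploys the MTA
	# configuration for $vm_domainname: x509 material, lookup tables (postmap'ed),
	# aliases, main.cf and master.cf, then restarts postfix.
	# The smtpd private key must already be in place (see the assert hint).
	local hint="run vm_remote postfix_key_send before"
	assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
	#warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
	# Pre-seed debconf so the package does not prompt for a mailer type.
	sudo debconf-set-selections <<-EOF
postfix postfix/main_mailer_type select No configuration
EOF
	rule apt_get_install postfix
	# Generated hash tables are kept out of etckeeper's history.
	sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
*.db
EOF
	# (The original created this directory tree twice; once is enough.)
	sudo install -d -m 770 -o root -g root \
	 /etc/postfix/"$vm_domainname"/ \
	 /etc/postfix/"$vm_domainname"/smtp \
	 /etc/postfix/"$vm_domainname"/smtp/x509 \
	 /etc/postfix/"$vm_domainname"/smtp/x509/ca \
	 /etc/postfix/"$vm_domainname"/smtpd \
	 /etc/postfix/"$vm_domainname"/smtpd/x509 \
	 /etc/postfix/"$vm_domainname"/smtpd/x509/ca
	# The server's own self-signed cert+CRL doubles as the CA file for smtpd.
	sudo ln -fns \
	 ../crt+crl.self-signed.pem \
	 /etc/postfix/"$vm_domainname"/smtpd/x509/ca/crt.pem
	# Public certificate material comes from the tool; the private key is never copied here.
	sudo install -m 400 -o root -g root \
	 "$tool"/var/pub/x509/"$vm_domainname"/smtpd/crt+crl.self-signed.pem \
	 /etc/postfix/"$vm_domainname"/smtpd/x509/crt+crl.self-signed.pem
	sudo install -m 400 -o root -g root \
	 "$tool"/var/pub/x509/"$vm_domainname"/smtpd/crt.pem \
	 /etc/postfix/"$vm_domainname"/smtpd/x509/crt.pem
	sudo install -m 400 -o root -g root \
	 "$tool"/var/pub/x509/"$vm_domainname"/smtpd/crt+ca.pem \
	 /etc/postfix/"$vm_domainname"/smtpd/x509/crt+ca.pem
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/postfix/"$vm_domainname"/header_checks \
	 /etc/postfix/"$vm_domainname"/header_checks
	# Everything administrative lands in root's mailbox; root itself is forwarded to
	# the current members of the sudo group.
	sudo install -m 664 -o root -g root /dev/stdin \
	 /etc/postfix/aliases <<-EOF
# See man 5 aliases for format
abuse: root
admin: root
contact: root
postmaster: root
root: $(getent group sudo | cut -f 4 -d : | tr , ' ')
EOF
	sudo newaliases -oA/etc/postfix/aliases
	# main.cf = host-specific header (here-doc) followed by the shared template.
	cat /dev/stdin "$tool"/etc/postfix/main.cf <<-EOF |
mydomain = $vm_domainname
myorigin = \$mydomain
myhostname = $vm_hostname.\$mydomain
mail_name = \$myhostname
mydestination = $vm_hostname \$myhostname \$myorigin
EOF
	sudo install -m 664 -o root -g root /dev/stdin \
	 /etc/postfix/main.cf
	sudo install -m 664 -o root -g root \
	 "$tool"/etc/postfix/master.cf \
	 /etc/postfix/master.cf
	# Lookup tables: each source file is installed, then compiled with postmap.
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/postfix/"$vm_domainname"/smtp/x509/policy \
	 /etc/postfix/"$vm_domainname"/smtp/x509/policy
	sudo postmap hash:/etc/postfix/"$vm_domainname"/smtp/x509/policy
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/postfix/"$vm_domainname"/smtp/header_checks \
	 /etc/postfix/"$vm_domainname"/smtp/header_checks
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/postfix/"$vm_domainname"/smtpd/sender_access \
	 /etc/postfix/"$vm_domainname"/smtpd/sender_access
	sudo postmap hash:/etc/postfix/"$vm_domainname"/smtpd/sender_access
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/postfix/"$vm_domainname"/smtpd/client_blacklist \
	 /etc/postfix/"$vm_domainname"/smtpd/client_blacklist
	sudo postmap hash:/etc/postfix/"$vm_domainname"/smtpd/client_blacklist
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/postfix/"$vm_domainname"/smtpd/relay_clientcerts \
	 /etc/postfix/"$vm_domainname"/smtpd/relay_clientcerts
	sudo postmap hash:/etc/postfix/"$vm_domainname"/smtpd/relay_clientcerts
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/postfix/"$vm_domainname"/transport \
	 /etc/postfix/"$vm_domainname"/transport
	sudo postmap hash:/etc/postfix/"$vm_domainname"/transport
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/postfix/"$vm_domainname"/virtual_alias \
	 /etc/postfix/"$vm_domainname"/virtual_alias
	sudo postmap hash:/etc/postfix/"$vm_domainname"/virtual_alias
	sudo service postfix restart
}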
rule_postgresql_configure () {
	# Installs PostgreSQL 9.1 from the distribution and restarts the cluster service.
	rule apt_get_install postgresql-9.1
	sudo service postgresql restart
}
rule_openerp_configure () {
	# Adds the OpenERP nightly repository and installs the openerp package.
	# NOTE(review): the repository is a nightly "trunk" build fetched over plain http and no
	# signing key is imported here; apt will only trust it if the key is already present — confirm.
	local list=/etc/apt/sources.list.d/openerp.list
	sudo install -m 660 -o root -g root /dev/stdin "$list" <<-EOF
deb http://nightly.openerp.com/trunk/nightly/deb/ ./
EOF
	sudo apt-get update
	rule apt_get_install openerp
}
rule_postgrey_configure () {
	# Installs the postgrey greylisting daemon and restarts it.
	rule apt_get_install postgrey
	sudo service postgrey restart
}
rule_procmail_configure () {
	# Installs procmail and seeds /etc/skel with the mail directories and the
	# delivery recipe every new account starts with.
	local skel=/etc/skel
	rule apt_get_install procmail
	sudo install -d -m 770 -o root -g root \
	 "$skel"/etc/mail \
	 "$skel"/var/cache/mail \
	 "$skel"/var/log/mail \
	 "$skel"/var/mail
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/skel/etc/mail/delivery.procmailrc \
	 "$skel"/etc/mail/delivery.procmailrc
}
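rule_runit_configure () {
	# Installs runit and rebuilds /etc/sv/$sv (run script, optional log/run) from
	# "$tool"/etc/sv/*, then enables each service through /etc/service/$sv.
	# A service whose optional ./configure fails is left unlinked, so runsvdir stops it.
	# The original body had a bare `else` right before `done`, which is a syntax error
	# and prevented the whole script from being parsed.
	rule apt_get_install runit
	local sv; local -; set +f
	# NOTE: runsvdir will stop the services that no longer appear here.
	# /etc/service is root-owned, so this needs sudo like the rest of the rule.
	sudo rm -f /etc/service/*
	for sv in "$tool"/etc/sv/*
	do sv=${sv#"$tool"/etc/sv/}
		sudo install -d -m 770 -o root -g root \
		 /etc/sv/"$sv"
		sudo install -m 770 -o root -g root \
		 "$tool"/etc/sv/"$sv"/run \
		 /etc/sv/"$sv"/run
		if test -e "$tool"/etc/sv/"$sv"/log/run
		then
			sudo install -d -m 770 -o root -g root \
			 /etc/sv/"$sv"/log
			sudo install -m 770 -o root -g root \
			 "$tool"/etc/sv/"$sv"/log/run \
			 /etc/sv/"$sv"/log/run
		fi
		# The service is enabled when it has no configure script, or when that script succeeds.
		if test ! -x "$tool"/etc/sv/"$sv"/configure ||
		   "$tool"/etc/sv/"$sv"/configure
		then
			sudo ln -fns ../sv/"$sv" /etc/service/"$sv"
			sudo sv restart "$sv"
		fi
	done
}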
rule_ssh_configure () {
	# Deploys the sshd configuration: a single RSA host key, key-based authentication
	# only (no passwords, no challenge-response), authorized_keys relocated to ~/etc/ssh,
	# then restarts sshd.
	# The RSA host key is (re)generated only when "$tool"/etc/openssh/known_hosts has no
	# entry for $vm_fqdn whose line ends in " RSA" (the subshell returns 0 on the first
	# such line, 1 otherwise).
	# NOTE(review): ssh-keygen -F prints the matching known_hosts line itself, which ends
	# with the key material or its comment rather than " RSA" — confirm the pattern ever
	# matches, otherwise the host key is regenerated on every run.
	ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	( while IFS= read -r line
	do case $line in (*" RSA") return 0; break;; esac
	done; return 1 ) ||
	sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
	# Only the RSA host key is kept: the other key pairs are removed.
	sudo rm -f \
	/etc/ssh/ssh_host_dsa_key \
	/etc/ssh/ssh_host_dsa_key.pub \
	/etc/ssh/ssh_host_ecdsa_key \
	/etc/ssh/ssh_host_ecdsa_key.pub
	# NOTE: keys generated by Debian
	# Protocol 2 only: KeyRegenerationInterval, ServerKeyBits, RSAAuthentication and
	# RhostsRSAAuthentication are SSH-1 settings and have no effect with this config.
	# PermitRootLogin yes is combined with PasswordAuthentication no, so root is reachable
	# only with a key listed in /root/etc/ssh/authorized_keys (filled by rule_user_root_configure
	# from the sudo-group members' keys). Listening is restricted to $vm_ipv4 (no IPv6).
	sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
Port 22
ListenAddress $vm_ipv4
#ListenAddress ::
Protocol 2
Compression yes
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/etc/ssh/authorized_keys
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
DebianBanner no
PrintLastLog yes
TCPKeepAlive yes
ClientAliveInterval 0
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
EOF
	sudo service ssh restart
}
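rule_sysctl_configure () {
	# Installs every "$tool"/etc/sysctl.d/*.conf into /etc/sysctl.d and reloads all
	# sysctl settings. The loop variable is local, as in the other *_configure rules.
	local conf; local -; set +f
	for conf in "$tool"/etc/sysctl.d/*.conf
	do conf=${conf#"$tool"/etc/sysctl.d/}
		sudo install -m 660 -o root -g root \
		 "$tool"/etc/sysctl.d/"$conf" \
		 /etc/sysctl.d/"$conf"
	done
	sudo sysctl --system
}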
rule_tmpfs_configure () {
	# Writes Debian's tmpfs defaults (RAMTMP/RAMSHM/RAMLOCK with size limits) and
	# enables the project's tmpfs init script.
	sudo install -m 775 -o root -g root \
	 "$tool"/etc/init.d/tmpfs \
	 /etc/init.d/tmpfs
	sudo update-rc.d tmpfs defaults
	sudo install -m 644 -o root -g root /dev/stdin /etc/default/tmpfs <<-EOF
LOCK_SIZE=5242880 # NOTE: 5MiB
RAMLOCK=yes
RAMSHM=yes
RAMTMP=yes
RUN_SIZE=10%
SHM_SIZE=
TMP_MODE=1777,nr_inodes=1000k,noatime
TMP_OVERFLOW_LIMIT=1024
# NOTE: mount tmpfs on /tmp if there is less than the limit size (in kiB)
# on the root filesystem (overriding RAMTMP).
TMP_SIZE=200m
TMPFS_SIZE=20%VM
EOF
}
rule_time_configure () {
	# Sets the timezone to Europe/Paris (file + debconf, then tzdata reconfigure)
	# and installs ntp for clock synchronisation.
	printf '%s\n' Europe/Paris |
	sudo install -m 644 -o root -g root /dev/stdin /etc/timezone
	sudo debconf-set-selections <<-EOF
tzdata tzdata/Areas select Europe
tzdata tzdata/Zones/Europe select Paris
EOF
	rule dpkg_reconfigure tzdata
	rule apt_get_install ntp
}
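rule_user_add () { # SYNTAX: $user
	# Creates a regular account (no password, member of "users"), installs its SSH
	# public key from "$tool"/var/pub/ssh/$user.key and imports the project's OpenPGP
	# keys into the account's keyring.
	rule user_configure
	local user=$1
	# Reject names outside adduser's NAME_REGEX (^[a-z][-a-z0-9_.]*$) before they reach
	# adduser, sudo or a path.
	case $user in
	('' | [!a-z]* | *[!a-z0-9_.-]*)
		printf 'rule_user_add: invalid user name: %s\n' "$user" >&2
		return 1
		;;
	esac
	# Same existence test as rule_user_admin_add.
	getent passwd "$user" >/dev/null ||
	sudo adduser --disabled-password "$user"
	# NOTE: the password must be initialised by the user with passwd-init.
	# Home directory read from the passwd entry (what ~$user expands to) instead of eval.
	local home
	home=$(getent passwd "$user" | cut -d : -f 6)
	sudo adduser "$user" users
	# NOTE(review): installed root:root 0640, so the account itself cannot read the file;
	# sshd usually reads AuthorizedKeysFile with the user's privileges — confirm logins work.
	sudo install -m 640 -o root -g root \
	 "$tool"/var/pub/ssh/"$user".key \
	 "$home"/etc/ssh/authorized_keys
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo -u "$user" gpg --import - <"$key"
	done
}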
rule_user_configure () {
	# Writes /etc/adduser.conf: private 0750 homes, new users also join "users",
	# uid/gid ranges and the strict NAME_REGEX that rule_user_add relies on.
	# NOTE(review): this file defines rule_user_configure a second time further down;
	# the shell keeps the last definition, so this body is currently never executed and
	# /etc/adduser.conf is never installed — confirm which definition is intended.
	sudo install -m 660 -o root -g root /dev/stdin \
	/etc/adduser.conf <<-EOF
ADD_EXTRA_GROUPS=1
DHOME=/home
DIR_MODE=0750
DSHELL=/bin/bash
EXTRA_GROUPS="users"
FIRST_GID=1000
FIRST_SYSTEM_GID=100
FIRST_SYSTEM_UID=100
FIRST_UID=1000
GROUPHOMES=no
LAST_GID=29999
LAST_SYSTEM_GID=999
LAST_SYSTEM_UID=999
LAST_UID=29999
LETTERHOMES=no
NAME_REGEX="^[a-z][-a-z0-9_.]*\$"
QUOTAUSER="" # TODO: init
SETGID_HOME=no
SKEL=/etc/skel
SKEL_IGNORE_REGEX="dpkg-(old|new|dist|save)"
USERGROUPS=yes
USERS_GID=100
EOF
}
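rule_user_admin_add () { # SYNTAX: $user
	# Creates an administrator account: like rule_user_add but the account joins the
	# sudo group, and the admin-side configuration (initramfs, root keys) is refreshed
	# afterwards so root's authorized_keys picks up the new member.
	rule user_configure
	local user=$1
	# Reject names outside adduser's NAME_REGEX (^[a-z][-a-z0-9_.]*$) before they reach
	# adduser, sudo or a path.
	case $user in
	('' | [!a-z]* | *[!a-z0-9_.-]*)
		printf 'rule_user_admin_add: invalid user name: %s\n' "$user" >&2
		return 1
		;;
	esac
	getent passwd "$user" >/dev/null ||
	sudo adduser --disabled-password "$user"
	# Home directory read from the passwd entry (what ~$user expands to) instead of eval.
	local home
	home=$(getent passwd "$user" | cut -d : -f 6)
	sudo adduser "$user" sudo
	# NOTE(review): installed root:root 0640, so the account itself cannot read the file;
	# sshd usually reads AuthorizedKeysFile with the user's privileges — confirm logins work.
	sudo install -m 640 -o root -g root \
	 "$tool"/var/pub/ssh/"$user".key \
	 "$home"/etc/ssh/authorized_keys
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo -u "$user" gpg --import - <"$key"
	done
	rule user_admin_configure
}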
rule_user_admin_configure () {
	# Refreshes what depends on the set of administrators: the initramfs and root's
	# account (whose authorized_keys is built from the sudo group).
	rule initramfs_configure
	rule user_root_configure
}
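rule_user_configure () {
	# Prepares everything a new account needs: adduser defaults, the /etc/skel layout
	# (dotfiles relocated under etc/ and var/), the sudo rules, the passwd-init helper
	# and the shared bash/screen rc files.
	# This file defined rule_user_configure twice and the shell keeps the last one, so the
	# /etc/adduser.conf install of the earlier definition never ran; it is merged here.
	sudo install -m 660 -o root -g root /dev/stdin \
	 /etc/adduser.conf <<-EOF
ADD_EXTRA_GROUPS=1
DHOME=/home
DIR_MODE=0750
DSHELL=/bin/bash
EXTRA_GROUPS="users"
FIRST_GID=1000
FIRST_SYSTEM_GID=100
FIRST_SYSTEM_UID=100
FIRST_UID=1000
GROUPHOMES=no
LAST_GID=29999
LAST_SYSTEM_GID=999
LAST_SYSTEM_UID=999
LAST_UID=29999
LETTERHOMES=no
NAME_REGEX="^[a-z][-a-z0-9_.]*\$"
QUOTAUSER="" # TODO: init
SETGID_HOME=no
SKEL=/etc/skel
SKEL_IGNORE_REGEX="dpkg-(old|new|dist|save)"
USERGROUPS=yes
USERS_GID=100
EOF
	sudo install -d -m 750 -o root -g root \
	 /etc/skel \
	 /etc/skel/etc \
	 /etc/skel/etc/gpg \
	 /etc/skel/etc/ssh
	sudo install -d -m 770 -o root -g root \
	 /etc/skel/var \
	 /etc/skel/var/cache \
	 /etc/skel/var/log \
	 /etc/skel/var/run \
	 /etc/skel/var/run/ssh
	# ~/.ssh and ~/.gnupg are symlinks into ~/etc so the real files live in one place.
	sudo ln -fns etc/ssh /etc/skel/.ssh
	sudo ln -fns etc/gpg /etc/skel/.gnupg
	# sudo matches the whole argument string, so this NOPASSWD entry permits exactly one
	# command: set the caller's own password, and only while passwd --status reports it
	# locked ("L"). The backslashes are escaped so the sudoers file gets literal line
	# continuations and $SUDO_USER is expanded by sudo's shell, not here.
	sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
EOF
	sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF
%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
EOF
	# Editor and git identity survive sudo so etckeeper commits are attributed correctly.
	sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/env_keep <<-EOF
Defaults env_keep = " \\
EDITOR \\
GIT_AUTHOR_NAME \\
GIT_AUTHOR_EMAIL \\
GIT_COMMITTER_NAME \\
GIT_COMMITTER_EMAIL \\
"
EOF
	# Wrapper invoking the sudoers command above with the exact same argument string.
	sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF
#!/bin/sh -efu
# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
sudo /bin/sh -e -f -u -c \
'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
EOF
	sudo install -m 644 -o root -g root \
	 "$tool"/etc/bash.bashrc \
	 /etc/bash.bashrc
	sudo install -m 644 -o root -g root \
	 "$tool"/etc/screenrc \
	 /etc/screenrc
}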
rule_user_root_configure () {
	# Sets up root's relocated dotfiles (etc/gpg, etc/ssh), builds root's authorized_keys
	# from the keys of every member of the sudo group and imports the project's OpenPGP keys.
	sudo install -d -m 750 -o root -g root \
	/root/etc \
	/root/etc/gpg \
	/root/etc/ssh
	sudo ln -fns etc/gpg /root/.gnupg
	sudo ln -fns etc/ssh /root/.ssh
	# Every sudo-group member's ~/etc/ssh/authorized_keys is concatenated into root's:
	# together with PermitRootLogin yes (rule_ssh_configure) this is what grants root
	# access over SSH, so the sudo group is the authoritative list of admins.
	# The outer read splits the group(5) line; the inner read pops one member at a time
	# from the comma-separated member list (the here-doc is re-read with the remainder).
	# NOTE(review): cat runs without sudo inside the pipeline; if a member's home is not
	# readable by the caller the subshell aborts (set -e) and the remaining members' keys
	# are silently left out of the installed file — confirm.
	getent group sudo |
	while IFS=: read -r group x x users
	do while test -n "$users" && IFS=, read -r user users <<-EOF
$users
EOF
	do eval local home\; home="~$user"
	cat "$home"/etc/ssh/authorized_keys
	done
	done |
	sudo install -m 640 -o root -g root /dev/stdin /root/etc/ssh/authorized_keys
	# Import the project's public OpenPGP keys into root's keyring.
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo gpg --import "$key"
	done
}
rule_configure () {
	# Runs the complete provisioning sequence for the hosted VM, in dependency order;
	# the first failing rule aborts the script (set -e). apache2_configure is
	# deliberately left out of the list.
	local step
	for step in \
	 apt_configure \
	 git_configure \
	 etckeeper_configure \
	 locales_configure \
	 time_configure \
	 network_configure \
	 filesystem_configure \
	 login_configure \
	 ssh_configure \
	 user_root_configure \
	 boot_configure \
	 sysctl_configure \
	 user_configure \
	 mail_configure \
	 nginx_configure \
	 php5_fpm_configure \
	 gitolite_configure \
	 runit_configure
	do rule "$step"
	done
}
1372
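rule_luks_key_change () {
	# Replaces a passphrase of the root LUKS volume /dev/$vm_lvm_vg/${vm_lvm_lv}_root;
	# cryptsetup prompts for the existing and the new passphrase itself.
	# ${var:?} aborts on an empty VG/LV name instead of handing cryptsetup a bogus /dev path.
	sudo cryptsetup luksChangeKey "/dev/${vm_lvm_vg:?}/${vm_lvm_lv:?}_root"
}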
1376
# Dispatch: the first argument names the rule and the rest are passed to it; with no
# argument the help is shown. Every rule except help is refused unless the script
# runs on the hosted VM itself (its FQDN must be $vm_fqdn from etc/vm.sh).
rule=${1:-help}
${1+shift}
if [ "$rule" != help ]
then assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
fi
rule "$rule" "$@"