#!/bin/sh
# Entry point of the "vm_hosted" administration rules (see rule_help).
# -e aborts on the first failing command, -f disables pathname expansion
# (rules that need globbing re-enable it with `local -; set +f`), -u makes
# unset variables fatal, and a non-empty DRY_RUN adds -n so the script is
# only parsed, never executed.
set -e -f ${DRY_RUN:+-n} -u
# Locate the checkout: follow $0 through any chain of symlinks
# (rule_git_configure installs /usr/local/sbin/vm -> .../vm_hosted), then
# keep the directory part. lib/ and etc/ live next to this script.
tool=$0
while [ -L "$tool" ]; do
	tool=$(readlink "$tool")
done
tool=${tool%/*}
. "$tool"/lib/rule.sh
. "$tool"/etc/vm.sh
10
rule_help () { # SYNTAX: [--hidden]
	# Print the usage text on stderr. Without an argument, rules whose name
	# starts with "_" (rule__*) are left out; any argument (conventionally
	# --hidden) lists them too.
	# The RULES and ENVIRONMENT sections are generated by sed from etc/vm.sh
	# and from this very script ($0): a rule is listed together with the
	# "# SYNTAX:" comment found on its signature line, a "readonly" setting
	# with the comment following its closing "}". Those signature-line
	# comments are therefore user-visible output — do not move or reword them.
	local hidden; [ ${1:+set} ] || hidden=set
	cat >&2 <<-EOF
	DESCRIPTION:
	ce script regroupe des règles pour administrer la VM ($vm_fqdn)
	_depuis_ la VM hébergée ($vm_fqdn) ;
	il sert à la fois d'outil (aisément bidouillable)
	et de documentation (préçise).
	Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
	SYNTAX: $0 \$RULE \${RULE}_SYNTAX
	RULES:
	$(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
	ENVIRONMENT:
	TRACE # affiche les commandes avant leur exécution
	$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
	EOF
}
28
rule_git_configure () {
	# Make the checkout's master branch track its own refs/remotes/master
	# (the host pushes there; rule_git_reset resets to it), then expose the
	# script system-wide as /usr/local/sbin/vm_hosted and /usr/local/sbin/vm.
	# Everything runs in a subshell so the caller's cwd is untouched.
	(
	cd "$tool"
	git config --replace branch.master.remote .
	git config --replace branch.master.merge refs/remotes/master
	# The symlinks need an absolute target; $tool may be relative.
	local abs_tool
	abs_tool=$(pwd)
	sudo ln -fns "$abs_tool"/vm_hosted /usr/local/sbin/
	sudo ln -fns "$abs_tool"/vm_hosted /usr/local/sbin/vm
	)
}
rule_git_reset () {
	# DESTRUCTIVE: force master back to what the host last pushed
	# (refs/remotes/master) and delete every untracked and ignored file in
	# the checkout. Local edits to the tool are lost.
	(
	cd "$tool" &&
	git checkout -f -B master remotes/master &&
	git clean -f -d -x
	)
}
47
rule_apt_get_install () { # SYNTAX: $package
	# Install packages as root without debconf prompts. All arguments are
	# passed through, so apt-get options (-y, -t <release>, ...) work too.
	local frontend=noninteractive
	sudo DEBIAN_FRONTEND="$frontend" apt-get install "$@"
}
rule_dpkg_reconfigure () { # SYNTAX: $package
	# Re-run a package's configuration as root, answering from the debconf
	# database only (no prompts) — pair with a debconf-set-selections preseed.
	local frontend=noninteractive
	sudo DEBIAN_FRONTEND="$frontend" dpkg-reconfigure "$@"
}
54
rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
	# Hidden rule (leading underscore). Gives the current shell a plain C
	# locale and reloads /etc/profile — meant for work inside a chroot.
	# The French remark on the signature line is shown by rule_help --hidden
	# and is left as is.
	LANG=C; export LANG
	LC_CTYPE=C; export LC_CTYPE
	. /etc/profile
}
60
rule_apache2_configure () {
	# Apache 2 (Debian 7 era: mpm-itk + mod_php5) serving one VirtualHost per
	# "$tool"/etc/apache2/site.d/<port>.<site>/VirtualHost.conf, each running
	# as its own system user "$user.<port>.<site>" (AssignUserID).
	# $user and $home are not defined in this file — presumably the admin
	# account from etc/vm.sh; most directories below end up owned by it.
	# "local -" scopes the option change; globbing is needed for the site loop.
	local -; set +f
	rule apt_get_install \
		apache2-mpm-itk \
		libapache2-mod-php5
	# SEE: http://serverfault.com/questions/383526/how-do-i-select-which-apache-mpm-to-use/383634#383634
	# SEE: http://jkroon.blogs.uls.co.za/it/security/using-php-fpm-and-mod_proxy_fcgi-to-optimize-and-secure-lamp-servers
	# NOTE: apache2-mpm-itk looks like the safest option, because everything
	# is guaranteed to run with the uid/gid assigned to the
	# VirtualHost/Directory/Location; a combination such as
	# apache2-mpm-{worker,event} + mod_proxy_fcgi + apache2-suexec-custom + php-fpm
	# might perform better (threads rather than forks), but suexec seems to
	# impose forks anyway, and mod_proxy_fcgi only appears in apache 2.4;
	# so for now: apache2-mpm-itk
	rule www_configure
	# Prepend ServerName to the tracked apache2.conf. Config files are 660
	# root:root: only root reads them (apache parses its config before
	# dropping privileges).
	cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF |
	ServerName "$vm_fqdn"
	EOF
	sudo install -m 660 -o root -g root /dev/stdin \
		/etc/apache2/apache2.conf
	sudo install -m 660 -o root -g root \
		"$tool"/etc/apache2/envvars \
		/etc/apache2/envvars
	sudo install -m 660 -o root -g root \
		"$tool"/etc/apache2/httpd.conf \
		/etc/apache2/httpd.conf
	# suexec is not used (see the NOTE above); kept for reference.
	#sudo install -m 660 -o root -g root /dev/stdin \
	#	/etc/apache2/suexec/www-data <<-EOF
	#	/home
	#	pub/www/cgi
	#	EOF
	sudo install -m 660 -o root -g root \
		"$tool"/etc/apache2/ports.conf \
		/etc/apache2/ports.conf
	sudo a2enmod actions
	sudo a2enmod headers
	sudo a2enmod rewrite
	sudo a2enmod ssl
	sudo a2enmod userdir
	local conf
	# Clean slate: every site is (re)enabled by the loop below.
	sudo a2dissite "*"
	# Expose /etc/apache2 under /home/www/etc (created by rule_www_configure).
	sudo ln -fns \
		/etc/apache2 \
		/home/www/etc/apache2
	for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf
	do conf=${conf#"$tool"/etc/apache2/site.d/}
		local port site
		# The directory name is "<port>.<site>", e.g. 443.example.org.
		IFS=. read -r port site <<-EOF
		${conf%\/VirtualHost\.conf}
		EOF
		assert 'test "${site:+set}"'
		assert 'test "${port:+set}"'
		local site_user="$user.$port.$site"
		local site_dir="$user.$port.$site"
		case $port in
		(443)
			# The private key is never in the git checkout: vm_remote
			# apache2_key_send must have put it in place first. (assert and
			# its hint-variable argument come from lib/rule.sh, not shown.)
			local hint="run vm_remote apache2_key_send before"
			assert "sudo test -f /etc/apache2/site.d/\"$site_dir\"/x509/key.pem" hint
			# NOTE(review): this also chowns /etc/apache2 itself to $user
			# with mode 770. Whoever holds $user can then replace any file
			# under /etc/apache2 (apache2.conf, envvars, module config) and
			# is effectively root at the next restart — acceptable only if
			# $user is already the sudo administrator.
			sudo install -d -m 770 -o "$user" -g "$user" \
				/etc/apache2 \
				/etc/apache2/site.d/"$site_dir" \
				/etc/apache2/site.d/"$site_dir"/x509 \
				/etc/apache2/site.d/"$site_dir"/x509/ca \
				/etc/apache2/site.d/"$site_dir"/x509/empty \
				/etc/apache2/site.d/"$site_dir"/x509/rvk \
				/etc/apache2/site.d/"$site_dir"/x509/usr
			# Public material only (tracked under var/pub): the site's
			# self-signed certificate (reused below as the client-certificate
			# CA), the CA chain and the server certificate. The CRL install is
			# commented out and rvk/ stays empty, so no client certificate is
			# ever revoked.
			sudo install -m 664 -o www -g www \
				"$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
				/etc/apache2/site.d/"$site_dir"/x509/crt.self-signed.pem
			#sudo install -m 664 -o "$user" -g "$user" \
			#	"$tool"/var/pub/x509/"$site"/rvk.pem \
			#	/etc/apache2/site.d/"$site_dir"/x509/rvk.pem
			sudo install -m 664 -o www -g www \
				"$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \
				/etc/apache2/site.d/"$site_dir"/x509/ca/crt.pem
			sudo install -m 664 -o www -g www \
				"$tool"/var/pub/x509/"$site"/crt.pem \
				/etc/apache2/site.d/"$site_dir"/x509/crt.pem
			;;
		esac
		# NOTE(review): for a port-80 site nothing above creates
		# /etc/apache2/site.d/$site_dir, yet VirtualHost.conf is installed
		# into it below and install(1) does not create parent directories.
		# Either that directory is provisioned out of band or plain-HTTP
		# sites fail here — verify. Likewise the access/ and error/ log
		# subdirectories used by rotatelogs are not created by this rule.
		case $port in
		(80)
			cat <<-EOF
			<VirtualHost *:$port>
			AssignUserID $site_user $site_user
			CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
			#CustomLog "/dev/null" Combined
			DocumentRoot /home/www/pub/$site_dir
			ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
			#ErrorLog "/dev/null"
			ServerName $site
			LogLevel Warn
			$(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
			</VirtualHost>
			EOF
			;;
		(443)
			# TLS settings emitted verbatim into the VirtualHost:
			# - SSLProtocol "-All +TLSv1" allows TLS 1.0 only — TLS 1.1/1.2
			#   are disabled even where this Apache/OpenSSL supports them.
			#   Consider "-All +TLSv1.2" (or "+TLSv1.1 +TLSv1.2") once the
			#   client base allows it.
			# - SSLCipherSuite "AES+RSA+SHA256" selects RSA key exchange only,
			#   so no session has forward secrecy: whoever later obtains
			#   key.pem can decrypt recorded traffic. ECDHE/DHE suites fix that.
			# - Client certificates: the site's own self-signed cert is the CA
			#   (SSLCACertificateFile) plus anything hashed into x509/usr/;
			#   SSLVerifyClient is "None" at vhost level, so the per-site
			#   VirtualHost.conf is expected to set "require" on the locations
			#   that need it; SSLUserName then maps the cert CN to REMOTE_USER.
			#   SSLVerifyDepth 1 accepts only certs signed directly by that CA;
			#   the SSLCADNRequest* lines advertise only the self-signed cert
			#   as acceptable issuer (see the French NOTE written into the file).
			# - SSLInsecureRenegotiation Off and SSLStrictSNIVHostCheck On are
			#   the right defaults; the BrowserMatch lines are IE 2-9 workarounds.
			cat <<-EOF
			<IfModule mod_ssl.c>
			<VirtualHost *:$port>
			AssignUserID $site_user $site_user
			BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0
			BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
			CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
			#CustomLog "/dev/null" Combined
			DocumentRoot /home/www/pub/$site_dir
			ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
			#ErrorLog "/dev/null"
			LogLevel Warn
			ServerName $site
			SSLCACertificateFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
			SSLCACertificatePath /etc/apache2/site.d/$site_dir/x509/usr/
			#SSLCARevocationFile /etc/apache2/site.d/$site_dir/x509/rvk.pem
			SSLCADNRequestFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
			SSLCADNRequestPath /etc/apache2/site.d/$site_dir/x509/empty/
			# NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés
			SSLCARevocationPath /etc/apache2/site.d/$site_dir/x509/rvk/
			SSLCertificateChainFile /etc/apache2/site.d/$site_dir/x509/ca/crt.pem
			SSLCertificateFile /etc/apache2/site.d/$site_dir/x509/crt.pem
			SSLCertificateKeyFile /etc/apache2/site.d/$site_dir/x509/key.pem
			SSLCipherSuite AES+RSA+SHA256
			SSLEngine On
			SSLInsecureRenegotiation Off
			SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars
			SSLProtocol -All +TLSv1
			#SSLRenegBufferSize 262144
			SSLSessionCacheTimeout 1200
			SSLStrictSNIVHostCheck On
			SSLUserName SSL_CLIENT_S_DN_CN
			SSLVerifyClient None
			SSLVerifyDepth 1
			$(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
			</VirtualHost>
			</IfModule>
			EOF
			;;
		esac |
		sudo install -m 660 -o root -g root /dev/stdin \
			/etc/apache2/site.d/"$site_dir"/VirtualHost.conf
		sudo ln -fns \
			../site.d/"$site_dir"/VirtualHost.conf \
			/etc/apache2/sites-available/"$site_dir"
		# Log directory and DocumentRoot belong to $user (770); the site
		# user only gets what the ACLs below grant.
		sudo install -d -m 770 -o "$user" -g "$user" \
			/home/www/log/"$site_dir" \
			/home/www/log/"$site_dir"/apache2
		sudo ln -fns \
			/etc/apache2/site.d/"$site_dir" \
			/home/www/etc/apache2/"$site_dir"
		test -e /home/www/pub/"$site_dir" ||
		sudo install -d -m 770 -o "$user" -g "$user" \
			/home/www/pub/"$site_dir"
		# One locked-down system account per site — no password, no shell,
		# no home created (home is the DocumentRoot); mpm-itk switches to it.
		getent passwd "$site_user" >/dev/null ||
		sudo adduser \
			--disabled-password \
			--group \
			--no-create-home \
			--home /home/www/pub/"$site_dir" \
			--shell /bin/false \
			--system \
			"$site_user"
		# Traversal only (--x) down to the DocumentRoot for the site user ...
		sudo setfacl -m u:"$site_user":--x \
			/home/www/ \
			/home/www/pub/ \
			/home/www/pub/"$site_dir"/
		# ... and a default ACL giving it rwx on new entries of the admin's
		# tree. NOTE(review): this targets "$home"/pub/www/$site_dir, not
		# /home/www/pub/$site_dir — presumably the admin's working copy that
		# the DocumentRoot links to; confirm, or the ACL lands on the wrong tree.
		sudo setfacl -m d:u:"$site_user":rwx \
			"$home"/pub/www/"$site_dir"/
		# Per-site hook, sourced (not executed) in this shell with sudo at
		# hand: whatever site.d/<site>/configure.sh contains runs as the
		# admin. The git checkout is the trust boundary here.
		test ! -r "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh ||
		. "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh
		test -e /etc/apache2/sites-enabled/"$site_dir" ||
		sudo a2ensite "$site_dir"
	done
	sudo service apache2 restart
}
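rule_apt_configure () {
	# APT sources, release pinning and e-mail notification of pending updates.
	# sources.list now also carries the security suite: without it the VM never
	# receives DSA fixes, and apticron (installed below) never reports them.
	# APT verifies Release signatures, so plain http:// mirrors are acceptable.
	# NOTE: "<release>/updates" is the security suite name up to buster; from
	# bullseye on it is "<release>-security" — adjust when etc/vm.sh moves on.
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
	deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
	deb http://security.debian.org/ $vm_lsb_name/updates main contrib non-free
	EOF
	# Backports are disabled (the line is commented out). NOTE: this file sits
	# in /etc/apt, not /etc/apt/sources.list.d/, so APT would ignore it even
	# if the line were enabled.
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF
	#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
	EOF
	# Pin the release at 170 and backports at 200; both stay below 1000, so
	# APT never downgrades an already installed package.
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
	Package: *
	Pin: release a=$vm_lsb_name
	Pin-Priority: 170

	Package: *
	Pin: release a=$vm_lsb_name-backports
	Pin-Priority: 200
	EOF
	sudo apt-get update
	# apticron mails admin@<domain> whenever upgrades are pending; every other
	# setting is left at the package default (kept commented for reference).
	rule apt_get_install apticron
	sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF
	EMAIL="admin@$vm_domainname"
	# DIFF_ONLY="1"
	# LISTCHANGES_PROFILE="apticron"
	# ALL_FQDNS="1"
	# SYSTEM="foobar.example.com"
	# IPADDRESSNUM="1"
	# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
	# NOTIFY_HOLDS="0"
	# NOTIFY_NEW="0"
	# NOTIFY_NO_UPDATES="0"
	# CUSTOM_SUBJECT=""
	# CUSTOM_NO_UPDATES_SUBJECT=""
	# CUSTOM_FROM="root@$vm_fqdn"
	EOF
}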
rule_boot_configure () {
	# Boot loader, kernel and initramfs for a Xen PV guest. grub-pc is
	# installed but preseeded to write its boot sector to NO device (empty
	# install_devices); the host boots the guest from the guest's own
	# grub.cfg / kernel (pygrub or similar — not shown here).
	#warn "during the Debian install, above all do NOT install GRUB on ANY of the proposed disks!"
	sudo debconf-set-selections <<-EOF
	grub-pc grub-pc/install_devices multiselect
	EOF
	rule apt_get_install grub-pc
	# NOTE(review): mode 644 on a directory has no search (x) bit. root is
	# unaffected (CAP_DAC_OVERRIDE) but no other user can enter /boot/grub;
	# Debian ships it 755. Harmless, but most likely a typo for 755 — or 700
	# if hiding grub.cfg was the intent.
	sudo install -d -m 644 -o root -g root /boot/grub
	rule apt_get_install linux-image-$vm_arch
	# Kernel command line: serial console on hvc0, a static /31 on eth0
	# (ip=client::gateway:netmask:hostname:device:autoconf — the gateway is
	# the VM's own address, see rule_network_configure), resume from the
	# encrypted swap; no recovery menu entry is generated.
	# NOTE(review): resume= names "${vm}_swap_deciphered" whereas crypttab in
	# rule_filesystem_configure creates "${vm_lvm_lv}_swap_deciphered"; both
	# variables come from etc/vm.sh — confirm they hold the same value, or
	# resume points at a mapping that does not exist.
	sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF
	GRUB_DEFAULT=0
	GRUB_TIMEOUT=5
	GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
	GRUB_CMDLINE_LINUX_DEFAULT="quiet"
	GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
	GRUB_DISABLE_RECOVERY="true"
	#GRUB_PRELOAD_MODULES="lvm"
	EOF
	# device.map lists two (hd0) candidates: the Xen virtual disk and the
	# dom0-side device-mapper name (dashes doubled, as dm does). Which of the
	# two GRUB honours when both are present is not established here.
	sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF
	(hd0) /dev/xvda
	(hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
	EOF
	sudo update-grub2 # NOTE: honours /boot/grub/device.map
	rule initramfs_configure
	# molly-guard asks for the hostname before every halt/reboot, even when
	# sudo has stripped the SSH_* variables it would otherwise key on
	# (the French NOTE below is written into /etc/molly-guard/rc as is).
	rule apt_get_install molly-guard
	sudo install -m 644 -o root -g root /dev/stdin /etc/molly-guard/rc <<-EOF
	ALWAYS_QUERY_HOSTNAME=true
	# NOTE: une alternative est de dire à sudo de conserver les SSH_*
	# néamoins demander tout le temps n'est pas trop contraignant
	# et davantage sécurisant.
	EOF
}
rule_dovecot_configure () {
	# IMAP + ManageSieve. Design points, all visible in the config below:
	# - TLS with the domain's self-signed imap certificate; the private key is
	#   not in the checkout (vm_remote dovecot_key_send must have put it there).
	# - Each user keeps their own password hash in ~/etc/dovecot/passwd
	#   (passwd-file passdb), created with the dovecot-passwd helper below.
	# - Quotas come from the filesystem (fs:user; see usrquota on /home in
	#   rule_filesystem_configure); indexes live on an unquota'd partition.
	rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
	local hint="run vm_remote dovecot_key_send before"
	assert "sudo test -f /etc/dovecot/\"$vm_domainname\"/imap/x509/key.pem" hint
	# Public material only (tracked under var/pub), root-readable only anyway.
	sudo install -m 400 -o root -g root \
		"$tool"/var/pub/x509/$vm_domainname/imap/crt+crl.self-signed.pem \
		/etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
	# Skeleton for new accounts: ~/etc/mail and ~/etc/sieve.
	sudo install -d -m 770 -o root -g root \
		/etc/skel/etc/mail \
		/etc/skel/etc/sieve
	# NOTE(review): 1777 lets each user's imap process create its %u
	# subdirectory, but also lets any local user pre-create a directory
	# named after someone else (the sticky bit only blocks deletion). Whether
	# dovecot refuses a directory it does not own is not established here —
	# verify, or create the per-user directories (0700) at account creation.
	sudo install -d -m 1777 -o root -g root \
		/var/lib/dovecot-control \
		/var/lib/dovecot-index
	# Points worth knowing when reading local.conf:
	# - mail_debug = yes is verbose production logging (no secrets, but noisy).
	# - ssl_cipher_list = AES256-SHA: a single RSA-key-exchange CBC suite, so
	#   no forward secrecy; prefer an ECDHE/DHE list once clients allow it.
	# - ssl_verify_client_cert + auth_ssl_username_from_cert: a client cert
	#   chaining to the imap crt+crl bundle supplies the username, but a cert
	#   is not required (no auth_ssl_require_client_cert here).
	# - service auth runs as root so it can read every user's
	#   ~/etc/dovecot/passwd; that file is user-controlled input parsed by a
	#   root process — the price of the self-service password design.
	# - The unix_listener under /var/spool/postfix provides SASL to the MTA
	#   (0660 postfix:postfix).
	sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
	auth_ssl_username_from_cert = yes
	listen = *
	log_timestamp = "%Y-%m-%d %H:%M:%S "
	mail_debug = yes
	mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
	# NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
	# VOIR: http://wiki2.dovecot.org/Quota/FS
	mail_plugins = \$mail_plugins quota
	mail_privileged_group = mail
	passdb {
	args = /home/%u/etc/dovecot/passwd
	driver = passwd-file
	}
	plugin {
	quota = fs:user
	recipient_delimiter = +
	sieve = ~/etc/mail/filter.sieve
	sieve_dir = ~/etc/mail/sieve
	sieve_global_dir = /var/lib/dovecot/sieve/global/
	sieve_max_script_size = 1M
	sieve_quota_max_scripts = 0
	sieve_quota_max_storage = 10M
	sieve_user_log = ~/var/log/mail/sieve.log
	}
	protocol imap {
	mail_plugins = \$mail_plugins imap_quota
	}
	protocol lda {
	auth_socket_path = /var/run/dovecot/auth-master
	hostname = $vm_domainname
	info_log_path =
	log_path =
	mail_plugins = \$mail_plugins sieve
	postmaster_address = contact+dovecot+lda@$vm_domainname
	syslog_facility = mail
	}
	protocols = imap sieve
	service auth {
	user = root
	unix_listener /var/spool/postfix/private/auth {
	mode = 0660
	user = postfix
	group = postfix
	}
	}
	ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
	ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
	ssl_cipher_list = AES256-SHA
	ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
	ssl_verify_client_cert = yes
	userdb {
	driver = passwd
	}
	verbose_ssl = no
	EOF
	# Self-service helper: writes "$USER:<SHA512-CRYPT hash>:::::::" to
	# ~/etc/dovecot/passwd (0640, directory 0770). doveadm prompts for the
	# password on the terminal; the script's -x traces the commands it runs,
	# not the password typed into doveadm.
	sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
	#!/bin/sh -efux
	# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
	install -d -m 770 ~/etc/dovecot
	install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
	\$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
	_EOF
	EOF
	# NOTE(review): this empty whitelist belongs to postgrey, not dovecot; it
	# also needs /etc/postgrey to exist already (install does not mkdir),
	# which rule_mail_configure guarantees by running postgrey_configure first.
	sudo install -m 664 -o root -g root /dev/stdin /etc/postgrey/whitelist_recipients.local <<-EOF
	EOF
	sudo service dovecot restart
}
rule_etckeeper_configure () {
	# Track /etc in git with etckeeper: write our etckeeper.conf and the
	# commit-prompt hook first, then install the package so the packaged
	# conffiles never take effect. Order matters; keep it.
	# (install does not create /etc/etckeeper — it must already exist.)
	local conf_file=/etc/etckeeper/etckeeper.conf
	sudo install -m 644 -o root -g root /dev/stdin "$conf_file" <<-EOF
	VCS=git
	GIT_COMMIT_OPTIONS=""
	AVOID_DAILY_AUTOCOMMITS=1
	#AVOID_SPECIAL_FILE_WARNING=1
	AVOID_COMMIT_BEFORE_INSTALL=1
	HIGHLEVEL_PACKAGE_MANAGER=apt
	LOWLEVEL_PACKAGE_MANAGER=dpkg
	EOF
	local prompt_hook=/etc/etckeeper/prompt.sh
	sudo install -m 644 -o root -g root "$tool"/etc/etckeeper/prompt.sh "$prompt_hook"
	rule apt_get_install etckeeper
}
rule_filesystem_configure () {
	# Disk layout: an unencrypted ext2 /boot found by LABEL, then LUKS volumes
	# on LVM for /, /var, /home and swap. Only the root volume takes a
	# passphrase; var, home and swap are unlocked with a key derived from
	# root's LUKS master key (decrypt_derived), so one passphrase opens
	# everything and the swap key is stable across boots — which the resume=
	# target set in rule_boot_configure needs. Consequence: the root volume's
	# master key is the single secret protecting all four volumes.
	# acl is enabled everywhere (rule_apache2_configure relies on setfacl);
	# usrquota/grpquota on /home feed dovecot's fs quota. The French NOTE on
	# barrier=1 is written into fstab as is.
	sudo install -m 644 -o root -g root /dev/stdin /etc/fstab <<-EOF
	# <file system> <mount point> <type> <options> <dump> <pass>
	LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
	proc /proc proc defaults 0 0
	sysfs /sys sysfs defaults 0 0
	/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
	/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
	/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
	# NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
	/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF
	# <target name> <source device> <key file> <options>
	${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
	${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	EOF
	# tmpfs for /tmp, /run/lock and /dev/shm with size caps; TMP_MODE keeps
	# /tmp sticky and world-writable. No nosuid/nodev/noexec is requested
	# here — only what Debian's initscripts add on their own applies.
	sudo install -m 644 -o root -g root /dev/stdin /etc/default/tmpfs <<-EOF
	LOCK_SIZE=5242880 # NOTE: 5MiB
	RAMLOCK=yes
	RAMSHM=yes
	RAMTMP=yes
	RUN_SIZE=10%
	SHM_SIZE=
	TMP_MODE=1777,nr_inodes=1000k,noatime
	TMP_OVERFLOW_LIMIT=1024
	# NOTE: mount tmpfs on /tmp if there is less than the limit size (in kiB)
	# on the root filesystem (overriding RAMTMP).
	TMP_SIZE=200m
	TMPFS_SIZE=20%VM
	EOF
	# Custom tmpfs init script shipped in the checkout (775 root:root: only
	# root can modify it), enabled at the default runlevels.
	sudo install -m 775 -o root -g root \
		"$tool"/etc/init.d/tmpfs \
		/etc/init.d/tmpfs
	sudo update-rc.d tmpfs defaults
}
rule_initramfs_configure () {
	# Initramfs for a Xen PV guest with remote LUKS unlocking: dropbear runs
	# inside the initramfs on eth0 (network from the kernel ip= set in
	# rule_boot_configure) so an administrator can ssh in as root and type
	# the root volume's passphrase. Remember that /boot is unencrypted
	# (rule_filesystem_configure): the initramfs, dropbear host key included,
	# is readable by anyone holding the disk image.
	sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
	MODULES=most
	BUSYBOX=y
	KEYMAP=y
	COMPRESS=gzip
	DEVICE=eth0
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/modprobe.d/xen-pv.conf <<-EOF
	alias eth0 xennet
	alias scsi_hostadapter xenblk
	EOF
	# Crypto modules needed before the root volume can be opened.
	sudo install -m 644 -o root -g root /dev/stdin /etc/modules <<-EOF
	sha1_generic
	sha256_generic
	sha512_generic
	aes-x86_64
	xts
	# NOTE: pour Xen en mode HVM :
	#modprobe xen-platform-pci
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF
	EOF
	# Patch the dropbear hook so configure_networking is no longer
	# backgrounded. NOTE: this edits a file owned by the dropbear package
	# under /usr/share; a package upgrade restores the original, so re-run
	# this rule afterwards (the sed is idempotent).
	sudo sed -e '/^configure_networking /s/ &$//' \
		-i /usr/share/initramfs-tools/scripts/init-premount/dropbear
	# NOTE: fixes a nuisance: dropbear must wait until the network is configured..
	# Keep the existing RSA host key only if known_hosts already pins one
	# for init.$vm_fqdn; otherwise mint a fresh 4096-bit key.
	# NOTE(review): ssh-keygen -F prints "<host> <keytype> <key>" lines, none
	# of which ends in " RSA" as far as can be seen here, so the guard likely
	# never matches and a new host key is generated on every run — every
	# client pinning init.$vm_fqdn then gets a host-key mismatch. Verify with
	# the ssh-keygen in use. (The "break" after "return 0" is unreachable.)
	ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	( while IFS= read -r line
	do case $line in (*" RSA") return 0; break;; esac
	done; return 1 ) ||
	{
	sudo rm -f \
		/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
		/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
	sudo dropbearkey -t rsa -s 4096 -f \
		/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
	}
	# NOTE: does not deal with dropbear_dss_host_key; Debian generates and uses it anyway.
	# NOTE(review): 640 on a directory has no search bit; root is unaffected,
	# everyone else is locked out — probably meant 700.
	sudo install -d -m 640 -o root -g root \
		/etc/initramfs-tools/root \
		/etc/initramfs-tools/root/.ssh
	# root's authorized_keys in the initramfs = the concatenation of
	# ~/etc/ssh/authorized_keys of every member of group sudo: every sudoer
	# may ssh into the pre-boot environment as root. The eval resolves each
	# member's home (names come from /etc/group, i.e. local admin data).
	getent group sudo |
	while IFS=: read -r group x x users
	do while test -n "$users" && IFS=, read -r user users <<-EOF
		$users
		EOF
	do eval local home\; home="~$user"
		cat "$home"/etc/ssh/authorized_keys
	done
	done |
	sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys
	# Drop the client key pair Debian generates for root inside the initramfs:
	# no private key belongs in an image stored on the unencrypted /boot.
	sudo rm -f \
		/etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
		/etc/initramfs-tools/root/.ssh/id_rsa.pub \
		/etc/initramfs-tools/root/.ssh/id_rsa
	# NOTE: keys generated by Debian
	sudo update-initramfs -u
}
rule_gitolite_configure () {
	# gitolite 2.x (gl-setup) as system user "git": admin dir /etc/gitolite
	# linked into ~git/etc/gitolite, repositories under ~git/pub, logs under
	# ~git/log/gitolite, plus a gitweb configuration. The site's ~/etc, ~/log,
	# ~/pub layout is reproduced for the git account.
	local user=git
	sudo debconf-set-selections <<-EOF
	gitolite gitolite/gituser string $user
	gitolite gitolite/adminkey string
	gitolite gitolite/gitdir string /home/$user
	EOF
	rule apt_get_install gitolite
	# The account keeps a real shell: gitolite is the ssh forced command
	# that account's authorized_keys points at.
	getent passwd "$user" >/dev/null ||
	sudo adduser \
		--disabled-password \
		--group \
		--shell /bin/bash \
		--system \
		"$user"
	sudo chfn --full-name "$user" "$user"
	eval local home\; home="~$user"
	sudo install -d -m 770 -o "$user" -g "$user" \
		/etc/gitolite \
		"$home"/etc \
		"$home"/etc/ssh \
		"$home"/pub \
		"$home"/log \
		"$home"/log/gitolite \
		"$home"/log/gitolite/perf
	sudo ln -fns /etc/gitolite "$home"/etc/gitolite
	sudo ln -fns etc/gitolite/gitolite.rc "$home"/.gitolite.rc
	sudo ln -fns etc/ssh "$home"/.ssh
	# gitolite.rc — the security-relevant knobs:
	# - GL_GITCONFIG_KEYS limits the git-config keys a gitolite admin may set
	#   from gitolite.conf to hooks.* and repo.*. Keep it that narrow: the
	#   gitolite documentation warns that widening it (e.g. to core.*) lets
	#   an admin make git run arbitrary commands as the git user.
	# - GL_WILDREPOS = 0: users cannot create repositories themselves.
	# - REPO_UMASK 0007: repositories are group-accessible (gitweb and
	#   git-daemon need membership of group git), not world-readable.
	# - HTPASSWD_FILE empty: no HTTP authentication is configured.
	# - PROJECTS_LIST is ~git/projects.list (see the gitweb note below).
	sudo install -m 770 -o "$user" -g "$user" /dev/stdin \
		"$home"/etc/gitolite/gitolite.rc <<-EOF
	#\$ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary";
	#\$BIG_INFO_CAP = 20;
	#\$ENV{GL_SLAVES} = 'gitolite@server2 gitolite@server3';
	# NOTE: Please use single quotes, not double quotes.
	#\$GITWEB_URI_ESCAPE = 0;
	\$GIT_PATH = "";
	#\$GL_ADC_PATH = "";
	\$GL_ADMINDIR = \$ENV{HOME} . "/etc/gitolite";
	#\$GL_ALL_INCLUDES_SPECIAL = 0;
	#\$GL_ALL_READ_ALL = 0;
	\$GL_BIG_CONFIG = 0;
	\$GL_CONF = "\$GL_ADMINDIR/conf/gitolite.conf";
	\$GL_CONF_COMPILED = "\$GL_ADMINDIR/conf/gitolite.conf.pm";
	#\$GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups"
	\$GL_GITCONFIG_KEYS = "hooks\\..* repo\\..*";
	#\$GL_HOSTNAME = "git.$vm_domainname";
	# NOTE: read doc/mirroring.mkd COMPLETELY before setting this.
	#\$GL_HTTP_ANON_USER = "mob";
	\$GL_KEYDIR = "\$GL_ADMINDIR/keydir";
	\$GL_LOGT = \$ENV{HOME} . "/log/gitolite/%y-%m-%d.log";
	#\$GL_NICE_VALUE = 0;
	\$GL_NO_CREATE_REPOS = 0;
	\$GL_NO_DAEMON_NO_GITWEB = 0;
	\$GL_NO_SETUP_AUTHKEYS = 0;
	\$GL_PACKAGE_CONF = "/usr/share/gitolite/conf";
	\$GL_PACKAGE_HOOKS = "/usr/share/gitolite/hooks";
	#\$GL_PERFLOGT = \$ENV{HOME} . "/log/gitolite/perf/%y-%m-%d.log";
	#\$GL_REF_OR_FILENAME_PATT = qr(^[0-9a-zA-Z][0-9a-zA-Z._\\@/+ :,-]*\$);
	\$GL_SITE_INFO = "git.$vm_domainname";
	#\$GL_SLAVE_MODE = 0;
	\$GL_WILDREPOS = 0;
	#\$GL_WILDREPOS_DEFPERMS = 'R @all';
	\$GL_WILDREPOS_PERM_CATS = "READERS WRITERS";
	\$HTPASSWD_FILE = "";
	\$PROJECTS_LIST = \$ENV{HOME} . "/projects.list";
	\$REPO_BASE = "pub";
	\$REPO_UMASK = 0007;
	\$RSYNC_BASE = "";
	\$SVNSERVE = "";
	#\$UPDATE_CHAINS_TO = "hooks/update.secondary";
	#\$WEB_INTERFACE = "gitweb";
	1;
	EOF
	# gitweb. NOTE(review):
	# - ~git/etc/gitweb is never created above and install does not mkdir;
	#   the gitweb package is only installed further down — on a fresh VM
	#   this step probably fails. Verify.
	# - $site_footer points into /home/fai/pub/www/git.autogeree.net/..., a
	#   path from another deployment that nothing here creates.
	# - $git_temp is a fixed path on the shared /run/shm; if gitweb runs
	#   unprivileged, a per-user directory would avoid squatting by other
	#   local users.
	# - $projects_list reads /etc/gitolite/projects.list while gitolite.rc
	#   writes ~git/projects.list; they agree only if something links them.
	sudo install -m 770 -o "$user" -g "$user" /dev/stdin \
		"$home"/etc/gitweb/gitweb.conf <<-EOF
	\$commit_oneline_message_width = 70;
	\$default_projects_order = 'age';
	\$default_text_plain_charset = 'UTF-8';
	@diff_opts = ();
	\$favicon = "img/git-favicon.png";
	\$git_temp = "/run/shm/gitweb";
	\$home_footer = "/etc/gitweb/cgi/home-footer.cgi.inc";
	\$home_header = "/etc/gitweb/cgi/home-header.cgi.inc";
	\$home_link = "/";
	\$home_link_str = 'd&eacute;p&ocirc;ts';
	\$home_th_age = 'activit&eacute;';
	\$home_th_descr = 'description';
	\$home_th_owner = 'contact';
	\$home_th_project = 'd&eacute;p&ocirc;t';
	\$javascript = "js/gitweb.js";
	\$logo = "img/git-logo.png";
	\$my_uri = "";
	\$projectroot = "../git";
	\$projects_list = "/etc/gitolite/projects.list";
	\$projects_list_description_width = 42;
	\$projects_list_owner_width = 15;
	\$search_str = "Filtre&nbsp;:";
	\$site_footer = "/home/fai/pub/www/git.autogeree.net/cgi/site-footer.bin";
	\$site_header = undef;
	\$site_name = "git.$vm_domainname";
	\$space_to_nbsp = 0;
	@stylesheets = ("css/gitweb.css");#
	\$untabify_tabstop = 2;
	EOF
	# Admin key for gl-setup. Despite the ".key" name the source sits under
	# var/pub and is handed to gl-setup as the admin *public* key — confirm;
	# a private key must never be copied into ~git/etc/ssh.
	sudo install -m 600 -o "$user" -g "$user" \
		"$tool"/var/pub/ssh/"$user".key \
		"$home"/etc/ssh/"$user".pub
	sudo -u "$user" \
		GL_RC="$home"/etc/gitolite/gitolite.rc \
		GIT_AUTHOR_NAME="$user" \
		gl-setup -q "$home"/etc/ssh/"$user".pub "$user"
	# Drop the empty subdirectories gl-setup leaves behind.
	# NOTE(review): rmdir runs without sudo, so this only works when the
	# caller can write /etc/gitolite (770 git:git): root or a member of
	# group git.
	local d
	for d in doc logs src
	do test ! -d "$home"/etc/gitolite/"$d" ||
		rmdir "$home"/etc/gitolite/"$d"
	done
	rule apt_get_install gitweb highlight
	# runit service restarts are left to the operator for now.
	#sudo sv restart spawn-fcgi.git.80.git.heureux-cyclage.org
	#sudo sv restart git-daemon.git.9418
}
rule_locales_configure () {
	# Preseed debconf so that only fr_FR.UTF-8 is generated and no default
	# system locale is set (None), then let dpkg-reconfigure apply it.
	local default_locale generated
	default_locale="locales locales/default_environment_locale select None"
	generated="locales locales/locales_to_be_generated multiselect fr_FR.UTF-8 UTF-8"
	printf '%s\n' "$default_locale" "$generated" |
	sudo debconf-set-selections
	rule dpkg_reconfigure locales
}
rule_login_configure () {
	# Console and login policy (sysvinit-era Debian).
	# inittab: default runlevel 2, sulogin (root password) in single-user
	# mode and as the runlevel-6 fallback, Ctrl-Alt-Del reboots only if
	# /etc/shutdown.allow permits it (-a), a getty on the Xen console hvc0,
	# and runit's runsvdir supervised by init.
	sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF
	# /etc/inittab: init(8) configuration.

	# The default runlevel.
	id:2:initdefault:

	# Boot-time system configuration/initialization script.
	# This is run first except when booting in emergency (-b) mode.
	si::sysinit:/etc/init.d/rcS

	# What to do in single-user mode.
	~~:S:wait:/sbin/sulogin

	# /etc/init.d executes the S and K scripts upon change
	# of runlevel.
	#
	# Runlevel 0 is halt.
	# Runlevel 1 is single-user.
	# Runlevels 2-5 are multi-user.
	# Runlevel 6 is reboot.

	l0:0:wait:/etc/init.d/rc 0
	l1:1:wait:/etc/init.d/rc 1
	l2:2:wait:/etc/init.d/rc 2
	l3:3:wait:/etc/init.d/rc 3
	l4:4:wait:/etc/init.d/rc 4
	l5:5:wait:/etc/init.d/rc 5
	l6:6:wait:/etc/init.d/rc 6
	# Normally not reached, but fallthrough in case of emergency.
	z6:6:respawn:/sbin/sulogin

	# What to do when CTRL-ALT-DEL is pressed.
	ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

	# What to do when the power fails/returns.
	pf::powerwait:/etc/init.d/powerfail start
	pn::powerfailnow:/etc/init.d/powerfail now
	po::powerokwait:/etc/init.d/powerfail stop

	# Xen hypervisor console
	hvc:2345:respawn:/sbin/getty 38400 hvc0
	#xvc:2345:respawn:/sbin/getty 38400 xvc0

	#-- runit begin
	SV:123456:respawn:/usr/sbin/runsvdir-start
	#-- runit end
	EOF
	# login.defs highlights: failed logins are recorded (FAILLOG_ENAB) but
	# unknown usernames are not (LOG_UNKFAIL_ENAB no — a password typed into
	# the login prompt never reaches the logs); su/sg go to syslog; UMASK 007
	# with USERGROUPS_ENAB is the user-private-group scheme (rationale in the
	# French NOTE, which is part of the file, as is the one on ENV_PATH);
	# SHA512 password hashes; 3 retries / 60 s at the prompt; passwords
	# never expire (PASS_MAX_DAYS 99999); chfn may change the room and phone
	# fields but not the full name (CHFN_RESTRICT rwh).
	sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF
	MAIL_DIR /var/mail
	FAILLOG_ENAB yes
	LOG_UNKFAIL_ENAB no
	LOG_OK_LOGINS no
	SYSLOG_SU_ENAB yes
	SYSLOG_SG_ENAB yes
	FTMP_FILE /var/log/btmp
	SU_NAME su
	HUSHLOGIN_FILE .hushlogin
	ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
	ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
	# NOTE: met les sbin/ dans ENV_PATH ;
	# - ça n'apporte aucune protection de ne pas les mettre ;
	# - ça frustre de ne pas les trouver.
	TTYGROUP tty
	TTYPERM 0600
	ERASECHAR 0177
	KILLCHAR 025
	UMASK 007
	# NOTE: rwxrwx--- ;
	# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
	# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
	PASS_MAX_DAYS 99999
	PASS_MIN_DAYS 0
	PASS_WARN_AGE 7
	UID_MIN 1000
	UID_MAX 60000
	GID_MIN 1000
	GID_MAX 60000
	LOGIN_RETRIES 3
	LOGIN_TIMEOUT 60
	CHFN_RESTRICT rwh
	DEFAULT_HOME yes
	USERGROUPS_ENAB yes
	ENCRYPT_METHOD SHA512
	EOF
	# Append pam_umask once, so the UMASK above also applies to PAM sessions
	# (ssh, su). The grep guard keeps the rule idempotent.
	grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF
	$(cat /etc/pam.d/common-session)
	session optional pam_umask.so
	EOF
	# Allow root to log in on the Xen consoles (hvc0 / xvc0): whoever can
	# attach to the console from the host gets a root password prompt.
	grep -q '^hvc0$' /etc/securetty ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
	$(cat /etc/securetty)
	hvc0
	EOF
	grep -q '^xvc0$' /etc/securetty ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
	$(cat /etc/securetty)
	xvc0
	EOF
}
rule_mail_configure () {
	# Aggregate rule for the mail stack, in dependency order: MTA, greylisting,
	# local delivery, then IMAP/Sieve (rule_dovecot_configure writes into
	# /etc/postgrey, so postgrey must come before it).
	local component
	for component in postfix postgrey procmail dovecot
	do rule "$component"_configure
	done
}
rule_mysql_configure () {
	# Install the (Debian 7 era) MySQL 5.5 server and (re)start it. No
	# hardening is done here: the package defaults apply.
	local package=mysql-server-5.5
	rule apt_get_install "$package"
	sudo service mysql restart
}
rule_network_configure () {
	# Hostname, /etc/hosts and the Grenode uplink.
	sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
	$vm
	EOF
	# Map the FQDN and the short name to loopback, once (grep guard).
	grep -q " $vm\$" /etc/hosts ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/hosts <<-EOF
	$(cat /etc/hosts)
	127.0.0.1 $vm_fqdn $vm
	EOF
	# A single public /32 on eth0 (logical interface "grenode"). The gateway
	# is the VM's own address, which works because the Grenode router does
	# proxy ARP; MTU 1300 is imposed by the GRE/IPsec tunnels between Grenode
	# routers, and the ping transcript kept in the file is the measurement
	# behind that figure. post-up/pre-down add and remove the /32 on the
	# interface explicitly. All NOTE lines below are written into
	# /etc/network/interfaces verbatim.
	sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF
	auto lo
	iface lo inet loopback

	auto eth0=grenode
	iface grenode inet static
	address $vm_ipv4
	gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
	network $vm_ipv4
	broadcast $vm_ipv4
	netmask 255.255.255.255
	mtu 1300
	# NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
	# car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
	#
	# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
	# PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
	# 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
	#
	# --- soupirail.grenode.net ping statistics ---
	# 1 packets transmitted, 1 received, 0% packet loss, time 0ms
	# rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
	# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
	# PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
	# From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
	#
	# --- soupirail.grenode.net ping statistics ---
	# 0 packets transmitted, 0 received, +1 errors
	post-up ip address add $vm_ipv4/32 dev \$IFACE
	pre-down ip address delete $vm_ipv4/32 dev \$IFACE
	EOF
}
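rule_www_configure () {
	# Shared layout under /home/www for the web stacks (apache2/nginx/php5 rules):
	#   /home/www      751  www:www           traversable by all, listable by www
	#   /home/www/etc  750  www:www           symlinks to /etc/apache2, /etc/nginx, ...
	#   /home/www/pub  1771 www-data:www-data document roots (sticky)
	#   /home/www/log  1771 log.www:log.www   per-site logs (sticky)
	# Accounts: www (owner of the tree), log.www (log owner); www joins group
	# log.www, and www-data's home becomes /home/www/pub (rule_nginx_configure
	# relies on ~www-data). Every step is idempotent so the rule can be re-run.
	getent passwd www >/dev/null ||
	sudo adduser \
		--disabled-login \
		--disabled-password \
		--group \
		--home /home/www \
		--shell /bin/false \
		--system \
		www
	# Guarded like "www" above, for symmetry (adduser --system tolerates an
	# existing account, but the guard keeps re-runs quiet).
	getent passwd log.www >/dev/null ||
	sudo adduser \
		--disabled-login \
		--disabled-password \
		--group \
		--home ~www/log \
		--shell /bin/false \
		--system \
		log.www
	#sudo adduser www www-data
	sudo adduser www log.www
	#sudo adduser log log.www
	# FIX: usermod needs root like every other step here; it used to run
	# unprivileged and therefore failed, leaving www-data's home unchanged.
	sudo usermod --home /home/www/pub www-data
	sudo install -d -m 751 -o www -g www \
		/home/www
	sudo install -d -m 750 -o www -g www \
		/home/www/etc
	# FIX: pub and log are two separate install calls. A stray trailing
	# backslash used to fold the second command into the first one's operand
	# list, which (with GNU install's option permutation) created junk
	# "sudo" and "install" directories in the current directory and gave
	# /home/www/pub to log.www instead of www-data.
	sudo install -d -m 1771 -o www-data -g www-data \
		/home/www/pub
	sudo install -d -m 1771 -o log.www -g log.www \
		/home/www/log
}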
rule_nginx_configure () {
	# nginx serving one server{} per "$tool"/etc/nginx/site.d/<port>.<site>/server.conf.
	# Each site gets two system accounts: www.<port>.<site> (owner of the
	# document root, whose --home is ~www-data/<port>.<site>, i.e.
	# /home/www/pub/... once rule_www_configure has moved www-data's home)
	# and log.<port>.<site> (owner of its logs).
	local -; set +f
	rule apt_get_install nginx
	rule www_configure
	# NOTE(review): this wipes site.d on every run — including anything a
	# previous vm_remote nginx_key_send may have left under
	# /etc/nginx/site.d/<site>/x509/.
	sudo rm -rf \
		/etc/nginx/conf.d \
		/etc/nginx/site.d
	# NOTE(review): /etc/nginx and nginx.conf become writable by uid/gid www.
	# The nginx master runs as root and loads that config, so anything able
	# to act as www (or in group www) is one config edit away from root.
	# Nothing in this file runs as www, but it is a privilege ladder to keep
	# in mind.
	sudo install -d -m 770 -o www -g www \
		/etc/nginx \
		/etc/nginx/conf.d \
		/etc/nginx/site.d
	sudo ln -fns \
		/etc/nginx \
		/home/www/etc/nginx
	sudo install -m 660 -o www -g www \
		"$tool"/etc/nginx/nginx.conf \
		/etc/nginx/nginx.conf
	local conf
	for conf in "$tool"/etc/nginx/conf.d/*.conf
	do conf=${conf#"$tool"/etc/nginx/conf.d/}
		sudo install -m 660 -o www -g www \
			"$tool"/etc/nginx/conf.d/"$conf" \
			/etc/nginx/conf.d/"$conf"
	done
	for conf in "$tool"/etc/nginx/site.d/*/server.conf
	do conf=${conf#"$tool"/etc/nginx/site.d/}
		local port site
		IFS=. read -r port site <<-EOF
		${conf%\/server\.conf}
		EOF
		assert 'test "${port:+set}"'
		assert 'test "${site:+set}"'
		# From here on $site is the directory name "<port>.<site>".
		site="$port.$site"
		getent passwd www."$site" >/dev/null ||
		sudo adduser \
			--disabled-login \
			--disabled-password \
			--group \
			--home ~www-data/"$site" \
			--shell /bin/false \
			--system \
			www."$site"
		getent passwd log."$site" >/dev/null ||
		sudo adduser \
			--disabled-login \
			--disabled-password \
			--group \
			--shell /bin/false \
			--system \
			log."$site"
		sudo usermod --home ~www/log/"$site"/nginx log."$site"
		sudo install -d -m 770 -o www -g www \
			/etc/nginx/site.d/"$site"
		case $port in
		(443)
			# NOTE(review): the key is checked at /etc/nginx/<site>/x509/key.pem,
			# but the server{} below points nginx at
			# /home/www/etc/nginx/site.d/<site>/x509/key.pem — that is
			# /etc/nginx/site.d/..., which the rm -rf above just emptied. One
			# of the two paths is wrong, or a symlink is expected from
			# configure.sh; verify against vm_remote nginx_key_send. Likewise
			# x509/ under site.d is never created here and install(1) will
			# not create it, so the crt.pem install below can fail.
			local hint="run vm_remote nginx_key_send before"
			assert "sudo test -f /etc/nginx/\"$site\"/x509/key.pem" hint
			sudo install -m 664 -o www -g www \
				"$tool"/var/pub/x509/"$site"/crt+ca.pem \
				/etc/nginx/site.d/"$site"/x509/crt.pem
			;;
		esac
		case $port in
		(80)
			cat <<-EOF
			server {
			listen $port;
			access_log /home/www/log/$site/nginx/access.log main;
			error_log /home/www/log/$site/nginx/error.log warn;
			root /home/www/pub/$site;
			server_name $site;
			$(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
			}
			EOF
			;;
		(443)
			# TLS settings emitted verbatim into server.conf:
			# - ssl_ciphers "HIGH:!ADH:!MD5" still permits RSA key exchange
			#   (no forward secrecy), anonymous ECDH (!ADH covers DH only;
			#   !aNULL covers both) and, with OpenSSL 1.0.x, 3DES. Something
			#   like "EECDH+AESGCM:EDH+AESGCM:!aNULL:!MD5:!3DES" is the usual fix.
			# - ssl_protocols keeps TLSv1 (1.0) enabled; drop it when clients allow.
			# - "ssl on;" is the pre-1.15 form; fine for this Debian.
			cat <<-EOF
			server {
			listen $port;
			access_log /home/www/log/$site/nginx/access.log main;
			error_log /home/www/log/$site/nginx/error.log warn;
			keepalive_timeout 70;
			root /home/www/pub/$site;
			server_name $site;
			# DOC: http://wiki.nginx.org/HttpSslModule
			ssl on;
			ssl_certificate /home/www/etc/nginx/site.d/$site/x509/crt.pem;
			ssl_certificate_key /home/www/etc/nginx/site.d/$site/x509/key.pem;
			ssl_ciphers HIGH:!ADH:!MD5;
			ssl_prefer_server_ciphers on;
			ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
			ssl_session_cache shared:SSL:10m;
			$(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
			}
			EOF
			;;
		esac |
		sudo install -m 660 -o www -g www /dev/stdin \
			/etc/nginx/site.d/"$site"/server.conf
		# NOTE(review): three inconsistencies in the next lines, worth a fix:
		# (1) adduser runs without sudo, unlike every other privileged step;
		# (2) it adds www-data to group "$site", but the group created above
		#     is "www.$site"; (3) the document root is chowned to user
		#     "$site", which this rule never creates — "www.$site" is the
		#     likely intent, matching that account's --home. Unless vm.sh or
		#     configure.sh creates a "$site" account, install fails with
		#     "invalid user".
		adduser www-data "$site"
		test -e /home/www/pub/"$site" ||
		sudo install -d -m 3770 -o "$site" -g "$site" \
			/home/www/pub/"$site"
		sudo install -d -m 3770 -o log."$site" -g log."$site" \
			/home/www/log/"$site"/nginx
		# Per-site hook, sourced in this shell with sudo at hand: the git
		# checkout is the trust boundary.
		test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
		. "$tool"/etc/nginx/site.d/"$site"/configure.sh
	done
	rule apt_get_install spawn-fcgi fcgiwrap
	# Disable the packaged fcgiwrap init script; presumably per-site
	# spawn-fcgi instances are supervised another way (runit, cf. the
	# commented "sv restart" lines in rule_gitolite_configure) — not shown here.
	sudo insserv --remove fcgiwrap
	# tmpfs_configure is not defined in this file (etc/vm.sh, presumably).
	rule tmpfs_configure
	sudo service nginx restart
}
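rule_php5_fpm_configure () {
	local -; set +f
	rule apt_get_install \
	 php5-fpm \
	 php-apc
	# Owner of the master process' log directory (/home/www/log/php5/fpm).
	getent passwd php5 >/dev/null ||
	sudo adduser \
	 --disabled-login \
	 --disabled-password \
	 --group \
	 --shell /bin/false \
	 --system \
	 php5
	local conf port site
	# Expose the FPM configuration under /home/www/etc like nginx's.
	# Debian ships php5-fpm's configuration in /etc/php5/fpm (the directory
	# used everywhere below); the previous link target /etc/php5-fpm does not
	# exist, so the link was dangling.
	sudo ln -fns \
	 /etc/php5/fpm \
	 /home/www/etc/php5
	# Pools are regenerated from scratch, one per $port.$site.conf fragment in
	# the repository, mirroring the nginx site directories.
	sudo rm -f /etc/php5/fpm/pool.d/*
	for conf in "$tool"/etc/php5/fpm/pool.d/*.conf
	do conf=${conf#"$tool"/etc/php5/fpm/pool.d/}
	   IFS=. read -r port site <<-EOF
		${conf%\.conf}
		EOF
	   assert 'test "${port:+set}"'
	   assert 'test "${site:+set}"'
	   site="$port.$site"
	   # One unprivileged system user per pool, so a compromised site cannot
	   # read another site's files. The lookup must use the same name as the
	   # adduser call below: it previously looked up "php5$site", never
	   # matched, and re-ran adduser, which fails once the user exists.
	   getent passwd php5."$site" >/dev/null ||
	   sudo adduser \
	    --disabled-login \
	    --disabled-password \
	    --group \
	    --no-create-home \
	    --home ~www/pub/"$site" \
	    --shell /bin/false \
	    --system \
	    php5."$site"
	   sudo install -d -m 770 -o php5 -g php5 \
	    /home/www/log/php5 \
	    /home/www/log/php5/fpm
	   sudo install -d -m 770 -o log."$site" -g log."$site" \
	    /home/www/log/"$site"
	   # NOTE(review): access.log and slowlog below point into
	   # /home/www/log/$site/php5/fpm, which nothing in this rule creates;
	   # confirm another step creates it, else php5-fpm cannot open its logs.
	   # Let the pool user reach the site's files through the www.$site group
	   # (created by nginx_configure); "$user" was undefined here and aborted
	   # the rule under set -u.
	   sudo adduser php5."$site" www."$site"
	   # NOTE(review): pm.status_path=/status is reachable through nginx if the
	   # site's server.conf routes it to this pool, and rlimit_core=unlimited
	   # lets workers write core dumps that may hold request data and
	   # credentials; both are worth restricting on a shared host.
	   # "user" is the per-pool account created above ($php5_user is not
	   # defined in this file and tripped set -u).
	   sudo install -m 660 -o root -g root /dev/stdin \
	    /etc/php5/fpm/pool.d/"$conf" <<-EOF
		[php5.$site]
		access.log = /home/www/log/$site/php5/fpm/access.log
		catch_workers_output = yes
		chdir = /
		env[HOSTNAME] = \$HOSTNAME
		env[TEMP] = /tmp
		env[TMPDIR] = /tmp
		env[TMP] = /tmp
		group = www-data
		listen = /run/nginx/fastcgi/php5.$site
		#listen = 127.0.0.1:9000
		#listen.allowed_clients = 127.0.0.1
		listen.backlog = -1
		pm = dynamic
		pm.max_children = 5
		pm.max_requests = 200
		pm.max_spare_servers = 4
		pm.min_spare_servers = 2
		pm.start_servers = 3
		pm.status_path = /status
		request_slowlog_timeout = 5s
		request_terminate_timeout = 120s
		rlimit_core = unlimited
		rlimit_files = 131072
		slowlog = /home/www/log/$site/php5/fpm/slow.log
		user = php5.$site
		$(cat "$tool"/etc/php5/fpm/pool.d/"$conf")
		EOF
	done
	# php.ini is global to the FPM instance: install it once, not per pool.
	sudo install -m 664 -o root -g root \
	 "$tool"/etc/php5/fpm/php.ini \
	 /etc/php5/fpm/php.ini
	rule tmpfs_configure
	sudo service php5-fpm restart
}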
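rule_postfix_configure () {
	# The smtpd private key is pushed from the host (vm_remote postfix_key_send)
	# into a root-only tree, so the existence check has to run as root — the
	# same pattern nginx_configure uses for its key; without sudo the check
	# failed for a non-root caller even when the key was present.
	local hint="run vm_remote postfix_key_send before"
	assert "sudo test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
	# Preseed debconf so the package does not generate a mailer configuration:
	# main.cf and master.cf are written from the repository below.
	sudo debconf-set-selections <<-EOF
		postfix postfix/main_mailer_type select No configuration
		EOF
	rule apt_get_install postfix
	# Compiled lookup tables are derived files; keep them out of the /etc
	# repository (presumably etckeeper, see rule_configure).
	sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
		*.db
		EOF
	local dir=/etc/postfix/$vm_domainname
	sudo install -d -m 770 -o root -g root \
	 "$dir"/ \
	 "$dir"/smtp \
	 "$dir"/smtp/x509 \
	 "$dir"/smtp/x509/ca \
	 "$dir"/smtpd \
	 "$dir"/smtpd/x509 \
	 "$dir"/smtpd/x509/ca
	# Server certificate material (public parts only; the key was checked
	# above). ca/crt.pem is a relative link to the self-signed CA bundle.
	sudo ln -fns \
	 ../crt+crl.self-signed.pem \
	 "$dir"/smtpd/x509/ca/crt.pem
	local f
	for f in crt+crl.self-signed.pem crt.pem crt+ca.pem
	do sudo install -m 400 -o root -g root \
	    "$tool"/var/pub/x509/$vm_domainname/smtpd/"$f" \
	    "$dir"/smtpd/x509/"$f"
	done
	# Local aliases: the role addresses go to root and root's mail goes to
	# every member of the sudo group. Refuse to write an alias without a
	# recipient, which would leave root's mail undeliverable.
	local admins
	admins=$(getent group sudo | cut -f 4 -d : | tr , ' ')
	hint="root's mail is delivered to the members of the sudo group, which has none"
	assert 'test "${admins:+set}"' hint
	sudo install -m 664 -o root -g root /dev/stdin \
	 /etc/postfix/aliases <<-EOF
		# See man 5 aliases for format
		abuse: root
		admin: root
		contact: root
		postmaster: root
		root: $admins
		EOF
	sudo newaliases -oA/etc/postfix/aliases
	# main.cf: this VM's identity followed by the shared template.
	cat /dev/stdin "$tool"/etc/postfix/main.cf <<-EOF |
		mydomain = $vm_domainname
		myorigin = \$mydomain
		myhostname = $vm_hostname.\$mydomain
		mail_name = \$myhostname
		mydestination = $vm_hostname \$myhostname \$myorigin
		EOF
	sudo install -m 664 -o root -g root /dev/stdin \
	 /etc/postfix/main.cf
	sudo install -m 664 -o root -g root \
	 "$tool"/etc/postfix/master.cf \
	 /etc/postfix/master.cf
	# Lookup tables. The header_checks tables are read as-is; the others are
	# hash: maps and must be recompiled with postmap after every change.
	local table
	for table in header_checks smtp/header_checks
	do sudo install -m 660 -o root -g root \
	    "$tool"/etc/postfix/$vm_domainname/"$table" \
	    "$dir"/"$table"
	done
	for table in \
	 smtp/x509/policy \
	 smtpd/sender_access \
	 smtpd/client_blacklist \
	 smtpd/relay_clientcerts \
	 transport \
	 virtual_alias
	do sudo install -m 660 -o root -g root \
	    "$tool"/etc/postfix/$vm_domainname/"$table" \
	    "$dir"/"$table"
	   sudo postmap hash:"$dir"/"$table"
	done
	sudo service postfix restart
}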
rule_postgresql_configure () {
	# PostgreSQL from the current Debian release; the major version is part of
	# the package name, so this line needs updating on a dist-upgrade.
	local pkg=postgresql-9.1
	rule apt_get_install "$pkg"
	sudo service postgresql restart
}
rule_openerp_configure () {
	# NOTE(review): this adds a nightly "trunk" repository, fetched over plain
	# HTTP, to the system-wide apt sources and imports no signing key: unless
	# that key is already trusted, apt treats the packages as unauthenticated,
	# and the VM's trust then rests on that mirror. Prefer a signed, pinned
	# release. This rule is not part of rule_configure.
	local list=/etc/apt/sources.list.d/openerp.list
	printf '%s\n' 'deb http://nightly.openerp.com/trunk/nightly/deb/ ./' |
	sudo install -m 660 -o root -g root /dev/stdin "$list"
	sudo apt-get update
	rule apt_get_install openerp
}
rule_postgrey_configure () {
	# Greylisting policy daemon for Postfix; presumably referenced from the
	# repository's main.cf template (not visible here).
	local service=postgrey
	rule apt_get_install "$service"
	sudo service "$service" restart
}
rule_procmail_configure () {
	# Skeleton layout for procmail, copied into every new account:
	# ~/etc/mail for the rc files, ~/var/{cache,log}/mail for its state and
	# ~/var/mail for mailboxes.
	local skel=/etc/skel
	rule apt_get_install procmail
	sudo install -d -m 770 -o root -g root \
	 "$skel"/etc/mail \
	 "$skel"/var/cache/mail \
	 "$skel"/var/log/mail \
	 "$skel"/var/mail
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/skel/etc/mail/delivery.procmailrc \
	 "$skel"/etc/mail/delivery.procmailrc
}
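rule_runit_configure () {
	rule apt_get_install runit
	local sv; local -; set +f
	# /etc/service and /etc/sv are root-owned: every step needs sudo, like
	# the rest of this file (rm/ln/sv ran unprivileged before and failed).
	# runsvdir stops any service whose link is not recreated below.
	sudo rm -f /etc/service/*
	for sv in "$tool"/etc/sv/*
	do sv=${sv#"$tool"/etc/sv/}
	   sudo install -d -m 770 -o root -g root \
	    /etc/sv/"$sv"
	   sudo install -m 770 -o root -g root \
	    "$tool"/etc/sv/"$sv"/run \
	    /etc/sv/"$sv"/run
	   if test -e "$tool"/etc/sv/"$sv"/log/run
	   then
	   	sudo install -d -m 770 -o root -g root \
	   	 /etc/sv/"$sv"/log
	   	sudo install -m 770 -o root -g root \
	   	 "$tool"/etc/sv/"$sv"/log/run \
	   	 /etc/sv/"$sv"/log/run
	   fi
	   # Enable the service unless it ships a configure hook that fails.
	   # (The previous version had an empty "else" branch, which is a syntax
	   # error in sh and kept the whole script from parsing.)
	   # NOTE(review): runsvdir only scans /etc/service periodically; sv may
	   # fail if it runs before the new link is picked up — confirm.
	   if test ! -x "$tool"/etc/sv/"$sv"/configure ||
	      "$tool"/etc/sv/"$sv"/configure
	   then
	   	sudo ln -fns ../sv/"$sv" /etc/service/"$sv"
	   	sudo sv restart "$sv"
	   fi
	done
}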
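rule_ssh_configure () {
	# Host key: keep the RSA host key pinned in the repository's known_hosts
	# (an entry for $vm_fqdn ending in " RSA") and only generate a fresh
	# 4096-bit one when none is pinned; regenerating it would break every
	# client's pinned fingerprint.
	ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	grep -q ' RSA$' ||
	sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
	# Only the RSA key is configured below; remove the DSA/ECDSA keys Debian
	# generated at install time so they are never offered.
	sudo rm -f \
	 /etc/ssh/ssh_host_dsa_key \
	 /etc/ssh/ssh_host_dsa_key.pub \
	 /etc/ssh/ssh_host_ecdsa_key \
	 /etc/ssh/ssh_host_ecdsa_key.pub
	# Key-only logins, on the VM's IPv4 address only.
	# - PermitRootLogin without-password: root stays key-only even if
	#   PasswordAuthentication is ever turned back on (root's keys are the
	#   sudo members' keys, see user_root_configure).
	# - Compression delayed: compress only after authentication; before
	#   OpenSSH 7.4, "yes" also exposed zlib to unauthenticated clients.
	# - KeyRegenerationInterval/ServerKeyBits are SSH-1 options, ignored with
	#   Protocol 2; kept to leave the rest of the file as it was.
	# - AuthorizedKeysFile follows the ~/etc/ssh layout from /etc/skel.
	sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
		Port 22
		ListenAddress $vm_ipv4
		#ListenAddress ::
		Protocol 2
		Compression delayed
		HostKey /etc/ssh/ssh_host_rsa_key
		UsePrivilegeSeparation yes
		KeyRegenerationInterval 3600
		ServerKeyBits 768
		SyslogFacility AUTH
		LogLevel INFO
		LoginGraceTime 120
		PermitRootLogin without-password
		StrictModes yes
		RSAAuthentication yes
		PubkeyAuthentication yes
		AuthorizedKeysFile %h/etc/ssh/authorized_keys
		IgnoreRhosts yes
		RhostsRSAAuthentication no
		HostbasedAuthentication no
		IgnoreUserKnownHosts no
		PermitEmptyPasswords no
		ChallengeResponseAuthentication no
		PasswordAuthentication no
		KerberosAuthentication no
		GSSAPIAuthentication no
		X11Forwarding no
		X11DisplayOffset 10
		PrintMotd no
		DebianBanner no
		PrintLastLog yes
		TCPKeepAlive yes
		ClientAliveInterval 0
		AcceptEnv LANG LC_*
		Subsystem sftp /usr/lib/openssh/sftp-server
		UsePAM yes
		EOF
	sudo service ssh restart
}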
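rule_sysctl_configure () {
	# Install every sysctl fragment from the repository, then apply them all.
	# conf is local like in the other rules instead of leaking globally.
	local conf; local -; set +f
	for conf in "$tool"/etc/sysctl.d/*.conf
	do conf=${conf#"$tool"/etc/sysctl.d/}
	   sudo install -m 660 -o root -g root \
	    "$tool"/etc/sysctl.d/"$conf" \
	    /etc/sysctl.d/"$conf"
	done
	# --system reloads all of /etc/sysctl.d/*.conf (and /etc/sysctl.conf),
	# not only the files installed above.
	sudo sysctl --system
}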
rule_time_configure () {
	# Pin the timezone in /etc/timezone and in debconf (so that
	# dpkg-reconfigure tzdata does not prompt), then keep the clock in sync.
	local area=Europe city=Paris
	printf '%s/%s\n' "$area" "$city" |
	sudo install -m 644 -o root -g root /dev/stdin /etc/timezone
	sudo debconf-set-selections <<-EOF
		tzdata tzdata/Areas select $area
		tzdata tzdata/Zones/Europe select $city
		EOF
	rule dpkg_reconfigure tzdata
	rule apt_get_install ntp
}
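rule_user_add () { # SYNTAX: $user
	rule user_configure
	local user=$1
	local home
	# Create the account with a locked password: the user sets one later with
	# passwd-init (sudoers rule installed by user_configure).
	getent passwd "$user" >/dev/null ||
	sudo adduser --disabled-password "$user"
	# Resolve the home directory from passwd instead of eval'ing "~$user",
	# which would execute shell metacharacters found in the argument.
	home=$(getent passwd "$user" | cut -d : -f 6)
	assert 'test "${home:+set}"' user
	sudo adduser "$user" users
	# Published SSH public key(s) of the user, root-owned 0640: sshd reads
	# the file as root, the user cannot edit (or read) it — keys are managed
	# from this repository.
	sudo install -m 640 -o root -g root \
	 "$tool"/var/pub/ssh/"$user".key \
	 "$home"/etc/ssh/authorized_keys
	# Seed the user's keyring with the published OpenPGP keys. -H makes sudo
	# set HOME to the target user's home, so gpg uses ~$user/etc/gpg rather
	# than the invoking admin's keyring.
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo -H -u "$user" gpg --import - <"$key"
	done
}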
rule_user_configure () {
	# Intended site-wide adduser(8) defaults: private per-user groups,
	# 0750 homes, bash as login shell, automatic membership in "users".
	# NOTE(review): a second function named rule_user_configure is defined
	# further down in this file; in sh the later definition wins, so this
	# body is dead code and /etc/adduser.conf is never written. Merge these
	# lines into the later definition or give this rule a distinct name.
	sudo install -m 660 -o root -g root /dev/stdin \
	 /etc/adduser.conf <<-EOF
		ADD_EXTRA_GROUPS=1
		DHOME=/home
		DIR_MODE=0750
		DSHELL=/bin/bash
		EXTRA_GROUPS="users"
		FIRST_GID=1000
		FIRST_SYSTEM_GID=100
		FIRST_SYSTEM_UID=100
		FIRST_UID=1000
		GROUPHOMES=no
		LAST_GID=29999
		LAST_SYSTEM_GID=999
		LAST_SYSTEM_UID=999
		LAST_UID=29999
		LETTERHOMES=no
		NAME_REGEX="^[a-z][-a-z0-9_.]*\$"
		QUOTAUSER="" # TODO: init
		SETGID_HOME=no
		SKEL=/etc/skel
		SKEL_IGNORE_REGEX="dpkg-(old|new|dist|save)"
		USERGROUPS=yes
		USERS_GID=100
		EOF
}
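rule_user_admin_add () { # SYNTAX: $user
	rule user_configure
	local user=$1
	local home
	getent passwd "$user" >/dev/null ||
	sudo adduser --disabled-password "$user"
	# Resolve the home directory from passwd instead of eval'ing "~$user",
	# which would execute shell metacharacters found in the argument.
	home=$(getent passwd "$user" | cut -d : -f 6)
	assert 'test "${home:+set}"' user
	# Membership in sudo is what makes this an admin: the sudoers.d fragments
	# grant %sudo, root's authorized_keys is rebuilt from sudo members
	# (user_root_configure) and root's mail is aliased to them
	# (postfix_configure).
	sudo adduser "$user" sudo
	# Root-owned 0640 like in user_add: sshd reads it as root, the user
	# cannot edit it.
	sudo install -m 640 -o root -g root \
	 "$tool"/var/pub/ssh/"$user".key \
	 "$home"/etc/ssh/authorized_keys
	# -H: import into ~$user/etc/gpg, not into the invoking admin's keyring.
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo -H -u "$user" gpg --import - <"$key"
	done
	rule user_admin_configure
}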
rule_user_admin_configure () {
	# Steps to redo whenever the set of admins changes: initramfs_configure
	# (defined elsewhere in this file) and root's account, whose
	# authorized_keys is rebuilt from the sudo group.
	local step
	for step in initramfs_configure user_root_configure
	do rule "$step"
	done
}
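rule_user_configure () {
	# Site-wide adduser(8) defaults: private per-user groups, 0750 homes,
	# bash as login shell, automatic membership in "users". An earlier
	# definition of rule_user_configure in this file carried them, but the
	# later definition of the same name replaced it in sh and they never
	# took effect; they now live here.
	sudo install -m 660 -o root -g root /dev/stdin \
	 /etc/adduser.conf <<-EOF
		ADD_EXTRA_GROUPS=1
		DHOME=/home
		DIR_MODE=0750
		DSHELL=/bin/bash
		EXTRA_GROUPS="users"
		FIRST_GID=1000
		FIRST_SYSTEM_GID=100
		FIRST_SYSTEM_UID=100
		FIRST_UID=1000
		GROUPHOMES=no
		LAST_GID=29999
		LAST_SYSTEM_GID=999
		LAST_SYSTEM_UID=999
		LAST_UID=29999
		LETTERHOMES=no
		NAME_REGEX="^[a-z][-a-z0-9_.]*\$"
		QUOTAUSER="" # TODO: init
		SETGID_HOME=no
		SKEL=/etc/skel
		SKEL_IGNORE_REGEX="dpkg-(old|new|dist|save)"
		USERGROUPS=yes
		USERS_GID=100
		EOF
	# Skeleton copied into every new home: ~/etc/{gpg,ssh} hold the GnuPG and
	# OpenSSH state (sshd_config points AuthorizedKeysFile at ~/etc/ssh), with
	# ~/.ssh and ~/.gnupg as links so that the stock tools still find them.
	sudo install -d -m 750 -o root -g root \
	 /etc/skel \
	 /etc/skel/etc \
	 /etc/skel/etc/gpg \
	 /etc/skel/etc/ssh
	sudo install -d -m 770 -o root -g root \
	 /etc/skel/var \
	 /etc/skel/var/cache \
	 /etc/skel/var/log \
	 /etc/skel/var/run \
	 /etc/skel/var/run/ssh
	sudo ln -fns etc/ssh /etc/skel/.ssh
	sudo ln -fns etc/gpg /etc/skel/.gnupg
	# sudoers.d fragments: sudoers(5) and Debian's /etc/sudoers.d/README ask
	# for mode 0440, and some sudo versions warn about or skip fragments with
	# other modes, so they are installed read-only (they were 0640).
	# passwd-init lets a sudo member set their OWN password without a password,
	# but only while the account is still locked (passwd -S reports "L"), i.e.
	# right after user_add created it with --disabled-password. SUDO_USER is
	# set by sudo itself, not by the caller. The command line must stay
	# byte-identical to the one in /usr/local/bin/passwd-init below, as
	# sudoers matches it literally.
	sudo install -m 440 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
		%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
		case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
		("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
		EOF
	sudo install -m 440 -o root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF
		%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
		EOF
	# Keep the editor and git identity across sudo so that commits made in
	# /etc (etckeeper) are attributed to the admin, not to root.
	sudo install -m 440 -o root -g root /dev/stdin /etc/sudoers.d/env_keep <<-EOF
		Defaults env_keep = " \\
		 EDITOR \\
		 GIT_AUTHOR_NAME \\
		 GIT_AUTHOR_EMAIL \\
		 GIT_COMMITTER_NAME \\
		 GIT_COMMITTER_EMAIL \\
		 "
		EOF
	sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF
		#!/bin/sh -efu
		# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
		sudo /bin/sh -e -f -u -c \
		'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
		EOF
	sudo install -m 644 -o root -g root \
	 "$tool"/etc/bash.bashrc \
	 /etc/bash.bashrc
	sudo install -m 644 -o root -g root \
	 "$tool"/etc/screenrc \
	 /etc/screenrc
}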
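rule_user_root_configure () {
	# root gets the same ~/etc/{gpg,ssh} layout as /etc/skel, so that sshd's
	# AuthorizedKeysFile (%h/etc/ssh/authorized_keys) applies to root too.
	sudo install -d -m 750 -o root -g root \
	 /root/etc \
	 /root/etc/gpg \
	 /root/etc/ssh
	sudo ln -fns etc/gpg /root/.gnupg
	sudo ln -fns etc/ssh /root/.ssh
	# root's authorized_keys is the concatenation of the keys of every member
	# of the sudo group. They are gathered in a command substitution rather
	# than in a pipeline so that a missing or unreadable file aborts the rule
	# (set -e) instead of silently installing a truncated key list; the
	# per-user files are root-owned 0640 (see user_add), hence sudo cat.
	# Home directories come from passwd instead of eval'ing "~$user".
	local keys
	keys=$(
		local user home
		for user in $(getent group sudo | cut -d : -f 4 | tr , ' ')
		do home=$(getent passwd "$user" | cut -d : -f 6)
		   assert 'test "${home:+set}"' user
		   sudo cat "$home"/etc/ssh/authorized_keys
		done
	)
	printf '%s\n' "$keys" |
	sudo install -m 640 -o root -g root /dev/stdin /root/etc/ssh/authorized_keys
	# Import the published OpenPGP keys into root's own keyring: -H points
	# HOME at /root (thus /root/etc/gpg through the link above); without it
	# sudo may keep the caller's HOME and import into the caller's keyring.
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo -H gpg --import "$key"
	done
}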
rule_configure () {
	# Full provisioning of the VM, running the rules in this order.
	# apache2_configure is left out: nginx and php5-fpm serve the sites.
	local step
	for step in \
	 apt_configure \
	 git_configure \
	 etckeeper_configure \
	 locales_configure \
	 time_configure \
	 network_configure \
	 filesystem_configure \
	 login_configure \
	 ssh_configure \
	 user_root_configure \
	 boot_configure \
	 sysctl_configure \
	 user_configure \
	 mail_configure \
	 nginx_configure \
	 php5_fpm_configure \
	 gitolite_configure \
	 runit_configure
	do rule "$step"
	done
}
1369
rule_luks_key_change () {
	# Replace a passphrase of the LUKS root volume (cryptsetup prompts
	# interactively for the existing and the new passphrase).
	local volume=/dev/$vm_lvm_vg/${vm_lvm_lv}_root
	sudo cryptsetup luksChangeKey "$volume"
}
1373
# Dispatch: the first argument is the rule name (default: help), the rest are
# its arguments. Any rule but help refuses to run on a machine other than the
# VM this script was written for. $rule is left unquoted on purpose, as in
# the original dispatch (set -f is on, so only word splitting applies).
rule=${1:-help}
[ $# -gt 0 ] && shift
if [ "$rule" != help ]
then assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
fi
rule $rule "$@"