Correction : vm_hosted : rule_dovecot_configure : sudo .
#!/bin/sh
# Administration rules for the hosted VM, run from inside the VM (see rule_help).
# -e: abort on error; -f: no globbing (rules re-enable it locally with `set +f`);
# -u: unset variables are errors; DRY_RUN set to anything adds -n (parse only).
set -e -f ${DRY_RUN:+-n} -u
# Locate the checkout this script lives in by following the symlink chain of $0
# (/usr/local/sbin/vm is installed as such a link by rule_git_configure).
tool=$0
while [ -L "$tool" ]; do
	tool=$(readlink "$tool")
done
tool=${tool%/*}
. "$tool"/lib/rule.sh
. "$tool"/etc/vm.sh
10
rule_help () { # SYNTAX: [--hidden]
	# Print this tool's usage on stderr.
	# $1: any value (documented as --hidden) also lists the "rule__*" rules,
	#     which are otherwise skipped by the ${hidden:+[^_]} fragment of the sed below.
	local hidden; [ ${1:+set} ] || hidden=set
	# RULES is rebuilt from the "rule_NAME () { # comment" definition lines of
	# etc/vm.sh and of this script, so a rule's trailing comment is its one-line
	# documentation; ENVIRONMENT likewise from their "readonly NAME=…}" lines.
	cat >&2 <<-EOF
	DESCRIPTION:
	ce script regroupe des règles pour administrer la VM ($vm_fqdn)
	_depuis_ la VM hébergée ($vm_fqdn) ;
	il sert à la fois d'outil (aisément bidouillable)
	et de documentation (préçise).
	Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
	SYNTAX: $0 \$RULE \${RULE}_SYNTAX
	RULES:
	$(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
	ENVIRONMENT:
	TRACE # affiche les commandes avant leur exécution
	$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
	EOF
}
28
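rule_git_configure () {
	# Make branch master track the local remote "." and expose this script
	# system-wide as /usr/local/sbin/vm_hosted and its alias /usr/local/sbin/vm.
	# NOTE(review): root then executes whatever is checked out in $tool, so that
	# working tree must stay writable only by the administrators.
	(
	cd "$tool"
	git config --replace branch.master.remote .
	git config --replace branch.master.merge refs/remotes/master
	# Resolve the checkout to an absolute path so the links work from any cwd.
	# pwd is right for any $tool; the previous `cd "$tool"; cd -` re-entered
	# "$tool" from inside it, which only worked for "." or an absolute path.
	local abs_tool
	abs_tool=$(pwd)
	sudo ln -fns "$abs_tool"/vm_hosted /usr/local/sbin/
	sudo ln -fns "$abs_tool"/vm_hosted /usr/local/sbin/vm
	)
}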
rule_git_reset () {
	# Hard-reset the checkout to remotes/master and drop every untracked or
	# ignored file; done in a subshell so the caller's cwd is untouched.
	(
		cd "$tool" &&
		git checkout -f -B master remotes/master &&
		git clean -f -d -x
	)
}
47
rule_apt_get_install () { # SYNTAX: $package
	# Install the given packages; every argument is forwarded to apt-get as is.
	sudo apt-get \
		install "$@"
}
51
rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
	# Force a C locale in the current shell, then reload /etc/profile.
	# Hidden rule: the "rule__" prefix keeps it out of the default help.
	export LANG=C LC_CTYPE=C
	. /etc/profile
}
57
rule_apache2_configure () {
	# Install Apache 2 (mpm-itk + mod_php5), write the shared configuration from
	# "$tool"/etc/apache2, then for each
	# "$tool"/etc/apache2/site.d/PORT.SITE/VirtualHost.conf generate a
	# VirtualHost running under its own system user (PORT 80 plain HTTP, PORT 443
	# TLS with optional client certificates under x509/), enable it, and finally
	# restart apache2. Re-runnable: accounts and directories are only created
	# when missing.
	# The script runs with set -f; globbing is re-enabled for this function only
	# (local -) so the site.d/*/ patterns expand.
	local -; set +f
	rule apt_get_install \
		apache2-mpm-itk \
		libapache2-mod-php5
	# SEE: http://serverfault.com/questions/383526/how-do-i-select-which-apache-mpm-to-use/383634#383634
	# SEE: http://jkroon.blogs.uls.co.za/it/security/using-php-fpm-and-mod_proxy_fcgi-to-optimize-and-secure-lamp-servers
	# NOTE: apache2-mpm-itk seems the most secure,
	# since everything is guaranteed to run with the uid/gid
	# assigned to the VirtualHost/Directory/Location;
	# nevertheless a combination such as:
	# apache2-mpm-{worker,event} + mod_proxy_fcgi + apache2-suexec-custom + php-fpm
	# might perform better (threads rather than forks),
	# but suexec seems to impose forks anyway..
	# and mod_proxy_fcgi only appears in apache 2.4;
	# so for now: apache2-mpm-itk
	rule www_configure
	# apache2.conf = one ServerName line prepended to the versioned file
	# (cat reads the heredoc on stdin first, then the file), piped to install.
	cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF |
	ServerName "$vm_fqdn"
	EOF
	sudo install -m 660 -o root -g root /dev/stdin \
		/etc/apache2/apache2.conf
	sudo install -m 660 -o root -g root \
		"$tool"/etc/apache2/envvars \
		/etc/apache2/envvars
	sudo install -m 660 -o root -g root \
		"$tool"/etc/apache2/httpd.conf \
		/etc/apache2/httpd.conf
	#sudo install -m 660 -o root -g root /dev/stdin \
	#	/etc/apache2/suexec/www-data <<-EOF
	#	/home
	#	pub/www/cgi
	#	EOF
	sudo install -m 660 -o root -g root \
		"$tool"/etc/apache2/ports.conf \
		/etc/apache2/ports.conf
	sudo a2enmod actions
	sudo a2enmod headers
	sudo a2enmod rewrite
	sudo a2enmod ssl
	sudo a2enmod userdir
	local conf
	# Start from no enabled site; each generated site is re-enabled below.
	sudo a2dissite "*"
	# Expose the Apache configuration under the www account's tree.
	sudo ln -fns \
		/etc/apache2 \
		/home/www/etc/apache2
	for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf
	do conf=${conf#"$tool"/etc/apache2/site.d/}
		# site.d/PORT.SITE/VirtualHost.conf -> port=PORT, site=SITE
		local port site
		IFS=. read -r port site <<-EOF
		${conf%\/VirtualHost\.conf}
		EOF
		assert 'test "${site:+set}"'
		assert 'test "${port:+set}"'
		# NOTE(review): $user is not set anywhere in this function; it must come
		# from etc/vm.sh (set -u would abort otherwise) — confirm.
		# site_user and site_dir currently hold the same string.
		local site_user="$user.$port.$site"
		local site_dir="$user.$port.$site"
		case $port in
		(443)
			# The private key is pushed from the remote beforehand and is only
			# visible to root, hence "sudo test".
			local hint="run vm_remote apache2_key_send before"
			assert "sudo test -f /etc/apache2/site.d/\"$site_dir\"/x509/key.pem" hint
			# x509 layout: ca/ (chain), usr/ (accepted client certificates),
			# rvk/ (revocations), empty/ (no CA names advertised to clients).
			# NOTE(review): /etc/apache2 itself is listed here with -o "$user"
			# -m 770 — presumably meant to hand the tree to $user; confirm.
			sudo install -d -m 770 -o "$user" -g "$user" \
				/etc/apache2 \
				/etc/apache2/site.d/"$site_dir" \
				/etc/apache2/site.d/"$site_dir"/x509 \
				/etc/apache2/site.d/"$site_dir"/x509/ca \
				/etc/apache2/site.d/"$site_dir"/x509/empty \
				/etc/apache2/site.d/"$site_dir"/x509/rvk \
				/etc/apache2/site.d/"$site_dir"/x509/usr
			# Self-signed certificate used as the CA for client certificates.
			sudo install -m 664 -o www -g www \
				"$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
				/etc/apache2/site.d/"$site_dir"/x509/crt.self-signed.pem
			#sudo install -m 664 -o "$user" -g "$user" \
			#	"$tool"/var/pub/x509/"$site"/rvk.pem \
			#	/etc/apache2/site.d/"$site_dir"/x509/rvk.pem
			sudo install -m 664 -o www -g www \
				"$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \
				/etc/apache2/site.d/"$site_dir"/x509/ca/crt.pem
			sudo install -m 664 -o www -g www \
				"$tool"/var/pub/x509/"$site"/crt.pem \
				/etc/apache2/site.d/"$site_dir"/x509/crt.pem
			;;
		esac
		# Generate the VirtualHost: common AssignUserID/logging/DocumentRoot
		# header, then the site's own VirtualHost.conf spliced in.
		# NOTE(review): the 443 variant pins TLS 1.0 only (SSLProtocol -All
		# +TLSv1) and non-forward-secret AES+RSA+SHA256 suites; revisit against
		# current guidance.
		case $port in
		(80)
			cat <<-EOF
			<VirtualHost *:$port>
			AssignUserID $site_user $site_user
			CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
			#CustomLog "/dev/null" Combined
			DocumentRoot /home/www/pub/$site_dir
			ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
			#ErrorLog "/dev/null"
			ServerName $site
			LogLevel Warn
			$(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
			</VirtualHost>
			EOF
			;;
		(443)
			cat <<-EOF
			<IfModule mod_ssl.c>
			<VirtualHost *:$port>
			AssignUserID $site_user $site_user
			BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0
			BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
			CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
			#CustomLog "/dev/null" Combined
			DocumentRoot /home/www/pub/$site_dir
			ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
			#ErrorLog "/dev/null"
			LogLevel Warn
			ServerName $site
			SSLCACertificateFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
			SSLCACertificatePath /etc/apache2/site.d/$site_dir/x509/usr/
			#SSLCARevocationFile /etc/apache2/site.d/$site_dir/x509/rvk.pem
			SSLCADNRequestFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
			SSLCADNRequestPath /etc/apache2/site.d/$site_dir/x509/empty/
			# NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés
			SSLCARevocationPath /etc/apache2/site.d/$site_dir/x509/rvk/
			SSLCertificateChainFile /etc/apache2/site.d/$site_dir/x509/ca/crt.pem
			SSLCertificateFile /etc/apache2/site.d/$site_dir/x509/crt.pem
			SSLCertificateKeyFile /etc/apache2/site.d/$site_dir/x509/key.pem
			SSLCipherSuite AES+RSA+SHA256
			SSLEngine On
			SSLInsecureRenegotiation Off
			SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars
			SSLProtocol -All +TLSv1
			#SSLRenegBufferSize 262144
			SSLSessionCacheTimeout 1200
			SSLStrictSNIVHostCheck On
			SSLUserName SSL_CLIENT_S_DN_CN
			SSLVerifyClient None
			SSLVerifyDepth 1
			$(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
			</VirtualHost>
			</IfModule>
			EOF
			;;
		esac |
		sudo install -m 660 -o root -g root /dev/stdin \
			/etc/apache2/site.d/"$site_dir"/VirtualHost.conf
		sudo ln -fns \
			../site.d/"$site_dir"/VirtualHost.conf \
			/etc/apache2/sites-available/"$site_dir"
		sudo install -d -m 770 -o "$user" -g "$user" \
			/home/www/log/"$site_dir" \
			/home/www/log/"$site_dir"/apache2
		sudo ln -fns \
			/etc/apache2/site.d/"$site_dir" \
			/home/www/etc/apache2/"$site_dir"
		test -e /home/www/pub/"$site_dir" ||
		sudo install -d -m 770 -o "$user" -g "$user" \
			/home/www/pub/"$site_dir"
		# Dedicated account for mpm-itk's AssignUserID; no password, no shell.
		getent passwd "$site_user" >/dev/null ||
		sudo adduser \
			--disabled-password \
			--group \
			--no-create-home \
			--home /home/www/pub/"$site_dir" \
			--shell /bin/false \
			--system \
			"$site_user"
		# The site user only needs traversal (--x) down to its DocumentRoot;
		# the default ACL gives it rwx on whatever is created inside.
		sudo setfacl -m u:"$site_user":--x \
			/home/www/ \
			/home/www/pub/ \
			/home/www/pub/"$site_dir"/
		# NOTE(review): $home is not set in this function and this path differs
		# from /home/www/pub/"$site_dir" used just above — confirm.
		sudo setfacl -m d:u:"$site_user":rwx \
			"$home"/pub/www/"$site_dir"/
		# Optional per-site hook, sourced in this shell with the loop's
		# variables in scope.
		test ! -r "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh ||
		. "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh
		test -e /etc/apache2/sites-enabled/"$site_dir" ||
		sudo a2ensite "$site_dir"
	done
	sudo service apache2 restart
}
rule_apt_configure () {
	# Write the APT sources (a Debian mirror for $vm_lsb_name, a backports list
	# holding only a comment, an OpenERP nightly repository), pin the release
	# priorities, refresh the index and install apticron, configured to mail
	# admin@$vm_domainname about pending upgrades.
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
	deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
	EOF
	# NOTE(review): this file lands in /etc/apt/, not /etc/apt/sources.list.d/,
	# so apt does not read it — harmless while its only line is a comment.
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF
	#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
	EOF
	# Backports (200) are pinned above the release (170); both are below apt's
	# default of 500 — TODO confirm this is the intended upgrade policy.
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
	Package: *
	Pin: release a=$vm_lsb_name
	Pin-Priority: 170

	Package: *
	Pin: release a=$vm_lsb_name-backports
	Pin-Priority: 200
	EOF
	# Third-party repository; apt's signature check is what protects it.
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
	deb http://nightly.openerp.com/trunk/nightly/deb/ ./
	EOF
	sudo apt-get update
	rule apt_get_install apticron
	# Only EMAIL is set; the commented lines document apticron's other knobs.
	sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF
	EMAIL="admin@$vm_domainname"
	# DIFF_ONLY="1"
	# LISTCHANGES_PROFILE="apticron"
	# ALL_FQDNS="1"
	# SYSTEM="foobar.example.com"
	# IPADDRESSNUM="1"
	# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
	# NOTIFY_HOLDS="0"
	# NOTIFY_NEW="0"
	# NOTIFY_NO_UPDATES="0"
	# CUSTOM_SUBJECT=""
	# CUSTOM_NO_UPDATES_SUBJECT=""
	# CUSTOM_FROM="root@$vm_fqdn"
	EOF
}
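rule_boot_configure () {
	# Install GRUB and the kernel for a Xen PV guest booting on the hypervisor
	# console (hvc0), with the network configured from the kernel command line
	# (ip=…) and resume from the decrypted swap volume; then refresh the
	# initramfs (rule initramfs_configure).
	warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
	rule apt_get_install grub-pc
	# A directory needs the execute bits to be traversed: 755 (the previous
	# 644 produced an unreadable /boot/grub for anyone but root).
	sudo install -d -m 755 -o root -g root /boot/grub
	rule apt_get_install linux-image-"$vm_arch"
	# NOTE(review): resume= uses ${vm}_swap_deciphered while /etc/fstab and
	# /etc/crypttab (rule_filesystem_configure) use ${vm_lvm_lv}_… — fine only
	# if both variables hold the same value; confirm.
	sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF
	GRUB_DEFAULT=0
	GRUB_TIMEOUT=5
	GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
	GRUB_CMDLINE_LINUX_DEFAULT="quiet"
	GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
	GRUB_DISABLE_RECOVERY="true"
	#GRUB_PRELOAD_MODULES="lvm"
	EOF
	# device.map: the disk as seen from the guest (xvda) and as the LVM-backed
	# domU volume (dashes doubled, as device-mapper names them).
	sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF
	(hd0) /dev/xvda
	(hd0) /dev/mapper/domU-$(printf %s "$vm_fqdn"-disk | sed -e 's/-/--/g')
	EOF
	sudo update-grub2 # NOTE: takes /boot/grub/device.map into account
	rule initramfs_configure
}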
rule_dovecot_configure () {
	# Install Dovecot (IMAP + ManageSieve + Sieve), deploy the IMAP x509 material,
	# write /etc/dovecot/local.conf and a self-service password helper, then
	# restart dovecot. The private key is pushed separately
	# (vm_remote dovecot_key_send); this rule only checks that it is present.
	rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
	local hint="run vm_remote dovecot_key_send before"
	# "sudo test": the key is not visible to the invoking user.
	assert "sudo test -f /etc/dovecot/\"$vm_domainname\"/imap/x509/key.pem" hint
	# Self-signed certificate + CRL bundle, used both as the server certificate
	# and as the CA for client certificates (ssl_cert / ssl_ca below).
	sudo install -m 400 -o root -g root \
		"$tool"/var/pub/x509/$vm_domainname/imap/crt+crl.self-signed.pem \
		/etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
	# Mail/sieve directories seeded into every new account via /etc/skel.
	sudo install -d -m 770 -o root -g adm \
		/etc/skel/etc/mail \
		/etc/skel/etc/sieve
	# INDEX/CONTROL live outside the quota-enforced home; 1777 lets each user's
	# process create its own %u subdirectory while the sticky bit keeps users
	# from removing each other's.
	sudo install -d -m 1777 -o root -g root \
		/var/lib/dovecot-control \
		/var/lib/dovecot-index
	# Client certificates are accepted (ssl_verify_client_cert) and the login
	# name may be taken from them (auth_ssl_username_from_cert); passwords are
	# per-user passwd-files written by dovecot-passwd below.
	# NOTE(review): mail_debug = yes and ssl_cipher_list = AES256-SHA (a single
	# CBC suite without forward secrecy) are worth revisiting.
	sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
	auth_ssl_username_from_cert = yes
	listen = *
	log_timestamp = "%Y-%m-%d %H:%M:%S "
	mail_debug = yes
	mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
	# NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
	# VOIR: http://wiki2.dovecot.org/Quota/FS
	mail_plugins = \$mail_plugins quota
	mail_privileged_group = mail
	passdb {
	args = /home/%u/etc/dovecot/passwd
	driver = passwd-file
	}
	plugin {
	quota = fs:user
	recipient_delimiter = +
	sieve = ~/etc/mail/filter.sieve
	sieve_dir = ~/etc/mail/sieve
	sieve_global_dir = /var/lib/dovecot/sieve/global/
	sieve_max_script_size = 1M
	sieve_quota_max_scripts = 0
	sieve_quota_max_storage = 10M
	sieve_user_log = ~/var/log/mail/sieve.log
	}
	protocol imap {
	mail_plugins = \$mail_plugins imap_quota
	}
	protocol lda {
	auth_socket_path = /var/run/dovecot/auth-master
	hostname = $vm_domainname
	info_log_path =
	log_path =
	mail_plugins = \$mail_plugins sieve
	postmaster_address = contact+dovecot+lda@$vm_domainname
	syslog_facility = mail
	}
	protocols = imap sieve
	service auth {
	user = root
	unix_listener /var/spool/postfix/private/auth {
	mode = 0660
	user = postfix
	group = postfix
	}
	}
	ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
	ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
	ssl_cipher_list = AES256-SHA
	ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
	ssl_verify_client_cert = yes
	userdb {
	driver = passwd
	}
	verbose_ssl = no
	EOF
	# Self-service helper: each user writes its own SHA512-CRYPT entry into
	# ~/etc/dovecot/passwd, the passwd-file passdb configured above. The "\$"
	# keep $USER and $(doveadm …) for the generated script; its inner heredoc
	# terminator _EOF ends up at column 0 once the outer <<- strips the tabs.
	sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
	#!/bin/sh -efux
	# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
	install -d -m 770 ~/etc/dovecot
	install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
	\$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
	_EOF
	EOF
	# Creates the local postgrey recipient whitelist, left empty here.
	sudo install -m 664 -o root -g root /dev/stdin /etc/postgrey/whitelist_recipients.local <<-EOF
	EOF
	sudo service dovecot restart
}
rule_etckeeper_configure () {
	# Track /etc in git with etckeeper: daily autocommits and the automatic
	# commit before package installs are disabled (commits are meant to be
	# explicit), and the versioned prompt.sh hook is installed.
	sudo install -m 644 -o root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
	VCS=git
	GIT_COMMIT_OPTIONS=""
	AVOID_DAILY_AUTOCOMMITS=1
	#AVOID_SPECIAL_FILE_WARNING=1
	AVOID_COMMIT_BEFORE_INSTALL=1
	HIGHLEVEL_PACKAGE_MANAGER=apt
	LOWLEVEL_PACKAGE_MANAGER=dpkg
	EOF
	sudo install -m 644 -o root -g root \
		"$tool"/etc/etckeeper/prompt.sh \
		/etc/etckeeper/prompt.sh
	# The package is installed after its configuration already exists, so
	# dpkg presumably treats etckeeper.conf as locally modified — confirm
	# that is intended.
	rule apt_get_install etckeeper
}
rule_filesystem_configure () {
	# Write /etc/fstab, /etc/crypttab and the swap sysctl for a layout with an
	# unencrypted ext2 /boot and root, /var, /home and swap on LUKS-encrypted
	# LVM volumes of $vm_lvm_vg, named ${vm_lvm_lv}_* once decrypted.
	# /home carries usrquota,grpquota (Dovecot's quota = fs:user relies on it);
	# /tmp is a 200m tmpfs (nosuid,nodev, but not noexec — presumably deliberate).
	sudo install -m 644 -o root -g root /dev/stdin /etc/fstab <<-EOF
	# <file system> <mount point> <type> <options> <dump> <pass>
	LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
	proc /proc proc defaults 0 0
	sysfs /sys sysfs defaults 0 0
	tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
	/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
	/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
	/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
	# NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
	/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
	EOF
	# Only the root volume takes a passphrase at boot ("none"); var, home and
	# swap derive their key from the opened root volume (decrypt_derived), so a
	# single unlock — e.g. over the initramfs dropbear, see
	# rule_initramfs_configure — opens everything.
	sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF
	# <target name> <source device> <key file> <options>
	${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
	${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/sysctl.d/local-swap.conf <<-EOF
	vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité
	vm.vfs_cache_pressure=50
	EOF
}
rule_initramfs_configure () {
	# Build an initramfs for a Xen PV guest that can be unlocked remotely: network
	# on eth0 (xennet), the crypto modules for the LUKS volumes, a dropbear SSH
	# server whose root authorized_keys are collected from every member of the
	# sudo group, then update-initramfs -u.
	sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
	MODULES=most
	BUSYBOX=y
	KEYMAP=y
	COMPRESS=gzip
	DEVICE=eth0
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/modprobe.d/xen-pv.conf <<-EOF
	alias eth0 xennet
	alias scsi_hostadapter xenblk
	EOF
	# Hashes and AES-XTS needed to open the LUKS volumes.
	sudo install -m 644 -o root -g root /dev/stdin /etc/modules <<-EOF
	sha1_generic
	sha256_generic
	sha512_generic
	aes-x86_64
	xts
	# NOTE: pour Xen en mode HVM :
	#modprobe xen-platform-pci
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF
	EOF
	# Drop the trailing "&" so configure_networking runs synchronously before
	# dropbear starts. This edits a package-managed file under /usr/share; a
	# dropbear upgrade would presumably undo it.
	sudo sed -e '/^configure_networking /s/ &$//' \
		-i /usr/share/initramfs-tools/scripts/init-premount/dropbear
	# NOTE: works around a bug: dropbear must wait until the network is configured..
	# Keep the existing dropbear host key when the repository's known_hosts
	# already records an RSA key for init.$vm_fqdn (ssh-keygen -F prints a line
	# ending in " RSA" for it); otherwise regenerate a 4096-bit RSA key. The
	# `return` exits the ( ) subshell with that status.
	ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	( while IFS= read -r line
	  do case $line in (*" RSA") return 0; break;; esac
	  done; return 1 ) ||
	{
		sudo rm -f \
			/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
			/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
		sudo dropbearkey -t rsa -s 4096 -f \
			/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
	}
	# NOTE: does not bother with dropbear_dss_host_key; Debian generates and uses it nevertheless.
	# NOTE(review): -m 640 on a directory lacks the execute (search) bits;
	# 700 is the usual mode for a .ssh directory — TODO confirm intent.
	sudo install -d -m 640 -o root -g root \
		/etc/initramfs-tools/root \
		/etc/initramfs-tools/root/.ssh
	# For each member of the sudo group (the inner read peels one name per
	# iteration from the comma-separated list), concatenate
	# ~user/etc/ssh/authorized_keys into root's authorized_keys for the
	# initramfs. eval is only used to tilde-expand the user name; names come
	# from the local group database.
	getent group sudo |
	while IFS=: read -r group x x users
	do while test -n "$users" && IFS=, read -r user users <<-EOF
		$users
		EOF
		do eval local home\; home="~$user"
			cat "$home"/etc/ssh/authorized_keys
		done
	done |
	sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys
	# Remove the client key pair Debian generates for the initramfs root; only
	# the authorized_keys above are wanted there.
	sudo rm -f \
		/etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
		/etc/initramfs-tools/root/.ssh/id_rsa.pub \
		/etc/initramfs-tools/root/.ssh/id_rsa
	# NOTE: keys generated by Debian
	sudo update-initramfs -u
}
rule_time_configure () {
	# Set the system timezone to Europe/Paris, apply it through tzdata's
	# reconfiguration, and install ntp for time synchronisation.
	printf '%s\n' Europe/Paris |
	sudo install -m 644 -o root -g root /dev/stdin /etc/timezone
	sudo dpkg-reconfigure tzdata
	rule apt_get_install ntp
}
rule_locale_configure () {
	# Generate a single locale, fr_FR.UTF-8, and refresh the system defaults.
	printf '%s\n' 'fr_FR.UTF-8 UTF-8' |
	sudo install -m 644 -o root -g root /dev/stdin /etc/locale.gen
	sudo update-locale
}
rule_login_configure () {
	# Console and login policy for the Xen guest: allow root on the hvc0/xvc0
	# consoles, write an inittab with a getty on hvc0, a login.defs with a
	# group-trusting umask (007) and SHA512 password hashing, and make PAM
	# apply the umask at session start. The securetty and PAM edits append to
	# the current file (re-read via $(cat …)) and are skipped when the line is
	# already present, so the rule is re-runnable.
	grep -q '^hvc0$' /etc/securetty ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
	$(cat /etc/securetty)
	hvc0
	EOF
	grep -q '^xvc0$' /etc/securetty ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
	$(cat /etc/securetty)
	xvc0
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF
	# /etc/inittab: init(8) configuration.

	# The default runlevel.
	id:2:initdefault:

	# Boot-time system configuration/initialization script.
	# This is run first except when booting in emergency (-b) mode.
	si::sysinit:/etc/init.d/rcS

	# What to do in single-user mode.
	~~:S:wait:/sbin/sulogin

	# /etc/init.d executes the S and K scripts upon change
	# of runlevel.
	#
	# Runlevel 0 is halt.
	# Runlevel 1 is single-user.
	# Runlevels 2-5 are multi-user.
	# Runlevel 6 is reboot.

	l0:0:wait:/etc/init.d/rc 0
	l1:1:wait:/etc/init.d/rc 1
	l2:2:wait:/etc/init.d/rc 2
	l3:3:wait:/etc/init.d/rc 3
	l4:4:wait:/etc/init.d/rc 4
	l5:5:wait:/etc/init.d/rc 5
	l6:6:wait:/etc/init.d/rc 6
	# Normally not reached, but fallthrough in case of emergency.
	z6:6:respawn:/sbin/sulogin

	# What to do when CTRL-ALT-DEL is pressed.
	ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

	# What to do when the power fails/returns.
	pf::powerwait:/etc/init.d/powerfail start
	pn::powerfailnow:/etc/init.d/powerfail now
	po::powerokwait:/etc/init.d/powerfail stop

	# Xen hypervisor console
	hvc:2345:respawn:/sbin/getty 38400 hvc0
	#xvc:2345:respawn:/sbin/getty 38400 xvc0
	EOF
	# PASS_MAX_DAYS 99999 disables password expiry; LOGIN_RETRIES/LOGIN_TIMEOUT
	# bound interactive attempts. The in-file NOTE lines are written to
	# login.defs on purpose and document the sbin-in-PATH and UMASK choices.
	sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF
	MAIL_DIR /var/mail
	FAILLOG_ENAB yes
	LOG_UNKFAIL_ENAB no
	LOG_OK_LOGINS no
	SYSLOG_SU_ENAB yes
	SYSLOG_SG_ENAB yes
	FTMP_FILE /var/log/btmp
	SU_NAME su
	HUSHLOGIN_FILE .hushlogin
	ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
	ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
	# NOTE: met les sbin/ dans ENV_PATH ;
	# - ça n'apporte aucune protection de ne pas les mettre ;
	# - ça frustre de ne pas les trouver.
	TTYGROUP tty
	TTYPERM 0600
	ERASECHAR 0177
	KILLCHAR 025
	UMASK 007
	# NOTE: rwxrwx--- ;
	# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
	# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
	PASS_MAX_DAYS 99999
	PASS_MIN_DAYS 0
	PASS_WARN_AGE 7
	UID_MIN 1000
	UID_MAX 60000
	GID_MIN 1000
	GID_MAX 60000
	LOGIN_RETRIES 3
	LOGIN_TIMEOUT 60
	CHFN_RESTRICT rwh
	DEFAULT_HOME yes
	USERGROUPS_ENAB yes
	ENCRYPT_METHOD SHA512
	EOF
	# pam_umask makes the login.defs UMASK apply to every PAM session.
	grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF
	$(cat /etc/pam.d/common-session)
	session optional pam_umask.so
	EOF
}
rule_mail_configure () {
	# Configure the whole mail stack, MTA first: postfix, postgrey, procmail,
	# then dovecot.
	local part
	for part in postfix postgrey procmail dovecot
	do rule "$part"_configure
	done
}
rule_network_configure () {
	# Hostname, /etc/hosts entry and a static eth0 configuration with a /32
	# address: the gateway is the address itself (proxy_arp on the upstream
	# router), the interface is renamed "grenode" and its MTU lowered to 1300
	# for the provider's GRE/IPsec tunnels (the in-file ping transcript is the
	# evidence and is written to the interfaces file on purpose).
	sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
	$vm
	EOF
	# Append the hosts entry only once (" $vm" at end of line is the marker).
	grep -q " $vm\$" /etc/hosts ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/hosts <<-EOF
	$(cat /etc/hosts)
	127.0.0.1 $vm_fqdn $vm
	EOF
	# "\$IFACE" and "\$((…))" stay literal for ifupdown / the transcript.
	sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF
	auto lo
	iface lo inet loopback

	auto eth0=grenode
	iface grenode inet static
	address $vm_ipv4
	gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
	network $vm_ipv4
	broadcast $vm_ipv4
	netmask 255.255.255.255
	mtu 1300
	# NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
	# car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
	#
	# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
	# PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
	# 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
	#
	# --- soupirail.grenode.net ping statistics ---
	# 1 packets transmitted, 1 received, 0% packet loss, time 0ms
	# rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
	# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
	# PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
	# From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
	#
	# --- soupirail.grenode.net ping statistics ---
	# 0 packets transmitted, 0 received, +1 errors
	post-up ip address add $vm_ipv4/32 dev \$IFACE
	pre-down ip address delete $vm_ipv4/32 dev \$IFACE
	EOF
}
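rule_www_configure () {
	# Create the shared web accounts and the directory layout under /home/www:
	#   www      owns /home/www and /home/www/etc (configuration),
	#   www-data (Debian's web server account) gets /home/www/pub as home,
	#   log.www  owns /home/www/log; www is added to the log.www group.
	# Every adduser is guarded by getent so the rule is re-runnable.
	getent passwd www >/dev/null ||
	sudo adduser \
		--disabled-login \
		--disabled-password \
		--group \
		--home /home/www \
		--shell /bin/false \
		--system \
		www
	getent passwd log.www >/dev/null ||
	sudo adduser \
		--disabled-login \
		--disabled-password \
		--group \
		--home ~www/log \
		--shell /bin/false \
		--system \
		log.www
	#sudo adduser www www-data
	sudo adduser www log.www
	#sudo adduser log log.www
	# usermod needs root like every other account change in this rule.
	sudo usermod --home /home/www/pub www-data
	sudo install -d -m 751 -o www -g www \
		/home/www
	sudo install -d -m 750 -o www -g www \
		/home/www/etc
	# 1771: group-writable with the sticky bit, so group members can create
	# per-site entries without removing each other's; others may only traverse.
	# (Previously the first install's trailing backslash swallowed the second
	# command as extra arguments, creating stray ./sudo and ./install directories.)
	sudo install -d -m 1771 -o www-data -g www-data \
		/home/www/pub
	sudo install -d -m 1771 -o log.www -g log.www \
		/home/www/log
}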
rule_nginx_configure () {
	# Install nginx and, for each "$tool"/etc/nginx/site.d/PORT.SITE/server.conf,
	# create the www.PORT.SITE / log.PORT.SITE accounts, the log and document
	# directories and a generated server {} block (port 80 plain, port 443 TLS)
	# wrapping the site's own server.conf; then install spawn-fcgi/fcgiwrap,
	# apply the tmpfs rule and restart nginx.
	# The script runs with set -f; globbing is re-enabled for this function only.
	local -; set +f
	rule apt_get_install nginx
	rule www_configure
	# The generated configuration is authoritative: wipe conf.d and site.d.
	sudo rm -rf \
		/etc/nginx/conf.d \
		/etc/nginx/site.d
	sudo install -d -m 770 -o www -g www \
		/etc/nginx \
		/etc/nginx/conf.d \
		/etc/nginx/site.d
	sudo ln -fns \
		/etc/nginx \
		/home/www/etc/nginx
	sudo install -m 660 -o www -g www \
		"$tool"/etc/nginx/nginx.conf \
		/etc/nginx/nginx.conf
	local conf
	for conf in "$tool"/etc/nginx/conf.d/*.conf
	do conf=${conf#"$tool"/etc/nginx/conf.d/}
		sudo install -m 660 -o www -g www \
			"$tool"/etc/nginx/conf.d/"$conf" \
			/etc/nginx/conf.d/"$conf"
	done
	for conf in "$tool"/etc/nginx/site.d/*/server.conf
	do conf=${conf#"$tool"/etc/nginx/site.d/}
		# site.d/PORT.SITE/server.conf -> port=PORT, site=SITE
		local port site
		IFS=. read -r port site <<-EOF
		${conf%\/server\.conf}
		EOF
		assert 'test "${port:+set}"'
		assert 'test "${site:+set}"'
		# From here on $site is the full "PORT.SITE" name.
		site="$port.$site"
		getent passwd www."$site" >/dev/null ||
		sudo adduser \
			--disabled-login \
			--disabled-password \
			--group \
			--home ~www-data/"$site" \
			--shell /bin/false \
			--system \
			www."$site"
		getent passwd log."$site" >/dev/null ||
		sudo adduser \
			--disabled-login \
			--disabled-password \
			--group \
			--shell /bin/false \
			--system \
			log."$site"
		sudo usermod --home ~www/log/"$site"/nginx log."$site"
		sudo install -d -m 770 -o www -g www \
			/etc/nginx/site.d/"$site"
		case $port in
		(443)
			# NOTE(review): the key is checked under /etc/nginx/"$site"/x509/ but
			# the certificate goes to /etc/nginx/site.d/"$site"/x509/, a directory
			# this rule never creates — one of the two paths looks wrong; confirm
			# against vm_remote nginx_key_send.
			local hint="run vm_remote nginx_key_send before"
			assert "sudo test -f /etc/nginx/\"$site\"/x509/key.pem" hint
			sudo install -m 664 -o www -g www \
				"$tool"/var/pub/x509/"$site"/crt+ca.pem \
				/etc/nginx/site.d/"$site"/x509/crt.pem
			;;
		esac
		# Generated server block: common listen/log/root/server_name lines, TLS
		# settings for 443, then the site's server.conf spliced in.
		# NOTE(review): ssl_protocols TLSv1 TLSv1.1 TLSv1.2 and ssl_ciphers
		# HIGH:!ADH:!MD5 reflect the defaults of the time; revisit.
		case $port in
		(80)
			cat <<-EOF
			server {
			listen $port;
			access_log /home/www/log/$site/nginx/access.log main;
			error_log /home/www/log/$site/nginx/error.log warn;
			root /home/www/pub/$site;
			server_name $site;
			$(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
			}
			EOF
			;;
		(443)
			cat <<-EOF
			server {
			listen $port;
			access_log /home/www/log/$site/nginx/access.log main;
			error_log /home/www/log/$site/nginx/error.log warn;
			keepalive_timeout 70;
			root /home/www/pub/$site;
			server_name $site;
			# DOC: http://wiki.nginx.org/HttpSslModule
			ssl on;
			ssl_certificate /home/www/etc/nginx/site.d/$site/x509/crt.pem;
			ssl_certificate_key /home/www/etc/nginx/site.d/$site/x509/key.pem;
			ssl_ciphers HIGH:!ADH:!MD5;
			ssl_prefer_server_ciphers on;
			ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
			ssl_session_cache shared:SSL:10m;
			$(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
			}
			EOF
			;;
		esac |
		sudo install -m 660 -o www -g www /dev/stdin \
			/etc/nginx/site.d/"$site"/server.conf
		# NOTE(review): runs without sudo, unlike every other account change in
		# this file, and names a group "$site" whereas the group created above is
		# www."$site" — confirm which is meant (same question for the
		# -o/-g "$site" just below).
		adduser www-data "$site"
		test -e /home/www/pub/"$site" ||
		sudo install -d -m 3770 -o "$site" -g "$site" \
			/home/www/pub/"$site"
		sudo install -d -m 3770 -o log."$site" -g log."$site" \
			/home/www/log/"$site"/nginx
		# Optional per-site hook, sourced in this shell with the loop's
		# variables in scope.
		test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
		. "$tool"/etc/nginx/site.d/"$site"/configure.sh
	done
	rule apt_get_install spawn-fcgi fcgiwrap
	# fcgiwrap's own init script is removed; presumably it is started through
	# spawn-fcgi by the site hooks instead — confirm.
	sudo insserv --remove fcgiwrap
	rule tmpfs_configure
	sudo service nginx restart
}
rule_php5_fpm_configure () {
	# Install php5-fpm (+APC) and, for each "$tool"/etc/php5/fpm/pool.d/PORT.SITE.conf,
	# create a php5.PORT.SITE account and a pool listening on a unix socket for
	# nginx, with the site's own pool settings appended; then restart php5-fpm.
	# The script runs with set -f; globbing is re-enabled for this function only.
	local -; set +f
	rule apt_get_install \
		php5-fpm \
		php-apc
	getent passwd php5 >/dev/null ||
	sudo adduser \
		--disabled-login \
		--disabled-password \
		--group \
		--shell /bin/false \
		--system \
		php5
	local conf
	sudo ln -fns \
		/etc/php5-fpm \
		/home/www/etc/php5
	# The generated pools are authoritative: drop whatever is there.
	sudo rm -f /etc/php5/fpm/pool.d/*
	for conf in "$tool"/etc/php5/fpm/pool.d/*.conf
	do conf=${conf#"$tool"/etc/php5/fpm/pool.d/}
		# pool.d/PORT.SITE.conf -> port=PORT, site=SITE
		local port site
		IFS=. read -r port site <<-EOF
		${conf%\.conf}
		EOF
		assert 'test "${port:+set}"'
		assert 'test "${site:+set}"'
		# From here on $site is the full "PORT.SITE" name.
		site="$port.$site"
		# NOTE(review): the guard looks up php5"$site" (no dot) while the account
		# created is php5."$site", so it never matches and adduser runs on every
		# pass.
		getent passwd php5"$site" >/dev/null ||
		sudo adduser \
			--disabled-login \
			--disabled-password \
			--group \
			--no-create-home \
			--home ~www/pub/"$site" \
			--shell /bin/false \
			--system \
			php5."$site"
		# NOTE(review): the pool below logs to /home/www/log/$site/php5/fpm/ but
		# the directories created here are /home/www/log/php5/fpm and
		# /home/www/log/"$site" — confirm where the logs should live.
		sudo install -d -m 770 -o php5 -g php5 \
			/home/www/log/php5 \
			/home/www/log/php5/fpm
		sudo install -d -m 770 -o log."$site" -g log."$site" \
			/home/www/log/"$site"
		# NOTE(review): $user is not set in this function (presumably php5."$site"
		# was meant); under set -u this aborts unless etc/vm.sh defines it.
		sudo adduser php5."$user" www."$site"
		# NOTE(review): $php5_user (the "user =" line) is likewise not set here.
		# catch_workers_output, slowlog and rlimit_core = unlimited are debugging
		# aids; core dumps of PHP workers may contain request data.
		sudo install -m 660 -o root -g root /dev/stdin \
			/etc/php5/fpm/pool.d/"$conf" <<-EOF
		[php5.$site]
		access.log = /home/www/log/$site/php5/fpm/access.log
		catch_workers_output = yes
		chdir = /
		env[HOSTNAME] = \$HOSTNAME
		env[TEMP] = /tmp
		env[TMPDIR] = /tmp
		env[TMP] = /tmp
		group = www-data
		listen = /run/nginx/fastcgi/php5.$site
		#listen = 127.0.0.1:9000
		#listen.allowed_clients = 127.0.0.1
		listen.backlog = -1
		pm = dynamic
		pm.max_children = 5
		pm.max_requests = 200
		pm.max_spare_servers = 4
		pm.min_spare_servers = 2
		pm.start_servers = 3
		pm.status_path = /status
		request_slowlog_timeout = 5s
		request_terminate_timeout = 120s
		rlimit_core = unlimited
		rlimit_files = 131072
		slowlog = /home/www/log/$site/php5/fpm/slow.log
		user = $php5_user
		$(cat "$tool"/etc/php5/fpm/pool.d/"$conf")
		EOF
		# Shared php.ini, re-installed once per pool (same source each time).
		sudo install -m 664 -o root -g root \
			"$tool"/etc/php5/fpm/php.ini \
			/etc/php5/fpm/php.ini
	done
	rule tmpfs_configure
	sudo service php5-fpm restart
}
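rule_postfix_configure () {
	# Install and configure Postfix for $vm_domainname: x509 material for the
	# smtpd (server) and smtp (client) sides, aliases routing the role addresses
	# to root and root to the sudo group members, main.cf (the versioned file
	# prefixed with the per-VM identity lines), master.cf, and the hash lookup
	# tables under /etc/postfix/$vm_domainname, each rebuilt with postmap.
	# The smtpd private key is pushed separately (vm_remote postfix_key_send);
	# this rule only checks that it is present.
	local hint="run vm_remote postfix_key_send before"
	# "sudo test": /etc/postfix/$vm_domainname is 770 root:root, so a plain
	# test -f by the invoking user failed even when the key existed (same check
	# as rule_dovecot_configure).
	assert "sudo test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
	warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
	rule apt_get_install postfix
	# Keep the generated *.db lookup tables out of etckeeper's history.
	sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
	*.db
	EOF
	sudo install -d -m 770 -o root -g root \
		/etc/postfix/$vm_domainname/ \
		/etc/postfix/$vm_domainname/smtp \
		/etc/postfix/$vm_domainname/smtp/x509 \
		/etc/postfix/$vm_domainname/smtp/x509/ca \
		/etc/postfix/$vm_domainname/smtpd \
		/etc/postfix/$vm_domainname/smtpd/x509 \
		/etc/postfix/$vm_domainname/smtpd/x509/ca
	# The self-signed certificate + CRL bundle doubles as the CA for client
	# certificates (relay_clientcerts below).
	sudo ln -fns \
		../crt+crl.self-signed.pem \
		/etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
	sudo install -m 400 -o root -g root \
		"$tool"/var/pub/x509/$vm_domainname/smtpd/crt+crl.self-signed.pem \
		/etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
	sudo install -m 400 -o root -g root \
		"$tool"/var/pub/x509/$vm_domainname/smtpd/crt.pem \
		/etc/postfix/$vm_domainname/smtpd/x509/crt.pem
	sudo install -m 400 -o root -g root \
		"$tool"/var/pub/x509/$vm_domainname/smtpd/crt+ca.pem \
		/etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem
	sudo install -m 660 -o root -g root \
		"$tool"/etc/postfix/$vm_domainname/header_checks \
		/etc/postfix/$vm_domainname/header_checks
	# Role addresses go to root; root's mail goes to every member of the sudo
	# group (fourth field of the group entry, commas turned into spaces).
	sudo install -m 664 -o root -g root /dev/stdin \
		/etc/postfix/aliases <<-EOF
	# See man 5 aliases for format
	abuse: root
	admin: root
	contact: root
	postmaster: root
	root: $(getent group sudo | cut -f 4 -d : | tr , ' ')
	EOF
	sudo newaliases -oA/etc/postfix/aliases
	# main.cf = identity lines (heredoc on stdin) followed by the versioned
	# file; "\$" keeps Postfix's own $mydomain/$myhostname references literal.
	cat /dev/stdin "$tool"/etc/postfix/main.cf <<-EOF |
	mydomain = $vm_domainname
	myorigin = \$mydomain
	myhostname = $vm_hostname.\$mydomain
	mail_name = \$myhostname
	mydestination = $vm_hostname \$myhostname \$myorigin
	EOF
	sudo install -m 664 -o root -g root /dev/stdin \
		/etc/postfix/main.cf
	sudo install -m 664 -o root -g root \
		"$tool"/etc/postfix/master.cf \
		/etc/postfix/master.cf
	# Lookup tables: install each source, then (re)build its hash:*.db.
	sudo install -m 660 -o root -g root \
		"$tool"/etc/postfix/$vm_domainname/smtp/x509/policy \
		/etc/postfix/$vm_domainname/smtp/x509/policy
	sudo postmap hash:/etc/postfix/$vm_domainname/smtp/x509/policy
	sudo install -m 660 -o root -g root \
		"$tool"/etc/postfix/$vm_domainname/smtp/header_checks \
		/etc/postfix/$vm_domainname/smtp/header_checks
	sudo install -m 660 -o root -g root \
		"$tool"/etc/postfix/$vm_domainname/smtpd/sender_access \
		/etc/postfix/$vm_domainname/smtpd/sender_access
	sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/sender_access
	sudo install -m 660 -o root -g root \
		"$tool"/etc/postfix/$vm_domainname/smtpd/client_blacklist \
		/etc/postfix/$vm_domainname/smtpd/client_blacklist
	sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/client_blacklist
	sudo install -m 660 -o root -g root \
		"$tool"/etc/postfix/$vm_domainname/smtpd/relay_clientcerts \
		/etc/postfix/$vm_domainname/smtpd/relay_clientcerts
	sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/relay_clientcerts
	sudo install -m 660 -o root -g root \
		"$tool"/etc/postfix/$vm_domainname/transport \
		/etc/postfix/$vm_domainname/transport
	sudo postmap hash:/etc/postfix/$vm_domainname/transport
	sudo install -m 660 -o root -g root \
		"$tool"/etc/postfix/$vm_domainname/virtual_alias \
		/etc/postfix/$vm_domainname/virtual_alias
	sudo postmap hash:/etc/postfix/$vm_domainname/virtual_alias
	sudo service postfix restart
}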
rule_postgrey_configure () {
	# Installs the postgrey greylisting daemon, then (re)starts its service.
	local svc=postgrey
	rule apt_get_install "$svc"
	sudo service "$svc" restart
}
rule_procmail_configure () {
	# Installs procmail and seeds /etc/skel with the mail directories and
	# the default delivery recipe that every new account inherits.
	rule apt_get_install procmail
	local dir
	for dir in etc/mail var/cache/mail var/log/mail var/mail
	do sudo install -d -m 770 -o root -g adm /etc/skel/"$dir"
	done
	sudo install -m 660 -o root -g adm \
	 "$tool"/etc/skel/etc/mail/delivery.procmailrc \
	 /etc/skel/etc/mail/delivery.procmailrc
}
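rule_ssh_configure () {
	# Installs the RSA host key and the sshd_config of the hosted VM,
	# validates the configuration and restarts sshd.
	# Keep the current RSA host key when the project's known_hosts already
	# holds an entry for $vm_fqdn whose line ends in " RSA" (presumably the
	# comment field; verify against etc/openssh/known_hosts); otherwise
	# generate a 4096-bit RSA key (host keys are unencrypted, hence -N '').
	ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	grep -q -- ' RSA$' ||
	 sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
	# Drop the DSA and ECDSA keys generated by Debian at install time:
	# only the RSA key is listed as HostKey below.
	sudo rm -f \
	 /etc/ssh/ssh_host_dsa_key \
	 /etc/ssh/ssh_host_dsa_key.pub \
	 /etc/ssh/ssh_host_ecdsa_key \
	 /etc/ssh/ssh_host_ecdsa_key.pub
	# Notes on the policy written below:
	# - PermitRootLogin yes together with PasswordAuthentication no and
	#   ChallengeResponseAuthentication no means root is reachable only with
	#   the keys gathered by rule_user_root_configure; "without-password"
	#   would state that intent explicitly.
	# - AuthorizedKeysFile %h/etc/ssh/authorized_keys matches the ~/etc/ssh
	#   layout created by rule_user_configure and filled by rule_user_add.
	# - Protocol, ServerKeyBits, KeyRegenerationInterval, RSAAuthentication,
	#   RhostsRSAAuthentication and UsePrivilegeSeparation are SSH-1-era or
	#   since-removed options; newer OpenSSH releases log them as deprecated.
	# - Only $vm_ipv4 is listened on; the IPv6 ListenAddress stays commented.
	sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
	Port 22
	ListenAddress $vm_ipv4
	#ListenAddress ::
	Protocol 2
	Compression yes
	HostKey /etc/ssh/ssh_host_rsa_key
	UsePrivilegeSeparation yes
	KeyRegenerationInterval 3600
	ServerKeyBits 768
	SyslogFacility AUTH
	LogLevel INFO
	LoginGraceTime 120
	PermitRootLogin yes
	StrictModes yes
	RSAAuthentication yes
	PubkeyAuthentication yes
	AuthorizedKeysFile %h/etc/ssh/authorized_keys
	IgnoreRhosts yes
	RhostsRSAAuthentication no
	HostbasedAuthentication no
	IgnoreUserKnownHosts no
	PermitEmptyPasswords no
	ChallengeResponseAuthentication no
	PasswordAuthentication no
	KerberosAuthentication no
	GSSAPIAuthentication no
	X11Forwarding no
	X11DisplayOffset 10
	PrintMotd no
	DebianBanner no
	PrintLastLog yes
	TCPKeepAlive yes
	ClientAliveInterval 0
	AcceptEnv LANG LC_*
	Subsystem sftp /usr/lib/openssh/sftp-server
	UsePAM yes
	EOF
	# Never restart on a configuration sshd cannot load: on a remote VM
	# that would cut the only way back in.
	sudo /usr/sbin/sshd -t
	sudo service ssh restart
}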
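rule_user_add () { # SYNTAX: $user
	# Creates the account $user if it does not exist yet, adds it to the
	# "users" group, installs its SSH public key from var/pub/ssh and imports
	# the project's OpenPGP keys into its keyring.
	rule user_configure
	local user="$1"
	id "$user" >/dev/null ||
	 sudo adduser --disabled-password "$user"
	# NOTE: the password must be initialised by the user with passwd-init .
	sudo adduser "$user" users
	# Home directory taken from the passwd database rather than from
	# eval'ing "~$user": a user name must never be handed to eval.
	local home
	home=$(getent passwd "$user" | cut -d : -f 6)
	[ -n "$home" ] || { printf '%s: no home directory for %s\n' "$0" "$user" >&2; return 1; }
	# NOTE(review): kept root:root 0640; sshd normally opens authorized_keys
	# as the user, so confirm key logins work with this ownership, or
	# install the file with -o "$user".
	sudo install -m 640 -o root -g root \
	 "$tool"/var/pub/ssh/"$user".key \
	 "$home"/etc/ssh/authorized_keys
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do [ -e "$key" ] || continue  # unmatched glob: nothing to import
	   sudo -u "$user" gpg --import - <"$key"
	done
}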
rule_user_configure () {
	# NOTE(review): this stub is shadowed by the later definition of
	# rule_user_configure in this file (the last one parsed wins), so it is
	# never what `rule user_configure` runs; candidate for removal.
	:
}
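rule_user_admin_add () { # SYNTAX: $user
	# Same as rule_user_add (account, "users" group, SSH key, OpenPGP keys),
	# plus membership of the "sudo" group and the administrator-level
	# configuration (initramfs, root account).
	local user="$1"
	rule user_add "$user"
	sudo adduser "$user" sudo
	rule user_admin_configure
}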
rule_user_admin_configure () {
	# Administrator-level settings shared by every admin account.
	local step
	for step in initramfs_configure user_root_configure
	do rule "$step"
	done
}
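rule__sudoers_d_install () { # SYNTAX: $name <$fragment
	# Installs a sudoers.d fragment read on stdin as /etc/sudoers.d/$name,
	# but only after visudo has accepted it: a fragment with a syntax error
	# makes sudo refuse every command, which would lock this tool out of
	# the VM. The candidate gets the ownership/mode sudo expects for
	# sudoers files (root, 0440) before the check so that visudo judges it
	# exactly as it will judge the installed copy.
	local name="$1" tmp rv
	tmp=$(mktemp) || return
	if cat >"$tmp" &&
	   sudo chown root:root "$tmp" &&
	   sudo chmod 0440 "$tmp" &&
	   sudo visudo -c -q -f "$tmp" &&
	   sudo install -m 440 -o root -g root "$tmp" /etc/sudoers.d/"$name"
	then sudo rm -f -- "$tmp"
	else rv=$?
	     sudo rm -f -- "$tmp"
	     printf '%s: refusing to install /etc/sudoers.d/%s\n' "$0" "$name" >&2
	     return "$rv"
	fi
}
rule_user_configure () {
	# Prepares /etc/skel (layout relied on by rule_user_add), the sudoers
	# fragments granted to the "sudo" group, the passwd-init helper and the
	# site-wide bash/screen configuration.
	sudo install -d -m 750 -o root -g adm \
	 /etc/skel/etc \
	 /etc/skel/etc/gpg \
	 /etc/skel/etc/ssh
	sudo install -d -m 770 -o root -g adm \
	 /etc/skel/var \
	 /etc/skel/var/cache \
	 /etc/skel/var/log \
	 /etc/skel/var/run \
	 /etc/skel/var/run/ssh
	sudo ln -fns etc/ssh /etc/skel/.ssh
	sudo ln -fns etc/gpg /etc/skel/.gnupg
	# NOPASSWD rule letting a "sudo" member set their own password while the
	# account is still locked ("L" in `passwd --status`); the command line
	# of /usr/local/bin/passwd-init below must match this entry exactly.
	rule__sudoers_d_install passwd-init <<-EOF
	%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
	case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
	("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
	EOF
	rule__sudoers_d_install etckeeper-unclean <<-EOF
	%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
	EOF
	# NOTE(review): keeping EDITOR across sudo is only harmless while %sudo
	# keeps unrestricted rights; should the group ever be limited to a
	# command list, EDITOR in env_keep becomes a way to run an arbitrary
	# program as root through sudoedit/visudo — revisit this fragment then.
	rule__sudoers_d_install env_keep <<-EOF
	Defaults env_keep = " \\
	EDITOR \\
	GIT_AUTHOR_NAME \\
	GIT_AUTHOR_EMAIL \\
	GIT_COMMITTER_NAME \\
	GIT_COMMITTER_EMAIL \\
	"
	EOF
	sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF
	#!/bin/sh -efu
	# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
	sudo /bin/sh -e -f -u -c \
	'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
	EOF
	sudo install -m 644 -o root -g root \
	 "$tool"/etc/bash.bashrc \
	 /etc/bash.bashrc
	sudo install -m 644 -o root -g root \
	 "$tool"/etc/screenrc \
	 /etc/screenrc
}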
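rule__user_root_authorized_keys () {
	# Writes to stdout the authorized_keys of every member of the "sudo"
	# group; returns non-zero if a member has no passwd entry or an
	# unreadable key file, so the caller never installs a partial file.
	local IFS=, user home
	for user in $(getent group sudo | cut -d : -f 4 | tr '\n' ,)
	do
		[ -n "$user" ] || continue
		# Home directory from the passwd database, not from eval'ing "~$user".
		home=$(getent passwd "$user" | cut -d : -f 6)
		if [ -z "$home" ]
		then printf '%s: no passwd entry for sudo member %s\n' "$0" "$user" >&2
		     return 1
		fi
		# Installed root:root 0640 by rule_user_add, hence read through sudo.
		sudo cat -- "$home"/etc/ssh/authorized_keys || return 1
	done
}
rule_user_root_configure () {
	# Creates root's etc/{gpg,ssh} layout (mirroring /etc/skel), grants SSH
	# root access to the "sudo" group members through their own keys, and
	# imports the project's OpenPGP keys into root's keyring.
	sudo install -d -m 750 -o root -g adm \
	 /root/etc \
	 /root/etc/gpg \
	 /root/etc/ssh
	sudo ln -fns etc/gpg /root/.gnupg
	sudo ln -fns etc/ssh /root/.ssh
	# Gather the keys in a temporary file first: piping straight into
	# install would hide a failing read and leave a truncated key file.
	local tmp
	tmp=$(mktemp) || return
	rule__user_root_authorized_keys >"$tmp" || { rm -f -- "$tmp"; return 1; }
	sudo install -m 640 -o root -g root "$tmp" /root/etc/ssh/authorized_keys
	rm -f -- "$tmp"
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do [ -e "$key" ] || continue  # unmatched glob: nothing to import
	   sudo gpg --import "$key"
	done
}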
rule_configure () {
	# Full configuration of the hosted VM: runs every subsystem rule, in the
	# order listed here.
	local step
	for step in \
	 apt_configure \
	 git_configure \
	 etckeeper_configure \
	 locale_configure \
	 time_configure \
	 network_configure \
	 filesystem_configure \
	 login_configure \
	 ssh_configure \
	 user_root_configure \
	 boot_configure \
	 user_configure \
	 mail_configure \
	 nginx_configure \
	 php5_fpm_configure
	do rule "$step"
	done
	# apache2_configure is currently left out of the list (was: #rule apache2_configure).
}
1134
rule_luks_key_change () {
	# Interactively replaces a passphrase of the LUKS container holding the
	# root logical volume; cryptsetup asks for the current passphrase first.
	local root_dev
	root_dev=/dev/$vm_lvm_vg/${vm_lvm_lv}_root
	sudo cryptsetup luksChangeKey "$root_dev"
}
1138
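# Dispatch: first argument names the rule (default: help); the remaining
# arguments are passed to it.
rule=${1:-help}
${1+shift}	# expands to `shift` only when a first argument was given
case $rule in
(help);;
(*)
	# Every rule but help acts on the VM itself: refuse to run elsewhere.
	assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
	;;
esac
# Quoted so that a rule name is never word-split into several arguments.
rule "$rule" "$@"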