Ajout : vm_hosted : rule_filesystem_configure : tmpfs .
#!/bin/sh
# vm_hosted: administration rules run *from inside* the hosted VM
# (rule_help prints the list; the host-side counterpart is vm_host).
# -e: stop at the first failing command; -f: no pathname globbing (rules
# that need it re-enable it locally with `set +f`); -u: unset variables are
# errors.  With DRY_RUN set in the environment the shell also gets -n: the
# script is parsed but nothing is executed.
set -e -f ${DRY_RUN:+-n} -u
# Locate the checkout this script lives in, following the symlink that
# rule_git_configure installs under /usr/local/sbin.
# NOTE(review): readlink(1) returns a relative link target verbatim, so this
# loop only yields the right directory for absolute targets — which is what
# rule_git_configure creates; links made by hand should be absolute too.
tool=$0
while test -L "$tool"
do tool=$(readlink "$tool")
done
tool=${tool%/*}
. "$tool"/lib/rule.sh
. "$tool"/etc/vm.sh
10
rule_help () { # SYNTAX: [--hidden]
	# Print the usage text on stderr.  Without an argument, rules whose name
	# starts with "_" (e.g. rule__chrooted_configure) are left out of RULES;
	# any argument (documented as --hidden) lists them as well.  RULES and
	# ENVIRONMENT are scraped with sed from the definitions in etc/vm.sh and
	# in this file: a rule's trailing "# SYNTAX: ..." comment is its one-line
	# documentation, as is the comment after a "readonly" variable.
	local hidden; [ ${1:+set} ] || hidden=set
	cat >&2 <<-EOF
	DESCRIPTION:
	ce script regroupe des règles pour administrer la VM ($vm_fqdn)
	_depuis_ la VM hébergée ($vm_fqdn) ;
	il sert à la fois d'outil (aisément bidouillable)
	et de documentation (préçise).
	Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
	SYNTAX: $0 \$RULE \${RULE}_SYNTAX
	RULES:
	$(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
	ENVIRONMENT:
	TRACE # affiche les commandes avant leur exécution
	$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
	EOF
}
28
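rule_git_configure () {
	# Make the checkout track its own remote-tracking branch (remotes/master,
	# the one rule_git_reset resets to) and expose this script system-wide
	# as /usr/local/sbin/vm_hosted and /usr/local/sbin/vm.
	(
	cd "$tool"
	git config --replace-all branch.master.remote .
	git config --replace-all branch.master.merge refs/remotes/master
	# The symlinks must carry an absolute target: the readlink loop at the
	# top of this script relies on it.  After the cd above, pwd is that
	# absolute path.  (The original `$(cd "$tool"; cd -)` only worked when
	# $tool was "." or absolute: a relative $tool made the inner cd look for
	# $tool/$tool and abort the rule.)
	local tool
	tool=$(pwd)
	sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/
	sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/vm
	)
}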
rule_git_reset () {
	# Force the checkout back to the remote-tracking master branch.
	# WARNING: `git clean -x` also removes ignored files under $tool, so any
	# material generated locally and not committed (the rules below read
	# certificates from $tool/var/pub/x509, for instance) is lost if it is
	# only present in the working tree.
	(
	cd "$tool"
	git checkout -f -B master remotes/master
	git clean -f -d -x
	)
}
47
rule_apt_get_install () { # SYNTAX: $package
	# Install the package(s) given as arguments, through apt-get as root.
	set -- install "$@"
	sudo apt-get "$@"
}
51
rule__chrooted_configure () { # NOTE: is this actually useful at any point?
	# Force the C locale for work done inside a chroot, then re-read the
	# system profile.  Hidden rule (leading underscore): rule_help omits it.
	local name
	for name in LANG LC_CTYPE
	do export "$name"=C
	done
	. /etc/profile
}
57
rule_apache2_configure () {
	# Install Apache (mpm-itk + mod_php5) and generate one VirtualHost per
	# directory $tool/etc/apache2/site.d/<port>.<site>/, each site running
	# as its own system account "$user.<port>.<site>" via AssignUserID.
	# $user and $home are not set in this file; presumably they come from
	# etc/vm.sh (sourced at the top) — confirm.
	local -; set +f
	rule apt_get_install \
	 apache2-mpm-itk \
	 libapache2-mod-php5
	# SEE: http://serverfault.com/questions/383526/how-do-i-select-which-apache-mpm-to-use/383634#383634
	# SEE: http://jkroon.blogs.uls.co.za/it/security/using-php-fpm-and-mod_proxy_fcgi-to-optimize-and-secure-lamp-servers
	# NOTE: apache2-mpm-itk looks like the most secure choice,
	# since everything is guaranteed to run with the uid/gid
	# assigned to the VirtualHost/Directory/Location;
	# nevertheless a combination such as:
	# apache2-mpm-{worker,event} + mod_proxy_fcgi + apache2-suexec-custom + php-fpm
	# might perform better (threads instead of forks),
	# although suexec seems to impose forks anyway..
	# and mod_proxy_fcgi only appears with apache 2.4;
	# so for now: apache2-mpm-itk
	rule www_configure
	# The repository's apache2.conf, prefixed with the ServerName line.
	cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF |
	ServerName "$vm_fqdn"
	EOF
	sudo install -m 660 -o root -g root /dev/stdin \
	 /etc/apache2/apache2.conf
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/apache2/envvars \
	 /etc/apache2/envvars
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/apache2/httpd.conf \
	 /etc/apache2/httpd.conf
	#sudo install -m 660 -o root -g root /dev/stdin \
	# /etc/apache2/suexec/www-data <<-EOF
	# /home
	# pub/www/cgi
	# EOF
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/apache2/ports.conf \
	 /etc/apache2/ports.conf
	sudo a2enmod actions
	sudo a2enmod headers
	sudo a2enmod rewrite
	sudo a2enmod ssl
	sudo a2enmod userdir
	local conf
	# Start from no enabled site; the loop below re-enables the generated ones.
	sudo a2dissite "*"
	sudo ln -fns \
	 /etc/apache2 \
	 /home/www/etc/apache2
	for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf
	do conf=${conf#"$tool"/etc/apache2/site.d/}
	   local port site
	   # The directory is named "<port>.<site>": split at the first dot.
	   IFS=. read -r port site <<-EOF
		${conf%\/VirtualHost\.conf}
		EOF
	   assert 'test "${site:+set}"'
	   assert 'test "${port:+set}"'
	   # The same string names the account and the per-site directories.
	   local site_user="$user.$port.$site"
	   local site_dir="$user.$port.$site"
	   case $port in
	   (443)
	    local hint="run vm_remote apache2_key_send before"
	    assert "sudo test -f /etc/apache2/site.d/\"$site_dir\"/x509/key.pem" hint
	    # NOTE(review): this hands /etc/apache2 itself, and the per-site x509
	    # directory that holds key.pem, to $user with mode 770.  Whoever
	    # controls $user can then rewrite the server configuration — including
	    # the AssignUserID lines mpm-itk honours from a root-privileged
	    # process — so compromising that account is close to compromising
	    # root.  Keeping /etc/apache2 root:root and granting only site.d/<site>
	    # would limit that; the mode of key.pem itself is not set here.
	    sudo install -d -m 770 -o "$user" -g "$user" \
	     /etc/apache2 \
	     /etc/apache2/site.d/"$site_dir" \
	     /etc/apache2/site.d/"$site_dir"/x509 \
	     /etc/apache2/site.d/"$site_dir"/x509/ca \
	     /etc/apache2/site.d/"$site_dir"/x509/empty \
	     /etc/apache2/site.d/"$site_dir"/x509/rvk \
	     /etc/apache2/site.d/"$site_dir"/x509/usr
	    # Public material only (certificates, the CA chain); the key is
	    # delivered separately by vm_remote apache2_key_send.
	    sudo install -m 664 -o www -g www \
	     "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
	     /etc/apache2/site.d/"$site_dir"/x509/crt.self-signed.pem
	    #sudo install -m 664 -o "$user" -g "$user" \
	    # "$tool"/var/pub/x509/"$site"/rvk.pem \
	    # /etc/apache2/site.d/"$site_dir"/x509/rvk.pem
	    sudo install -m 664 -o www -g www \
	     "$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \
	     /etc/apache2/site.d/"$site_dir"/x509/ca/crt.pem
	    sudo install -m 664 -o www -g www \
	     "$tool"/var/pub/x509/"$site"/crt.pem \
	     /etc/apache2/site.d/"$site_dir"/x509/crt.pem
	    ;;
	   esac
	   # Generate the VirtualHost: common directives first, then the site's
	   # own VirtualHost.conf from the repository, spliced in verbatim.
	   # NOTE(review): for port 443, SSLProtocol admits TLS 1.0 only and the
	   # cipher spec (AES+RSA+SHA256) selects RSA key exchange, i.e. no forward
	   # secrecy — presumably what the Apache/OpenSSL of the target release
	   # offers; move to +TLSv1.2 and ECDHE suites once available.
	   # SSLVerifyClient is None at the vhost level, so the client-certificate
	   # machinery (CA paths, SSLUserName) is presumably switched on per
	   # Location by the site's VirtualHost.conf — confirm.
	   case $port in
	   (80)
	    cat <<-EOF
		<VirtualHost *:$port>
		AssignUserID $site_user $site_user
		CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
		#CustomLog "/dev/null" Combined
		DocumentRoot /home/www/pub/$site_dir
		ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
		#ErrorLog "/dev/null"
		ServerName $site
		LogLevel Warn
		$(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
		</VirtualHost>
		EOF
	    ;;
	   (443)
	    cat <<-EOF
		<IfModule mod_ssl.c>
		<VirtualHost *:$port>
		AssignUserID $site_user $site_user
		BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0
		BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
		CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
		#CustomLog "/dev/null" Combined
		DocumentRoot /home/www/pub/$site_dir
		ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
		#ErrorLog "/dev/null"
		LogLevel Warn
		ServerName $site
		SSLCACertificateFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
		SSLCACertificatePath /etc/apache2/site.d/$site_dir/x509/usr/
		#SSLCARevocationFile /etc/apache2/site.d/$site_dir/x509/rvk.pem
		SSLCADNRequestFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
		SSLCADNRequestPath /etc/apache2/site.d/$site_dir/x509/empty/
		# NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés
		SSLCARevocationPath /etc/apache2/site.d/$site_dir/x509/rvk/
		SSLCertificateChainFile /etc/apache2/site.d/$site_dir/x509/ca/crt.pem
		SSLCertificateFile /etc/apache2/site.d/$site_dir/x509/crt.pem
		SSLCertificateKeyFile /etc/apache2/site.d/$site_dir/x509/key.pem
		SSLCipherSuite AES+RSA+SHA256
		SSLEngine On
		SSLInsecureRenegotiation Off
		SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars
		SSLProtocol -All +TLSv1
		#SSLRenegBufferSize 262144
		SSLSessionCacheTimeout 1200
		SSLStrictSNIVHostCheck On
		SSLUserName SSL_CLIENT_S_DN_CN
		SSLVerifyClient None
		SSLVerifyDepth 1
		$(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
		</VirtualHost>
		</IfModule>
		EOF
	    ;;
	   esac |
	   sudo install -m 660 -o root -g root /dev/stdin \
	    /etc/apache2/site.d/"$site_dir"/VirtualHost.conf
	   sudo ln -fns \
	    ../site.d/"$site_dir"/VirtualHost.conf \
	    /etc/apache2/sites-available/"$site_dir"
	   sudo install -d -m 770 -o "$user" -g "$user" \
	    /home/www/log/"$site_dir" \
	    /home/www/log/"$site_dir"/apache2
	   sudo ln -fns \
	    /etc/apache2/site.d/"$site_dir" \
	    /home/www/etc/apache2/"$site_dir"
	   test -e /home/www/pub/"$site_dir" ||
	   sudo install -d -m 770 -o "$user" -g "$user" \
	    /home/www/pub/"$site_dir"
	   # One system account per site, homed on its document root; adduser
	   # --system exits quietly when the account already exists, the getent
	   # guard just avoids the call.
	   getent passwd "$site_user" >/dev/null ||
	   sudo adduser \
	    --disabled-password \
	    --group \
	    --no-create-home \
	    --home /home/www/pub/"$site_dir" \
	    --shell /bin/false \
	    --system \
	    "$site_user"
	   # The site account only needs to traverse down to its document root.
	   sudo setfacl -m u:"$site_user":--x \
	    /home/www/ \
	    /home/www/pub/ \
	    /home/www/pub/"$site_dir"/
	   # NOTE(review): the default ACL targets "$home"/pub/www/"$site_dir"
	   # whereas everything else here uses /home/www/pub/"$site_dir"; unless
	   # $home/pub/www points at /home/www/pub this path does not exist and
	   # setfacl aborts the rule (set -e).  Confirm against etc/vm.sh.
	   sudo setfacl -m d:u:"$site_user":rwx \
	    "$home"/pub/www/"$site_dir"/
	   # Per-site hook from the repository, sourced into this shell with the
	   # rule's sudo rights.
	   test ! -r "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh ||
	   . "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh
	   test -e /etc/apache2/sites-enabled/"$site_dir" ||
	   sudo a2ensite "$site_dir"
	done
	sudo service apache2 restart
}
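rule_apt_configure () {
	# APT sources, pinning (backports, priority 200, outrank the release's
	# 170 when the backports line is enabled) and apticron, which mails
	# admin@$vm_domainname about pending upgrades.
	# The security archive is added here: the original listed only the main
	# archive, so security fixes never reached apt — nor apticron's mails.
	# Releases before bullseye name the security suite "<codename>/updates".
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
	deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
	deb http://security.debian.org/ $vm_lsb_name/updates main contrib non-free
	EOF
	# Written outside sources.list.d, so apt does not read it: presumably a
	# template kept at hand for enabling backports — confirm.
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF
	#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
	EOF
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
	Package: *
	Pin: release a=$vm_lsb_name
	Pin-Priority: 170

	Package: *
	Pin: release a=$vm_lsb_name-backports
	Pin-Priority: 200
	EOF
	# NOTE(review): third-party nightly repository over plain HTTP, and no
	# signing key is installed by this rule, so apt cannot verify what it
	# serves (it warns or refuses, depending on the apt version).  Packages
	# from it run their maintainer scripts as root: treat it as unreviewed
	# code and pin or drop it if it is not actually needed.
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
	deb http://nightly.openerp.com/trunk/nightly/deb/ ./
	EOF
	sudo apt-get update
	rule apt_get_install apticron
	sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF
	EMAIL="admin@$vm_domainname"
	# DIFF_ONLY="1"
	# LISTCHANGES_PROFILE="apticron"
	# ALL_FQDNS="1"
	# SYSTEM="foobar.example.com"
	# IPADDRESSNUM="1"
	# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
	# NOTIFY_HOLDS="0"
	# NOTIFY_NEW="0"
	# NOTIFY_NO_UPDATES="0"
	# CUSTOM_SUBJECT=""
	# CUSTOM_NO_UPDATES_SUBJECT=""
	# CUSTOM_FROM="root@$vm_fqdn"
	EOF
}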
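rule_boot_configure () {
	# Install GRUB and a kernel inside the guest, write /etc/default/grub and
	# a device.map for the Xen block device, then rebuild the initramfs.
	# The warning concerns the Debian installer step that precedes this rule.
	warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
	rule apt_get_install grub-pc
	# A directory needs the execute bit to be traversed; the original
	# -m 644 only worked because root bypasses the check.
	sudo install -d -m 755 -o root -g root /boot/grub
	rule apt_get_install linux-image-$vm_arch
	# Serial console on hvc0 and a static IP on the kernel command line (the
	# initramfs brings the network up early for the dropbear unlock, see
	# rule_initramfs_configure).
	# NOTE(review): resume= names ${vm}_swap_deciphered whereas
	# rule_filesystem_configure maps the swap as ${vm_lvm_lv}_swap_deciphered;
	# both only agree if $vm and $vm_lvm_lv (from etc/vm.sh) are equal — confirm.
	sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF
	GRUB_DEFAULT=0
	GRUB_TIMEOUT=5
	GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
	GRUB_CMDLINE_LINUX_DEFAULT="quiet"
	GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
	GRUB_DISABLE_RECOVERY="true"
	#GRUB_PRELOAD_MODULES="lvm"
	EOF
	# NOTE(review): two (hd0) entries; which one the grub tools honour is not
	# obvious from here — confirm before relying on it.
	sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF
	(hd0) /dev/xvda
	(hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
	EOF
	sudo update-grub2 # NOTE: takes /boot/grub/device.map into account
	rule initramfs_configure
}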
rule_dovecot_configure () {
	# Install and configure Dovecot (IMAP + managesieve) with mandatory TLS
	# client certificates: the CN of an accepted certificate supplies the
	# user name (auth_ssl_username_from_cert), and each user keeps their own
	# passwd-file under ~/etc/dovecot/ (see the dovecot-passwd helper below).
	rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
	local hint="run vm_remote dovecot_key_send before"
	assert "sudo test -f /etc/dovecot/\"$vm_domainname\"/imap/x509/key.pem" hint
	# One file serves as server certificate and as trusted CA (+CRL); Dovecot
	# reads it as root at startup, hence 400.
	# NOTE(review): whoever holds this CA's private key can mint a certificate
	# for any CN, so that key must never live on this host.
	sudo install -m 400 -o root -g root \
	 "$tool"/var/pub/x509/$vm_domainname/imap/crt+crl.self-signed.pem \
	 /etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
	# Skeleton directories so new accounts get ~/etc/mail and ~/etc/sieve.
	sudo install -d -m 770 -o root -g adm \
	 /etc/skel/etc/mail \
	 /etc/skel/etc/sieve
	# Roots for the per-user INDEX/CONTROL directories (%u), kept off the
	# quota-managed /home as the NOTE in local.conf says.
	# NOTE(review): 1777 lets any local user pre-create another user's "%u"
	# directory — the sticky bit only prevents removal.  A group-restricted
	# mode, or creating the per-user directories here, would close that.
	sudo install -d -m 1777 -o root -g root \
	 /var/lib/dovecot-control \
	 /var/lib/dovecot-index
	# NOTE(review): mail_debug=yes is verbose; the auth service runs as root
	# so it can read the user-owned passwd files, which widens the impact of
	# any passdb bug; ssl_cipher_list pins a single non-PFS suite.
	sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
	auth_ssl_username_from_cert = yes
	listen = *
	log_timestamp = "%Y-%m-%d %H:%M:%S "
	mail_debug = yes
	mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
	# NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
	# VOIR: http://wiki2.dovecot.org/Quota/FS
	mail_plugins = \$mail_plugins quota
	mail_privileged_group = mail
	passdb {
	args = /home/%u/etc/dovecot/passwd
	driver = passwd-file
	}
	plugin {
	quota = fs:user
	recipient_delimiter = +
	sieve = ~/etc/mail/filter.sieve
	sieve_dir = ~/etc/mail/sieve
	sieve_global_dir = /var/lib/dovecot/sieve/global/
	sieve_max_script_size = 1M
	sieve_quota_max_scripts = 0
	sieve_quota_max_storage = 10M
	sieve_user_log = ~/var/log/mail/sieve.log
	}
	protocol imap {
	mail_plugins = \$mail_plugins imap_quota
	}
	protocol lda {
	auth_socket_path = /var/run/dovecot/auth-master
	hostname = $vm_domainname
	info_log_path =
	log_path =
	mail_plugins = \$mail_plugins sieve
	postmaster_address = contact+dovecot+lda@$vm_domainname
	syslog_facility = mail
	}
	protocols = imap sieve
	service auth {
	user = root
	unix_listener /var/spool/postfix/private/auth {
	mode = 0660
	user = postfix
	group = postfix
	}
	}
	ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
	ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
	ssl_cipher_list = AES256-SHA
	ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
	ssl_verify_client_cert = yes
	userdb {
	driver = passwd
	}
	verbose_ssl = no
	EOF
	# Helper for users: writes ~/etc/dovecot/passwd with a SHA512-CRYPT hash.
	# doveadm pw prompts for the password, so it never appears on a command
	# line; the generated script runs with -x, which traces commands only.
	sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
	#!/bin/sh -efux
	# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
	install -d -m 770 ~/etc/dovecot
	install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
	\$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
	_EOF
	EOF
	# Belongs with postgrey rather than dovecot; created empty here so the
	# file exists.
	sudo install -m 664 -o root -g root /dev/stdin /etc/postgrey/whitelist_recipients.local <<-EOF
	EOF
	sudo service dovecot restart
}
rule_etckeeper_configure () {
	# Put /etc under git with etckeeper, automatic commits disabled.
	# The configuration is written before the package is installed;
	# dpkg may then ask about the pre-existing conffile.
	local prompt
	prompt="$tool"/etc/etckeeper/prompt.sh
	sudo install -m 644 -o root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
	VCS=git
	GIT_COMMIT_OPTIONS=""
	AVOID_DAILY_AUTOCOMMITS=1
	#AVOID_SPECIAL_FILE_WARNING=1
	AVOID_COMMIT_BEFORE_INSTALL=1
	HIGHLEVEL_PACKAGE_MANAGER=apt
	LOWLEVEL_PACKAGE_MANAGER=dpkg
	EOF
	sudo install -m 644 -o root -g root "$prompt" /etc/etckeeper/prompt.sh
	rule apt_get_install etckeeper
}
rule_filesystem_configure () {
	# Write fstab, crypttab and the tmpfs defaults for the encrypted LVM
	# layout: one LUKS volume each for /, /var, /home and swap.
	# NOTE(review): /home (user-writable, quota-managed) is mounted without
	# nodev,nosuid; both are usually harmless to add.  noexec is not a safe
	# addition here: the web roots under /home/www are served from it and
	# per-site hooks may rely on executables there — check before adding it.
	sudo install -m 644 -o root -g root /dev/stdin /etc/fstab <<-EOF
	# <file system> <mount point> <type> <options> <dump> <pass>
	LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
	proc /proc proc defaults 0 0
	sysfs /sys sysfs defaults 0 0
	/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
	/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
	/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
	# NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
	/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
	EOF
	# Only the root volume asks for a passphrase (at boot, via the dropbear
	# SSH server set up by rule_initramfs_configure); /var, /home and swap
	# use decrypt_derived, i.e. a key derived from the root volume's master
	# key, so their protection is exactly that of the root volume and
	# unlocking root unlocks everything.
	sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF
	# <target name> <source device> <key file> <options>
	${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
	${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	EOF
	# /tmp, /run/lock and /dev/shm on tmpfs (RAMTMP/RAMLOCK/RAMSHM), sized
	# through the initscripts knobs; TMP_MODE carries extra mount options
	# besides the mode.  NOTE(review): nodev,nosuid could be added to
	# TMP_MODE as well for a world-writable /tmp — confirm the initscripts
	# version accepts them there.
	sudo install -m 644 -o root -g root /dev/stdin /etc/default/tmpfs <<-EOF
	LOCK_SIZE=5242880 # NOTE: 5MiB
	RAMLOCK=yes
	RAMSHM=yes
	RAMTMP=yes
	RUN_SIZE=10%
	SHM_SIZE=
	TMP_MODE=1777,nr_inodes=1000k,noatime
	TMP_OVERFLOW_LIMIT=1024
	# NOTE: mount tmpfs on /tmp if there is less than the limit size (in kiB)
	# on the root filesystem (overriding RAMTMP).
	TMP_SIZE=200m
	TMPFS_SIZE=20%VM
	EOF
	# The repository ships its own init script for the tmpfs mounts (its
	# contents are not visible from here).
	sudo install -m 775 -o root -g root \
	 "$tool"/etc/init.d/tmpfs \
	 /etc/init.d/tmpfs
	sudo update-rc.d tmpfs defaults
}
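rule_initramfs_configure () {
	# Build the initramfs for the Xen PV guest: early network, the crypto
	# modules needed to unlock the LUKS volumes (see rule_filesystem_configure)
	# and a dropbear SSH server so the root volume can be unlocked remotely by
	# any member of the sudo group.
	sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
	MODULES=most
	BUSYBOX=y
	KEYMAP=y
	COMPRESS=gzip
	DEVICE=eth0
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/modprobe.d/xen-pv.conf <<-EOF
	alias eth0 xennet
	alias scsi_hostadapter xenblk
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/modules <<-EOF
	sha1_generic
	sha256_generic
	sha512_generic
	aes-x86_64
	xts
	# NOTE: pour Xen en mode HVM :
	#modprobe xen-platform-pci
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF
	EOF
	# Package-owned file: this edit is lost on the next initramfs-tools
	# upgrade and must be re-applied by re-running this rule.
	sudo sed -e '/^configure_networking /s/ &$//' \
	 -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
	# NOTE: works around a bug: dropbear must wait for the network to be configured..
	# Keep the current dropbear RSA host key when the repository's known_hosts
	# already has an RSA entry for init.$vm_fqdn (so clients keep trusting it);
	# otherwise generate a fresh 4096-bit one.  The `return`s inside the
	# subshell only set its exit status.
	ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	( while IFS= read -r line
	  do case $line in (*" RSA") return 0; break;; esac
	  done; return 1 ) ||
	{
		sudo rm -f \
		 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
		 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
		sudo dropbearkey -t rsa -s 4096 -f \
		 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
	}
	# NOTE: does not bother with dropbear_dss_host_key; Debian generates and uses it anyway.
	# 700: a directory needs the execute bit to be entered at all, and only
	# root has business in the initramfs root's .ssh (the original -m 640 was
	# a file mode applied to a directory, masked by root's DAC override).
	sudo install -d -m 700 -o root -g root \
	 /etc/initramfs-tools/root \
	 /etc/initramfs-tools/root/.ssh
	# Every member of the sudo group may unlock the disks at boot: their
	# ~/etc/ssh/authorized_keys are concatenated into the initramfs.
	# The home directory is taken from the passwd database rather than the
	# original `eval local home; home="~$user"`, which evaluated group-file
	# data as shell code.
	getent group sudo |
	while IFS=: read -r group x x users
	do while test -n "$users" && IFS=, read -r user users <<-EOF
		$users
		EOF
	   do local home
	      home=$(getent passwd "$user" | cut -d : -f 6)
	      # Unknown account: fail here (set -e) rather than read a path
	      # relative to "/".
	      test "${home:+set}"
	      cat "$home"/etc/ssh/authorized_keys
	   done
	done |
	sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys
	sudo rm -f \
	 /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
	 /etc/initramfs-tools/root/.ssh/id_rsa.pub \
	 /etc/initramfs-tools/root/.ssh/id_rsa
	# NOTE: keys generated by Debian
	sudo update-initramfs -u
}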
rule_time_configure () {
	# Set the system timezone to Europe/Paris and keep the clock in sync
	# with ntp.
	printf '%s\n' Europe/Paris |
	sudo install -m 644 -o root -g root /dev/stdin /etc/timezone
	sudo dpkg-reconfigure tzdata
	rule apt_get_install ntp
}
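rule_locale_configure () {
	# Declare the fr_FR.UTF-8 locale and generate it.  update-locale(8) only
	# edits /etc/default/locale; the locale archive is rebuilt from
	# /etc/locale.gen by locale-gen(8), which the original never ran.
	sudo install -m 644 -o root -g root /dev/stdin /etc/locale.gen <<-EOF
	fr_FR.UTF-8 UTF-8
	EOF
	sudo locale-gen
	sudo update-locale
}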
rule_login_configure () {
	# Console logins, inittab, login.defs and a pam_umask session line.
	# Allow root to log in on the Xen consoles (hvc0/xvc0).  Each block
	# appends its line only when missing; the $(cat ...) is expanded before
	# install(1) truncates the file, so the existing content is kept.
	grep -q '^hvc0$' /etc/securetty ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
	$(cat /etc/securetty)
	hvc0
	EOF
	grep -q '^xvc0$' /etc/securetty ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
	$(cat /etc/securetty)
	xvc0
	EOF
	# Stock sysvinit inittab with a getty on the Xen console hvc0 only.
	sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF
	# /etc/inittab: init(8) configuration.

	# The default runlevel.
	id:2:initdefault:

	# Boot-time system configuration/initialization script.
	# This is run first except when booting in emergency (-b) mode.
	si::sysinit:/etc/init.d/rcS

	# What to do in single-user mode.
	~~:S:wait:/sbin/sulogin

	# /etc/init.d executes the S and K scripts upon change
	# of runlevel.
	#
	# Runlevel 0 is halt.
	# Runlevel 1 is single-user.
	# Runlevels 2-5 are multi-user.
	# Runlevel 6 is reboot.

	l0:0:wait:/etc/init.d/rc 0
	l1:1:wait:/etc/init.d/rc 1
	l2:2:wait:/etc/init.d/rc 2
	l3:3:wait:/etc/init.d/rc 3
	l4:4:wait:/etc/init.d/rc 4
	l5:5:wait:/etc/init.d/rc 5
	l6:6:wait:/etc/init.d/rc 6
	# Normally not reached, but fallthrough in case of emergency.
	z6:6:respawn:/sbin/sulogin

	# What to do when CTRL-ALT-DEL is pressed.
	ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

	# What to do when the power fails/returns.
	pf::powerwait:/etc/init.d/powerfail start
	pn::powerfailnow:/etc/init.d/powerfail now
	po::powerokwait:/etc/init.d/powerfail stop

	# Xen hypervisor console
	hvc:2345:respawn:/sbin/getty 38400 hvc0
	#xvc:2345:respawn:/sbin/getty 38400 xvc0
	EOF
	# login.defs; the comments written into the file explain the choices.
	# NOTE(review): LOG_UNKFAIL_ENAB=no keeps passwords mistyped as user
	# names out of the logs; PASS_MAX_DAYS=99999 disables password ageing;
	# UMASK=007 grants the primary group full rights, which is only safe
	# together with USERGROUPS_ENAB=yes (user-private groups) — accounts
	# whose primary group is shared would expose their files to that group.
	sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF
	MAIL_DIR /var/mail
	FAILLOG_ENAB yes
	LOG_UNKFAIL_ENAB no
	LOG_OK_LOGINS no
	SYSLOG_SU_ENAB yes
	SYSLOG_SG_ENAB yes
	FTMP_FILE /var/log/btmp
	SU_NAME su
	HUSHLOGIN_FILE .hushlogin
	ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
	ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
	# NOTE: met les sbin/ dans ENV_PATH ;
	# - ça n'apporte aucune protection de ne pas les mettre ;
	# - ça frustre de ne pas les trouver.
	TTYGROUP tty
	TTYPERM 0600
	ERASECHAR 0177
	KILLCHAR 025
	UMASK 007
	# NOTE: rwxrwx--- ;
	# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
	# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
	PASS_MAX_DAYS 99999
	PASS_MIN_DAYS 0
	PASS_WARN_AGE 7
	UID_MIN 1000
	UID_MAX 60000
	GID_MIN 1000
	GID_MAX 60000
	LOGIN_RETRIES 3
	LOGIN_TIMEOUT 60
	CHFN_RESTRICT rwh
	DEFAULT_HOME yes
	USERGROUPS_ENAB yes
	ENCRYPT_METHOD SHA512
	EOF
	# pam_umask applies the UMASK from login.defs to PAM sessions (not only
	# to login(1)); appended once, same expand-before-truncate pattern.
	grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF
	$(cat /etc/pam.d/common-session)
	session optional pam_umask.so
	EOF
}
rule_mail_configure () {
	# Configure the whole mail stack in dependency order: the MTA first,
	# then greylisting, local delivery filtering, and finally IMAP/sieve.
	local service
	for service in postfix postgrey procmail dovecot
	do rule "$service"_configure
	done
}
rule_network_configure () {
	# Hostname, /etc/hosts entry and a static /32 interface configuration
	# whose gateway is the VM's own address (the upstream router answers ARP
	# for it, see the comments written into the interfaces file).
	sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
	$vm
	EOF
	# Append the host line only once; $(cat ...) is expanded before install(1)
	# truncates the file, so the existing entries are preserved.
	grep -q " $vm\$" /etc/hosts ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/hosts <<-EOF
	$(cat /etc/hosts)
	127.0.0.1 $vm_fqdn $vm
	EOF
	# The MTU of 1300 and the post-up/pre-down lines are justified inline
	# (in French) in the generated file: the GRE/IPsec tunnels between the
	# Grenode routers impose it, as the recorded ping -M do test shows.
	sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF
	auto lo
	iface lo inet loopback

	auto eth0=grenode
	iface grenode inet static
	address $vm_ipv4
	gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
	network $vm_ipv4
	broadcast $vm_ipv4
	netmask 255.255.255.255
	mtu 1300
	# NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
	# car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
	#
	# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
	# PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
	# 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
	#
	# --- soupirail.grenode.net ping statistics ---
	# 1 packets transmitted, 1 received, 0% packet loss, time 0ms
	# rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
	# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
	# PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
	# From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
	#
	# --- soupirail.grenode.net ping statistics ---
	# 0 packets transmitted, 0 received, +1 errors
	post-up ip address add $vm_ipv4/32 dev \$IFACE
	pre-down ip address delete $vm_ipv4/32 dev \$IFACE
	EOF
}
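rule_www_configure () {
	# Create the shared web accounts and the directory layout under /home/www:
	#   www      owns /home/www and /home/www/etc (config symlinks),
	#   www-data (the server's own account) is homed on /home/www/pub,
	#   log.www  owns /home/www/log; www joins log.www to read the logs.
	getent passwd www >/dev/null ||
	sudo adduser \
	 --disabled-login \
	 --disabled-password \
	 --group \
	 --home /home/www \
	 --shell /bin/false \
	 --system \
	 www
	# Guarded like www above so the rule can be re-run (the original called
	# adduser unconditionally).  ~www resolves because www now exists.
	getent passwd log.www >/dev/null ||
	sudo adduser \
	 --disabled-login \
	 --disabled-password \
	 --group \
	 --home ~www/log \
	 --shell /bin/false \
	 --system \
	 log.www
	#sudo adduser www www-data
	sudo adduser www log.www
	#sudo adduser log log.www
	# usermod needs root like every other account change here; the original
	# ran it without sudo, which aborts the rule (set -e) unless already root.
	sudo usermod --home /home/www/pub www-data
	sudo install -d -m 751 -o www -g www \
	 /home/www
	sudo install -d -m 750 -o www -g www \
	 /home/www/etc
	# Two separate install(1) calls: the original had a stray trailing
	# backslash after /home/www/pub, which glued the next command onto this
	# one as extra operands — creating directories named "sudo" and
	# "install" in the current directory and giving /home/www/pub the
	# log.www ownership meant for /home/www/log.
	sudo install -d -m 1771 -o www-data -g www-data \
	 /home/www/pub
	sudo install -d -m 1771 -o log.www -g log.www \
	 /home/www/log
}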
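rule_nginx_configure () {
	# Install nginx and generate one server block per directory
	# $tool/etc/nginx/site.d/<port>.<site>/, with dedicated accounts:
	# www.<port>.<site> owns the document root, log.<port>.<site> the logs.
	local -; set +f
	rule apt_get_install nginx
	rule www_configure
	# conf.d and site.d are regenerated from the repository every run.
	sudo rm -rf \
	 /etc/nginx/conf.d \
	 /etc/nginx/site.d
	sudo install -d -m 770 -o www -g www \
	 /etc/nginx \
	 /etc/nginx/conf.d \
	 /etc/nginx/site.d
	sudo ln -fns \
	 /etc/nginx \
	 /home/www/etc/nginx
	sudo install -m 660 -o www -g www \
	 "$tool"/etc/nginx/nginx.conf \
	 /etc/nginx/nginx.conf
	local conf
	for conf in "$tool"/etc/nginx/conf.d/*.conf
	do conf=${conf#"$tool"/etc/nginx/conf.d/}
	   sudo install -m 660 -o www -g www \
	    "$tool"/etc/nginx/conf.d/"$conf" \
	    /etc/nginx/conf.d/"$conf"
	done
	for conf in "$tool"/etc/nginx/site.d/*/server.conf
	do conf=${conf#"$tool"/etc/nginx/site.d/}
	   local port site
	   # The directory is named "<port>.<site>": split at the first dot,
	   # then use the full "<port>.<site>" as the site identifier.
	   IFS=. read -r port site <<-EOF
		${conf%\/server\.conf}
		EOF
	   assert 'test "${port:+set}"'
	   assert 'test "${site:+set}"'
	   site="$port.$site"
	   getent passwd www."$site" >/dev/null ||
	   sudo adduser \
	    --disabled-login \
	    --disabled-password \
	    --group \
	    --home ~www-data/"$site" \
	    --shell /bin/false \
	    --system \
	    www."$site"
	   getent passwd log."$site" >/dev/null ||
	   sudo adduser \
	    --disabled-login \
	    --disabled-password \
	    --group \
	    --shell /bin/false \
	    --system \
	    log."$site"
	   sudo usermod --home ~www/log/"$site"/nginx log."$site"
	   sudo install -d -m 770 -o www -g www \
	    /etc/nginx/site.d/"$site"
	   case $port in
	   (443)
	    local hint="run vm_remote nginx_key_send before"
	    # Look for the key where the server block below reads it
	    # (/home/www/etc/nginx is the symlink to /etc/nginx made above); the
	    # original checked /etc/nginx/$site/x509/key.pem, a path nothing else
	    # here uses, so the assertion could pass or fail independently of
	    # whether nginx would find the key.
	    assert "sudo test -f /etc/nginx/site.d/\"$site\"/x509/key.pem" hint
	    # NOTE(review): the x509 directory is not created by this rule;
	    # presumably nginx_key_send creates it along with key.pem — confirm.
	    sudo install -m 664 -o www -g www \
	     "$tool"/var/pub/x509/"$site"/crt+ca.pem \
	     /etc/nginx/site.d/"$site"/x509/crt.pem
	    ;;
	   esac
	   # Generate the server block: common directives, then the site's own
	   # server.conf from the repository spliced in verbatim.
	   # ssl_ciphers: !aNULL replaces the original !ADH — ADH only excludes
	   # anonymous DH, while aNULL also covers the anonymous ECDH (AECDH)
	   # suites that HIGH otherwise admits.  NOTE(review): ssl_protocols still
	   # allows TLS 1.0; drop it when the clients allow.
	   case $port in
	   (80)
	    cat <<-EOF
		server {
		listen $port;
		access_log /home/www/log/$site/nginx/access.log main;
		error_log /home/www/log/$site/nginx/error.log warn;
		root /home/www/pub/$site;
		server_name $site;
		$(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
		}
		EOF
	    ;;
	   (443)
	    cat <<-EOF
		server {
		listen $port;
		access_log /home/www/log/$site/nginx/access.log main;
		error_log /home/www/log/$site/nginx/error.log warn;
		keepalive_timeout 70;
		root /home/www/pub/$site;
		server_name $site;
		# DOC: http://wiki.nginx.org/HttpSslModule
		ssl on;
		ssl_certificate /home/www/etc/nginx/site.d/$site/x509/crt.pem;
		ssl_certificate_key /home/www/etc/nginx/site.d/$site/x509/key.pem;
		ssl_ciphers HIGH:!aNULL:!MD5;
		ssl_prefer_server_ciphers on;
		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
		ssl_session_cache shared:SSL:10m;
		$(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
		}
		EOF
	    ;;
	   esac |
	   sudo install -m 660 -o www -g www /dev/stdin \
	    /etc/nginx/site.d/"$site"/server.conf
	   # Let the server's own account read the site's files through the
	   # site group.  The original named a group "$site" that nothing creates
	   # (the account made above is www.$site) and ran adduser without sudo.
	   sudo adduser www-data www."$site"
	   # Document root owned by the site account (same fix: the original used
	   # a user "$site" that does not exist); 3770 = setgid + sticky.
	   test -e /home/www/pub/"$site" ||
	   sudo install -d -m 3770 -o www."$site" -g www."$site" \
	    /home/www/pub/"$site"
	   sudo install -d -m 3770 -o log."$site" -g log."$site" \
	    /home/www/log/"$site"/nginx
	   # Per-site hook from the repository, sourced into this shell with the
	   # rule's sudo rights.
	   test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
	   . "$tool"/etc/nginx/site.d/"$site"/configure.sh
	done
	# fcgiwrap is started by the repository's tmpfs init script rather than
	# by its own (hence the insserv --remove) — presumably; its contents are
	# not visible here.
	rule apt_get_install spawn-fcgi fcgiwrap
	sudo insserv --remove fcgiwrap
	rule tmpfs_configure
	sudo service nginx restart
}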
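rule_php5_fpm_configure () {
	# Install php5-fpm with one pool per file under
	# $tool/etc/php5/fpm/pool.d/<port>.<site>.conf; each pool gets its own
	# system account php5.<port>.<site> and a Unix socket nginx proxies to.
	local -; set +f
	rule apt_get_install \
	 php5-fpm \
	 php-apc
	getent passwd php5 >/dev/null ||
	sudo adduser \
	 --disabled-login \
	 --disabled-password \
	 --group \
	 --shell /bin/false \
	 --system \
	 php5
	local conf
	sudo ln -fns \
	 /etc/php5-fpm \
	 /home/www/etc/php5
	# Pools are regenerated from scratch (needs globbing, hence set +f).
	sudo rm -f /etc/php5/fpm/pool.d/*
	for conf in "$tool"/etc/php5/fpm/pool.d/*.conf
	do conf=${conf#"$tool"/etc/php5/fpm/pool.d/}
	   local port site
	   IFS=. read -r port site <<-EOF
		${conf%\.conf}
		EOF
	   assert 'test "${port:+set}"'
	   assert 'test "${site:+set}"'
	   site="$port.$site"
	   # Fixed: the original looked up "php5$site" (no dot), which never
	   # matched the account created here, so adduser ran on every run.
	   getent passwd php5."$site" >/dev/null ||
	   sudo adduser \
	    --disabled-login \
	    --disabled-password \
	    --group \
	    --no-create-home \
	    --home ~www/pub/"$site" \
	    --shell /bin/false \
	    --system \
	    php5."$site"
	   sudo install -d -m 770 -o php5 -g php5 \
	    /home/www/log/php5 \
	    /home/www/log/php5/fpm
	   # The pool below logs under /home/www/log/$site/php5/fpm/, which
	   # nothing else creates; php-fpm fails to open its logs otherwise.
	   # Same owner as the site's log directory (created by rule_nginx_configure).
	   sudo install -d -m 770 -o log."$site" -g log."$site" \
	    /home/www/log/"$site" \
	    /home/www/log/"$site"/php5 \
	    /home/www/log/"$site"/php5/fpm
	   # NOTE(review): this adds php5.$user — $user is set outside this
	   # function — to the site group, not the php5.$site account created
	   # above; likewise $php5_user (the pool's "user =") is not set here.
	   # Confirm which accounts are meant before changing either.
	   sudo adduser php5."$user" www."$site"
	   # NOTE(review): pm.status_path exposes /status on every site unless the
	   # nginx side restricts it; rlimit_core=unlimited keeps core dumps that
	   # can contain request data and secrets.  listen.owner/listen.mode are
	   # not set, so the socket keeps php-fpm's defaults — check nginx can
	   # connect to it.
	   sudo install -m 660 -o root -g root /dev/stdin \
	    /etc/php5/fpm/pool.d/"$conf" <<-EOF
		[php5.$site]
		access.log = /home/www/log/$site/php5/fpm/access.log
		catch_workers_output = yes
		chdir = /
		env[HOSTNAME] = \$HOSTNAME
		env[TEMP] = /tmp
		env[TMPDIR] = /tmp
		env[TMP] = /tmp
		group = www-data
		listen = /run/nginx/fastcgi/php5.$site
		#listen = 127.0.0.1:9000
		#listen.allowed_clients = 127.0.0.1
		listen.backlog = -1
		pm = dynamic
		pm.max_children = 5
		pm.max_requests = 200
		pm.max_spare_servers = 4
		pm.min_spare_servers = 2
		pm.start_servers = 3
		pm.status_path = /status
		request_slowlog_timeout = 5s
		request_terminate_timeout = 120s
		rlimit_core = unlimited
		rlimit_files = 131072
		slowlog = /home/www/log/$site/php5/fpm/slow.log
		user = $php5_user
		$(cat "$tool"/etc/php5/fpm/pool.d/"$conf")
		EOF
	   # Global php.ini, (re)installed once per pool — harmless but redundant.
	   sudo install -m 664 -o root -g root \
	    "$tool"/etc/php5/fpm/php.ini \
	    /etc/php5/fpm/php.ini
	done
	rule tmpfs_configure
	sudo service php5-fpm restart
}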
864 rule_postfix_configure () {
865 local hint="run vm_remote postfix_key_send before"
866 assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
867 warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
868 rule apt_get_install postfix
869 sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
870 *.db
871 EOF
872 sudo install -d -m 770 -o root -g root \
873 /etc/postfix/$vm_domainname/ \
874 /etc/postfix/$vm_domainname/smtp \
875 /etc/postfix/$vm_domainname/smtp/x509 \
876 /etc/postfix/$vm_domainname/smtp/x509/ca \
877 /etc/postfix/$vm_domainname/smtpd \
878 /etc/postfix/$vm_domainname/smtpd/x509 \
879 /etc/postfix/$vm_domainname/smtpd/x509/ca
880 sudo install -d -m 770 -o root -g root \
881 /etc/postfix/$vm_domainname/ \
882 /etc/postfix/$vm_domainname/smtp \
883 /etc/postfix/$vm_domainname/smtp/x509 \
884 /etc/postfix/$vm_domainname/smtp/x509/ca \
885 /etc/postfix/$vm_domainname/smtpd \
886 /etc/postfix/$vm_domainname/smtpd/x509 \
887 /etc/postfix/$vm_domainname/smtpd/x509/ca
888 sudo ln -fns \
889 ../crt+crl.self-signed.pem \
890 /etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
891 sudo install -m 400 -o root -g root \
892 "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+crl.self-signed.pem \
893 /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
894 sudo install -m 400 -o root -g root \
895 "$tool"/var/pub/x509/$vm_domainname/smtpd/crt.pem \
896 /etc/postfix/$vm_domainname/smtpd/x509/crt.pem
897 sudo install -m 400 -o root -g root \
898 "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+ca.pem \
899 /etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem
900 sudo install -m 400 -o root -g root \
901 "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+crl.self-signed.pem \
902 /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
903 sudo install -m 660 -o root -g root \
904 "$tool"/etc/postfix/$vm_domainname/header_checks \
905 /etc/postfix/$vm_domainname/header_checks
906 sudo install -m 664 -o root -g root /dev/stdin \
907 /etc/postfix/aliases <<-EOF
908 # See man 5 aliases for format
909 abuse: root
910 admin: root
911 contact: root
912 postmaster: root
913 root: $(getent group sudo | cut -f 4 -d : | tr , ' ')
914 EOF
915 sudo newaliases -oA/etc/postfix/aliases
916 cat /dev/stdin "$tool"/etc/postfix/main.cf <<-EOF |
917 mydomain = $vm_domainname
918 myorigin = \$mydomain
919 myhostname = $vm_hostname.\$mydomain
920 mail_name = \$myhostname
921 mydestination = $vm_hostname \$myhostname \$myorigin
922 EOF
923 sudo install -m 664 -o root -g root /dev/stdin \
924 /etc/postfix/main.cf
925 sudo install -m 664 -o root -g root \
926 "$tool"/etc/postfix/master.cf \
927 /etc/postfix/master.cf
928 sudo install -m 660 -o root -g root \
929 "$tool"/etc/postfix/$vm_domainname/smtp/x509/policy \
930 /etc/postfix/$vm_domainname/smtp/x509/policy
931 sudo postmap hash:/etc/postfix/$vm_domainname/smtp/x509/policy
932 sudo install -m 660 -o root -g root \
933 "$tool"/etc/postfix/$vm_domainname/smtp/header_checks \
934 /etc/postfix/$vm_domainname/smtp/header_checks
935 sudo install -m 660 -o root -g root \
936 "$tool"/etc/postfix/$vm_domainname/smtpd/sender_access \
937 /etc/postfix/$vm_domainname/smtpd/sender_access
938 sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/sender_access
939 sudo install -m 660 -o root -g root \
940 "$tool"/etc/postfix/$vm_domainname/smtpd/client_blacklist \
941 /etc/postfix/$vm_domainname/smtpd/client_blacklist
942 sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/client_blacklist
943 sudo install -m 660 -o root -g root \
944 "$tool"/etc/postfix/$vm_domainname/smtpd/relay_clientcerts \
945 /etc/postfix/$vm_domainname/smtpd/relay_clientcerts
946 sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/relay_clientcerts
947 sudo install -m 660 -o root -g root \
948 "$tool"/etc/postfix/$vm_domainname/transport \
949 /etc/postfix/$vm_domainname/transport
950 sudo postmap hash:/etc/postfix/$vm_domainname/transport
951 sudo install -m 660 -o root -g root \
952 "$tool"/etc/postfix/$vm_domainname/virtual_alias \
953 /etc/postfix/$vm_domainname/virtual_alias
954 sudo postmap hash:/etc/postfix/$vm_domainname/virtual_alias
955 sudo service postfix restart
956 }
rule_postgrey_configure () {
	# Greylisting policy daemon for postfix. Nothing is installed under /etc/postgrey
	# here: the package is used with the configuration it ships.
	local daemon=postgrey
	rule apt_get_install "$daemon"
	sudo service "$daemon" restart
}
rule_procmail_configure () {
	# Installs procmail and seeds /etc/skel with the per-user mail layout
	# (etc/mail for the recipes, var/{cache,log,mail} for state), group adm,
	# plus the default delivery recipe kept in the repository.
	local skel=/etc/skel
	rule apt_get_install procmail
	sudo install -d -m 770 -o root -g adm \
		"$skel"/etc/mail \
		"$skel"/var/cache/mail \
		"$skel"/var/log/mail \
		"$skel"/var/mail
	sudo install -m 660 -o root -g adm \
		"$tool"/etc/skel/etc/mail/delivery.procmailrc \
		"$skel"/etc/mail/delivery.procmailrc
}
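rule_ssh_configure () {
	# Host key: a 4096-bit RSA key is generated only when the repository's known_hosts
	# holds no RSA entry for this VM (otherwise the key already distributed to clients
	# is the one expected to be in place).
	ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	grep -q -- ' RSA$' ||
	sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
	# Remove the other host keys Debian generated at install time:
	# the sshd_config below only offers the RSA one.
	sudo rm -f \
		/etc/ssh/ssh_host_dsa_key \
		/etc/ssh/ssh_host_dsa_key.pub \
		/etc/ssh/ssh_host_ecdsa_key \
		/etc/ssh/ssh_host_ecdsa_key.pub
	# Authentication is public-key only, root included (its keys are collected by
	# user_root_configure). PermitRootLogin without-password (alias of prohibit-password,
	# accepted by every OpenSSH release) keeps root key-only even if PasswordAuthentication
	# were turned on later. Compression delayed keeps zlib away from unauthenticated peers
	# on sshd < 7.4 and is the same as yes on newer versions.
	# NOTE: Protocol, KeyRegenerationInterval, ServerKeyBits, RSAAuthentication and
	# UsePrivilegeSeparation are protocol-1-era directives; newer sshd versions report
	# them as deprecated — check the output of sshd -t below.
	sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
		Port 22
		ListenAddress $vm_ipv4
		#ListenAddress ::
		Protocol 2
		Compression delayed
		HostKey /etc/ssh/ssh_host_rsa_key
		UsePrivilegeSeparation yes
		KeyRegenerationInterval 3600
		ServerKeyBits 768
		SyslogFacility AUTH
		LogLevel INFO
		LoginGraceTime 120
		PermitRootLogin without-password
		StrictModes yes
		RSAAuthentication yes
		PubkeyAuthentication yes
		AuthorizedKeysFile %h/etc/ssh/authorized_keys
		IgnoreRhosts yes
		RhostsRSAAuthentication no
		HostbasedAuthentication no
		IgnoreUserKnownHosts no
		PermitEmptyPasswords no
		ChallengeResponseAuthentication no
		PasswordAuthentication no
		KerberosAuthentication no
		GSSAPIAuthentication no
		X11Forwarding no
		X11DisplayOffset 10
		PrintMotd no
		DebianBanner no
		PrintLastLog yes
		TCPKeepAlive yes
		ClientAliveInterval 0
		AcceptEnv LANG LC_*
		Subsystem sftp /usr/lib/openssh/sftp-server
		UsePAM yes
	EOF
	# Never restart on a configuration sshd rejects: the running daemon would stop
	# and SSH access to the VM would be lost (set -e aborts here on failure).
	sudo /usr/sbin/sshd -t
	sudo service ssh restart
}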
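rule_sysctl_configure () {
	# Copies every etc/sysctl.d/*.conf of the repository into /etc/sysctl.d/
	# and reloads all sysctl settings.
	local conf name; local -; set +f
	for conf in "$tool"/etc/sysctl.d/*.conf
	do
		# an unmatched glob stays literal: skip it rather than handing it to install,
		# which would abort the whole run with a confusing error
		test -e "$conf" || continue
		name=${conf##*/}
		sudo install -m 660 -o root -g root \
			"$conf" \
			/etc/sysctl.d/"$name"
	done
	sudo sysctl --system
}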
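rule_user_add () { # SYNTAX: $user
	# Creates an unprivileged account $user: locked password, membership of group users,
	# SSH login with var/pub/ssh/$user.key and the repository's OpenPGP keys imported
	# into the account's keyring.
	rule user_configure
	local user="$1" home
	id "$user" >/dev/null ||
	sudo adduser --disabled-password "$user"
	# NOTE: the password has to be initialised by the user with passwd-init.
	# NOTE(review): the password-less sudo rule behind passwd-init is granted to group
	# sudo only (see user_configure); this account is not put in that group, so sudo
	# will ask it for a password it does not have yet — confirm this is intended.
	# The home directory is read from the passwd database rather than by eval'ing
	# "~$user": eval would execute any shell syntax present in $user.
	home=$(getent passwd "$user" | cut -d : -f 6)
	assert 'test -d "$home"' home
	sudo adduser "$user" users
	# NOTE(review): at 640 root:root this file is not readable by $user, and sshd, as far
	# as I know, opens authorized_keys under the user's own uid — confirm that key logins
	# work on this setup; 644 is the usual mode for an admin-managed key file.
	sudo install -m 640 -o root -g root \
		"$tool"/var/pub/ssh/"$user".key \
		"$home"/etc/ssh/authorized_keys
	# -H: the keyring must land in $user's home, whatever HOME sudo would otherwise keep.
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo -H -u "$user" gpg --import - <"$key"
	done
}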
rule_user_configure () {
	# Placeholder only: a second rule_user_configure is defined further down in this
	# file and, the shell keeping the last definition of a function, that one is the
	# rule actually run by user_add, user_admin_add and configure.
	true
}
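rule_user_admin_add () { # SYNTAX: $user
	# Creates an administrator account $user: like user_add, plus membership of group
	# sudo (full root through sudo and, via user_root_configure, SSH access as root),
	# then user_admin_configure.
	rule user_configure
	local user="$1" home
	id "$user" >/dev/null ||
	sudo adduser --disabled-password "$user"
	# NOTE: the (still locked) password is initialised by the user with passwd-init.
	# The home directory is read from the passwd database rather than by eval'ing
	# "~$user": eval would execute any shell syntax present in $user.
	home=$(getent passwd "$user" | cut -d : -f 6)
	assert 'test -d "$home"' home
	sudo adduser "$user" sudo
	sudo adduser "$user" users
	# NOTE(review): at 640 root:root this file is not readable by $user, and sshd, as far
	# as I know, opens authorized_keys under the user's own uid — confirm that key logins
	# work on this setup; 644 is the usual mode for an admin-managed key file.
	sudo install -m 640 -o root -g root \
		"$tool"/var/pub/ssh/"$user".key \
		"$home"/etc/ssh/authorized_keys
	# -H: the keyring must land in $user's home, whatever HOME sudo would otherwise keep.
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo -H -u "$user" gpg --import - <"$key"
	done
	rule user_admin_configure
}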
rule_user_admin_configure () {
	# Run after an administrator account has been created (user_admin_add):
	# re-runs initramfs_configure (defined elsewhere in this file) and then
	# user_root_configure, which collects the sudo group's authorized_keys into root's.
	rule initramfs_configure
	rule user_root_configure
}
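# Installs the sudoers fragment read from stdin as /etc/sudoers.d/$1, once visudo has
# accepted it. The fragment is staged under a name containing a dot, which #includedir
# skips, so a fragment with a syntax error never reaches sudo: a broken fragment would
# make every sudo invocation fail, including the one needed to remove it again.
sudoers_install () { # SYNTAX: $name
	local name="$1" staging
	staging=/etc/sudoers.d/$name.tmp
	# 0440 root:root is the ownership and mode sudo expects of a sudoers file
	sudo install -m 440 -o root -g root /dev/stdin "$staging"
	sudo visudo -c -f "$staging"
	sudo mv -f "$staging" /etc/sudoers.d/"$name"
}
rule_user_configure () {
	# Home-directory skeleton (/etc/skel) for every account created by user_add and
	# user_admin_add: ~/.ssh and ~/.gnupg are symlinks into etc/, variable data goes
	# under var/. Then the sudo rules and the shell/screen defaults shared by all users.
	sudo install -d -m 750 -o root -g adm \
		/etc/skel/etc \
		/etc/skel/etc/gpg \
		/etc/skel/etc/ssh
	sudo install -d -m 770 -o root -g adm \
		/etc/skel/var \
		/etc/skel/var/cache \
		/etc/skel/var/log \
		/etc/skel/var/run \
		/etc/skel/var/run/ssh
	sudo ln -fns etc/ssh /etc/skel/.ssh
	sudo ln -fns etc/gpg /etc/skel/.gnupg
	# passwd-init lets a member of group sudo set their own, still locked, password
	# (adduser --disabled-password leaves it so) without already having one to give sudo.
	# The script re-executes itself through sudo and the sudoers rule names exactly that
	# path, with a trailing "" that forbids any argument. Do not turn this back into a
	# `/bin/sh -c '...'` rule: sudoers matches command arguments with shell-style
	# wildcards, so the `*` of the case pattern would match any text — i.e. any extra
	# command — password-less.
	sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-'EOF'
		#!/bin/sh -efu
		# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
		# Unprivileged entry: run again as root through sudo (see /etc/sudoers.d/passwd-init).
		if test "$(id -u)" != 0
		then exec sudo /usr/local/bin/passwd-init
		fi
		# Privileged part: only for the user who invoked sudo, and only while that password is locked.
		: "${SUDO_USER:?must be run through sudo}"
		case $(/usr/bin/passwd --status "$SUDO_USER") in
		("$SUDO_USER L "*) /usr/bin/passwd "$SUDO_USER";;
		esac
	EOF
	sudoers_install passwd-init <<-'EOF'
		%sudo ALL=(root) NOPASSWD: /usr/local/bin/passwd-init ""
	EOF
	sudoers_install etckeeper-unclean <<-'EOF'
		%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
	EOF
	# env_keep is assigned (=), not appended (+=): the distribution's default list is replaced.
	sudoers_install env_keep <<-'EOF'
		Defaults env_keep = " \
			EDITOR \
			GIT_AUTHOR_NAME \
			GIT_AUTHOR_EMAIL \
			GIT_COMMITTER_NAME \
			GIT_COMMITTER_EMAIL \
		"
	EOF
	sudo install -m 644 -o root -g root \
		"$tool"/etc/bash.bashrc \
		/etc/bash.bashrc
	sudo install -m 644 -o root -g root \
		"$tool"/etc/screenrc \
		/etc/screenrc
}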
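rule_user_root_configure () {
	# Root's dot-directories follow the /etc/skel layout (~/.gnupg and ~/.ssh are
	# symlinks into /root/etc), then every member of group sudo gets SSH access as root:
	# their authorized_keys are concatenated into root's. Root only ever logs in with a
	# key (ssh_configure disables password authentication).
	sudo install -d -m 750 -o root -g adm \
		/root/etc \
		/root/etc/gpg \
		/root/etc/ssh
	sudo ln -fns etc/gpg /root/.gnupg
	sudo ln -fns etc/ssh /root/.ssh
	local members member home keys
	members=$(getent group sudo | cut -d : -f 4)
	keys=$(
		# set -f is on for the whole script, so the unquoted expansion only splits on commas
		IFS=,
		for member in $members
		do
			# home directory from the passwd database: no eval, no tilde expansion
			home=$(getent passwd "$member" | cut -d : -f 6)
			# a user's authorized_keys is installed 640 root:root (user_add), so the
			# invoking admin cannot read it directly; a missing file aborts the run
			# (set -e) instead of silently producing a shorter list
			sudo cat "$home"/etc/ssh/authorized_keys
		done
	)
	# Lockout guard: never replace root's authorized_keys with an empty list.
	if test -z "$keys"
	then warn "no authorized_keys collected from group sudo; /root/etc/ssh/authorized_keys left untouched"
	else printf '%s\n' "$keys" |
		sudo install -m 640 -o root -g root /dev/stdin /root/etc/ssh/authorized_keys
	fi
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo gpg --import "$key"
	done
}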
rule_configure () {
	# Complete configuration of the hosted VM, run in this order: package sources and
	# this repository, base system (etckeeper, locale, time, network, filesystem, login,
	# sshd, root account, boot, sysctl), user skeleton and sudo rules, then the services.
	rule apt_configure
	rule git_configure
	rule etckeeper_configure
	rule locale_configure
	rule time_configure
	rule network_configure
	rule filesystem_configure
	rule login_configure
	rule ssh_configure
	rule user_root_configure
	rule boot_configure
	rule sysctl_configure
	rule user_configure
	rule mail_configure
	# apache2_configure is kept in the file but not run here: nginx + php5-fpm are set up instead
	#rule apache2_configure
	rule nginx_configure
	rule php5_fpm_configure
}
1158
rule_luks_key_change () {
	# Replaces one passphrase of the LUKS volume holding the root filesystem;
	# cryptsetup prompts for the passphrase to replace and for the new one.
	local root_lv
	root_lv=/dev/$vm_lvm_vg/${vm_lvm_lv}_root
	sudo cryptsetup luksChangeKey "$root_lv"
}
1162
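# Entry point: the first argument names the rule (default: help), the rest is passed
# to it. Every rule but help must run on the VM this checkout is written for: a copy
# of the repository on another host must not be able to reconfigure that host by mistake.
rule=${1:-help}
${1+shift}
if test "$rule" != help
then assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
fi
rule "$rule" "$@"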