Ajout : vm_hosted : rule_apt_configure : proxy avant update .
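#!/bin/sh
# vm_hosted — administration rules for this VM, run from inside the hosted VM
# (the host side lives in vm_host). Usage: vm_hosted RULE [ARGS...]; the rules
# are the rule_* functions below (see rule_help for the generated listing).
# DRY_RUN=<non-empty> adds -n: the shell only parses the script, nothing runs.
set -e -f ${DRY_RUN:+-n} -u
# Resolve $0 through symlinks (e.g. /usr/local/sbin/vm -> .../vm_hosted) to find
# the tool's own directory, from which lib/ and etc/ are sourced below.
tool=$0
while test -L "$tool"
do link=$(readlink "$tool")
  # readlink returns the target as written: a relative target is relative to
  # the directory holding the link, not to the current directory.
  case $tool in
  (*/*) dir=${tool%/*} ;;
  (*) dir=. ;;
  esac
  case $link in
  (/*) tool=$link ;;
  (*) tool=$dir/$link ;;
  esac
done
# Directory part of the resolved path ("." when the path had no slash, e.g.
# when invoked as "sh vm_hosted", which used to leave "vm_hosted/lib/rule.sh").
case $tool in
(*/*) tool=${tool%/*} ;;
(*) tool=. ;;
esac
unset link dir
. "$tool"/lib/rule.sh
. "$tool"/etc/vm.sh
export TRACE=1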
11
rule_help () { # SYNTAX: [--hidden]
  # Prints this tool's usage (in French) on stderr.
  # Without an argument, rules whose name starts with "rule__" (hidden rules)
  # are left out; with any argument (e.g. --hidden) they are listed too.
  # The RULES and ENVIRONMENT sections are extracted with sed from the
  # definition lines of "$tool"/etc/vm.sh and of this very file ($0): the
  # "# SYNTAX:" comments on "rule_* () {" lines and the trailing comments on
  # "readonly" lines are therefore part of the output and must be kept as is.
  local hidden; [ ${1:+set} ] || hidden=set
  cat >&2 <<-EOF
DESCRIPTION:
ce script regroupe des règles pour administrer la VM ($vm_fqdn)
_depuis_ la VM hébergée ($vm_fqdn) ;
il sert à la fois d'outil (aisément bidouillable)
et de documentation (préçise).
Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
SYNTAX: $0 \$RULE \${RULE}_SYNTAX
RULES:
$(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
ENVIRONMENT:
TRACE # affiche les commandes avant leur exécution
$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
EOF
}
29
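rule_git_configure () {
  # Configures the tool's own git checkout so that a push to this VM updates the
  # working tree (post-update hook), and exposes the tool as
  # /usr/local/sbin/vm_hosted and /usr/local/sbin/vm.
  # Everything runs in a subshell: the caller's working directory is untouched.
  (
  cd "$tool"
  # "--replace" is presumably taken as the unique prefix of --replace-all — confirm.
  git config --replace branch.master.remote .
  git config --replace branch.master.merge refs/remotes/master
  # Absolute path for the symlinks: after the cd above, $PWD is the tool
  # directory. (Re-entering a relative $tool from inside itself, as
  # "cd $tool; cd -" did, fails whenever $tool has a directory part.)
  local tool
  tool=$PWD
  sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/
  sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/vm
  # post-update hook (root-owned, mode 770): when refs/remotes/master is updated
  # by a push, force master onto it and delete every untracked file — with -x,
  # ignored files too.
  sudo install -m 770 /dev/stdin .git/hooks/post-update <<-EOF
#!/bin/sh -efux
case \$1 in
(refs/remotes/master)
cd ..
git --git-dir=\$PWD/.git checkout -f -B master remotes/master
git --git-dir=\$PWD/.git clean -f -d -x
;;
esac
EOF
  )
}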
rule_git_reset () {
  # Throws away local changes in the tool's checkout: master is forced back onto
  # remotes/master and untracked (with -x: also ignored) files are deleted.
  # Runs in a subshell so the caller's working directory is left alone.
  (
  cd "$tool" || exit
  git checkout -f -B master remotes/master
  git clean -f -d -x
  )
}
58
rule_adduser () {
  # Creates the account named $1, passing the remaining arguments to adduser,
  # unless an account of that name already exists — so the rule is idempotent.
  local user="$1"
  shift
  if ! getent passwd "$user" >/dev/null
  then sudo adduser "$@" "$user"
  fi
}
rule_apt_get_install () { # SYNTAX: $package
  # Installs the given packages without any debconf prompt; the frontend is
  # passed on sudo's command line rather than through the environment.
  local frontend=noninteractive
  sudo DEBIAN_FRONTEND="$frontend" apt-get install --yes "$@"
}
rule_dpkg_reconfigure () { # SYNTAX: $package
  # Reconfigures the given packages without any debconf prompt (answers are
  # expected to have been preseeded with debconf-set-selections).
  local frontend=noninteractive
  sudo DEBIAN_FRONTEND="$frontend" dpkg-reconfigure "$@"
}
70
rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
  # (The definition-line comment above is shown by rule_help --hidden and is
  # kept verbatim; it reads "is this actually useful at some point?".)
  # Forces a C locale in the current shell and re-reads /etc/profile,
  # presumably for use inside a chroot.
  LANG=C LC_CTYPE=C
  export LANG LC_CTYPE
  . /etc/profile
}
76
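rule_apache2_configure () {
  # Installs Apache (mpm-itk + mod_php5) and regenerates its configuration from
  # "$tool"/etc/apache2: the global files first, then one VirtualHost per
  # "$tool"/etc/apache2/site.d/$site/VirtualHost.conf, each with its own
  # www-$site account, log and document-root directories and, for sites named
  # *-tls, its X.509 material under /etc/apache2/x509.d/$site.
  # Uses $tool and $vm_fqdn, the rule/assert helpers from lib/rule.sh, and
  # $port in the VirtualHost directives — $port is not set here; presumably it
  # comes from etc/vm.sh (confirm: with set -u an unset $port aborts the rule).
  local -; set +f   # globbing is off file-wide (set -f): enable it for the site loop only
  rule apt_get_install \
    apache2-mpm-itk \
    libapache2-mod-php5
  # SEE: http://serverfault.com/questions/383526/how-do-i-select-which-apache-mpm-to-use/383634#383634
  # SEE: http://jkroon.blogs.uls.co.za/it/security/using-php-fpm-and-mod_proxy_fcgi-to-optimize-and-secure-lamp-servers
  # NOTE: apache2-mpm-itk looks like the most secure choice, since everything is
  # guaranteed to run with the uid/gid assigned to the
  # VirtualHost/Directory/Location; a combination such as
  # apache2-mpm-{worker,event} + mod_proxy_fcgi + apache2-suexec-custom + php-fpm
  # might perform better (threads rather than forks), but suexec seems to
  # impose forks anyway, and mod_proxy_fcgi only appears in apache 2.4;
  # so for now: apache2-mpm-itk.
  # site.d is rebuilt from scratch on every run.
  sudo rm -rf \
    /etc/apache2/site.d
  # NOTE(review): /etc/apache2 is owned by www:www with mode 770, i.e. the web
  # account can alter the server configuration — confirm this is intended.
  sudo install -d -m 770 -o www -g www \
    /etc/apache2 \
    /etc/apache2/site.d \
    /etc/apache2/x509.d
  # apache2.conf = a ServerName line followed by the repository's apache2.conf.
  cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF |
ServerName "$vm_fqdn"
EOF
  sudo install -m 660 -o root -g root /dev/stdin \
    /etc/apache2/apache2.conf
  sudo install -m 660 -o root -g root \
    "$tool"/etc/apache2/envvars \
    /etc/apache2/envvars
  sudo install -m 660 -o root -g root \
    "$tool"/etc/apache2/httpd.conf \
    /etc/apache2/httpd.conf
  #sudo install -m 660 -o root -g root /dev/stdin \
  # /etc/apache2/suexec/www-data <<-EOF
  # /home
  # pub/www/cgi
  # EOF
  sudo install -m 660 -o root -g root \
    "$tool"/etc/apache2/ports.conf \
    /etc/apache2/ports.conf
  sudo a2enmod actions
  sudo a2enmod headers
  sudo a2enmod rewrite
  sudo a2enmod ssl
  sudo a2enmod userdir
  local conf site hint
  # Every site is disabled first and re-enabled below from the repository's list.
  sudo a2dissite "*"
  sudo ln -fns \
    /etc/apache2 \
    /home/www/etc/apache2
  for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf
  do
    # With no site the pattern stays literal: skip it rather than creating a
    # site (and an account) named "*".
    test -e "$conf" || continue
    conf=${conf#"$tool"/etc/apache2/site.d/}
    site=${conf%/VirtualHost.conf}
    # The www-$site account must exist before anything is chowned to it
    # (it used to be created only after the install -d calls below).
    rule adduser www-"$site" \
      --disabled-password \
      --group \
      --no-create-home \
      --home /home/www/pub/"$site" \
      --shell /bin/false \
      --system
    # Every site gets its site.d directory (site.d was wiped above); the
    # VirtualHost file is installed into it further down.
    sudo install -d -m 770 -o www-"$site" -g www-"$site" \
      /etc/apache2/site.d/"$site"
    case $site in
    (*-tls)
      # The private key is delivered out of band by the host and is never
      # stored in the repository.
      # NOTE(review): this asserts site.d/$site/x509/key.pem whereas the
      # VirtualHost below reads x509.d/$site/key.pem — confirm which path
      # apache2_key_send writes to.
      hint="run vm_remote apache2_key_send before"
      assert "sudo test -f /etc/apache2/site.d/\"$site\"/x509/key.pem" hint
      # /etc/apache2 itself is deliberately not listed here: install -d also
      # re-applies owner and mode to an existing directory, and /etc/apache2
      # belongs to www:www (see above), not to the last site processed.
      sudo install -d -m 770 -o www-"$site" -g www-"$site" \
        /etc/apache2/x509.d/"$site" \
        /etc/apache2/x509.d/"$site"/ca \
        /etc/apache2/x509.d/"$site"/empty \
        /etc/apache2/x509.d/"$site"/rvk \
        /etc/apache2/x509.d/"$site"/usr
      sudo install -m 664 -o www -g www \
        "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
        /etc/apache2/x509.d/"$site"/crt.self-signed.pem
      #sudo install -m 664 -o www-"$site" -g www-"$site" \
      # "$tool"/var/pub/x509/"$site"/rvk.pem \
      # /etc/apache2/x509.d/"$site"/rvk.pem
      sudo install -m 664 -o www -g www \
        "$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \
        /etc/apache2/x509.d/"$site"/ca/crt.pem
      sudo install -m 664 -o www -g www \
        "$tool"/var/pub/x509/"$site"/crt.pem \
        /etc/apache2/x509.d/"$site"/crt.pem
      ;;
    esac
    # The VirtualHost file = a fixed preamble + the site's own VirtualHost.conf.
    # NOTE(review): the TLS preamble allows TLSv1 only (SSLProtocol -All +TLSv1)
    # and a single AES+RSA+SHA256 suite family; revisit once the Apache version
    # in use supports TLSv1.2.
    case $site in
    (*-tls)
      cat <<-EOF
<IfModule mod_ssl.c>
<VirtualHost *:$port>
AssignUserID www-$site www-$site
BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined
#CustomLog "/dev/null" Combined
DocumentRoot /home/www/pub/$site
ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60"
#ErrorLog "/dev/null"
LogLevel Warn
SSLCACertificateFile /etc/apache2/x509.d/$site/crt.self-signed.pem
SSLCACertificatePath /etc/apache2/x509.d/$site/usr/
#SSLCARevocationFile /etc/apache2/x509.d/$site/rvk.pem
SSLCADNRequestFile /etc/apache2/x509.d/$site/crt.self-signed.pem
SSLCADNRequestPath /etc/apache2/x509.d/$site/empty/
# NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés
SSLCARevocationPath /etc/apache2/x509.d/$site/rvk/
SSLCertificateChainFile /etc/apache2/x509.d/$site/ca/crt.pem
SSLCertificateFile /etc/apache2/x509.d/$site/crt.pem
SSLCertificateKeyFile /etc/apache2/x509.d/$site/key.pem
SSLCipherSuite AES+RSA+SHA256
SSLEngine On
SSLInsecureRenegotiation Off
SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars
SSLProtocol -All +TLSv1
#SSLRenegBufferSize 262144
SSLSessionCacheTimeout 1200
SSLStrictSNIVHostCheck On
SSLUserName SSL_CLIENT_S_DN_CN
SSLVerifyClient None
SSLVerifyDepth 1
$(cat "$tool"/etc/apache2/site.d/"$site"/VirtualHost.conf)
</VirtualHost>
</IfModule>
EOF
      ;;
    (*)
      cat <<-EOF
<VirtualHost *:$port>
AssignUserID www-$site www-$site
CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined
#CustomLog "/dev/null" Combined
DocumentRoot /home/www/pub/$site
ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60"
#ErrorLog "/dev/null"
LogLevel Warn
$(cat "$tool"/etc/apache2/site.d/"$site"/VirtualHost.conf)
</VirtualHost>
EOF
      ;;
    esac |
    sudo install -m 660 -o root -g root /dev/stdin \
      /etc/apache2/site.d/"$site"/VirtualHost.conf
    sudo ln -fns \
      ../site.d/"$site"/VirtualHost.conf \
      /etc/apache2/sites-available/"$site"
    sudo install -d -m 770 -o www-"$site" -g www-"$site" \
      /home/www/log/"$site" \
      /home/www/log/"$site"/apache2
    sudo ln -fns \
      /etc/apache2/site.d/"$site" \
      /home/www/etc/apache2/"$site"
    # An existing document root (possibly a symlink) is kept as is.
    test -e /home/www/pub/"$site" ||
    sudo install -d -m 2770 -o www-"$site" -g www-"$site" \
      /home/www/pub/"$site"
    #sudo setfacl -m u:"www-$site":--x \
    # /home/www/ \
    # /home/www/pub/ \
    # /home/www/pub/"$site"/
    #sudo setfacl -m d:u:"www-$site":rwx \
    # "$home"/pub/www/"$site"/
    # Optional per-site hook, sourced into this shell: it runs with this
    # script's privileges and sees $site, $tool, ...
    test ! -r "$tool"/etc/apache2/site.d/"$site"/configure.sh ||
    . "$tool"/etc/apache2/site.d/"$site"/configure.sh
    test -e /etc/apache2/sites-enabled/"$site" ||
    sudo a2ensite "$site"
  done
  sudo service apache2 restart
}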
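rule_apt_configure () {
  # Writes the APT sources (Debian $vm_lsb_name: main, contrib, non-free) and
  # release pinning, refreshes the package lists, then installs apticron so
  # pending upgrades are mailed to admin@$vm_domainname.
  # Requires $vm_lsb_name and $vm_domainname (from etc/vm.sh, presumably).
  sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
EOF
  # NOTE(review): this lands in /etc/apt/, not /etc/apt/sources.list.d/, so APT
  # never reads it; harmless as long as its only line stays commented out.
  sudo install -m 660 -o root -g root /dev/stdin /etc/apt/"$vm_lsb_name"-backports.list <<-EOF
#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
EOF
  # NOTE(review): backports (200) are pinned above the release (170): should the
  # backports source ever be enabled, backported versions win by default —
  # confirm this is intended.
  sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
Package: *
Pin: release a=$vm_lsb_name
Pin-Priority: 170

Package: *
Pin: release a=$vm_lsb_name-backports
Pin-Priority: 200
EOF
  # Optional APT proxy/cache; it has to be in place before "apt-get update".
  #sudo install -m 660 -o root -g root /dev/stdin /etc/apt/apt.conf.d/02proxy-grenode <<-EOF
  # Acquire::http::Proxy "http://outils.grenode.net:3142";
  # EOF
  sudo apt-get update
  rule apt_get_install apticron
  # Only EMAIL is set; the other settings are left at their defaults (commented).
  sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF
EMAIL="admin@$vm_domainname"
# DIFF_ONLY="1"
# LISTCHANGES_PROFILE="apticron"
# ALL_FQDNS="1"
# SYSTEM="foobar.example.com"
# IPADDRESSNUM="1"
# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
# NOTIFY_HOLDS="0"
# NOTIFY_NEW="0"
# NOTIFY_NO_UPDATES="0"
# CUSTOM_SUBJECT=""
# CUSTOM_NO_UPDATES_SUBJECT=""
# CUSTOM_FROM="root@$vm_fqdn"
EOF
}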
283 rule_boot_configure () {
284 #warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
285 sudo debconf-set-selections <<-EOF
286 grub-pc grub-pc/install_devices multiselect
287 EOF
288 rule apt_get_install grub-pc
289 sudo install -d -m 644 -o root -g root /boot/grub
290 rule apt_get_install linux-image-$vm_arch
291 sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF
292 GRUB_DEFAULT=0
293 GRUB_TIMEOUT=5
294 GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
295 GRUB_CMDLINE_LINUX_DEFAULT="quiet"
296 GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
297 GRUB_DISABLE_RECOVERY="true"
298 #GRUB_PRELOAD_MODULES="lvm"
299 EOF
300 sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF
301 (hd0) /dev/xvda
302 (hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
303 EOF
304 sudo update-grub2 # NOTE: prend en compte /boot/grub/device.map
305 rule initramfs_configure
306 rule apt_get_install molly-guard
307 sudo install -m 644 -o root -g root /dev/stdin /etc/molly-guard/rc <<-EOF
308 ALWAYS_QUERY_HOSTNAME=true
309 # NOTE: une alternative est de dire à sudo de conserver les SSH_*
310 # néamoins demander tout le temps n'est pas trop contraignant
311 # et davantage sécurisant.
312 EOF
313 }
rule_dovecot_configure () {
  # Installs Dovecot (IMAP + ManageSieve + Sieve) for $vm_domainname: TLS with
  # client-certificate verification (the username is taken from the
  # certificate), per-user password files in ~/etc/dovecot/passwd, Maildir in
  # ~/var/mail with fs quota (indexes and control files kept under the
  # /var/lib/dovecot-* trees), Sieve scripts from ~/etc/mail, and the auth
  # socket in Postfix's chroot. Also installs the dovecot-passwd user helper.
  # Requires $tool, $vm_domainname and the rule/assert helpers from lib/rule.sh.
  rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
  # The private key is delivered out of band (vm_remote dovecot_key_send) and
  # is never stored in the repository.
  local hint="run vm_remote dovecot_key_send before"
  assert "sudo test -f /etc/dovecot/\"$vm_domainname\"/imap/x509/key.pem" hint
  # Certificate + CRL bundle, root-only readable.
  sudo install -m 400 -o root -g root \
    "$tool"/var/pub/x509/imap."$vm_domainname"/crt+crl.self-signed.pem \
    /etc/dovecot/"$vm_domainname"/imap/x509/crt+crl.self-signed.pem
  # Skeleton directories so that new accounts get ~/etc/mail and ~/etc/sieve.
  sudo install -d -m 770 -o root -g root \
    /etc/skel/etc/mail \
    /etc/skel/etc/sieve
  # World-writable with the sticky bit: each user owns its own %u subtree there.
  sudo install -d -m 1777 -o root -g root \
    /var/lib/dovecot-control \
    /var/lib/dovecot-index
  # NOTE(review): mail_debug = yes is verbose, and ssl_cipher_list allows the
  # single legacy AES256-SHA suite — both worth revisiting.
  # NOTE(review): "service auth" runs as root, presumably so that it can read
  # the per-user passwd files under /home/%u/etc/dovecot — confirm.
  sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
auth_ssl_username_from_cert = yes
listen = *
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_debug = yes
mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
# NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
# VOIR: http://wiki2.dovecot.org/Quota/FS
mail_plugins = \$mail_plugins quota
mail_privileged_group = mail
passdb {
args = /home/%u/etc/dovecot/passwd
driver = passwd-file
}
plugin {
quota = fs:user
recipient_delimiter = +
sieve = ~/etc/mail/filter.sieve
sieve_dir = ~/etc/mail/sieve
sieve_global_dir = /var/lib/dovecot/sieve/global/
sieve_max_script_size = 1M
sieve_quota_max_scripts = 0
sieve_quota_max_storage = 10M
sieve_user_log = ~/var/log/mail/sieve.log
}
protocol imap {
mail_plugins = \$mail_plugins imap_quota
}
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
hostname = $vm_domainname
info_log_path =
log_path =
mail_plugins = \$mail_plugins sieve
postmaster_address = contact+dovecot+lda@$vm_domainname
syslog_facility = mail
}
protocols = imap sieve
service auth {
user = root
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
ssl_cipher_list = AES256-SHA
ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
ssl_verify_client_cert = yes
userdb {
driver = passwd
}
verbose_ssl = no
EOF
  # Helper for users (description in the file, in French: lets a user set their
  # own dovecot password): writes ~/etc/dovecot/passwd with the SHA512-CRYPT
  # hash produced by doveadm pw, mode 640, so the clear password is never stored.
  sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
#!/bin/sh -efux
# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
install -d -m 770 ~/etc/dovecot
install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
\$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
_EOF
EOF
  # Resets postgrey's local recipient whitelist to an empty file
  # (rule postgrey_configure is not part of this block).
  sudo install -m 664 -o root -g root /dev/stdin /etc/postgrey/whitelist_recipients.local <<-EOF
EOF
  sudo service dovecot restart
}
rule_etckeeper_configure () {
  # Keeps /etc under git with etckeeper: no daily auto-commit and no commit
  # before package installs; the repository's prompt.sh is installed alongside.
  # NOTE(review): both files are written before the package is installed —
  # confirm dpkg keeps them rather than the package's own conffile versions.
  sudo install -m 644 -o root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
VCS=git
GIT_COMMIT_OPTIONS=""
AVOID_DAILY_AUTOCOMMITS=1
#AVOID_SPECIAL_FILE_WARNING=1
AVOID_COMMIT_BEFORE_INSTALL=1
HIGHLEVEL_PACKAGE_MANAGER=apt
LOWLEVEL_PACKAGE_MANAGER=dpkg
EOF
  sudo install -m 644 -o root -g root \
    "$tool"/etc/etckeeper/prompt.sh \
    /etc/etckeeper/prompt.sh
  rule apt_get_install etckeeper
}
rule_filesystem_configure () {
  # Writes /etc/fstab and /etc/crypttab for this VM's LVM layout
  # ($vm_lvm_vg / ${vm_lvm_lv}_{boot,root,var,home,swap}). Every volume but
  # /boot is LUKS: root has no key file (unlocked interactively, presumably at
  # boot), while var, home and swap derive their key from the opened root volume
  # (decrypt_derived), so a single passphrase opens everything.
  # Requires $vm_lvm_vg and $vm_lvm_lv; ends with rule tmpfs_configure.
  # fstab: /home carries user and group quotas (used by dovecot's fs quota,
  # presumably — see rule dovecot_configure); the barrier=1 note is the author's.
  sudo install -m 644 -o root -g root /dev/stdin /etc/fstab <<-EOF
# <file system> <mount point> <type> <options> <dump> <pass>
LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
# NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
EOF
  # crypttab: the third column of var/home/swap names the already-opened root
  # mapping as the key source for decrypt_derived.
  sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF
# <target name> <source device> <key file> <options>
${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
EOF
  rule tmpfs_configure
}
rule_initramfs_configure () {
  # Builds the initramfs of a Xen PV guest: module list (SHA hashes, AES, XTS),
  # network on eth0 (xennet), and a dropbear ssh server inside the initramfs,
  # presumably to unlock the LUKS root volume remotely (see rule
  # filesystem_configure), reachable with the ssh keys of every sudo member.
  # Requires $tool and $vm_fqdn.
  sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
MODULES=most
BUSYBOX=y
KEYMAP=y
COMPRESS=gzip
DEVICE=eth0
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/modprobe.d/xen-pv.conf <<-EOF
alias eth0 xennet
alias scsi_hostadapter xenblk
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/modules <<-EOF
sha1_generic
sha256_generic
sha512_generic
aes-x86_64
xts
# NOTE: pour Xen en mode HVM :
#modprobe xen-platform-pci
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF
EOF
  # Drops the trailing "&" of the configure_networking line so that dropbear
  # only starts once the network is up.
  # NOTE(review): this edits a file under /usr/share that is presumably owned
  # by a package; an upgrade silently restores the original.
  sudo sed -e '/^configure_networking /s/ &$//' \
    -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
  # NOTE: fixes a pest: dropbear must wait for the network to be configured..
  # Keep the existing dropbear RSA host key when the repository's known_hosts
  # already records init.$vm_fqdn (the subshell returns 0 on a matching line),
  # otherwise generate a fresh 4096-bit one.
  # NOTE(review): the match wants a line ending in " RSA", which ssh-keygen -F
  # only prints if the known_hosts entry carries such a trailing comment —
  # confirm; otherwise the key is regenerated on every run and the recorded
  # entry goes stale.
  ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
  ( while IFS= read -r line
    do case $line in (*" RSA") return 0; break;; esac
    done; return 1 ) ||
  {
    sudo rm -f \
      /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
      /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
    sudo dropbearkey -t rsa -s 4096 -f \
      /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
  }
  # NOTE: does not deal with dropbear_dss_host_key; Debian generates and uses it anyway.
  # NOTE(review): mode 640 on a directory lacks the search bit; only root can
  # enter it (enough for update-initramfs, which runs as root).
  sudo install -d -m 640 -o root -g root \
    /etc/initramfs-tools/root \
    /etc/initramfs-tools/root/.ssh
  # root's authorized_keys in the initramfs = concatenation of
  # ~USER/etc/ssh/authorized_keys for every USER listed in group sudo.
  # Security: every member of group sudo can therefore log in to the initramfs.
  # NOTE(review): eval is used only to expand "~$user"; user names come from
  # /etc/group (administrator-controlled), but a name containing shell
  # metacharacters would be executed — `getent passwd "$user" | cut -d: -f6`
  # yields the home directory without eval.
  getent group sudo |
  while IFS=: read -r group x x users
  do while test -n "$users" && IFS=, read -r user users <<-EOF
$users
EOF
    do eval local home\; home="~$user"
      cat "$home"/etc/ssh/authorized_keys
    done
  done |
  sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys
  # Remove the client key pair Debian generated for root inside the initramfs.
  sudo rm -f \
    /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
    /etc/initramfs-tools/root/.ssh/id_rsa.pub \
    /etc/initramfs-tools/root/.ssh/id_rsa
  # NOTE: keys generated by Debian
  sudo update-initramfs -u
}
rule_gitolite_configure () {
  # Installs gitolite with "git" as the hosting account and /home/git as its
  # home, plus gitweb. Layout under /home/git: etc/ (gitolite and ssh config),
  # pub/ (repositories, group git-data), log/ (gitolite and git-daemon logs,
  # groups log-git and log-git-daemon). The gitolite admin key comes from
  # "$tool"/var/pub/ssh/git.key.
  # Requires $tool, $vm_domainname and the www-lhc-git account — presumably
  # created by the web rules for the lhc-git site; run them first (confirm).
  sudo debconf-set-selections <<-EOF
gitolite gitolite/gituser string git
gitolite gitolite/adminkey string
gitolite gitolite/gitdir string /home/git
EOF
  rule apt_get_install gitolite
  # git keeps a login shell (/bin/bash), unlike the other service accounts.
  rule adduser git \
    --disabled-password \
    --group \
    --home /home/git \
    --shell /bin/bash \
    --system
  sudo chfn --full-name git git
  rule adduser log-git \
    --disabled-login \
    --disabled-password \
    --group \
    --home /home/git/log \
    --shell /bin/false \
    --system
  rule adduser git-data \
    --disabled-login \
    --disabled-password \
    --group \
    --home /home/git/pub \
    --shell /bin/false \
    --system
  rule adduser git-daemon \
    --disabled-login \
    --disabled-password \
    --group \
    --home /home/git/pub \
    --shell /bin/false \
    --system
  rule adduser log-git-daemon \
    --disabled-login \
    --disabled-password \
    --group \
    --home /home/git/log/git-daemon \
    --shell /bin/false \
    --system
  # Supplementary groups: git and git-daemon join git-data (the repositories'
  # group), log-git joins log-git-daemon.
  sudo adduser git git-data
  sudo adduser git-daemon git-data
  sudo adduser log-git log-git-daemon
  sudo install -d -m 770 -o git -g git \
    /etc/gitolite \
    /home/git/etc \
    /home/git/etc/ssh
  sudo install -d -m 751 -o git -g git \
    /home/git
  # pub: setgid + sticky, so new repositories belong to group git-data.
  sudo install -d -m 3771 -o git-data -g git-data \
    /home/git/pub
  sudo install -d -m 1771 -o git -g git \
    /home/git/log
  sudo install -d -m 2770 -o git -g log-git \
    /home/git/log/gitolite \
    /home/git/log/gitolite/perf
  sudo install -d -m 770 -o log-git-daemon -g log-git-daemon \
    /home/git/log/git-daemon
  sudo install -d -m 550 -o www-lhc-git -g www-lhc-git \
    /etc/gitweb \
    /etc/gitweb/cgi
  # The configuration lives in /etc and is reached from /home/git through
  # symlinks (gitolite expects ~/.gitolite.rc and ~/.ssh).
  sudo ln -fns /etc/gitolite /home/git/etc/gitolite
  sudo ln -fns /etc/gitweb /home/git/etc/gitweb
  sudo ln -fns etc/gitolite/gitolite.rc /home/git/.gitolite.rc
  sudo ln -fns etc/ssh /home/git/.ssh
  # gitolite.rc (Perl): every "$" is escaped so the shell leaves it to Perl.
  # Admin dir under /home/git/etc/gitolite, repositories under pub (REPO_BASE),
  # umask 0007, no wildcard repositories, gitweb as the web interface.
  sudo install -m 770 -o git -g git /dev/stdin \
    /home/git/etc/gitolite/gitolite.rc <<-EOF
#\$ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary";
#\$BIG_INFO_CAP = 20;
#\$ENV{GL_SLAVES} = 'gitolite@server2 gitolite@server3';
# NOTE: Please use single quotes, not double quotes.
#\$GITWEB_URI_ESCAPE = 0;
\$GIT_PATH = "";
#\$GL_ADC_PATH = "";
\$GL_ADMINDIR = \$ENV{HOME} . "/etc/gitolite";
#\$GL_ALL_INCLUDES_SPECIAL = 0;
#\$GL_ALL_READ_ALL = 0;
\$GL_BIG_CONFIG = 0;
\$GL_CONF = "\$GL_ADMINDIR/conf/gitolite.conf";
\$GL_CONF_COMPILED = "\$GL_ADMINDIR/conf/gitolite.conf.pm";
#\$GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups"
\$GL_GITCONFIG_KEYS = "hooks\\..* repo\\..*";
#\$GL_HOSTNAME = "git.$vm_domainname";
# NOTE: read doc/mirroring.mkd COMPLETELY before setting this.
#\$GL_HTTP_ANON_USER = "mob";
\$GL_KEYDIR = "\$GL_ADMINDIR/keydir";
\$GL_LOGT = \$ENV{HOME} . "/log/gitolite/%y-%m-%d.log";
#\$GL_NICE_VALUE = 0;
\$GL_NO_CREATE_REPOS = 0;
\$GL_NO_DAEMON_NO_GITWEB = 0;
\$GL_NO_SETUP_AUTHKEYS = 0;
\$GL_PACKAGE_CONF = "/usr/share/gitolite/conf";
\$GL_PACKAGE_HOOKS = "/usr/share/gitolite/hooks";
#\$GL_PERFLOGT = \$ENV{HOME} . "/log/gitolite/perf/%y-%m-%d.log";
#\$GL_REF_OR_FILENAME_PATT = qr(^[0-9a-zA-Z][0-9a-zA-Z._\\@/+ :,-]*\$);
\$GL_SITE_INFO = "git.$vm_domainname";
#\$GL_SLAVE_MODE = 0;
\$GL_WILDREPOS = 0;
#\$GL_WILDREPOS_DEFPERMS = 'R @all';
\$GL_WILDREPOS_PERM_CATS = "READERS WRITERS";
\$HTPASSWD_FILE = "";
\$PROJECTS_LIST = \$ENV{HOME} . "/projects.list";
\$REPO_BASE = "pub";
\$REPO_UMASK = 0007;
\$RSYNC_BASE = "";
\$SVNSERVE = "";
#\$UPDATE_CHAINS_TO = "hooks/update.secondary";
\$WEB_INTERFACE = "gitweb";
1;
EOF
  # gitweb.conf (Perl), readable by git and by the www-lhc-git group (mode 740).
  # $git_temp sits under /run/shm — presumably why the tmpfs service is
  # restarted at the end (confirm).
  sudo install -m 740 -o git -g www-lhc-git /dev/stdin \
    /home/git/etc/gitweb/gitweb.conf <<-EOF
\$commit_oneline_message_width = 70;
\$default_projects_order = 'age';
\$default_text_plain_charset = 'UTF-8';
@diff_opts = ();
\$favicon = "img/git-favicon.png";
\$git_temp = "/run/shm/tmp/gitweb";
\$home_footer = "/etc/gitweb/cgi/home-footer.cgi.inc";
\$home_header = "/etc/gitweb/cgi/home-header.cgi.inc";
\$home_link = "/";
\$home_link_str = 'd&eacute;p&ocirc;ts';
\$home_th_age = 'activit&eacute;';
\$home_th_descr = 'description';
\$home_th_owner = 'contact';
\$home_th_project = 'd&eacute;p&ocirc;t';
\$javascript = "js/gitweb.js";
\$logo = "img/git-logo.png";
\$my_uri = "";
\$projectroot = "../git";
\$projects_list = "/etc/gitolite/projects.list";
\$projects_list_description_width = 42;
\$projects_list_owner_width = 15;
\$search_str = "Filtre&nbsp;:";
\$site_footer = "/etc/gitweb/cgi/site-footer.bin";
\$site_header = undef;
\$site_name = "git.$vm_domainname";
\$space_to_nbsp = 0;
@stylesheets = ("css/gitweb.css");#
\$untabify_tabstop = 2;
EOF
  # Admin key handed to gl-setup below.
  # NOTE(review): the source is named git.key but is installed as the *public*
  # key git.pub — confirm var/pub/ssh/git.key holds only the public key.
  sudo install -m 600 -o git -g git \
    "$tool"/var/pub/ssh/git.key \
    /home/git/etc/ssh/git.pub
  # Initialises gitolite as user git with the rc file above (GL_RC) and the
  # admin key, naming the admin "git".
  sudo -u git \
    GL_RC=/home/git/etc/gitolite/gitolite.rc \
    GIT_AUTHOR_NAME=git \
    gl-setup -q /home/git/etc/ssh/git.pub git
  # Unused directories created by gl-setup.
  # NOTE(review): rmdir runs without sudo; it only works if the invoking user
  # may write /home/git/etc/gitolite (git:git, mode 770) — confirm.
  local d
  for d in doc logs src
  do test ! -d /home/git/etc/gitolite/"$d" ||
    rmdir /home/git/etc/gitolite/"$d"
  done
  rule apt_get_install gitweb highlight
  sudo service tmpfs restart
}
rule_locales_configure () {
  # Generates only fr_FR.UTF-8 and leaves the system-wide default locale unset
  # ("None"): the two debconf answers are preseeded, then the package is
  # reconfigured non-interactively.
  printf '%s\n' \
    'locales locales/default_environment_locale select None' \
    'locales locales/locales_to_be_generated multiselect fr_FR.UTF-8 UTF-8' |
  sudo debconf-set-selections
  rule dpkg_reconfigure locales
}
rule_login_configure () {
  # Console and login policy of the VM: a sysvinit inittab with a getty on the
  # Xen console (hvc0) and runit's runsvdir supervised from inittab, login.defs
  # (umask 007, SHA512 password hashes, sbin in every PATH), pam_umask in the
  # common session, and hvc0/xvc0 allowed in /etc/securetty.
  sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF
# /etc/inittab: init(8) configuration.

# The default runlevel.
id:2:initdefault:

# Boot-time system configuration/initialization script.
# This is run first except when booting in emergency (-b) mode.
si::sysinit:/etc/init.d/rcS

# What to do in single-user mode.
~~:S:wait:/sbin/sulogin

# /etc/init.d executes the S and K scripts upon change
# of runlevel.
#
# Runlevel 0 is halt.
# Runlevel 1 is single-user.
# Runlevels 2-5 are multi-user.
# Runlevel 6 is reboot.

l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fallthrough in case of emergency.
z6:6:respawn:/sbin/sulogin

# What to do when CTRL-ALT-DEL is pressed.
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

# What to do when the power fails/returns.
pf::powerwait:/etc/init.d/powerfail start
pn::powerfailnow:/etc/init.d/powerfail now
po::powerokwait:/etc/init.d/powerfail stop

# Xen hypervisor console
hvc:2345:respawn:/sbin/getty 38400 hvc0
#xvc:2345:respawn:/sbin/getty 38400 xvc0

#-- runit begin
SV:123456:respawn:/usr/sbin/runsvdir-start
#-- runit end
EOF
  # login.defs: the French notes inside explain the choices — sbin/ in
  # ENV_PATH (leaving them out protects nothing and is frustrating) and UMASK
  # 007 (the owning group is trusted like the owner, which eases ACLs).
  # NOTE(review): PASS_MAX_DAYS 99999 disables password ageing altogether.
  sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF
MAIL_DIR /var/mail
FAILLOG_ENAB yes
LOG_UNKFAIL_ENAB no
LOG_OK_LOGINS no
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
FTMP_FILE /var/log/btmp
SU_NAME su
HUSHLOGIN_FILE .hushlogin
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# NOTE: met les sbin/ dans ENV_PATH ;
# - ça n'apporte aucune protection de ne pas les mettre ;
# - ça frustre de ne pas les trouver.
TTYGROUP tty
TTYPERM 0600
ERASECHAR 0177
KILLCHAR 025
UMASK 007
# NOTE: rwxrwx--- ;
# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
GID_MIN 1000
GID_MAX 60000
LOGIN_RETRIES 3
LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
DEFAULT_HOME yes
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
EOF
  # Append pam_umask once (the grep keeps this idempotent) so the UMASK above
  # also applies to PAM sessions. The "$(cat ...)" rewrite keeps the current
  # content and appends one line.
  grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
  sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF
$(cat /etc/pam.d/common-session)
session optional pam_umask.so
EOF
  # Security: listing hvc0/xvc0 in /etc/securetty lets root log in directly on
  # the Xen console; same idempotent append pattern as above.
  grep -q '^hvc0$' /etc/securetty ||
  sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
$(cat /etc/securetty)
hvc0
EOF
  grep -q '^xvc0$' /etc/securetty ||
  sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
$(cat /etc/securetty)
xvc0
EOF
}
rule_mail_configure () {
  # Configures the whole mail stack, one rule per component, in this order:
  # postfix, postgrey, procmail, dovecot.
  local component
  for component in postfix postgrey procmail dovecot
  do rule "$component"_configure
  done
}
rule_mysql_configure () {
  # Installs MySQL 5.5 with the repository's my.cnf and, the first time only
  # (no /home/mysql yet), initialises a data directory there owned by mysql.
  rule apt_get_install mysql-server-5.5
  sudo install -m 644 -o root -g root \
    "$tool"/etc/mysql/my.cnf \
    /etc/mysql/my.cnf
  local datadir=/home/mysql
  if ! test -d "$datadir"
  then
    sudo install -d -m 750 -o mysql -g mysql \
      "$datadir"
    sudo -u mysql mysql_install_db --no-defaults --datadir="$datadir"/
  fi
}
rule_network_configure () {
  # Sets the hostname ($vm), registers "$vm_fqdn $vm" on 127.0.0.1 in /etc/hosts
  # (once: the grep keeps it idempotent) and writes /etc/network/interfaces with
  # a single /32 address whose gateway is that very address (proxy_arp on the
  # gateway, per the author's note) and MTU 1300, imposed by the GRE/IPsec
  # tunnels between Grenode's routers (ping measurements kept in the file).
  # Requires $vm, $vm_fqdn and $vm_ipv4.
  sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
$vm
EOF
  grep -q " $vm\$" /etc/hosts ||
  sudo install -m 644 -o root -g root /dev/stdin /etc/hosts <<-EOF
$(cat /etc/hosts)
127.0.0.1 $vm_fqdn $vm
EOF
  # "\$" keeps $IFACE and $((...)) literal for ifupdown / the quoted shell
  # transcript in the comments.
  sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF
auto lo
iface lo inet loopback

auto eth0=grenode
iface grenode inet static
address $vm_ipv4
gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
network $vm_ipv4
broadcast $vm_ipv4
netmask 255.255.255.255
mtu 1300
# NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
# car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
#
# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
# PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
# 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
#
# --- soupirail.grenode.net ping statistics ---
# 1 packets transmitted, 1 received, 0% packet loss, time 0ms
# rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
# PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
# From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
#
# --- soupirail.grenode.net ping statistics ---
# 0 packets transmitted, 0 received, +1 errors
post-up ip address add $vm_ipv4/32 dev \$IFACE
pre-down ip address delete $vm_ipv4/32 dev \$IFACE
EOF
}
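rule_www_configure () {
  # Creates the www (owner of /home/www and its configuration) and log-www
  # accounts, moves the www-data account's home to /home/www/pub and lays out
  # the /home/www hierarchy: etc (www), pub (www-data) and log (log-www).
  rule adduser www \
    --disabled-login \
    --disabled-password \
    --group \
    --home /home/www \
    --shell /bin/false \
    --system
  rule adduser log-www \
    --disabled-login \
    --disabled-password \
    --group \
    --home /home/www/log \
    --shell /bin/false \
    --system
  #sudo adduser www www-data
  sudo adduser www log-www
  #sudo adduser log log-www
  # usermod needs root like every other account change here (it used to run
  # without sudo and failed for a non-root caller).
  sudo usermod --home /home/www/pub www-data
  sudo install -d -m 751 -o www -g www \
    /home/www
  sudo install -d -m 750 -o www -g www \
    /home/www/etc
  # pub and log: sticky, so a site account cannot delete another site's entries.
  sudo install -d -m 1771 -o www-data -g www-data \
    /home/www/pub
  sudo install -d -m 1771 -o log-www -g log-www \
    /home/www/log
}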
rule_nginx_configure () {
  # Installs nginx and regenerates its configuration from "$tool"/etc/nginx:
  # nginx.conf and conf.d/*.conf as is, then one server block per
  # "$tool"/etc/nginx/site.d/$site/site.conf with its own www-$site and
  # log-www-$site accounts, log directory and document root. Also installs
  # spawn-fcgi/fcgiwrap, hands nginx/fcgiwrap over from sysvinit (insserv
  # --remove) to — presumably — runit, and restarts php5-fpm and nginx.
  # Requires $tool and the rule helper from lib/rule.sh.
  local -; set +f   # globbing is off file-wide (set -f): enable it for the loops below
  rule apt_get_install nginx
  # conf.d and site.d are rebuilt from scratch on every run.
  sudo rm -rf \
    /etc/nginx/conf.d \
    /etc/nginx/site.d
  # NOTE(review): /etc/nginx is owned by www:www with mode 770, i.e. the web
  # account can alter the server configuration — confirm this is intended.
  sudo install -d -m 770 -o www -g www \
    /etc/nginx \
    /etc/nginx/conf.d \
    /etc/nginx/site.d \
    /etc/nginx/x509.d
  sudo ln -fns \
    /etc/nginx \
    /home/www/etc/nginx
  sudo install -m 660 -o www -g www \
    "$tool"/etc/nginx/nginx.conf \
    /etc/nginx/nginx.conf
  local conf
  # NOTE(review): with no match the patterns below stay literal ("*.conf",
  # "*/site.conf") and the loops run once on that literal name.
  for conf in "$tool"/etc/nginx/conf.d/*.conf
  do conf=${conf#"$tool"/etc/nginx/conf.d/}
    sudo install -m 660 -o www -g www \
      "$tool"/etc/nginx/conf.d/"$conf" \
      /etc/nginx/conf.d/"$conf"
  done
  for conf in "$tool"/etc/nginx/site.d/*/site.conf
  do conf=${conf#"$tool"/etc/nginx/site.d/}
    local site="${conf%/site.conf}"
    # NOTE(review): www-$site's home is /home/www-data/$site while its document
    # root below is /home/www/pub/$site — confirm which one is intended.
    rule adduser www-"$site" \
      --disabled-login \
      --disabled-password \
      --group \
      --home /home/www-data/"$site" \
      --shell /bin/false \
      --system
    # log-www-$site's home is the nginx log directory itself; presumably adduser
    # creates it, since nothing below creates the nginx/ subdirectory (confirm).
    rule adduser log-www-"$site" \
      --disabled-login \
      --disabled-password \
      --group \
      --home /home/www/log/"$site"/nginx \
      --shell /bin/false \
      --system
    sudo install -d -m 2770 -o log-www-"$site" -g log-www-"$site" \
      /home/www/log/"$site"
    sudo install -d -m 770 -o www -g www \
      /etc/nginx/site.d/"$site"
    sudo install -d -m 770 -o www -g www \
      /etc/nginx/x509.d/"$site"
    # A document root that is a symlink is left alone.
    test -L /home/www/pub/"$site" ||
    sudo install -d -m 2770 -o www-"$site" -g www-"$site" \
      /home/www/pub/"$site"
    # www-data (the account the workers run as, presumably) joins both site
    # groups to read the document root and write the logs.
    sudo adduser www-data www-"$site"
    sudo adduser www-data log-www-"$site"
    # The repository's local.conf/site.conf become includes of server.conf.
    sudo install -m 660 -o www -g www \
      "$tool"/etc/nginx/site.d/"$site"/local.conf \
      /etc/nginx/site.d/"$site"/local.inc
    sudo install -m 660 -o www -g www \
      "$tool"/etc/nginx/site.d/"$site"/site.conf \
      /etc/nginx/site.d/"$site"/site.inc
    sudo install -m 660 -o www -g www /dev/stdin \
      /etc/nginx/site.d/"$site"/server.conf <<-EOF
server {
access_log /home/www/log/$site/nginx/access.log main;
error_log /home/www/log/$site/nginx/error.log warn;
root /home/www/pub/$site;
include /etc/nginx/site.d/$site/local.inc;
include /etc/nginx/site.d/$site/site.inc;
}
EOF
    # Optional per-site hook, sourced into this shell: it runs with this
    # script's privileges and sees $site, $tool, ...
    test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
    . "$tool"/etc/nginx/site.d/"$site"/configure.sh
  done
  rule apt_get_install spawn-fcgi fcgiwrap
  sudo insserv --remove fcgiwrap
  sudo insserv --remove nginx
  rule tmpfs_configure
  sudo service php5-fpm restart
  # NOTE: restarts the pool processes so that they get the rights of their
  # supplementary groups.
  sudo service nginx restart
  #case $(sv status nginx) in
  # (run:*) sudo sv restart nginx
  # esac
}
rule_php5_fpm_configure () {
  # Installs php5-fpm (+ php-apc) and rebuilds /etc/php5/fpm from
  # "$tool"/etc/php5/fpm: php-fpm.conf, php.ini and one pool per
  # "$tool"/etc/php5/fpm/pool.d/*.conf, each with its own php5-$pool /
  # log-php5-$pool system users, log directory and a generated pool file
  # (the defaults below followed by the repo's pool file).
  # Reads: $tool. Uses: rule and assert from lib/rule.sh.
  # NOTE: conf.d and pool.d are wiped before being rebuilt.
  local -; set +f  # re-enable globbing (the script runs with set -f) for the pool loop
  rule apt_get_install \
    php5-fpm \
    php-apc
  # php5 owns the fpm configuration tree, log-php5 the log tree; both are
  # system accounts without login or password.
  rule adduser php5 \
    --disabled-login \
    --disabled-password \
    --group \
    --home /etc/php5/fpm \
    --shell /bin/false \
    --system
  rule adduser log-php5 \
    --disabled-login \
    --disabled-password \
    --group \
    --home /home/www/log/php5/fpm \
    --shell /bin/false \
    --system
  # /home/www/etc/php5 is a convenience link to the real configuration directory.
  sudo ln -fns \
    /etc/php5/fpm \
    /home/www/etc/php5
  sudo rm -rf \
    /etc/php5/fpm/conf.d \
    /etc/php5/fpm/pool.d
  sudo install -d -m 770 -o php5 -g php5 \
    /etc/php5/fpm/conf.d \
    /etc/php5/fpm/pool.d
  sudo install -m 770 -o php5 -g php5 \
    "$tool"/etc/php5/fpm/php-fpm.conf \
    /etc/php5/fpm/php-fpm.conf
  local conf
  # conf.d snippets are currently not installed (kept for reference).
  #for conf in "$tool"/etc/php5/fpm/conf.d/*.conf
  # do conf=${conf#"$tool"/etc/php5/fpm/conf.d/}
  # sudo install -m 660 -o php5 -g php5 \
  # "$tool"/etc/php5/fpm/conf.d/"$conf" \
  # /etc/php5/fpm/conf.d/"$conf"
  # done
  for conf in "$tool"/etc/php5/fpm/pool.d/*.conf
  do conf=${conf#"$tool"/etc/php5/fpm/pool.d/}
    # Pool name = file name up to the first '.', so "foo.bar.conf" names pool "foo".
    IFS=. read -r pool <<-EOF
${conf%.conf}
EOF
    assert 'test "${pool:+set}"'  # a file named ".conf" would yield an empty pool name
    # Per-pool worker account (home in pool.d, none created) and log account.
    rule adduser php5-"$pool" \
      --disabled-login \
      --disabled-password \
      --group \
      --no-create-home \
      --home /etc/php5/fpm/pool.d \
      --shell /bin/false \
      --system
    rule adduser log-php5-"$pool" \
      --disabled-login \
      --disabled-password \
      --group \
      --no-create-home \
      --home /home/www/log/php5/fpm/"$pool" \
      --shell /bin/false \
      --system
    # The shared log directories are re-installed on every iteration; harmless,
    # could be hoisted out of the loop.
    sudo install -d -m 770 -o log-php5 -g log-php5 \
      /home/www/log/php5 \
      /home/www/log/php5/fpm
    sudo install -d -m 770 -o log-php5-"$pool" -g log-php5-"$pool" \
      /home/www/log/php5/fpm/"$pool"
    # Pool defaults, then the repo's pool file appended last (whether a repeated
    # directive overrides an earlier one is up to php-fpm — verify before
    # relying on it). \$HOSTNAME is escaped so php-fpm, not this shell, expands it.
    # The unix socket is reachable by the www-data group only (listen.mode 0660).
    # NOTE(review): pm.status_path enables the status page on every pool; its
    # exposure depends on the nginx side, not visible here. rlimit_core =
    # unlimited permits full core dumps of workers, which may hold request
    # data — confirm both are intended.
    sudo install -m 660 -o php5 -g php5 /dev/stdin \
      /etc/php5/fpm/pool.d/"$pool".conf <<-EOF
[$pool]
access.log = /home/www/log/php5/fpm/$pool/access.log
catch_workers_output = yes
chdir = /
env[HOSTNAME] = \$HOSTNAME
env[TEMP] = /tmp
env[TMPDIR] = /tmp
env[TMP] = /tmp
group = php5-$pool
#listen = 127.0.0.1:9000
listen = /run/php5/fpm/$pool
#listen.allowed_clients = 127.0.0.1
listen.group = www-data
listen.mode = 0660
#listen.owner = www-data
listen.backlog = -1
pm = dynamic
pm.max_children = 5
pm.max_requests = 200
pm.max_spare_servers = 4
pm.min_spare_servers = 2
pm.start_servers = 3
pm.status_path = /status
request_slowlog_timeout = 5s
request_terminate_timeout = 120s
rlimit_core = unlimited
rlimit_files = 131072
slowlog = /home/www/log/php5/fpm/$pool/slow.log
user = php5-$pool
$(cat "$tool"/etc/php5/fpm/pool.d/"$conf")
EOF
    # php.ini is re-installed once per pool; the result is the same each time.
    sudo install -m 664 -o php5 -g php5 \
      "$tool"/etc/php5/fpm/php.ini \
      /etc/php5/fpm/php.ini
    # Restart the (presumably runit-supervised) per-pool service, but only if it is running.
    case $(sv status php5-"$pool") in
    (run:*) sudo sv restart php5-"$pool"
    esac
  done
  rule tmpfs_configure
  sudo service php5-fpm restart
}
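rule_postfix_configure () {
  # Installs and configures postfix for $vm_domainname: the x509 material of
  # the smtp (client) and smtpd (server) sides, the lookup tables from
  # "$tool"/etc/postfix (each compiled with postmap), the aliases, main.cf
  # (repo file prefixed with the host-specific settings below) and master.cf,
  # then restarts postfix. Reads: $tool, $vm_domainname, $vm_hostname.
  # Uses: rule and assert from lib/rule.sh.
  # The private key is not part of the repository: it must have been pushed to
  # the VM beforehand (assert presumably reports $hint when it is missing).
  local hint="run vm_remote postfix_key_send before"
  assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
  #warn "during the Debian installation, select no configuration for postfix"
  # Pre-seed debconf so the package does not write its own main.cf; it is written below.
  sudo debconf-set-selections <<-EOF
postfix postfix/main_mailer_type select No configuration
EOF
  rule apt_get_install postfix
  # Compiled tables (*.db) are regenerated by postmap; keep them out of etckeeper.
  sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
*.db
EOF
  sudo install -d -m 771 -o root -g root \
    /etc/postfix/ \
    /etc/postfix/$vm_domainname/ \
    /etc/postfix/$vm_domainname/smtp \
    /etc/postfix/$vm_domainname/smtp/x509 \
    /etc/postfix/$vm_domainname/smtp/x509/ca \
    /etc/postfix/$vm_domainname/smtpd \
    /etc/postfix/$vm_domainname/smtpd/x509 \
    /etc/postfix/$vm_domainname/smtpd/x509/ca
  # The smtpd CA is the self-signed certificate itself.
  sudo ln -fns \
    ../crt+crl.self-signed.pem \
    /etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
  # Public certificate material from the repo, root-only readable.
  sudo install -m 400 -o root -g root \
    "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \
    /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
  sudo install -m 400 -o root -g root \
    "$tool"/var/pub/x509/smtpd.$vm_domainname/crt.pem \
    /etc/postfix/$vm_domainname/smtpd/x509/crt.pem
  sudo install -m 400 -o root -g root \
    "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+ca.pem \
    /etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem
  # (crt+crl.self-signed.pem was installed a second time here, identically; dropped.)
  sudo install -m 660 -o root -g root \
    "$tool"/etc/postfix/$vm_domainname/header_checks \
    /etc/postfix/$vm_domainname/header_checks
  # Local aliases: the usual role addresses go to root, and root's mail goes to
  # every member of the sudo group. NOTE(review): with an empty sudo group the
  # "root:" line has no recipient — confirm newaliases accepts that.
  sudo install -m 664 -o root -g root /dev/stdin \
    /etc/postfix/aliases <<-EOF
# See man 5 aliases for format
abuse: root
admin: root
contact: root
mailer-daemon: root
postmaster: root
root: $(getent group sudo | cut -f 4 -d : | tr , ' ')
EOF
  sudo newaliases -oA/etc/postfix/aliases
  # main.cf = host-specific identity settings, then the repo's main.cf.
  # \$ keeps postfix's own $variable references literal.
  cat /dev/stdin "$tool"/etc/postfix/main.cf <<-EOF |
mydomain = $vm_domainname
myorigin = \$mydomain
myhostname = $vm_hostname.\$mydomain
mail_name = \$myhostname
mydestination = $vm_hostname \$myhostname \$myorigin
EOF
  sudo install -m 664 -o root -g root /dev/stdin \
    /etc/postfix/main.cf
  sudo install -m 664 -o root -g root \
    "$tool"/etc/postfix/master.cf \
    /etc/postfix/master.cf
  # Lookup tables: install the source, then compile the hash: table next to it.
  sudo install -m 660 -o root -g root \
    "$tool"/etc/postfix/$vm_domainname/smtp/x509/policy \
    /etc/postfix/$vm_domainname/smtp/x509/policy
  sudo postmap hash:/etc/postfix/$vm_domainname/smtp/x509/policy
  sudo install -m 660 -o root -g root \
    "$tool"/etc/postfix/$vm_domainname/smtp/header_checks \
    /etc/postfix/$vm_domainname/smtp/header_checks
  sudo install -m 660 -o root -g root \
    "$tool"/etc/postfix/$vm_domainname/smtpd/sender_access \
    /etc/postfix/$vm_domainname/smtpd/sender_access
  sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/sender_access
  sudo install -m 660 -o root -g root \
    "$tool"/etc/postfix/$vm_domainname/smtpd/client_blacklist \
    /etc/postfix/$vm_domainname/smtpd/client_blacklist
  sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/client_blacklist
  sudo install -m 660 -o root -g root \
    "$tool"/etc/postfix/$vm_domainname/smtpd/relay_clientcerts \
    /etc/postfix/$vm_domainname/smtpd/relay_clientcerts
  sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/relay_clientcerts
  sudo install -m 660 -o root -g root \
    "$tool"/etc/postfix/$vm_domainname/transport \
    /etc/postfix/$vm_domainname/transport
  sudo postmap hash:/etc/postfix/$vm_domainname/transport
  sudo install -m 660 -o root -g root \
    "$tool"/etc/postfix/$vm_domainname/virtual_alias \
    /etc/postfix/$vm_domainname/virtual_alias
  sudo postmap hash:/etc/postfix/$vm_domainname/virtual_alias
  sudo service postfix restart
}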
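rule_postgresql_configure () {
  # Installs PostgreSQL 9.1, makes sure the "main" cluster exists, installs the
  # repo's postgresql.conf and restarts the service. Reads: $tool.
  # Every system change goes through sudo, as elsewhere in this file.
  rule apt_get_install postgresql-9.1
  # The Debian package normally creates the cluster at install time; only
  # create it when the 9.1 data directory is missing. pg_createcluster has
  # to run as root (it creates and chowns the cluster directories), hence sudo.
  if [ ! -d /var/lib/postgresql/9.1/ ]; then
    sudo pg_createcluster -u postgres --start 9.1 main
  fi
  # The server reads postgresql.conf as the postgres user, so the file is
  # given to that user (Debian ships it postgres-owned); root:root 0660
  # would not be readable by the server.
  sudo install -m 660 -o postgres -g postgres \
    "$tool"/etc/postgresql/9.1/main/postgresql.conf \
    /etc/postgresql/9.1/main/postgresql.conf
  sudo service postgresql restart
}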
rule_openerp_configure () {
  # Adds the OpenERP nightly apt repository and installs the openerp package.
  # NOTE: the source below is plain http and no signing key is configured in
  # this rule, so apt has nothing to verify the packages against — check how
  # apt_get_install behaves on an unauthenticated source before relying on it.
  local list=/etc/apt/sources.list.d/openerp.list
  printf '%s\n' 'deb http://nightly.openerp.com/trunk/nightly/deb/ ./' |
  sudo install -m 660 -o root -g root /dev/stdin "$list"
  sudo apt-get update
  rule apt_get_install openerp
}
rule_postgrey_configure () {
  # Installs the postgrey package and restarts its service.
  local pkg=postgrey
  rule apt_get_install "$pkg"
  sudo service "$pkg" restart
}
rule_procmail_configure () {
  # Installs procmail and seeds /etc/skel with the per-user mail layout
  # (etc/mail, var/cache/mail, var/log/mail, var/mail) plus the repo's
  # delivery.procmailrc, so every new account gets them. Reads: $tool.
  rule apt_get_install procmail
  local dir
  for dir in etc/mail var/cache/mail var/log/mail var/mail
  do sudo install -d -m 770 -o root -g root /etc/skel/"$dir"
  done
  sudo install -m 660 -o root -g root \
    "$tool"/etc/skel/etc/mail/delivery.procmailrc \
    /etc/skel/etc/mail/delivery.procmailrc
}
rule_runit_configure () {
  # Installs runit, then (re)installs every service definition from
  # "$tool"/etc/sv/* into /etc/sv and links it into /etc/service.
  # Services are first unlinked (i.e. stopped) with their previous status
  # remembered; after the reinstall they are restarted if they were running,
  # started if they are new, and otherwise left alone.
  # $1 (optional): one service path or name; defaults to all of /etc/service/*
  # and "$tool"/etc/sv/*. Reads: $tool.
  # NOTE(review): rm -f, ln -fns and sv start/restart below are not run
  # through sudo, unlike the installs; that only works if this rule already
  # runs with the rights to write /etc/service and control runsv — confirm,
  # or prefix them with sudo as the rest of the file does.
  rule apt_get_install runit
  local -; set +f  # re-enable globbing (the script runs with set -f) for the default lists
  for sv in ${1-/etc/service/*}  # deliberately unquoted: word-split like the glob
  # NOTE: stops the services while remembering their initial status
  do sv=$(basename "$sv")
    # The status is stored in a variable named after the sha1 of the service
    # name, presumably because the name itself need not be a valid identifier.
    # (local var=$(cmd) hides the pipeline's exit status from set -e.)
    local sv_hash=$(printf %s "$sv" | sha1sum | cut -f 1 -d ' ')
    local sv_status  # NOTE: declared but unused here; read sets sv_status_<hash>, which stays global
    IFS= read -r sv_status_$sv_hash <<-EOF
$(sv status "$sv")
EOF
    rm -f /etc/service/"$sv"  # unlinking from /etc/service presumably makes runsvdir stop it
  done
  for sv in ${1-"$tool"/etc/sv/*}
  # NOTE: configures and (re)starts the services
  do sv=$(basename "$sv")
    local sv_hash=$(printf %s "$sv" | sha1sum | cut -f 1 -d ' ')
    sudo install -d -m 770 -o root -g root \
      /etc/sv/"$sv"
    sudo install -m 770 -o root -g root \
      "$tool"/etc/sv/"$sv"/run \
      /etc/sv/"$sv"/run
    # Optional log service, only when the repo defines one.
    if test -e "$tool"/etc/sv/"$sv"/log/run
    then
      sudo install -d -m 770 -o root -g root \
        /etc/sv/"$sv"/log
      sudo install -m 770 -o root -g root \
        "$tool"/etc/sv/"$sv"/log/run \
        /etc/sv/"$sv"/log/run
    fi
    # Optional per-service hook from the repo, executed when it is executable.
    test ! -x "$tool"/etc/sv/"$sv"/configure ||
    "$tool"/etc/sv/"$sv"/configure
    ln -fns ../sv/"$sv" /etc/service/"$sv"
    # Recover the status remembered above (the name is hex only, so the eval
    # is safe); empty when the service was not in /etc/service before.
    eval local sv_status=\"\${sv_status_$sv_hash-}\"
    case $sv_status in
    ("") sv start "$sv";;      # new service
    (run:*) sv restart "$sv";; # was running: restart with the new definition
    esac  # anything else (e.g. down) is left as it was
  done
}
rule_ssh_configure () {
  # Ensures the VM has an RSA host key, removes the DSA/ECDSA host keys Debian
  # generated, writes sshd_config and restarts sshd.
  # Reads: $tool, $vm_fqdn, $vm_ipv4 (the latter two presumably from etc/vm.sh).
  # Keep the existing host key when "$tool"/etc/openssh/known_hosts already
  # holds an RSA entry for $vm_fqdn (ssh-keygen -F reports a match with a line
  # ending in " RSA"); otherwise generate a 4096-bit RSA key without passphrase.
  # NOTE(review): the `break` after `return 0` is unreachable; and if
  # /etc/ssh/ssh_host_rsa_key already exists, ssh-keygen presumably asks
  # whether to overwrite it — confirm the non-interactive behaviour wanted here.
  ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
  ( while IFS= read -r line
    do case $line in (*" RSA") return 0; break;; esac
    done; return 1 ) ||
  sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
  sudo rm -f \
    /etc/ssh/ssh_host_dsa_key \
    /etc/ssh/ssh_host_dsa_key.pub \
    /etc/ssh/ssh_host_ecdsa_key \
    /etc/ssh/ssh_host_ecdsa_key.pub
  # NOTE: keys generated by Debian
  # Policy written below: protocol 2 with the RSA host key only, public-key
  # authentication only (password, challenge-response, Kerberos/GSSAPI and
  # host-based all off), authorized keys under ~/etc/ssh (the /etc/skel
  # layout), no X11 forwarding.
  # NOTE(review): PermitRootLogin yes is key-only here because password
  # authentication is disabled; `without-password` would say so explicitly
  # and keep it true if PasswordAuthentication is ever re-enabled.
  # KeyRegenerationInterval, ServerKeyBits, RSAAuthentication and
  # RhostsRSAAuthentication are protocol-1 settings, inert with Protocol 2.
  sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
Port 22
ListenAddress $vm_ipv4
#ListenAddress ::
Protocol 2
Compression yes
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/etc/ssh/authorized_keys
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
DebianBanner no
PrintLastLog yes
TCPKeepAlive yes
ClientAliveInterval 0
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
EOF
  sudo service ssh restart
}
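rule_sysctl_configure () {
  # Installs every "$tool"/etc/sysctl.d/*.conf into /etc/sysctl.d
  # (root:root 0660, read by the root-run sysctl) and reloads all sysctl
  # settings. Reads: $tool.
  local conf  # scoped to the function like in the other *_configure rules; it used to leak as a global
  local -; set +f  # re-enable globbing (the script runs with set -f) for the loop below
  for conf in "$tool"/etc/sysctl.d/*.conf
  do conf=${conf#"$tool"/etc/sysctl.d/}  # keep only the file name
    sudo install -m 660 -o root -g root \
      "$tool"/etc/sysctl.d/"$conf" \
      /etc/sysctl.d/"$conf"
  done
  sudo sysctl --system
}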
rule_tmpfs_configure () {
  # Writes the /etc/default/tmpfs settings below, installs the repo's tmpfs
  # init script, enables it with update-rc.d and restarts it. Reads: $tool.
  local defaults=/etc/default/tmpfs
  local initd=/etc/init.d/tmpfs
  # Quoted delimiter: the file is written literally, nothing in it is expanded.
  sudo install -m 644 -o root -g root /dev/stdin "$defaults" <<-'EOF'
LOCK_SIZE=5242880 # NOTE: 5MiB
RAMLOCK=yes
RAMSHM=yes
RAMTMP=yes
RUN_SIZE=10%
SHM_SIZE=
TMP_MODE=1777,nr_inodes=1000k,noatime
TMP_OVERFLOW_LIMIT=1024
# NOTE: mount tmpfs on /tmp if there is less than the limit size (in kiB)
# on the root filesystem (overriding RAMTMP).
TMP_SIZE=200m
TMPFS_SIZE=20%VM
EOF
  sudo install -m 775 -o root -g root "$tool"/etc/init.d/tmpfs "$initd"
  sudo update-rc.d tmpfs defaults
  sudo service tmpfs restart
}
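rule_time_configure () { # SYNTAX: [$timezone]
  # Sets the system timezone and installs ntp.
  # $1: optional tzdata Area/Zone string (default Europe/Paris, the value
  #     previously hard-coded); it is written to /etc/timezone and to the
  #     tzdata debconf answers so both agree before dpkg-reconfigure tzdata.
  local tz=${1-Europe/Paris}
  local area=${tz%%/*}
  local zone=${tz#*/}
  sudo install -m 644 -o root -g root /dev/stdin /etc/timezone <<-EOF
$tz
EOF
  sudo debconf-set-selections <<-EOF
tzdata tzdata/Areas select $area
tzdata tzdata/Zones/$area select $zone
EOF
  rule dpkg_reconfigure tzdata
  rule apt_get_install ntp
}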
rule_user_add () { # SYNTAX: $user
  # Creates a regular (non-admin) account: password disabled, member of
  # "users", its SSH key taken from "$tool"/var/pub/ssh/$user.key, and the
  # repo's OpenPGP keys imported into its keyring. Reads: $tool.
  # NOTE: the password has to be initialised by the user with passwd-init.
  rule user_configure
  local user home key
  user=$1
  rule adduser "$user" --disabled-password
  eval "home=~$user"  # tilde-expand the new account's home directory
  sudo adduser "$user" users
  # NOTE(review): installed root:root 0640 — sshd opens AuthorizedKeysFile
  # with the user's own uid, so confirm key logins work with this ownership.
  sudo install -m 640 -o root -g root \
    "$tool"/var/pub/ssh/"$user".key \
    "$home"/etc/ssh/authorized_keys
  local -; set +f  # re-enable globbing (the script runs with set -f)
  for key in "$tool"/var/pub/openpgp/*.key
  do sudo -u "$user" gpg --import - <"$key"
  done
}
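rule_user_configure () {
  # Site-wide account policy: adduser defaults, the /etc/skel layout
  # (etc/ssh, etc/gpg, var/...), the sudoers.d snippets users rely on, the
  # passwd-init helper and the shared bash/screen rc files. Reads: $tool.
  sudo install -m 660 -o root -g root /dev/stdin \
    /etc/adduser.conf <<-EOF
ADD_EXTRA_GROUPS=1
DHOME=/home
DIR_MODE=0750
DSHELL=/bin/bash
EXTRA_GROUPS="users"
FIRST_GID=1000
FIRST_SYSTEM_GID=100
FIRST_SYSTEM_UID=100
FIRST_UID=1000
GROUPHOMES=no
LAST_GID=29999
LAST_SYSTEM_GID=999
LAST_SYSTEM_UID=999
LAST_UID=29999
LETTERHOMES=no
NAME_REGEX="^[a-z][-a-z0-9_]*\$"
QUOTAUSER="" # TODO: init
SETGID_HOME=no
SKEL=/etc/skel
SKEL_IGNORE_REGEX="dpkg-(old|new|dist|save)"
USERGROUPS=yes
USERS_GID=100
EOF
  sudo install -d -m 750 -o root -g root \
    /etc/skel \
    /etc/skel/etc \
    /etc/skel/etc/gpg \
    /etc/skel/etc/ssh
  sudo install -d -m 770 -o root -g root \
    /etc/skel/var \
    /etc/skel/var/cache \
    /etc/skel/var/log \
    /etc/skel/var/run \
    /etc/skel/var/run/ssh
  # ~/.ssh and ~/.gnupg live under ~/etc (sshd_config points AuthorizedKeysFile there).
  sudo ln -fns etc/ssh /etc/skel/.ssh
  sudo ln -fns etc/gpg /etc/skel/.gnupg
  # sudoers.d snippets are installed 0440, the mode sudo documents for sudoers files.
  # passwd-init: members of sudo may run /usr/local/bin/passwd-init as root
  # without a password and nothing else ("" = no arguments allowed). The
  # privileged logic lives in that script rather than in a `sh -c` string
  # here, because a `*` inside sudoers command arguments is a wildcard that
  # matches any number of arguments, so the previous `case ... ("$SUDO_USER L "*)`
  # form did not actually pin the command that could be run.
  sudo install -m 440 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
%sudo ALL=(ALL) NOPASSWD: /usr/local/bin/passwd-init ""
EOF
  sudo install -m 440 -o root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF
%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
EOF
  sudo install -m 440 -o root -g root /dev/stdin /etc/sudoers.d/env_keep <<-EOF
Defaults env_keep = " \\
EDITOR \\
GIT_AUTHOR_NAME \\
GIT_AUTHOR_EMAIL \\
GIT_COMMITTER_NAME \\
GIT_COMMITTER_EMAIL \\
"
EOF
  # passwd-init lets a user set their own, still locked, system password.
  # It re-executes itself through sudo when not already root; as root it only
  # acts on the invoking user ($SUDO_USER, set by sudo itself) and only while
  # that account's password is locked ("L" in `passwd --status`).
  sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF
#!/bin/sh -efu
# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
case \$(id -u) in
(0) ;;
(*) exec sudo /usr/local/bin/passwd-init;;
esac
: "\${SUDO_USER:?}"
case \$(/usr/bin/passwd --status "\$SUDO_USER") in
("\$SUDO_USER L "*) /usr/bin/passwd "\$SUDO_USER";;
esac
EOF
  sudo install -m 644 -o root -g root \
    "$tool"/etc/bash.bashrc \
    /etc/bash.bashrc
  sudo install -m 644 -o root -g root \
    "$tool"/etc/screenrc \
    /etc/screenrc
}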
rule_user_admin_add () { # SYNTAX: $user
  # Creates an administrator account: password disabled, member of "sudo",
  # its SSH key taken from "$tool"/var/pub/ssh/$user.key, the repo's OpenPGP
  # keys imported into its keyring; then runs user_admin_configure. Reads: $tool.
  rule user_configure
  local user home key
  user=$1
  rule adduser "$user" --disabled-password
  eval "home=~$user"  # tilde-expand the new account's home directory
  sudo adduser "$user" sudo
  # NOTE(review): installed root:root 0640 — sshd opens AuthorizedKeysFile
  # with the user's own uid, so confirm key logins work with this ownership.
  sudo install -m 640 -o root -g root \
    "$tool"/var/pub/ssh/"$user".key \
    "$home"/etc/ssh/authorized_keys
  local -; set +f  # re-enable globbing (the script runs with set -f)
  for key in "$tool"/var/pub/openpgp/*.key
  do sudo -u "$user" gpg --import - <"$key"
  done
  rule user_admin_configure
}
rule_user_admin_configure () {
  # Configuration an admin account depends on: the initramfs and root's own account.
  local r
  for r in initramfs_configure user_root_configure
  do rule "$r"
  done
}
rule_user_root_configure () {
  # Gives root the same ~/etc/{gpg,ssh} layout as other accounts, builds
  # /root/etc/ssh/authorized_keys from the authorized_keys of every member of
  # the sudo group, and imports the repo's OpenPGP keys into root's keyring.
  # Reads: $tool.
  sudo install -d -m 750 -o root -g root \
    /root/etc \
    /root/etc/gpg \
    /root/etc/ssh
  sudo ln -fns etc/gpg /root/.gnupg
  sudo ln -fns etc/ssh /root/.ssh
  # Every sudo member's SSH keys become root's: with the sshd_config written
  # by rule_ssh_configure (PermitRootLogin yes) they can log in as root directly.
  # NOTE(review): the cat below runs unprivileged while rule_user_add installs
  # those files root:root 0640; if this rule is not itself run as root the
  # cats fail, and since the pipeline's status is that of the final sudo
  # install (the script sets -e but not pipefail), root's authorized_keys
  # would be silently replaced by an empty file — confirm, or cat through sudo.
  getent group sudo |
  while IFS=: read -r group x x users  # x: unused fields
  do while test -n "$users" && IFS=, read -r user users <<-EOF
$users
EOF
    # Pops one user per iteration from the comma-separated member list;
    # the eval only tilde-expands the home of a name taken from /etc/group.
    do eval local home\; home="~$user"
      cat "$home"/etc/ssh/authorized_keys
    done
  done |
  sudo install -m 640 -o root -g root /dev/stdin /root/etc/ssh/authorized_keys
  local key; local -; set +f  # re-enable globbing (the script runs with set -f)
  for key in "$tool"/var/pub/openpgp/*.key
  do sudo gpg --import "$key"
  done
}
rule_configure () {
  # Full configuration of the hosted VM: runs the *_configure rules below,
  # in this order (apache2_configure is currently disabled).
  local r
  for r in \
    apt_configure \
    git_configure \
    etckeeper_configure \
    locales_configure \
    time_configure \
    network_configure \
    filesystem_configure \
    login_configure \
    ssh_configure \
    user_root_configure \
    boot_configure \
    sysctl_configure \
    user_configure \
    mail_configure \
    www_configure \
    php5_fpm_configure \
    nginx_configure \
    gitolite_configure \
    runit_configure
  do rule "$r"
  done
  #rule apache2_configure
}
1436
rule_luks_key_change () {
  # Changes a passphrase of the LUKS container holding the root LV
  # ($vm_lvm_vg/${vm_lvm_lv}_root, presumably defined in etc/vm.sh);
  # cryptsetup prompts for the passphrases itself.
  local dev="/dev/$vm_lvm_vg/${vm_lvm_lv}_root"
  sudo cryptsetup luksChangeKey "$dev"
}
1440
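# Entry point: the first argument names the rule (default: help), the rest are
# passed to it. Any rule other than help must run on the VM itself: assert
# (from lib/rule.sh) checks the FQDN against $vm_fqdn first.
rule=${1:-help}
[ $# -eq 0 ] || shift
case $rule in
(help);;
(*)
  assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
  ;;
esac
rule "$rule" "$@"  # quoted: the rule name is a single word, never word-split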