dépôts / lhc / ateliers.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Correction : vm_hosted : rule_runit_configure .
[lhc/ateliers.git] / vm_hosted
1 #!/bin/sh
2 set -e -f ${DRY_RUN:+-n} -u
3 tool=$0
4 while test -L "$tool"
5 do tool=$(readlink "$tool")
6 done
7 tool=${tool%/*}
8 . "$tool"/lib/rule.sh
9 . "$tool"/etc/vm.sh
10 export TRACE=1
11
12 rule_help () { # SYNTAX: [--hidden]
13 local hidden; [ ${1:+set} ] || hidden=set
14 cat >&2 <<-EOF
15 DESCRIPTION:
16 ce script regroupe des règles pour administrer la VM ($vm_fqdn)
17 _depuis_ la VM hébergée ($vm_fqdn) ;
18 il sert à la fois d'outil (aisément bidouillable)
19 et de documentation (préçise).
20 Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
21 SYNTAX: $0 \$RULE \${RULE}_SYNTAX
22 RULES:
23 $(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
24 ENVIRONMENT:
25 TRACE # affiche les commandes avant leur exécution
26 $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
27 EOF
28 }
29
30 rule_git_configure () {
31 (
32 cd "$tool"
33 git config --replace branch.master.remote .
34 git config --replace branch.master.merge refs/remotes/master
35 local tool
36 tool=$(cd "$tool"; cd -)
37 sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/
38 sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/vm
39 sudo install -m 770 /dev/stdin .git/hooks/post-update <<-EOF
40 #!/bin/sh -efux
41 case \$1 in
42 (refs/remotes/master)
43 cd ..
44 git --git-dir=\$PWD/.git checkout -f -B master remotes/master
45 git --git-dir=\$PWD/.git clean -f -d -x
46 ;;
47 esac
48 EOF
49 )
50 }
51 rule_git_reset () {
52 (
53 cd "$tool"
54 git checkout -f -B master remotes/master
55 git clean -f -d -x
56 )
57 }
58
59 rule_apt_get_install () { # SYNTAX: $package
60 sudo DEBIAN_FRONTEND=noninteractive apt-get install "$@"
61 }
62 rule_dpkg_reconfigure () { # SYNTAX: $package
63 sudo DEBIAN_FRONTEND=noninteractive dpkg-reconfigure "$@"
64 }
65
66 rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
67 export LANG=C
68 export LC_CTYPE=C
69 . /etc/profile
70 }
71
72 rule_apache2_configure () {
73 local -; set +f
74 rule apt_get_install \
75 apache2-mpm-itk \
76 libapache2-mod-php5
77 # VOIR: http://serverfault.com/questions/383526/how-do-i-select-which-apache-mpm-to-use/383634#383634
78 # VOIR: http://jkroon.blogs.uls.co.za/it/security/using-php-fpm-and-mod_proxy_fcgi-to-optimize-and-secure-lamp-servers
79 # NOTE: apache2-mpm-itk semble le plus sécurisé,
80 # car on est certain que tout est exécuté avec les uid/gid
81 # assignés au VirtualHost/Directory/Location
82 # néamoins il se peut qu'une combinaison du genre :
83 # apache2-mpm-{worker,event} + mod_proxy_fcgi + apache2-suexec-custom + php-fpm
84 # soit plus performante (threads et pas forks),
85 # cependant l'usage de suexec impose des forks il semble..
86 # et mod_proxy_fcgi n'apparaît que dans apache 2.4 ;
87 # donc pour l'instant : apache2-mpm-itk
88 rule www_configure
89 cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF |
90 ServerName "$vm_fqdn"
91 EOF
92 sudo install -m 660 -o root -g root /dev/stdin \
93 /etc/apache2/apache2.conf
94 sudo install -m 660 -o root -g root \
95 "$tool"/etc/apache2/envvars \
96 /etc/apache2/envvars
97 sudo install -m 660 -o root -g root \
98 "$tool"/etc/apache2/httpd.conf \
99 /etc/apache2/httpd.conf
100 #sudo install -m 660 -o root -g root /dev/stdin \
101 # /etc/apache2/suexec/www-data <<-EOF
102 # /home
103 # pub/www/cgi
104 # EOF
105 sudo install -m 660 -o root -g root \
106 "$tool"/etc/apache2/ports.conf \
107 /etc/apache2/ports.conf
108 sudo a2enmod actions
109 sudo a2enmod headers
110 sudo a2enmod rewrite
111 sudo a2enmod ssl
112 sudo a2enmod userdir
113 local conf
114 sudo a2dissite "*"
115 sudo ln -fns \
116 /etc/apache2 \
117 /home/www/etc/apache2
118 for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf
119 do conf=${conf#"$tool"/etc/apache2/site.d/}
120 local port site
121 IFS=. read -r port domain <<-EOF
122 ${conf%\/VirtualHost\.conf}
123 EOF
124 assert 'test "${port:+set}"'
125 assert 'test "${domain:+set}"'
126 local site="$port.$domain"
127 case $port in
128 (443)
129 local hint="run vm_remote apache2_key_send before"
130 assert "sudo test -f /etc/apache2/site.d/\"$site\"/x509/key.pem" hint
131 sudo install -d -m 770 -o www."$site" -g www."$site" \
132 /etc/apache2 \
133 /etc/apache2/site.d/"$site" \
134 /etc/apache2/site.d/"$site"/x509 \
135 /etc/apache2/site.d/"$site"/x509/ca \
136 /etc/apache2/site.d/"$site"/x509/empty \
137 /etc/apache2/site.d/"$site"/x509/rvk \
138 /etc/apache2/site.d/"$site"/x509/usr
139 sudo install -m 664 -o www -g www \
140 "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
141 /etc/apache2/site.d/"$site"/x509/crt.self-signed.pem
142 #sudo install -m 664 -o www."$site" -g www."$site" \
143 # "$tool"/var/pub/x509/"$site"/rvk.pem \
144 # /etc/apache2/site.d/"$site"/x509/rvk.pem
145 sudo install -m 664 -o www -g www \
146 "$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \
147 /etc/apache2/site.d/"$site"/x509/ca/crt.pem
148 sudo install -m 664 -o www -g www \
149 "$tool"/var/pub/x509/"$site"/crt.pem \
150 /etc/apache2/site.d/"$site"/x509/crt.pem
151 ;;
152 esac
153 case $port in
154 (80)
155 cat <<-EOF
156 <VirtualHost *:$port>
157 AssignUserID www.$site www.$site
158 CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined
159 #CustomLog "/dev/null" Combined
160 DocumentRoot /home/www/pub/$site
161 ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60"
162 #ErrorLog "/dev/null"
163 ServerName $domain
164 LogLevel Warn
165 $(cat "$tool"/etc/apache2/site.d/"$site"/VirtualHost.conf)
166 </VirtualHost>
167 EOF
168 ;;
169 (443)
170 cat <<-EOF
171 <IfModule mod_ssl.c>
172 <VirtualHost *:$port>
173 AssignUserID www.$site www.$site
174 BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0
175 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
176 CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined
177 #CustomLog "/dev/null" Combined
178 DocumentRoot /home/www/pub/$site
179 ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60"
180 #ErrorLog "/dev/null"
181 LogLevel Warn
182 ServerName $domain
183 SSLCACertificateFile /etc/apache2/site.d/$site/x509/crt.self-signed.pem
184 SSLCACertificatePath /etc/apache2/site.d/$site/x509/usr/
185 #SSLCARevocationFile /etc/apache2/site.d/$site/x509/rvk.pem
186 SSLCADNRequestFile /etc/apache2/site.d/$site/x509/crt.self-signed.pem
187 SSLCADNRequestPath /etc/apache2/site.d/$site/x509/empty/
188 # NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés
189 SSLCARevocationPath /etc/apache2/site.d/$site/x509/rvk/
190 SSLCertificateChainFile /etc/apache2/site.d/$site/x509/ca/crt.pem
191 SSLCertificateFile /etc/apache2/site.d/$site/x509/crt.pem
192 SSLCertificateKeyFile /etc/apache2/site.d/$site/x509/key.pem
193 SSLCipherSuite AES+RSA+SHA256
194 SSLEngine On
195 SSLInsecureRenegotiation Off
196 SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars
197 SSLProtocol -All +TLSv1
198 #SSLRenegBufferSize 262144
199 SSLSessionCacheTimeout 1200
200 SSLStrictSNIVHostCheck On
201 SSLUserName SSL_CLIENT_S_DN_CN
202 SSLVerifyClient None
203 SSLVerifyDepth 1
204 $(cat "$tool"/etc/apache2/site.d/"$site"/VirtualHost.conf)
205 </VirtualHost>
206 </IfModule>
207 EOF
208 ;;
209 esac |
210 sudo install -m 660 -o root -g root /dev/stdin \
211 /etc/apache2/site.d/"$site"/VirtualHost.conf
212 sudo ln -fns \
213 ../site.d/"$site"/VirtualHost.conf \
214 /etc/apache2/sites-available/"$site"
215 sudo install -d -m 770 -o www."$site" -g www."$site" \
216 /home/www/log/"$site" \
217 /home/www/log/"$site"/apache2
218 sudo ln -fns \
219 /etc/apache2/site.d/"$site" \
220 /home/www/etc/apache2/"$site"
221 test -e /home/www/pub/"$site" ||
222 sudo install -d -m 2770 -o www."$site" -g www."$site" \
223 /home/www/pub/"$site"
224 getent passwd www."$site" >/dev/null ||
225 sudo adduser \
226 --disabled-password \
227 --group \
228 --no-create-home \
229 --home /home/www/pub/"$site" \
230 --shell /bin/false \
231 --system \
232 www."$site"
233 #sudo setfacl -m u:"www.$site":--x \
234 # /home/www/ \
235 # /home/www/pub/ \
236 # /home/www/pub/"$site"/
237 #sudo setfacl -m d:u:"www.$site":rwx \
238 # "$home"/pub/www/"$site"/
239 test ! -r "$tool"/etc/apache2/site.d/"$site"/configure.sh ||
240 . "$tool"/etc/apache2/site.d/"$site"/configure.sh
241 test -e /etc/apache2/sites-enabled/"$site" ||
242 sudo a2ensite "$site"
243 done
244 sudo service apache2 restart
245 }
246 rule_apt_configure () {
247 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
248 deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
249 EOF
250 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF
251 #deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
252 EOF
253 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
254 Package: *
255 Pin: release a=$vm_lsb_name
256 Pin-Priority: 170
257
258 Package: *
259 Pin: release a=$vm_lsb_name-backports
260 Pin-Priority: 200
261 EOF
262 sudo apt-get update
263 rule apt_get_install apticron
264 sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF
265 EMAIL="admin@$vm_domainname"
266 # DIFF_ONLY="1"
267 # LISTCHANGES_PROFILE="apticron"
268 # ALL_FQDNS="1"
269 # SYSTEM="foobar.example.com"
270 # IPADDRESSNUM="1"
271 # IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
272 # NOTIFY_HOLDS="0"
273 # NOTIFY_NEW="0"
274 # NOTIFY_NO_UPDATES="0"
275 # CUSTOM_SUBJECT=""
276 # CUSTOM_NO_UPDATES_SUBJECT=""
277 # CUSTOM_FROM="root@$vm_fqdn"
278 EOF
279 }
280 rule_boot_configure () {
281 #warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
282 sudo debconf-set-selections <<-EOF
283 grub-pc grub-pc/install_devices multiselect
284 EOF
285 rule apt_get_install grub-pc
286 sudo install -d -m 644 -o root -g root /boot/grub
287 rule apt_get_install linux-image-$vm_arch
288 sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF
289 GRUB_DEFAULT=0
290 GRUB_TIMEOUT=5
291 GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
292 GRUB_CMDLINE_LINUX_DEFAULT="quiet"
293 GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
294 GRUB_DISABLE_RECOVERY="true"
295 #GRUB_PRELOAD_MODULES="lvm"
296 EOF
297 sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF
298 (hd0) /dev/xvda
299 (hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
300 EOF
301 sudo update-grub2 # NOTE: prend en compte /boot/grub/device.map
302 rule initramfs_configure
303 rule apt_get_install molly-guard
304 sudo install -m 644 -o root -g root /dev/stdin /etc/molly-guard/rc <<-EOF
305 ALWAYS_QUERY_HOSTNAME=true
306 # NOTE: une alternative est de dire à sudo de conserver les SSH_*
307 # néamoins demander tout le temps n'est pas trop contraignant
308 # et davantage sécurisant.
309 EOF
310 }
311 rule_dovecot_configure () {
312 rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
313 local hint="run vm_remote dovecot_key_send before"
314 assert "sudo test -f /etc/dovecot/\"$vm_domainname\"/imap/x509/key.pem" hint
315 sudo install -m 400 -o root -g root \
316 "$tool"/var/pub/x509/$vm_domainname/imap/crt+crl.self-signed.pem \
317 /etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
318 sudo install -d -m 770 -o root -g root \
319 /etc/skel/etc/mail \
320 /etc/skel/etc/sieve
321 sudo install -d -m 1777 -o root -g root \
322 /var/lib/dovecot-control \
323 /var/lib/dovecot-index
324 sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
325 auth_ssl_username_from_cert = yes
326 listen = *
327 log_timestamp = "%Y-%m-%d %H:%M:%S "
328 mail_debug = yes
329 mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
330 # NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
331 # VOIR: http://wiki2.dovecot.org/Quota/FS
332 mail_plugins = \$mail_plugins quota
333 mail_privileged_group = mail
334 passdb {
335 args = /home/%u/etc/dovecot/passwd
336 driver = passwd-file
337 }
338 plugin {
339 quota = fs:user
340 recipient_delimiter = +
341 sieve = ~/etc/mail/filter.sieve
342 sieve_dir = ~/etc/mail/sieve
343 sieve_global_dir = /var/lib/dovecot/sieve/global/
344 sieve_max_script_size = 1M
345 sieve_quota_max_scripts = 0
346 sieve_quota_max_storage = 10M
347 sieve_user_log = ~/var/log/mail/sieve.log
348 }
349 protocol imap {
350 mail_plugins = \$mail_plugins imap_quota
351 }
352 protocol lda {
353 auth_socket_path = /var/run/dovecot/auth-master
354 hostname = $vm_domainname
355 info_log_path =
356 log_path =
357 mail_plugins = \$mail_plugins sieve
358 postmaster_address = contact+dovecot+lda@$vm_domainname
359 syslog_facility = mail
360 }
361 protocols = imap sieve
362 service auth {
363 user = root
364 unix_listener /var/spool/postfix/private/auth {
365 mode = 0660
366 user = postfix
367 group = postfix
368 }
369 }
370 ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
371 ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
372 ssl_cipher_list = AES256-SHA
373 ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
374 ssl_verify_client_cert = yes
375 userdb {
376 driver = passwd
377 }
378 verbose_ssl = no
379 EOF
380 sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
381 #!/bin/sh -efux
382 # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
383 install -d -m 770 ~/etc/dovecot
384 install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
385 \$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
386 _EOF
387 EOF
388 sudo install -m 664 -o root -g root /dev/stdin /etc/postgrey/whitelist_recipients.local <<-EOF
389 EOF
390 sudo service dovecot restart
391 }
392 rule_etckeeper_configure () {
393 sudo install -m 644 -o root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
394 VCS=git
395 GIT_COMMIT_OPTIONS=""
396 AVOID_DAILY_AUTOCOMMITS=1
397 #AVOID_SPECIAL_FILE_WARNING=1
398 AVOID_COMMIT_BEFORE_INSTALL=1
399 HIGHLEVEL_PACKAGE_MANAGER=apt
400 LOWLEVEL_PACKAGE_MANAGER=dpkg
401 EOF
402 sudo install -m 644 -o root -g root \
403 "$tool"/etc/etckeeper/prompt.sh \
404 /etc/etckeeper/prompt.sh
405 rule apt_get_install etckeeper
406 }
407 rule_filesystem_configure () {
408 sudo install -m 644 -o root -g root /dev/stdin /etc/fstab <<-EOF
409 # <file system> <mount point> <type> <options> <dump> <pass>
410 LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
411 proc /proc proc defaults 0 0
412 sysfs /sys sysfs defaults 0 0
413 /dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
414 /dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
415 /dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
416 # NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
417 /dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
418 EOF
419 sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF
420 # <target name> <source device> <key file> <options>
421 ${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
422 ${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
423 ${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
424 ${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
425 EOF
426 rule tmpfs_configure
427 }
428 rule_initramfs_configure () {
429 sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
430 MODULES=most
431 BUSYBOX=y
432 KEYMAP=y
433 COMPRESS=gzip
434 DEVICE=eth0
435 EOF
436 sudo install -m 644 -o root -g root /dev/stdin /etc/modprobe.d/xen-pv.conf <<-EOF
437 alias eth0 xennet
438 alias scsi_hostadapter xenblk
439 EOF
440 sudo install -m 644 -o root -g root /dev/stdin /etc/modules <<-EOF
441 sha1_generic
442 sha256_generic
443 sha512_generic
444 aes-x86_64
445 xts
446 # NOTE: pour Xen en mode HVM :
447 #modprobe xen-platform-pci
448 EOF
449 sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF
450 EOF
451 sudo sed -e '/^configure_networking /s/ &$//' \
452 -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
453 # NOTE: corrige une vermine : dropbear doit attendre que le réseau soit configuré..
454 ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
455 ( while IFS= read -r line
456 do case $line in (*" RSA") return 0; break;; esac
457 done; return 1 ) ||
458 {
459 sudo rm -f \
460 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
461 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
462 sudo dropbearkey -t rsa -s 4096 -f \
463 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
464 }
465 # NOTE: ne se préoccupe pas de dropbear_dss_host_key ; Debian la génère et l'utilise néamoins.
466 sudo install -d -m 640 -o root -g root \
467 /etc/initramfs-tools/root \
468 /etc/initramfs-tools/root/.ssh
469 getent group sudo |
470 while IFS=: read -r group x x users
471 do while test -n "$users" && IFS=, read -r user users <<-EOF
472 $users
473 EOF
474 do eval local home\; home="~$user"
475 cat "$home"/etc/ssh/authorized_keys
476 done
477 done |
478 sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys
479 sudo rm -f \
480 /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
481 /etc/initramfs-tools/root/.ssh/id_rsa.pub \
482 /etc/initramfs-tools/root/.ssh/id_rsa
483 # NOTE: clefs générées par Debian
484 sudo update-initramfs -u
485 }
486 rule_gitolite_configure () {
487 local user=git
488 sudo debconf-set-selections <<-EOF
489 gitolite gitolite/gituser string $user
490 gitolite gitolite/adminkey string
491 gitolite gitolite/gitdir string /home/$user
492 EOF
493 rule apt_get_install gitolite
494 getent passwd "$user" >/dev/null ||
495 sudo adduser \
496 --disabled-password \
497 --group \
498 --shell /bin/bash \
499 --system \
500 "$user"
501 sudo chfn --full-name "$user" "$user"
502 eval local home\; home="~$user"
503 sudo install -d -m 770 -o "$user" -g "$user" \
504 /etc/gitolite \
505 "$home"/etc \
506 "$home"/etc/ssh \
507 "$home"/pub \
508 "$home"/log \
509 "$home"/log/gitolite \
510 "$home"/log/gitolite/perf
511 sudo ln -fns /etc/gitolite "$home"/etc/gitolite
512 sudo ln -fns etc/gitolite/gitolite.rc "$home"/.gitolite.rc
513 sudo ln -fns etc/ssh "$home"/.ssh
514 sudo install -m 770 -o "$user" -g "$user" /dev/stdin \
515 "$home"/etc/gitolite/gitolite.rc <<-EOF
516 #\$ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary";
517 #\$BIG_INFO_CAP = 20;
518 #\$ENV{GL_SLAVES} = 'gitolite@server2 gitolite@server3';
519 # NOTE: Please use single quotes, not double quotes.
520 #\$GITWEB_URI_ESCAPE = 0;
521 \$GIT_PATH = "";
522 #\$GL_ADC_PATH = "";
523 \$GL_ADMINDIR = \$ENV{HOME} . "/etc/gitolite";
524 #\$GL_ALL_INCLUDES_SPECIAL = 0;
525 #\$GL_ALL_READ_ALL = 0;
526 \$GL_BIG_CONFIG = 0;
527 \$GL_CONF = "\$GL_ADMINDIR/conf/gitolite.conf";
528 \$GL_CONF_COMPILED = "\$GL_ADMINDIR/conf/gitolite.conf.pm";
529 #\$GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups"
530 \$GL_GITCONFIG_KEYS = "hooks\\..* repo\\..*";
531 #\$GL_HOSTNAME = "git.$vm_domainname";
532 # NOTE: read doc/mirroring.mkd COMPLETELY before setting this.
533 #\$GL_HTTP_ANON_USER = "mob";
534 \$GL_KEYDIR = "\$GL_ADMINDIR/keydir";
535 \$GL_LOGT = \$ENV{HOME} . "/log/gitolite/%y-%m-%d.log";
536 #\$GL_NICE_VALUE = 0;
537 \$GL_NO_CREATE_REPOS = 0;
538 \$GL_NO_DAEMON_NO_GITWEB = 0;
539 \$GL_NO_SETUP_AUTHKEYS = 0;
540 \$GL_PACKAGE_CONF = "/usr/share/gitolite/conf";
541 \$GL_PACKAGE_HOOKS = "/usr/share/gitolite/hooks";
542 #\$GL_PERFLOGT = \$ENV{HOME} . "/log/gitolite/perf/%y-%m-%d.log";
543 #\$GL_REF_OR_FILENAME_PATT = qr(^[0-9a-zA-Z][0-9a-zA-Z._\\@/+ :,-]*\$);
544 \$GL_SITE_INFO = "git.$vm_domainname";
545 #\$GL_SLAVE_MODE = 0;
546 \$GL_WILDREPOS = 0;
547 #\$GL_WILDREPOS_DEFPERMS = 'R @all';
548 \$GL_WILDREPOS_PERM_CATS = "READERS WRITERS";
549 \$HTPASSWD_FILE = "";
550 \$PROJECTS_LIST = \$ENV{HOME} . "/projects.list";
551 \$REPO_BASE = "pub";
552 \$REPO_UMASK = 0007;
553 \$RSYNC_BASE = "";
554 \$SVNSERVE = "";
555 #\$UPDATE_CHAINS_TO = "hooks/update.secondary";
556 #\$WEB_INTERFACE = "gitweb";
557 1;
558 EOF
559 sudo install -m 770 -o "$user" -g "$user" /dev/stdin \
560 "$home"/etc/gitweb/gitweb.conf <<-EOF
561 \$commit_oneline_message_width = 70;
562 \$default_projects_order = 'age';
563 \$default_text_plain_charset = 'UTF-8';
564 @diff_opts = ();
565 \$favicon = "img/git-favicon.png";
566 \$git_temp = "/run/shm/gitweb";
567 \$home_footer = "/etc/gitweb/cgi/home-footer.cgi.inc";
568 \$home_header = "/etc/gitweb/cgi/home-header.cgi.inc";
569 \$home_link = "/";
570 \$home_link_str = 'd&eacute;p&ocirc;ts';
571 \$home_th_age = 'activit&eacute;';
572 \$home_th_descr = 'description';
573 \$home_th_owner = 'contact';
574 \$home_th_project = 'd&eacute;p&ocirc;t';
575 \$javascript = "js/gitweb.js";
576 \$logo = "img/git-logo.png";
577 \$my_uri = "";
578 \$projectroot = "../git";
579 \$projects_list = "/etc/gitolite/projects.list";
580 \$projects_list_description_width = 42;
581 \$projects_list_owner_width = 15;
582 \$search_str = "Filtre&nbsp;:";
583 \$site_footer = "/home/fai/pub/www/git.autogeree.net/cgi/site-footer.bin";
584 \$site_header = undef;
585 \$site_name = "git.$vm_domainname";
586 \$space_to_nbsp = 0;
587 @stylesheets = ("css/gitweb.css");#
588 \$untabify_tabstop = 2;
589 EOF
590 sudo install -m 600 -o "$user" -g "$user" \
591 "$tool"/var/pub/ssh/"$user".key \
592 "$home"/etc/ssh/"$user".pub
593 sudo -u "$user" \
594 GL_RC="$home"/etc/gitolite/gitolite.rc \
595 GIT_AUTHOR_NAME="$user" \
596 gl-setup -q "$home"/etc/ssh/"$user".pub "$user"
597 local d
598 for d in doc logs src
599 do test ! -d "$home"/etc/gitolite/"$d" ||
600 rmdir "$home"/etc/gitolite/"$d"
601 done
602 rule apt_get_install gitweb highlight
603 #sudo sv restart fcgi.git.80.git.heureux-cyclage.org
604 #sudo sv restart git-daemon.git.9418
605 }
606 rule_locales_configure () {
607 sudo debconf-set-selections <<-EOF
608 locales locales/default_environment_locale select None
609 locales locales/locales_to_be_generated multiselect fr_FR.UTF-8 UTF-8
610 EOF
611 rule dpkg_reconfigure locales
612 }
613 rule_login_configure () {
614 sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF
615 # /etc/inittab: init(8) configuration.
616
617 # The default runlevel.
618 id:2:initdefault:
619
620 # Boot-time system configuration/initialization script.
621 # This is run first except when booting in emergency (-b) mode.
622 si::sysinit:/etc/init.d/rcS
623
624 # What to do in single-user mode.
625 ~~:S:wait:/sbin/sulogin
626
627 # /etc/init.d executes the S and K scripts upon change
628 # of runlevel.
629 #
630 # Runlevel 0 is halt.
631 # Runlevel 1 is single-user.
632 # Runlevels 2-5 are multi-user.
633 # Runlevel 6 is reboot.
634
635 l0:0:wait:/etc/init.d/rc 0
636 l1:1:wait:/etc/init.d/rc 1
637 l2:2:wait:/etc/init.d/rc 2
638 l3:3:wait:/etc/init.d/rc 3
639 l4:4:wait:/etc/init.d/rc 4
640 l5:5:wait:/etc/init.d/rc 5
641 l6:6:wait:/etc/init.d/rc 6
642 # Normally not reached, but fallthrough in case of emergency.
643 z6:6:respawn:/sbin/sulogin
644
645 # What to do when CTRL-ALT-DEL is pressed.
646 ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
647
648 # What to do when the power fails/returns.
649 pf::powerwait:/etc/init.d/powerfail start
650 pn::powerfailnow:/etc/init.d/powerfail now
651 po::powerokwait:/etc/init.d/powerfail stop
652
653 # Xen hypervisor console
654 hvc:2345:respawn:/sbin/getty 38400 hvc0
655 #xvc:2345:respawn:/sbin/getty 38400 xvc0
656
657 #-- runit begin
658 SV:123456:respawn:/usr/sbin/runsvdir-start
659 #-- runit end
660 EOF
661 sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF
662 MAIL_DIR /var/mail
663 FAILLOG_ENAB yes
664 LOG_UNKFAIL_ENAB no
665 LOG_OK_LOGINS no
666 SYSLOG_SU_ENAB yes
667 SYSLOG_SG_ENAB yes
668 FTMP_FILE /var/log/btmp
669 SU_NAME su
670 HUSHLOGIN_FILE .hushlogin
671 ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
672 ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
673 # NOTE: met les sbin/ dans ENV_PATH ;
674 # - ça n'apporte aucune protection de ne pas les mettre ;
675 # - ça frustre de ne pas les trouver.
676 TTYGROUP tty
677 TTYPERM 0600
678 ERASECHAR 0177
679 KILLCHAR 025
680 UMASK 007
681 # NOTE: rwxrwx--- ;
682 # - donne une même confiance au groupe propriétaire qu'au propriétaire ;
683 # - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
684 PASS_MAX_DAYS 99999
685 PASS_MIN_DAYS 0
686 PASS_WARN_AGE 7
687 UID_MIN 1000
688 UID_MAX 60000
689 GID_MIN 1000
690 GID_MAX 60000
691 LOGIN_RETRIES 3
692 LOGIN_TIMEOUT 60
693 CHFN_RESTRICT rwh
694 DEFAULT_HOME yes
695 USERGROUPS_ENAB yes
696 ENCRYPT_METHOD SHA512
697 EOF
698 grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
699 sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF
700 $(cat /etc/pam.d/common-session)
701 session optional pam_umask.so
702 EOF
703 grep -q '^hvc0$' /etc/securetty ||
704 sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
705 $(cat /etc/securetty)
706 hvc0
707 EOF
708 grep -q '^xvc0$' /etc/securetty ||
709 sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
710 $(cat /etc/securetty)
711 xvc0
712 EOF
713 }
714 rule_mail_configure () {
715 rule postfix_configure
716 rule postgrey_configure
717 rule procmail_configure
718 rule dovecot_configure
719 }
720 rule_mysql_configure () {
721 rule apt_get_install mysql-server-5.5
722 sudo install -m 644 -o root -g root \
723 "$tool"/etc/mysql/my.cnf \
724 /etc/mysql/my.cnf
725 if test ! -d /home/mysql; then
726 sudo install -d -m 750 -o mysql -g mysql \
727 /home/mysql
728 sudo -u mysql mysql_install_db --no-defaults --datadir=/home/mysql/
729 fi
730 }
731 rule_network_configure () {
732 sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
733 $vm
734 EOF
735 grep -q " $vm\$" /etc/hosts ||
736 sudo install -m 644 -o root -g root /dev/stdin /etc/hosts <<-EOF
737 $(cat /etc/hosts)
738 127.0.0.1 $vm_fqdn $vm
739 EOF
740 sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF
741 auto lo
742 iface lo inet loopback
743
744 auto eth0=grenode
745 iface grenode inet static
746 address $vm_ipv4
747 gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
748 network $vm_ipv4
749 broadcast $vm_ipv4
750 netmask 255.255.255.255
751 mtu 1300
752 # NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
753 # car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
754 #
755 # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
756 # PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
757 # 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
758 #
759 # --- soupirail.grenode.net ping statistics ---
760 # 1 packets transmitted, 1 received, 0% packet loss, time 0ms
761 # rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
762 # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
763 # PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
764 # From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
765 #
766 # --- soupirail.grenode.net ping statistics ---
767 # 0 packets transmitted, 0 received, +1 errors
768 post-up ip address add $vm_ipv4/32 dev \$IFACE
769 pre-down ip address delete $vm_ipv4/32 dev \$IFACE
770 EOF
771 }
772 rule_www_configure () {
773 getent passwd www >/dev/null ||
774 sudo adduser \
775 --disabled-login \
776 --disabled-password \
777 --group \
778 --home /home/www \
779 --shell /bin/false \
780 --system \
781 www
782 sudo adduser \
783 --disabled-login \
784 --disabled-password \
785 --group \
786 --home ~www/log \
787 --shell /bin/false \
788 --system \
789 log.www
790 #sudo adduser www www-data
791 sudo adduser www log.www
792 #sudo adduser log log.www
793 usermod --home /home/www/pub www-data
794 sudo install -d -m 751 -o www -g www \
795 /home/www
796 sudo install -d -m 750 -o www -g www \
797 /home/www/etc
798 sudo install -d -m 1771 -o www-data -g www-data \
799 /home/www/pub
800 sudo install -d -m 1771 -o log.www -g log.www \
801 /home/www/log
802 }
803 rule_nginx_configure () {
804 local -; set +f
805 rule apt_get_install nginx
806 rule www_configure
807 sudo rm -rf \
808 /etc/nginx/conf.d \
809 /etc/nginx/site.d
810 sudo install -d -m 770 -o www -g www \
811 /etc/nginx \
812 /etc/nginx/conf.d \
813 /etc/nginx/site.d
814 sudo ln -fns \
815 /etc/nginx \
816 /home/www/etc/nginx
817 sudo install -m 660 -o www -g www \
818 "$tool"/etc/nginx/nginx.conf \
819 /etc/nginx/nginx.conf
820 local conf
821 for conf in "$tool"/etc/nginx/conf.d/*.conf
822 do conf=${conf#"$tool"/etc/nginx/conf.d/}
823 sudo install -m 660 -o www -g www \
824 "$tool"/etc/nginx/conf.d/"$conf" \
825 /etc/nginx/conf.d/"$conf"
826 done
827 for conf in "$tool"/etc/nginx/site.d/*/server.conf
828 do conf=${conf#"$tool"/etc/nginx/site.d/}
829 local port domain
830 IFS=. read -r port domain <<-EOF
831 ${conf%\/server\.conf}
832 EOF
833 assert 'test "${port:+set}"'
834 assert 'test "${domain:+set}"'
835 local site="$port.$domain"
836 getent passwd www."$site" >/dev/null ||
837 sudo adduser \
838 --disabled-login \
839 --disabled-password \
840 --group \
841 --home ~www-data/"$site" \
842 --shell /bin/false \
843 --system \
844 www."$site"
845 getent passwd log."$site" >/dev/null ||
846 sudo adduser \
847 --disabled-login \
848 --disabled-password \
849 --group \
850 --shell /bin/false \
851 --system \
852 log."$site"
853 sudo usermod --home ~www/log/"$site"/nginx log."$site"
854 sudo install -d -m 770 -o www -g www \
855 /etc/nginx/site.d/"$site"
856 case $port in
857 (443)
858 local hint="run vm_remote nginx_key_send before"
859 assert "sudo test -f /etc/nginx/\"$site\"/x509/key.pem" hint
860 sudo install -m 664 -o www -g www \
861 "$tool"/var/pub/x509/"$site"/crt+ca.pem \
862 /etc/nginx/site.d/"$site"/x509/crt.pem
863 ;;
864 esac
865 case $port in
866 (80)
867 cat <<-EOF
868 server {
869 listen $port;
870 access_log /home/www/log/$site/nginx/access.log main;
871 error_log /home/www/log/$site/nginx/error.log warn;
872 root /home/www/pub/$site;
873 server_name $domain;
874 $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
875 }
876 EOF
877 ;;
878 (443)
879 cat <<-EOF
880 server {
881 listen $port;
882 access_log /home/www/log/$site/nginx/access.log main;
883 error_log /home/www/log/$site/nginx/error.log warn;
884 keepalive_timeout 70;
885 root /home/www/pub/$site;
886 server_name $domain;
887 # DOC: http://wiki.nginx.org/HttpSslModule
888 ssl on;
889 ssl_certificate /home/www/etc/nginx/site.d/$site/x509/crt.pem;
890 ssl_certificate_key /home/www/etc/nginx/site.d/$site/x509/key.pem;
891 ssl_ciphers HIGH:!ADH:!MD5;
892 ssl_prefer_server_ciphers on;
893 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
894 ssl_session_cache shared:SSL:10m;
895 $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
896 }
897 EOF
898 ;;
899 esac |
900 sudo install -m 660 -o www -g www /dev/stdin \
901 /etc/nginx/site.d/"$site"/server.conf
902 adduser www-data www."$site"
903 test -e /home/www/pub/"$site" ||
904 sudo install -d -m 3770 -o www."$site" -g www."$site" \
905 /home/www/pub/"$site"
906 sudo install -d -m 3770 -o log."$site" -g log."$site" \
907 /home/www/log/"$site"/nginx
908 test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
909 . "$tool"/etc/nginx/site.d/"$site"/configure.sh
910 done
911 rule apt_get_install spawn-fcgi fcgiwrap
912 sudo insserv --remove fcgiwrap
913 rule tmpfs_configure
914 sudo service nginx restart
915 }
916 rule_php5_fpm_configure () {
917 local -; set +f
918 rule apt_get_install \
919 php5-fpm \
920 php-apc
921 getent passwd php5 >/dev/null ||
922 sudo adduser \
923 --disabled-login \
924 --disabled-password \
925 --group \
926 --shell /bin/false \
927 --system \
928 php5
929 local conf
930 sudo ln -fns \
931 /etc/php5-fpm \
932 /home/www/etc/php5
933 sudo rm -f /etc/php5/fpm/pool.d/*
934 for conf in "$tool"/etc/php5/fpm/pool.d/*.conf
935 do conf=${conf#"$tool"/etc/php5/fpm/pool.d/}
936 local port domain
937 IFS=. read -r port domain <<-EOF
938 ${conf%\.conf}
939 EOF
940 assert 'test "${port:+set}"'
941 assert 'test "${domain:+set}"'
942 local site="$port.$domain"
943 getent passwd php5."$site" >/dev/null ||
944 sudo adduser \
945 --disabled-login \
946 --disabled-password \
947 --group \
948 --no-create-home \
949 --home ~www/pub/"$site" \
950 --shell /bin/false \
951 --system \
952 php5."$site"
953 sudo install -d -m 770 -o php5 -g php5 \
954 /home/www/log/php5 \
955 /home/www/log/php5/fpm
956 sudo install -d -m 770 -o log."$site" -g log."$site" \
957 /home/www/log/"$site"
958 sudo adduser php5."$site" www."$site"
959 sudo install -m 660 -o root -g root /dev/stdin \
960 /etc/php5/fpm/pool.d/"$conf" <<-EOF
961 [php5.$site]
962 access.log = /home/www/log/$site/php5/fpm/access.log
963 catch_workers_output = yes
964 chdir = /
965 env[HOSTNAME] = \$HOSTNAME
966 env[TEMP] = /tmp
967 env[TMPDIR] = /tmp
968 env[TMP] = /tmp
969 group = www-data
970 listen = /run/nginx/fastcgi/php5.$site
971 #listen = 127.0.0.1:9000
972 #listen.allowed_clients = 127.0.0.1
973 listen.backlog = -1
974 pm = dynamic
975 pm.max_children = 5
976 pm.max_requests = 200
977 pm.max_spare_servers = 4
978 pm.min_spare_servers = 2
979 pm.start_servers = 3
980 pm.status_path = /status
981 request_slowlog_timeout = 5s
982 request_terminate_timeout = 120s
983 rlimit_core = unlimited
984 rlimit_files = 131072
985 slowlog = /home/www/log/$site/php5/fpm/slow.log
986 user = $php5_user
987 $(cat "$tool"/etc/php5/fpm/pool.d/"$conf")
988 EOF
989 sudo install -m 664 -o root -g root \
990 "$tool"/etc/php5/fpm/php.ini \
991 /etc/php5/fpm/php.ini
992 done
993 rule tmpfs_configure
994 sudo service php5-fpm restart
995 }
996 rule_postfix_configure () {
997 local hint="run vm_remote postfix_key_send before"
998 assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
999 #warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
1000 sudo debconf-set-selections <<-EOF
1001 postfix postfix/main_mailer_type select No configuration
1002 EOF
1003 rule apt_get_install postfix
1004 sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
1005 *.db
1006 EOF
1007 sudo install -d -m 771 -o root -g root \
1008 /etc/postfix/ \
1009 /etc/postfix/$vm_domainname/ \
1010 /etc/postfix/$vm_domainname/smtp \
1011 /etc/postfix/$vm_domainname/smtp/x509 \
1012 /etc/postfix/$vm_domainname/smtp/x509/ca \
1013 /etc/postfix/$vm_domainname/smtpd \
1014 /etc/postfix/$vm_domainname/smtpd/x509 \
1015 /etc/postfix/$vm_domainname/smtpd/x509/ca
1016 sudo ln -fns \
1017 ../crt+crl.self-signed.pem \
1018 /etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
1019 sudo install -m 400 -o root -g root \
1020 "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \
1021 /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
1022 sudo install -m 400 -o root -g root \
1023 "$tool"/var/pub/x509/smtpd.$vm_domainname/crt.pem \
1024 /etc/postfix/$vm_domainname/smtpd/x509/crt.pem
1025 sudo install -m 400 -o root -g root \
1026 "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+ca.pem \
1027 /etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem
1028 sudo install -m 400 -o root -g root \
1029 "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \
1030 /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
1031 sudo install -m 660 -o root -g root \
1032 "$tool"/etc/postfix/$vm_domainname/header_checks \
1033 /etc/postfix/$vm_domainname/header_checks
1034 sudo install -m 664 -o root -g root /dev/stdin \
1035 /etc/postfix/aliases <<-EOF
1036 # See man 5 aliases for format
1037 abuse: root
1038 admin: root
1039 contact: root
1040 mailer-daemon: root
1041 postmaster: root
1042 root: $(getent group sudo | cut -f 4 -d : | tr , ' ')
1043 EOF
1044 sudo newaliases -oA/etc/postfix/aliases
1045 cat /dev/stdin "$tool"/etc/postfix/main.cf <<-EOF |
1046 mydomain = $vm_domainname
1047 myorigin = \$mydomain
1048 myhostname = $vm_hostname.\$mydomain
1049 mail_name = \$myhostname
1050 mydestination = $vm_hostname \$myhostname \$myorigin
1051 EOF
1052 sudo install -m 664 -o root -g root /dev/stdin \
1053 /etc/postfix/main.cf
1054 sudo install -m 664 -o root -g root \
1055 "$tool"/etc/postfix/master.cf \
1056 /etc/postfix/master.cf
1057 sudo install -m 660 -o root -g root \
1058 "$tool"/etc/postfix/$vm_domainname/smtp/x509/policy \
1059 /etc/postfix/$vm_domainname/smtp/x509/policy
1060 sudo postmap hash:/etc/postfix/$vm_domainname/smtp/x509/policy
1061 sudo install -m 660 -o root -g root \
1062 "$tool"/etc/postfix/$vm_domainname/smtp/header_checks \
1063 /etc/postfix/$vm_domainname/smtp/header_checks
1064 sudo install -m 660 -o root -g root \
1065 "$tool"/etc/postfix/$vm_domainname/smtpd/sender_access \
1066 /etc/postfix/$vm_domainname/smtpd/sender_access
1067 sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/sender_access
1068 sudo install -m 660 -o root -g root \
1069 "$tool"/etc/postfix/$vm_domainname/smtpd/client_blacklist \
1070 /etc/postfix/$vm_domainname/smtpd/client_blacklist
1071 sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/client_blacklist
1072 sudo install -m 660 -o root -g root \
1073 "$tool"/etc/postfix/$vm_domainname/smtpd/relay_clientcerts \
1074 /etc/postfix/$vm_domainname/smtpd/relay_clientcerts
1075 sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/relay_clientcerts
1076 sudo install -m 660 -o root -g root \
1077 "$tool"/etc/postfix/$vm_domainname/transport \
1078 /etc/postfix/$vm_domainname/transport
1079 sudo postmap hash:/etc/postfix/$vm_domainname/transport
1080 sudo install -m 660 -o root -g root \
1081 "$tool"/etc/postfix/$vm_domainname/virtual_alias \
1082 /etc/postfix/$vm_domainname/virtual_alias
1083 sudo postmap hash:/etc/postfix/$vm_domainname/virtual_alias
1084 sudo service postfix restart
1085 }
1086 rule_postgresql_configure () {
1087 rule apt_get_install postgresql-9.1
1088 if [ ! -d /var/lib/postgresql/9.1/ ]; then
1089 pg_createcluster -u postgres --start 9.1 main
1090 fi
1091 sudo install -m 660 -o root -g root \
1092 "$tool"/etc/postgresql/9.1/main/postgresql.conf \
1093 /etc/postgresql/9.1/main/postgresql.conf
1094 sudo service postgresql restart
1095 }
1096 rule_openerp_configure () {
1097 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
1098 deb http://nightly.openerp.com/trunk/nightly/deb/ ./
1099 EOF
1100 sudo apt-get update
1101 rule apt_get_install openerp
1102 }
1103 rule_postgrey_configure () {
1104 rule apt_get_install postgrey
1105 sudo service postgrey restart
1106 }
1107 rule_procmail_configure () {
1108 rule apt_get_install procmail
1109 sudo install -d -m 770 -o root -g root \
1110 /etc/skel/etc/mail \
1111 /etc/skel/var/cache/mail \
1112 /etc/skel/var/log/mail \
1113 /etc/skel/var/mail
1114 sudo install -m 660 -o root -g root \
1115 "$tool"/etc/skel/etc/mail/delivery.procmailrc \
1116 /etc/skel/etc/mail/delivery.procmailrc
1117 }
1118 rule_runit_configure () {
1119 rule apt_get_install runit
1120 local -; set +f
1121 for sv in ${1-/etc/service/*}
1122 # NOTE: stoppe les services en retenant leur status de départ
1123 do sv=$(basename "$sv")
1124 local sv_hash=$(printf %s "$sv" | sha1sum | cut -f 1 -d ' ')
1125 local sv_status
1126 IFS= read -r sv_status_$sv_hash <<-EOF
1127 $(sv status "$sv")
1128 EOF
1129 rm -f /etc/service/"$sv"
1130 done
1131 for sv in ${1-"$tool"/etc/sv/*}
1132 # NOTE: configure et (re-)démarre les services
1133 do sv=$(basename "$sv")
1134 local sv_hash=$(printf %s "$sv" | sha1sum | cut -f 1 -d ' ')
1135 sudo install -d -m 770 -o root -g root \
1136 /etc/sv/"$sv"
1137 sudo install -m 770 -o root -g root \
1138 "$tool"/etc/sv/"$sv"/run \
1139 /etc/sv/"$sv"/run
1140 if test -e "$tool"/etc/sv/"$sv"/log/run
1141 then
1142 sudo install -d -m 770 -o root -g root \
1143 /etc/sv/"$sv"/log
1144 sudo install -m 770 -o root -g root \
1145 "$tool"/etc/sv/"$sv"/log/run \
1146 /etc/sv/"$sv"/log/run
1147 fi
1148 test ! -x "$tool"/etc/sv/"$sv"/configure ||
1149 "$tool"/etc/sv/"$sv"/configure
1150 ln -fns ../sv/"$sv" /etc/service/"$sv"
1151 eval local sv_status=\"\${sv_status_$sv_hash-}\"
1152 case $sv_status in
1153 ("") sv start "$sv";;
1154 (run:*) sv restart "$sv";;
1155 esac
1156 done
1157 }
1158 rule_ssh_configure () {
1159 ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
1160 ( while IFS= read -r line
1161 do case $line in (*" RSA") return 0; break;; esac
1162 done; return 1 ) ||
1163 sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
1164 sudo rm -f \
1165 /etc/ssh/ssh_host_dsa_key \
1166 /etc/ssh/ssh_host_dsa_key.pub \
1167 /etc/ssh/ssh_host_ecdsa_key \
1168 /etc/ssh/ssh_host_ecdsa_key.pub
1169 # NOTE: clefs générées par Debian
1170 sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
1171 Port 22
1172 ListenAddress $vm_ipv4
1173 #ListenAddress ::
1174 Protocol 2
1175 Compression yes
1176 HostKey /etc/ssh/ssh_host_rsa_key
1177 UsePrivilegeSeparation yes
1178 KeyRegenerationInterval 3600
1179 ServerKeyBits 768
1180 SyslogFacility AUTH
1181 LogLevel INFO
1182 LoginGraceTime 120
1183 PermitRootLogin yes
1184 StrictModes yes
1185 RSAAuthentication yes
1186 PubkeyAuthentication yes
1187 AuthorizedKeysFile %h/etc/ssh/authorized_keys
1188 IgnoreRhosts yes
1189 RhostsRSAAuthentication no
1190 HostbasedAuthentication no
1191 IgnoreUserKnownHosts no
1192 PermitEmptyPasswords no
1193 ChallengeResponseAuthentication no
1194 PasswordAuthentication no
1195 KerberosAuthentication no
1196 GSSAPIAuthentication no
1197 X11Forwarding no
1198 X11DisplayOffset 10
1199 PrintMotd no
1200 DebianBanner no
1201 PrintLastLog yes
1202 TCPKeepAlive yes
1203 ClientAliveInterval 0
1204 AcceptEnv LANG LC_*
1205 Subsystem sftp /usr/lib/openssh/sftp-server
1206 UsePAM yes
1207 EOF
1208 sudo service ssh restart
1209 }
1210 rule_sysctl_configure () {
1211 local -; set +f
1212 for conf in "$tool"/etc/sysctl.d/*.conf
1213 do conf=${conf#"$tool"/etc/sysctl.d/}
1214 sudo install -m 660 -o root -g root \
1215 "$tool"/etc/sysctl.d/"$conf" \
1216 /etc/sysctl.d/"$conf"
1217 done
1218 sudo sysctl --system
1219 }
1220 rule_tmpfs_configure () {
1221 sudo install -m 644 -o root -g root /dev/stdin /etc/default/tmpfs <<-EOF
1222 LOCK_SIZE=5242880 # NOTE: 5MiB
1223 RAMLOCK=yes
1224 RAMSHM=yes
1225 RAMTMP=yes
1226 RUN_SIZE=10%
1227 SHM_SIZE=
1228 TMP_MODE=1777,nr_inodes=1000k,noatime
1229 TMP_OVERFLOW_LIMIT=1024
1230 # NOTE: mount tmpfs on /tmp if there is less than the limit size (in kiB)
1231 # on the root filesystem (overriding RAMTMP).
1232 TMP_SIZE=200m
1233 TMPFS_SIZE=20%VM
1234 EOF
1235 sudo install -m 775 -o root -g root \
1236 "$tool"/etc/init.d/tmpfs \
1237 /etc/init.d/tmpfs
1238 sudo update-rc.d tmpfs defaults
1239 }
1240 rule_time_configure () {
1241 sudo install -m 644 -o root -g root /dev/stdin /etc/timezone <<-EOF
1242 Europe/Paris
1243 EOF
1244 sudo debconf-set-selections <<-EOF
1245 tzdata tzdata/Areas select Europe
1246 tzdata tzdata/Zones/Europe select Paris
1247 EOF
1248 rule dpkg_reconfigure tzdata
1249 rule apt_get_install ntp
1250 }
1251 rule_user_add () { # SYNTAX: $user
1252 rule user_configure
1253 local user=$1
1254 getent passwd "$user" >/dev/null ||
1255 sudo adduser --disabled-password "$user"
1256 # NOTE: le mot-de-passe doit être initialisé par l'utilisateur à l'aide de passwd-init .
1257 eval local home\; home="~$user"
1258 sudo adduser "$user" users
1259 sudo install -m 640 -o root -g root \
1260 "$tool"/var/pub/ssh/"$user".key \
1261 "$home"/etc/ssh/authorized_keys
1262 local key; local -; set +f
1263 for key in "$tool"/var/pub/openpgp/*.key
1264 do sudo -u "$user" gpg --import - <"$key"
1265 done
1266 }
1267 rule_user_configure () {
1268 sudo install -m 660 -o root -g root /dev/stdin \
1269 /etc/adduser.conf <<-EOF
1270 ADD_EXTRA_GROUPS=1
1271 DHOME=/home
1272 DIR_MODE=0750
1273 DSHELL=/bin/bash
1274 EXTRA_GROUPS="users"
1275 FIRST_GID=1000
1276 FIRST_SYSTEM_GID=100
1277 FIRST_SYSTEM_UID=100
1278 FIRST_UID=1000
1279 GROUPHOMES=no
1280 LAST_GID=29999
1281 LAST_SYSTEM_GID=999
1282 LAST_SYSTEM_UID=999
1283 LAST_UID=29999
1284 LETTERHOMES=no
1285 NAME_REGEX="^[a-z][-a-z0-9_.]*\$"
1286 QUOTAUSER="" # TODO: init
1287 SETGID_HOME=no
1288 SKEL=/etc/skel
1289 SKEL_IGNORE_REGEX="dpkg-(old|new|dist|save)"
1290 USERGROUPS=yes
1291 USERS_GID=100
1292 EOF
1293 sudo install -d -m 750 -o root -g root \
1294 /etc/skel \
1295 /etc/skel/etc \
1296 /etc/skel/etc/gpg \
1297 /etc/skel/etc/ssh
1298 sudo install -d -m 770 -o root -g root \
1299 /etc/skel/var \
1300 /etc/skel/var/cache \
1301 /etc/skel/var/log \
1302 /etc/skel/var/run \
1303 /etc/skel/var/run/ssh
1304 sudo ln -fns etc/ssh /etc/skel/.ssh
1305 sudo ln -fns etc/gpg /etc/skel/.gnupg
1306 sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
1307 %sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
1308 case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
1309 ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
1310 EOF
1311 sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF
1312 %sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
1313 EOF
1314 sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/env_keep <<-EOF
1315 Defaults env_keep = " \\
1316 EDITOR \\
1317 GIT_AUTHOR_NAME \\
1318 GIT_AUTHOR_EMAIL \\
1319 GIT_COMMITTER_NAME \\
1320 GIT_COMMITTER_EMAIL \\
1321 "
1322 EOF
1323 sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF
1324 #!/bin/sh -efu
1325 # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
1326 sudo /bin/sh -e -f -u -c \
1327 'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
1328 EOF
1329 sudo install -m 644 -o root -g root \
1330 "$tool"/etc/bash.bashrc \
1331 /etc/bash.bashrc
1332 sudo install -m 644 -o root -g root \
1333 "$tool"/etc/screenrc \
1334 /etc/screenrc
1335 }
1336 rule_user_admin_add () { # SYNTAX: $user
1337 rule user_configure
1338 local user=$1
1339 getent passwd "$user" >/dev/null ||
1340 sudo adduser --disabled-password "$user"
1341 eval local home\; home="~$user"
1342 sudo adduser "$user" sudo
1343 sudo install -m 640 -o root -g root \
1344 "$tool"/var/pub/ssh/"$user".key \
1345 "$home"/etc/ssh/authorized_keys
1346 local key; local -; set +f
1347 for key in "$tool"/var/pub/openpgp/*.key
1348 do sudo -u "$user" gpg --import - <"$key"
1349 done
1350 rule user_admin_configure
1351 }
1352 rule_user_admin_configure () {
1353 rule initramfs_configure
1354 rule user_root_configure
1355 }
1356 rule_user_root_configure () {
1357 sudo install -d -m 750 -o root -g root \
1358 /root/etc \
1359 /root/etc/gpg \
1360 /root/etc/ssh
1361 sudo ln -fns etc/gpg /root/.gnupg
1362 sudo ln -fns etc/ssh /root/.ssh
1363 getent group sudo |
1364 while IFS=: read -r group x x users
1365 do while test -n "$users" && IFS=, read -r user users <<-EOF
1366 $users
1367 EOF
1368 do eval local home\; home="~$user"
1369 cat "$home"/etc/ssh/authorized_keys
1370 done
1371 done |
1372 sudo install -m 640 -o root -g root /dev/stdin /root/etc/ssh/authorized_keys
1373 local key; local -; set +f
1374 for key in "$tool"/var/pub/openpgp/*.key
1375 do sudo gpg --import "$key"
1376 done
1377 }
1378 rule_configure () {
1379 rule apt_configure
1380 rule git_configure
1381 rule etckeeper_configure
1382 rule locales_configure
1383 rule time_configure
1384 rule network_configure
1385 rule filesystem_configure
1386 rule login_configure
1387 rule ssh_configure
1388 rule user_root_configure
1389 rule boot_configure
1390 rule sysctl_configure
1391 rule user_configure
1392 rule mail_configure
1393 #rule apache2_configure
1394 rule nginx_configure
1395 rule php5_fpm_configure
1396 rule gitolite_configure
1397 rule runit_configure
1398 }
1399
1400 rule_luks_key_change () {
1401 sudo cryptsetup luksChangeKey /dev/$vm_lvm_vg/${vm_lvm_lv}_root
1402 }
1403
1404 rule=${1:-help}
1405 ${1+shift}
1406 case $rule in
1407 (help);;
1408 (*)
1409 assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
1410 ;;
1411 esac
1412 rule $rule "$@"
outils d'administration d'ateliers.heureux-cyclage.org