dépôts / lhc / ateliers.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Correction : évite de dépasser GROUP_NAME_MAX_LENGTH==32 .
[lhc/ateliers.git] / vm_hosted
1 #!/bin/sh
2 set -e -f ${DRY_RUN:+-n} -u
3 tool=$0
4 while test -L "$tool"
5 do tool=$(readlink "$tool")
6 done
7 tool=${tool%/*}
8 . "$tool"/lib/rule.sh
9 . "$tool"/etc/vm.sh
10
11 rule_help () { # SYNTAX: [--hidden]
12 local hidden; [ ${1:+set} ] || hidden=set
13 cat >&2 <<-EOF
14 DESCRIPTION:
15 ce script regroupe des règles pour administrer la VM ($vm_fqdn)
16 _depuis_ la VM hébergée ($vm_fqdn) ;
17 il sert à la fois d'outil (aisément bidouillable)
18 et de documentation (préçise).
19 Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
20 SYNTAX: $0 \$RULE \${RULE}_SYNTAX
21 RULES:
22 $(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
23 ENVIRONMENT:
24 TRACE # affiche les commandes avant leur exécution
25 $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
26 EOF
27 }
28
29 rule_git_configure () {
30 (
31 cd "$tool"
32 git config --replace branch.master.remote .
33 git config --replace branch.master.merge refs/remotes/master
34 local tool
35 tool=$(cd "$tool"; cd -)
36 sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/
37 sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/vm
38 sudo install -m 770 /dev/stdin .git/hooks/post-update <<-EOF
39 #!/bin/sh -efux
40 case \$1 in
41 (refs/remotes/master)
42 cd ..
43 git --git-dir=\$PWD/.git checkout -f -B master remotes/master
44 git --git-dir=\$PWD/.git clean -f -d -
45 ;;
46 esac
47 EOF
48 )
49 }
50 rule_git_reset () {
51 (
52 cd "$tool"
53 git checkout -f -B master remotes/master
54 git clean -f -d -x
55 )
56 }
57
58 rule_apt_get_install () { # SYNTAX: $package
59 sudo DEBIAN_FRONTEND=noninteractive apt-get install "$@"
60 }
61 rule_dpkg_reconfigure () { # SYNTAX: $package
62 sudo DEBIAN_FRONTEND=noninteractive dpkg-reconfigure "$@"
63 }
64
65 rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
66 export LANG=C
67 export LC_CTYPE=C
68 . /etc/profile
69 }
70
71 rule_apache2_configure () {
72 local -; set +f
73 rule apt_get_install \
74 apache2-mpm-itk \
75 libapache2-mod-php5
76 # VOIR: http://serverfault.com/questions/383526/how-do-i-select-which-apache-mpm-to-use/383634#383634
77 # VOIR: http://jkroon.blogs.uls.co.za/it/security/using-php-fpm-and-mod_proxy_fcgi-to-optimize-and-secure-lamp-servers
78 # NOTE: apache2-mpm-itk semble le plus sécurisé,
79 # car on est certain que tout est exécuté avec les uid/gid
80 # assignés au VirtualHost/Directory/Location
81 # néamoins il se peut qu'une combinaison du genre :
82 # apache2-mpm-{worker,event} + mod_proxy_fcgi + apache2-suexec-custom + php-fpm
83 # soit plus performante (threads et pas forks),
84 # cependant l'usage de suexec impose des forks il semble..
85 # et mod_proxy_fcgi n'apparaît que dans apache 2.4 ;
86 # donc pour l'instant : apache2-mpm-itk
87 rule www_configure
88 cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF |
89 ServerName "$vm_fqdn"
90 EOF
91 sudo install -m 660 -o root -g root /dev/stdin \
92 /etc/apache2/apache2.conf
93 sudo install -m 660 -o root -g root \
94 "$tool"/etc/apache2/envvars \
95 /etc/apache2/envvars
96 sudo install -m 660 -o root -g root \
97 "$tool"/etc/apache2/httpd.conf \
98 /etc/apache2/httpd.conf
99 #sudo install -m 660 -o root -g root /dev/stdin \
100 # /etc/apache2/suexec/www-data <<-EOF
101 # /home
102 # pub/www/cgi
103 # EOF
104 sudo install -m 660 -o root -g root \
105 "$tool"/etc/apache2/ports.conf \
106 /etc/apache2/ports.conf
107 sudo a2enmod actions
108 sudo a2enmod headers
109 sudo a2enmod rewrite
110 sudo a2enmod ssl
111 sudo a2enmod userdir
112 local conf
113 sudo a2dissite "*"
114 sudo ln -fns \
115 /etc/apache2 \
116 /home/www/etc/apache2
117 for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf
118 do conf=${conf#"$tool"/etc/apache2/site.d/}
119 local port site
120 IFS=. read -r port domain <<-EOF
121 ${conf%\/VirtualHost\.conf}
122 EOF
123 assert 'test "${port:+set}"'
124 assert 'test "${domain:+set}"'
125 local site="$port.$domain"
126 case $port in
127 (443)
128 local hint="run vm_remote apache2_key_send before"
129 assert "sudo test -f /etc/apache2/site.d/\"$site\"/x509/key.pem" hint
130 sudo install -d -m 770 -o www."$site" -g www."$site" \
131 /etc/apache2 \
132 /etc/apache2/site.d/"$site" \
133 /etc/apache2/site.d/"$site"/x509 \
134 /etc/apache2/site.d/"$site"/x509/ca \
135 /etc/apache2/site.d/"$site"/x509/empty \
136 /etc/apache2/site.d/"$site"/x509/rvk \
137 /etc/apache2/site.d/"$site"/x509/usr
138 sudo install -m 664 -o www -g www \
139 "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
140 /etc/apache2/site.d/"$site"/x509/crt.self-signed.pem
141 #sudo install -m 664 -o www."$site" -g www."$site" \
142 # "$tool"/var/pub/x509/"$site"/rvk.pem \
143 # /etc/apache2/site.d/"$site"/x509/rvk.pem
144 sudo install -m 664 -o www -g www \
145 "$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \
146 /etc/apache2/site.d/"$site"/x509/ca/crt.pem
147 sudo install -m 664 -o www -g www \
148 "$tool"/var/pub/x509/"$site"/crt.pem \
149 /etc/apache2/site.d/"$site"/x509/crt.pem
150 ;;
151 esac
152 case $port in
153 (80)
154 cat <<-EOF
155 <VirtualHost *:$port>
156 AssignUserID www.$site www.$site
157 CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined
158 #CustomLog "/dev/null" Combined
159 DocumentRoot /home/www/pub/$site
160 ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60"
161 #ErrorLog "/dev/null"
162 ServerName $domain
163 LogLevel Warn
164 $(cat "$tool"/etc/apache2/site.d/"$site"/VirtualHost.conf)
165 </VirtualHost>
166 EOF
167 ;;
168 (443)
169 cat <<-EOF
170 <IfModule mod_ssl.c>
171 <VirtualHost *:$port>
172 AssignUserID www.$site www.$site
173 BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0
174 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
175 CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined
176 #CustomLog "/dev/null" Combined
177 DocumentRoot /home/www/pub/$site
178 ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60"
179 #ErrorLog "/dev/null"
180 LogLevel Warn
181 ServerName $domain
182 SSLCACertificateFile /etc/apache2/site.d/$site/x509/crt.self-signed.pem
183 SSLCACertificatePath /etc/apache2/site.d/$site/x509/usr/
184 #SSLCARevocationFile /etc/apache2/site.d/$site/x509/rvk.pem
185 SSLCADNRequestFile /etc/apache2/site.d/$site/x509/crt.self-signed.pem
186 SSLCADNRequestPath /etc/apache2/site.d/$site/x509/empty/
187 # NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés
188 SSLCARevocationPath /etc/apache2/site.d/$site/x509/rvk/
189 SSLCertificateChainFile /etc/apache2/site.d/$site/x509/ca/crt.pem
190 SSLCertificateFile /etc/apache2/site.d/$site/x509/crt.pem
191 SSLCertificateKeyFile /etc/apache2/site.d/$site/x509/key.pem
192 SSLCipherSuite AES+RSA+SHA256
193 SSLEngine On
194 SSLInsecureRenegotiation Off
195 SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars
196 SSLProtocol -All +TLSv1
197 #SSLRenegBufferSize 262144
198 SSLSessionCacheTimeout 1200
199 SSLStrictSNIVHostCheck On
200 SSLUserName SSL_CLIENT_S_DN_CN
201 SSLVerifyClient None
202 SSLVerifyDepth 1
203 $(cat "$tool"/etc/apache2/site.d/"$site"/VirtualHost.conf)
204 </VirtualHost>
205 </IfModule>
206 EOF
207 ;;
208 esac |
209 sudo install -m 660 -o root -g root /dev/stdin \
210 /etc/apache2/site.d/"$site"/VirtualHost.conf
211 sudo ln -fns \
212 ../site.d/"$site"/VirtualHost.conf \
213 /etc/apache2/sites-available/"$site"
214 sudo install -d -m 770 -o www."$site" -g www."$site" \
215 /home/www/log/"$site" \
216 /home/www/log/"$site"/apache2
217 sudo ln -fns \
218 /etc/apache2/site.d/"$site" \
219 /home/www/etc/apache2/"$site"
220 test -e /home/www/pub/"$site" ||
221 sudo install -d -m 2770 -o www."$site" -g www."$site" \
222 /home/www/pub/"$site"
223 getent passwd www."$site" >/dev/null ||
224 sudo adduser \
225 --disabled-password \
226 --group \
227 --no-create-home \
228 --home /home/www/pub/"$site" \
229 --shell /bin/false \
230 --system \
231 www."$site"
232 #sudo setfacl -m u:"www.$site":--x \
233 # /home/www/ \
234 # /home/www/pub/ \
235 # /home/www/pub/"$site"/
236 #sudo setfacl -m d:u:"www.$site":rwx \
237 # "$home"/pub/www/"$site"/
238 test ! -r "$tool"/etc/apache2/site.d/"$site"/configure.sh ||
239 . "$tool"/etc/apache2/site.d/"$site"/configure.sh
240 test -e /etc/apache2/sites-enabled/"$site" ||
241 sudo a2ensite "$site"
242 done
243 sudo service apache2 restart
244 }
245 rule_apt_configure () {
246 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
247 deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
248 EOF
249 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF
250 #deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
251 EOF
252 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
253 Package: *
254 Pin: release a=$vm_lsb_name
255 Pin-Priority: 170
256
257 Package: *
258 Pin: release a=$vm_lsb_name-backports
259 Pin-Priority: 200
260 EOF
261 sudo apt-get update
262 rule apt_get_install apticron
263 sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF
264 EMAIL="admin@$vm_domainname"
265 # DIFF_ONLY="1"
266 # LISTCHANGES_PROFILE="apticron"
267 # ALL_FQDNS="1"
268 # SYSTEM="foobar.example.com"
269 # IPADDRESSNUM="1"
270 # IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
271 # NOTIFY_HOLDS="0"
272 # NOTIFY_NEW="0"
273 # NOTIFY_NO_UPDATES="0"
274 # CUSTOM_SUBJECT=""
275 # CUSTOM_NO_UPDATES_SUBJECT=""
276 # CUSTOM_FROM="root@$vm_fqdn"
277 EOF
278 }
279 rule_boot_configure () {
280 #warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
281 sudo debconf-set-selections <<-EOF
282 grub-pc grub-pc/install_devices multiselect
283 EOF
284 rule apt_get_install grub-pc
285 sudo install -d -m 644 -o root -g root /boot/grub
286 rule apt_get_install linux-image-$vm_arch
287 sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF
288 GRUB_DEFAULT=0
289 GRUB_TIMEOUT=5
290 GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
291 GRUB_CMDLINE_LINUX_DEFAULT="quiet"
292 GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
293 GRUB_DISABLE_RECOVERY="true"
294 #GRUB_PRELOAD_MODULES="lvm"
295 EOF
296 sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF
297 (hd0) /dev/xvda
298 (hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
299 EOF
300 sudo update-grub2 # NOTE: prend en compte /boot/grub/device.map
301 rule initramfs_configure
302 rule apt_get_install molly-guard
303 sudo install -m 644 -o root -g root /dev/stdin /etc/molly-guard/rc <<-EOF
304 ALWAYS_QUERY_HOSTNAME=true
305 # NOTE: une alternative est de dire à sudo de conserver les SSH_*
306 # néamoins demander tout le temps n'est pas trop contraignant
307 # et davantage sécurisant.
308 EOF
309 }
310 rule_dovecot_configure () {
311 rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
312 local hint="run vm_remote dovecot_key_send before"
313 assert "sudo test -f /etc/dovecot/\"$vm_domainname\"/imap/x509/key.pem" hint
314 sudo install -m 400 -o root -g root \
315 "$tool"/var/pub/x509/$vm_domainname/imap/crt+crl.self-signed.pem \
316 /etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
317 sudo install -d -m 770 -o root -g root \
318 /etc/skel/etc/mail \
319 /etc/skel/etc/sieve
320 sudo install -d -m 1777 -o root -g root \
321 /var/lib/dovecot-control \
322 /var/lib/dovecot-index
323 sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
324 auth_ssl_username_from_cert = yes
325 listen = *
326 log_timestamp = "%Y-%m-%d %H:%M:%S "
327 mail_debug = yes
328 mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
329 # NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
330 # VOIR: http://wiki2.dovecot.org/Quota/FS
331 mail_plugins = \$mail_plugins quota
332 mail_privileged_group = mail
333 passdb {
334 args = /home/%u/etc/dovecot/passwd
335 driver = passwd-file
336 }
337 plugin {
338 quota = fs:user
339 recipient_delimiter = +
340 sieve = ~/etc/mail/filter.sieve
341 sieve_dir = ~/etc/mail/sieve
342 sieve_global_dir = /var/lib/dovecot/sieve/global/
343 sieve_max_script_size = 1M
344 sieve_quota_max_scripts = 0
345 sieve_quota_max_storage = 10M
346 sieve_user_log = ~/var/log/mail/sieve.log
347 }
348 protocol imap {
349 mail_plugins = \$mail_plugins imap_quota
350 }
351 protocol lda {
352 auth_socket_path = /var/run/dovecot/auth-master
353 hostname = $vm_domainname
354 info_log_path =
355 log_path =
356 mail_plugins = \$mail_plugins sieve
357 postmaster_address = contact+dovecot+lda@$vm_domainname
358 syslog_facility = mail
359 }
360 protocols = imap sieve
361 service auth {
362 user = root
363 unix_listener /var/spool/postfix/private/auth {
364 mode = 0660
365 user = postfix
366 group = postfix
367 }
368 }
369 ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
370 ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
371 ssl_cipher_list = AES256-SHA
372 ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
373 ssl_verify_client_cert = yes
374 userdb {
375 driver = passwd
376 }
377 verbose_ssl = no
378 EOF
379 sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
380 #!/bin/sh -efux
381 # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
382 install -d -m 770 ~/etc/dovecot
383 install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
384 \$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
385 _EOF
386 EOF
387 sudo install -m 664 -o root -g root /dev/stdin /etc/postgrey/whitelist_recipients.local <<-EOF
388 EOF
389 sudo service dovecot restart
390 }
391 rule_etckeeper_configure () {
392 sudo install -m 644 -o root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
393 VCS=git
394 GIT_COMMIT_OPTIONS=""
395 AVOID_DAILY_AUTOCOMMITS=1
396 #AVOID_SPECIAL_FILE_WARNING=1
397 AVOID_COMMIT_BEFORE_INSTALL=1
398 HIGHLEVEL_PACKAGE_MANAGER=apt
399 LOWLEVEL_PACKAGE_MANAGER=dpkg
400 EOF
401 sudo install -m 644 -o root -g root \
402 "$tool"/etc/etckeeper/prompt.sh \
403 /etc/etckeeper/prompt.sh
404 rule apt_get_install etckeeper
405 }
406 rule_filesystem_configure () {
407 sudo install -m 644 -o root -g root /dev/stdin /etc/fstab <<-EOF
408 # <file system> <mount point> <type> <options> <dump> <pass>
409 LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
410 proc /proc proc defaults 0 0
411 sysfs /sys sysfs defaults 0 0
412 /dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
413 /dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
414 /dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
415 # NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
416 /dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
417 EOF
418 sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF
419 # <target name> <source device> <key file> <options>
420 ${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
421 ${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
422 ${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
423 ${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
424 EOF
425 rule tmpfs_configure
426 }
427 rule_initramfs_configure () {
428 sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
429 MODULES=most
430 BUSYBOX=y
431 KEYMAP=y
432 COMPRESS=gzip
433 DEVICE=eth0
434 EOF
435 sudo install -m 644 -o root -g root /dev/stdin /etc/modprobe.d/xen-pv.conf <<-EOF
436 alias eth0 xennet
437 alias scsi_hostadapter xenblk
438 EOF
439 sudo install -m 644 -o root -g root /dev/stdin /etc/modules <<-EOF
440 sha1_generic
441 sha256_generic
442 sha512_generic
443 aes-x86_64
444 xts
445 # NOTE: pour Xen en mode HVM :
446 #modprobe xen-platform-pci
447 EOF
448 sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF
449 EOF
450 sudo sed -e '/^configure_networking /s/ &$//' \
451 -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
452 # NOTE: corrige une vermine : dropbear doit attendre que le réseau soit configuré..
453 ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
454 ( while IFS= read -r line
455 do case $line in (*" RSA") return 0; break;; esac
456 done; return 1 ) ||
457 {
458 sudo rm -f \
459 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
460 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
461 sudo dropbearkey -t rsa -s 4096 -f \
462 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
463 }
464 # NOTE: ne se préoccupe pas de dropbear_dss_host_key ; Debian la génère et l'utilise néamoins.
465 sudo install -d -m 640 -o root -g root \
466 /etc/initramfs-tools/root \
467 /etc/initramfs-tools/root/.ssh
468 getent group sudo |
469 while IFS=: read -r group x x users
470 do while test -n "$users" && IFS=, read -r user users <<-EOF
471 $users
472 EOF
473 do eval local home\; home="~$user"
474 cat "$home"/etc/ssh/authorized_keys
475 done
476 done |
477 sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys
478 sudo rm -f \
479 /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
480 /etc/initramfs-tools/root/.ssh/id_rsa.pub \
481 /etc/initramfs-tools/root/.ssh/id_rsa
482 # NOTE: clefs générées par Debian
483 sudo update-initramfs -u
484 }
485 rule_gitolite_configure () {
486 local user=git
487 sudo debconf-set-selections <<-EOF
488 gitolite gitolite/gituser string $user
489 gitolite gitolite/adminkey string
490 gitolite gitolite/gitdir string /home/$user
491 EOF
492 rule apt_get_install gitolite
493 getent passwd "$user" >/dev/null ||
494 sudo adduser \
495 --disabled-password \
496 --group \
497 --shell /bin/bash \
498 --system \
499 "$user"
500 sudo chfn --full-name "$user" "$user"
501 eval local home\; home="~$user"
502 sudo install -d -m 770 -o "$user" -g "$user" \
503 /etc/gitolite \
504 "$home"/etc \
505 "$home"/etc/ssh \
506 "$home"/pub \
507 "$home"/log \
508 "$home"/log/gitolite \
509 "$home"/log/gitolite/perf
510 sudo ln -fns /etc/gitolite "$home"/etc/gitolite
511 sudo ln -fns etc/gitolite/gitolite.rc "$home"/.gitolite.rc
512 sudo ln -fns etc/ssh "$home"/.ssh
513 sudo install -m 770 -o "$user" -g "$user" /dev/stdin \
514 "$home"/etc/gitolite/gitolite.rc <<-EOF
515 #\$ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary";
516 #\$BIG_INFO_CAP = 20;
517 #\$ENV{GL_SLAVES} = 'gitolite@server2 gitolite@server3';
518 # NOTE: Please use single quotes, not double quotes.
519 #\$GITWEB_URI_ESCAPE = 0;
520 \$GIT_PATH = "";
521 #\$GL_ADC_PATH = "";
522 \$GL_ADMINDIR = \$ENV{HOME} . "/etc/gitolite";
523 #\$GL_ALL_INCLUDES_SPECIAL = 0;
524 #\$GL_ALL_READ_ALL = 0;
525 \$GL_BIG_CONFIG = 0;
526 \$GL_CONF = "\$GL_ADMINDIR/conf/gitolite.conf";
527 \$GL_CONF_COMPILED = "\$GL_ADMINDIR/conf/gitolite.conf.pm";
528 #\$GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups"
529 \$GL_GITCONFIG_KEYS = "hooks\\..* repo\\..*";
530 #\$GL_HOSTNAME = "git.$vm_domainname";
531 # NOTE: read doc/mirroring.mkd COMPLETELY before setting this.
532 #\$GL_HTTP_ANON_USER = "mob";
533 \$GL_KEYDIR = "\$GL_ADMINDIR/keydir";
534 \$GL_LOGT = \$ENV{HOME} . "/log/gitolite/%y-%m-%d.log";
535 #\$GL_NICE_VALUE = 0;
536 \$GL_NO_CREATE_REPOS = 0;
537 \$GL_NO_DAEMON_NO_GITWEB = 0;
538 \$GL_NO_SETUP_AUTHKEYS = 0;
539 \$GL_PACKAGE_CONF = "/usr/share/gitolite/conf";
540 \$GL_PACKAGE_HOOKS = "/usr/share/gitolite/hooks";
541 #\$GL_PERFLOGT = \$ENV{HOME} . "/log/gitolite/perf/%y-%m-%d.log";
542 #\$GL_REF_OR_FILENAME_PATT = qr(^[0-9a-zA-Z][0-9a-zA-Z._\\@/+ :,-]*\$);
543 \$GL_SITE_INFO = "git.$vm_domainname";
544 #\$GL_SLAVE_MODE = 0;
545 \$GL_WILDREPOS = 0;
546 #\$GL_WILDREPOS_DEFPERMS = 'R @all';
547 \$GL_WILDREPOS_PERM_CATS = "READERS WRITERS";
548 \$HTPASSWD_FILE = "";
549 \$PROJECTS_LIST = \$ENV{HOME} . "/projects.list";
550 \$REPO_BASE = "pub";
551 \$REPO_UMASK = 0007;
552 \$RSYNC_BASE = "";
553 \$SVNSERVE = "";
554 #\$UPDATE_CHAINS_TO = "hooks/update.secondary";
555 #\$WEB_INTERFACE = "gitweb";
556 1;
557 EOF
558 sudo install -m 770 -o "$user" -g "$user" /dev/stdin \
559 "$home"/etc/gitweb/gitweb.conf <<-EOF
560 \$commit_oneline_message_width = 70;
561 \$default_projects_order = 'age';
562 \$default_text_plain_charset = 'UTF-8';
563 @diff_opts = ();
564 \$favicon = "img/git-favicon.png";
565 \$git_temp = "/run/shm/gitweb";
566 \$home_footer = "/etc/gitweb/cgi/home-footer.cgi.inc";
567 \$home_header = "/etc/gitweb/cgi/home-header.cgi.inc";
568 \$home_link = "/";
569 \$home_link_str = 'd&eacute;p&ocirc;ts';
570 \$home_th_age = 'activit&eacute;';
571 \$home_th_descr = 'description';
572 \$home_th_owner = 'contact';
573 \$home_th_project = 'd&eacute;p&ocirc;t';
574 \$javascript = "js/gitweb.js";
575 \$logo = "img/git-logo.png";
576 \$my_uri = "";
577 \$projectroot = "../git";
578 \$projects_list = "/etc/gitolite/projects.list";
579 \$projects_list_description_width = 42;
580 \$projects_list_owner_width = 15;
581 \$search_str = "Filtre&nbsp;:";
582 \$site_footer = "/home/fai/pub/www/git.autogeree.net/cgi/site-footer.bin";
583 \$site_header = undef;
584 \$site_name = "git.$vm_domainname";
585 \$space_to_nbsp = 0;
586 @stylesheets = ("css/gitweb.css");#
587 \$untabify_tabstop = 2;
588 EOF
589 sudo install -m 600 -o "$user" -g "$user" \
590 "$tool"/var/pub/ssh/"$user".key \
591 "$home"/etc/ssh/"$user".pub
592 sudo -u "$user" \
593 GL_RC="$home"/etc/gitolite/gitolite.rc \
594 GIT_AUTHOR_NAME="$user" \
595 gl-setup -q "$home"/etc/ssh/"$user".pub "$user"
596 local d
597 for d in doc logs src
598 do test ! -d "$home"/etc/gitolite/"$d" ||
599 rmdir "$home"/etc/gitolite/"$d"
600 done
601 rule apt_get_install gitweb highlight
602 #sudo sv restart fcgi.git.80.git.heureux-cyclage.org
603 #sudo sv restart git-daemon.git.9418
604 }
605 rule_locales_configure () {
606 sudo debconf-set-selections <<-EOF
607 locales locales/default_environment_locale select None
608 locales locales/locales_to_be_generated multiselect fr_FR.UTF-8 UTF-8
609 EOF
610 rule dpkg_reconfigure locales
611 }
612 rule_login_configure () {
613 sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF
614 # /etc/inittab: init(8) configuration.
615
616 # The default runlevel.
617 id:2:initdefault:
618
619 # Boot-time system configuration/initialization script.
620 # This is run first except when booting in emergency (-b) mode.
621 si::sysinit:/etc/init.d/rcS
622
623 # What to do in single-user mode.
624 ~~:S:wait:/sbin/sulogin
625
626 # /etc/init.d executes the S and K scripts upon change
627 # of runlevel.
628 #
629 # Runlevel 0 is halt.
630 # Runlevel 1 is single-user.
631 # Runlevels 2-5 are multi-user.
632 # Runlevel 6 is reboot.
633
634 l0:0:wait:/etc/init.d/rc 0
635 l1:1:wait:/etc/init.d/rc 1
636 l2:2:wait:/etc/init.d/rc 2
637 l3:3:wait:/etc/init.d/rc 3
638 l4:4:wait:/etc/init.d/rc 4
639 l5:5:wait:/etc/init.d/rc 5
640 l6:6:wait:/etc/init.d/rc 6
641 # Normally not reached, but fallthrough in case of emergency.
642 z6:6:respawn:/sbin/sulogin
643
644 # What to do when CTRL-ALT-DEL is pressed.
645 ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
646
647 # What to do when the power fails/returns.
648 pf::powerwait:/etc/init.d/powerfail start
649 pn::powerfailnow:/etc/init.d/powerfail now
650 po::powerokwait:/etc/init.d/powerfail stop
651
652 # Xen hypervisor console
653 hvc:2345:respawn:/sbin/getty 38400 hvc0
654 #xvc:2345:respawn:/sbin/getty 38400 xvc0
655
656 #-- runit begin
657 SV:123456:respawn:/usr/sbin/runsvdir-start
658 #-- runit end
659 EOF
660 sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF
661 MAIL_DIR /var/mail
662 FAILLOG_ENAB yes
663 LOG_UNKFAIL_ENAB no
664 LOG_OK_LOGINS no
665 SYSLOG_SU_ENAB yes
666 SYSLOG_SG_ENAB yes
667 FTMP_FILE /var/log/btmp
668 SU_NAME su
669 HUSHLOGIN_FILE .hushlogin
670 ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
671 ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
672 # NOTE: met les sbin/ dans ENV_PATH ;
673 # - ça n'apporte aucune protection de ne pas les mettre ;
674 # - ça frustre de ne pas les trouver.
675 TTYGROUP tty
676 TTYPERM 0600
677 ERASECHAR 0177
678 KILLCHAR 025
679 UMASK 007
680 # NOTE: rwxrwx--- ;
681 # - donne une même confiance au groupe propriétaire qu'au propriétaire ;
682 # - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
683 PASS_MAX_DAYS 99999
684 PASS_MIN_DAYS 0
685 PASS_WARN_AGE 7
686 UID_MIN 1000
687 UID_MAX 60000
688 GID_MIN 1000
689 GID_MAX 60000
690 LOGIN_RETRIES 3
691 LOGIN_TIMEOUT 60
692 CHFN_RESTRICT rwh
693 DEFAULT_HOME yes
694 USERGROUPS_ENAB yes
695 ENCRYPT_METHOD SHA512
696 EOF
697 grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
698 sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF
699 $(cat /etc/pam.d/common-session)
700 session optional pam_umask.so
701 EOF
702 grep -q '^hvc0$' /etc/securetty ||
703 sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
704 $(cat /etc/securetty)
705 hvc0
706 EOF
707 grep -q '^xvc0$' /etc/securetty ||
708 sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
709 $(cat /etc/securetty)
710 xvc0
711 EOF
712 }
713 rule_mail_configure () {
714 rule postfix_configure
715 rule postgrey_configure
716 rule procmail_configure
717 rule dovecot_configure
718 }
719 rule_mysql_configure () {
720 rule apt_get_install mysql-server-5.5
721 sudo install -m 644 -o root -g root \
722 "$tool"/etc/mysql/my.cnf \
723 /etc/mysql/my.cnf
724 if test ! -d /home/mysql; then
725 sudo install -d -m 750 -o mysql -g mysql \
726 /home/mysql
727 sudo -u mysql mysql_install_db --no-defaults --datadir=/home/mysql/
728 fi
729 }
730 rule_network_configure () {
731 sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
732 $vm
733 EOF
734 grep -q " $vm\$" /etc/hosts ||
735 sudo install -m 644 -o root -g root /dev/stdin /etc/hosts <<-EOF
736 $(cat /etc/hosts)
737 127.0.0.1 $vm_fqdn $vm
738 EOF
739 sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF
740 auto lo
741 iface lo inet loopback
742
743 auto eth0=grenode
744 iface grenode inet static
745 address $vm_ipv4
746 gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
747 network $vm_ipv4
748 broadcast $vm_ipv4
749 netmask 255.255.255.255
750 mtu 1300
751 # NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
752 # car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
753 #
754 # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
755 # PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
756 # 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
757 #
758 # --- soupirail.grenode.net ping statistics ---
759 # 1 packets transmitted, 1 received, 0% packet loss, time 0ms
760 # rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
761 # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
762 # PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
763 # From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
764 #
765 # --- soupirail.grenode.net ping statistics ---
766 # 0 packets transmitted, 0 received, +1 errors
767 post-up ip address add $vm_ipv4/32 dev \$IFACE
768 pre-down ip address delete $vm_ipv4/32 dev \$IFACE
769 EOF
770 }
771 rule_www_configure () {
772 getent passwd www >/dev/null ||
773 sudo adduser \
774 --disabled-login \
775 --disabled-password \
776 --group \
777 --home /home/www \
778 --shell /bin/false \
779 --system \
780 www
781 sudo adduser \
782 --disabled-login \
783 --disabled-password \
784 --group \
785 --home ~www/log \
786 --shell /bin/false \
787 --system \
788 log.www
789 #sudo adduser www www-data
790 sudo adduser www log.www
791 #sudo adduser log log.www
792 usermod --home /home/www/pub www-data
793 sudo install -d -m 751 -o www -g www \
794 /home/www
795 sudo install -d -m 750 -o www -g www \
796 /home/www/etc
797 sudo install -d -m 1771 -o www-data -g www-data \
798 /home/www/pub
799 sudo install -d -m 1771 -o log.www -g log.www \
800 /home/www/log
801 }
802 rule_nginx_configure () {
803 local -; set +f
804 rule apt_get_install nginx
805 rule www_configure
806 sudo rm -rf \
807 /etc/nginx/conf.d \
808 /etc/nginx/site.d
809 sudo install -d -m 770 -o www -g www \
810 /etc/nginx \
811 /etc/nginx/conf.d \
812 /etc/nginx/site.d
813 sudo ln -fns \
814 /etc/nginx \
815 /home/www/etc/nginx
816 sudo install -m 660 -o www -g www \
817 "$tool"/etc/nginx/nginx.conf \
818 /etc/nginx/nginx.conf
819 local conf
820 for conf in "$tool"/etc/nginx/conf.d/*.conf
821 do conf=${conf#"$tool"/etc/nginx/conf.d/}
822 sudo install -m 660 -o www -g www \
823 "$tool"/etc/nginx/conf.d/"$conf" \
824 /etc/nginx/conf.d/"$conf"
825 done
826 for conf in "$tool"/etc/nginx/site.d/*/server.conf
827 do conf=${conf#"$tool"/etc/nginx/site.d/}
828 local port domain
829 IFS=. read -r port domain <<-EOF
830 ${conf%\/server\.conf}
831 EOF
832 assert 'test "${port:+set}"'
833 assert 'test "${domain:+set}"'
834 local site="$port.$domain"
835 getent passwd www."$site" >/dev/null ||
836 sudo adduser \
837 --disabled-login \
838 --disabled-password \
839 --group \
840 --home ~www-data/"$site" \
841 --shell /bin/false \
842 --system \
843 www."$site"
844 getent passwd log."$site" >/dev/null ||
845 sudo adduser \
846 --disabled-login \
847 --disabled-password \
848 --group \
849 --shell /bin/false \
850 --system \
851 log."$site"
852 sudo usermod --home ~www/log/"$site"/nginx log."$site"
853 sudo install -d -m 770 -o www -g www \
854 /etc/nginx/site.d/"$site"
855 case $port in
856 (443)
857 local hint="run vm_remote nginx_key_send before"
858 assert "sudo test -f /etc/nginx/\"$site\"/x509/key.pem" hint
859 sudo install -m 664 -o www -g www \
860 "$tool"/var/pub/x509/"$site"/crt+ca.pem \
861 /etc/nginx/site.d/"$site"/x509/crt.pem
862 ;;
863 esac
864 case $port in
865 (80)
866 cat <<-EOF
867 server {
868 listen $port;
869 access_log /home/www/log/$site/nginx/access.log main;
870 error_log /home/www/log/$site/nginx/error.log warn;
871 root /home/www/pub/$site;
872 server_name $domain;
873 $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
874 }
875 EOF
876 ;;
877 (443)
878 cat <<-EOF
879 server {
880 listen $port;
881 access_log /home/www/log/$site/nginx/access.log main;
882 error_log /home/www/log/$site/nginx/error.log warn;
883 keepalive_timeout 70;
884 root /home/www/pub/$site;
885 server_name $domain;
886 # DOC: http://wiki.nginx.org/HttpSslModule
887 ssl on;
888 ssl_certificate /home/www/etc/nginx/site.d/$site/x509/crt.pem;
889 ssl_certificate_key /home/www/etc/nginx/site.d/$site/x509/key.pem;
890 ssl_ciphers HIGH:!ADH:!MD5;
891 ssl_prefer_server_ciphers on;
892 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
893 ssl_session_cache shared:SSL:10m;
894 $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
895 }
896 EOF
897 ;;
898 esac |
899 sudo install -m 660 -o www -g www /dev/stdin \
900 /etc/nginx/site.d/"$site"/server.conf
901 adduser www-data www."$site"
902 test -e /home/www/pub/"$site" ||
903 sudo install -d -m 3770 -o www."$site" -g www."$site" \
904 /home/www/pub/"$site"
905 sudo install -d -m 3770 -o log."$site" -g log."$site" \
906 /home/www/log/"$site"/nginx
907 test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
908 . "$tool"/etc/nginx/site.d/"$site"/configure.sh
909 done
910 rule apt_get_install spawn-fcgi fcgiwrap
911 sudo insserv --remove fcgiwrap
912 rule tmpfs_configure
913 sudo service nginx restart
914 }
915 rule_php5_fpm_configure () {
916 local -; set +f
917 rule apt_get_install \
918 php5-fpm \
919 php-apc
920 getent passwd php5 >/dev/null ||
921 sudo adduser \
922 --disabled-login \
923 --disabled-password \
924 --group \
925 --shell /bin/false \
926 --system \
927 php5
928 local conf
929 sudo ln -fns \
930 /etc/php5-fpm \
931 /home/www/etc/php5
932 sudo rm -f /etc/php5/fpm/pool.d/*
933 for conf in "$tool"/etc/php5/fpm/pool.d/*.conf
934 do conf=${conf#"$tool"/etc/php5/fpm/pool.d/}
935 local port domain
936 IFS=. read -r port domain <<-EOF
937 ${conf%\.conf}
938 EOF
939 assert 'test "${port:+set}"'
940 assert 'test "${domain:+set}"'
941 local site="$port.$domain"
942 getent passwd php5."$site" >/dev/null ||
943 sudo adduser \
944 --disabled-login \
945 --disabled-password \
946 --group \
947 --no-create-home \
948 --home ~www/pub/"$site" \
949 --shell /bin/false \
950 --system \
951 php5."$site"
952 sudo install -d -m 770 -o php5 -g php5 \
953 /home/www/log/php5 \
954 /home/www/log/php5/fpm
955 sudo install -d -m 770 -o log."$site" -g log."$site" \
956 /home/www/log/"$site"
957 sudo adduser php5."$site" www."$site"
958 sudo install -m 660 -o root -g root /dev/stdin \
959 /etc/php5/fpm/pool.d/"$conf" <<-EOF
960 [php5.$site]
961 access.log = /home/www/log/$site/php5/fpm/access.log
962 catch_workers_output = yes
963 chdir = /
964 env[HOSTNAME] = \$HOSTNAME
965 env[TEMP] = /tmp
966 env[TMPDIR] = /tmp
967 env[TMP] = /tmp
968 group = www-data
969 listen = /run/nginx/fastcgi/php5.$site
970 #listen = 127.0.0.1:9000
971 #listen.allowed_clients = 127.0.0.1
972 listen.backlog = -1
973 pm = dynamic
974 pm.max_children = 5
975 pm.max_requests = 200
976 pm.max_spare_servers = 4
977 pm.min_spare_servers = 2
978 pm.start_servers = 3
979 pm.status_path = /status
980 request_slowlog_timeout = 5s
981 request_terminate_timeout = 120s
982 rlimit_core = unlimited
983 rlimit_files = 131072
984 slowlog = /home/www/log/$site/php5/fpm/slow.log
985 user = $php5_user
986 $(cat "$tool"/etc/php5/fpm/pool.d/"$conf")
987 EOF
988 sudo install -m 664 -o root -g root \
989 "$tool"/etc/php5/fpm/php.ini \
990 /etc/php5/fpm/php.ini
991 done
992 rule tmpfs_configure
993 sudo service php5-fpm restart
994 }
995 rule_postfix_configure () {
996 local hint="run vm_remote postfix_key_send before"
997 assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
998 #warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
999 sudo debconf-set-selections <<-EOF
1000 postfix postfix/main_mailer_type select No configuration
1001 EOF
1002 rule apt_get_install postfix
1003 sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
1004 *.db
1005 EOF
1006 sudo install -d -m 771 -o root -g root \
1007 /etc/postfix/ \
1008 /etc/postfix/$vm_domainname/ \
1009 /etc/postfix/$vm_domainname/smtp \
1010 /etc/postfix/$vm_domainname/smtp/x509 \
1011 /etc/postfix/$vm_domainname/smtp/x509/ca \
1012 /etc/postfix/$vm_domainname/smtpd \
1013 /etc/postfix/$vm_domainname/smtpd/x509 \
1014 /etc/postfix/$vm_domainname/smtpd/x509/ca
1015 sudo ln -fns \
1016 ../crt+crl.self-signed.pem \
1017 /etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
1018 sudo install -m 400 -o root -g root \
1019 "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \
1020 /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
1021 sudo install -m 400 -o root -g root \
1022 "$tool"/var/pub/x509/smtpd.$vm_domainname/crt.pem \
1023 /etc/postfix/$vm_domainname/smtpd/x509/crt.pem
1024 sudo install -m 400 -o root -g root \
1025 "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+ca.pem \
1026 /etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem
1027 sudo install -m 400 -o root -g root \
1028 "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \
1029 /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
1030 sudo install -m 660 -o root -g root \
1031 "$tool"/etc/postfix/$vm_domainname/header_checks \
1032 /etc/postfix/$vm_domainname/header_checks
1033 sudo install -m 664 -o root -g root /dev/stdin \
1034 /etc/postfix/aliases <<-EOF
1035 # See man 5 aliases for format
1036 abuse: root
1037 admin: root
1038 contact: root
1039 mailer-daemon: root
1040 postmaster: root
1041 root: $(getent group sudo | cut -f 4 -d : | tr , ' ')
1042 EOF
1043 sudo newaliases -oA/etc/postfix/aliases
1044 cat /dev/stdin "$tool"/etc/postfix/main.cf <<-EOF |
1045 mydomain = $vm_domainname
1046 myorigin = \$mydomain
1047 myhostname = $vm_hostname.\$mydomain
1048 mail_name = \$myhostname
1049 mydestination = $vm_hostname \$myhostname \$myorigin
1050 EOF
1051 sudo install -m 664 -o root -g root /dev/stdin \
1052 /etc/postfix/main.cf
1053 sudo install -m 664 -o root -g root \
1054 "$tool"/etc/postfix/master.cf \
1055 /etc/postfix/master.cf
1056 sudo install -m 660 -o root -g root \
1057 "$tool"/etc/postfix/$vm_domainname/smtp/x509/policy \
1058 /etc/postfix/$vm_domainname/smtp/x509/policy
1059 sudo postmap hash:/etc/postfix/$vm_domainname/smtp/x509/policy
1060 sudo install -m 660 -o root -g root \
1061 "$tool"/etc/postfix/$vm_domainname/smtp/header_checks \
1062 /etc/postfix/$vm_domainname/smtp/header_checks
1063 sudo install -m 660 -o root -g root \
1064 "$tool"/etc/postfix/$vm_domainname/smtpd/sender_access \
1065 /etc/postfix/$vm_domainname/smtpd/sender_access
1066 sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/sender_access
1067 sudo install -m 660 -o root -g root \
1068 "$tool"/etc/postfix/$vm_domainname/smtpd/client_blacklist \
1069 /etc/postfix/$vm_domainname/smtpd/client_blacklist
1070 sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/client_blacklist
1071 sudo install -m 660 -o root -g root \
1072 "$tool"/etc/postfix/$vm_domainname/smtpd/relay_clientcerts \
1073 /etc/postfix/$vm_domainname/smtpd/relay_clientcerts
1074 sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/relay_clientcerts
1075 sudo install -m 660 -o root -g root \
1076 "$tool"/etc/postfix/$vm_domainname/transport \
1077 /etc/postfix/$vm_domainname/transport
1078 sudo postmap hash:/etc/postfix/$vm_domainname/transport
1079 sudo install -m 660 -o root -g root \
1080 "$tool"/etc/postfix/$vm_domainname/virtual_alias \
1081 /etc/postfix/$vm_domainname/virtual_alias
1082 sudo postmap hash:/etc/postfix/$vm_domainname/virtual_alias
1083 sudo service postfix restart
1084 }
1085 rule_postgresql_configure () {
1086 rule apt_get_install postgresql-9.1
1087 if [ ! -d /var/lib/postgresql/9.1/ ]; then
1088 pg_createcluster -u postgres --start 9.1 main
1089 fi
1090 sudo install -m 660 -o root -g root \
1091 "$tool"/etc/postgresql/9.1/main/postgresql.conf \
1092 /etc/postgresql/9.1/main/postgresql.conf
1093 sudo service postgresql restart
1094 }
1095 rule_openerp_configure () {
1096 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
1097 deb http://nightly.openerp.com/trunk/nightly/deb/ ./
1098 EOF
1099 sudo apt-get update
1100 rule apt_get_install openerp
1101 }
1102 rule_postgrey_configure () {
1103 rule apt_get_install postgrey
1104 sudo service postgrey restart
1105 }
1106 rule_procmail_configure () {
1107 rule apt_get_install procmail
1108 sudo install -d -m 770 -o root -g root \
1109 /etc/skel/etc/mail \
1110 /etc/skel/var/cache/mail \
1111 /etc/skel/var/log/mail \
1112 /etc/skel/var/mail
1113 sudo install -m 660 -o root -g root \
1114 "$tool"/etc/skel/etc/mail/delivery.procmailrc \
1115 /etc/skel/etc/mail/delivery.procmailrc
1116 }
1117 rule_runit_configure () {
1118 rule apt_get_install runit
1119 local -; set +f
1120 rm -f /etc/service/*
1121 # NOTE: runsvdir éteindra les services qui n'apparaîtront plus ici.
1122 for sv in "$tool"/etc/sv/*
1123 do sv=${sv#"$tool"/etc/sv/}
1124 sudo install -d -m 770 -o root -g root \
1125 /etc/sv/"$sv"
1126 sudo install -m 770 -o root -g root \
1127 "$tool"/etc/sv/"$sv"/run \
1128 /etc/sv/"$sv"/run
1129 if test -e "$tool"/etc/sv/"$sv"/log/run
1130 then
1131 sudo install -d -m 770 -o root -g root \
1132 /etc/sv/"$sv"/log
1133 sudo install -m 770 -o root -g root \
1134 "$tool"/etc/sv/"$sv"/log/run \
1135 /etc/sv/"$sv"/log/run
1136 fi
1137 if test ! -x "$tool"/etc/sv/"$sv"/configure ||
1138 "$tool"/etc/sv/"$sv"/configure
1139 then
1140 ln -fns ../sv/"$sv" /etc/service/"$sv"
1141 test ! -e /etc/sv/"$sv"/supervise/ok ||
1142 sv restart "$sv"
1143 fi
1144 done
1145 }
1146 rule_ssh_configure () {
1147 ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
1148 ( while IFS= read -r line
1149 do case $line in (*" RSA") return 0; break;; esac
1150 done; return 1 ) ||
1151 sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
1152 sudo rm -f \
1153 /etc/ssh/ssh_host_dsa_key \
1154 /etc/ssh/ssh_host_dsa_key.pub \
1155 /etc/ssh/ssh_host_ecdsa_key \
1156 /etc/ssh/ssh_host_ecdsa_key.pub
1157 # NOTE: clefs générées par Debian
1158 sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
1159 Port 22
1160 ListenAddress $vm_ipv4
1161 #ListenAddress ::
1162 Protocol 2
1163 Compression yes
1164 HostKey /etc/ssh/ssh_host_rsa_key
1165 UsePrivilegeSeparation yes
1166 KeyRegenerationInterval 3600
1167 ServerKeyBits 768
1168 SyslogFacility AUTH
1169 LogLevel INFO
1170 LoginGraceTime 120
1171 PermitRootLogin yes
1172 StrictModes yes
1173 RSAAuthentication yes
1174 PubkeyAuthentication yes
1175 AuthorizedKeysFile %h/etc/ssh/authorized_keys
1176 IgnoreRhosts yes
1177 RhostsRSAAuthentication no
1178 HostbasedAuthentication no
1179 IgnoreUserKnownHosts no
1180 PermitEmptyPasswords no
1181 ChallengeResponseAuthentication no
1182 PasswordAuthentication no
1183 KerberosAuthentication no
1184 GSSAPIAuthentication no
1185 X11Forwarding no
1186 X11DisplayOffset 10
1187 PrintMotd no
1188 DebianBanner no
1189 PrintLastLog yes
1190 TCPKeepAlive yes
1191 ClientAliveInterval 0
1192 AcceptEnv LANG LC_*
1193 Subsystem sftp /usr/lib/openssh/sftp-server
1194 UsePAM yes
1195 EOF
1196 sudo service ssh restart
1197 }
1198 rule_sysctl_configure () {
1199 local -; set +f
1200 for conf in "$tool"/etc/sysctl.d/*.conf
1201 do conf=${conf#"$tool"/etc/sysctl.d/}
1202 sudo install -m 660 -o root -g root \
1203 "$tool"/etc/sysctl.d/"$conf" \
1204 /etc/sysctl.d/"$conf"
1205 done
1206 sudo sysctl --system
1207 }
1208 rule_tmpfs_configure () {
1209 sudo install -m 644 -o root -g root /dev/stdin /etc/default/tmpfs <<-EOF
1210 LOCK_SIZE=5242880 # NOTE: 5MiB
1211 RAMLOCK=yes
1212 RAMSHM=yes
1213 RAMTMP=yes
1214 RUN_SIZE=10%
1215 SHM_SIZE=
1216 TMP_MODE=1777,nr_inodes=1000k,noatime
1217 TMP_OVERFLOW_LIMIT=1024
1218 # NOTE: mount tmpfs on /tmp if there is less than the limit size (in kiB)
1219 # on the root filesystem (overriding RAMTMP).
1220 TMP_SIZE=200m
1221 TMPFS_SIZE=20%VM
1222 EOF
1223 sudo install -m 775 -o root -g root \
1224 "$tool"/etc/init.d/tmpfs \
1225 /etc/init.d/tmpfs
1226 sudo update-rc.d tmpfs defaults
1227 }
1228 rule_time_configure () {
1229 sudo install -m 644 -o root -g root /dev/stdin /etc/timezone <<-EOF
1230 Europe/Paris
1231 EOF
1232 sudo debconf-set-selections <<-EOF
1233 tzdata tzdata/Areas select Europe
1234 tzdata tzdata/Zones/Europe select Paris
1235 EOF
1236 rule dpkg_reconfigure tzdata
1237 rule apt_get_install ntp
1238 }
1239 rule_user_add () { # SYNTAX: $user
1240 rule user_configure
1241 local user=$1
1242 getent passwd "$user" >/dev/null ||
1243 sudo adduser --disabled-password "$user"
1244 # NOTE: le mot-de-passe doit être initialisé par l'utilisateur à l'aide de passwd-init .
1245 eval local home\; home="~$user"
1246 sudo adduser "$user" users
1247 sudo install -m 640 -o root -g root \
1248 "$tool"/var/pub/ssh/"$user".key \
1249 "$home"/etc/ssh/authorized_keys
1250 local key; local -; set +f
1251 for key in "$tool"/var/pub/openpgp/*.key
1252 do sudo -u "$user" gpg --import - <"$key"
1253 done
1254 }
1255 rule_user_configure () {
1256 sudo install -m 660 -o root -g root /dev/stdin \
1257 /etc/adduser.conf <<-EOF
1258 ADD_EXTRA_GROUPS=1
1259 DHOME=/home
1260 DIR_MODE=0750
1261 DSHELL=/bin/bash
1262 EXTRA_GROUPS="users"
1263 FIRST_GID=1000
1264 FIRST_SYSTEM_GID=100
1265 FIRST_SYSTEM_UID=100
1266 FIRST_UID=1000
1267 GROUPHOMES=no
1268 LAST_GID=29999
1269 LAST_SYSTEM_GID=999
1270 LAST_SYSTEM_UID=999
1271 LAST_UID=29999
1272 LETTERHOMES=no
1273 NAME_REGEX="^[a-z][-a-z0-9_.]*\$"
1274 QUOTAUSER="" # TODO: init
1275 SETGID_HOME=no
1276 SKEL=/etc/skel
1277 SKEL_IGNORE_REGEX="dpkg-(old|new|dist|save)"
1278 USERGROUPS=yes
1279 USERS_GID=100
1280 EOF
1281 sudo install -d -m 750 -o root -g root \
1282 /etc/skel \
1283 /etc/skel/etc \
1284 /etc/skel/etc/gpg \
1285 /etc/skel/etc/ssh
1286 sudo install -d -m 770 -o root -g root \
1287 /etc/skel/var \
1288 /etc/skel/var/cache \
1289 /etc/skel/var/log \
1290 /etc/skel/var/run \
1291 /etc/skel/var/run/ssh
1292 sudo ln -fns etc/ssh /etc/skel/.ssh
1293 sudo ln -fns etc/gpg /etc/skel/.gnupg
1294 sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
1295 %sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
1296 case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
1297 ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
1298 EOF
1299 sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF
1300 %sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
1301 EOF
1302 sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/env_keep <<-EOF
1303 Defaults env_keep = " \\
1304 EDITOR \\
1305 GIT_AUTHOR_NAME \\
1306 GIT_AUTHOR_EMAIL \\
1307 GIT_COMMITTER_NAME \\
1308 GIT_COMMITTER_EMAIL \\
1309 "
1310 EOF
1311 sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF
1312 #!/bin/sh -efu
1313 # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
1314 sudo /bin/sh -e -f -u -c \
1315 'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
1316 EOF
1317 sudo install -m 644 -o root -g root \
1318 "$tool"/etc/bash.bashrc \
1319 /etc/bash.bashrc
1320 sudo install -m 644 -o root -g root \
1321 "$tool"/etc/screenrc \
1322 /etc/screenrc
1323 }
1324 rule_user_admin_add () { # SYNTAX: $user
1325 rule user_configure
1326 local user=$1
1327 getent passwd "$user" >/dev/null ||
1328 sudo adduser --disabled-password "$user"
1329 eval local home\; home="~$user"
1330 sudo adduser "$user" sudo
1331 sudo install -m 640 -o root -g root \
1332 "$tool"/var/pub/ssh/"$user".key \
1333 "$home"/etc/ssh/authorized_keys
1334 local key; local -; set +f
1335 for key in "$tool"/var/pub/openpgp/*.key
1336 do sudo -u "$user" gpg --import - <"$key"
1337 done
1338 rule user_admin_configure
1339 }
1340 rule_user_admin_configure () {
1341 rule initramfs_configure
1342 rule user_root_configure
1343 }
1344 rule_user_root_configure () {
1345 sudo install -d -m 750 -o root -g root \
1346 /root/etc \
1347 /root/etc/gpg \
1348 /root/etc/ssh
1349 sudo ln -fns etc/gpg /root/.gnupg
1350 sudo ln -fns etc/ssh /root/.ssh
1351 getent group sudo |
1352 while IFS=: read -r group x x users
1353 do while test -n "$users" && IFS=, read -r user users <<-EOF
1354 $users
1355 EOF
1356 do eval local home\; home="~$user"
1357 cat "$home"/etc/ssh/authorized_keys
1358 done
1359 done |
1360 sudo install -m 640 -o root -g root /dev/stdin /root/etc/ssh/authorized_keys
1361 local key; local -; set +f
1362 for key in "$tool"/var/pub/openpgp/*.key
1363 do sudo gpg --import "$key"
1364 done
1365 }
1366 rule_configure () {
1367 rule apt_configure
1368 rule git_configure
1369 rule etckeeper_configure
1370 rule locales_configure
1371 rule time_configure
1372 rule network_configure
1373 rule filesystem_configure
1374 rule login_configure
1375 rule ssh_configure
1376 rule user_root_configure
1377 rule boot_configure
1378 rule sysctl_configure
1379 rule user_configure
1380 rule mail_configure
1381 #rule apache2_configure
1382 rule nginx_configure
1383 rule php5_fpm_configure
1384 rule gitolite_configure
1385 rule runit_configure
1386 }
1387
1388 rule_luks_key_change () {
1389 sudo cryptsetup luksChangeKey /dev/$vm_lvm_vg/${vm_lvm_lv}_root
1390 }
1391
1392 rule=${1:-help}
1393 ${1+shift}
1394 case $rule in
1395 (help);;
1396 (*)
1397 assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
1398 ;;
1399 esac
1400 rule $rule "$@"
outils d'administration d'ateliers.heureux-cyclage.org