dépôts / lhc / ateliers.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Ajout : vm_hosted : rule_sysctl_configure
[lhc/ateliers.git] / vm_hosted
1 #!/bin/sh
2 set -e -f ${DRY_RUN:+-n} -u
3 tool=$0
4 while test -L "$tool"
5 do tool=$(readlink "$tool")
6 done
7 tool=${tool%/*}
8 . "$tool"/lib/rule.sh
9 . "$tool"/etc/vm.sh
10
11 rule_help () { # SYNTAX: [--hidden]
12 local hidden; [ ${1:+set} ] || hidden=set
13 cat >&2 <<-EOF
14 DESCRIPTION:
15 ce script regroupe des règles pour administrer la VM ($vm_fqdn)
16 _depuis_ la VM hébergée ($vm_fqdn) ;
17 il sert à la fois d'outil (aisément bidouillable)
18 et de documentation (préçise).
19 Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
20 SYNTAX: $0 \$RULE \${RULE}_SYNTAX
21 RULES:
22 $(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
23 ENVIRONMENT:
24 TRACE # affiche les commandes avant leur exécution
25 $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
26 EOF
27 }
28
29 rule_git_configure () {
30 (
31 cd "$tool"
32 git config --replace branch.master.remote .
33 git config --replace branch.master.merge refs/remotes/master
34 local tool
35 tool=$(cd "$tool"; cd -)
36 sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/
37 sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/vm
38 )
39 }
40 rule_git_reset () {
41 (
42 cd "$tool"
43 git checkout -f -B master remotes/master
44 git clean -f -d -x
45 )
46 }
47
48 rule_apt_get_install () { # SYNTAX: $package
49 sudo apt-get install "$@"
50 }
51
52 rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
53 export LANG=C
54 export LC_CTYPE=C
55 . /etc/profile
56 }
57
58 rule_apache2_configure () {
59 local -; set +f
60 rule apt_get_install \
61 apache2-mpm-itk \
62 libapache2-mod-php5
63 # VOIR: http://serverfault.com/questions/383526/how-do-i-select-which-apache-mpm-to-use/383634#383634
64 # VOIR: http://jkroon.blogs.uls.co.za/it/security/using-php-fpm-and-mod_proxy_fcgi-to-optimize-and-secure-lamp-servers
65 # NOTE: apache2-mpm-itk semble le plus sécurisé,
66 # car on est certain que tout est exécuté avec les uid/gid
67 # assignés au VirtualHost/Directory/Location
68 # néamoins il se peut qu'une combinaison du genre :
69 # apache2-mpm-{worker,event} + mod_proxy_fcgi + apache2-suexec-custom + php-fpm
70 # soit plus performante (threads et pas forks),
71 # cependant l'usage de suexec impose des forks il semble..
72 # et mod_proxy_fcgi n'apparaît que dans apache 2.4 ;
73 # donc pour l'instant : apache2-mpm-itk
74 rule www_configure
75 cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF |
76 ServerName "$vm_fqdn"
77 EOF
78 sudo install -m 660 -o root -g root /dev/stdin \
79 /etc/apache2/apache2.conf
80 sudo install -m 660 -o root -g root \
81 "$tool"/etc/apache2/envvars \
82 /etc/apache2/envvars
83 sudo install -m 660 -o root -g root \
84 "$tool"/etc/apache2/httpd.conf \
85 /etc/apache2/httpd.conf
86 #sudo install -m 660 -o root -g root /dev/stdin \
87 # /etc/apache2/suexec/www-data <<-EOF
88 # /home
89 # pub/www/cgi
90 # EOF
91 sudo install -m 660 -o root -g root \
92 "$tool"/etc/apache2/ports.conf \
93 /etc/apache2/ports.conf
94 sudo a2enmod actions
95 sudo a2enmod headers
96 sudo a2enmod rewrite
97 sudo a2enmod ssl
98 sudo a2enmod userdir
99 local conf
100 sudo a2dissite "*"
101 sudo ln -fns \
102 /etc/apache2 \
103 /home/www/etc/apache2
104 for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf
105 do conf=${conf#"$tool"/etc/apache2/site.d/}
106 local port site
107 IFS=. read -r port site <<-EOF
108 ${conf%\/VirtualHost\.conf}
109 EOF
110 assert 'test "${site:+set}"'
111 assert 'test "${port:+set}"'
112 local site_user="$user.$port.$site"
113 local site_dir="$user.$port.$site"
114 case $port in
115 (443)
116 local hint="run vm_remote apache2_key_send before"
117 assert "sudo test -f /etc/apache2/site.d/\"$site_dir\"/x509/key.pem" hint
118 sudo install -d -m 770 -o "$user" -g "$user" \
119 /etc/apache2 \
120 /etc/apache2/site.d/"$site_dir" \
121 /etc/apache2/site.d/"$site_dir"/x509 \
122 /etc/apache2/site.d/"$site_dir"/x509/ca \
123 /etc/apache2/site.d/"$site_dir"/x509/empty \
124 /etc/apache2/site.d/"$site_dir"/x509/rvk \
125 /etc/apache2/site.d/"$site_dir"/x509/usr
126 sudo install -m 664 -o www -g www \
127 "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
128 /etc/apache2/site.d/"$site_dir"/x509/crt.self-signed.pem
129 #sudo install -m 664 -o "$user" -g "$user" \
130 # "$tool"/var/pub/x509/"$site"/rvk.pem \
131 # /etc/apache2/site.d/"$site_dir"/x509/rvk.pem
132 sudo install -m 664 -o www -g www \
133 "$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \
134 /etc/apache2/site.d/"$site_dir"/x509/ca/crt.pem
135 sudo install -m 664 -o www -g www \
136 "$tool"/var/pub/x509/"$site"/crt.pem \
137 /etc/apache2/site.d/"$site_dir"/x509/crt.pem
138 ;;
139 esac
140 case $port in
141 (80)
142 cat <<-EOF
143 <VirtualHost *:$port>
144 AssignUserID $site_user $site_user
145 CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
146 #CustomLog "/dev/null" Combined
147 DocumentRoot /home/www/pub/$site_dir
148 ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
149 #ErrorLog "/dev/null"
150 ServerName $site
151 LogLevel Warn
152 $(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
153 </VirtualHost>
154 EOF
155 ;;
156 (443)
157 cat <<-EOF
158 <IfModule mod_ssl.c>
159 <VirtualHost *:$port>
160 AssignUserID $site_user $site_user
161 BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0
162 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
163 CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
164 #CustomLog "/dev/null" Combined
165 DocumentRoot /home/www/pub/$site_dir
166 ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
167 #ErrorLog "/dev/null"
168 LogLevel Warn
169 ServerName $site
170 SSLCACertificateFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
171 SSLCACertificatePath /etc/apache2/site.d/$site_dir/x509/usr/
172 #SSLCARevocationFile /etc/apache2/site.d/$site_dir/x509/rvk.pem
173 SSLCADNRequestFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
174 SSLCADNRequestPath /etc/apache2/site.d/$site_dir/x509/empty/
175 # NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés
176 SSLCARevocationPath /etc/apache2/site.d/$site_dir/x509/rvk/
177 SSLCertificateChainFile /etc/apache2/site.d/$site_dir/x509/ca/crt.pem
178 SSLCertificateFile /etc/apache2/site.d/$site_dir/x509/crt.pem
179 SSLCertificateKeyFile /etc/apache2/site.d/$site_dir/x509/key.pem
180 SSLCipherSuite AES+RSA+SHA256
181 SSLEngine On
182 SSLInsecureRenegotiation Off
183 SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars
184 SSLProtocol -All +TLSv1
185 #SSLRenegBufferSize 262144
186 SSLSessionCacheTimeout 1200
187 SSLStrictSNIVHostCheck On
188 SSLUserName SSL_CLIENT_S_DN_CN
189 SSLVerifyClient None
190 SSLVerifyDepth 1
191 $(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
192 </VirtualHost>
193 </IfModule>
194 EOF
195 ;;
196 esac |
197 sudo install -m 660 -o root -g root /dev/stdin \
198 /etc/apache2/site.d/"$site_dir"/VirtualHost.conf
199 sudo ln -fns \
200 ../site.d/"$site_dir"/VirtualHost.conf \
201 /etc/apache2/sites-available/"$site_dir"
202 sudo install -d -m 770 -o "$user" -g "$user" \
203 /home/www/log/"$site_dir" \
204 /home/www/log/"$site_dir"/apache2
205 sudo ln -fns \
206 /etc/apache2/site.d/"$site_dir" \
207 /home/www/etc/apache2/"$site_dir"
208 test -e /home/www/pub/"$site_dir" ||
209 sudo install -d -m 770 -o "$user" -g "$user" \
210 /home/www/pub/"$site_dir"
211 getent passwd "$site_user" >/dev/null ||
212 sudo adduser \
213 --disabled-password \
214 --group \
215 --no-create-home \
216 --home /home/www/pub/"$site_dir" \
217 --shell /bin/false \
218 --system \
219 "$site_user"
220 sudo setfacl -m u:"$site_user":--x \
221 /home/www/ \
222 /home/www/pub/ \
223 /home/www/pub/"$site_dir"/
224 sudo setfacl -m d:u:"$site_user":rwx \
225 "$home"/pub/www/"$site_dir"/
226 test ! -r "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh ||
227 . "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh
228 test -e /etc/apache2/sites-enabled/"$site_dir" ||
229 sudo a2ensite "$site_dir"
230 done
231 sudo service apache2 restart
232 }
233 rule_apt_configure () {
234 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
235 deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
236 EOF
237 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF
238 #deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
239 EOF
240 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
241 Package: *
242 Pin: release a=$vm_lsb_name
243 Pin-Priority: 170
244
245 Package: *
246 Pin: release a=$vm_lsb_name-backports
247 Pin-Priority: 200
248 EOF
249 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
250 deb http://nightly.openerp.com/trunk/nightly/deb/ ./
251 EOF
252 sudo apt-get update
253 rule apt_get_install apticron
254 sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF
255 EMAIL="admin@$vm_domainname"
256 # DIFF_ONLY="1"
257 # LISTCHANGES_PROFILE="apticron"
258 # ALL_FQDNS="1"
259 # SYSTEM="foobar.example.com"
260 # IPADDRESSNUM="1"
261 # IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
262 # NOTIFY_HOLDS="0"
263 # NOTIFY_NEW="0"
264 # NOTIFY_NO_UPDATES="0"
265 # CUSTOM_SUBJECT=""
266 # CUSTOM_NO_UPDATES_SUBJECT=""
267 # CUSTOM_FROM="root@$vm_fqdn"
268 EOF
269 }
270 rule_boot_configure () {
271 warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
272 rule apt_get_install grub-pc
273 sudo install -d -m 644 -o root -g root /boot/grub
274 rule apt_get_install linux-image-$vm_arch
275 sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF
276 GRUB_DEFAULT=0
277 GRUB_TIMEOUT=5
278 GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
279 GRUB_CMDLINE_LINUX_DEFAULT="quiet"
280 GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
281 GRUB_DISABLE_RECOVERY="true"
282 #GRUB_PRELOAD_MODULES="lvm"
283 EOF
284 sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF
285 (hd0) /dev/xvda
286 (hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
287 EOF
288 sudo update-grub2 # NOTE: prend en compte /boot/grub/device.map
289 rule initramfs_configure
290 }
291 rule_dovecot_configure () {
292 rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
293 local hint="run vm_remote dovecot_key_send before"
294 assert "sudo test -f /etc/dovecot/\"$vm_domainname\"/imap/x509/key.pem" hint
295 sudo install -m 400 -o root -g root \
296 "$tool"/var/pub/x509/$vm_domainname/imap/crt+crl.self-signed.pem \
297 /etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
298 sudo install -d -m 770 -o root -g adm \
299 /etc/skel/etc/mail \
300 /etc/skel/etc/sieve
301 sudo install -d -m 1777 -o root -g root \
302 /var/lib/dovecot-control \
303 /var/lib/dovecot-index
304 sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
305 auth_ssl_username_from_cert = yes
306 listen = *
307 log_timestamp = "%Y-%m-%d %H:%M:%S "
308 mail_debug = yes
309 mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
310 # NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
311 # VOIR: http://wiki2.dovecot.org/Quota/FS
312 mail_plugins = \$mail_plugins quota
313 mail_privileged_group = mail
314 passdb {
315 args = /home/%u/etc/dovecot/passwd
316 driver = passwd-file
317 }
318 plugin {
319 quota = fs:user
320 recipient_delimiter = +
321 sieve = ~/etc/mail/filter.sieve
322 sieve_dir = ~/etc/mail/sieve
323 sieve_global_dir = /var/lib/dovecot/sieve/global/
324 sieve_max_script_size = 1M
325 sieve_quota_max_scripts = 0
326 sieve_quota_max_storage = 10M
327 sieve_user_log = ~/var/log/mail/sieve.log
328 }
329 protocol imap {
330 mail_plugins = \$mail_plugins imap_quota
331 }
332 protocol lda {
333 auth_socket_path = /var/run/dovecot/auth-master
334 hostname = $vm_domainname
335 info_log_path =
336 log_path =
337 mail_plugins = \$mail_plugins sieve
338 postmaster_address = contact+dovecot+lda@$vm_domainname
339 syslog_facility = mail
340 }
341 protocols = imap sieve
342 service auth {
343 user = root
344 unix_listener /var/spool/postfix/private/auth {
345 mode = 0660
346 user = postfix
347 group = postfix
348 }
349 }
350 ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
351 ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
352 ssl_cipher_list = AES256-SHA
353 ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
354 ssl_verify_client_cert = yes
355 userdb {
356 driver = passwd
357 }
358 verbose_ssl = no
359 EOF
360 sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
361 #!/bin/sh -efux
362 # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
363 install -d -m 770 ~/etc/dovecot
364 install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
365 \$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
366 _EOF
367 EOF
368 sudo install -m 664 -o root -g root /dev/stdin /etc/postgrey/whitelist_recipients.local <<-EOF
369 EOF
370 sudo service dovecot restart
371 }
372 rule_etckeeper_configure () {
373 sudo install -m 644 -o root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
374 VCS=git
375 GIT_COMMIT_OPTIONS=""
376 AVOID_DAILY_AUTOCOMMITS=1
377 #AVOID_SPECIAL_FILE_WARNING=1
378 AVOID_COMMIT_BEFORE_INSTALL=1
379 HIGHLEVEL_PACKAGE_MANAGER=apt
380 LOWLEVEL_PACKAGE_MANAGER=dpkg
381 EOF
382 sudo install -m 644 -o root -g root \
383 "$tool"/etc/etckeeper/prompt.sh \
384 /etc/etckeeper/prompt.sh
385 rule apt_get_install etckeeper
386 }
387 rule_filesystem_configure () {
388 sudo install -m 644 -o root -g root /dev/stdin /etc/fstab <<-EOF
389 # <file system> <mount point> <type> <options> <dump> <pass>
390 LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
391 proc /proc proc defaults 0 0
392 sysfs /sys sysfs defaults 0 0
393 tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
394 /dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
395 /dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
396 /dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
397 # NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
398 /dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
399 EOF
400 sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF
401 # <target name> <source device> <key file> <options>
402 ${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
403 ${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
404 ${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
405 ${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
406 EOF
407 }
408 rule_initramfs_configure () {
409 sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
410 MODULES=most
411 BUSYBOX=y
412 KEYMAP=y
413 COMPRESS=gzip
414 DEVICE=eth0
415 EOF
416 sudo install -m 644 -o root -g root /dev/stdin /etc/modprobe.d/xen-pv.conf <<-EOF
417 alias eth0 xennet
418 alias scsi_hostadapter xenblk
419 EOF
420 sudo install -m 644 -o root -g root /dev/stdin /etc/modules <<-EOF
421 sha1_generic
422 sha256_generic
423 sha512_generic
424 aes-x86_64
425 xts
426 # NOTE: pour Xen en mode HVM :
427 #modprobe xen-platform-pci
428 EOF
429 sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF
430 EOF
431 sudo sed -e '/^configure_networking /s/ &$//' \
432 -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
433 # NOTE: corrige une vermine : dropbear doit attendre que le réseau soit configuré..
434 ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
435 ( while IFS= read -r line
436 do case $line in (*" RSA") return 0; break;; esac
437 done; return 1 ) ||
438 {
439 sudo rm -f \
440 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
441 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
442 sudo dropbearkey -t rsa -s 4096 -f \
443 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
444 }
445 # NOTE: ne se préoccupe pas de dropbear_dss_host_key ; Debian la génère et l'utilise néamoins.
446 sudo install -d -m 640 -o root -g root \
447 /etc/initramfs-tools/root \
448 /etc/initramfs-tools/root/.ssh
449 getent group sudo |
450 while IFS=: read -r group x x users
451 do while test -n "$users" && IFS=, read -r user users <<-EOF
452 $users
453 EOF
454 do eval local home\; home="~$user"
455 cat "$home"/etc/ssh/authorized_keys
456 done
457 done |
458 sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys
459 sudo rm -f \
460 /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
461 /etc/initramfs-tools/root/.ssh/id_rsa.pub \
462 /etc/initramfs-tools/root/.ssh/id_rsa
463 # NOTE: clefs générées par Debian
464 sudo update-initramfs -u
465 }
466 rule_time_configure () {
467 sudo install -m 644 -o root -g root /dev/stdin /etc/timezone <<-EOF
468 Europe/Paris
469 EOF
470 sudo dpkg-reconfigure tzdata
471 rule apt_get_install ntp
472 }
473 rule_locale_configure () {
474 sudo install -m 644 -o root -g root /dev/stdin /etc/locale.gen <<-EOF
475 fr_FR.UTF-8 UTF-8
476 EOF
477 sudo update-locale
478 }
479 rule_login_configure () {
480 grep -q '^hvc0$' /etc/securetty ||
481 sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
482 $(cat /etc/securetty)
483 hvc0
484 EOF
485 grep -q '^xvc0$' /etc/securetty ||
486 sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
487 $(cat /etc/securetty)
488 xvc0
489 EOF
490 sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF
491 # /etc/inittab: init(8) configuration.
492
493 # The default runlevel.
494 id:2:initdefault:
495
496 # Boot-time system configuration/initialization script.
497 # This is run first except when booting in emergency (-b) mode.
498 si::sysinit:/etc/init.d/rcS
499
500 # What to do in single-user mode.
501 ~~:S:wait:/sbin/sulogin
502
503 # /etc/init.d executes the S and K scripts upon change
504 # of runlevel.
505 #
506 # Runlevel 0 is halt.
507 # Runlevel 1 is single-user.
508 # Runlevels 2-5 are multi-user.
509 # Runlevel 6 is reboot.
510
511 l0:0:wait:/etc/init.d/rc 0
512 l1:1:wait:/etc/init.d/rc 1
513 l2:2:wait:/etc/init.d/rc 2
514 l3:3:wait:/etc/init.d/rc 3
515 l4:4:wait:/etc/init.d/rc 4
516 l5:5:wait:/etc/init.d/rc 5
517 l6:6:wait:/etc/init.d/rc 6
518 # Normally not reached, but fallthrough in case of emergency.
519 z6:6:respawn:/sbin/sulogin
520
521 # What to do when CTRL-ALT-DEL is pressed.
522 ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
523
524 # What to do when the power fails/returns.
525 pf::powerwait:/etc/init.d/powerfail start
526 pn::powerfailnow:/etc/init.d/powerfail now
527 po::powerokwait:/etc/init.d/powerfail stop
528
529 # Xen hypervisor console
530 hvc:2345:respawn:/sbin/getty 38400 hvc0
531 #xvc:2345:respawn:/sbin/getty 38400 xvc0
532 EOF
533 sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF
534 MAIL_DIR /var/mail
535 FAILLOG_ENAB yes
536 LOG_UNKFAIL_ENAB no
537 LOG_OK_LOGINS no
538 SYSLOG_SU_ENAB yes
539 SYSLOG_SG_ENAB yes
540 FTMP_FILE /var/log/btmp
541 SU_NAME su
542 HUSHLOGIN_FILE .hushlogin
543 ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
544 ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
545 # NOTE: met les sbin/ dans ENV_PATH ;
546 # - ça n'apporte aucune protection de ne pas les mettre ;
547 # - ça frustre de ne pas les trouver.
548 TTYGROUP tty
549 TTYPERM 0600
550 ERASECHAR 0177
551 KILLCHAR 025
552 UMASK 007
553 # NOTE: rwxrwx--- ;
554 # - donne une même confiance au groupe propriétaire qu'au propriétaire ;
555 # - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
556 PASS_MAX_DAYS 99999
557 PASS_MIN_DAYS 0
558 PASS_WARN_AGE 7
559 UID_MIN 1000
560 UID_MAX 60000
561 GID_MIN 1000
562 GID_MAX 60000
563 LOGIN_RETRIES 3
564 LOGIN_TIMEOUT 60
565 CHFN_RESTRICT rwh
566 DEFAULT_HOME yes
567 USERGROUPS_ENAB yes
568 ENCRYPT_METHOD SHA512
569 EOF
570 grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
571 sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF
572 $(cat /etc/pam.d/common-session)
573 session optional pam_umask.so
574 EOF
575 }
576 rule_mail_configure () {
577 rule postfix_configure
578 rule postgrey_configure
579 rule procmail_configure
580 rule dovecot_configure
581 }
582 rule_network_configure () {
583 sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
584 $vm
585 EOF
586 grep -q " $vm\$" /etc/hosts ||
587 sudo install -m 644 -o root -g root /dev/stdin /etc/hosts <<-EOF
588 $(cat /etc/hosts)
589 127.0.0.1 $vm_fqdn $vm
590 EOF
591 sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF
592 auto lo
593 iface lo inet loopback
594
595 auto eth0=grenode
596 iface grenode inet static
597 address $vm_ipv4
598 gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
599 network $vm_ipv4
600 broadcast $vm_ipv4
601 netmask 255.255.255.255
602 mtu 1300
603 # NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
604 # car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
605 #
606 # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
607 # PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
608 # 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
609 #
610 # --- soupirail.grenode.net ping statistics ---
611 # 1 packets transmitted, 1 received, 0% packet loss, time 0ms
612 # rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
613 # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
614 # PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
615 # From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
616 #
617 # --- soupirail.grenode.net ping statistics ---
618 # 0 packets transmitted, 0 received, +1 errors
619 post-up ip address add $vm_ipv4/32 dev \$IFACE
620 pre-down ip address delete $vm_ipv4/32 dev \$IFACE
621 EOF
622 }
623 rule_www_configure () {
624 getent passwd www >/dev/null ||
625 sudo adduser \
626 --disabled-login \
627 --disabled-password \
628 --group \
629 --home /home/www \
630 --shell /bin/false \
631 --system \
632 www
633 sudo adduser \
634 --disabled-login \
635 --disabled-password \
636 --group \
637 --home ~www/log \
638 --shell /bin/false \
639 --system \
640 log.www
641 #sudo adduser www www-data
642 sudo adduser www log.www
643 #sudo adduser log log.www
644 usermod --home /home/www/pub www-data
645 sudo install -d -m 751 -o www -g www \
646 /home/www
647 sudo install -d -m 750 -o www -g www \
648 /home/www/etc
649 sudo install -d -m 1771 -o www-data -g www-data \
650 /home/www/pub \
651 sudo install -d -m 1771 -o log.www -g log.www \
652 /home/www/log
653 }
654 rule_nginx_configure () {
655 local -; set +f
656 rule apt_get_install nginx
657 rule www_configure
658 sudo rm -rf \
659 /etc/nginx/conf.d \
660 /etc/nginx/site.d
661 sudo install -d -m 770 -o www -g www \
662 /etc/nginx \
663 /etc/nginx/conf.d \
664 /etc/nginx/site.d
665 sudo ln -fns \
666 /etc/nginx \
667 /home/www/etc/nginx
668 sudo install -m 660 -o www -g www \
669 "$tool"/etc/nginx/nginx.conf \
670 /etc/nginx/nginx.conf
671 local conf
672 for conf in "$tool"/etc/nginx/conf.d/*.conf
673 do conf=${conf#"$tool"/etc/nginx/conf.d/}
674 sudo install -m 660 -o www -g www \
675 "$tool"/etc/nginx/conf.d/"$conf" \
676 /etc/nginx/conf.d/"$conf"
677 done
678 for conf in "$tool"/etc/nginx/site.d/*/server.conf
679 do conf=${conf#"$tool"/etc/nginx/site.d/}
680 local port site
681 IFS=. read -r port site <<-EOF
682 ${conf%\/server\.conf}
683 EOF
684 assert 'test "${port:+set}"'
685 assert 'test "${site:+set}"'
686 site="$port.$site"
687 getent passwd www."$site" >/dev/null ||
688 sudo adduser \
689 --disabled-login \
690 --disabled-password \
691 --group \
692 --home ~www-data/"$site" \
693 --shell /bin/false \
694 --system \
695 www."$site"
696 getent passwd log."$site" >/dev/null ||
697 sudo adduser \
698 --disabled-login \
699 --disabled-password \
700 --group \
701 --shell /bin/false \
702 --system \
703 log."$site"
704 sudo usermod --home ~www/log/"$site"/nginx log."$site"
705 sudo install -d -m 770 -o www -g www \
706 /etc/nginx/site.d/"$site"
707 case $port in
708 (443)
709 local hint="run vm_remote nginx_key_send before"
710 assert "sudo test -f /etc/nginx/\"$site\"/x509/key.pem" hint
711 sudo install -m 664 -o www -g www \
712 "$tool"/var/pub/x509/"$site"/crt+ca.pem \
713 /etc/nginx/site.d/"$site"/x509/crt.pem
714 ;;
715 esac
716 case $port in
717 (80)
718 cat <<-EOF
719 server {
720 listen $port;
721 access_log /home/www/log/$site/nginx/access.log main;
722 error_log /home/www/log/$site/nginx/error.log warn;
723 root /home/www/pub/$site;
724 server_name $site;
725 $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
726 }
727 EOF
728 ;;
729 (443)
730 cat <<-EOF
731 server {
732 listen $port;
733 access_log /home/www/log/$site/nginx/access.log main;
734 error_log /home/www/log/$site/nginx/error.log warn;
735 keepalive_timeout 70;
736 root /home/www/pub/$site;
737 server_name $site;
738 # DOC: http://wiki.nginx.org/HttpSslModule
739 ssl on;
740 ssl_certificate /home/www/etc/nginx/site.d/$site/x509/crt.pem;
741 ssl_certificate_key /home/www/etc/nginx/site.d/$site/x509/key.pem;
742 ssl_ciphers HIGH:!ADH:!MD5;
743 ssl_prefer_server_ciphers on;
744 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
745 ssl_session_cache shared:SSL:10m;
746 $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
747 }
748 EOF
749 ;;
750 esac |
751 sudo install -m 660 -o www -g www /dev/stdin \
752 /etc/nginx/site.d/"$site"/server.conf
753 adduser www-data "$site"
754 test -e /home/www/pub/"$site" ||
755 sudo install -d -m 3770 -o "$site" -g "$site" \
756 /home/www/pub/"$site"
757 sudo install -d -m 3770 -o log."$site" -g log."$site" \
758 /home/www/log/"$site"/nginx
759 test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
760 . "$tool"/etc/nginx/site.d/"$site"/configure.sh
761 done
762 rule apt_get_install spawn-fcgi fcgiwrap
763 sudo insserv --remove fcgiwrap
764 rule tmpfs_configure
765 sudo service nginx restart
766 }
767 rule_php5_fpm_configure () {
768 local -; set +f
769 rule apt_get_install \
770 php5-fpm \
771 php-apc
772 getent passwd php5 >/dev/null ||
773 sudo adduser \
774 --disabled-login \
775 --disabled-password \
776 --group \
777 --shell /bin/false \
778 --system \
779 php5
780 local conf
781 sudo ln -fns \
782 /etc/php5-fpm \
783 /home/www/etc/php5
784 sudo rm -f /etc/php5/fpm/pool.d/*
785 for conf in "$tool"/etc/php5/fpm/pool.d/*.conf
786 do conf=${conf#"$tool"/etc/php5/fpm/pool.d/}
787 local port site
788 IFS=. read -r port site <<-EOF
789 ${conf%\.conf}
790 EOF
791 assert 'test "${port:+set}"'
792 assert 'test "${site:+set}"'
793 site="$port.$site"
794 getent passwd php5"$site" >/dev/null ||
795 sudo adduser \
796 --disabled-login \
797 --disabled-password \
798 --group \
799 --no-create-home \
800 --home ~www/pub/"$site" \
801 --shell /bin/false \
802 --system \
803 php5."$site"
804 sudo install -d -m 770 -o php5 -g php5 \
805 /home/www/log/php5 \
806 /home/www/log/php5/fpm
807 sudo install -d -m 770 -o log."$site" -g log."$site" \
808 /home/www/log/"$site"
809 sudo adduser php5."$user" www."$site"
810 sudo install -m 660 -o root -g root /dev/stdin \
811 /etc/php5/fpm/pool.d/"$conf" <<-EOF
812 [php5.$site]
813 access.log = /home/www/log/$site/php5/fpm/access.log
814 catch_workers_output = yes
815 chdir = /
816 env[HOSTNAME] = \$HOSTNAME
817 env[TEMP] = /tmp
818 env[TMPDIR] = /tmp
819 env[TMP] = /tmp
820 group = www-data
821 listen = /run/nginx/fastcgi/php5.$site
822 #listen = 127.0.0.1:9000
823 #listen.allowed_clients = 127.0.0.1
824 listen.backlog = -1
825 pm = dynamic
826 pm.max_children = 5
827 pm.max_requests = 200
828 pm.max_spare_servers = 4
829 pm.min_spare_servers = 2
830 pm.start_servers = 3
831 pm.status_path = /status
832 request_slowlog_timeout = 5s
833 request_terminate_timeout = 120s
834 rlimit_core = unlimited
835 rlimit_files = 131072
836 slowlog = /home/www/log/$site/php5/fpm/slow.log
837 user = $php5_user
838 $(cat "$tool"/etc/php5/fpm/pool.d/"$conf")
839 EOF
840 sudo install -m 664 -o root -g root \
841 "$tool"/etc/php5/fpm/php.ini \
842 /etc/php5/fpm/php.ini
843 done
844 rule tmpfs_configure
845 sudo service php5-fpm restart
846 }
847 rule_postfix_configure () {
848 local hint="run vm_remote postfix_key_send before"
849 assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
850 warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
851 rule apt_get_install postfix
852 sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
853 *.db
854 EOF
855 sudo install -d -m 770 -o root -g root \
856 /etc/postfix/$vm_domainname/ \
857 /etc/postfix/$vm_domainname/smtp \
858 /etc/postfix/$vm_domainname/smtp/x509 \
859 /etc/postfix/$vm_domainname/smtp/x509/ca \
860 /etc/postfix/$vm_domainname/smtpd \
861 /etc/postfix/$vm_domainname/smtpd/x509 \
862 /etc/postfix/$vm_domainname/smtpd/x509/ca
863 sudo install -d -m 770 -o root -g root \
864 /etc/postfix/$vm_domainname/ \
865 /etc/postfix/$vm_domainname/smtp \
866 /etc/postfix/$vm_domainname/smtp/x509 \
867 /etc/postfix/$vm_domainname/smtp/x509/ca \
868 /etc/postfix/$vm_domainname/smtpd \
869 /etc/postfix/$vm_domainname/smtpd/x509 \
870 /etc/postfix/$vm_domainname/smtpd/x509/ca
871 sudo ln -fns \
872 ../crt+crl.self-signed.pem \
873 /etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
874 sudo install -m 400 -o root -g root \
875 "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+crl.self-signed.pem \
876 /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
877 sudo install -m 400 -o root -g root \
878 "$tool"/var/pub/x509/$vm_domainname/smtpd/crt.pem \
879 /etc/postfix/$vm_domainname/smtpd/x509/crt.pem
880 sudo install -m 400 -o root -g root \
881 "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+ca.pem \
882 /etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem
883 sudo install -m 400 -o root -g root \
884 "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+crl.self-signed.pem \
885 /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
886 sudo install -m 660 -o root -g root \
887 "$tool"/etc/postfix/$vm_domainname/header_checks \
888 /etc/postfix/$vm_domainname/header_checks
889 sudo install -m 664 -o root -g root /dev/stdin \
890 /etc/postfix/aliases <<-EOF
891 # See man 5 aliases for format
892 abuse: root
893 admin: root
894 contact: root
895 postmaster: root
896 root: $(getent group sudo | cut -f 4 -d : | tr , ' ')
897 EOF
898 sudo newaliases -oA/etc/postfix/aliases
899 cat /dev/stdin "$tool"/etc/postfix/main.cf <<-EOF |
900 mydomain = $vm_domainname
901 myorigin = \$mydomain
902 myhostname = $vm_hostname.\$mydomain
903 mail_name = \$myhostname
904 mydestination = $vm_hostname \$myhostname \$myorigin
905 EOF
906 sudo install -m 664 -o root -g root /dev/stdin \
907 /etc/postfix/main.cf
908 sudo install -m 664 -o root -g root \
909 "$tool"/etc/postfix/master.cf \
910 /etc/postfix/master.cf
911 sudo install -m 660 -o root -g root \
912 "$tool"/etc/postfix/$vm_domainname/smtp/x509/policy \
913 /etc/postfix/$vm_domainname/smtp/x509/policy
914 sudo postmap hash:/etc/postfix/$vm_domainname/smtp/x509/policy
915 sudo install -m 660 -o root -g root \
916 "$tool"/etc/postfix/$vm_domainname/smtp/header_checks \
917 /etc/postfix/$vm_domainname/smtp/header_checks
918 sudo install -m 660 -o root -g root \
919 "$tool"/etc/postfix/$vm_domainname/smtpd/sender_access \
920 /etc/postfix/$vm_domainname/smtpd/sender_access
921 sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/sender_access
922 sudo install -m 660 -o root -g root \
923 "$tool"/etc/postfix/$vm_domainname/smtpd/client_blacklist \
924 /etc/postfix/$vm_domainname/smtpd/client_blacklist
925 sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/client_blacklist
926 sudo install -m 660 -o root -g root \
927 "$tool"/etc/postfix/$vm_domainname/smtpd/relay_clientcerts \
928 /etc/postfix/$vm_domainname/smtpd/relay_clientcerts
929 sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/relay_clientcerts
930 sudo install -m 660 -o root -g root \
931 "$tool"/etc/postfix/$vm_domainname/transport \
932 /etc/postfix/$vm_domainname/transport
933 sudo postmap hash:/etc/postfix/$vm_domainname/transport
934 sudo install -m 660 -o root -g root \
935 "$tool"/etc/postfix/$vm_domainname/virtual_alias \
936 /etc/postfix/$vm_domainname/virtual_alias
937 sudo postmap hash:/etc/postfix/$vm_domainname/virtual_alias
938 sudo service postfix restart
939 }
940 rule_postgrey_configure () {
941 rule apt_get_install postgrey
942 sudo service postgrey restart
943 }
944 rule_procmail_configure () {
945 rule apt_get_install procmail
946 sudo install -d -m 770 -o root -g adm \
947 /etc/skel/etc/mail \
948 /etc/skel/var/cache/mail \
949 /etc/skel/var/log/mail \
950 /etc/skel/var/mail
951 sudo install -m 660 -o root -g adm \
952 "$tool"/etc/skel/etc/mail/delivery.procmailrc \
953 /etc/skel/etc/mail/delivery.procmailrc
954 }
955 rule_ssh_configure () {
956 ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
957 ( while IFS= read -r line
958 do case $line in (*" RSA") return 0; break;; esac
959 done; return 1 ) ||
960 sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
961 sudo rm -f \
962 /etc/ssh/ssh_host_dsa_key \
963 /etc/ssh/ssh_host_dsa_key.pub \
964 /etc/ssh/ssh_host_ecdsa_key \
965 /etc/ssh/ssh_host_ecdsa_key.pub
966 # NOTE: clefs générées par Debian
967 sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
968 Port 22
969 ListenAddress $vm_ipv4
970 #ListenAddress ::
971 Protocol 2
972 Compression yes
973 HostKey /etc/ssh/ssh_host_rsa_key
974 UsePrivilegeSeparation yes
975 KeyRegenerationInterval 3600
976 ServerKeyBits 768
977 SyslogFacility AUTH
978 LogLevel INFO
979 LoginGraceTime 120
980 PermitRootLogin yes
981 StrictModes yes
982 RSAAuthentication yes
983 PubkeyAuthentication yes
984 AuthorizedKeysFile %h/etc/ssh/authorized_keys
985 IgnoreRhosts yes
986 RhostsRSAAuthentication no
987 HostbasedAuthentication no
988 IgnoreUserKnownHosts no
989 PermitEmptyPasswords no
990 ChallengeResponseAuthentication no
991 PasswordAuthentication no
992 KerberosAuthentication no
993 GSSAPIAuthentication no
994 X11Forwarding no
995 X11DisplayOffset 10
996 PrintMotd no
997 DebianBanner no
998 PrintLastLog yes
999 TCPKeepAlive yes
1000 ClientAliveInterval 0
1001 AcceptEnv LANG LC_*
1002 Subsystem sftp /usr/lib/openssh/sftp-server
1003 UsePAM yes
1004 EOF
1005 sudo service ssh restart
1006 }
1007 rule_sysctl_configure () {
1008 local -; set +f
1009 for conf in "$tool"/etc/sysctl.d/*.conf
1010 do conf=${conf#"$tool"/etc/sysctl.d/}
1011 sudo install -m 660 -o root -g root \
1012 "$tool"/etc/sysctl.d/"$conf" \
1013 /etc/sysctl.d/"$conf"
1014 done
1015 sudo sysctl --system
1016 }
1017 rule_user_add () { # SYNTAX: $user
1018 rule user_configure
1019 local user=$1
1020 id "$user" >/dev/null ||
1021 sudo adduser --disabled-password "$user"
1022 # NOTE: le mot-de-passe doit être initialisé par l'utilisateur à l'aide de passwd-init .
1023 eval local home\; home="~$user"
1024 sudo adduser "$user" users
1025 sudo install -m 640 -o root -g root \
1026 "$tool"/var/pub/ssh/"$user".key \
1027 "$home"/etc/ssh/authorized_keys
1028 local key; local -; set +f
1029 for key in "$tool"/var/pub/openpgp/*.key
1030 do sudo -u "$user" gpg --import - <"$key"
1031 done
1032 }
1033 rule_user_configure () {
1034 true
1035 }
1036 rule_user_admin_add () { # SYNTAX: $user
1037 rule user_configure
1038 local user=$1
1039 id "$user" >/dev/null ||
1040 sudo adduser --disabled-password "$user"
1041 eval local home\; home="~$user"
1042 sudo adduser "$user" sudo
1043 sudo adduser "$user" users
1044 sudo install -m 640 -o root -g root \
1045 "$tool"/var/pub/ssh/"$user".key \
1046 "$home"/etc/ssh/authorized_keys
1047 local key; local -; set +f
1048 for key in "$tool"/var/pub/openpgp/*.key
1049 do sudo -u "$user" gpg --import - <"$key"
1050 done
1051 rule user_admin_configure
1052 }
1053 rule_user_admin_configure () {
1054 rule initramfs_configure
1055 rule user_root_configure
1056 }
1057 rule_user_configure () {
1058 sudo install -d -m 750 -o root -g adm \
1059 /etc/skel/etc \
1060 /etc/skel/etc/gpg \
1061 /etc/skel/etc/ssh
1062 sudo install -d -m 770 -o root -g adm \
1063 /etc/skel/var \
1064 /etc/skel/var/cache \
1065 /etc/skel/var/log \
1066 /etc/skel/var/run \
1067 /etc/skel/var/run/ssh
1068 sudo ln -fns etc/ssh /etc/skel/.ssh
1069 sudo ln -fns etc/gpg /etc/skel/.gnupg
1070 sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
1071 %sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
1072 case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
1073 ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
1074 EOF
1075 sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF
1076 %sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
1077 EOF
1078 sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/env_keep <<-EOF
1079 Defaults env_keep = " \\
1080 EDITOR \\
1081 GIT_AUTHOR_NAME \\
1082 GIT_AUTHOR_EMAIL \\
1083 GIT_COMMITTER_NAME \\
1084 GIT_COMMITTER_EMAIL \\
1085 "
1086 EOF
1087 sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF
1088 #!/bin/sh -efu
1089 # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
1090 sudo /bin/sh -e -f -u -c \
1091 'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
1092 EOF
1093 sudo install -m 644 -o root -g root \
1094 "$tool"/etc/bash.bashrc \
1095 /etc/bash.bashrc
1096 sudo install -m 644 -o root -g root \
1097 "$tool"/etc/screenrc \
1098 /etc/screenrc
1099 }
1100 rule_user_root_configure () {
1101 sudo install -d -m 750 -o root -g adm \
1102 /root/etc \
1103 /root/etc/gpg \
1104 /root/etc/ssh
1105 sudo ln -fns etc/gpg /root/.gnupg
1106 sudo ln -fns etc/ssh /root/.ssh
1107 getent group sudo |
1108 while IFS=: read -r group x x users
1109 do while test -n "$users" && IFS=, read -r user users <<-EOF
1110 $users
1111 EOF
1112 do eval local home\; home="~$user"
1113 cat "$home"/etc/ssh/authorized_keys
1114 done
1115 done |
1116 sudo install -m 640 -o root -g root /dev/stdin /root/etc/ssh/authorized_keys
1117 local key; local -; set +f
1118 for key in "$tool"/var/pub/openpgp/*.key
1119 do sudo gpg --import "$key"
1120 done
1121 }
1122 rule_configure () {
1123 rule apt_configure
1124 rule git_configure
1125 rule etckeeper_configure
1126 rule locale_configure
1127 rule time_configure
1128 rule network_configure
1129 rule filesystem_configure
1130 rule login_configure
1131 rule ssh_configure
1132 rule user_root_configure
1133 rule boot_configure
1134 rule sysctl_configure
1135 rule user_configure
1136 rule mail_configure
1137 #rule apache2_configure
1138 rule nginx_configure
1139 rule php5_fpm_configure
1140 }
1141
1142 rule_luks_key_change () {
1143 sudo cryptsetup luksChangeKey /dev/$vm_lvm_vg/${vm_lvm_lv}_root
1144 }
1145
1146 rule=${1:-help}
1147 ${1+shift}
1148 case $rule in
1149 (help);;
1150 (*)
1151 assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
1152 ;;
1153 esac
1154 rule $rule "$@"
outils d'administration d'ateliers.heureux-cyclage.org