Ajout : vm_hosted : rule_postgresql_configure .
#!/bin/sh
# vm_hosted: administration rules for the hosted VM, run from inside the VM.
# Every rule_* function below is a sub-command ("vm RULE ARGS"); rule_help
# lists them. Shared helpers (rule, assert, ...) and the vm_* settings come
# from lib/rule.sh and etc/vm.sh, sourced at the end of this preamble.
#
# -e: stop on the first failing command; -f: no pathname globbing (rules
# that need it re-enable it locally with "set +f"); -u: an unset variable
# is an error. DRY_RUN=<anything> adds -n: the script is then only parsed,
# nothing is executed.
set -e -f ${DRY_RUN:+-n} -u
# Follow the symlinks to this script (rule_git_configure installs it as
# /usr/local/sbin/vm) to find the checkout directory.
# NOTE(review): readlink prints the target as stored in the link; a
# relative target is not resolved against the link's own directory here,
# so the installed links must be absolute — TODO confirm.
tool=$0
while test -L "$tool"
do tool=$(readlink "$tool")
done
tool=${tool%/*}
. "$tool"/lib/rule.sh
. "$tool"/etc/vm.sh
10
rule_help () { # SYNTAX: [--hidden]
  # Print the usage text on stderr: a description, the list of rule_*
  # functions found in etc/vm.sh and in this script (each with the
  # "# SYNTAX:" comment that follows its opening brace), and the readonly
  # settings. Unless an argument (--hidden) is given, rules whose name
  # starts with "rule__" are left out.
  local hidden=
  if [ -z "${1-}" ]; then
    hidden=set
  fi
  cat >&2 <<-EOF
DESCRIPTION:
ce script regroupe des règles pour administrer la VM ($vm_fqdn)
_depuis_ la VM hébergée ($vm_fqdn) ;
il sert à la fois d'outil (aisément bidouillable)
et de documentation (préçise).
Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
SYNTAX: $0 \$RULE \${RULE}_SYNTAX
RULES:
$(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
ENVIRONMENT:
TRACE # affiche les commandes avant leur exécution
$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
EOF
}
28
rule_git_configure () {
  # Point the checkout's master branch at its own refs/remotes/master (the
  # state rule_git_reset restores) and install this script as
  # /usr/local/sbin/vm_hosted and /usr/local/sbin/vm.
  # Everything runs in a subshell so the cd does not leak into the caller.
  (
  cd "$tool"
  git config --replace branch.master.remote .
  git config --replace branch.master.merge refs/remotes/master
  # "cd -" prints the previous working directory, i.e. the checkout's
  # absolute path, so the links installed below are absolute even when
  # $tool was relative. The local only shadows $tool inside the subshell.
  local tool
  tool=$(cd "$tool"; cd -)
  sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/
  sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/vm
  )
}
rule_git_reset () {
  # Throw away every local change in the checkout: force master back onto
  # remotes/master, then delete untracked and ignored files and directories.
  # The subshell keeps the cd from affecting the caller; the && chain stops
  # at the first failure, as set -e would.
  (
    cd "$tool" &&
    git checkout -f -B master remotes/master &&
    git clean -f -d -x
  )
}
47
rule_apt_get_install () { # SYNTAX: $package
  # Install the given package(s); debconf runs non-interactively so no
  # configuration prompt can block an unattended run.
  local frontend=noninteractive
  sudo DEBIAN_FRONTEND="$frontend" apt-get install "$@"
}
rule_dpkg_reconfigure () { # SYNTAX: $package
  # Re-run the given package's configuration with debconf in
  # non-interactive mode (answers come from pre-seeded selections).
  local frontend=noninteractive
  sudo DEBIAN_FRONTEND="$frontend" dpkg-reconfigure "$@"
}
54
rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
  # Hidden rule (double underscore: rule_help omits it without --hidden).
  # The trailing note on the line above asks "is this ever useful?".
  # Forces a C locale in the current shell and re-reads /etc/profile.
  LANG=C
  LC_CTYPE=C
  export LANG LC_CTYPE
  . /etc/profile
}
60
rule_apache2_configure () {
  # Install apache2 (mpm-itk + mod_php5), deploy the global configuration
  # shipped in "$tool"/etc/apache2, then, for every
  # "$tool"/etc/apache2/site.d/PORT.SITE/VirtualHost.conf, create the
  # site's system user, directories, certificates (port 443) and generated
  # VirtualHost, and enable it; finally restart apache2.
  # Reads $user and $home, which this function does not set — presumably
  # provided by etc/vm.sh or lib/rule.sh; TODO confirm.
  # Globbing is re-enabled locally (the script runs under set -f).
  local -; set +f
  rule apt_get_install \
    apache2-mpm-itk \
    libapache2-mod-php5
  # SEE: http://serverfault.com/questions/383526/how-do-i-select-which-apache-mpm-to-use/383634#383634
  # SEE: http://jkroon.blogs.uls.co.za/it/security/using-php-fpm-and-mod_proxy_fcgi-to-optimize-and-secure-lamp-servers
  # NOTE: apache2-mpm-itk seems the most secure choice, since everything is
  # guaranteed to run with the uid/gid assigned to the
  # VirtualHost/Directory/Location; a combination such as
  # apache2-mpm-{worker,event} + mod_proxy_fcgi + apache2-suexec-custom + php-fpm
  # might perform better (threads rather than forks), but suexec seems to
  # impose forks anyway and mod_proxy_fcgi only appears in apache 2.4;
  # so for now: apache2-mpm-itk.
  rule www_configure
  # Prepend a ServerName line to the shipped apache2.conf and install it.
  cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF |
ServerName "$vm_fqdn"
EOF
  sudo install -m 660 -o root -g root /dev/stdin \
    /etc/apache2/apache2.conf
  sudo install -m 660 -o root -g root \
    "$tool"/etc/apache2/envvars \
    /etc/apache2/envvars
  sudo install -m 660 -o root -g root \
    "$tool"/etc/apache2/httpd.conf \
    /etc/apache2/httpd.conf
  #sudo install -m 660 -o root -g root /dev/stdin \
  # /etc/apache2/suexec/www-data <<-EOF
  # /home
  # pub/www/cgi
  # EOF
  sudo install -m 660 -o root -g root \
    "$tool"/etc/apache2/ports.conf \
    /etc/apache2/ports.conf
  sudo a2enmod actions
  sudo a2enmod headers
  sudo a2enmod rewrite
  sudo a2enmod ssl
  sudo a2enmod userdir
  local conf
  # Start from no enabled site; each site.d entry is re-enabled in the loop.
  sudo a2dissite "*"
  sudo ln -fns \
    /etc/apache2 \
    /home/www/etc/apache2
  for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf
  do conf=${conf#"$tool"/etc/apache2/site.d/}
    # The directory name is PORT.SITE; split it on the first dot.
    local port site
    IFS=. read -r port site <<-EOF
${conf%\/VirtualHost\.conf}
EOF
    assert 'test "${site:+set}"'
    assert 'test "${port:+set}"'
    local site_user="$user.$port.$site"
    local site_dir="$user.$port.$site"
    case $port in
    (443)
      # The private key must already be in place (sent from the host);
      # presumably assert evals its first argument and prints the variable
      # named by the second on failure.
      local hint="run vm_remote apache2_key_send before"
      assert "sudo test -f /etc/apache2/site.d/\"$site_dir\"/x509/key.pem" hint
      # NOTE(review): /etc/apache2 itself is made 770 and owned by $user,
      # who can then edit the configuration apache2 runs as root — confirm
      # that $user is meant to have that level of trust.
      sudo install -d -m 770 -o "$user" -g "$user" \
        /etc/apache2 \
        /etc/apache2/site.d/"$site_dir" \
        /etc/apache2/site.d/"$site_dir"/x509 \
        /etc/apache2/site.d/"$site_dir"/x509/ca \
        /etc/apache2/site.d/"$site_dir"/x509/empty \
        /etc/apache2/site.d/"$site_dir"/x509/rvk \
        /etc/apache2/site.d/"$site_dir"/x509/usr
      sudo install -m 664 -o www -g www \
        "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
        /etc/apache2/site.d/"$site_dir"/x509/crt.self-signed.pem
      #sudo install -m 664 -o "$user" -g "$user" \
      # "$tool"/var/pub/x509/"$site"/rvk.pem \
      # /etc/apache2/site.d/"$site_dir"/x509/rvk.pem
      sudo install -m 664 -o www -g www \
        "$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \
        /etc/apache2/site.d/"$site_dir"/x509/ca/crt.pem
      sudo install -m 664 -o www -g www \
        "$tool"/var/pub/x509/"$site"/crt.pem \
        /etc/apache2/site.d/"$site_dir"/x509/crt.pem
      ;;
    esac
    # Generate the VirtualHost: common logging/DocumentRoot lines, the TLS
    # settings on 443, then the site's own VirtualHost.conf spliced in.
    case $port in
    (80)
      cat <<-EOF
<VirtualHost *:$port>
AssignUserID $site_user $site_user
CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
#CustomLog "/dev/null" Combined
DocumentRoot /home/www/pub/$site_dir
ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
#ErrorLog "/dev/null"
ServerName $site
LogLevel Warn
$(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
</VirtualHost>
EOF
      ;;
    (443)
      # NOTE(review): the block below pins SSLProtocol to TLSv1 only and a
      # single cipher family; current clients expect TLSv1.2 or later —
      # worth revisiting. Client certificates are optional
      # (SSLVerifyClient None) but, when presented, the CN becomes the
      # user name (SSLUserName).
      cat <<-EOF
<IfModule mod_ssl.c>
<VirtualHost *:$port>
AssignUserID $site_user $site_user
BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
#CustomLog "/dev/null" Combined
DocumentRoot /home/www/pub/$site_dir
ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
#ErrorLog "/dev/null"
LogLevel Warn
ServerName $site
SSLCACertificateFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
SSLCACertificatePath /etc/apache2/site.d/$site_dir/x509/usr/
#SSLCARevocationFile /etc/apache2/site.d/$site_dir/x509/rvk.pem
SSLCADNRequestFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
SSLCADNRequestPath /etc/apache2/site.d/$site_dir/x509/empty/
# NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés
SSLCARevocationPath /etc/apache2/site.d/$site_dir/x509/rvk/
SSLCertificateChainFile /etc/apache2/site.d/$site_dir/x509/ca/crt.pem
SSLCertificateFile /etc/apache2/site.d/$site_dir/x509/crt.pem
SSLCertificateKeyFile /etc/apache2/site.d/$site_dir/x509/key.pem
SSLCipherSuite AES+RSA+SHA256
SSLEngine On
SSLInsecureRenegotiation Off
SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars
SSLProtocol -All +TLSv1
#SSLRenegBufferSize 262144
SSLSessionCacheTimeout 1200
SSLStrictSNIVHostCheck On
SSLUserName SSL_CLIENT_S_DN_CN
SSLVerifyClient None
SSLVerifyDepth 1
$(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
</VirtualHost>
</IfModule>
EOF
      ;;
    esac |
    sudo install -m 660 -o root -g root /dev/stdin \
      /etc/apache2/site.d/"$site_dir"/VirtualHost.conf
    sudo ln -fns \
      ../site.d/"$site_dir"/VirtualHost.conf \
      /etc/apache2/sites-available/"$site_dir"
    sudo install -d -m 770 -o "$user" -g "$user" \
      /home/www/log/"$site_dir" \
      /home/www/log/"$site_dir"/apache2
    sudo ln -fns \
      /etc/apache2/site.d/"$site_dir" \
      /home/www/etc/apache2/"$site_dir"
    # The document root is only created when missing, so an existing site
    # keeps its ownership and mode.
    test -e /home/www/pub/"$site_dir" ||
    sudo install -d -m 770 -o "$user" -g "$user" \
      /home/www/pub/"$site_dir"
    getent passwd "$site_user" >/dev/null ||
    sudo adduser \
      --disabled-password \
      --group \
      --no-create-home \
      --home /home/www/pub/"$site_dir" \
      --shell /bin/false \
      --system \
      "$site_user"
    # The per-site user (mpm-itk runs the vhost as it) only needs to
    # traverse the parents; it gets rwx by default on new files below.
    sudo setfacl -m u:"$site_user":--x \
      /home/www/ \
      /home/www/pub/ \
      /home/www/pub/"$site_dir"/
    # NOTE(review): this default ACL targets "$home"/pub/www/..., not the
    # /home/www/pub/"$site_dir" created above — TODO confirm which tree
    # is meant.
    sudo setfacl -m d:u:"$site_user":rwx \
      "$home"/pub/www/"$site_dir"/
    # Optional per-site hook, sourced into this shell: it runs with this
    # script's privileges (including sudo) and may change its variables.
    test ! -r "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh ||
    . "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh
    test -e /etc/apache2/sites-enabled/"$site_dir" ||
    sudo a2ensite "$site_dir"
  done
  sudo service apache2 restart
}
rule_apt_configure () {
  # Write the apt sources (Debian $vm_lsb_name main/contrib/non-free), a
  # disabled backports source, pinning preferences, then update apt and
  # install apticron, configured to mail admin@$vm_domainname about
  # pending upgrades.
  # NOTE(review): mode 660 keeps non-root users from reading sources.list,
  # so apt-cache/apt-get run as a normal user will complain — confirm
  # intended.
  sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
EOF
  # The backports line is written commented out (leading #), so it is
  # inert. NOTE(review): the file goes to /etc/apt/, not
  # /etc/apt/sources.list.d/, where apt would look for it — confirm.
  sudo install -m 660 -o root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF
#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
EOF
  # Backports (200) are ranked above the release (170); presumably meant
  # to prefer backported versions once that source is enabled.
  sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
Package: *
Pin: release a=$vm_lsb_name
Pin-Priority: 170

Package: *
Pin: release a=$vm_lsb_name-backports
Pin-Priority: 200
EOF
  sudo apt-get update
  rule apt_get_install apticron
  # Only EMAIL is set; the remaining keys are left at their defaults.
  sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF
EMAIL="admin@$vm_domainname"
# DIFF_ONLY="1"
# LISTCHANGES_PROFILE="apticron"
# ALL_FQDNS="1"
# SYSTEM="foobar.example.com"
# IPADDRESSNUM="1"
# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
# NOTIFY_HOLDS="0"
# NOTIFY_NEW="0"
# NOTIFY_NO_UPDATES="0"
# CUSTOM_SUBJECT=""
# CUSTOM_NO_UPDATES_SUBJECT=""
# CUSTOM_FROM="root@$vm_fqdn"
EOF
}
rule_boot_configure () {
  # Pre-seed grub-pc to install on no device (the disabled warning below
  # says the same for the Debian installer), install grub-pc and the
  # kernel, write /etc/default/grub and the device map, regenerate
  # grub.cfg, rebuild the initramfs and install molly-guard.
  #warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
  # (disabled warning: during the Debian install, install GRUB on NONE of the offered disks)
  sudo debconf-set-selections <<-EOF
grub-pc grub-pc/install_devices multiselect
EOF
  rule apt_get_install grub-pc
  # NOTE(review): mode 644 on a directory has no search (x) bit — TODO
  # confirm this is intended.
  sudo install -d -m 644 -o root -g root /boot/grub
  rule apt_get_install linux-image-$vm_arch
  # Kernel command line: console on hvc0, static address configured by the
  # kernel (ip=), resume from the decrypted swap volume. The backticks are
  # escaped so they end up literally in the file.
  sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
GRUB_DISABLE_RECOVERY="true"
#GRUB_PRELOAD_MODULES="lvm"
EOF
  # (hd0) is mapped both to the Xen virtual disk and to the domU
  # device-mapper node, whose name doubles every "-".
  sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF
(hd0) /dev/xvda
(hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
EOF
  sudo update-grub2 # NOTE: takes /boot/grub/device.map into account
  rule initramfs_configure
  rule apt_get_install molly-guard
  # Always ask for the hostname before halt/reboot; the heredoc's NOTE
  # explains why this is preferred to letting sudo keep SSH_*.
  sudo install -m 644 -o root -g root /dev/stdin /etc/molly-guard/rc <<-EOF
ALWAYS_QUERY_HOSTNAME=true
# NOTE: une alternative est de dire à sudo de conserver les SSH_*
# néamoins demander tout le temps n'est pas trop contraignant
# et davantage sécurisant.
EOF
}
rule_dovecot_configure () {
  # Install dovecot (IMAP + managesieve + sieve), deploy the self-signed
  # cert+CRL bundle, write /etc/dovecot/local.conf, install a
  # dovecot-passwd helper for users, write an (empty) postgrey recipient
  # whitelist and restart dovecot.
  rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
  # The private key must already have been sent from the host; presumably
  # assert evals its first argument and prints the variable named by the
  # second on failure.
  local hint="run vm_remote dovecot_key_send before"
  assert "sudo test -f /etc/dovecot/\"$vm_domainname\"/imap/x509/key.pem" hint
  sudo install -m 400 -o root -g root \
    "$tool"/var/pub/x509/$vm_domainname/imap/crt+crl.self-signed.pem \
    /etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
  # Skeleton directories so new accounts get ~/etc/mail and ~/etc/sieve.
  sudo install -d -m 770 -o root -g adm \
    /etc/skel/etc/mail \
    /etc/skel/etc/sieve
  # Index/control data lives outside the quota-enforced home (see the NOTE
  # in local.conf); sticky world-writable, one sub-directory per user.
  sudo install -d -m 1777 -o root -g root \
    /var/lib/dovecot-control \
    /var/lib/dovecot-index
  # Per-user passwd files under ~/etc/dovecot, quota via the filesystem,
  # sieve per user, TLS with client certificates verified against the
  # self-signed bundle and mapped to the user name. "\$" keeps dovecot's
  # own $mail_plugins references literal.
  sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
auth_ssl_username_from_cert = yes
listen = *
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_debug = yes
mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
# NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
# VOIR: http://wiki2.dovecot.org/Quota/FS
mail_plugins = \$mail_plugins quota
mail_privileged_group = mail
passdb {
args = /home/%u/etc/dovecot/passwd
driver = passwd-file
}
plugin {
quota = fs:user
recipient_delimiter = +
sieve = ~/etc/mail/filter.sieve
sieve_dir = ~/etc/mail/sieve
sieve_global_dir = /var/lib/dovecot/sieve/global/
sieve_max_script_size = 1M
sieve_quota_max_scripts = 0
sieve_quota_max_storage = 10M
sieve_user_log = ~/var/log/mail/sieve.log
}
protocol imap {
mail_plugins = \$mail_plugins imap_quota
}
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
hostname = $vm_domainname
info_log_path =
log_path =
mail_plugins = \$mail_plugins sieve
postmaster_address = contact+dovecot+lda@$vm_domainname
syslog_facility = mail
}
protocols = imap sieve
service auth {
user = root
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
ssl_cipher_list = AES256-SHA
ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
ssl_verify_client_cert = yes
userdb {
driver = passwd
}
verbose_ssl = no
EOF
  # Helper each user runs to set their own password: doveadm prompts for
  # it and the SHA512-CRYPT hash is written to ~/etc/dovecot/passwd.
  # NOTE(review): the helper runs with -x, so the expanded install line
  # (hash included) is traced to the invoking user's stderr.
  sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
#!/bin/sh -efux
# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
install -d -m 770 ~/etc/dovecot
install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
\$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
_EOF
EOF
  # NOTE(review): an empty postgrey whitelist written from the dovecot
  # rule; presumably belongs with rule postgrey_configure — confirm.
  sudo install -m 664 -o root -g root /dev/stdin /etc/postgrey/whitelist_recipients.local <<-EOF
EOF
  sudo service dovecot restart
}
rule_etckeeper_configure () {
  # Write etckeeper's configuration (git backend, no daily autocommit, no
  # commit before apt runs) and the prompt hook before installing the
  # package — presumably so the files are already in place when the
  # package is configured.
  sudo install -m 644 -o root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
VCS=git
GIT_COMMIT_OPTIONS=""
AVOID_DAILY_AUTOCOMMITS=1
#AVOID_SPECIAL_FILE_WARNING=1
AVOID_COMMIT_BEFORE_INSTALL=1
HIGHLEVEL_PACKAGE_MANAGER=apt
LOWLEVEL_PACKAGE_MANAGER=dpkg
EOF
  sudo install -m 644 -o root -g root \
    "$tool"/etc/etckeeper/prompt.sh \
    /etc/etckeeper/prompt.sh
  rule apt_get_install etckeeper
}
rule_filesystem_configure () {
  # Write /etc/fstab (ext2 /boot found by label; ext4 root, /var and /home
  # on decrypted LVM volumes, /home with user and group quotas), /etc/crypttab
  # (root unlocked interactively, the other volumes with a key derived from
  # the root volume), /etc/default/tmpfs, and install a tmpfs init script.
  sudo install -m 644 -o root -g root /dev/stdin /etc/fstab <<-EOF
# <file system> <mount point> <type> <options> <dump> <pass>
LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
# NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
EOF
  # NOTE(review): decrypt_derived ties the var/home/swap keys to the root
  # volume's master key, so re-keying root means re-creating them —
  # presumably accepted; confirm it is documented for operators.
  sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF
# <target name> <source device> <key file> <options>
${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
EOF
  # /tmp, /run/shm and /run/lock on tmpfs with explicit size limits.
  sudo install -m 644 -o root -g root /dev/stdin /etc/default/tmpfs <<-EOF
LOCK_SIZE=5242880 # NOTE: 5MiB
RAMLOCK=yes
RAMSHM=yes
RAMTMP=yes
RUN_SIZE=10%
SHM_SIZE=
TMP_MODE=1777,nr_inodes=1000k,noatime
TMP_OVERFLOW_LIMIT=1024
# NOTE: mount tmpfs on /tmp if there is less than the limit size (in kiB)
# on the root filesystem (overriding RAMTMP).
TMP_SIZE=200m
TMPFS_SIZE=20%VM
EOF
  sudo install -m 775 -o root -g root \
    "$tool"/etc/init.d/tmpfs \
    /etc/init.d/tmpfs
  sudo update-rc.d tmpfs defaults
}
rule_initramfs_configure () {
  # Configure the initramfs of a Xen PV guest with an encrypted root:
  # module lists, a dropbear SSH server in the initramfs (so the root
  # volume can be unlocked remotely) with its RSA host key, the
  # authorized_keys of every member of the sudo group, then rebuild it.
  sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
MODULES=most
BUSYBOX=y
KEYMAP=y
COMPRESS=gzip
DEVICE=eth0
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/modprobe.d/xen-pv.conf <<-EOF
alias eth0 xennet
alias scsi_hostadapter xenblk
EOF
  # Hash and cipher modules needed to open the LUKS volumes.
  sudo install -m 644 -o root -g root /dev/stdin /etc/modules <<-EOF
sha1_generic
sha256_generic
sha512_generic
aes-x86_64
xts
# NOTE: pour Xen en mode HVM :
#modprobe xen-platform-pci
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF
EOF
  # Drop the trailing "&" on the configure_networking line of the packaged
  # dropbear premount script so it no longer runs in the background.
  # NOTE(review): this edits a file owned by the dropbear/initramfs-tools
  # package; a package upgrade may silently undo it.
  sudo sed -e '/^configure_networking /s/ &$//' \
    -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
  # NOTE: fixes a bug: dropbear must wait for the network to be configured..
  # Keep the current dropbear RSA host key when the checkout's known_hosts
  # has an entry for init.$vm_fqdn ending in " RSA" (the subshell then
  # exits 0); otherwise generate a fresh 4096-bit key.
  ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
  ( while IFS= read -r line
    do case $line in (*" RSA") return 0; break;; esac
    done; return 1 ) ||
  {
    sudo rm -f \
      /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
      /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
    sudo dropbearkey -t rsa -s 4096 -f \
      /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
  }
  # NOTE: does not bother with dropbear_dss_host_key; Debian generates and uses it nonetheless.
  # NOTE(review): mode 640 on a directory has no search (x) bit — TODO
  # confirm this is intended.
  sudo install -d -m 640 -o root -g root \
    /etc/initramfs-tools/root \
    /etc/initramfs-tools/root/.ssh
  # Whoever is in the sudo group may unlock the VM at boot: concatenate
  # their ~/etc/ssh/authorized_keys. The eval turns "~$user" into the home
  # directory; the names come from /etc/group via getent.
  getent group sudo |
  while IFS=: read -r group x x users
  do while test -n "$users" && IFS=, read -r user users <<-EOF
$users
EOF
    do eval local home\; home="~$user"
      cat "$home"/etc/ssh/authorized_keys
    done
  done |
  sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys
  # Remove the client key pair Debian generates for the initramfs root.
  sudo rm -f \
    /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
    /etc/initramfs-tools/root/.ssh/id_rsa.pub \
    /etc/initramfs-tools/root/.ssh/id_rsa
  # NOTE: keys generated by Debian
  sudo update-initramfs -u
}
rule_gitolite_configure () {
  # Create the git system user, pre-seed and install gitolite, lay out its
  # directories under the git user's home (etc/, etc/ssh, pub/ for the
  # repositories, log/gitolite), write gitolite.rc and gitweb.conf,
  # install the admin public key and run gl-setup, then install gitweb.
  local user=git
  sudo debconf-set-selections <<-EOF
gitolite gitolite/gituser string $user
gitolite gitolite/adminkey string
gitolite gitolite/gitdir string /home/$user
EOF
  rule apt_get_install gitolite
  getent passwd "$user" >/dev/null ||
  sudo adduser \
    --disabled-password \
    --group \
    --shell /bin/bash \
    --system \
    "$user"
  sudo chfn --full-name "$user" "$user"
  # Tilde expansion of a variable user name needs eval; $user is the
  # literal "git" set above.
  eval local home\; home="~$user"
  sudo install -d -m 770 -o "$user" -g "$user" \
    /etc/gitolite \
    "$home"/etc \
    "$home"/etc/ssh \
    "$home"/pub \
    "$home"/log \
    "$home"/log/gitolite \
    "$home"/log/gitolite/perf
  # gitolite expects ~/.gitolite.rc and ~/.ssh; keep the real files under
  # /etc/gitolite and ~/etc and link to them.
  sudo ln -fns /etc/gitolite "$home"/etc/gitolite
  sudo ln -fns etc/gitolite/gitolite.rc "$home"/.gitolite.rc
  sudo ln -fns etc/ssh "$home"/.ssh
  # Perl config: "\$" keeps the sigils literal; repositories under ~/pub,
  # no wildcard repos, group-writable repositories (REPO_UMASK 0007).
  sudo install -m 770 -o "$user" -g "$user" /dev/stdin \
    "$home"/etc/gitolite/gitolite.rc <<-EOF
#\$ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary";
#\$BIG_INFO_CAP = 20;
#\$ENV{GL_SLAVES} = 'gitolite@server2 gitolite@server3';
# NOTE: Please use single quotes, not double quotes.
#\$GITWEB_URI_ESCAPE = 0;
\$GIT_PATH = "";
#\$GL_ADC_PATH = "";
\$GL_ADMINDIR = \$ENV{HOME} . "/etc/gitolite";
#\$GL_ALL_INCLUDES_SPECIAL = 0;
#\$GL_ALL_READ_ALL = 0;
\$GL_BIG_CONFIG = 0;
\$GL_CONF = "\$GL_ADMINDIR/conf/gitolite.conf";
\$GL_CONF_COMPILED = "\$GL_ADMINDIR/conf/gitolite.conf.pm";
#\$GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups"
\$GL_GITCONFIG_KEYS = "hooks\\..* repo\\..*";
#\$GL_HOSTNAME = "git.$vm_domainname";
# NOTE: read doc/mirroring.mkd COMPLETELY before setting this.
#\$GL_HTTP_ANON_USER = "mob";
\$GL_KEYDIR = "\$GL_ADMINDIR/keydir";
\$GL_LOGT = \$ENV{HOME} . "/log/gitolite/%y-%m-%d.log";
#\$GL_NICE_VALUE = 0;
\$GL_NO_CREATE_REPOS = 0;
\$GL_NO_DAEMON_NO_GITWEB = 0;
\$GL_NO_SETUP_AUTHKEYS = 0;
\$GL_PACKAGE_CONF = "/usr/share/gitolite/conf";
\$GL_PACKAGE_HOOKS = "/usr/share/gitolite/hooks";
#\$GL_PERFLOGT = \$ENV{HOME} . "/log/gitolite/perf/%y-%m-%d.log";
#\$GL_REF_OR_FILENAME_PATT = qr(^[0-9a-zA-Z][0-9a-zA-Z._\\@/+ :,-]*\$);
\$GL_SITE_INFO = "git.$vm_domainname";
#\$GL_SLAVE_MODE = 0;
\$GL_WILDREPOS = 0;
#\$GL_WILDREPOS_DEFPERMS = 'R @all';
\$GL_WILDREPOS_PERM_CATS = "READERS WRITERS";
\$HTPASSWD_FILE = "";
\$PROJECTS_LIST = \$ENV{HOME} . "/projects.list";
\$REPO_BASE = "pub";
\$REPO_UMASK = 0007;
\$RSYNC_BASE = "";
\$SVNSERVE = "";
#\$UPDATE_CHAINS_TO = "hooks/update.secondary";
#\$WEB_INTERFACE = "gitweb";
1;
EOF
  # NOTE(review): $site_footer below is a hard-coded /home/fai/... path
  # rather than one derived from $vm_domainname — confirm it exists on
  # this VM.
  sudo install -m 770 -o "$user" -g "$user" /dev/stdin \
    "$home"/etc/gitweb/gitweb.conf <<-EOF
\$commit_oneline_message_width = 70;
\$default_projects_order = 'age';
\$default_text_plain_charset = 'UTF-8';
@diff_opts = ();
\$favicon = "img/git-favicon.png";
\$git_temp = "/run/shm/gitweb";
\$home_footer = "/etc/gitweb/cgi/home-footer.cgi.inc";
\$home_header = "/etc/gitweb/cgi/home-header.cgi.inc";
\$home_link = "/";
\$home_link_str = 'd&eacute;p&ocirc;ts';
\$home_th_age = 'activit&eacute;';
\$home_th_descr = 'description';
\$home_th_owner = 'contact';
\$home_th_project = 'd&eacute;p&ocirc;t';
\$javascript = "js/gitweb.js";
\$logo = "img/git-logo.png";
\$my_uri = "";
\$projectroot = "../git";
\$projects_list = "/etc/gitolite/projects.list";
\$projects_list_description_width = 42;
\$projects_list_owner_width = 15;
\$search_str = "Filtre&nbsp;:";
\$site_footer = "/home/fai/pub/www/git.autogeree.net/cgi/site-footer.bin";
\$site_header = undef;
\$site_name = "git.$vm_domainname";
\$space_to_nbsp = 0;
@stylesheets = ("css/gitweb.css");#
\$untabify_tabstop = 2;
EOF
  # NOTE(review): the source is named "$user".key but is installed as the
  # admin's .pub — presumably the public half despite the name; confirm.
  sudo install -m 600 -o "$user" -g "$user" \
    "$tool"/var/pub/ssh/"$user".key \
    "$home"/etc/ssh/"$user".pub
  sudo -u "$user" \
    GL_RC="$home"/etc/gitolite/gitolite.rc \
    GIT_AUTHOR_NAME="$user" \
    gl-setup -q "$home"/etc/ssh/"$user".pub "$user"
  # Remove empty doc/logs/src directories (presumably left by gl-setup).
  local d
  for d in doc logs src
  do test ! -d "$home"/etc/gitolite/"$d" ||
    rmdir "$home"/etc/gitolite/"$d"
  done
  rule apt_get_install gitweb highlight
  #sudo sv restart spawn-fcgi.git.80.git.heureux-cyclage.org
  #sudo sv restart git-daemon.git.9418
}
rule_locale_configure () {
  # Pre-seed the locales package (no default environment locale, generate
  # fr_FR.UTF-8 only) and reconfigure it non-interactively.
  printf '%s\n' \
    'locales locales/default_environment_locale select None' \
    'locales locales/locales_to_be_generated multiselect fr_FR.UTF-8 UTF-8' |
  sudo debconf-set-selections
  rule dpkg_reconfigure locales
}
rule_login_configure () {
  # Write /etc/inittab (runlevel 2, a getty on the Xen console hvc0),
  # /etc/login.defs (umask 007, SHA512 password hashing, sbin in every
  # PATH), enable pam_umask in common-session and allow root logins on
  # hvc0 and xvc0. The grep guards keep the append steps idempotent.
  sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF
# /etc/inittab: init(8) configuration.

# The default runlevel.
id:2:initdefault:

# Boot-time system configuration/initialization script.
# This is run first except when booting in emergency (-b) mode.
si::sysinit:/etc/init.d/rcS

# What to do in single-user mode.
~~:S:wait:/sbin/sulogin

# /etc/init.d executes the S and K scripts upon change
# of runlevel.
#
# Runlevel 0 is halt.
# Runlevel 1 is single-user.
# Runlevels 2-5 are multi-user.
# Runlevel 6 is reboot.

l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fallthrough in case of emergency.
z6:6:respawn:/sbin/sulogin

# What to do when CTRL-ALT-DEL is pressed.
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

# What to do when the power fails/returns.
pf::powerwait:/etc/init.d/powerfail start
pn::powerfailnow:/etc/init.d/powerfail now
po::powerokwait:/etc/init.d/powerfail stop

# Xen hypervisor console
hvc:2345:respawn:/sbin/getty 38400 hvc0
#xvc:2345:respawn:/sbin/getty 38400 xvc0
EOF
  # The heredoc's NOTEs give the rationale for ENV_PATH (sbin included)
  # and UMASK 007 (group trusted like the owner, ACL-friendly).
  sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF
MAIL_DIR /var/mail
FAILLOG_ENAB yes
LOG_UNKFAIL_ENAB no
LOG_OK_LOGINS no
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
FTMP_FILE /var/log/btmp
SU_NAME su
HUSHLOGIN_FILE .hushlogin
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# NOTE: met les sbin/ dans ENV_PATH ;
# - ça n'apporte aucune protection de ne pas les mettre ;
# - ça frustre de ne pas les trouver.
TTYGROUP tty
TTYPERM 0600
ERASECHAR 0177
KILLCHAR 025
UMASK 007
# NOTE: rwxrwx--- ;
# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
GID_MIN 1000
GID_MAX 60000
LOGIN_RETRIES 3
LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
DEFAULT_HOME yes
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
EOF
  # Append pam_umask once, so the login.defs UMASK also applies to PAM
  # sessions; the file is re-read into the heredoc before being rewritten.
  grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
  sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF
$(cat /etc/pam.d/common-session)
session optional pam_umask.so
EOF
  # Root may log in on the Xen consoles.
  grep -q '^hvc0$' /etc/securetty ||
  sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
$(cat /etc/securetty)
hvc0
EOF
  grep -q '^xvc0$' /etc/securetty ||
  sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
$(cat /etc/securetty)
xvc0
EOF
}
rule_mail_configure () {
  # Configure the whole mail stack, in this order: postfix, postgrey,
  # procmail, dovecot. Each step is a rule of its own.
  local component
  for component in postfix postgrey procmail dovecot
  do rule "${component}_configure"
  done
}
rule_mysql_configure () {
  # Install the MySQL 5.5 server package and (re)start the service.
  local package=mysql-server-5.5
  rule apt_get_install "$package"
  sudo service mysql restart
}
rule_network_configure () {
  # Set the hostname, make sure /etc/hosts maps 127.0.0.1 to the VM's FQDN
  # and short name, and write /etc/network/interfaces: a single /32 on
  # eth0 whose gateway is the address itself (the upstream router does
  # proxy ARP) with MTU 1300, for the reasons recorded in the heredoc.
  sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
$vm
EOF
  # Append the hosts line only once; the file is re-read into the heredoc.
  grep -q " $vm\$" /etc/hosts ||
  sudo install -m 644 -o root -g root /dev/stdin /etc/hosts <<-EOF
$(cat /etc/hosts)
127.0.0.1 $vm_fqdn $vm
EOF
  # "\$IFACE" and "\$((...))" are escaped so ifupdown, not this script,
  # expands them.
  sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF
auto lo
iface lo inet loopback

auto eth0=grenode
iface grenode inet static
address $vm_ipv4
gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
network $vm_ipv4
broadcast $vm_ipv4
netmask 255.255.255.255
mtu 1300
# NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
# car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
#
# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
# PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
# 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
#
# --- soupirail.grenode.net ping statistics ---
# 1 packets transmitted, 1 received, 0% packet loss, time 0ms
# rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
# PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
# From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
#
# --- soupirail.grenode.net ping statistics ---
# 0 packets transmitted, 0 received, +1 errors
post-up ip address add $vm_ipv4/32 dev \$IFACE
pre-down ip address delete $vm_ipv4/32 dev \$IFACE
EOF
}
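rule_www_configure () {
  # Create the shared web accounts and directory layout used by the
  # apache2/nginx/php5 rules:
  #   www       owns /home/www (751) and /home/www/etc (750)
  #   log.www   owns /home/www/log (1771), home ~www/log; www is a member
  #   www-data  gets /home/www/pub (1771) as home and owns it
  # Both adduser steps are skipped when the account already exists, so the
  # rule can be re-run.
  getent passwd www >/dev/null ||
  sudo adduser \
    --disabled-login \
    --disabled-password \
    --group \
    --home /home/www \
    --shell /bin/false \
    --system \
    www
  getent passwd log.www >/dev/null ||
  sudo adduser \
    --disabled-login \
    --disabled-password \
    --group \
    --home ~www/log \
    --shell /bin/false \
    --system \
    log.www
  #sudo adduser www www-data
  sudo adduser www log.www
  #sudo adduser log log.www
  # usermod needs root like every other step here.
  sudo usermod --home /home/www/pub www-data
  sudo install -d -m 751 -o www -g www \
    /home/www
  sudo install -d -m 750 -o www -g www \
    /home/www/etc
  # Two separate commands: a line continuation between them would hand the
  # second command's words to the first install, creating stray
  # directories and giving /home/www/pub the wrong owner.
  sudo install -d -m 1771 -o www-data -g www-data \
    /home/www/pub
  sudo install -d -m 1771 -o log.www -g log.www \
    /home/www/log
}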
rule_nginx_configure () {
  # Install nginx, deploy nginx.conf and conf.d/*.conf from the checkout,
  # then for each "$tool"/etc/nginx/site.d/PORT.SITE/server.conf create
  # the site's accounts (www.PORT.SITE, log.PORT.SITE), its
  # /etc/nginx/site.d entry with a generated server block, its log and
  # document directories, and source an optional per-site configure.sh;
  # finally set up fcgiwrap (via spawn-fcgi), the tmpfs rule, and restart.
  # Globbing is re-enabled locally (the script runs under set -f).
  local -; set +f
  rule apt_get_install nginx
  rule www_configure
  # conf.d and site.d are rebuilt from scratch on every run.
  sudo rm -rf \
    /etc/nginx/conf.d \
    /etc/nginx/site.d
  sudo install -d -m 770 -o www -g www \
    /etc/nginx \
    /etc/nginx/conf.d \
    /etc/nginx/site.d
  sudo ln -fns \
    /etc/nginx \
    /home/www/etc/nginx
  sudo install -m 660 -o www -g www \
    "$tool"/etc/nginx/nginx.conf \
    /etc/nginx/nginx.conf
  local conf
  for conf in "$tool"/etc/nginx/conf.d/*.conf
  do conf=${conf#"$tool"/etc/nginx/conf.d/}
    sudo install -m 660 -o www -g www \
      "$tool"/etc/nginx/conf.d/"$conf" \
      /etc/nginx/conf.d/"$conf"
  done
  for conf in "$tool"/etc/nginx/site.d/*/server.conf
  do conf=${conf#"$tool"/etc/nginx/site.d/}
    # The directory name is PORT.SITE; after the split, $site is set back
    # to the full "PORT.SITE" and used as the account/directory name.
    local port site
    IFS=. read -r port site <<-EOF
${conf%\/server\.conf}
EOF
    assert 'test "${port:+set}"'
    assert 'test "${site:+set}"'
    site="$port.$site"
    getent passwd www."$site" >/dev/null ||
    sudo adduser \
      --disabled-login \
      --disabled-password \
      --group \
      --home ~www-data/"$site" \
      --shell /bin/false \
      --system \
      www."$site"
    getent passwd log."$site" >/dev/null ||
    sudo adduser \
      --disabled-login \
      --disabled-password \
      --group \
      --shell /bin/false \
      --system \
      log."$site"
    sudo usermod --home ~www/log/"$site"/nginx log."$site"
    sudo install -d -m 770 -o www -g www \
      /etc/nginx/site.d/"$site"
    case $port in
    (443)
      # NOTE(review): the key is asserted under /etc/nginx/"$site"/x509/,
      # while the certificate is installed under
      # /etc/nginx/site.d/"$site"/x509/ — which is also where the generated
      # server block reads key and cert (through the /home/www/etc/nginx
      # link). One of the two paths looks wrong; confirm. The x509
      # directory is not created by this rule — presumably
      # vm_remote nginx_key_send does.
      local hint="run vm_remote nginx_key_send before"
      assert "sudo test -f /etc/nginx/\"$site\"/x509/key.pem" hint
      sudo install -m 664 -o www -g www \
        "$tool"/var/pub/x509/"$site"/crt+ca.pem \
        /etc/nginx/site.d/"$site"/x509/crt.pem
      ;;
    esac
    # Generate the server block: logging and root, TLS settings on 443,
    # then the site's own server.conf spliced in.
    case $port in
    (80)
      cat <<-EOF
server {
listen $port;
access_log /home/www/log/$site/nginx/access.log main;
error_log /home/www/log/$site/nginx/error.log warn;
root /home/www/pub/$site;
server_name $site;
$(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
}
EOF
      ;;
    (443)
      cat <<-EOF
server {
listen $port;
access_log /home/www/log/$site/nginx/access.log main;
error_log /home/www/log/$site/nginx/error.log warn;
keepalive_timeout 70;
root /home/www/pub/$site;
server_name $site;
# DOC: http://wiki.nginx.org/HttpSslModule
ssl on;
ssl_certificate /home/www/etc/nginx/site.d/$site/x509/crt.pem;
ssl_certificate_key /home/www/etc/nginx/site.d/$site/x509/key.pem;
ssl_ciphers HIGH:!ADH:!MD5;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
$(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
}
EOF
      ;;
    esac |
    sudo install -m 660 -o www -g www /dev/stdin \
      /etc/nginx/site.d/"$site"/server.conf
    # NOTE(review): this adduser runs without sudo and names the group
    # "$site", whereas the accounts created above are www."$site" and
    # log."$site"; the install -d -o/-g "$site" just below has the same
    # mismatch — confirm which account and group are meant.
    adduser www-data "$site"
    test -e /home/www/pub/"$site" ||
    sudo install -d -m 3770 -o "$site" -g "$site" \
      /home/www/pub/"$site"
    sudo install -d -m 3770 -o log."$site" -g log."$site" \
      /home/www/log/"$site"/nginx
    # Optional per-site hook, sourced into this shell: it runs with this
    # script's privileges (including sudo) and may change its variables.
    test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
    . "$tool"/etc/nginx/site.d/"$site"/configure.sh
  done
  rule apt_get_install spawn-fcgi fcgiwrap
  # fcgiwrap's own init script is disabled; it is spawned via spawn-fcgi.
  sudo insserv --remove fcgiwrap
  rule tmpfs_configure
  sudo service nginx restart
}
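rule_php5_fpm_configure () {
	# Installs php5-fpm and generates one FPM pool per
	# etc/php5/fpm/pool.d/$port.$site.conf found in the repository.
	# Each pool runs as its own system user php5.$site (never as www-data),
	# listens on a per-site unix socket under /run/nginx/fastcgi and logs
	# under /home/www/log. Finishes with tmpfs_configure and a service restart.
	local -; set +f
	rule apt_get_install \
	 php5-fpm \
	 php-apc
	getent passwd php5 >/dev/null ||
	sudo adduser \
	 --disabled-login \
	 --disabled-password \
	 --group \
	 --shell /bin/false \
	 --system \
	 php5
	local conf
	# NOTE(review): the link target /etc/php5-fpm differs from the pool
	# directory /etc/php5/fpm used right below — confirm which one is meant.
	sudo ln -fns \
	 /etc/php5-fpm \
	 /home/www/etc/php5
	# Pools are regenerated from scratch on every run.
	sudo rm -f /etc/php5/fpm/pool.d/*
	for conf in "$tool"/etc/php5/fpm/pool.d/*.conf
	do conf=${conf#"$tool"/etc/php5/fpm/pool.d/}
		local port site
		IFS=. read -r port site <<-EOF
			${conf%\.conf}
			EOF
		assert 'test "${port:+set}"'
		assert 'test "${site:+set}"'
		site="$port.$site"
		# FIX: the lookup used php5"$site" (no dot) and so never matched the
		# account created below, which is php5."$site".
		getent passwd php5."$site" >/dev/null ||
		sudo adduser \
		 --disabled-login \
		 --disabled-password \
		 --group \
		 --no-create-home \
		 --home ~www/pub/"$site" \
		 --shell /bin/false \
		 --system \
		 php5."$site"
		sudo install -d -m 770 -o php5 -g php5 \
		 /home/www/log/php5 \
		 /home/www/log/php5/fpm
		sudo install -d -m 770 -o log."$site" -g log."$site" \
		 /home/www/log/"$site"
		# NOTE(review): the pool below logs into /home/www/log/$site/php5/fpm/,
		# a directory this rule does not create — verify where it comes from.
		# FIX: $user and $php5_user were never defined (fatal under set -u);
		# the pool's account is php5.$site, and it joins www.$site so it can
		# read that site's files (group created by rule_nginx_configure).
		sudo adduser php5."$site" www."$site"
		# Security notes on the generated pool: rlimit_core = unlimited lets a
		# crashing worker dump memory that may hold request data or credentials,
		# so the dump location must stay root-only; pm.status_path is reachable
		# only through whatever nginx forwards to this socket.
		sudo install -m 660 -o root -g root /dev/stdin \
		 /etc/php5/fpm/pool.d/"$conf" <<-EOF
			[php5.$site]
			access.log = /home/www/log/$site/php5/fpm/access.log
			catch_workers_output = yes
			chdir = /
			env[HOSTNAME] = \$HOSTNAME
			env[TEMP] = /tmp
			env[TMPDIR] = /tmp
			env[TMP] = /tmp
			group = www-data
			listen = /run/nginx/fastcgi/php5.$site
			#listen = 127.0.0.1:9000
			#listen.allowed_clients = 127.0.0.1
			listen.backlog = -1
			pm = dynamic
			pm.max_children = 5
			pm.max_requests = 200
			pm.max_spare_servers = 4
			pm.min_spare_servers = 2
			pm.start_servers = 3
			pm.status_path = /status
			request_slowlog_timeout = 5s
			request_terminate_timeout = 120s
			rlimit_core = unlimited
			rlimit_files = 131072
			slowlog = /home/www/log/$site/php5/fpm/slow.log
			user = php5.$site
			$(cat "$tool"/etc/php5/fpm/pool.d/"$conf")
			EOF
	done
	# php.ini does not depend on the site: installed once, outside the loop.
	sudo install -m 664 -o root -g root \
	 "$tool"/etc/php5/fpm/php.ini \
	 /etc/php5/fpm/php.ini
	rule tmpfs_configure
	sudo service php5-fpm restart
}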
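rule_postfix_configure () {
	# Installs postfix with an empty debconf preset, then lays out
	# /etc/postfix/$vm_domainname/{smtp,smtpd}/x509 and the lookup tables
	# shipped in the repository. The smtpd private key is never copied by this
	# rule: it must already have been delivered by `vm_remote postfix_key_send`.
	local hint="run vm_remote postfix_key_send before"
	# FIX: the smtpd directory is created root:root 0770 by this rule, so a
	# non-root caller cannot test the key's presence; use sudo like the
	# equivalent check in rule_nginx_configure.
	assert "sudo test -f /etc/postfix/\"$vm_domainname\"/smtpd/x509/key.pem" hint
	# Debian would otherwise prompt for a mailer type: pick none, main.cf is
	# generated below.
	sudo debconf-set-selections <<-EOF
		postfix postfix/main_mailer_type select No configuration
		EOF
	rule apt_get_install postfix
	# Keep the postmap-generated *.db files out of git (etckeeper).
	sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
		*.db
		EOF
	# (This install -d list used to be repeated verbatim; once is enough.)
	sudo install -d -m 770 -o root -g root \
	 /etc/postfix/"$vm_domainname"/ \
	 /etc/postfix/"$vm_domainname"/smtp \
	 /etc/postfix/"$vm_domainname"/smtp/x509 \
	 /etc/postfix/"$vm_domainname"/smtp/x509/ca \
	 /etc/postfix/"$vm_domainname"/smtpd \
	 /etc/postfix/"$vm_domainname"/smtpd/x509 \
	 /etc/postfix/"$vm_domainname"/smtpd/x509/ca
	sudo ln -fns \
	 ../crt+crl.self-signed.pem \
	 /etc/postfix/"$vm_domainname"/smtpd/x509/ca/crt.pem
	# Public material only (certificate, CA chain, CRL), from var/pub;
	# installed root-only anyway. The duplicate crt+crl install was dropped.
	sudo install -m 400 -o root -g root \
	 "$tool"/var/pub/x509/"$vm_domainname"/smtpd/crt+crl.self-signed.pem \
	 /etc/postfix/"$vm_domainname"/smtpd/x509/crt+crl.self-signed.pem
	sudo install -m 400 -o root -g root \
	 "$tool"/var/pub/x509/"$vm_domainname"/smtpd/crt.pem \
	 /etc/postfix/"$vm_domainname"/smtpd/x509/crt.pem
	sudo install -m 400 -o root -g root \
	 "$tool"/var/pub/x509/"$vm_domainname"/smtpd/crt+ca.pem \
	 /etc/postfix/"$vm_domainname"/smtpd/x509/crt+ca.pem
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/postfix/"$vm_domainname"/header_checks \
	 /etc/postfix/"$vm_domainname"/header_checks
	# Role addresses all land on root, and root is forwarded to the current
	# members of the sudo group, so every admin receives system mail.
	sudo install -m 664 -o root -g root /dev/stdin \
	 /etc/postfix/aliases <<-EOF
		# See man 5 aliases for format
		abuse: root
		admin: root
		contact: root
		postmaster: root
		root: $(getent group sudo | cut -f 4 -d : | tr , ' ')
		EOF
	sudo newaliases -oA/etc/postfix/aliases
	# main.cf = host-specific header followed by the shared template.
	{
		cat <<-EOF
			mydomain = $vm_domainname
			myorigin = \$mydomain
			myhostname = $vm_hostname.\$mydomain
			mail_name = \$myhostname
			mydestination = $vm_hostname \$myhostname \$myorigin
			EOF
		cat "$tool"/etc/postfix/main.cf
	} |
	sudo install -m 664 -o root -g root /dev/stdin \
	 /etc/postfix/main.cf
	sudo install -m 664 -o root -g root \
	 "$tool"/etc/postfix/master.cf \
	 /etc/postfix/master.cf
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/postfix/"$vm_domainname"/smtp/header_checks \
	 /etc/postfix/"$vm_domainname"/smtp/header_checks
	# Hash lookup tables: install the source, then (re)build its .db.
	local table
	for table in \
	 smtp/x509/policy \
	 smtpd/sender_access \
	 smtpd/client_blacklist \
	 smtpd/relay_clientcerts \
	 transport \
	 virtual_alias
	do sudo install -m 660 -o root -g root \
		 "$tool"/etc/postfix/"$vm_domainname"/"$table" \
		 /etc/postfix/"$vm_domainname"/"$table"
		sudo postmap hash:/etc/postfix/"$vm_domainname"/"$table"
	done
	sudo service postfix restart
}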
rule_postgresql_configure () {
	# Installs PostgreSQL 9.1 from Debian and (re)starts the service.
	# No cluster, role or access (pg_hba.conf) configuration is done here.
	local package=postgresql-9.1
	rule apt_get_install "$package"
	sudo service postgresql restart
}
rule_openerp_configure () {
	# Registers the OpenERP nightly APT source and installs the package.
	# NOTE(review): the source is plain http and this rule installs no
	# signing key, so apt cannot authenticate these packages unless a key is
	# provisioned elsewhere — a supply-chain weak point worth confirming.
	local list=/etc/apt/sources.list.d/openerp.list
	printf '%s\n' 'deb http://nightly.openerp.com/trunk/nightly/deb/ ./' |
	sudo install -m 660 -o root -g root /dev/stdin "$list"
	sudo apt-get update
	rule apt_get_install openerp
}
rule_postgrey_configure () {
	# Installs the postgrey greylisting daemon with Debian defaults and
	# (re)starts it; wiring it into postfix is left to the postfix templates.
	local package=postgrey
	rule apt_get_install "$package"
	sudo service "$package" restart
}
rule_procmail_configure () {
	# Installs procmail and seeds /etc/skel with the per-user mail layout and
	# the default delivery recipe (root:adm, no world access), so every new
	# account gets them.
	local skel=/etc/skel
	rule apt_get_install procmail
	sudo install -d -m 770 -o root -g adm \
	 "$skel"/etc/mail \
	 "$skel"/var/cache/mail \
	 "$skel"/var/log/mail \
	 "$skel"/var/mail
	sudo install -m 660 -o root -g adm \
	 "$tool"/etc/skel/etc/mail/delivery.procmailrc \
	 "$skel"/etc/mail/delivery.procmailrc
}
rule_ssh_configure () {
	# Generates a 4096-bit RSA host key unless the repository's known_hosts
	# already lists an RSA entry for $vm_fqdn, removes the DSA/ECDSA host keys,
	# writes sshd_config and restarts sshd.
	if ! ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	(
		while IFS= read -r line
		do case $line in
			(*" RSA") exit 0;;
			esac
		done
		exit 1
	)
	then sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
	fi
	# NOTE: keys generated by Debian at install time; only the RSA one is kept.
	sudo rm -f \
	 /etc/ssh/ssh_host_dsa_key \
	 /etc/ssh/ssh_host_dsa_key.pub \
	 /etc/ssh/ssh_host_ecdsa_key \
	 /etc/ssh/ssh_host_ecdsa_key.pub
	# Key-only policy: password, challenge-response, Kerberos and GSSAPI are
	# all off, so PermitRootLogin yes still requires a key present in
	# /root/etc/ssh/authorized_keys (filled by rule_user_root_configure);
	# `PermitRootLogin without-password` would state that intent explicitly.
	# AuthorizedKeysFile points at ~/etc/ssh, matching the /etc/skel layout.
	# NOTE(review): Protocol, RSAAuthentication, KeyRegenerationInterval and
	# ServerKeyBits are SSH-1-era directives; recent OpenSSH releases ignore
	# them with a deprecation warning — confirm on the target version.
	sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
		Port 22
		ListenAddress $vm_ipv4
		#ListenAddress ::
		Protocol 2
		Compression yes
		HostKey /etc/ssh/ssh_host_rsa_key
		UsePrivilegeSeparation yes
		KeyRegenerationInterval 3600
		ServerKeyBits 768
		SyslogFacility AUTH
		LogLevel INFO
		LoginGraceTime 120
		PermitRootLogin yes
		StrictModes yes
		RSAAuthentication yes
		PubkeyAuthentication yes
		AuthorizedKeysFile %h/etc/ssh/authorized_keys
		IgnoreRhosts yes
		RhostsRSAAuthentication no
		HostbasedAuthentication no
		IgnoreUserKnownHosts no
		PermitEmptyPasswords no
		ChallengeResponseAuthentication no
		PasswordAuthentication no
		KerberosAuthentication no
		GSSAPIAuthentication no
		X11Forwarding no
		X11DisplayOffset 10
		PrintMotd no
		DebianBanner no
		PrintLastLog yes
		TCPKeepAlive yes
		ClientAliveInterval 0
		AcceptEnv LANG LC_*
		Subsystem sftp /usr/lib/openssh/sftp-server
		UsePAM yes
		EOF
	sudo service ssh restart
}
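rule_sysctl_configure () {
	# Copies every etc/sysctl.d/*.conf from the repository into /etc/sysctl.d
	# (root-only, 0660) and applies the whole directory with sysctl --system.
	# FIX: conf was not declared local (as it is in the sibling rules) and
	# leaked into the caller's scope.
	local conf
	local -; set +f
	for conf in "$tool"/etc/sysctl.d/*.conf
	do conf=${conf#"$tool"/etc/sysctl.d/}
		sudo install -m 660 -o root -g root \
		 "$tool"/etc/sysctl.d/"$conf" \
		 /etc/sysctl.d/"$conf"
	done
	sudo sysctl --system
}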
rule_time_configure () {
	# Pins the timezone to Europe/Paris (/etc/timezone plus the debconf
	# answers tzdata reads when reconfigured) and installs ntp for clock sync.
	local zone=Europe/Paris
	printf '%s\n' "$zone" |
	sudo install -m 644 -o root -g root /dev/stdin /etc/timezone
	sudo debconf-set-selections <<-EOF
		tzdata tzdata/Areas select ${zone%/*}
		tzdata tzdata/Zones/Europe select ${zone#*/}
		EOF
	rule dpkg_reconfigure tzdata
	rule apt_get_install ntp
}
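rule_user_add () { # SYNTAX: $user
	# Creates a regular account ($1) with a locked password, puts it in the
	# `users` group, installs its SSH public key from var/pub/ssh/$user.key
	# and imports the repository's OpenPGP keys into its keyring.
	rule user_configure
	local user=$1
	id "$user" >/dev/null ||
	sudo adduser --disabled-password "$user"
	# NOTE: the password has to be set by the user themself with passwd-init.
	# FIX: resolve the home directory through passwd instead of eval'ing
	# "~$user" — the value comes straight from the command line.
	local home
	home=$(getent passwd "$user" | cut -f 6 -d :)
	assert 'test "${home:+set}"' user
	sudo adduser "$user" users
	# root:root 0640: sshd (root) can read it, the user cannot edit it.
	sudo install -m 640 -o root -g root \
	 "$tool"/var/pub/ssh/"$user".key \
	 "$home"/etc/ssh/authorized_keys
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo -u "$user" gpg --import - <"$key"
	done
}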
rule_user_configure () {
	# NOTE: dead definition — the same name is defined again further down in
	# this file with the real /etc/skel and sudoers setup, and in sh the last
	# definition read wins, so `rule user_configure` never reaches this stub.
	true
}
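rule_user_admin_add () { # SYNTAX: $user
	# Same as rule_user_add, then grants the account sudo and runs the
	# admin follow-ups. Note that rule_user_root_configure copies the keys of
	# every sudo member into root's authorized_keys, so this is root access.
	# FIX: delegate to rule_user_add instead of repeating its body, so the two
	# rules cannot drift apart.
	local user=$1
	rule user_add "$user"
	sudo adduser "$user" sudo
	rule user_admin_configure
}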
rule_user_admin_configure () {
	# Admin follow-ups, in order: initramfs_configure, then
	# user_root_configure (which refreshes root's authorized_keys).
	local rule_name
	for rule_name in initramfs_configure user_root_configure
	do rule "$rule_name"
	done
}
rule_user_configure () {
	# Skeleton and shared policy for every account created by rule_user_add /
	# rule_user_admin_add: a ~/etc + ~/var layout where the dotfiles are
	# symlinks into etc/, the sudoers fragments, the passwd-init helper and
	# the global bash/screen rc files.
	# ~/etc/ssh is where sshd looks for keys (AuthorizedKeysFile
	# %h/etc/ssh/authorized_keys in rule_ssh_configure); ~/etc/gpg replaces ~/.gnupg.
	sudo install -d -m 750 -o root -g adm \
	 /etc/skel/etc \
	 /etc/skel/etc/gpg \
	 /etc/skel/etc/ssh
	sudo install -d -m 770 -o root -g adm \
	 /etc/skel/var \
	 /etc/skel/var/cache \
	 /etc/skel/var/log \
	 /etc/skel/var/run \
	 /etc/skel/var/run/ssh
	sudo ln -fns etc/ssh /etc/skel/.ssh
	sudo ln -fns etc/gpg /etc/skel/.gnupg
	# Bootstrap for accounts created with --disabled-password: a sudo-group
	# member may run passwd for *themself* without a password, but only while
	# `passwd --status` reports the account as locked ("L"); once a password
	# is set the case no longer matches and the rule grants nothing further.
	# The command string must match the one passwd-init runs, byte for byte.
	# NOTE(review): sudo expects sudoers.d fragments to be mode 0440; confirm
	# that the installed sudo accepts 0640 rather than ignoring the file.
	sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
		%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
		case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
		("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
		EOF
	# Lets admins record hand-made /etc changes without a password prompt.
	sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF
		%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
		EOF
	# Variables preserved across sudo: EDITOR and the git identity (presumably
	# so etckeeper commits carry the admin's name — verify). Keeping EDITOR
	# means the editor sudoedit/visudo launches as root is user-chosen.
	sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/env_keep <<-EOF
		Defaults env_keep = " \\
		EDITOR \\
		GIT_AUTHOR_NAME \\
		GIT_AUTHOR_EMAIL \\
		GIT_COMMITTER_NAME \\
		GIT_COMMITTER_EMAIL \\
		"
		EOF
	# Wrapper around the passwd-init sudoers rule above; the \$ escapes keep
	# the expansions for the runtime shell rather than this heredoc.
	sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF
		#!/bin/sh -efu
		# DESCRIPTION: lets a user initialise their own system password themself.
		sudo /bin/sh -e -f -u -c \
		'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
		EOF
	sudo install -m 644 -o root -g root \
	 "$tool"/etc/bash.bashrc \
	 /etc/bash.bashrc
	sudo install -m 644 -o root -g root \
	 "$tool"/etc/screenrc \
	 /etc/screenrc
}
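rule_user_root_configure () {
	# Gives root the same ~/etc layout as /etc/skel and builds root's
	# authorized_keys as the concatenation of every sudo-group member's keys.
	# Together with PermitRootLogin yes in rule_ssh_configure, membership of
	# the sudo group therefore equals direct root login over SSH.
	sudo install -d -m 750 -o root -g adm \
	 /root/etc \
	 /root/etc/gpg \
	 /root/etc/ssh
	sudo ln -fns etc/gpg /root/.gnupg
	sudo ln -fns etc/ssh /root/.ssh
	# FIX: the members' files are installed root:root 0640 by rule_user_add,
	# so reading them without sudo fails for a non-root caller; and because
	# /bin/sh has no pipefail, that failure used to end the loop's subshell
	# silently and install a truncated authorized_keys. Collecting the keys
	# first makes any read error abort the rule (set -e) before installing.
	local keys
	keys=$(
		getent group sudo |
		while IFS=: read -r _group _pw _gid users
		do while test -n "$users"
			do user=${users%%,*}
				case $users in
				(*,*) users=${users#*,};;
				(*) users=;;
				esac
				home=$(getent passwd "$user" | cut -f 6 -d :)
				sudo cat "$home"/etc/ssh/authorized_keys
			done
		done
	)
	printf '%s\n' "$keys" |
	sudo install -m 640 -o root -g root /dev/stdin /root/etc/ssh/authorized_keys
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo gpg --import "$key"
	done
}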
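rule_xinetd_configure () {
	# Installs xinetd and copies every service file from the repository's
	# etc/xinetd.d into /etc/xinetd.d (root-only, 0660), then restarts it.
	rule apt_get_install xinetd
	# FIX: conf was not declared local (as in the sibling rules) and leaked
	# into the caller's scope.
	local conf
	local -; set +f
	for conf in "$tool"/etc/xinetd.d/*
	do conf=${conf#"$tool"/etc/xinetd.d/}
		sudo install -m 660 -o root -g root \
		 "$tool"/etc/xinetd.d/"$conf" \
		 /etc/xinetd.d/"$conf"
	done
	sudo service xinetd restart
}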
rule_configure () {
	# Full configuration of the hosted VM: every *_configure rule, in this
	# order (the order matters: ssh before user_root, user before mail, ...).
	# apache2_configure is kept disabled, as in the original sequence:
	#rule apache2_configure
	local rule_name
	for rule_name in \
	 apt_configure \
	 git_configure \
	 etckeeper_configure \
	 locale_configure \
	 time_configure \
	 network_configure \
	 filesystem_configure \
	 login_configure \
	 ssh_configure \
	 user_root_configure \
	 boot_configure \
	 sysctl_configure \
	 user_configure \
	 mail_configure \
	 nginx_configure \
	 php5_fpm_configure \
	 gitolite_configure \
	 xinetd_configure
	do rule "$rule_name"
	done
}
1324
rule_luks_key_change () {
	# Replaces a passphrase of the LUKS volume holding the root LV
	# ($vm_lvm_vg/${vm_lvm_lv}_root); cryptsetup asks for the old and new
	# passphrases itself, nothing is passed on the command line.
	local device="/dev/$vm_lvm_vg/${vm_lvm_lv}_root"
	sudo cryptsetup luksChangeKey "$device"
}
1328
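# Entry point: first argument is the rule name (default: help), the rest are
# passed to the rule. Every rule but help must run on the hosted VM itself:
# the live FQDN is compared with the one configured in etc/vm.sh.
rule=${1:-help}
${1+shift}
case $rule in
(help);;
(*)
	assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
	;;
esac
# FIX: quote $rule so a value containing whitespace cannot be split into
# several arguments before reaching the dispatcher.
rule "$rule" "$@"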