Ajout : vm_hosted : rule_gitolite_configure .
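#!/bin/sh
# DESCRIPTION: rules to administer the hosted VM from inside the VM itself;
# `vm_hosted help' lists them (see rule_help below).
# ENVIRONMENT: DRY_RUN (when set, the shell only reads the script: set -n,
# nothing is executed), TRACE (see rule_help).
set -e -f ${DRY_RUN:+-n} -u
# Directory holding this tool, following symlinks (e.g. /usr/local/sbin/vm
# installed by rule_git_configure). A relative symlink target is resolved
# against the directory of the link itself, and a bare name (no slash)
# means the current directory.
tool=$0
while test -L "$tool"
do target=$(readlink "$tool")
   case $target in
   (/*) tool=$target;;
   (*) case $tool in
       (*/*) tool=${tool%/*}/$target;;
       (*) tool=$target;;
       esac;;
   esac
done
case $tool in
(*/*) tool=${tool%/*};;
(*) tool=.;;
esac
. "$tool"/lib/rule.sh
. "$tool"/etc/vm.sh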
10
rule_help () { # SYNTAX: [--hidden]
  # Prints this tool's usage on stderr: description, syntax, the rules
  # found in etc/vm.sh and in this file (with their trailing SYNTAX
  # comment when they have one) and the readonly environment variables.
  # Without an argument, rules whose name starts with `_' are hidden;
  # any argument (e.g. --hidden) lists them as well.
  local hidden
  if [ -z "${1:-}" ]; then
    hidden=set
  fi
  cat >&2 <<-EOF
DESCRIPTION:
ce script regroupe des règles pour administrer la VM ($vm_fqdn)
_depuis_ la VM hébergée ($vm_fqdn) ;
il sert à la fois d'outil (aisément bidouillable)
et de documentation (préçise).
Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
SYNTAX: $0 \$RULE \${RULE}_SYNTAX
RULES:
$(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
ENVIRONMENT:
TRACE # affiche les commandes avant leur exécution
$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
EOF
}
28
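rule_git_configure () {
  # Points the checkout's master at its remote-tracking master and installs
  # this tool as /usr/local/sbin/vm_hosted and /usr/local/sbin/vm, using the
  # absolute path of the checkout so the links work from any directory.
  # Globals: tool (read).
  (
  cd "$tool"
  git config --replace-all branch.master.remote .
  git config --replace-all branch.master.merge refs/remotes/master
  # Absolute path of the checkout. The former `cd "$tool"; cd -' printed
  # $OLDPWD, which is the checkout only when $tool is absolute or `.';
  # pwd is right in every case since we are already inside it.
  local tool
  tool=$(pwd)
  sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/
  sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/vm
  )
}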
rule_git_reset () {
  # Throws away every local change of the checkout: master is forcibly
  # recreated from the remote-tracking master, then all untracked files
  # (ignored ones included) and directories are removed.
  # Globals: tool (read).
  (
  cd "$tool" &&
  git checkout -f -B master remotes/master &&
  git clean -f -d -x
  )
}
47
rule_apt_get_install () { # SYNTAX: $package
  # Installs the given package(s) without any debconf prompt
  # (DEBIAN_FRONTEND=noninteractive), so rules can run unattended with the
  # answers preset through debconf-set-selections (e.g. rule_boot_configure).
  # NOTE(review): sudo forwards DEBIAN_FRONTEND only if sudoers allows it
  # (env_keep or SETENV) — confirm on the target.
  sudo DEBIAN_FRONTEND=noninteractive apt-get install "$@"
}
rule_dpkg_reconfigure () { # SYNTAX: $package
  # Re-runs the configuration of the given package(s) without any debconf
  # prompt, so the answers preset with debconf-set-selections apply
  # (see rule_locale_configure).
  # NOTE(review): sudo forwards DEBIAN_FRONTEND only if sudoers allows it
  # (env_keep or SETENV) — confirm on the target.
  sudo DEBIAN_FRONTEND=noninteractive dpkg-reconfigure "$@"
}
54
rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
  # Hidden rule (leading `_'): forces a C locale in the current shell and
  # re-reads /etc/profile — presumably for use inside a chroot, per its name.
  export LANG=C LC_CTYPE=C
  . /etc/profile
}
60
rule_apache2_configure () {
  # Installs apache2 (itk MPM + mod-php5) and, for every
  # etc/apache2/site.d/$port.$site/VirtualHost.conf shipped with the tool,
  # generates /etc/apache2/site.d/$site_dir/VirtualHost.conf, a dedicated
  # system user (AssignUserID) and the log/document directories under
  # /home/www, then enables the site and restarts apache2.
  # Globals: tool, vm_fqdn, user (read).
  # NOTE(review): $user and $home are read here but never assigned in this
  # function; they must come from etc/vm.sh or the caller — verify, since
  # the script runs with set -u.
  local -; set +f   # re-enable globbing for the site.d/*/ loop below
  rule apt_get_install \
    apache2-mpm-itk \
    libapache2-mod-php5
  # SEE: http://serverfault.com/questions/383526/how-do-i-select-which-apache-mpm-to-use/383634#383634
  # SEE: http://jkroon.blogs.uls.co.za/it/security/using-php-fpm-and-mod_proxy_fcgi-to-optimize-and-secure-lamp-servers
  # NOTE: apache2-mpm-itk seems the most secure choice,
  # as everything is certain to run with the uid/gid
  # assigned to the VirtualHost/Directory/Location;
  # nevertheless a combination such as:
  # apache2-mpm-{worker,event} + mod_proxy_fcgi + apache2-suexec-custom + php-fpm
  # may perform better (threads rather than forks),
  # but suexec seems to impose forks anyway..
  # and mod_proxy_fcgi only shows up in apache 2.4;
  # hence for now: apache2-mpm-itk
  rule www_configure
  # apache2.conf = a ServerName line followed by the tool's apache2.conf.
  cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF |
ServerName "$vm_fqdn"
EOF
  sudo install -m 660 -o root -g root /dev/stdin \
    /etc/apache2/apache2.conf
  sudo install -m 660 -o root -g root \
    "$tool"/etc/apache2/envvars \
    /etc/apache2/envvars
  sudo install -m 660 -o root -g root \
    "$tool"/etc/apache2/httpd.conf \
    /etc/apache2/httpd.conf
  #sudo install -m 660 -o root -g root /dev/stdin \
  # /etc/apache2/suexec/www-data <<-EOF
  # /home
  # pub/www/cgi
  # EOF
  sudo install -m 660 -o root -g root \
    "$tool"/etc/apache2/ports.conf \
    /etc/apache2/ports.conf
  sudo a2enmod actions
  sudo a2enmod headers
  sudo a2enmod rewrite
  sudo a2enmod ssl
  sudo a2enmod userdir
  local conf
  # Start from no enabled site; "*" is quoted so the shell does not glob it.
  sudo a2dissite "*"
  sudo ln -fns \
    /etc/apache2 \
    /home/www/etc/apache2
  for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf
  do conf=${conf#"$tool"/etc/apache2/site.d/}
    local port site
    # Site directories are named $port.$site; read splits on the first dot,
    # the rest of the name (dots included) lands in $site.
    IFS=. read -r port site <<-EOF
${conf%\/VirtualHost\.conf}
EOF
    assert 'test "${site:+set}"'
    assert 'test "${port:+set}"'
    local site_user="$user.$port.$site"
    local site_dir="$user.$port.$site"
    case $port in
    (443)
      # The TLS private key is not part of the tool: it must have been
      # pushed from the host (vm_remote apache2_key_send) beforehand.
      local hint="run vm_remote apache2_key_send before"
      assert "sudo test -f /etc/apache2/site.d/\"$site_dir\"/x509/key.pem" hint
      sudo install -d -m 770 -o "$user" -g "$user" \
        /etc/apache2 \
        /etc/apache2/site.d/"$site_dir" \
        /etc/apache2/site.d/"$site_dir"/x509 \
        /etc/apache2/site.d/"$site_dir"/x509/ca \
        /etc/apache2/site.d/"$site_dir"/x509/empty \
        /etc/apache2/site.d/"$site_dir"/x509/rvk \
        /etc/apache2/site.d/"$site_dir"/x509/usr
      sudo install -m 664 -o www -g www \
        "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
        /etc/apache2/site.d/"$site_dir"/x509/crt.self-signed.pem
      #sudo install -m 664 -o "$user" -g "$user" \
      # "$tool"/var/pub/x509/"$site"/rvk.pem \
      # /etc/apache2/site.d/"$site_dir"/x509/rvk.pem
      sudo install -m 664 -o www -g www \
        "$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \
        /etc/apache2/site.d/"$site_dir"/x509/ca/crt.pem
      sudo install -m 664 -o www -g www \
        "$tool"/var/pub/x509/"$site"/crt.pem \
        /etc/apache2/site.d/"$site_dir"/x509/crt.pem
      ;;
    esac
    # The generated VirtualHost is the fixed header below plus the site's
    # own VirtualHost.conf from the tool, spliced in by $(cat ...).
    # NOTE(review): the 443 header pins SSLProtocol -All +TLSv1 and
    # SSLCipherSuite AES+RSA+SHA256; both end up in the live config —
    # review them against current TLS guidance before deploying.
    case $port in
    (80)
      cat <<-EOF
<VirtualHost *:$port>
AssignUserID $site_user $site_user
CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
#CustomLog "/dev/null" Combined
DocumentRoot /home/www/pub/$site_dir
ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
#ErrorLog "/dev/null"
ServerName $site
LogLevel Warn
$(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
</VirtualHost>
EOF
      ;;
    (443)
      cat <<-EOF
<IfModule mod_ssl.c>
<VirtualHost *:$port>
AssignUserID $site_user $site_user
BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
#CustomLog "/dev/null" Combined
DocumentRoot /home/www/pub/$site_dir
ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
#ErrorLog "/dev/null"
LogLevel Warn
ServerName $site
SSLCACertificateFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
SSLCACertificatePath /etc/apache2/site.d/$site_dir/x509/usr/
#SSLCARevocationFile /etc/apache2/site.d/$site_dir/x509/rvk.pem
SSLCADNRequestFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
SSLCADNRequestPath /etc/apache2/site.d/$site_dir/x509/empty/
# NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés
SSLCARevocationPath /etc/apache2/site.d/$site_dir/x509/rvk/
SSLCertificateChainFile /etc/apache2/site.d/$site_dir/x509/ca/crt.pem
SSLCertificateFile /etc/apache2/site.d/$site_dir/x509/crt.pem
SSLCertificateKeyFile /etc/apache2/site.d/$site_dir/x509/key.pem
SSLCipherSuite AES+RSA+SHA256
SSLEngine On
SSLInsecureRenegotiation Off
SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars
SSLProtocol -All +TLSv1
#SSLRenegBufferSize 262144
SSLSessionCacheTimeout 1200
SSLStrictSNIVHostCheck On
SSLUserName SSL_CLIENT_S_DN_CN
SSLVerifyClient None
SSLVerifyDepth 1
$(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
</VirtualHost>
</IfModule>
EOF
      ;;
    esac |
    sudo install -m 660 -o root -g root /dev/stdin \
      /etc/apache2/site.d/"$site_dir"/VirtualHost.conf
    sudo ln -fns \
      ../site.d/"$site_dir"/VirtualHost.conf \
      /etc/apache2/sites-available/"$site_dir"
    sudo install -d -m 770 -o "$user" -g "$user" \
      /home/www/log/"$site_dir" \
      /home/www/log/"$site_dir"/apache2
    sudo ln -fns \
      /etc/apache2/site.d/"$site_dir" \
      /home/www/etc/apache2/"$site_dir"
    test -e /home/www/pub/"$site_dir" ||
    sudo install -d -m 770 -o "$user" -g "$user" \
      /home/www/pub/"$site_dir"
    # One system user per site (the AssignUserID above): no password, no shell.
    getent passwd "$site_user" >/dev/null ||
    sudo adduser \
      --disabled-password \
      --group \
      --no-create-home \
      --home /home/www/pub/"$site_dir" \
      --shell /bin/false \
      --system \
      "$site_user"
    # Traverse-only ACL for the site user down to its document root...
    sudo setfacl -m u:"$site_user":--x \
      /home/www/ \
      /home/www/pub/ \
      /home/www/pub/"$site_dir"/
    # ...and a default rwx ACL on the document root itself.
    # NOTE(review): this is the only "$home"/pub/www/... path in the rule;
    # every other one is /home/www/pub/"$site_dir" — looks like a slip, verify.
    sudo setfacl -m d:u:"$site_user":rwx \
      "$home"/pub/www/"$site_dir"/
    # Optional per-site hook, sourced in this shell (it sees the locals above).
    test ! -r "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh ||
    . "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh
    test -e /etc/apache2/sites-enabled/"$site_dir" ||
    sudo a2ensite "$site_dir"
  done
  sudo service apache2 restart
}
rule_apt_configure () {
  # Writes the apt sources (Debian $vm_lsb_name main contrib non-free, the
  # backports source left commented out), the pin priorities, then installs
  # apticron so pending updates are mailed to admin@$vm_domainname.
  # Globals: vm_lsb_name, vm_domainname, vm_fqdn (read).
  sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
EOF
  # NOTE(review): apt reads sources.list and sources.list.d/*.list only;
  # a .list file directly under /etc/apt/ is ignored — verify this is intended
  # (the single line inside is commented out anyway).
  sudo install -m 660 -o root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF
#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
EOF
  # Pins: $vm_lsb_name at 170, its backports at 200.
  sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
Package: *
Pin: release a=$vm_lsb_name
Pin-Priority: 170

Package: *
Pin: release a=$vm_lsb_name-backports
Pin-Priority: 200
EOF
  sudo apt-get update
  rule apt_get_install apticron
  # apticron: only EMAIL is set, the other settings are kept commented
  # so the package's own defaults apply.
  sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF
EMAIL="admin@$vm_domainname"
# DIFF_ONLY="1"
# LISTCHANGES_PROFILE="apticron"
# ALL_FQDNS="1"
# SYSTEM="foobar.example.com"
# IPADDRESSNUM="1"
# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
# NOTIFY_HOLDS="0"
# NOTIFY_NEW="0"
# NOTIFY_NO_UPDATES="0"
# CUSTOM_SUBJECT=""
# CUSTOM_NO_UPDATES_SUBJECT=""
# CUSTOM_FROM="root@$vm_fqdn"
EOF
}
rule_boot_configure () {
  # Installs GRUB with an empty install_devices selection (presumably so
  # grub-pc writes no MBR on any disk), the kernel for $vm_arch, the Xen
  # oriented kernel command line, a device.map for the domU disk, the
  # initramfs (rule_initramfs_configure) and molly-guard.
  # Globals: vm, vm_arch, vm_ipv4, vm_fqdn (read).
  #warn "during the Debian install, do NOT install GRUB on ANY of the proposed disks!"
  sudo debconf-set-selections <<-EOF
grub-pc grub-pc/install_devices multiselect
EOF
  rule apt_get_install grub-pc
  # NOTE(review): -m 644 on a directory leaves no execute bit; root still
  # traverses it, but confirm the mode is intended.
  sudo install -d -m 644 -o root -g root /boot/grub
  rule apt_get_install linux-image-$vm_arch
  # GRUB_CMDLINE_LINUX: console on hvc0, IP configured by the kernel (ip=),
  # resume from the deciphered swap LV (see rule_filesystem_configure).
  sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
GRUB_DISABLE_RECOVERY="true"
#GRUB_PRELOAD_MODULES="lvm"
EOF
  # Both lines map (hd0); the second is the device-mapper name of the domU
  # disk, with every `-' doubled by sed (presumably device-mapper's escaping).
  sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF
(hd0) /dev/xvda
(hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
EOF
  sudo update-grub2 # NOTE: takes /boot/grub/device.map into account
  rule initramfs_configure
  rule apt_get_install molly-guard
  # molly-guard: always ask for the hostname before halt/reboot.
  sudo install -m 644 -o root -g root /dev/stdin /etc/molly-guard/rc <<-EOF
ALWAYS_QUERY_HOSTNAME=true
# NOTE: une alternative est de dire à sudo de conserver les SSH_*
# néamoins demander tout le temps n'est pas trop contraignant
# et davantage sécurisant.
EOF
}
rule_dovecot_configure () {
  # Installs dovecot (IMAP + sieve), its TLS material, local.conf, and a
  # dovecot-passwd helper letting each user set their own IMAP password.
  # Globals: tool, vm_domainname (read).
  rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
  # The private key is not in the tool; it must have been sent from the host.
  local hint="run vm_remote dovecot_key_send before"
  assert "sudo test -f /etc/dovecot/\"$vm_domainname\"/imap/x509/key.pem" hint
  sudo install -m 400 -o root -g root \
    "$tool"/var/pub/x509/$vm_domainname/imap/crt+crl.self-signed.pem \
    /etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
  sudo install -d -m 770 -o root -g adm \
    /etc/skel/etc/mail \
    /etc/skel/etc/sieve
  # INDEX/CONTROL live outside /home (see mail_location below); the sticky
  # world-writable mode lets each user's %u subdirectory be created.
  # NOTE(review): confirm 1777 is intended rather than pre-created per-user dirs.
  sudo install -d -m 1777 -o root -g root \
    /var/lib/dovecot-control \
    /var/lib/dovecot-index
  # local.conf: per-user passwd-file in ~/etc/dovecot/passwd, maildir in
  # ~/var/mail, fs quota, sieve, an auth socket for postfix, and client
  # certificates (ssl_verify_client_cert + auth_ssl_username_from_cert).
  # NOTE(review): ssl_cipher_list = AES256-SHA is a single legacy cipher;
  # review against current guidance before deploying.
  sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
auth_ssl_username_from_cert = yes
listen = *
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_debug = yes
mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
# NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
# VOIR: http://wiki2.dovecot.org/Quota/FS
mail_plugins = \$mail_plugins quota
mail_privileged_group = mail
passdb {
args = /home/%u/etc/dovecot/passwd
driver = passwd-file
}
plugin {
quota = fs:user
recipient_delimiter = +
sieve = ~/etc/mail/filter.sieve
sieve_dir = ~/etc/mail/sieve
sieve_global_dir = /var/lib/dovecot/sieve/global/
sieve_max_script_size = 1M
sieve_quota_max_scripts = 0
sieve_quota_max_storage = 10M
sieve_user_log = ~/var/log/mail/sieve.log
}
protocol imap {
mail_plugins = \$mail_plugins imap_quota
}
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
hostname = $vm_domainname
info_log_path =
log_path =
mail_plugins = \$mail_plugins sieve
postmaster_address = contact+dovecot+lda@$vm_domainname
syslog_facility = mail
}
protocols = imap sieve
service auth {
user = root
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
ssl_cipher_list = AES256-SHA
ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
ssl_verify_client_cert = yes
userdb {
driver = passwd
}
verbose_ssl = no
EOF
  # Helper run by each user: doveadm pw prompts for the password and the
  # SHA512-CRYPT hash is written to ~/etc/dovecot/passwd; the escaped \$
  # are expanded when the helper runs, not here.
  # NOTE(review): the helper's -x flag echoes every command to the user's terminal.
  sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
#!/bin/sh -efux
# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
install -d -m 770 ~/etc/dovecot
install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
\$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
_EOF
EOF
  # Empty local recipient whitelist for postgrey, rewritten on each run.
  sudo install -m 664 -o root -g root /dev/stdin /etc/postgrey/whitelist_recipients.local <<-EOF
EOF
  sudo service dovecot restart
}
rule_etckeeper_configure () {
  # Writes etckeeper.conf (git backend, no daily auto-commit, no commit
  # before apt installs) and the tool's prompt.sh, then installs the package.
  # Globals: tool (read).
  # NOTE(review): install(1) does not create /etc/etckeeper; this relies on
  # the directory existing before the package is installed — verify.
  sudo install -m 644 -o root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
VCS=git
GIT_COMMIT_OPTIONS=""
AVOID_DAILY_AUTOCOMMITS=1
#AVOID_SPECIAL_FILE_WARNING=1
AVOID_COMMIT_BEFORE_INSTALL=1
HIGHLEVEL_PACKAGE_MANAGER=apt
LOWLEVEL_PACKAGE_MANAGER=dpkg
EOF
  sudo install -m 644 -o root -g root \
    "$tool"/etc/etckeeper/prompt.sh \
    /etc/etckeeper/prompt.sh
  rule apt_get_install etckeeper
}
rule_filesystem_configure () {
  # Writes fstab (LUKS-mapped root/var/home/swap LVs, quotas on /home),
  # crypttab (root unlocked by passphrase, the other volumes deriving their
  # key from root with decrypt_derived) and the tmpfs defaults, then installs
  # the tool's tmpfs init script.
  # Globals: vm_lvm_lv, vm_lvm_vg, tool (read).
  sudo install -m 644 -o root -g root /dev/stdin /etc/fstab <<-EOF
# <file system> <mount point> <type> <options> <dump> <pass>
LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
# NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
EOF
  # crypttab: only *_root has `none' as key file (passphrase prompt);
  # var/home/swap reuse the root volume's key through decrypt_derived.
  sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF
# <target name> <source device> <key file> <options>
${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
EOF
  # /run, /run/lock, /dev/shm and /tmp on tmpfs, with the sizes below.
  sudo install -m 644 -o root -g root /dev/stdin /etc/default/tmpfs <<-EOF
LOCK_SIZE=5242880 # NOTE: 5MiB
RAMLOCK=yes
RAMSHM=yes
RAMTMP=yes
RUN_SIZE=10%
SHM_SIZE=
TMP_MODE=1777,nr_inodes=1000k,noatime
TMP_OVERFLOW_LIMIT=1024
# NOTE: mount tmpfs on /tmp if there is less than the limit size (in kiB)
# on the root filesystem (overriding RAMTMP).
TMP_SIZE=200m
TMPFS_SIZE=20%VM
EOF
  sudo install -m 775 -o root -g root \
    "$tool"/etc/init.d/tmpfs \
    /etc/init.d/tmpfs
  sudo update-rc.d tmpfs defaults
}
rule_initramfs_configure () {
  # Builds the initramfs of a Xen PV guest with a dropbear SSH server in it
  # (so the root volume can be unlocked remotely): xennet/xenblk aliases,
  # the crypto modules, an RSA host key for dropbear, and an authorized_keys
  # made of the keys of every member of group sudo.
  # Globals: vm_fqdn, tool (read).
  sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
MODULES=most
BUSYBOX=y
KEYMAP=y
COMPRESS=gzip
DEVICE=eth0
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/modprobe.d/xen-pv.conf <<-EOF
alias eth0 xennet
alias scsi_hostadapter xenblk
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/modules <<-EOF
sha1_generic
sha256_generic
sha512_generic
aes-x86_64
xts
# NOTE: pour Xen en mode HVM :
#modprobe xen-platform-pci
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF
EOF
  # Drops the trailing ` &' that backgrounds configure_networking in
  # Debian's dropbear premount script.
  sudo sed -e '/^configure_networking /s/ &$//' \
    -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
  # NOTE: fixes a pest: dropbear must wait for the network to be configured..
  # Keep the existing dropbear RSA host key when the tool's known_hosts
  # already has a line ending in " RSA" for init.$vm_fqdn (ssh-keygen -F);
  # otherwise generate a fresh 4096-bit one.
  # NOTE(review): `break' after `return 0' is unreachable; harmless.
  ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
  ( while IFS= read -r line
    do case $line in (*" RSA") return 0; break;; esac
    done; return 1 ) ||
  {
    sudo rm -f \
      /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
      /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
    sudo dropbearkey -t rsa -s 4096 -f \
      /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
  }
  # NOTE: does not bother with dropbear_dss_host_key; Debian generates and uses it anyway.
  # NOTE(review): -m 640 on directories leaves no execute bit — root is not
  # affected, but confirm the mode is intended.
  sudo install -d -m 640 -o root -g root \
    /etc/initramfs-tools/root \
    /etc/initramfs-tools/root/.ssh
  # The initramfs root account accepts the SSH keys of every member of
  # group sudo: anyone added to sudo also gains access to the pre-boot
  # environment (where, per rule_filesystem_configure's crypttab, the root
  # volume is unlocked). $home is obtained by eval'ing a tilde expansion of
  # the member's name; the names come from /etc/group (getent), not from input.
  getent group sudo |
  while IFS=: read -r group x x users
  do while test -n "$users" && IFS=, read -r user users <<-EOF
$users
EOF
    do eval local home\; home="~$user"
      cat "$home"/etc/ssh/authorized_keys
    done
  done |
  sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys
  # Removes the client keys Debian generates for the initramfs root.
  sudo rm -f \
    /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
    /etc/initramfs-tools/root/.ssh/id_rsa.pub \
    /etc/initramfs-tools/root/.ssh/id_rsa
  # NOTE: keys generated by Debian
  sudo update-initramfs -u
}
rule_gitolite_configure () {
  # Installs gitolite (Debian package) for the system user git: admin
  # directory in /etc/gitolite (symlinked from ~git/etc/gitolite), repos
  # under ~git/pub, logs under ~git/log/gitolite, a gitolite.rc and a
  # gitweb.conf written from the heredocs below, then gl-setup with the
  # admin key shipped by the tool, and finally gitweb + highlight.
  # Globals: tool, vm_domainname (read).
  local user=git
  # debconf answers for the package: user, empty admin key (gl-setup is
  # run explicitly below), home as git dir.
  sudo debconf-set-selections <<-EOF
gitolite gitolite/gituser string $user
gitolite gitolite/adminkey string
gitolite gitolite/gitdir string /home/$user
EOF
  rule apt_get_install gitolite
  getent passwd "$user" >/dev/null ||
  sudo adduser \
    --disabled-password \
    --group \
    --shell /bin/bash \
    --system \
    "$user"
  sudo chfn --full-name "$user" "$user"
  # Home of $user through tilde expansion; $user is the literal `git'
  # assigned above, so eval sees no external input.
  eval local home\; home="~$user"
  sudo install -d -m 770 -o "$user" -g "$user" \
    /etc/gitolite \
    "$home"/etc \
    "$home"/etc/ssh \
    "$home"/pub \
    "$home"/log \
    "$home"/log/gitolite \
    "$home"/log/gitolite/perf
  sudo ln -fns /etc/gitolite "$home"/etc/gitolite
  sudo ln -fns etc/gitolite/gitolite.rc "$home"/.gitolite.rc
  sudo ln -fns etc/ssh "$home"/.ssh
  # gitolite.rc: repos in ~git/pub (REPO_BASE), umask 0007, no wild repos;
  # the escaped dollars keep the Perl variables from being expanded here.
  sudo install -m 770 -o "$user" -g "$user" /dev/stdin \
    "$home"/etc/gitolite/gitolite.rc <<-EOF
#\$ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary";
#\$BIG_INFO_CAP = 20;
#\$ENV{GL_SLAVES} = 'gitolite@server2 gitolite@server3';
# NOTE: Please use single quotes, not double quotes.
#\$GITWEB_URI_ESCAPE = 0;
\$GIT_PATH = "";
#\$GL_ADC_PATH = "";
\$GL_ADMINDIR = \$ENV{HOME} . "/etc/gitolite";
#\$GL_ALL_INCLUDES_SPECIAL = 0;
#\$GL_ALL_READ_ALL = 0;
\$GL_BIG_CONFIG = 0;
\$GL_CONF = "\$GL_ADMINDIR/conf/gitolite.conf";
\$GL_CONF_COMPILED = "\$GL_ADMINDIR/conf/gitolite.conf.pm";
#\$GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups"
\$GL_GITCONFIG_KEYS = "hooks\\..* repo\\..*";
#\$GL_HOSTNAME = "git.$vm_domainname";
# NOTE: read doc/mirroring.mkd COMPLETELY before setting this.
#\$GL_HTTP_ANON_USER = "mob";
\$GL_KEYDIR = "\$GL_ADMINDIR/keydir";
\$GL_LOGT = \$ENV{HOME} . "/log/gitolite/%y-%m-%d.log";
#\$GL_NICE_VALUE = 0;
\$GL_NO_CREATE_REPOS = 0;
\$GL_NO_DAEMON_NO_GITWEB = 0;
\$GL_NO_SETUP_AUTHKEYS = 0;
\$GL_PACKAGE_CONF = "/usr/share/gitolite/conf";
\$GL_PACKAGE_HOOKS = "/usr/share/gitolite/hooks";
#\$GL_PERFLOGT = \$ENV{HOME} . "/log/gitolite/perf/%y-%m-%d.log";
#\$GL_REF_OR_FILENAME_PATT = qr(^[0-9a-zA-Z][0-9a-zA-Z._\\@/+ :,-]*\$);
\$GL_SITE_INFO = "git.$vm_domainname";
#\$GL_SLAVE_MODE = 0;
\$GL_WILDREPOS = 0;
#\$GL_WILDREPOS_DEFPERMS = 'R @all';
\$GL_WILDREPOS_PERM_CATS = "READERS WRITERS";
\$HTPASSWD_FILE = "";
\$PROJECTS_LIST = \$ENV{HOME} . "/projects.list";
\$REPO_BASE = "pub";
\$REPO_UMASK = 0007;
\$RSYNC_BASE = "";
\$SVNSERVE = "";
#\$UPDATE_CHAINS_TO = "hooks/update.secondary";
#\$WEB_INTERFACE = "gitweb";
1;
EOF
  # NOTE(review): "$home"/etc/gitweb is not among the directories created
  # above and install(1) does not create parents — verify it exists
  # (e.g. created by another rule or package) before this runs.
  # NOTE(review): site_footer points at a fixed /home/fai/.../git.autogeree.net
  # path while site_name derives from $vm_domainname — confirm it is meant.
  sudo install -m 770 -o "$user" -g "$user" /dev/stdin \
    "$home"/etc/gitweb/gitweb.conf <<-EOF
\$commit_oneline_message_width = 70;
\$default_projects_order = 'age';
\$default_text_plain_charset = 'UTF-8';
@diff_opts = ();
\$favicon = "img/git-favicon.png";
\$git_temp = "/run/shm/gitweb";
\$home_footer = "/etc/gitweb/cgi/home-footer.cgi.inc";
\$home_header = "/etc/gitweb/cgi/home-header.cgi.inc";
\$home_link = "/";
\$home_link_str = 'd&eacute;p&ocirc;ts';
\$home_th_age = 'activit&eacute;';
\$home_th_descr = 'description';
\$home_th_owner = 'contact';
\$home_th_project = 'd&eacute;p&ocirc;t';
\$javascript = "js/gitweb.js";
\$logo = "img/git-logo.png";
\$my_uri = "";
\$projectroot = "../git";
\$projects_list = "/etc/gitolite/projects.list";
\$projects_list_description_width = 42;
\$projects_list_owner_width = 15;
\$search_str = "Filtre&nbsp;:";
\$site_footer = "/home/fai/pub/www/git.autogeree.net/cgi/site-footer.bin";
\$site_header = undef;
\$site_name = "git.$vm_domainname";
\$space_to_nbsp = 0;
@stylesheets = ("css/gitweb.css");#
\$untabify_tabstop = 2;
EOF
  # Admin key handed to gl-setup, installed as the git user's own .pub.
  # NOTE(review): the source file is named "$user".key but it is used as
  # the admin *public* key by gl-setup — confirm it holds the public half
  # only; a private key must never end up in gitolite's keydir.
  sudo install -m 600 -o "$user" -g "$user" \
    "$tool"/var/pub/ssh/"$user".key \
    "$home"/etc/ssh/"$user".pub
  # gl-setup runs as the git user with the rc written above.
  # NOTE(review): the second positional argument ("$user") is not a
  # documented gl-setup parameter as far as this file shows — verify.
  sudo -u "$user" \
    GL_RC="$home"/etc/gitolite/gitolite.rc \
    GIT_AUTHOR_NAME="$user" \
    gl-setup -q "$home"/etc/ssh/"$user".pub "$user"
  # Unused subdirectories of the admin dir (presumably left by gl-setup).
  # NOTE(review): unlike the rest of the rule, rmdir runs without sudo on
  # directories owned by "$user" — may fail unless the caller can write there.
  local d
  for d in doc logs src
  do test ! -d "$home"/etc/gitolite/"$d" ||
    rmdir "$home"/etc/gitolite/"$d"
  done
  rule apt_get_install gitweb highlight
  #sudo sv restart spawn-fcgi.git.80.git.heureux-cyclage.org
  #sudo sv restart git-daemon.git.9418
}
rule_locale_configure () {
  # Generates fr_FR.UTF-8 only and leaves the system default locale unset
  # (None), through debconf answers applied by dpkg-reconfigure.
  sudo debconf-set-selections <<-EOF
locales locales/default_environment_locale select None
locales locales/locales_to_be_generated multiselect fr_FR.UTF-8 UTF-8
EOF
  rule dpkg_reconfigure locales
}
rule_login_configure () {
  # Console and login policy: an inittab with a getty on the Xen console
  # hvc0, login.defs (SHA512 passwords, umask 007, sbin in every PATH),
  # pam_umask appended to common-session, and hvc0/xvc0 appended to
  # securetty (pam_securetty: root may log in on those consoles).
  sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF
# /etc/inittab: init(8) configuration.

# The default runlevel.
id:2:initdefault:

# Boot-time system configuration/initialization script.
# This is run first except when booting in emergency (-b) mode.
si::sysinit:/etc/init.d/rcS

# What to do in single-user mode.
~~:S:wait:/sbin/sulogin

# /etc/init.d executes the S and K scripts upon change
# of runlevel.
#
# Runlevel 0 is halt.
# Runlevel 1 is single-user.
# Runlevels 2-5 are multi-user.
# Runlevel 6 is reboot.

l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fallthrough in case of emergency.
z6:6:respawn:/sbin/sulogin

# What to do when CTRL-ALT-DEL is pressed.
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

# What to do when the power fails/returns.
pf::powerwait:/etc/init.d/powerfail start
pn::powerfailnow:/etc/init.d/powerfail now
po::powerokwait:/etc/init.d/powerfail stop

# Xen hypervisor console
hvc:2345:respawn:/sbin/getty 38400 hvc0
#xvc:2345:respawn:/sbin/getty 38400 xvc0
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF
MAIL_DIR /var/mail
FAILLOG_ENAB yes
LOG_UNKFAIL_ENAB no
LOG_OK_LOGINS no
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
FTMP_FILE /var/log/btmp
SU_NAME su
HUSHLOGIN_FILE .hushlogin
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# NOTE: met les sbin/ dans ENV_PATH ;
# - ça n'apporte aucune protection de ne pas les mettre ;
# - ça frustre de ne pas les trouver.
TTYGROUP tty
TTYPERM 0600
ERASECHAR 0177
KILLCHAR 025
UMASK 007
# NOTE: rwxrwx--- ;
# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
GID_MIN 1000
GID_MAX 60000
LOGIN_RETRIES 3
LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
DEFAULT_HOME yes
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
EOF
  # The three blocks below append one line to a file unless it is already
  # there: the new content is the current file ($(cat ...)) plus the line.
  grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
  sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF
$(cat /etc/pam.d/common-session)
session optional pam_umask.so
EOF
  grep -q '^hvc0$' /etc/securetty ||
  sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
$(cat /etc/securetty)
hvc0
EOF
  grep -q '^xvc0$' /etc/securetty ||
  sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
$(cat /etc/securetty)
xvc0
EOF
}
rule_mail_configure () {
  # Configures the whole mail stack, in this order:
  # postfix, postgrey, procmail, then dovecot.
  local service
  for service in postfix postgrey procmail dovecot
  do rule "$service"_configure
  done
}
rule_mysql_configure () {
  # Installs the MySQL 5.5 server package and restarts the service.
  rule apt_get_install mysql-server-5.5
  sudo service mysql restart
}
rule_network_configure () {
  # Hostname, /etc/hosts entry and the single static interface of the VM:
  # a /32 address whose gateway is the address itself (proxy_arp on the
  # gateway side), MTU 1300 because of the GRE/IPsec tunnels in between.
  # Globals: vm, vm_fqdn, vm_ipv4 (read).
  sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
$vm
EOF
  # Appends the 127.0.0.1 line unless some line already ends with " $vm".
  grep -q " $vm\$" /etc/hosts ||
  sudo install -m 644 -o root -g root /dev/stdin /etc/hosts <<-EOF
$(cat /etc/hosts)
127.0.0.1 $vm_fqdn $vm
EOF
  # The interface is named grenode (auto eth0=grenode). The NOTEs and the
  # ping transcript justifying mtu 1300 are written to the file as-is;
  # post-up/pre-down add and remove the /32, \$IFACE being left for
  # ifupdown to expand.
  sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF
auto lo
iface lo inet loopback

auto eth0=grenode
iface grenode inet static
address $vm_ipv4
gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
network $vm_ipv4
broadcast $vm_ipv4
netmask 255.255.255.255
mtu 1300
# NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
# car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
#
# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
# PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
# 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
#
# --- soupirail.grenode.net ping statistics ---
# 1 packets transmitted, 1 received, 0% packet loss, time 0ms
# rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
# PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
# From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
#
# --- soupirail.grenode.net ping statistics ---
# 0 packets transmitted, 0 received, +1 errors
post-up ip address add $vm_ipv4/32 dev \$IFACE
pre-down ip address delete $vm_ipv4/32 dev \$IFACE
EOF
}
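rule_www_configure () {
  # Creates the www and log.www system users (only when missing) and the
  # /home/www tree shared by the apache2/nginx/php5 rules:
  #   /home/www      751  www:www
  #   /home/www/etc  750  www:www
  #   /home/www/pub  1771 www-data:www-data (also becomes www-data's home)
  #   /home/www/log  1771 log.www:log.www
  getent passwd www >/dev/null ||
  sudo adduser \
    --disabled-login \
    --disabled-password \
    --group \
    --home /home/www \
    --shell /bin/false \
    --system \
    www
  # Same guard as for www: adduser is not re-run on an existing user.
  getent passwd log.www >/dev/null ||
  sudo adduser \
    --disabled-login \
    --disabled-password \
    --group \
    --home ~www/log \
    --shell /bin/false \
    --system \
    log.www
  #sudo adduser www www-data
  sudo adduser www log.www
  #sudo adduser log log.www
  # usermod needs root like every other command of this rule.
  sudo usermod --home /home/www/pub www-data
  sudo install -d -m 751 -o www -g www \
    /home/www
  sudo install -d -m 750 -o www -g www \
    /home/www/etc
  # Two separate commands on purpose: a stray line continuation used to
  # merge them, so install saw `sudo install ...' as extra operands and
  # the last -o/-g (log.www) applied to /home/www/pub as well.
  sudo install -d -m 1771 -o www-data -g www-data \
    /home/www/pub
  sudo install -d -m 1771 -o log.www -g log.www \
    /home/www/log
}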
rule_nginx_configure () {
  # Installs nginx and, for each etc/nginx/site.d/$port.$site/server.conf
  # shipped with the tool, generates /etc/nginx/site.d/$site/server.conf
  # with its own www.$site / log.$site system users and directories under
  # /home/www; conf.d/*.conf are copied as-is. Ends with spawn-fcgi/fcgiwrap
  # and an nginx restart.
  # Globals: tool (read).
  local -; set +f   # globbing needed for the conf.d/*.conf and site.d/*/ loops
  rule apt_get_install nginx
  rule www_configure
  # Regenerated from scratch: the previous conf.d and site.d are wiped.
  sudo rm -rf \
    /etc/nginx/conf.d \
    /etc/nginx/site.d
  sudo install -d -m 770 -o www -g www \
    /etc/nginx \
    /etc/nginx/conf.d \
    /etc/nginx/site.d
  sudo ln -fns \
    /etc/nginx \
    /home/www/etc/nginx
  sudo install -m 660 -o www -g www \
    "$tool"/etc/nginx/nginx.conf \
    /etc/nginx/nginx.conf
  local conf
  for conf in "$tool"/etc/nginx/conf.d/*.conf
  do conf=${conf#"$tool"/etc/nginx/conf.d/}
    sudo install -m 660 -o www -g www \
      "$tool"/etc/nginx/conf.d/"$conf" \
      /etc/nginx/conf.d/"$conf"
  done
  for conf in "$tool"/etc/nginx/site.d/*/server.conf
  do conf=${conf#"$tool"/etc/nginx/site.d/}
    local port site
    # Site directories are named $port.$site; read splits on the first dot.
    IFS=. read -r port site <<-EOF
${conf%\/server\.conf}
EOF
    assert 'test "${port:+set}"'
    assert 'test "${site:+set}"'
    # From here on $site is the full directory name again ($port.$site).
    site="$port.$site"
    getent passwd www."$site" >/dev/null ||
    sudo adduser \
      --disabled-login \
      --disabled-password \
      --group \
      --home ~www-data/"$site" \
      --shell /bin/false \
      --system \
      www."$site"
    getent passwd log."$site" >/dev/null ||
    sudo adduser \
      --disabled-login \
      --disabled-password \
      --group \
      --shell /bin/false \
      --system \
      log."$site"
    sudo usermod --home ~www/log/"$site"/nginx log."$site"
    sudo install -d -m 770 -o www -g www \
      /etc/nginx/site.d/"$site"
    case $port in
    (443)
      # The private key must have been sent from the host beforehand.
      # NOTE(review): the asserted path /etc/nginx/"$site"/x509/key.pem
      # differs from the ssl_certificate_key written below
      # (/home/www/etc/nginx/site.d/$site/x509/key.pem) — verify.
      # NOTE(review): /etc/nginx/site.d/"$site"/x509 is not created above
      # and install(1) does not create parent directories — verify.
      local hint="run vm_remote nginx_key_send before"
      assert "sudo test -f /etc/nginx/\"$site\"/x509/key.pem" hint
      sudo install -m 664 -o www -g www \
        "$tool"/var/pub/x509/"$site"/crt+ca.pem \
        /etc/nginx/site.d/"$site"/x509/crt.pem
      ;;
    esac
    # server.conf = fixed header (listen, logs, root, TLS on 443) plus the
    # site's own server.conf from the tool, spliced in by $(cat ...).
    # NOTE(review): the 443 header enables TLSv1 next to 1.1/1.2 and uses
    # the older `ssl on' directive — review before deploying.
    case $port in
    (80)
      cat <<-EOF
server {
listen $port;
access_log /home/www/log/$site/nginx/access.log main;
error_log /home/www/log/$site/nginx/error.log warn;
root /home/www/pub/$site;
server_name $site;
$(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
}
EOF
      ;;
    (443)
      cat <<-EOF
server {
listen $port;
access_log /home/www/log/$site/nginx/access.log main;
error_log /home/www/log/$site/nginx/error.log warn;
keepalive_timeout 70;
root /home/www/pub/$site;
server_name $site;
# DOC: http://wiki.nginx.org/HttpSslModule
ssl on;
ssl_certificate /home/www/etc/nginx/site.d/$site/x509/crt.pem;
ssl_certificate_key /home/www/etc/nginx/site.d/$site/x509/key.pem;
ssl_ciphers HIGH:!ADH:!MD5;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
$(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
}
EOF
      ;;
    esac |
    sudo install -m 660 -o www -g www /dev/stdin \
      /etc/nginx/site.d/"$site"/server.conf
    # NOTE(review): runs without sudo, and no group named "$site" is created
    # by this rule (www."$site" and log."$site" are) — verify the intent.
    adduser www-data "$site"
    # NOTE(review): likewise no user "$site" exists per this rule;
    # www."$site" may be what is meant as owner.
    test -e /home/www/pub/"$site" ||
    sudo install -d -m 3770 -o "$site" -g "$site" \
      /home/www/pub/"$site"
    sudo install -d -m 3770 -o log."$site" -g log."$site" \
      /home/www/log/"$site"/nginx
    # Optional per-site hook, sourced in this shell (it sees the locals above).
    test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
    . "$tool"/etc/nginx/site.d/"$site"/configure.sh
  done
  rule apt_get_install spawn-fcgi fcgiwrap
  # fcgiwrap's own init script is taken out of the runlevels
  # (presumably spawn-fcgi starts it instead).
  sudo insserv --remove fcgiwrap
  # NOTE(review): rule_tmpfs_configure is not defined in this file;
  # it must come from etc/vm.sh — verify.
  rule tmpfs_configure
  sudo service nginx restart
}
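rule_php5_fpm_configure () {
	# Installs php5-fpm and generates one FPM pool per
	# "$tool"/etc/php5/fpm/pool.d/$port.$site.conf, each pool running as
	# its own system account php5.$port.$site and joined to the site's
	# www.$port.$site group (created by the nginx rule).
	# Globals: tool (read).
	local -; set +f
	rule apt_get_install \
	 php5-fpm \
	 php-apc
	getent passwd php5 >/dev/null ||
	sudo adduser \
	 --disabled-login \
	 --disabled-password \
	 --group \
	 --shell /bin/false \
	 --system \
	 php5
	local conf
	sudo ln -fns \
	 /etc/php5-fpm \
	 /home/www/etc/php5
	# Pools are regenerated from scratch so that removed ones do not survive.
	sudo rm -f /etc/php5/fpm/pool.d/*
	for conf in "$tool"/etc/php5/fpm/pool.d/*.conf
	do
		# sh has no nullglob: an unmatched pattern is passed through literally.
		test -e "$conf" || continue
		conf=${conf#"$tool"/etc/php5/fpm/pool.d/}
		local port site pool_user
		# The file name encodes "$port.$site"; split on the first dot.
		IFS=. read -r port site <<-EOF
		${conf%\.conf}
		EOF
		assert 'test "${port:+set}"'
		assert 'test "${site:+set}"'
		site="$port.$site"
		pool_user=php5."$site"
		# FIX: the existence check looked up php5"$site" (no dot), which never
		# matched the php5."$site" account created below, so adduser was
		# re-run — and failed — on every subsequent run.
		getent passwd "$pool_user" >/dev/null ||
		sudo adduser \
		 --disabled-login \
		 --disabled-password \
		 --group \
		 --no-create-home \
		 --home ~www/pub/"$site" \
		 --shell /bin/false \
		 --system \
		 "$pool_user"
		sudo install -d -m 770 -o php5 -g php5 \
		 /home/www/log/php5 \
		 /home/www/log/php5/fpm
		sudo install -d -m 770 -o log."$site" -g log."$site" \
		 /home/www/log/"$site"
		# NOTE(review): the pool below logs under /home/www/log/$site/php5/fpm,
		# which nothing here creates — confirm whether php5-fpm creates it or
		# whether an install -d for it belongs here.
		# FIX: this used to add php5."$user", and nothing in this function
		# sets $user; the pool account is the one meant to join the group.
		sudo adduser "$pool_user" www."$site"
		# FIX: `user =` referenced an undefined $php5_user (fatal under set -u);
		# the pool runs as the account created above.
		sudo install -m 660 -o root -g root /dev/stdin \
		 /etc/php5/fpm/pool.d/"$conf" <<-EOF
		[php5.$site]
		access.log = /home/www/log/$site/php5/fpm/access.log
		catch_workers_output = yes
		chdir = /
		env[HOSTNAME] = \$HOSTNAME
		env[TEMP] = /tmp
		env[TMPDIR] = /tmp
		env[TMP] = /tmp
		group = www-data
		listen = /run/nginx/fastcgi/php5.$site
		#listen = 127.0.0.1:9000
		#listen.allowed_clients = 127.0.0.1
		listen.backlog = -1
		pm = dynamic
		pm.max_children = 5
		pm.max_requests = 200
		pm.max_spare_servers = 4
		pm.min_spare_servers = 2
		pm.start_servers = 3
		pm.status_path = /status
		request_slowlog_timeout = 5s
		request_terminate_timeout = 120s
		rlimit_core = unlimited
		rlimit_files = 131072
		slowlog = /home/www/log/$site/php5/fpm/slow.log
		user = $pool_user
		$(cat "$tool"/etc/php5/fpm/pool.d/"$conf")
		EOF
	done
	# php.ini is pool-independent; it used to be re-installed on every loop iteration.
	sudo install -m 664 -o root -g root \
	 "$tool"/etc/php5/fpm/php.ini \
	 /etc/php5/fpm/php.ini
	rule tmpfs_configure
	sudo service php5-fpm restart
}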
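rule_postfix_configure () {
	# Installs and configures postfix for $vm_domainname: smtpd x509
	# material, lookup tables, aliases, main.cf and master.cf.
	# Globals: tool, vm_domainname, vm_hostname (read).
	local hint="run vm_remote postfix_key_send before"
	local dir=/etc/postfix/"$vm_domainname"
	# The smtpd private key is not part of this repository; it is pushed
	# separately by vm_remote and its presence is a precondition here.
	assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
	#warn "when installing Debian, select no configuration for postfix"
	sudo debconf-set-selections <<-EOF
	postfix postfix/main_mailer_type select No configuration
	EOF
	rule apt_get_install postfix
	# Keeps the generated .db lookup tables out of etckeeper's history.
	sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
	*.db
	EOF
	# FIX: this directory tree used to be created twice in a row.
	sudo install -d -m 770 -o root -g root \
	 "$dir"/ \
	 "$dir"/smtp \
	 "$dir"/smtp/x509 \
	 "$dir"/smtp/x509/ca \
	 "$dir"/smtpd \
	 "$dir"/smtpd/x509 \
	 "$dir"/smtpd/x509/ca
	sudo ln -fns \
	 ../crt+crl.self-signed.pem \
	 "$dir"/smtpd/x509/ca/crt.pem
	# Public certificates only (the key never goes through this script).
	# FIX: crt+crl.self-signed.pem used to be installed twice.
	local pub="$tool"/var/pub/x509/"$vm_domainname"/smtpd cert
	for cert in crt+crl.self-signed.pem crt.pem crt+ca.pem
	do sudo install -m 400 -o root -g root \
	 "$pub"/"$cert" \
	 "$dir"/smtpd/x509/"$cert"
	done
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/postfix/"$vm_domainname"/header_checks \
	 "$dir"/header_checks
	# Mail for root is fanned out to every member of the sudo group.
	sudo install -m 664 -o root -g root /dev/stdin \
	 /etc/postfix/aliases <<-EOF
	# See man 5 aliases for format
	abuse: root
	admin: root
	contact: root
	postmaster: root
	root: $(getent group sudo | cut -f 4 -d : | tr , ' ')
	EOF
	sudo newaliases -oA/etc/postfix/aliases
	# main.cf = host-specific header below, followed by the shared template.
	cat /dev/stdin "$tool"/etc/postfix/main.cf <<-EOF |
	mydomain = $vm_domainname
	myorigin = \$mydomain
	myhostname = $vm_hostname.\$mydomain
	mail_name = \$myhostname
	mydestination = $vm_hostname \$myhostname \$myorigin
	EOF
	sudo install -m 664 -o root -g root /dev/stdin \
	 /etc/postfix/main.cf
	sudo install -m 664 -o root -g root \
	 "$tool"/etc/postfix/master.cf \
	 /etc/postfix/master.cf
	# Lookup tables: install each source file, then rebuild the hash: maps
	# (smtp/header_checks is a regexp-style table and is not postmapped).
	local table
	for table in \
	 smtp/x509/policy \
	 smtp/header_checks \
	 smtpd/sender_access \
	 smtpd/client_blacklist \
	 smtpd/relay_clientcerts \
	 transport \
	 virtual_alias
	do sudo install -m 660 -o root -g root \
	 "$tool"/etc/postfix/"$vm_domainname"/"$table" \
	 "$dir"/"$table"
	done
	for table in \
	 smtp/x509/policy \
	 smtpd/sender_access \
	 smtpd/client_blacklist \
	 smtpd/relay_clientcerts \
	 transport \
	 virtual_alias
	do sudo postmap hash:"$dir"/"$table"
	done
	sudo service postfix restart
}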
rule_openerp_configure () {
	# Registers the OpenERP nightly apt repository and installs the package.
	# NOTE(review): the source is fetched over plain http and this rule
	# installs no archive signing key, so apt cannot authenticate these
	# packages — confirm how the repository key is provisioned.
	local list=/etc/apt/sources.list.d/openerp.list
	sudo install -m 660 -o root -g root /dev/stdin "$list" <<-EOF
	deb http://nightly.openerp.com/trunk/nightly/deb/ ./
	EOF
	sudo apt-get update
	rule apt_get_install openerp
}
rule_postgrey_configure () {
	# Installs the postgrey greylisting daemon and (re)starts it.
	local pkg=postgrey
	rule apt_get_install "$pkg"
	sudo service "$pkg" restart
}
rule_procmail_configure () {
	# Installs procmail and seeds /etc/skel with the per-user mail layout
	# plus the default delivery recipe, so new accounts inherit both.
	# Globals: tool (read).
	local skel=/etc/skel sub
	rule apt_get_install procmail
	for sub in etc/mail var/cache/mail var/log/mail var/mail
	do sudo install -d -m 770 -o root -g adm "$skel"/"$sub"
	done
	sudo install -m 660 -o root -g adm \
	 "$tool"/etc/skel/etc/mail/delivery.procmailrc \
	 "$skel"/etc/mail/delivery.procmailrc
}
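rule_ssh_configure () {
	# Provisions the sshd host key and writes /etc/ssh/sshd_config.
	# Globals: tool, vm_fqdn, vm_ipv4 (read).
	#
	# A fresh RSA host key is generated only when the repository's
	# known_hosts has no RSA entry for this VM (older ssh-keygen -F prints
	# "# Host … found: line N type RSA"); presumably an existing entry means
	# the key was provisioned another way — confirm against vm_remote.
	# FIX: the subshell used `return`, which is only defined inside a
	# function; `exit` sets the subshell's status as intended.
	ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	( while IFS= read -r line
	  do case $line in (*" RSA") exit 0;; esac
	  done; exit 1 ) ||
	sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
	# Only the RSA host key is kept: sshd_config below lists a single HostKey.
	sudo rm -f \
	 /etc/ssh/ssh_host_dsa_key \
	 /etc/ssh/ssh_host_dsa_key.pub \
	 /etc/ssh/ssh_host_ecdsa_key \
	 /etc/ssh/ssh_host_ecdsa_key.pub
	# NOTE: keys generated by Debian
	# Key-only logins: PasswordAuthentication/ChallengeResponse are off, so
	# PermitRootLogin yes admits root only with the authorized_keys that
	# rule_user_root_configure assembles from the sudo group's keys.
	# ServerKeyBits, KeyRegenerationInterval and RSAAuthentication are
	# protocol-1 options and have no effect with "Protocol 2".
	sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
	Port 22
	ListenAddress $vm_ipv4
	#ListenAddress ::
	Protocol 2
	Compression yes
	HostKey /etc/ssh/ssh_host_rsa_key
	UsePrivilegeSeparation yes
	KeyRegenerationInterval 3600
	ServerKeyBits 768
	SyslogFacility AUTH
	LogLevel INFO
	LoginGraceTime 120
	PermitRootLogin yes
	StrictModes yes
	RSAAuthentication yes
	PubkeyAuthentication yes
	AuthorizedKeysFile %h/etc/ssh/authorized_keys
	IgnoreRhosts yes
	RhostsRSAAuthentication no
	HostbasedAuthentication no
	IgnoreUserKnownHosts no
	PermitEmptyPasswords no
	ChallengeResponseAuthentication no
	PasswordAuthentication no
	KerberosAuthentication no
	GSSAPIAuthentication no
	X11Forwarding no
	X11DisplayOffset 10
	PrintMotd no
	DebianBanner no
	PrintLastLog yes
	TCPKeepAlive yes
	ClientAliveInterval 0
	AcceptEnv LANG LC_*
	Subsystem sftp /usr/lib/openssh/sftp-server
	UsePAM yes
	EOF
	sudo service ssh restart
}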
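rule_sysctl_configure () {
	# Copies every "$tool"/etc/sysctl.d/*.conf into /etc/sysctl.d and
	# reloads all sysctl settings.
	# Globals: tool (read).
	# FIX: conf is declared local, as in the other *_configure rules.
	local conf; local -; set +f
	for conf in "$tool"/etc/sysctl.d/*.conf
	do
		# sh has no nullglob: an unmatched pattern is passed through literally.
		test -e "$conf" || continue
		conf=${conf#"$tool"/etc/sysctl.d/}
		sudo install -m 660 -o root -g root \
		 "$tool"/etc/sysctl.d/"$conf" \
		 /etc/sysctl.d/"$conf"
	done
	sudo sysctl --system
}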
rule_time_configure () {
	# Pins the timezone to Europe/Paris in /etc/timezone and in debconf
	# (so dpkg-reconfigure tzdata asks nothing), then installs ntp.
	local zone=Europe/Paris
	sudo install -m 644 -o root -g root /dev/stdin /etc/timezone <<-EOF
	$zone
	EOF
	sudo debconf-set-selections <<-EOF
	tzdata tzdata/Areas select ${zone%/*}
	tzdata tzdata/Zones/${zone%/*} select ${zone#*/}
	EOF
	rule dpkg_reconfigure tzdata
	rule apt_get_install ntp
}
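rule_user_add () { # SYNTAX: $user
	# Creates a regular (non-sudo) account, installs its ssh public key
	# and imports the project's OpenPGP keys into its keyring.
	# Globals: tool (read).
	# Arguments: $1 - login name.
	rule user_configure
	local user=$1
	local home
	id "$user" >/dev/null ||
	sudo adduser --disabled-password "$user"
	# NOTE: the password must be initialised by the user with passwd-init.
	# FIX: the home directory used to be obtained with eval on "~$user";
	# reading it from the passwd database keeps the argument out of eval.
	home=$(getent passwd "$user" | cut -d : -f 6)
	assert 'test "${home:+set}"' user
	sudo adduser "$user" users
	# root-owned 0640: the user cannot edit it, sshd reads it as root.
	sudo install -m 640 -o root -g root \
	 "$tool"/var/pub/ssh/"$user".key \
	 "$home"/etc/ssh/authorized_keys
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo -u "$user" gpg --import - <"$key"
	done
}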
rule_user_configure () {
	# Placeholder: a later definition in this file under the same name
	# replaces it when the script is read, so this body never runs.
	:
}
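rule_user_admin_add () { # SYNTAX: $user
	# Creates an administrator account: a regular account (see
	# rule_user_add) that is additionally a member of the sudo group.
	# Arguments: $1 - login name.
	local user=$1
	# FIX: the account/key/OpenPGP steps duplicated rule_user_add verbatim;
	# user_add runs user_configure, creates the account, adds it to
	# "users", installs its ssh key and imports the OpenPGP keys.
	rule user_add "$user"
	sudo adduser "$user" sudo
	rule user_admin_configure
}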
rule_user_admin_configure () {
	# Steps shared by every administrator account: refresh the initramfs
	# and root's own configuration (which aggregates the sudo group's keys).
	local step
	for step in initramfs user_root
	do rule "$step"_configure
	done
}
rule_user_configure () {
	# Prepares what every account created by rule_user_add /
	# rule_user_admin_add inherits: the /etc/skel layout (etc/ssh, etc/gpg,
	# var/…), the sudoers fragments for the sudo group, the passwd-init
	# helper and the shared shell/screen rc files.
	# Globals: tool (read).
	sudo install -d -m 750 -o root -g adm \
	 /etc/skel/etc \
	 /etc/skel/etc/gpg \
	 /etc/skel/etc/ssh
	sudo install -d -m 770 -o root -g adm \
	 /etc/skel/var \
	 /etc/skel/var/cache \
	 /etc/skel/var/log \
	 /etc/skel/var/run \
	 /etc/skel/var/run/ssh
	# ssh and gpg look for ~/.ssh and ~/.gnupg; both live under ~/etc here.
	sudo ln -fns etc/ssh /etc/skel/.ssh
	sudo ln -fns etc/gpg /etc/skel/.gnupg
	# NOPASSWD rule used by passwd-init (installed below): it only lets a
	# sudo-group member set their *own* password, and only while
	# `passwd --status` reports the account as locked ("L"), i.e. before a
	# password has ever been set. The command string must match the one in
	# passwd-init token for token, otherwise sudo falls back to prompting.
	sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
	%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
	case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
	("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
	EOF
	sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF
	%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
	EOF
	# Keeps the editor and git identity across sudo, so that etckeeper
	# commits are attributed to the administrator rather than to root.
	sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/env_keep <<-EOF
	Defaults env_keep = " \\
	 EDITOR \\
	 GIT_AUTHOR_NAME \\
	 GIT_AUTHOR_EMAIL \\
	 GIT_COMMITTER_NAME \\
	 GIT_COMMITTER_EMAIL \\
	 "
	EOF
	# The helper users run to set their initial password; the DESCRIPTION
	# line below is part of the installed script and is left as written.
	sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF
	#!/bin/sh -efu
	# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
	sudo /bin/sh -e -f -u -c \
	'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
	EOF
	sudo install -m 644 -o root -g root \
	 "$tool"/etc/bash.bashrc \
	 /etc/bash.bashrc
	sudo install -m 644 -o root -g root \
	 "$tool"/etc/screenrc \
	 /etc/screenrc
}
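rule_user_root_configure () {
	# Sets up root's ~/etc layout and lets every member of the sudo group
	# log in as root with the ssh key installed for their own account.
	# Globals: tool (read).
	sudo install -d -m 750 -o root -g adm \
	 /root/etc \
	 /root/etc/gpg \
	 /root/etc/ssh
	sudo ln -fns etc/gpg /root/.gnupg
	sudo ln -fns etc/ssh /root/.ssh
	local user home
	# FIX: each member's home used to be resolved with eval on "~$user";
	# it is read from the passwd database instead. Their authorized_keys
	# is installed root:root 0640 by rule_user_add, so it is read through
	# sudo — a plain cat only works when this script already runs as root.
	getent group sudo | cut -d : -f 4 | tr , '\n' |
	while IFS= read -r user
	do test -n "$user" || continue
		home=$(getent passwd "$user" | cut -d : -f 6)
		assert 'test "${home:+set}"' user
		sudo cat "$home"/etc/ssh/authorized_keys
	done |
	sudo install -m 640 -o root -g root /dev/stdin /root/etc/ssh/authorized_keys
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo gpg --import "$key"
	done
}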
rule_configure () {
	# Runs every *_configure rule in dependency order; one pass configures
	# a freshly installed VM. apache2 is deliberately left out (nginx is
	# the web server here).
	local step
	for step in \
	 apt git etckeeper locale time network filesystem login ssh \
	 user_root boot sysctl user mail nginx php5_fpm gitolite
	do rule "$step"_configure
	done
}
1308
rule_luks_key_change () {
	# Interactively replaces one of the LUKS passphrases of the root LV.
	# Globals: vm_lvm_vg, vm_lvm_lv (read).
	local dev="/dev/$vm_lvm_vg/${vm_lvm_lv}_root"
	sudo cryptsetup luksChangeKey "$dev"
}
1312
# Entry point: the first argument names the rule, the rest are its arguments.
rule=${1:-help}
if [ $# -gt 0 ]; then shift; fi
# Every rule but help reconfigures the machine it runs on, so refuse to
# run anywhere but on the VM itself.
if [ "$rule" != help ]; then
	assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
fi
rule "$rule" "$@"