dépôts / lhc / ateliers.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Ajout : vm_hosted : rule_boot_configure : molly-guard .
[lhc/ateliers.git] / vm_hosted
1 #!/bin/sh
2 set -e -f ${DRY_RUN:+-n} -u
3 tool=$0
4 while test -L "$tool"
5 do tool=$(readlink "$tool")
6 done
7 tool=${tool%/*}
8 . "$tool"/lib/rule.sh
9 . "$tool"/etc/vm.sh
10
11 rule_help () { # SYNTAX: [--hidden]
12 local hidden; [ ${1:+set} ] || hidden=set
13 cat >&2 <<-EOF
14 DESCRIPTION:
15 ce script regroupe des règles pour administrer la VM ($vm_fqdn)
16 _depuis_ la VM hébergée ($vm_fqdn) ;
17 il sert à la fois d'outil (aisément bidouillable)
18 et de documentation (préçise).
19 Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
20 SYNTAX: $0 \$RULE \${RULE}_SYNTAX
21 RULES:
22 $(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
23 ENVIRONMENT:
24 TRACE # affiche les commandes avant leur exécution
25 $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
26 EOF
27 }
28
29 rule_git_configure () {
30 (
31 cd "$tool"
32 git config --replace branch.master.remote .
33 git config --replace branch.master.merge refs/remotes/master
34 local tool
35 tool=$(cd "$tool"; cd -)
36 sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/
37 sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/vm
38 )
39 }
40 rule_git_reset () {
41 (
42 cd "$tool"
43 git checkout -f -B master remotes/master
44 git clean -f -d -x
45 )
46 }
47
48 rule_apt_get_install () { # SYNTAX: $package
49 sudo apt-get install "$@"
50 }
51
52 rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
53 export LANG=C
54 export LC_CTYPE=C
55 . /etc/profile
56 }
57
58 rule_apache2_configure () {
59 local -; set +f
60 rule apt_get_install \
61 apache2-mpm-itk \
62 libapache2-mod-php5
63 # VOIR: http://serverfault.com/questions/383526/how-do-i-select-which-apache-mpm-to-use/383634#383634
64 # VOIR: http://jkroon.blogs.uls.co.za/it/security/using-php-fpm-and-mod_proxy_fcgi-to-optimize-and-secure-lamp-servers
65 # NOTE: apache2-mpm-itk semble le plus sécurisé,
66 # car on est certain que tout est exécuté avec les uid/gid
67 # assignés au VirtualHost/Directory/Location
68 # néamoins il se peut qu'une combinaison du genre :
69 # apache2-mpm-{worker,event} + mod_proxy_fcgi + apache2-suexec-custom + php-fpm
70 # soit plus performante (threads et pas forks),
71 # cependant l'usage de suexec impose des forks il semble..
72 # et mod_proxy_fcgi n'apparaît que dans apache 2.4 ;
73 # donc pour l'instant : apache2-mpm-itk
74 rule www_configure
75 cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF |
76 ServerName "$vm_fqdn"
77 EOF
78 sudo install -m 660 -o root -g root /dev/stdin \
79 /etc/apache2/apache2.conf
80 sudo install -m 660 -o root -g root \
81 "$tool"/etc/apache2/envvars \
82 /etc/apache2/envvars
83 sudo install -m 660 -o root -g root \
84 "$tool"/etc/apache2/httpd.conf \
85 /etc/apache2/httpd.conf
86 #sudo install -m 660 -o root -g root /dev/stdin \
87 # /etc/apache2/suexec/www-data <<-EOF
88 # /home
89 # pub/www/cgi
90 # EOF
91 sudo install -m 660 -o root -g root \
92 "$tool"/etc/apache2/ports.conf \
93 /etc/apache2/ports.conf
94 sudo a2enmod actions
95 sudo a2enmod headers
96 sudo a2enmod rewrite
97 sudo a2enmod ssl
98 sudo a2enmod userdir
99 local conf
100 sudo a2dissite "*"
101 sudo ln -fns \
102 /etc/apache2 \
103 /home/www/etc/apache2
104 for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf
105 do conf=${conf#"$tool"/etc/apache2/site.d/}
106 local port site
107 IFS=. read -r port site <<-EOF
108 ${conf%\/VirtualHost\.conf}
109 EOF
110 assert 'test "${site:+set}"'
111 assert 'test "${port:+set}"'
112 local site_user="$user.$port.$site"
113 local site_dir="$user.$port.$site"
114 case $port in
115 (443)
116 local hint="run vm_remote apache2_key_send before"
117 assert "sudo test -f /etc/apache2/site.d/\"$site_dir\"/x509/key.pem" hint
118 sudo install -d -m 770 -o "$user" -g "$user" \
119 /etc/apache2 \
120 /etc/apache2/site.d/"$site_dir" \
121 /etc/apache2/site.d/"$site_dir"/x509 \
122 /etc/apache2/site.d/"$site_dir"/x509/ca \
123 /etc/apache2/site.d/"$site_dir"/x509/empty \
124 /etc/apache2/site.d/"$site_dir"/x509/rvk \
125 /etc/apache2/site.d/"$site_dir"/x509/usr
126 sudo install -m 664 -o www -g www \
127 "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
128 /etc/apache2/site.d/"$site_dir"/x509/crt.self-signed.pem
129 #sudo install -m 664 -o "$user" -g "$user" \
130 # "$tool"/var/pub/x509/"$site"/rvk.pem \
131 # /etc/apache2/site.d/"$site_dir"/x509/rvk.pem
132 sudo install -m 664 -o www -g www \
133 "$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \
134 /etc/apache2/site.d/"$site_dir"/x509/ca/crt.pem
135 sudo install -m 664 -o www -g www \
136 "$tool"/var/pub/x509/"$site"/crt.pem \
137 /etc/apache2/site.d/"$site_dir"/x509/crt.pem
138 ;;
139 esac
140 case $port in
141 (80)
142 cat <<-EOF
143 <VirtualHost *:$port>
144 AssignUserID $site_user $site_user
145 CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
146 #CustomLog "/dev/null" Combined
147 DocumentRoot /home/www/pub/$site_dir
148 ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
149 #ErrorLog "/dev/null"
150 ServerName $site
151 LogLevel Warn
152 $(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
153 </VirtualHost>
154 EOF
155 ;;
156 (443)
157 cat <<-EOF
158 <IfModule mod_ssl.c>
159 <VirtualHost *:$port>
160 AssignUserID $site_user $site_user
161 BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0
162 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
163 CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
164 #CustomLog "/dev/null" Combined
165 DocumentRoot /home/www/pub/$site_dir
166 ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
167 #ErrorLog "/dev/null"
168 LogLevel Warn
169 ServerName $site
170 SSLCACertificateFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
171 SSLCACertificatePath /etc/apache2/site.d/$site_dir/x509/usr/
172 #SSLCARevocationFile /etc/apache2/site.d/$site_dir/x509/rvk.pem
173 SSLCADNRequestFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
174 SSLCADNRequestPath /etc/apache2/site.d/$site_dir/x509/empty/
175 # NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés
176 SSLCARevocationPath /etc/apache2/site.d/$site_dir/x509/rvk/
177 SSLCertificateChainFile /etc/apache2/site.d/$site_dir/x509/ca/crt.pem
178 SSLCertificateFile /etc/apache2/site.d/$site_dir/x509/crt.pem
179 SSLCertificateKeyFile /etc/apache2/site.d/$site_dir/x509/key.pem
180 SSLCipherSuite AES+RSA+SHA256
181 SSLEngine On
182 SSLInsecureRenegotiation Off
183 SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars
184 SSLProtocol -All +TLSv1
185 #SSLRenegBufferSize 262144
186 SSLSessionCacheTimeout 1200
187 SSLStrictSNIVHostCheck On
188 SSLUserName SSL_CLIENT_S_DN_CN
189 SSLVerifyClient None
190 SSLVerifyDepth 1
191 $(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
192 </VirtualHost>
193 </IfModule>
194 EOF
195 ;;
196 esac |
197 sudo install -m 660 -o root -g root /dev/stdin \
198 /etc/apache2/site.d/"$site_dir"/VirtualHost.conf
199 sudo ln -fns \
200 ../site.d/"$site_dir"/VirtualHost.conf \
201 /etc/apache2/sites-available/"$site_dir"
202 sudo install -d -m 770 -o "$user" -g "$user" \
203 /home/www/log/"$site_dir" \
204 /home/www/log/"$site_dir"/apache2
205 sudo ln -fns \
206 /etc/apache2/site.d/"$site_dir" \
207 /home/www/etc/apache2/"$site_dir"
208 test -e /home/www/pub/"$site_dir" ||
209 sudo install -d -m 770 -o "$user" -g "$user" \
210 /home/www/pub/"$site_dir"
211 getent passwd "$site_user" >/dev/null ||
212 sudo adduser \
213 --disabled-password \
214 --group \
215 --no-create-home \
216 --home /home/www/pub/"$site_dir" \
217 --shell /bin/false \
218 --system \
219 "$site_user"
220 sudo setfacl -m u:"$site_user":--x \
221 /home/www/ \
222 /home/www/pub/ \
223 /home/www/pub/"$site_dir"/
224 sudo setfacl -m d:u:"$site_user":rwx \
225 "$home"/pub/www/"$site_dir"/
226 test ! -r "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh ||
227 . "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh
228 test -e /etc/apache2/sites-enabled/"$site_dir" ||
229 sudo a2ensite "$site_dir"
230 done
231 sudo service apache2 restart
232 }
233 rule_apt_configure () {
234 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
235 deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
236 EOF
237 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF
238 #deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
239 EOF
240 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
241 Package: *
242 Pin: release a=$vm_lsb_name
243 Pin-Priority: 170
244
245 Package: *
246 Pin: release a=$vm_lsb_name-backports
247 Pin-Priority: 200
248 EOF
249 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
250 deb http://nightly.openerp.com/trunk/nightly/deb/ ./
251 EOF
252 sudo apt-get update
253 rule apt_get_install apticron
254 sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF
255 EMAIL="admin@$vm_domainname"
256 # DIFF_ONLY="1"
257 # LISTCHANGES_PROFILE="apticron"
258 # ALL_FQDNS="1"
259 # SYSTEM="foobar.example.com"
260 # IPADDRESSNUM="1"
261 # IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
262 # NOTIFY_HOLDS="0"
263 # NOTIFY_NEW="0"
264 # NOTIFY_NO_UPDATES="0"
265 # CUSTOM_SUBJECT=""
266 # CUSTOM_NO_UPDATES_SUBJECT=""
267 # CUSTOM_FROM="root@$vm_fqdn"
268 EOF
269 }
270 rule_boot_configure () {
271 warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
272 rule apt_get_install grub-pc
273 sudo install -d -m 644 -o root -g root /boot/grub
274 rule apt_get_install linux-image-$vm_arch
275 sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF
276 GRUB_DEFAULT=0
277 GRUB_TIMEOUT=5
278 GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
279 GRUB_CMDLINE_LINUX_DEFAULT="quiet"
280 GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
281 GRUB_DISABLE_RECOVERY="true"
282 #GRUB_PRELOAD_MODULES="lvm"
283 EOF
284 sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF
285 (hd0) /dev/xvda
286 (hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
287 EOF
288 sudo update-grub2 # NOTE: prend en compte /boot/grub/device.map
289 rule initramfs_configure
290 rule apt_get_install molly-guard
291 sudo install -m 644 -o root -g root /dev/stdin /etc/molly-guard/rc <<-EOF
292 ALWAYS_QUERY_HOSTNAME=true
293 # NOTE: une alternative est de dire à sudo de conserver les SSH_*
294 # néamoins demander tout le temps n'est pas trop contraignant
295 # et davantage sécurisant.
296 EOF
297 }
298 rule_dovecot_configure () {
299 rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
300 local hint="run vm_remote dovecot_key_send before"
301 assert "sudo test -f /etc/dovecot/\"$vm_domainname\"/imap/x509/key.pem" hint
302 sudo install -m 400 -o root -g root \
303 "$tool"/var/pub/x509/$vm_domainname/imap/crt+crl.self-signed.pem \
304 /etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
305 sudo install -d -m 770 -o root -g adm \
306 /etc/skel/etc/mail \
307 /etc/skel/etc/sieve
308 sudo install -d -m 1777 -o root -g root \
309 /var/lib/dovecot-control \
310 /var/lib/dovecot-index
311 sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
312 auth_ssl_username_from_cert = yes
313 listen = *
314 log_timestamp = "%Y-%m-%d %H:%M:%S "
315 mail_debug = yes
316 mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
317 # NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
318 # VOIR: http://wiki2.dovecot.org/Quota/FS
319 mail_plugins = \$mail_plugins quota
320 mail_privileged_group = mail
321 passdb {
322 args = /home/%u/etc/dovecot/passwd
323 driver = passwd-file
324 }
325 plugin {
326 quota = fs:user
327 recipient_delimiter = +
328 sieve = ~/etc/mail/filter.sieve
329 sieve_dir = ~/etc/mail/sieve
330 sieve_global_dir = /var/lib/dovecot/sieve/global/
331 sieve_max_script_size = 1M
332 sieve_quota_max_scripts = 0
333 sieve_quota_max_storage = 10M
334 sieve_user_log = ~/var/log/mail/sieve.log
335 }
336 protocol imap {
337 mail_plugins = \$mail_plugins imap_quota
338 }
339 protocol lda {
340 auth_socket_path = /var/run/dovecot/auth-master
341 hostname = $vm_domainname
342 info_log_path =
343 log_path =
344 mail_plugins = \$mail_plugins sieve
345 postmaster_address = contact+dovecot+lda@$vm_domainname
346 syslog_facility = mail
347 }
348 protocols = imap sieve
349 service auth {
350 user = root
351 unix_listener /var/spool/postfix/private/auth {
352 mode = 0660
353 user = postfix
354 group = postfix
355 }
356 }
357 ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
358 ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
359 ssl_cipher_list = AES256-SHA
360 ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
361 ssl_verify_client_cert = yes
362 userdb {
363 driver = passwd
364 }
365 verbose_ssl = no
366 EOF
367 sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
368 #!/bin/sh -efux
369 # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
370 install -d -m 770 ~/etc/dovecot
371 install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
372 \$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
373 _EOF
374 EOF
375 sudo install -m 664 -o root -g root /dev/stdin /etc/postgrey/whitelist_recipients.local <<-EOF
376 EOF
377 sudo service dovecot restart
378 }
379 rule_etckeeper_configure () {
380 sudo install -m 644 -o root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
381 VCS=git
382 GIT_COMMIT_OPTIONS=""
383 AVOID_DAILY_AUTOCOMMITS=1
384 #AVOID_SPECIAL_FILE_WARNING=1
385 AVOID_COMMIT_BEFORE_INSTALL=1
386 HIGHLEVEL_PACKAGE_MANAGER=apt
387 LOWLEVEL_PACKAGE_MANAGER=dpkg
388 EOF
389 sudo install -m 644 -o root -g root \
390 "$tool"/etc/etckeeper/prompt.sh \
391 /etc/etckeeper/prompt.sh
392 rule apt_get_install etckeeper
393 }
394 rule_filesystem_configure () {
395 sudo install -m 644 -o root -g root /dev/stdin /etc/fstab <<-EOF
396 # <file system> <mount point> <type> <options> <dump> <pass>
397 LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
398 proc /proc proc defaults 0 0
399 sysfs /sys sysfs defaults 0 0
400 /dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
401 /dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
402 /dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
403 # NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
404 /dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
405 EOF
406 sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF
407 # <target name> <source device> <key file> <options>
408 ${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
409 ${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
410 ${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
411 ${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
412 EOF
413 sudo install -m 644 -o root -g root /dev/stdin /etc/default/tmpfs <<-EOF
414 LOCK_SIZE=5242880 # NOTE: 5MiB
415 RAMLOCK=yes
416 RAMSHM=yes
417 RAMTMP=yes
418 RUN_SIZE=10%
419 SHM_SIZE=
420 TMP_MODE=1777,nr_inodes=1000k,noatime
421 TMP_OVERFLOW_LIMIT=1024
422 # NOTE: mount tmpfs on /tmp if there is less than the limit size (in kiB)
423 # on the root filesystem (overriding RAMTMP).
424 TMP_SIZE=200m
425 TMPFS_SIZE=20%VM
426 EOF
427 sudo install -m 775 -o root -g root \
428 "$tool"/etc/init.d/tmpfs \
429 /etc/init.d/tmpfs
430 sudo update-rc.d tmpfs defaults
431 }
432 rule_initramfs_configure () {
433 sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
434 MODULES=most
435 BUSYBOX=y
436 KEYMAP=y
437 COMPRESS=gzip
438 DEVICE=eth0
439 EOF
440 sudo install -m 644 -o root -g root /dev/stdin /etc/modprobe.d/xen-pv.conf <<-EOF
441 alias eth0 xennet
442 alias scsi_hostadapter xenblk
443 EOF
444 sudo install -m 644 -o root -g root /dev/stdin /etc/modules <<-EOF
445 sha1_generic
446 sha256_generic
447 sha512_generic
448 aes-x86_64
449 xts
450 # NOTE: pour Xen en mode HVM :
451 #modprobe xen-platform-pci
452 EOF
453 sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF
454 EOF
455 sudo sed -e '/^configure_networking /s/ &$//' \
456 -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
457 # NOTE: corrige une vermine : dropbear doit attendre que le réseau soit configuré..
458 ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
459 ( while IFS= read -r line
460 do case $line in (*" RSA") return 0; break;; esac
461 done; return 1 ) ||
462 {
463 sudo rm -f \
464 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
465 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
466 sudo dropbearkey -t rsa -s 4096 -f \
467 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
468 }
469 # NOTE: ne se préoccupe pas de dropbear_dss_host_key ; Debian la génère et l'utilise néamoins.
470 sudo install -d -m 640 -o root -g root \
471 /etc/initramfs-tools/root \
472 /etc/initramfs-tools/root/.ssh
473 getent group sudo |
474 while IFS=: read -r group x x users
475 do while test -n "$users" && IFS=, read -r user users <<-EOF
476 $users
477 EOF
478 do eval local home\; home="~$user"
479 cat "$home"/etc/ssh/authorized_keys
480 done
481 done |
482 sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys
483 sudo rm -f \
484 /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
485 /etc/initramfs-tools/root/.ssh/id_rsa.pub \
486 /etc/initramfs-tools/root/.ssh/id_rsa
487 # NOTE: clefs générées par Debian
488 sudo update-initramfs -u
489 }
490 rule_time_configure () {
491 sudo install -m 644 -o root -g root /dev/stdin /etc/timezone <<-EOF
492 Europe/Paris
493 EOF
494 sudo dpkg-reconfigure tzdata
495 rule apt_get_install ntp
496 }
497 rule_locale_configure () {
498 sudo install -m 644 -o root -g root /dev/stdin /etc/locale.gen <<-EOF
499 fr_FR.UTF-8 UTF-8
500 EOF
501 sudo update-locale
502 }
503 rule_login_configure () {
504 sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF
505 # /etc/inittab: init(8) configuration.
506
507 # The default runlevel.
508 id:2:initdefault:
509
510 # Boot-time system configuration/initialization script.
511 # This is run first except when booting in emergency (-b) mode.
512 si::sysinit:/etc/init.d/rcS
513
514 # What to do in single-user mode.
515 ~~:S:wait:/sbin/sulogin
516
517 # /etc/init.d executes the S and K scripts upon change
518 # of runlevel.
519 #
520 # Runlevel 0 is halt.
521 # Runlevel 1 is single-user.
522 # Runlevels 2-5 are multi-user.
523 # Runlevel 6 is reboot.
524
525 l0:0:wait:/etc/init.d/rc 0
526 l1:1:wait:/etc/init.d/rc 1
527 l2:2:wait:/etc/init.d/rc 2
528 l3:3:wait:/etc/init.d/rc 3
529 l4:4:wait:/etc/init.d/rc 4
530 l5:5:wait:/etc/init.d/rc 5
531 l6:6:wait:/etc/init.d/rc 6
532 # Normally not reached, but fallthrough in case of emergency.
533 z6:6:respawn:/sbin/sulogin
534
535 # What to do when CTRL-ALT-DEL is pressed.
536 ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
537
538 # What to do when the power fails/returns.
539 pf::powerwait:/etc/init.d/powerfail start
540 pn::powerfailnow:/etc/init.d/powerfail now
541 po::powerokwait:/etc/init.d/powerfail stop
542
543 # Xen hypervisor console
544 hvc:2345:respawn:/sbin/getty 38400 hvc0
545 #xvc:2345:respawn:/sbin/getty 38400 xvc0
546 EOF
547 sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF
548 MAIL_DIR /var/mail
549 FAILLOG_ENAB yes
550 LOG_UNKFAIL_ENAB no
551 LOG_OK_LOGINS no
552 SYSLOG_SU_ENAB yes
553 SYSLOG_SG_ENAB yes
554 FTMP_FILE /var/log/btmp
555 SU_NAME su
556 HUSHLOGIN_FILE .hushlogin
557 ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
558 ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
559 # NOTE: met les sbin/ dans ENV_PATH ;
560 # - ça n'apporte aucune protection de ne pas les mettre ;
561 # - ça frustre de ne pas les trouver.
562 TTYGROUP tty
563 TTYPERM 0600
564 ERASECHAR 0177
565 KILLCHAR 025
566 UMASK 007
567 # NOTE: rwxrwx--- ;
568 # - donne une même confiance au groupe propriétaire qu'au propriétaire ;
569 # - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
570 PASS_MAX_DAYS 99999
571 PASS_MIN_DAYS 0
572 PASS_WARN_AGE 7
573 UID_MIN 1000
574 UID_MAX 60000
575 GID_MIN 1000
576 GID_MAX 60000
577 LOGIN_RETRIES 3
578 LOGIN_TIMEOUT 60
579 CHFN_RESTRICT rwh
580 DEFAULT_HOME yes
581 USERGROUPS_ENAB yes
582 ENCRYPT_METHOD SHA512
583 EOF
584 grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
585 sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF
586 $(cat /etc/pam.d/common-session)
587 session optional pam_umask.so
588 EOF
589 grep -q '^hvc0$' /etc/securetty ||
590 sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
591 $(cat /etc/securetty)
592 hvc0
593 EOF
594 grep -q '^xvc0$' /etc/securetty ||
595 sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
596 $(cat /etc/securetty)
597 xvc0
598 EOF
599 }
600 rule_mail_configure () {
601 rule postfix_configure
602 rule postgrey_configure
603 rule procmail_configure
604 rule dovecot_configure
605 }
606 rule_network_configure () {
607 sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
608 $vm
609 EOF
610 grep -q " $vm\$" /etc/hosts ||
611 sudo install -m 644 -o root -g root /dev/stdin /etc/hosts <<-EOF
612 $(cat /etc/hosts)
613 127.0.0.1 $vm_fqdn $vm
614 EOF
615 sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF
616 auto lo
617 iface lo inet loopback
618
619 auto eth0=grenode
620 iface grenode inet static
621 address $vm_ipv4
622 gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
623 network $vm_ipv4
624 broadcast $vm_ipv4
625 netmask 255.255.255.255
626 mtu 1300
627 # NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
628 # car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
629 #
630 # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
631 # PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
632 # 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
633 #
634 # --- soupirail.grenode.net ping statistics ---
635 # 1 packets transmitted, 1 received, 0% packet loss, time 0ms
636 # rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
637 # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
638 # PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
639 # From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
640 #
641 # --- soupirail.grenode.net ping statistics ---
642 # 0 packets transmitted, 0 received, +1 errors
643 post-up ip address add $vm_ipv4/32 dev \$IFACE
644 pre-down ip address delete $vm_ipv4/32 dev \$IFACE
645 EOF
646 }
647 rule_www_configure () {
648 getent passwd www >/dev/null ||
649 sudo adduser \
650 --disabled-login \
651 --disabled-password \
652 --group \
653 --home /home/www \
654 --shell /bin/false \
655 --system \
656 www
657 sudo adduser \
658 --disabled-login \
659 --disabled-password \
660 --group \
661 --home ~www/log \
662 --shell /bin/false \
663 --system \
664 log.www
665 #sudo adduser www www-data
666 sudo adduser www log.www
667 #sudo adduser log log.www
668 usermod --home /home/www/pub www-data
669 sudo install -d -m 751 -o www -g www \
670 /home/www
671 sudo install -d -m 750 -o www -g www \
672 /home/www/etc
673 sudo install -d -m 1771 -o www-data -g www-data \
674 /home/www/pub \
675 sudo install -d -m 1771 -o log.www -g log.www \
676 /home/www/log
677 }
678 rule_nginx_configure () {
679 local -; set +f
680 rule apt_get_install nginx
681 rule www_configure
682 sudo rm -rf \
683 /etc/nginx/conf.d \
684 /etc/nginx/site.d
685 sudo install -d -m 770 -o www -g www \
686 /etc/nginx \
687 /etc/nginx/conf.d \
688 /etc/nginx/site.d
689 sudo ln -fns \
690 /etc/nginx \
691 /home/www/etc/nginx
692 sudo install -m 660 -o www -g www \
693 "$tool"/etc/nginx/nginx.conf \
694 /etc/nginx/nginx.conf
695 local conf
696 for conf in "$tool"/etc/nginx/conf.d/*.conf
697 do conf=${conf#"$tool"/etc/nginx/conf.d/}
698 sudo install -m 660 -o www -g www \
699 "$tool"/etc/nginx/conf.d/"$conf" \
700 /etc/nginx/conf.d/"$conf"
701 done
702 for conf in "$tool"/etc/nginx/site.d/*/server.conf
703 do conf=${conf#"$tool"/etc/nginx/site.d/}
704 local port site
705 IFS=. read -r port site <<-EOF
706 ${conf%\/server\.conf}
707 EOF
708 assert 'test "${port:+set}"'
709 assert 'test "${site:+set}"'
710 site="$port.$site"
711 getent passwd www."$site" >/dev/null ||
712 sudo adduser \
713 --disabled-login \
714 --disabled-password \
715 --group \
716 --home ~www-data/"$site" \
717 --shell /bin/false \
718 --system \
719 www."$site"
720 getent passwd log."$site" >/dev/null ||
721 sudo adduser \
722 --disabled-login \
723 --disabled-password \
724 --group \
725 --shell /bin/false \
726 --system \
727 log."$site"
728 sudo usermod --home ~www/log/"$site"/nginx log."$site"
729 sudo install -d -m 770 -o www -g www \
730 /etc/nginx/site.d/"$site"
731 case $port in
732 (443)
733 local hint="run vm_remote nginx_key_send before"
734 assert "sudo test -f /etc/nginx/\"$site\"/x509/key.pem" hint
735 sudo install -m 664 -o www -g www \
736 "$tool"/var/pub/x509/"$site"/crt+ca.pem \
737 /etc/nginx/site.d/"$site"/x509/crt.pem
738 ;;
739 esac
740 case $port in
741 (80)
742 cat <<-EOF
743 server {
744 listen $port;
745 access_log /home/www/log/$site/nginx/access.log main;
746 error_log /home/www/log/$site/nginx/error.log warn;
747 root /home/www/pub/$site;
748 server_name $site;
749 $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
750 }
751 EOF
752 ;;
753 (443)
754 cat <<-EOF
755 server {
756 listen $port;
757 access_log /home/www/log/$site/nginx/access.log main;
758 error_log /home/www/log/$site/nginx/error.log warn;
759 keepalive_timeout 70;
760 root /home/www/pub/$site;
761 server_name $site;
762 # DOC: http://wiki.nginx.org/HttpSslModule
763 ssl on;
764 ssl_certificate /home/www/etc/nginx/site.d/$site/x509/crt.pem;
765 ssl_certificate_key /home/www/etc/nginx/site.d/$site/x509/key.pem;
766 ssl_ciphers HIGH:!ADH:!MD5;
767 ssl_prefer_server_ciphers on;
768 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
769 ssl_session_cache shared:SSL:10m;
770 $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
771 }
772 EOF
773 ;;
774 esac |
775 sudo install -m 660 -o www -g www /dev/stdin \
776 /etc/nginx/site.d/"$site"/server.conf
777 adduser www-data "$site"
778 test -e /home/www/pub/"$site" ||
779 sudo install -d -m 3770 -o "$site" -g "$site" \
780 /home/www/pub/"$site"
781 sudo install -d -m 3770 -o log."$site" -g log."$site" \
782 /home/www/log/"$site"/nginx
783 test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
784 . "$tool"/etc/nginx/site.d/"$site"/configure.sh
785 done
786 rule apt_get_install spawn-fcgi fcgiwrap
787 sudo insserv --remove fcgiwrap
788 rule tmpfs_configure
789 sudo service nginx restart
790 }
791 rule_php5_fpm_configure () {
792 local -; set +f
793 rule apt_get_install \
794 php5-fpm \
795 php-apc
796 getent passwd php5 >/dev/null ||
797 sudo adduser \
798 --disabled-login \
799 --disabled-password \
800 --group \
801 --shell /bin/false \
802 --system \
803 php5
804 local conf
805 sudo ln -fns \
806 /etc/php5-fpm \
807 /home/www/etc/php5
808 sudo rm -f /etc/php5/fpm/pool.d/*
809 for conf in "$tool"/etc/php5/fpm/pool.d/*.conf
810 do conf=${conf#"$tool"/etc/php5/fpm/pool.d/}
811 local port site
812 IFS=. read -r port site <<-EOF
813 ${conf%\.conf}
814 EOF
815 assert 'test "${port:+set}"'
816 assert 'test "${site:+set}"'
817 site="$port.$site"
818 getent passwd php5"$site" >/dev/null ||
819 sudo adduser \
820 --disabled-login \
821 --disabled-password \
822 --group \
823 --no-create-home \
824 --home ~www/pub/"$site" \
825 --shell /bin/false \
826 --system \
827 php5."$site"
828 sudo install -d -m 770 -o php5 -g php5 \
829 /home/www/log/php5 \
830 /home/www/log/php5/fpm
831 sudo install -d -m 770 -o log."$site" -g log."$site" \
832 /home/www/log/"$site"
833 sudo adduser php5."$user" www."$site"
834 sudo install -m 660 -o root -g root /dev/stdin \
835 /etc/php5/fpm/pool.d/"$conf" <<-EOF
836 [php5.$site]
837 access.log = /home/www/log/$site/php5/fpm/access.log
838 catch_workers_output = yes
839 chdir = /
840 env[HOSTNAME] = \$HOSTNAME
841 env[TEMP] = /tmp
842 env[TMPDIR] = /tmp
843 env[TMP] = /tmp
844 group = www-data
845 listen = /run/nginx/fastcgi/php5.$site
846 #listen = 127.0.0.1:9000
847 #listen.allowed_clients = 127.0.0.1
848 listen.backlog = -1
849 pm = dynamic
850 pm.max_children = 5
851 pm.max_requests = 200
852 pm.max_spare_servers = 4
853 pm.min_spare_servers = 2
854 pm.start_servers = 3
855 pm.status_path = /status
856 request_slowlog_timeout = 5s
857 request_terminate_timeout = 120s
858 rlimit_core = unlimited
859 rlimit_files = 131072
860 slowlog = /home/www/log/$site/php5/fpm/slow.log
861 user = $php5_user
862 $(cat "$tool"/etc/php5/fpm/pool.d/"$conf")
863 EOF
864 sudo install -m 664 -o root -g root \
865 "$tool"/etc/php5/fpm/php.ini \
866 /etc/php5/fpm/php.ini
867 done
868 rule tmpfs_configure
869 sudo service php5-fpm restart
870 }
871 rule_postfix_configure () {
872 local hint="run vm_remote postfix_key_send before"
873 assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
874 warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
875 rule apt_get_install postfix
876 sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
877 *.db
878 EOF
879 sudo install -d -m 770 -o root -g root \
880 /etc/postfix/$vm_domainname/ \
881 /etc/postfix/$vm_domainname/smtp \
882 /etc/postfix/$vm_domainname/smtp/x509 \
883 /etc/postfix/$vm_domainname/smtp/x509/ca \
884 /etc/postfix/$vm_domainname/smtpd \
885 /etc/postfix/$vm_domainname/smtpd/x509 \
886 /etc/postfix/$vm_domainname/smtpd/x509/ca
887 sudo install -d -m 770 -o root -g root \
888 /etc/postfix/$vm_domainname/ \
889 /etc/postfix/$vm_domainname/smtp \
890 /etc/postfix/$vm_domainname/smtp/x509 \
891 /etc/postfix/$vm_domainname/smtp/x509/ca \
892 /etc/postfix/$vm_domainname/smtpd \
893 /etc/postfix/$vm_domainname/smtpd/x509 \
894 /etc/postfix/$vm_domainname/smtpd/x509/ca
895 sudo ln -fns \
896 ../crt+crl.self-signed.pem \
897 /etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
898 sudo install -m 400 -o root -g root \
899 "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+crl.self-signed.pem \
900 /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
901 sudo install -m 400 -o root -g root \
902 "$tool"/var/pub/x509/$vm_domainname/smtpd/crt.pem \
903 /etc/postfix/$vm_domainname/smtpd/x509/crt.pem
904 sudo install -m 400 -o root -g root \
905 "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+ca.pem \
906 /etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem
907 sudo install -m 400 -o root -g root \
908 "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+crl.self-signed.pem \
909 /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
910 sudo install -m 660 -o root -g root \
911 "$tool"/etc/postfix/$vm_domainname/header_checks \
912 /etc/postfix/$vm_domainname/header_checks
913 sudo install -m 664 -o root -g root /dev/stdin \
914 /etc/postfix/aliases <<-EOF
915 # See man 5 aliases for format
916 abuse: root
917 admin: root
918 contact: root
919 postmaster: root
920 root: $(getent group sudo | cut -f 4 -d : | tr , ' ')
921 EOF
922 sudo newaliases -oA/etc/postfix/aliases
923 cat /dev/stdin "$tool"/etc/postfix/main.cf <<-EOF |
924 mydomain = $vm_domainname
925 myorigin = \$mydomain
926 myhostname = $vm_hostname.\$mydomain
927 mail_name = \$myhostname
928 mydestination = $vm_hostname \$myhostname \$myorigin
929 EOF
930 sudo install -m 664 -o root -g root /dev/stdin \
931 /etc/postfix/main.cf
932 sudo install -m 664 -o root -g root \
933 "$tool"/etc/postfix/master.cf \
934 /etc/postfix/master.cf
935 sudo install -m 660 -o root -g root \
936 "$tool"/etc/postfix/$vm_domainname/smtp/x509/policy \
937 /etc/postfix/$vm_domainname/smtp/x509/policy
938 sudo postmap hash:/etc/postfix/$vm_domainname/smtp/x509/policy
939 sudo install -m 660 -o root -g root \
940 "$tool"/etc/postfix/$vm_domainname/smtp/header_checks \
941 /etc/postfix/$vm_domainname/smtp/header_checks
942 sudo install -m 660 -o root -g root \
943 "$tool"/etc/postfix/$vm_domainname/smtpd/sender_access \
944 /etc/postfix/$vm_domainname/smtpd/sender_access
945 sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/sender_access
946 sudo install -m 660 -o root -g root \
947 "$tool"/etc/postfix/$vm_domainname/smtpd/client_blacklist \
948 /etc/postfix/$vm_domainname/smtpd/client_blacklist
949 sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/client_blacklist
950 sudo install -m 660 -o root -g root \
951 "$tool"/etc/postfix/$vm_domainname/smtpd/relay_clientcerts \
952 /etc/postfix/$vm_domainname/smtpd/relay_clientcerts
953 sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/relay_clientcerts
954 sudo install -m 660 -o root -g root \
955 "$tool"/etc/postfix/$vm_domainname/transport \
956 /etc/postfix/$vm_domainname/transport
957 sudo postmap hash:/etc/postfix/$vm_domainname/transport
958 sudo install -m 660 -o root -g root \
959 "$tool"/etc/postfix/$vm_domainname/virtual_alias \
960 /etc/postfix/$vm_domainname/virtual_alias
961 sudo postmap hash:/etc/postfix/$vm_domainname/virtual_alias
962 sudo service postfix restart
963 }
964 rule_postgrey_configure () {
965 rule apt_get_install postgrey
966 sudo service postgrey restart
967 }
968 rule_procmail_configure () {
969 rule apt_get_install procmail
970 sudo install -d -m 770 -o root -g adm \
971 /etc/skel/etc/mail \
972 /etc/skel/var/cache/mail \
973 /etc/skel/var/log/mail \
974 /etc/skel/var/mail
975 sudo install -m 660 -o root -g adm \
976 "$tool"/etc/skel/etc/mail/delivery.procmailrc \
977 /etc/skel/etc/mail/delivery.procmailrc
978 }
979 rule_ssh_configure () {
980 ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
981 ( while IFS= read -r line
982 do case $line in (*" RSA") return 0; break;; esac
983 done; return 1 ) ||
984 sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
985 sudo rm -f \
986 /etc/ssh/ssh_host_dsa_key \
987 /etc/ssh/ssh_host_dsa_key.pub \
988 /etc/ssh/ssh_host_ecdsa_key \
989 /etc/ssh/ssh_host_ecdsa_key.pub
990 # NOTE: clefs générées par Debian
991 sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
992 Port 22
993 ListenAddress $vm_ipv4
994 #ListenAddress ::
995 Protocol 2
996 Compression yes
997 HostKey /etc/ssh/ssh_host_rsa_key
998 UsePrivilegeSeparation yes
999 KeyRegenerationInterval 3600
1000 ServerKeyBits 768
1001 SyslogFacility AUTH
1002 LogLevel INFO
1003 LoginGraceTime 120
1004 PermitRootLogin yes
1005 StrictModes yes
1006 RSAAuthentication yes
1007 PubkeyAuthentication yes
1008 AuthorizedKeysFile %h/etc/ssh/authorized_keys
1009 IgnoreRhosts yes
1010 RhostsRSAAuthentication no
1011 HostbasedAuthentication no
1012 IgnoreUserKnownHosts no
1013 PermitEmptyPasswords no
1014 ChallengeResponseAuthentication no
1015 PasswordAuthentication no
1016 KerberosAuthentication no
1017 GSSAPIAuthentication no
1018 X11Forwarding no
1019 X11DisplayOffset 10
1020 PrintMotd no
1021 DebianBanner no
1022 PrintLastLog yes
1023 TCPKeepAlive yes
1024 ClientAliveInterval 0
1025 AcceptEnv LANG LC_*
1026 Subsystem sftp /usr/lib/openssh/sftp-server
1027 UsePAM yes
1028 EOF
1029 sudo service ssh restart
1030 }
1031 rule_sysctl_configure () {
1032 local -; set +f
1033 for conf in "$tool"/etc/sysctl.d/*.conf
1034 do conf=${conf#"$tool"/etc/sysctl.d/}
1035 sudo install -m 660 -o root -g root \
1036 "$tool"/etc/sysctl.d/"$conf" \
1037 /etc/sysctl.d/"$conf"
1038 done
1039 sudo sysctl --system
1040 }
1041 rule_user_add () { # SYNTAX: $user
1042 rule user_configure
1043 local user=$1
1044 id "$user" >/dev/null ||
1045 sudo adduser --disabled-password "$user"
1046 # NOTE: le mot-de-passe doit être initialisé par l'utilisateur à l'aide de passwd-init .
1047 eval local home\; home="~$user"
1048 sudo adduser "$user" users
1049 sudo install -m 640 -o root -g root \
1050 "$tool"/var/pub/ssh/"$user".key \
1051 "$home"/etc/ssh/authorized_keys
1052 local key; local -; set +f
1053 for key in "$tool"/var/pub/openpgp/*.key
1054 do sudo -u "$user" gpg --import - <"$key"
1055 done
1056 }
1057 rule_user_configure () {
1058 true
1059 }
1060 rule_user_admin_add () { # SYNTAX: $user
1061 rule user_configure
1062 local user=$1
1063 id "$user" >/dev/null ||
1064 sudo adduser --disabled-password "$user"
1065 eval local home\; home="~$user"
1066 sudo adduser "$user" sudo
1067 sudo adduser "$user" users
1068 sudo install -m 640 -o root -g root \
1069 "$tool"/var/pub/ssh/"$user".key \
1070 "$home"/etc/ssh/authorized_keys
1071 local key; local -; set +f
1072 for key in "$tool"/var/pub/openpgp/*.key
1073 do sudo -u "$user" gpg --import - <"$key"
1074 done
1075 rule user_admin_configure
1076 }
1077 rule_user_admin_configure () {
1078 rule initramfs_configure
1079 rule user_root_configure
1080 }
1081 rule_user_configure () {
1082 sudo install -d -m 750 -o root -g adm \
1083 /etc/skel/etc \
1084 /etc/skel/etc/gpg \
1085 /etc/skel/etc/ssh
1086 sudo install -d -m 770 -o root -g adm \
1087 /etc/skel/var \
1088 /etc/skel/var/cache \
1089 /etc/skel/var/log \
1090 /etc/skel/var/run \
1091 /etc/skel/var/run/ssh
1092 sudo ln -fns etc/ssh /etc/skel/.ssh
1093 sudo ln -fns etc/gpg /etc/skel/.gnupg
1094 sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
1095 %sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
1096 case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
1097 ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
1098 EOF
1099 sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF
1100 %sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
1101 EOF
1102 sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/env_keep <<-EOF
1103 Defaults env_keep = " \\
1104 EDITOR \\
1105 GIT_AUTHOR_NAME \\
1106 GIT_AUTHOR_EMAIL \\
1107 GIT_COMMITTER_NAME \\
1108 GIT_COMMITTER_EMAIL \\
1109 "
1110 EOF
1111 sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF
1112 #!/bin/sh -efu
1113 # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
1114 sudo /bin/sh -e -f -u -c \
1115 'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
1116 EOF
1117 sudo install -m 644 -o root -g root \
1118 "$tool"/etc/bash.bashrc \
1119 /etc/bash.bashrc
1120 sudo install -m 644 -o root -g root \
1121 "$tool"/etc/screenrc \
1122 /etc/screenrc
1123 }
1124 rule_user_root_configure () {
1125 sudo install -d -m 750 -o root -g adm \
1126 /root/etc \
1127 /root/etc/gpg \
1128 /root/etc/ssh
1129 sudo ln -fns etc/gpg /root/.gnupg
1130 sudo ln -fns etc/ssh /root/.ssh
1131 getent group sudo |
1132 while IFS=: read -r group x x users
1133 do while test -n "$users" && IFS=, read -r user users <<-EOF
1134 $users
1135 EOF
1136 do eval local home\; home="~$user"
1137 cat "$home"/etc/ssh/authorized_keys
1138 done
1139 done |
1140 sudo install -m 640 -o root -g root /dev/stdin /root/etc/ssh/authorized_keys
1141 local key; local -; set +f
1142 for key in "$tool"/var/pub/openpgp/*.key
1143 do sudo gpg --import "$key"
1144 done
1145 }
1146 rule_configure () {
1147 rule apt_configure
1148 rule git_configure
1149 rule etckeeper_configure
1150 rule locale_configure
1151 rule time_configure
1152 rule network_configure
1153 rule filesystem_configure
1154 rule login_configure
1155 rule ssh_configure
1156 rule user_root_configure
1157 rule boot_configure
1158 rule sysctl_configure
1159 rule user_configure
1160 rule mail_configure
1161 #rule apache2_configure
1162 rule nginx_configure
1163 rule php5_fpm_configure
1164 }
1165
1166 rule_luks_key_change () {
1167 sudo cryptsetup luksChangeKey /dev/$vm_lvm_vg/${vm_lvm_lv}_root
1168 }
1169
1170 rule=${1:-help}
1171 ${1+shift}
1172 case $rule in
1173 (help);;
1174 (*)
1175 assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
1176 ;;
1177 esac
1178 rule $rule "$@"
outils d'administration d'ateliers.heureux-cyclage.org