dépôts / lhc / ateliers.git / blob
? search:


fae784e9eb60335e894ae7f996ec0ce3f27307dd
[lhc/ateliers.git] / vm_hosted
1 #!/bin/sh
2 set -e -f ${DRY_RUN:+-n} -u
3 tool=$0
4 while test -L "$tool"
5 do tool=$(readlink "$tool")
6 done
7 tool=${tool%/*}
8 . "$tool"/lib/rule.sh
9 . "$tool"/etc/vm.sh
10
11 rule_help () { # SYNTAX: [--hidden]
12 local hidden; [ ${1:+set} ] || hidden=set
13 cat >&2 <<-EOF
14 DESCRIPTION:
15 ce script regroupe des règles pour administrer la VM ($vm_fqdn)
16 _depuis_ la VM hébergée ($vm_fqdn) ;
17 il sert à la fois d'outil (aisément bidouillable)
18 et de documentation (préçise).
19 Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
20 SYNTAX: $0 \$RULE \${RULE}_SYNTAX
21 RULES:
22 $(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
23 ENVIRONMENT:
24 TRACE # affiche les commandes avant leur exécution
25 $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
26 EOF
27 }
28
29 rule_git_configure () {
30 (
31 cd "$tool"
32 git config --replace branch.master.remote .
33 git config --replace branch.master.merge refs/remotes/master
34 local tool
35 tool=$(cd "$tool"; cd -)
36 sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/
37 sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/vm
38 )
39 }
40 rule_git_reset () {
41 (
42 cd "$tool"
43 git checkout -f -B master remotes/master
44 git clean -f -d -x
45 )
46 }
47
48 rule_apt_get_install () { # SYNTAX: $package
49 sudo DEBIAN_FRONTEND=noninteractive apt-get install "$@"
50 }
51 rule_dpkg_reconfigure () { # SYNTAX: $package
52 sudo DEBIAN_FRONTEND=noninteractive dpkg-reconfigure "$@"
53 }
54
55 rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
56 export LANG=C
57 export LC_CTYPE=C
58 . /etc/profile
59 }
60
61 rule_apache2_configure () {
62 local -; set +f
63 rule apt_get_install \
64 apache2-mpm-itk \
65 libapache2-mod-php5
66 # VOIR: http://serverfault.com/questions/383526/how-do-i-select-which-apache-mpm-to-use/383634#383634
67 # VOIR: http://jkroon.blogs.uls.co.za/it/security/using-php-fpm-and-mod_proxy_fcgi-to-optimize-and-secure-lamp-servers
68 # NOTE: apache2-mpm-itk semble le plus sécurisé,
69 # car on est certain que tout est exécuté avec les uid/gid
70 # assignés au VirtualHost/Directory/Location
71 # néamoins il se peut qu'une combinaison du genre :
72 # apache2-mpm-{worker,event} + mod_proxy_fcgi + apache2-suexec-custom + php-fpm
73 # soit plus performante (threads et pas forks),
74 # cependant l'usage de suexec impose des forks il semble..
75 # et mod_proxy_fcgi n'apparaît que dans apache 2.4 ;
76 # donc pour l'instant : apache2-mpm-itk
77 rule www_configure
78 cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF |
79 ServerName "$vm_fqdn"
80 EOF
81 sudo install -m 660 -o root -g root /dev/stdin \
82 /etc/apache2/apache2.conf
83 sudo install -m 660 -o root -g root \
84 "$tool"/etc/apache2/envvars \
85 /etc/apache2/envvars
86 sudo install -m 660 -o root -g root \
87 "$tool"/etc/apache2/httpd.conf \
88 /etc/apache2/httpd.conf
89 #sudo install -m 660 -o root -g root /dev/stdin \
90 # /etc/apache2/suexec/www-data <<-EOF
91 # /home
92 # pub/www/cgi
93 # EOF
94 sudo install -m 660 -o root -g root \
95 "$tool"/etc/apache2/ports.conf \
96 /etc/apache2/ports.conf
97 sudo a2enmod actions
98 sudo a2enmod headers
99 sudo a2enmod rewrite
100 sudo a2enmod ssl
101 sudo a2enmod userdir
102 local conf
103 sudo a2dissite "*"
104 sudo ln -fns \
105 /etc/apache2 \
106 /home/www/etc/apache2
107 for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf
108 do conf=${conf#"$tool"/etc/apache2/site.d/}
109 local port site
110 IFS=. read -r port site <<-EOF
111 ${conf%\/VirtualHost\.conf}
112 EOF
113 assert 'test "${site:+set}"'
114 assert 'test "${port:+set}"'
115 local site_user="$user.$port.$site"
116 local site_dir="$user.$port.$site"
117 case $port in
118 (443)
119 local hint="run vm_remote apache2_key_send before"
120 assert "sudo test -f /etc/apache2/site.d/\"$site_dir\"/x509/key.pem" hint
121 sudo install -d -m 770 -o "$user" -g "$user" \
122 /etc/apache2 \
123 /etc/apache2/site.d/"$site_dir" \
124 /etc/apache2/site.d/"$site_dir"/x509 \
125 /etc/apache2/site.d/"$site_dir"/x509/ca \
126 /etc/apache2/site.d/"$site_dir"/x509/empty \
127 /etc/apache2/site.d/"$site_dir"/x509/rvk \
128 /etc/apache2/site.d/"$site_dir"/x509/usr
129 sudo install -m 664 -o www -g www \
130 "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
131 /etc/apache2/site.d/"$site_dir"/x509/crt.self-signed.pem
132 #sudo install -m 664 -o "$user" -g "$user" \
133 # "$tool"/var/pub/x509/"$site"/rvk.pem \
134 # /etc/apache2/site.d/"$site_dir"/x509/rvk.pem
135 sudo install -m 664 -o www -g www \
136 "$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \
137 /etc/apache2/site.d/"$site_dir"/x509/ca/crt.pem
138 sudo install -m 664 -o www -g www \
139 "$tool"/var/pub/x509/"$site"/crt.pem \
140 /etc/apache2/site.d/"$site_dir"/x509/crt.pem
141 ;;
142 esac
143 case $port in
144 (80)
145 cat <<-EOF
146 <VirtualHost *:$port>
147 AssignUserID $site_user $site_user
148 CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
149 #CustomLog "/dev/null" Combined
150 DocumentRoot /home/www/pub/$site_dir
151 ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
152 #ErrorLog "/dev/null"
153 ServerName $site
154 LogLevel Warn
155 $(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
156 </VirtualHost>
157 EOF
158 ;;
159 (443)
160 cat <<-EOF
161 <IfModule mod_ssl.c>
162 <VirtualHost *:$port>
163 AssignUserID $site_user $site_user
164 BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0
165 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
166 CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
167 #CustomLog "/dev/null" Combined
168 DocumentRoot /home/www/pub/$site_dir
169 ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
170 #ErrorLog "/dev/null"
171 LogLevel Warn
172 ServerName $site
173 SSLCACertificateFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
174 SSLCACertificatePath /etc/apache2/site.d/$site_dir/x509/usr/
175 #SSLCARevocationFile /etc/apache2/site.d/$site_dir/x509/rvk.pem
176 SSLCADNRequestFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
177 SSLCADNRequestPath /etc/apache2/site.d/$site_dir/x509/empty/
178 # NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés
179 SSLCARevocationPath /etc/apache2/site.d/$site_dir/x509/rvk/
180 SSLCertificateChainFile /etc/apache2/site.d/$site_dir/x509/ca/crt.pem
181 SSLCertificateFile /etc/apache2/site.d/$site_dir/x509/crt.pem
182 SSLCertificateKeyFile /etc/apache2/site.d/$site_dir/x509/key.pem
183 SSLCipherSuite AES+RSA+SHA256
184 SSLEngine On
185 SSLInsecureRenegotiation Off
186 SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars
187 SSLProtocol -All +TLSv1
188 #SSLRenegBufferSize 262144
189 SSLSessionCacheTimeout 1200
190 SSLStrictSNIVHostCheck On
191 SSLUserName SSL_CLIENT_S_DN_CN
192 SSLVerifyClient None
193 SSLVerifyDepth 1
194 $(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
195 </VirtualHost>
196 </IfModule>
197 EOF
198 ;;
199 esac |
200 sudo install -m 660 -o root -g root /dev/stdin \
201 /etc/apache2/site.d/"$site_dir"/VirtualHost.conf
202 sudo ln -fns \
203 ../site.d/"$site_dir"/VirtualHost.conf \
204 /etc/apache2/sites-available/"$site_dir"
205 sudo install -d -m 770 -o "$user" -g "$user" \
206 /home/www/log/"$site_dir" \
207 /home/www/log/"$site_dir"/apache2
208 sudo ln -fns \
209 /etc/apache2/site.d/"$site_dir" \
210 /home/www/etc/apache2/"$site_dir"
211 test -e /home/www/pub/"$site_dir" ||
212 sudo install -d -m 770 -o "$user" -g "$user" \
213 /home/www/pub/"$site_dir"
214 getent passwd "$site_user" >/dev/null ||
215 sudo adduser \
216 --disabled-password \
217 --group \
218 --no-create-home \
219 --home /home/www/pub/"$site_dir" \
220 --shell /bin/false \
221 --system \
222 "$site_user"
223 sudo setfacl -m u:"$site_user":--x \
224 /home/www/ \
225 /home/www/pub/ \
226 /home/www/pub/"$site_dir"/
227 sudo setfacl -m d:u:"$site_user":rwx \
228 "$home"/pub/www/"$site_dir"/
229 test ! -r "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh ||
230 . "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh
231 test -e /etc/apache2/sites-enabled/"$site_dir" ||
232 sudo a2ensite "$site_dir"
233 done
234 sudo service apache2 restart
235 }
236 rule_apt_configure () {
237 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
238 deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
239 EOF
240 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF
241 #deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
242 EOF
243 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
244 Package: *
245 Pin: release a=$vm_lsb_name
246 Pin-Priority: 170
247
248 Package: *
249 Pin: release a=$vm_lsb_name-backports
250 Pin-Priority: 200
251 EOF
252 sudo apt-get update
253 rule apt_get_install apticron
254 sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF
255 EMAIL="admin@$vm_domainname"
256 # DIFF_ONLY="1"
257 # LISTCHANGES_PROFILE="apticron"
258 # ALL_FQDNS="1"
259 # SYSTEM="foobar.example.com"
260 # IPADDRESSNUM="1"
261 # IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
262 # NOTIFY_HOLDS="0"
263 # NOTIFY_NEW="0"
264 # NOTIFY_NO_UPDATES="0"
265 # CUSTOM_SUBJECT=""
266 # CUSTOM_NO_UPDATES_SUBJECT=""
267 # CUSTOM_FROM="root@$vm_fqdn"
268 EOF
269 }
270 rule_boot_configure () {
271 #warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
272 sudo debconf-set-selections <<-EOF
273 grub-pc grub-pc/install_devices multiselect
274 EOF
275 rule apt_get_install grub-pc
276 sudo install -d -m 644 -o root -g root /boot/grub
277 rule apt_get_install linux-image-$vm_arch
278 sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF
279 GRUB_DEFAULT=0
280 GRUB_TIMEOUT=5
281 GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
282 GRUB_CMDLINE_LINUX_DEFAULT="quiet"
283 GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
284 GRUB_DISABLE_RECOVERY="true"
285 #GRUB_PRELOAD_MODULES="lvm"
286 EOF
287 sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF
288 (hd0) /dev/xvda
289 (hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
290 EOF
291 sudo update-grub2 # NOTE: prend en compte /boot/grub/device.map
292 rule initramfs_configure
293 rule apt_get_install molly-guard
294 sudo install -m 644 -o root -g root /dev/stdin /etc/molly-guard/rc <<-EOF
295 ALWAYS_QUERY_HOSTNAME=true
296 # NOTE: une alternative est de dire à sudo de conserver les SSH_*
297 # néamoins demander tout le temps n'est pas trop contraignant
298 # et davantage sécurisant.
299 EOF
300 }
301 rule_dovecot_configure () {
302 rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
303 local hint="run vm_remote dovecot_key_send before"
304 assert "sudo test -f /etc/dovecot/\"$vm_domainname\"/imap/x509/key.pem" hint
305 sudo install -m 400 -o root -g root \
306 "$tool"/var/pub/x509/$vm_domainname/imap/crt+crl.self-signed.pem \
307 /etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
308 sudo install -d -m 770 -o root -g root \
309 /etc/skel/etc/mail \
310 /etc/skel/etc/sieve
311 sudo install -d -m 1777 -o root -g root \
312 /var/lib/dovecot-control \
313 /var/lib/dovecot-index
314 sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
315 auth_ssl_username_from_cert = yes
316 listen = *
317 log_timestamp = "%Y-%m-%d %H:%M:%S "
318 mail_debug = yes
319 mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
320 # NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
321 # VOIR: http://wiki2.dovecot.org/Quota/FS
322 mail_plugins = \$mail_plugins quota
323 mail_privileged_group = mail
324 passdb {
325 args = /home/%u/etc/dovecot/passwd
326 driver = passwd-file
327 }
328 plugin {
329 quota = fs:user
330 recipient_delimiter = +
331 sieve = ~/etc/mail/filter.sieve
332 sieve_dir = ~/etc/mail/sieve
333 sieve_global_dir = /var/lib/dovecot/sieve/global/
334 sieve_max_script_size = 1M
335 sieve_quota_max_scripts = 0
336 sieve_quota_max_storage = 10M
337 sieve_user_log = ~/var/log/mail/sieve.log
338 }
339 protocol imap {
340 mail_plugins = \$mail_plugins imap_quota
341 }
342 protocol lda {
343 auth_socket_path = /var/run/dovecot/auth-master
344 hostname = $vm_domainname
345 info_log_path =
346 log_path =
347 mail_plugins = \$mail_plugins sieve
348 postmaster_address = contact+dovecot+lda@$vm_domainname
349 syslog_facility = mail
350 }
351 protocols = imap sieve
352 service auth {
353 user = root
354 unix_listener /var/spool/postfix/private/auth {
355 mode = 0660
356 user = postfix
357 group = postfix
358 }
359 }
360 ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
361 ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
362 ssl_cipher_list = AES256-SHA
363 ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
364 ssl_verify_client_cert = yes
365 userdb {
366 driver = passwd
367 }
368 verbose_ssl = no
369 EOF
370 sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
371 #!/bin/sh -efux
372 # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
373 install -d -m 770 ~/etc/dovecot
374 install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
375 \$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
376 _EOF
377 EOF
378 sudo install -m 664 -o root -g root /dev/stdin /etc/postgrey/whitelist_recipients.local <<-EOF
379 EOF
380 sudo service dovecot restart
381 }
382 rule_etckeeper_configure () {
383 sudo install -m 644 -o root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
384 VCS=git
385 GIT_COMMIT_OPTIONS=""
386 AVOID_DAILY_AUTOCOMMITS=1
387 #AVOID_SPECIAL_FILE_WARNING=1
388 AVOID_COMMIT_BEFORE_INSTALL=1
389 HIGHLEVEL_PACKAGE_MANAGER=apt
390 LOWLEVEL_PACKAGE_MANAGER=dpkg
391 EOF
392 sudo install -m 644 -o root -g root \
393 "$tool"/etc/etckeeper/prompt.sh \
394 /etc/etckeeper/prompt.sh
395 rule apt_get_install etckeeper
396 }
397 rule_filesystem_configure () {
398 sudo install -m 644 -o root -g root /dev/stdin /etc/fstab <<-EOF
399 # <file system> <mount point> <type> <options> <dump> <pass>
400 LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
401 proc /proc proc defaults 0 0
402 sysfs /sys sysfs defaults 0 0
403 /dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
404 /dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
405 /dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
406 # NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
407 /dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
408 EOF
409 sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF
410 # <target name> <source device> <key file> <options>
411 ${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
412 ${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
413 ${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
414 ${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
415 EOF
416 rule tmpfs_configure
417 }
418 rule_initramfs_configure () {
419 sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
420 MODULES=most
421 BUSYBOX=y
422 KEYMAP=y
423 COMPRESS=gzip
424 DEVICE=eth0
425 EOF
426 sudo install -m 644 -o root -g root /dev/stdin /etc/modprobe.d/xen-pv.conf <<-EOF
427 alias eth0 xennet
428 alias scsi_hostadapter xenblk
429 EOF
430 sudo install -m 644 -o root -g root /dev/stdin /etc/modules <<-EOF
431 sha1_generic
432 sha256_generic
433 sha512_generic
434 aes-x86_64
435 xts
436 # NOTE: pour Xen en mode HVM :
437 #modprobe xen-platform-pci
438 EOF
439 sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF
440 EOF
441 sudo sed -e '/^configure_networking /s/ &$//' \
442 -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
443 # NOTE: corrige une vermine : dropbear doit attendre que le réseau soit configuré..
444 ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
445 ( while IFS= read -r line
446 do case $line in (*" RSA") return 0; break;; esac
447 done; return 1 ) ||
448 {
449 sudo rm -f \
450 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
451 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
452 sudo dropbearkey -t rsa -s 4096 -f \
453 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
454 }
455 # NOTE: ne se préoccupe pas de dropbear_dss_host_key ; Debian la génère et l'utilise néamoins.
456 sudo install -d -m 640 -o root -g root \
457 /etc/initramfs-tools/root \
458 /etc/initramfs-tools/root/.ssh
459 getent group sudo |
460 while IFS=: read -r group x x users
461 do while test -n "$users" && IFS=, read -r user users <<-EOF
462 $users
463 EOF
464 do eval local home\; home="~$user"
465 cat "$home"/etc/ssh/authorized_keys
466 done
467 done |
468 sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys
469 sudo rm -f \
470 /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
471 /etc/initramfs-tools/root/.ssh/id_rsa.pub \
472 /etc/initramfs-tools/root/.ssh/id_rsa
473 # NOTE: clefs générées par Debian
474 sudo update-initramfs -u
475 }
476 rule_gitolite_configure () {
477 local user=git
478 sudo debconf-set-selections <<-EOF
479 gitolite gitolite/gituser string $user
480 gitolite gitolite/adminkey string
481 gitolite gitolite/gitdir string /home/$user
482 EOF
483 rule apt_get_install gitolite
484 getent passwd "$user" >/dev/null ||
485 sudo adduser \
486 --disabled-password \
487 --group \
488 --shell /bin/bash \
489 --system \
490 "$user"
491 sudo chfn --full-name "$user" "$user"
492 eval local home\; home="~$user"
493 sudo install -d -m 770 -o "$user" -g "$user" \
494 /etc/gitolite \
495 "$home"/etc \
496 "$home"/etc/ssh \
497 "$home"/pub \
498 "$home"/log \
499 "$home"/log/gitolite \
500 "$home"/log/gitolite/perf
501 sudo ln -fns /etc/gitolite "$home"/etc/gitolite
502 sudo ln -fns etc/gitolite/gitolite.rc "$home"/.gitolite.rc
503 sudo ln -fns etc/ssh "$home"/.ssh
504 sudo install -m 770 -o "$user" -g "$user" /dev/stdin \
505 "$home"/etc/gitolite/gitolite.rc <<-EOF
506 #\$ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary";
507 #\$BIG_INFO_CAP = 20;
508 #\$ENV{GL_SLAVES} = 'gitolite@server2 gitolite@server3';
509 # NOTE: Please use single quotes, not double quotes.
510 #\$GITWEB_URI_ESCAPE = 0;
511 \$GIT_PATH = "";
512 #\$GL_ADC_PATH = "";
513 \$GL_ADMINDIR = \$ENV{HOME} . "/etc/gitolite";
514 #\$GL_ALL_INCLUDES_SPECIAL = 0;
515 #\$GL_ALL_READ_ALL = 0;
516 \$GL_BIG_CONFIG = 0;
517 \$GL_CONF = "\$GL_ADMINDIR/conf/gitolite.conf";
518 \$GL_CONF_COMPILED = "\$GL_ADMINDIR/conf/gitolite.conf.pm";
519 #\$GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups"
520 \$GL_GITCONFIG_KEYS = "hooks\\..* repo\\..*";
521 #\$GL_HOSTNAME = "git.$vm_domainname";
522 # NOTE: read doc/mirroring.mkd COMPLETELY before setting this.
523 #\$GL_HTTP_ANON_USER = "mob";
524 \$GL_KEYDIR = "\$GL_ADMINDIR/keydir";
525 \$GL_LOGT = \$ENV{HOME} . "/log/gitolite/%y-%m-%d.log";
526 #\$GL_NICE_VALUE = 0;
527 \$GL_NO_CREATE_REPOS = 0;
528 \$GL_NO_DAEMON_NO_GITWEB = 0;
529 \$GL_NO_SETUP_AUTHKEYS = 0;
530 \$GL_PACKAGE_CONF = "/usr/share/gitolite/conf";
531 \$GL_PACKAGE_HOOKS = "/usr/share/gitolite/hooks";
532 #\$GL_PERFLOGT = \$ENV{HOME} . "/log/gitolite/perf/%y-%m-%d.log";
533 #\$GL_REF_OR_FILENAME_PATT = qr(^[0-9a-zA-Z][0-9a-zA-Z._\\@/+ :,-]*\$);
534 \$GL_SITE_INFO = "git.$vm_domainname";
535 #\$GL_SLAVE_MODE = 0;
536 \$GL_WILDREPOS = 0;
537 #\$GL_WILDREPOS_DEFPERMS = 'R @all';
538 \$GL_WILDREPOS_PERM_CATS = "READERS WRITERS";
539 \$HTPASSWD_FILE = "";
540 \$PROJECTS_LIST = \$ENV{HOME} . "/projects.list";
541 \$REPO_BASE = "pub";
542 \$REPO_UMASK = 0007;
543 \$RSYNC_BASE = "";
544 \$SVNSERVE = "";
545 #\$UPDATE_CHAINS_TO = "hooks/update.secondary";
546 #\$WEB_INTERFACE = "gitweb";
547 1;
548 EOF
549 sudo install -m 770 -o "$user" -g "$user" /dev/stdin \
550 "$home"/etc/gitweb/gitweb.conf <<-EOF
551 \$commit_oneline_message_width = 70;
552 \$default_projects_order = 'age';
553 \$default_text_plain_charset = 'UTF-8';
554 @diff_opts = ();
555 \$favicon = "img/git-favicon.png";
556 \$git_temp = "/run/shm/gitweb";
557 \$home_footer = "/etc/gitweb/cgi/home-footer.cgi.inc";
558 \$home_header = "/etc/gitweb/cgi/home-header.cgi.inc";
559 \$home_link = "/";
560 \$home_link_str = 'd&eacute;p&ocirc;ts';
561 \$home_th_age = 'activit&eacute;';
562 \$home_th_descr = 'description';
563 \$home_th_owner = 'contact';
564 \$home_th_project = 'd&eacute;p&ocirc;t';
565 \$javascript = "js/gitweb.js";
566 \$logo = "img/git-logo.png";
567 \$my_uri = "";
568 \$projectroot = "../git";
569 \$projects_list = "/etc/gitolite/projects.list";
570 \$projects_list_description_width = 42;
571 \$projects_list_owner_width = 15;
572 \$search_str = "Filtre&nbsp;:";
573 \$site_footer = "/home/fai/pub/www/git.autogeree.net/cgi/site-footer.bin";
574 \$site_header = undef;
575 \$site_name = "git.$vm_domainname";
576 \$space_to_nbsp = 0;
577 @stylesheets = ("css/gitweb.css");#
578 \$untabify_tabstop = 2;
579 EOF
580 sudo install -m 600 -o "$user" -g "$user" \
581 "$tool"/var/pub/ssh/"$user".key \
582 "$home"/etc/ssh/"$user".pub
583 sudo -u "$user" \
584 GL_RC="$home"/etc/gitolite/gitolite.rc \
585 GIT_AUTHOR_NAME="$user" \
586 gl-setup -q "$home"/etc/ssh/"$user".pub "$user"
587 local d
588 for d in doc logs src
589 do test ! -d "$home"/etc/gitolite/"$d" ||
590 rmdir "$home"/etc/gitolite/"$d"
591 done
592 rule apt_get_install gitweb highlight
593 #sudo sv restart spawn-fcgi.git.80.git.heureux-cyclage.org
594 #sudo sv restart git-daemon.git.9418
595 }
596 rule_locales_configure () {
597 sudo debconf-set-selections <<-EOF
598 locales locales/default_environment_locale select None
599 locales locales/locales_to_be_generated multiselect fr_FR.UTF-8 UTF-8
600 EOF
601 rule dpkg_reconfigure locales
602 }
603 rule_login_configure () {
604 sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF
605 # /etc/inittab: init(8) configuration.
606
607 # The default runlevel.
608 id:2:initdefault:
609
610 # Boot-time system configuration/initialization script.
611 # This is run first except when booting in emergency (-b) mode.
612 si::sysinit:/etc/init.d/rcS
613
614 # What to do in single-user mode.
615 ~~:S:wait:/sbin/sulogin
616
617 # /etc/init.d executes the S and K scripts upon change
618 # of runlevel.
619 #
620 # Runlevel 0 is halt.
621 # Runlevel 1 is single-user.
622 # Runlevels 2-5 are multi-user.
623 # Runlevel 6 is reboot.
624
625 l0:0:wait:/etc/init.d/rc 0
626 l1:1:wait:/etc/init.d/rc 1
627 l2:2:wait:/etc/init.d/rc 2
628 l3:3:wait:/etc/init.d/rc 3
629 l4:4:wait:/etc/init.d/rc 4
630 l5:5:wait:/etc/init.d/rc 5
631 l6:6:wait:/etc/init.d/rc 6
632 # Normally not reached, but fallthrough in case of emergency.
633 z6:6:respawn:/sbin/sulogin
634
635 # What to do when CTRL-ALT-DEL is pressed.
636 ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
637
638 # What to do when the power fails/returns.
639 pf::powerwait:/etc/init.d/powerfail start
640 pn::powerfailnow:/etc/init.d/powerfail now
641 po::powerokwait:/etc/init.d/powerfail stop
642
643 # Xen hypervisor console
644 hvc:2345:respawn:/sbin/getty 38400 hvc0
645 #xvc:2345:respawn:/sbin/getty 38400 xvc0
646
647 #-- runit begin
648 SV:123456:respawn:/usr/sbin/runsvdir-start
649 #-- runit end
650 EOF
651 sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF
652 MAIL_DIR /var/mail
653 FAILLOG_ENAB yes
654 LOG_UNKFAIL_ENAB no
655 LOG_OK_LOGINS no
656 SYSLOG_SU_ENAB yes
657 SYSLOG_SG_ENAB yes
658 FTMP_FILE /var/log/btmp
659 SU_NAME su
660 HUSHLOGIN_FILE .hushlogin
661 ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
662 ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
663 # NOTE: met les sbin/ dans ENV_PATH ;
664 # - ça n'apporte aucune protection de ne pas les mettre ;
665 # - ça frustre de ne pas les trouver.
666 TTYGROUP tty
667 TTYPERM 0600
668 ERASECHAR 0177
669 KILLCHAR 025
670 UMASK 007
671 # NOTE: rwxrwx--- ;
672 # - donne une même confiance au groupe propriétaire qu'au propriétaire ;
673 # - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
674 PASS_MAX_DAYS 99999
675 PASS_MIN_DAYS 0
676 PASS_WARN_AGE 7
677 UID_MIN 1000
678 UID_MAX 60000
679 GID_MIN 1000
680 GID_MAX 60000
681 LOGIN_RETRIES 3
682 LOGIN_TIMEOUT 60
683 CHFN_RESTRICT rwh
684 DEFAULT_HOME yes
685 USERGROUPS_ENAB yes
686 ENCRYPT_METHOD SHA512
687 EOF
688 grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
689 sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF
690 $(cat /etc/pam.d/common-session)
691 session optional pam_umask.so
692 EOF
693 grep -q '^hvc0$' /etc/securetty ||
694 sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
695 $(cat /etc/securetty)
696 hvc0
697 EOF
698 grep -q '^xvc0$' /etc/securetty ||
699 sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
700 $(cat /etc/securetty)
701 xvc0
702 EOF
703 }
704 rule_mail_configure () {
705 rule postfix_configure
706 rule postgrey_configure
707 rule procmail_configure
708 rule dovecot_configure
709 }
710 rule_mysql_configure () {
711 rule apt_get_install mysql-server-5.5
712 sudo service mysql restart
713 }
714 rule_network_configure () {
715 sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
716 $vm
717 EOF
718 grep -q " $vm\$" /etc/hosts ||
719 sudo install -m 644 -o root -g root /dev/stdin /etc/hosts <<-EOF
720 $(cat /etc/hosts)
721 127.0.0.1 $vm_fqdn $vm
722 EOF
723 sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF
724 auto lo
725 iface lo inet loopback
726
727 auto eth0=grenode
728 iface grenode inet static
729 address $vm_ipv4
730 gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
731 network $vm_ipv4
732 broadcast $vm_ipv4
733 netmask 255.255.255.255
734 mtu 1300
735 # NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
736 # car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
737 #
738 # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
739 # PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
740 # 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
741 #
742 # --- soupirail.grenode.net ping statistics ---
743 # 1 packets transmitted, 1 received, 0% packet loss, time 0ms
744 # rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
745 # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
746 # PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
747 # From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
748 #
749 # --- soupirail.grenode.net ping statistics ---
750 # 0 packets transmitted, 0 received, +1 errors
751 post-up ip address add $vm_ipv4/32 dev \$IFACE
752 pre-down ip address delete $vm_ipv4/32 dev \$IFACE
753 EOF
754 }
755 rule_www_configure () {
756 getent passwd www >/dev/null ||
757 sudo adduser \
758 --disabled-login \
759 --disabled-password \
760 --group \
761 --home /home/www \
762 --shell /bin/false \
763 --system \
764 www
765 sudo adduser \
766 --disabled-login \
767 --disabled-password \
768 --group \
769 --home ~www/log \
770 --shell /bin/false \
771 --system \
772 log.www
773 #sudo adduser www www-data
774 sudo adduser www log.www
775 #sudo adduser log log.www
776 usermod --home /home/www/pub www-data
777 sudo install -d -m 751 -o www -g www \
778 /home/www
779 sudo install -d -m 750 -o www -g www \
780 /home/www/etc
781 sudo install -d -m 1771 -o www-data -g www-data \
782 /home/www/pub \
783 sudo install -d -m 1771 -o log.www -g log.www \
784 /home/www/log
785 }
786 rule_nginx_configure () {
787 local -; set +f
788 rule apt_get_install nginx
789 rule www_configure
790 sudo rm -rf \
791 /etc/nginx/conf.d \
792 /etc/nginx/site.d
793 sudo install -d -m 770 -o www -g www \
794 /etc/nginx \
795 /etc/nginx/conf.d \
796 /etc/nginx/site.d
797 sudo ln -fns \
798 /etc/nginx \
799 /home/www/etc/nginx
800 sudo install -m 660 -o www -g www \
801 "$tool"/etc/nginx/nginx.conf \
802 /etc/nginx/nginx.conf
803 local conf
804 for conf in "$tool"/etc/nginx/conf.d/*.conf
805 do conf=${conf#"$tool"/etc/nginx/conf.d/}
806 sudo install -m 660 -o www -g www \
807 "$tool"/etc/nginx/conf.d/"$conf" \
808 /etc/nginx/conf.d/"$conf"
809 done
810 for conf in "$tool"/etc/nginx/site.d/*/server.conf
811 do conf=${conf#"$tool"/etc/nginx/site.d/}
812 local port site
813 IFS=. read -r port site <<-EOF
814 ${conf%\/server\.conf}
815 EOF
816 assert 'test "${port:+set}"'
817 assert 'test "${site:+set}"'
818 site="$port.$site"
819 getent passwd www."$site" >/dev/null ||
820 sudo adduser \
821 --disabled-login \
822 --disabled-password \
823 --group \
824 --home ~www-data/"$site" \
825 --shell /bin/false \
826 --system \
827 www."$site"
828 getent passwd log."$site" >/dev/null ||
829 sudo adduser \
830 --disabled-login \
831 --disabled-password \
832 --group \
833 --shell /bin/false \
834 --system \
835 log."$site"
836 sudo usermod --home ~www/log/"$site"/nginx log."$site"
837 sudo install -d -m 770 -o www -g www \
838 /etc/nginx/site.d/"$site"
839 case $port in
840 (443)
841 local hint="run vm_remote nginx_key_send before"
842 assert "sudo test -f /etc/nginx/\"$site\"/x509/key.pem" hint
843 sudo install -m 664 -o www -g www \
844 "$tool"/var/pub/x509/"$site"/crt+ca.pem \
845 /etc/nginx/site.d/"$site"/x509/crt.pem
846 ;;
847 esac
848 case $port in
849 (80)
850 cat <<-EOF
851 server {
852 listen $port;
853 access_log /home/www/log/$site/nginx/access.log main;
854 error_log /home/www/log/$site/nginx/error.log warn;
855 root /home/www/pub/$site;
856 server_name $site;
857 $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
858 }
859 EOF
860 ;;
861 (443)
862 cat <<-EOF
863 server {
864 listen $port;
865 access_log /home/www/log/$site/nginx/access.log main;
866 error_log /home/www/log/$site/nginx/error.log warn;
867 keepalive_timeout 70;
868 root /home/www/pub/$site;
869 server_name $site;
870 # DOC: http://wiki.nginx.org/HttpSslModule
871 ssl on;
872 ssl_certificate /home/www/etc/nginx/site.d/$site/x509/crt.pem;
873 ssl_certificate_key /home/www/etc/nginx/site.d/$site/x509/key.pem;
874 ssl_ciphers HIGH:!ADH:!MD5;
875 ssl_prefer_server_ciphers on;
876 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
877 ssl_session_cache shared:SSL:10m;
878 $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
879 }
880 EOF
881 ;;
882 esac |
883 sudo install -m 660 -o www -g www /dev/stdin \
884 /etc/nginx/site.d/"$site"/server.conf
885 adduser www-data "$site"
886 test -e /home/www/pub/"$site" ||
887 sudo install -d -m 3770 -o "$site" -g "$site" \
888 /home/www/pub/"$site"
889 sudo install -d -m 3770 -o log."$site" -g log."$site" \
890 /home/www/log/"$site"/nginx
891 test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
892 . "$tool"/etc/nginx/site.d/"$site"/configure.sh
893 done
894 rule apt_get_install spawn-fcgi fcgiwrap
895 sudo insserv --remove fcgiwrap
896 rule tmpfs_configure
897 sudo service nginx restart
898 }
899 rule_php5_fpm_configure () {
900 local -; set +f
901 rule apt_get_install \
902 php5-fpm \
903 php-apc
904 getent passwd php5 >/dev/null ||
905 sudo adduser \
906 --disabled-login \
907 --disabled-password \
908 --group \
909 --shell /bin/false \
910 --system \
911 php5
912 local conf
913 sudo ln -fns \
914 /etc/php5-fpm \
915 /home/www/etc/php5
916 sudo rm -f /etc/php5/fpm/pool.d/*
917 for conf in "$tool"/etc/php5/fpm/pool.d/*.conf
918 do conf=${conf#"$tool"/etc/php5/fpm/pool.d/}
919 local port site
920 IFS=. read -r port site <<-EOF
921 ${conf%\.conf}
922 EOF
923 assert 'test "${port:+set}"'
924 assert 'test "${site:+set}"'
925 site="$port.$site"
926 getent passwd php5"$site" >/dev/null ||
927 sudo adduser \
928 --disabled-login \
929 --disabled-password \
930 --group \
931 --no-create-home \
932 --home ~www/pub/"$site" \
933 --shell /bin/false \
934 --system \
935 php5."$site"
936 sudo install -d -m 770 -o php5 -g php5 \
937 /home/www/log/php5 \
938 /home/www/log/php5/fpm
939 sudo install -d -m 770 -o log."$site" -g log."$site" \
940 /home/www/log/"$site"
941 sudo adduser php5."$user" www."$site"
942 sudo install -m 660 -o root -g root /dev/stdin \
943 /etc/php5/fpm/pool.d/"$conf" <<-EOF
944 [php5.$site]
945 access.log = /home/www/log/$site/php5/fpm/access.log
946 catch_workers_output = yes
947 chdir = /
948 env[HOSTNAME] = \$HOSTNAME
949 env[TEMP] = /tmp
950 env[TMPDIR] = /tmp
951 env[TMP] = /tmp
952 group = www-data
953 listen = /run/nginx/fastcgi/php5.$site
954 #listen = 127.0.0.1:9000
955 #listen.allowed_clients = 127.0.0.1
956 listen.backlog = -1
957 pm = dynamic
958 pm.max_children = 5
959 pm.max_requests = 200
960 pm.max_spare_servers = 4
961 pm.min_spare_servers = 2
962 pm.start_servers = 3
963 pm.status_path = /status
964 request_slowlog_timeout = 5s
965 request_terminate_timeout = 120s
966 rlimit_core = unlimited
967 rlimit_files = 131072
968 slowlog = /home/www/log/$site/php5/fpm/slow.log
969 user = $php5_user
970 $(cat "$tool"/etc/php5/fpm/pool.d/"$conf")
971 EOF
972 sudo install -m 664 -o root -g root \
973 "$tool"/etc/php5/fpm/php.ini \
974 /etc/php5/fpm/php.ini
975 done
976 rule tmpfs_configure
977 sudo service php5-fpm restart
978 }
979 rule_postfix_configure () {
980 local hint="run vm_remote postfix_key_send before"
981 assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
982 #warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
983 sudo debconf-set-selections <<-EOF
984 postfix postfix/main_mailer_type select No configuration
985 EOF
986 rule apt_get_install postfix
987 sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
988 *.db
989 EOF
990 sudo install -d -m 770 -o root -g root \
991 /etc/postfix/$vm_domainname/ \
992 /etc/postfix/$vm_domainname/smtp \
993 /etc/postfix/$vm_domainname/smtp/x509 \
994 /etc/postfix/$vm_domainname/smtp/x509/ca \
995 /etc/postfix/$vm_domainname/smtpd \
996 /etc/postfix/$vm_domainname/smtpd/x509 \
997 /etc/postfix/$vm_domainname/smtpd/x509/ca
998 sudo install -d -m 770 -o root -g root \
999 /etc/postfix/$vm_domainname/ \
1000 /etc/postfix/$vm_domainname/smtp \
1001 /etc/postfix/$vm_domainname/smtp/x509 \
1002 /etc/postfix/$vm_domainname/smtp/x509/ca \
1003 /etc/postfix/$vm_domainname/smtpd \
1004 /etc/postfix/$vm_domainname/smtpd/x509 \
1005 /etc/postfix/$vm_domainname/smtpd/x509/ca
1006 sudo ln -fns \
1007 ../crt+crl.self-signed.pem \
1008 /etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
1009 sudo install -m 400 -o root -g root \
1010 "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+crl.self-signed.pem \
1011 /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
1012 sudo install -m 400 -o root -g root \
1013 "$tool"/var/pub/x509/$vm_domainname/smtpd/crt.pem \
1014 /etc/postfix/$vm_domainname/smtpd/x509/crt.pem
1015 sudo install -m 400 -o root -g root \
1016 "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+ca.pem \
1017 /etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem
1018 sudo install -m 400 -o root -g root \
1019 "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+crl.self-signed.pem \
1020 /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
1021 sudo install -m 660 -o root -g root \
1022 "$tool"/etc/postfix/$vm_domainname/header_checks \
1023 /etc/postfix/$vm_domainname/header_checks
1024 sudo install -m 664 -o root -g root /dev/stdin \
1025 /etc/postfix/aliases <<-EOF
1026 # See man 5 aliases for format
1027 abuse: root
1028 admin: root
1029 contact: root
1030 postmaster: root
1031 root: $(getent group sudo | cut -f 4 -d : | tr , ' ')
1032 EOF
1033 sudo newaliases -oA/etc/postfix/aliases
1034 cat /dev/stdin "$tool"/etc/postfix/main.cf <<-EOF |
1035 mydomain = $vm_domainname
1036 myorigin = \$mydomain
1037 myhostname = $vm_hostname.\$mydomain
1038 mail_name = \$myhostname
1039 mydestination = $vm_hostname \$myhostname \$myorigin
1040 EOF
1041 sudo install -m 664 -o root -g root /dev/stdin \
1042 /etc/postfix/main.cf
1043 sudo install -m 664 -o root -g root \
1044 "$tool"/etc/postfix/master.cf \
1045 /etc/postfix/master.cf
1046 sudo install -m 660 -o root -g root \
1047 "$tool"/etc/postfix/$vm_domainname/smtp/x509/policy \
1048 /etc/postfix/$vm_domainname/smtp/x509/policy
1049 sudo postmap hash:/etc/postfix/$vm_domainname/smtp/x509/policy
1050 sudo install -m 660 -o root -g root \
1051 "$tool"/etc/postfix/$vm_domainname/smtp/header_checks \
1052 /etc/postfix/$vm_domainname/smtp/header_checks
1053 sudo install -m 660 -o root -g root \
1054 "$tool"/etc/postfix/$vm_domainname/smtpd/sender_access \
1055 /etc/postfix/$vm_domainname/smtpd/sender_access
1056 sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/sender_access
1057 sudo install -m 660 -o root -g root \
1058 "$tool"/etc/postfix/$vm_domainname/smtpd/client_blacklist \
1059 /etc/postfix/$vm_domainname/smtpd/client_blacklist
1060 sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/client_blacklist
1061 sudo install -m 660 -o root -g root \
1062 "$tool"/etc/postfix/$vm_domainname/smtpd/relay_clientcerts \
1063 /etc/postfix/$vm_domainname/smtpd/relay_clientcerts
1064 sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/relay_clientcerts
1065 sudo install -m 660 -o root -g root \
1066 "$tool"/etc/postfix/$vm_domainname/transport \
1067 /etc/postfix/$vm_domainname/transport
1068 sudo postmap hash:/etc/postfix/$vm_domainname/transport
1069 sudo install -m 660 -o root -g root \
1070 "$tool"/etc/postfix/$vm_domainname/virtual_alias \
1071 /etc/postfix/$vm_domainname/virtual_alias
1072 sudo postmap hash:/etc/postfix/$vm_domainname/virtual_alias
1073 sudo service postfix restart
1074 }
1075 rule_postgresql_configure () {
1076 rule apt_get_install postgresql-9.1
1077 if [ ! -d /var/lib/postgresql/9.1/ ]; then
1078 pg_createcluster -u postgres --start 9.1 main
1079 fi
1080 sudo install -m 660 -o root -g root \
1081 "$tool"/etc/postgresql/9.1/main/postgresql.conf \
1082 /etc/postgresql/9.1/main/postgresql.conf
1083 sudo service postgresql restart
1084 }
1085 rule_openerp_configure () {
1086 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
1087 deb http://nightly.openerp.com/trunk/nightly/deb/ ./
1088 EOF
1089 sudo apt-get update
1090 rule apt_get_install openerp
1091 }
1092 rule_postgrey_configure () {
1093 rule apt_get_install postgrey
1094 sudo service postgrey restart
1095 }
1096 rule_procmail_configure () {
1097 rule apt_get_install procmail
1098 sudo install -d -m 770 -o root -g root \
1099 /etc/skel/etc/mail \
1100 /etc/skel/var/cache/mail \
1101 /etc/skel/var/log/mail \
1102 /etc/skel/var/mail
1103 sudo install -m 660 -o root -g root \
1104 "$tool"/etc/skel/etc/mail/delivery.procmailrc \
1105 /etc/skel/etc/mail/delivery.procmailrc
1106 }
1107 rule_runit_configure () {
1108 rule apt_get_install runit
1109 local -; set +f
1110 rm -f /etc/service/*
1111 # NOTE: runsvdir éteindra les services qui n'apparaîtront plus ici.
1112 for sv in "$tool"/etc/sv/*
1113 do sv=${sv#"$tool"/etc/sv/}
1114 sudo install -d -m 770 -o root -g root \
1115 /etc/sv/"$sv"
1116 sudo install -m 770 -o root -g root \
1117 "$tool"/etc/sv/"$sv"/run \
1118 /etc/sv/"$sv"/run
1119 if test -e "$tool"/etc/sv/"$sv"/log/run
1120 then
1121 sudo install -d -m 770 -o root -g root \
1122 /etc/sv/"$sv"/log
1123 sudo install -m 770 -o root -g root \
1124 "$tool"/etc/sv/"$sv"/log/run \
1125 /etc/sv/"$sv"/log/run
1126 fi
1127 if test ! -x "$tool"/etc/sv/"$sv"/configure ||
1128 "$tool"/etc/sv/"$sv"/configure
1129 then
1130 ln -fns ../sv/"$sv" /etc/service/"$sv"
1131 sv restart "$sv"
1132 fi
1133 done
1134 }
1135 rule_ssh_configure () {
1136 ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
1137 ( while IFS= read -r line
1138 do case $line in (*" RSA") return 0; break;; esac
1139 done; return 1 ) ||
1140 sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
1141 sudo rm -f \
1142 /etc/ssh/ssh_host_dsa_key \
1143 /etc/ssh/ssh_host_dsa_key.pub \
1144 /etc/ssh/ssh_host_ecdsa_key \
1145 /etc/ssh/ssh_host_ecdsa_key.pub
1146 # NOTE: clefs générées par Debian
1147 sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
1148 Port 22
1149 ListenAddress $vm_ipv4
1150 #ListenAddress ::
1151 Protocol 2
1152 Compression yes
1153 HostKey /etc/ssh/ssh_host_rsa_key
1154 UsePrivilegeSeparation yes
1155 KeyRegenerationInterval 3600
1156 ServerKeyBits 768
1157 SyslogFacility AUTH
1158 LogLevel INFO
1159 LoginGraceTime 120
1160 PermitRootLogin yes
1161 StrictModes yes
1162 RSAAuthentication yes
1163 PubkeyAuthentication yes
1164 AuthorizedKeysFile %h/etc/ssh/authorized_keys
1165 IgnoreRhosts yes
1166 RhostsRSAAuthentication no
1167 HostbasedAuthentication no
1168 IgnoreUserKnownHosts no
1169 PermitEmptyPasswords no
1170 ChallengeResponseAuthentication no
1171 PasswordAuthentication no
1172 KerberosAuthentication no
1173 GSSAPIAuthentication no
1174 X11Forwarding no
1175 X11DisplayOffset 10
1176 PrintMotd no
1177 DebianBanner no
1178 PrintLastLog yes
1179 TCPKeepAlive yes
1180 ClientAliveInterval 0
1181 AcceptEnv LANG LC_*
1182 Subsystem sftp /usr/lib/openssh/sftp-server
1183 UsePAM yes
1184 EOF
1185 sudo service ssh restart
1186 }
1187 rule_sysctl_configure () {
1188 local -; set +f
1189 for conf in "$tool"/etc/sysctl.d/*.conf
1190 do conf=${conf#"$tool"/etc/sysctl.d/}
1191 sudo install -m 660 -o root -g root \
1192 "$tool"/etc/sysctl.d/"$conf" \
1193 /etc/sysctl.d/"$conf"
1194 done
1195 sudo sysctl --system
1196 }
1197 rule_tmpfs_configure () {
1198 sudo install -m 644 -o root -g root /dev/stdin /etc/default/tmpfs <<-EOF
1199 LOCK_SIZE=5242880 # NOTE: 5MiB
1200 RAMLOCK=yes
1201 RAMSHM=yes
1202 RAMTMP=yes
1203 RUN_SIZE=10%
1204 SHM_SIZE=
1205 TMP_MODE=1777,nr_inodes=1000k,noatime
1206 TMP_OVERFLOW_LIMIT=1024
1207 # NOTE: mount tmpfs on /tmp if there is less than the limit size (in kiB)
1208 # on the root filesystem (overriding RAMTMP).
1209 TMP_SIZE=200m
1210 TMPFS_SIZE=20%VM
1211 EOF
1212 sudo install -m 775 -o root -g root \
1213 "$tool"/etc/init.d/tmpfs \
1214 /etc/init.d/tmpfs
1215 sudo update-rc.d tmpfs defaults
1216 }
1217 rule_time_configure () {
1218 sudo install -m 644 -o root -g root /dev/stdin /etc/timezone <<-EOF
1219 Europe/Paris
1220 EOF
1221 sudo debconf-set-selections <<-EOF
1222 tzdata tzdata/Areas select Europe
1223 tzdata tzdata/Zones/Europe select Paris
1224 EOF
1225 rule dpkg_reconfigure tzdata
1226 rule apt_get_install ntp
1227 }
1228 rule_user_add () { # SYNTAX: $user
1229 rule user_configure
1230 local user=$1
1231 getent passwd "$user" >/dev/null ||
1232 sudo adduser --disabled-password "$user"
1233 # NOTE: le mot-de-passe doit être initialisé par l'utilisateur à l'aide de passwd-init .
1234 eval local home\; home="~$user"
1235 sudo adduser "$user" users
1236 sudo install -m 640 -o root -g root \
1237 "$tool"/var/pub/ssh/"$user".key \
1238 "$home"/etc/ssh/authorized_keys
1239 local key; local -; set +f
1240 for key in "$tool"/var/pub/openpgp/*.key
1241 do sudo -u "$user" gpg --import - <"$key"
1242 done
1243 }
1244 rule_user_configure () {
1245 sudo install -m 660 -o root -g root /dev/stdin \
1246 /etc/adduser.conf <<-EOF
1247 ADD_EXTRA_GROUPS=1
1248 DHOME=/home
1249 DIR_MODE=0750
1250 DSHELL=/bin/bash
1251 EXTRA_GROUPS="users"
1252 FIRST_GID=1000
1253 FIRST_SYSTEM_GID=100
1254 FIRST_SYSTEM_UID=100
1255 FIRST_UID=1000
1256 GROUPHOMES=no
1257 LAST_GID=29999
1258 LAST_SYSTEM_GID=999
1259 LAST_SYSTEM_UID=999
1260 LAST_UID=29999
1261 LETTERHOMES=no
1262 NAME_REGEX="^[a-z][-a-z0-9_.]*\$"
1263 QUOTAUSER="" # TODO: init
1264 SETGID_HOME=no
1265 SKEL=/etc/skel
1266 SKEL_IGNORE_REGEX="dpkg-(old|new|dist|save)"
1267 USERGROUPS=yes
1268 USERS_GID=100
1269 EOF
1270 }
1271 rule_user_admin_add () { # SYNTAX: $user
1272 rule user_configure
1273 local user=$1
1274 getent passwd "$user" >/dev/null ||
1275 sudo adduser --disabled-password "$user"
1276 eval local home\; home="~$user"
1277 sudo adduser "$user" sudo
1278 sudo install -m 640 -o root -g root \
1279 "$tool"/var/pub/ssh/"$user".key \
1280 "$home"/etc/ssh/authorized_keys
1281 local key; local -; set +f
1282 for key in "$tool"/var/pub/openpgp/*.key
1283 do sudo -u "$user" gpg --import - <"$key"
1284 done
1285 rule user_admin_configure
1286 }
1287 rule_user_admin_configure () {
1288 rule initramfs_configure
1289 rule user_root_configure
1290 }
1291 rule_user_configure () {
1292 sudo install -d -m 750 -o root -g root \
1293 /etc/skel \
1294 /etc/skel/etc \
1295 /etc/skel/etc/gpg \
1296 /etc/skel/etc/ssh
1297 sudo install -d -m 770 -o root -g root \
1298 /etc/skel/var \
1299 /etc/skel/var/cache \
1300 /etc/skel/var/log \
1301 /etc/skel/var/run \
1302 /etc/skel/var/run/ssh
1303 sudo ln -fns etc/ssh /etc/skel/.ssh
1304 sudo ln -fns etc/gpg /etc/skel/.gnupg
1305 sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
1306 %sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
1307 case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
1308 ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
1309 EOF
1310 sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF
1311 %sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
1312 EOF
1313 sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/env_keep <<-EOF
1314 Defaults env_keep = " \\
1315 EDITOR \\
1316 GIT_AUTHOR_NAME \\
1317 GIT_AUTHOR_EMAIL \\
1318 GIT_COMMITTER_NAME \\
1319 GIT_COMMITTER_EMAIL \\
1320 "
1321 EOF
1322 sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF
1323 #!/bin/sh -efu
1324 # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
1325 sudo /bin/sh -e -f -u -c \
1326 'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
1327 EOF
1328 sudo install -m 644 -o root -g root \
1329 "$tool"/etc/bash.bashrc \
1330 /etc/bash.bashrc
1331 sudo install -m 644 -o root -g root \
1332 "$tool"/etc/screenrc \
1333 /etc/screenrc
1334 }
1335 rule_user_root_configure () {
1336 sudo install -d -m 750 -o root -g root \
1337 /root/etc \
1338 /root/etc/gpg \
1339 /root/etc/ssh
1340 sudo ln -fns etc/gpg /root/.gnupg
1341 sudo ln -fns etc/ssh /root/.ssh
1342 getent group sudo |
1343 while IFS=: read -r group x x users
1344 do while test -n "$users" && IFS=, read -r user users <<-EOF
1345 $users
1346 EOF
1347 do eval local home\; home="~$user"
1348 cat "$home"/etc/ssh/authorized_keys
1349 done
1350 done |
1351 sudo install -m 640 -o root -g root /dev/stdin /root/etc/ssh/authorized_keys
1352 local key; local -; set +f
1353 for key in "$tool"/var/pub/openpgp/*.key
1354 do sudo gpg --import "$key"
1355 done
1356 }
1357 rule_configure () {
1358 rule apt_configure
1359 rule git_configure
1360 rule etckeeper_configure
1361 rule locales_configure
1362 rule time_configure
1363 rule network_configure
1364 rule filesystem_configure
1365 rule login_configure
1366 rule ssh_configure
1367 rule user_root_configure
1368 rule boot_configure
1369 rule sysctl_configure
1370 rule user_configure
1371 rule mail_configure
1372 #rule apache2_configure
1373 rule nginx_configure
1374 rule php5_fpm_configure
1375 rule gitolite_configure
1376 rule runit_configure
1377 }
1378
1379 rule_luks_key_change () {
1380 sudo cryptsetup luksChangeKey /dev/$vm_lvm_vg/${vm_lvm_lv}_root
1381 }
1382
1383 rule=${1:-help}
1384 ${1+shift}
1385 case $rule in
1386 (help);;
1387 (*)
1388 assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
1389 ;;
1390 esac
1391 rule $rule "$@"
outils d'administration d'ateliers.heureux-cyclage.org