dépôts / lhc / ateliers.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Correction : vm_{hosted,remote} : chemins et noms .
[lhc/ateliers.git] / vm_hosted
1 #!/bin/sh
2 set -e -f ${DRY_RUN:+-n} -u
3 tool=$0
4 while test -L "$tool"
5 do tool=$(readlink "$tool")
6 done
7 tool=${tool%/*}
8 . "$tool"/lib/rule.sh
9 . "$tool"/etc/vm.sh
10 export TRACE=1
11
12 rule_help () { # SYNTAX: [--hidden]
13 local hidden; [ ${1:+set} ] || hidden=set
14 cat >&2 <<-EOF
15 DESCRIPTION:
16 ce script regroupe des règles pour administrer la VM ($vm_fqdn)
17 _depuis_ la VM hébergée ($vm_fqdn) ;
18 il sert à la fois d'outil (aisément bidouillable)
19 et de documentation (préçise).
20 Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
21 SYNTAX: $0 \$RULE \${RULE}_SYNTAX
22 RULES:
23 $(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
24 ENVIRONMENT:
25 TRACE # affiche les commandes avant leur exécution
26 $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
27 EOF
28 }
29
30 rule_git_configure () {
31 (
32 cd "$tool"
33 git config --replace branch.master.remote .
34 git config --replace branch.master.merge refs/remotes/master
35 local tool
36 tool=$(cd "$tool"; cd -)
37 sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/
38 sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/vm
39 sudo install -m 770 /dev/stdin .git/hooks/post-update <<-EOF
40 #!/bin/sh -efux
41 case \$1 in
42 (refs/remotes/master)
43 cd ..
44 git --git-dir=\$PWD/.git checkout -f -B master remotes/master
45 git --git-dir=\$PWD/.git clean -f -d -x
46 ;;
47 esac
48 EOF
49 )
50 }
51 rule_git_reset () {
52 (
53 cd "$tool"
54 git checkout -f -B master remotes/master
55 git clean -f -d -x
56 )
57 }
58
59 rule_adduser () {
60 local user="$1"; shift
61 getent passwd "$user" >/dev/null ||
62 sudo adduser "$@" "$user"
63 }
64 rule_apt_get_install () { # SYNTAX: $package
65 sudo DEBIAN_FRONTEND=noninteractive apt-get install "$@"
66 }
67 rule_dpkg_reconfigure () { # SYNTAX: $package
68 sudo DEBIAN_FRONTEND=noninteractive dpkg-reconfigure "$@"
69 }
70
71 rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
72 export LANG=C
73 export LC_CTYPE=C
74 . /etc/profile
75 }
76
77 rule_apache2_configure () {
78 local -; set +f
79 rule apt_get_install \
80 apache2-mpm-itk \
81 libapache2-mod-php5
82 # VOIR: http://serverfault.com/questions/383526/how-do-i-select-which-apache-mpm-to-use/383634#383634
83 # VOIR: http://jkroon.blogs.uls.co.za/it/security/using-php-fpm-and-mod_proxy_fcgi-to-optimize-and-secure-lamp-servers
84 # NOTE: apache2-mpm-itk semble le plus sécurisé,
85 # car on est certain que tout est exécuté avec les uid/gid
86 # assignés au VirtualHost/Directory/Location
87 # néamoins il se peut qu'une combinaison du genre :
88 # apache2-mpm-{worker,event} + mod_proxy_fcgi + apache2-suexec-custom + php-fpm
89 # soit plus performante (threads et pas forks),
90 # cependant l'usage de suexec impose des forks il semble..
91 # et mod_proxy_fcgi n'apparaît que dans apache 2.4 ;
92 # donc pour l'instant : apache2-mpm-itk
93 cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF |
94 ServerName "$vm_fqdn"
95 EOF
96 sudo install -m 660 -o root -g root /dev/stdin \
97 /etc/apache2/apache2.conf
98 sudo install -m 660 -o root -g root \
99 "$tool"/etc/apache2/envvars \
100 /etc/apache2/envvars
101 sudo install -m 660 -o root -g root \
102 "$tool"/etc/apache2/httpd.conf \
103 /etc/apache2/httpd.conf
104 #sudo install -m 660 -o root -g root /dev/stdin \
105 # /etc/apache2/suexec/www-data <<-EOF
106 # /home
107 # pub/www/cgi
108 # EOF
109 sudo install -m 660 -o root -g root \
110 "$tool"/etc/apache2/ports.conf \
111 /etc/apache2/ports.conf
112 sudo a2enmod actions
113 sudo a2enmod headers
114 sudo a2enmod rewrite
115 sudo a2enmod ssl
116 sudo a2enmod userdir
117 local conf
118 sudo a2dissite "*"
119 sudo ln -fns \
120 /etc/apache2 \
121 /home/www/etc/apache2
122 for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf
123 do conf=${conf#"$tool"/etc/apache2/site.d/}
124 local site=${conf%/VirtualHost.conf}
125 case $site in
126 (*-tls)
127 local hint="run vm_remote apache2_key_send before"
128 assert "sudo test -f /etc/apache2/site.d/\"$site\"/x509/key.pem" hint
129 sudo install -d -m 770 -o www-"$site" -g www-"$site" \
130 /etc/apache2 \
131 /etc/apache2/site.d/"$site" \
132 /etc/apache2/site.d/"$site"/x509 \
133 /etc/apache2/site.d/"$site"/x509/ca \
134 /etc/apache2/site.d/"$site"/x509/empty \
135 /etc/apache2/site.d/"$site"/x509/rvk \
136 /etc/apache2/site.d/"$site"/x509/usr
137 sudo install -m 664 -o www -g www \
138 "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
139 /etc/apache2/site.d/"$site"/x509/crt.self-signed.pem
140 #sudo install -m 664 -o www-"$site" -g www-"$site" \
141 # "$tool"/var/pub/x509/"$site"/rvk.pem \
142 # /etc/apache2/site.d/"$site"/x509/rvk.pem
143 sudo install -m 664 -o www -g www \
144 "$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \
145 /etc/apache2/site.d/"$site"/x509/ca/crt.pem
146 sudo install -m 664 -o www -g www \
147 "$tool"/var/pub/x509/"$site"/crt.pem \
148 /etc/apache2/site.d/"$site"/x509/crt.pem
149 ;;
150 esac
151 case $site in
152 (*-tls)
153 cat <<-EOF
154 <IfModule mod_ssl.c>
155 <VirtualHost *:$port>
156 AssignUserID www-$site www-$site
157 BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0
158 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
159 CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined
160 #CustomLog "/dev/null" Combined
161 DocumentRoot /home/www/pub/$site
162 ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60"
163 #ErrorLog "/dev/null"
164 LogLevel Warn
165 SSLCACertificateFile /etc/apache2/site.d/$site/x509/crt.self-signed.pem
166 SSLCACertificatePath /etc/apache2/site.d/$site/x509/usr/
167 #SSLCARevocationFile /etc/apache2/site.d/$site/x509/rvk.pem
168 SSLCADNRequestFile /etc/apache2/site.d/$site/x509/crt.self-signed.pem
169 SSLCADNRequestPath /etc/apache2/site.d/$site/x509/empty/
170 # NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés
171 SSLCARevocationPath /etc/apache2/site.d/$site/x509/rvk/
172 SSLCertificateChainFile /etc/apache2/site.d/$site/x509/ca/crt.pem
173 SSLCertificateFile /etc/apache2/site.d/$site/x509/crt.pem
174 SSLCertificateKeyFile /etc/apache2/site.d/$site/x509/key.pem
175 SSLCipherSuite AES+RSA+SHA256
176 SSLEngine On
177 SSLInsecureRenegotiation Off
178 SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars
179 SSLProtocol -All +TLSv1
180 #SSLRenegBufferSize 262144
181 SSLSessionCacheTimeout 1200
182 SSLStrictSNIVHostCheck On
183 SSLUserName SSL_CLIENT_S_DN_CN
184 SSLVerifyClient None
185 SSLVerifyDepth 1
186 $(cat "$tool"/etc/apache2/site.d/"$site"/VirtualHost.conf)
187 </VirtualHost>
188 </IfModule>
189 EOF
190 ;;
191 (*)
192 cat <<-EOF
193 <VirtualHost *:$port>
194 AssignUserID www-$site www-$site
195 CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined
196 #CustomLog "/dev/null" Combined
197 DocumentRoot /home/www/pub/$site
198 ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60"
199 #ErrorLog "/dev/null"
200 LogLevel Warn
201 $(cat "$tool"/etc/apache2/site.d/"$site"/VirtualHost.conf)
202 </VirtualHost>
203 EOF
204 ;;
205 esac |
206 sudo install -m 660 -o root -g root /dev/stdin \
207 /etc/apache2/site.d/"$site"/VirtualHost.conf
208 sudo ln -fns \
209 ../site.d/"$site"/VirtualHost.conf \
210 /etc/apache2/sites-available/"$site"
211 sudo install -d -m 770 -o www-"$site" -g www-"$site" \
212 /home/www/log/"$site" \
213 /home/www/log/"$site"/apache2
214 sudo ln -fns \
215 /etc/apache2/site.d/"$site" \
216 /home/www/etc/apache2/"$site"
217 test -e /home/www/pub/"$site" ||
218 sudo install -d -m 2770 -o www-"$site" -g www-"$site" \
219 /home/www/pub/"$site"
220 rule adduser www-"$site"
221 --disabled-password \
222 --group \
223 --no-create-home \
224 --home /home/www/pub/"$site" \
225 --shell /bin/false \
226 --system
227 #sudo setfacl -m u:"www-$site":--x \
228 # /home/www/ \
229 # /home/www/pub/ \
230 # /home/www/pub/"$site"/
231 #sudo setfacl -m d:u:"www-$site":rwx \
232 # "$home"/pub/www/"$site"/
233 test ! -r "$tool"/etc/apache2/site.d/"$site"/configure.sh ||
234 . "$tool"/etc/apache2/site.d/"$site"/configure.sh
235 test -e /etc/apache2/sites-enabled/"$site" ||
236 sudo a2ensite "$site"
237 done
238 sudo service apache2 restart
239 }
240 rule_apt_configure () {
241 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
242 deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
243 EOF
244 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF
245 #deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
246 EOF
247 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
248 Package: *
249 Pin: release a=$vm_lsb_name
250 Pin-Priority: 170
251
252 Package: *
253 Pin: release a=$vm_lsb_name-backports
254 Pin-Priority: 200
255 EOF
256 sudo apt-get update
257 rule apt_get_install apticron
258 sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF
259 EMAIL="admin@$vm_domainname"
260 # DIFF_ONLY="1"
261 # LISTCHANGES_PROFILE="apticron"
262 # ALL_FQDNS="1"
263 # SYSTEM="foobar.example.com"
264 # IPADDRESSNUM="1"
265 # IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
266 # NOTIFY_HOLDS="0"
267 # NOTIFY_NEW="0"
268 # NOTIFY_NO_UPDATES="0"
269 # CUSTOM_SUBJECT=""
270 # CUSTOM_NO_UPDATES_SUBJECT=""
271 # CUSTOM_FROM="root@$vm_fqdn"
272 EOF
273 }
274 rule_boot_configure () {
275 #warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
276 sudo debconf-set-selections <<-EOF
277 grub-pc grub-pc/install_devices multiselect
278 EOF
279 rule apt_get_install grub-pc
280 sudo install -d -m 644 -o root -g root /boot/grub
281 rule apt_get_install linux-image-$vm_arch
282 sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF
283 GRUB_DEFAULT=0
284 GRUB_TIMEOUT=5
285 GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
286 GRUB_CMDLINE_LINUX_DEFAULT="quiet"
287 GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
288 GRUB_DISABLE_RECOVERY="true"
289 #GRUB_PRELOAD_MODULES="lvm"
290 EOF
291 sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF
292 (hd0) /dev/xvda
293 (hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
294 EOF
295 sudo update-grub2 # NOTE: prend en compte /boot/grub/device.map
296 rule initramfs_configure
297 rule apt_get_install molly-guard
298 sudo install -m 644 -o root -g root /dev/stdin /etc/molly-guard/rc <<-EOF
299 ALWAYS_QUERY_HOSTNAME=true
300 # NOTE: une alternative est de dire à sudo de conserver les SSH_*
301 # néamoins demander tout le temps n'est pas trop contraignant
302 # et davantage sécurisant.
303 EOF
304 }
305 rule_dovecot_configure () {
306 rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
307 local hint="run vm_remote dovecot_key_send before"
308 assert "sudo test -f /etc/dovecot/\"$vm_domainname\"/imap/x509/key.pem" hint
309 sudo install -m 400 -o root -g root \
310 "$tool"/var/pub/x509/imap."$vm_domainname"/crt+crl.self-signed.pem \
311 /etc/dovecot/"$vm_domainname"/imap/x509/crt+crl.self-signed.pem
312 sudo install -d -m 770 -o root -g root \
313 /etc/skel/etc/mail \
314 /etc/skel/etc/sieve
315 sudo install -d -m 1777 -o root -g root \
316 /var/lib/dovecot-control \
317 /var/lib/dovecot-index
318 sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
319 auth_ssl_username_from_cert = yes
320 listen = *
321 log_timestamp = "%Y-%m-%d %H:%M:%S "
322 mail_debug = yes
323 mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
324 # NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
325 # VOIR: http://wiki2.dovecot.org/Quota/FS
326 mail_plugins = \$mail_plugins quota
327 mail_privileged_group = mail
328 passdb {
329 args = /home/%u/etc/dovecot/passwd
330 driver = passwd-file
331 }
332 plugin {
333 quota = fs:user
334 recipient_delimiter = +
335 sieve = ~/etc/mail/filter.sieve
336 sieve_dir = ~/etc/mail/sieve
337 sieve_global_dir = /var/lib/dovecot/sieve/global/
338 sieve_max_script_size = 1M
339 sieve_quota_max_scripts = 0
340 sieve_quota_max_storage = 10M
341 sieve_user_log = ~/var/log/mail/sieve.log
342 }
343 protocol imap {
344 mail_plugins = \$mail_plugins imap_quota
345 }
346 protocol lda {
347 auth_socket_path = /var/run/dovecot/auth-master
348 hostname = $vm_domainname
349 info_log_path =
350 log_path =
351 mail_plugins = \$mail_plugins sieve
352 postmaster_address = contact+dovecot+lda@$vm_domainname
353 syslog_facility = mail
354 }
355 protocols = imap sieve
356 service auth {
357 user = root
358 unix_listener /var/spool/postfix/private/auth {
359 mode = 0660
360 user = postfix
361 group = postfix
362 }
363 }
364 ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
365 ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
366 ssl_cipher_list = AES256-SHA
367 ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
368 ssl_verify_client_cert = yes
369 userdb {
370 driver = passwd
371 }
372 verbose_ssl = no
373 EOF
374 sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
375 #!/bin/sh -efux
376 # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
377 install -d -m 770 ~/etc/dovecot
378 install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
379 \$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
380 _EOF
381 EOF
382 sudo install -m 664 -o root -g root /dev/stdin /etc/postgrey/whitelist_recipients.local <<-EOF
383 EOF
384 sudo service dovecot restart
385 }
386 rule_etckeeper_configure () {
387 sudo install -m 644 -o root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
388 VCS=git
389 GIT_COMMIT_OPTIONS=""
390 AVOID_DAILY_AUTOCOMMITS=1
391 #AVOID_SPECIAL_FILE_WARNING=1
392 AVOID_COMMIT_BEFORE_INSTALL=1
393 HIGHLEVEL_PACKAGE_MANAGER=apt
394 LOWLEVEL_PACKAGE_MANAGER=dpkg
395 EOF
396 sudo install -m 644 -o root -g root \
397 "$tool"/etc/etckeeper/prompt.sh \
398 /etc/etckeeper/prompt.sh
399 rule apt_get_install etckeeper
400 }
401 rule_filesystem_configure () {
402 sudo install -m 644 -o root -g root /dev/stdin /etc/fstab <<-EOF
403 # <file system> <mount point> <type> <options> <dump> <pass>
404 LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
405 proc /proc proc defaults 0 0
406 sysfs /sys sysfs defaults 0 0
407 /dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
408 /dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
409 /dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
410 # NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
411 /dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
412 EOF
413 sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF
414 # <target name> <source device> <key file> <options>
415 ${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
416 ${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
417 ${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
418 ${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
419 EOF
420 rule tmpfs_configure
421 }
422 rule_initramfs_configure () {
423 sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
424 MODULES=most
425 BUSYBOX=y
426 KEYMAP=y
427 COMPRESS=gzip
428 DEVICE=eth0
429 EOF
430 sudo install -m 644 -o root -g root /dev/stdin /etc/modprobe.d/xen-pv.conf <<-EOF
431 alias eth0 xennet
432 alias scsi_hostadapter xenblk
433 EOF
434 sudo install -m 644 -o root -g root /dev/stdin /etc/modules <<-EOF
435 sha1_generic
436 sha256_generic
437 sha512_generic
438 aes-x86_64
439 xts
440 # NOTE: pour Xen en mode HVM :
441 #modprobe xen-platform-pci
442 EOF
443 sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF
444 EOF
445 sudo sed -e '/^configure_networking /s/ &$//' \
446 -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
447 # NOTE: corrige une vermine : dropbear doit attendre que le réseau soit configuré..
448 ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
449 ( while IFS= read -r line
450 do case $line in (*" RSA") return 0; break;; esac
451 done; return 1 ) ||
452 {
453 sudo rm -f \
454 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
455 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
456 sudo dropbearkey -t rsa -s 4096 -f \
457 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
458 }
459 # NOTE: ne se préoccupe pas de dropbear_dss_host_key ; Debian la génère et l'utilise néamoins.
460 sudo install -d -m 640 -o root -g root \
461 /etc/initramfs-tools/root \
462 /etc/initramfs-tools/root/.ssh
463 getent group sudo |
464 while IFS=: read -r group x x users
465 do while test -n "$users" && IFS=, read -r user users <<-EOF
466 $users
467 EOF
468 do eval local home\; home="~$user"
469 cat "$home"/etc/ssh/authorized_keys
470 done
471 done |
472 sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys
473 sudo rm -f \
474 /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
475 /etc/initramfs-tools/root/.ssh/id_rsa.pub \
476 /etc/initramfs-tools/root/.ssh/id_rsa
477 # NOTE: clefs générées par Debian
478 sudo update-initramfs -u
479 }
480 rule_gitolite_configure () {
481 sudo debconf-set-selections <<-EOF
482 gitolite gitolite/gituser string git
483 gitolite gitolite/adminkey string
484 gitolite gitolite/gitdir string /home/git
485 EOF
486 rule apt_get_install gitolite
487 rule adduser git \
488 --disabled-password \
489 --group \
490 --shell /bin/bash \
491 --system
492 sudo chfn --full-name git git
493 rule adduser log-git \
494 --disabled-login \
495 --disabled-password \
496 --group \
497 --home ~git/log \
498 --shell /bin/false \
499 --system
500 rule adduser git-daemon\
501 --disabled-login \
502 --disabled-password \
503 --group \
504 --home /home/git/pub \
505 --shell /bin/false \
506 --system
507 sudo install -d -m 770 -o git -g git \
508 /etc/gitolite \
509 ~git/etc \
510 ~git/etc/ssh \
511 ~git/pub
512 sudo install -d -m 770 -o log-git -g log-git \
513 ~git/log \
514 ~git/log/gitolite \
515 ~git/log/gitolite/perf
516 sudo install -d -m 550 -o www-lhc-git -g www-lhc-git \
517 /etc/gitweb \
518 /etc/gitweb/cgi
519 sudo ln -fns /etc/gitolite ~git/etc/gitolite
520 sudo ln -fns /etc/gitweb ~git/etc/gitweb
521 sudo ln -fns etc/gitolite/gitolite.rc ~git/.gitolite.rc
522 sudo ln -fns etc/ssh ~git/.ssh
523 sudo install -m 770 -o git -g git /dev/stdin \
524 ~git/etc/gitolite/gitolite.rc <<-EOF
525 #\$ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary";
526 #\$BIG_INFO_CAP = 20;
527 #\$ENV{GL_SLAVES} = 'gitolite@server2 gitolite@server3';
528 # NOTE: Please use single quotes, not double quotes.
529 #\$GITWEB_URI_ESCAPE = 0;
530 \$GIT_PATH = "";
531 #\$GL_ADC_PATH = "";
532 \$GL_ADMINDIR = \$ENV{HOME} . "/etc/gitolite";
533 #\$GL_ALL_INCLUDES_SPECIAL = 0;
534 #\$GL_ALL_READ_ALL = 0;
535 \$GL_BIG_CONFIG = 0;
536 \$GL_CONF = "\$GL_ADMINDIR/conf/gitolite.conf";
537 \$GL_CONF_COMPILED = "\$GL_ADMINDIR/conf/gitolite.conf.pm";
538 #\$GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups"
539 \$GL_GITCONFIG_KEYS = "hooks\\..* repo\\..*";
540 #\$GL_HOSTNAME = "git.$vm_domainname";
541 # NOTE: read doc/mirroring.mkd COMPLETELY before setting this.
542 #\$GL_HTTP_ANON_USER = "mob";
543 \$GL_KEYDIR = "\$GL_ADMINDIR/keydir";
544 \$GL_LOGT = \$ENV{HOME} . "/log/gitolite/%y-%m-%d.log";
545 #\$GL_NICE_VALUE = 0;
546 \$GL_NO_CREATE_REPOS = 0;
547 \$GL_NO_DAEMON_NO_GITWEB = 0;
548 \$GL_NO_SETUP_AUTHKEYS = 0;
549 \$GL_PACKAGE_CONF = "/usr/share/gitolite/conf";
550 \$GL_PACKAGE_HOOKS = "/usr/share/gitolite/hooks";
551 #\$GL_PERFLOGT = \$ENV{HOME} . "/log/gitolite/perf/%y-%m-%d.log";
552 #\$GL_REF_OR_FILENAME_PATT = qr(^[0-9a-zA-Z][0-9a-zA-Z._\\@/+ :,-]*\$);
553 \$GL_SITE_INFO = "git.$vm_domainname";
554 #\$GL_SLAVE_MODE = 0;
555 \$GL_WILDREPOS = 0;
556 #\$GL_WILDREPOS_DEFPERMS = 'R @all';
557 \$GL_WILDREPOS_PERM_CATS = "READERS WRITERS";
558 \$HTPASSWD_FILE = "";
559 \$PROJECTS_LIST = \$ENV{HOME} . "/projects.list";
560 \$REPO_BASE = "pub";
561 \$REPO_UMASK = 0007;
562 \$RSYNC_BASE = "";
563 \$SVNSERVE = "";
564 #\$UPDATE_CHAINS_TO = "hooks/update.secondary";
565 \$WEB_INTERFACE = "gitweb";
566 1;
567 EOF
568 sudo install -m 740 -o git -g www-lhc-git /dev/stdin \
569 ~git/etc/gitweb/gitweb.conf <<-EOF
570 \$commit_oneline_message_width = 70;
571 \$default_projects_order = 'age';
572 \$default_text_plain_charset = 'UTF-8';
573 @diff_opts = ();
574 \$favicon = "img/git-favicon.png";
575 \$git_temp = "/run/shm/tmp/gitweb";
576 \$home_footer = "/etc/gitweb/cgi/home-footer.cgi.inc";
577 \$home_header = "/etc/gitweb/cgi/home-header.cgi.inc";
578 \$home_link = "/";
579 \$home_link_str = 'd&eacute;p&ocirc;ts';
580 \$home_th_age = 'activit&eacute;';
581 \$home_th_descr = 'description';
582 \$home_th_owner = 'contact';
583 \$home_th_project = 'd&eacute;p&ocirc;t';
584 \$javascript = "js/gitweb.js";
585 \$logo = "img/git-logo.png";
586 \$my_uri = "";
587 \$projectroot = "../git";
588 \$projects_list = "/etc/gitolite/projects.list";
589 \$projects_list_description_width = 42;
590 \$projects_list_owner_width = 15;
591 \$search_str = "Filtre&nbsp;:";
592 \$site_footer = "/etc/gitweb/cgi/site-footer.bin";
593 \$site_header = undef;
594 \$site_name = "git.$vm_domainname";
595 \$space_to_nbsp = 0;
596 @stylesheets = ("css/gitweb.css");#
597 \$untabify_tabstop = 2;
598 EOF
599 sudo install -m 600 -o git -g git \
600 "$tool"/var/pub/ssh/git.key \
601 ~git/etc/ssh/git.pub
602 sudo -u git \
603 GL_RC=/home/git/etc/gitolite/gitolite.rc \
604 GIT_AUTHOR_NAME=git \
605 gl-setup -q ~git/etc/ssh/git.pub git
606 local d
607 for d in doc logs src
608 do test ! -d ~git/etc/gitolite/"$d" ||
609 rmdir ~git/etc/gitolite/"$d"
610 done
611 rule apt_get_install gitweb highlight
612 sudo service tmpfs restart
613 }
614 rule_locales_configure () {
615 sudo debconf-set-selections <<-EOF
616 locales locales/default_environment_locale select None
617 locales locales/locales_to_be_generated multiselect fr_FR.UTF-8 UTF-8
618 EOF
619 rule dpkg_reconfigure locales
620 }
621 rule_login_configure () {
622 sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF
623 # /etc/inittab: init(8) configuration.
624
625 # The default runlevel.
626 id:2:initdefault:
627
628 # Boot-time system configuration/initialization script.
629 # This is run first except when booting in emergency (-b) mode.
630 si::sysinit:/etc/init.d/rcS
631
632 # What to do in single-user mode.
633 ~~:S:wait:/sbin/sulogin
634
635 # /etc/init.d executes the S and K scripts upon change
636 # of runlevel.
637 #
638 # Runlevel 0 is halt.
639 # Runlevel 1 is single-user.
640 # Runlevels 2-5 are multi-user.
641 # Runlevel 6 is reboot.
642
643 l0:0:wait:/etc/init.d/rc 0
644 l1:1:wait:/etc/init.d/rc 1
645 l2:2:wait:/etc/init.d/rc 2
646 l3:3:wait:/etc/init.d/rc 3
647 l4:4:wait:/etc/init.d/rc 4
648 l5:5:wait:/etc/init.d/rc 5
649 l6:6:wait:/etc/init.d/rc 6
650 # Normally not reached, but fallthrough in case of emergency.
651 z6:6:respawn:/sbin/sulogin
652
653 # What to do when CTRL-ALT-DEL is pressed.
654 ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
655
656 # What to do when the power fails/returns.
657 pf::powerwait:/etc/init.d/powerfail start
658 pn::powerfailnow:/etc/init.d/powerfail now
659 po::powerokwait:/etc/init.d/powerfail stop
660
661 # Xen hypervisor console
662 hvc:2345:respawn:/sbin/getty 38400 hvc0
663 #xvc:2345:respawn:/sbin/getty 38400 xvc0
664
665 #-- runit begin
666 SV:123456:respawn:/usr/sbin/runsvdir-start
667 #-- runit end
668 EOF
669 sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF
670 MAIL_DIR /var/mail
671 FAILLOG_ENAB yes
672 LOG_UNKFAIL_ENAB no
673 LOG_OK_LOGINS no
674 SYSLOG_SU_ENAB yes
675 SYSLOG_SG_ENAB yes
676 FTMP_FILE /var/log/btmp
677 SU_NAME su
678 HUSHLOGIN_FILE .hushlogin
679 ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
680 ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
681 # NOTE: met les sbin/ dans ENV_PATH ;
682 # - ça n'apporte aucune protection de ne pas les mettre ;
683 # - ça frustre de ne pas les trouver.
684 TTYGROUP tty
685 TTYPERM 0600
686 ERASECHAR 0177
687 KILLCHAR 025
688 UMASK 007
689 # NOTE: rwxrwx--- ;
690 # - donne une même confiance au groupe propriétaire qu'au propriétaire ;
691 # - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
692 PASS_MAX_DAYS 99999
693 PASS_MIN_DAYS 0
694 PASS_WARN_AGE 7
695 UID_MIN 1000
696 UID_MAX 60000
697 GID_MIN 1000
698 GID_MAX 60000
699 LOGIN_RETRIES 3
700 LOGIN_TIMEOUT 60
701 CHFN_RESTRICT rwh
702 DEFAULT_HOME yes
703 USERGROUPS_ENAB yes
704 ENCRYPT_METHOD SHA512
705 EOF
706 grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
707 sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF
708 $(cat /etc/pam.d/common-session)
709 session optional pam_umask.so
710 EOF
711 grep -q '^hvc0$' /etc/securetty ||
712 sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
713 $(cat /etc/securetty)
714 hvc0
715 EOF
716 grep -q '^xvc0$' /etc/securetty ||
717 sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
718 $(cat /etc/securetty)
719 xvc0
720 EOF
721 }
722 rule_mail_configure () {
723 rule postfix_configure
724 rule postgrey_configure
725 rule procmail_configure
726 rule dovecot_configure
727 }
728 rule_mysql_configure () {
729 rule apt_get_install mysql-server-5.5
730 sudo install -m 644 -o root -g root \
731 "$tool"/etc/mysql/my.cnf \
732 /etc/mysql/my.cnf
733 if test ! -d /home/mysql; then
734 sudo install -d -m 750 -o mysql -g mysql \
735 /home/mysql
736 sudo -u mysql mysql_install_db --no-defaults --datadir=/home/mysql/
737 fi
738 }
739 rule_network_configure () {
740 sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
741 $vm
742 EOF
743 grep -q " $vm\$" /etc/hosts ||
744 sudo install -m 644 -o root -g root /dev/stdin /etc/hosts <<-EOF
745 $(cat /etc/hosts)
746 127.0.0.1 $vm_fqdn $vm
747 EOF
748 sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF
749 auto lo
750 iface lo inet loopback
751
752 auto eth0=grenode
753 iface grenode inet static
754 address $vm_ipv4
755 gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
756 network $vm_ipv4
757 broadcast $vm_ipv4
758 netmask 255.255.255.255
759 mtu 1300
760 # NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
761 # car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
762 #
763 # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
764 # PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
765 # 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
766 #
767 # --- soupirail.grenode.net ping statistics ---
768 # 1 packets transmitted, 1 received, 0% packet loss, time 0ms
769 # rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
770 # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
771 # PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
772 # From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
773 #
774 # --- soupirail.grenode.net ping statistics ---
775 # 0 packets transmitted, 0 received, +1 errors
776 post-up ip address add $vm_ipv4/32 dev \$IFACE
777 pre-down ip address delete $vm_ipv4/32 dev \$IFACE
778 EOF
779 }
780 rule_www_configure () {
781 rule adduser www \
782 --disabled-login \
783 --disabled-password \
784 --group \
785 --home /home/www \
786 --shell /bin/false \
787 --system
788 rule adduser log-www \
789 --disabled-login \
790 --disabled-password \
791 --group \
792 --home /home/www/log \
793 --shell /bin/false \
794 --system
795 #sudo adduser www www-data
796 sudo adduser www log-www
797 #sudo adduser log log-www
798 usermod --home /home/www/pub www-data
799 sudo install -d -m 751 -o www -g www \
800 /home/www
801 sudo install -d -m 750 -o www -g www \
802 /home/www/etc
803 sudo install -d -m 1771 -o www-data -g www-data \
804 /home/www/pub
805 sudo install -d -m 1771 -o log-www -g log-www \
806 /home/www/log
807 }
808 rule_nginx_configure () {
809 local -; set +f
810 rule apt_get_install nginx
811 sudo rm -rf \
812 /etc/nginx/conf.d \
813 /etc/nginx/site.d
814 sudo install -d -m 770 -o www -g www \
815 /etc/nginx \
816 /etc/nginx/conf.d \
817 /etc/nginx/site.d \
818 /etc/nginx/x509.d
819 sudo ln -fns \
820 /etc/nginx \
821 /home/www/etc/nginx
822 sudo install -m 660 -o www -g www \
823 "$tool"/etc/nginx/nginx.conf \
824 /etc/nginx/nginx.conf
825 local conf
826 for conf in "$tool"/etc/nginx/conf.d/*.conf
827 do conf=${conf#"$tool"/etc/nginx/conf.d/}
828 sudo install -m 660 -o www -g www \
829 "$tool"/etc/nginx/conf.d/"$conf" \
830 /etc/nginx/conf.d/"$conf"
831 done
832 for conf in "$tool"/etc/nginx/site.d/*/server.conf
833 do conf=${conf#"$tool"/etc/nginx/site.d/}
834 local site="${conf%/server.conf}"
835 rule adduser www-"$site" \
836 --disabled-login \
837 --disabled-password \
838 --group \
839 --home /home/www-data/"$site" \
840 --shell /bin/false \
841 --system
842 rule adduser log-www-"$site" \
843 --disabled-login \
844 --disabled-password \
845 --group \
846 --home /home/www/log/"$site"/nginx \
847 --shell /bin/false \
848 --system
849 sudo install -d -m 2770 -o log-www-"$site" -g log-www-"$site" \
850 /home/www/log/"$site"
851 sudo install -d -m 770 -o www -g www \
852 /etc/nginx/site.d/"$site"
853 sudo install -d -m 770 -o www -g www \
854 /etc/nginx/x509.d/"$site"
855 test -L /home/www/pub/"$site" ||
856 sudo install -d -m 3770 -o www-"$site" -g www-"$site" \
857 /home/www/pub/"$site"
858 sudo adduser www-data www-"$site"
859 sudo adduser www-data log-www-"$site"
860 sudo install -m 660 -o www -g www /dev/stdin \
861 /etc/nginx/site.d/"$site"/server.conf <<-EOF
862 server {
863 access_log /home/www/log/$site/nginx/access.log main;
864 error_log /home/www/log/$site/nginx/error.log warn;
865 root /home/www/pub/$site;
866 ssl_certificate /etc/nginx/x509.d/$site/crt.pem;
867 ssl_certificate_key /etc/nginx/x509.d/$site/key.pem;
868 $(cat "$tool"/etc/nginx/site.d/"$site"/listen.conf)
869 $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
870 }
871 EOF
872 test -d /home/www/pub/"$site" -o -L /home/www/pub/"$site" ||
873 test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
874 . "$tool"/etc/nginx/site.d/"$site"/configure.sh
875 done
876 rule apt_get_install spawn-fcgi fcgiwrap
877 sudo insserv --remove fcgiwrap
878 sudo insserv --remove nginx
879 rule tmpfs_configure
880 case $(sv status nginx) in
881 (run:*) sudo sv restart nginx
882 esac
883 }
884 rule_php5_fpm_configure () {
885 local -; set +f
886 rule apt_get_install \
887 php5-fpm \
888 php-apc
889 rule adduser php5 \
890 --disabled-login \
891 --disabled-password \
892 --group \
893 --home /etc/php5/fpm \
894 --shell /bin/false \
895 --system
896 rule adduser log-php5 \
897 --disabled-login \
898 --disabled-password \
899 --group \
900 --home /home/www/log/php5/fpm \
901 --shell /bin/false \
902 --system
903 sudo ln -fns \
904 /etc/php5/fpm \
905 /home/www/etc/php5
906 sudo rm -rf \
907 /etc/php5/fpm/conf.d \
908 /etc/php5/fpm/pool.d
909 sudo install -d -m 770 -o php5 -g php5 \
910 /etc/php5/fpm/conf.d \
911 /etc/php5/fpm/pool.d
912 sudo install -m 770 -o php5 -g php5 \
913 "$tool"/etc/php5/fpm/php-fpm.conf \
914 /etc/php5/fpm/php-fpm.conf
915 local conf
916 #for conf in "$tool"/etc/php5/fpm/conf.d/*.conf
917 # do conf=${conf#"$tool"/etc/php5/fpm/conf.d/}
918 # sudo install -m 660 -o php5 -g php5 \
919 # "$tool"/etc/php5/fpm/conf.d/"$conf" \
920 # /etc/php5/fpm/conf.d/"$conf"
921 # done
922 for conf in "$tool"/etc/php5/fpm/pool.d/*.conf
923 do conf=${conf#"$tool"/etc/php5/fpm/pool.d/}
924 IFS=. read -r pool <<-EOF
925 ${conf%.conf}
926 EOF
927 assert 'test "${pool:+set}"'
928 rule adduser php5-"$pool" \
929 --disabled-login \
930 --disabled-password \
931 --group \
932 --no-create-home \
933 --home /etc/php5/fpm/pool.d \
934 --shell /bin/false \
935 --system
936 rule adduser log-php5-"$pool" \
937 --disabled-login \
938 --disabled-password \
939 --group \
940 --no-create-home \
941 --home /home/www/log/php5/fpm \
942 --shell /bin/false \
943 --system
944 sudo install -d -m 770 -o log-php5 -g log-php5 \
945 /home/www/log/php5 \
946 /home/www/log/php5/fpm
947 sudo install -d -m 770 -o log-php5-"$pool" -g log-php5-"$pool" \
948 /home/www/log/php5/fpm/"$pool"
949 sudo install -m 660 -o php5 -g php5 /dev/stdin \
950 /etc/php5/fpm/pool.d/"$pool".conf <<-EOF
951 [$pool]
952 access.log = /home/www/log/php5/fpm/$pool/access.log
953 catch_workers_output = yes
954 chdir = /
955 env[HOSTNAME] = \$HOSTNAME
956 env[TEMP] = /tmp
957 env[TMPDIR] = /tmp
958 env[TMP] = /tmp
959 group = php5-$pool
960 #listen = 127.0.0.1:9000
961 listen = /run/php5/fpm/$pool
962 #listen.allowed_clients = 127.0.0.1
963 listen.group = www-data
964 listen.mode = 0660
965 #listen.owner = www-data
966 listen.backlog = -1
967 pm = dynamic
968 pm.max_children = 5
969 pm.max_requests = 200
970 pm.max_spare_servers = 4
971 pm.min_spare_servers = 2
972 pm.start_servers = 3
973 pm.status_path = /status
974 request_slowlog_timeout = 5s
975 request_terminate_timeout = 120s
976 rlimit_core = unlimited
977 rlimit_files = 131072
978 slowlog = /home/www/log/php5/fpm/$pool/slow.log
979 user = php5-$pool
980 $(cat "$tool"/etc/php5/fpm/pool.d/"$conf")
981 EOF
982 sudo install -m 664 -o php5 -g php5 \
983 "$tool"/etc/php5/fpm/php.ini \
984 /etc/php5/fpm/php.ini
985 case $(sv status php5-"$pool") in
986 (run:*) sudo sv restart php5-"$pool"
987 esac
988 done
989 rule tmpfs_configure
990 sudo service php5-fpm restart
991 }
992 rule_postfix_configure () {
993 local hint="run vm_remote postfix_key_send before"
994 assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
995 #warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
996 sudo debconf-set-selections <<-EOF
997 postfix postfix/main_mailer_type select No configuration
998 EOF
999 rule apt_get_install postfix
1000 sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
1001 *.db
1002 EOF
1003 sudo install -d -m 771 -o root -g root \
1004 /etc/postfix/ \
1005 /etc/postfix/$vm_domainname/ \
1006 /etc/postfix/$vm_domainname/smtp \
1007 /etc/postfix/$vm_domainname/smtp/x509 \
1008 /etc/postfix/$vm_domainname/smtp/x509/ca \
1009 /etc/postfix/$vm_domainname/smtpd \
1010 /etc/postfix/$vm_domainname/smtpd/x509 \
1011 /etc/postfix/$vm_domainname/smtpd/x509/ca
1012 sudo ln -fns \
1013 ../crt+crl.self-signed.pem \
1014 /etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
1015 sudo install -m 400 -o root -g root \
1016 "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \
1017 /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
1018 sudo install -m 400 -o root -g root \
1019 "$tool"/var/pub/x509/smtpd.$vm_domainname/crt.pem \
1020 /etc/postfix/$vm_domainname/smtpd/x509/crt.pem
1021 sudo install -m 400 -o root -g root \
1022 "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+ca.pem \
1023 /etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem
1024 sudo install -m 400 -o root -g root \
1025 "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \
1026 /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
1027 sudo install -m 660 -o root -g root \
1028 "$tool"/etc/postfix/$vm_domainname/header_checks \
1029 /etc/postfix/$vm_domainname/header_checks
1030 sudo install -m 664 -o root -g root /dev/stdin \
1031 /etc/postfix/aliases <<-EOF
1032 # See man 5 aliases for format
1033 abuse: root
1034 admin: root
1035 contact: root
1036 mailer-daemon: root
1037 postmaster: root
1038 root: $(getent group sudo | cut -f 4 -d : | tr , ' ')
1039 EOF
1040 sudo newaliases -oA/etc/postfix/aliases
1041 cat /dev/stdin "$tool"/etc/postfix/main.cf <<-EOF |
1042 mydomain = $vm_domainname
1043 myorigin = \$mydomain
1044 myhostname = $vm_hostname.\$mydomain
1045 mail_name = \$myhostname
1046 mydestination = $vm_hostname \$myhostname \$myorigin
1047 EOF
1048 sudo install -m 664 -o root -g root /dev/stdin \
1049 /etc/postfix/main.cf
1050 sudo install -m 664 -o root -g root \
1051 "$tool"/etc/postfix/master.cf \
1052 /etc/postfix/master.cf
1053 sudo install -m 660 -o root -g root \
1054 "$tool"/etc/postfix/$vm_domainname/smtp/x509/policy \
1055 /etc/postfix/$vm_domainname/smtp/x509/policy
1056 sudo postmap hash:/etc/postfix/$vm_domainname/smtp/x509/policy
1057 sudo install -m 660 -o root -g root \
1058 "$tool"/etc/postfix/$vm_domainname/smtp/header_checks \
1059 /etc/postfix/$vm_domainname/smtp/header_checks
1060 sudo install -m 660 -o root -g root \
1061 "$tool"/etc/postfix/$vm_domainname/smtpd/sender_access \
1062 /etc/postfix/$vm_domainname/smtpd/sender_access
1063 sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/sender_access
1064 sudo install -m 660 -o root -g root \
1065 "$tool"/etc/postfix/$vm_domainname/smtpd/client_blacklist \
1066 /etc/postfix/$vm_domainname/smtpd/client_blacklist
1067 sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/client_blacklist
1068 sudo install -m 660 -o root -g root \
1069 "$tool"/etc/postfix/$vm_domainname/smtpd/relay_clientcerts \
1070 /etc/postfix/$vm_domainname/smtpd/relay_clientcerts
1071 sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/relay_clientcerts
1072 sudo install -m 660 -o root -g root \
1073 "$tool"/etc/postfix/$vm_domainname/transport \
1074 /etc/postfix/$vm_domainname/transport
1075 sudo postmap hash:/etc/postfix/$vm_domainname/transport
1076 sudo install -m 660 -o root -g root \
1077 "$tool"/etc/postfix/$vm_domainname/virtual_alias \
1078 /etc/postfix/$vm_domainname/virtual_alias
1079 sudo postmap hash:/etc/postfix/$vm_domainname/virtual_alias
1080 sudo service postfix restart
1081 }
1082 rule_postgresql_configure () {
1083 rule apt_get_install postgresql-9.1
1084 if [ ! -d /var/lib/postgresql/9.1/ ]; then
1085 pg_createcluster -u postgres --start 9.1 main
1086 fi
1087 sudo install -m 660 -o root -g root \
1088 "$tool"/etc/postgresql/9.1/main/postgresql.conf \
1089 /etc/postgresql/9.1/main/postgresql.conf
1090 sudo service postgresql restart
1091 }
1092 rule_openerp_configure () {
1093 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
1094 deb http://nightly.openerp.com/trunk/nightly/deb/ ./
1095 EOF
1096 sudo apt-get update
1097 rule apt_get_install openerp
1098 }
1099 rule_postgrey_configure () {
1100 rule apt_get_install postgrey
1101 sudo service postgrey restart
1102 }
1103 rule_procmail_configure () {
1104 rule apt_get_install procmail
1105 sudo install -d -m 770 -o root -g root \
1106 /etc/skel/etc/mail \
1107 /etc/skel/var/cache/mail \
1108 /etc/skel/var/log/mail \
1109 /etc/skel/var/mail
1110 sudo install -m 660 -o root -g root \
1111 "$tool"/etc/skel/etc/mail/delivery.procmailrc \
1112 /etc/skel/etc/mail/delivery.procmailrc
1113 }
1114 rule_runit_configure () {
1115 rule apt_get_install runit
1116 local -; set +f
1117 for sv in ${1-/etc/service/*}
1118 # NOTE: stoppe les services en retenant leur status de départ
1119 do sv=$(basename "$sv")
1120 local sv_hash=$(printf %s "$sv" | sha1sum | cut -f 1 -d ' ')
1121 local sv_status
1122 IFS= read -r sv_status_$sv_hash <<-EOF
1123 $(sv status "$sv")
1124 EOF
1125 rm -f /etc/service/"$sv"
1126 done
1127 for sv in ${1-"$tool"/etc/sv/*}
1128 # NOTE: configure et (re-)démarre les services
1129 do sv=$(basename "$sv")
1130 local sv_hash=$(printf %s "$sv" | sha1sum | cut -f 1 -d ' ')
1131 sudo install -d -m 770 -o root -g root \
1132 /etc/sv/"$sv"
1133 sudo install -m 770 -o root -g root \
1134 "$tool"/etc/sv/"$sv"/run \
1135 /etc/sv/"$sv"/run
1136 if test -e "$tool"/etc/sv/"$sv"/log/run
1137 then
1138 sudo install -d -m 770 -o root -g root \
1139 /etc/sv/"$sv"/log
1140 sudo install -m 770 -o root -g root \
1141 "$tool"/etc/sv/"$sv"/log/run \
1142 /etc/sv/"$sv"/log/run
1143 fi
1144 test ! -x "$tool"/etc/sv/"$sv"/configure ||
1145 "$tool"/etc/sv/"$sv"/configure
1146 ln -fns ../sv/"$sv" /etc/service/"$sv"
1147 eval local sv_status=\"\${sv_status_$sv_hash-}\"
1148 case $sv_status in
1149 ("") sv start "$sv";;
1150 (run:*) sv restart "$sv";;
1151 esac
1152 done
1153 }
1154 rule_ssh_configure () {
1155 ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
1156 ( while IFS= read -r line
1157 do case $line in (*" RSA") return 0; break;; esac
1158 done; return 1 ) ||
1159 sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
1160 sudo rm -f \
1161 /etc/ssh/ssh_host_dsa_key \
1162 /etc/ssh/ssh_host_dsa_key.pub \
1163 /etc/ssh/ssh_host_ecdsa_key \
1164 /etc/ssh/ssh_host_ecdsa_key.pub
1165 # NOTE: clefs générées par Debian
1166 sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
1167 Port 22
1168 ListenAddress $vm_ipv4
1169 #ListenAddress ::
1170 Protocol 2
1171 Compression yes
1172 HostKey /etc/ssh/ssh_host_rsa_key
1173 UsePrivilegeSeparation yes
1174 KeyRegenerationInterval 3600
1175 ServerKeyBits 768
1176 SyslogFacility AUTH
1177 LogLevel INFO
1178 LoginGraceTime 120
1179 PermitRootLogin yes
1180 StrictModes yes
1181 RSAAuthentication yes
1182 PubkeyAuthentication yes
1183 AuthorizedKeysFile %h/etc/ssh/authorized_keys
1184 IgnoreRhosts yes
1185 RhostsRSAAuthentication no
1186 HostbasedAuthentication no
1187 IgnoreUserKnownHosts no
1188 PermitEmptyPasswords no
1189 ChallengeResponseAuthentication no
1190 PasswordAuthentication no
1191 KerberosAuthentication no
1192 GSSAPIAuthentication no
1193 X11Forwarding no
1194 X11DisplayOffset 10
1195 PrintMotd no
1196 DebianBanner no
1197 PrintLastLog yes
1198 TCPKeepAlive yes
1199 ClientAliveInterval 0
1200 AcceptEnv LANG LC_*
1201 Subsystem sftp /usr/lib/openssh/sftp-server
1202 UsePAM yes
1203 EOF
1204 sudo service ssh restart
1205 }
1206 rule_sysctl_configure () {
1207 local -; set +f
1208 for conf in "$tool"/etc/sysctl.d/*.conf
1209 do conf=${conf#"$tool"/etc/sysctl.d/}
1210 sudo install -m 660 -o root -g root \
1211 "$tool"/etc/sysctl.d/"$conf" \
1212 /etc/sysctl.d/"$conf"
1213 done
1214 sudo sysctl --system
1215 }
1216 rule_tmpfs_configure () {
1217 sudo install -m 644 -o root -g root /dev/stdin /etc/default/tmpfs <<-EOF
1218 LOCK_SIZE=5242880 # NOTE: 5MiB
1219 RAMLOCK=yes
1220 RAMSHM=yes
1221 RAMTMP=yes
1222 RUN_SIZE=10%
1223 SHM_SIZE=
1224 TMP_MODE=1777,nr_inodes=1000k,noatime
1225 TMP_OVERFLOW_LIMIT=1024
1226 # NOTE: mount tmpfs on /tmp if there is less than the limit size (in kiB)
1227 # on the root filesystem (overriding RAMTMP).
1228 TMP_SIZE=200m
1229 TMPFS_SIZE=20%VM
1230 EOF
1231 sudo install -m 775 -o root -g root \
1232 "$tool"/etc/init.d/tmpfs \
1233 /etc/init.d/tmpfs
1234 sudo update-rc.d tmpfs defaults
1235 sudo service tmpfs restart
1236 }
1237 rule_time_configure () {
1238 sudo install -m 644 -o root -g root /dev/stdin /etc/timezone <<-EOF
1239 Europe/Paris
1240 EOF
1241 sudo debconf-set-selections <<-EOF
1242 tzdata tzdata/Areas select Europe
1243 tzdata tzdata/Zones/Europe select Paris
1244 EOF
1245 rule dpkg_reconfigure tzdata
1246 rule apt_get_install ntp
1247 }
1248 rule_user_add () { # SYNTAX: $user
1249 rule user_configure
1250 local user=$1
1251 rule adduser "$user" --disabled-password
1252 # NOTE: le mot-de-passe doit être initialisé par l'utilisateur à l'aide de passwd-init .
1253 eval local home\; home="~$user"
1254 sudo adduser "$user" users
1255 sudo install -m 640 -o root -g root \
1256 "$tool"/var/pub/ssh/"$user".key \
1257 "$home"/etc/ssh/authorized_keys
1258 local key; local -; set +f
1259 for key in "$tool"/var/pub/openpgp/*.key
1260 do sudo -u "$user" gpg --import - <"$key"
1261 done
1262 }
1263 rule_user_configure () {
1264 sudo install -m 660 -o root -g root /dev/stdin \
1265 /etc/adduser.conf <<-EOF
1266 ADD_EXTRA_GROUPS=1
1267 DHOME=/home
1268 DIR_MODE=0750
1269 DSHELL=/bin/bash
1270 EXTRA_GROUPS="users"
1271 FIRST_GID=1000
1272 FIRST_SYSTEM_GID=100
1273 FIRST_SYSTEM_UID=100
1274 FIRST_UID=1000
1275 GROUPHOMES=no
1276 LAST_GID=29999
1277 LAST_SYSTEM_GID=999
1278 LAST_SYSTEM_UID=999
1279 LAST_UID=29999
1280 LETTERHOMES=no
1281 NAME_REGEX="^[a-z][-a-z0-9_.]*\$"
1282 QUOTAUSER="" # TODO: init
1283 SETGID_HOME=no
1284 SKEL=/etc/skel
1285 SKEL_IGNORE_REGEX="dpkg-(old|new|dist|save)"
1286 USERGROUPS=yes
1287 USERS_GID=100
1288 EOF
1289 sudo install -d -m 750 -o root -g root \
1290 /etc/skel \
1291 /etc/skel/etc \
1292 /etc/skel/etc/gpg \
1293 /etc/skel/etc/ssh
1294 sudo install -d -m 770 -o root -g root \
1295 /etc/skel/var \
1296 /etc/skel/var/cache \
1297 /etc/skel/var/log \
1298 /etc/skel/var/run \
1299 /etc/skel/var/run/ssh
1300 sudo ln -fns etc/ssh /etc/skel/.ssh
1301 sudo ln -fns etc/gpg /etc/skel/.gnupg
1302 sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
1303 %sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
1304 case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
1305 ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
1306 EOF
1307 sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF
1308 %sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
1309 EOF
1310 sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/env_keep <<-EOF
1311 Defaults env_keep = " \\
1312 EDITOR \\
1313 GIT_AUTHOR_NAME \\
1314 GIT_AUTHOR_EMAIL \\
1315 GIT_COMMITTER_NAME \\
1316 GIT_COMMITTER_EMAIL \\
1317 "
1318 EOF
1319 sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF
1320 #!/bin/sh -efu
1321 # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
1322 sudo /bin/sh -e -f -u -c \
1323 'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
1324 EOF
1325 sudo install -m 644 -o root -g root \
1326 "$tool"/etc/bash.bashrc \
1327 /etc/bash.bashrc
1328 sudo install -m 644 -o root -g root \
1329 "$tool"/etc/screenrc \
1330 /etc/screenrc
1331 }
1332 rule_user_admin_add () { # SYNTAX: $user
1333 rule user_configure
1334 local user=$1
1335 rule adduser "$user" --disabled-password
1336 eval local home\; home="~$user"
1337 sudo adduser "$user" sudo
1338 sudo install -m 640 -o root -g root \
1339 "$tool"/var/pub/ssh/"$user".key \
1340 "$home"/etc/ssh/authorized_keys
1341 local key; local -; set +f
1342 for key in "$tool"/var/pub/openpgp/*.key
1343 do sudo -u "$user" gpg --import - <"$key"
1344 done
1345 rule user_admin_configure
1346 }
1347 rule_user_admin_configure () {
1348 rule initramfs_configure
1349 rule user_root_configure
1350 }
1351 rule_user_root_configure () {
1352 sudo install -d -m 750 -o root -g root \
1353 /root/etc \
1354 /root/etc/gpg \
1355 /root/etc/ssh
1356 sudo ln -fns etc/gpg /root/.gnupg
1357 sudo ln -fns etc/ssh /root/.ssh
1358 getent group sudo |
1359 while IFS=: read -r group x x users
1360 do while test -n "$users" && IFS=, read -r user users <<-EOF
1361 $users
1362 EOF
1363 do eval local home\; home="~$user"
1364 cat "$home"/etc/ssh/authorized_keys
1365 done
1366 done |
1367 sudo install -m 640 -o root -g root /dev/stdin /root/etc/ssh/authorized_keys
1368 local key; local -; set +f
1369 for key in "$tool"/var/pub/openpgp/*.key
1370 do sudo gpg --import "$key"
1371 done
1372 }
1373 rule_configure () {
1374 rule apt_configure
1375 rule git_configure
1376 rule etckeeper_configure
1377 rule locales_configure
1378 rule time_configure
1379 rule network_configure
1380 rule filesystem_configure
1381 rule login_configure
1382 rule ssh_configure
1383 rule user_root_configure
1384 rule boot_configure
1385 rule sysctl_configure
1386 rule user_configure
1387 rule mail_configure
1388 rule www_configure
1389 rule php5_fpm_configure
1390 rule nginx_configure
1391 #rule apache2_configure
1392 rule gitolite_configure
1393 rule runit_configure
1394 }
1395
1396 rule_luks_key_change () {
1397 sudo cryptsetup luksChangeKey /dev/$vm_lvm_vg/${vm_lvm_lv}_root
1398 }
1399
1400 rule=${1:-help}
1401 ${1+shift}
1402 case $rule in
1403 (help);;
1404 (*)
1405 assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
1406 ;;
1407 esac
1408 rule $rule "$@"
outils d'administration d'ateliers.heureux-cyclage.org