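#!/bin/sh
# Utility rules for the workshop ("ateliers") VM, run from inside the guest.
#
# Usage: ateliers_vm RULE [ARGS...]     (RULE defaults to "help")
# Environment:
#   DRY_RUN  when set, the shell only parses the script (set -n) and executes nothing
#   TRACE    when set, commands are echoed before execution (set -x)
#
# Every rule_* function is both the implementation and its documentation:
# rule_help extracts the "rule_NAME () { # SYNTAX: ..." header lines of this
# file with sed, so each rule must keep that exact one-line header form.
set -e -f ${DRY_RUN:+-n} -u
# Directory holding this script and its companions (env.sh, inc.sh, key/).
# NOTE(review): ${0%/*} only works when the script is invoked with a path
# component; a bare name found via PATH would leave $tool equal to $0.
tool=${0%/*}
# env.sh presumably defines the readonly $vm, $vm_ipv4, $vm_lsb_name and
# $vm_arch used below; inc.sh presumably defines mk_reg / mk_dir
# (mod=MODE own=OWNER [--append] PATH, file content on stdin) — confirm.
. "$tool"/env.sh
. "$tool"/inc.sh

rule_help () {
	# Help goes to stderr; the two sed calls pull the rule list and the
	# readonly environment variables out of the scripts themselves.
	cat >&2 <<-EOF
	DESCRIPTION:
	ce script regroupe des fonctions utilitaires pour gérer la VM des ateliers
	_depuis_ la VM hébergée ; il sert à la fois d'outil et de documentation.
	Voir \`$tool/ateliers_host' pour les utilitaires côté machine hôte.
	SYNTAX:
	$0 \$RULE \${RULE}_SYNTAX
	RULES:
	$(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$0")
	ENVIRONMENT:
	TRACE # affiche les commandes avant leur exécution
	DRY_RUN # ne fait que vérifier la syntaxe (set -n), n'exécute rien
	$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/env.sh "$0")
	EOF
}

rule_filesystem_init () {
	# Appended only once, with the same grep guard used for /etc/hosts below,
	# so repeated runs do not stack duplicate entries.
	# NOTE(review): the sysctl comment is kept on its own line because
	# sysctl(8) may not strip a trailing comment from a value — confirm
	# against the original layout.
	grep -q '^vm\.swappiness' /etc/sysctl.conf ||
	mk_reg mod= own= --append /etc/sysctl.conf <<-EOF
	# NOTE: n'utilise le swap qu'en cas d'absolue nécessité
	vm.swappiness = 10
	vm.vfs_cache_pressure=50
	EOF
}

rule_filesystem_unmount () {
	# TODO: not implemented yet. The ':' keeps the body non-empty, since an
	# empty "{ }" is a syntax error in sh and would break the whole script.
	:
}

rule_shell_source () {
	# Loads /etc/profile into the current shell process.
	# NOTE(review): a child process cannot change its parent's environment,
	# so this presumably only matters when this file is sourced — confirm.
	. /etc/profile
}

rule_network_init () {
	mk_reg mod= own= /etc/hostname <<-EOF
	$vm
	EOF
	# Add the hosts entry only once; the "\$" is the regex end anchor, not
	# a shell expansion.
	grep -q " $vm\$" /etc/hosts ||
	mk_reg mod= own= --append /etc/hosts <<-EOF
	127.0.0.1 $vm.local $vm
	EOF
	# Single /32 address; $vm_ipv4 is expanded now, \$IFACE is left for
	# ifupdown to expand at ifup/ifdown time.
	# NOTE(review): the TODO comment is kept on its own line so it cannot
	# become part of the mtu value — confirm against the original layout.
	mk_reg mod= own= /etc/network/interfaces <<-EOF
	auto lo
	iface lo inet loopback

	auto eth0=grenode
	iface grenode inet static
	address $vm_ipv4
	gateway $vm_ipv4
	# NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
	network $vm_ipv4
	broadcast $vm_ipv4
	netmask 255.255.255.255
	# TODO: voir si c'est nécessaire à Lyon
	mtu 1300
	up ip address add $vm_ipv4/32 dev \$IFACE
	down ip address delete $vm_ipv4/32 dev \$IFACE
	EOF
}

rule_apt_init () {
	mk_reg mod= own= /etc/apt/sources.list <<-EOF
	deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
	EOF
	# Third-party flat repository ("./"); apt will refuse or warn about it
	# unless its Release file is signed by a key the VM trusts.
	mk_reg mod= own= /etc/apt/sources.list.d/openerp.list <<-EOF
	deb http://nightly.openerp.com/trunk/nightly/deb/ ./
	EOF
	mk_reg mod= own= /etc/apt/sources.list.d/$vm_lsb_name-backports.list <<-EOF
	deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
	EOF
	# Backports (200) are pinned above the release (170); stanzas must stay
	# separated by a blank line.
	mk_reg mod= own= /etc/apt/preferences <<-EOF
	Package: *
	Pin: release a=$vm_lsb_name
	Pin-Priority: 170

	Package: *
	Pin: release a=$vm_lsb_name-backports
	Pin-Priority: 200
	EOF
}

rule_boot_init () {
	# /tmp is a size-limited tmpfs mounted nosuid,nodev; root, /var and /home
	# live on the LUKS mappings set up in /etc/crypttab below.
	mk_reg mod= own= /etc/fstab <<-EOF
	# LABEL=boot /boot ext2 defaults,no-auto 0 0
	proc /proc proc defaults 0 0
	sysfs /sys sysfs defaults 0 0
	tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
	/dev/mapper/${vm}_root_deciphered / ext4 defaults,errors=remount-ro,acl,noatime 0 1
	/dev/mapper/${vm}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,noatime 0 1
	/dev/mapper/${vm}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,noatime,usrquota,grpquota 0 0
	/dev/mapper/${vm}_swap_deciphered swap swap sw 0 0
	EOF
	# The root mapping stays commented (opened by the initramfs); var, swap
	# and home derive their key from the unlocked root volume with
	# decrypt_derived, so a single passphrase is entered at boot.
	mk_reg mod= own= /etc/crypttab <<-EOF
	# ${vm}_root_deciphered LABEL=${vm}_root ${vm}_root luks
	${vm}_var_deciphered LABEL=${vm}_var ${vm}_root_deciphered luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	${vm}_swap_deciphered LABEL=${vm}_swap ${vm}_root_deciphered luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	${vm}_home_deciphered LABEL=${vm}_home ${vm}_root_deciphered luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	EOF
	# Crypto modules the initramfs needs to open the root volume.
	mk_reg mod= own= /etc/initramfs-tools/modules <<-EOF
	#loop
	sha1_generic
	sha256_generic
	sha512_generic
	aes-x86_64
	xts
	EOF
	# Appended (not replaced) so the distribution defaults are kept; guarded
	# so repeated runs do not stack duplicate GRUB_CMDLINE_LINUX lines.
	grep -q "resume=/dev/mapper/${vm}_swap_deciphered" /etc/default/grub ||
	mk_reg mod= own= --append /etc/default/grub <<-EOF
	GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 resume=/dev/mapper/${vm}_swap_deciphered"
	EOF
}

rule_user_admin_add () { # SYNTAX: admin=$1
	# Creates a sudo-capable account whose SSH key is taken from
	# $tool/key/ADMIN.ssh.pub. Fails (set -u) when no user name is given.
	admin=${1:?admin}
	# Create the account only when it does not exist yet; adduser errors out
	# on an existing user.
	# NOTE(review): the source read `! id "$admin" || adduser "$admin"`, which
	# would run adduser when the user already exists; create-if-missing is
	# assumed to be the intent — confirm.
	id "$admin" >/dev/null 2>&1 || adduser "$admin"
	adduser "$admin" sudo
	# Home directory from the passwd database rather than eval'ing "~$admin":
	# eval would execute any shell metacharacters in the name as code.
	home=$(getent passwd "$admin" | cut -d : -f 6)
	if [ -z "$home" ]; then
		printf 'rule_user_admin_add: no home directory found for %s\n' "$admin" >&2
		return 1
	fi
	# Matches "AuthorizedKeysFile %h/etc/ssh/authorized_keys" written by
	# rule_users_init; StrictModes there requires these directories not to
	# be group- or world-writable.
	mk_dir mod=0750 own="$admin:$admin" "$home"/etc
	mk_dir mod=0700 own="$admin:$admin" "$home"/etc/ssh
	mk_reg mod=0400 own="$admin:$admin" "$home"/etc/ssh/authorized_keys <"$tool"/key/"$admin".ssh.pub
}

rule_users_init () {
	# Key-only SSH: password, challenge-response and root login are off,
	# keys are read from the per-user etc/ssh directory created by
	# rule_user_admin_add, and sshd listens on the VM address only.
	# NOTE(review): Protocol, ServerKeyBits, KeyRegenerationInterval,
	# RSAAuthentication, RhostsRSAAuthentication and UsePrivilegeSeparation
	# are SSH-1/legacy options that current OpenSSH ignores with a warning;
	# mode 0664 is also wider than the usual 0644 for this file — confirm.
	mk_reg mod=0664 own=root:root /etc/ssh/sshd_config <<-EOF
	ListenAddress $vm_ipv4
	#ListenAddress ::
	Port 22
	Protocol 2
	Compression yes
	HostKey /etc/ssh/ssh_host_rsa_key
	UsePrivilegeSeparation yes
	KeyRegenerationInterval 3600
	ServerKeyBits 768
	SyslogFacility AUTH
	LogLevel INFO
	LoginGraceTime 120
	PermitRootLogin no
	StrictModes yes
	RSAAuthentication yes
	PubkeyAuthentication yes
	AuthorizedKeysFile %h/etc/ssh/authorized_keys
	IgnoreRhosts yes
	RhostsRSAAuthentication no
	HostbasedAuthentication no
	IgnoreUserKnownHosts no
	PermitEmptyPasswords no
	ChallengeResponseAuthentication no
	PasswordAuthentication no
	KerberosAuthentication no
	GSSAPIAuthentication no
	X11Forwarding no
	X11DisplayOffset 10
	PrintMotd no
	DebianBanner no
	PrintLastLog yes
	TCPKeepAlive yes
	ClientAliveInterval 0
	AcceptEnv LANG LC_*
	Subsystem sftp /usr/lib/openssh/sftp-server
	UsePAM yes
	EOF
	# sudoers matches the complete argument string, so this NOPASSWD entry
	# covers exactly one /bin/sh -c command: set the caller's own password,
	# and only while passwd --status reports the account as locked ("L").
	# The same string is repeated in /usr/local/sbin/passwd-init below and
	# the two must stay byte-identical. "\$" keeps the expansion for the
	# runtime shell; the backslash-newline is removed by the heredoc, so the
	# file receives a single line.
	mk_reg mod=0440 own=root:root /etc/sudoers.d/passwd-init <<-EOF
	%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \
	case \$(/usr/bin/passwd --status "\$SUDO_USER") in \
	("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
	EOF
	mk_reg mod=0440 own=root:root /etc/sudoers.d/etckeeper-unclean <<-EOF
	%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
	EOF
	# User-facing wrapper around the sudoers entry above.
	mk_reg mod=0555 own=root:root /usr/local/sbin/passwd-init <<-EOF
	#!/bin/sh
	sudo /bin/sh -e -f -u -c \
	'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
	EOF
}

rule_kernel_init () {
	# Quoted so an unexpected value in $vm_arch cannot split into extra
	# package names.
	sudo apt-get install --reinstall "linux-image-$vm_arch"
}

# Dispatch: the first argument names the rule (default: help), the remaining
# arguments are passed to it.
rule=${1:-help}
[ $# -eq 0 ] || shift
# Unknown rules print the help instead of a bare "command not found".
command -v "rule_$rule" >/dev/null 2>&1 || { rule_help; exit 2; }
# Enable xtrace only when TRACE is set. The former `set "${TRACE:+-x}"`
# replaced the positional parameters with a single empty string whenever
# TRACE was unset, so every rule received "" as its first argument.
set ${TRACE:+-x} -- "$@"
"rule_$rule" "$@"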