#!/bin/sh
# vm_hosted: administration "rules" for this VM, to be run from inside the VM
# itself (the French help text printed by rule_help is the author's own
# description). Every rule is a shell function named rule_<name>, run through
# `rule <name> [args]`; `rule`, `assert` and `warn` are not defined in this
# file — presumably they come from lib/rule.sh, sourced just below. Rules whose
# name starts with rule__ are hidden from the default help listing. The vm_*
# variables used throughout ($vm, $vm_fqdn, $vm_domainname, $vm_hostname,
# $vm_ipv4, $vm_lsb_name, $vm_arch, $vm_lvm_vg, $vm_lvm_lv, $vm_host) are not
# set here — presumably by etc/vm.sh, whose `readonly` lines rule_help lists.
# Environment: DRY_RUN (any non-empty value) turns on `set -n`, so the shell
# only parses the script and executes nothing; TRACE is described by the help
# text — presumably honoured by lib/rule.sh.
#
# NOTE(review): this copy of the file is corrupted in the middle; see the note
# above rule_dovecot_configure before relying on anything after it.
#
# -e: stop on the first failing command; -f: no globbing (a few rules re-enable
# it locally with `local -; set +f`); -u: unset variables are errors.
set -e -f ${DRY_RUN:+-n} -u
# Locate the script's own directory, following symlinks (rule_git_configure
# installs the script as /usr/local/sbin/vm and /usr/local/sbin/vm_hosted).
# A relative readlink result is taken as-is, not re-anchored to the link's
# directory — fine for the absolute links git_configure creates.
tool=$0
while test -L "$tool"
do tool=$(readlink "$tool")
done
tool=${tool%/*}
. "$tool"/lib/rule.sh
. "$tool"/etc/vm.sh

# Prints the help text on stderr. The RULES list is extracted with sed from the
# `rule_<name> () { # ...` definition lines of etc/vm.sh and of this file, so
# the trailing `# SYNTAX:` comment on a definition line is part of the output
# (do not move those comments). ENVIRONMENT lists the `readonly` variables of
# both files the same way.
rule_help () { # SYNTAX: [--hidden]
	local hidden; [ ${1:+set} ] || hidden=set
		# no argument → $hidden is set and the sed pattern excludes rule__*
		# (names whose first character after rule_ is an underscore);
		# any argument (e.g. --hidden) lists them too.
	cat >&2 <<-EOF
	DESCRIPTION: ce script regroupe des règles pour administrer la VM ($vm_fqdn)
	 _depuis_ la VM hébergée ($vm_fqdn) ;
	 il sert à la fois d'outil (aisément bidouillable) et de documentation (préçise).
	 Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
	SYNTAX: $0 \$RULE \${RULE}_SYNTAX
	RULES:
	$(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
	ENVIRONMENT:
	 TRACE # affiche les commandes avant leur exécution
	$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
	EOF
	}

# Makes the checkout in $tool track refs/remotes/master and links the script
# into /usr/local/sbin. Runs in a subshell so the cd does not leak.
rule_git_configure () {
	(
	cd "$tool"
	git config --replace branch.master.remote .
	git config --replace branch.master.merge refs/remotes/master
	# Shadows the global $tool inside this subshell only: `cd -` prints the
	# directory it returns to, which turns a relative $tool into an absolute
	# path for the symlinks below.
	local tool
	tool=$(cd "$tool"; cd -)
	sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/
	sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/vm
	)
	}

# Hard-resets the checkout in $tool to refs/remotes/master and removes every
# untracked and ignored file (git clean -x).
rule_git_reset () {
	(
	cd "$tool"
	git checkout -f -B master remotes/master
	git clean -f -d -x
	)
	}

# Installs the given package(s) unless the FIRST one is already installed
# according to dpkg. Note that only $1 is checked: when it is installed, the
# remaining arguments are not installed either.
rule_apt_get_install () { # SYNTAX: $package
	case $(dpkg -s "$1" 2>/dev/null | grep '^Status: ') in
	 ("Status: install ok installed");;
	 (*)
		# If etckeeper is present and /etc has uncommitted changes, only warn:
		# apt's etckeeper hook may refuse to run, in which case the user
		# commits and re-runs the rule.
		test ! -x /usr/bin/etckeeper ||
		! sudo etckeeper unclean ||
		warn "/etc unclean: etckeeper may force you to \`etckeeper commit'; then you can run your $0 command again."
		sudo apt-get install "$@";;
	esac
	}

# Hidden rule (rule__ prefix): minimal environment for use inside a chroot.
rule__chrooted_configure () {
	# NOTE: is this actually useful at any point?
	export LANG=C
	export LC_CTYPE=C
	. /etc/profile
	}

# Writes the APT sources, pinning and apticron configuration, then refreshes
# the package lists.
rule_apt_configure () {
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
	deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
	EOF
	# NOTE(review): this file is written to /etc/apt/, not /etc/apt/sources.list.d/,
	# so APT does not read it (its only line is commented out anyway).
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF
	#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
	EOF
	# NOTE(review): backports are pinned higher (200) than the release (170),
	# the opposite of the usual convention — moot while the backports source
	# above stays disabled; confirm the intent before enabling it.
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
	Package: *
	Pin: release a=$vm_lsb_name
	Pin-Priority: 170

	Package: *
	Pin: release a=$vm_lsb_name-backports
	Pin-Priority: 200
	EOF
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
	deb http://nightly.openerp.com/trunk/nightly/deb/ ./
	EOF
	sudo apt-get update
	rule apt_get_install apticron
	sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF
	EMAIL="admin@$vm_domainname"
	# DIFF_ONLY="1"
	# LISTCHANGES_PROFILE="apticron"
	# ALL_FQDNS="1"
	# SYSTEM="foobar.example.com"
	# IPADDRESSNUM="1"
	# IPADDRESSES=" 2001:db8:1:2:3::1"
	# NOTIFY_HOLDS="0"
	# NOTIFY_NEW="0"
	# NOTIFY_NO_UPDATES="0"
	# CUSTOM_SUBJECT=""
	# CUSTOM_NO_UPDATES_SUBJECT=""
	# CUSTOM_FROM="root@$vm_fqdn"
	EOF
	}

# Installs GRUB and the kernel, writes /etc/default/grub and the device map for
# the Xen disk, then rebuilds the GRUB configuration and the initramfs.
rule_boot_configure () {
	warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
	rule apt_get_install grub-pc
	# NOTE(review): mode 644 on a directory has no search (x) bit; root is not
	# affected, but 755 is presumably what was meant.
	sudo install -d -m 644 -o root -g root /boot/grub
	rule apt_get_install linux-image-$vm_arch
	# NOTE(review): the kernel's ip= parameter is documented as
	# client:server:gw:netmask:hostname:device:autoconf; the value below looks
	# one field short (no netmask), so "eth0" may land in the hostname slot —
	# confirm against the running initramfs. Also, resume= uses ${vm}_swap_deciphered
	# whereas crypttab below names the volume ${vm_lvm_lv}_swap_deciphered;
	# they only agree if $vm and $vm_lvm_lv are equal.
	sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF
	GRUB_DEFAULT=0
	GRUB_TIMEOUT=5
	GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
	GRUB_CMDLINE_LINUX_DEFAULT="quiet"
	GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
	GRUB_DISABLE_RECOVERY="true"
	#GRUB_PRELOAD_MODULES="lvm"
	EOF
	# Both names map to hd0: the raw Xen disk and its device-mapper name
	# (dashes are doubled in dm names, hence the sed).
	sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF
	(hd0) /dev/xvda
	(hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
	EOF
	sudo update-grub2 # NOTE: takes /boot/grub/device.map into account
	rule initramfs_configure
	}

# NOTE(review): this copy of the file appears truncated/garbled inside the
# dovecot local.conf here-document below: the text jumps from "ssl_ca =" straight
# into what look like /etc/fstab entries (LABEL=..._boot /boot ext2 ..., the
# ..._deciphered ext4 lines), and the rules rule_etckeeper_configure and
# rule_filesystem_configure that rule_configure invokes are not defined anywhere
# in this copy. The crypttab and sysctl writes that follow the here-document
# most likely belong to the missing rule_filesystem_configure, not to dovecot.
# The text is kept exactly as found; restore it from the repository before
# running this rule.
#
# Intended purpose (as far as the surviving text shows): install dovecot
# (imap + sieve), require the IMAP private key sent beforehand by vm_remote,
# install the self-signed certificate, create per-user mail/sieve skeleton
# directories and the quota-free index/control directories, and write
# /etc/dovecot/local.conf.
rule_dovecot_configure () {
	rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
	local hint="run vm_remote dovecot_key_send before"
	assert "test -f /etc/dovecot/$vm_domainname/imap/x509/key.pem" hint
	sudo install -m 400 -o root -g root \
	 "$tool"/var/pub/x509/service/imap/crt+crl.self-signed.pem \
	 /etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
	sudo install -d -m 770 -o root -g adm \
	 /etc/skel/etc/mail \
	 /etc/skel/etc/sieve
	# World-writable with the sticky bit: each user's index/control directory is
	# created under these by dovecot itself (%u in mail_location below).
	sudo install -d -m 1777 -o root -g root \
	 /var/lib/dovecot-control \
	 /var/lib/dovecot-index
	sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
	auth_ssl_username_from_cert = yes
	listen = *
	log_timestamp = "%Y-%m-%d %H:%M:%S "
	mail_debug = yes
	mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
	# NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
	# VOIR: http://wiki2.dovecot.org/Quota/FS
	mail_plugins = \$mail_plugins quota
	mail_privileged_group = mail
	passdb {
	args = /home/%u/etc/dovecot/passwd
	driver = passwd-file
	}
	plugin {
	quota = fs:user
	recipient_delimiter = +
	sieve = ~/etc/mail/filter.sieve
	sieve_dir = ~/etc/mail/sieve
	sieve_global_dir = /var/lib/dovecot/sieve/global/
	sieve_max_script_size = 1M
	sieve_quota_max_scripts = 0
	sieve_quota_max_storage = 10M
	sieve_user_log = ~/var/log/mail/sieve.log
	}
	protocol imap {
	mail_plugins = \$mail_plugins imap_quota
	}
	protocol lda {
	auth_socket_path = /var/run/dovecot/auth-master
	hostname = $vm_domainname
	info_log_path =
	log_path =
	mail_plugins = \$mail_plugins sieve
	postmaster_address = contact+dovecot+lda@$vm_domainname
	syslog_facility = mail
	}
	protocols = imap sieve
	service auth {
	user = root
	unix_listener /var/spool/postfix/private/auth {
	mode = 0660
	user = postfix
	group = postfix
	}
	}
	ssl_ca =
	LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
	proc /proc proc defaults 0 0
	sysfs /sys sysfs defaults 0 0
	tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
	/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
	/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
	/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
	# NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
	/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
	EOF
	# Only the root volume is unlocked with a passphrase; var, home and swap are
	# unlocked with a key derived from it (decrypt_derived), which is why
	# rule_luks_key_change only touches the root volume.
	sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF
	# ${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
	${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	EOF
	# NOTE(review): sysctl.conf(5) only treats whole lines starting with # as
	# comments; the trailing comment on the vm.swappiness line may be passed as
	# part of the value — check with `sysctl -p /etc/sysctl.d/local-swap.conf`.
	sudo install -m 644 -o root -g root /dev/stdin /etc/sysctl.d/local-swap.conf <<-EOF
	vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité
	vm.vfs_cache_pressure=50
	EOF
	}

# Configures the initramfs for a Xen PV guest with an early dropbear SSH
# server: kernel modules, network device, the dropbear host key, and the
# authorized_keys that unlock the box remotely (every member of the sudo group).
rule_initramfs_configure () {
	sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
	MODULES=most
	BUSYBOX=y
	KEYMAP=y
	COMPRESS=gzip
	DEVICE=eth0
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/modprobe.d/xen-pv.conf <<-EOF
	alias eth0 xennet
	alias scsi_hostadapter xenblk
	EOF
	# Crypto modules needed to unlock the LUKS volumes at boot.
	sudo install -m 644 -o root -g root /dev/stdin /etc/modules <<-EOF
	sha1_generic
	sha256_generic
	sha512_generic
	aes-x86_64
	xts
	# NOTE: pour Xen en mode HVM :
	#modprobe xen-platform-pci
	EOF
	# Deliberately empty.
	sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF
	EOF
	sudo sed -e '/^configure_networking /s/ &$//' \
	 -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
	 # NOTE: works around a bug: dropbear must wait for the network to be configured.
	# Regenerate the initramfs dropbear host key only when the repository's
	# known_hosts has no entry for init.$vm_fqdn. The subshell returns 0 as soon
	# as a matching line ending in " RSA" is read (presumably a trailing comment
	# field in that known_hosts — confirm); `return` leaves the subshell, so the
	# `break` after it is never reached.
	ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	(
	while IFS= read -r line
	do case $line in
		(*" RSA") return 0; break;;
		esac
	done; return 1
	) ||
	{
	sudo rm -f \
	 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
	 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
	sudo dropbearkey -t rsa -s 4096 -f \
	 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
	}
	 # NOTE: does not bother with dropbear_dss_host_key; Debian generates and uses it anyway.
	# NOTE(review): mode 640 on directories has no search (x) bit; root (and the
	# initramfs build) still traverse them, but 750/700 is presumably the intent.
	sudo install -d -m 640 -o root -g root \
	 /etc/initramfs-tools/root \
	 /etc/initramfs-tools/root/.ssh
	# Concatenate the authorized_keys of every member of the sudo group (the
	# comma-separated member list is consumed one name at a time; `eval` turns
	# ~$user into the account's home directory). Member names come from the
	# root-managed group database via getent.
	getent group sudo |
	while IFS=: read -r group x x users
	do while test -n "$users" && IFS=, read -r user users <<-EOF
		$users
		EOF
	   do eval local home\; home="~$user"
	      cat "$home"/etc/ssh/authorized_keys
	   done
	done |
	sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys
	sudo rm -f \
	 /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
	 /etc/initramfs-tools/root/.ssh/id_rsa.pub \
	 /etc/initramfs-tools/root/.ssh/id_rsa
	 # NOTE: keys generated by Debian
	sudo update-initramfs -u
	}

# NOTE(review): `update-locale` sets /etc/default/locale; it is `locale-gen`
# that compiles the locales listed in /etc/locale.gen — confirm the intent.
rule_locale_configure () {
	sudo install -m 644 -o root -g root /dev/stdin /etc/locale.gen <<-EOF
	fr_FR.UTF-8 UTF-8
	EOF
	sudo update-locale
	}

# Allows root login on the Xen consoles (hvc0/xvc0), writes inittab with a getty
# on hvc0, writes login.defs, and enables pam_umask. The grep guards make the
# securetty and common-session appends idempotent (each pattern matches exactly
# the line the rule appends).
rule_login_configure () {
	grep -q '^hvc0$' /etc/securetty ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
	$(cat /etc/securetty)
	hvc0
	EOF
	grep -q '^xvc0$' /etc/securetty ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
	$(cat /etc/securetty)
	xvc0
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF
	# /etc/inittab: init(8) configuration.

	# The default runlevel.
	id:2:initdefault:

	# Boot-time system configuration/initialization script.
	# This is run first except when booting in emergency (-b) mode.
	si::sysinit:/etc/init.d/rcS

	# What to do in single-user mode.
	~~:S:wait:/sbin/sulogin

	# /etc/init.d executes the S and K scripts upon change
	# of runlevel.
	#
	# Runlevel 0 is halt.
	# Runlevel 1 is single-user.
	# Runlevels 2-5 are multi-user.
	# Runlevel 6 is reboot.

	l0:0:wait:/etc/init.d/rc 0
	l1:1:wait:/etc/init.d/rc 1
	l2:2:wait:/etc/init.d/rc 2
	l3:3:wait:/etc/init.d/rc 3
	l4:4:wait:/etc/init.d/rc 4
	l5:5:wait:/etc/init.d/rc 5
	l6:6:wait:/etc/init.d/rc 6
	# Normally not reached, but fallthrough in case of emergency.
	z6:6:respawn:/sbin/sulogin

	# What to do when CTRL-ALT-DEL is pressed.
	ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

	# What to do when the power fails/returns.
	pf::powerwait:/etc/init.d/powerfail start
	pn::powerfailnow:/etc/init.d/powerfail now
	po::powerokwait:/etc/init.d/powerfail stop

	# Xen hypervisor console
	hvc:2345:respawn:/sbin/getty 38400 hvc0
	#xvc:2345:respawn:/sbin/getty 38400 xvc0
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF
	MAIL_DIR /var/mail
	FAILLOG_ENAB yes
	LOG_UNKFAIL_ENAB no
	LOG_OK_LOGINS no
	SYSLOG_SU_ENAB yes
	SYSLOG_SG_ENAB yes
	FTMP_FILE /var/log/btmp
	SU_NAME su
	HUSHLOGIN_FILE .hushlogin
	ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
	ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
	# NOTE: met les sbin/ dans ENV_PATH ;
	# - ça n'apporte aucune protection de ne pas les mettre ;
	# - ça frustre de ne pas les trouver.
	TTYGROUP tty
	TTYPERM 0600
	ERASECHAR 0177
	KILLCHAR 025
	UMASK 007
	# NOTE: rwxrwx--- ;
	# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
	# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
	PASS_MAX_DAYS 99999
	PASS_MIN_DAYS 0
	PASS_WARN_AGE 7
	UID_MIN 1000
	UID_MAX 60000
	GID_MIN 1000
	GID_MAX 60000
	LOGIN_RETRIES 3
	LOGIN_TIMEOUT 60
	CHFN_RESTRICT rwh
	DEFAULT_HOME yes
	USERGROUPS_ENAB yes
	ENCRYPT_METHOD SHA512
	EOF
	grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF
	$(cat /etc/pam.d/common-session)
	session optional pam_umask.so
	EOF
	}

# Installs procmail and the per-user mail skeleton (directories plus the
# delivery recipe shipped in the repository).
rule_procmail_configure () {
	rule apt_get_install procmail
	sudo install -d -m 770 -o root -g adm \
	 /etc/skel/etc/mail \
	 /etc/skel/var/cache/mail \
	 /etc/skel/var/log/mail \
	 /etc/skel/var/mail
	sudo install -m 660 -o root -g adm \
	 "$tool"/etc/skel/etc/mail/delivery.procmailrc \
	 /etc/skel/etc/mail/delivery.procmailrc
	}

rule_postgrey_configure () {
	rule apt_get_install postgrey
	sudo service postgrey restart
	}

# Installs postfix and deploys its certificates, main.cf/master.cf and lookup
# tables from the repository, then restarts it.
# NOTE(review): unlike the other rules, the source paths here (var/pub/...,
# etc/postfix/..., etc/aliases) are relative to the current directory rather
# than "$tool"/..., so this rule presumably only works when run from $tool.
# The `install -d` block below is present twice and
# crt+crl.self-signed.pem is installed twice — harmless but redundant.
# NOTE(review): the 770 root:root directories cannot be traversed by the
# unprivileged postfix daemons unless the maps are reached via proxymap —
# confirm against main.cf/master.cf (not shown here).
rule_postfix_configure () {
	local hint="run vm_remote postfix_key_send before"
	assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
	warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
	rule apt_get_install postfix
	sudo install -d -m 770 -o root -g root \
	 /etc/postfix/$vm_domainname/ \
	 /etc/postfix/$vm_domainname/smtp \
	 /etc/postfix/$vm_domainname/smtp/x509 \
	 /etc/postfix/$vm_domainname/smtp/x509/ca \
	 /etc/postfix/$vm_domainname/smtpd \
	 /etc/postfix/$vm_domainname/smtpd/x509 \
	 /etc/postfix/$vm_domainname/smtpd/x509/ca
	sudo install -d -m 770 -o root -g root \
	 /etc/postfix/$vm_domainname/ \
	 /etc/postfix/$vm_domainname/smtp \
	 /etc/postfix/$vm_domainname/smtp/x509 \
	 /etc/postfix/$vm_domainname/smtp/x509/ca \
	 /etc/postfix/$vm_domainname/smtpd \
	 /etc/postfix/$vm_domainname/smtpd/x509 \
	 /etc/postfix/$vm_domainname/smtpd/x509/ca
	sudo ln -fns \
	 ../crt+crl.self-signed.pem \
	 /etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
	sudo install -m 400 -o root -g root \
	 var/pub/x509/service/smtpd/crt+crl.self-signed.pem \
	 /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
	sudo install -m 400 -o root -g root \
	 var/pub/x509/service/smtpd/crt.pem \
	 /etc/postfix/$vm_domainname/smtpd/x509/crt.pem
	sudo install -m 400 -o root -g root \
	 var/pub/x509/service/smtpd/crt+root.pem \
	 /etc/postfix/$vm_domainname/smtpd/x509/crt+root.pem
	sudo install -m 400 -o root -g root \
	 var/pub/x509/service/smtpd/crt+crl.self-signed.pem \
	 /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
	sudo install -m 660 -o root -g root \
	 etc/postfix/$vm_domainname/header_checks \
	 /etc/postfix/$vm_domainname/header_checks
	sudo install -m 664 -o root -g root \
	 etc/aliases \
	 /etc/aliases
	sudo newaliases
	# main.cf = the host-specific settings below, followed by the repository's
	# generic main.cf (cat reads the here-document, then the file).
	cat /dev/stdin etc/postfix/main.cf <<-EOF |
	mydomain = $vm_domainname
	myorigin = \$mydomain
	myhostname = $vm_hostname.\$mydomain
	mail_name = \$myhostname
	mydestination = $vm_hostname \$myhostname \$myorigin
	EOF
	sudo install -m 664 -o root -g root /dev/stdin \
	 /etc/postfix/main.cf
	sudo install -m 664 -o root -g root \
	 etc/postfix/master.cf \
	 /etc/postfix/master.cf
	# Each hash: table is rebuilt with postmap right after it is installed.
	sudo install -m 660 -o root -g root \
	 etc/postfix/$vm_domainname/smtp/x509/policy \
	 /etc/postfix/$vm_domainname/smtp/x509/policy
	sudo postmap hash:/etc/postfix/$vm_domainname/smtp/x509/policy
	sudo install -m 660 -o root -g root \
	 etc/postfix/$vm_domainname/smtp/header_checks \
	 /etc/postfix/$vm_domainname/smtp/header_checks
	sudo install -m 660 -o root -g root \
	 etc/postfix/$vm_domainname/smtpd/sender_access \
	 /etc/postfix/$vm_domainname/smtpd/sender_access
	sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/sender_access
	sudo install -m 660 -o root -g root \
	 etc/postfix/$vm_domainname/smtpd/client_blacklist \
	 /etc/postfix/$vm_domainname/smtpd/client_blacklist
	sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/client_blacklist
	sudo install -m 660 -o root -g root \
	 etc/postfix/$vm_domainname/smtpd/relay_clientcerts \
	 /etc/postfix/$vm_domainname/smtpd/relay_clientcerts
	sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/relay_clientcerts
	sudo install -m 660 -o root -g root \
	 etc/postfix/$vm_domainname/transport \
	 /etc/postfix/$vm_domainname/transport
	sudo postmap hash:/etc/postfix/$vm_domainname/transport
	sudo install -m 660 -o root -g root \
	 etc/postfix/$vm_domainname/virtual_alias \
	 /etc/postfix/$vm_domainname/virtual_alias
	sudo postmap hash:/etc/postfix/$vm_domainname/virtual_alias
	sudo service postfix restart
	}

# The whole mail stack, in dependency order.
rule_mail_configure () {
	rule postfix_configure
	rule postgrey_configure
	rule procmail_configure
	rule dovecot_configure
	}

# Hostname, /etc/hosts entry (appended once) and the static network interface.
# NOTE(review): address-like literals seem to have been stripped from this copy
# of the file: `netmask` below has no value, and the addresses in the quoted
# ping transcript are missing too — restore them from the repository.
rule_network_configure () {
	sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
	$vm
	EOF
	grep -q " $vm\$" /etc/hosts ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/hosts <<-EOF
	$(cat /etc/hosts)
	$vm_fqdn $vm
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF
	auto lo
	iface lo inet loopback

	auto eth0=grenode
	iface grenode inet static
	address $vm_ipv4
	gateway $vm_ipv4
	# NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
	network $vm_ipv4
	broadcast $vm_ipv4
	netmask
	mtu 1300
	# NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
	# car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
	#
	# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
	# PING soupirail.grenode.net ( 1272(1300) bytes of data.
	# 1280 bytes from soupirail.grenode.net ( icmp_req=1 ttl=63 time=18.0 ms
	#
	# --- soupirail.grenode.net ping statistics ---
	# 1 packets transmitted, 1 received, 0% packet loss, time 0ms
	# rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
	# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
	# PING soupirail.grenode.net ( 1273(1301) bytes of data.
	# From estran.grenode.net ( icmp_seq=1 Frag needed and DF set (mtu = 1300)
	#
	# --- soupirail.grenode.net ping statistics ---
	# 0 packets transmitted, 0 received, +1 errors
	post-up ip address add $vm_ipv4/32 dev \$IFACE
	pre-down ip address delete $vm_ipv4/32 dev \$IFACE
	EOF
	}

# Host key and sshd_config. The RSA host key is regenerated only when the
# repository's known_hosts has no entry for $vm_fqdn (same detection as in
# rule_initramfs_configure: a line ending in " RSA" — confirm that this is how
# that file is written). DSA/ECDSA keys generated by Debian are removed so that
# only the RSA key is offered.
rule_ssh_configure () {
	ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	(
	while IFS= read -r line
	do case $line in
		(*" RSA") return 0; break;;
		esac
	done; return 1
	) ||
	sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
	sudo rm -f \
	 /etc/ssh/ssh_host_dsa_key \
	 /etc/ssh/ssh_host_dsa_key.pub \
	 /etc/ssh/ssh_host_ecdsa_key \
	 /etc/ssh/ssh_host_ecdsa_key.pub
	 # NOTE: keys generated by Debian
	# NOTE(review): with PasswordAuthentication no, "PermitRootLogin yes" means
	# root is reachable by key only (the keys rule_user_root_configure collects);
	# `PermitRootLogin prohibit-password` (older releases: without-password)
	# states that intent explicitly. KeyRegenerationInterval, ServerKeyBits and
	# RSAAuthentication only concern protocol 1, which "Protocol 2" disables.
	sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
	Port 22
	ListenAddress $vm_ipv4
	#ListenAddress ::
	Protocol 2
	Compression yes
	HostKey /etc/ssh/ssh_host_rsa_key
	UsePrivilegeSeparation yes
	KeyRegenerationInterval 3600
	ServerKeyBits 768
	SyslogFacility AUTH
	LogLevel INFO
	LoginGraceTime 120
	PermitRootLogin yes
	StrictModes yes
	RSAAuthentication yes
	PubkeyAuthentication yes
	AuthorizedKeysFile %h/etc/ssh/authorized_keys
	IgnoreRhosts yes
	RhostsRSAAuthentication no
	HostbasedAuthentication no
	IgnoreUserKnownHosts no
	PermitEmptyPasswords no
	ChallengeResponseAuthentication no
	PasswordAuthentication no
	KerberosAuthentication no
	GSSAPIAuthentication no
	X11Forwarding no
	X11DisplayOffset 10
	PrintMotd no
	DebianBanner no
	PrintLastLog yes
	TCPKeepAlive yes
	ClientAliveInterval 0
	AcceptEnv LANG LC_*
	Subsystem sftp /usr/lib/openssh/sftp-server
	UsePAM yes
	EOF
	sudo service ssh restart
	}

# Creates an administrator account: user, sudo group membership, the SSH public
# key shipped in the repository (root-owned, so the user cannot change it
# themselves; sshd reads it with root privileges), the project's OpenPGP keys
# in the user's keyring, and finally the root/initramfs authorized_keys refresh
# that grants the new admin remote access.
rule_user_admin_add () { # SYNTAX: $user
	local user=$1
	id "$user" >/dev/null || sudo adduser --disabled-password "$user"
	 # NOTE: the password must be initialised by the user themselves with passwd-init.
	eval local home\; home="~$user"
	sudo adduser "$user" sudo
	sudo install -m 640 -o root -g root \
	 "$tool"/var/pub/ssh/"$user".key \
	 "$home"/etc/ssh/authorized_keys
	# `local -` scopes the shell options, so re-enabling globbing (set +f, the
	# script runs with set -f) only lasts for this function.
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo -u "$user" gpg --import "$key"
	done
	rule user_admin_configure
	}

# Propagates the sudo group's SSH keys to the initramfs and to root.
rule_user_admin_configure () {
	rule initramfs_configure
	rule user_root_configure
	}

# Skeleton layout for new accounts (~/etc, ~/var, with .ssh/.gnupg as symlinks
# into ~/etc), the sudoers fragments, the passwd-init helper and system-wide
# bashrc/screenrc.
# NOTE(review): sudo expects files in /etc/sudoers.d to be mode 0440 (see
# /etc/sudoers.d/README on Debian); the 640 used here is likely rejected with
# "should be 0440" — check with `visudo -c`.
rule_user_configure () {
	sudo install -d -m 750 -o root -g adm \
	 /etc/skel/etc \
	 /etc/skel/etc/ssh
	sudo install -d -m 770 -o root -g adm \
	 /etc/skel/etc/apache2 \
	 /etc/skel/var \
	 /etc/skel/var/log \
	 /etc/skel/var/cache \
	 /etc/skel/var/cache/ssh
	sudo ln -fns etc/ssh /etc/skel/.ssh
	sudo ln -fns etc/gpg /etc/skel/.gnupg
	# sudoers matches the full argument string, so only this exact `sh -c`
	# command runs without a password; the embedded case statement only calls
	# passwd when `passwd --status` reports the caller's own account as L
	# (locked, i.e. no password set yet). `\\` is written to the file as `\`
	# (sudoers line continuation) and `\$` as `$`.
	sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
	%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
	 case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
	 ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
	EOF
	# Needed password-less by rule_apt_get_install.
	sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF
	%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
	EOF
	sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/env_keep <<-EOF
	Defaults env_keep = " \\
	 EDITOR \\
	 GIT_AUTHOR_NAME \\
	 GIT_AUTHOR_EMAIL \\
	 GIT_COMMITTER_NAME \\
	 GIT_COMMITTER_EMAIL \\
	 "
	EOF
	# The helper runs exactly the command allowed by sudoers.d/passwd-init above
	# (the lone `\` before the quoted argument is a here-document line
	# continuation, so the written script has it on one line).
	sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF
	#!/bin/sh -efu
	# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
	sudo /bin/sh -e -f -u -c \
	 'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
	EOF
	sudo install -m 644 -o root -g root \
	 etc/bash.bashrc \
	 /etc/bash.bashrc
	sudo install -m 644 -o root -g root \
	 etc/screenrc \
	 /etc/screenrc
	}

# Root's ~/etc layout, root's authorized_keys = the concatenated keys of every
# member of the sudo group (same loop as in rule_initramfs_configure), and the
# project's OpenPGP keys in root's keyring.
rule_user_root_configure () {
	sudo install -d -m 750 -o root -g adm \
	 /root/etc \
	 /root/etc/ssh \
	 /root/etc/gpg
	sudo ln -fns etc/gpg /root/.gnupg
	sudo ln -fns etc/ssh /root/.ssh
	getent group sudo |
	while IFS=: read -r group x x users
	do while test -n "$users" && IFS=, read -r user users <<-EOF
		$users
		EOF
	   do eval local home\; home="~$user"
	      cat "$home"/etc/ssh/authorized_keys
	   done
	done |
	sudo install -m 640 -o root -g root /dev/stdin /root/etc/ssh/authorized_keys
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo gpg --import "$key"
	done
	}

# Full configuration of a freshly installed VM, in order.
# NOTE(review): etckeeper_configure and filesystem_configure are not defined in
# this copy of the file (see the note above rule_dovecot_configure).
rule_configure () {
	rule apt_configure
	rule git_configure
	rule etckeeper_configure
	rule locale_configure
	rule network_configure
	rule filesystem_configure
	rule login_configure
	rule ssh_configure
	rule user_root_configure
	rule boot_configure
	rule user_configure
	}

# Changes the passphrase of the root volume only: the other volumes are
# unlocked with a key derived from it (crypttab: decrypt_derived), and
# luksChangeKey replaces a key slot without changing the volume master key,
# so they keep working.
rule_luks_key_change () {
	sudo cryptsetup luksChangeKey /dev/$vm_lvm_vg/${vm_lvm_lv}_root
	}

# Dispatch. When $1 is given this line expands to `rule=$1 shift`: `shift` is a
# special built-in, so the assignment prefix persists in the current shell and
# the rule name is consumed from the argument list. Without arguments it is
# just `rule=help`. Every rule except help first checks that this really is the
# VM it was written for.
rule=${1:-help} ${1+shift}
case $rule in
 (help);;
 (*) assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn ;;
esac
rule $rule "$@"