Correction : vm_hosted : gitweb.
index a75d9cb..11dd8bb 100755 (executable)
--- a/vm_hosted
+++ b/vm_hosted
@@ -34,9 +34,7 @@ rule_git_configure () {
        git config --replace branch.master.merge refs/remotes/master
        local tool
        tool=$(cd "$tool"; cd -)
-       sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/
-       sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/vm
-       sudo install -m 770 /dev/stdin .git/hooks/post-update <<-EOF
+       install -m 770 /dev/stdin .git/hooks/post-update <<-EOF
                #!/bin/sh -efux
                case \$1 in
                 (refs/remotes/master)
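Review bot: The hook is installed with `-m 770`, which makes `.git/hooks/post-update` group-writable, so any member of the checkout's group can edit a script that git then runs with the repository owner's rights on every update. Unless the group is meant to maintain hooks, `install -m 750 /dev/stdin .git/hooks/post-update <<-EOF` is all git needs to execute it. Dropping `sudo` also makes the hook owned by the invoking user rather than root, which is presumably the intent for a user-owned checkout but deserves a one-line comment since the sibling rules keep `sudo` everywhere. rule_git_configure continues outside the hunk.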
@@ -62,7 +60,7 @@ rule_adduser () {
        sudo adduser "$@" "$user"
  }
 rule_apt_get_install () { # SYNTAX: $package
-       sudo DEBIAN_FRONTEND=noninteractive apt-get install "$@"
+       sudo DEBIAN_FRONTEND=noninteractive apt-get install --yes "$@"
  }
 rule_dpkg_reconfigure () { # SYNTAX: $package
        sudo DEBIAN_FRONTEND=noninteractive dpkg-reconfigure "$@"
@@ -74,7 +72,7 @@ rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
        . /etc/profile
  }
 
-rule_apache2_configure () {
+rule_apache2_configure () { # XXX: cette règle n'est pas testée/mise-à-jour
        local -; set +f
        rule apt_get_install \
         apache2-mpm-itk \
@@ -90,6 +88,12 @@ rule_apache2_configure () {
                # cependant l'usage de suexec impose des forks il semble..
                # et mod_proxy_fcgi n'apparaît que dans apache 2.4 ;
                # donc pour l'instant : apache2-mpm-itk
+       sudo rm -rf \
+        /etc/apache2/site.d
+       sudo install -d -m 770 -o www -g www \
+        /etc/apache2 \
+        /etc/apache2/site.d \
+        /etc/apache2/x509.d
        cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF |
                ServerName "$vm_fqdn"
                EOF
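Review bot: The `install -d -m 770 -o www -g www` that now includes `/etc/apache2` itself hands the Apache configuration root to the `www` account, so whatever runs as `www` (or in group `www`) can rewrite apache2.conf and the site files Apache reads as root at start-up. If `www` only needs to own `site.d` and `x509.d`, leave the root to root (`sudo install -d -m 755 -o root -g root /etc/apache2`) and keep the 770 www:www mode for the two subdirectories. The preceding `sudo rm -rf /etc/apache2/site.d` also discards any per-site file this rule did not generate; given the XXX marking the rule as untested, a comment stating that site.d is regenerated from scratch would help the next reader. rule_apache2_configure continues outside the hunk.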
@@ -129,23 +133,23 @@ rule_apache2_configure () {
                        sudo install -d -m 770 -o www-"$site" -g www-"$site" \
                         /etc/apache2 \
                         /etc/apache2/site.d/"$site" \
-                        /etc/apache2/site.d/"$site"/x509 \
-                        /etc/apache2/site.d/"$site"/x509/ca \
-                        /etc/apache2/site.d/"$site"/x509/empty \
-                        /etc/apache2/site.d/"$site"/x509/rvk \
-                        /etc/apache2/site.d/"$site"/x509/usr
+                        /etc/apache2/x509.d/"$site" \
+                        /etc/apache2/x509.d/"$site"/ca \
+                        /etc/apache2/x509.d/"$site"/empty \
+                        /etc/apache2/x509.d/"$site"/rvk \
+                        /etc/apache2/x509.d/"$site"/usr
                        sudo install -m 664 -o www -g www \
-                            "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
-                        /etc/apache2/site.d/"$site"/x509/crt.self-signed.pem
+                        "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
+                         /etc/apache2/x509.d/"$site"/crt.self-signed.pem
                        #sudo install -m 664 -o www-"$site" -g www-"$site" \
                        # "$tool"/var/pub/x509/"$site"/rvk.pem \
-                       # /etc/apache2/site.d/"$site"/x509/rvk.pem
+                       #  /etc/apache2/x509.d/"$site"/rvk.pem
                        sudo install -m 664 -o www -g www \
                         "$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \
-                        /etc/apache2/site.d/"$site"/x509/ca/crt.pem
+                         /etc/apache2/x509.d/"$site"/ca/crt.pem
                        sudo install -m 664 -o www -g www \
-                            "$tool"/var/pub/x509/"$site"/crt.pem \
-                        /etc/apache2/site.d/"$site"/x509/crt.pem
+                        "$tool"/var/pub/x509/"$site"/crt.pem \
+                         /etc/apache2/x509.d/"$site"/crt.pem
                        ;;
                 esac
                case $site in
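Review bot: The per-site `/etc/apache2/x509.d/$site` tree is created `-m 770 -o www-$site -g www-$site`, and the same directory is what the next hunk points `SSLCertificateKeyFile` at (`x509.d/$site/key.pem`); with that ownership the site's own runtime user can read and, holding write on the directory, replace the private key, although Apache only needs it readable by root at start-up. Consider creating `x509.d/$site` as `-m 750 -o root -g www-$site` (or www:www like its parent) and leaving only the `usr`/`rvk` drop directories writable by the site account, if anything. The key install step itself is not visible here, so confirm where key.pem is written and with which mode. rule_apache2_configure continues outside the hunk.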
@@ -162,16 +166,16 @@ rule_apache2_configure () {
                                                ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60"
                                                #ErrorLog "/dev/null"
                                                LogLevel Warn
-                                               SSLCACertificateFile    /etc/apache2/site.d/$site/x509/crt.self-signed.pem
-                                               SSLCACertificatePath    /etc/apache2/site.d/$site/x509/usr/
-                                               #SSLCARevocationFile    /etc/apache2/site.d/$site/x509/rvk.pem
-                                               SSLCADNRequestFile      /etc/apache2/site.d/$site/x509/crt.self-signed.pem
-                                               SSLCADNRequestPath      /etc/apache2/site.d/$site/x509/empty/
+                                               SSLCACertificateFile    /etc/apache2/x509.d/$site/crt.self-signed.pem
+                                               SSLCACertificatePath    /etc/apache2/x509.d/$site/usr/
+                                               #SSLCARevocationFile    /etc/apache2/x509.d/$site/rvk.pem
+                                               SSLCADNRequestFile      /etc/apache2/x509.d/$site/crt.self-signed.pem
+                                               SSLCADNRequestPath      /etc/apache2/x509.d/$site/empty/
                                                        # NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés
-                                               SSLCARevocationPath     /etc/apache2/site.d/$site/x509/rvk/
-                                               SSLCertificateChainFile /etc/apache2/site.d/$site/x509/ca/crt.pem
-                                               SSLCertificateFile      /etc/apache2/site.d/$site/x509/crt.pem
-                                               SSLCertificateKeyFile   /etc/apache2/site.d/$site/x509/key.pem
+                                               SSLCARevocationPath     /etc/apache2/x509.d/$site/rvk/
+                                               SSLCertificateChainFile /etc/apache2/x509.d/$site/ca/crt.pem
+                                               SSLCertificateFile      /etc/apache2/x509.d/$site/crt.pem
+                                               SSLCertificateKeyFile   /etc/apache2/x509.d/$site/key.pem
                                                SSLCipherSuite AES+RSA+SHA256
                                                SSLEngine On
                                                SSLInsecureRenegotiation Off
@@ -239,19 +243,19 @@ rule_apache2_configure () {
  }
 rule_apt_configure () {
        sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
-               deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
+               deb http://ftp.rezopole.net/debian $vm_lsb_name main
                EOF
-       sudo install -m 660 -o root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF
-               #deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
+       sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/$vm_lsb_name-backports.list <<-EOF
+               deb http://ftp.rezopole.net/debian $vm_lsb_name-backports main
                EOF
        sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
                Package: *
                Pin: release a=$vm_lsb_name
-               Pin-Priority: 170
+               Pin-Priority: 200
                
                Package: *
                Pin: release a=$vm_lsb_name-backports
-               Pin-Priority: 200
+               Pin-Priority: 170
                EOF
        sudo apt-get update
        rule apt_get_install apticron
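Review bot: The rewritten sources.list carries only `deb http://ftp.rezopole.net/debian $vm_lsb_name main`, with no entry for the security suite, so the `apt-get update` and apticron install that follow will never see security updates unless another rule adds a security source; a second line such as `deb http://security.debian.org/ $vm_lsb_name/updates main` belongs in the same heredoc. Moving the backports list under `sources.list.d` is a genuine fix (a file at `/etc/apt/$vm_lsb_name-backports.list` is never read by apt), but the swapped priorities are unexplained; a comment like `# main (200) beats backports (170): backported packages only on explicit -t` would keep the next edit from swapping them back.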
@@ -466,10 +470,11 @@ rule_initramfs_configure () {
                        $users
                        EOF
                 do eval local home\; home="~$user"
-                       cat "$home"/etc/ssh/authorized_keys
+                       sudo cat "$home"/etc/ssh/authorized_keys
                 done
         done |
-       sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys
+       sudo install -m 644 -o root -g root /dev/stdin \
+        /etc/initramfs-tools/root/.ssh/authorized_keys
        sudo rm -f \
         /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
         /etc/initramfs-tools/root/.ssh/id_rsa.pub \
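Review bot: A missing `$home/etc/ssh/authorized_keys` now makes `sudo cat` fail on the left side of the pipeline, but the pipeline's status is that of `install`, so the initramfs root authorized_keys is written anyway with that user's unlock key silently dropped. If a missing file should abort, check the listed users' files in a first pass (`sudo test -r "$home"/etc/ssh/authorized_keys`) before anything is written, or run the loop under a shell with pipefail; if it is deliberately best-effort, say so in a comment. The same pattern appears in rule_user_root_configure (the `sudo cat` hunk near the end of this diff). rule_initramfs_configure starts outside the hunk.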
@@ -487,6 +492,7 @@ rule_gitolite_configure () {
        rule adduser git \
         --disabled-password \
         --group \
+        --home /home/git \
         --shell /bin/bash \
         --system
        sudo chfn --full-name git git
@@ -494,34 +500,38 @@ rule_gitolite_configure () {
         --disabled-login \
         --disabled-password \
         --group \
-        --home ~git/log \
+        --home /home/git/log \
         --shell /bin/false \
         --system
-       rule adduser git-daemon\
+       rule adduser git-data \
         --disabled-login \
         --disabled-password \
         --group \
         --home /home/git/pub \
         --shell /bin/false \
         --system
+       sudo adduser git        git-data
        sudo install -d -m 770 -o git -g git \
         /etc/gitolite \
-        ~git/etc \
-        ~git/etc/ssh \
-        ~git/pub
-       sudo install -d -m 770 -o log-git -g log-git \
-        ~git/log \
-        ~git/log/gitolite \
-        ~git/log/gitolite/perf
-       sudo install -d -m 550 -o www-lhc-git -g www-lhc-git \
-        /etc/gitweb \
-        /etc/gitweb/cgi
-       sudo ln -fns /etc/gitolite ~git/etc/gitolite
-       sudo ln -fns /etc/gitweb ~git/etc/gitweb
-       sudo ln -fns etc/gitolite/gitolite.rc ~git/.gitolite.rc
-       sudo ln -fns etc/ssh ~git/.ssh
+        /home/git/etc \
+        /home/git/etc/ssh
+       sudo install -d -m 751 -o git -g git \
+        /home/git
+       sudo install -d -m 2770 -o git-data -g git-data \
+        /home/git/pub
+       sudo install -d -m 1771 -o git -g git \
+        /home/git/log
+       sudo install -d -m 2770 -o git -g log-git \
+        /home/git/log/gitolite \
+        /home/git/log/gitolite/perf
+       sudo install -d -m 3771 -o git -g git \
+        /home/git/hooks
+       sudo ln -fns /etc/gitolite /home/git/etc/gitolite
+       sudo ln -fns /etc/gitweb /home/git/etc/gitweb
+       sudo ln -fns etc/gitolite/gitolite.rc /home/git/.gitolite.rc
+       sudo ln -fns etc/ssh /home/git/.ssh
        sudo install -m 770 -o git -g git /dev/stdin \
-        ~git/etc/gitolite/gitolite.rc <<-EOF
+        /home/git/etc/gitolite/gitolite.rc <<-EOF
                #\$ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary";
                #\$BIG_INFO_CAP = 20;
                #\$ENV{GL_SLAVES} = 'gitolite@server2 gitolite@server3';
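Review bot: `sudo install -d -m 3771 -o git -g git /home/git/hooks` leaves the hooks directory writable by every local account (the trailing `1` is `o+wx`); the sticky bit stops others from deleting existing files but not from creating new ones, so any user can drop a script there under a name gitolite has not populated yet. If this directory is consulted by gitolite or by the hooks named in gitolite.rc (not visible here, so confirm), restrict it with `sudo install -d -m 2770 -o git -g git /home/git/hooks` and add the accounts that must write to it to the `git` group; `/home/git/log` at 1771 deserves the same look. The new `sudo adduser git git-data` with `pub` owned by `git-data` at 2770 is a sound way to separate data ownership from the service account and merits a short comment saying so. rule_gitolite_configure continues outside the hunk.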
@@ -536,7 +546,7 @@ rule_gitolite_configure () {
                \$GL_CONF = "\$GL_ADMINDIR/conf/gitolite.conf";
                \$GL_CONF_COMPILED = "\$GL_ADMINDIR/conf/gitolite.conf.pm";
                #\$GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups"
-               \$GL_GITCONFIG_KEYS = "hooks\\..* repo\\..*";
+               \$GL_GITCONFIG_KEYS = "gitweb\\..* hooks\\..*";
                #\$GL_HOSTNAME = "git.$vm_domainname";
                        # NOTE: read doc/mirroring.mkd COMPLETELY before setting this.
                #\$GL_HTTP_ANON_USER = "mob";
@@ -556,7 +566,7 @@ rule_gitolite_configure () {
                #\$GL_WILDREPOS_DEFPERMS = 'R @all';
                \$GL_WILDREPOS_PERM_CATS = "READERS WRITERS";
                \$HTPASSWD_FILE = "";
-               \$PROJECTS_LIST = \$ENV{HOME} . "/projects.list";
+               \$PROJECTS_LIST = \$ENV{HOME} . "/etc/gitweb/projects.list";
                \$REPO_BASE = "pub";
                \$REPO_UMASK = 0007;
                \$RSYNC_BASE = "";
@@ -565,50 +575,18 @@ rule_gitolite_configure () {
                \$WEB_INTERFACE = "gitweb";
                1;
                EOF
-       sudo install -m 740 -o git -g www-lhc-git /dev/stdin \
-        ~git/etc/gitweb/gitweb.conf <<-EOF
-               \$commit_oneline_message_width = 70;
-               \$default_projects_order = 'age';
-               \$default_text_plain_charset = 'UTF-8';
-               @diff_opts = ();
-               \$favicon = "img/git-favicon.png";
-               \$git_temp = "/run/shm/tmp/gitweb";
-               \$home_footer = "/etc/gitweb/cgi/home-footer.cgi.inc";
-               \$home_header = "/etc/gitweb/cgi/home-header.cgi.inc";
-               \$home_link = "/";
-               \$home_link_str = 'd&eacute;p&ocirc;ts';
-               \$home_th_age = 'activit&eacute;';
-               \$home_th_descr = 'description';
-               \$home_th_owner = 'contact';
-               \$home_th_project = 'd&eacute;p&ocirc;t';
-               \$javascript = "js/gitweb.js";
-               \$logo = "img/git-logo.png";
-               \$my_uri = "";
-               \$projectroot = "../git";
-               \$projects_list = "/etc/gitolite/projects.list";
-               \$projects_list_description_width = 42;
-               \$projects_list_owner_width = 15;
-               \$search_str = "Filtre&nbsp;:";
-               \$site_footer = "/etc/gitweb/cgi/site-footer.bin";
-               \$site_header = undef;
-               \$site_name = "git.$vm_domainname";
-               \$space_to_nbsp = 0;
-               @stylesheets = ("css/gitweb.css");#
-               \$untabify_tabstop = 2;
-               EOF
        sudo install -m 600 -o git -g git \
         "$tool"/var/pub/ssh/git.key \
-               ~git/etc/ssh/git.pub
+          /home/git/etc/ssh/git.pub
        sudo -u git \
         GL_RC=/home/git/etc/gitolite/gitolite.rc \
         GIT_AUTHOR_NAME=git \
-               gl-setup -q ~git/etc/ssh/git.pub git
+               gl-setup -q /home/git/etc/ssh/git.pub git
        local d
        for d in doc logs src
-        do test ! -d ~git/etc/gitolite/"$d" ||
-               rmdir ~git/etc/gitolite/"$d"
+        do test ! -d /home/git/etc/gitolite/"$d" ||
+               rmdir /home/git/etc/gitolite/"$d"
         done
-       rule apt_get_install gitweb highlight
        sudo service tmpfs restart
  }
 rule_locales_configure () {
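Review bot: The rule no longer creates `/etc/gitweb` (the `install -d ... /etc/gitweb /etc/gitweb/cgi` lines went away in the earlier gitolite hunk), yet `/home/git/etc/gitweb` still symlinks to it and `$PROJECTS_LIST` now resolves to `/home/git/etc/gitweb/projects.list`; with `rule gitolite_configure` moved ahead of `www_configure`/`nginx_configure` in the final hunk, gitolite's first compile runs before whatever rule now owns /etc/gitweb, so projects.list cannot be written on a fresh host unless that directory already exists. Either keep a `sudo install -d -m 2750 -o git -g GITWEB_GROUP /etc/gitweb` here (GITWEB_GROUP is a placeholder for the account serving gitweb) or document the ordering dependency next to the `ln -fns /etc/gitweb` line. The `git.key` → `git.pub` install also deserves a comment, since the source name suggests a private key while `gl-setup` expects the admin public key.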
@@ -727,14 +705,39 @@ rule_mail_configure () {
  }
 rule_mysql_configure () {
        rule apt_get_install mysql-server-5.5
-       sudo install -m 644 -o root -g root \
-           "$tool"/etc/mysql/my.cnf \
-           /etc/mysql/my.cnf
-       if test ! -d /home/mysql; then
-           sudo install -d -m 750 -o mysql -g mysql \
-               /home/mysql
-           sudo -u mysql mysql_install_db --no-defaults --datadir=/home/mysql/
-       fi
+       rule adduser mysql \
+        --disabled-login \
+        --disabled-password \
+        --group \
+        --home /home/mysql \
+        --shell /bin/false \
+        --system
+       rule adduser mysql-data \
+        --disabled-login \
+        --disabled-password \
+        --group \
+        --home /home/mysql/data \
+        --shell /bin/false \
+        --system
+       sudo usermod --home /home/mysql mysql
+       sudo adduser mysql mysql-data
+       sudo install -m 640 -o mysql -g mysql \
+        "$tool"/etc/mysql/my.cnf \
+               /etc/mysql/my.cnf
+       sudo install -d -m 751 -o mysql -g mysql \
+        /home/mysql
+       sudo install -d -m 750 -o mysql-data -g mysql-data \
+        /home/mysql/data
+       if test ! -d /home/mysql/data
+        then
+               sudo -u mysql mysql_install_db \
+                --no-defaults \
+                --datadir=/home/mysql/data
+        fi
+       sudo service tmpfs restart
+       case $(sudo sv status mysql || true) in
+        (run:*) sudo sv restart mysql
+        esac
  }
 rule_network_configure () {
        sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
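Review bot: `sudo install -d -m 750 -o mysql-data -g mysql-data /home/mysql/data` now runs before `if test ! -d /home/mysql/data`, so the test is always false and `mysql_install_db` never runs on a fresh host; the old code had the test first. Test for something the initialisation itself creates, e.g. `if test ! -d /home/mysql/data/mysql` (the system database directory), which also stays correct on re-runs. Installing `/etc/mysql/my.cnf` as `-m 640 -o mysql -g mysql` additionally stops other accounts' mysql clients from reading a defaults file Debian ships as 644; if it only carries server settings that may be intended, but it is worth a comment.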
@@ -829,14 +832,14 @@ rule_nginx_configure () {
                 "$tool"/etc/nginx/conf.d/"$conf" \
                        /etc/nginx/conf.d/"$conf"
         done
-       for conf in "$tool"/etc/nginx/site.d/*/server.conf
+       for conf in "$tool"/etc/nginx/site.d/*/site.conf
         do conf=${conf#"$tool"/etc/nginx/site.d/}
-               local site="${conf%/server.conf}"
+               local site="${conf%/site.conf}"
                rule adduser www-"$site" \
                 --disabled-login \
                 --disabled-password \
                 --group \
-                --home /home/www-data/"$site" \
+                --home /home/www/pub/"$site" \
                 --shell /bin/false \
                 --system
                rule adduser log-www-"$site" \
@@ -846,40 +849,45 @@ rule_nginx_configure () {
                 --home /home/www/log/"$site"/nginx \
                 --shell /bin/false \
                 --system
-               sudo install -d -m 2770 -o log-www-"$site" -g log-www-"$site" \
+               sudo install -d -m 771 -o log-www -g log-www \
                 /home/www/log/"$site"
                sudo install -d -m 770 -o www -g www \
                 /etc/nginx/site.d/"$site"
                sudo install -d -m 770 -o www -g www \
                 /etc/nginx/x509.d/"$site"
                test -L /home/www/pub/"$site" ||
-               sudo install -d -m 3770 -o www-"$site" -g www-"$site" \
+               sudo install -d -m 2770 -o www-"$site" -g www-"$site" \
                 /home/www/pub/"$site"
                sudo adduser www-data www-"$site"
                sudo adduser www-data log-www-"$site"
+               sudo install -m 660 -o www -g www \
+                "$tool"/etc/nginx/site.d/"$site"/local.conf \
+                       /etc/nginx/site.d/"$site"/local.inc
+               sudo install -m 660 -o www -g www \
+                "$tool"/etc/nginx/site.d/"$site"/site.conf \
+                       /etc/nginx/site.d/"$site"/site.inc
                sudo install -m 660 -o www -g www /dev/stdin \
                 /etc/nginx/site.d/"$site"/server.conf <<-EOF
                        server {
                                access_log          /home/www/log/$site/nginx/access.log main;
                                error_log           /home/www/log/$site/nginx/error.log warn;
                                root                /home/www/pub/$site;
-                               ssl_certificate     /etc/nginx/x509.d/$site/crt.pem;
-                               ssl_certificate_key /etc/nginx/x509.d/$site/key.pem;
-                               $(cat "$tool"/etc/nginx/site.d/"$site"/listen.conf)
-                               $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
+                               include             /etc/nginx/site.d/$site/local.inc;
+                               include             /etc/nginx/site.d/$site/site.inc;
                         }
                        EOF
-               test -d /home/www/pub/"$site" -o -L /home/www/pub/"$site" ||
                test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
                .         "$tool"/etc/nginx/site.d/"$site"/configure.sh
         done
        rule apt_get_install spawn-fcgi fcgiwrap
        sudo insserv --remove fcgiwrap
-       sudo insserv --remove nginx
+       #sudo insserv --remove nginx
        rule tmpfs_configure
-       case $(sv status nginx) in
-        (run:*) sudo sv restart nginx
-        esac
+       sudo service php5-fpm restart
+               # NOTE: relance les processus du pool
+               #       pour leur donner les droits
+               #       de leurs groupes supplémentaires.
+       sudo service nginx restart
  }
 rule_php5_fpm_configure () {
        local -; set +f
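Review bot: The generated `server {}` block no longer emits `ssl_certificate`/`ssl_certificate_key`; those must now come from each site's `site.inc`/`local.inc`, while `/etc/nginx/x509.d/$site` is still created and nothing in this hunk refers to it any more. A site whose site.conf omits the certificate directives would silently serve without TLS (or fail to load), so either keep the two lines in the template or warn, e.g. `grep -q ssl_certificate "$tool"/etc/nginx/site.d/"$site"/site.conf || echo "$site: no ssl_certificate" >&2`. Removing the `test -d ... -o -L ...` guard also means `configure.sh` is sourced on every run rather than only at first creation, so the per-site scripts now have to be idempotent; a comment stating that contract next to the `.` line would help. rule_nginx_configure starts outside the hunk.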
@@ -938,7 +946,7 @@ rule_php5_fpm_configure () {
                 --disabled-password \
                 --group \
                 --no-create-home \
-                --home /home/www/log/php5/fpm \
+                --home /home/www/log/php5/fpm/"$pool" \
                 --shell /bin/false \
                 --system
                sudo install -d -m 770 -o log-php5 -g log-php5 \
@@ -982,7 +990,7 @@ rule_php5_fpm_configure () {
                sudo install -m 664 -o php5 -g php5 \
                 "$tool"/etc/php5/fpm/php.ini \
                        /etc/php5/fpm/php.ini
-               case $(sv status php5-"$pool") in
+               case $(sudo sv status php5-"$pool") in
                 (run:*) sudo sv restart php5-"$pool"
                 esac
         done
@@ -1120,9 +1128,9 @@ rule_runit_configure () {
                local sv_hash=$(printf %s "$sv" | sha1sum | cut -f 1 -d ' ')
                local sv_status
                IFS= read -r sv_status_$sv_hash <<-EOF
-                       $(sv status "$sv")
+                       $(sudo sv status "$sv")
                        EOF
-               rm -f /etc/service/"$sv"
+               sudo rm -f /etc/service/"$sv"
         done
        for sv in ${1-"$tool"/etc/sv/*}
         # NOTE: configure et (re-)démarre les services
@@ -1141,13 +1149,13 @@ rule_runit_configure () {
                         "$tool"/etc/sv/"$sv"/log/run \
                                /etc/sv/"$sv"/log/run
                 fi
-               test ! -x "$tool"/etc/sv/"$sv"/configure ||
-               "$tool"/etc/sv/"$sv"/configure
-               ln -fns ../sv/"$sv" /etc/service/"$sv"
+               test ! -r "$tool"/etc/sv/"$sv"/configure.sh ||
+               .         "$tool"/etc/sv/"$sv"/configure.sh
+               sudo ln -fns ../sv/"$sv" /etc/service/"$sv"
                eval local sv_status=\"\${sv_status_$sv_hash-}\"
                case $sv_status in
-                ("") sv start "$sv";;
-                (run:*) sv restart "$sv";;
+                ("") true;;
+                (run:*) sudo sv restart "$sv";;
                 esac
         done
  }
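Review bot: `("") true;;` replaces `sv start "$sv"` for a service seen for the first time; this only works because runsvdir notices the new `/etc/service/$sv` symlink on its next scan, an implicit contract worth stating: `("") true;; # runsvdir starts it once the symlink appears`. Switching from executing `configure` to sourcing `configure.sh` runs each per-service script inside rule_runit_configure's own scope, where it can overwrite `sv`, `sv_hash` or `sv_status` mid-loop; `( . "$tool"/etc/sv/"$sv"/configure.sh )` keeps access to `rule` and `$tool` while isolating its assignments. The rule starts outside the hunk.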
@@ -1163,43 +1171,59 @@ rule_ssh_configure () {
         /etc/ssh/ssh_host_ecdsa_key \
         /etc/ssh/ssh_host_ecdsa_key.pub
         # NOTE: clefs générées par Debian
-       sudo install -m 644 -o root -g root /dev/stdin  /etc/ssh/sshd_config <<-EOF
-               Port 22
-               ListenAddress $vm_ipv4
-               #ListenAddress ::
-               Protocol 2
+       sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
+               AcceptEnv LANG LC_*
+               AuthorizedKeysFile %h/etc/ssh/authorized_keys
+               ChallengeResponseAuthentication no
+               ClientAliveInterval 0
                Compression yes
+               DebianBanner no
+               GSSAPIAuthentication no
                HostKey /etc/ssh/ssh_host_rsa_key
-               UsePrivilegeSeparation yes
+               HostbasedAuthentication no
+               IgnoreRhosts yes
+               IgnoreUserKnownHosts no
+               KerberosAuthentication no
                KeyRegenerationInterval 3600
-               ServerKeyBits 768
-               SyslogFacility AUTH
+               Port 22
+               ListenAddress 127.0.0.1
+               ListenAddress $vm_ipv4
                LogLevel INFO
                LoginGraceTime 120
+               PasswordAuthentication no
+               PermitEmptyPasswords no
                PermitRootLogin yes
-               StrictModes yes
-               RSAAuthentication yes
+               PrintLastLog yes
+               PrintMotd no
+               Protocol 2
                PubkeyAuthentication yes
-               AuthorizedKeysFile %h/etc/ssh/authorized_keys
-               IgnoreRhosts yes
+               RSAAuthentication yes
                RhostsRSAAuthentication no
-               HostbasedAuthentication no
-               IgnoreUserKnownHosts no
-               PermitEmptyPasswords no
-               ChallengeResponseAuthentication no
-               PasswordAuthentication no
-               KerberosAuthentication no
-               GSSAPIAuthentication no
-               X11Forwarding no
-               X11DisplayOffset 10
-               PrintMotd no
-               DebianBanner no
-               PrintLastLog yes
-               TCPKeepAlive yes
-               ClientAliveInterval 0
-               AcceptEnv LANG LC_*
+               ServerKeyBits 768
+               StrictModes yes
                Subsystem sftp /usr/lib/openssh/sftp-server
+               SyslogFacility AUTH
+               TCPKeepAlive yes
                UsePAM yes
+               UsePrivilegeSeparation yes
+               X11DisplayOffset 10
+               X11Forwarding no
+               EOF
+       sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/ssh_config <<-EOF
+               Host *
+                       #Compression yes
+                       #CompressionLevel 9
+                       #ControlMaster auto
+                       #ControlPath ~/var/run/ssh/sock/%h-%p-%r
+                       GSSAPIAuthentication no
+                       GSSAPIDelegateCredentials no
+                       HashKnownHosts yes
+                       IdentityFile ~/etc/ssh/id_dsa
+                       IdentityFile ~/etc/ssh/id_rsa
+                       IdentityFile ~/etc/ssh/identity
+                       SendEnv LANG LC_*
+                       StrictHostKeyChecking ask
+                       UserKnownHostsFile ~/etc/ssh/known_hosts
                EOF
        sudo service ssh restart
  }
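Review bot: `PermitRootLogin yes` survives the rewrite while password authentication is turned off; `PermitRootLogin without-password` (the OpenSSH spelling of that era) pins root to key-only login even if `PasswordAuthentication` is later flipped back on, which is what the rest of this file assumes. `ServerKeyBits 768` only affects protocol 1 and is dead with `Protocol 2`, so it can go rather than advertise a weak key size. The new `ListenAddress 127.0.0.1` and the `~/etc/ssh/...` locations in ssh_config are non-default choices that deserve a comment tying them to the `AuthorizedKeysFile %h/etc/ssh/authorized_keys` convention the other rules depend on. rule_ssh_configure starts outside the hunk.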
@@ -1261,6 +1285,7 @@ rule_user_add () { # SYNTAX: $user
         done
  }
 rule_user_configure () {
+       rule apt_get_install bash-completion
        sudo install -m 660 -o root -g root /dev/stdin \
         /etc/adduser.conf <<-EOF
                ADD_EXTRA_GROUPS=1
@@ -1278,7 +1303,7 @@ rule_user_configure () {
                LAST_SYSTEM_UID=999
                LAST_UID=29999
                LETTERHOMES=no
-               NAME_REGEX="^[a-z][-a-z0-9_.]*\$"
+               NAME_REGEX="^[a-z][-a-z0-9_]*\$"
                QUOTAUSER="" # TODO: init
                SETGID_HOME=no
                SKEL=/etc/skel
@@ -1305,7 +1330,7 @@ rule_user_configure () {
                    ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
                EOF
        sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF
-               %sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
+               %sudo ALL=(ALL) NOPASSWD: /usr/bin/etckeeper unclean
                EOF
        sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/env_keep <<-EOF
                Defaults env_keep = " \\
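Review bot: The drop-in holding `NOPASSWD: /usr/bin/etckeeper unclean` is installed `-m 640`, while sudo checks that sudoers.d files are mode 0440 and warns when they are not; whether it then ignores the file depends on the sudo version, so confirm with `sudo -l` that the rule is actually honoured. `sudo install -m 440 -o root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF` removes the doubt, and the `env_keep` drop-in below has the same mode. rule_user_configure starts and ends outside the hunk.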
@@ -1361,7 +1386,7 @@ rule_user_root_configure () {
                        $users
                        EOF
                 do eval local home\; home="~$user"
-                       cat "$home"/etc/ssh/authorized_keys
+                       sudo cat "$home"/etc/ssh/authorized_keys
                 done
         done |
        sudo install -m 640 -o root -g root /dev/stdin /root/etc/ssh/authorized_keys
@@ -1385,11 +1410,11 @@ rule_configure () {
        rule sysctl_configure
        rule user_configure
        rule mail_configure
+       rule gitolite_configure
        rule www_configure
        rule php5_fpm_configure
        rule nginx_configure
        #rule apache2_configure
-       rule gitolite_configure
        rule runit_configure
  }