Correction : rule_{mysql,tmpfs}_configure : socket unix.
index a75d9cb..21950b0 100755 (executable)
--- a/vm_hosted
+++ b/vm_hosted
@@ -62,7 +62,7 @@ rule_adduser () {
        sudo adduser "$@" "$user"
  }
 rule_apt_get_install () { # SYNTAX: $package
-       sudo DEBIAN_FRONTEND=noninteractive apt-get install "$@"
+       sudo DEBIAN_FRONTEND=noninteractive apt-get install --yes "$@"
  }
 rule_dpkg_reconfigure () { # SYNTAX: $package
        sudo DEBIAN_FRONTEND=noninteractive dpkg-reconfigure "$@"
@@ -74,7 +74,7 @@ rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
        . /etc/profile
  }
 
-rule_apache2_configure () {
+rule_apache2_configure () { # XXX: cette règle n'est pas testée/mise-à-jour
        local -; set +f
        rule apt_get_install \
         apache2-mpm-itk \
@@ -90,6 +90,12 @@ rule_apache2_configure () {
                # cependant l'usage de suexec impose des forks il semble..
                # et mod_proxy_fcgi n'apparaît que dans apache 2.4 ;
                # donc pour l'instant : apache2-mpm-itk
+       sudo rm -rf \
+        /etc/apache2/site.d
+       sudo install -d -m 770 -o www -g www \
+        /etc/apache2 \
+        /etc/apache2/site.d \
+        /etc/apache2/x509.d
        cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF |
                ServerName "$vm_fqdn"
                EOF
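Review bot: The `sudo install -d -m 770 -o www -g www /etc/apache2 ...` at L30-L31 hands ownership of the whole Apache configuration root to the www user, so anything running as www can rename or replace files under /etc/apache2 that the root-run parent later loads; only the generated site.d/x509.d subtrees need www write access, and the root itself can stay root-owned (`sudo install -d -m 755 -o root -g root /etc/apache2`). The same re-chown of /etc/apache2 is repeated per site at L38-L39 in the next hunk, so the final owner depends on which site is processed last. Separately, the unconditional `sudo rm -rf /etc/apache2/site.d` at L28-L29 deletes the old site.d/$site/x509 directories, and key.pem (referenced at L94) is never installed by this script, so a hand-placed private key under the old path is destroyed rather than moved; a guard such as `test ! -e /etc/apache2/site.d || ...` or an explicit migration step would be safer. rule_apache2_configure continues outside the hunk.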
@@ -129,23 +135,23 @@ rule_apache2_configure () {
                        sudo install -d -m 770 -o www-"$site" -g www-"$site" \
                         /etc/apache2 \
                         /etc/apache2/site.d/"$site" \
-                        /etc/apache2/site.d/"$site"/x509 \
-                        /etc/apache2/site.d/"$site"/x509/ca \
-                        /etc/apache2/site.d/"$site"/x509/empty \
-                        /etc/apache2/site.d/"$site"/x509/rvk \
-                        /etc/apache2/site.d/"$site"/x509/usr
+                        /etc/apache2/x509.d/"$site" \
+                        /etc/apache2/x509.d/"$site"/ca \
+                        /etc/apache2/x509.d/"$site"/empty \
+                        /etc/apache2/x509.d/"$site"/rvk \
+                        /etc/apache2/x509.d/"$site"/usr
                        sudo install -m 664 -o www -g www \
-                            "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
-                        /etc/apache2/site.d/"$site"/x509/crt.self-signed.pem
+                        "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
+                         /etc/apache2/x509.d/"$site"/crt.self-signed.pem
                        #sudo install -m 664 -o www-"$site" -g www-"$site" \
                        # "$tool"/var/pub/x509/"$site"/rvk.pem \
-                       # /etc/apache2/site.d/"$site"/x509/rvk.pem
+                       #  /etc/apache2/x509.d/"$site"/rvk.pem
                        sudo install -m 664 -o www -g www \
                         "$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \
-                        /etc/apache2/site.d/"$site"/x509/ca/crt.pem
+                         /etc/apache2/x509.d/"$site"/ca/crt.pem
                        sudo install -m 664 -o www -g www \
-                            "$tool"/var/pub/x509/"$site"/crt.pem \
-                        /etc/apache2/site.d/"$site"/x509/crt.pem
+                        "$tool"/var/pub/x509/"$site"/crt.pem \
+                         /etc/apache2/x509.d/"$site"/crt.pem
                        ;;
                 esac
                case $site in
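Review bot: The per-site x509 directory created at L46-L50 is `-m 770 -o www-"$site" -g www-"$site"`, which makes the site's own runtime user the owner of its client trust store (`usr/`, used as SSLCACertificatePath at L82) and of the directory expected to hold key.pem (L94), so a compromise of that site can add accepted client CAs or replace the key; the certificates themselves are installed www:www 664 at L51-L68 and nothing here installs key.pem or sets its mode. If, as is usual for mod_ssl, the key is read by the root parent at startup, the directory can be `-m 750 -o root -g www-"$site"` with key.pem at 640 and the site still serves. rule_apache2_configure continues outside the hunk.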
@@ -162,16 +168,16 @@ rule_apache2_configure () {
                                                ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60"
                                                #ErrorLog "/dev/null"
                                                LogLevel Warn
-                                               SSLCACertificateFile    /etc/apache2/site.d/$site/x509/crt.self-signed.pem
-                                               SSLCACertificatePath    /etc/apache2/site.d/$site/x509/usr/
-                                               #SSLCARevocationFile    /etc/apache2/site.d/$site/x509/rvk.pem
-                                               SSLCADNRequestFile      /etc/apache2/site.d/$site/x509/crt.self-signed.pem
-                                               SSLCADNRequestPath      /etc/apache2/site.d/$site/x509/empty/
+                                               SSLCACertificateFile    /etc/apache2/x509.d/$site/crt.self-signed.pem
+                                               SSLCACertificatePath    /etc/apache2/x509.d/$site/usr/
+                                               #SSLCARevocationFile    /etc/apache2/x509.d/$site/rvk.pem
+                                               SSLCADNRequestFile      /etc/apache2/x509.d/$site/crt.self-signed.pem
+                                               SSLCADNRequestPath      /etc/apache2/x509.d/$site/empty/
                                                        # NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés
-                                               SSLCARevocationPath     /etc/apache2/site.d/$site/x509/rvk/
-                                               SSLCertificateChainFile /etc/apache2/site.d/$site/x509/ca/crt.pem
-                                               SSLCertificateFile      /etc/apache2/site.d/$site/x509/crt.pem
-                                               SSLCertificateKeyFile   /etc/apache2/site.d/$site/x509/key.pem
+                                               SSLCARevocationPath     /etc/apache2/x509.d/$site/rvk/
+                                               SSLCertificateChainFile /etc/apache2/x509.d/$site/ca/crt.pem
+                                               SSLCertificateFile      /etc/apache2/x509.d/$site/crt.pem
+                                               SSLCertificateKeyFile   /etc/apache2/x509.d/$site/key.pem
                                                SSLCipherSuite AES+RSA+SHA256
                                                SSLEngine On
                                                SSLInsecureRenegotiation Off
@@ -253,6 +259,9 @@ rule_apt_configure () {
                Pin: release a=$vm_lsb_name-backports
                Pin-Priority: 200
                EOF
+       #sudo install -m 660 -o root -g root /dev/stdin /etc/apt/apt.conf.d/02proxy-grenode <<-EOF
+       #       Acquire::http::Proxy "http://outils.grenode.net:3142";
+       #       EOF
        sudo apt-get update
        rule apt_get_install apticron
        sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF
@@ -487,6 +496,7 @@ rule_gitolite_configure () {
        rule adduser git \
         --disabled-password \
         --group \
+        --home /home/git \
         --shell /bin/bash \
         --system
        sudo chfn --full-name git git
@@ -494,34 +504,38 @@ rule_gitolite_configure () {
         --disabled-login \
         --disabled-password \
         --group \
-        --home ~git/log \
+        --home /home/git/log \
         --shell /bin/false \
         --system
-       rule adduser git-daemon\
+       rule adduser git-data \
         --disabled-login \
         --disabled-password \
         --group \
         --home /home/git/pub \
         --shell /bin/false \
         --system
+       sudo adduser git        git-data
        sudo install -d -m 770 -o git -g git \
         /etc/gitolite \
-        ~git/etc \
-        ~git/etc/ssh \
-        ~git/pub
-       sudo install -d -m 770 -o log-git -g log-git \
-        ~git/log \
-        ~git/log/gitolite \
-        ~git/log/gitolite/perf
-       sudo install -d -m 550 -o www-lhc-git -g www-lhc-git \
-        /etc/gitweb \
-        /etc/gitweb/cgi
-       sudo ln -fns /etc/gitolite ~git/etc/gitolite
-       sudo ln -fns /etc/gitweb ~git/etc/gitweb
-       sudo ln -fns etc/gitolite/gitolite.rc ~git/.gitolite.rc
-       sudo ln -fns etc/ssh ~git/.ssh
+        /home/git/etc \
+        /home/git/etc/ssh
+       sudo install -d -m 751 -o git -g git \
+        /home/git
+       sudo install -d -m 2770 -o git-data -g git-data \
+        /home/git/pub
+       sudo install -d -m 1771 -o git -g git \
+        /home/git/log
+       sudo install -d -m 2770 -o git -g log-git \
+        /home/git/log/gitolite \
+        /home/git/log/gitolite/perf
+       sudo install -d -m 3771 -o git -g git \
+        /home/git/hooks
+       sudo ln -fns /etc/gitolite /home/git/etc/gitolite
+       sudo ln -fns /etc/gitweb /home/git/etc/gitweb
+       sudo ln -fns etc/gitolite/gitolite.rc /home/git/.gitolite.rc
+       sudo ln -fns etc/ssh /home/git/.ssh
        sudo install -m 770 -o git -g git /dev/stdin \
-        ~git/etc/gitolite/gitolite.rc <<-EOF
+        /home/git/etc/gitolite/gitolite.rc <<-EOF
                #\$ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary";
                #\$BIG_INFO_CAP = 20;
                #\$ENV{GL_SLAVES} = 'gitolite@server2 gitolite@server3';
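Review bot: `/home/git/etc` and `/home/git/etc/ssh` are created `-m 770` at L133 and L149-L150, but sshd_config (hunk at L357) keeps `StrictModes yes` with `AuthorizedKeysFile %h/etc/ssh/authorized_keys`, and sshd rejects an authorized_keys file whose parent directories are group-writable ("bad ownership or modes for directory"), so key-based logins for the git user may be refused after this run — worth verifying on the host, and `-m 750` (or 700 for etc/ssh) would satisfy the check. The account previously created as git-daemon (L124) is now git-data (L125) with no removal of the old user, so a host provisioned by the earlier version keeps a stale git-daemon account until it is cleaned up by hand. rule_gitolite_configure continues outside the hunk.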
@@ -565,50 +579,18 @@ rule_gitolite_configure () {
                \$WEB_INTERFACE = "gitweb";
                1;
                EOF
-       sudo install -m 740 -o git -g www-lhc-git /dev/stdin \
-        ~git/etc/gitweb/gitweb.conf <<-EOF
-               \$commit_oneline_message_width = 70;
-               \$default_projects_order = 'age';
-               \$default_text_plain_charset = 'UTF-8';
-               @diff_opts = ();
-               \$favicon = "img/git-favicon.png";
-               \$git_temp = "/run/shm/tmp/gitweb";
-               \$home_footer = "/etc/gitweb/cgi/home-footer.cgi.inc";
-               \$home_header = "/etc/gitweb/cgi/home-header.cgi.inc";
-               \$home_link = "/";
-               \$home_link_str = 'd&eacute;p&ocirc;ts';
-               \$home_th_age = 'activit&eacute;';
-               \$home_th_descr = 'description';
-               \$home_th_owner = 'contact';
-               \$home_th_project = 'd&eacute;p&ocirc;t';
-               \$javascript = "js/gitweb.js";
-               \$logo = "img/git-logo.png";
-               \$my_uri = "";
-               \$projectroot = "../git";
-               \$projects_list = "/etc/gitolite/projects.list";
-               \$projects_list_description_width = 42;
-               \$projects_list_owner_width = 15;
-               \$search_str = "Filtre&nbsp;:";
-               \$site_footer = "/etc/gitweb/cgi/site-footer.bin";
-               \$site_header = undef;
-               \$site_name = "git.$vm_domainname";
-               \$space_to_nbsp = 0;
-               @stylesheets = ("css/gitweb.css");#
-               \$untabify_tabstop = 2;
-               EOF
        sudo install -m 600 -o git -g git \
         "$tool"/var/pub/ssh/git.key \
-               ~git/etc/ssh/git.pub
+          /home/git/etc/ssh/git.pub
        sudo -u git \
         GL_RC=/home/git/etc/gitolite/gitolite.rc \
         GIT_AUTHOR_NAME=git \
-               gl-setup -q ~git/etc/ssh/git.pub git
+               gl-setup -q /home/git/etc/ssh/git.pub git
        local d
        for d in doc logs src
-        do test ! -d ~git/etc/gitolite/"$d" ||
-               rmdir ~git/etc/gitolite/"$d"
+        do test ! -d /home/git/etc/gitolite/"$d" ||
+               rmdir /home/git/etc/gitolite/"$d"
         done
-       rule apt_get_install gitweb highlight
        sudo service tmpfs restart
  }
 rule_locales_configure () {
@@ -728,13 +710,20 @@ rule_mail_configure () {
 rule_mysql_configure () {
        rule apt_get_install mysql-server-5.5
        sudo install -m 644 -o root -g root \
-           "$tool"/etc/mysql/my.cnf \
-           /etc/mysql/my.cnf
-       if test ! -d /home/mysql; then
-           sudo install -d -m 750 -o mysql -g mysql \
-               /home/mysql
-           sudo -u mysql mysql_install_db --no-defaults --datadir=/home/mysql/
-       fi
+        "$tool"/etc/mysql/my.cnf \
+               /etc/mysql/my.cnf
+       if test ! -d /home/mysql
+        then
+               sudo install -d -m 750 -o mysql -g mysql \
+                /home/mysql
+               sudo install -d -m 750 -o mysql -g mysql \
+                /home/mysql/data
+               sudo -u mysql mysql_install_db \
+                --no-defaults \
+                --datadir=/home/mysql/data
+               sudo usermod --home /home/mysql mysql
+        fi
+       sudo service tmpfs restart
  }
 rule_network_configure () {
        sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
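Review bot: my.cnf is replaced at L230-L239 on every run, but only tmpfs is restarted at L251; nothing restarts mysql, so on an already-provisioned host the new configuration (presumably including the unix socket location the commit title refers to) is not picked up until someone restarts the server by hand — `sudo service mysql restart` after the tmpfs restart would make the rule converge. Also `sudo usermod --home /home/mysql mysql` at L249 sits inside the first-run `if test ! -d /home/mysql` branch, so a host where /home/mysql already exists from the earlier layout (datadir directly in /home/mysql, L236) never gets the home change or the new data/ subdirectory; moving the usermod out of the branch and guarding on /home/mysql/data instead may cover both cases.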
@@ -829,14 +818,14 @@ rule_nginx_configure () {
                 "$tool"/etc/nginx/conf.d/"$conf" \
                        /etc/nginx/conf.d/"$conf"
         done
-       for conf in "$tool"/etc/nginx/site.d/*/server.conf
+       for conf in "$tool"/etc/nginx/site.d/*/site.conf
         do conf=${conf#"$tool"/etc/nginx/site.d/}
-               local site="${conf%/server.conf}"
+               local site="${conf%/site.conf}"
                rule adduser www-"$site" \
                 --disabled-login \
                 --disabled-password \
                 --group \
-                --home /home/www-data/"$site" \
+                --home /home/www/pub/"$site" \
                 --shell /bin/false \
                 --system
                rule adduser log-www-"$site" \
@@ -846,30 +835,33 @@ rule_nginx_configure () {
                 --home /home/www/log/"$site"/nginx \
                 --shell /bin/false \
                 --system
-               sudo install -d -m 2770 -o log-www-"$site" -g log-www-"$site" \
+               sudo install -d -m 771 -o log-www -g log-www \
                 /home/www/log/"$site"
                sudo install -d -m 770 -o www -g www \
                 /etc/nginx/site.d/"$site"
                sudo install -d -m 770 -o www -g www \
                 /etc/nginx/x509.d/"$site"
                test -L /home/www/pub/"$site" ||
-               sudo install -d -m 3770 -o www-"$site" -g www-"$site" \
+               sudo install -d -m 2770 -o www-"$site" -g www-"$site" \
                 /home/www/pub/"$site"
                sudo adduser www-data www-"$site"
                sudo adduser www-data log-www-"$site"
+               sudo install -m 660 -o www -g www \
+                "$tool"/etc/nginx/site.d/"$site"/local.conf \
+                       /etc/nginx/site.d/"$site"/local.inc
+               sudo install -m 660 -o www -g www \
+                "$tool"/etc/nginx/site.d/"$site"/site.conf \
+                       /etc/nginx/site.d/"$site"/site.inc
                sudo install -m 660 -o www -g www /dev/stdin \
                 /etc/nginx/site.d/"$site"/server.conf <<-EOF
                        server {
                                access_log          /home/www/log/$site/nginx/access.log main;
                                error_log           /home/www/log/$site/nginx/error.log warn;
                                root                /home/www/pub/$site;
-                               ssl_certificate     /etc/nginx/x509.d/$site/crt.pem;
-                               ssl_certificate_key /etc/nginx/x509.d/$site/key.pem;
-                               $(cat "$tool"/etc/nginx/site.d/"$site"/listen.conf)
-                               $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
+                               include             /etc/nginx/site.d/$site/local.inc;
+                               include             /etc/nginx/site.d/$site/site.inc;
                         }
                        EOF
-               test -d /home/www/pub/"$site" -o -L /home/www/pub/"$site" ||
                test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
                .         "$tool"/etc/nginx/site.d/"$site"/configure.sh
         done
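Review bot: The generated server block at L298-L309 no longer carries `ssl_certificate`/`ssl_certificate_key` (removed at L302-L303), and nothing in this hunk puts them into the new local.inc/site.inc it includes, so unless every site's site.conf or local.conf in the tool tree now declares them the vhosts come up without TLS material while /etc/nginx/x509.d/$site (L282-L283) is still created for it; if the paths are meant to be common to all sites, keeping `ssl_certificate /etc/nginx/x509.d/$site/crt.pem;` and `ssl_certificate_key /etc/nginx/x509.d/$site/key.pem;` in the template is the safer default. Dropping the `test -d /home/www/pub/"$site" -o -L ...` guard at L310 means configure.sh is now sourced into this privileged shell on every run rather than only when the site's document root is absent, which is fine if intended but should be stated, e.g. `# configure.sh is sourced on every run and must be idempotent`. rule_nginx_configure continues outside the hunk.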
@@ -877,9 +869,14 @@ rule_nginx_configure () {
        sudo insserv --remove fcgiwrap
        sudo insserv --remove nginx
        rule tmpfs_configure
-       case $(sv status nginx) in
-        (run:*) sudo sv restart nginx
-        esac
+       sudo service php5-fpm restart
+               # NOTE: relance les processus du pool
+               #       pour leur donner les droits
+               #       de leurs groupes supplémentaires.
+       sudo service nginx restart
+       #case $(sv status nginx) in
+       # (run:*) sudo sv restart nginx
+       # esac
  }
 rule_php5_fpm_configure () {
        local -; set +f
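Review bot: `sudo service nginx restart` at L325 drives nginx through its sysv init script, while `sudo insserv --remove nginx` two lines above (L316) and the commented `sv restart` at L326-L328 indicate nginx is meant to be supervised by runit; on a host where the runit service exists, the init-script restart can start a second, unsupervised master or disagree with runsv about the pid, so verify which supervisor owns nginx (and php5-fpm, L321) and restart through it, e.g. keeping `sudo sv restart nginx` under the existing `case $(sv status nginx)` guard. The NOTE at L322-L324 explains why php5-fpm is restarted (to pick up new supplementary groups); the nginx restart has no such comment and would benefit from one. rule_nginx_configure's body continues outside the hunk.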
@@ -938,7 +935,7 @@ rule_php5_fpm_configure () {
                 --disabled-password \
                 --group \
                 --no-create-home \
-                --home /home/www/log/php5/fpm \
+                --home /home/www/log/php5/fpm/"$pool" \
                 --shell /bin/false \
                 --system
                sudo install -d -m 770 -o log-php5 -g log-php5 \
@@ -1141,12 +1138,12 @@ rule_runit_configure () {
                         "$tool"/etc/sv/"$sv"/log/run \
                                /etc/sv/"$sv"/log/run
                 fi
-               test ! -x "$tool"/etc/sv/"$sv"/configure ||
-               "$tool"/etc/sv/"$sv"/configure
+               test ! -r "$tool"/etc/sv/"$sv"/configure.sh ||
+               . "$tool"/etc/sv/"$sv"/configure.sh
                ln -fns ../sv/"$sv" /etc/service/"$sv"
                eval local sv_status=\"\${sv_status_$sv_hash-}\"
                case $sv_status in
-                ("") sv start "$sv";;
+                ("") true;;
                 (run:*) sv restart "$sv";;
                 esac
         done
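Review bot: Switching from executing `configure` to sourcing `configure.sh` with `.` at L347-L348 runs that script inside this function's shell, so anything it assigns — including the loop variable `sv` and the `sv_hash`/`sv_status_*` names that the `eval` at L350 expands right afterwards — leaks back into the caller and can change which service gets linked and restarted; if the sourced scripts do not need to export state, `( . "$tool"/etc/sv/"$sv"/configure.sh )` keeps them in a subshell, otherwise a comment documenting which variables they may touch is needed. The same sourcing pattern appears in the nginx hunk at L311-L312. The enclosing `for`/`do` loop begins outside the hunk.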
@@ -1163,43 +1160,59 @@ rule_ssh_configure () {
         /etc/ssh/ssh_host_ecdsa_key \
         /etc/ssh/ssh_host_ecdsa_key.pub
         # NOTE: clefs générées par Debian
-       sudo install -m 644 -o root -g root /dev/stdin  /etc/ssh/sshd_config <<-EOF
-               Port 22
-               ListenAddress $vm_ipv4
-               #ListenAddress ::
-               Protocol 2
+       sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
+               AcceptEnv LANG LC_*
+               AuthorizedKeysFile %h/etc/ssh/authorized_keys
+               ChallengeResponseAuthentication no
+               ClientAliveInterval 0
                Compression yes
+               DebianBanner no
+               GSSAPIAuthentication no
                HostKey /etc/ssh/ssh_host_rsa_key
-               UsePrivilegeSeparation yes
+               HostbasedAuthentication no
+               IgnoreRhosts yes
+               IgnoreUserKnownHosts no
+               KerberosAuthentication no
                KeyRegenerationInterval 3600
-               ServerKeyBits 768
-               SyslogFacility AUTH
+               Port 22
+               ListenAddress 127.0.0.1
+               ListenAddress $vm_ipv4
                LogLevel INFO
                LoginGraceTime 120
+               PasswordAuthentication no
+               PermitEmptyPasswords no
                PermitRootLogin yes
-               StrictModes yes
-               RSAAuthentication yes
+               PrintLastLog yes
+               PrintMotd no
+               Protocol 2
                PubkeyAuthentication yes
-               AuthorizedKeysFile %h/etc/ssh/authorized_keys
-               IgnoreRhosts yes
+               RSAAuthentication yes
                RhostsRSAAuthentication no
-               HostbasedAuthentication no
-               IgnoreUserKnownHosts no
-               PermitEmptyPasswords no
-               ChallengeResponseAuthentication no
-               PasswordAuthentication no
-               KerberosAuthentication no
-               GSSAPIAuthentication no
-               X11Forwarding no
-               X11DisplayOffset 10
-               PrintMotd no
-               DebianBanner no
-               PrintLastLog yes
-               TCPKeepAlive yes
-               ClientAliveInterval 0
-               AcceptEnv LANG LC_*
+               ServerKeyBits 768
+               StrictModes yes
                Subsystem sftp /usr/lib/openssh/sftp-server
+               SyslogFacility AUTH
+               TCPKeepAlive yes
                UsePAM yes
+               UsePrivilegeSeparation yes
+               X11DisplayOffset 10
+               X11Forwarding no
+               EOF
+       sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/ssh_config <<-EOF
+               Host *
+                       #Compression yes
+                       #CompressionLevel 9
+                       #ControlMaster auto
+                       #ControlPath ~/var/run/ssh/%h-%p-%r.sock
+                       GSSAPIAuthentication no
+                       GSSAPIDelegateCredentials no
+                       HashKnownHosts yes
+                       IdentityFile ~/etc/ssh/id_dsa
+                       IdentityFile ~/etc/ssh/id_rsa
+                       IdentityFile ~/etc/ssh/identity
+                       SendEnv LANG LC_*
+                       StrictHostKeyChecking ask
+                       UserKnownHostsFile ~/etc/ssh/known_hosts
                EOF
        sudo service ssh restart
  }
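Review bot: `PermitRootLogin yes` (L390) is kept while `PasswordAuthentication no` and `PermitEmptyPasswords no` now sit beside it; with passwords off the value could be tightened to `PermitRootLogin without-password` so root stays key-only even if password authentication is ever re-enabled. `ServerKeyBits 768`, `KeyRegenerationInterval 3600`, `RSAAuthentication` and `RhostsRSAAuthentication` (L380, L399-L400, L416) only apply to protocol 1, which `Protocol 2` (L395) disables, so they are dead configuration and can go. The new ssh_config lists `IdentityFile ~/etc/ssh/id_dsa` first (L435); OpenSSH DSA keys are limited to 1024 bits, so ordering id_rsa first (or dropping the DSA entry) avoids offering the weakest key by preference. rule_ssh_configure's start is outside the hunk.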
@@ -1278,7 +1291,7 @@ rule_user_configure () {
                LAST_SYSTEM_UID=999
                LAST_UID=29999
                LETTERHOMES=no
-               NAME_REGEX="^[a-z][-a-z0-9_.]*\$"
+               NAME_REGEX="^[a-z][-a-z0-9_]*\$"
                QUOTAUSER="" # TODO: init
                SETGID_HOME=no
                SKEL=/etc/skel
@@ -1385,11 +1398,11 @@ rule_configure () {
        rule sysctl_configure
        rule user_configure
        rule mail_configure
+       rule gitolite_configure
        rule www_configure
        rule php5_fpm_configure
        rule nginx_configure
        #rule apache2_configure
-       rule gitolite_configure
        rule runit_configure
  }