#!/bin/sh
set -e -f ${DRY_RUN:+-n} -u
-tool=$(cd "${0%/*}"; cd -)
+tool=$(readlink -e "${0%/*}")
. "$tool"/lib/rule.sh
. "$tool"/etc/vm.sh
+TRACE=1
rule_help () { # SYNTAX: [--hidden]
local hidden; [ ${1:+set} ] || hidden=set
(
cd "$tool"
git remote rm host || true
- git remote add host $vm_host:tool/vm
+ git remote add host $vm_host:src/vm
git config --replace remote.host.push HEAD:refs/remotes/master
git remote rm hosted || true
- git remote add hosted root@$vm_fqdn:tool/vm
+ git remote add hosted $vm_fqdn:src/vm
git config --replace remote.hosted.push HEAD:refs/remotes/master
git submodule update --init
)
cd "$tool"
local remote=${1#remote=}; shift
GIT_SSH=./lib/ssh git push -v "$remote" "$@"
- info "penser à faire : vm_hosted git_reset"
)
}
"$tool"/lib/ssh $vm_fqdn "$@"
}
rule_mosh () {
- mosh --ssh="$tool/lib/ssh $*" $vm_fqdn
+ mosh --ssh="$tool/lib/ssh ${ssh-}" -- $vm_fqdn "$@"
}
rule__ssh_known_hosts_update () {
rule ssh \
whoami
}
-rule__x509_service_key_send_deciphered () { # SYNTAX: $service $remote_destination ${ssh_options-}
- local service="$1"; shift
- local remote_destination="$1"; shift
- gpg --decrypt "var/sec/x509/$vm_domainname/$service/key.pass.gpg" |
+rule__x509_site_key_decrypt () { # SYNTAX: $site
+ local site="$1"; shift
+ gpg --decrypt "$tool"/var/sec/x509/"$site"/key.pass.gpg |
openssl rsa -passin 'stdin' \
- -in "var/sec/x509/$vm_domainname/$service/key.pem" \
- -out '/dev/stdout' |
- rule ssh "$@" ' \
- install -m 400 -o root -g root \
- /dev/stdin \
- '"$remote_destination"' \
- '
+ -in var/sec/x509/"$site"/key.pem \
+ -out '/dev/stdout'
}
rule_luks_key_send () { # DESCRIPTION: envoie la clef de déchiffrement des partitions au démarrage de la VM.
done
}
-rule_apache2_key_send () {
- local -; set +f
- for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf
- do conf=${conf#"$tool"/etc/apache2/site.d/}
- local port domain
- IFS=. read -r port domain <<-EOF
- ${conf%\/VirtualHost\.conf}
- EOF
- assert 'test "${port:+set}"'
- assert 'test "${domain:+set}"'
- local site="$port.$domain"
- case $port in
- (443)
- rule ssh -l root ' \
- sudo install -d -m 770 -o '"$user"' -g '"$user"' \
- /etc/apache2 \
- /etc/apache2/site.d/'"$site"' \
- /etc/apache2/site.d/'"$site"'/x509; \
- sudo install -m 644 -o '"$user"' -g '"$user"' /dev/stdin \
- /etc/apache2/site.d/'"$site"'/x509/.gitignore <<-EOF
- key.pem
- EOF
- '
- rule _x509_service_key_send_deciphered $service \
- /etc/apache2/"$site"/x509/key.pem -l root "$@"
- ;;
- esac
- done
- }
-rule_dovecot_key_send () {
- rule ssh -l root ' \
- sudo install -d -m 770 -o root -g root \
- /etc/dovecot/'"$vm_domainname"'/ \
- /etc/dovecot/'"$vm_domainname"'/imap \
- /etc/dovecot/'"$vm_domainname"'/imap/x509 ; \
- sudo install -m 644 -o root -g root /dev/stdin \
- /etc/dovecot/'"$vm_domainname"'/imap/x509/.gitignore <<-EOF
- key.pem
- EOF
- '
- rule _x509_service_key_send_deciphered imap \
- /etc/dovecot/$vm_domainname/$service/x509/key.pem -l root "$@"
- }
-rule_gitolite_configure () {
+rule_gitolite_git () {
(
cd "$tool"/etc/gitolite
GIT_SSH=../../lib/ssh \
SSH_ASKPASS='"$tool"'/lib/ssh-pass \
SSH_ID=git \
ssh-add '"$tool"'/var/sec/ssh/git </dev/null && \
- git push -v origin '"$*"
+ git '"$*"
+ )
+ }
+rule_runit_configure () { # SYNTAX: $sv [...] -- $configure_options
+ if test $# = 0
+ then
+ set +x
+ rule ssh sudo sv status \
+ $(sudo find /etc/sv \
+ -mindepth 1 -maxdepth 1 -type d \
+ -printf '%p\n' | sort)
+ else
+ local services=
+ while [ $# -gt 0 ]
+ do case $1 in
+ (--) shift; break;;
+ (*) services="$services $1"; shift;;
+ esac
+ done
+ for sv in $(find "$tool"/etc/sv \
+ -mindepth 1 -maxdepth 1 -type d \
+ -false $(printf -- '-or -name %s\n' $services) \
+ -printf '%f\n')
+ do
+ rule _runit_sv_configure "$sv" "$@"
+ done
+ fi
+ }
+rule__runit_sv_configure () { # SYNTAX: $sv $configure_options
+ local sv="$1"; shift
+ (
+ test ! -r "$tool"/etc/sv/"$sv"/remote.sh ||
+ . "$tool"/etc/sv/"$sv"/remote.sh || return 1
)
}
-rule_nginx_key_send () {
- local -; set +f
- for conf in "$tool"/etc/nginx/site.d/*/server.conf
- do conf=${conf#"$tool"/etc/nginx/site.d/}
- local port domain
- IFS=. read -r port domain <<-EOF
- ${conf%\/server\.conf}
+
+
+rule_duplicity_configure () {
+ subkey_caps="e s" \
+ rule gpg_gen_key "backup+$vm_hostname@$vm_domainname" <<-EOF
+ Name-Real: $vm_fqdn
+ Name-Email: backup+$vm_hostname@$vm_domainname
+ Name-Comment: (duplicity)
+ Expire-Date: 0
+ EOF
+ }
+rule_duplicity_key_send () {
+ gpg --export-options export-reset-subkey-passwd \
+ --export-secret-subkeys "backup+$vm_hostname@$vm_domainname" |
+ rule ssh gpg --import -
+ }
+rule_gpg () { # SYNTAX: $gpg_options
+ LANG=C gpg --no-permission-warning --homedir "$tool"/var/pub/openpgp "$@"
+ }
+rule_gpg_gen_key () { # SYNTAX: $uid ENV: $gpg_options
+ local uid="$1"
+ install -d -m 700 \
+ var/pub/openpgp
+ install -d -m 700 \
+ var/sec \
+ var/sec/openpgp
+ if test ! -e "$tool"/var/sec/openpgp/"$uid".pass.gpg
+ then gpg --encrypt $gpg_options -o "$tool"/var/sec/openpgp/"$uid".pass.gpg <<-EOF
+ $(stdbuf --output 0 tr -d -c '[:alnum:][:punct:]' <"${random:-/dev/urandom}" | head -c 42)
+ EOF
+ fi
+ if ! rule gpg --list-keys -- "$uid" >/dev/null
+ then
+ rule gpg --batch --gen-key
+ # DOC: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=doc/DETAILS;hb=refs/heads/STABLE-BRANCH-1-4
+ Key-Type: RSA
+ Key-Length: 4096
+ Key-Usage: sign
+ Passphrase:$(gpg --decrypt ${gpg_options-} "$tool"/var/sec/openpgp/"$uid".pass.gpg)
+ Preferences: TWOFISH AES256 CAST5 BLOWFISH CAMELLIA256 3DES SHA512 SHA384 SHA256 SHA224 SHA1 BZIP2 ZLIB ZIP NONE MDC NO-KS-MODIFY
+ $(cat -)
+ %commit
+ EOF
+ fi
+ caps=$(
+ rule gpg --with-colons --fixed-list-mode --with-fingerprint --list-secret-keys \
+ -- "$uid" |
+ sed -e 's/^ssb\(:[^:]*\)\{11\}.*/\1/;t;d'
+ )
+ for cap in ${subkey_caps:-}
+ do
+ test ! "$caps" = "$(printf %s "$caps" | sed -e 's/'"$cap"'//g')" ||
+ printf '%s\n' 8 s e $cap q 4096 ${expire:-0} save |
+ rule gpg --keyid-format "long" --with-colons --fixed-list-mode --expert \
+ --passphrase-fd 3 --command-fd 0 --edit-key "$uid" addkey 3<<-EOF
+ $(gpg --decrypt ${gpg_options-} "$tool"/var/sec/openpgp/"$uid".pass.gpg)
EOF
- assert 'test "${port:+set}"'
- assert 'test "${domain:+set}"'
- local site="$port.$domain"
- case $port in
- (443)
- rule ssh -l root ' \
- sudo install -d -m 770 -o root -g root \
- /etc/nginx \
- /etc/nginx/site.d \
- /etc/nginx/site.d/'"$site"' \
- /etc/nginx/site.d/'"$site"'/x509; \
- sudo install -m 644 -o root -g root /dev/stdin \
- /etc/nginx/site.d/'"$site"'/x509/.gitignore <<-EOF
- key.pem
- EOF
- '
- rule _x509_service_key_send_deciphered $service \
- /etc/nginx/"$site"/x509/key.pem -l root "$@"
- ;;
- esac
done
}
-rule_postfix_key_send () {
- rule ssh -l root ' \
- sudo install -d -m 770 -o root -g root \
- /etc/postfix/'"$vm_domainname"'/ \
- /etc/postfix/'"$vm_domainname"'/smtpd \
- /etc/postfix/'"$vm_domainname"'/smtpd/x509; \
- sudo install -m 644 -o root -g root /dev/stdin \
- /etc/postfix/'"$vm_domainname"'/smtp/x509/.gitignore <<-EOF
- key.pem
- EOF
- sudo install -m 644 -o root -g root /dev/stdin \
- /etc/postfix/'"$vm_domainname"'/smtpd/x509/.gitignore <<-EOF
- key.pem
+rule_mysql_backup () {
+ mkdir -p "$tool"/var/backup/mysql
+ rule ssh -l backup '
+ for db in $(sudo -u backup mysql -u backup --skip-column-names <<-EOF
+ SELECT schema_name
+ FROM information_schema.schemata
+ WHERE schema_name NOT IN ("information_schema", "performance_schema");
EOF
+ ); do
+ $db
+ done
'
- rule _x509_service_key_send_deciphered smtpd \
- /etc/postfix/$vm_domainname/smtpd/x509/key.pem -l root "$@"
}
rule=${1:-help}