Ajout : vm_remote : rule_gpg .

[lhc/ateliers.git] / vm_remote
diff --git a/vm_remote b/vm_remote

index f735ba9..64e5353 100755 (executable)
--- a/vm_remote
+++ b/vm_remote
@@ -3,6 +3,7 @@ set -e -f ${DRY_RUN:+-n} -u
  tool=$(readlink -e "${0%/*}")
  . "$tool"/lib/rule.sh
  . "$tool"/etc/vm.sh
+TRACE=1
  
  rule_help () { # SYNTAX: [--hidden]
         local hidden; [ ${1:+set} ] || hidden=set
@@ -135,10 +136,69 @@ rule__runit_sv_configure () { # SYNTAX: $sv $configure_options
         .         "$tool"/etc/sv/"$sv"/remote.sh || return 1
         )
   }
+
+
+rule_duplicity_configure () {
+       subkey_caps="e s" \
+       rule gpg_gen_key "backup+$vm_hostname@$vm_domainname" <<-EOF
+               Name-Real: $vm_fqdn
+               Name-Email: backup+$vm_hostname@$vm_domainname
+               Name-Comment: (duplicity)
+               Expire-Date: 0
+               EOF
+ }
+rule_duplicity_key_send () {
+       gpg --export-options export-reset-subkey-passwd \
+        --export-secret-subkeys "backup+$vm_hostname@$vm_domainname" |
+       rule ssh gpg --import -
+ }
+rule_gpg () { # SYNTAX: $gpg_options
+       LANG=C gpg --no-permission-warning --homedir "$tool"/var/pub/openpgp "$@"
+ }
+rule_gpg_gen_key () { # SYNTAX: $uid  ENV: $gpg_options
+       local uid="$1"
+       install -d -m 700 \
+        var/pub/openpgp
+       install -d -m 700 \
+        var/sec \
+        var/sec/openpgp
+       if test ! -e "$tool"/var/sec/openpgp/"$uid".pass.gpg
+        then gpg --encrypt $gpg_options -o "$tool"/var/sec/openpgp/"$uid".pass.gpg <<-EOF
+                       $(stdbuf --output 0 tr -d -c '[:alnum:][:punct:]' <"${random:-/dev/urandom}" | head -c 42)
+                       EOF
+        fi
+       if ! rule gpg --list-keys -- "$uid" >/dev/null
+        then
+               rule gpg --batch --gen-key
+                       # DOC: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=doc/DETAILS;hb=refs/heads/STABLE-BRANCH-1-4
+                       Key-Type: RSA
+                       Key-Length: 4096
+                       Key-Usage: sign
+                       Passphrase:$(gpg --decrypt ${gpg_options-} "$tool"/var/sec/openpgp/"$uid".pass.gpg)
+                       Preferences: TWOFISH AES256 CAST5 BLOWFISH CAMELLIA256 3DES SHA512 SHA384 SHA256 SHA224 SHA1 BZIP2 ZLIB ZIP NONE MDC NO-KS-MODIFY
+                       $(cat -)
+                       %commit
+                       EOF
+        fi
+       caps=$(
+               rule gpg --with-colons --fixed-list-mode --with-fingerprint --list-secret-keys \
+                -- "$uid" |
+               sed -e 's/^ssb\(:[^:]*\)\{11\}.*/\1/;t;d'
+        )
+       for cap in ${subkey_caps:-}
+        do
+               test ! "$caps" = "$(printf %s "$caps" | sed -e 's/'"$cap"'//g')" ||
+               printf '%s\n' 8 s e $cap q 4096 ${expire:-0} save |
+               rule gpg --keyid-format "long" --with-colons --fixed-list-mode --expert \
+                --passphrase-fd 3 --command-fd 0 --edit-key "$uid" addkey 3<<-EOF
+                       $(gpg --decrypt ${gpg_options-} "$tool"/var/sec/openpgp/"$uid".pass.gpg)
+                       EOF
+        done
+ }
  rule_mysql_backup () {
         mkdir -p "$tool"/var/backup/mysql
-       rule ssh -l root '
-               for db in $(sudo -u mysql mysql -u mysql --skip-column-names <<-EOF
+       rule ssh -l backup '
+               for db in $(sudo -u backup mysql -u backup --skip-column-names <<-EOF
                         SELECT schema_name
                                 FROM information_schema.schemata
                                 WHERE schema_name NOT IN ("information_schema", "performance_schema");