X-Git-Url: https://git.cyclocoop.org/?p=lhc%2Fateliers.git;a=blobdiff_plain;f=vm_hosted;h=11dd8bb0a40efccc07d852b0479a6c25a4bdf4d6;hp=a75d9cb45f27e245244d1a47c95d01d53bd150c3;hb=bac5cba029aebec55df758a3c18e8edcf684af1f;hpb=de0435e3d96f9205fd7a27809d2004d5737469fa diff --git a/vm_hosted b/vm_hosted index a75d9cb..11dd8bb 100755 --- a/vm_hosted +++ b/vm_hosted @@ -34,9 +34,7 @@ rule_git_configure () { git config --replace branch.master.merge refs/remotes/master local tool tool=$(cd "$tool"; cd -) - sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/ - sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/vm - sudo install -m 770 /dev/stdin .git/hooks/post-update <<-EOF + install -m 770 /dev/stdin .git/hooks/post-update <<-EOF #!/bin/sh -efux case \$1 in (refs/remotes/master) @@ -62,7 +60,7 @@ rule_adduser () { sudo adduser "$@" "$user" } rule_apt_get_install () { # SYNTAX: $package - sudo DEBIAN_FRONTEND=noninteractive apt-get install "$@" + sudo DEBIAN_FRONTEND=noninteractive apt-get install --yes "$@" } rule_dpkg_reconfigure () { # SYNTAX: $package sudo DEBIAN_FRONTEND=noninteractive dpkg-reconfigure "$@" @@ -74,7 +72,7 @@ rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ? . /etc/profile } -rule_apache2_configure () { +rule_apache2_configure () { # XXX: cette règle n'est pas testée/mise-à-jour local -; set +f rule apt_get_install \ apache2-mpm-itk \ @@ -90,6 +88,12 @@ rule_apache2_configure () { # cependant l'usage de suexec impose des forks il semble.. # et mod_proxy_fcgi n'apparaît que dans apache 2.4 ; # donc pour l'instant : apache2-mpm-itk + sudo rm -rf \ + /etc/apache2/site.d + sudo install -d -m 770 -o www -g www \ + /etc/apache2 \ + /etc/apache2/site.d \ + /etc/apache2/x509.d cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF | ServerName "$vm_fqdn" EOF @@ -129,23 +133,23 @@ rule_apache2_configure () { sudo install -d -m 770 -o www-"$site" -g www-"$site" \ /etc/apache2 \ /etc/apache2/site.d/"$site" \ - /etc/apache2/site.d/"$site"/x509 \ - /etc/apache2/site.d/"$site"/x509/ca \ - /etc/apache2/site.d/"$site"/x509/empty \ - /etc/apache2/site.d/"$site"/x509/rvk \ - /etc/apache2/site.d/"$site"/x509/usr + /etc/apache2/x509.d/"$site" \ + /etc/apache2/x509.d/"$site"/ca \ + /etc/apache2/x509.d/"$site"/empty \ + /etc/apache2/x509.d/"$site"/rvk \ + /etc/apache2/x509.d/"$site"/usr sudo install -m 664 -o www -g www \ - "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \ - /etc/apache2/site.d/"$site"/x509/crt.self-signed.pem + "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \ + /etc/apache2/x509.d/"$site"/crt.self-signed.pem #sudo install -m 664 -o www-"$site" -g www-"$site" \ # "$tool"/var/pub/x509/"$site"/rvk.pem \ - # /etc/apache2/site.d/"$site"/x509/rvk.pem + # /etc/apache2/x509.d/"$site"/rvk.pem sudo install -m 664 -o www -g www \ "$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \ - /etc/apache2/site.d/"$site"/x509/ca/crt.pem + /etc/apache2/x509.d/"$site"/ca/crt.pem sudo install -m 664 -o www -g www \ - "$tool"/var/pub/x509/"$site"/crt.pem \ - /etc/apache2/site.d/"$site"/x509/crt.pem + "$tool"/var/pub/x509/"$site"/crt.pem \ + /etc/apache2/x509.d/"$site"/crt.pem ;; esac case $site in @@ -162,16 +166,16 @@ rule_apache2_configure () { ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60" #ErrorLog "/dev/null" LogLevel Warn - SSLCACertificateFile /etc/apache2/site.d/$site/x509/crt.self-signed.pem - SSLCACertificatePath /etc/apache2/site.d/$site/x509/usr/ - #SSLCARevocationFile /etc/apache2/site.d/$site/x509/rvk.pem - SSLCADNRequestFile /etc/apache2/site.d/$site/x509/crt.self-signed.pem - SSLCADNRequestPath /etc/apache2/site.d/$site/x509/empty/ + SSLCACertificateFile /etc/apache2/x509.d/$site/crt.self-signed.pem + SSLCACertificatePath /etc/apache2/x509.d/$site/usr/ + #SSLCARevocationFile /etc/apache2/x509.d/$site/rvk.pem + SSLCADNRequestFile /etc/apache2/x509.d/$site/crt.self-signed.pem + SSLCADNRequestPath /etc/apache2/x509.d/$site/empty/ # NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés - SSLCARevocationPath /etc/apache2/site.d/$site/x509/rvk/ - SSLCertificateChainFile /etc/apache2/site.d/$site/x509/ca/crt.pem - SSLCertificateFile /etc/apache2/site.d/$site/x509/crt.pem - SSLCertificateKeyFile /etc/apache2/site.d/$site/x509/key.pem + SSLCARevocationPath /etc/apache2/x509.d/$site/rvk/ + SSLCertificateChainFile /etc/apache2/x509.d/$site/ca/crt.pem + SSLCertificateFile /etc/apache2/x509.d/$site/crt.pem + SSLCertificateKeyFile /etc/apache2/x509.d/$site/key.pem SSLCipherSuite AES+RSA+SHA256 SSLEngine On SSLInsecureRenegotiation Off @@ -239,19 +243,19 @@ rule_apache2_configure () { } rule_apt_configure () { sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF - deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free + deb http://ftp.rezopole.net/debian $vm_lsb_name main EOF - sudo install -m 660 -o root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF - #deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free + sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/$vm_lsb_name-backports.list <<-EOF + deb http://ftp.rezopole.net/debian $vm_lsb_name-backports main EOF sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF Package: * Pin: release a=$vm_lsb_name - Pin-Priority: 170 + Pin-Priority: 200 Package: * Pin: release a=$vm_lsb_name-backports - Pin-Priority: 200 + Pin-Priority: 170 EOF sudo apt-get update rule apt_get_install apticron @@ -466,10 +470,11 @@ rule_initramfs_configure () { $users EOF do eval local home\; home="~$user" - cat "$home"/etc/ssh/authorized_keys + sudo cat "$home"/etc/ssh/authorized_keys done done | - sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys + sudo install -m 644 -o root -g root /dev/stdin \ + /etc/initramfs-tools/root/.ssh/authorized_keys sudo rm -f \ /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \ /etc/initramfs-tools/root/.ssh/id_rsa.pub \ @@ -487,6 +492,7 @@ rule_gitolite_configure () { rule adduser git \ --disabled-password \ --group \ + --home /home/git \ --shell /bin/bash \ --system sudo chfn --full-name git git @@ -494,34 +500,38 @@ rule_gitolite_configure () { --disabled-login \ --disabled-password \ --group \ - --home ~git/log \ + --home /home/git/log \ --shell /bin/false \ --system - rule adduser git-daemon\ + rule adduser git-data \ --disabled-login \ --disabled-password \ --group \ --home /home/git/pub \ --shell /bin/false \ --system + sudo adduser git git-data sudo install -d -m 770 -o git -g git \ /etc/gitolite \ - ~git/etc \ - ~git/etc/ssh \ - ~git/pub - sudo install -d -m 770 -o log-git -g log-git \ - ~git/log \ - ~git/log/gitolite \ - ~git/log/gitolite/perf - sudo install -d -m 550 -o www-lhc-git -g www-lhc-git \ - /etc/gitweb \ - /etc/gitweb/cgi - sudo ln -fns /etc/gitolite ~git/etc/gitolite - sudo ln -fns /etc/gitweb ~git/etc/gitweb - sudo ln -fns etc/gitolite/gitolite.rc ~git/.gitolite.rc - sudo ln -fns etc/ssh ~git/.ssh + /home/git/etc \ + /home/git/etc/ssh + sudo install -d -m 751 -o git -g git \ + /home/git + sudo install -d -m 2770 -o git-data -g git-data \ + /home/git/pub + sudo install -d -m 1771 -o git -g git \ + /home/git/log + sudo install -d -m 2770 -o git -g log-git \ + /home/git/log/gitolite \ + /home/git/log/gitolite/perf + sudo install -d -m 3771 -o git -g git \ + /home/git/hooks + sudo ln -fns /etc/gitolite /home/git/etc/gitolite + sudo ln -fns /etc/gitweb /home/git/etc/gitweb + sudo ln -fns etc/gitolite/gitolite.rc /home/git/.gitolite.rc + sudo ln -fns etc/ssh /home/git/.ssh sudo install -m 770 -o git -g git /dev/stdin \ - ~git/etc/gitolite/gitolite.rc <<-EOF + /home/git/etc/gitolite/gitolite.rc <<-EOF #\$ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary"; #\$BIG_INFO_CAP = 20; #\$ENV{GL_SLAVES} = 'gitolite@server2 gitolite@server3'; @@ -536,7 +546,7 @@ rule_gitolite_configure () { \$GL_CONF = "\$GL_ADMINDIR/conf/gitolite.conf"; \$GL_CONF_COMPILED = "\$GL_ADMINDIR/conf/gitolite.conf.pm"; #\$GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups" - \$GL_GITCONFIG_KEYS = "hooks\\..* repo\\..*"; + \$GL_GITCONFIG_KEYS = "gitweb\\..* hooks\\..*"; #\$GL_HOSTNAME = "git.$vm_domainname"; # NOTE: read doc/mirroring.mkd COMPLETELY before setting this. #\$GL_HTTP_ANON_USER = "mob"; @@ -556,7 +566,7 @@ rule_gitolite_configure () { #\$GL_WILDREPOS_DEFPERMS = 'R @all'; \$GL_WILDREPOS_PERM_CATS = "READERS WRITERS"; \$HTPASSWD_FILE = ""; - \$PROJECTS_LIST = \$ENV{HOME} . "/projects.list"; + \$PROJECTS_LIST = \$ENV{HOME} . "/etc/gitweb/projects.list"; \$REPO_BASE = "pub"; \$REPO_UMASK = 0007; \$RSYNC_BASE = ""; @@ -565,50 +575,18 @@ rule_gitolite_configure () { \$WEB_INTERFACE = "gitweb"; 1; EOF - sudo install -m 740 -o git -g www-lhc-git /dev/stdin \ - ~git/etc/gitweb/gitweb.conf <<-EOF - \$commit_oneline_message_width = 70; - \$default_projects_order = 'age'; - \$default_text_plain_charset = 'UTF-8'; - @diff_opts = (); - \$favicon = "img/git-favicon.png"; - \$git_temp = "/run/shm/tmp/gitweb"; - \$home_footer = "/etc/gitweb/cgi/home-footer.cgi.inc"; - \$home_header = "/etc/gitweb/cgi/home-header.cgi.inc"; - \$home_link = "/"; - \$home_link_str = 'dépôts'; - \$home_th_age = 'activité'; - \$home_th_descr = 'description'; - \$home_th_owner = 'contact'; - \$home_th_project = 'dépôt'; - \$javascript = "js/gitweb.js"; - \$logo = "img/git-logo.png"; - \$my_uri = ""; - \$projectroot = "../git"; - \$projects_list = "/etc/gitolite/projects.list"; - \$projects_list_description_width = 42; - \$projects_list_owner_width = 15; - \$search_str = "Filtre :"; - \$site_footer = "/etc/gitweb/cgi/site-footer.bin"; - \$site_header = undef; - \$site_name = "git.$vm_domainname"; - \$space_to_nbsp = 0; - @stylesheets = ("css/gitweb.css");# - \$untabify_tabstop = 2; - EOF sudo install -m 600 -o git -g git \ "$tool"/var/pub/ssh/git.key \ - ~git/etc/ssh/git.pub + /home/git/etc/ssh/git.pub sudo -u git \ GL_RC=/home/git/etc/gitolite/gitolite.rc \ GIT_AUTHOR_NAME=git \ - gl-setup -q ~git/etc/ssh/git.pub git + gl-setup -q /home/git/etc/ssh/git.pub git local d for d in doc logs src - do test ! -d ~git/etc/gitolite/"$d" || - rmdir ~git/etc/gitolite/"$d" + do test ! -d /home/git/etc/gitolite/"$d" || + rmdir /home/git/etc/gitolite/"$d" done - rule apt_get_install gitweb highlight sudo service tmpfs restart } rule_locales_configure () { @@ -727,14 +705,39 @@ rule_mail_configure () { } rule_mysql_configure () { rule apt_get_install mysql-server-5.5 - sudo install -m 644 -o root -g root \ - "$tool"/etc/mysql/my.cnf \ - /etc/mysql/my.cnf - if test ! -d /home/mysql; then - sudo install -d -m 750 -o mysql -g mysql \ - /home/mysql - sudo -u mysql mysql_install_db --no-defaults --datadir=/home/mysql/ - fi + rule adduser mysql \ + --disabled-login \ + --disabled-password \ + --group \ + --home /home/mysql \ + --shell /bin/false \ + --system + rule adduser mysql-data \ + --disabled-login \ + --disabled-password \ + --group \ + --home /home/mysql/data \ + --shell /bin/false \ + --system + sudo usermod --home /home/mysql mysql + sudo adduser mysql mysql-data + sudo install -m 640 -o mysql -g mysql \ + "$tool"/etc/mysql/my.cnf \ + /etc/mysql/my.cnf + sudo install -d -m 751 -o mysql -g mysql \ + /home/mysql + sudo install -d -m 750 -o mysql-data -g mysql-data \ + /home/mysql/data + if test ! -d /home/mysql/data + then + sudo -u mysql mysql_install_db \ + --no-defaults \ + --datadir=/home/mysql/data + fi + sudo service tmpfs restart + case $(sudo sv status mysql || true) in + (run:*) sudo sv restart mysql + esac } rule_network_configure () { sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF @@ -829,14 +832,14 @@ rule_nginx_configure () { "$tool"/etc/nginx/conf.d/"$conf" \ /etc/nginx/conf.d/"$conf" done - for conf in "$tool"/etc/nginx/site.d/*/server.conf + for conf in "$tool"/etc/nginx/site.d/*/site.conf do conf=${conf#"$tool"/etc/nginx/site.d/} - local site="${conf%/server.conf}" + local site="${conf%/site.conf}" rule adduser www-"$site" \ --disabled-login \ --disabled-password \ --group \ - --home /home/www-data/"$site" \ + --home /home/www/pub/"$site" \ --shell /bin/false \ --system rule adduser log-www-"$site" \ @@ -846,40 +849,45 @@ rule_nginx_configure () { --home /home/www/log/"$site"/nginx \ --shell /bin/false \ --system - sudo install -d -m 2770 -o log-www-"$site" -g log-www-"$site" \ + sudo install -d -m 771 -o log-www -g log-www \ /home/www/log/"$site" sudo install -d -m 770 -o www -g www \ /etc/nginx/site.d/"$site" sudo install -d -m 770 -o www -g www \ /etc/nginx/x509.d/"$site" test -L /home/www/pub/"$site" || - sudo install -d -m 3770 -o www-"$site" -g www-"$site" \ + sudo install -d -m 2770 -o www-"$site" -g www-"$site" \ /home/www/pub/"$site" sudo adduser www-data www-"$site" sudo adduser www-data log-www-"$site" + sudo install -m 660 -o www -g www \ + "$tool"/etc/nginx/site.d/"$site"/local.conf \ + /etc/nginx/site.d/"$site"/local.inc + sudo install -m 660 -o www -g www \ + "$tool"/etc/nginx/site.d/"$site"/site.conf \ + /etc/nginx/site.d/"$site"/site.inc sudo install -m 660 -o www -g www /dev/stdin \ /etc/nginx/site.d/"$site"/server.conf <<-EOF server { access_log /home/www/log/$site/nginx/access.log main; error_log /home/www/log/$site/nginx/error.log warn; root /home/www/pub/$site; - ssl_certificate /etc/nginx/x509.d/$site/crt.pem; - ssl_certificate_key /etc/nginx/x509.d/$site/key.pem; - $(cat "$tool"/etc/nginx/site.d/"$site"/listen.conf) - $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf) + include /etc/nginx/site.d/$site/local.inc; + include /etc/nginx/site.d/$site/site.inc; } EOF - test -d /home/www/pub/"$site" -o -L /home/www/pub/"$site" || test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh || . "$tool"/etc/nginx/site.d/"$site"/configure.sh done rule apt_get_install spawn-fcgi fcgiwrap sudo insserv --remove fcgiwrap - sudo insserv --remove nginx + #sudo insserv --remove nginx rule tmpfs_configure - case $(sv status nginx) in - (run:*) sudo sv restart nginx - esac + sudo service php5-fpm restart + # NOTE: relance les processus du pool + # pour leur donner les droits + # de leurs groupes supplémentaires. + sudo service nginx restart } rule_php5_fpm_configure () { local -; set +f @@ -938,7 +946,7 @@ rule_php5_fpm_configure () { --disabled-password \ --group \ --no-create-home \ - --home /home/www/log/php5/fpm \ + --home /home/www/log/php5/fpm/"$pool" \ --shell /bin/false \ --system sudo install -d -m 770 -o log-php5 -g log-php5 \ @@ -982,7 +990,7 @@ rule_php5_fpm_configure () { sudo install -m 664 -o php5 -g php5 \ "$tool"/etc/php5/fpm/php.ini \ /etc/php5/fpm/php.ini - case $(sv status php5-"$pool") in + case $(sudo sv status php5-"$pool") in (run:*) sudo sv restart php5-"$pool" esac done @@ -1120,9 +1128,9 @@ rule_runit_configure () { local sv_hash=$(printf %s "$sv" | sha1sum | cut -f 1 -d ' ') local sv_status IFS= read -r sv_status_$sv_hash <<-EOF - $(sv status "$sv") + $(sudo sv status "$sv") EOF - rm -f /etc/service/"$sv" + sudo rm -f /etc/service/"$sv" done for sv in ${1-"$tool"/etc/sv/*} # NOTE: configure et (re-)démarre les services @@ -1141,13 +1149,13 @@ rule_runit_configure () { "$tool"/etc/sv/"$sv"/log/run \ /etc/sv/"$sv"/log/run fi - test ! -x "$tool"/etc/sv/"$sv"/configure || - "$tool"/etc/sv/"$sv"/configure - ln -fns ../sv/"$sv" /etc/service/"$sv" + test ! -r "$tool"/etc/sv/"$sv"/configure.sh || + . "$tool"/etc/sv/"$sv"/configure.sh + sudo ln -fns ../sv/"$sv" /etc/service/"$sv" eval local sv_status=\"\${sv_status_$sv_hash-}\" case $sv_status in - ("") sv start "$sv";; - (run:*) sv restart "$sv";; + ("") true;; + (run:*) sudo sv restart "$sv";; esac done } @@ -1163,43 +1171,59 @@ rule_ssh_configure () { /etc/ssh/ssh_host_ecdsa_key \ /etc/ssh/ssh_host_ecdsa_key.pub # NOTE: clefs générées par Debian - sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF - Port 22 - ListenAddress $vm_ipv4 - #ListenAddress :: - Protocol 2 + sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF + AcceptEnv LANG LC_* + AuthorizedKeysFile %h/etc/ssh/authorized_keys + ChallengeResponseAuthentication no + ClientAliveInterval 0 Compression yes + DebianBanner no + GSSAPIAuthentication no HostKey /etc/ssh/ssh_host_rsa_key - UsePrivilegeSeparation yes + HostbasedAuthentication no + IgnoreRhosts yes + IgnoreUserKnownHosts no + KerberosAuthentication no KeyRegenerationInterval 3600 - ServerKeyBits 768 - SyslogFacility AUTH + Port 22 + ListenAddress 127.0.0.1 + ListenAddress $vm_ipv4 LogLevel INFO LoginGraceTime 120 + PasswordAuthentication no + PermitEmptyPasswords no PermitRootLogin yes - StrictModes yes - RSAAuthentication yes + PrintLastLog yes + PrintMotd no + Protocol 2 PubkeyAuthentication yes - AuthorizedKeysFile %h/etc/ssh/authorized_keys - IgnoreRhosts yes + RSAAuthentication yes RhostsRSAAuthentication no - HostbasedAuthentication no - IgnoreUserKnownHosts no - PermitEmptyPasswords no - ChallengeResponseAuthentication no - PasswordAuthentication no - KerberosAuthentication no - GSSAPIAuthentication no - X11Forwarding no - X11DisplayOffset 10 - PrintMotd no - DebianBanner no - PrintLastLog yes - TCPKeepAlive yes - ClientAliveInterval 0 - AcceptEnv LANG LC_* + ServerKeyBits 768 + StrictModes yes Subsystem sftp /usr/lib/openssh/sftp-server + SyslogFacility AUTH + TCPKeepAlive yes UsePAM yes + UsePrivilegeSeparation yes + X11DisplayOffset 10 + X11Forwarding no + EOF + sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/ssh_config <<-EOF + Host * + #Compression yes + #CompressionLevel 9 + #ControlMaster auto + #ControlPath ~/var/run/ssh/sock/%h-%p-%r + GSSAPIAuthentication no + GSSAPIDelegateCredentials no + HashKnownHosts yes + IdentityFile ~/etc/ssh/id_dsa + IdentityFile ~/etc/ssh/id_rsa + IdentityFile ~/etc/ssh/identity + SendEnv LANG LC_* + StrictHostKeyChecking ask + UserKnownHostsFile ~/etc/ssh/known_hosts EOF sudo service ssh restart } @@ -1261,6 +1285,7 @@ rule_user_add () { # SYNTAX: $user done } rule_user_configure () { + rule apt_get_install bash-completion sudo install -m 660 -o root -g root /dev/stdin \ /etc/adduser.conf <<-EOF ADD_EXTRA_GROUPS=1 @@ -1278,7 +1303,7 @@ rule_user_configure () { LAST_SYSTEM_UID=999 LAST_UID=29999 LETTERHOMES=no - NAME_REGEX="^[a-z][-a-z0-9_.]*\$" + NAME_REGEX="^[a-z][-a-z0-9_]*\$" QUOTAUSER="" # TODO: init SETGID_HOME=no SKEL=/etc/skel @@ -1305,7 +1330,7 @@ rule_user_configure () { ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac EOF sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF - %sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean + %sudo ALL=(ALL) NOPASSWD: /usr/bin/etckeeper unclean EOF sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/env_keep <<-EOF Defaults env_keep = " \\ @@ -1361,7 +1386,7 @@ rule_user_root_configure () { $users EOF do eval local home\; home="~$user" - cat "$home"/etc/ssh/authorized_keys + sudo cat "$home"/etc/ssh/authorized_keys done done | sudo install -m 640 -o root -g root /dev/stdin /root/etc/ssh/authorized_keys @@ -1385,11 +1410,11 @@ rule_configure () { rule sysctl_configure rule user_configure rule mail_configure + rule gitolite_configure rule www_configure rule php5_fpm_configure rule nginx_configure #rule apache2_configure - rule gitolite_configure rule runit_configure }