X-Git-Url: https://git.cyclocoop.org/?p=lhc%2Fateliers.git;a=blobdiff_plain;f=vm_hosted;h=4cf4b9d14c113463ad1c6fac846fa05870a890ca;hp=9ebfa139dc5f66e53872e9deebb2c215a1c86579;hb=22f04b9fac14adc3d3fc98273ba126c3a51792c3;hpb=1cd496173068e492ae2d0d8b77872faa0b5f806a diff --git a/vm_hosted b/vm_hosted index 9ebfa13..4cf4b9d 100755 --- a/vm_hosted +++ b/vm_hosted @@ -34,7 +34,7 @@ rule_git_configure () { git config --replace branch.master.merge refs/remotes/master local tool tool=$(cd "$tool"; cd -) - sudo install -m 770 /dev/stdin .git/hooks/post-update <<-EOF + install -m 770 /dev/stdin .git/hooks/post-update <<-EOF #!/bin/sh -efux case \$1 in (refs/remotes/master) @@ -60,10 +60,16 @@ rule_adduser () { sudo adduser "$@" "$user" } rule_apt_get_install () { # SYNTAX: $package - sudo DEBIAN_FRONTEND=noninteractive apt-get install --yes "$@" + sudo \ + DEBIAN_FRONTEND=noninteractive \ + DEBIAN_PRIORITY=low \ + apt-get install --yes "$@" } rule_dpkg_reconfigure () { # SYNTAX: $package - sudo DEBIAN_FRONTEND=noninteractive dpkg-reconfigure "$@" + sudo \ + DEBIAN_FRONTEND=noninteractive \ + DEBIAN_PRIORITY=low \ + dpkg-reconfigure "$@" } rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ? @@ -242,13 +248,16 @@ rule_apache2_configure () { # XXX: cette règle n'est pas testée/mise-à-jour sudo service apache2 restart } rule_apt_configure () { - sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF + sudo install -m 664 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF deb http://ftp.rezopole.net/debian $vm_lsb_name main EOF - sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/$vm_lsb_name-backports.list <<-EOF + sudo install -m 664 -o root -g root /dev/stdin /etc/apt/sources.list.d/$vm_lsb_name-backports.list <<-EOF deb http://ftp.rezopole.net/debian $vm_lsb_name-backports main EOF - sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF + sudo install -m 664 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF + deb http://nightly.openerp.com/7.0/nightly/deb/ ./ + EOF + sudo install -m 664 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF Package: * Pin: release a=$vm_lsb_name Pin-Priority: 200 @@ -259,21 +268,11 @@ rule_apt_configure () { EOF sudo apt-get update rule apt_get_install apticron - sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF - EMAIL="admin@$vm_domainname" - # DIFF_ONLY="1" - # LISTCHANGES_PROFILE="apticron" - # ALL_FQDNS="1" - # SYSTEM="foobar.example.com" - # IPADDRESSNUM="1" - # IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1" - # NOTIFY_HOLDS="0" - # NOTIFY_NEW="0" - # NOTIFY_NO_UPDATES="0" - # CUSTOM_SUBJECT="" - # CUSTOM_NO_UPDATES_SUBJECT="" - # CUSTOM_FROM="root@$vm_fqdn" - EOF + m4 \ + --define=VM_DOMAINNAME=$vm_domainname \ + <"$tool"/etc/apticron/apticron.conf.m4 | + sudo install -m 644 -o root -g root /dev/stdin \ + /etc/apticron/apticron.conf } rule_boot_configure () { #warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !" @@ -306,86 +305,38 @@ rule_boot_configure () { # et davantage sécurisant. EOF } -rule_dovecot_configure () { - rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve - local hint="run vm_remote dovecot_key_send before" - assert "sudo test -f /etc/dovecot/\"$vm_domainname\"/imap/x509/key.pem" hint - sudo install -m 400 -o root -g root \ - "$tool"/var/pub/x509/imap."$vm_domainname"/crt+crl.self-signed.pem \ - /etc/dovecot/"$vm_domainname"/imap/x509/crt+crl.self-signed.pem - sudo install -d -m 770 -o root -g root \ - /etc/skel/etc/mail \ - /etc/skel/etc/sieve - sudo install -d -m 1777 -o root -g root \ - /var/lib/dovecot-control \ - /var/lib/dovecot-index - sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF - auth_ssl_username_from_cert = yes - listen = * - log_timestamp = "%Y-%m-%d %H:%M:%S " - mail_debug = yes - mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u - # NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc - # VOIR: http://wiki2.dovecot.org/Quota/FS - mail_plugins = \$mail_plugins quota - mail_privileged_group = mail - passdb { - args = /home/%u/etc/dovecot/passwd - driver = passwd-file - } - plugin { - quota = fs:user - recipient_delimiter = + - sieve = ~/etc/mail/filter.sieve - sieve_dir = ~/etc/mail/sieve - sieve_global_dir = /var/lib/dovecot/sieve/global/ - sieve_max_script_size = 1M - sieve_quota_max_scripts = 0 - sieve_quota_max_storage = 10M - sieve_user_log = ~/var/log/mail/sieve.log - } - protocol imap { - mail_plugins = \$mail_plugins imap_quota - } - protocol lda { - auth_socket_path = /var/run/dovecot/auth-master - hostname = $vm_domainname - info_log_path = - log_path = - mail_plugins = \$mail_plugins sieve - postmaster_address = contact+dovecot+lda@$vm_domainname - syslog_facility = mail - } - protocols = imap sieve - service auth { - user = root - unix_listener /var/spool/postfix/private/auth { - mode = 0660 - user = postfix - group = postfix - } - } - ssl_ca = - LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0 - proc /proc proc defaults 0 0 - sysfs /sys sysfs defaults 0 0 - /dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1 - /dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1 - /dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0 - # NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers. - /dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0 - EOF - sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF - # - ${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg - ${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived - ${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived - ${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived - EOF + m4 \ + --define=VM_LVM_LV=$vm_lvm_lv \ + --define=VM_LVM_VG=$vm_lvm_vg \ + <"$tool"/etc/fstab.m4 | + sudo install -m 644 -o root -g root /dev/stdin \ + /etc/fstab + m4 \ + --define=VM_LVM_LV=$vm_lvm_lv \ + --define=VM_LVM_VG=$vm_lvm_vg \ + <"$tool"/etc/crypttab.m4 | + sudo install -m 644 -o root -g root /dev/stdin \ + /etc/crypttab rule tmpfs_configure } rule_initramfs_configure () { @@ -470,10 +415,11 @@ rule_initramfs_configure () { $users EOF do eval local home\; home="~$user" - cat "$home"/etc/ssh/authorized_keys + sudo cat "$home"/etc/ssh/authorized_keys done done | - sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys + sudo install -m 644 -o root -g root /dev/stdin \ + /etc/initramfs-tools/root/.ssh/authorized_keys sudo rm -f \ /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \ /etc/initramfs-tools/root/.ssh/id_rsa.pub \ @@ -481,6 +427,14 @@ rule_initramfs_configure () { # NOTE: clefs générées par Debian sudo update-initramfs -u } +rule_insserv_remove () { # SYNTAX: $sv + local sv="$1" + #sudo chmod u+x /etc/init.d/"$sv" + sudo insserv --force --remove "$sv" + sudo test ! -x /etc/init.d/"$sv" || + sudo /etc/init.d/"$sv" stop + sudo chmod ugo-x /etc/init.d/"$sv" + } rule_gitolite_configure () { sudo debconf-set-selections <<-EOF gitolite gitolite/gituser string git @@ -510,7 +464,7 @@ rule_gitolite_configure () { --shell /bin/false \ --system sudo adduser git git-data - sudo install -d -m 770 -o git -g git \ + sudo install -d -m 750 -o git -g git \ /etc/gitolite \ /home/git/etc \ /home/git/etc/ssh @@ -545,7 +499,7 @@ rule_gitolite_configure () { \$GL_CONF = "\$GL_ADMINDIR/conf/gitolite.conf"; \$GL_CONF_COMPILED = "\$GL_ADMINDIR/conf/gitolite.conf.pm"; #\$GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups" - \$GL_GITCONFIG_KEYS = "hooks\\..* repo\\..*"; + \$GL_GITCONFIG_KEYS = "gitweb\\..* hooks\\..*"; #\$GL_HOSTNAME = "git.$vm_domainname"; # NOTE: read doc/mirroring.mkd COMPLETELY before setting this. #\$GL_HTTP_ANON_USER = "mob"; @@ -565,7 +519,7 @@ rule_gitolite_configure () { #\$GL_WILDREPOS_DEFPERMS = 'R @all'; \$GL_WILDREPOS_PERM_CATS = "READERS WRITERS"; \$HTPASSWD_FILE = ""; - \$PROJECTS_LIST = \$ENV{HOME} . "/projects.list"; + \$PROJECTS_LIST = \$ENV{HOME} . "/etc/gitweb/projects.list"; \$REPO_BASE = "pub"; \$REPO_UMASK = 0007; \$RSYNC_BASE = ""; @@ -586,7 +540,6 @@ rule_gitolite_configure () { do test ! -d /home/git/etc/gitolite/"$d" || rmdir /home/git/etc/gitolite/"$d" done - sudo service tmpfs restart } rule_locales_configure () { sudo debconf-set-selections <<-EOF @@ -596,90 +549,12 @@ rule_locales_configure () { rule dpkg_reconfigure locales } rule_login_configure () { - sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF - # /etc/inittab: init(8) configuration. - - # The default runlevel. - id:2:initdefault: - - # Boot-time system configuration/initialization script. - # This is run first except when booting in emergency (-b) mode. - si::sysinit:/etc/init.d/rcS - - # What to do in single-user mode. - ~~:S:wait:/sbin/sulogin - - # /etc/init.d executes the S and K scripts upon change - # of runlevel. - # - # Runlevel 0 is halt. - # Runlevel 1 is single-user. - # Runlevels 2-5 are multi-user. - # Runlevel 6 is reboot. - - l0:0:wait:/etc/init.d/rc 0 - l1:1:wait:/etc/init.d/rc 1 - l2:2:wait:/etc/init.d/rc 2 - l3:3:wait:/etc/init.d/rc 3 - l4:4:wait:/etc/init.d/rc 4 - l5:5:wait:/etc/init.d/rc 5 - l6:6:wait:/etc/init.d/rc 6 - # Normally not reached, but fallthrough in case of emergency. - z6:6:respawn:/sbin/sulogin - - # What to do when CTRL-ALT-DEL is pressed. - ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now - - # What to do when the power fails/returns. - pf::powerwait:/etc/init.d/powerfail start - pn::powerfailnow:/etc/init.d/powerfail now - po::powerokwait:/etc/init.d/powerfail stop - - # Xen hypervisor console - hvc:2345:respawn:/sbin/getty 38400 hvc0 - #xvc:2345:respawn:/sbin/getty 38400 xvc0 - - #-- runit begin - SV:123456:respawn:/usr/sbin/runsvdir-start - #-- runit end - EOF - sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF - MAIL_DIR /var/mail - FAILLOG_ENAB yes - LOG_UNKFAIL_ENAB no - LOG_OK_LOGINS no - SYSLOG_SU_ENAB yes - SYSLOG_SG_ENAB yes - FTMP_FILE /var/log/btmp - SU_NAME su - HUSHLOGIN_FILE .hushlogin - ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin - ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin - # NOTE: met les sbin/ dans ENV_PATH ; - # - ça n'apporte aucune protection de ne pas les mettre ; - # - ça frustre de ne pas les trouver. - TTYGROUP tty - TTYPERM 0600 - ERASECHAR 0177 - KILLCHAR 025 - UMASK 007 - # NOTE: rwxrwx--- ; - # - donne une même confiance au groupe propriétaire qu'au propriétaire ; - # - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire. - PASS_MAX_DAYS 99999 - PASS_MIN_DAYS 0 - PASS_WARN_AGE 7 - UID_MIN 1000 - UID_MAX 60000 - GID_MIN 1000 - GID_MAX 60000 - LOGIN_RETRIES 3 - LOGIN_TIMEOUT 60 - CHFN_RESTRICT rwh - DEFAULT_HOME yes - USERGROUPS_ENAB yes - ENCRYPT_METHOD SHA512 - EOF + sudo install -m 644 -o root -g root \ + "$tool"/etc/inittab \ + /etc/inittab + sudo install -m 644 -o root -g root \ + "$tool"/etc/login.defs \ + /etc/login.defs grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session || sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF $(cat /etc/pam.d/common-session) @@ -696,48 +571,6 @@ rule_login_configure () { xvc0 EOF } -rule_mail_configure () { - rule postfix_configure - rule postgrey_configure - rule procmail_configure - rule dovecot_configure - } -rule_mysql_configure () { - rule apt_get_install mysql-server-5.5 - rule adduser mysql \ - --disabled-login \ - --disabled-password \ - --group \ - --home /home/mysql \ - --shell /bin/false \ - --system - rule adduser mysql-data \ - --disabled-login \ - --disabled-password \ - --group \ - --home /home/mysql/data \ - --shell /bin/false \ - --system - sudo usermod --home /home/mysql mysql - sudo adduser mysql mysql-data - sudo install -m 640 -o mysql -g mysql \ - "$tool"/etc/mysql/my.cnf \ - /etc/mysql/my.cnf - sudo install -d -m 751 -o mysql -g mysql \ - /home/mysql - sudo install -d -m 750 -o mysql-data -g mysql-data \ - /home/mysql/data - if test ! -d /home/mysql/data - then - sudo -u mysql mysql_install_db \ - --no-defaults \ - --datadir=/home/mysql/data - fi - sudo service tmpfs restart - case $(sudo sv status mysql || true) in - (run:*) sudo sv restart mysql - esac - } rule_network_configure () { sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF $vm @@ -747,484 +580,144 @@ rule_network_configure () { $(cat /etc/hosts) 127.0.0.1 $vm_fqdn $vm EOF - sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF - auto lo - iface lo inet loopback - - auto eth0=grenode - iface grenode inet static - address $vm_ipv4 - gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse - network $vm_ipv4 - broadcast $vm_ipv4 - netmask 255.255.255.255 - mtu 1300 - # NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode - # car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose. - # - # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net - # PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data. - # 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms - # - # --- soupirail.grenode.net ping statistics --- - # 1 packets transmitted, 1 received, 0% packet loss, time 0ms - # rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms - # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net - # PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data. - # From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300) - # - # --- soupirail.grenode.net ping statistics --- - # 0 packets transmitted, 0 received, +1 errors - post-up ip address add $vm_ipv4/32 dev \$IFACE - pre-down ip address delete $vm_ipv4/32 dev \$IFACE + sudo install -m 644 -o root -g root /dev/stdin /etc/resolv.conf <<-EOF + search ${vm_host#*.} + nameserver ${vm_host_nameserver} EOF + m4 \ + --define=VM_IPV4=$vm_ipv4 \ + <"$tool"/etc/network/interfaces.m4 | + sudo install -m 640 -o root -g root /dev/stdin \ + /etc/network/interfaces } -rule_www_configure () { - rule adduser www \ - --disabled-login \ - --disabled-password \ - --group \ - --home /home/www \ - --shell /bin/false \ - --system - rule adduser log-www \ - --disabled-login \ - --disabled-password \ - --group \ - --home /home/www/log \ - --shell /bin/false \ - --system - #sudo adduser www www-data - sudo adduser www log-www - #sudo adduser log log-www - usermod --home /home/www/pub www-data - sudo install -d -m 751 -o www -g www \ - /home/www - sudo install -d -m 750 -o www -g www \ - /home/www/etc - sudo install -d -m 1771 -o www-data -g www-data \ - /home/www/pub - sudo install -d -m 1771 -o log-www -g log-www \ - /home/www/log +rule_runit_configure () { # SYNTAX: $sv [...] -- $configure_options + rule apt_get_install runit + if test $# = 0 + then + set +x + sudo sv status \ + $(sudo find /etc/sv \ + -mindepth 1 -maxdepth 1 -type d \ + -printf '%p\n' | sort) + else + local services= + while [ $# -gt 0 ] + do case $1 in + (--) shift; break;; + (*) services="$services $1"; shift;; + esac + done + #for sv in $(sudo find /etc/sv \ + # -mindepth 1 -maxdepth 1 -type d \ + # -false $(printf -- '-or -name %s\n' $services) \ + # -printf '%f\n') + # do + # case $(sudo sv stop "$sv" | tee /dev/stderr) in + # (*": runsv not running") true;; + # (*": unable to open supervise/ok: file does not exist") true;; + # ("ok: down:"*) true;; + # (*) false;; + # esac + # done + for sv in $(find "$tool"/etc/sv \ + -mindepth 1 -maxdepth 1 -type d \ + -false $(printf -- '-or -name %s\n' $services) \ + -printf '%f\n') + do + rule _runit_sv_configure "$sv" "$@" + rule _runit_sv_start "$sv" + done + #sleep 3 + #sudo find -L /etc/service -type l -delete + fi } -rule_nginx_configure () { - local -; set +f - rule apt_get_install nginx - sudo rm -rf \ - /etc/nginx/conf.d \ - /etc/nginx/site.d - sudo install -d -m 770 -o www -g www \ - /etc/nginx \ - /etc/nginx/conf.d \ - /etc/nginx/site.d \ - /etc/nginx/x509.d +rule__runit_sv_configure () { # SYNTAX: $sv $configure_options + local sv="$1"; shift + sudo install -d -m 770 -o root -g root \ + /etc/sv/"$sv" + sudo install -m 770 -o root -g root \ + "$tool"/etc/sv/"$sv"/run \ + /etc/sv/"$sv"/run + if test -e "$tool"/etc/sv/"$sv"/log/run + then + sudo install -d -m 770 -o root -g root \ + /etc/sv/"$sv"/log + sudo install -m 770 -o root -g root \ + "$tool"/etc/sv/"$sv"/log/run \ + /etc/sv/"$sv"/log/run + fi + ( + test ! -r "$tool"/etc/sv/"$sv"/configure.sh || + . "$tool"/etc/sv/"$sv"/configure.sh || return 1 + ) + ( + test ! -r "$tool"/etc/sv/"$sv"/log/configure.sh || + . "$tool"/etc/sv/"$sv"/log/configure.sh || return 1 + ) sudo ln -fns \ - /etc/nginx \ - /home/www/etc/nginx - sudo install -m 660 -o www -g www \ - "$tool"/etc/nginx/nginx.conf \ - /etc/nginx/nginx.conf - local conf - for conf in "$tool"/etc/nginx/conf.d/*.conf - do conf=${conf#"$tool"/etc/nginx/conf.d/} - sudo install -m 660 -o www -g www \ - "$tool"/etc/nginx/conf.d/"$conf" \ - /etc/nginx/conf.d/"$conf" - done - for conf in "$tool"/etc/nginx/site.d/*/site.conf - do conf=${conf#"$tool"/etc/nginx/site.d/} - local site="${conf%/site.conf}" - rule adduser www-"$site" \ - --disabled-login \ - --disabled-password \ - --group \ - --home /home/www/pub/"$site" \ - --shell /bin/false \ - --system - rule adduser log-www-"$site" \ - --disabled-login \ - --disabled-password \ - --group \ - --home /home/www/log/"$site"/nginx \ - --shell /bin/false \ - --system - sudo install -d -m 771 -o log-www -g log-www \ - /home/www/log/"$site" - sudo install -d -m 770 -o www -g www \ - /etc/nginx/site.d/"$site" - sudo install -d -m 770 -o www -g www \ - /etc/nginx/x509.d/"$site" - test -L /home/www/pub/"$site" || - sudo install -d -m 2770 -o www-"$site" -g www-"$site" \ - /home/www/pub/"$site" - sudo adduser www-data www-"$site" - sudo adduser www-data log-www-"$site" - sudo install -m 660 -o www -g www \ - "$tool"/etc/nginx/site.d/"$site"/local.conf \ - /etc/nginx/site.d/"$site"/local.inc - sudo install -m 660 -o www -g www \ - "$tool"/etc/nginx/site.d/"$site"/site.conf \ - /etc/nginx/site.d/"$site"/site.inc - sudo install -m 660 -o www -g www /dev/stdin \ - /etc/nginx/site.d/"$site"/server.conf <<-EOF - server { - access_log /home/www/log/$site/nginx/access.log main; - error_log /home/www/log/$site/nginx/error.log warn; - root /home/www/pub/$site; - include /etc/nginx/site.d/$site/local.inc; - include /etc/nginx/site.d/$site/site.inc; - } - EOF - test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh || - . "$tool"/etc/nginx/site.d/"$site"/configure.sh + ../sv/"$sv" \ + /etc/service/"$sv" + } +rule__runit_sv_restart () { # SYNTAX: $sv + local sv="$1" + while true + do case $(sudo sv restart "$sv" | tee /dev/stderr) in + (*": runsv not running") sleep 1;; + (*": unable to open supervise/ok: file does not exist") sleep 1;; + (*) break;; + esac done - rule apt_get_install spawn-fcgi fcgiwrap - sudo insserv --remove fcgiwrap - #sudo insserv --remove nginx - rule tmpfs_configure - sudo service php5-fpm restart - # NOTE: relance les processus du pool - # pour leur donner les droits - # de leurs groupes supplémentaires. - sudo service nginx restart } -rule_php5_fpm_configure () { - local -; set +f - rule apt_get_install \ - php5-fpm \ - php-apc - rule adduser php5 \ - --disabled-login \ - --disabled-password \ - --group \ - --home /etc/php5/fpm \ - --shell /bin/false \ - --system - rule adduser log-php5 \ - --disabled-login \ - --disabled-password \ - --group \ - --home /home/www/log/php5/fpm \ - --shell /bin/false \ - --system - sudo ln -fns \ - /etc/php5/fpm \ - /home/www/etc/php5 - sudo rm -rf \ - /etc/php5/fpm/conf.d \ - /etc/php5/fpm/pool.d - sudo install -d -m 770 -o php5 -g php5 \ - /etc/php5/fpm/conf.d \ - /etc/php5/fpm/pool.d - sudo install -m 770 -o php5 -g php5 \ - "$tool"/etc/php5/fpm/php-fpm.conf \ - /etc/php5/fpm/php-fpm.conf - local conf - #for conf in "$tool"/etc/php5/fpm/conf.d/*.conf - # do conf=${conf#"$tool"/etc/php5/fpm/conf.d/} - # sudo install -m 660 -o php5 -g php5 \ - # "$tool"/etc/php5/fpm/conf.d/"$conf" \ - # /etc/php5/fpm/conf.d/"$conf" - # done - for conf in "$tool"/etc/php5/fpm/pool.d/*.conf - do conf=${conf#"$tool"/etc/php5/fpm/pool.d/} - IFS=. read -r pool <<-EOF - ${conf%.conf} - EOF - assert 'test "${pool:+set}"' - rule adduser php5-"$pool" \ - --disabled-login \ - --disabled-password \ - --group \ - --no-create-home \ - --home /etc/php5/fpm/pool.d \ - --shell /bin/false \ - --system - rule adduser log-php5-"$pool" \ - --disabled-login \ - --disabled-password \ - --group \ - --no-create-home \ - --home /home/www/log/php5/fpm/"$pool" \ - --shell /bin/false \ - --system - sudo install -d -m 770 -o log-php5 -g log-php5 \ - /home/www/log/php5 \ - /home/www/log/php5/fpm - sudo install -d -m 770 -o log-php5-"$pool" -g log-php5-"$pool" \ - /home/www/log/php5/fpm/"$pool" - sudo install -m 660 -o php5 -g php5 /dev/stdin \ - /etc/php5/fpm/pool.d/"$pool".conf <<-EOF - [$pool] - access.log = /home/www/log/php5/fpm/$pool/access.log - catch_workers_output = yes - chdir = / - env[HOSTNAME] = \$HOSTNAME - env[TEMP] = /tmp - env[TMPDIR] = /tmp - env[TMP] = /tmp - group = php5-$pool - #listen = 127.0.0.1:9000 - listen = /run/php5/fpm/$pool - #listen.allowed_clients = 127.0.0.1 - listen.group = www-data - listen.mode = 0660 - #listen.owner = www-data - listen.backlog = -1 - pm = dynamic - pm.max_children = 5 - pm.max_requests = 200 - pm.max_spare_servers = 4 - pm.min_spare_servers = 2 - pm.start_servers = 3 - pm.status_path = /status - request_slowlog_timeout = 5s - request_terminate_timeout = 120s - rlimit_core = unlimited - rlimit_files = 131072 - slowlog = /home/www/log/php5/fpm/$pool/slow.log - user = php5-$pool - $(cat "$tool"/etc/php5/fpm/pool.d/"$conf") - EOF - sudo install -m 664 -o php5 -g php5 \ - "$tool"/etc/php5/fpm/php.ini \ - /etc/php5/fpm/php.ini - case $(sudo sv status php5-"$pool") in - (run:*) sudo sv restart php5-"$pool" +rule__runit_sv_start () { # SYNTAX: $sv + local sv="$1" + while true + do case $(sudo sv start "$sv" | tee /dev/stderr) in + (*": runsv not running") sleep 1;; + (*": unable to open supervise/ok: file does not exist") sleep 1;; + (*) break;; esac done - rule tmpfs_configure - sudo service php5-fpm restart - } -rule_postfix_configure () { - local hint="run vm_remote postfix_key_send before" - assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint - #warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix" - sudo debconf-set-selections <<-EOF - postfix postfix/main_mailer_type select No configuration - EOF - rule apt_get_install postfix - sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF - *.db - EOF - sudo install -d -m 771 -o root -g root \ - /etc/postfix/ \ - /etc/postfix/$vm_domainname/ \ - /etc/postfix/$vm_domainname/smtp \ - /etc/postfix/$vm_domainname/smtp/x509 \ - /etc/postfix/$vm_domainname/smtp/x509/ca \ - /etc/postfix/$vm_domainname/smtpd \ - /etc/postfix/$vm_domainname/smtpd/x509 \ - /etc/postfix/$vm_domainname/smtpd/x509/ca - sudo ln -fns \ - ../crt+crl.self-signed.pem \ - /etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem - sudo install -m 400 -o root -g root \ - "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \ - /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem - sudo install -m 400 -o root -g root \ - "$tool"/var/pub/x509/smtpd.$vm_domainname/crt.pem \ - /etc/postfix/$vm_domainname/smtpd/x509/crt.pem - sudo install -m 400 -o root -g root \ - "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+ca.pem \ - /etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem - sudo install -m 400 -o root -g root \ - "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \ - /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem - sudo install -m 660 -o root -g root \ - "$tool"/etc/postfix/$vm_domainname/header_checks \ - /etc/postfix/$vm_domainname/header_checks - sudo install -m 664 -o root -g root /dev/stdin \ - /etc/postfix/aliases <<-EOF - # See man 5 aliases for format - abuse: root - admin: root - contact: root - mailer-daemon: root - postmaster: root - root: $(getent group sudo | cut -f 4 -d : | tr , ' ') - EOF - sudo newaliases -oA/etc/postfix/aliases - cat /dev/stdin "$tool"/etc/postfix/main.cf <<-EOF | - mydomain = $vm_domainname - myorigin = \$mydomain - myhostname = $vm_hostname.\$mydomain - mail_name = \$myhostname - mydestination = $vm_hostname \$myhostname \$myorigin - EOF - sudo install -m 664 -o root -g root /dev/stdin \ - /etc/postfix/main.cf - sudo install -m 664 -o root -g root \ - "$tool"/etc/postfix/master.cf \ - /etc/postfix/master.cf - sudo install -m 660 -o root -g root \ - "$tool"/etc/postfix/$vm_domainname/smtp/x509/policy \ - /etc/postfix/$vm_domainname/smtp/x509/policy - sudo postmap hash:/etc/postfix/$vm_domainname/smtp/x509/policy - sudo install -m 660 -o root -g root \ - "$tool"/etc/postfix/$vm_domainname/smtp/header_checks \ - /etc/postfix/$vm_domainname/smtp/header_checks - sudo install -m 660 -o root -g root \ - "$tool"/etc/postfix/$vm_domainname/smtpd/sender_access \ - /etc/postfix/$vm_domainname/smtpd/sender_access - sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/sender_access - sudo install -m 660 -o root -g root \ - "$tool"/etc/postfix/$vm_domainname/smtpd/client_blacklist \ - /etc/postfix/$vm_domainname/smtpd/client_blacklist - sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/client_blacklist - sudo install -m 660 -o root -g root \ - "$tool"/etc/postfix/$vm_domainname/smtpd/relay_clientcerts \ - /etc/postfix/$vm_domainname/smtpd/relay_clientcerts - sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/relay_clientcerts - sudo install -m 660 -o root -g root \ - "$tool"/etc/postfix/$vm_domainname/transport \ - /etc/postfix/$vm_domainname/transport - sudo postmap hash:/etc/postfix/$vm_domainname/transport - sudo install -m 660 -o root -g root \ - "$tool"/etc/postfix/$vm_domainname/virtual_alias \ - /etc/postfix/$vm_domainname/virtual_alias - sudo postmap hash:/etc/postfix/$vm_domainname/virtual_alias - sudo service postfix restart - } -rule_postgresql_configure () { - rule apt_get_install postgresql-9.1 - if [ ! -d /var/lib/postgresql/9.1/ ]; then - pg_createcluster -u postgres --start 9.1 main - fi - sudo install -m 660 -o root -g root \ - "$tool"/etc/postgresql/9.1/main/postgresql.conf \ - /etc/postgresql/9.1/main/postgresql.conf - sudo service postgresql restart } -rule_openerp_configure () { - sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF - deb http://nightly.openerp.com/trunk/nightly/deb/ ./ - EOF - sudo apt-get update - rule apt_get_install openerp - } -rule_postgrey_configure () { - rule apt_get_install postgrey - sudo service postgrey restart - } -rule_procmail_configure () { - rule apt_get_install procmail - sudo install -d -m 770 -o root -g root \ - /etc/skel/etc/mail \ - /etc/skel/var/cache/mail \ - /etc/skel/var/log/mail \ - /etc/skel/var/mail - sudo install -m 660 -o root -g root \ - "$tool"/etc/skel/etc/mail/delivery.procmailrc \ - /etc/skel/etc/mail/delivery.procmailrc - } -rule_runit_configure () { - rule apt_get_install runit +rule_shorewall_configure () { + # DOC: http://shorewall.net/Introduction.html local -; set +f - for sv in ${1-/etc/service/*} - # NOTE: stoppe les services en retenant leur status de départ - do sv=$(basename "$sv") - local sv_hash=$(printf %s "$sv" | sha1sum | cut -f 1 -d ' ') - local sv_status - IFS= read -r sv_status_$sv_hash <<-EOF - $(sudo sv status "$sv") - EOF - rm -f /etc/service/"$sv" + rule apt_get_install shorewall + sudo install -m 644 -o root -g root /dev/stdin \ + /etc/default/shorewall <<-EOF + INITLOG=/dev/null + OPTIONS="" + RESTARTOPTIONS="" + SAFESTOP=0 + STARTOPTIONS="" + startup=1 + EOF + local conf + for conf in "$tool"/etc/shorewall/* + do conf=${conf#"$tool"/etc/shorewall/} + sudo test ! -f "$tool"/etc/shorewall/"$conf" || + sudo install -m 640 -o root -g root \ + "$tool"/etc/shorewall/"$conf" \ + /etc/shorewall/"$conf" done - for sv in ${1-"$tool"/etc/sv/*} - # NOTE: configure et (re-)démarre les services - do sv=$(basename "$sv") - local sv_hash=$(printf %s "$sv" | sha1sum | cut -f 1 -d ' ') - sudo install -d -m 770 -o root -g root \ - /etc/sv/"$sv" - sudo install -m 770 -o root -g root \ - "$tool"/etc/sv/"$sv"/run \ - /etc/sv/"$sv"/run - if test -e "$tool"/etc/sv/"$sv"/log/run - then - sudo install -d -m 770 -o root -g root \ - /etc/sv/"$sv"/log - sudo install -m 770 -o root -g root \ - "$tool"/etc/sv/"$sv"/log/run \ - /etc/sv/"$sv"/log/run - fi - test ! -r "$tool"/etc/sv/"$sv"/configure.sh || - . "$tool"/etc/sv/"$sv"/configure.sh - ln -fns ../sv/"$sv" /etc/service/"$sv" - eval local sv_status=\"\${sv_status_$sv_hash-}\" - case $sv_status in - ("") true;; - (run:*) sudo sv restart "$sv";; - esac + sudo install -d -m 750 -o root -g root \ + /etc/shorewall/macro.d + for conf in "$tool"/etc/shorewall/macro.d/* + do conf=${conf#"$tool"/etc/shorewall/macro.d/} + sudo test ! -f "$tool"/etc/shorewall/macro.d/"$conf" || + sudo install -m 640 -o root -g root \ + "$tool"/etc/shorewall/macro.d/"$conf" \ + /etc/shorewall/macro.d/"$conf" done - } -rule_ssh_configure () { - ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts | - ( while IFS= read -r line - do case $line in (*" RSA") return 0; break;; esac - done; return 1 ) || - sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key - sudo rm -f \ - /etc/ssh/ssh_host_dsa_key \ - /etc/ssh/ssh_host_dsa_key.pub \ - /etc/ssh/ssh_host_ecdsa_key \ - /etc/ssh/ssh_host_ecdsa_key.pub - # NOTE: clefs générées par Debian - sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF - AcceptEnv LANG LC_* - AuthorizedKeysFile %h/etc/ssh/authorized_keys - ChallengeResponseAuthentication no - ClientAliveInterval 0 - Compression yes - DebianBanner no - GSSAPIAuthentication no - HostKey /etc/ssh/ssh_host_rsa_key - HostbasedAuthentication no - IgnoreRhosts yes - IgnoreUserKnownHosts no - KerberosAuthentication no - KeyRegenerationInterval 3600 - Port 22 - ListenAddress 127.0.0.1 - ListenAddress $vm_ipv4 - LogLevel INFO - LoginGraceTime 120 - PasswordAuthentication no - PermitEmptyPasswords no - PermitRootLogin yes - PrintLastLog yes - PrintMotd no - Protocol 2 - PubkeyAuthentication yes - RSAAuthentication yes - RhostsRSAAuthentication no - ServerKeyBits 768 - StrictModes yes - Subsystem sftp /usr/lib/openssh/sftp-server - SyslogFacility AUTH - TCPKeepAlive yes - UsePAM yes - UsePrivilegeSeparation yes - X11DisplayOffset 10 - X11Forwarding no - EOF - sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/ssh_config <<-EOF - Host * - #Compression yes - #CompressionLevel 9 - #ControlMaster auto - #ControlPath ~/var/run/ssh/sock/%h-%p-%r - GSSAPIAuthentication no - GSSAPIDelegateCredentials no - HashKnownHosts yes - IdentityFile ~/etc/ssh/id_dsa - IdentityFile ~/etc/ssh/id_rsa - IdentityFile ~/etc/ssh/identity - SendEnv LANG LC_* - StrictHostKeyChecking ask - UserKnownHostsFile ~/etc/ssh/known_hosts - EOF - sudo service ssh restart + sudo install -d -m 750 -o root -g root \ + /etc/shorewall/action.d + #for conf in "$tool"/etc/shorewall/action.d/* + # do conf=${conf#"$tool"/etc/shorewall/action.d/} + # sudo test ! -f "$tool"/etc/shorewall/action.d/"$conf" || + # sudo install -m 640 -o root -g root \ + # "$tool"/etc/shorewall/action.d/"$conf" \ + # /etc/shorewall/action.d/"$conf" + # done + #sudo shorewall safe-restart } rule_sysctl_configure () { local -; set +f @@ -1234,6 +727,11 @@ rule_sysctl_configure () { "$tool"/etc/sysctl.d/"$conf" \ /etc/sysctl.d/"$conf" done + sudo install -m 660 -o root -g root /dev/stdin \ + /etc/sysctl.d/local-kernel-name.conf <<-EOF + kernel.hostname = $vm_hostname + kernel.domainname = $vm_domainname + EOF sudo sysctl --system } rule_tmpfs_configure () { @@ -1251,64 +749,28 @@ rule_tmpfs_configure () { TMP_SIZE=200m TMPFS_SIZE=20%VM EOF - sudo install -m 775 -o root -g root \ - "$tool"/etc/init.d/tmpfs \ - /etc/init.d/tmpfs - sudo update-rc.d tmpfs defaults - sudo service tmpfs restart - } -rule_time_configure () { - sudo install -m 644 -o root -g root /dev/stdin /etc/timezone <<-EOF - Europe/Paris - EOF - sudo debconf-set-selections <<-EOF - tzdata tzdata/Areas select Europe - tzdata tzdata/Zones/Europe select Paris - EOF - rule dpkg_reconfigure tzdata - rule apt_get_install ntp } rule_user_add () { # SYNTAX: $user - rule user_configure - local user=$1 - rule adduser "$user" --disabled-password + local user="$1"; shift + rule adduser "$user" --disabled-password "$@" # NOTE: le mot-de-passe doit être initialisé par l'utilisateur à l'aide de passwd-init . eval local home\; home="~$user" sudo adduser "$user" users - sudo install -m 640 -o root -g root \ + sudo install -m 640 -o "$user" -g "$user" \ "$tool"/var/pub/ssh/"$user".key \ "$home"/etc/ssh/authorized_keys - local key; local -; set +f - for key in "$tool"/var/pub/openpgp/*.key - do sudo -u "$user" gpg --import - <"$key" - done + gpg \ + --homedir "$tool"/var/pub/openpgp/ \ + --no-default-keyring \ + --secret-keyring /dev/null \ + --export | + sudo -u "$user" gpg --import - } rule_user_configure () { - sudo install -m 660 -o root -g root /dev/stdin \ - /etc/adduser.conf <<-EOF - ADD_EXTRA_GROUPS=1 - DHOME=/home - DIR_MODE=0750 - DSHELL=/bin/bash - EXTRA_GROUPS="users" - FIRST_GID=1000 - FIRST_SYSTEM_GID=100 - FIRST_SYSTEM_UID=100 - FIRST_UID=1000 - GROUPHOMES=no - LAST_GID=29999 - LAST_SYSTEM_GID=999 - LAST_SYSTEM_UID=999 - LAST_UID=29999 - LETTERHOMES=no - NAME_REGEX="^[a-z][-a-z0-9_]*\$" - QUOTAUSER="" # TODO: init - SETGID_HOME=no - SKEL=/etc/skel - SKEL_IGNORE_REGEX="dpkg-(old|new|dist|save)" - USERGROUPS=yes - USERS_GID=100 - EOF + rule apt_get_install bash-completion + sudo install -m 660 -o root -g root \ + "$tool"/etc/adduser.conf \ + /etc/adduser.conf sudo install -d -m 750 -o root -g root \ /etc/skel \ /etc/skel/etc \ @@ -1348,9 +810,20 @@ rule_user_configure () { sudo install -m 644 -o root -g root \ "$tool"/etc/bash.bashrc \ /etc/bash.bashrc + sudo install -m 644 -o root -g root \ + "$tool"/etc/inputrc \ + /etc/inputrc sudo install -m 644 -o root -g root \ "$tool"/etc/screenrc \ /etc/screenrc + local sh; local -; set +f + for sh in "$tool"/etc/user.d/*/configure.sh + do sh=${sh#"$tool"/etc/user.d/} + local user="${sh%/configure.sh}" + ( + . "$tool"/etc/user.d/"$sh" || return 1 + ) + done } rule_user_admin_add () { # SYNTAX: $user rule user_configure @@ -1361,10 +834,12 @@ rule_user_admin_add () { # SYNTAX: $user sudo install -m 640 -o root -g root \ "$tool"/var/pub/ssh/"$user".key \ "$home"/etc/ssh/authorized_keys - local key; local -; set +f - for key in "$tool"/var/pub/openpgp/*.key - do sudo -u "$user" gpg --import - <"$key" - done + gpg \ + --homedir "$tool"/var/pub/openpgp/ \ + --no-default-keyring \ + --secret-keyring /dev/null \ + --export | + sudo -u "$user" gpg --import - rule user_admin_configure } rule_user_admin_configure () { @@ -1384,14 +859,45 @@ rule_user_root_configure () { $users EOF do eval local home\; home="~$user" - cat "$home"/etc/ssh/authorized_keys + sudo cat "$home"/etc/ssh/authorized_keys done done | - sudo install -m 640 -o root -g root /dev/stdin /root/etc/ssh/authorized_keys - local key; local -; set +f - for key in "$tool"/var/pub/openpgp/*.key - do sudo gpg --import "$key" - done + sudo install -m 640 -o root -g root /dev/stdin \ + /root/etc/ssh/authorized_keys + gpg \ + --homedir "$tool"/var/pub/openpgp/ \ + --no-default-keyring \ + --secret-keyring /dev/null \ + --export | + sudo gpg --import - + } +rule__www_configure () { + rule adduser www \ + --disabled-login \ + --disabled-password \ + --group \ + --home /home/www \ + --shell /bin/false \ + --system + rule adduser log-www \ + --disabled-login \ + --disabled-password \ + --group \ + --home /home/www/log \ + --shell /bin/false \ + --system + #sudo adduser www www-data + sudo adduser www log-www + #sudo adduser log log-www + usermod --home /home/www/pub www-data + sudo install -d -m 751 -o www -g www \ + /home/www + sudo install -d -m 750 -o www -g www \ + /home/www/etc + sudo install -d -m 1771 -o www-data -g www-data \ + /home/www/pub + sudo install -d -m 1771 -o log-www -g log-www \ + /home/www/log } rule_configure () { rule apt_configure @@ -1407,12 +913,8 @@ rule_configure () { rule boot_configure rule sysctl_configure rule user_configure - rule mail_configure rule gitolite_configure - rule www_configure - rule php5_fpm_configure - rule nginx_configure - #rule apache2_configure + rule shorewall_configure rule runit_configure } @@ -1426,6 +928,7 @@ case $rule in (help);; (*) assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn + cd / ;; esac rule $rule "$@"