X-Git-Url: https://git.cyclocoop.org/?p=lhc%2Fateliers.git;a=blobdiff_plain;f=vm_hosted;h=4cf4b9d14c113463ad1c6fac846fa05870a890ca;hp=a75d9cb45f27e245244d1a47c95d01d53bd150c3;hb=22f04b9fac14adc3d3fc98273ba126c3a51792c3;hpb=de0435e3d96f9205fd7a27809d2004d5737469fa diff --git a/vm_hosted b/vm_hosted index a75d9cb..4cf4b9d 100755 --- a/vm_hosted +++ b/vm_hosted @@ -34,9 +34,7 @@ rule_git_configure () { git config --replace branch.master.merge refs/remotes/master local tool tool=$(cd "$tool"; cd -) - sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/ - sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/vm - sudo install -m 770 /dev/stdin .git/hooks/post-update <<-EOF + install -m 770 /dev/stdin .git/hooks/post-update <<-EOF #!/bin/sh -efux case \$1 in (refs/remotes/master) @@ -62,10 +60,16 @@ rule_adduser () { sudo adduser "$@" "$user" } rule_apt_get_install () { # SYNTAX: $package - sudo DEBIAN_FRONTEND=noninteractive apt-get install "$@" + sudo \ + DEBIAN_FRONTEND=noninteractive \ + DEBIAN_PRIORITY=low \ + apt-get install --yes "$@" } rule_dpkg_reconfigure () { # SYNTAX: $package - sudo DEBIAN_FRONTEND=noninteractive dpkg-reconfigure "$@" + sudo \ + DEBIAN_FRONTEND=noninteractive \ + DEBIAN_PRIORITY=low \ + dpkg-reconfigure "$@" } rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ? @@ -74,7 +78,7 @@ rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ? . /etc/profile } -rule_apache2_configure () { +rule_apache2_configure () { # XXX: cette règle n'est pas testée/mise-à-jour local -; set +f rule apt_get_install \ apache2-mpm-itk \ @@ -90,6 +94,12 @@ rule_apache2_configure () { # cependant l'usage de suexec impose des forks il semble.. # et mod_proxy_fcgi n'apparaît que dans apache 2.4 ; # donc pour l'instant : apache2-mpm-itk + sudo rm -rf \ + /etc/apache2/site.d + sudo install -d -m 770 -o www -g www \ + /etc/apache2 \ + /etc/apache2/site.d \ + /etc/apache2/x509.d cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF | ServerName "$vm_fqdn" EOF @@ -129,23 +139,23 @@ rule_apache2_configure () { sudo install -d -m 770 -o www-"$site" -g www-"$site" \ /etc/apache2 \ /etc/apache2/site.d/"$site" \ - /etc/apache2/site.d/"$site"/x509 \ - /etc/apache2/site.d/"$site"/x509/ca \ - /etc/apache2/site.d/"$site"/x509/empty \ - /etc/apache2/site.d/"$site"/x509/rvk \ - /etc/apache2/site.d/"$site"/x509/usr + /etc/apache2/x509.d/"$site" \ + /etc/apache2/x509.d/"$site"/ca \ + /etc/apache2/x509.d/"$site"/empty \ + /etc/apache2/x509.d/"$site"/rvk \ + /etc/apache2/x509.d/"$site"/usr sudo install -m 664 -o www -g www \ - "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \ - /etc/apache2/site.d/"$site"/x509/crt.self-signed.pem + "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \ + /etc/apache2/x509.d/"$site"/crt.self-signed.pem #sudo install -m 664 -o www-"$site" -g www-"$site" \ # "$tool"/var/pub/x509/"$site"/rvk.pem \ - # /etc/apache2/site.d/"$site"/x509/rvk.pem + # /etc/apache2/x509.d/"$site"/rvk.pem sudo install -m 664 -o www -g www \ "$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \ - /etc/apache2/site.d/"$site"/x509/ca/crt.pem + /etc/apache2/x509.d/"$site"/ca/crt.pem sudo install -m 664 -o www -g www \ - "$tool"/var/pub/x509/"$site"/crt.pem \ - /etc/apache2/site.d/"$site"/x509/crt.pem + "$tool"/var/pub/x509/"$site"/crt.pem \ + /etc/apache2/x509.d/"$site"/crt.pem ;; esac case $site in @@ -162,16 +172,16 @@ rule_apache2_configure () { ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60" #ErrorLog "/dev/null" LogLevel Warn - SSLCACertificateFile /etc/apache2/site.d/$site/x509/crt.self-signed.pem - SSLCACertificatePath /etc/apache2/site.d/$site/x509/usr/ - #SSLCARevocationFile /etc/apache2/site.d/$site/x509/rvk.pem - SSLCADNRequestFile /etc/apache2/site.d/$site/x509/crt.self-signed.pem - SSLCADNRequestPath /etc/apache2/site.d/$site/x509/empty/ + SSLCACertificateFile /etc/apache2/x509.d/$site/crt.self-signed.pem + SSLCACertificatePath /etc/apache2/x509.d/$site/usr/ + #SSLCARevocationFile /etc/apache2/x509.d/$site/rvk.pem + SSLCADNRequestFile /etc/apache2/x509.d/$site/crt.self-signed.pem + SSLCADNRequestPath /etc/apache2/x509.d/$site/empty/ # NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés - SSLCARevocationPath /etc/apache2/site.d/$site/x509/rvk/ - SSLCertificateChainFile /etc/apache2/site.d/$site/x509/ca/crt.pem - SSLCertificateFile /etc/apache2/site.d/$site/x509/crt.pem - SSLCertificateKeyFile /etc/apache2/site.d/$site/x509/key.pem + SSLCARevocationPath /etc/apache2/x509.d/$site/rvk/ + SSLCertificateChainFile /etc/apache2/x509.d/$site/ca/crt.pem + SSLCertificateFile /etc/apache2/x509.d/$site/crt.pem + SSLCertificateKeyFile /etc/apache2/x509.d/$site/key.pem SSLCipherSuite AES+RSA+SHA256 SSLEngine On SSLInsecureRenegotiation Off @@ -238,38 +248,31 @@ rule_apache2_configure () { sudo service apache2 restart } rule_apt_configure () { - sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF - deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free + sudo install -m 664 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF + deb http://ftp.rezopole.net/debian $vm_lsb_name main + EOF + sudo install -m 664 -o root -g root /dev/stdin /etc/apt/sources.list.d/$vm_lsb_name-backports.list <<-EOF + deb http://ftp.rezopole.net/debian $vm_lsb_name-backports main EOF - sudo install -m 660 -o root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF - #deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free + sudo install -m 664 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF + deb http://nightly.openerp.com/7.0/nightly/deb/ ./ EOF - sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF + sudo install -m 664 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF Package: * Pin: release a=$vm_lsb_name - Pin-Priority: 170 + Pin-Priority: 200 Package: * Pin: release a=$vm_lsb_name-backports - Pin-Priority: 200 + Pin-Priority: 170 EOF sudo apt-get update rule apt_get_install apticron - sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF - EMAIL="admin@$vm_domainname" - # DIFF_ONLY="1" - # LISTCHANGES_PROFILE="apticron" - # ALL_FQDNS="1" - # SYSTEM="foobar.example.com" - # IPADDRESSNUM="1" - # IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1" - # NOTIFY_HOLDS="0" - # NOTIFY_NEW="0" - # NOTIFY_NO_UPDATES="0" - # CUSTOM_SUBJECT="" - # CUSTOM_NO_UPDATES_SUBJECT="" - # CUSTOM_FROM="root@$vm_fqdn" - EOF + m4 \ + --define=VM_DOMAINNAME=$vm_domainname \ + <"$tool"/etc/apticron/apticron.conf.m4 | + sudo install -m 644 -o root -g root /dev/stdin \ + /etc/apticron/apticron.conf } rule_boot_configure () { #warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !" @@ -302,86 +305,38 @@ rule_boot_configure () { # et davantage sécurisant. EOF } -rule_dovecot_configure () { - rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve - local hint="run vm_remote dovecot_key_send before" - assert "sudo test -f /etc/dovecot/\"$vm_domainname\"/imap/x509/key.pem" hint - sudo install -m 400 -o root -g root \ - "$tool"/var/pub/x509/imap."$vm_domainname"/crt+crl.self-signed.pem \ - /etc/dovecot/"$vm_domainname"/imap/x509/crt+crl.self-signed.pem - sudo install -d -m 770 -o root -g root \ - /etc/skel/etc/mail \ - /etc/skel/etc/sieve - sudo install -d -m 1777 -o root -g root \ - /var/lib/dovecot-control \ - /var/lib/dovecot-index - sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF - auth_ssl_username_from_cert = yes - listen = * - log_timestamp = "%Y-%m-%d %H:%M:%S " - mail_debug = yes - mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u - # NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc - # VOIR: http://wiki2.dovecot.org/Quota/FS - mail_plugins = \$mail_plugins quota - mail_privileged_group = mail - passdb { - args = /home/%u/etc/dovecot/passwd - driver = passwd-file - } - plugin { - quota = fs:user - recipient_delimiter = + - sieve = ~/etc/mail/filter.sieve - sieve_dir = ~/etc/mail/sieve - sieve_global_dir = /var/lib/dovecot/sieve/global/ - sieve_max_script_size = 1M - sieve_quota_max_scripts = 0 - sieve_quota_max_storage = 10M - sieve_user_log = ~/var/log/mail/sieve.log - } - protocol imap { - mail_plugins = \$mail_plugins imap_quota - } - protocol lda { - auth_socket_path = /var/run/dovecot/auth-master - hostname = $vm_domainname - info_log_path = - log_path = - mail_plugins = \$mail_plugins sieve - postmaster_address = contact+dovecot+lda@$vm_domainname - syslog_facility = mail - } - protocols = imap sieve - service auth { - user = root - unix_listener /var/spool/postfix/private/auth { - mode = 0660 - user = postfix - group = postfix - } - } - ssl_ca = - LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0 - proc /proc proc defaults 0 0 - sysfs /sys sysfs defaults 0 0 - /dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1 - /dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1 - /dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0 - # NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers. - /dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0 - EOF - sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF - # - ${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg - ${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived - ${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived - ${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived - EOF + m4 \ + --define=VM_LVM_LV=$vm_lvm_lv \ + --define=VM_LVM_VG=$vm_lvm_vg \ + <"$tool"/etc/fstab.m4 | + sudo install -m 644 -o root -g root /dev/stdin \ + /etc/fstab + m4 \ + --define=VM_LVM_LV=$vm_lvm_lv \ + --define=VM_LVM_VG=$vm_lvm_vg \ + <"$tool"/etc/crypttab.m4 | + sudo install -m 644 -o root -g root /dev/stdin \ + /etc/crypttab rule tmpfs_configure } rule_initramfs_configure () { @@ -466,10 +415,11 @@ rule_initramfs_configure () { $users EOF do eval local home\; home="~$user" - cat "$home"/etc/ssh/authorized_keys + sudo cat "$home"/etc/ssh/authorized_keys done done | - sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys + sudo install -m 644 -o root -g root /dev/stdin \ + /etc/initramfs-tools/root/.ssh/authorized_keys sudo rm -f \ /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \ /etc/initramfs-tools/root/.ssh/id_rsa.pub \ @@ -477,6 +427,14 @@ rule_initramfs_configure () { # NOTE: clefs générées par Debian sudo update-initramfs -u } +rule_insserv_remove () { # SYNTAX: $sv + local sv="$1" + #sudo chmod u+x /etc/init.d/"$sv" + sudo insserv --force --remove "$sv" + sudo test ! -x /etc/init.d/"$sv" || + sudo /etc/init.d/"$sv" stop + sudo chmod ugo-x /etc/init.d/"$sv" + } rule_gitolite_configure () { sudo debconf-set-selections <<-EOF gitolite gitolite/gituser string git @@ -487,6 +445,7 @@ rule_gitolite_configure () { rule adduser git \ --disabled-password \ --group \ + --home /home/git \ --shell /bin/bash \ --system sudo chfn --full-name git git @@ -494,34 +453,38 @@ rule_gitolite_configure () { --disabled-login \ --disabled-password \ --group \ - --home ~git/log \ + --home /home/git/log \ --shell /bin/false \ --system - rule adduser git-daemon\ + rule adduser git-data \ --disabled-login \ --disabled-password \ --group \ --home /home/git/pub \ --shell /bin/false \ --system - sudo install -d -m 770 -o git -g git \ + sudo adduser git git-data + sudo install -d -m 750 -o git -g git \ /etc/gitolite \ - ~git/etc \ - ~git/etc/ssh \ - ~git/pub - sudo install -d -m 770 -o log-git -g log-git \ - ~git/log \ - ~git/log/gitolite \ - ~git/log/gitolite/perf - sudo install -d -m 550 -o www-lhc-git -g www-lhc-git \ - /etc/gitweb \ - /etc/gitweb/cgi - sudo ln -fns /etc/gitolite ~git/etc/gitolite - sudo ln -fns /etc/gitweb ~git/etc/gitweb - sudo ln -fns etc/gitolite/gitolite.rc ~git/.gitolite.rc - sudo ln -fns etc/ssh ~git/.ssh + /home/git/etc \ + /home/git/etc/ssh + sudo install -d -m 751 -o git -g git \ + /home/git + sudo install -d -m 2770 -o git-data -g git-data \ + /home/git/pub + sudo install -d -m 1771 -o git -g git \ + /home/git/log + sudo install -d -m 2770 -o git -g log-git \ + /home/git/log/gitolite \ + /home/git/log/gitolite/perf + sudo install -d -m 3771 -o git -g git \ + /home/git/hooks + sudo ln -fns /etc/gitolite /home/git/etc/gitolite + sudo ln -fns /etc/gitweb /home/git/etc/gitweb + sudo ln -fns etc/gitolite/gitolite.rc /home/git/.gitolite.rc + sudo ln -fns etc/ssh /home/git/.ssh sudo install -m 770 -o git -g git /dev/stdin \ - ~git/etc/gitolite/gitolite.rc <<-EOF + /home/git/etc/gitolite/gitolite.rc <<-EOF #\$ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary"; #\$BIG_INFO_CAP = 20; #\$ENV{GL_SLAVES} = 'gitolite@server2 gitolite@server3'; @@ -536,7 +499,7 @@ rule_gitolite_configure () { \$GL_CONF = "\$GL_ADMINDIR/conf/gitolite.conf"; \$GL_CONF_COMPILED = "\$GL_ADMINDIR/conf/gitolite.conf.pm"; #\$GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups" - \$GL_GITCONFIG_KEYS = "hooks\\..* repo\\..*"; + \$GL_GITCONFIG_KEYS = "gitweb\\..* hooks\\..*"; #\$GL_HOSTNAME = "git.$vm_domainname"; # NOTE: read doc/mirroring.mkd COMPLETELY before setting this. #\$GL_HTTP_ANON_USER = "mob"; @@ -556,7 +519,7 @@ rule_gitolite_configure () { #\$GL_WILDREPOS_DEFPERMS = 'R @all'; \$GL_WILDREPOS_PERM_CATS = "READERS WRITERS"; \$HTPASSWD_FILE = ""; - \$PROJECTS_LIST = \$ENV{HOME} . "/projects.list"; + \$PROJECTS_LIST = \$ENV{HOME} . "/etc/gitweb/projects.list"; \$REPO_BASE = "pub"; \$REPO_UMASK = 0007; \$RSYNC_BASE = ""; @@ -565,51 +528,18 @@ rule_gitolite_configure () { \$WEB_INTERFACE = "gitweb"; 1; EOF - sudo install -m 740 -o git -g www-lhc-git /dev/stdin \ - ~git/etc/gitweb/gitweb.conf <<-EOF - \$commit_oneline_message_width = 70; - \$default_projects_order = 'age'; - \$default_text_plain_charset = 'UTF-8'; - @diff_opts = (); - \$favicon = "img/git-favicon.png"; - \$git_temp = "/run/shm/tmp/gitweb"; - \$home_footer = "/etc/gitweb/cgi/home-footer.cgi.inc"; - \$home_header = "/etc/gitweb/cgi/home-header.cgi.inc"; - \$home_link = "/"; - \$home_link_str = 'dépôts'; - \$home_th_age = 'activité'; - \$home_th_descr = 'description'; - \$home_th_owner = 'contact'; - \$home_th_project = 'dépôt'; - \$javascript = "js/gitweb.js"; - \$logo = "img/git-logo.png"; - \$my_uri = ""; - \$projectroot = "../git"; - \$projects_list = "/etc/gitolite/projects.list"; - \$projects_list_description_width = 42; - \$projects_list_owner_width = 15; - \$search_str = "Filtre :"; - \$site_footer = "/etc/gitweb/cgi/site-footer.bin"; - \$site_header = undef; - \$site_name = "git.$vm_domainname"; - \$space_to_nbsp = 0; - @stylesheets = ("css/gitweb.css");# - \$untabify_tabstop = 2; - EOF sudo install -m 600 -o git -g git \ "$tool"/var/pub/ssh/git.key \ - ~git/etc/ssh/git.pub + /home/git/etc/ssh/git.pub sudo -u git \ GL_RC=/home/git/etc/gitolite/gitolite.rc \ GIT_AUTHOR_NAME=git \ - gl-setup -q ~git/etc/ssh/git.pub git + gl-setup -q /home/git/etc/ssh/git.pub git local d for d in doc logs src - do test ! -d ~git/etc/gitolite/"$d" || - rmdir ~git/etc/gitolite/"$d" + do test ! -d /home/git/etc/gitolite/"$d" || + rmdir /home/git/etc/gitolite/"$d" done - rule apt_get_install gitweb highlight - sudo service tmpfs restart } rule_locales_configure () { sudo debconf-set-selections <<-EOF @@ -619,90 +549,12 @@ rule_locales_configure () { rule dpkg_reconfigure locales } rule_login_configure () { - sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF - # /etc/inittab: init(8) configuration. - - # The default runlevel. - id:2:initdefault: - - # Boot-time system configuration/initialization script. - # This is run first except when booting in emergency (-b) mode. - si::sysinit:/etc/init.d/rcS - - # What to do in single-user mode. - ~~:S:wait:/sbin/sulogin - - # /etc/init.d executes the S and K scripts upon change - # of runlevel. - # - # Runlevel 0 is halt. - # Runlevel 1 is single-user. - # Runlevels 2-5 are multi-user. - # Runlevel 6 is reboot. - - l0:0:wait:/etc/init.d/rc 0 - l1:1:wait:/etc/init.d/rc 1 - l2:2:wait:/etc/init.d/rc 2 - l3:3:wait:/etc/init.d/rc 3 - l4:4:wait:/etc/init.d/rc 4 - l5:5:wait:/etc/init.d/rc 5 - l6:6:wait:/etc/init.d/rc 6 - # Normally not reached, but fallthrough in case of emergency. - z6:6:respawn:/sbin/sulogin - - # What to do when CTRL-ALT-DEL is pressed. - ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now - - # What to do when the power fails/returns. - pf::powerwait:/etc/init.d/powerfail start - pn::powerfailnow:/etc/init.d/powerfail now - po::powerokwait:/etc/init.d/powerfail stop - - # Xen hypervisor console - hvc:2345:respawn:/sbin/getty 38400 hvc0 - #xvc:2345:respawn:/sbin/getty 38400 xvc0 - - #-- runit begin - SV:123456:respawn:/usr/sbin/runsvdir-start - #-- runit end - EOF - sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF - MAIL_DIR /var/mail - FAILLOG_ENAB yes - LOG_UNKFAIL_ENAB no - LOG_OK_LOGINS no - SYSLOG_SU_ENAB yes - SYSLOG_SG_ENAB yes - FTMP_FILE /var/log/btmp - SU_NAME su - HUSHLOGIN_FILE .hushlogin - ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin - ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin - # NOTE: met les sbin/ dans ENV_PATH ; - # - ça n'apporte aucune protection de ne pas les mettre ; - # - ça frustre de ne pas les trouver. - TTYGROUP tty - TTYPERM 0600 - ERASECHAR 0177 - KILLCHAR 025 - UMASK 007 - # NOTE: rwxrwx--- ; - # - donne une même confiance au groupe propriétaire qu'au propriétaire ; - # - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire. - PASS_MAX_DAYS 99999 - PASS_MIN_DAYS 0 - PASS_WARN_AGE 7 - UID_MIN 1000 - UID_MAX 60000 - GID_MIN 1000 - GID_MAX 60000 - LOGIN_RETRIES 3 - LOGIN_TIMEOUT 60 - CHFN_RESTRICT rwh - DEFAULT_HOME yes - USERGROUPS_ENAB yes - ENCRYPT_METHOD SHA512 - EOF + sudo install -m 644 -o root -g root \ + "$tool"/etc/inittab \ + /etc/inittab + sudo install -m 644 -o root -g root \ + "$tool"/etc/login.defs \ + /etc/login.defs grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session || sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF $(cat /etc/pam.d/common-session) @@ -719,23 +571,6 @@ rule_login_configure () { xvc0 EOF } -rule_mail_configure () { - rule postfix_configure - rule postgrey_configure - rule procmail_configure - rule dovecot_configure - } -rule_mysql_configure () { - rule apt_get_install mysql-server-5.5 - sudo install -m 644 -o root -g root \ - "$tool"/etc/mysql/my.cnf \ - /etc/mysql/my.cnf - if test ! -d /home/mysql; then - sudo install -d -m 750 -o mysql -g mysql \ - /home/mysql - sudo -u mysql mysql_install_db --no-defaults --datadir=/home/mysql/ - fi - } rule_network_configure () { sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF $vm @@ -745,463 +580,144 @@ rule_network_configure () { $(cat /etc/hosts) 127.0.0.1 $vm_fqdn $vm EOF - sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF - auto lo - iface lo inet loopback - - auto eth0=grenode - iface grenode inet static - address $vm_ipv4 - gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse - network $vm_ipv4 - broadcast $vm_ipv4 - netmask 255.255.255.255 - mtu 1300 - # NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode - # car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose. - # - # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net - # PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data. - # 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms - # - # --- soupirail.grenode.net ping statistics --- - # 1 packets transmitted, 1 received, 0% packet loss, time 0ms - # rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms - # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net - # PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data. - # From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300) - # - # --- soupirail.grenode.net ping statistics --- - # 0 packets transmitted, 0 received, +1 errors - post-up ip address add $vm_ipv4/32 dev \$IFACE - pre-down ip address delete $vm_ipv4/32 dev \$IFACE + sudo install -m 644 -o root -g root /dev/stdin /etc/resolv.conf <<-EOF + search ${vm_host#*.} + nameserver ${vm_host_nameserver} EOF + m4 \ + --define=VM_IPV4=$vm_ipv4 \ + <"$tool"/etc/network/interfaces.m4 | + sudo install -m 640 -o root -g root /dev/stdin \ + /etc/network/interfaces } -rule_www_configure () { - rule adduser www \ - --disabled-login \ - --disabled-password \ - --group \ - --home /home/www \ - --shell /bin/false \ - --system - rule adduser log-www \ - --disabled-login \ - --disabled-password \ - --group \ - --home /home/www/log \ - --shell /bin/false \ - --system - #sudo adduser www www-data - sudo adduser www log-www - #sudo adduser log log-www - usermod --home /home/www/pub www-data - sudo install -d -m 751 -o www -g www \ - /home/www - sudo install -d -m 750 -o www -g www \ - /home/www/etc - sudo install -d -m 1771 -o www-data -g www-data \ - /home/www/pub - sudo install -d -m 1771 -o log-www -g log-www \ - /home/www/log +rule_runit_configure () { # SYNTAX: $sv [...] -- $configure_options + rule apt_get_install runit + if test $# = 0 + then + set +x + sudo sv status \ + $(sudo find /etc/sv \ + -mindepth 1 -maxdepth 1 -type d \ + -printf '%p\n' | sort) + else + local services= + while [ $# -gt 0 ] + do case $1 in + (--) shift; break;; + (*) services="$services $1"; shift;; + esac + done + #for sv in $(sudo find /etc/sv \ + # -mindepth 1 -maxdepth 1 -type d \ + # -false $(printf -- '-or -name %s\n' $services) \ + # -printf '%f\n') + # do + # case $(sudo sv stop "$sv" | tee /dev/stderr) in + # (*": runsv not running") true;; + # (*": unable to open supervise/ok: file does not exist") true;; + # ("ok: down:"*) true;; + # (*) false;; + # esac + # done + for sv in $(find "$tool"/etc/sv \ + -mindepth 1 -maxdepth 1 -type d \ + -false $(printf -- '-or -name %s\n' $services) \ + -printf '%f\n') + do + rule _runit_sv_configure "$sv" "$@" + rule _runit_sv_start "$sv" + done + #sleep 3 + #sudo find -L /etc/service -type l -delete + fi } -rule_nginx_configure () { - local -; set +f - rule apt_get_install nginx - sudo rm -rf \ - /etc/nginx/conf.d \ - /etc/nginx/site.d - sudo install -d -m 770 -o www -g www \ - /etc/nginx \ - /etc/nginx/conf.d \ - /etc/nginx/site.d \ - /etc/nginx/x509.d +rule__runit_sv_configure () { # SYNTAX: $sv $configure_options + local sv="$1"; shift + sudo install -d -m 770 -o root -g root \ + /etc/sv/"$sv" + sudo install -m 770 -o root -g root \ + "$tool"/etc/sv/"$sv"/run \ + /etc/sv/"$sv"/run + if test -e "$tool"/etc/sv/"$sv"/log/run + then + sudo install -d -m 770 -o root -g root \ + /etc/sv/"$sv"/log + sudo install -m 770 -o root -g root \ + "$tool"/etc/sv/"$sv"/log/run \ + /etc/sv/"$sv"/log/run + fi + ( + test ! -r "$tool"/etc/sv/"$sv"/configure.sh || + . "$tool"/etc/sv/"$sv"/configure.sh || return 1 + ) + ( + test ! -r "$tool"/etc/sv/"$sv"/log/configure.sh || + . "$tool"/etc/sv/"$sv"/log/configure.sh || return 1 + ) sudo ln -fns \ - /etc/nginx \ - /home/www/etc/nginx - sudo install -m 660 -o www -g www \ - "$tool"/etc/nginx/nginx.conf \ - /etc/nginx/nginx.conf - local conf - for conf in "$tool"/etc/nginx/conf.d/*.conf - do conf=${conf#"$tool"/etc/nginx/conf.d/} - sudo install -m 660 -o www -g www \ - "$tool"/etc/nginx/conf.d/"$conf" \ - /etc/nginx/conf.d/"$conf" - done - for conf in "$tool"/etc/nginx/site.d/*/server.conf - do conf=${conf#"$tool"/etc/nginx/site.d/} - local site="${conf%/server.conf}" - rule adduser www-"$site" \ - --disabled-login \ - --disabled-password \ - --group \ - --home /home/www-data/"$site" \ - --shell /bin/false \ - --system - rule adduser log-www-"$site" \ - --disabled-login \ - --disabled-password \ - --group \ - --home /home/www/log/"$site"/nginx \ - --shell /bin/false \ - --system - sudo install -d -m 2770 -o log-www-"$site" -g log-www-"$site" \ - /home/www/log/"$site" - sudo install -d -m 770 -o www -g www \ - /etc/nginx/site.d/"$site" - sudo install -d -m 770 -o www -g www \ - /etc/nginx/x509.d/"$site" - test -L /home/www/pub/"$site" || - sudo install -d -m 3770 -o www-"$site" -g www-"$site" \ - /home/www/pub/"$site" - sudo adduser www-data www-"$site" - sudo adduser www-data log-www-"$site" - sudo install -m 660 -o www -g www /dev/stdin \ - /etc/nginx/site.d/"$site"/server.conf <<-EOF - server { - access_log /home/www/log/$site/nginx/access.log main; - error_log /home/www/log/$site/nginx/error.log warn; - root /home/www/pub/$site; - ssl_certificate /etc/nginx/x509.d/$site/crt.pem; - ssl_certificate_key /etc/nginx/x509.d/$site/key.pem; - $(cat "$tool"/etc/nginx/site.d/"$site"/listen.conf) - $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf) - } - EOF - test -d /home/www/pub/"$site" -o -L /home/www/pub/"$site" || - test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh || - . "$tool"/etc/nginx/site.d/"$site"/configure.sh + ../sv/"$sv" \ + /etc/service/"$sv" + } +rule__runit_sv_restart () { # SYNTAX: $sv + local sv="$1" + while true + do case $(sudo sv restart "$sv" | tee /dev/stderr) in + (*": runsv not running") sleep 1;; + (*": unable to open supervise/ok: file does not exist") sleep 1;; + (*) break;; + esac done - rule apt_get_install spawn-fcgi fcgiwrap - sudo insserv --remove fcgiwrap - sudo insserv --remove nginx - rule tmpfs_configure - case $(sv status nginx) in - (run:*) sudo sv restart nginx - esac } -rule_php5_fpm_configure () { - local -; set +f - rule apt_get_install \ - php5-fpm \ - php-apc - rule adduser php5 \ - --disabled-login \ - --disabled-password \ - --group \ - --home /etc/php5/fpm \ - --shell /bin/false \ - --system - rule adduser log-php5 \ - --disabled-login \ - --disabled-password \ - --group \ - --home /home/www/log/php5/fpm \ - --shell /bin/false \ - --system - sudo ln -fns \ - /etc/php5/fpm \ - /home/www/etc/php5 - sudo rm -rf \ - /etc/php5/fpm/conf.d \ - /etc/php5/fpm/pool.d - sudo install -d -m 770 -o php5 -g php5 \ - /etc/php5/fpm/conf.d \ - /etc/php5/fpm/pool.d - sudo install -m 770 -o php5 -g php5 \ - "$tool"/etc/php5/fpm/php-fpm.conf \ - /etc/php5/fpm/php-fpm.conf - local conf - #for conf in "$tool"/etc/php5/fpm/conf.d/*.conf - # do conf=${conf#"$tool"/etc/php5/fpm/conf.d/} - # sudo install -m 660 -o php5 -g php5 \ - # "$tool"/etc/php5/fpm/conf.d/"$conf" \ - # /etc/php5/fpm/conf.d/"$conf" - # done - for conf in "$tool"/etc/php5/fpm/pool.d/*.conf - do conf=${conf#"$tool"/etc/php5/fpm/pool.d/} - IFS=. read -r pool <<-EOF - ${conf%.conf} - EOF - assert 'test "${pool:+set}"' - rule adduser php5-"$pool" \ - --disabled-login \ - --disabled-password \ - --group \ - --no-create-home \ - --home /etc/php5/fpm/pool.d \ - --shell /bin/false \ - --system - rule adduser log-php5-"$pool" \ - --disabled-login \ - --disabled-password \ - --group \ - --no-create-home \ - --home /home/www/log/php5/fpm \ - --shell /bin/false \ - --system - sudo install -d -m 770 -o log-php5 -g log-php5 \ - /home/www/log/php5 \ - /home/www/log/php5/fpm - sudo install -d -m 770 -o log-php5-"$pool" -g log-php5-"$pool" \ - /home/www/log/php5/fpm/"$pool" - sudo install -m 660 -o php5 -g php5 /dev/stdin \ - /etc/php5/fpm/pool.d/"$pool".conf <<-EOF - [$pool] - access.log = /home/www/log/php5/fpm/$pool/access.log - catch_workers_output = yes - chdir = / - env[HOSTNAME] = \$HOSTNAME - env[TEMP] = /tmp - env[TMPDIR] = /tmp - env[TMP] = /tmp - group = php5-$pool - #listen = 127.0.0.1:9000 - listen = /run/php5/fpm/$pool - #listen.allowed_clients = 127.0.0.1 - listen.group = www-data - listen.mode = 0660 - #listen.owner = www-data - listen.backlog = -1 - pm = dynamic - pm.max_children = 5 - pm.max_requests = 200 - pm.max_spare_servers = 4 - pm.min_spare_servers = 2 - pm.start_servers = 3 - pm.status_path = /status - request_slowlog_timeout = 5s - request_terminate_timeout = 120s - rlimit_core = unlimited - rlimit_files = 131072 - slowlog = /home/www/log/php5/fpm/$pool/slow.log - user = php5-$pool - $(cat "$tool"/etc/php5/fpm/pool.d/"$conf") - EOF - sudo install -m 664 -o php5 -g php5 \ - "$tool"/etc/php5/fpm/php.ini \ - /etc/php5/fpm/php.ini - case $(sv status php5-"$pool") in - (run:*) sudo sv restart php5-"$pool" +rule__runit_sv_start () { # SYNTAX: $sv + local sv="$1" + while true + do case $(sudo sv start "$sv" | tee /dev/stderr) in + (*": runsv not running") sleep 1;; + (*": unable to open supervise/ok: file does not exist") sleep 1;; + (*) break;; esac done - rule tmpfs_configure - sudo service php5-fpm restart - } -rule_postfix_configure () { - local hint="run vm_remote postfix_key_send before" - assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint - #warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix" - sudo debconf-set-selections <<-EOF - postfix postfix/main_mailer_type select No configuration - EOF - rule apt_get_install postfix - sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF - *.db - EOF - sudo install -d -m 771 -o root -g root \ - /etc/postfix/ \ - /etc/postfix/$vm_domainname/ \ - /etc/postfix/$vm_domainname/smtp \ - /etc/postfix/$vm_domainname/smtp/x509 \ - /etc/postfix/$vm_domainname/smtp/x509/ca \ - /etc/postfix/$vm_domainname/smtpd \ - /etc/postfix/$vm_domainname/smtpd/x509 \ - /etc/postfix/$vm_domainname/smtpd/x509/ca - sudo ln -fns \ - ../crt+crl.self-signed.pem \ - /etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem - sudo install -m 400 -o root -g root \ - "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \ - /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem - sudo install -m 400 -o root -g root \ - "$tool"/var/pub/x509/smtpd.$vm_domainname/crt.pem \ - /etc/postfix/$vm_domainname/smtpd/x509/crt.pem - sudo install -m 400 -o root -g root \ - "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+ca.pem \ - /etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem - sudo install -m 400 -o root -g root \ - "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \ - /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem - sudo install -m 660 -o root -g root \ - "$tool"/etc/postfix/$vm_domainname/header_checks \ - /etc/postfix/$vm_domainname/header_checks - sudo install -m 664 -o root -g root /dev/stdin \ - /etc/postfix/aliases <<-EOF - # See man 5 aliases for format - abuse: root - admin: root - contact: root - mailer-daemon: root - postmaster: root - root: $(getent group sudo | cut -f 4 -d : | tr , ' ') - EOF - sudo newaliases -oA/etc/postfix/aliases - cat /dev/stdin "$tool"/etc/postfix/main.cf <<-EOF | - mydomain = $vm_domainname - myorigin = \$mydomain - myhostname = $vm_hostname.\$mydomain - mail_name = \$myhostname - mydestination = $vm_hostname \$myhostname \$myorigin - EOF - sudo install -m 664 -o root -g root /dev/stdin \ - /etc/postfix/main.cf - sudo install -m 664 -o root -g root \ - "$tool"/etc/postfix/master.cf \ - /etc/postfix/master.cf - sudo install -m 660 -o root -g root \ - "$tool"/etc/postfix/$vm_domainname/smtp/x509/policy \ - /etc/postfix/$vm_domainname/smtp/x509/policy - sudo postmap hash:/etc/postfix/$vm_domainname/smtp/x509/policy - sudo install -m 660 -o root -g root \ - "$tool"/etc/postfix/$vm_domainname/smtp/header_checks \ - /etc/postfix/$vm_domainname/smtp/header_checks - sudo install -m 660 -o root -g root \ - "$tool"/etc/postfix/$vm_domainname/smtpd/sender_access \ - /etc/postfix/$vm_domainname/smtpd/sender_access - sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/sender_access - sudo install -m 660 -o root -g root \ - "$tool"/etc/postfix/$vm_domainname/smtpd/client_blacklist \ - /etc/postfix/$vm_domainname/smtpd/client_blacklist - sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/client_blacklist - sudo install -m 660 -o root -g root \ - "$tool"/etc/postfix/$vm_domainname/smtpd/relay_clientcerts \ - /etc/postfix/$vm_domainname/smtpd/relay_clientcerts - sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/relay_clientcerts - sudo install -m 660 -o root -g root \ - "$tool"/etc/postfix/$vm_domainname/transport \ - /etc/postfix/$vm_domainname/transport - sudo postmap hash:/etc/postfix/$vm_domainname/transport - sudo install -m 660 -o root -g root \ - "$tool"/etc/postfix/$vm_domainname/virtual_alias \ - /etc/postfix/$vm_domainname/virtual_alias - sudo postmap hash:/etc/postfix/$vm_domainname/virtual_alias - sudo service postfix restart - } -rule_postgresql_configure () { - rule apt_get_install postgresql-9.1 - if [ ! -d /var/lib/postgresql/9.1/ ]; then - pg_createcluster -u postgres --start 9.1 main - fi - sudo install -m 660 -o root -g root \ - "$tool"/etc/postgresql/9.1/main/postgresql.conf \ - /etc/postgresql/9.1/main/postgresql.conf - sudo service postgresql restart - } -rule_openerp_configure () { - sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF - deb http://nightly.openerp.com/trunk/nightly/deb/ ./ - EOF - sudo apt-get update - rule apt_get_install openerp } -rule_postgrey_configure () { - rule apt_get_install postgrey - sudo service postgrey restart - } -rule_procmail_configure () { - rule apt_get_install procmail - sudo install -d -m 770 -o root -g root \ - /etc/skel/etc/mail \ - /etc/skel/var/cache/mail \ - /etc/skel/var/log/mail \ - /etc/skel/var/mail - sudo install -m 660 -o root -g root \ - "$tool"/etc/skel/etc/mail/delivery.procmailrc \ - /etc/skel/etc/mail/delivery.procmailrc - } -rule_runit_configure () { - rule apt_get_install runit +rule_shorewall_configure () { + # DOC: http://shorewall.net/Introduction.html local -; set +f - for sv in ${1-/etc/service/*} - # NOTE: stoppe les services en retenant leur status de départ - do sv=$(basename "$sv") - local sv_hash=$(printf %s "$sv" | sha1sum | cut -f 1 -d ' ') - local sv_status - IFS= read -r sv_status_$sv_hash <<-EOF - $(sv status "$sv") - EOF - rm -f /etc/service/"$sv" + rule apt_get_install shorewall + sudo install -m 644 -o root -g root /dev/stdin \ + /etc/default/shorewall <<-EOF + INITLOG=/dev/null + OPTIONS="" + RESTARTOPTIONS="" + SAFESTOP=0 + STARTOPTIONS="" + startup=1 + EOF + local conf + for conf in "$tool"/etc/shorewall/* + do conf=${conf#"$tool"/etc/shorewall/} + sudo test ! -f "$tool"/etc/shorewall/"$conf" || + sudo install -m 640 -o root -g root \ + "$tool"/etc/shorewall/"$conf" \ + /etc/shorewall/"$conf" done - for sv in ${1-"$tool"/etc/sv/*} - # NOTE: configure et (re-)démarre les services - do sv=$(basename "$sv") - local sv_hash=$(printf %s "$sv" | sha1sum | cut -f 1 -d ' ') - sudo install -d -m 770 -o root -g root \ - /etc/sv/"$sv" - sudo install -m 770 -o root -g root \ - "$tool"/etc/sv/"$sv"/run \ - /etc/sv/"$sv"/run - if test -e "$tool"/etc/sv/"$sv"/log/run - then - sudo install -d -m 770 -o root -g root \ - /etc/sv/"$sv"/log - sudo install -m 770 -o root -g root \ - "$tool"/etc/sv/"$sv"/log/run \ - /etc/sv/"$sv"/log/run - fi - test ! -x "$tool"/etc/sv/"$sv"/configure || - "$tool"/etc/sv/"$sv"/configure - ln -fns ../sv/"$sv" /etc/service/"$sv" - eval local sv_status=\"\${sv_status_$sv_hash-}\" - case $sv_status in - ("") sv start "$sv";; - (run:*) sv restart "$sv";; - esac + sudo install -d -m 750 -o root -g root \ + /etc/shorewall/macro.d + for conf in "$tool"/etc/shorewall/macro.d/* + do conf=${conf#"$tool"/etc/shorewall/macro.d/} + sudo test ! -f "$tool"/etc/shorewall/macro.d/"$conf" || + sudo install -m 640 -o root -g root \ + "$tool"/etc/shorewall/macro.d/"$conf" \ + /etc/shorewall/macro.d/"$conf" done - } -rule_ssh_configure () { - ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts | - ( while IFS= read -r line - do case $line in (*" RSA") return 0; break;; esac - done; return 1 ) || - sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key - sudo rm -f \ - /etc/ssh/ssh_host_dsa_key \ - /etc/ssh/ssh_host_dsa_key.pub \ - /etc/ssh/ssh_host_ecdsa_key \ - /etc/ssh/ssh_host_ecdsa_key.pub - # NOTE: clefs générées par Debian - sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF - Port 22 - ListenAddress $vm_ipv4 - #ListenAddress :: - Protocol 2 - Compression yes - HostKey /etc/ssh/ssh_host_rsa_key - UsePrivilegeSeparation yes - KeyRegenerationInterval 3600 - ServerKeyBits 768 - SyslogFacility AUTH - LogLevel INFO - LoginGraceTime 120 - PermitRootLogin yes - StrictModes yes - RSAAuthentication yes - PubkeyAuthentication yes - AuthorizedKeysFile %h/etc/ssh/authorized_keys - IgnoreRhosts yes - RhostsRSAAuthentication no - HostbasedAuthentication no - IgnoreUserKnownHosts no - PermitEmptyPasswords no - ChallengeResponseAuthentication no - PasswordAuthentication no - KerberosAuthentication no - GSSAPIAuthentication no - X11Forwarding no - X11DisplayOffset 10 - PrintMotd no - DebianBanner no - PrintLastLog yes - TCPKeepAlive yes - ClientAliveInterval 0 - AcceptEnv LANG LC_* - Subsystem sftp /usr/lib/openssh/sftp-server - UsePAM yes - EOF - sudo service ssh restart + sudo install -d -m 750 -o root -g root \ + /etc/shorewall/action.d + #for conf in "$tool"/etc/shorewall/action.d/* + # do conf=${conf#"$tool"/etc/shorewall/action.d/} + # sudo test ! -f "$tool"/etc/shorewall/action.d/"$conf" || + # sudo install -m 640 -o root -g root \ + # "$tool"/etc/shorewall/action.d/"$conf" \ + # /etc/shorewall/action.d/"$conf" + # done + #sudo shorewall safe-restart } rule_sysctl_configure () { local -; set +f @@ -1211,6 +727,11 @@ rule_sysctl_configure () { "$tool"/etc/sysctl.d/"$conf" \ /etc/sysctl.d/"$conf" done + sudo install -m 660 -o root -g root /dev/stdin \ + /etc/sysctl.d/local-kernel-name.conf <<-EOF + kernel.hostname = $vm_hostname + kernel.domainname = $vm_domainname + EOF sudo sysctl --system } rule_tmpfs_configure () { @@ -1228,64 +749,28 @@ rule_tmpfs_configure () { TMP_SIZE=200m TMPFS_SIZE=20%VM EOF - sudo install -m 775 -o root -g root \ - "$tool"/etc/init.d/tmpfs \ - /etc/init.d/tmpfs - sudo update-rc.d tmpfs defaults - sudo service tmpfs restart - } -rule_time_configure () { - sudo install -m 644 -o root -g root /dev/stdin /etc/timezone <<-EOF - Europe/Paris - EOF - sudo debconf-set-selections <<-EOF - tzdata tzdata/Areas select Europe - tzdata tzdata/Zones/Europe select Paris - EOF - rule dpkg_reconfigure tzdata - rule apt_get_install ntp } rule_user_add () { # SYNTAX: $user - rule user_configure - local user=$1 - rule adduser "$user" --disabled-password + local user="$1"; shift + rule adduser "$user" --disabled-password "$@" # NOTE: le mot-de-passe doit être initialisé par l'utilisateur à l'aide de passwd-init . eval local home\; home="~$user" sudo adduser "$user" users - sudo install -m 640 -o root -g root \ + sudo install -m 640 -o "$user" -g "$user" \ "$tool"/var/pub/ssh/"$user".key \ "$home"/etc/ssh/authorized_keys - local key; local -; set +f - for key in "$tool"/var/pub/openpgp/*.key - do sudo -u "$user" gpg --import - <"$key" - done + gpg \ + --homedir "$tool"/var/pub/openpgp/ \ + --no-default-keyring \ + --secret-keyring /dev/null \ + --export | + sudo -u "$user" gpg --import - } rule_user_configure () { - sudo install -m 660 -o root -g root /dev/stdin \ - /etc/adduser.conf <<-EOF - ADD_EXTRA_GROUPS=1 - DHOME=/home - DIR_MODE=0750 - DSHELL=/bin/bash - EXTRA_GROUPS="users" - FIRST_GID=1000 - FIRST_SYSTEM_GID=100 - FIRST_SYSTEM_UID=100 - FIRST_UID=1000 - GROUPHOMES=no - LAST_GID=29999 - LAST_SYSTEM_GID=999 - LAST_SYSTEM_UID=999 - LAST_UID=29999 - LETTERHOMES=no - NAME_REGEX="^[a-z][-a-z0-9_.]*\$" - QUOTAUSER="" # TODO: init - SETGID_HOME=no - SKEL=/etc/skel - SKEL_IGNORE_REGEX="dpkg-(old|new|dist|save)" - USERGROUPS=yes - USERS_GID=100 - EOF + rule apt_get_install bash-completion + sudo install -m 660 -o root -g root \ + "$tool"/etc/adduser.conf \ + /etc/adduser.conf sudo install -d -m 750 -o root -g root \ /etc/skel \ /etc/skel/etc \ @@ -1305,7 +790,7 @@ rule_user_configure () { ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac EOF sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF - %sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean + %sudo ALL=(ALL) NOPASSWD: /usr/bin/etckeeper unclean EOF sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/env_keep <<-EOF Defaults env_keep = " \\ @@ -1325,9 +810,20 @@ rule_user_configure () { sudo install -m 644 -o root -g root \ "$tool"/etc/bash.bashrc \ /etc/bash.bashrc + sudo install -m 644 -o root -g root \ + "$tool"/etc/inputrc \ + /etc/inputrc sudo install -m 644 -o root -g root \ "$tool"/etc/screenrc \ /etc/screenrc + local sh; local -; set +f + for sh in "$tool"/etc/user.d/*/configure.sh + do sh=${sh#"$tool"/etc/user.d/} + local user="${sh%/configure.sh}" + ( + . "$tool"/etc/user.d/"$sh" || return 1 + ) + done } rule_user_admin_add () { # SYNTAX: $user rule user_configure @@ -1338,10 +834,12 @@ rule_user_admin_add () { # SYNTAX: $user sudo install -m 640 -o root -g root \ "$tool"/var/pub/ssh/"$user".key \ "$home"/etc/ssh/authorized_keys - local key; local -; set +f - for key in "$tool"/var/pub/openpgp/*.key - do sudo -u "$user" gpg --import - <"$key" - done + gpg \ + --homedir "$tool"/var/pub/openpgp/ \ + --no-default-keyring \ + --secret-keyring /dev/null \ + --export | + sudo -u "$user" gpg --import - rule user_admin_configure } rule_user_admin_configure () { @@ -1361,14 +859,45 @@ rule_user_root_configure () { $users EOF do eval local home\; home="~$user" - cat "$home"/etc/ssh/authorized_keys + sudo cat "$home"/etc/ssh/authorized_keys done done | - sudo install -m 640 -o root -g root /dev/stdin /root/etc/ssh/authorized_keys - local key; local -; set +f - for key in "$tool"/var/pub/openpgp/*.key - do sudo gpg --import "$key" - done + sudo install -m 640 -o root -g root /dev/stdin \ + /root/etc/ssh/authorized_keys + gpg \ + --homedir "$tool"/var/pub/openpgp/ \ + --no-default-keyring \ + --secret-keyring /dev/null \ + --export | + sudo gpg --import - + } +rule__www_configure () { + rule adduser www \ + --disabled-login \ + --disabled-password \ + --group \ + --home /home/www \ + --shell /bin/false \ + --system + rule adduser log-www \ + --disabled-login \ + --disabled-password \ + --group \ + --home /home/www/log \ + --shell /bin/false \ + --system + #sudo adduser www www-data + sudo adduser www log-www + #sudo adduser log log-www + usermod --home /home/www/pub www-data + sudo install -d -m 751 -o www -g www \ + /home/www + sudo install -d -m 750 -o www -g www \ + /home/www/etc + sudo install -d -m 1771 -o www-data -g www-data \ + /home/www/pub + sudo install -d -m 1771 -o log-www -g log-www \ + /home/www/log } rule_configure () { rule apt_configure @@ -1384,12 +913,8 @@ rule_configure () { rule boot_configure rule sysctl_configure rule user_configure - rule mail_configure - rule www_configure - rule php5_fpm_configure - rule nginx_configure - #rule apache2_configure rule gitolite_configure + rule shorewall_configure rule runit_configure } @@ -1403,6 +928,7 @@ case $rule in (help);; (*) assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn + cd / ;; esac rule $rule "$@"