X-Git-Url: https://git.cyclocoop.org/?p=lhc%2Fateliers.git;a=blobdiff_plain;f=vm_hosted;h=a793041250965f70df73d1211274a0b252bafe06;hp=59e40561c42adeb2ad6b81cdd8e22ae4efc22f67;hb=ac6452c7821434c9750210bf75a95e51d876dc3d;hpb=deeba8cf50893362d5af7bed3e94119e430af487

diff --git a/vm_hosted b/vm_hosted
index 59e4056..a793041 100755
--- a/vm_hosted
+++ b/vm_hosted
@@ -293,7 +293,7 @@ rule_dovecot_configure () {
 	local hint="run vm_remote dovecot_key_send before"
 	assert "test -f /etc/dovecot/$vm_domainname/imap/x509/key.pem" hint
 	sudo install -m 400 -o root -g root \
-	     "$tool"/var/pub/x509/service/imap/crt+crl.self-signed.pem \
+	     "$tool"/var/pub/x509/$vm_domainname/imap/crt+crl.self-signed.pem \
 	 /etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
 	sudo install -d -m 770 -o root -g adm \
 	 /etc/skel/etc/mail \
@@ -624,6 +624,230 @@ rule_network_configure () {
 		    pre-down  ip address delete $vm_ipv4/32 dev \$IFACE
 		EOF
  }
+rule_www_configure () {
+	getent passwd www >/dev/null ||
+	sudo adduser \
+	 --disabled-login \
+	 --disabled-password \
+	 --group \
+	 --home /home/www \
+	 --shell /bin/false \
+	 --system \
+	 www
+	sudo adduser \
+	 --disabled-login \
+	 --disabled-password \
+	 --group \
+	 --home ~www/log \
+	 --shell /bin/false \
+	 --system \
+	 log.www
+	#sudo adduser www www-data
+	sudo adduser www log.www
+	#sudo adduser log log.www
+	usermod --home /home/www/pub www-data
+	sudo install -d -m 751 -o www -g www \
+	 /home/www
+	sudo install -d -m 750 -o www -g www \
+	 /home/www/etc
+	sudo install -d -m 1771 -o www-data -g www-data \
+	 /home/www/pub \
+	sudo install -d -m 1771 -o log.www -g log.www \
+	 /home/www/log
+ }
+rule_nginx_configure () {
+	local -; set +f
+	rule apt_get_install nginx
+	rule www_configure
+	sudo rm -rf \
+	 /etc/nginx/conf.d \
+	 /etc/nginx/site.d
+	sudo install -d -m 770 -o www -g www \
+	 /etc/nginx \
+	 /etc/nginx/conf.d \
+	 /etc/nginx/site.d
+	sudo ln -fns \
+	 /etc/nginx \
+	 /home/www/etc/nginx
+	sudo install -m 660 -o www -g www \
+	 "$tool"/etc/nginx/nginx.conf \
+	        /etc/nginx/nginx.conf
+	local conf
+	for conf in "$tool"/etc/nginx/conf.d/*.conf
+	 do conf=${conf#"$tool"/etc/nginx/conf.d/}
+		sudo install -m 660 -o www -g www \
+		 "$tool"/etc/nginx/conf.d/"$conf" \
+		        /etc/nginx/conf.d/"$conf"
+	 done
+	for conf in "$tool"/etc/nginx/site.d/*/server.conf
+	 do conf=${conf#"$tool"/etc/nginx/site.d/}
+		local port site
+		IFS=. read -r port site <<-EOF
+			${conf%\/server\.conf}
+			EOF
+		assert 'test "${port:+set}"'
+		assert 'test "${site:+set}"'
+		site="$port.$site"
+		getent passwd www."$site" >/dev/null ||
+		sudo adduser \
+		 --disabled-login \
+		 --disabled-password \
+		 --group \
+		 --home ~www-data/"$site" \
+		 --shell /bin/false \
+		 --system \
+		 www."$site"
+		getent passwd log."$site" >/dev/null ||
+		sudo adduser \
+		 --disabled-login \
+		 --disabled-password \
+		 --group \
+		 --shell /bin/false \
+		 --system \
+		 log."$site"
+		sudo usermod --home ~www/log/"$site"/nginx log."$site"
+		sudo install -d -m 770 -o www -g www \
+		 /etc/nginx/site.d/"$site"
+		case $port in
+		 (443)
+			local hint="run vm_remote nginx_key_send before"
+			assert "sudo test -f /etc/nginx/\"$site\"/x509/key.pem" hint
+			sudo install -m 664 -o www -g www \
+			 "$tool"/var/pub/x509/"$site"/crt+ca.pem \
+			 /etc/nginx/site.d/"$site"/x509/crt.pem
+			;;
+		 esac
+		case $port in
+		 (80)
+			cat <<-EOF
+				server {
+					listen $port;
+					access_log /home/www/log/$site/nginx/access.log main;
+					error_log  /home/www/log/$site/nginx/error.log warn;
+					root /home/www/pub/$site;
+					server_name $site;
+					$(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
+				 }
+				EOF
+			;;
+		 (443)
+			cat <<-EOF
+				server {
+					listen $port;
+					access_log /home/www/log/$site/nginx/access.log main;
+					error_log  /home/www/log/$site/nginx/error.log warn;
+					keepalive_timeout 70;
+					root /home/www/pub/$site;
+					server_name $site;
+					# DOC: http://wiki.nginx.org/HttpSslModule
+					ssl on;
+					ssl_certificate     /home/www/etc/nginx/site.d/$site/x509/crt.pem;
+					ssl_certificate_key /home/www/etc/nginx/site.d/$site/x509/key.pem;
+					ssl_ciphers HIGH:!ADH:!MD5;
+					ssl_prefer_server_ciphers on;
+					ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+					ssl_session_cache shared:SSL:10m;
+					$(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
+				 }
+				EOF
+			;;
+		 esac |
+		sudo install -m 660 -o www -g www /dev/stdin \
+		 /etc/nginx/site.d/"$site"/server.conf
+		adduser www-data "$site"
+		test -e /home/www/pub/"$site" ||
+		sudo install -d -m 3770 -o "$site" -g "$site" \
+		 /home/www/pub/"$site"
+		sudo install -d -m 3770 -o log."$site" -g log."$site" \
+		 /home/www/log/"$site"/nginx
+		test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
+		.         "$tool"/etc/nginx/site.d/"$site"/configure.sh
+	 done
+	rule apt_get_install spawn-fcgi fcgiwrap
+	sudo insserv --remove fcgiwrap
+	rule tmpfs_configure
+	sudo service nginx restart
+ }
+rule_php5_fpm_configure () {
+	local -; set +f
+	rule apt_get_install \
+	 php5-fpm \
+	 php-apc
+	getent passwd php5 >/dev/null ||
+	sudo adduser \
+	 --disabled-login \
+	 --disabled-password \
+	 --group \
+	 --shell /bin/false \
+	 --system \
+	 php5
+	local conf
+	sudo ln -fns \
+	 /etc/php5-fpm \
+	 /home/www/etc/php5
+	sudo rm -f /etc/php5/fpm/pool.d/*
+	for conf in "$tool"/etc/php5/fpm/pool.d/*.conf
+	 do conf=${conf#"$tool"/etc/php5/fpm/pool.d/}
+		local port site
+		IFS=. read -r port site <<-EOF
+			${conf%\.conf}
+			EOF
+		assert 'test "${port:+set}"'
+		assert 'test "${site:+set}"'
+		site="$port.$site"
+		getent passwd php5"$site" >/dev/null ||
+		sudo adduser \
+		 --disabled-login \
+		 --disabled-password \
+		 --group \
+		 --no-create-home \
+		 --home ~www/pub/"$site" \
+		 --shell /bin/false \
+		 --system \
+		 php5."$site"
+		sudo install -d -m 770 -o php5 -g php5 \
+		 /home/www/log/php5 \
+		 /home/www/log/php5/fpm
+		sudo install -d -m 770 -o log."$site" -g log."$site" \
+		 /home/www/log/"$site"
+		sudo adduser php5."$user" www."$site"
+		sudo install -m 660 -o root -g root /dev/stdin \
+		 /etc/php5/fpm/pool.d/"$conf" <<-EOF
+			[php5.$site]
+			access.log = /home/www/log/$site/php5/fpm/access.log
+			catch_workers_output = yes
+			chdir = /
+			env[HOSTNAME] = \$HOSTNAME
+			env[TEMP] = /tmp
+			env[TMPDIR] = /tmp
+			env[TMP] = /tmp
+			group = www-data
+			listen = /run/nginx/fastcgi/php5.$site
+			#listen = 127.0.0.1:9000
+			#listen.allowed_clients = 127.0.0.1
+			listen.backlog = -1
+			pm = dynamic
+			pm.max_children = 5
+			pm.max_requests = 200
+			pm.max_spare_servers = 4
+			pm.min_spare_servers = 2
+			pm.start_servers = 3
+			pm.status_path = /status
+			request_slowlog_timeout = 5s
+			request_terminate_timeout = 120s
+			rlimit_core = unlimited
+			rlimit_files = 131072
+			slowlog = /home/www/log/$site/php5/fpm/slow.log
+			user = $php5_user
+			$(cat "$tool"/etc/php5/fpm/pool.d/"$conf")
+			EOF
+		sudo install -m 664 -o root -g root \
+		 "$tool"/etc/php5/fpm/php.ini \
+		        /etc/php5/fpm/php.ini
+	 done
+	rule tmpfs_configure
+	sudo service php5-fpm restart
+ }
 rule_postfix_configure () {
 	local hint="run vm_remote postfix_key_send before"
 	assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
@@ -652,16 +876,16 @@ rule_postfix_configure () {
 	 ../crt+crl.self-signed.pem \
 	 /etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
 	sudo install -m 400 -o root -g root \
-	     "$tool"/var/pub/x509/service/smtpd/crt+crl.self-signed.pem \
+	     "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+crl.self-signed.pem \
 	 /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
 	sudo install -m 400 -o root -g root \
-	     "$tool"/var/pub/x509/service/smtpd/crt.pem \
+	     "$tool"/var/pub/x509/$vm_domainname/smtpd/crt.pem \
 	 /etc/postfix/$vm_domainname/smtpd/x509/crt.pem
 	sudo install -m 400 -o root -g root \
-	     "$tool"/var/pub/x509/service/smtpd/crt+root.pem \
-	 /etc/postfix/$vm_domainname/smtpd/x509/crt+root.pem
+	     "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+ca.pem \
+	 /etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem
 	sudo install -m 400 -o root -g root \
-	     "$tool"/var/pub/x509/service/smtpd/crt+crl.self-signed.pem \
+	     "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+crl.self-signed.pem \
 	 /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
 	sudo install -m 660 -o root -g root \
 	 "$tool"/etc/postfix/$vm_domainname/header_checks \
@@ -831,9 +1055,10 @@ rule_user_configure () {
 	 /etc/skel/etc/ssh
 	sudo install -d -m 770 -o root -g adm \
 	 /etc/skel/var \
-	 /etc/skel/var/log \
 	 /etc/skel/var/cache \
-	 /etc/skel/var/cache/ssh
+	 /etc/skel/var/log \
+	 /etc/skel/var/run \
+	 /etc/skel/var/run/ssh
 	sudo ln -fns etc/ssh /etc/skel/.ssh
 	sudo ln -fns etc/gpg /etc/skel/.gnupg
 	sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
@@ -898,11 +1123,13 @@ rule_configure () {
 	rule filesystem_configure
 	rule login_configure
 	rule ssh_configure
-	rule mail_configure
-	rule apache2_configure
 	rule user_root_configure
 	rule boot_configure
 	rule user_configure
+	rule mail_configure
+	#rule apache2_configure
+	rule nginx_configure
+	rule php5_fpm_configure
  }
 
 rule_luks_key_change () {