X-Git-Url: https://git.cyclocoop.org/?p=lhc%2Fateliers.git;a=blobdiff_plain;f=vm_hosted;h=dc86ddcc152591cd1fbd87f8261446edb9709878;hp=8afa6b4b0432defaa7114a7b9a0c3c7a6e2874a7;hb=d501326a3e710da0ea34928b4a44d13103c0106a;hpb=fe76c838090f262ec477c6a73d1bf9d988033b56 diff --git a/vm_hosted b/vm_hosted index 8afa6b4..dc86ddc 100755 --- a/vm_hosted +++ b/vm_hosted @@ -1,8 +1,9 @@ #!/bin/sh set -e -f ${DRY_RUN:+-n} -u tool=${0%/*} -. "$tool"/lib/functions.sh +. "$tool"/lib/rule.sh . "$tool"/etc/vm.sh +. "$tool"/lib/mk.sh rule_help () { # SYNTAX: [--hidden] local hidden; [ ${1:+set} ] || hidden=set @@ -32,18 +33,28 @@ rule_git_config () { rule_git_reset () { ( cd "$tool" - git checkout -f -B master origin + git checkout -f -B master remotes/master git clean -f -d -x ) } -rule_chrooted () { +rule_apt_get_install () { # SYNTAX: $package + case $(dpkg -s "$1" | grep '^Status: ') in + ("Status: install ok installed");; + (*) + test ! -x /usr/bin/etckeeper || + assert 'sudo etckeeper unclean' + sudo apt-get "$@";; + esac + } + +rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ? export LANG=C export LC_CTYPE=C . /etc/profile } -rule_apt_init () { +rule_apt_configure () { mk_reg mod= own= /etc/apt/sources.list <<-EOF deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free EOF @@ -63,8 +74,8 @@ rule_apt_init () { deb http://nightly.openerp.com/trunk/nightly/deb/ ./ EOF } -rule_apticron_init () { - sudo apt-get install --reinstall apticron +rule_apticron_configure () { + rule apt_get_install apticron mk_reg mod=644 own=root:root /etc/apticron/apticron.conf <<-EOF EMAIL="admin@heureux-cyclage.org" # DIFF_ONLY="1" 
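Review bot: `rule_apt_get_install` ends with `sudo apt-get "$@"`, but its SYNTAX comment and the call sites in this commit (`rule apt_get_install apticron`) pass only package names, so unless `rule` in lib/rule.sh (not visible here) rewrites its arguments this runs `apt-get apticron` and fails with an invalid-operation error; it should read `sudo apt-get install "$@"`. The installed-state check also looks only at `"$1"` while the install uses `"$@"`, so any second package is never checked — either loop over `"$@"` or document that exactly one package is accepted. Separately, if `etckeeper unclean` keeps its usual meaning (exit 0 when /etc has uncommitted changes), `assert 'sudo etckeeper unclean'` asserts that /etc is dirty rather than clean; worth confirming against `assert` in lib/rule.sh before relying on it as a guard. `rule_mail_configure` later in this diff still calls `sudo apt-get install` directly and so bypasses whatever guard this helper provides.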
@@ -80,12 +91,12 @@ rule_apticron_init () { # CUSTOM_NO_UPDATES_SUBJECT="" # CUSTOM_FROM="root@ateliers.heureux-cyclage.org" EOF - sudo service apticron restart } -rule_boot_init () { - sudo apt-get install --reinstall grub-pc # XXX: attention à n'installer GRUB sur AUCUN disque proposé ! +rule_boot_configure () { + warn "attention à n'installer GRUB sur AUCUN disque proposé !" + rule apt_get_install grub-pc mk_dir mod=644 own=root:root /boot/grub - sudo apt-get install --reinstall linux-image-$vm_arch + rule apt_get_install linux-image-$vm_arch mk_reg mod=644 own=root:root /etc/default/grub <<-EOF GRUB_DEFAULT=0 GRUB_TIMEOUT=5 @@ -100,9 +111,9 @@ rule_boot_init () { (hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g') EOF sudo update-grub2 # NOTE: prend en compte /boot/grub/device.map - rule initramfs_init + rule initramfs_configure } -rule_etckeeper_init () { +rule_etckeeper_configure () { mk_reg mod=644 own=root:root /etc/etckeeper/etckeeper.conf <<-EOF VCS=git GIT_COMMIT_OPTIONS="" @@ -112,8 +123,9 @@ rule_etckeeper_init () { HIGHLEVEL_PACKAGE_MANAGER=apt LOWLEVEL_PACKAGE_MANAGER=dpkg EOF + rule apt_get_install etckeeper } -rule_filesystem_init () { +rule_filesystem_configure () { mk_reg mod=644 own=root:root /etc/fstab <<-EOF # LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0 @@ -137,7 +149,7 @@ rule_filesystem_init () { vm.vfs_cache_pressure=50 EOF } -rule_initramfs_init () { +rule_initramfs_configure () { mk_reg mod=644 own=root:root /etc/initramfs-tools/initramfs.conf <<-EOF MODULES=most BUSYBOX=y 
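Review bot: The `warn` before `rule apt_get_install grub-pc` only tells the operator what to answer; the debconf prompt that actually decides where GRUB is written stays interactive, and it is skipped entirely once grub-pc is already installed, so the warning prints on every run while the dangerous prompt appears only on the first. A safer guard is to preseed the answer so that no disk is offered at all, e.g. `echo 'grub-pc grub-pc/install_devices multiselect' | sudo debconf-set-selections` immediately before the install, keeping the `warn` as documentation of why. The enclosing `rule_boot_configure` continues past the end of this hunk.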
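Review bot: `rule apt_get_install etckeeper` is placed after `mk_reg` has already written `/etc/etckeeper/etckeeper.conf`, so on a fresh VM the package's conffile meets a pre-existing, different file on disk and dpkg stops with its "File on system created by you or by a script" conffile prompt (or, under a non-interactive frontend, silently keeps the unrecorded local copy). Installing first and writing the configuration afterwards avoids that: move `rule apt_get_install etckeeper` above the `mk_reg` call. Nothing in the visible diff runs `etckeeper init` after the install; if the package's postinst is relied on for that, a one-line comment saying so would help the next reader. The start of `rule_etckeeper_configure` lies outside this hunk.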
@@ -163,23 +175,18 @@ rule_initramfs_init () { sudo sed -e '/^configure_networking /s/ &$//' \ -i /usr/share/initramfs-tools/scripts/init-premount/dropbear # NOTE: corrige une vermine : dropbear doit attendre que le réseau soit configuré.. - sudo rm -f \ - /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key \ - /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key.pub \ - /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \ - /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts | ( while IFS= read -r line do case $line in (*" RSA") return 0; break;; esac done; return 1 ) || + { + sudo rm -f \ + /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \ + /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub sudo dropbearkey -t rsa -s 4096 -f \ /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key - ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts | - ( while IFS= read -r line - do case $line in (*" DSA") return 0; break;; esac - done; return 1 ) || - sudo dropbearkey -t dss -s 1024 -f \ - /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key + } + # NOTE: ne se préoccupe pas de dropbear_dss_host_key ; Debian la génère et l'utilise néamoins. mk_dir mod=640 own=root:root \ /etc/initramfs-tools/root \ /etc/initramfs-tools/root/.ssh @@ -200,13 +207,13 @@ rule_initramfs_init () { # NOTE: clefs générées par Debian sudo update-initramfs -u } -rule_locale_init () { +rule_locale_configure () { mk_reg mod=644 own=root:root /etc/locale.gen <<-EOF fr_FR.UTF-8 UTF-8 EOF sudo update-locale } -rule_login_init () { +rule_login_configure () { grep -q '^hvc0$' /etc/securetty || mk_reg mod= own= --append /etc/securetty <<-EOF hvc0 @@ -300,7 +307,7 @@ rule_login_init () { session optional pam_umask.so EOF } -rule_network_init () { +rule_network_configure () { mk_reg mod= own= /etc/hostname <<-EOF $vm EOF 
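Review bot: The new NOTE leaves `dropbear_dss_host_key` to Debian, which means the initramfs dropbear still offers a 1024-bit DSS host key that this script neither generates nor pins, while `etc/openssh/known_hosts` only ever records the RSA key for `init.$vm_fqdn`. A client that negotiates ssh-dss (clients that still enable it by default exist) then sees an unknown host key for the unlock shell and will either trust-on-first-use a key it cannot verify or be nudged into bypassing host-key checking — exactly the MITM-at-the-passphrase-prompt scenario the pinning is meant to prevent. If the DSS key cannot simply be removed because the initramfs hook regenerates it, state that in the NOTE and tell clients to connect with `-o HostKeyAlgorithms=ssh-rsa`, or pin the Debian-generated DSS key the way the removed lines did. The regeneration branch also never verifies that an RSA key already on disk matches the pinned entry when one exists; comparing the fingerprint from `dropbearkey -y -f …` with the known_hosts line would close that gap. `rule_initramfs_configure` starts and ends outside this hunk.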
@@ -319,12 +326,28 @@ rule_network_init () { network $vm_ipv4 broadcast $vm_ipv4 netmask 255.255.255.255 - #mtu 1300 + mtu 1300 + # NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode + # car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose. + # + # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net + # PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data. + # 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms + # + # --- soupirail.grenode.net ping statistics --- + # 1 packets transmitted, 1 received, 0% packet loss, time 0ms + # rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms + # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net + # PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data. + # From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300) + # + # --- soupirail.grenode.net ping statistics --- + # 0 packets transmitted, 0 received, +1 errors post-up ip address add $vm_ipv4/32 dev \$IFACE pre-down ip address delete $vm_ipv4/32 dev \$IFACE EOF } -rule_user_init () { +rule_user_configure () { mk_dir mod=750 own="root:adm" /etc/skel/etc mk_dir mod=770 own="root:adm" /etc/skel/etc/apache2 mk_dir mod=770 own="root:adm" /etc/skel/etc/ssh @@ -409,7 +432,7 @@ rule_user_init () { 'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac' EOF } -rule_user_root_init () { +rule_user_root_configure () { mk_dir mod=750 own=root:root /root/etc mk_dir mod=750 own=root:root /root/etc/ssh mk_dir mod=750 own=root:root /root/etc/gpg 
@@ -425,30 +448,35 @@ rule_user_root_init () { done done | mk_reg mod=640 own=root:root /root/etc/ssh/authorized_keys - local key + local key; local -; set +f for key in "$tool"/var/pub/openpgp/*.key do sudo gpg --import "$key" done } -rule_bin_init () { +rule_bin_configure () { mk_lnk "$tool"/vm_hosted /usr/local/sbin/ } -rule_init () { - rule etckeeper_init - rule locale_init - rule network_init - rule apt_init - rule filesystem_init - rule login_init - rule user_root_init - rule boot_init - rule bin_init +rule_configure () { + rule etckeeper_configure + rule locale_configure + rule network_configure + rule apt_configure + rule filesystem_configure + rule login_configure + rule user_root_configure + rule boot_configure + rule apticron_configure + rule bin_configure } -rule_disk_key_change () { +rule_luks_key_change () { sudo cryptsetup luksChangeKey /dev/$vm_lvm_vg/${vm_lvm_lv}_root } +rule_user_admin_configure () { + rule initramfs_configure + rule user_root_configure + } rule_user_admin_add () { # SYNTAX: $user local user=$1 id "$user" >/dev/null || @@ -458,12 +486,11 @@ rule_user_admin_add () { # SYNTAX: $user sudo adduser "$user" sudo mk_reg mod=640 own=$user:$user "$home"/etc/ssh/authorized_keys \ <"$tool"/var/pub/ssh/"$user".key - rule initramfs_init - rule user_root_init local key; local -; set +f for key in "$tool"/var/pub/openpgp/*.key do sudo -u "$user" gpg --import "$key" done + rule user_admin_configure } rule_user_mail_format () { mk_dir mod=770 own=root:adm /etc/skel/etc/procmail @@ -826,7 +853,7 @@ rule_user_mail_format () { mk_reg mod=664 own=root:root /etc/postgrey/whitelist_recipients.local <<-EOF EOF } -rule_mail_init () { +rule_mail_configure () { sudo apt-get install postfix postgrey dovecot } @@ -836,7 +863,6 @@ case $rule in (help);; (*) assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn - ${TRACE:+set -x} ;; esac rule $rule "$@"
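Review bot: The new `local -; set +f` in `rule_user_root_configure` re-enables globbing for `"$tool"/var/pub/openpgp/*.key`, but `/bin/sh` has no nullglob, so with an empty directory the loop hands the literal pattern to `sudo gpg --import`, which fails and aborts the whole rule under `set -e`. A one-line guard keeps the bootstrap from dying on a host that has no OpenPGP keys yet: `[ -e "$key" ] || continue` as the first line of the loop body. `local -` is accepted by dash and by bash 4.4 or later but is not POSIX, which deserves a comment next to the `#!/bin/sh` shebang's promise. `rule_user_admin_configure` also reruns `initramfs_configure`, i.e. rebuilds the initramfs, on every admin addition; that is presumably intended because root's authorized_keys feeds dropbear, but a comment saying so would help. The beginning of `rule_user_root_configure` is outside this hunk.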