X-Git-Url: https://git.cyclocoop.org/?p=lhc%2Fateliers.git;a=blobdiff_plain;f=vm_hosted;h=de2074eda15053350d410afefc9243afacf16abf;hp=4f305bebb8e072f102b1b02542a094d663ee122c;hb=11ad3e26a495747801c9290a1fb7b4537d123ae0;hpb=0c31c835855a6e8d9a03b06361bb707dda0b17a7
diff --git a/vm_hosted b/vm_hosted
index 4f305be..de2074e 100755
--- a/vm_hosted
+++ b/vm_hosted
@@ -35,6 +35,16 @@ rule_git_configure () {
tool=$(cd "$tool"; cd -)
sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/
sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/vm
+ sudo install -m 770 /dev/stdin .git/hooks/post-update <<-EOF
+ #!/bin/sh -efux
+ case \$1 in
+ (refs/remotes/master)
+ cd ..
+ git --git-dir=\$PWD/.git checkout -f -B master remotes/master
+ git --git-dir=\$PWD/.git clean -f -d -
+ ;;
+ esac
+ EOF
)
}
rule_git_reset () {
@@ -107,52 +117,51 @@ rule_apache2_configure () {
for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf
do conf=${conf#"$tool"/etc/apache2/site.d/}
local port site
- IFS=. read -r port site <<-EOF
+ IFS=. read -r port domain <<-EOF
${conf%\/VirtualHost\.conf}
EOF
- assert 'test "${site:+set}"'
assert 'test "${port:+set}"'
- local site_user="$user.$port.$site"
- local site_dir="$user.$port.$site"
+ assert 'test "${domain:+set}"'
+ local site="$port.$domain"
case $port in
(443)
local hint="run vm_remote apache2_key_send before"
- assert "sudo test -f /etc/apache2/site.d/\"$site_dir\"/x509/key.pem" hint
- sudo install -d -m 770 -o "$user" -g "$user" \
+ assert "sudo test -f /etc/apache2/site.d/\"$site\"/x509/key.pem" hint
+ sudo install -d -m 770 -o www."$site" -g www."$site" \
/etc/apache2 \
- /etc/apache2/site.d/"$site_dir" \
- /etc/apache2/site.d/"$site_dir"/x509 \
- /etc/apache2/site.d/"$site_dir"/x509/ca \
- /etc/apache2/site.d/"$site_dir"/x509/empty \
- /etc/apache2/site.d/"$site_dir"/x509/rvk \
- /etc/apache2/site.d/"$site_dir"/x509/usr
+ /etc/apache2/site.d/"$site" \
+ /etc/apache2/site.d/"$site"/x509 \
+ /etc/apache2/site.d/"$site"/x509/ca \
+ /etc/apache2/site.d/"$site"/x509/empty \
+ /etc/apache2/site.d/"$site"/x509/rvk \
+ /etc/apache2/site.d/"$site"/x509/usr
sudo install -m 664 -o www -g www \
- "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
- /etc/apache2/site.d/"$site_dir"/x509/crt.self-signed.pem
- #sudo install -m 664 -o "$user" -g "$user" \
+ "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
+ /etc/apache2/site.d/"$site"/x509/crt.self-signed.pem
+ #sudo install -m 664 -o www."$site" -g www."$site" \
# "$tool"/var/pub/x509/"$site"/rvk.pem \
- # /etc/apache2/site.d/"$site_dir"/x509/rvk.pem
+ # /etc/apache2/site.d/"$site"/x509/rvk.pem
sudo install -m 664 -o www -g www \
"$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \
- /etc/apache2/site.d/"$site_dir"/x509/ca/crt.pem
+ /etc/apache2/site.d/"$site"/x509/ca/crt.pem
sudo install -m 664 -o www -g www \
- "$tool"/var/pub/x509/"$site"/crt.pem \
- /etc/apache2/site.d/"$site_dir"/x509/crt.pem
+ "$tool"/var/pub/x509/"$site"/crt.pem \
+ /etc/apache2/site.d/"$site"/x509/crt.pem
;;
esac
case $port in
(80)
cat <<-EOF
- AssignUserID $site_user $site_user
- CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
+ AssignUserID www.$site www.$site
+ CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined
#CustomLog "/dev/null" Combined
- DocumentRoot /home/www/pub/$site_dir
- ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
+ DocumentRoot /home/www/pub/$site
+ ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60"
#ErrorLog "/dev/null"
- ServerName $site
+ ServerName $domain
LogLevel Warn
- $(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
+ $(cat "$tool"/etc/apache2/site.d/"$site"/VirtualHost.conf)
EOF
;;
@@ -160,26 +169,26 @@ rule_apache2_configure () {
cat <<-EOF
- AssignUserID $site_user $site_user
+ AssignUserID www.$site www.$site
BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
- CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/access/%Y-%m-%d.log 86400 60" Combined
+ CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined
#CustomLog "/dev/null" Combined
- DocumentRoot /home/www/pub/$site_dir
- ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site_dir/apache2/error/%Y-%m-%d.log 86400 60"
+ DocumentRoot /home/www/pub/$site
+ ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60"
#ErrorLog "/dev/null"
LogLevel Warn
- ServerName $site
- SSLCACertificateFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
- SSLCACertificatePath /etc/apache2/site.d/$site_dir/x509/usr/
- #SSLCARevocationFile /etc/apache2/site.d/$site_dir/x509/rvk.pem
- SSLCADNRequestFile /etc/apache2/site.d/$site_dir/x509/crt.self-signed.pem
- SSLCADNRequestPath /etc/apache2/site.d/$site_dir/x509/empty/
+ ServerName $domain
+ SSLCACertificateFile /etc/apache2/site.d/$site/x509/crt.self-signed.pem
+ SSLCACertificatePath /etc/apache2/site.d/$site/x509/usr/
+ #SSLCARevocationFile /etc/apache2/site.d/$site/x509/rvk.pem
+ SSLCADNRequestFile /etc/apache2/site.d/$site/x509/crt.self-signed.pem
+ SSLCADNRequestPath /etc/apache2/site.d/$site/x509/empty/
# NOTE: ne publie pas les certificats dâutilisateur-ice-s acceptés
- SSLCARevocationPath /etc/apache2/site.d/$site_dir/x509/rvk/
- SSLCertificateChainFile /etc/apache2/site.d/$site_dir/x509/ca/crt.pem
- SSLCertificateFile /etc/apache2/site.d/$site_dir/x509/crt.pem
- SSLCertificateKeyFile /etc/apache2/site.d/$site_dir/x509/key.pem
+ SSLCARevocationPath /etc/apache2/site.d/$site/x509/rvk/
+ SSLCertificateChainFile /etc/apache2/site.d/$site/x509/ca/crt.pem
+ SSLCertificateFile /etc/apache2/site.d/$site/x509/crt.pem
+ SSLCertificateKeyFile /etc/apache2/site.d/$site/x509/key.pem
SSLCipherSuite AES+RSA+SHA256
SSLEngine On
SSLInsecureRenegotiation Off
@@ -191,45 +200,45 @@ rule_apache2_configure () {
SSLUserName SSL_CLIENT_S_DN_CN
SSLVerifyClient None
SSLVerifyDepth 1
- $(cat "$tool"/etc/apache2/site.d/"$site_dir"/VirtualHost.conf)
+ $(cat "$tool"/etc/apache2/site.d/"$site"/VirtualHost.conf)
EOF
;;
esac |
sudo install -m 660 -o root -g root /dev/stdin \
- /etc/apache2/site.d/"$site_dir"/VirtualHost.conf
+ /etc/apache2/site.d/"$site"/VirtualHost.conf
sudo ln -fns \
- ../site.d/"$site_dir"/VirtualHost.conf \
- /etc/apache2/sites-available/"$site_dir"
- sudo install -d -m 770 -o "$user" -g "$user" \
- /home/www/log/"$site_dir" \
- /home/www/log/"$site_dir"/apache2
+ ../site.d/"$site"/VirtualHost.conf \
+ /etc/apache2/sites-available/"$site"
+ sudo install -d -m 770 -o www."$site" -g www."$site" \
+ /home/www/log/"$site" \
+ /home/www/log/"$site"/apache2
sudo ln -fns \
- /etc/apache2/site.d/"$site_dir" \
- /home/www/etc/apache2/"$site_dir"
- test -e /home/www/pub/"$site_dir" ||
- sudo install -d -m 770 -o "$user" -g "$user" \
- /home/www/pub/"$site_dir"
- getent passwd "$site_user" >/dev/null ||
+ /etc/apache2/site.d/"$site" \
+ /home/www/etc/apache2/"$site"
+ test -e /home/www/pub/"$site" ||
+ sudo install -d -m 2770 -o www."$site" -g www."$site" \
+ /home/www/pub/"$site"
+ getent passwd www."$site" >/dev/null ||
sudo adduser \
--disabled-password \
--group \
--no-create-home \
- --home /home/www/pub/"$site_dir" \
+ --home /home/www/pub/"$site" \
--shell /bin/false \
--system \
- "$site_user"
- sudo setfacl -m u:"$site_user":--x \
- /home/www/ \
- /home/www/pub/ \
- /home/www/pub/"$site_dir"/
- sudo setfacl -m d:u:"$site_user":rwx \
- "$home"/pub/www/"$site_dir"/
- test ! -r "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh ||
- . "$tool"/etc/apache2/site.d/"$site_dir"/configure.sh
- test -e /etc/apache2/sites-enabled/"$site_dir" ||
- sudo a2ensite "$site_dir"
+ www."$site"
+ #sudo setfacl -m u:"www.$site":--x \
+ # /home/www/ \
+ # /home/www/pub/ \
+ # /home/www/pub/"$site"/
+ #sudo setfacl -m d:u:"www.$site":rwx \
+ # "$home"/pub/www/"$site"/
+ test ! -r "$tool"/etc/apache2/site.d/"$site"/configure.sh ||
+ . "$tool"/etc/apache2/site.d/"$site"/configure.sh
+ test -e /etc/apache2/sites-enabled/"$site" ||
+ sudo a2ensite "$site"
done
sudo service apache2 restart
}
@@ -590,7 +599,7 @@ rule_gitolite_configure () {
rmdir "$home"/etc/gitolite/"$d"
done
rule apt_get_install gitweb highlight
- #sudo sv restart spawn-fcgi.git.80.git.heureux-cyclage.org
+ #sudo sv restart fcgi.git.80.git.heureux-cyclage.org
#sudo sv restart git-daemon.git.9418
}
rule_locales_configure () {
@@ -709,7 +718,14 @@ rule_mail_configure () {
}
rule_mysql_configure () {
rule apt_get_install mysql-server-5.5
- sudo service mysql restart
+ sudo install -m 644 -o root -g root \
+ "$tool"/etc/mysql/my.cnf \
+ /etc/mysql/my.cnf
+ if test ! -d /home/mysql; then
+ sudo install -d -m 750 -o mysql -g mysql \
+ /home/mysql
+ sudo -u mysql mysql_install_db --no-defaults --datadir=/home/mysql/
+ fi
}
rule_network_configure () {
sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
@@ -779,7 +795,7 @@ rule_www_configure () {
sudo install -d -m 750 -o www -g www \
/home/www/etc
sudo install -d -m 1771 -o www-data -g www-data \
- /home/www/pub \
+ /home/www/pub
sudo install -d -m 1771 -o log.www -g log.www \
/home/www/log
}
@@ -809,13 +825,13 @@ rule_nginx_configure () {
done
for conf in "$tool"/etc/nginx/site.d/*/server.conf
do conf=${conf#"$tool"/etc/nginx/site.d/}
- local port site
- IFS=. read -r port site <<-EOF
+ local port domain
+ IFS=. read -r port domain <<-EOF
${conf%\/server\.conf}
EOF
assert 'test "${port:+set}"'
- assert 'test "${site:+set}"'
- site="$port.$site"
+ assert 'test "${domain:+set}"'
+ local site="$port.$domain"
getent passwd www."$site" >/dev/null ||
sudo adduser \
--disabled-login \
@@ -853,7 +869,7 @@ rule_nginx_configure () {
access_log /home/www/log/$site/nginx/access.log main;
error_log /home/www/log/$site/nginx/error.log warn;
root /home/www/pub/$site;
- server_name $site;
+ server_name $domain;
$(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
}
EOF
@@ -866,7 +882,7 @@ rule_nginx_configure () {
error_log /home/www/log/$site/nginx/error.log warn;
keepalive_timeout 70;
root /home/www/pub/$site;
- server_name $site;
+ server_name $domain;
# DOC: http://wiki.nginx.org/HttpSslModule
ssl on;
ssl_certificate /home/www/etc/nginx/site.d/$site/x509/crt.pem;
@@ -882,9 +898,9 @@ rule_nginx_configure () {
esac |
sudo install -m 660 -o www -g www /dev/stdin \
/etc/nginx/site.d/"$site"/server.conf
- adduser www-data "$site"
+ adduser www-data www."$site"
test -e /home/www/pub/"$site" ||
- sudo install -d -m 3770 -o "$site" -g "$site" \
+ sudo install -d -m 3770 -o www."$site" -g www."$site" \
/home/www/pub/"$site"
sudo install -d -m 3770 -o log."$site" -g log."$site" \
/home/www/log/"$site"/nginx
@@ -916,14 +932,14 @@ rule_php5_fpm_configure () {
sudo rm -f /etc/php5/fpm/pool.d/*
for conf in "$tool"/etc/php5/fpm/pool.d/*.conf
do conf=${conf#"$tool"/etc/php5/fpm/pool.d/}
- local port site
- IFS=. read -r port site <<-EOF
+ local port domain
+ IFS=. read -r port domain <<-EOF
${conf%\.conf}
EOF
assert 'test "${port:+set}"'
- assert 'test "${site:+set}"'
- site="$port.$site"
- getent passwd php5"$site" >/dev/null ||
+ assert 'test "${domain:+set}"'
+ local site="$port.$domain"
+ getent passwd php5."$site" >/dev/null ||
sudo adduser \
--disabled-login \
--disabled-password \
@@ -938,7 +954,7 @@ rule_php5_fpm_configure () {
/home/www/log/php5/fpm
sudo install -d -m 770 -o log."$site" -g log."$site" \
/home/www/log/"$site"
- sudo adduser php5."$user" www."$site"
+ sudo adduser php5."$site" www."$site"
sudo install -m 660 -o root -g root /dev/stdin \
/etc/php5/fpm/pool.d/"$conf" <<-EOF
[php5.$site]
@@ -987,15 +1003,8 @@ rule_postfix_configure () {
sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
*.db
EOF
- sudo install -d -m 770 -o root -g root \
- /etc/postfix/$vm_domainname/ \
- /etc/postfix/$vm_domainname/smtp \
- /etc/postfix/$vm_domainname/smtp/x509 \
- /etc/postfix/$vm_domainname/smtp/x509/ca \
- /etc/postfix/$vm_domainname/smtpd \
- /etc/postfix/$vm_domainname/smtpd/x509 \
- /etc/postfix/$vm_domainname/smtpd/x509/ca
- sudo install -d -m 770 -o root -g root \
+ sudo install -d -m 771 -o root -g root \
+ /etc/postfix/ \
/etc/postfix/$vm_domainname/ \
/etc/postfix/$vm_domainname/smtp \
/etc/postfix/$vm_domainname/smtp/x509 \
@@ -1007,17 +1016,17 @@ rule_postfix_configure () {
../crt+crl.self-signed.pem \
/etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+crl.self-signed.pem \
- /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
+ "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \
+ /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/$vm_domainname/smtpd/crt.pem \
- /etc/postfix/$vm_domainname/smtpd/x509/crt.pem
+ "$tool"/var/pub/x509/smtpd.$vm_domainname/crt.pem \
+ /etc/postfix/$vm_domainname/smtpd/x509/crt.pem
sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+ca.pem \
- /etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem
+ "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+ca.pem \
+ /etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem
sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/$vm_domainname/smtpd/crt+crl.self-signed.pem \
- /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
+ "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \
+ /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
sudo install -m 660 -o root -g root \
"$tool"/etc/postfix/$vm_domainname/header_checks \
/etc/postfix/$vm_domainname/header_checks
@@ -1027,6 +1036,7 @@ rule_postfix_configure () {
abuse: root
admin: root
contact: root
+ mailer-daemon: root
postmaster: root
root: $(getent group sudo | cut -f 4 -d : | tr , ' ')
EOF
@@ -1074,6 +1084,12 @@ rule_postfix_configure () {
}
rule_postgresql_configure () {
rule apt_get_install postgresql-9.1
+ if [ ! -d /var/lib/postgresql/9.1/ ]; then
+ pg_createcluster -u postgres --start 9.1 main
+ fi
+ sudo install -m 660 -o root -g root \
+ "$tool"/etc/postgresql/9.1/main/postgresql.conf \
+ /etc/postgresql/9.1/main/postgresql.conf
sudo service postgresql restart
}
rule_openerp_configure () {
@@ -1122,6 +1138,7 @@ rule_runit_configure () {
"$tool"/etc/sv/"$sv"/configure
then
ln -fns ../sv/"$sv" /etc/service/"$sv"
+ test ! -e /etc/sv/"$sv"/supervise/ok ||
sv restart "$sv"
fi
done
@@ -1261,28 +1278,6 @@ rule_user_configure () {
USERGROUPS=yes
USERS_GID=100
EOF
- }
-rule_user_admin_add () { # SYNTAX: $user
- rule user_configure
- local user=$1
- getent passwd "$user" >/dev/null ||
- sudo adduser --disabled-password "$user"
- eval local home\; home="~$user"
- sudo adduser "$user" sudo
- sudo install -m 640 -o root -g root \
- "$tool"/var/pub/ssh/"$user".key \
- "$home"/etc/ssh/authorized_keys
- local key; local -; set +f
- for key in "$tool"/var/pub/openpgp/*.key
- do sudo -u "$user" gpg --import - <"$key"
- done
- rule user_admin_configure
- }
-rule_user_admin_configure () {
- rule initramfs_configure
- rule user_root_configure
- }
-rule_user_configure () {
sudo install -d -m 750 -o root -g root \
/etc/skel \
/etc/skel/etc \
@@ -1326,6 +1321,26 @@ rule_user_configure () {
"$tool"/etc/screenrc \
/etc/screenrc
}
+rule_user_admin_add () { # SYNTAX: $user
+ rule user_configure
+ local user=$1
+ getent passwd "$user" >/dev/null ||
+ sudo adduser --disabled-password "$user"
+ eval local home\; home="~$user"
+ sudo adduser "$user" sudo
+ sudo install -m 640 -o root -g root \
+ "$tool"/var/pub/ssh/"$user".key \
+ "$home"/etc/ssh/authorized_keys
+ local key; local -; set +f
+ for key in "$tool"/var/pub/openpgp/*.key
+ do sudo -u "$user" gpg --import - <"$key"
+ done
+ rule user_admin_configure
+ }
+rule_user_admin_configure () {
+ rule initramfs_configure
+ rule user_root_configure
+ }
rule_user_root_configure () {
sudo install -d -m 750 -o root -g root \
/root/etc \