X-Git-Url: https://git.cyclocoop.org/?p=lhc%2Fateliers.git;a=blobdiff_plain;f=vm_hosted;h=e8fd3c42909bcc06e03636a3f32d90e775e2cacb;hp=806face80c33782428bb66ae39800331869908fb;hb=80909c24d0e4ca5061f3379852ac07b296760883;hpb=1410e40e1a425d3eb7e080180e3733dc30b586c2
diff --git a/vm_hosted b/vm_hosted
index 806face..e8fd3c4 100755
--- a/vm_hosted
+++ b/vm_hosted
@@ -727,22 +727,31 @@ rule_mysql_configure () {
 /etc/mysql/my.cnf
 sudo install -d -m 751 -o mysql -g mysql \
 /home/mysql
+ sudo rm -rf /etc/mysql
+ sudo install -d -m 750 -o mysql -g mysql \
+ /etc/mysql \
+ /home/mysql/etc
+ sudo ln -fns \
+ /etc/mysql \
+ /home/mysql/etc/mysql
 if sudo test ! -d /home/mysql/data
 then
 sudo install -d -m 750 -o mysql -g mysql-data \
 /home/mysql/data
 sudo -u mysql mysql_install_db \
- --no-defaults \
- --datadir=/home/mysql/data
+ --datadir=/home/mysql/data \
+ --no-defaults
 fi
 sudo service tmpfs restart
+ sudo insserv -r mysql
 case $(sudo sv status mysql || true) in
 (''|run:*|*"s, normally up;"*)
 sudo sv restart mysql
 case $(sudo inotifywait -e create -- /run/mysqld/sock/) in
 ("/run/mysqld/sock/ CREATE mysql")
 # NOTE:
- # - ajoute l'accès par socket Unix à root
+ # - ajoute l'accès par socket Unix à mysql
+ # - ajoute les droits de super-utilisateur à mysql
 # - supprime l'accès par mot-de-passe à root
 # - supprime les bases de données de l'utilisateurice anonyme
 # - supprime l'utilisateurice anonyme
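Review bot: The added `sudo rm -rf /etc/mysql` runs right after the context line ending in `/etc/mysql/my.cnf`, which looks like the destination of an install performed just above this hunk; if so, the configuration file written there is deleted and only an empty 750 directory is left, so the wipe-and-recreate should precede that install (or the `rm` should be dropped, since `install -d` already creates the directory). The `mysql_install_db` reordering moves `--no-defaults` behind `--datadir`; the MySQL/MariaDB tools generally honour that option only as the first argument, so it is worth confirming the script variant installed here still accepts it in the new position before relying on it. rule_mysql_configure's body starts before this hunk and continues past it.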
@@ -753,8 +762,8 @@ rule_mysql_configure () {
 # DELETE FROM mysql.user WHERE user = 'root' AND host NOT IN ('localhost', '127.0.0.1', '::1');
 sudo mysql -u root --batch --verbose <<-EOF
 DELETE FROM mysql.user WHERE user = 'root' and plugin = '';
- GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED WITH auth_socket;
- UPDATE mysql.user SET grant_priv='Y',super_priv='Y' WHERE user='root';
+ GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' IDENTIFIED WITH auth_socket;
+ UPDATE mysql.user SET grant_priv='Y',super_priv='Y' WHERE user='mysql';
 DELETE FROM mysql.db WHERE user = '';
 DELETE FROM mysql.user WHERE user = '';
 FLUSH PRIVILEGES;
@@ -764,7 +773,7 @@ rule_mysql_configure () {
 esac
 }
 rule_mysql_db_add () { # SYNTAX: $user $db
- sudo mysql --batch -u root <<-EOF
+ sudo -u mysql mysql --batch <<-EOF
 DROP DATABASE IF EXISTS $db;
 CREATE DATABASE $db CHARACTER SET utf8 COLLATE utf8_general_ci;
 GRANT ALL PRIVILEGES ON $base.* TO '$user'@'localhost' IDENTIFIED WITH auth_socket;
@@ -772,8 +781,10 @@ rule_mysql_db_add () { # SYNTAX: $user $db
 EOF
 }
 rule_mysql_user_add () { # SYNTAX: $user
- sudo mysql --batch -u root <<-EOF
+ sudo mysql -u mysql --batch <<-EOF || true
 DROP USER '$user'@'localhost';
+ EOF
+ sudo mysql -u mysql --batch <<-EOF
 CREATE USER '$user'@'localhost' IDENTIFIED WITH auth_socket;
 EOF
 }
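Review bot: Now that the GRANT creates `'mysql'@'localhost'` instead of re-creating root, the preceding `DELETE FROM mysql.user WHERE user = 'root' and plugin = ''` presumably leaves no root row at all on a fresh install (the rows mysql_install_db seeds carry an empty plugin), so the `sudo mysql -u root` client on the context line above it authenticates only on the first run and any re-run of rule_mysql_configure is locked out of this block. Either keep a `root@localhost` row with auth_socket as the old code did, or guard the block so it only runs on first installation. The NOTE comment in the previous hunk still says root's password access is removed; with this change root is removed entirely and the comment should say so. rule_mysql_configure starts before this hunk.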
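Review bot: The GRANT line of rule_mysql_db_add still interpolates `$base`, a variable this rule's `# SYNTAX: $user $db` comment never declares; with it unset the statement becomes `GRANT ALL PRIVILEGES ON .* ...`, a syntax error, and because `mysql --batch` stops at the first failing statement the caller ends up with a database but no grant. It should read `GRANT ALL PRIVILEGES ON $db.* TO '$user'@'localhost' IDENTIFIED WITH auth_socket;`. The new connection line `sudo -u mysql mysql --batch` is the right form for auth_socket, which matches the OS user of the client process rather than the `-u` name, and deserves a one-line comment to that effect since the next hunk uses a different form. The heredoc continues past this hunk.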
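Review bot: `sudo mysql -u mysql --batch` runs the client as OS user root while asking for the MySQL account `mysql`; auth_socket compares the requested MySQL user with the OS user behind the socket, so this authentication is refused, the `|| true` on the first heredoc hides that failure and the second heredoc fails outright. Both lines should use the form the previous hunk introduced, `sudo -u mysql mysql --batch <<-EOF`. Keep `|| true` only on the DROP USER step and annotate why it is tolerated, e.g. `# DROP USER has no IF EXISTS here; a missing user is expected on first run and ignored on purpose`, so a genuine connection or permission error is not silently masked together with it.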
@@ -1144,14 +1155,117 @@ rule_postfix_configure () {
 sudo service postfix restart
 }
 rule_postgresql_configure () {
+ # DOC: http://wiki.postgresql.org/wiki/Shared_Database_Hosting
 rule apt_get_install postgresql-9.1
- if [ ! -d /var/lib/postgresql/9.1/ ]; then
- pg_createcluster -u postgres --start 9.1 main
- fi
- sudo install -m 660 -o root -g root \
- "$tool"/etc/postgresql/9.1/main/postgresql.conf \
- /etc/postgresql/9.1/main/postgresql.conf
- sudo service postgresql restart
+ rule adduser postgres \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/postgresql \
+ --shell /bin/false \
+ --system
+ rule adduser postgres-data \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/postgresql/data \
+ --no-create-home \
+ --shell /bin/false \
+ --system
+ sudo usermod --home /home/postgresql postgres
+ sudo adduser postgres postgres-data
+ sudo rm -rf \
+ /etc/postgresql
+ sudo install -d -m 750 -o postgres -g postgres \
+ /home/postgresql \
+ /home/postgresql/etc \
+ /etc/postgresql \
+ /etc/postgresql/9.1 \
+ /etc/postgresql/9.1/main
+ sudo ln -fns \
+ /etc/postgresql \
+ /home/postgresql/etc/postgresql
+ sudo install -d -m 751 -o postgres -g postgres \
+ /home/postgresql/log \
+ /home/postgresql/log/9.1
+ sudo service tmpfs restart
+ if sudo test ! -d /home/postgresql/data
+ then
+ sudo install -d -m 750 -o postgres -g postgres \
+ /home/postgresql/data
+ (
+ cd /
+ sudo -u postgres pg_createcluster \
+ --datadir=/home/postgresql/data \
+ --logfile=/home/postgresql/log/9.1/main \
+ --socketdir=/run/postgresql/sock \
+ --start 9.1 main
+ )
+ fi
+ sudo install -m 770 -o postgres -g postgres /dev/stdin \
+ /etc/postgresql/9.1/main/pg_hba.conf <<-EOF
+ local all postgres peer
+ local all all peer
+ EOF
+ sudo install -m 660 -o postgres -g postgres \
+ "$tool"/etc/postgresql/9.1/main/postgresql.conf \
+ /etc/postgresql/9.1/main/postgresql.conf
+ sudo insserv -r postgresql
+ case $(sudo sv status postgres || true) in
+ (''|run:*|*"s, normally up;"*)
+ sudo sv restart postgres
+ (
+ cd /
+ case $(sudo inotifywait -e create -- /run/postgresql/sock/) in
+ ("/run/postgresql/sock/ CREATE .s.PGSQL."*)
+ # NOTE:
+ # - supprime l'accès au schéma public depuis public,
+ # de sorte à ce que les différents utilisateurices
+ # ne voient pas leurs bases de données entre-elleux ;
+ # - ajoute le support de PL/PGSQL
+ sudo -u postgres psql template1 -f - <<-EOF
+ REVOKE ALL ON DATABASE template1 FROM public;
+ REVOKE ALL ON SCHEMA public FROM public;
+ GRANT ALL ON SCHEMA public TO postgres;
+ CREATE LANGUAGE plpgsql;
+ EOF
+ # NOTE:
+ # - supprime l'accès à la liste des bases données
+ # et utilisateurices depuis public.
+ sudo -u postgres psql template1 -f - <<-EOF
+ REVOKE ALL ON pg_auth_members FROM public;
+ REVOKE ALL ON pg_authid FROM public;
+ REVOKE ALL ON pg_database FROM public;
+ REVOKE ALL ON pg_group FROM public;
+ REVOKE ALL ON pg_roles FROM public;
+ REVOKE ALL ON pg_settings FROM public;
+ REVOKE ALL ON pg_tablespace FROM public;
+ REVOKE ALL ON pg_user FROM public;
+ EOF
+ ;;
+ esac
+ )
+ ;;
+ esac
+ }
+rule_postgresql_db_add () { # SYNTAX: $db $db_user
+ local db="$1" db_user="$2"
+ sudo -u postgresql psql template1 -f - <<-EOF
+ CREATE ROLE $db NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT NOLOGIN;
+ CREATE ROLE $db_user NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT LOGIN ENCRYPTED;
+ GRANT $db TO $db_user;
+ CREATE DATABASE $db WITH OWNER=$db_user;
+ REVOKE ALL ON DATABASE $db FROM public;
+ EOF
+ }
+rule_postgresql_db_user_add () { # SYNTAX: $db $user
+ local db="$1" user="$2"
+ sudo -u postgresql psql template1 -f - <<-EOF
+ CREATE ROLE $user NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT LOGIN ENCRYPTED;
+ GRANT USAGE ON SCHEMA public TO $user;
+ GRANT CONNECT,TEMPORARY ON DATABASE $db TO $user;
+ GRANT $db TO $user;
+ EOF
 }
 rule_openerp_configure () {
 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
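Review bot: rule_postgresql_db_add and rule_postgresql_db_user_add run `sudo -u postgresql psql`, but the OS account created and used everywhere else in this hunk is `postgres`, so both new rules fail with an unknown-user error before any SQL is sent; the line should be `sudo -u postgres psql -v ON_ERROR_STOP=1 template1 -f - <<-EOF`, and the same `-v ON_ERROR_STOP=1` belongs on the two psql calls in rule_postgresql_configure, because without it psql exits 0 even when a REVOKE or CREATE ROLE fails and the hardening silently does not happen. In those heredocs `LOGIN ENCRYPTED` is not valid on its own, `ENCRYPTED` being only a qualifier of `PASSWORD`; with pg_hba.conf restricted to peer authentication no password is involved, so drop the word. pg_hba.conf is written with `install -m 770`, i.e. group-writable and executable for the file that defines who may authenticate; `-m 640` is sufficient for the server to read it.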