Correction : vm_{hosted,remote} : chemins et noms.
authorJulien Moutinho <julm+burette@autogeree.net>
Wed, 20 Mar 2013 15:59:31 +0000 (16:59 +0100)
committerJulien Moutinho <julm+burette@autogeree.net>
Thu, 21 Mar 2013 03:11:15 +0000 (04:11 +0100)
38 files changed:
etc/init.d/tmpfs
etc/nginx/conf.d/ssl.conf [new file with mode: 0644]
etc/nginx/site.d/443.git.heureux-cyclage.org/configure.sh [deleted file]
etc/nginx/site.d/443.git.heureux-cyclage.org/server.conf [deleted symlink]
etc/nginx/site.d/443.www.heureux-cyclage.org/configure.sh [deleted file]
etc/nginx/site.d/443.www.heureux-cyclage.org/server.conf [deleted symlink]
etc/nginx/site.d/80.git.heureux-cyclage.org/server.conf [deleted file]
etc/nginx/site.d/80.www.heureux-cyclage.org/server.conf [deleted file]
etc/nginx/site.d/lhc-git-tls/configure.sh [new file with mode: 0644]
etc/nginx/site.d/lhc-git-tls/key_send [new file with mode: 0644]
etc/nginx/site.d/lhc-git-tls/listen.conf [new file with mode: 0644]
etc/nginx/site.d/lhc-git-tls/server.conf [new file with mode: 0644]
etc/nginx/site.d/lhc-git/configure.sh [new file with mode: 0644]
etc/nginx/site.d/lhc-git/listen.conf [new file with mode: 0644]
etc/nginx/site.d/lhc-git/server.conf [new file with mode: 0644]
etc/nginx/site.d/lhc-www-tls/configure.sh [new file with mode: 0644]
etc/nginx/site.d/lhc-www-tls/key_send [new file with mode: 0644]
etc/nginx/site.d/lhc-www-tls/listen.conf [new file with mode: 0644]
etc/nginx/site.d/lhc-www-tls/server.conf [new file with mode: 0644]
etc/nginx/site.d/lhc-www/configure.sh [new file with mode: 0644]
etc/nginx/site.d/lhc-www/listen.conf [new file with mode: 0644]
etc/nginx/site.d/lhc-www/server.conf [new file with mode: 0644]
etc/php5/fpm/php-fpm.conf
etc/php5/fpm/php.ini
etc/php5/fpm/pool.d/hc.443.www.heureux-cyclage.org.conf [deleted symlink]
etc/php5/fpm/pool.d/hc.80.www.heureux-cyclage.org.conf [deleted file]
etc/php5/fpm/pool.d/lhc-git.conf [new file with mode: 0644]
etc/php5/fpm/pool.d/lhc-www.conf [new file with mode: 0644]
etc/sv/fcgi.80.git.heureux-cyclage.org/configure [deleted file]
etc/sv/fcgi.80.git.heureux-cyclage.org/run [deleted file]
etc/sv/git-daemon/configure
etc/sv/mysql.3306/run [deleted file]
etc/sv/mysql/run [new file with mode: 0755]
etc/sv/nginx/configure [new file with mode: 0755]
etc/sv/nginx/log/run [new file with mode: 0644]
etc/sv/nginx/run [new file with mode: 0755]
vm_hosted
vm_remote

index 3a9915c..fff6f88 100755 (executable)
@@ -27,19 +27,27 @@ do_start() {
                if mountpoint -q /run/shm &&
                        test -f /run/shm/.tmpfs
                 then
+                       set -x
                        sudo install -d -m 1777 -o root -g root \
-                        /run/shm/cache
+                        /run/shm/cache \
+                        /run/shm/tmp
                        
-                       ! getent passwd www-data ||
-                       sudo install -d -m 660 -o www-data -g www-data \
+                       ! getent passwd www-data >/dev/null ||
+                       sudo install -d -m 770 -o www-data -g www-data \
                         /run/shm/cache/nginx \
                         /run/shm/cache/nginx/fastcgi \
                         /run/shm/cache/nginx/client_body
                        
-                       ! getent passwd php5 ||
-                       sudo install -d -m 1667 -o php5 -g php5 \
+                       ! getent passwd php5 >/dev/null ||
+                       sudo install -d -m 1771 -o php5 -g php5 \
+                        /run/php5 \
+                        /run/php5/fpm \
                         /run/shm/cache/php5 \
                         /run/shm/cache/php5/fpm
+                       
+                       ! getent passwd gitweb >/dev/null ||
+                       sudo install -d -m 770 -o gitweb -g gitweb \
+                        /run/tmp/gitweb
                 fi
                
                ES=$?
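Review bot: The last directory added, `/run/tmp/gitweb`, lives under `/run/tmp`, while the tmpfs directory this same hunk creates a few lines earlier is `/run/shm/tmp`; one of the two paths looks mistyped, and because `install -d` silently creates missing parent components, a real `/run/tmp` would be created outside the tmpfs instead of failing loudly. Either the gitweb line should become `sudo install -d -m 770 -o gitweb -g gitweb /run/shm/tmp/gitweb` or the earlier `/run/shm/tmp` should change to match, whichever is intended. The `set -x` added at the top of the stanza traces every command to the init script's output on each boot and reads like leftover debugging. do_start starts and ends outside this hunk.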
diff --git a/etc/nginx/conf.d/ssl.conf b/etc/nginx/conf.d/ssl.conf
new file mode 100644 (file)
index 0000000..68c3dd8
--- /dev/null
@@ -0,0 +1,7 @@
+# DOC: http://wiki.nginx.org/HttpSslModule
+keepalive_timeout 70;
+ssl on;
+ssl_ciphers HIGH:!ADH:!MD5;
+ssl_prefer_server_ciphers on;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_session_cache shared:SSL:10m;
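Review bot: `ssl_ciphers HIGH:!ADH:!MD5;` excludes only anonymous DH, so anonymous ECDH suites (AECDH) and any other unauthenticated suite the linked OpenSSL places in HIGH remain negotiable, which permits a session with no server authentication at all. The conventional keyword for this is `!aNULL`, which covers every unauthenticated key exchange, e.g. `ssl_ciphers HIGH:!aNULL:!eNULL:!MD5;`. Whether AECDH is actually offered depends on the OpenSSL build nginx links against, so it is worth confirming with `openssl ciphers -v 'HIGH:!ADH:!MD5'` on the target host.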
diff --git a/etc/nginx/site.d/443.git.heureux-cyclage.org/configure.sh b/etc/nginx/site.d/443.git.heureux-cyclage.org/configure.sh
deleted file mode 100644 (file)
index 9cbda68..0000000
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-set -e -f -u
-sudo rmdir "$home"/pub/www/"$site_dir" || true
-sudo ln -fns "$service.$site.80" "$home"/pub/www/"$site_dir"
diff --git a/etc/nginx/site.d/443.git.heureux-cyclage.org/server.conf b/etc/nginx/site.d/443.git.heureux-cyclage.org/server.conf
deleted file mode 120000 (symlink)
index 0abf0a1..0000000
+++ /dev/null
@@ -1 +0,0 @@
-../80.git.heureux-cyclage.org/server.conf
\ No newline at end of file
diff --git a/etc/nginx/site.d/443.www.heureux-cyclage.org/configure.sh b/etc/nginx/site.d/443.www.heureux-cyclage.org/configure.sh
deleted file mode 100644 (file)
index 9cbda68..0000000
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-set -e -f -u
-sudo rmdir "$home"/pub/www/"$site_dir" || true
-sudo ln -fns "$service.$site.80" "$home"/pub/www/"$site_dir"
diff --git a/etc/nginx/site.d/443.www.heureux-cyclage.org/server.conf b/etc/nginx/site.d/443.www.heureux-cyclage.org/server.conf
deleted file mode 120000 (symlink)
index 041e55c..0000000
+++ /dev/null
@@ -1 +0,0 @@
-../80.www.heureux-cyclage.org/server.conf
\ No newline at end of file
diff --git a/etc/nginx/site.d/80.git.heureux-cyclage.org/server.conf b/etc/nginx/site.d/80.git.heureux-cyclage.org/server.conf
deleted file mode 100644 (file)
index 410304f..0000000
+++ /dev/null
@@ -1,67 +0,0 @@
-client_body_buffer_size 8k;
-client_max_body_size 10m;
-location / {
-       index index.html index.htm index.php;
- }
-location ~* ^.+.(css|gif|html|ico|jpeg|js|jpg|png|txt|xml)$ {
-       access_log off;
-       expires 30d;
-       log_not_found off;
- }
-location ~ /\. {
-       access_log off;
-       deny all;
-       log_not_found off;
- }
-location ~ ^.*\.git/objects/([0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx)) {
- # NOTE: static repo files for cloning over HTTP
-       root /home/git/repositories/;
- }
-location ~ ^.*\.git/(HEAD|info/refs|objects/info/.*|git-(upload|receive)-pack)$ {
- # NOTE: requests that need to go to git-http-backend
-       root /home/git/pub/git
-       fastcgi_param GIT_HTTP_EXPORT_ALL "";
-       fastcgi_param GIT_PROJECT_ROOT /home/git/pub/git;
-       fastcgi_param PATH_INFO $uri;
-       fastcgi_param REMOTE_USER $remote_user;
-       fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
- }
-location @gitweb {
-       include /etc/nginx/conf.d/fastcgi.conf;
-       set $no_cache "";
-       if ($request_method !~ ^(GET|HEAD)$) {
-        # NOTE: if non GET/HEAD, don't cache and mark user as uncacheable for 1 second via cookie.
-               set $no_cache "1";
-        }
-       if ($no_cache = "1") {
-        # NOTE: drop no cache cookie if need be (for some reason, add_header fails if included in prior if-block).
-               add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/";
-               add_header X-Microcachable "0";
-        }
-       if ($http_cookie ~* "_mcnc") {
-        # NOTE: bypass cache if no-cache cookie is set.
-               set $no_cache "1";
-        }
-       fastcgi_cache_bypass $no_cache;
-       fastcgi_cache_use_stale updating;
-       fastcgi_cache_valid 200 10s;
-       fastcgi_cache_valid 404 30m;
-       fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
-       fastcgi_max_temp_file_size 2M;
-       fastcgi_no_cache $no_cache;
-       fastcgi_param GITWEB_CONFIG /etc/gitweb/gitweb.conf;
-       fastcgi_param PATH_INFO $uri;
-       fastcgi_param SCRIPT_FILENAME /usr/share/gitweb/gitweb.cgi;
-       
-       fastcgi_pass_header Cookie;
-       fastcgi_pass_header Set-Cookie;
-       fastcgi_split_path_info ^(.+\.php)(/.+)$;
-       
-       fastcgi_pass unix:/run/nginx/fastcgi/fcgi.git.80.git.heureux-cyclage.org;
- }
-root /usr/share/gitweb;
-ssl_session_timeout 5m;
-try_files $uri @gitweb;
- # NOTE: send anything else to gitweb if it's not a real file
-
-# vim: ft=sh
diff --git a/etc/nginx/site.d/80.www.heureux-cyclage.org/server.conf b/etc/nginx/site.d/80.www.heureux-cyclage.org/server.conf
deleted file mode 100644 (file)
index 89edfa0..0000000
+++ /dev/null
@@ -1,47 +0,0 @@
-client_body_buffer_size 8k;
-client_max_body_size 10m;
-location / {
-       index index.html index.htm index.php;
- }
-location ~* ^.+.(css|gif|html|ico|jpeg|js|jpg|png|txt|xml)$ {
-       access_log off;
-       expires 30d;
-       log_not_found off;
- }
-location ~ /\. {
-       access_log off;
-       deny all;
-       log_not_found off;
- }
-location ~ \.php$ {
-       include /etc/nginx/conf.d/fastcgi.conf;
-       set $no_cache "";
-       if ($request_method !~ ^(GET|HEAD)$) {
-        # NOTE: if non GET/HEAD, don't cache and mark user as uncacheable for 1 second via cookie.
-               set $no_cache "1";
-        }
-       if ($no_cache = "1") {
-        # NOTE: drop no cache cookie if need be (for some reason, add_header fails if included in prior if-block).
-               add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/";
-               add_header X-Microcachable "0";
-        }
-       if ($http_cookie ~* "_mcnc") {
-        # NOTE: bypass cache if no-cache cookie is set
-               set $no_cache "1";
-        }
-       fastcgi_cache_bypass $no_cache;
-       fastcgi_cache_use_stale updating;
-       fastcgi_cache_valid 200 10s;
-       fastcgi_cache_valid 404 30m;
-       fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
-       fastcgi_max_temp_file_size 2M;
-       fastcgi_no_cache $no_cache;
-       fastcgi_pass_header Cookie;
-       fastcgi_pass_header Set-Cookie;
-       fastcgi_split_path_info ^(.+\.php)(/.+)$;
-       
-       fastcgi_pass unix:/run/nginx/fastcgi/php5-fpm.hc.80.www.heureux-cyclage.org;
- }
-server_name www.heureux-cyclage.org heureux-cyclage.org;
-
-# vim: ft=sh
diff --git a/etc/nginx/site.d/lhc-git-tls/configure.sh b/etc/nginx/site.d/lhc-git-tls/configure.sh
new file mode 100644 (file)
index 0000000..88f45be
--- /dev/null
@@ -0,0 +1,10 @@
+#!/bin/sh
+set -e -f -u -x
+local hint="run vm_remote nginx_key_send before"
+assert "sudo test -f /etc/nginx/x509.d/\"$site\"/key.pem" hint
+sudo install -m 664 -o www -g www \
+ "$tool"/var/pub/x509/git.heureux-cyclage.org/crt+ca.pem \
+ /etc/nginx/x509.d/"$site"/crt.pem
+
+sudo rmdir ~www-data/"$site" || true
+sudo ln -fns "${site%-tls}" ~www-data/"$site"
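Review bot: `set -e -f -u -x` on the second line changes the shell options of whoever sources this file: the file-scope `local` only works when the script is run with `.` from inside a function (the apache2 counterpart is sourced that way at the end of rule_apache2_configure in vm_hosted), and in that case `-f` disables globbing and `-x` enables tracing for the remainder of the caller, including any later `for conf in .../*/...` loop. If sourcing is the intended use, the shebang and `set` line should be dropped, or the work confined to a subshell. The `install` line also hard-codes `git.heureux-cyclage.org`, duplicating the content of the sibling `key_send` file; deriving the domain from `key_send` (or from `$site`) would keep the two from drifting. The same two points apply to etc/nginx/site.d/lhc-www-tls/configure.sh.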
diff --git a/etc/nginx/site.d/lhc-git-tls/key_send b/etc/nginx/site.d/lhc-git-tls/key_send
new file mode 100644 (file)
index 0000000..09b542c
--- /dev/null
@@ -0,0 +1 @@
+git.heureux-cyclage.org
diff --git a/etc/nginx/site.d/lhc-git-tls/listen.conf b/etc/nginx/site.d/lhc-git-tls/listen.conf
new file mode 100644 (file)
index 0000000..2c4d6f6
--- /dev/null
@@ -0,0 +1 @@
+listen 443;
diff --git a/etc/nginx/site.d/lhc-git-tls/server.conf b/etc/nginx/site.d/lhc-git-tls/server.conf
new file mode 100644 (file)
index 0000000..1426dea
--- /dev/null
@@ -0,0 +1,2 @@
+include /etc/nginx/conf.d/ssl.conf;
+include /etc/nginx/site.d/lhc-git-tls/server.conf;
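Review bot: The second line includes `/etc/nginx/site.d/lhc-git-tls/server.conf`, which is this file's own path, so nginx would include the file into itself recursively; the intended target is presumably the plain-HTTP sibling that the `-tls` naming scheme points at, i.e. `include /etc/nginx/site.d/lhc-git/server.conf;`. The same self-include appears in etc/nginx/site.d/lhc-www-tls/server.conf, where it should read `include /etc/nginx/site.d/lhc-www/server.conf;`. This assumes the files are installed under /etc/nginx/site.d with these names; the install step is not part of the shown hunks.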
diff --git a/etc/nginx/site.d/lhc-git/configure.sh b/etc/nginx/site.d/lhc-git/configure.sh
new file mode 100644 (file)
index 0000000..f37b180
--- /dev/null
@@ -0,0 +1,2 @@
+sudo adduser php5-gitweb     www-"$site"
+sudo adduser www-"$site"-tls www-"$site"
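Review bot: Both lines add users (`php5-gitweb`, `www-$site-tls`) to the `www-$site` group, but nothing in this diff creates those users before this file runs; if the nginx site loop mirrors the apache2 one in vm_hosted, where `rule adduser www-"$site"` runs immediately before the site's configure.sh is sourced, then `www-lhc-git-tls` only exists once the loop reaches the later `lhc-git-tls` entry, and the second `adduser` here fails on a fresh host. Creating the users up front, or performing these group memberships from the `-tls` site's configure.sh (which runs after both users exist), removes the ordering dependency. The same applies to etc/nginx/site.d/lhc-www/configure.sh. This is inferred; the nginx site loop is not in the shown hunks.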
diff --git a/etc/nginx/site.d/lhc-git/listen.conf b/etc/nginx/site.d/lhc-git/listen.conf
new file mode 100644 (file)
index 0000000..56b9f1c
--- /dev/null
@@ -0,0 +1 @@
+listen 80;
diff --git a/etc/nginx/site.d/lhc-git/server.conf b/etc/nginx/site.d/lhc-git/server.conf
new file mode 100644 (file)
index 0000000..49cbac3
--- /dev/null
@@ -0,0 +1,68 @@
+client_body_buffer_size 8k;
+client_max_body_size 10m;
+location / {
+       index index.html index.htm index.php;
+       root /usr/share/gitweb;
+ }
+location ~* ^.+.(css|gif|html|ico|jpeg|js|jpg|png|txt|xml)$ {
+       access_log off;
+       expires 30d;
+       log_not_found off;
+ }
+location ~ /\. {
+       access_log off;
+       deny all;
+       log_not_found off;
+ }
+location ~ ^.*\.git/objects/([0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx)) {
+ # NOTE: static repo files for cloning over HTTP
+       root /home/git/pub;
+ }
+location ~ ^.*\.git/(HEAD|info/refs|objects/info/.*|git-(upload|receive)-pack)$ {
+ # NOTE: requests that need to go to git-http-backend
+       root /home/git/pub;
+       fastcgi_param GIT_HTTP_EXPORT_ALL "";
+       fastcgi_param GIT_PROJECT_ROOT /home/git/pub/git;
+       fastcgi_param PATH_INFO $uri;
+       fastcgi_param REMOTE_USER $remote_user;
+       fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
+ }
+location @gitweb {
+       include /etc/nginx/conf.d/fastcgi.conf;
+       set $no_cache "";
+       if ($request_method !~ ^(GET|HEAD)$) {
+        # NOTE: if non GET/HEAD, don't cache and mark user as uncacheable for 1 second via cookie.
+               set $no_cache "1";
+        }
+       if ($no_cache = "1") {
+        # NOTE: drop no cache cookie if need be (for some reason, add_header fails if included in prior if-block).
+               add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/";
+               add_header X-Microcachable "0";
+        }
+       if ($http_cookie ~* "_mcnc") {
+        # NOTE: bypass cache if no-cache cookie is set.
+               set $no_cache "1";
+        }
+       fastcgi_cache_bypass $no_cache;
+       fastcgi_cache_use_stale updating;
+       fastcgi_cache_valid 200 10s;
+       fastcgi_cache_valid 404 30m;
+       fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
+       fastcgi_max_temp_file_size 2M;
+       fastcgi_no_cache $no_cache;
+       fastcgi_param GITWEB_CONFIG /etc/gitweb/gitweb.conf;
+       fastcgi_param PATH_INFO $uri;
+       fastcgi_param SCRIPT_FILENAME /usr/share/gitweb/gitweb.cgi;
+       
+       fastcgi_pass_header Cookie;
+       fastcgi_pass_header Set-Cookie;
+       fastcgi_split_path_info ^(.+\.php)(/.+)$;
+       
+       fastcgi_pass unix:/run/php5/fpm/gitweb;
+ }
+ssl_session_timeout 5m;
+try_files $uri @gitweb;
+ # NOTE: send anything else to gitweb if it's not a real file
+server_name git.heureux-cyclage.org
+
+# vim: ft=sh
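Review bot: `server_name git.heureux-cyclage.org` near the end of the file has no terminating semicolon, so nginx will reject the configuration at load time (compare the `server_name ...;` line in lhc-www/server.conf); it should read `server_name git.heureux-cyclage.org;`. The git-http-backend location (`~ ^.*\.git/(HEAD|info/refs|...)`) sets fastcgi_param values but contains no `fastcgi_pass` and no `include /etc/nginx/conf.d/fastcgi.conf;`, so as written those requests are served as static files from `/home/git/pub` rather than reaching the backend; the deleted 80.git file had the same shape, so this may be a long-standing gap rather than a regression. `ssl_session_timeout 5m;` is carried over into this plain-HTTP server, where it has no effect.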
diff --git a/etc/nginx/site.d/lhc-www-tls/configure.sh b/etc/nginx/site.d/lhc-www-tls/configure.sh
new file mode 100644 (file)
index 0000000..50f5f51
--- /dev/null
@@ -0,0 +1,9 @@
+#!/bin/sh
+set -e -f -u -x
+sudo rmdir ~www-data/"$site" || true
+sudo ln -fns "${site%-tls}" ~www-data/"$site"
+local hint="run vm_remote nginx_key_send before"
+assert "sudo test -f /etc/nginx/x509.d/\"$site\"/key.pem" hint
+sudo install -m 664 -o www -g www \
+ "$tool"/var/pub/x509/www.heureux-cyclage.org/crt+ca.pem \
+ /etc/nginx/x509.d/"$site"/crt.pem
diff --git a/etc/nginx/site.d/lhc-www-tls/key_send b/etc/nginx/site.d/lhc-www-tls/key_send
new file mode 100644 (file)
index 0000000..814e9a5
--- /dev/null
@@ -0,0 +1 @@
+www.heureux-cyclage.org
diff --git a/etc/nginx/site.d/lhc-www-tls/listen.conf b/etc/nginx/site.d/lhc-www-tls/listen.conf
new file mode 100644 (file)
index 0000000..2c4d6f6
--- /dev/null
@@ -0,0 +1 @@
+listen 443;
diff --git a/etc/nginx/site.d/lhc-www-tls/server.conf b/etc/nginx/site.d/lhc-www-tls/server.conf
new file mode 100644 (file)
index 0000000..f05ef5f
--- /dev/null
@@ -0,0 +1,2 @@
+include /etc/nginx/conf.d/ssl.conf;
+include /etc/nginx/site.d/lhc-www-tls/server.conf;
diff --git a/etc/nginx/site.d/lhc-www/configure.sh b/etc/nginx/site.d/lhc-www/configure.sh
new file mode 100644 (file)
index 0000000..fca7d99
--- /dev/null
@@ -0,0 +1 @@
+sudo adduser www-"$site"-tls www-"$site"
diff --git a/etc/nginx/site.d/lhc-www/listen.conf b/etc/nginx/site.d/lhc-www/listen.conf
new file mode 100644 (file)
index 0000000..56b9f1c
--- /dev/null
@@ -0,0 +1 @@
+listen 80;
diff --git a/etc/nginx/site.d/lhc-www/server.conf b/etc/nginx/site.d/lhc-www/server.conf
new file mode 100644 (file)
index 0000000..5ff974d
--- /dev/null
@@ -0,0 +1,47 @@
+client_body_buffer_size 8k;
+client_max_body_size 10m;
+location / {
+       index index.html index.htm index.php;
+ }
+location ~* ^.+.(css|gif|html|ico|jpeg|js|jpg|png|txt|xml)$ {
+       access_log off;
+       expires 30d;
+       log_not_found off;
+ }
+location ~ /\. {
+       access_log off;
+       deny all;
+       log_not_found off;
+ }
+location ~ \.php$ {
+       include /etc/nginx/conf.d/fastcgi.conf;
+       set $no_cache "";
+       if ($request_method !~ ^(GET|HEAD)$) {
+        # NOTE: if non GET/HEAD, don't cache and mark user as uncacheable for 1 second via cookie.
+               set $no_cache "1";
+        }
+       if ($no_cache = "1") {
+        # NOTE: drop no cache cookie if need be (for some reason, add_header fails if included in prior if-block).
+               add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/";
+               add_header X-Microcachable "0";
+        }
+       if ($http_cookie ~* "_mcnc") {
+        # NOTE: bypass cache if no-cache cookie is set
+               set $no_cache "1";
+        }
+       fastcgi_cache_bypass $no_cache;
+       fastcgi_cache_use_stale updating;
+       fastcgi_cache_valid 200 10s;
+       fastcgi_cache_valid 404 30m;
+       fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
+       fastcgi_max_temp_file_size 2M;
+       fastcgi_no_cache $no_cache;
+       fastcgi_pass_header Cookie;
+       fastcgi_pass_header Set-Cookie;
+       fastcgi_split_path_info ^(.+\.php)(/.+)$;
+       
+       fastcgi_pass unix:/run/php5/fpm/lhc-www;
+ }
+server_name www.heureux-cyclage.org heureux-cyclage.org;
+
+# vim: ft=sh
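Review bot: The regex location for static assets (`~* ^.+.(css|gif|...)$`) precedes `location ~ /\.` with its `deny all`, and nginx picks the first regex location that matches in file order, so a request for a dotfile or a file under a dot-directory whose name ends in one of those extensions is handled by the first block and never reaches the deny. Placing the `/\.` block before the asset block (it is the one meant to win) removes the shadowing; the same ordering is in lhc-git/server.conf. The dot before the extension group is also unescaped (`.+.(css|...)`), matching any character rather than a literal `.`; `\.(css|...)$` is presumably intended.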
index 88831d7..58b9fe7 100644 (file)
@@ -5,11 +5,6 @@ emergency_restart_threshold = 10
 error_log = syslog
 ;events.mechanism = epoll
 log_level = notice
-php_admin_flag[log_errors] = on
-php_admin_value[error_log] = syslog
-php_admin_value[error_reporting] = 0
-php_admin_value[memory_limit] = 128M
-php_flag[display_errors] = off
 pid = /run/php5-fpm.pid
 process.max = 128
 process_control_timeout = 10s
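Review bot: Dropping the five `php_admin_*` lines from the global section removes the only place in the shown hunks where `log_errors` is turned on; php.ini in this same commit gains `error_log = syslog`, but no `log_errors` line appears in its hunks. Worth confirming that etc/php5/fpm/php.ini sets `log_errors = On` outside the shown hunks, or adding it to the new pool files, so that the new syslog destination actually receives errors. The other removed values (`display_errors`, `memory_limit`, `error_reporting`) do have php.ini counterparts visible in this diff.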
index 6e1ddfc..9f32597 100644 (file)
@@ -104,16 +104,19 @@ odbc.max_persistent = -1
 [OCI8]
 [PHP]
 allow_url_fopen = Off
-allow_url_fopen = Off ; DEFAULT: On
+allow_url_fopen = Off
+; DEFAULT: On
 allow_url_include = Off
 asp_tags = Off
 auto_append_file =
 auto_globals_jit = On
 auto_prepend_file =
-default_charset = "UTF-8" ; DEFAULT: 
+default_charset = "UTF-8"
+; DEFAULT: 
 default_mimetype = "text/html"
 default_socket_timeout = 30
-default_socket_timeout = 30 ; DEFAULT: 60
+default_socket_timeout = 30
+; DEFAULT: 60
 disable_classes =
 disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,
 display_errors = Off
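Review bot: After this hunk `allow_url_fopen = Off` is set on two consecutive lines (the untouched context line and the rewritten one below it), and `default_socket_timeout = 30` likewise; the first occurrence of each pair is dead since the later one wins, and the pair will drift silently if only one is edited. Deleting the context-line duplicates leaves one definition per key. The trailing-comment split itself is fine; `; DEFAULT: ...` on its own line is unambiguous to the ini parser.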
@@ -122,6 +125,7 @@ doc_root =
 enable_dl = Off
 engine = On
 error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+error_log = syslog
 expose_php = On
 file_uploads = On
 html_errors = On
@@ -135,18 +139,22 @@ max_execution_time = 30
 max_file_uploads = 20
 max_input_time = 60
 memory_limit = 128M
-mysql.allow_persistent = Off ; DEFAULT: 
+mysql.allow_persistent = Off
+; DEFAULT: 
 output_buffering = 4096
-post_max_size = 15M ; DEFAULT: 8M
+post_max_size = 15M
+; DEFAULT: 8M
 precision = 14
 register_argc_argv = Off
 report_memleaks = On
 request_order = "GP"
 serialize_precision = 17
-short_open_tag = Off ; DEFAULT: On
+short_open_tag = Off
+; DEFAULT: On
 track_errors = Off
 unserialize_callback_func =
-upload_max_filesize = 20M ; DEFAULT: 2M
+upload_max_filesize = 20M
+; DEFAULT: 2M
 user_dir =
 variables_order = "GPCS"
 zend.enable_gc = On
diff --git a/etc/php5/fpm/pool.d/hc.443.www.heureux-cyclage.org.conf b/etc/php5/fpm/pool.d/hc.443.www.heureux-cyclage.org.conf
deleted file mode 120000 (symlink)
index f847fde..0000000
+++ /dev/null
@@ -1 +0,0 @@
-hc.80.www.heureux-cyclage.org.conf
\ No newline at end of file
diff --git a/etc/php5/fpm/pool.d/hc.80.www.heureux-cyclage.org.conf b/etc/php5/fpm/pool.d/hc.80.www.heureux-cyclage.org.conf
deleted file mode 100644 (file)
index 9f4f8c1..0000000
+++ /dev/null
@@ -1,11 +0,0 @@
-pm.max_children = 15
-pm.max_requests = 200
-pm.max_spare_servers = 15
-pm.min_spare_servers = 2
-pm.process_idle_timeout = 60s
-pm.start_servers = 3
-request_slowlog_timeout = 5s
-request_terminate_timeout = 120s
-rlimit_core = unlimited
-rlimit_files = 131072
-security.limit_extensions = .php
diff --git a/etc/php5/fpm/pool.d/lhc-git.conf b/etc/php5/fpm/pool.d/lhc-git.conf
new file mode 100644 (file)
index 0000000..9f4f8c1
--- /dev/null
@@ -0,0 +1,11 @@
+pm.max_children = 15
+pm.max_requests = 200
+pm.max_spare_servers = 15
+pm.min_spare_servers = 2
+pm.process_idle_timeout = 60s
+pm.start_servers = 3
+request_slowlog_timeout = 5s
+request_terminate_timeout = 120s
+rlimit_core = unlimited
+rlimit_files = 131072
+security.limit_extensions = .php
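Review bot: `rlimit_core = unlimited` enables full core dumps for the pool workers; a PHP worker's core contains whatever was in memory at the crash, which for a web pool typically includes session data and database credentials, and the file lands wherever the kernel's core pattern points. Unless crash debugging is in progress, `rlimit_core = 0` is the safer default for a production pool. The file has no `[pool]` header, `listen`, `user` or `group` lines, so presumably those are prepended by whatever installs it; the byte-identical lhc-www.conf carries the same point.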
diff --git a/etc/php5/fpm/pool.d/lhc-www.conf b/etc/php5/fpm/pool.d/lhc-www.conf
new file mode 100644 (file)
index 0000000..9f4f8c1
--- /dev/null
@@ -0,0 +1,11 @@
+pm.max_children = 15
+pm.max_requests = 200
+pm.max_spare_servers = 15
+pm.min_spare_servers = 2
+pm.process_idle_timeout = 60s
+pm.start_servers = 3
+request_slowlog_timeout = 5s
+request_terminate_timeout = 120s
+rlimit_core = unlimited
+rlimit_files = 131072
+security.limit_extensions = .php
diff --git a/etc/sv/fcgi.80.git.heureux-cyclage.org/configure b/etc/sv/fcgi.80.git.heureux-cyclage.org/configure
deleted file mode 100755 (executable)
index 23bd42e..0000000
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/sh -efux
-sv=$(basename "$(cd "$(dirname "$0")" && pwd)")
-IFS=. read -r service site <<-EOF
-       $sv
-       EOF
-user=$sv
-getent passwd "$user" >/dev/null ||
-sudo adduser \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/www/pub/"$site" \
- --shell /bin/false \
- --system \
- "$user"
diff --git a/etc/sv/fcgi.80.git.heureux-cyclage.org/run b/etc/sv/fcgi.80.git.heureux-cyclage.org/run
deleted file mode 100755 (executable)
index 530ee5a..0000000
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/sh -efux
-exec 2>&1
-sv=$(basename "$(cd "$(dirname "$0")" && pwd)")
-IFS=. read -r service site <<-EOF
-       $sv
-       EOF
-run_user=$sv
-sock_user=www-data
-exec /usr/bin/spawn-fcgi \
- -g "$run_user" \
- -G "$sock_user" \
- -M 0660 \
- -n \
- -s /run/nginx/fastcgi/fcgi.80.git.heureux-cyclage.org \
- -u "$run_user" \
- -U "$sock_user" \
- -- /usr/bin/multiwatch \
- --forks 10 \
- -- /usr/sbin/fcgiwrap
index 8c3783b..e95c7d7 100755 (executable)
@@ -1,20 +1 @@
 #!/bin/sh -efux
-user=git-daemon
-getent passwd "$user" >/dev/null ||
-sudo adduser \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/git/pub \
- --shell /bin/false \
- --system \
- "$user"
-getent passwd log."$user" >/dev/null ||
-sudo adduser \
- --disabled-login \
- --disabled-password \
- --group \
- --home /home/git/log/git-daemon \
- --shell /bin/false \
- --system \
- log."$user"
diff --git a/etc/sv/mysql.3306/run b/etc/sv/mysql.3306/run
deleted file mode 100755 (executable)
index f8597b2..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/sh -efux
-exec 2>&1
-exec /usr/bin/chpst \
- -u mysql:mysql \
- /usr/sbin/mysqld \
- --basedir=/usr \
- --datadir=/home/mysql \
- --pid-file=/var/run/mysqld/mysqld.pid \
- --plugin-dir=/usr/lib/mysql/plugin \
- --port=3306 \
- --socket=/var/run/mysqld/mysqld.sock \
- --user=mysql
diff --git a/etc/sv/mysql/run b/etc/sv/mysql/run
new file mode 100755 (executable)
index 0000000..f8597b2
--- /dev/null
@@ -0,0 +1,12 @@
+#!/bin/sh -efux
+exec 2>&1
+exec /usr/bin/chpst \
+ -u mysql:mysql \
+ /usr/sbin/mysqld \
+ --basedir=/usr \
+ --datadir=/home/mysql \
+ --pid-file=/var/run/mysqld/mysqld.pid \
+ --plugin-dir=/usr/lib/mysql/plugin \
+ --port=3306 \
+ --socket=/var/run/mysqld/mysqld.sock \
+ --user=mysql
diff --git a/etc/sv/nginx/configure b/etc/sv/nginx/configure
new file mode 100755 (executable)
index 0000000..e95c7d7
--- /dev/null
@@ -0,0 +1 @@
+#!/bin/sh -efux
diff --git a/etc/sv/nginx/log/run b/etc/sv/nginx/log/run
new file mode 100644 (file)
index 0000000..2dd4ada
--- /dev/null
@@ -0,0 +1,3 @@
+#!/bin/sh -efux
+install -d -m 770 -o log.www -g log.www ~www/log/nginx/
+exec chpst -u log.www svlogd -tt ~www/log/nginx/
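Review bot: The file is added with mode 100644 while the sibling `run` is 100755; runsv execs `log/run` directly, so the logger will not start until the file is made executable like the other run scripts in this commit. The script also relies on a `log.www` user, and nothing in this diff creates one, while the naming introduced elsewhere in the commit switches from dots to dashes (`www-$site`, `log-git`), so `log.www` may be a stale name; worth checking against wherever the nginx users are created.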
diff --git a/etc/sv/nginx/run b/etc/sv/nginx/run
new file mode 100755 (executable)
index 0000000..37dc216
--- /dev/null
@@ -0,0 +1,3 @@
+#!/bin/sh -efux
+exec 2>&1
+exec /usr/sbin/nginx
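Review bot: `exec /usr/sbin/nginx` hands the process to runsv, but nginx daemonizes by default, so unless nginx.conf (not in this diff) sets `daemon off;`, the exec'd master forks and exits and runsv will keep restarting it. `exec /usr/sbin/nginx -g 'daemon off;'` makes supervision work regardless of what the config file says.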
index 9743830..a75d9cb 100755 (executable)
--- a/vm_hosted
+++ b/vm_hosted
@@ -56,6 +56,11 @@ rule_git_reset () {
        )
  }
 
+rule_adduser () {
+       local user="$1"; shift
+       getent passwd "$user" >/dev/null ||
+       sudo adduser "$@" "$user"
+ }
 rule_apt_get_install () { # SYNTAX: $package
        sudo DEBIAN_FRONTEND=noninteractive apt-get install "$@"
  }
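Review bot: The new `rule_adduser` lacks the `# SYNTAX:` header comment that its neighbour `rule_apt_get_install () { # SYNTAX: $package` carries, and its calling convention (user name first, adduser options after) is not obvious from the name; `rule_adduser () { # SYNTAX: $user $adduser_option...` would document it in the file's existing style. A one-line note that the rule is a no-op when `getent passwd` already finds the user would also help readers of the call sites.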
@@ -85,7 +90,6 @@ rule_apache2_configure () {
                # cependant l'usage de suexec impose des forks il semble..
                # et mod_proxy_fcgi n'apparaît que dans apache 2.4 ;
                # donc pour l'instant : apache2-mpm-itk
-       rule www_configure
        cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF |
                ServerName "$vm_fqdn"
                EOF
@@ -117,18 +121,12 @@ rule_apache2_configure () {
         /home/www/etc/apache2
        for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf
         do conf=${conf#"$tool"/etc/apache2/site.d/}
-               local port site
-               IFS=. read -r port domain <<-EOF
-                       ${conf%\/VirtualHost\.conf}
-                       EOF
-               assert 'test "${port:+set}"'
-               assert 'test "${domain:+set}"'
-               local site="$port.$domain"
-               case $port in
-                (443)
+               local site=${conf%/VirtualHost.conf}
+               case $site in
+                (*-tls)
                        local hint="run vm_remote apache2_key_send before"
                        assert "sudo test -f /etc/apache2/site.d/\"$site\"/x509/key.pem" hint
-                       sudo install -d -m 770 -o www."$site" -g www."$site" \
+                       sudo install -d -m 770 -o www-"$site" -g www-"$site" \
                         /etc/apache2 \
                         /etc/apache2/site.d/"$site" \
                         /etc/apache2/site.d/"$site"/x509 \
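Review bot: The removed `IFS=. read -r port domain` was the only assignment of `port` (and `domain`) in this function, but `$port` is still expanded in both heredocs further down (`<VirtualHost *:$port>` in the `*-tls` branch and again in the new `(*)` branch of the later hunks), so the generated VirtualHost lines now get an empty expansion, or a fatal one under `set -u`. The port has to be derived from the new site name, e.g. `case $site in (*-tls) port=443;; (*) port=80;; esac` before the first `case`, or read from a per-site file as the nginx side does with `listen.conf`. `ServerName $domain` was removed from the tls template and no ServerName remains in either template, so it presumably must now come from each site's VirtualHost.conf. rule_apache2_configure starts and ends outside this hunk.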
@@ -139,7 +137,7 @@ rule_apache2_configure () {
                        sudo install -m 664 -o www -g www \
                             "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \
                         /etc/apache2/site.d/"$site"/x509/crt.self-signed.pem
-                       #sudo install -m 664 -o www."$site" -g www."$site" \
+                       #sudo install -m 664 -o www-"$site" -g www-"$site" \
                        # "$tool"/var/pub/x509/"$site"/rvk.pem \
                        # /etc/apache2/site.d/"$site"/x509/rvk.pem
                        sudo install -m 664 -o www -g www \
@@ -150,27 +148,12 @@ rule_apache2_configure () {
                         /etc/apache2/site.d/"$site"/x509/crt.pem
                        ;;
                 esac
-               case $port in
-                (80)
-                       cat <<-EOF
-                               <VirtualHost *:$port>
-                                       AssignUserID www.$site www.$site
-                                       CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined
-                                       #CustomLog "/dev/null" Combined
-                                       DocumentRoot /home/www/pub/$site
-                                       ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60"
-                                       #ErrorLog "/dev/null"
-                                       ServerName $domain
-                                       LogLevel Warn
-                                       $(cat "$tool"/etc/apache2/site.d/"$site"/VirtualHost.conf)
-                                </VirtualHost>
-                               EOF
-                       ;;
-                (443)
+               case $site in
+                (*-tls)
                        cat <<-EOF
                                <IfModule mod_ssl.c>
                                        <VirtualHost *:$port>
-                                               AssignUserID www.$site www.$site
+                                               AssignUserID www-$site www-$site
                                                BrowserMatch "MSIE [2-6]"  ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0
                                                BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
                                                CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined
@@ -179,7 +162,6 @@ rule_apache2_configure () {
                                                ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60"
                                                #ErrorLog "/dev/null"
                                                LogLevel Warn
-                                               ServerName $domain
                                                SSLCACertificateFile    /etc/apache2/site.d/$site/x509/crt.self-signed.pem
                                                SSLCACertificatePath    /etc/apache2/site.d/$site/x509/usr/
                                                #SSLCARevocationFile    /etc/apache2/site.d/$site/x509/rvk.pem
@@ -206,35 +188,47 @@ rule_apache2_configure () {
                                 </IfModule>
                                EOF
                        ;;
+                (*)
+                       cat <<-EOF
+                               <VirtualHost *:$port>
+                                       AssignUserID www-$site www-$site
+                                       CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined
+                                       #CustomLog "/dev/null" Combined
+                                       DocumentRoot /home/www/pub/$site
+                                       ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60"
+                                       #ErrorLog "/dev/null"
+                                       LogLevel Warn
+                                       $(cat "$tool"/etc/apache2/site.d/"$site"/VirtualHost.conf)
+                                </VirtualHost>
+                               EOF
+                       ;;
                 esac |
                sudo install -m 660 -o root -g root /dev/stdin \
                 /etc/apache2/site.d/"$site"/VirtualHost.conf
                sudo ln -fns \
                 ../site.d/"$site"/VirtualHost.conf \
                 /etc/apache2/sites-available/"$site"
-               sudo install -d -m 770 -o www."$site" -g www."$site" \
+               sudo install -d -m 770 -o www-"$site" -g www-"$site" \
                 /home/www/log/"$site" \
                 /home/www/log/"$site"/apache2
                sudo ln -fns \
                 /etc/apache2/site.d/"$site" \
                 /home/www/etc/apache2/"$site"
                test -e /home/www/pub/"$site" ||
-               sudo install -d -m 2770 -o www."$site" -g www."$site" \
+               sudo install -d -m 2770 -o www-"$site" -g www-"$site" \
                 /home/www/pub/"$site"
-               getent passwd www."$site" >/dev/null ||
-               sudo adduser \
+               rule adduser www-"$site"
                 --disabled-password \
                 --group \
                 --no-create-home \
                 --home /home/www/pub/"$site" \
                 --shell /bin/false \
-                --system \
-                www."$site"
-               #sudo setfacl -m u:"www.$site":--x \
+                --system
+               #sudo setfacl -m u:"www-$site":--x \
                # /home/www/ \
                # /home/www/pub/ \
                # /home/www/pub/"$site"/
-               #sudo setfacl -m d:u:"www.$site":rwx \
+               #sudo setfacl -m d:u:"www-$site":rwx \
                # "$home"/pub/www/"$site"/
                test ! -r "$tool"/etc/apache2/site.d/"$site"/configure.sh ||
                .         "$tool"/etc/apache2/site.d/"$site"/configure.sh
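Review bot: `rule adduser www-"$site"` has no trailing backslash, unlike `rule adduser git \` in rule_gitolite_configure, so the `--disabled-password ... --system` lines that follow are parsed as a separate command: `www-$site` is created by a bare `sudo adduser www-$site`, which prompts interactively and creates a regular login user with a home under /home, and then `--disabled-password` is executed as a command name and fails. It should read `rule adduser www-"$site" \`. rule_apache2_configure continues outside this hunk.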
@@ -313,8 +307,8 @@ rule_dovecot_configure () {
        local hint="run vm_remote dovecot_key_send before"
        assert "sudo test -f /etc/dovecot/\"$vm_domainname\"/imap/x509/key.pem" hint
        sudo install -m 400 -o root -g root \
-            "$tool"/var/pub/x509/$vm_domainname/imap/crt+crl.self-signed.pem \
-        /etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
+        "$tool"/var/pub/x509/imap."$vm_domainname"/crt+crl.self-signed.pem \
+           /etc/dovecot/"$vm_domainname"/imap/x509/crt+crl.self-signed.pem
        sudo install -d -m 770 -o root -g root \
         /etc/skel/etc/mail \
         /etc/skel/etc/sieve
@@ -484,35 +478,50 @@ rule_initramfs_configure () {
        sudo update-initramfs -u
  }
 rule_gitolite_configure () {
-       local user=git
        sudo debconf-set-selections <<-EOF
-               gitolite        gitolite/gituser        string  $user
+               gitolite        gitolite/gituser        string  git
                gitolite        gitolite/adminkey       string  
-               gitolite        gitolite/gitdir string  /home/$user
+               gitolite        gitolite/gitdir string  /home/git
                EOF
        rule apt_get_install gitolite
-       getent passwd "$user" >/dev/null ||
-       sudo adduser \
+       rule adduser git \
         --disabled-password \
         --group \
         --shell /bin/bash \
-        --system \
-        "$user"
-       sudo chfn --full-name "$user" "$user"
-       eval local home\; home="~$user"
-       sudo install -d -m 770 -o "$user" -g "$user" \
+        --system
+       sudo chfn --full-name git git
+       rule adduser log-git \
+        --disabled-login \
+        --disabled-password \
+        --group \
+        --home ~git/log \
+        --shell /bin/false \
+        --system
+       rule adduser git-daemon\
+        --disabled-login \
+        --disabled-password \
+        --group \
+        --home /home/git/pub \
+        --shell /bin/false \
+        --system
+       sudo install -d -m 770 -o git -g git \
         /etc/gitolite \
-        "$home"/etc \
-        "$home"/etc/ssh \
-        "$home"/pub \
-        "$home"/log \
-        "$home"/log/gitolite \
-        "$home"/log/gitolite/perf
-       sudo ln -fns /etc/gitolite "$home"/etc/gitolite
-       sudo ln -fns etc/gitolite/gitolite.rc "$home"/.gitolite.rc
-       sudo ln -fns etc/ssh "$home"/.ssh
-       sudo install -m 770 -o "$user" -g "$user" /dev/stdin \
-        "$home"/etc/gitolite/gitolite.rc <<-EOF
+        ~git/etc \
+        ~git/etc/ssh \
+        ~git/pub
+       sudo install -d -m 770 -o log-git -g log-git \
+        ~git/log \
+        ~git/log/gitolite \
+        ~git/log/gitolite/perf
+       sudo install -d -m 550 -o www-lhc-git -g www-lhc-git \
+        /etc/gitweb \
+        /etc/gitweb/cgi
+       sudo ln -fns /etc/gitolite ~git/etc/gitolite
+       sudo ln -fns /etc/gitweb ~git/etc/gitweb
+       sudo ln -fns etc/gitolite/gitolite.rc ~git/.gitolite.rc
+       sudo ln -fns etc/ssh ~git/.ssh
+       sudo install -m 770 -o git -g git /dev/stdin \
+        ~git/etc/gitolite/gitolite.rc <<-EOF
                #\$ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary";
                #\$BIG_INFO_CAP = 20;
                #\$ENV{GL_SLAVES} = 'gitolite@server2 gitolite@server3';
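Review bot: The new `sudo install -d -m 550 -o www-lhc-git -g www-lhc-git /etc/gitweb /etc/gitweb/cgi` depends on the `www-lhc-git` account, which this function never creates; it appears to come from the per-site loop in rule_nginx_configure, so rule_gitolite_configure now fails when run on its own or before nginx_configure. Either call `rule nginx_configure` here or add a comment such as `# NOTE: www-lhc-git is created by rule_nginx_configure (site.d/lhc-git)` so the ordering in rule_configure is not accidental. Separately, `rule adduser git-daemon\` is missing the space before the continuation backslash that every other call has, and the same function mixes `~git/...` with a hard-coded `/home/git/pub` for git-daemon's home. The body of rule_gitolite_configure continues past this hunk.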
@@ -553,17 +562,17 @@ rule_gitolite_configure () {
                \$RSYNC_BASE = "";
                \$SVNSERVE = "";
                #\$UPDATE_CHAINS_TO = "hooks/update.secondary";
-               #\$WEB_INTERFACE = "gitweb";
+               \$WEB_INTERFACE = "gitweb";
                1;
                EOF
-       sudo install -m 770 -o "$user" -g "$user" /dev/stdin \
-        "$home"/etc/gitweb/gitweb.conf <<-EOF
+       sudo install -m 740 -o git -g www-lhc-git /dev/stdin \
+        ~git/etc/gitweb/gitweb.conf <<-EOF
                \$commit_oneline_message_width = 70;
                \$default_projects_order = 'age';
                \$default_text_plain_charset = 'UTF-8';
                @diff_opts = ();
                \$favicon = "img/git-favicon.png";
-               \$git_temp = "/run/shm/gitweb";
+               \$git_temp = "/run/shm/tmp/gitweb";
                \$home_footer = "/etc/gitweb/cgi/home-footer.cgi.inc";
                \$home_header = "/etc/gitweb/cgi/home-header.cgi.inc";
                \$home_link = "/";
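Review bot: `\$git_temp = "/run/shm/tmp/gitweb"` moves gitweb's scratch directory into a tmpfs shared by every local user, and nothing in this hunk creates that path or fixes its ownership; if it is not pre-created with the gitweb user's ownership and a restrictive mode, a predictable directory name under a world-writable tmpfs is exposed to symlink/pre-creation attacks by other local accounts. The `sudo service tmpfs restart` added later in this function suggests the tmpfs service is meant to create it, but that is not visible here — confirm and add a comment next to the assignment, e.g. `# NOTE: /run/shm/tmp/gitweb must be created by the tmpfs service, owned by www-lhc-git, mode 0700`. The enclosing function starts and ends outside this hunk.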
@@ -580,28 +589,27 @@ rule_gitolite_configure () {
                \$projects_list_description_width = 42;
                \$projects_list_owner_width = 15;
                \$search_str = "Filtre&nbsp;:";
-               \$site_footer = "/home/fai/pub/www/git.autogeree.net/cgi/site-footer.bin";
+               \$site_footer = "/etc/gitweb/cgi/site-footer.bin";
                \$site_header = undef;
                \$site_name = "git.$vm_domainname";
                \$space_to_nbsp = 0;
                @stylesheets = ("css/gitweb.css");#
                \$untabify_tabstop = 2;
                EOF
-       sudo install -m 600 -o "$user" -g "$user" \
-        "$tool"/var/pub/ssh/"$user".key \
-            "$home"/etc/ssh/"$user".pub
-       sudo -u "$user" \
-        GL_RC="$home"/etc/gitolite/gitolite.rc \
-        GIT_AUTHOR_NAME="$user" \
-               gl-setup -q "$home"/etc/ssh/"$user".pub "$user"
+       sudo install -m 600 -o git -g git \
+        "$tool"/var/pub/ssh/git.key \
+               ~git/etc/ssh/git.pub
+       sudo -u git \
+        GL_RC=/home/git/etc/gitolite/gitolite.rc \
+        GIT_AUTHOR_NAME=git \
+               gl-setup -q ~git/etc/ssh/git.pub git
        local d
        for d in doc logs src
-        do test ! -d "$home"/etc/gitolite/"$d" ||
-               rmdir "$home"/etc/gitolite/"$d"
+        do test ! -d ~git/etc/gitolite/"$d" ||
+               rmdir ~git/etc/gitolite/"$d"
         done
        rule apt_get_install gitweb highlight
-       #sudo sv restart fcgi.git.80.git.heureux-cyclage.org
-       #sudo sv restart git-daemon.git.9418
+       sudo service tmpfs restart
  }
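Review bot: `"$tool"/var/pub/ssh/git.key` is installed as `~git/etc/ssh/git.pub` and handed to `gl-setup` as the admin public key, so a file whose name says "private key" lives under `var/pub` and is treated as public material; if it really is the public key, rename it to `git.pub` in the repository so a `.key` file never sits in a public directory and a future edit cannot copy a real private key there by habit. The same block also hard-codes `GL_RC=/home/git/etc/gitolite/gitolite.rc` while the surrounding lines use `~git/...`; `GL_RC=~git/etc/gitolite/gitolite.rc` keeps the two consistent. The function's start is outside this hunk.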
 rule_locales_configure () {
        sudo debconf-set-selections <<-EOF
@@ -770,26 +778,23 @@ rule_network_configure () {
                EOF
  }
 rule_www_configure () {
-       getent passwd www >/dev/null ||
-       sudo adduser \
+       rule adduser www \
         --disabled-login \
         --disabled-password \
         --group \
         --home /home/www \
         --shell /bin/false \
-        --system \
-        www
-       sudo adduser \
+        --system
+       rule adduser log-www \
         --disabled-login \
         --disabled-password \
         --group \
-        --home ~www/log \
+        --home /home/www/log \
         --shell /bin/false \
-        --system \
-        log.www
+        --system
        #sudo adduser www www-data
-       sudo adduser www log.www
-       #sudo adduser log log.www
+       sudo adduser www log-www
+       #sudo adduser log log-www
        usermod --home /home/www/pub www-data
        sudo install -d -m 751 -o www -g www \
         /home/www
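Review bot: `usermod --home /home/www/pub www-data` is the only privileged command in rule_www_configure that is not run through `sudo`, so when the script runs as an unprivileged user the www-data home change silently fails (and the new `log-www` account and `sudo adduser www log-www` right above it succeed), leaving the two halves of the setup inconsistent; the line should read `sudo usermod --home /home/www/pub www-data`. This is a context line the commit leaves as it was. The function ends outside this hunk.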
@@ -797,20 +802,20 @@ rule_www_configure () {
         /home/www/etc
        sudo install -d -m 1771 -o www-data -g www-data \
         /home/www/pub
-       sudo install -d -m 1771 -o log.www -g log.www \
+       sudo install -d -m 1771 -o log-www -g log-www \
         /home/www/log
  }
 rule_nginx_configure () {
        local -; set +f
        rule apt_get_install nginx
-       rule www_configure
        sudo rm -rf \
         /etc/nginx/conf.d \
         /etc/nginx/site.d
        sudo install -d -m 770 -o www -g www \
         /etc/nginx \
         /etc/nginx/conf.d \
-        /etc/nginx/site.d
+        /etc/nginx/site.d \
+        /etc/nginx/x509.d
        sudo ln -fns \
         /etc/nginx \
         /home/www/etc/nginx
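Review bot: The new `/etc/nginx/x509.d` is created with `-m 770 -o www -g www`, and the per-site `/etc/nginx/x509.d/"$site"` later in the same function gets the same ownership, yet vm_remote installs `key.pem` there as root, mode 400; write permission on the containing directory lets any member of group `www` unlink and replace the root-owned key or certificate regardless of the file mode. Private-key directories should be root-owned with no group write, e.g. `sudo install -d -m 750 -o root -g root /etc/nginx/x509.d` (nginx's master process reads the key as root), and the per-site directories likewise; rule_nginx_key_send in vm_remote already creates them as `root -g root`, so the two scripts currently disagree and whichever runs last decides. Also note that `sudo rm -rf /etc/nginx/site.d` wipes the previous layout's `site.d/$site/x509/key.pem`, so existing hosts need `vm_remote nginx_key_send` re-run after this change. rule_nginx_configure continues past this hunk.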
@@ -826,150 +831,138 @@ rule_nginx_configure () {
         done
        for conf in "$tool"/etc/nginx/site.d/*/server.conf
         do conf=${conf#"$tool"/etc/nginx/site.d/}
-               local port domain
-               IFS=. read -r port domain <<-EOF
-                       ${conf%\/server\.conf}
-                       EOF
-               assert 'test "${port:+set}"'
-               assert 'test "${domain:+set}"'
-               local site="$port.$domain"
-               getent passwd www."$site" >/dev/null ||
-               sudo adduser \
+               local site="${conf%/server.conf}"
+               rule adduser www-"$site" \
                 --disabled-login \
                 --disabled-password \
                 --group \
-                --home ~www-data/"$site" \
+                --home /home/www-data/"$site" \
                 --shell /bin/false \
-                --system \
-                www."$site"
-               getent passwd log."$site" >/dev/null ||
-               sudo adduser \
+                --system
+               rule adduser log-www-"$site" \
                 --disabled-login \
                 --disabled-password \
                 --group \
+                --home /home/www/log/"$site"/nginx \
                 --shell /bin/false \
-                --system \
-                log."$site"
-               sudo usermod --home ~www/log/"$site"/nginx log."$site"
+                --system
+               sudo install -d -m 2770 -o log-www-"$site" -g log-www-"$site" \
+                /home/www/log/"$site"
                sudo install -d -m 770 -o www -g www \
                 /etc/nginx/site.d/"$site"
-               case $port in
-                (443)
-                       local hint="run vm_remote nginx_key_send before"
-                       assert "sudo test -f /etc/nginx/\"$site\"/x509/key.pem" hint
-                       sudo install -m 664 -o www -g www \
-                        "$tool"/var/pub/x509/"$site"/crt+ca.pem \
-                        /etc/nginx/site.d/"$site"/x509/crt.pem
-                       ;;
-                esac
-               case $port in
-                (80)
-                       cat <<-EOF
-                               server {
-                                       listen $port;
-                                       access_log /home/www/log/$site/nginx/access.log main;
-                                       error_log  /home/www/log/$site/nginx/error.log warn;
-                                       root /home/www/pub/$site;
-                                       server_name $domain;
-                                       $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
-                                }
-                               EOF
-                       ;;
-                (443)
-                       cat <<-EOF
-                               server {
-                                       listen $port;
-                                       access_log /home/www/log/$site/nginx/access.log main;
-                                       error_log  /home/www/log/$site/nginx/error.log warn;
-                                       keepalive_timeout 70;
-                                       root /home/www/pub/$site;
-                                       server_name $domain;
-                                       # DOC: http://wiki.nginx.org/HttpSslModule
-                                       ssl on;
-                                       ssl_certificate     /home/www/etc/nginx/site.d/$site/x509/crt.pem;
-                                       ssl_certificate_key /home/www/etc/nginx/site.d/$site/x509/key.pem;
-                                       ssl_ciphers HIGH:!ADH:!MD5;
-                                       ssl_prefer_server_ciphers on;
-                                       ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-                                       ssl_session_cache shared:SSL:10m;
-                                       $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
-                                }
-                               EOF
-                       ;;
-                esac |
-               sudo install -m 660 -o www -g www /dev/stdin \
-                /etc/nginx/site.d/"$site"/server.conf
-               adduser www-data www."$site"
-               test -e /home/www/pub/"$site" ||
-               sudo install -d -m 3770 -o www."$site" -g www."$site" \
+               sudo install -d -m 770 -o www -g www \
+                /etc/nginx/x509.d/"$site"
+               test -L /home/www/pub/"$site" ||
+               sudo install -d -m 3770 -o www-"$site" -g www-"$site" \
                 /home/www/pub/"$site"
-               sudo install -d -m 3770 -o log."$site" -g log."$site" \
-                /home/www/log/"$site"/nginx
+               sudo adduser www-data www-"$site"
+               sudo adduser www-data log-www-"$site"
+               sudo install -m 660 -o www -g www /dev/stdin \
+                /etc/nginx/site.d/"$site"/server.conf <<-EOF
+                       server {
+                               access_log          /home/www/log/$site/nginx/access.log main;
+                               error_log           /home/www/log/$site/nginx/error.log warn;
+                               root                /home/www/pub/$site;
+                               ssl_certificate     /etc/nginx/x509.d/$site/crt.pem;
+                               ssl_certificate_key /etc/nginx/x509.d/$site/key.pem;
+                               $(cat "$tool"/etc/nginx/site.d/"$site"/listen.conf)
+                               $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)
+                        }
+                       EOF
+               test -d /home/www/pub/"$site" -o -L /home/www/pub/"$site" ||
                test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
                .         "$tool"/etc/nginx/site.d/"$site"/configure.sh
         done
        rule apt_get_install spawn-fcgi fcgiwrap
        sudo insserv --remove fcgiwrap
+       sudo insserv --remove nginx
        rule tmpfs_configure
-       sudo service nginx restart
+       case $(sv status nginx) in
+        (run:*) sudo sv restart nginx
+        esac
  }
 rule_php5_fpm_configure () {
        local -; set +f
        rule apt_get_install \
         php5-fpm \
         php-apc
-       getent passwd php5 >/dev/null ||
-       sudo adduser \
+       rule adduser php5 \
         --disabled-login \
         --disabled-password \
         --group \
+        --home /etc/php5/fpm \
         --shell /bin/false \
-        --system \
-        php5
-       local conf
+        --system
+       rule adduser log-php5 \
+        --disabled-login \
+        --disabled-password \
+        --group \
+        --home /home/www/log/php5/fpm \
+        --shell /bin/false \
+        --system
        sudo ln -fns \
-        /etc/php5-fpm \
+        /etc/php5/fpm \
         /home/www/etc/php5
-       sudo rm -f /etc/php5/fpm/pool.d/*
+       sudo rm -rf \
+        /etc/php5/fpm/conf.d \
+        /etc/php5/fpm/pool.d
+       sudo install -d -m 770 -o php5 -g php5 \
+        /etc/php5/fpm/conf.d \
+        /etc/php5/fpm/pool.d
+       sudo install -m 770 -o php5 -g php5 \
+        "$tool"/etc/php5/fpm/php-fpm.conf \
+               /etc/php5/fpm/php-fpm.conf
+       local conf
+       #for conf in "$tool"/etc/php5/fpm/conf.d/*.conf
+       # do conf=${conf#"$tool"/etc/php5/fpm/conf.d/}
+       #       sudo install -m 660 -o php5 -g php5 \
+       #        "$tool"/etc/php5/fpm/conf.d/"$conf" \
+       #               /etc/php5/fpm/conf.d/"$conf"
+       # done
        for conf in "$tool"/etc/php5/fpm/pool.d/*.conf
         do conf=${conf#"$tool"/etc/php5/fpm/pool.d/}
-               local port domain
-               IFS=. read -r port domain <<-EOF
-                       ${conf%\.conf}
+               IFS=. read -r pool <<-EOF
+                       ${conf%.conf}
                        EOF
-               assert 'test "${port:+set}"'
-               assert 'test "${domain:+set}"'
-               local site="$port.$domain"
-               getent passwd php5."$site" >/dev/null ||
-               sudo adduser \
+               assert 'test "${pool:+set}"'
+               rule adduser php5-"$pool" \
+                --disabled-login \
+                --disabled-password \
+                --group \
+                --no-create-home \
+                --home /etc/php5/fpm/pool.d \
+                --shell /bin/false \
+                --system
+               rule adduser log-php5-"$pool" \
                 --disabled-login \
                 --disabled-password \
                 --group \
                 --no-create-home \
-                --home ~www/pub/"$site" \
+                --home /home/www/log/php5/fpm \
                 --shell /bin/false \
-                --system \
-                php5."$site"
-               sudo install -d -m 770 -o php5 -g php5 \
+                --system
+               sudo install -d -m 770 -o log-php5 -g log-php5 \
                 /home/www/log/php5 \
                 /home/www/log/php5/fpm
-               sudo install -d -m 770 -o log."$site" -g log."$site" \
-                /home/www/log/"$site"
-               sudo adduser php5."$site" www."$site"
-               sudo install -m 660 -o root -g root /dev/stdin \
-                /etc/php5/fpm/pool.d/"$conf" <<-EOF
-                       [php5.$site]
-                       access.log = /home/www/log/$site/php5/fpm/access.log
+               sudo install -d -m 770 -o log-php5-"$pool" -g log-php5-"$pool" \
+                /home/www/log/php5/fpm/"$pool"
+               sudo install -m 660 -o php5 -g php5 /dev/stdin \
+                /etc/php5/fpm/pool.d/"$pool".conf <<-EOF
+                       [$pool]
+                       access.log = /home/www/log/php5/fpm/$pool/access.log
                        catch_workers_output = yes
                        chdir = /
                        env[HOSTNAME] = \$HOSTNAME
                        env[TEMP] = /tmp
                        env[TMPDIR] = /tmp
                        env[TMP] = /tmp
-                       group = www-data
-                       listen = /run/nginx/fastcgi/php5.$site
+                       group = php5-$pool
                        #listen = 127.0.0.1:9000
+                       listen = /run/php5/fpm/$pool
                        #listen.allowed_clients = 127.0.0.1
+                       listen.group = www-data
+                       listen.mode = 0660
+                       #listen.owner = www-data
                        listen.backlog = -1
                        pm = dynamic
                        pm.max_children = 5
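Review bot: The new guard `test -d /home/www/pub/"$site" -o -L /home/www/pub/"$site" || test ! -r .../configure.sh || . .../configure.sh` makes the site's configure.sh unreachable: the directory (or symlink) was just created unconditionally by the `test -L ... || sudo install -d -m 3770 ...` a few lines earlier, so the first test is always true (short of `install` failing) and the `||` chain stops before sourcing. If the intent is "run configure.sh only on first creation", the existence check has to be captured before the `install -d`, e.g. `local new=; test -e /home/www/pub/"$site" || new=1` and then `test -z "$new" || test ! -r ... || . ...`. Two related regressions in the same hunk: the removed `sudo adduser php5."$site" www."$site"` has no replacement, so a `php5-$pool` worker's read access to the `www-$site`-owned document root now depends on something not visible here, and `/home/www/log/"$site"/nginx`, referenced by `access_log`/`error_log`, is no longer created explicitly but only implied by `--home` of `log-www-"$site"`, which relies on adduser creating system-user homes. The hunk also crosses into rule_php5_fpm_configure, where `pool` is read without a `local` declaration, unlike the `local conf` beside it.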
@@ -982,13 +975,16 @@ rule_php5_fpm_configure () {
                        request_terminate_timeout = 120s
                        rlimit_core = unlimited
                        rlimit_files = 131072
-                       slowlog = /home/www/log/$site/php5/fpm/slow.log
-                       user = $php5_user
+                       slowlog = /home/www/log/php5/fpm/$pool/slow.log
+                       user = php5-$pool
                        $(cat "$tool"/etc/php5/fpm/pool.d/"$conf")
                        EOF
-               sudo install -m 664 -o root -g root \
+               sudo install -m 664 -o php5 -g php5 \
                 "$tool"/etc/php5/fpm/php.ini \
                        /etc/php5/fpm/php.ini
+               case $(sv status php5-"$pool") in
+                (run:*) sudo sv restart php5-"$pool"
+                esac
         done
        rule tmpfs_configure
        sudo service php5-fpm restart
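Review bot: `sudo install -m 664 -o php5 -g php5 "$tool"/etc/php5/fpm/php.ini /etc/php5/fpm/php.ini` is loop-invariant but sits inside the `for conf in .../pool.d/*.conf` loop, so it is rewritten once per pool; it belongs after `done`, next to `rule tmpfs_configure`. The new per-pool `case $(sv status php5-"$pool") in (run:*) sudo sv restart php5-"$pool"` followed by the existing `sudo service php5-fpm restart` looks like a double restart of the same daemon — if the runit service supersedes the init script (as `insserv --remove` does for nginx above), the `service` line should go, otherwise a comment should say why both are needed. The function starts outside this hunk.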
@@ -1236,6 +1232,7 @@ rule_tmpfs_configure () {
         "$tool"/etc/init.d/tmpfs \
                /etc/init.d/tmpfs
        sudo update-rc.d tmpfs defaults
+       sudo service tmpfs restart
  }
 rule_time_configure () {
        sudo install -m 644 -o root -g root /dev/stdin /etc/timezone <<-EOF
@@ -1251,8 +1248,7 @@ rule_time_configure () {
 rule_user_add () { # SYNTAX: $user
        rule user_configure
        local user=$1
-       getent passwd "$user" >/dev/null ||
-       sudo adduser --disabled-password "$user"
+       rule adduser "$user" --disabled-password
                # NOTE: le mot-de-passe doit être initialisé par l'utilisateur à l'aide de passwd-init .
        eval local home\; home="~$user"
        sudo adduser "$user" users
@@ -1336,8 +1332,7 @@ rule_user_configure () {
 rule_user_admin_add () { # SYNTAX: $user
        rule user_configure
        local user=$1
-       getent passwd "$user" >/dev/null ||
-       sudo adduser --disabled-password "$user"
+       rule adduser "$user" --disabled-password
        eval local home\; home="~$user"
        sudo adduser "$user" sudo
        sudo install -m 640 -o root -g root \
@@ -1390,9 +1385,10 @@ rule_configure () {
        rule sysctl_configure
        rule user_configure
        rule mail_configure
-       #rule apache2_configure
-       rule nginx_configure
+       rule www_configure
        rule php5_fpm_configure
+       rule nginx_configure
+       #rule apache2_configure
        rule gitolite_configure
        rule runit_configure
  }
index 467d528..37e6dc1 100755 (executable)
--- a/vm_remote
+++ b/vm_remote
@@ -57,18 +57,12 @@ rule__ssh_known_hosts_update () {
         whoami
  }
 
-rule__x509_service_key_send_deciphered () { # SYNTAX: $service $remote_destination ${ssh_options-}
-       local service="$1"; shift
-       local remote_destination="$1"; shift
-       gpg --decrypt "var/sec/x509/$vm_domainname/$service/key.pass.gpg" |
+rule__x509_site_key_decrypt () { # SYNTAX: $site
+       local site="$1"; shift
+       gpg --decrypt "$tool"/var/sec/x509/"$site"/key.pass.gpg |
        openssl rsa -passin 'stdin' \
-        -in  "var/sec/x509/$vm_domainname/$service/key.pem" \
-        -out '/dev/stdout' |
-       rule ssh "$@"  ' \
-               install -m 400 -o root -g root \
-                /dev/stdin \
-                '"$remote_destination"' \
-        '
+        -in  var/sec/x509/"$site"/key.pem \
+        -out '/dev/stdout'
  }
 
 rule_luks_key_send () { # DESCRIPTION: envoie la clef de déchiffrement des partitions au démarrage de la VM.
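Review bot: The two input paths in `rule__x509_site_key_decrypt` are resolved differently: the passphrase is read from `"$tool"/var/sec/x509/"$site"/key.pass.gpg` but the key from the cwd-relative `var/sec/x509/"$site"/key.pem`, so invoking vm_remote from any other directory decrypts the passphrase and then fails (or picks up a different tree's key); use `-in "$tool"/var/sec/x509/"$site"/key.pem`. The `shift` after `local site="$1"` is dead since nothing reads the remaining arguments. The function's contract — it writes the decrypted private key in clear to stdout for the caller to pipe straight into `ssh` — deserves a comment on the `# SYNTAX:` line, e.g. `# OUTPUT: plaintext key.pem on stdout; pipe directly, never redirect to a file`.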
@@ -104,13 +98,14 @@ rule_apache2_key_send () {
         do conf=${conf#"$tool"/etc/apache2/site.d/}
                local port domain
                IFS=. read -r port domain <<-EOF
-                       ${conf%\/VirtualHost\.conf}
+                       ${conf%/VirtualHost.conf}
                        EOF
                assert 'test "${port:+set}"'
                assert 'test "${domain:+set}"'
                local site="$port.$domain"
                case $port in
                 (443)
+                       rule _x509_site_key_decrypt "$domain" |
                        rule ssh -l root ' \
                                sudo install -d -m 770 -o '"$user"' -g '"$user"' \
                                 /etc/apache2 \
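Review bot: `sudo install -d -m 770 -o '"$user"' -g '"$user"'` in the remote script uses `$user`, which is not assigned anywhere in rule_apache2_key_send as far as this hunk shows; if it is unset the remote command becomes `install -d -m 770 -o -g ...` and fails or mis-assigns ownership — the analogous nginx and dovecot functions use `-o root -g root`, which is what a directory that will hold a root-owned key should get. Also, since `rule _x509_site_key_decrypt "$domain" |` now feeds the private key through the ssh session's stdin, any remote command before the final `install /dev/stdin` that reads stdin (a `sudo` password prompt, for instance) would swallow it; `-l root` makes that unlikely but a comment on the pipe, e.g. `# stdin of the remote script is the plaintext key: only the last install may read it`, would protect the next editor. The remote script continues in the next hunk.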
@@ -120,14 +115,16 @@ rule_apache2_key_send () {
                                 /etc/apache2/site.d/'"$site"'/x509/.gitignore <<-EOF
                                        key.pem
                                        EOF
+                               sudo install -m 400 -o root -g root \
+                                /dev/stdin \
+                                /etc/apache2/'"'$site'"'/x509/key.pem
                         '
-                       rule _x509_service_key_send_deciphered $service \
-                        /etc/apache2/"$site"/x509/key.pem -l root "$@"
                        ;;
                 esac
         done
  }
 rule_dovecot_key_send () {
+       rule _x509_site_key_decrypt imap."$vm_domainname" |
        rule ssh -l root ' \
                sudo install -d -m 770 -o root -g root \
                 /etc/dovecot/'"$vm_domainname"'/ \
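Review bot: The key is installed to `/etc/apache2/'"'$site'"'/x509/key.pem` while the `.gitignore` two lines above goes to `/etc/apache2/site.d/'"$site"'/x509/.gitignore`, so the key and its ignore file land in different trees and the `site.d` path is the one the rest of the layout uses; the install line should read `/etc/apache2/site.d/'"'$site'"'/x509/key.pem`. The removed `_x509_service_key_send_deciphered` call had the same `/etc/apache2/"$site"/x509` path, so this is inherited rather than new, but the commit touches the line and could fix it. The enclosing remote script starts in the previous hunk.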
@@ -137,9 +134,10 @@ rule_dovecot_key_send () {
                 /etc/dovecot/'"$vm_domainname"'/imap/x509/.gitignore <<-EOF
                        key.pem
                        EOF
+               sudo install -m 400 -o root -g root \
+                /dev/stdin \
+                /etc/dovecot/"$vm_domainname"/imap/x509/key.pem
         '
-       rule _x509_service_key_send_deciphered imap \
-        /etc/dovecot/$vm_domainname/$service/x509/key.pem -l root "$@"
  }
 rule_gitolite_configure () {
        (
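Review bot: `/etc/dovecot/"$vm_domainname"/imap/x509/key.pem` on the new install line is inside the single-quoted remote script, so `$vm_domainname` is not expanded locally but sent literally and expanded on the remote host, where it is presumably unset — the key would be written to `/etc/dovecot//imap/x509/key.pem`, not the path rule_dovecot_configure asserts on. The lines above it (`/etc/dovecot/'"$vm_domainname"'/imap/x509/.gitignore`) and the postfix counterpart (`'"'$vm_domainname'"'`) break out of the quotes correctly; use `/etc/dovecot/'"'$vm_domainname'"'/imap/x509/key.pem`. The remote script starts outside this hunk.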
@@ -154,35 +152,29 @@ rule_gitolite_configure () {
  }
 rule_nginx_key_send () {
        local -; set +f
-       for conf in "$tool"/etc/nginx/site.d/*/server.conf
+       for conf in "$tool"/etc/nginx/site.d/*/key_send
         do conf=${conf#"$tool"/etc/nginx/site.d/}
-               local port domain
-               IFS=. read -r port domain <<-EOF
-                       ${conf%\/server\.conf}
-                       EOF
-               assert 'test "${port:+set}"'
-               assert 'test "${domain:+set}"'
-               local site="$port.$domain"
-               case $port in
-                (443)
-                       rule ssh -l root ' \
-                               sudo install -d -m 770 -o root -g root \
-                                /etc/nginx \
-                                /etc/nginx/site.d \
-                                /etc/nginx/site.d/'"$site"' \
-                                /etc/nginx/site.d/'"$site"'/x509; \
-                               sudo install -m 644 -o root -g root /dev/stdin \
-                                /etc/nginx/site.d/'"$site"'/x509/.gitignore <<-EOF
-                                       key.pem
-                                       EOF
-                        '
-                       rule _x509_service_key_send_deciphered $service \
-                        /etc/nginx/"$site"/x509/key.pem -l root "$@"
-                       ;;
-                esac
+               local site=${conf%/key_send}
+               rule _x509_site_key_decrypt \
+                "$(cat "$tool"/etc/nginx/site.d/"$site"/key_send)" |
+               rule ssh -l root ' \
+                       sudo install -d -m 770 -o root -g root \
+                        /etc/nginx \
+                        /etc/nginx/x509.d \
+                        /etc/nginx/x509.d/'"'$site'"'; \
+                       sudo install -m 644 -o root -g root /dev/stdin \
+                        /etc/nginx/x509.d/'"'$site'"'/.gitignore <<-EOF
+                               key.pem
+                               EOF
+                       
+                       install -m 400 -o root -g root \
+                        /dev/stdin \
+                        /etc/nginx/x509.d/'"'$site'"'/key.pem
+                '
         done
  }
 rule_postfix_key_send () {
+       rule _x509_site_key_decrypt smtpd."$vm_domainname" |
        rule ssh -l root ' \
                sudo install -d -m 770 -o root -g root \
                 /etc/postfix/'"$vm_domainname"'/ \
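Review bot: `install -m 400 -o root -g root /dev/stdin /etc/nginx/x509.d/'"'$site'"'/key.pem` drops the `sudo` that the two `sudo install` lines just above it carry (rule_postfix_key_send's new install line has the same omission); under `ssh -l root` it is harmless, but the mixed style hides whether these scripts are meant to work for a non-root login, so either add `sudo` or drop it on all three lines. The `for conf in .../site.d/*/key_send` loop also has no guard for a non-matching glob (`set +f` is in effect), in which case `cat` is run on the literal pattern and an empty site name is passed to `_x509_site_key_decrypt`; a `test -r "$conf" || continue` at the top of the loop body would make that explicit. rule_postfix_key_send continues in the next hunk.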
@@ -196,9 +188,10 @@ rule_postfix_key_send () {
                 /etc/postfix/'"$vm_domainname"'/smtpd/x509/.gitignore <<-EOF
                        key.pem
                        EOF
+               install -m 400 -o root -g root \
+                /dev/stdin \
+                /etc/postfix/'"'$vm_domainname'"'/smtpd/x509/key.pem
         '
-       rule _x509_service_key_send_deciphered smtpd \
-        /etc/postfix/$vm_domainname/smtpd/x509/key.pem -l root "$@"
  }
 
 rule=${1:-help}