From: Julien Moutinho Date: Thu, 21 Mar 2013 10:36:48 +0000 (+0100) Subject: Correction : vm_{hosted,remote} : chemins et noms, suite. X-Git-Url: https://git.cyclocoop.org/?p=lhc%2Fateliers.git;a=commitdiff_plain;h=2d48a198262604098443c6a90e58b0084600a4d7 Correction : vm_{hosted,remote} : chemins et noms, suite. --- diff --git a/etc/init.d/tmpfs b/etc/init.d/tmpfs index fff6f88..df392b8 100755 --- a/etc/init.d/tmpfs +++ b/etc/init.d/tmpfs @@ -43,7 +43,8 @@ do_start() { /run/php5 \ /run/php5/fpm \ /run/shm/cache/php5 \ - /run/shm/cache/php5/fpm + /run/shm/cache/php5/fpm \ + /run/shm/tmp/php5 ! getent passwd gitweb >/dev/null || sudo install -d -m 770 -o gitweb -g gitweb \ diff --git a/etc/nginx/conf.d/fastcgi.conf b/etc/nginx/conf.d/fastcgi.conf index 57e350e..c7a736d 100644 --- a/etc/nginx/conf.d/fastcgi.conf +++ b/etc/nginx/conf.d/fastcgi.conf @@ -1,4 +1,4 @@ -# DOC: http://wiki.nginx.org/HttpFastcgiModule +## DOC: http://wiki.nginx.org/HttpFastcgiModule fastcgi_buffer_size 128k; fastcgi_buffers 4 256k; fastcgi_busy_buffers_size 256k; @@ -11,6 +11,7 @@ fastcgi_param CONTENT_TYPE $content_type; fastcgi_param DOCUMENT_ROOT $document_root; fastcgi_param DOCUMENT_URI $document_uri; fastcgi_param GATEWAY_INTERFACE CGI/1.1; +fastcgi_param HTTPS $https; fastcgi_param PATH_INFO $fastcgi_script_name; #fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info; fastcgi_param QUERY_STRING $query_string; @@ -19,7 +20,8 @@ fastcgi_param REMOTE_PORT $remote_port; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param REMOTE_USER $remote_user; fastcgi_param REQUEST_URI $request_uri; -fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; +#fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; +fastcgi_param SCRIPT_FILENAME $request_filename; fastcgi_param SCRIPT_NAME $fastcgi_script_name; fastcgi_param SERVER_ADDR $server_addr; fastcgi_param SERVER_NAME $server_name; 
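Review bot: The mode and owner that `install -d` applies to the new `/run/shm/tmp/php5` entry are set on a line before this hunk and cannot be checked here, yet `etc/php5/fpm/php.ini` in the same commit points `apc.mmap_file_mask` at this directory for every FPM pool that does not override it. The pools run as distinct users (`php5-lhc-git` and `php5-lhc-www` in the site `configure.sh` files), so a directory shared between them must be writable by all of them, presumably via a common group or mode 1777. Confirm it gets the sticky bit and that APC's mmap files are created without group/other read so one pool cannot map another pool's opcode cache, or give each pool its own subdirectory through a per-pool `php_admin_value[apc.mmap_file_mask]`. The enclosing `do_start()` function starts and ends outside the hunk.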
@@ -29,3 +31,5 @@ fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; fastcgi_read_timeout 180; fastcgi_send_timeout 180; fastcgi_temp_file_write_size 256k; +fastcgi_param REDIRECT_STATUS 200; + # NOTE: PHP only, required if PHP was built with --enable-force-cgi-redirect diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf index fc2e23d..f8d0328 100644 --- a/etc/nginx/nginx.conf +++ b/etc/nginx/nginx.conf @@ -1,3 +1,5 @@ +# DOC: http://blog.martinfjordvald.com/2010/07/nginx-primer/ +daemon on; events { multi_accept on; use epoll; @@ -7,7 +9,9 @@ http { log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for" nocache:$no_cache'; + '"$http_user_agent" "$http_x_forwarded_for" nocache:$no_cache document_root:$document_root' + ' fastcgi_script_name:$fastcgi_script_name' + ' request_filename:$request_filename'; access_log /var/log/nginx/access.log main buffer=32k; client_body_buffer_size 4K; # NOTE: % getconf PAGESIZE @@ -26,6 +30,7 @@ http { keys_zone=microcache:10m inactive=5m max_size=64m; + fastcgi_cache microcache; gzip on; gzip_buffers 16 8k; gzip_comp_level 6; diff --git a/etc/nginx/site.d/lhc-git-tls/listen.conf b/etc/nginx/site.d/lhc-git-tls/listen.conf deleted file mode 100644 index 2c4d6f6..0000000 --- a/etc/nginx/site.d/lhc-git-tls/listen.conf +++ /dev/null @@ -1 +0,0 @@ -listen 443; diff --git a/etc/nginx/site.d/lhc-git-tls/local.conf b/etc/nginx/site.d/lhc-git-tls/local.conf new file mode 100644 index 0000000..4b65307 --- /dev/null +++ b/etc/nginx/site.d/lhc-git-tls/local.conf @@ -0,0 +1,4 @@ +listen 443; +include /etc/nginx/conf.d/ssl.conf; +ssl_certificate /etc/nginx/x509.d/lhc-git-tls/crt.pem; +ssl_certificate_key /etc/nginx/x509.d/lhc-git-tls/key.pem; diff --git a/etc/nginx/site.d/lhc-git-tls/server.conf b/etc/nginx/site.d/lhc-git-tls/server.conf deleted file mode 100644 index 1426dea..0000000 
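Review bot: `fastcgi_cache microcache;` at `http` level turns the cache on for every `fastcgi_pass` in every server, not only the `@gitweb` and `\.php$` locations that carry the `fastcgi_no_cache`/`fastcgi_cache_bypass` logic; the git-http-backend location in `lhc-git/site.conf` has none of that and would rely solely on the backend's `Cache-Control: no-cache` to stay out of the cache. `fastcgi_cache_key` is not visible in this hunk; if it does not include `$scheme` and `$host`, the same key now serves the port-80 and port-443 servers, which differ at least in the `HTTPS` parameter added to `fastcgi.conf`. Prefer moving `fastcgi_cache microcache;` into the locations that opt in, or add `fastcgi_cache off;` to the git-http-backend location.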
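Review bot: `listen 443;` carries no `ssl` parameter, so whether this port speaks TLS depends entirely on `/etc/nginx/conf.d/ssl.conf` (not in this commit) containing `ssl on;`; if it does not, nginx serves plaintext HTTP on 443 and the two certificate directives are silently unused. `listen 443 ssl;` makes the intent explicit and works either way. Also `lhc-git/site.conf`, which this TLS server shares through the `site.conf` symlink, sets `ssl_session_timeout 5m;` — that belongs next to the other ssl directives here rather than in the file also included by the port-80 server.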
--- a/etc/nginx/site.d/lhc-git-tls/server.conf +++ /dev/null @@ -1,2 +0,0 @@ -include /etc/nginx/conf.d/ssl.conf; -include /etc/nginx/site.d/lhc-git-tls/server.conf; diff --git a/etc/nginx/site.d/lhc-git-tls/site.conf b/etc/nginx/site.d/lhc-git-tls/site.conf new file mode 120000 index 0000000..accacc0 --- /dev/null +++ b/etc/nginx/site.d/lhc-git-tls/site.conf @@ -0,0 +1 @@ +../lhc-git/site.conf \ No newline at end of file diff --git a/etc/nginx/site.d/lhc-git/configure.sh b/etc/nginx/site.d/lhc-git/configure.sh index f37b180..6983926 100644 --- a/etc/nginx/site.d/lhc-git/configure.sh +++ b/etc/nginx/site.d/lhc-git/configure.sh @@ -1,2 +1,4 @@ -sudo adduser php5-gitweb www-"$site" +sudo adduser php5-lhc-git www-"$site" +sudo adduser php5-lhc-git git-data +sudo adduser www-data git-data sudo adduser www-"$site"-tls www-"$site" diff --git a/etc/nginx/site.d/lhc-git/listen.conf b/etc/nginx/site.d/lhc-git/listen.conf deleted file mode 100644 index 56b9f1c..0000000 --- a/etc/nginx/site.d/lhc-git/listen.conf +++ /dev/null @@ -1 +0,0 @@ -listen 80; diff --git a/etc/nginx/site.d/lhc-git/local.conf b/etc/nginx/site.d/lhc-git/local.conf new file mode 100644 index 0000000..56b9f1c --- /dev/null +++ b/etc/nginx/site.d/lhc-git/local.conf @@ -0,0 +1 @@ +listen 80; diff --git a/etc/nginx/site.d/lhc-git/server.conf b/etc/nginx/site.d/lhc-git/server.conf deleted file mode 100644 index 49cbac3..0000000 --- a/etc/nginx/site.d/lhc-git/server.conf +++ /dev/null 
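Review bot: `sudo adduser www-data git-data` and `sudo adduser php5-lhc-git git-data` put the nginx worker and the gitweb FPM pool into the group that owns `/home/git/pub`, which `vm_hosted` in this commit creates with mode 3771 (group rwx), so both identities get write access to the repository root rather than the read access that serving clones needs. The group bits inside each repository depend on gitolite's `UMASK`, not visible here; confirm it yields read-only group bits (e.g. 0027), or keep the HTTP identities in a separate read-only group. The literal `php5-lhc-git` also sits next to a line that derives the name from `$site`; `php5-"$site"` keeps the two consistent.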
@@ -1,68 +0,0 @@ -client_body_buffer_size 8k; -client_max_body_size 10m; -location / { - index index.html index.htm index.php; - root /usr/share/gitweb; - } -location ~* ^.+.(css|gif|html|ico|jpeg|js|jpg|png|txt|xml)$ { - access_log off; - expires 30d; - log_not_found off; - } -location ~ /\. { - access_log off; - deny all; - log_not_found off; - } -location ~ ^.*\.git/objects/([0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx)) { - # NOTE: static repo files for cloning over HTTP - root /home/git/pub; - } -location ~ ^.*\.git/(HEAD|info/refs|objects/info/.*|git-(upload|receive)-pack)$ { - # NOTE: requests that need to go to git-http-backend - root /home/git/pub; - fastcgi_param GIT_HTTP_EXPORT_ALL ""; - fastcgi_param GIT_PROJECT_ROOT /home/git/pub/git; - fastcgi_param PATH_INFO $uri; - fastcgi_param REMOTE_USER $remote_user; - fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend; - } -location @gitweb { - include /etc/nginx/conf.d/fastcgi.conf; - set $no_cache ""; - if ($request_method !~ ^(GET|HEAD)$) { - # NOTE: if non GET/HEAD, don't cache and mark user as uncacheable for 1 second via cookie. - set $no_cache "1"; - } - if ($no_cache = "1") { - # NOTE: drop no cache cookie if need be (for some reason, add_header fails if included in prior if-block). - add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/"; - add_header X-Microcachable "0"; - } - if ($http_cookie ~* "_mcnc") { - # NOTE: bypass cache if no-cache cookie is set. 
- set $no_cache "1"; - } - fastcgi_cache_bypass $no_cache; - fastcgi_cache_use_stale updating; - fastcgi_cache_valid 200 10s; - fastcgi_cache_valid 404 30m; - fastcgi_ignore_headers Cache-Control Expires Set-Cookie; - fastcgi_max_temp_file_size 2M; - fastcgi_no_cache $no_cache; - fastcgi_param GITWEB_CONFIG /etc/gitweb/gitweb.conf; - fastcgi_param PATH_INFO $uri; - fastcgi_param SCRIPT_FILENAME /usr/share/gitweb/gitweb.cgi; - - fastcgi_pass_header Cookie; - fastcgi_pass_header Set-Cookie; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - - fastcgi_pass unix:/run/php5/fpm/gitweb; - } -ssl_session_timeout 5m; -try_files $uri @gitweb; - # NOTE: send anything else to gitweb if it's not a real file -server_name git.heureux-cyclage.org - -# vim: ft=sh diff --git a/etc/nginx/site.d/lhc-git/site.conf b/etc/nginx/site.d/lhc-git/site.conf new file mode 100644 index 0000000..930d973 --- /dev/null +++ b/etc/nginx/site.d/lhc-git/site.conf 
@@ -0,0 +1,70 @@ +server_name git.heureux-cyclage.org; + +client_body_buffer_size 8k; +client_max_body_size 10m; +location / { + index index.html index.htm index.php; + root /usr/share/gitweb; + } +location ~* ^.+.(css|gif|html|ico|jpeg|js|jpg|png|txt|xml)$ { + access_log off; + expires 30d; + log_not_found off; + } +location ~ /\. { + access_log off; + deny all; + log_not_found off; + } +location ~ ^.*\.git/objects/([0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx)) { + # NOTE: static repo files for cloning over HTTP + root /home/git/pub; + } +location ~ ^.*\.git/(HEAD|info/refs|objects/info/.*|git-(upload|receive)-pack)$ { + # NOTE: requests that need to go to git-http-backend + root /home/git/pub; + include /etc/nginx/conf.d/fastcgi.conf; + fastcgi_param GIT_HTTP_EXPORT_ALL ""; + fastcgi_param GIT_PROJECT_ROOT /home/git/pub/git; + fastcgi_param PATH_INFO $uri; + fastcgi_param REMOTE_USER $remote_user; + fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend; + } +location @gitweb { + include /etc/nginx/conf.d/fastcgi.conf; + set $no_cache "0"; + if ($request_method !~ ^(GET|HEAD)$) { + # NOTE: if non GET/HEAD, don't cache and mark user as uncacheable for 1 second via cookie. + set $no_cache "1"; + } + if ($no_cache = "1") { + # NOTE: drop no cache cookie if need be (for some reason, add_header fails if included in prior if-block). + add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/"; + add_header X-Microcachable "0"; + } + if ($http_cookie ~* "_mcnc") { + # NOTE: bypass cache if no-cache cookie is set. 
+ set $no_cache "1"; + } + fastcgi_cache_bypass $no_cache; + fastcgi_cache_use_stale updating; + fastcgi_cache_valid 200 10s; + fastcgi_cache_valid 404 30m; + fastcgi_ignore_headers Cache-Control Expires Set-Cookie; + fastcgi_max_temp_file_size 2M; + fastcgi_no_cache $no_cache; + fastcgi_param GITWEB_CONFIG /etc/gitweb/gitweb.conf; + fastcgi_param PATH_INFO $uri; + fastcgi_param SCRIPT_FILENAME /usr/share/gitweb/gitweb.cgi; + + fastcgi_pass_header Cookie; + fastcgi_pass_header Set-Cookie; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + + fastcgi_pass unix:/run/php5/fpm/gitweb; + } +ssl_session_timeout 5m; +try_files $uri @gitweb; + # NOTE: send anything else to gitweb if it's not a real file + +# vim: ft=sh diff --git a/etc/nginx/site.d/lhc-www-tls/configure.sh b/etc/nginx/site.d/lhc-www-tls/configure.sh index 50f5f51..4bc8526 100644 --- a/etc/nginx/site.d/lhc-www-tls/configure.sh +++ b/etc/nginx/site.d/lhc-www-tls/configure.sh @@ -1,9 +1,11 @@ #!/bin/sh set -e -f -u -x -sudo rmdir ~www-data/"$site" || true -sudo ln -fns "${site%-tls}" ~www-data/"$site" local hint="run vm_remote nginx_key_send before" assert "sudo test -f /etc/nginx/x509.d/\"$site\"/key.pem" hint sudo install -m 664 -o www -g www \ "$tool"/var/pub/x509/www.heureux-cyclage.org/crt+ca.pem \ /etc/nginx/x509.d/"$site"/crt.pem + +sudo rmdir ~www-data/"$site" || true +sudo ln -fns "${site%-tls}" ~www-data/"$site" + diff --git a/etc/nginx/site.d/lhc-www-tls/listen.conf b/etc/nginx/site.d/lhc-www-tls/listen.conf deleted file mode 100644 index 2c4d6f6..0000000 --- a/etc/nginx/site.d/lhc-www-tls/listen.conf +++ /dev/null @@ -1 +0,0 @@ -listen 443; diff --git a/etc/nginx/site.d/lhc-www-tls/local.conf b/etc/nginx/site.d/lhc-www-tls/local.conf new file mode 100644 index 0000000..6b94c2f --- /dev/null +++ b/etc/nginx/site.d/lhc-www-tls/local.conf 
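Review bot: The git-http-backend location forwards `REMOTE_USER $remote_user` while the server has no `auth_basic`, and nginx fills `$remote_user` from whatever `Authorization: Basic` header the client sends whether or not anything validated it; git-http-backend enables `receive-pack` whenever `REMOTE_USER` is non-empty, so an anonymous client can push to any repository the backend's user can write to, and `GIT_HTTP_EXPORT_ALL` exposes every repository under `GIT_PROJECT_ROOT`. Either add `auth_basic` and `auth_basic_user_file` to that location or drop the `REMOTE_USER` line so pushes stay disabled. Separately, that location has no `fastcgi_pass` of its own and the visible `fastcgi.conf` hunks supply none, so as written these URIs fall through to static serving from `/home/git/pub` rather than reaching the backend — and `fcgiwrap` is removed in `vm_hosted`, so it is unclear what would execute `git-http-backend`. The `@gitweb` socket `unix:/run/php5/fpm/gitweb` also still uses the old `gitweb` pool name while `configure.sh` now refers to `php5-lhc-git`; presumably the pool socket was not renamed, but worth confirming.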
@@ -0,0 +1,4 @@ +listen 443; +include /etc/nginx/conf.d/ssl.conf; +ssl_certificate /etc/nginx/x509.d/lhc-www-tls/crt.pem; +ssl_certificate_key /etc/nginx/x509.d/lhc-www-tls/key.pem; diff --git a/etc/nginx/site.d/lhc-www-tls/server.conf b/etc/nginx/site.d/lhc-www-tls/server.conf deleted file mode 100644 index f05ef5f..0000000 --- a/etc/nginx/site.d/lhc-www-tls/server.conf +++ /dev/null @@ -1,2 +0,0 @@ -include /etc/nginx/conf.d/ssl.conf; -include /etc/nginx/site.d/lhc-www-tls/server.conf; diff --git a/etc/nginx/site.d/lhc-www-tls/site.conf b/etc/nginx/site.d/lhc-www-tls/site.conf new file mode 120000 index 0000000..0d64512 --- /dev/null +++ b/etc/nginx/site.d/lhc-www-tls/site.conf @@ -0,0 +1 @@ +../lhc-www/site.conf \ No newline at end of file diff --git a/etc/nginx/site.d/lhc-www/configure.sh b/etc/nginx/site.d/lhc-www/configure.sh index fca7d99..052d4b9 100644 --- a/etc/nginx/site.d/lhc-www/configure.sh +++ b/etc/nginx/site.d/lhc-www/configure.sh @@ -1 +1,2 @@ +sudo adduser php5-lhc-www www-"$site" sudo adduser www-"$site"-tls www-"$site" diff --git a/etc/nginx/site.d/lhc-www/listen.conf b/etc/nginx/site.d/lhc-www/listen.conf deleted file mode 100644 index 56b9f1c..0000000 --- a/etc/nginx/site.d/lhc-www/listen.conf +++ /dev/null @@ -1 +0,0 @@ -listen 80; diff --git a/etc/nginx/site.d/lhc-www/local.conf b/etc/nginx/site.d/lhc-www/local.conf new file mode 100644 index 0000000..56b9f1c --- /dev/null +++ b/etc/nginx/site.d/lhc-www/local.conf @@ -0,0 +1 @@ +listen 80; diff --git a/etc/nginx/site.d/lhc-www/server.conf b/etc/nginx/site.d/lhc-www/server.conf deleted file mode 100644 index 5ff974d..0000000 --- a/etc/nginx/site.d/lhc-www/server.conf +++ /dev/null 
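Review bot: `listen 443;` lacks the `ssl` parameter, so whether this port actually speaks TLS depends on `/etc/nginx/conf.d/ssl.conf` (outside this commit) containing `ssl on;`; otherwise nginx answers plaintext HTTP on 443 and the two certificate directives are never used. `listen 443 ssl;` is explicit and independent of that include. `key.pem` being installed 0400 root:root by `vm_remote` is fine here, since the master process reads certificates before dropping privileges.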
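Review bot: `sudo adduser php5-lhc-www www-"$site"` gives the PHP-FPM pool membership in the group that owns `/home/www/pub/lhc-www`, which `vm_hosted` creates with mode 2770, so the interpreter can now write anywhere in its own document root; any upload or code-execution bug in the site then becomes a persistent webshell under a path that `location ~ \.php$` will execute. If the pool only needs to read the site, leave it out of this group and grant read through an ACL or `o+rx`; if it needs to write (uploads, cache), give it a dedicated subdirectory that the PHP location does not serve from. The literal `php5-lhc-www` also sits next to a line that derives the name from `$site`; `php5-"$site"` keeps them in step.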
@@ -1,47 +0,0 @@ -client_body_buffer_size 8k; -client_max_body_size 10m; -location / { - index index.html index.htm index.php; - } -location ~* ^.+.(css|gif|html|ico|jpeg|js|jpg|png|txt|xml)$ { - access_log off; - expires 30d; - log_not_found off; - } -location ~ /\. { - access_log off; - deny all; - log_not_found off; - } -location ~ \.php$ { - include /etc/nginx/conf.d/fastcgi.conf; - set $no_cache ""; - if ($request_method !~ ^(GET|HEAD)$) { - # NOTE: if non GET/HEAD, don't cache and mark user as uncacheable for 1 second via cookie. - set $no_cache "1"; - } - if ($no_cache = "1") { - # NOTE: drop no cache cookie if need be (for some reason, add_header fails if included in prior if-block). - add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/"; - add_header X-Microcachable "0"; - } - if ($http_cookie ~* "_mcnc") { - # NOTE: bypass cache if no-cache cookie is set - set $no_cache "1"; - } - fastcgi_cache_bypass $no_cache; - fastcgi_cache_use_stale updating; - fastcgi_cache_valid 200 10s; - fastcgi_cache_valid 404 30m; - fastcgi_ignore_headers Cache-Control Expires Set-Cookie; - fastcgi_max_temp_file_size 2M; - fastcgi_no_cache $no_cache; - fastcgi_pass_header Cookie; - fastcgi_pass_header Set-Cookie; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - - fastcgi_pass unix:/run/php5/fpm/lhc-www; - } -server_name www.heureux-cyclage.org heureux-cyclage.org; - -# vim: ft=sh diff --git a/etc/nginx/site.d/lhc-www/site.conf b/etc/nginx/site.d/lhc-www/site.conf new file mode 100644 index 0000000..a866306 --- /dev/null +++ b/etc/nginx/site.d/lhc-www/site.conf 
@@ -0,0 +1,49 @@ +server_name www.heureux-cyclage.org heureux-cyclage.org; + +client_body_buffer_size 8k; +client_max_body_size 10m; +location / { + root /home/www/pub/lhc-www; + index index.html index.htm index.php; + } +location ~* ^.+.(css|gif|html|ico|jpeg|js|jpg|png|txt|xml)$ { + access_log off; + expires 30d; + log_not_found off; + } +location ~ /\. { + access_log off; + deny all; + log_not_found off; + } +location ~ \.php$ { + include /etc/nginx/conf.d/fastcgi.conf; + set $no_cache "0"; + if ($request_method !~ ^(GET|HEAD)$) { + # NOTE: if non GET/HEAD, don't cache and mark user as uncacheable for 1 second via cookie. + set $no_cache "1"; + } + if ($no_cache = "1") { + # NOTE: drop no cache cookie if need be (for some reason, add_header fails if included in prior if-block). + add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/"; + add_header X-Microcachable "0"; + } + if ($http_cookie ~* "_mcnc") { + # NOTE: bypass cache if no-cache cookie is set + set $no_cache "1"; + } + fastcgi_cache_bypass $no_cache; + fastcgi_cache_use_stale updating; + fastcgi_cache_valid 200 10s; + fastcgi_cache_valid 404 10m; + fastcgi_ignore_headers Cache-Control Expires Set-Cookie; + fastcgi_max_temp_file_size 2M; + fastcgi_no_cache $no_cache; + fastcgi_pass_header Cookie; + fastcgi_pass_header Set-Cookie; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + + fastcgi_pass unix:/run/php5/fpm/lhc-www; + } + +# vim: ft=sh diff --git a/etc/php5/fpm/php.ini b/etc/php5/fpm/php.ini index 9f32597..00fc40d 100644 --- a/etc/php5/fpm/php.ini +++ b/etc/php5/fpm/php.ini @@ -11,7 +11,7 @@ apc.include_once_override = 0 apc.localcache = 1 apc.localcache.size = 256 apc.max_file_size = 1M -apc.mmap_file_mask = /tmp/apc.XXXXXX +apc.mmap_file_mask = /run/shm/tmp/php5/apc.XXXXXX apc.num_files_hint = 512 apc.optimization = 0 apc.report_autofilter = 0 diff --git a/etc/sv/git-daemon/log/run b/etc/sv/git-daemon/log/run index bcecd63..5314155 100755 --- a/etc/sv/git-daemon/log/run +++ b/etc/sv/git-daemon/log/run 
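Review bot: `location ~ \.php$` hands `$request_filename` (the SCRIPT_FILENAME now set in the included `fastcgi.conf`) to PHP-FPM without checking that the file exists, so with PHP's default `cgi.fix_pathinfo=1` a request for `/uploads/avatar.jpg/x.php` makes FPM walk back and execute `avatar.jpg` as PHP — a real problem for any site that accepts uploads under the document root. Add `try_files $uri =404;` as the first line of the location, or set `security.limit_extensions = .php` in the pool / `cgi.fix_pathinfo=0`. A second issue in the same block: `fastcgi_ignore_headers ... Set-Cookie` together with `fastcgi_cache_valid 200 10s` caches responses that carry `Set-Cookie` and replays them, cookie included, to other visitors for ten seconds; the `_mcnc` bypass only starts after a non-GET request, so a GET that starts a PHP session is cached with its session id. Either drop `Set-Cookie` from `fastcgi_ignore_headers`, or add `fastcgi_hide_header Set-Cookie;` and set `$no_cache` when `$http_cookie` contains the session cookie name.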
@@ -1,4 +1,5 @@ #!/bin/sh -efux user=git-daemon -install -d -m 770 -o log."$user" -g log."$user" /home/git/log/git-daemon/ -exec chpst -u log."$user" svlogd -tt /home/git/log/git-daemon/ +cd /home/git/log/git-daemon/ +exec chpst -u log-"$user":log-"$user" \ + /usr/bin/svlogd -tt /home/git/log/git-daemon/ diff --git a/etc/sv/git-daemon/run b/etc/sv/git-daemon/run index c994c65..05140d7 100755 --- a/etc/sv/git-daemon/run +++ b/etc/sv/git-daemon/run @@ -3,10 +3,9 @@ exec 2>&1 exec /usr/bin/chpst \ -u git-daemon:git-daemon \ /usr/bin/git daemon \ - --base-path=/home/git/pub/git \ - --interpolated-path=/home/git/srv/git/%H%D \ + --base-path=/home/git/pub \ + --interpolated-path=/home/git/srv/%H%D \ --reuseaddr \ - --syslog \ --user-path=pub/git \ --verbose \ -- \ diff --git a/etc/sv/nginx/configure b/etc/sv/nginx/configure deleted file mode 100755 index e95c7d7..0000000 --- a/etc/sv/nginx/configure +++ /dev/null @@ -1 +0,0 @@ -#!/bin/sh -efux diff --git a/etc/sv/nginx/log/run b/etc/sv/nginx/log/run deleted file mode 100644 index 2dd4ada..0000000 --- a/etc/sv/nginx/log/run +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh -efux -install -d -m 770 -o log.www -g log.www ~www/log/nginx/ -exec chpst -u log.www svlogd -tt ~www/log/nginx/ diff --git a/etc/sv/nginx/run b/etc/sv/nginx/run deleted file mode 100755 index 37dc216..0000000 --- a/etc/sv/nginx/run +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh -efux -exec 2>&1 -exec /usr/sbin/nginx diff --git a/vm_hosted b/vm_hosted index a75d9cb..31b4326 100755 --- a/vm_hosted +++ b/vm_hosted @@ -90,6 +90,12 @@ rule_apache2_configure () { # cependant l'usage de suexec impose des forks il semble.. # et mod_proxy_fcgi n'apparaît que dans apache 2.4 ; # donc pour l'instant : apache2-mpm-itk + sudo rm -rf \ + /etc/apache2/site.d + sudo install -d -m 770 -o www -g www \ + /etc/apache2 \ + /etc/apache2/site.d \ + /etc/apache2/x509.d cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF | ServerName "$vm_fqdn" EOF 
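Review bot: `--base-path=/home/git/pub` widens what `git://` clients can address from `/home/git/pub/git` to the whole `pub` tree, and elsewhere in this commit that directory becomes group-writable for `git-data`, which now includes `www-data` and the gitweb pool, so anything those identities drop under `pub` becomes reachable by the daemon. Whether it is actually served still depends on `git-daemon-export-ok` unless `--export-all` appears among the arguments after `--`, which are outside this hunk; please confirm it does not. Note that git-daemon applies `--interpolated-path` in preference to `--base-path` whenever the client sends a `host=` parameter (normal clients do), so the base path mainly matters for the `~user` form enabled by `--user-path=pub/git`. Dropping `--syslog` is fine here because `exec 2>&1` already routes stderr to svlogd.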
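Review bot: `sudo rm -rf /etc/apache2/site.d` runs unconditionally on every configure, and this same commit shows that directory used to hold the per-site `x509/key.pem` private keys pushed by `vm_remote`; the first run after this change deletes every live key on the host before the new `x509.d` layout is populated, so Apache cannot restart until `rule_apache2_key_send` is run again. Guard it with a migration step (move `site.d/*/x509` to `x509.d/*` first), or refuse to proceed when `x509.d/*/key.pem` is missing the way `lhc-www-tls/configure.sh` asserts for nginx. Separately, `install -d -m 770 -o www -g www /etc/apache2` hands the top-level Apache config directory to the unprivileged `www` identity (GNU `install -d` re-applies owner and mode to an existing directory); since Apache reads this tree as root, anyone who can act as `www` can drop a config that loads arbitrary modules or handlers as root, so `/etc/apache2` and `x509.d` should stay root-owned. `rule_apache2_configure` starts before this hunk.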
@@ -129,23 +135,23 @@ rule_apache2_configure () { sudo install -d -m 770 -o www-"$site" -g www-"$site" \ /etc/apache2 \ /etc/apache2/site.d/"$site" \ - /etc/apache2/site.d/"$site"/x509 \ - /etc/apache2/site.d/"$site"/x509/ca \ - /etc/apache2/site.d/"$site"/x509/empty \ - /etc/apache2/site.d/"$site"/x509/rvk \ - /etc/apache2/site.d/"$site"/x509/usr + /etc/apache2/x509.d/"$site" \ + /etc/apache2/x509.d/"$site"/ca \ + /etc/apache2/x509.d/"$site"/empty \ + /etc/apache2/x509.d/"$site"/rvk \ + /etc/apache2/x509.d/"$site"/usr sudo install -m 664 -o www -g www \ - "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \ - /etc/apache2/site.d/"$site"/x509/crt.self-signed.pem + "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \ + /etc/apache2/x509.d/"$site"/crt.self-signed.pem #sudo install -m 664 -o www-"$site" -g www-"$site" \ # "$tool"/var/pub/x509/"$site"/rvk.pem \ - # /etc/apache2/site.d/"$site"/x509/rvk.pem + # /etc/apache2/x509.d/"$site"/rvk.pem sudo install -m 664 -o www -g www \ "$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \ - /etc/apache2/site.d/"$site"/x509/ca/crt.pem + /etc/apache2/x509.d/"$site"/ca/crt.pem sudo install -m 664 -o www -g www \ - "$tool"/var/pub/x509/"$site"/crt.pem \ - /etc/apache2/site.d/"$site"/x509/crt.pem + "$tool"/var/pub/x509/"$site"/crt.pem \ + /etc/apache2/x509.d/"$site"/crt.pem ;; esac case $site in 
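Review bot: `/etc/apache2/x509.d/$site` and its `ca/`, `usr/` and `rvk/` subdirectories are created `-m 770 -o www-$site -g www-$site`, and the next hunk uses `usr/` as `SSLCACertificatePath` and `rvk/` as `SSLCARevocationPath`; if `www-$site` is also the identity mpm-itk runs the site's code as (the comment earlier in this function suggests that setup), a compromised site can add a CA that Apache will accept for client-certificate authentication or delete a revocation entry. `key.pem` is installed 0400 root:root by `vm_remote`, but a writable parent directory still lets that user rename or replace it. Since Apache reads this tree as root at startup and the certificate installs here run under `sudo`, `sudo install -d -m 750 -o root -g root` works for the whole `x509.d` tree. The `/etc/apache2` entry at the top of the same `install -d` list re-chowns the top-level config directory to the site user on every iteration and should be dropped.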
@@ -162,16 +168,16 @@ rule_apache2_configure () { ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60" #ErrorLog "/dev/null" LogLevel Warn - SSLCACertificateFile /etc/apache2/site.d/$site/x509/crt.self-signed.pem - SSLCACertificatePath /etc/apache2/site.d/$site/x509/usr/ - #SSLCARevocationFile /etc/apache2/site.d/$site/x509/rvk.pem - SSLCADNRequestFile /etc/apache2/site.d/$site/x509/crt.self-signed.pem - SSLCADNRequestPath /etc/apache2/site.d/$site/x509/empty/ + SSLCACertificateFile /etc/apache2/x509.d/$site/crt.self-signed.pem + SSLCACertificatePath /etc/apache2/x509.d/$site/usr/ + #SSLCARevocationFile /etc/apache2/x509.d/$site/rvk.pem + SSLCADNRequestFile /etc/apache2/x509.d/$site/crt.self-signed.pem + SSLCADNRequestPath /etc/apache2/x509.d/$site/empty/ # NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés - SSLCARevocationPath /etc/apache2/site.d/$site/x509/rvk/ - SSLCertificateChainFile /etc/apache2/site.d/$site/x509/ca/crt.pem - SSLCertificateFile /etc/apache2/site.d/$site/x509/crt.pem - SSLCertificateKeyFile /etc/apache2/site.d/$site/x509/key.pem + SSLCARevocationPath /etc/apache2/x509.d/$site/rvk/ + SSLCertificateChainFile /etc/apache2/x509.d/$site/ca/crt.pem + SSLCertificateFile /etc/apache2/x509.d/$site/crt.pem + SSLCertificateKeyFile /etc/apache2/x509.d/$site/key.pem SSLCipherSuite AES+RSA+SHA256 SSLEngine On SSLInsecureRenegotiation Off @@ -487,6 +493,7 @@ rule_gitolite_configure () { rule adduser git \ --disabled-password \ --group \ + --home /home/git \ --shell /bin/bash \ --system sudo chfn --full-name git git @@ -494,7 +501,14 @@ rule_gitolite_configure () { --disabled-login \ --disabled-password \ --group \ - --home ~git/log \ + --home /home/git/log \ + --shell /bin/false \ + --system + rule adduser git-data\ + --disabled-login \ + --disabled-password \ + --group \ + --home /home/git/pub \ --shell /bin/false \ --system rule adduser git-daemon\ 
@@ -504,24 +518,40 @@ rule_gitolite_configure () { --home /home/git/pub \ --shell /bin/false \ --system + rule adduser log-git-daemon\ + --disabled-login \ + --disabled-password \ + --group \ + --home /home/git/log/git-daemon \ + --shell /bin/false \ + --system + sudo adduser git git-data + sudo adduser git-daemon git-data + sudo adduser log-git log-git-daemon sudo install -d -m 770 -o git -g git \ /etc/gitolite \ - ~git/etc \ - ~git/etc/ssh \ - ~git/pub - sudo install -d -m 770 -o log-git -g log-git \ - ~git/log \ - ~git/log/gitolite \ - ~git/log/gitolite/perf + /home/git/etc \ + /home/git/etc/ssh + sudo install -d -m 751 -o git -g git \ + /home/git + sudo install -d -m 3771 -o git-data -g git-data \ + /home/git/pub + sudo install -d -m 1771 -o git -g git \ + /home/git/log + sudo install -d -m 2770 -o git -g log-git \ + /home/git/log/gitolite \ + /home/git/log/gitolite/perf + sudo install -d -m 770 -o log-git-daemon -g log-git-daemon \ + /home/git/log/git-daemon sudo install -d -m 550 -o www-lhc-git -g www-lhc-git \ /etc/gitweb \ /etc/gitweb/cgi - sudo ln -fns /etc/gitolite ~git/etc/gitolite - sudo ln -fns /etc/gitweb ~git/etc/gitweb - sudo ln -fns etc/gitolite/gitolite.rc ~git/.gitolite.rc - sudo ln -fns etc/ssh ~git/.ssh + sudo ln -fns /etc/gitolite /home/git/etc/gitolite + sudo ln -fns /etc/gitweb /home/git/etc/gitweb + sudo ln -fns etc/gitolite/gitolite.rc /home/git/.gitolite.rc + sudo ln -fns etc/ssh /home/git/.ssh sudo install -m 770 -o git -g git /dev/stdin \ - ~git/etc/gitolite/gitolite.rc <<-EOF + /home/git/etc/gitolite/gitolite.rc <<-EOF #\$ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary"; #\$BIG_INFO_CAP = 20; #\$ENV{GL_SLAVES} = 'gitolite@server2 gitolite@server3'; 
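Review bot: `install -d -m 3771 -o git-data -g git-data /home/git/pub` gives group `git-data` write access, and the `adduser` lines just above put `git` and `git-daemon` (plus `www-data` and `php5-lhc-git` via `lhc-git/configure.sh`) into that group; of these only gitolite, running as `git`, has any reason to create or modify repositories, while the daemon and the web stack only read them. Owning the directory by `git` with a read-only group — `sudo install -d -m 2755 -o git -g git-data /home/git/pub`, or `2750` if `other` must stay out — keeps the consumers from writing into the repository root, and the setgid bit still makes new repositories group-readable provided gitolite's `UMASK` (in the `gitolite.rc` heredoc, not visible here) permits group read. `1771` on `/home/git/log` has the same shape, granting group `git` write on a directory whose subdirectories belong to `log-git`; `2750 -o log-git -g git` would be tighter if `git` only needs to traverse it.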
@@ -566,7 +596,7 @@ rule_gitolite_configure () { 1; EOF sudo install -m 740 -o git -g www-lhc-git /dev/stdin \ - ~git/etc/gitweb/gitweb.conf <<-EOF + /home/git/etc/gitweb/gitweb.conf <<-EOF \$commit_oneline_message_width = 70; \$default_projects_order = 'age'; \$default_text_plain_charset = 'UTF-8'; @@ -598,15 +628,15 @@ rule_gitolite_configure () { EOF sudo install -m 600 -o git -g git \ "$tool"/var/pub/ssh/git.key \ - ~git/etc/ssh/git.pub + /home/git/etc/ssh/git.pub sudo -u git \ GL_RC=/home/git/etc/gitolite/gitolite.rc \ GIT_AUTHOR_NAME=git \ - gl-setup -q ~git/etc/ssh/git.pub git + gl-setup -q /home/git/etc/ssh/git.pub git local d for d in doc logs src - do test ! -d ~git/etc/gitolite/"$d" || - rmdir ~git/etc/gitolite/"$d" + do test ! -d /home/git/etc/gitolite/"$d" || + rmdir /home/git/etc/gitolite/"$d" done rule apt_get_install gitweb highlight sudo service tmpfs restart @@ -829,9 +859,9 @@ rule_nginx_configure () { "$tool"/etc/nginx/conf.d/"$conf" \ /etc/nginx/conf.d/"$conf" done - for conf in "$tool"/etc/nginx/site.d/*/server.conf + for conf in "$tool"/etc/nginx/site.d/*/site.conf do conf=${conf#"$tool"/etc/nginx/site.d/} - local site="${conf%/server.conf}" + local site="${conf%/site.conf}" rule adduser www-"$site" \ --disabled-login \ --disabled-password \ 
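Review bot: `install -m 600 -o git -g git "$tool"/var/pub/ssh/git.key /home/git/etc/ssh/git.pub` installs a file named `git.key` under the name `git.pub` and then feeds it to `gl-setup` as the gitolite admin public key; the two names contradict each other, and if `git.key` ever is the private half it ends up in the host's `etc/ssh` directory and in gitolite's `keydir`. Confirm it is a public key (`ssh-keygen -l -f` on it) and rename the source to `git.pub`, or add a guard before the install such as `assert 'grep -q "^ssh-" "$tool"/var/pub/ssh/git.key'`, the way `lhc-www-tls/configure.sh` asserts on its key file. Mode 600 on a public key is harmless, but 644 would avoid it looking like a secret.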
@@ -853,23 +883,26 @@ rule_nginx_configure () { sudo install -d -m 770 -o www -g www \ /etc/nginx/x509.d/"$site" test -L /home/www/pub/"$site" || - sudo install -d -m 3770 -o www-"$site" -g www-"$site" \ + sudo install -d -m 2770 -o www-"$site" -g www-"$site" \ /home/www/pub/"$site" sudo adduser www-data www-"$site" sudo adduser www-data log-www-"$site" + sudo install -m 660 -o www -g www \ + "$tool"/etc/nginx/site.d/"$site"/local.conf \ + /etc/nginx/site.d/"$site"/local.inc + sudo install -m 660 -o www -g www \ + "$tool"/etc/nginx/site.d/"$site"/site.conf \ + /etc/nginx/site.d/"$site"/site.inc sudo install -m 660 -o www -g www /dev/stdin \ /etc/nginx/site.d/"$site"/server.conf <<-EOF server { access_log /home/www/log/$site/nginx/access.log main; error_log /home/www/log/$site/nginx/error.log warn; root /home/www/pub/$site; - ssl_certificate /etc/nginx/x509.d/$site/crt.pem; - ssl_certificate_key /etc/nginx/x509.d/$site/key.pem; - $(cat "$tool"/etc/nginx/site.d/"$site"/listen.conf) - $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf) + include /etc/nginx/site.d/$site/local.inc; + include /etc/nginx/site.d/$site/site.inc; } EOF - test -d /home/www/pub/"$site" -o -L /home/www/pub/"$site" || test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh || . "$tool"/etc/nginx/site.d/"$site"/configure.sh done @@ -877,9 +910,14 @@ rule_nginx_configure () { sudo insserv --remove fcgiwrap sudo insserv --remove nginx rule tmpfs_configure - case $(sv status nginx) in - (run:*) sudo sv restart nginx - esac + sudo service php5-fpm restart + # NOTE: relance les processus du pool + # pour leur donner les droits + # de leurs groupes supplémentaires. + sudo service nginx restart + #case $(sv status nginx) in + # (run:*) sudo sv restart nginx + # esac } rule_php5_fpm_configure () { local -; set +f 
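Review bot: The generated `server.conf` and the copied `local.inc`/`site.inc` are installed `-m 660 -o www -g www`, and nginx's root master process includes them at startup; anyone in group `www` can therefore edit a vhost and steer where `fastcgi_pass` sends requests, or add directives that root will act on. Unless `www` is a trusted deploy account, install config `-m 640 -o root -g www` (or 644 root:root); the `x509.d/$site` directory created 770 `www:www` on the context line above has the same shape. Dropping the `test -d /home/www/pub/"$site" -o -L ...` guard means `configure.sh` now runs on every iteration, and those scripts use `set -e -f -u -x` while being sourced with `.`, so their options leak into `rule_nginx_configure`; the `local -; set +f` pattern used in `rule_php5_fpm_configure` just below would contain that. Finally, `3770 → 2770` on `/home/www/pub/$site` drops the sticky bit, so every member of `www-$site` (now including the FPM pool per `lhc-www/configure.sh`) can delete files created by others — presumably intended, but worth a comment on the line.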
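Review bot: `sudo service nginx restart` now runs unconditionally on every configure, whereas the old `sv restart` was gated on the service already running; a syntax error in the freshly generated `server.conf` or `*.inc` takes every site down instead of leaving the old workers serving. Validate first and prefer `reload`: the master re-reads the config and spawns fresh workers, and supplementary groups are applied when each worker is spawned, so a reload already picks up the new group memberships the comment mentions — the same holds for `php5-fpm`, whose pool children are re-forked on reload. Concretely: `sudo nginx -t && sudo service nginx reload` and `sudo php5-fpm -t && sudo service php5-fpm reload`.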
@@ -938,7 +976,7 @@ rule_php5_fpm_configure () { --disabled-password \ --group \ --no-create-home \ - --home /home/www/log/php5/fpm \ + --home /home/www/log/php5/fpm/"$pool" \ --shell /bin/false \ --system sudo install -d -m 770 -o log-php5 -g log-php5 \ @@ -1278,7 +1316,7 @@ rule_user_configure () { LAST_SYSTEM_UID=999 LAST_UID=29999 LETTERHOMES=no - NAME_REGEX="^[a-z][-a-z0-9_.]*\$" + NAME_REGEX="^[a-z][-a-z0-9_]*\$" QUOTAUSER="" # TODO: init SETGID_HOME=no SKEL=/etc/skel diff --git a/vm_remote b/vm_remote index 37e6dc1..c167f30 100755 --- a/vm_remote +++ b/vm_remote 
@@ -94,33 +94,24 @@ rule_luks_key_backup () { # SYNTAX: ${gpg_options:---recipient $USER@} DESCRIPTI rule_apache2_key_send () { local -; set +f - for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf - do conf=${conf#"$tool"/etc/apache2/site.d/} - local port domain - IFS=. read -r port domain <<-EOF - ${conf%/VirtualHost.conf} - EOF - assert 'test "${port:+set}"' - assert 'test "${domain:+set}"' - local site="$port.$domain" - case $port in - (443) - rule _x509_site_key_decrypt "$domain" | - rule ssh -l root ' \ - sudo install -d -m 770 -o '"$user"' -g '"$user"' \ - /etc/apache2 \ - /etc/apache2/site.d/'"$site"' \ - /etc/apache2/site.d/'"$site"'/x509; \ - sudo install -m 644 -o '"$user"' -g '"$user"' /dev/stdin \ - /etc/apache2/site.d/'"$site"'/x509/.gitignore <<-EOF - key.pem - EOF - sudo install -m 400 -o root -g root \ - /dev/stdin \ - /etc/apache2/'"'$site'"'/x509/key.pem - ' - ;; - esac + for conf in "$tool"/etc/nginx/site.d/*/key_send + do conf=${conf#"$tool"/etc/nginx/site.d/} + local site=${conf%/key_send} + rule _x509_site_key_decrypt \ + "$(cat "$tool"/etc/apache2/site.d/"$site"/key_send)" | + rule ssh -l root ' \ + sudo install -d -m 770 -o '"$user"' -g '"$user"' \ + /etc/apache2 \ + /etc/apache2/x509.d \ + /etc/apache2/x509.d/'"$site"'; \ + sudo install -m 644 -o '"$user"' -g '"$user"' /dev/stdin \ + /etc/apache2/x509.d/'"$site"'/.gitignore <<-EOF + key.pem + EOF + sudo install -m 400 -o root -g root \ + /dev/stdin \ + /etc/apache2/x509.d/'"'$site'"'/key.pem + ' done } rule_dovecot_key_send () { @@ -166,8 +157,7 @@ rule_nginx_key_send () { /etc/nginx/x509.d/'"'$site'"'/.gitignore <<-EOF key.pem EOF - - install -m 400 -o root -g root \ + sudo install -m 400 -o root -g root \ /dev/stdin \ /etc/nginx/x509.d/'"'$site'"'/key.pem '
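Review bot: The loop globs `"$tool"/etc/nginx/site.d/*/key_send` but then reads `"$tool"/etc/apache2/site.d/"$site"/key_send` — one of the two trees is wrong, and this looks like a copy of `rule_nginx_key_send` with the glob left pointing at nginx. When the apache2 file is missing, `$(cat ...)` yields an empty string, `rule _x509_site_key_decrypt ""` runs with no site name, and whatever it prints is piped over ssh into `install -m 400 ... key.pem`, so a decrypt failure produces an empty or wrong key on the remote rather than an error (and `set -e`, if in effect, does not catch the left side of a pipe without `pipefail`). Make both paths agree, e.g. `for conf in "$tool"/etc/apache2/site.d/*/key_send`, and add `assert 'test -r "$tool"/etc/apache2/site.d/"$site"/key_send'` before decrypting. The `sudo` inside the `ssh -l root` command is redundant but harmless.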