From: Julien Moutinho Date: Fri, 12 Apr 2013 07:52:21 +0000 (+0200) Subject: Modification : vm_hosted -> etc/sv/*/configure.sh . X-Git-Url: https://git.cyclocoop.org/?p=lhc%2Fateliers.git;a=commitdiff_plain;h=5ce6d51b9c15b2e316d60fad4ecfa1ea1b32bf7b Modification : vm_hosted -> etc/sv/*/configure.sh .
---
diff --git a/TODO b/TODO
index 08d133c..e7662ed 100644
--- a/TODO
+++ b/TODO
@@ -4,9 +4,9 @@
 - quota : configurer
 - sftp : configurer
 - fail2ban : configurer
-- ferm/shorewall (pare-feu) : configurer
 - agendav/caldavzap + davical
 - sympa
 - gitolite : rationalisation des adresses de notification dans hooks.mailinglist
 - ansible ?
 - varnish ?
+- munin, monit, check_mk
diff --git a/etc/mysql/bin/createdb b/etc/mysql/bin/createdb
new file mode 100755
index 0000000..582051b
--- /dev/null
+++ b/etc/mysql/bin/createdb
@@ -0,0 +1,9 @@
+#!/bin/sh -eux
+db="$1"
+user="$2"
+sudo -u mysql mysql --batch <<-EOF
+ DROP DATABASE IF EXISTS $db;
+ CREATE DATABASE $db CHARACTER SET utf8 COLLATE utf8_general_ci;
+ GRANT ALL PRIVILEGES ON $base.* TO '$user'@'localhost' IDENTIFIED WITH auth_socket;
+ FLUSH PRIVILEGES;
+ EOF
diff --git a/etc/mysql/bin/createuser b/etc/mysql/bin/createuser
new file mode 100755
index 0000000..bf58fea
--- /dev/null
+++ b/etc/mysql/bin/createuser
@@ -0,0 +1,8 @@
+#!/bin/sh -eux
+user="$1"
+sudo mysql -u mysql --batch <<-EOF || true
+ DROP USER '$user'@'localhost';
+ EOF
+sudo mysql -u mysql --batch <<-EOF
+ CREATE USER '$user'@'localhost' IDENTIFIED WITH auth_socket;
+ EOF
diff --git a/etc/sv/cyclo_paris_est__openerp/configure.sh b/etc/sv/cyclo_paris_est__openerp/configure.sh
new file mode 100644
index 0000000..33d826f
--- /dev/null
+++ b/etc/sv/cyclo_paris_est__openerp/configure.sh
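Review bot: The GRANT line in createdb expands `$base`, which is never assigned — under `sh -eu` that makes the heredoc expansion fail before the mysql client even runs, so the script exits non-zero without granting anything; it should read `GRANT ALL PRIVILEGES ON $db.* TO '$user'@'localhost' IDENTIFIED WITH auth_socket;`. Both arguments are spliced into SQL unquoted, so a name containing a space, backtick or `;` rewrites the statement; MySQL identifiers cannot be parameterised, so reject anything outside `[A-Za-z0-9_]` up front, e.g. `case $db$user in (*[!A-Za-z0-9_]*) exit 1;; esac`, and backtick-quote `$db`. The unconditional `DROP DATABASE IF EXISTS $db` also turns a typo in the first argument into data loss; a confirmation or an explicit `--force` flag is the usual guard for a tool like this.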
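Review bot: createuser connects as `sudo mysql -u mysql` (OS user root, MySQL account mysql) whereas createdb and etc/sv/mysql/configure.sh in this same commit use `sudo -u mysql mysql`; with `auth_socket` the peer's OS user must match the MySQL account, so the root-invoked form is likely to be refused — align it to `sudo -u mysql mysql --batch <<-EOF` on both heredocs. The `|| true` on the DROP USER block then also hides that refused connection, so the first real error only surfaces on the CREATE USER that follows. As in createdb, `$user` goes into SQL unverified; `case $user in (*[!A-Za-z0-9_]*) exit 1;; esac` before the first heredoc closes that. Which OS user the `mysql`@`localhost` account is bound to is not visible here, so confirm before changing.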
@@ -0,0 +1,48 @@ +home=/home/"$sv" + +rule runit_sv_configure postgres +rule runit_sv_start postgres + +while ! sudo -u postgres psql /dev/null || -adduser "$sv" \ - --disabled-login \ - --disabled-password \ - --group \ - --home "$home" \ - --shell /bin/false \ - --system -getent passwd "$sv" >/dev/null || -adduser "$sv"-addon \ - --disabled-login \ - --disabled-password \ - --group \ - --home "$home"/addon.d \ - --shell /bin/false \ - --system - -install -d -m 710 -o root -g "$sv" \ - /etc/sv/"$sv" \ - /etc/sv/"$sv"/supervise -install -d -m 3771 -o "$sv" -g "$sv" \ - "$home" -install -d -m 2770 -o "$sv" -g "$sv"-addon \ - "$home"/addon.d -install -d -m 750 -o "$sv" -g "$sv" \ - "$home"/etc \ - /etc/openerp/"$sv" -ln -fns \ - /etc/openerp/"$sv" \ - "$home"/etc/openerp - -adduser git "$sv"-addon -adduser "$sv" "$sv"-addon -adduser "$sv" postgres-data - for addon in \ bikecoop \ bikecoop_l10n_fr \ diff --git a/etc/sv/git-daemon/configure.sh b/etc/sv/git-daemon/configure.sh new file mode 100644 index 0000000..6d3f8aa --- /dev/null +++ b/etc/sv/git-daemon/configure.sh @@ -0,0 +1,21 @@ +home=~git/daemon +rule adduser "$sv"\ + --disabled-login \ + --disabled-password \ + --group \ + --home "$home" \ + --shell /bin/false \ + --system + +sudo install -d -m 770 -o git -g "$sv" \ + "$home" + +sudo adduser "$sv" git-data + +sudo ln -fns \ + ../pub \ + "$home"/git.$vm_domainname +sudo ln -fns \ + ../pub \ + "$home"/burette.$vm_domainname + # NOTE : rétro-compatibilité diff --git a/etc/sv/git-daemon/run b/etc/sv/git-daemon/run index 9b627bf..07ff0a3 100755 --- a/etc/sv/git-daemon/run +++ b/etc/sv/git-daemon/run 
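Review bot: The empty-domainname guard that git-daemon/run used to carry (`case ${domainname-} in (""|"(none)") false;; esac`) has no counterpart in the new git-daemon/configure.sh, so an unset or empty `$vm_domainname` makes the two `ln -fns` calls silently create `git.` and `burette.` links instead of failing. This commit already uses the idiom for exactly that in php5-fpm/configure.sh (`assert 'test "${pool:+set}"'`); add `assert 'test "${vm_domainname:+set}"'` before the links, and quote the expansions as `"$home"/git."$vm_domainname"` so a value with whitespace cannot split into extra arguments. Both link targets leave `$vm_domainname` unquoted as written.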
@@ -1,33 +1,7 @@
 #!/bin/sh -eux
 exec 2>&1
 sv=${PWD#/etc/sv/}
-home=~git/daemon
-domainname=$(domainname)
-case ${domainname-} in
- (""|"(none)") false;;
- esac
-
-getent passwd "$sv" >/dev/null ||
-adduser "$sv"\
- --disabled-login \
- --disabled-password \
- --group \
- --home "$home" \
- --shell /bin/false \
- --system
-
-install -d -m 770 -o git -g "$sv" \
- "$home"
-
-adduser "$sv" git-data
-
-ln -fns \
- ../pub \
- "$home"/git.$domainname
-ln -fns \
- ../pub \
- "$home"/burette.$domainname
- # NOTE : rétro-compatibilité
+eval "home=~$sv"
 
 exec /usr/bin/chpst \
 -u "$sv":"$sv":git-data \
diff --git a/etc/sv/gitweb/configure.sh b/etc/sv/gitweb/configure.sh
new file mode 100644
index 0000000..ce7f920
--- /dev/null
+++ b/etc/sv/gitweb/configure.sh
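Review bot: `eval "home=~$sv"` builds shell code from a directory name to obtain tilde expansion; `$sv` comes from `$PWD` under /etc/sv so it is not attacker-controlled today, but a future service name containing a quote, `$` or `;` would be executed rather than expanded, and when the account does not exist the tilde is left as the literal `~git-daemon` without any error. The same lookup works without eval: `home=$(getent passwd "$sv" | cut -d: -f6)` followed by `test "${home:+set}"`, which fails the run script under `-e` instead of starting the daemon with a bogus home. The `chpst` invocation that consumes `$home` continues outside the hunk.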
@@ -0,0 +1,53 @@ +home=~git-data +rule adduser fcgi-"$sv" \ + --disabled-login \ + --disabled-password \ + --group \ + --home "$home" \ + --shell /bin/false \ + --system + +sudo adduser fcgi-"$sv" www-"$sv" +sudo adduser fcgi-"$sv" git-data + +sudo install -d -m 2750 -o git -g fcgi-"$sv" \ + /etc/gitweb +sudo install -m 400 -o fcgi-"$sv" -g fcgi-"$sv" /dev/stdin \ + /etc/gitweb/gitweb.conf <<-EOF + \$commit_oneline_message_width = 70; + \$default_projects_order = 'project'; + \$default_text_plain_charset = 'UTF-8'; + @diff_opts = (); + \$favicon = "static/git-favicon.png"; + \$feature{'highlight'}{'default'} = [1]; + \$git_temp = "/run/shm/tmp/gitweb"; + \$home_text = "/etc/gitweb/home_text.html"; + \$home_link = "/"; + \$home_link_str = 'dépôts'; + \$home_th_age = 'activité'; + \$home_th_descr = 'description'; + \$home_th_owner = 'contact'; + \$home_th_project = 'dépôt'; + \$javascript = "static/gitweb.js"; + \$logo = "static/git-logo.png"; + \$my_uri = ""; + \$projectroot = "/home/git/pub"; + \$projects_list = "/etc/gitweb/projects.list"; + \$projects_list_description_width = 42; + \$projects_list_owner_width = 15; + \$search_str = "Filtre :"; + \$site_footer = "/etc/gitweb/site_footer.html"; + \$site_header = "/etc/gitweb/site_header.html"; + \$site_name = "git.$vm_domainname"; + @stylesheets = ("static/gitweb.css");# + EOF +sudo install -m 400 -o fcgi-"$sv" -g fcgi-"$sv" /dev/stdin \ + /etc/gitweb/home_text.html <<-EOF +

Forge logicielle publique de l'Heureux Cyclage

+

Pour récupérer un dépôt public :

+
git clone git://git.heureux-cyclage.org/<projet>
+ EOF + +sudo ln -fns \ + /etc/gitweb \ + ~git/etc/gitweb diff --git a/etc/sv/gitweb/run b/etc/sv/gitweb/run index 48f26ec..0dc098f 100755 --- a/etc/sv/gitweb/run +++ b/etc/sv/gitweb/run @@ -1,65 +1,6 @@ #!/bin/sh -eux exec 2>&1 sv=${PWD#/etc/sv/} -home=~git-data -domainname=$(domainname) -case ${domainname-} in - (""|"(none)") false;; - esac - -getent passwd fcgi-"$sv" >/dev/null || -adduser fcgi-"$sv" \ - --disabled-login \ - --disabled-password \ - --group \ - --home "$home" \ - --shell /bin/false \ - --system - -adduser fcgi-"$sv" www-"$sv" -adduser fcgi-"$sv" git-data - -install -d -m 2750 -o git -g fcgi-"$sv" \ - /etc/gitweb -install -m 400 -o fcgi-"$sv" -g fcgi-"$sv" /dev/stdin \ - /etc/gitweb/gitweb.conf <<-EOF - \$commit_oneline_message_width = 70; - \$default_projects_order = 'project'; - \$default_text_plain_charset = 'UTF-8'; - @diff_opts = (); - \$favicon = "static/git-favicon.png"; - \$feature{'highlight'}{'default'} = [1]; - \$git_temp = "/run/shm/tmp/gitweb"; - \$home_text = "/etc/gitweb/home_text.html"; - \$home_link = "/"; - \$home_link_str = 'dépôts'; - \$home_th_age = 'activité'; - \$home_th_descr = 'description'; - \$home_th_owner = 'contact'; - \$home_th_project = 'dépôt'; - \$javascript = "static/gitweb.js"; - \$logo = "static/git-logo.png"; - \$my_uri = ""; - \$projectroot = "/home/git/pub"; - \$projects_list = "/etc/gitweb/projects.list"; - \$projects_list_description_width = 42; - \$projects_list_owner_width = 15; - \$search_str = "Filtre :"; - \$site_footer = "/etc/gitweb/site_footer.html"; - \$site_header = "/etc/gitweb/site_header.html"; - \$site_name = "git.$domainname"; - @stylesheets = ("static/gitweb.css");# - EOF -sudo install -m 400 -o fcgi-"$sv" -g fcgi-"$sv" /dev/stdin \ - /etc/gitweb/home_text.html <<-EOF -
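Review bot: The clone URL in home_text.html hardcodes `git.heureux-cyclage.org` while gitweb.conf, written a few lines above in the same hunk, derives `$site_name = "git.$vm_domainname"`, so a host configured under any other domain advertises an address it does not serve; the heredoc is unquoted, so `git clone git://git.$vm_domainname/<projet>` expands correctly there. Separately, `$git_temp = "/run/shm/tmp/gitweb"` points gitweb's scratch directory under /run/shm/tmp, which sshd/run creates with mode 1777 on every boot; unless gitweb itself creates that subdirectory with a private mode (not visible here), any local user can pre-create `/run/shm/tmp/gitweb` and own the directory the fcgi worker writes into, so creating it as `fcgi-"$sv"` with mode 700 from gitweb/run would remove the doubt. The HTML markup of the home_text heredoc is stripped in this rendering, so only its text content could be checked.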

Forge logicielle publique de l'Heureux Cyclage

-

Pour récupérer un dépôt public :

-
git clone git://git.heureux-cyclage.org/<projet>
- EOF - -ln -fns \ - /etc/gitweb \ - ~git/etc/gitweb install -d -m 1771 -o root -g root \ /run/spawn-fcgi diff --git a/etc/sv/lhc-remorque/configure.sh b/etc/sv/lhc-remorque/configure.sh new file mode 100644 index 0000000..ee0e4bc --- /dev/null +++ b/etc/sv/lhc-remorque/configure.sh @@ -0,0 +1,11 @@ +rule www_configure + +home=~www/pub/"$sv" + +rule adduser fcgi-"$sv" \ + --disabled-login \ + --disabled-password \ + --group \ + --home "$home" \ + --shell /bin/false \ + --system diff --git a/etc/sv/lhc-remorque/run b/etc/sv/lhc-remorque/run index 0241c21..7f8b35a 100755 --- a/etc/sv/lhc-remorque/run +++ b/etc/sv/lhc-remorque/run @@ -1,19 +1,9 @@ #!/bin/sh -eux exec 2>&1 sv=${PWD#/etc/sv/} -home=~www/pub/"$sv" /usr/bin/sv -w 3 start sshd -getent passwd fcgi-"$sv" >/dev/null || -adduser fcgi-"$sv" \ - --disabled-login \ - --disabled-password \ - --group \ - --home "$home" \ - --shell /bin/false \ - --system - install -d -m 1771 -o root -g root \ /run/spawn-fcgi diff --git a/etc/sv/mysql/configure.sh b/etc/sv/mysql/configure.sh new file mode 100644 index 0000000..4dcef57 --- /dev/null +++ b/etc/sv/mysql/configure.sh 
@@ -0,0 +1,89 @@ +rule apt_get_install mysql-server-5.5 +rule insserv_remove mysql + +eval "home=~$sv" + +rule adduser mysql \ + --disabled-login \ + --disabled-password \ + --group \ + --home "$home" \ + --shell /bin/false \ + --system +rule adduser mysql-data \ + --disabled-login \ + --disabled-password \ + --group \ + --home "$home"/data \ + --no-create-home \ + --shell /bin/false \ + --system +sudo usermod --home "$home" mysql +sudo adduser mysql mysql-data +sudo install -d -m 751 -o mysql -g mysql \ + "$home" \ + "$home"/bin +sudo rm -rf /etc/mysql +sudo install -d -m 750 -o mysql -g mysql \ + /etc/mysql \ + /etc/mysql/conf.d \ + "$home"/etc +sudo ln -fns \ + /etc/mysql \ + "$home"/etc/mysql +sudo install -m 644 -o mysql -g mysql \ + "$tool"/etc/mysql/my.cnf \ + /etc/mysql/my.cnf +if sudo test ! -d "$home"/data + then + sudo install -d -m 750 -o mysql -g mysql-data \ + "$home"/data + sudo -u mysql mysql_install_db \ + --datadir="$home"/data \ + --no-defaults + fi + +sudo find "$tool"/etc/postgresql/bin/ -type f -perm /+x -exec \ + install -m 755 -o root -g root \ + -t /home/postgresql/bin/ {} + + +sudo ln -fns \ + ../sv/"$sv" \ + /etc/service/"$sv" +rule runit_sv_start "$sv" +while ! sudo -u mysql mysql -u mysql &1 sv=${PWD#/etc/sv/} -install -d -m 1771 -o mysql -g mysql \ +eval "home=~$sv" + +install -d -m 1771 -o "$sv" -g "$sv" \ /run/mysqld \ /run/mysqld/sock -eval "home=~$sv" + exec /usr/bin/chpst \ -u "$sv":"$sv" \ /usr/sbin/mysqld \ --basedir=/usr \ - --datadir=$home/data \ + --datadir="$home"/data \ --plugin-dir=/usr/lib/mysql/plugin \ --port=3306 \ --socket=/run/mysqld/sock/"$sv" \ - --user=$sv + --user="$sv" diff --git a/etc/sv/nginx/configure.sh b/etc/sv/nginx/configure.sh new file mode 100644 index 0000000..c413979 --- /dev/null +++ b/etc/sv/nginx/configure.sh 
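Review bot: The `sudo find "$tool"/etc/postgresql/bin/ ... -t /home/postgresql/bin/` block in mysql/configure.sh looks copy-pasted from postgres/configure.sh: this file creates `"$home"/bin` a few lines earlier but never populates it, and the etc/mysql/bin/createdb and createuser scripts added in this same commit are installed nowhere; it should read `sudo find "$tool"/etc/mysql/bin/ -type f -perm /+x -exec install -m 755 -o root -g root -t "$home"/bin/ {} +`. Also, /etc/mysql, /etc/mysql/conf.d and my.cnf are installed owned by `mysql`, the very account mysqld runs as (mysql/run: `chpst -u "$sv":"$sv"`), so a compromised server process could rewrite its own configuration (plugin-dir, datadir, log paths) and have the change survive a restart; `-o root -g mysql` with 750/640 keeps it readable without being writable. The tail of this hunk (the `while ! sudo -u mysql mysql -u mysql` wait loop) is garbled in the page and could not be reviewed.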
@@ -0,0 +1,75 @@
+rule runit_configure php5-fpm
+rule apt_get_install nginx spawn-fcgi fcgiwrap
+rule insserv_remove nginx
+rule insserv_remove fcgiwrap
+
+rule www_configure
+
+sudo rm -rf \
+ /etc/nginx/conf.d \
+ /etc/nginx/site.d
+sudo install -d -m 770 -o www -g www \
+ /etc/nginx \
+ /etc/nginx/conf.d \
+ /etc/nginx/site.d \
+ /etc/nginx/x509.d
+sudo ln -fns \
+ /etc/nginx \
+ /home/www/etc/nginx
+sudo install -m 660 -o www -g www \
+ "$tool"/etc/nginx/nginx.conf \
+ /etc/nginx/nginx.conf
+local conf
+for conf in "$tool"/etc/nginx/conf.d/*.conf
+ do conf=${conf#"$tool"/etc/nginx/conf.d/}
+ sudo install -m 660 -o www -g www \
+ "$tool"/etc/nginx/conf.d/"$conf" \
+ /etc/nginx/conf.d/"$conf"
+ done
+for conf in "$tool"/etc/nginx/site.d/*/site.conf
+ do conf=${conf#"$tool"/etc/nginx/site.d/}
+ local site="${conf%/site.conf}"
+ rule adduser www-"$site" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/www/pub/"$site" \
+ --shell /bin/false \
+ --system
+ rule adduser log-www-"$site" \
+ --disabled-login \
+ --disabled-password \
+ --group \
+ --home /home/www/log/"$site"/nginx \
+ --shell /bin/false \
+ --system
+ sudo install -d -m 771 -o log-www -g log-www \
+ /home/www/log/"$site"
+ sudo install -d -m 770 -o www -g www \
+ /etc/nginx/site.d/"$site"
+ sudo install -d -m 770 -o www -g www \
+ /etc/nginx/x509.d/"$site"
+ test -L /home/www/pub/"$site" ||
+ sudo install -d -m 2770 -o www-"$site" -g www-"$site" \
+ /home/www/pub/"$site"
+ sudo adduser www-data www-"$site"
+ sudo adduser www-data log-www-"$site"
+ sudo install -m 660 -o www -g www \
+ "$tool"/etc/nginx/site.d/"$site"/local.conf \
+ /etc/nginx/site.d/"$site"/local.inc
+ sudo install -m 660 -o www -g www \
+ "$tool"/etc/nginx/site.d/"$site"/site.conf \
+ /etc/nginx/site.d/"$site"/site.inc
+ sudo install -m 660 -o www -g www /dev/stdin \
+ /etc/nginx/site.d/"$site"/server.conf <<-EOF
+ server {
+ access_log /home/www/log/$site/nginx/access.log main;
+ error_log /home/www/log/$site/nginx/error.log warn;
+ root /home/www/pub/$site;
+ include /etc/nginx/site.d/$site/local.inc;
+ include /etc/nginx/site.d/$site/site.inc;
+ }
+ EOF
+ test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh ||
+ . "$tool"/etc/nginx/site.d/"$site"/configure.sh
+ done
diff --git a/etc/sv/nginx/run b/etc/sv/nginx/run
index aa49fd8..8bc0f31 100755
--- a/etc/sv/nginx/run
+++ b/etc/sv/nginx/run
@@ -1,16 +1,19 @@
 #!/bin/sh -eux
 exec 2>&1
 sv=${PWD#/etc/sv/}
+
 /usr/bin/sv -w 3 start \
 lhc-remorque \
 gitweb \
 php5-fpm
+
 install -d -m 770 -o www-data -g www-data \
 /run/nginx \
 /run/nginx/fastcgi \
 /run/shm/cache/nginx \
 /run/shm/cache/nginx/fastcgi \
 /run/shm/cache/nginx/client_body
+
 exec /usr/sbin/nginx \
 -c /etc/nginx/nginx.conf \
 -g 'daemon off;'
diff --git a/etc/sv/nsd3/configure.sh b/etc/sv/nsd3/configure.sh
new file mode 100644
index 0000000..0e870e3
--- /dev/null
+++ b/etc/sv/nsd3/configure.sh
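Review bot: /etc/nginx, nginx.conf and every generated server.conf are installed writable by the `www` user and group (`install -d -m 770 -o www -g www`, `install -m 660 -o www -g www`), yet nginx/run execs `/usr/sbin/nginx -c /etc/nginx/nginx.conf` as root, so whoever can write as `www` can make the root master load arbitrary modules or paths — effectively a root account. If `www` is meant as the operator's editing identity that is a deliberate choice, but it deserves a comment, and `/etc/nginx/x509.d` (created 770 www:www here, presumably for TLS keys) should then be 750 at most; where a site only needs to be edited by root, `-o root -g www -m 640` keeps the group readable without letting anything nginx-facing alter what root executes. Also, the `site.d/*/site.conf` glob has no no-match guard, so with an empty site.d `$site` becomes `*` and `rule adduser www-"*"` runs; a `test -e "$conf" || continue` at the top of the loop avoids that.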
@@ -0,0 +1,40 @@
+rule apt_get_install nsd
+rule insserv_remove nsd3
+sudo rm -rf \
+ /etc/nsd3/zone.d
+sudo install -d -m 750 -o root -g nsd \
+ /etc/nsd3/zone.d
+{
+ cat <<-EOF
+ server:
+ ip-address: $vm_ipv4
+ ip4-only: yes
+ EOF
+ cat "$tool"/etc/nsd3/nsd.conf
+ local conf
+ for conf in "$tool"/etc/nsd3/zone.d/*.conf
+ do conf=${conf#"$tool"/etc/nsd3/zone.d/}
+ local domain=${conf%.conf}
+ if test -e "$tool"/etc/nsd3/zone.d/"$domain".zone.m4
+ then m4 \
+ --define=ZONE_DOMAIN=$domain \
+ --define=ZONE_SERIAL=$(cd "$tool" && git log -1 --format="%ct" -- etc/nsd3/zone.d/"$domain".zone.m4) \
+ --define=VM_IP4=$vm_ipv4 \
+ "$tool"/etc/nsd3/zone.d/"$domain".zone.m4
+ else cat "$tool"/etc/nsd3/zone.d/"$domain".zone
+ fi |
+ sudo install -m 440 -o root -g nsd /dev/stdin \
+ /etc/nsd3/zone.d/"$domain".zone
+ sudo install -m 440 -o root -g nsd \
+ "$tool"/etc/nsd3/zone.d/"$conf" \
+ /etc/nsd3/zone.d/"$conf"
+ cat <<-EOF
+ zone:
+ name: $domain
+ zonefile: /etc/nsd3/zone.d/$domain.zone
+ EOF
+ done
+} |
+sudo install -m 640 -o root -g nsd /dev/stdin \
+ /etc/nsd3/nsd.conf
+sudo nsdc rebuild
diff --git a/etc/sv/nsd3/run b/etc/sv/nsd3/run
index 9989289..6212559 100755
--- a/etc/sv/nsd3/run
+++ b/etc/sv/nsd3/run
@@ -1,8 +1,10 @@
 #!/bin/sh -eux
 exec 2>&1
 sv=${PWD#/etc/sv/}
+
 install -d -m 770 -o root -g root \
 /run/nsd3
+
 exec /usr/sbin/nsd \
 -c /etc/nsd3/nsd.conf \
 -d
diff --git a/etc/sv/ntp/configure.sh b/etc/sv/ntp/configure.sh
new file mode 100644
index 0000000..8e2cc1a
--- /dev/null
+++ b/etc/sv/ntp/configure.sh
@@ -0,0 +1,13 @@
+# NOTE: http://my.opera.com/marcomarongiu/blog/2011/01/05/independent-wallclock-in-xen-4
+
+rule apt_get_install ntp
+rule insserv_remove ntp
+
+sudo install -m 644 -o root -g root /dev/stdin /etc/timezone <<-EOF
+ Europe/Paris
+ EOF
+sudo debconf-set-selections <<-EOF
+ tzdata tzdata/Areas select Europe
+ tzdata tzdata/Zones/Europe select Paris
+ EOF
+rule dpkg_reconfigure tzdata
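Review bot: The `if ... m4 ... else cat ... fi | sudo install ... "$domain".zone` pipeline in nsd3/configure.sh installs whatever m4 managed to write even when m4 fails, because the pipeline's status is `install`'s and `sh -e` without pipefail never sees the m4 error, so a broken template yields a truncated zone file that `nsdc rebuild` then loads and serves; capture first with `zone=$(if ...; fi)` (a plain assignment from `$(...)` does fail under `-e`) and feed `printf '%s\n' "$zone"` to install. The serial is the commit time of the `.zone.m4` file, so an edited-but-uncommitted template keeps its old serial and secondaries never refresh, and an untracked file makes `ZONE_SERIAL` empty; a `test -n` on the `git log` output catches at least the second case. The m4 defines are also unquoted (`--define=ZONE_DOMAIN=$domain`, `--define=VM_IP4=$vm_ipv4`); quoting costs nothing there.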
diff --git a/etc/sv/ntp/run b/etc/sv/ntp/run
index f99231e..40cf173 100755
--- a/etc/sv/ntp/run
+++ b/etc/sv/ntp/run
@@ -1,6 +1,7 @@
 #!/bin/sh -eux
 exec 2>&1
 sv=${PWD#/etc/sv/}
+
 exec /usr/sbin/ntpd \
 -c /etc/ntp.conf \
 -g \
diff --git a/etc/sv/php5-fpm/configure.sh b/etc/sv/php5-fpm/configure.sh
new file mode 100644
index 0000000..5639822
--- /dev/null
+++ b/etc/sv/php5-fpm/configure.sh
@@ -0,0 +1,102 @@ +rule apt_get_install php5-fpm php-apc +rule insserv_remove php5-fpm + +rule www_configure + +rule adduser php5 \ + --disabled-login \ + --disabled-password \ + --group \ + --home /etc/php5/fpm \ + --shell /bin/false \ + --system +rule adduser log-php5 \ + --disabled-login \ + --disabled-password \ + --group \ + --home /home/www/log/php5/fpm \ + --shell /bin/false \ + --system +sudo ln -fns \ + /etc/php5/fpm \ + /home/www/etc/php5 +sudo rm -rf \ + /etc/php5/fpm/conf.d \ + /etc/php5/fpm/pool.d +sudo install -d -m 770 -o php5 -g php5 \ + /etc/php5/fpm/conf.d \ + /etc/php5/fpm/pool.d +sudo install -m 440 -o php5 -g php5 \ + "$tool"/etc/php5/fpm/php-fpm.conf \ + /etc/php5/fpm/php-fpm.conf +local conf +#for conf in "$tool"/etc/php5/fpm/conf.d/*.conf +# do conf=${conf#"$tool"/etc/php5/fpm/conf.d/} +# sudo install -m 660 -o php5 -g php5 \ +# "$tool"/etc/php5/fpm/conf.d/"$conf" \ +# /etc/php5/fpm/conf.d/"$conf" +# done +for conf in "$tool"/etc/php5/fpm/pool.d/*.conf + do conf=${conf#"$tool"/etc/php5/fpm/pool.d/} + IFS=. 
read -r pool <<-EOF + ${conf%.conf} + EOF + assert 'test "${pool:+set}"' + rule adduser php5-"$pool" \ + --disabled-login \ + --disabled-password \ + --group \ + --no-create-home \ + --home /etc/php5/fpm/pool.d \ + --shell /bin/false \ + --system + rule adduser log-php5-"$pool" \ + --disabled-login \ + --disabled-password \ + --group \ + --no-create-home \ + --home /home/www/log/php5/fpm/"$pool" \ + --shell /bin/false \ + --system + sudo install -d -m 770 -o log-php5 -g log-php5 \ + /home/www/log/php5 \ + /home/www/log/php5/fpm + sudo install -d -m 770 -o log-php5-"$pool" -g log-php5-"$pool" \ + /home/www/log/php5/fpm/"$pool" + sudo install -m 660 -o php5 -g php5 /dev/stdin \ + /etc/php5/fpm/pool.d/"$pool".conf <<-EOF + [$pool] + access.log = /home/www/log/php5/fpm/$pool/access.log + catch_workers_output = yes + chdir = / + env[HOSTNAME] = \$HOSTNAME + env[TEMP] = /tmp + env[TMPDIR] = /tmp + env[TMP] = /tmp + group = php5-$pool + #listen = 127.0.0.1:9000 + listen = /run/php5/fpm/$pool + #listen.allowed_clients = 127.0.0.1 + listen.group = www-data + listen.mode = 0660 + #listen.owner = www-data + listen.backlog = -1 + pm = dynamic + pm.max_children = 5 + pm.max_requests = 200 + pm.max_spare_servers = 4 + pm.min_spare_servers = 2 + pm.start_servers = 3 + pm.status_path = /status + request_slowlog_timeout = 5s + request_terminate_timeout = 120s + rlimit_core = unlimited + rlimit_files = 131072 + slowlog = /home/www/log/php5/fpm/$pool/slow.log + user = php5-$pool + $(cat "$tool"/etc/php5/fpm/pool.d/"$conf") + EOF + sudo install -m 664 -o php5 -g php5 \ + "$tool"/etc/php5/fpm/php.ini \ + /etc/php5/fpm/php.ini + done diff --git a/etc/sv/php5-fpm/run b/etc/sv/php5-fpm/run index 4af1b26..3646aed 100755 --- a/etc/sv/php5-fpm/run +++ b/etc/sv/php5-fpm/run 
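Review bot: pool.d and php.ini are created writable by the unprivileged `php5` account (`install -d -m 770 -o php5 -g php5 .../pool.d`, `install -m 664 -o php5 -g php5 .../php.ini`) while php5-fpm/run launches the master as root with no `chpst`, so anyone able to write as `php5` can drop a pool file with `user = <any pool account>` and run code as it, or change php.ini for every pool; php-fpm.conf in the same hunk is installed 440, so the 664/770 looks unintended — `-o root -g php5` with 640/750 is consistent with it. `rlimit_core = unlimited` on every pool lets a crashing worker write a core containing request data and whatever credentials PHP held wherever `core_pattern` points; leave it at the default 0 unless a pool is being debugged. `pm.status_path = /status` is also enabled on every pool, so the nginx side (not visible here) must not proxy that path to the public. Whether anything actually runs as `php5` is not visible in this diff.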
@@ -1,12 +1,14 @@
 #!/bin/sh -eux
 exec 2>&1
 sv=${PWD#/etc/sv/}
+
 install -d -m 1771 -o php5 -g php5 \
 /run/php5 \
 /run/php5/fpm \
 /run/shm/cache/php5 \
 /run/shm/cache/php5/fpm \
 /run/shm/tmp/php5
+
 exec /usr/sbin/php5-fpm \
 --fpm-config /etc/php5/fpm/php-fpm.conf \
 --php-ini /etc/php5/fpm/php.ini
diff --git a/etc/sv/postfix/configure.sh b/etc/sv/postfix/configure.sh
new file mode 100644
index 0000000..e17af10
--- /dev/null
+++ b/etc/sv/postfix/configure.sh
@@ -0,0 +1,96 @@ +local hint="run vm_remote postfix_key_send before" +assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint +#warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix" +sudo debconf-set-selections <<-EOF + postfix postfix/main_mailer_type select No configuration + EOF +rule apt_get_install postfix procmail +rule insserv_remove postfix +sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF + *.db + EOF +sudo install -d -m 771 -o root -g root \ + /etc/postfix/ \ + /etc/postfix/$vm_domainname/ \ + /etc/postfix/$vm_domainname/smtp \ + /etc/postfix/$vm_domainname/smtp/x509 \ + /etc/postfix/$vm_domainname/smtp/x509/ca \ + /etc/postfix/$vm_domainname/smtpd \ + /etc/postfix/$vm_domainname/smtpd/x509 \ + /etc/postfix/$vm_domainname/smtpd/x509/ca +sudo ln -fns \ + ../crt+crl.self-signed.pem \ + /etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem +sudo install -m 400 -o root -g root \ + "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \ + /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem +sudo install -m 400 -o root -g root \ + "$tool"/var/pub/x509/smtpd.$vm_domainname/crt.pem \ + /etc/postfix/$vm_domainname/smtpd/x509/crt.pem +sudo install -m 400 -o root -g root \ + "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+ca.pem \ + /etc/postfix/$vm_domainname/smtpd/x509/crt+ca.pem +sudo install -m 400 -o root -g root \ + "$tool"/var/pub/x509/smtpd.$vm_domainname/crt+crl.self-signed.pem \ + /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem +sudo install -m 640 -o root -g root \ + "$tool"/etc/postfix/$vm_domainname/header_checks \ + /etc/postfix/$vm_domainname/header_checks +sudo install -m 644 -o root -g root /dev/stdin \ + /etc/postfix/aliases <<-EOF + # See man 5 aliases for format + abuse: root + admin: root + contact: root + mailer-daemon: root + postmaster: root + root: $(getent group sudo | cut -f 4 -d : | tr , ' ') + EOF +sudo newaliases 
-oA/etc/postfix/aliases +cat /dev/stdin "$tool"/etc/postfix/main.cf <<-EOF | + mydomain = $vm_domainname + myorigin = \$mydomain + myhostname = $vm_hostname.\$mydomain + mail_name = \$myhostname + mydestination = $vm_hostname \$myhostname \$myorigin + EOF +sudo install -m 640 -o root -g root /dev/stdin \ + /etc/postfix/main.cf +sudo install -m 640 -o root -g root \ + "$tool"/etc/postfix/master.cf \ + /etc/postfix/master.cf +sudo install -m 640 -o root -g root \ + "$tool"/etc/postfix/$vm_domainname/smtp/x509/policy \ + /etc/postfix/$vm_domainname/smtp/x509/policy +sudo postmap hash:/etc/postfix/$vm_domainname/smtp/x509/policy +sudo install -m 640 -o root -g root \ + "$tool"/etc/postfix/$vm_domainname/smtp/header_checks \ + /etc/postfix/$vm_domainname/smtp/header_checks +sudo install -m 640 -o root -g root \ + "$tool"/etc/postfix/$vm_domainname/smtpd/sender_access \ + /etc/postfix/$vm_domainname/smtpd/sender_access +sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/sender_access +sudo install -m 640 -o root -g root \ + "$tool"/etc/postfix/$vm_domainname/smtpd/client_blacklist \ + /etc/postfix/$vm_domainname/smtpd/client_blacklist +sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/client_blacklist +sudo install -m 640 -o root -g root \ + "$tool"/etc/postfix/$vm_domainname/smtpd/relay_clientcerts \ + /etc/postfix/$vm_domainname/smtpd/relay_clientcerts +sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/relay_clientcerts +sudo install -m 640 -o root -g root \ + "$tool"/etc/postfix/$vm_domainname/transport \ + /etc/postfix/$vm_domainname/transport +sudo postmap hash:/etc/postfix/$vm_domainname/transport +sudo install -m 640 -o root -g root \ + "$tool"/etc/postfix/$vm_domainname/virtual_alias \ + /etc/postfix/$vm_domainname/virtual_alias +sudo postmap hash:/etc/postfix/$vm_domainname/virtual_alias +sudo install -d -m 770 -o root -g root \ + /etc/skel/etc/mail \ + /etc/skel/var/cache/mail \ + /etc/skel/var/log/mail \ + /etc/skel/var/mail +sudo install -m 660 -o root 
-g root \ + "$tool"/etc/skel/etc/mail/delivery.procmailrc \ + /etc/skel/etc/mail/delivery.procmailrc diff --git a/etc/sv/postfix/run b/etc/sv/postfix/run index f07ffa1..cfc8966 100755 --- a/etc/sv/postfix/run +++ b/etc/sv/postfix/run @@ -13,5 +13,4 @@ setgid_group=postdrop \ /etc/postfix/postfix-script check exec /usr/lib/postfix/master \ - -c /etc/postfix \ - + -c /etc/postfix diff --git a/etc/sv/postgres/configure.sh b/etc/sv/postgres/configure.sh index 4b33f11..db32e16 100644 --- a/etc/sv/postgres/configure.sh +++ b/etc/sv/postgres/configure.sh @@ -1,4 +1,5 @@ - # DOC: http://wiki.postgresql.org/wiki/Shared_Database_Hosting +# DOC: http://wiki.postgresql.org/wiki/Shared_Database_Hosting + rule apt_get_install postgresql-9.1 rule insserv_remove postgresql rule adduser postgres \ @@ -65,9 +66,13 @@ sudo find "$tool"/etc/postgresql/bin/ -type f -perm /+x -exec \ install -m 755 -o root -g root \ -t /home/postgresql/bin/ {} + -sudo sv -w 1 start /etc/sv/postgres +sudo ln -fns \ + ../sv/"$sv" \ + /etc/service/"$sv" +rule runit_sv_start "$sv" while ! sudo -u postgres psql &1 sv=${PWD#/etc/sv/} + install -d -m 2710 -o postgrey -g postfix \ /run/postgrey + exec /usr/bin/chpst \ -u "$sv":"$sv" \ /usr/sbin/postgrey \ diff --git a/etc/sv/sshd/configure.sh b/etc/sv/sshd/configure.sh new file mode 100644 index 0000000..cca0bd2 --- /dev/null +++ b/etc/sv/sshd/configure.sh 
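Review bot: The `/etc/postfix/$vm_domainname/smtpd/x509` tree that must already contain `key.pem` (asserted at the top of the hunk) is created with `install -d -m 771`, so every local account can traverse it; the key is installed by another step and its mode is not visible, but a directory holding a private key should be 750 (or 700) rather than relying on the file mode alone, while the certificate copies can stay as they are. The `root:` alias is built from `getent group sudo`, so on a host whose sudo group is empty the line degenerates to `root:` with no recipient, which newaliases will at best warn about and skip, leaving root mail undeliverable; an `assert` on the member list or a fixed fallback mailbox closes that. `crt+crl.self-signed.pem` is installed twice with identical arguments; the second copy can go.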
@@ -0,0 +1,21 @@
+rule apt_get_install openssh-server
+rule insserv_remove ssh
+ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
+( while IFS= read -r line
+ do case $line in (*" RSA") return 0; break;; esac
+ done; return 1 ) ||
+sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
+sudo rm -f \
+ /etc/ssh/ssh_host_dsa_key \
+ /etc/ssh/ssh_host_dsa_key.pub \
+ /etc/ssh/ssh_host_ecdsa_key \
+ /etc/ssh/ssh_host_ecdsa_key.pub
+ # NOTE: clefs générées par Debian
+m4 \
+ --define=VM_IPV4=$vm_ipv4 \
+ <"$tool"/etc/ssh/sshd_config.m4 |
+sudo install -m 640 -o root -g root /dev/stdin \
+ /etc/ssh/sshd_config
+sudo install -m 644 -o root -g root \
+ "$tool"/etc/ssh/ssh_config \
+ /etc/ssh/ssh_config
diff --git a/etc/sv/sshd/run b/etc/sv/sshd/run
index 6a287a0..3846e60 100755
--- a/etc/sv/sshd/run
+++ b/etc/sv/sshd/run
@@ -1,8 +1,11 @@
 #!/bin/sh -eux
 exec 2>&1
 sv=${PWD#/etc/sv/}
-install -d -m 755 -o root -g root /run/sshd
+
+install -d -m 755 -o root -g root \
+ /run/sshd
 install -d -m 1777 -o root -g root \
 /run/shm/cache \
 /run/shm/tmp
+
 exec /usr/sbin/sshd -D
diff --git a/etc/sv/unbound/configure.sh b/etc/sv/unbound/configure.sh
new file mode 100644
index 0000000..fc59084
--- /dev/null
+++ b/etc/sv/unbound/configure.sh
@@ -0,0 +1,17 @@
+sudo apt-get install unbound
+rule insserv_remove unbound
+
+sudo install -m 644 -o root -g root /dev/stdin /etc/resolv.conf <<-EOF
+ search ${vm_host#*.}
+ nameserver 127.0.0.1
+ #nameserver ${vm_host_nameserver}
+ EOF
+sudo install -m 440 -o unbound -g unbound \
+ "$tool"/etc/unbound/named.cache \
+ /etc/unbound/named.cache
+
+m4 \
+ --define=OUTGOING_INTERFACE=$vm_ipv4 \
+ <"$tool"/etc/unbound/unbound.conf |
+sudo install -m 440 -o unbound -g unbound /dev/stdin \
+ /etc/unbound/unbound.conf
diff --git a/etc/sv/unbound/run b/etc/sv/unbound/run
index 79856ca..21510d6 100755
--- a/etc/sv/unbound/run
+++ b/etc/sv/unbound/run
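Review bot: The known_hosts check that gates `ssh-keygen -t rsa` in sshd/configure.sh only tests that some RSA entry exists for `$vm_fqdn` in the repo's known_hosts, not that it matches `/etc/ssh/ssh_host_rsa_key.pub` on the host, so a rebuilt host whose old entry is still recorded keeps running with a key nobody has on file; comparing `ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub` against the fingerprint of the recorded entry would make the guard mean what it says. When no entry is found and the Debian-generated key already exists, `ssh-keygen -f /etc/ssh/ssh_host_rsa_key` prompts "Overwrite (y/n)?" on stdin instead of replacing it, which blocks an unattended run and, on `n`, aborts the whole configure under `-e`; `sudo rm -f /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub` before the keygen (as is already done for the DSA/ECDSA keys) makes the intended replacement explicit. Also, `return 0`/`return 1` inside a plain `( ... )` subshell of a sourced file relies on `return`-outside-function behaviour that POSIX leaves unspecified; `exit 0`/`exit 1` is the portable form there.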
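Review bot: `sudo apt-get install unbound` in unbound/configure.sh bypasses the `rule apt_get_install` wrapper that every other configure.sh in this commit uses, so it prompts interactively (no `-y`) and skips whatever the wrapper adds (its idempotency or option handling is not visible here); `rule apt_get_install unbound` matches the rest. The generated /etc/resolv.conf also derives its search domain as `${vm_host#*.}`, which is the whole hostname when `vm_host` contains no dot; an `assert` that the result differs from `$vm_host` would catch a misconfigured caller before it is written.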
@@ -1,7 +1,9 @@
 #!/bin/sh -eux
 exec 2>&1
 sv=${PWD#/etc/sv/}
+
 /usr/bin/sv -w 3 start nsd3
+
 exec /usr/sbin/unbound \
 -c /etc/unbound/unbound.conf \
 -d
diff --git a/vm_hosted b/vm_hosted
index 54e7257..b9275fa 100755
--- a/vm_hosted
+++ b/vm_hosted
@@ -249,6 +249,9 @@ rule_apt_configure () {
 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/$vm_lsb_name-backports.list <<-EOF
 deb http://ftp.rezopole.net/debian $vm_lsb_name-backports main
 EOF
+ sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
+ deb http://nightly.openerp.com/7.0/nightly/deb/ ./
+ EOF
 sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
 Package: *
 Pin: release a=$vm_lsb_name
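Review bot: The new `openerp.list` adds `deb http://nightly.openerp.com/7.0/nightly/deb/ ./` — nightly builds over plain HTTP — to the global apt sources, and nothing in this hunk imports the repository's signing key or pins it, so unless the /etc/apt/preferences written just below (only its first lines are visible) restricts that origin, any package the nightly repo publishes, including newer versions of base packages, can replace Debian's on the next upgrade, and a man-in-the-middle on the unauthenticated transport can serve them. At minimum add a stanza with `Pin: origin nightly.openerp.com` at a low `Pin-Priority` and a higher one only for the `openerp` package, put the repo key under /etc/apt/trusted.gpg.d (or state in a comment that the unsigned source is accepted knowingly), and prefer a pinned snapshot over a nightly whose contents change under you. The enclosing `rule_apt_configure` continues outside the hunk.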
@@ -297,35 +300,6 @@ rule_boot_configure () {
 # et davantage sécurisant.
 EOF
 }
-rule_dovecot_configure () {
- rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
- rule insserv_remove dovecot
- local hint="run vm_remote dovecot_key_send before"
- assert "sudo test -f /etc/dovecot/\"$vm_domainname\"/imap/x509/key.pem" hint
- sudo install -m 400 -o root -g root \
- "$tool"/var/pub/x509/imap."$vm_domainname"/crt+crl.self-signed.pem \
- /etc/dovecot/"$vm_domainname"/imap/x509/crt+crl.self-signed.pem
- sudo install -d -m 770 -o root -g root \
- /etc/skel/etc/mail \
- /etc/skel/etc/sieve
- sudo install -d -m 1777 -o root -g root \
- /var/lib/dovecot-control \
- /var/lib/dovecot-index
- m4 \
- --define=VM_DOMAINNAME=$vm_domainname \
- <"$tool"/etc/dovecot/local.conf.m4 |
- sudo install -m 644 -o root -g root /dev/stdin \
- /etc/dovecot/local.conf
- sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
- #!/bin/sh -efux
- # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
- install -d -m 770 ~/etc/dovecot
- install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
- \$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
- _EOF
- EOF
- rule runit_configure dovecot
- }
 rule_etckeeper_configure () {
 sudo install -m 644 -o root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
 VCS=git
@@ -559,106 +533,6 @@ rule_login_configure () { xvc0 EOF } -rule_mail_configure () { - rule postfix_configure - rule postgrey_configure - rule procmail_configure - rule dovecot_configure - } -rule_mysql_configure () { - rule apt_get_install mysql-server-5.5 - rule insserv_remove mysql - rule adduser mysql \ - --disabled-login \ - --disabled-password \ - --group \ - --home /home/mysql \ - --shell /bin/false \ - --system - rule adduser mysql-data \ - --disabled-login \ - --disabled-password \ - --group \ - --home /home/mysql/data \ - --no-create-home \ - --shell /bin/false \ - --system - sudo usermod --home /home/mysql mysql - sudo adduser mysql mysql-data - sudo install -d -m 751 -o mysql -g mysql \ - /home/mysql - sudo rm -rf /etc/mysql - sudo install -d -m 750 -o mysql -g mysql \ - /etc/mysql \ - /etc/mysql/conf.d \ - /home/mysql/etc - sudo ln -fns \ - /etc/mysql \ - /home/mysql/etc/mysql - sudo install -m 644 -o mysql -g mysql \ - "$tool"/etc/mysql/my.cnf \ - /etc/mysql/my.cnf - if sudo test ! -d /home/mysql/data - then - sudo install -d -m 750 -o mysql -g mysql-data \ - /home/mysql/data - sudo -u mysql mysql_install_db \ - --datadir=/home/mysql/data \ - --no-defaults - fi - rule runit_configure mysql - while ! sudo -u mysql mysql -u mysql