From 3ad6118386977e346d81042e924e5db9c5f15b7d Mon Sep 17 00:00:00 2001 
From: Julien Moutinho Date: Sat, 20 Apr 2013 05:17:34 +0200 Subject: [PATCH] Modification : vm_{host,hosted,remote} -> {host,local,remote}/ . --- README | 32 +- etc/host.sh | 21 + etc/{vm.sh => local.sh} | 9 +- .../gitweb-tls/{configure.sh => local.sh} | 0 .../site.d/gitweb/{configure.sh => local.sh} | 2 +- .../{configure.sh => local.sh} | 0 .../{configure.sh => local.sh} | 0 .../lhc-remorque/{configure.sh => local.sh} | 6 +- etc/nginx/site.d/lhc-remorque/remote.sh | 2 +- .../lhc-stats-tls/{configure.sh => local.sh} | 0 .../lhc-stats/{configure.sh => local.sh} | 0 .../lhc-www-tls/{configure.sh => local.sh} | 0 .../site.d/lhc-www/{configure.sh => local.sh} | 0 .../site.d/sympa/{configure.sh => local.sh} | 0 .../{configure.sh => local.sh} | 16 +- .../log/local.sh} | 2 +- etc/sv/dovecot/{configure.sh => local.sh} | 4 +- etc/sv/dovecot/remote.sh | 4 +- etc/sv/git-daemon/{configure.sh => local.sh} | 2 +- .../git-daemon/log/{configure.sh => local.sh} | 2 +- etc/sv/gitweb/{configure.sh => local.sh} | 4 +- etc/sv/gitweb/log/{configure.sh => local.sh} | 2 +- .../lhc-remorque/{configure.sh => local.sh} | 4 +- .../log/{configure.sh => local.sh} | 2 +- etc/sv/mysql/{configure.sh => local.sh} | 10 +- .../log/configure.sh => mysql/log/local.sh} | 2 +- etc/sv/nginx/{configure.sh => local.sh} | 16 +- etc/sv/nginx/remote.sh | 4 +- etc/sv/nsd3/{configure.sh => local.sh} | 6 +- etc/sv/ntp/{configure.sh => local.sh} | 6 +- etc/sv/php5-fpm/{configure.sh => local.sh} | 14 +- etc/sv/postfix/{configure.sh => local.sh} | 4 +- etc/sv/postfix/remote.sh | 5 +- etc/sv/postgres/{configure.sh => local.sh} | 10 +- .../postgres/log/{configure.sh => local.sh} | 2 +- etc/sv/postgrey/configure.sh | 2 - etc/sv/postgrey/local.sh | 2 + etc/sv/sshd/{configure.sh => local.sh} | 4 +- etc/sv/sympa/{configure.sh => local.sh} | 10 +- etc/sv/unbound/{configure.sh => local.sh} | 2 +- etc/sv/wwsympa/{configure.sh => local.sh} | 3 +- .../{configure.sh => local.sh} | 2 +- etc/user.d/lhc/{configure.sh => local.sh} 
| 2 +- .../ptitvelo/{configure.sh => local.sh} | 2 +- .../velorution_idf/{configure.sh => local.sh} | 2 +- .../velosenville/{configure.sh => local.sh} | 2 +- host/chroot | 26 + host/chroot-clean | 17 + host/debootstrap | 57 ++ host/disk-format | 33 + host/disk-mount | 6 + host/disk-umount | 25 + host/git-configure | 23 + host/lib.sh | 3 + host/part-boot-format | 8 + host/part-boot-mount | 8 + host/part-boot-umount | 6 + host/part-home-format | 12 + host/part-home-mount | 7 + host/part-home-umount | 7 + host/part-luks-format | 12 + host/part-luks-mount | 9 + host/part-luks-umount | 8 + host/part-lvm-format | 14 + host/part-lvm-mount | 10 + host/part-lvm-umount | 14 + host/part-randomize | 6 + host/part-randomize-stats | 6 + host/part-root-format | 28 + host/part-root-mount | 8 + host/part-root-umount | 8 + host/part-swap-format | 9 + host/part-var-format | 11 + host/part-var-mount | 7 + host/part-var-umount | 7 + host/xen-vm-attach | 7 + host/xen-vm-configure | 44 + host/xen-vm-start | 7 + host/xen-vm-stop | 5 + host/xen-vm-stop-force | 5 + lib/rule.sh | 11 - lib/ssh | 3 +- local/adduser | 6 + local/apt-configure | 29 + local/apt-get-install | 8 + local/boot-configure | 35 + local/configure | 20 + local/dpkg-reconfigure | 8 + local/duplicity-configure | 35 + local/etckeeper-configure | 18 + local/filesystem-configure | 31 + local/git-configure | 18 + local/git-reset | 7 + local/gitolite-configure | 107 ++ local/initramfs-configure | 65 ++ local/lib.sh | 3 + local/locales-configure | 9 + local/login-configure | 30 + local/luks-key-change | 5 + .../createdb => local/mysql-database-create | 0 .../bin/createuser => local/mysql-user-create | 0 local/network-configure | 24 + local/passwd-init | 4 + .../postgresql-database-create | 0 .../postgresql-user-create | 0 local/runit-configure | 44 + local/runit-sv-configure | 30 + local/runit-sv-restart | 13 + local/runit-sv-start | 13 + local/shorewall-configure | 42 + local/sysctl-configure | 16 + local/user-add | 19 + 
local/user-admin-add | 21 + local/user-configure | 61 ++ local/user-root-configure | 28 + local/www-init | 31 + remote/duplicity-configure | 11 + remote/duplicity-key-send | 7 + remote/git-configure | 11 + remote/git-push | 6 + remote/gpg | 5 + remote/gpg-gen-key | 46 + remote/lib.sh | 4 + remote/luks-key-backup | 23 + remote/luks-key-send | 10 + remote/mosh | 5 + remote/mysql-backup | 15 + remote/runit-configure | 31 + remote/site-x509-key-decrypt | 9 + remote/ssh | 7 + remote/ssh-pass | 4 + remote/ssh-update-known-hosts | 9 + vm_host | 456 --------- vm_hosted | 934 ------------------ vm_remote | 221 ----- 135 files changed, 1568 insertions(+), 1729 deletions(-) create mode 100644 etc/host.sh rename etc/{vm.sh => local.sh} (93%) rename etc/nginx/site.d/gitweb-tls/{configure.sh => local.sh} (100%) rename etc/nginx/site.d/gitweb/{configure.sh => local.sh} (61%) rename etc/nginx/site.d/lhc-questionnaires-tls/{configure.sh => local.sh} (100%) rename etc/nginx/site.d/lhc-questionnaires/{configure.sh => local.sh} (100%) rename etc/nginx/site.d/lhc-remorque/{configure.sh => local.sh} (95%) rename etc/nginx/site.d/lhc-stats-tls/{configure.sh => local.sh} (100%) rename etc/nginx/site.d/lhc-stats/{configure.sh => local.sh} (100%) rename etc/nginx/site.d/lhc-www-tls/{configure.sh => local.sh} (100%) rename etc/nginx/site.d/lhc-www/{configure.sh => local.sh} (100%) rename etc/nginx/site.d/sympa/{configure.sh => local.sh} (100%) rename etc/sv/cyclo_paris_est__openerp/{configure.sh => local.sh} (75%) rename etc/sv/{mysql/log/configure.sh => cyclo_paris_est__openerp/log/local.sh} (85%) rename etc/sv/dovecot/{configure.sh => local.sh} (89%) rename etc/sv/git-daemon/{configure.sh => local.sh} (92%) rename etc/sv/git-daemon/log/{configure.sh => local.sh} (86%) rename etc/sv/gitweb/{configure.sh => local.sh} (95%) rename etc/sv/gitweb/log/{configure.sh => local.sh} (84%) rename etc/sv/lhc-remorque/{configure.sh => local.sh} (68%) rename etc/sv/lhc-remorque/log/{configure.sh => 
local.sh} (88%) rename etc/sv/mysql/{configure.sh => local.sh} (94%) rename etc/sv/{cyclo_paris_est__openerp/log/configure.sh => mysql/log/local.sh} (84%) rename etc/sv/nginx/{configure.sh => local.sh} (88%) rename etc/sv/nsd3/{configure.sh => local.sh} (90%) rename etc/sv/ntp/{configure.sh => local.sh} (73%) rename etc/sv/php5-fpm/{configure.sh => local.sh} (90%) rename etc/sv/postfix/{configure.sh => local.sh} (97%) rename etc/sv/postgres/{configure.sh => local.sh} (95%) rename etc/sv/postgres/log/{configure.sh => local.sh} (87%) delete mode 100644 etc/sv/postgrey/configure.sh create mode 100644 etc/sv/postgrey/local.sh rename etc/sv/sshd/{configure.sh => local.sh} (88%) rename etc/sv/sympa/{configure.sh => local.sh} (96%) rename etc/sv/unbound/{configure.sh => local.sh} (92%) rename etc/sv/wwsympa/{configure.sh => local.sh} (80%) rename etc/user.d/cyclo_paris_est/{configure.sh => local.sh} (65%) rename etc/user.d/lhc/{configure.sh => local.sh} (63%) rename etc/user.d/ptitvelo/{configure.sh => local.sh} (66%) rename etc/user.d/velorution_idf/{configure.sh => local.sh} (65%) rename etc/user.d/velosenville/{configure.sh => local.sh} (68%) create mode 100755 host/chroot create mode 100755 host/chroot-clean create mode 100755 host/debootstrap create mode 100755 host/disk-format create mode 100755 host/disk-mount create mode 100755 host/disk-umount create mode 100755 host/git-configure create mode 100644 host/lib.sh create mode 100755 host/part-boot-format create mode 100755 host/part-boot-mount create mode 100755 host/part-boot-umount create mode 100755 host/part-home-format create mode 100755 host/part-home-mount create mode 100755 host/part-home-umount create mode 100755 host/part-luks-format create mode 100755 host/part-luks-mount create mode 100755 host/part-luks-umount create mode 100755 host/part-lvm-format create mode 100755 host/part-lvm-mount create mode 100755 host/part-lvm-umount create mode 100755 host/part-randomize create mode 100755 
host/part-randomize-stats create mode 100755 host/part-root-format create mode 100755 host/part-root-mount create mode 100755 host/part-root-umount create mode 100755 host/part-swap-format create mode 100755 host/part-var-format create mode 100755 host/part-var-mount create mode 100755 host/part-var-umount create mode 100755 host/xen-vm-attach create mode 100755 host/xen-vm-configure create mode 100755 host/xen-vm-start create mode 100755 host/xen-vm-stop create mode 100755 host/xen-vm-stop-force delete mode 100644 lib/rule.sh create mode 100755 local/adduser create mode 100755 local/apt-configure create mode 100755 local/apt-get-install create mode 100755 local/boot-configure create mode 100755 local/configure create mode 100755 local/dpkg-reconfigure create mode 100755 local/duplicity-configure create mode 100755 local/etckeeper-configure create mode 100755 local/filesystem-configure create mode 100755 local/git-configure create mode 100755 local/git-reset create mode 100755 local/gitolite-configure create mode 100755 local/initramfs-configure create mode 100644 local/lib.sh create mode 100755 local/locales-configure create mode 100755 local/login-configure create mode 100755 local/luks-key-change rename etc/mysql/bin/createdb => local/mysql-database-create (100%) rename etc/mysql/bin/createuser => local/mysql-user-create (100%) create mode 100755 local/network-configure create mode 100755 local/passwd-init rename etc/postgresql/bin/createdb => local/postgresql-database-create (100%) rename etc/postgresql/bin/createuser => local/postgresql-user-create (100%) create mode 100755 local/runit-configure create mode 100755 local/runit-sv-configure create mode 100755 local/runit-sv-restart create mode 100755 local/runit-sv-start create mode 100755 local/shorewall-configure create mode 100755 local/sysctl-configure create mode 100755 local/user-add create mode 100755 local/user-admin-add create mode 100755 local/user-configure create mode 100755 local/user-root-configure 
create mode 100755 local/www-init create mode 100755 remote/duplicity-configure create mode 100755 remote/duplicity-key-send create mode 100755 remote/git-configure create mode 100755 remote/git-push create mode 100755 remote/gpg create mode 100755 remote/gpg-gen-key create mode 100644 remote/lib.sh create mode 100755 remote/luks-key-backup create mode 100755 remote/luks-key-send create mode 100755 remote/mosh create mode 100755 remote/mysql-backup create mode 100755 remote/runit-configure create mode 100755 remote/site-x509-key-decrypt create mode 100755 remote/ssh create mode 100755 remote/ssh-pass create mode 100755 remote/ssh-update-known-hosts delete mode 100755 vm_host delete mode 100755 vm_hosted delete mode 100755 vm_remote diff --git a/README b/README index 4a5f9cc..be0145e 100644 --- a/README +++ b/README @@ -25,12 +25,12 @@ TASK: obtenir une installation chrootable TASK: obtenir une installation démarable @host % ~/tool/ateliers/vm_host chroot @host % export TRACE=1 LANG=C LC_CTYPE=C - @host % /root/tool/vm/vm_hosted init + @host % /root/tool/vm/local/init # TODO: revoir ça @host % exit TASK: initialiser la VM - @host % ~/tool/ateliers/vm_host vm_configure - @host % ~/tool/ateliers/vm_host vm_start - @hosted % vm_hosted user_configure + @host % ~/tool/ateliers/vm_host vm_configure + @host % ~/tool/ateliers/vm_host vm_start + @local % local/user-configure TASK: démarrer la VM @host % vm_host vm_start TASK: ajouter un-e administrateurice $user 
@@ -38,17 +38,17 @@ TASK: ajouter un-e administrateurice $user @remote % gpg --armor --export --export-options export-clean >var/pub/openpgp/$user.key @remote % git add var/pub/{openpgp,ssh}/$user.key @remote % git commit -a -m "Ajout : admin : $user ." - @remote % ./vm_remote git_push - @hosted % vm_hosted git_reset - @hosted % vm_hosted user_admin_add $user + @remote % remote/git-push + @local % local/git-reset + @local % local/user-admin-add $user TASK: démarrer la VM @host % vm_host vm_start - @remote % ./vm_remote key_disk_send + @remote % remote/luks-key-disk-send TASK: pousser des changements locaux sur la VM - @remote % ./vm_remote push hosted - @hosted % vm_hosted git_reset + @remote % remote/git-push + @local % local/git-reset TASK: se connecter interactivement en root à la VM avec une connection SSH persistante - @remote % ./vm_remote mosh -l root + @remote % remote/mosh -l root TASK: générer une autorité de certification et des sous-certificats TLS % export TRACE=all % random=/dev/urandom gpg_options="-r $USER@ -r $SOME_OTHER_USER@" lib/tool/openssl/make etc/openssl/heureux-cyclage.org @@ -58,11 +58,11 @@ TASK: gérer gitolite % cd etc/gitolite % vim conf/gitolite.conf % git commit - % ../../vm_remote gitolite_push + % ../../remote/gitolite-push TASK: configurer une zone DNS - @hosted % vm runit_configure nsd3 -- heureux-cyclage.org + @local % local/runit-configure nsd3 -- heureux-cyclage.org TASK: configurer un membre du groupe php5-fpm - @remote % ./vm_remote runit_configure nginx -- lhc_www - @hosted % vm_hosted runit_configure nginx -- lhc_www + @remote % remote/runit-configure nginx -- lhc_www + @local % local/runit-configure nginx -- lhc_www TASK: configurer un site nginx - @hosted % vm_hosted runit_configure nginx -- lhc_www + @local % local/runit-configure nginx -- lhc_www diff --git a/etc/host.sh b/etc/host.sh new file mode 100644 index 0000000..d89bb2f --- /dev/null +++ b/etc/host.sh 
@@ -0,0 +1,21 @@ +. "$tool"/etc/local.sh + +readonly vm_dev_disk=/dev/mapper/domU-$(printf %s "$vm_fqdn-disk" | sed -e 's/-/--/g') +readonly vm_dev_disk_boot="${vm_dev_disk}1" + +case $vm_use_lvm in + (no) + readonly vm_dev_disk_swap="${vm_dev_disk}5" + readonly vm_dev_disk_root="${vm_dev_disk}6" + readonly vm_dev_disk_var="${vm_dev_disk}7" + readonly vm_dev_disk_home="${vm_dev_disk}8" + ;; + (yes) + readonly vm_lvm_pv="${vm_dev_disk}2" + readonly vm_dev_disk_swap=/dev/$vm_lvm_vg/${vm_lvm_lv}_swap + readonly vm_dev_disk_root=/dev/$vm_lvm_vg/${vm_lvm_lv}_root + readonly vm_dev_disk_var=/dev/$vm_lvm_vg/${vm_lvm_lv}_var + readonly vm_dev_disk_home=/dev/$vm_lvm_vg/${vm_lvm_lv}_home + ;; + (*) exit 1;; + esac diff --git a/etc/vm.sh b/etc/local.sh similarity index 93% rename from etc/vm.sh rename to etc/local.sh index 3e539b8..9eff864 100644 --- a/etc/vm.sh +++ b/etc/local.sh @@ -1,6 +1,3 @@ -#!/bin/sh -# DESCRIPTION: ce fichier regroupe les variables propres à la VM - readonly PATH=$PATH:/usr/sbin:/sbin readonly vm_domainname="heureux-cyclage.org" readonly vm_hostname="ateliers" @@ -79,7 +76,7 @@ readonly vm_e2fs_stripe_size= # et donc pas de chunk size. readonly vm_e2fs_stride=${vm_e2fs_stripe_size:+$((vm_e2fs_stripe_size / vm_e2fs_block_size))} readonly vm_e2fs_stripe_width=${vm_e2fs_stride:+$((vm_e2fs_stride * vm_raid_effective_disks))} - vm_e2fs_extended_options=${vm_e2fs_stride:+,stride=$vm_e2fs_stride}${vm_e2fs_stripe_width:+,stripe_width=$vm_e2fs_stripe_width} +vm_e2fs_extended_options=${vm_e2fs_stride:+,stride=$vm_e2fs_stride}${vm_e2fs_stripe_width:+,stripe_width=$vm_e2fs_stripe_width} readonly vm_arch="amd64" readonly vm_bridge="br-gresille" @@ -90,7 +87,3 @@ readonly vm_mac="00:16:3E:E5:98:42" # NOTE: addresse MAC assignée par Grésille # dans l'idée de ne pas s'embêter avec # une migration squeeze -> wheezy dans deux mois ; # et parce qu'on juge wheezy « suffisamment stable ». - -rule_env () { # DESCRIPTION: affiche les $vm_* - set | grep '^vm_' - } 
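Review bot: The `(*) exit 1;;` arm at the end of the new etc/host.sh terminates whichever host/* script sourced it with no diagnostic, so a mistyped `vm_use_lvm` in etc/local.sh looks like a silent no-op of e.g. part-root-format. Write the reason to stderr before exiting: `(*) printf 'etc/host.sh: vm_use_lvm must be yes or no, got: %s\n' "$vm_use_lvm" >&2; exit 1;;`. The same silent `(*) exit 1;;` is repeated in host/part-lvm-mount and host/part-lvm-umount, where it also swallows the legitimate value `no`.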
diff --git a/etc/nginx/site.d/gitweb-tls/configure.sh b/etc/nginx/site.d/gitweb-tls/local.sh similarity index 100% rename from etc/nginx/site.d/gitweb-tls/configure.sh rename to etc/nginx/site.d/gitweb-tls/local.sh diff --git a/etc/nginx/site.d/gitweb/configure.sh b/etc/nginx/site.d/gitweb/local.sh similarity index 61% rename from etc/nginx/site.d/gitweb/configure.sh rename to etc/nginx/site.d/gitweb/local.sh index 8e5b1a0..c4d0111 100644 --- a/etc/nginx/site.d/gitweb/configure.sh +++ b/etc/nginx/site.d/gitweb/local.sh @@ -1,4 +1,4 @@ -rule apt_get_install gitweb highlight +"$tool"/local/apt-get-install gitweb highlight #sudo adduser www-data git-data sudo adduser www-"$site"-tls www-"$site" diff --git a/etc/nginx/site.d/lhc-questionnaires-tls/configure.sh b/etc/nginx/site.d/lhc-questionnaires-tls/local.sh similarity index 100% rename from etc/nginx/site.d/lhc-questionnaires-tls/configure.sh rename to etc/nginx/site.d/lhc-questionnaires-tls/local.sh diff --git a/etc/nginx/site.d/lhc-questionnaires/configure.sh b/etc/nginx/site.d/lhc-questionnaires/local.sh similarity index 100% rename from etc/nginx/site.d/lhc-questionnaires/configure.sh rename to etc/nginx/site.d/lhc-questionnaires/local.sh diff --git a/etc/nginx/site.d/lhc-remorque/configure.sh b/etc/nginx/site.d/lhc-remorque/local.sh similarity index 95% rename from etc/nginx/site.d/lhc-remorque/configure.sh rename to etc/nginx/site.d/lhc-remorque/local.sh index 1bf5045..410743e 100644 --- a/etc/nginx/site.d/lhc-remorque/configure.sh +++ b/etc/nginx/site.d/lhc-remorque/local.sh 
@@ -2,17 +2,17 @@ local hint="run before: ./vm_remote runit_configure nginx -- $site" assert "sudo getent passwd wiki-\"$site\" >/dev/null" hint assert "sudo test -f ~wiki-$site/etc/ssh/id_rsa" hint -rule apt_get_install ikiwiki \ +"$tool"/local/apt-get-install ikiwiki \ libsearch-xapian-perl -rule adduser fcgi-"$site" \ +"$tool"/local/adduser fcgi-"$site" \ --disabled-login \ --disabled-password \ --group \ --home /home/www/pub/"$site" \ --shell /bin/false \ --system -rule adduser www-"$site" \ +"$tool"/local/adduser www-"$site" \ --disabled-login \ --disabled-password \ --group \ diff --git a/etc/nginx/site.d/lhc-remorque/remote.sh b/etc/nginx/site.d/lhc-remorque/remote.sh index d86a039..d2cc256 100644 --- a/etc/nginx/site.d/lhc-remorque/remote.sh +++ b/etc/nginx/site.d/lhc-remorque/remote.sh @@ -1,5 +1,5 @@ gpg --decrypt "$tool"/var/sec/ssh/wiki-"$site".gpg | -rule ssh -l root ' \ +"$tool"/remote/ssh -l root ' \ set -e -f -u -x sudo install -d -m 1751 -o lhc -g lhc \ /home/lhc \ diff --git a/etc/nginx/site.d/lhc-stats-tls/configure.sh b/etc/nginx/site.d/lhc-stats-tls/local.sh similarity index 100% rename from etc/nginx/site.d/lhc-stats-tls/configure.sh rename to etc/nginx/site.d/lhc-stats-tls/local.sh diff --git a/etc/nginx/site.d/lhc-stats/configure.sh b/etc/nginx/site.d/lhc-stats/local.sh similarity index 100% rename from etc/nginx/site.d/lhc-stats/configure.sh rename to etc/nginx/site.d/lhc-stats/local.sh diff --git a/etc/nginx/site.d/lhc-www-tls/configure.sh b/etc/nginx/site.d/lhc-www-tls/local.sh similarity index 100% rename from etc/nginx/site.d/lhc-www-tls/configure.sh rename to etc/nginx/site.d/lhc-www-tls/local.sh diff --git a/etc/nginx/site.d/lhc-www/configure.sh b/etc/nginx/site.d/lhc-www/local.sh similarity index 100% rename from etc/nginx/site.d/lhc-www/configure.sh rename to etc/nginx/site.d/lhc-www/local.sh 
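Review bot: The context line `local hint="run before: ./vm_remote runit_configure nginx -- $site"` still names the entry point this commit removes, while the README hunk in the same commit now documents `remote/runit-configure nginx -- lhc_www`, so the assert message will send the operator to a command that no longer exists. Update it to `local hint="run before: \"\$tool\"/remote/runit-configure nginx -- $site"`. Note also that `local` is only valid when this snippet is sourced from inside a function; the sourcing side is outside the hunk, so I cannot confirm that holds after the move to local.sh.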
diff --git a/etc/nginx/site.d/sympa/configure.sh b/etc/nginx/site.d/sympa/local.sh similarity index 100% rename from etc/nginx/site.d/sympa/configure.sh rename to etc/nginx/site.d/sympa/local.sh diff --git a/etc/sv/cyclo_paris_est__openerp/configure.sh b/etc/sv/cyclo_paris_est__openerp/local.sh similarity index 75% rename from etc/sv/cyclo_paris_est__openerp/configure.sh rename to etc/sv/cyclo_paris_est__openerp/local.sh index b5e74c6..cd02d50 100644 --- a/etc/sv/cyclo_paris_est__openerp/configure.sh +++ b/etc/sv/cyclo_paris_est__openerp/local.sh @@ -1,29 +1,29 @@ home=/home/"$sv" -rule _runit_sv_configure postgres -rule _runit_sv_start postgres +"$tool"/local/runit-sv-configure postgres +"$tool"/local/runit-sv-start postgres while ! sudo -u postgres psql " "$@"; readlink "$@"' - {} \; | grep $vm_dev_disk +# enfin, ôter l'éventuel verrou dans /var/lock/lvm/ diff --git a/host/git-configure b/host/git-configure new file mode 100755 index 0000000..a56d788 --- /dev/null +++ b/host/git-configure @@ -0,0 +1,23 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/host/lib.sh + +cd "$tool" +git config --replace branch.master.remote . +git config --replace branch.master.merge refs/remotes/master +local tool +tool=$(cd "$tool"; cd -) +install -m 770 /dev/stdin \ + .git/hooks/post-update <<-EOF + #!/bin/sh -efux + case \$1 in + (refs/remotes/master) + cd .. + #git --git-dir=\$PWD/.git checkout -f -B master remotes/master && + git --git-dir=\$PWD/.git checkout HEAD'^' && + git --git-dir=\$PWD/.git branch -f master remotes/master && + git --git-dir=\$PWD/.git checkout master + git --git-dir=\$PWD/.git clean -f -d -x + ;; + esac + EOF diff --git a/host/lib.sh b/host/lib.sh new file mode 100644 index 0000000..81f7438 --- /dev/null +++ b/host/lib.sh @@ -0,0 +1,3 @@ +. "$tool"/etc/host.sh +set -x +test "$(hostname --fqdn)" = "$vm_host" diff --git a/host/part-boot-format b/host/part-boot-format new file mode 100755 index 0000000..c292f23 --- /dev/null 
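Review bot: In host/git-configure the line `local tool` sits at script top level, not inside a function, and dash rejects that ("local: not in a function"); with `#!/bin/sh -eu` the script aborts there, before the post-update hook is installed. The following `tool=$(cd "$tool"; cd -)` only re-assigns the directory the script already `cd`-ed into, so both lines look like leftovers and can be dropped. Separately, `install -m 770` makes the hook group-writable while git runs it with the repository owner's rights; `install -m 750` keeps it executable without letting other group members edit a script that does `git clean -f -d -x` in the working tree (whether untracked secrets such as var/sec are at risk of that clean depends on .gitignore, which is not in the diff).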
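Review bot: The guard `test "$(hostname --fqdn)" = "$vm_host"` in host/lib.sh is a good safety check before any partition or LVM script runs, but a mismatch under `-e` exits with no message, which is hard to diagnose on the wrong host; spell it out, `test "$(hostname --fqdn)" = "$vm_host" || { printf 'host/lib.sh: not running on %s\n' "$vm_host" >&2; exit 1; }`. The unconditional `set -x` also traces every command of every host/* script to stderr; the README already uses `TRACE=1` as the opt-in, so `${TRACE:+set -x}` would keep the same behaviour on demand.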
+++ b/host/part-boot-format @@ -0,0 +1,8 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/host/lib.sh + +mount | grep -q "^$vm_dev_disk_boot " || +sudo mke2fs -t ext2 -c -c -m 5 -T small \ + -E resize=1G${vm_e2fs_extended_options} \ + -L ${vm_lvm_lv}_boot $vm_dev_disk_boot diff --git a/host/part-boot-mount b/host/part-boot-mount new file mode 100755 index 0000000..82a6cef --- /dev/null +++ b/host/part-boot-mount @@ -0,0 +1,8 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/host/lib.sh + +mountpoint -q /mnt/$vm_fqdn +test -d /mnt/$vm_fqdn/boot +mountpoint -q /mnt/$vm_fqdn/boot || +sudo mount -v -t ext2 $vm_dev_disk_boot /mnt/$vm_fqdn/boot diff --git a/host/part-boot-umount b/host/part-boot-umount new file mode 100755 index 0000000..bc09e4d --- /dev/null +++ b/host/part-boot-umount @@ -0,0 +1,6 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/host/lib.sh + +! mountpoint -q /mnt/$vm_fqdn/boot || +sudo umount -v /mnt/$vm_fqdn/boot diff --git a/host/part-home-format b/host/part-home-format new file mode 100755 index 0000000..cedffbc --- /dev/null +++ b/host/part-home-format @@ -0,0 +1,12 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/host/lib.sh + +"$tool"/host/part-luks-format home +"$tool"/host/part-luks-mount home +sudo mke2fs -t ext4 -c -c -m 0 -T ext4 -b $vm_e2fs_block_size \ + -E resize=400G${vm_e2fs_extended_options} \ + -L ${vm_lvm_lv}_home \ + /dev/mapper/${vm_lvm_lv}_home_deciphered + # NOTE: -O quota pas supporté par e2fsprogs/squeeze +"$tool"/host/part-luks-umount home diff --git a/host/part-home-mount b/host/part-home-mount new file mode 100755 index 0000000..f1558d0 --- /dev/null +++ b/host/part-home-mount @@ -0,0 +1,7 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/host/lib.sh + +"$tool"/host/part-luks-mount home +mountpoint -q /mnt/$vm_fqdn/home || +sudo mount -v -t ext4 /dev/mapper/${vm_lvm_lv}_home_deciphered /mnt/$vm_fqdn/home 
diff --git a/host/part-home-umount b/host/part-home-umount new file mode 100755 index 0000000..8fd1be7 --- /dev/null +++ b/host/part-home-umount @@ -0,0 +1,7 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/host/lib.sh + +! mountpoint -q /mnt/$vm_fqdn/home || +sudo umount -v /mnt/$vm_fqdn/home +"$tool"/host/part-luks-umount home diff --git a/host/part-luks-format b/host/part-luks-format new file mode 100755 index 0000000..3ed5ebd --- /dev/null +++ b/host/part-luks-format @@ -0,0 +1,12 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/host/lib.sh + +# NOTE: la clef de chiffrement est dérivée de celle de /, +# / doit être déchiffrée pour que cela fonctionne. +part="$1" +eval "dev=\"\$vm_dev_disk_$part\"" +test ! -e /dev/mapper/${vm_lvm_lv}_root_deciphered || +sudo /bin/sh -c "/lib/cryptsetup/scripts/decrypt_derived ${vm_lvm_lv}_root_deciphered | +cryptsetup luksFormat --hash=sha512 --key-size=512 \ + --cipher=aes-xts-essiv:sha256 --key-file=- --align-payload=8 $dev" diff --git a/host/part-luks-mount b/host/part-luks-mount new file mode 100755 index 0000000..e1d26d9 --- /dev/null +++ b/host/part-luks-mount @@ -0,0 +1,9 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/host/lib.sh + +part="$1" +eval "dev=\"\$vm_dev_disk_$part\"" +test -e /dev/mapper/${vm_lvm_lv}_${part}_deciphered || +sudo /bin/sh -c "/lib/cryptsetup/scripts/decrypt_derived ${vm_lvm_lv}_root_deciphered | +cryptsetup luksOpen --key-file=- $dev ${vm_lvm_lv}_${part}_deciphered" diff --git a/host/part-luks-umount b/host/part-luks-umount new file mode 100755 index 0000000..f2924c5 --- /dev/null +++ b/host/part-luks-umount @@ -0,0 +1,8 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/host/lib.sh + +part="$1" +eval "dev=\"\$vm_dev_disk_$part\"" +test ! -e /dev/mapper/${vm_lvm_lv}_${part}_deciphered || +sudo cryptsetup luksClose ${vm_lvm_lv}_${part}_deciphered 
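Review bot: In host/part-luks-format the guard `test ! -e /dev/mapper/${vm_lvm_lv}_root_deciphered ||` skips the luksFormat entirely when the root volume is not open and exits 0, although the comment just above says the derived key requires / to be decrypted; the caller (part-home-format, part-swap-format, part-var-format) then presumably fails later in part-luks-mount with a cryptsetup error that does not point at the real cause. The `eval "dev=\"\$vm_dev_disk_$part\""` also evaluates `$1` as shell code; the same construct is in host/part-luks-mount and host/part-luks-umount on this line, and in host/part-randomize and host/part-randomize-stats. A `case` on the known partition names removes the eval and makes both failures explicit.

```shell
part="$1"
case $part in
  (swap) dev=$vm_dev_disk_swap;;
  (var)  dev=$vm_dev_disk_var;;
  (home) dev=$vm_dev_disk_home;;
  (*) printf 'part-luks-format: unknown partition: %s\n' "$part" >&2; exit 1;;
  esac
test -e /dev/mapper/${vm_lvm_lv}_root_deciphered ||
  { printf 'part-luks-format: root volume must be opened first\n' >&2; exit 1; }
# … unchanged: sudo /bin/sh -c "decrypt_derived … | cryptsetup luksFormat … $dev" …
```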
diff --git a/host/part-lvm-format b/host/part-lvm-format new file mode 100755 index 0000000..b13012e --- /dev/null +++ b/host/part-lvm-format @@ -0,0 +1,14 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/host/lib.sh + +"$tool"/host/part-lvm-umount +! sudo vgs | grep -q "^ $vm_lvm_vg " || +sudo vgremove $vm_lvm_vg +sudo pvcreate --dataalignment 512k $vm_lvm_pv +sudo vgcreate --dataalignment 512k $vm_lvm_vg $vm_lvm_pv +sudo lvcreate --contiguous y -n ${vm_lvm_lv}_swap -L 1G $vm_lvm_vg +sudo lvcreate --contiguous y -n ${vm_lvm_lv}_root -L 15G $vm_lvm_vg +sudo lvcreate --contiguous y -n ${vm_lvm_lv}_var -L 5G $vm_lvm_vg +sudo lvcreate --contiguous y -n ${vm_lvm_lv}_home -l 99%FREE $vm_lvm_vg +"$tool"/host/part-lvm-umount diff --git a/host/part-lvm-mount b/host/part-lvm-mount new file mode 100755 index 0000000..16a93c1 --- /dev/null +++ b/host/part-lvm-mount @@ -0,0 +1,10 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/host/lib.sh + +case $vm_use_lvm in + (yes) + sudo vgchange -a y $vm_lvm_vg + ;; + (*) exit 1;; + esac diff --git a/host/part-lvm-umount b/host/part-lvm-umount new file mode 100755 index 0000000..3bf535b --- /dev/null +++ b/host/part-lvm-umount @@ -0,0 +1,14 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/host/lib.sh + +case $vm_use_lvm in + (yes) + "$tool"/host/part-root-umount + "$tool"/host/part-var-umount + "$tool"/host/part-home-umount + ! sudo vgs | grep -q "^ $vm_lvm_vg " || + sudo vgchange -a n $vm_lvm_vg + ;; + (*) exit 1;; + esac diff --git a/host/part-randomize b/host/part-randomize new file mode 100755 index 0000000..6a9796f --- /dev/null +++ b/host/part-randomize @@ -0,0 +1,6 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/host/lib.sh + +part="$1" +eval "sudo dd if=/dev/urandom of=\$vm_dev_disk_$part" diff --git a/host/part-randomize-stats b/host/part-randomize-stats new file mode 100755 index 0000000..7b691fc --- /dev/null +++ b/host/part-randomize-stats 
@@ -0,0 +1,6 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/host/lib.sh + +part="$1" +eval "pkill -USR1 -f \"^dd if=/dev/urandom of=\$vm_dev_disk_$part\"" diff --git a/host/part-root-format b/host/part-root-format new file mode 100755 index 0000000..b959501 --- /dev/null +++ b/host/part-root-format @@ -0,0 +1,28 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/host/lib.sh + +if ! mount | grep -q "^$vm_dev_disk_root " + then + sudo cryptsetup luksFormat --hash=sha512 --key-size=512 \ + --cipher=aes-xts-essiv:sha256 --align-payload=8 $vm_dev_disk_root + sudo cryptsetup luksOpen $vm_dev_disk_root ${vm_lvm_lv}_root_deciphered + sudo mke2fs -t ext4 -c -c -m 5 -T ext4 -b $vm_e2fs_block_size \ + -E resize=30G${vm_e2fs_extended_options} \ + -L ${vm_lvm_lv}_root \ + /dev/mapper/${vm_lvm_lv}_root_deciphered + ! mountpoint -q /mnt/$vm_fqdn + sudo mount -v /dev/mapper/${vm_lvm_lv}_root_deciphered /mnt/$vm_fqdn + sudo install -d -m 770 -o root -g root \ + /mnt/$vm_fqdn/boot \ + /mnt/$vm_fqdn/dev \ + /mnt/$vm_fqdn/home \ + /mnt/$vm_fqdn/proc \ + /mnt/$vm_fqdn/root \ + /mnt/$vm_fqdn/root/src \ + /mnt/$vm_fqdn/root/src/$vm \ + /mnt/$vm_fqdn/sys \ + /mnt/$vm_fqdn/var + sudo umount -v /mnt/$vm_fqdn + sudo cryptsetup luksClose ${vm_lvm_lv}_root_deciphered + fi diff --git a/host/part-root-mount b/host/part-root-mount new file mode 100755 index 0000000..0d0bafc --- /dev/null +++ b/host/part-root-mount @@ -0,0 +1,8 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/host/lib.sh + +test -e /dev/mapper/${vm_lvm_lv}_root_deciphered || +sudo cryptsetup luksOpen $vm_dev_disk_root ${vm_lvm_lv}_root_deciphered +mountpoint -q /mnt/$vm_fqdn || +sudo mount -v -t ext4 /dev/mapper/${vm_lvm_lv}_root_deciphered /mnt/$vm_fqdn diff --git a/host/part-root-umount b/host/part-root-umount new file mode 100755 index 0000000..77beda8 --- /dev/null +++ b/host/part-root-umount 
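Review bot: In host/part-root-format the bare line `! mountpoint -q /mnt/$vm_fqdn` cannot abort the script: POSIX `-e` is ignored for a pipeline beginning with `!`, so when something is already mounted there the following `sudo mount -v` runs anyway; write `! mountpoint -q /mnt/$vm_fqdn || exit 1`. host/xen-vm-attach has the same ineffective guard, `! pgrep -f "sudo xm console $vm_fqdn"`. The outer `if ! mount | grep -q "^$vm_dev_disk_root "` is also worth a second look: the root filesystem is mounted from the mapper device, so the raw partition is unlikely to appear in `mount` output and the check may not prevent a second, destructive luksFormat of an existing volume — checking for the mapper device or `cryptsetup isLuks $vm_dev_disk_root` would be more direct.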
@@ -0,0 +1,8 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/host/lib.sh + +! mountpoint -q /mnt/$vm_fqdn || +sudo umount -v /mnt/$vm_fqdn +! test -e /dev/mapper/${vm_lvm_lv}_root_deciphered || +sudo cryptsetup luksClose ${vm_lvm_lv}_root_deciphered diff --git a/host/part-swap-format b/host/part-swap-format new file mode 100755 index 0000000..d82abec --- /dev/null +++ b/host/part-swap-format @@ -0,0 +1,9 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/host/lib.sh + +"$tool"/host/part-luks-format swap +"$tool"/host/part-luks-mount swap +sudo mkswap -f -L ${vm_lvm_lv}_swap \ + /dev/mapper/${vm_lvm_lv}_swap_deciphered +"$tool"/host/part-luks-umount swap diff --git a/host/part-var-format b/host/part-var-format new file mode 100755 index 0000000..3aa0574 --- /dev/null +++ b/host/part-var-format @@ -0,0 +1,11 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/host/lib.sh + +"$tool"/host/part-luks-format var +"$tool"/host/part-luks-mount var +sudo mke2fs -t ext4 -c -c -m 5 -T ext4 -b $vm_e2fs_block_size \ + -E resize=10G${vm_e2fs_extended_options} \ + -L ${vm_lvm_lv}_var \ + /dev/mapper/${vm_lvm_lv}_var_deciphered +"$tool"/host/part-luks-umount var diff --git a/host/part-var-mount b/host/part-var-mount new file mode 100755 index 0000000..b8455e6 --- /dev/null +++ b/host/part-var-mount @@ -0,0 +1,7 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/host/lib.sh + +"$tool"/host/part-luks-mount var +mountpoint -q /mnt/$vm_fqdn/var || +sudo mount -v -t ext4 /dev/mapper/${vm_lvm_lv}_var_deciphered /mnt/$vm_fqdn/var diff --git a/host/part-var-umount b/host/part-var-umount new file mode 100755 index 0000000..fe9f34a --- /dev/null +++ b/host/part-var-umount @@ -0,0 +1,7 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/host/lib.sh + +! mountpoint -q /mnt/$vm_fqdn/var || +sudo umount -v /mnt/$vm_fqdn/var +"$tool"/host/part-luks-umount var 
diff --git a/host/xen-vm-attach b/host/xen-vm-attach new file mode 100755 index 0000000..5c83ce2 --- /dev/null +++ b/host/xen-vm-attach @@ -0,0 +1,7 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/host/lib.sh + +! pgrep -f "sudo xm console $vm_fqdn" +info 'Ctrl-] pour se détacher de la console' +sudo xm console $vm_fqdn diff --git a/host/xen-vm-configure b/host/xen-vm-configure new file mode 100755 index 0000000..1f3e9a6 --- /dev/null +++ b/host/xen-vm-configure @@ -0,0 +1,44 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/host/lib.sh + +sudo install -m 644 -u root -g root /dev/stdin \ + /etc/xen/$vm_fqdn.cfg <<-EOF + # -*- mode: python; -*- + # DOC: http://wiki.xen.org/wiki/Xen_Linux_PV_on_HVM_drivers + import os, re + name = "$vm_fqdn" + arch = os.uname()[4] + memory = 2048 + vcpus = 1 + pae = 1 + acpi = 1 + apic = 1 + vif = ['mac=$vm_mac,bridge=$vm_bridge'] + disk = ['phy:/dev/domU/$vm_fqdn-disk,hda,w'] + device_model = 'qemu-dm' + # HVM : + #kernel = "/usr/lib/xen-4.0/boot/hvmloader" + #builder = 'hvm' + #xen_platform_pci = 1 # NOTE: the guest VM can use optimized PV on HVM drivers + # PV : + #kernel = "pv-grub.gz" # NOTE: pas encore dans Debian car il ne fonctionne qu'avec grub-legacy + #extra = "(hd0,0)/grub/grub.cfg" + bootloader = '/usr/bin/pygrub' + + # boot on floppy (a), hard disk (c) or CD-ROM (d) + #boot = 'd' + + #vnc = 1 + #sdl = 0 + #vncconsole = 0 + #vnclisten = "0.0.0.0" + #vncpasswd = "" + #usbdevice = 'tablet' + + keymap = 'fr' + serial = 'pty' + on_poweroff = 'destroy' + on_reboot = 'restart' + on_crash = 'restart' + EOF diff --git a/host/xen-vm-start b/host/xen-vm-start new file mode 100755 index 0000000..8b84913 --- /dev/null +++ b/host/xen-vm-start @@ -0,0 +1,7 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/host/lib.sh + +test ! -e /dev/domU/$vm_fqdn-disk1 +sudo xm create $vm_fqdn.cfg +"$tool"/host/xen-vm-attach 
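Review bot: `sudo install -m 644 -u root -g root /dev/stdin /etc/xen/$vm_fqdn.cfg` in host/xen-vm-configure uses an option GNU install does not have (`-u`); coreutils install spells owner as `-o`, which is what every other `install` call in this commit uses, so this script fails before writing the Xen config. Change it to `sudo install -m 644 -o root -g root /dev/stdin \`. The `import os, re` inside the generated config also imports `re` without using it.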
diff --git a/host/xen-vm-stop b/host/xen-vm-stop new file mode 100755 index 0000000..7672338 --- /dev/null +++ b/host/xen-vm-stop @@ -0,0 +1,5 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/host/lib.sh + +sudo xm shutdown $vm_fqdn diff --git a/host/xen-vm-stop-force b/host/xen-vm-stop-force new file mode 100755 index 0000000..32ea204 --- /dev/null +++ b/host/xen-vm-stop-force @@ -0,0 +1,5 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/host/lib.sh + +sudo xm destroy $vm_fqdn diff --git a/lib/rule.sh b/lib/rule.sh deleted file mode 100644 index 9990962..0000000 --- a/lib/rule.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/sh - -. "$tool"/lib/log.sh - -rule () { - local - - local rule="$1"; shift - info "$*" rule - ${TRACE:+set -x} - rule_$rule "$@" - } diff --git a/lib/ssh b/lib/ssh index 93ecbcf..2ebd542 100755 --- a/lib/ssh +++ b/lib/ssh @@ -1,5 +1,4 @@ -#!/bin/sh -set -e -f ${DRY_RUN:+-n} -u +#!/bin/sh -eux tool=${0%/*}/.. ssh \ -o StrictHostKeyChecking=yes \ diff --git a/local/adduser b/local/adduser new file mode 100755 index 0000000..08950fe --- /dev/null +++ b/local/adduser @@ -0,0 +1,6 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/local/lib.sh + +getent passwd "$user" >/dev/null || +sudo adduser "$@" "$user" diff --git a/local/apt-configure b/local/apt-configure new file mode 100755 index 0000000..bbfd1e3 --- /dev/null +++ b/local/apt-configure 
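Review bot: Replacing `set -e -f ${DRY_RUN:+-n} -u` with `#!/bin/sh -eux` in lib/ssh makes tracing unconditional and drops both the `DRY_RUN` opt-in and `-f`: every ssh invocation now writes its complete argument list, including remote scripts passed on the command line as in etc/nginx/site.d/lhc-remorque/remote.sh, to stderr, and a caller that passes secrets as arguments would have them logged too. Keeping a `set` line keyed on the `TRACE` variable the README already documents preserves both behaviours: `set -e -f -u ${DRY_RUN:+-n} ${TRACE:+-x}`. Options in the shebang are also lost whenever the script is run as `sh lib/ssh`.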
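Review bot: local/adduser reads the account name from `$user` but its visible callers in etc/nginx/site.d/lhc-remorque/local.sh pass it as the first positional argument (`"$tool"/local/adduser fcgi-"$site" --disabled-login ...`), and the script then forwards all of `"$@"`; under `-u` an unset `user` aborts the script, and if `user` happens to be set in the environment, `$1` is passed to adduser as a stray argument ahead of the options. Unless local/lib.sh sets `user` (it is not in view), take it from argv: `user=$1; shift` right after sourcing lib.sh. The `getent passwd "$user"` idempotency guard is fine as is.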
@@ -0,0 +1,29 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/local/lib.sh + +sudo install -m 664 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF + deb http://ftp.rezopole.net/debian $vm_lsb_name main + EOF +sudo install -m 664 -o root -g root /dev/stdin /etc/apt/sources.list.d/$vm_lsb_name-backports.list <<-EOF + deb http://ftp.rezopole.net/debian $vm_lsb_name-backports main + EOF +sudo install -m 664 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF + deb http://nightly.openerp.com/7.0/nightly/deb/ ./ + EOF +sudo install -m 664 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF + Package: * + Pin: release a=$vm_lsb_name + Pin-Priority: 200 + + Package: * + Pin: release a=$vm_lsb_name-backports + Pin-Priority: 170 + EOF +sudo apt-get update +"$tool"/local/apt-get-install apticron +m4 \ + --define=VM_DOMAINNAME=$vm_domainname \ + <"$tool"/etc/apticron/apticron.conf.m4 | +sudo install -m 644 -o root -g root /dev/stdin \ + /etc/apticron/apticron.conf diff --git a/local/apt-get-install b/local/apt-get-install new file mode 100755 index 0000000..7476e25 --- /dev/null +++ b/local/apt-get-install @@ -0,0 +1,8 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/local/lib.sh + +sudo \ + DEBIAN_FRONTEND=noninteractive \ + DEBIAN_PRIORITY=low \ + apt-get install --yes "$@" diff --git a/local/boot-configure b/local/boot-configure new file mode 100755 index 0000000..a0d5ae2 --- /dev/null +++ b/local/boot-configure 
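Review bot: /etc/apt/preferences pins the Debian release at priority 200 and backports at 170, but the third-party `nightly.openerp.com` source added just above gets no pin at all, so its packages keep APT's default priority 500 and win over Debian's for any package name both ship — a supply-chain exposure that also defeats the ordering this file is trying to enforce. A stanza such as `Package: *` / `Pin: origin nightly.openerp.com` / `Pin-Priority: 100` (or pinning only the openerp packages upward) confines that repository to what it is meant to provide. The `-m 664` on sources.list, the backports list and preferences leaves them writable by group root for no reason; `-m 644`, as used for apticron.conf a few lines later, is sufficient.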
@@ -0,0 +1,35 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/local/lib.sh + +sudo debconf-set-selections <<-EOF + grub-pc grub-pc/install_devices multiselect + EOF +"$tool"/local/apt-get-install grub-pc +sudo install -d -m 644 -o root -g root /boot/grub +"$tool"/local/apt-get-install linux-image-$vm_arch +sudo install -m 644 -o root -g root /dev/stdin \ + /etc/default/grub <<-EOF + GRUB_DEFAULT=0 + GRUB_TIMEOUT=5 + GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\` + GRUB_CMDLINE_LINUX_DEFAULT="quiet" + GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered" + GRUB_DISABLE_RECOVERY="true" + #GRUB_PRELOAD_MODULES="lvm" + EOF +sudo install -m 644 -o root -g root /dev/stdin \ + /boot/grub/device.map <<-EOF + (hd0) /dev/xvda + (hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g') + EOF +sudo update-grub2 # NOTE: prend en compte /boot/grub/device.map +"$tool"/local/initramfs-configure +"$tool"/local/apt-get-install molly-guard +sudo install -m 644 -o root -g root /dev/stdin \ + /etc/molly-guard/rc <<-EOF + ALWAYS_QUERY_HOSTNAME=true + # NOTE: une alternative est de dire à sudo de conserver les SSH_* + # néamoins demander tout le temps n'est pas trop contraignant + # et davantage sécurisant. + EOF diff --git a/local/configure b/local/configure new file mode 100755 index 0000000..48dee54 --- /dev/null +++ b/local/configure 
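Review bot: `sudo install -d -m 644 -o root -g root /boot/grub` creates a directory without the search bit, so only root (through its override capability) can enter it and `ls /boot/grub` fails for everyone else; directories want `-m 755` here. The `device.map` heredoc maps `(hd0)` twice, to `/dev/xvda` and to the `domU-…` mapper device, and presumably only one of the two is honoured — a comment saying which one is meant to win, and why the other is kept, would stop the next reader from "fixing" it. `GRUB_CMDLINE_LINUX` hard-codes the netmask `255.255.255.254` next to the configurable `$vm_ipv4`; sourcing it from etc/local.sh like the other `vm_*` values keeps network settings in one place.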
@@ -0,0 +1,20 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/local/lib.sh + +"$tool"/local/apt-configure +"$tool"/local/git-configure +"$tool"/local/etckeeper-configure +"$tool"/local/locales-configure +"$tool"/local/time-configure +"$tool"/local/network-configure +"$tool"/local/filesystem-configure +"$tool"/local/login-configure +"$tool"/local/ssh-configure +"$tool"/local/user-root-configure +"$tool"/local/boot-configure +"$tool"/local/sysctl-configure +"$tool"/local/user-configure +"$tool"/local/gitolite-configure +"$tool"/local/shorewall-configure +"$tool"/local/runit-configure '*' -- '*' diff --git a/local/dpkg-reconfigure b/local/dpkg-reconfigure new file mode 100755 index 0000000..b4ab82a --- /dev/null +++ b/local/dpkg-reconfigure @@ -0,0 +1,8 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/local/lib.sh + +sudo \ + DEBIAN_FRONTEND=noninteractive \ + DEBIAN_PRIORITY=low \ + dpkg-reconfigure "$@" diff --git a/local/duplicity-configure b/local/duplicity-configure new file mode 100755 index 0000000..6c81e05 --- /dev/null +++ b/local/duplicity-configure 
@@ -0,0 +1,35 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/local/lib.sh + +"$tool"/local/apt-get-install duplicity +home="/home/backup" +"$tool"/local/adduser backup \ + --disabled-password \ + --group \ + --home "$home" \ + --shell /bin/bash \ + --system +sudo usermod --home "$home" backup +sudo install -d -m 750 -o backup -g backup \ + "$home" \ + "$home"/etc \ + "$home"/etc/gpg \ + "$home"/etc/ssh +sudo install -d -m 770 -o backup -g backup \ + "$home"/mysql \ + "$home"/postgres +getent group sudo backup | +while IFS=: read -r group x x users + do while test -n "$users" && IFS=, read -r user users <<-EOF + $users + EOF + do eval home="~$user" + sudo cat "$home"/etc/ssh/authorized_keys + done + done | +sudo install -m 640 -o backup -g backup /dev/stdin \ + "$home"/etc/ssh/authorized_keys +sudo ln -fns etc/gpg "$home"/.gnupg +#sudo adduser backup mysql-data +#sudo adduser backup postgres-data diff --git a/local/etckeeper-configure b/local/etckeeper-configure new file mode 100755 index 0000000..ae5bdb5 --- /dev/null +++ b/local/etckeeper-configure @@ -0,0 +1,18 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/local/lib.sh + +sudo install -m 644 -o root -g root /dev/stdin \ + /etc/etckeeper/etckeeper.conf <<-EOF + VCS=git + GIT_COMMIT_OPTIONS="" + AVOID_DAILY_AUTOCOMMITS=1 + #AVOID_SPECIAL_FILE_WARNING=1 + AVOID_COMMIT_BEFORE_INSTALL=1 + HIGHLEVEL_PACKAGE_MANAGER=apt + LOWLEVEL_PACKAGE_MANAGER=dpkg + EOF +sudo install -m 644 -o root -g root \ + "$tool"/etc/etckeeper/prompt.sh \ + /etc/etckeeper/prompt.sh +"$tool"/local/apt-get-install etckeeper diff --git a/local/filesystem-configure b/local/filesystem-configure new file mode 100755 index 0000000..c6f3cf8 --- /dev/null +++ b/local/filesystem-configure 
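Review bot: `eval home="~$user"` runs a user name read from `getent group` through eval, and inside the pipeline it reuses the `home` variable that was set to `/home/backup` a few lines earlier; the final `sudo install … "$home"/etc/ssh/authorized_keys` only still sees `/home/backup` because each pipeline stage is a separate subshell, which is fragile (bash `lastpipe`, or any refactor out of the pipeline, breaks it). A lookup without eval into a distinct variable, e.g. `user_home=$(getent passwd "$user" | cut -d: -f6)`, fixes both; the same `eval home="~$user"` loop appears in local/initramfs-configure, local/user-add, local/user-admin-add and local/user-root-configure. Concatenating every sudo member's authorized_keys into the backup account's file also means any admin key can log in directly as `backup` and read the `mysql`/`postgres` dumps — worth a comment stating that this is intended.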
@@ -0,0 +1,31 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/local/lib.sh + +m4 \ + --define=VM_LVM_LV=$vm_lvm_lv \ + --define=VM_LVM_VG=$vm_lvm_vg \ + <"$tool"/etc/fstab.m4 | +sudo install -m 644 -o root -g root /dev/stdin \ + /etc/fstab +m4 \ + --define=VM_LVM_LV=$vm_lvm_lv \ + --define=VM_LVM_VG=$vm_lvm_vg \ + <"$tool"/etc/crypttab.m4 | +sudo install -m 644 -o root -g root /dev/stdin \ + /etc/crypttab +sudo install -m 644 -o root -g root /dev/stdin \ + /etc/default/tmpfs <<-EOF + LOCK_SIZE=5242880 # NOTE: 5MiB + RAMLOCK=yes + RAMSHM=yes + RAMTMP=yes + RUN_SIZE=10% + SHM_SIZE= + TMP_MODE=1777,nr_inodes=1000k,noatime + TMP_OVERFLOW_LIMIT=1024 + # NOTE: mount tmpfs on /tmp if there is less than the limit size (in kiB) + # on the root filesystem (overriding RAMTMP). + TMP_SIZE=200m + TMPFS_SIZE=20%VM + EOF diff --git a/local/git-configure b/local/git-configure new file mode 100755 index 0000000..e7ff6c1 --- /dev/null +++ b/local/git-configure @@ -0,0 +1,18 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/local/lib.sh + +cd "$tool" +git config --replace branch.master.remote . +git config --replace branch.master.merge refs/remotes/master +install -m 770 /dev/stdin \ + .git/hooks/post-update <<-EOF + #!/bin/sh -efux + case \$1 in + (refs/remotes/master) + cd .. + git --git-dir=\$PWD/.git checkout -f -B master remotes/master + git --git-dir=\$PWD/.git clean -f -d -x + ;; + esac + EOF diff --git a/local/git-reset b/local/git-reset new file mode 100755 index 0000000..3a3f875 --- /dev/null +++ b/local/git-reset @@ -0,0 +1,7 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/local/lib.sh + +cd "$tool" +git checkout -f -B master remotes/master +git clean -f -d -x diff --git a/local/gitolite-configure b/local/gitolite-configure new file mode 100755 index 0000000..0be27e6 --- /dev/null +++ b/local/gitolite-configure 
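Review bot: `install -m 770 /dev/stdin .git/hooks/post-update` in local/git-configure makes the hook group-writable; git executes this file on every push, so anyone in the owner's group can change what runs — `-m 750` is enough. The hook also runs `git clean -f -d -x` on the receiving checkout, which deletes untracked and ignored files; if `var/` on the VM holds anything that is not tracked in the repository (the `var/sec` material the remote scripts write, backups), it is wiped at the next push — I can't tell from this diff whether that is the case, so a comment in the hook stating the assumption is warranted.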
@@ -0,0 +1,107 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/local/lib.sh + +sudo debconf-set-selections <<-EOF + gitolite gitolite/gituser string git + gitolite gitolite/adminkey string + gitolite gitolite/gitdir string /home/git + EOF +"$tool"/local/apt-get-install gitolite +"$tool"/local/adduser git \ + --disabled-password \ + --group \ + --home /home/git \ + --shell /bin/bash \ + --system +sudo chfn --full-name git git +"$tool"/local/adduser log-git \ + --disabled-login \ + --disabled-password \ + --group \ + --home /home/git/log \ + --shell /bin/false \ + --system +"$tool"/local/adduser git-data \ + --disabled-login \ + --disabled-password \ + --group \ + --home /home/git/pub \ + --shell /bin/false \ + --system +sudo adduser git git-data +sudo install -d -m 750 -o git -g git \ + /etc/gitolite \ + /home/git/etc \ + /home/git/etc/ssh +sudo install -d -m 751 -o git -g git \ + /home/git +sudo install -d -m 2770 -o git-data -g git-data \ + /home/git/pub +sudo install -d -m 1771 -o git -g git \ + /home/git/log +sudo install -d -m 2770 -o git -g log-git \ + /home/git/log/gitolite \ + /home/git/log/gitolite/perf +sudo install -d -m 3771 -o git -g git \ + /home/git/hooks +sudo ln -fns /etc/gitolite /home/git/etc/gitolite +sudo ln -fns /etc/gitweb /home/git/etc/gitweb +sudo ln -fns etc/gitolite/gitolite.rc /home/git/.gitolite.rc +sudo ln -fns etc/ssh /home/git/.ssh +sudo install -m 770 -o git -g git /dev/stdin \ + /home/git/etc/gitolite/gitolite.rc <<-EOF + #\$ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary"; + #\$BIG_INFO_CAP = 20; + #\$ENV{GL_SLAVES} = 'gitolite@server2 gitolite@server3'; + # NOTE: Please use single quotes, not double quotes. + #\$GITWEB_URI_ESCAPE = 0; + \$GIT_PATH = ""; + #\$GL_ADC_PATH = ""; + \$GL_ADMINDIR = \$ENV{HOME} . 
"/etc/gitolite"; + #\$GL_ALL_INCLUDES_SPECIAL = 0; + #\$GL_ALL_READ_ALL = 0; + \$GL_BIG_CONFIG = 0; + \$GL_CONF = "\$GL_ADMINDIR/conf/gitolite.conf"; + \$GL_CONF_COMPILED = "\$GL_ADMINDIR/conf/gitolite.conf.pm"; + #\$GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups" + \$GL_GITCONFIG_KEYS = "gitweb\\..* hooks\\..*"; + #\$GL_HOSTNAME = "git.$vm_domainname"; + # NOTE: read doc/mirroring.mkd COMPLETELY before setting this. + #\$GL_HTTP_ANON_USER = "mob"; + \$GL_KEYDIR = "\$GL_ADMINDIR/keydir"; + \$GL_LOGT = \$ENV{HOME} . "/log/gitolite/%y-%m-%d.log"; + #\$GL_NICE_VALUE = 0; + \$GL_NO_CREATE_REPOS = 0; + \$GL_NO_DAEMON_NO_GITWEB = 0; + \$GL_NO_SETUP_AUTHKEYS = 0; + \$GL_PACKAGE_CONF = "/usr/share/gitolite/conf"; + \$GL_PACKAGE_HOOKS = "/usr/share/gitolite/hooks"; + #\$GL_PERFLOGT = \$ENV{HOME} . "/log/gitolite/perf/%y-%m-%d.log"; + #\$GL_REF_OR_FILENAME_PATT = qr(^[0-9a-zA-Z][0-9a-zA-Z._\\@/+ :,-]*\$); + \$GL_SITE_INFO = "git.$vm_domainname"; + #\$GL_SLAVE_MODE = 0; + \$GL_WILDREPOS = 0; + #\$GL_WILDREPOS_DEFPERMS = 'R @all'; + \$GL_WILDREPOS_PERM_CATS = "READERS WRITERS"; + \$HTPASSWD_FILE = ""; + \$PROJECTS_LIST = \$ENV{HOME} . "/etc/gitweb/projects.list"; + \$REPO_BASE = "pub"; + \$REPO_UMASK = 0007; + \$RSYNC_BASE = ""; + \$SVNSERVE = ""; + #\$UPDATE_CHAINS_TO = "hooks/update.secondary"; + \$WEB_INTERFACE = "gitweb"; + 1; + EOF +sudo install -m 600 -o git -g git \ + "$tool"/var/pub/ssh/git.key \ + /home/git/etc/ssh/git.pub +sudo -u git \ + GL_RC=/home/git/etc/gitolite/gitolite.rc \ + GIT_AUTHOR_NAME=git \ + gl-setup -q /home/git/etc/ssh/git.pub git +for d in doc logs src + do test ! -d /home/git/etc/gitolite/"$d" || + rmdir /home/git/etc/gitolite/"$d" + done diff --git a/local/initramfs-configure b/local/initramfs-configure new file mode 100755 index 0000000..8fa1075 --- /dev/null +++ b/local/initramfs-configure 
@@ -0,0 +1,65 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/local/lib.sh + +sudo install -m 644 -o root -g root /dev/stdin \ + /etc/initramfs-tools/initramfs.conf <<-EOF + MODULES=most + BUSYBOX=y + KEYMAP=y + COMPRESS=gzip + DEVICE=eth0 + EOF +sudo install -m 644 -o root -g root /dev/stdin \ + /etc/modprobe.d/xen-pv.conf <<-EOF + alias eth0 xennet + alias scsi_hostadapter xenblk + EOF +sudo install -m 644 -o root -g root /dev/stdin \ + /etc/modules <<-EOF + sha1_generic + sha256_generic + sha512_generic + aes-x86_64 + xts + # NOTE: pour Xen en mode HVM : + #modprobe xen-platform-pci + EOF +sudo install -m 644 -o root -g root /dev/stdin \ + /etc/initramfs-tools/modules <<-EOF + EOF +sudo sed -e '/^configure_networking /s/ &$//' \ + -i /usr/share/initramfs-tools/scripts/init-premount/dropbear + # NOTE: corrige une vermine : dropbear doit attendre que le réseau soit configuré.. +ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts | +( while IFS= read -r line + do case $line in (*" RSA") return 0; break;; esac + done; return 1 ) || + { +sudo rm -f \ + /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \ + /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub +sudo dropbearkey -t rsa -s 4096 -f \ + /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key + } +# NOTE: ne se préoccupe pas de dropbear_dss_host_key ; Debian la génère et l'utilise néamoins. 
+sudo install -d -m 640 -o root -g root \ + /etc/initramfs-tools/root \ + /etc/initramfs-tools/root/.ssh +getent group sudo | +while IFS=: read -r group x x users + do while test -n "$users" && IFS=, read -r user users <<-EOF + $users + EOF + do eval home="~$user" + sudo cat "$home"/etc/ssh/authorized_keys + done + done | +sudo install -m 644 -o root -g root /dev/stdin \ + /etc/initramfs-tools/root/.ssh/authorized_keys +sudo rm -f \ + /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \ + /etc/initramfs-tools/root/.ssh/id_rsa.pub \ + /etc/initramfs-tools/root/.ssh/id_rsa + # NOTE: clefs générées par Debian +sudo update-initramfs -u diff --git a/local/lib.sh b/local/lib.sh new file mode 100644 index 0000000..f1d4c3d --- /dev/null +++ b/local/lib.sh @@ -0,0 +1,3 @@ +. "$tool"/etc/local.sh +set -x +test "$(hostname --fqdn)" = "$vm_fqdn" diff --git a/local/locales-configure b/local/locales-configure new file mode 100755 index 0000000..0009be1 --- /dev/null +++ b/local/locales-configure @@ -0,0 +1,9 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/local/lib.sh + +sudo debconf-set-selections <<-EOF + locales locales/default_environment_locale select None + locales locales/locales_to_be_generated multiselect fr_FR.UTF-8 UTF-8 + EOF +"$tool"/local/dpkg-reconfigure locales diff --git a/local/login-configure b/local/login-configure new file mode 100755 index 0000000..956b2da --- /dev/null +++ b/local/login-configure 
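Review bot: `sudo install -d -m 640 -o root -g root /etc/initramfs-tools/root /etc/initramfs-tools/root/.ssh` creates directories without the search bit; use `-m 700`, and `-m 600` rather than `644` for the `authorized_keys` written into it, since that file decides who may unlock the disks from the initramfs. The `( while …; do case $line in (*" RSA") return 0; break;; esac; done; return 1 )` block uses `return` outside a function, which bash rejects; `exit 0` / `exit 1` inside the subshell is what is meant, and the `break` after `return 0` is unreachable. `sudo sed -i` on `/usr/share/initramfs-tools/scripts/init-premount/dropbear` patches a package-owned file that the next dropbear upgrade overwrites; a local script under `/etc/initramfs-tools/scripts/` or a dpkg diversion survives upgrades and is what etckeeper tracks.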
@@ -0,0 +1,30 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/local/lib.sh + +sudo install -m 644 -o root -g root \ + "$tool"/etc/inittab \ + /etc/inittab +sudo install -m 644 -o root -g root \ + "$tool"/etc/login.defs \ + /etc/login.defs +grep -q '^session optional pam_umask.so\>' \ + /etc/pam.d/common-session || +sudo install -m 644 -o root -g root /dev/stdin \ + /etc/pam.d/common-session <<-EOF + $(cat /etc/pam.d/common-session) + session optional pam_umask.so + EOF +grep -q '^hvc0$' \ + /etc/securetty || +sudo install -m 644 -o root -g root /dev/stdin \ + /etc/securetty <<-EOF + $(cat /etc/securetty) + hvc0 + EOF +grep -q '^xvc0$' /etc/securetty || +sudo install -m 644 -o root -g root /dev/stdin \ + /etc/securetty <<-EOF + $(cat /etc/securetty) + xvc0 + EOF diff --git a/local/luks-key-change b/local/luks-key-change new file mode 100755 index 0000000..f4a0f57 --- /dev/null +++ b/local/luks-key-change @@ -0,0 +1,5 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/local/lib.sh + +sudo cryptsetup luksChangeKey /dev/$vm_lvm_vg/${vm_lvm_lv}_root diff --git a/etc/mysql/bin/createdb b/local/mysql-database-create similarity index 100% rename from etc/mysql/bin/createdb rename to local/mysql-database-create diff --git a/etc/mysql/bin/createuser b/local/mysql-user-create similarity index 100% rename from etc/mysql/bin/createuser rename to local/mysql-user-create diff --git a/local/network-configure b/local/network-configure new file mode 100755 index 0000000..d70b6ff --- /dev/null +++ b/local/network-configure 
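Review bot: local/luks-key-change runs `luksChangeKey` only on `/dev/$vm_lvm_vg/${vm_lvm_lv}_root`, while remote/luks-key-backup iterates over `root var home` and remote/luks-key-send feeds one key to `/lib/cryptsetup/passfifo`, which suggests all three volumes share the passphrase; after this script, `var` and `home` would still accept the old one unless they are unlocked some other way I cannot see here. A `for part in root var home` loop like the one in luks-key-backup keeps them in step, and a comment should remind the operator to re-run luks-key-backup afterwards, because the saved headers still contain the old key slot.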
@@ -0,0 +1,24 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/local/lib.sh + +sudo install -m 644 -o root -g root /dev/stdin \ + /etc/hostname <<-EOF + $vm + EOF +grep -q " $vm\$" /etc/hosts || +sudo install -m 644 -o root -g root /dev/stdin \ + /etc/hosts <<-EOF + $(cat /etc/hosts) + 127.0.0.1 $vm_fqdn $vm + EOF +sudo install -m 644 -o root -g root /dev/stdin \ + /etc/resolv.conf <<-EOF + search ${vm_host#*.} + nameserver ${vm_host_nameserver} + EOF +m4 \ + --define=VM_IPV4=$vm_ipv4 \ + <"$tool"/etc/network/interfaces.m4 | +sudo install -m 640 -o root -g root /dev/stdin \ + /etc/network/interfaces diff --git a/local/passwd-init b/local/passwd-init new file mode 100755 index 0000000..28d5d1c --- /dev/null +++ b/local/passwd-init @@ -0,0 +1,4 @@ +#!/bin/sh -efu +# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système. +sudo /bin/sh -e -f -u -c \ + 'case $(/usr/bin/passwd --status "$SUDO_USER") in ("$SUDO_USER L "*) /usr/bin/passwd $SUDO_USER;; esac' diff --git a/etc/postgresql/bin/createdb b/local/postgresql-database-create similarity index 100% rename from etc/postgresql/bin/createdb rename to local/postgresql-database-create diff --git a/etc/postgresql/bin/createuser b/local/postgresql-user-create similarity index 100% rename from etc/postgresql/bin/createuser rename to local/postgresql-user-create diff --git a/local/runit-configure b/local/runit-configure new file mode 100755 index 0000000..06cb218 --- /dev/null +++ b/local/runit-configure 
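Review bot: local/passwd-init is described as letting an ordinary user initialise their own password, but the only NOPASSWD rule for its `/bin/sh -e -f -u -c 'case …'` command line is the one local/user-configure installs for `%sudo`; users created by local/user-add are added to `users`, not `sudo`, so for them sudo prompts for a password the account does not yet have (it is locked, which is exactly the `L` state the `case` tests). Either the sudoers fragment should target `%users` (or a dedicated group), or the description is wrong — the files under etc/ are outside this diff, so it may be handled there. `/usr/bin/passwd $SUDO_USER` inside the `-c` string is unquoted while the `--status` call quotes it; whichever form is chosen must be byte-identical in the sudoers rule, since sudo matches the command string exactly.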
@@ -0,0 +1,44 @@ +#!/bin/sh -eu +# SYNTAX: $sv [...] -- $sv_options +tool=$(readlink -e "${0%/*}/..") +. "$tool"/local/lib.sh + +"$tool"/local/apt-get-install runit +if test $# = 0 + then + set +x + sudo sv status \ + $(sudo find /etc/sv \ + -mindepth 1 -maxdepth 1 -type d \ + -printf '%p\n' | sort) + else + services= + while [ $# -gt 0 ] + do case $1 in + (--) shift; break;; + (*) services="$services ${1#etc/sv/}"; shift;; + esac + done + #for sv in $(sudo find /etc/sv \ + # -mindepth 1 -maxdepth 1 -type d \ + # -false $(printf -- '-or -name %s\n' $services) \ + # -printf '%f\n') + # do + # case $(sudo sv stop "$sv" | tee /dev/stderr) in + # (*": runsv not running") true;; + # (*": unable to open supervise/ok: file does not exist") true;; + # ("ok: down:"*) true;; + # (*) false;; + # esac + # done + for sv in $(find "$tool"/etc/sv \ + -mindepth 1 -maxdepth 1 -type d \ + -false $(printf -- '-or -name %s\n' $services) \ + -printf '%f\n') + do + "$tool"/local/runit-sv-configure "$sv" "$@" + "$tool"/local/runit-sv-start "$sv" + done + #sleep 3 + #sudo find -L /etc/service -type l -delete + fi diff --git a/local/runit-sv-configure b/local/runit-sv-configure new file mode 100755 index 0000000..1bd8909 --- /dev/null +++ b/local/runit-sv-configure 
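Review bot: `services="$services ${1#etc/sv/}"` is later expanded unquoted in `$(printf -- '-or -name %s\n' $services)`, and because the script runs under `-eu` without `-f`, a pattern such as the `'*'` that local/configure passes (`runit-configure '*' -- '*'`) is pathname-expanded against the current directory before it reaches `find -name`, so the service list becomes whatever files happen to be in `$PWD` instead of "all services". Adding `set -f` before the `for sv in $(find …)` loop (as local/passwd-init does with `-f`) keeps the pattern literal; remote/runit-configure has the same construct.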
@@ -0,0 +1,30 @@ +#!/bin/sh -eu +# SYNTAX: $sv [...] -- $configure_options +tool=$(readlink -e "${0%/*}/..") +. "$tool"/local/lib.sh + +sv="$1"; shift +sudo install -d -m 770 -o root -g root \ + /etc/sv/"$sv" +sudo install -m 770 -o root -g root \ + "$tool"/etc/sv/"$sv"/run \ + /etc/sv/"$sv"/run +if test -e "$tool"/etc/sv/"$sv"/log/run + then + sudo install -d -m 770 -o root -g root \ + /etc/sv/"$sv"/log + sudo install -m 770 -o root -g root \ + "$tool"/etc/sv/"$sv"/log/run \ + /etc/sv/"$sv"/log/run + fi +( +test ! -r "$tool"/etc/sv/"$sv"/local.sh || +. "$tool"/etc/sv/"$sv"/local.sh || return 1 +) +( +test ! -r "$tool"/etc/sv/"$sv"/log/local.sh || +. "$tool"/etc/sv/"$sv"/log/local.sh || return 1 +) +sudo ln -fns \ + ../sv/"$sv" \ + /etc/service/"$sv" diff --git a/local/runit-sv-restart b/local/runit-sv-restart new file mode 100755 index 0000000..569580a --- /dev/null +++ b/local/runit-sv-restart @@ -0,0 +1,13 @@ +#!/bin/sh -eu +# SYNTAX: $sv +tool=$(readlink -e "${0%/*}/..") +. "$tool"/local/lib.sh + +sv="$1" +while true + do case $(sudo sv restart "$sv" | tee /dev/stderr) in + (*": runsv not running") sleep 1;; + (*": unable to open supervise/ok: file does not exist") sleep 1;; + (*) break;; + esac + done diff --git a/local/runit-sv-start b/local/runit-sv-start new file mode 100755 index 0000000..e4b8332 --- /dev/null +++ b/local/runit-sv-start @@ -0,0 +1,13 @@ +#!/bin/sh -eu +# SYNTAX: $sv +tool=$(readlink -e "${0%/*}/..") +. "$tool"/local/lib.sh + +sv="$1" +while true + do case $(sudo sv start "$sv" | tee /dev/stderr) in + (*": runsv not running") sleep 1;; + (*": unable to open supervise/ok: file does not exist") sleep 1;; + (*) break;; + esac + done diff --git a/local/shorewall-configure b/local/shorewall-configure new file mode 100755 index 0000000..4c5511b --- /dev/null +++ b/local/shorewall-configure 
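Review bot: `. "$tool"/etc/sv/"$sv"/local.sh || return 1` sources the per-service script as a non-final member of an `||` list, and POSIX shells (bash included) ignore `-e` for everything executed in that position — the commands inside the sourced local.sh too — so a failing `sudo install` in a service's local.sh no longer aborts the run and only the last command's status is seen. `return` is also used outside a function here. Guarding with `if test -r "$tool"/etc/sv/"$sv"/local.sh; then ( . "$tool"/etc/sv/"$sv"/local.sh ); fi` keeps `-e` live inside the sourced file and lets the subshell's status propagate. The same pattern is in the `log/local.sh` block below, in local/user-configure (`. "$tool"/etc/user.d/"$sh" || return 1`) and in remote/runit-configure. The `-m 770 -o root -g root` on `/etc/sv/"$sv"` and its `run` scripts grants group root write on code runit executes as root; `-m 755` / `-m 750` suffices.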
@@ -0,0 +1,42 @@ +#!/bin/sh -eu +# SYNTAX: $sv [...] -- $configure_options +# DOC: http://shorewall.net/Introduction.html +tool=$(readlink -e "${0%/*}/..") +. "$tool"/local/lib.sh + +"$tool"/local/apt-get-install shorewall +sudo install -m 644 -o root -g root /dev/stdin \ + /etc/default/shorewall <<-EOF + INITLOG=/dev/null + OPTIONS="" + RESTARTOPTIONS="" + SAFESTOP=0 + STARTOPTIONS="" + startup=1 + EOF +for conf in "$tool"/etc/shorewall/* + do conf=${conf#"$tool"/etc/shorewall/} + sudo test ! -f "$tool"/etc/shorewall/"$conf" || + sudo install -m 640 -o root -g root \ + "$tool"/etc/shorewall/"$conf" \ + /etc/shorewall/"$conf" + done +sudo install -d -m 750 -o root -g root \ + /etc/shorewall/macro.d +for conf in "$tool"/etc/shorewall/macro.d/* + do conf=${conf#"$tool"/etc/shorewall/macro.d/} + sudo test ! -f "$tool"/etc/shorewall/macro.d/"$conf" || + sudo install -m 640 -o root -g root \ + "$tool"/etc/shorewall/macro.d/"$conf" \ + /etc/shorewall/macro.d/"$conf" + done +sudo install -d -m 750 -o root -g root \ + /etc/shorewall/action.d +#for conf in "$tool"/etc/shorewall/action.d/* +# do conf=${conf#"$tool"/etc/shorewall/action.d/} +# sudo test ! -f "$tool"/etc/shorewall/action.d/"$conf" || +# sudo install -m 640 -o root -g root \ +# "$tool"/etc/shorewall/action.d/"$conf" \ +# /etc/shorewall/action.d/"$conf" +# done +#sudo shorewall safe-restart diff --git a/local/sysctl-configure b/local/sysctl-configure new file mode 100755 index 0000000..a33bad9 --- /dev/null +++ b/local/sysctl-configure @@ -0,0 +1,16 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/local/lib.sh + +for conf in "$tool"/etc/sysctl.d/*.conf + do conf=${conf#"$tool"/etc/sysctl.d/} + sudo install -m 660 -o root -g root \ + "$tool"/etc/sysctl.d/"$conf" \ + /etc/sysctl.d/"$conf" + done +sudo install -m 660 -o root -g root /dev/stdin \ + /etc/sysctl.d/local-kernel-name.conf <<-EOF + kernel.hostname = $vm_hostname + kernel.domainname = $vm_domainname + EOF +sudo sysctl --system 
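Review bot: local/sysctl-configure installs the `*.conf` files and `local-kernel-name.conf` with `-m 660`, leaving them writable by group root although nothing needs to write them; the `-m 644` used for most configuration files in this commit (or the `-m 640` shorewall-configure uses just above) is the safer default, and the same `660` appears on `/etc/adduser.conf` in local/user-configure. In local/shorewall-configure the `shorewall safe-restart` is left commented out, so new rule files are copied but not compiled or loaded until something else restarts the firewall — if the runit service is expected to do that, a comment saying so would stop someone from re-adding the call.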
diff --git a/local/user-add b/local/user-add new file mode 100755 index 0000000..f734444 --- /dev/null +++ b/local/user-add @@ -0,0 +1,19 @@ +#!/bin/sh -eu +# SYNTAX: $user +tool=$(readlink -e "${0%/*}/..") +. "$tool"/local/lib.sh + +user="$1"; shift +"$tool"/local/adduser "$user" --disabled-password "$@" + # NOTE: le mot-de-passe doit être initialisé par l'utilisateur à l'aide de passwd-init . +eval home="~$user" +sudo adduser "$user" users +sudo install -m 640 -o "$user" -g "$user" \ + "$tool"/var/pub/ssh/"$user".key \ + "$home"/etc/ssh/authorized_keys +gpg \ + --homedir "$tool"/var/pub/openpgp/ \ + --no-default-keyring \ + --secret-keyring /dev/null \ + --export | +sudo -u "$user" gpg --import - diff --git a/local/user-admin-add b/local/user-admin-add new file mode 100755 index 0000000..97ad0d2 --- /dev/null +++ b/local/user-admin-add @@ -0,0 +1,21 @@ +#!/bin/sh -eu +# SYNTAX: $user +tool=$(readlink -e "${0%/*}/..") +. "$tool"/local/lib.sh + +"$tool"/local/user-configure +user=$1 +"$tool"/local/adduser "$user" --disabled-password +eval home="~$user" +sudo adduser "$user" sudo +sudo install -m 640 -o root -g root \ + "$tool"/var/pub/ssh/"$user".key \ + "$home"/etc/ssh/authorized_keys +gpg \ + --homedir "$tool"/var/pub/openpgp/ \ + --no-default-keyring \ + --secret-keyring /dev/null \ + --export | +sudo -u "$user" gpg --import - +"$tool"/local/initramfs-configure +"$tool"/local/user-root-configure diff --git a/local/user-configure b/local/user-configure new file mode 100755 index 0000000..fc825f7 --- /dev/null +++ b/local/user-configure 
@@ -0,0 +1,61 @@ +#!/bin/sh -eu +# SYNTAX: $user +tool=$(readlink -e "${0%/*}/..") +. "$tool"/local/lib.sh + +"$tool"/local/apt-get-install bash-completion +sudo install -m 660 -o root -g root \ + "$tool"/etc/adduser.conf \ + /etc/adduser.conf +sudo install -d -m 750 -o root -g root \ + /etc/skel \ + /etc/skel/etc \ + /etc/skel/etc/gpg \ + /etc/skel/etc/ssh +sudo install -d -m 770 -o root -g root \ + /etc/skel/var \ + /etc/skel/var/cache \ + /etc/skel/var/log \ + /etc/skel/var/run \ + /etc/skel/var/run/ssh +sudo ln -fns etc/ssh /etc/skel/.ssh +sudo ln -fns etc/gpg /etc/skel/.gnupg +sudo install -m 640 -o root -g root /dev/stdin \ + /etc/sudoers.d/passwd-init <<-EOF + %sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\ + case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\ + ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac + EOF +sudo install -m 640 -o root -g root /dev/stdin \ + /etc/sudoers.d/etckeeper-unclean <<-EOF + %sudo ALL=(ALL) NOPASSWD: /usr/bin/etckeeper unclean + EOF +sudo install -m 640 -o root -g root /dev/stdin \ + /etc/sudoers.d/env_keep <<-EOF + Defaults env_keep = " \\ + EDITOR \\ + GIT_AUTHOR_NAME \\ + GIT_AUTHOR_EMAIL \\ + GIT_COMMITTER_NAME \\ + GIT_COMMITTER_EMAIL \\ + " + EOF +sudo install -m 755 -o root -g root \ + "$tool"/local/passwd-init \ + /usr/local/bin/passwd-init +sudo install -m 644 -o root -g root \ + "$tool"/etc/bash.bashrc \ + /etc/bash.bashrc +sudo install -m 644 -o root -g root \ + "$tool"/etc/inputrc \ + /etc/inputrc +sudo install -m 644 -o root -g root \ + "$tool"/etc/screenrc \ + /etc/screenrc +for sh in "$tool"/etc/user.d/*/local.sh + do sh=${sh#"$tool"/etc/user.d/} + user="${sh%/local.sh}" + ( + . "$tool"/etc/user.d/"$sh" || return 1 + ) + done diff --git a/local/user-root-configure b/local/user-root-configure new file mode 100755 index 0000000..1deaaa7 --- /dev/null +++ b/local/user-root-configure 
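Review bot: the three `/etc/sudoers.d/*` fragments are installed with `-m 640`, but sudo expects sudoers files to be mode 0440 and refuses group-writable ones; with 0640 it reports the mode error and, for includedir fragments, may skip the file, so the `passwd-init` NOPASSWD rule and the `env_keep` defaults can fail to take effect at all. Use `sudo install -m 440 -o root -g root /dev/stdin \` for all three. Keeping `EDITOR` in `env_keep` is harmless for `%sudo` members who already have full rights, but a comment explaining why the `GIT_*` variables are preserved (presumably so etckeeper commits carry the real author) would help the next reviewer.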
@@ -0,0 +1,28 @@ +#!/bin/sh -eu +# SYNTAX: $user +tool=$(readlink -e "${0%/*}/..") +. "$tool"/local/lib.sh + +sudo install -d -m 750 -o root -g root \ + /root/etc \ + /root/etc/gpg \ + /root/etc/ssh +sudo ln -fns etc/gpg /root/.gnupg +sudo ln -fns etc/ssh /root/.ssh +getent group sudo | +while IFS=: read -r group x x users + do while test -n "$users" && IFS=, read -r user users <<-EOF + $users + EOF + do eval home="~$user" + sudo cat "$home"/etc/ssh/authorized_keys + done + done | +sudo install -m 640 -o root -g root /dev/stdin \ + /root/etc/ssh/authorized_keys +gpg \ + --homedir "$tool"/var/pub/openpgp/ \ + --no-default-keyring \ + --secret-keyring /dev/null \ + --export | +sudo gpg --import - diff --git a/local/www-init b/local/www-init new file mode 100755 index 0000000..1c3d8d3 --- /dev/null +++ b/local/www-init @@ -0,0 +1,31 @@ +#!/bin/sh -eu +# SYNTAX: $user +tool=$(readlink -e "${0%/*}/..") +. "$tool"/local/lib.sh + +"$tool"/local/adduser www \ + --disabled-login \ + --disabled-password \ + --group \ + --home /home/www \ + --shell /bin/false \ + --system +"$tool"/local/adduser log-www \ + --disabled-login \ + --disabled-password \ + --group \ + --home /home/www/log \ + --shell /bin/false \ + --system +#sudo adduser www www-data +sudo adduser www log-www +#sudo adduser log log-www +usermod --home /home/www/pub www-data +sudo install -d -m 751 -o www -g www \ + /home/www +sudo install -d -m 750 -o www -g www \ + /home/www/etc +sudo install -d -m 1771 -o www-data -g www-data \ + /home/www/pub +sudo install -d -m 1771 -o log-www -g log-www \ + /home/www/log diff --git a/remote/duplicity-configure b/remote/duplicity-configure new file mode 100755 index 0000000..6a1850b --- /dev/null +++ b/remote/duplicity-configure 
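Review bot: local/user-root-configure copies every sudo-group member's `authorized_keys` into `/root/etc/ssh/authorized_keys`, so each admin can ssh straight in as root and bypass the per-user audit trail sudo gives; if that is intended (remote/luks-key-backup does run `ssh -l root`), a comment stating so is warranted, and otherwise restricting those entries with `command=` or relying on sudo from the user accounts is the usual practice. Whether sshd honours it depends on `PermitRootLogin` in local/ssh-configure, which is not in this diff.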
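Review bot: `usermod --home /home/www/pub www-data` is the only privileged command in local/www-init run without `sudo`; as an unprivileged user it fails and `-e` aborts the script just before the directories are created. It should read `sudo usermod --home /home/www/pub www-data`, consistent with `sudo usermod --home "$home" backup` in local/duplicity-configure.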
@@ -0,0 +1,11 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/remote/lib.sh + +subkey_caps="e s" \ +"$tool"/remote/gpg-gen-key "backup+$vm_hostname@$vm_domainname" <<-EOF + Name-Real: $vm_fqdn + Name-Email: backup+$vm_hostname@$vm_domainname + Name-Comment: (duplicity) + Expire-Date: 0 + EOF diff --git a/remote/duplicity-key-send b/remote/duplicity-key-send new file mode 100755 index 0000000..0580e1b --- /dev/null +++ b/remote/duplicity-key-send @@ -0,0 +1,7 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/remote/lib.sh + +gpg --export-options export-reset-subkey-passwd \ + --export-secret-subkeys "backup+$vm_hostname@$vm_domainname" | +"$tool"/remote/ssh gpg --import - diff --git a/remote/git-configure b/remote/git-configure new file mode 100755 index 0000000..c0c9c9e --- /dev/null +++ b/remote/git-configure @@ -0,0 +1,11 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/remote/lib.sh + +git remote rm host || true +git remote add host $vm_host:src/vm +git config --replace remote.host.push HEAD:refs/remotes/master +git remote rm local || true +git remote add local $vm_fqdn:src/vm +git config --replace remote.local.push HEAD:refs/remotes/master +git submodule update --init diff --git a/remote/git-push b/remote/git-push new file mode 100755 index 0000000..9bd0782 --- /dev/null +++ b/remote/git-push @@ -0,0 +1,6 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/remote/lib.sh + +remote=${1:-$vm_fqdn}; shift +GIT_SSH="$tool"/remote/ssh git push -v "$remote" "$@" diff --git a/remote/gpg b/remote/gpg new file mode 100755 index 0000000..0c5e0a7 --- /dev/null +++ b/remote/gpg @@ -0,0 +1,5 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/remote/lib.sh + +LANG=C gpg --no-permission-warning --homedir "$tool"/var/pub/openpgp "$@" diff --git a/remote/gpg-gen-key b/remote/gpg-gen-key new file mode 100755 index 0000000..fc7ddf7 --- /dev/null +++ b/remote/gpg-gen-key 
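Review bot: remote/duplicity-key-send exports the secret subkeys with `export-reset-subkey-passwd`, i.e. with their passphrase stripped, and pipes them into `"$tool"/remote/ssh gpg --import -` without `-l backup`, so the unprotected signing and encryption subkeys land in the keyring of whatever user the ssh configuration defaults to rather than the `backup` account that local/duplicity-configure prepared (remote/mysql-backup does pass `-l backup`). Unless the default login is meant to be `backup`, the line should be `"$tool"/remote/ssh -l backup gpg --import -`, and a comment should record that the subkeys are deliberately stored passphrase-less on the VM so that unattended backups can sign and encrypt.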
@@ -0,0 +1,46 @@ +#!/bin/sh -eu +# DESCRIPTION: génère une clef OpenPGP primaire pour $uid et une clef secondaire par $subkey_caps +# SYNTAX: $uid +# ENV: $gpg_options +# ENV: $subkey_caps +tool=$(readlink -e "${0%/*}/..") +. "$tool"/remote/lib.sh + +uid="$1" +install -d -m 700 \ + var/pub/openpgp +install -d -m 700 \ + var/sec \ + var/sec/openpgp +if test ! -e "$tool"/var/sec/openpgp/"$uid".pass.gpg + then gpg --encrypt $gpg_options -o "$tool"/var/sec/openpgp/"$uid".pass.gpg <<-EOF + $(stdbuf --output 0 tr -d -c '[:alnum:][:punct:]' <"${random:-/dev/urandom}" | head -c 42) + EOF + fi +if ! "$tool"/remote/gpg --list-keys -- "$uid" >/dev/null + then + "$tool"/remote/gpg --batch --gen-key + # DOC: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=doc/DETAILS;hb=refs/heads/STABLE-BRANCH-1-4 + Key-Type: RSA + Key-Length: 4096 + Key-Usage: sign + Passphrase:$(gpg --decrypt ${gpg_options-} "$tool"/var/sec/openpgp/"$uid".pass.gpg) + Preferences: TWOFISH AES256 CAST5 BLOWFISH CAMELLIA256 3DES SHA512 SHA384 SHA256 SHA224 SHA1 BZIP2 ZLIB ZIP NONE MDC NO-KS-MODIFY + $(cat -) + %commit + EOF + fi +caps=$( + "$tool"/remote/gpg --with-colons --fixed-list-mode --with-fingerprint --list-secret-keys \ + -- "$uid" | + sed -e 's/^ssb\(:[^:]*\)\{11\}.*/\1/;t;d' + ) +for cap in ${subkey_caps:-} + do + test ! "$caps" = "$(printf %s "$caps" | sed -e 's/'"$cap"'//g')" || + printf '%s\n' 8 s e $cap q 4096 ${expire:-0} save | + "$tool"/remote/gpg --keyid-format "long" --with-colons --fixed-list-mode --expert \ + --passphrase-fd 3 --command-fd 0 --edit-key "$uid" addkey 3<<-EOF + $(gpg --decrypt ${gpg_options-} "$tool"/var/sec/openpgp/"$uid".pass.gpg) + EOF + done diff --git a/remote/lib.sh b/remote/lib.sh new file mode 100644 index 0000000..58ffb63 --- /dev/null +++ b/remote/lib.sh @@ -0,0 +1,4 @@ +. "$tool"/etc/local.sh +set -x +test ! "$(hostname --fqdn)" = "$vm_fqdn" +test ! "$(hostname --fqdn)" = "$vm_host" 
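Review bot: as rendered here, `"$tool"/remote/gpg --batch --gen-key` carries no `<<-EOF` redirection while the parameter block that follows (`Key-Type: RSA` … `%commit`) ends with an `EOF` line; if that is not an artefact of the diff rendering, the shell tries to run those lines as commands and the `EOF` terminates nothing. `gpg --encrypt $gpg_options -o …` expands an unset `gpg_options` under `-u` and fails unless the caller exports it, whereas the two later calls use the safe `${gpg_options-}` form — the first call should too. `install -d -m 700 var/pub/openpgp` and `var/sec` are relative to the current directory while the rest of the script addresses `"$tool"/var/…`, so running it from elsewhere creates the directories in the wrong place. The `--passphrase-fd 3` here-document and the `Passphrase:` line in the batch file correctly keep the passphrase out of argv and out of the `set -x` trace.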
diff --git a/remote/luks-key-backup b/remote/luks-key-backup new file mode 100755 index 0000000..b99146f --- /dev/null +++ b/remote/luks-key-backup @@ -0,0 +1,23 @@ +#!/bin/sh -eu +# DESCRIPTION: sauvegarde localement les entêtes des partitions chiffrées. +# SYNTAX: ${gpg_options:---recipient $USER@} +tool=$(readlink -e "${0%/*}/..") +. "$tool"/remote/lib.sh + +test $# -gt 0 || set -- --recipient "$USER@" +for part in root var home + do + mkdir -p var/sec/luks + "$tool"/remote/ssh -l root ' \ + set -e -f -u; + exec 2>/dev/null; + tmp=$(mktemp -t "luks.'"$part"'.XXXXXXXX.tmp" --dry-run); + cryptsetup luksHeaderBackup >/dev/null \ + /dev/'"$vm_lvm_vg"'/'"$vm_lvm_lv"'_'"$part"' \ + --header-backup-file "$tmp"; \ + cat "$tmp"; + shred >/dev/null --remove "$tmp"; \ + ' | + gpg "$@" --encrypt \ + -o var/sec/luks/${vm_lvm_lv}_${part}.luks.gpg + done diff --git a/remote/luks-key-send b/remote/luks-key-send new file mode 100755 index 0000000..869e436 --- /dev/null +++ b/remote/luks-key-send @@ -0,0 +1,10 @@ +#!/bin/sh -eu +# DESCRIPTION: envoie la clef de déchiffrement des partitions au démarrage de la VM. +tool=$(readlink -e "${0%/*}/..") +. "$tool"/remote/lib.sh + +gpg --decrypt "$tool"/var/sec/luks/$vm_fqdn.key.gpg | +"$tool"/remote/ssh root@$vm_fqdn "$@" \ + -o CheckHostIP=no \ + -o HostKeyAlias=init.$vm_fqdn \ + tee /lib/cryptsetup/passfifo \>/dev/null diff --git a/remote/mosh b/remote/mosh new file mode 100755 index 0000000..4f6f24e --- /dev/null +++ b/remote/mosh @@ -0,0 +1,5 @@ +#!/bin/sh -eu +tool=$(readlink -e "${0%/*}/..") +. "$tool"/remote/lib.sh + +mosh --ssh="$tool/remote/ssh ${ssh_options-}" -- $vm_fqdn "$@" diff --git a/remote/mysql-backup b/remote/mysql-backup new file mode 100755 index 0000000..0879dfd --- /dev/null +++ b/remote/mysql-backup 
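Review bot: the remote script in luks-key-backup runs `exec 2>/dev/null` and the local side pipes ssh straight into `gpg "$@" --encrypt -o var/sec/luks/…`, so if `cryptsetup luksHeaderBackup` fails or ssh cannot connect, the error is hidden, gpg encrypts an empty stream, and an empty `.luks.gpg` silently replaces a good header backup — `/bin/sh -eu` gives no `pipefail` to catch it. Drop the `exec 2>/dev/null` and verify the result, e.g. `test -s var/sec/luks/${vm_lvm_lv}_${part}.luks.gpg` after the pipeline, or encrypt to a temporary name and `mv` it into place only on success. The `'"$vm_lvm_vg"'` / `'"$part"'` interpolations into the single-quoted remote command are unquoted on the remote side; the values come from etc/local.sh, but wrapping them as `"'"$vm_lvm_vg"'"` avoids surprises. The luks-key-send hunk that follows correctly pins the initramfs host key through `HostKeyAlias=init.$vm_fqdn`.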
@@ -0,0 +1,15 @@
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+mkdir -p "$tool"/var/backup/mysql
+"$tool"/remote/ssh -l backup '
+ for db in $(sudo -u backup mysql -u backup --skip-column-names <<-EOF
+ SELECT schema_name
+ FROM information_schema.schemata
+ WHERE schema_name NOT IN ("information_schema", "performance_schema");
+ EOF
+ ); do
+ echo $db
+ done
+ '
diff --git a/remote/runit-configure b/remote/runit-configure
new file mode 100755
index 0000000..0a9a5ea
--- /dev/null
+++ b/remote/runit-configure
@@ -0,0 +1,31 @@
+#!/bin/sh -eu
+# SYNTAX: $sv [...] -- $sv_options
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+if test $# = 0
+ then
+ set +x
+ "$tool"/remote/ssh sudo sv status \
+ $(sudo find /etc/sv \
+ -mindepth 1 -maxdepth 1 -type d \
+ -printf '%p\n' | sort)
+ else
+ services=
+ while [ $# -gt 0 ]
+ do case $1 in
+ (--) shift; break;;
+ (*) services="$services ${1#etc/sv/}"; shift;;
+ esac
+ done
+ for sv in $(find "$tool"/etc/sv \
+ -mindepth 1 -maxdepth 1 -type d \
+ -false $(printf -- '-or -name %s\n' $services) \
+ -printf '%f\n')
+ do
+ (
+ test ! -r "$tool"/etc/sv/"$sv"/remote.sh ||
+ . "$tool"/etc/sv/"$sv"/remote.sh || return 1
+ )
+ done
+ fi
diff --git a/remote/site-x509-key-decrypt b/remote/site-x509-key-decrypt
new file mode 100755
index 0000000..ab38d0e
--- /dev/null
+++ b/remote/site-x509-key-decrypt
@@ -0,0 +1,9 @@
+#!/bin/sh -eu
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+site="$1"; shift
+gpg --decrypt "$tool"/var/sec/x509/"$site"/key.pass.gpg |
+openssl rsa -passin 'stdin' \
+ -in var/sec/x509/"$site"/key.pem \
+ -out '/dev/stdout'
diff --git a/remote/ssh b/remote/ssh
new file mode 100755
index 0000000..2ebd542
--- /dev/null
+++ b/remote/ssh
@@ -0,0 +1,7 @@
+#!/bin/sh -eux
+tool=${0%/*}/..
+ssh \
+ -o StrictHostKeyChecking=yes \
+ -o UserKnownHostsFile="$tool"/etc/openssh/known_hosts \
+ -o HashKnownHosts=no \
+ "$@"
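Review bot: The remote loop only `echo`es each schema name, so `"$tool"/var/backup/mysql`, created just before the ssh call, never receives a dump. If this is a stub, a `# TODO: dump each schema into var/backup/mysql` comment next to the `mkdir -p` would make that explicit; otherwise the loop body needs a `mysqldump` per schema whose output is carried back through ssh into that directory.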
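Review bot: In the `test $# = 0` branch, `$(sudo find /etc/sv … | sort)` is expanded by the local shell before ssh starts, so it enumerates — and asks sudo for — the administrator machine's `/etc/sv` rather than the VM's, even though `lib.sh` asserts this script never runs on the VM. The find belongs inside the remote command string, e.g. `"$tool"/remote/ssh 'sudo sv status $(sudo find /etc/sv -mindepth 1 -maxdepth 1 -type d -printf "%p\n" | sort)'`, which presumably also removes the reason for the `set +x` just above it. In the other branch, `return 1` inside the `( … )` subshell sits outside any function, which POSIX leaves unspecified; `exit 1` says what is meant there.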
diff --git a/remote/ssh-pass b/remote/ssh-pass
new file mode 100755
index 0000000..8da082a
--- /dev/null
+++ b/remote/ssh-pass
@@ -0,0 +1,4 @@
+#!/bin/sh
+set -e -f -u
+tool=${0%/*}/..
+gpg --decrypt "$tool"/var/sec/ssh/$SSH_ID.pass.gpg
diff --git a/remote/ssh-update-known-hosts b/remote/ssh-update-known-hosts
new file mode 100755
index 0000000..33b75de
--- /dev/null
+++ b/remote/ssh-update-known-hosts
@@ -0,0 +1,9 @@
+#!/bin/sh -eux
+tool=$(readlink -e "${0%/*}/..")
+. "$tool"/remote/lib.sh
+
+"$tool"/remote/ssh \
+ -o CheckHostIP=no \
+ -o HashKnownHosts=no \
+ -o StrictHostKeyChecking=no \
+ whoami
diff --git a/vm_host b/vm_host
deleted file mode 100755
index 8bbe166..0000000
--- a/vm_host
+++ /dev/null
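Review bot: `-o StrictHostKeyChecking=no` overrides the `yes` pinned by the `remote/ssh` wrapper, which is what lets this first connection append the VM's key to `etc/openssh/known_hosts` — and it is the one moment at which an interposed host could seed a wrong key. The `whoami` line would benefit from a comment such as `# NOTE: compare the new etc/openssh/known_hosts entry against a fingerprint obtained out of band before committing it`, since that file is versioned with the tool. On OpenSSH 7.6 and later `StrictHostKeyChecking=accept-new` is the more precise setting: it adds unknown hosts but, unlike `no`, still refuses a host whose key has changed.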
@@ -1,456 +0,0 @@ -#!/bin/sh -set -e -f ${DRY_RUN:+-n} -u -tool=${0%/*} -. "$tool"/lib/rule.sh -. "$tool"/etc/vm.sh -export TRACE=1 - -rule_help () { # SYNTAX: [--hidden] - local hidden; [ ${1:+set} ] || hidden=set - cat >&2 <<-EOF - DESCRIPTION: - ce script regroupe des règles pour administrer la VM ($vm_fqdn) - _depuis_ son hôte ($vm_host) ; - il sert à la fois d'outil (aisément bidouillable) - et de documentation (préçise). - Voir \`$tool/vm_hosted' pour les règles côté VM hébergée. - SYNTAX: $0 \$RULE \${RULE}_SYNTAX - RULES: - $(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0") - ENVIRONMENT: - TRACE # affiche les commandes avant leur exécution - $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0") - EOF - } - -readonly vm_dev_disk=/dev/mapper/domU-$(printf %s "$vm_fqdn-disk" | sed -e 's/-/--/g') -readonly vm_dev_disk_boot="${vm_dev_disk}1" - -rule_git_configure () { - ( - cd "$tool" - git config --replace branch.master.remote . - git config --replace branch.master.merge refs/remotes/master - local tool - tool=$(cd "$tool"; cd -) - install -m 770 /dev/stdin .git/hooks/post-update <<-EOF - #!/bin/sh -efux - case \$1 in - (refs/remotes/master) - cd .. 
- #git --git-dir=\$PWD/.git checkout -f -B master remotes/master && - git --git-dir=\$PWD/.git checkout HEAD'^' && - git --git-dir=\$PWD/.git branch -f master remotes/master && - git --git-dir=\$PWD/.git checkout master - git --git-dir=\$PWD/.git clean -f -d -x - ;; - esac - EOF - ) - } - -rule_vm_configure () { - sudo install -m 644 -u root -g root /dev/stdin /etc/xen/$vm_fqdn.cfg <<-EOF - # -*- mode: python; -*- - # DOC: http://wiki.xen.org/wiki/Xen_Linux_PV_on_HVM_drivers - import os, re - name = "$vm_fqdn" - arch = os.uname()[4] - memory = 2048 - vcpus = 1 - pae = 1 - acpi = 1 - apic = 1 - vif = ['mac=$vm_mac,bridge=$vm_bridge'] - disk = ['phy:/dev/domU/$vm_fqdn-disk,hda,w'] - device_model = 'qemu-dm' - # HVM : - #kernel = "/usr/lib/xen-4.0/boot/hvmloader" - #builder = 'hvm' - #xen_platform_pci = 1 # NOTE: the guest VM can use optimized PV on HVM drivers - # PV : - #kernel = "pv-grub.gz" # NOTE: pas encore dans Debian car il ne fonctionne qu'avec grub-legacy - #extra = "(hd0,0)/grub/grub.cfg" - bootloader = '/usr/bin/pygrub' - - # boot on floppy (a), hard disk (c) or CD-ROM (d) - #boot = 'd' - - #vnc = 1 - #sdl = 0 - #vncconsole = 0 - #vnclisten = "0.0.0.0" - #vncpasswd = "" - #usbdevice = 'tablet' - - keymap = 'fr' - serial = 'pty' - on_poweroff = 'destroy' - on_reboot = 'restart' - on_crash = 'restart' - EOF - } -rule_vm_start () { - test ! -e /dev/domU/$vm_fqdn-disk1 - sudo xm create $vm_fqdn.cfg - rule vm_attach - } -rule_vm_attach () { - assert '! 
pgrep -f "sudo xm console $vm_fqdn"' - info 'Ctrl-] pour se détacher de la console' - sudo xm console $vm_fqdn - } -rule_vm_stop () { - sudo xm shutdown $vm_fqdn - } -rule_vm_stop_force () { - sudo xm destroy $vm_fqdn - } - -rule_disk_mount () { # DESCRIPTION: montage du disque de la VM depuis l'hôte - sudo kpartx -a -v /dev/domU/$vm_fqdn-disk - #sudo xm block-attach 0 phy:/dev/domU/$vm_fqdn-disk $vm_dev_disk w - } -rule_disk_umount () { # DESCRIPTION: démontage du disque de la VM depuis l'hôte - rule part_boot_umount - case $vm_use_lvm in - (yes) - rule part_lvm_umount - ;; - (no) - rule part_root_umount - rule part_var_umount - rule part_home_umount - ;; - (*) exit 1;; - esac - sudo kpartx -d -v /dev/domU/$vm_fqdn-disk - #sudo xm block-detach 0 $vm_dev_disk - # XXX: DANGEREUX ; si jamais il bloque parce que le disque était encore utilisé : - # utiliser xm block-detach 0 $vm_dev_disk --force ; - # ôter les éventuels mappages LVM concernés avec dmsetup table et dmsetup remove --force ; - # ôter les mappages concernés dans /etc/lvm/cache/.cache, - # et pour bien trouver tous les mappages : - # % sudo find /dev -type l -exec sh -c 'printf "%s -> " "$@"; readlink "$@"' - {} \; | grep $vm_dev_disk - # enfin, ôter l'éventuel verrou dans /var/lock/lvm/ - } - -case $vm_use_lvm in - (no) - readonly vm_dev_disk_swap="${vm_dev_disk}5" - readonly vm_dev_disk_root="${vm_dev_disk}6" - readonly vm_dev_disk_var="${vm_dev_disk}7" - readonly vm_dev_disk_home="${vm_dev_disk}8" - ;; - (yes) - readonly vm_lvm_pv="${vm_dev_disk}2" - readonly vm_dev_disk_swap=/dev/$vm_lvm_vg/${vm_lvm_lv}_swap - readonly vm_dev_disk_root=/dev/$vm_lvm_vg/${vm_lvm_lv}_root - readonly vm_dev_disk_var=/dev/$vm_lvm_vg/${vm_lvm_lv}_var - readonly vm_dev_disk_home=/dev/$vm_lvm_vg/${vm_lvm_lv}_home - ;; - (*) exit 1;; - esac - -rule_disk_format () { # DESCRIPTION: partitionnage du disque de la VM - case $vm_use_lvm in - (no) - sudo sfdisk $vm_dev_disk <<-EOF - # partition table of $vm_dev_disk - unit: sectors - 
- ${vm_dev_disk}1 : start= 63, size= 497952, Id=83, bootable - ${vm_dev_disk}2 : start= 498015, size=418927005, Id= 5 - ${vm_dev_disk}3 : start= 0, size= 0, Id= 0 - ${vm_dev_disk}4 : start= 0, size= 0, Id= 0 - ${vm_dev_disk}5 : start= 498078, size= 1959867, Id=82 - ${vm_dev_disk}6 : start= 2458008, size= 29302497, Id=83 - ${vm_dev_disk}7 : start= 31760568, size= 9767457, Id=83 - ${vm_dev_disk}8 : start= 41528088, size=377896932, Id=83 - EOF - ;; - (yes) - sudo sfdisk $vm_dev_disk <<-EOF - # partition table of $vm_dev_disk - unit: sectors - - ${vm_dev_disk}1 : start= 63, size= 497952, Id=83, bootable - ${vm_dev_disk}2 : start= 498015, size=418927005, Id=8E - EOF - ;; - (*) exit 1;; - esac - #sudo partprobe $vm_dev_disk - sudo kpartx -u -v /dev/domU/$vm_fqdn-disk - } - -rule_part_lvm_format () { - rule part_lvm_umount - ! sudo vgs | grep -q "^ $vm_lvm_vg " || - sudo vgremove $vm_lvm_vg - sudo pvcreate --dataalignment 512k $vm_lvm_pv - sudo vgcreate --dataalignment 512k $vm_lvm_vg $vm_lvm_pv - sudo lvcreate --contiguous y -n ${vm_lvm_lv}_swap -L 1G $vm_lvm_vg - sudo lvcreate --contiguous y -n ${vm_lvm_lv}_root -L 15G $vm_lvm_vg - sudo lvcreate --contiguous y -n ${vm_lvm_lv}_var -L 5G $vm_lvm_vg - sudo lvcreate --contiguous y -n ${vm_lvm_lv}_home -l 99%FREE $vm_lvm_vg - rule part_lvm_umount - } -rule_part_lvm_mount () { - case $vm_use_lvm in - (yes) - sudo vgchange -a y $vm_lvm_vg - ;; - (*) exit 1;; - esac - } -rule_part_lvm_umount () { - case $vm_use_lvm in - (yes) - rule part_root_umount - rule part_var_umount - rule part_home_umount - ! 
sudo vgs | grep -q "^ $vm_lvm_vg " || - sudo vgchange -a n $vm_lvm_vg - ;; - (*) exit 1;; - esac - } - -rule_part_randomize () { # SYNTAX: $part # NOTE: à anticiper - local part="$1" - eval "sudo dd if=/dev/urandom of=\$vm_dev_disk_$part" - } -rule_part_randomize_stat () { # SYNTAX: $part # DESCRIPTION: fait afficher la progression de rule_part_randomize - local part="$1" - eval "pkill -USR1 -f \"^dd if=/dev/urandom of=\$vm_dev_disk_$part\"" - } -rule__part_encrypted_format () { # SYNTAX: $part # DESCRIPTION: formatage d'une partition distincte de / - # NOTE: la clef de chiffrement est dérivée de celle de /, - # / doit être déchiffrée pour que cela fonctionne. - local part="$1" - eval "local dev=\"\$vm_dev_disk_$part\"" - test ! -e /dev/mapper/${vm_lvm_lv}_root_deciphered || - sudo /bin/sh -c "/lib/cryptsetup/scripts/decrypt_derived ${vm_lvm_lv}_root_deciphered | - cryptsetup luksFormat --hash=sha512 --key-size=512 \ - --cipher=aes-xts-essiv:sha256 --key-file=- --align-payload=8 $dev" - } -rule__part_encrypted_mount () { # SYNTAX: $part - local part="$1" - eval "local dev=\"\$vm_dev_disk_$part\"" - test -e /dev/mapper/${vm_lvm_lv}_${part}_deciphered || - sudo /bin/sh -c "/lib/cryptsetup/scripts/decrypt_derived ${vm_lvm_lv}_root_deciphered | - cryptsetup luksOpen --key-file=- $dev ${vm_lvm_lv}_${part}_deciphered" - } -rule__part_encrypted_umount () { # SYNTAX: $part - local part="$1" - eval "local dev=\"\$vm_dev_disk_$part\"" - test ! -e /dev/mapper/${vm_lvm_lv}_${part}_deciphered || - sudo cryptsetup luksClose ${vm_lvm_lv}_${part}_deciphered - } - -rule_part_root_format () { - if ! 
mount | grep -q "^$vm_dev_disk_root " - then - sudo cryptsetup luksFormat --hash=sha512 --key-size=512 \ - --cipher=aes-xts-essiv:sha256 --align-payload=8 $vm_dev_disk_root - sudo cryptsetup luksOpen $vm_dev_disk_root ${vm_lvm_lv}_root_deciphered - sudo mke2fs -t ext4 -c -c -m 5 -T ext4 -b $vm_e2fs_block_size \ - -E resize=30G${vm_e2fs_extended_options} \ - -L ${vm_lvm_lv}_root \ - /dev/mapper/${vm_lvm_lv}_root_deciphered - ! mountpoint -q /mnt/$vm_fqdn - sudo mount -v /dev/mapper/${vm_lvm_lv}_root_deciphered /mnt/$vm_fqdn - sudo install -d -m 770 -o root -g root \ - /mnt/$vm_fqdn/boot \ - /mnt/$vm_fqdn/dev \ - /mnt/$vm_fqdn/home \ - /mnt/$vm_fqdn/proc \ - /mnt/$vm_fqdn/root \ - /mnt/$vm_fqdn/root/src \ - /mnt/$vm_fqdn/root/src/$vm \ - /mnt/$vm_fqdn/sys \ - /mnt/$vm_fqdn/var - sudo umount -v /mnt/$vm_fqdn - sudo cryptsetup luksClose ${vm_lvm_lv}_root_deciphered - fi - } -rule_part_root_mount () { - test -e /dev/mapper/${vm_lvm_lv}_root_deciphered || - sudo cryptsetup luksOpen $vm_dev_disk_root ${vm_lvm_lv}_root_deciphered - mountpoint -q /mnt/$vm_fqdn || - sudo mount -v -t ext4 /dev/mapper/${vm_lvm_lv}_root_deciphered /mnt/$vm_fqdn - } -rule_part_root_umount () { - ! mountpoint -q /mnt/$vm_fqdn || - sudo umount -v /mnt/$vm_fqdn - ! 
test -e /dev/mapper/${vm_lvm_lv}_root_deciphered || - sudo cryptsetup luksClose ${vm_lvm_lv}_root_deciphered - } -rule_part_swap_format () { - rule _part_encrypted_format swap - rule _part_encrypted_mount swap - sudo mkswap -f -L ${vm_lvm_lv}_swap \ - /dev/mapper/${vm_lvm_lv}_swap_deciphered - rule _part_encrypted_umount swap - } -rule_part_boot_format () { - mount | grep -q "^$vm_dev_disk_boot " || - sudo mke2fs -t ext2 -c -c -m 5 -T small \ - -E resize=1G${vm_e2fs_extended_options} \ - -L ${vm_lvm_lv}_boot $vm_dev_disk_boot - } -rule_part_boot_mount () { - mountpoint -q /mnt/$vm_fqdn - test -d /mnt/$vm_fqdn/boot - mountpoint -q /mnt/$vm_fqdn/boot || - sudo mount -v -t ext2 $vm_dev_disk_boot /mnt/$vm_fqdn/boot - } -rule_part_boot_umount () { - ! mountpoint -q /mnt/$vm_fqdn/boot || - sudo umount -v /mnt/$vm_fqdn/boot - } -rule_part_var_format () { - rule _part_encrypted_format var - rule _part_encrypted_mount var - sudo mke2fs -t ext4 -c -c -m 5 -T ext4 -b $vm_e2fs_block_size \ - -E resize=10G${vm_e2fs_extended_options} \ - -L ${vm_lvm_lv}_var \ - /dev/mapper/${vm_lvm_lv}_var_deciphered - rule _part_encrypted_umount var - } -rule_part_var_mount () { - rule _part_encrypted_mount var - mountpoint -q /mnt/$vm_fqdn/var || - sudo mount -v -t ext4 /dev/mapper/${vm_lvm_lv}_var_deciphered /mnt/$vm_fqdn/var - } -rule_part_var_umount () { - ! 
mountpoint -q /mnt/$vm_fqdn/var || - sudo umount -v /mnt/$vm_fqdn/var - rule _part_encrypted_umount var - } -rule_part_home_format () { - rule _part_encrypted_format home - rule _part_encrypted_mount home - sudo mke2fs -t ext4 -c -c -m 0 -T ext4 -b $vm_e2fs_block_size \ - -E resize=400G${vm_e2fs_extended_options} \ - -L ${vm_lvm_lv}_home \ - /dev/mapper/${vm_lvm_lv}_home_deciphered - # NOTE: -O quota pas supporté par e2fsprogs/squeeze - rule _part_encrypted_umount home - } -rule_part_home_mount () { - rule _part_encrypted_mount home - mountpoint -q /mnt/$vm_fqdn/home || - sudo mount -v -t ext4 /dev/mapper/${vm_lvm_lv}_home_deciphered /mnt/$vm_fqdn/home - } -rule_part_home_umount () { - ! mountpoint -q /mnt/$vm_fqdn/home || - sudo umount -v /mnt/$vm_fqdn/home - rule _part_encrypted_umount home - } - -rule_debian_install () { - rule disk_mount - rule part_lvm_mount - rule part_root_mount - rule part_boot_mount - rule part_var_mount - sudo DEBOOTSTRAP_DIR=/usr/share/debootstrap/ LANG=C LC_CTYPE=C debootstrap \ - --arch=$vm_arch --verbose --keyring=/usr/share/keyrings/debian-archive-keyring.gpg \ - --exclude=vim-tiny \ - --include=$(printf '%s,' \ - acl \ - bsdmainutils \ - busybox \ - ca-certificates \ - console-setup \ - cryptsetup \ - dash \ - dnsutils \ - dropbear \ - etckeeper \ - git-core \ - gnupg \ - hashalot \ - htop \ - ifupdown \ - initramfs-tools \ - kbd \ - less \ - locales \ - lvm2 \ - m4 \ - mosh \ - molly-guard \ - ncurses-term \ - openssh-client \ - openssh-server \ - openssl \ - pciutils \ - procps \ - quota \ - quotatool \ - rsync \ - screen \ - sudo \ - sysprofile \ - vim-nox \ - wget \ - zsh \ - ) \ - $vm_lsb_name /mnt/$vm_fqdn/ \ - http://ftp.fr.debian.org/debian/ - rule part_var_umount - rule part_boot_umount - rule part_root_umount - } - -rule_chroot () { - rule disk_mount - rule part_lvm_mount - rule part_root_mount - rule part_boot_mount - rule part_var_mount - #rule_part_home_mount - mountpoint -q /mnt/$vm_fqdn/proc || - sudo mount -t proc 
proc /mnt/$vm_fqdn/proc - mountpoint -q /mnt/$vm_fqdn/sys || - sudo mount -t sysfs sys /mnt/$vm_fqdn/sys - mountpoint -q /mnt/$vm_fqdn/dev || - sudo mount --bind /dev /mnt/$vm_fqdn/dev - if test -d /mnt/$vm_fqdn/root/src/vm/.git - then - mountpoint -q /mnt/$vm_fqdn/root/src/vm || - sudo mount --bind "$tool" /mnt/$vm_fqdn/root/src/vm - else - sudo rsync -a "$tool"/ /mnt/$vm_fqdn/root/src/vm - fi - sudo chroot /mnt/$vm_fqdn /bin/bash || true - rule _chroot_clean - } -rule__chroot_clean () { - ! sudo mountpoint -q /mnt/$vm_fqdn/root/src/vm || - sudo umount -v /mnt/$vm_fqdn/root/src/vm - ! mountpoint -q /mnt/$vm_fqdn/dev || - sudo umount -v /mnt/$vm_fqdn/dev - ! mountpoint -q /mnt/$vm_fqdn/sys || - sudo umount -v /mnt/$vm_fqdn/sys - ! mountpoint -q /mnt/$vm_fqdn/proc || - sudo umount -v /mnt/$vm_fqdn/proc - rule part_home_umount - rule part_var_umount - rule part_boot_umount - rule part_root_umount - rule disk_umount - } - -rule=${1:-help} -${1+shift} -case $rule in - (help);; - (*) - assert 'test "$(hostname --fqdn)" = "$vm_host"' vm_host - ;; - esac -rule $rule "$@" diff --git a/vm_hosted b/vm_hosted deleted file mode 100755 index 4cf4b9d..0000000 --- a/vm_hosted +++ /dev/null 
@@ -1,934 +0,0 @@ -#!/bin/sh -set -e -f ${DRY_RUN:+-n} -u -tool=$0 -while test -L "$tool" - do tool=$(readlink "$tool") - done -tool=${tool%/*} -. "$tool"/lib/rule.sh -. "$tool"/etc/vm.sh -export TRACE=1 - -rule_help () { # SYNTAX: [--hidden] - local hidden; [ ${1:+set} ] || hidden=set - cat >&2 <<-EOF - DESCRIPTION: - ce script regroupe des règles pour administrer la VM ($vm_fqdn) - _depuis_ la VM hébergée ($vm_fqdn) ; - il sert à la fois d'outil (aisément bidouillable) - et de documentation (préçise). - Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host). - SYNTAX: $0 \$RULE \${RULE}_SYNTAX - RULES: - $(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0") - ENVIRONMENT: - TRACE # affiche les commandes avant leur exécution - $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0") - EOF - } - -rule_git_configure () { - ( - cd "$tool" - git config --replace branch.master.remote . - git config --replace branch.master.merge refs/remotes/master - local tool - tool=$(cd "$tool"; cd -) - install -m 770 /dev/stdin .git/hooks/post-update <<-EOF - #!/bin/sh -efux - case \$1 in - (refs/remotes/master) - cd .. - git --git-dir=\$PWD/.git checkout -f -B master remotes/master - git --git-dir=\$PWD/.git clean -f -d -x - ;; - esac - EOF - ) - } -rule_git_reset () { - ( - cd "$tool" - git checkout -f -B master remotes/master - git clean -f -d -x - ) - } - -rule_adduser () { - local user="$1"; shift - getent passwd "$user" >/dev/null || - sudo adduser "$@" "$user" - } -rule_apt_get_install () { # SYNTAX: $package - sudo \ - DEBIAN_FRONTEND=noninteractive \ - DEBIAN_PRIORITY=low \ - apt-get install --yes "$@" - } -rule_dpkg_reconfigure () { # SYNTAX: $package - sudo \ - DEBIAN_FRONTEND=noninteractive \ - DEBIAN_PRIORITY=low \ - dpkg-reconfigure "$@" - } - -rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ? - export LANG=C - export LC_CTYPE=C - . 
/etc/profile - } - -rule_apache2_configure () { # XXX: cette règle n'est pas testée/mise-à-jour - local -; set +f - rule apt_get_install \ - apache2-mpm-itk \ - libapache2-mod-php5 - # VOIR: http://serverfault.com/questions/383526/how-do-i-select-which-apache-mpm-to-use/383634#383634 - # VOIR: http://jkroon.blogs.uls.co.za/it/security/using-php-fpm-and-mod_proxy_fcgi-to-optimize-and-secure-lamp-servers - # NOTE: apache2-mpm-itk semble le plus sécurisé, - # car on est certain que tout est exécuté avec les uid/gid - # assignés au VirtualHost/Directory/Location - # néamoins il se peut qu'une combinaison du genre : - # apache2-mpm-{worker,event} + mod_proxy_fcgi + apache2-suexec-custom + php-fpm - # soit plus performante (threads et pas forks), - # cependant l'usage de suexec impose des forks il semble.. - # et mod_proxy_fcgi n'apparaît que dans apache 2.4 ; - # donc pour l'instant : apache2-mpm-itk - sudo rm -rf \ - /etc/apache2/site.d - sudo install -d -m 770 -o www -g www \ - /etc/apache2 \ - /etc/apache2/site.d \ - /etc/apache2/x509.d - cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF | - ServerName "$vm_fqdn" - EOF - sudo install -m 660 -o root -g root /dev/stdin \ - /etc/apache2/apache2.conf - sudo install -m 660 -o root -g root \ - "$tool"/etc/apache2/envvars \ - /etc/apache2/envvars - sudo install -m 660 -o root -g root \ - "$tool"/etc/apache2/httpd.conf \ - /etc/apache2/httpd.conf - #sudo install -m 660 -o root -g root /dev/stdin \ - # /etc/apache2/suexec/www-data <<-EOF - # /home - # pub/www/cgi - # EOF - sudo install -m 660 -o root -g root \ - "$tool"/etc/apache2/ports.conf \ - /etc/apache2/ports.conf - sudo a2enmod actions - sudo a2enmod headers - sudo a2enmod rewrite - sudo a2enmod ssl - sudo a2enmod userdir - local conf - sudo a2dissite "*" - sudo ln -fns \ - /etc/apache2 \ - /home/www/etc/apache2 - for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf - do conf=${conf#"$tool"/etc/apache2/site.d/} - local site=${conf%/VirtualHost.conf} - case 
$site in - (*-tls) - local hint="run vm_remote apache2_key_send before" - assert "sudo test -f /etc/apache2/site.d/\"$site\"/x509/key.pem" hint - sudo install -d -m 770 -o www-"$site" -g www-"$site" \ - /etc/apache2 \ - /etc/apache2/site.d/"$site" \ - /etc/apache2/x509.d/"$site" \ - /etc/apache2/x509.d/"$site"/ca \ - /etc/apache2/x509.d/"$site"/empty \ - /etc/apache2/x509.d/"$site"/rvk \ - /etc/apache2/x509.d/"$site"/usr - sudo install -m 664 -o www -g www \ - "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \ - /etc/apache2/x509.d/"$site"/crt.self-signed.pem - #sudo install -m 664 -o www-"$site" -g www-"$site" \ - # "$tool"/var/pub/x509/"$site"/rvk.pem \ - # /etc/apache2/x509.d/"$site"/rvk.pem - sudo install -m 664 -o www -g www \ - "$tool"/var/pub/x509/"$site"/ca/crt.self-signed.pem \ - /etc/apache2/x509.d/"$site"/ca/crt.pem - sudo install -m 664 -o www -g www \ - "$tool"/var/pub/x509/"$site"/crt.pem \ - /etc/apache2/x509.d/"$site"/crt.pem - ;; - esac - case $site in - (*-tls) - cat <<-EOF - - - AssignUserID www-$site www-$site - BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0 - BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown - CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined - #CustomLog "/dev/null" Combined - DocumentRoot /home/www/pub/$site - ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60" - #ErrorLog "/dev/null" - LogLevel Warn - SSLCACertificateFile /etc/apache2/x509.d/$site/crt.self-signed.pem - SSLCACertificatePath /etc/apache2/x509.d/$site/usr/ - #SSLCARevocationFile /etc/apache2/x509.d/$site/rvk.pem - SSLCADNRequestFile /etc/apache2/x509.d/$site/crt.self-signed.pem - SSLCADNRequestPath /etc/apache2/x509.d/$site/empty/ - # NOTE: ne publie pas les certificats d’utilisateur-ice-s acceptés - SSLCARevocationPath /etc/apache2/x509.d/$site/rvk/ - SSLCertificateChainFile /etc/apache2/x509.d/$site/ca/crt.pem - SSLCertificateFile 
/etc/apache2/x509.d/$site/crt.pem - SSLCertificateKeyFile /etc/apache2/x509.d/$site/key.pem - SSLCipherSuite AES+RSA+SHA256 - SSLEngine On - SSLInsecureRenegotiation Off - SSLOptions +StrictRequire +OptRenegotiate +StdEnvVars - SSLProtocol -All +TLSv1 - #SSLRenegBufferSize 262144 - SSLSessionCacheTimeout 1200 - SSLStrictSNIVHostCheck On - SSLUserName SSL_CLIENT_S_DN_CN - SSLVerifyClient None - SSLVerifyDepth 1 - $(cat "$tool"/etc/apache2/site.d/"$site"/VirtualHost.conf) - - - EOF - ;; - (*) - cat <<-EOF - - AssignUserID www-$site www-$site - CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined - #CustomLog "/dev/null" Combined - DocumentRoot /home/www/pub/$site - ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60" - #ErrorLog "/dev/null" - LogLevel Warn - $(cat "$tool"/etc/apache2/site.d/"$site"/VirtualHost.conf) - - EOF - ;; - esac | - sudo install -m 660 -o root -g root /dev/stdin \ - /etc/apache2/site.d/"$site"/VirtualHost.conf - sudo ln -fns \ - ../site.d/"$site"/VirtualHost.conf \ - /etc/apache2/sites-available/"$site" - sudo install -d -m 770 -o www-"$site" -g www-"$site" \ - /home/www/log/"$site" \ - /home/www/log/"$site"/apache2 - sudo ln -fns \ - /etc/apache2/site.d/"$site" \ - /home/www/etc/apache2/"$site" - test -e /home/www/pub/"$site" || - sudo install -d -m 2770 -o www-"$site" -g www-"$site" \ - /home/www/pub/"$site" - rule adduser www-"$site" - --disabled-password \ - --group \ - --no-create-home \ - --home /home/www/pub/"$site" \ - --shell /bin/false \ - --system - #sudo setfacl -m u:"www-$site":--x \ - # /home/www/ \ - # /home/www/pub/ \ - # /home/www/pub/"$site"/ - #sudo setfacl -m d:u:"www-$site":rwx \ - # "$home"/pub/www/"$site"/ - test ! -r "$tool"/etc/apache2/site.d/"$site"/configure.sh || - . 
"$tool"/etc/apache2/site.d/"$site"/configure.sh - test -e /etc/apache2/sites-enabled/"$site" || - sudo a2ensite "$site" - done - sudo service apache2 restart - } -rule_apt_configure () { - sudo install -m 664 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF - deb http://ftp.rezopole.net/debian $vm_lsb_name main - EOF - sudo install -m 664 -o root -g root /dev/stdin /etc/apt/sources.list.d/$vm_lsb_name-backports.list <<-EOF - deb http://ftp.rezopole.net/debian $vm_lsb_name-backports main - EOF - sudo install -m 664 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF - deb http://nightly.openerp.com/7.0/nightly/deb/ ./ - EOF - sudo install -m 664 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF - Package: * - Pin: release a=$vm_lsb_name - Pin-Priority: 200 - - Package: * - Pin: release a=$vm_lsb_name-backports - Pin-Priority: 170 - EOF - sudo apt-get update - rule apt_get_install apticron - m4 \ - --define=VM_DOMAINNAME=$vm_domainname \ - <"$tool"/etc/apticron/apticron.conf.m4 | - sudo install -m 644 -o root -g root /dev/stdin \ - /etc/apticron/apticron.conf - } -rule_boot_configure () { - #warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !" 
- sudo debconf-set-selections <<-EOF - grub-pc grub-pc/install_devices multiselect - EOF - rule apt_get_install grub-pc - sudo install -d -m 644 -o root -g root /boot/grub - rule apt_get_install linux-image-$vm_arch - sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF - GRUB_DEFAULT=0 - GRUB_TIMEOUT=5 - GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\` - GRUB_CMDLINE_LINUX_DEFAULT="quiet" - GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered" - GRUB_DISABLE_RECOVERY="true" - #GRUB_PRELOAD_MODULES="lvm" - EOF - sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF - (hd0) /dev/xvda - (hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g') - EOF - sudo update-grub2 # NOTE: prend en compte /boot/grub/device.map - rule initramfs_configure - rule apt_get_install molly-guard - sudo install -m 644 -o root -g root /dev/stdin /etc/molly-guard/rc <<-EOF - ALWAYS_QUERY_HOSTNAME=true - # NOTE: une alternative est de dire à sudo de conserver les SSH_* - # néamoins demander tout le temps n'est pas trop contraignant - # et davantage sécurisant. 
- EOF - } -rule_duplicity_configure () { - rule apt_get_install duplicity - home="/home/backup" - rule adduser backup \ - --disabled-password \ - --group \ - --home "$home" \ - --shell /bin/bash \ - --system - sudo usermod --home "$home" backup - sudo install -d -m 750 -o backup -g backup \ - "$home" \ - "$home"/etc \ - "$home"/etc/gpg \ - "$home"/etc/ssh - sudo install -d -m 770 -o backup -g backup \ - "$home"/mysql \ - "$home"/postgres - getent group sudo backup | - while IFS=: read -r group x x users - do while test -n "$users" && IFS=, read -r user users <<-EOF - $users - EOF - do eval local home\; home="~$user" - sudo cat "$home"/etc/ssh/authorized_keys - done - done | - sudo install -m 640 -o backup -g backup /dev/stdin \ - "$home"/etc/ssh/authorized_keys - sudo ln -fns etc/gpg "$home"/.gnupg - #sudo adduser backup mysql-data - #sudo adduser backup postgres-data - } -rule_etckeeper_configure () { - sudo install -m 644 -o root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF - VCS=git - GIT_COMMIT_OPTIONS="" - AVOID_DAILY_AUTOCOMMITS=1 - #AVOID_SPECIAL_FILE_WARNING=1 - AVOID_COMMIT_BEFORE_INSTALL=1 - HIGHLEVEL_PACKAGE_MANAGER=apt - LOWLEVEL_PACKAGE_MANAGER=dpkg - EOF - sudo install -m 644 -o root -g root \ - "$tool"/etc/etckeeper/prompt.sh \ - /etc/etckeeper/prompt.sh - rule apt_get_install etckeeper - } -rule_filesystem_configure () { - m4 \ - --define=VM_LVM_LV=$vm_lvm_lv \ - --define=VM_LVM_VG=$vm_lvm_vg \ - <"$tool"/etc/fstab.m4 | - sudo install -m 644 -o root -g root /dev/stdin \ - /etc/fstab - m4 \ - --define=VM_LVM_LV=$vm_lvm_lv \ - --define=VM_LVM_VG=$vm_lvm_vg \ - <"$tool"/etc/crypttab.m4 | - sudo install -m 644 -o root -g root /dev/stdin \ - /etc/crypttab - rule tmpfs_configure - } -rule_initramfs_configure () { - sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF - MODULES=most - BUSYBOX=y - KEYMAP=y - COMPRESS=gzip - DEVICE=eth0 - EOF - sudo install -m 644 -o root -g root /dev/stdin 
/etc/modprobe.d/xen-pv.conf <<-EOF - alias eth0 xennet - alias scsi_hostadapter xenblk - EOF - sudo install -m 644 -o root -g root /dev/stdin /etc/modules <<-EOF - sha1_generic - sha256_generic - sha512_generic - aes-x86_64 - xts - # NOTE: pour Xen en mode HVM : - #modprobe xen-platform-pci - EOF - sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF - EOF - sudo sed -e '/^configure_networking /s/ &$//' \ - -i /usr/share/initramfs-tools/scripts/init-premount/dropbear - # NOTE: corrige une vermine : dropbear doit attendre que le réseau soit configuré.. - ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts | - ( while IFS= read -r line - do case $line in (*" RSA") return 0; break;; esac - done; return 1 ) || - { - sudo rm -f \ - /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \ - /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub - sudo dropbearkey -t rsa -s 4096 -f \ - /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key - } - # NOTE: ne se préoccupe pas de dropbear_dss_host_key ; Debian la génère et l'utilise néamoins. - sudo install -d -m 640 -o root -g root \ - /etc/initramfs-tools/root \ - /etc/initramfs-tools/root/.ssh - getent group sudo | - while IFS=: read -r group x x users - do while test -n "$users" && IFS=, read -r user users <<-EOF - $users - EOF - do eval local home\; home="~$user" - sudo cat "$home"/etc/ssh/authorized_keys - done - done | - sudo install -m 644 -o root -g root /dev/stdin \ - /etc/initramfs-tools/root/.ssh/authorized_keys - sudo rm -f \ - /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \ - /etc/initramfs-tools/root/.ssh/id_rsa.pub \ - /etc/initramfs-tools/root/.ssh/id_rsa - # NOTE: clefs générées par Debian - sudo update-initramfs -u - } -rule_insserv_remove () { # SYNTAX: $sv - local sv="$1" - #sudo chmod u+x /etc/init.d/"$sv" - sudo insserv --force --remove "$sv" - sudo test ! 
-x /etc/init.d/"$sv" || - sudo /etc/init.d/"$sv" stop - sudo chmod ugo-x /etc/init.d/"$sv" - } -rule_gitolite_configure () { - sudo debconf-set-selections <<-EOF - gitolite gitolite/gituser string git - gitolite gitolite/adminkey string - gitolite gitolite/gitdir string /home/git - EOF - rule apt_get_install gitolite - rule adduser git \ - --disabled-password \ - --group \ - --home /home/git \ - --shell /bin/bash \ - --system - sudo chfn --full-name git git - rule adduser log-git \ - --disabled-login \ - --disabled-password \ - --group \ - --home /home/git/log \ - --shell /bin/false \ - --system - rule adduser git-data \ - --disabled-login \ - --disabled-password \ - --group \ - --home /home/git/pub \ - --shell /bin/false \ - --system - sudo adduser git git-data - sudo install -d -m 750 -o git -g git \ - /etc/gitolite \ - /home/git/etc \ - /home/git/etc/ssh - sudo install -d -m 751 -o git -g git \ - /home/git - sudo install -d -m 2770 -o git-data -g git-data \ - /home/git/pub - sudo install -d -m 1771 -o git -g git \ - /home/git/log - sudo install -d -m 2770 -o git -g log-git \ - /home/git/log/gitolite \ - /home/git/log/gitolite/perf - sudo install -d -m 3771 -o git -g git \ - /home/git/hooks - sudo ln -fns /etc/gitolite /home/git/etc/gitolite - sudo ln -fns /etc/gitweb /home/git/etc/gitweb - sudo ln -fns etc/gitolite/gitolite.rc /home/git/.gitolite.rc - sudo ln -fns etc/ssh /home/git/.ssh - sudo install -m 770 -o git -g git /dev/stdin \ - /home/git/etc/gitolite/gitolite.rc <<-EOF - #\$ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary"; - #\$BIG_INFO_CAP = 20; - #\$ENV{GL_SLAVES} = 'gitolite@server2 gitolite@server3'; - # NOTE: Please use single quotes, not double quotes. - #\$GITWEB_URI_ESCAPE = 0; - \$GIT_PATH = ""; - #\$GL_ADC_PATH = ""; - \$GL_ADMINDIR = \$ENV{HOME} . 
"/etc/gitolite"; - #\$GL_ALL_INCLUDES_SPECIAL = 0; - #\$GL_ALL_READ_ALL = 0; - \$GL_BIG_CONFIG = 0; - \$GL_CONF = "\$GL_ADMINDIR/conf/gitolite.conf"; - \$GL_CONF_COMPILED = "\$GL_ADMINDIR/conf/gitolite.conf.pm"; - #\$GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups" - \$GL_GITCONFIG_KEYS = "gitweb\\..* hooks\\..*"; - #\$GL_HOSTNAME = "git.$vm_domainname"; - # NOTE: read doc/mirroring.mkd COMPLETELY before setting this. - #\$GL_HTTP_ANON_USER = "mob"; - \$GL_KEYDIR = "\$GL_ADMINDIR/keydir"; - \$GL_LOGT = \$ENV{HOME} . "/log/gitolite/%y-%m-%d.log"; - #\$GL_NICE_VALUE = 0; - \$GL_NO_CREATE_REPOS = 0; - \$GL_NO_DAEMON_NO_GITWEB = 0; - \$GL_NO_SETUP_AUTHKEYS = 0; - \$GL_PACKAGE_CONF = "/usr/share/gitolite/conf"; - \$GL_PACKAGE_HOOKS = "/usr/share/gitolite/hooks"; - #\$GL_PERFLOGT = \$ENV{HOME} . "/log/gitolite/perf/%y-%m-%d.log"; - #\$GL_REF_OR_FILENAME_PATT = qr(^[0-9a-zA-Z][0-9a-zA-Z._\\@/+ :,-]*\$); - \$GL_SITE_INFO = "git.$vm_domainname"; - #\$GL_SLAVE_MODE = 0; - \$GL_WILDREPOS = 0; - #\$GL_WILDREPOS_DEFPERMS = 'R @all'; - \$GL_WILDREPOS_PERM_CATS = "READERS WRITERS"; - \$HTPASSWD_FILE = ""; - \$PROJECTS_LIST = \$ENV{HOME} . "/etc/gitweb/projects.list"; - \$REPO_BASE = "pub"; - \$REPO_UMASK = 0007; - \$RSYNC_BASE = ""; - \$SVNSERVE = ""; - #\$UPDATE_CHAINS_TO = "hooks/update.secondary"; - \$WEB_INTERFACE = "gitweb"; - 1; - EOF - sudo install -m 600 -o git -g git \ - "$tool"/var/pub/ssh/git.key \ - /home/git/etc/ssh/git.pub - sudo -u git \ - GL_RC=/home/git/etc/gitolite/gitolite.rc \ - GIT_AUTHOR_NAME=git \ - gl-setup -q /home/git/etc/ssh/git.pub git - local d - for d in doc logs src - do test ! 
-d /home/git/etc/gitolite/"$d" || - rmdir /home/git/etc/gitolite/"$d" - done - } -rule_locales_configure () { - sudo debconf-set-selections <<-EOF - locales locales/default_environment_locale select None - locales locales/locales_to_be_generated multiselect fr_FR.UTF-8 UTF-8 - EOF - rule dpkg_reconfigure locales - } -rule_login_configure () { - sudo install -m 644 -o root -g root \ - "$tool"/etc/inittab \ - /etc/inittab - sudo install -m 644 -o root -g root \ - "$tool"/etc/login.defs \ - /etc/login.defs - grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session || - sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF - $(cat /etc/pam.d/common-session) - session optional pam_umask.so - EOF - grep -q '^hvc0$' /etc/securetty || - sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF - $(cat /etc/securetty) - hvc0 - EOF - grep -q '^xvc0$' /etc/securetty || - sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF - $(cat /etc/securetty) - xvc0 - EOF - } -rule_network_configure () { - sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF - $vm - EOF - grep -q " $vm\$" /etc/hosts || - sudo install -m 644 -o root -g root /dev/stdin /etc/hosts <<-EOF - $(cat /etc/hosts) - 127.0.0.1 $vm_fqdn $vm - EOF - sudo install -m 644 -o root -g root /dev/stdin /etc/resolv.conf <<-EOF - search ${vm_host#*.} - nameserver ${vm_host_nameserver} - EOF - m4 \ - --define=VM_IPV4=$vm_ipv4 \ - <"$tool"/etc/network/interfaces.m4 | - sudo install -m 640 -o root -g root /dev/stdin \ - /etc/network/interfaces - } -rule_runit_configure () { # SYNTAX: $sv [...] 
-- $configure_options - rule apt_get_install runit - if test $# = 0 - then - set +x - sudo sv status \ - $(sudo find /etc/sv \ - -mindepth 1 -maxdepth 1 -type d \ - -printf '%p\n' | sort) - else - local services= - while [ $# -gt 0 ] - do case $1 in - (--) shift; break;; - (*) services="$services $1"; shift;; - esac - done - #for sv in $(sudo find /etc/sv \ - # -mindepth 1 -maxdepth 1 -type d \ - # -false $(printf -- '-or -name %s\n' $services) \ - # -printf '%f\n') - # do - # case $(sudo sv stop "$sv" | tee /dev/stderr) in - # (*": runsv not running") true;; - # (*": unable to open supervise/ok: file does not exist") true;; - # ("ok: down:"*) true;; - # (*) false;; - # esac - # done - for sv in $(find "$tool"/etc/sv \ - -mindepth 1 -maxdepth 1 -type d \ - -false $(printf -- '-or -name %s\n' $services) \ - -printf '%f\n') - do - rule _runit_sv_configure "$sv" "$@" - rule _runit_sv_start "$sv" - done - #sleep 3 - #sudo find -L /etc/service -type l -delete - fi - } -rule__runit_sv_configure () { # SYNTAX: $sv $configure_options - local sv="$1"; shift - sudo install -d -m 770 -o root -g root \ - /etc/sv/"$sv" - sudo install -m 770 -o root -g root \ - "$tool"/etc/sv/"$sv"/run \ - /etc/sv/"$sv"/run - if test -e "$tool"/etc/sv/"$sv"/log/run - then - sudo install -d -m 770 -o root -g root \ - /etc/sv/"$sv"/log - sudo install -m 770 -o root -g root \ - "$tool"/etc/sv/"$sv"/log/run \ - /etc/sv/"$sv"/log/run - fi - ( - test ! -r "$tool"/etc/sv/"$sv"/configure.sh || - . "$tool"/etc/sv/"$sv"/configure.sh || return 1 - ) - ( - test ! -r "$tool"/etc/sv/"$sv"/log/configure.sh || - . 
"$tool"/etc/sv/"$sv"/log/configure.sh || return 1 - ) - sudo ln -fns \ - ../sv/"$sv" \ - /etc/service/"$sv" - } -rule__runit_sv_restart () { # SYNTAX: $sv - local sv="$1" - while true - do case $(sudo sv restart "$sv" | tee /dev/stderr) in - (*": runsv not running") sleep 1;; - (*": unable to open supervise/ok: file does not exist") sleep 1;; - (*) break;; - esac - done - } -rule__runit_sv_start () { # SYNTAX: $sv - local sv="$1" - while true - do case $(sudo sv start "$sv" | tee /dev/stderr) in - (*": runsv not running") sleep 1;; - (*": unable to open supervise/ok: file does not exist") sleep 1;; - (*) break;; - esac - done - } -rule_shorewall_configure () { - # DOC: http://shorewall.net/Introduction.html - local -; set +f - rule apt_get_install shorewall - sudo install -m 644 -o root -g root /dev/stdin \ - /etc/default/shorewall <<-EOF - INITLOG=/dev/null - OPTIONS="" - RESTARTOPTIONS="" - SAFESTOP=0 - STARTOPTIONS="" - startup=1 - EOF - local conf - for conf in "$tool"/etc/shorewall/* - do conf=${conf#"$tool"/etc/shorewall/} - sudo test ! -f "$tool"/etc/shorewall/"$conf" || - sudo install -m 640 -o root -g root \ - "$tool"/etc/shorewall/"$conf" \ - /etc/shorewall/"$conf" - done - sudo install -d -m 750 -o root -g root \ - /etc/shorewall/macro.d - for conf in "$tool"/etc/shorewall/macro.d/* - do conf=${conf#"$tool"/etc/shorewall/macro.d/} - sudo test ! -f "$tool"/etc/shorewall/macro.d/"$conf" || - sudo install -m 640 -o root -g root \ - "$tool"/etc/shorewall/macro.d/"$conf" \ - /etc/shorewall/macro.d/"$conf" - done - sudo install -d -m 750 -o root -g root \ - /etc/shorewall/action.d - #for conf in "$tool"/etc/shorewall/action.d/* - # do conf=${conf#"$tool"/etc/shorewall/action.d/} - # sudo test ! 
-f "$tool"/etc/shorewall/action.d/"$conf" || - # sudo install -m 640 -o root -g root \ - # "$tool"/etc/shorewall/action.d/"$conf" \ - # /etc/shorewall/action.d/"$conf" - # done - #sudo shorewall safe-restart - } -rule_sysctl_configure () { - local -; set +f - for conf in "$tool"/etc/sysctl.d/*.conf - do conf=${conf#"$tool"/etc/sysctl.d/} - sudo install -m 660 -o root -g root \ - "$tool"/etc/sysctl.d/"$conf" \ - /etc/sysctl.d/"$conf" - done - sudo install -m 660 -o root -g root /dev/stdin \ - /etc/sysctl.d/local-kernel-name.conf <<-EOF - kernel.hostname = $vm_hostname - kernel.domainname = $vm_domainname - EOF - sudo sysctl --system - } -rule_tmpfs_configure () { - sudo install -m 644 -o root -g root /dev/stdin /etc/default/tmpfs <<-EOF - LOCK_SIZE=5242880 # NOTE: 5MiB - RAMLOCK=yes - RAMSHM=yes - RAMTMP=yes - RUN_SIZE=10% - SHM_SIZE= - TMP_MODE=1777,nr_inodes=1000k,noatime - TMP_OVERFLOW_LIMIT=1024 - # NOTE: mount tmpfs on /tmp if there is less than the limit size (in kiB) - # on the root filesystem (overriding RAMTMP). - TMP_SIZE=200m - TMPFS_SIZE=20%VM - EOF - } -rule_user_add () { # SYNTAX: $user - local user="$1"; shift - rule adduser "$user" --disabled-password "$@" - # NOTE: le mot-de-passe doit être initialisé par l'utilisateur à l'aide de passwd-init . 
- eval local home\; home="~$user" - sudo adduser "$user" users - sudo install -m 640 -o "$user" -g "$user" \ - "$tool"/var/pub/ssh/"$user".key \ - "$home"/etc/ssh/authorized_keys - gpg \ - --homedir "$tool"/var/pub/openpgp/ \ - --no-default-keyring \ - --secret-keyring /dev/null \ - --export | - sudo -u "$user" gpg --import - - } -rule_user_configure () { - rule apt_get_install bash-completion - sudo install -m 660 -o root -g root \ - "$tool"/etc/adduser.conf \ - /etc/adduser.conf - sudo install -d -m 750 -o root -g root \ - /etc/skel \ - /etc/skel/etc \ - /etc/skel/etc/gpg \ - /etc/skel/etc/ssh - sudo install -d -m 770 -o root -g root \ - /etc/skel/var \ - /etc/skel/var/cache \ - /etc/skel/var/log \ - /etc/skel/var/run \ - /etc/skel/var/run/ssh - sudo ln -fns etc/ssh /etc/skel/.ssh - sudo ln -fns etc/gpg /etc/skel/.gnupg - sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF - %sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\ - case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\ - ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac - EOF - sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF - %sudo ALL=(ALL) NOPASSWD: /usr/bin/etckeeper unclean - EOF - sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/env_keep <<-EOF - Defaults env_keep = " \\ - EDITOR \\ - GIT_AUTHOR_NAME \\ - GIT_AUTHOR_EMAIL \\ - GIT_COMMITTER_NAME \\ - GIT_COMMITTER_EMAIL \\ - " - EOF - sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF - #!/bin/sh -efu - # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système. 
- sudo /bin/sh -e -f -u -c \ - 'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac' - EOF - sudo install -m 644 -o root -g root \ - "$tool"/etc/bash.bashrc \ - /etc/bash.bashrc - sudo install -m 644 -o root -g root \ - "$tool"/etc/inputrc \ - /etc/inputrc - sudo install -m 644 -o root -g root \ - "$tool"/etc/screenrc \ - /etc/screenrc - local sh; local -; set +f - for sh in "$tool"/etc/user.d/*/configure.sh - do sh=${sh#"$tool"/etc/user.d/} - local user="${sh%/configure.sh}" - ( - . "$tool"/etc/user.d/"$sh" || return 1 - ) - done - } -rule_user_admin_add () { # SYNTAX: $user - rule user_configure - local user=$1 - rule adduser "$user" --disabled-password - eval local home\; home="~$user" - sudo adduser "$user" sudo - sudo install -m 640 -o root -g root \ - "$tool"/var/pub/ssh/"$user".key \ - "$home"/etc/ssh/authorized_keys - gpg \ - --homedir "$tool"/var/pub/openpgp/ \ - --no-default-keyring \ - --secret-keyring /dev/null \ - --export | - sudo -u "$user" gpg --import - - rule user_admin_configure - } -rule_user_admin_configure () { - rule initramfs_configure - rule user_root_configure - } -rule_user_root_configure () { - sudo install -d -m 750 -o root -g root \ - /root/etc \ - /root/etc/gpg \ - /root/etc/ssh - sudo ln -fns etc/gpg /root/.gnupg - sudo ln -fns etc/ssh /root/.ssh - getent group sudo | - while IFS=: read -r group x x users - do while test -n "$users" && IFS=, read -r user users <<-EOF - $users - EOF - do eval local home\; home="~$user" - sudo cat "$home"/etc/ssh/authorized_keys - done - done | - sudo install -m 640 -o root -g root /dev/stdin \ - /root/etc/ssh/authorized_keys - gpg \ - --homedir "$tool"/var/pub/openpgp/ \ - --no-default-keyring \ - --secret-keyring /dev/null \ - --export | - sudo gpg --import - - } -rule__www_configure () { - rule adduser www \ - --disabled-login \ - --disabled-password \ - --group \ - --home /home/www \ - --shell /bin/false \ - --system - rule adduser log-www \ - 
--disabled-login \ - --disabled-password \ - --group \ - --home /home/www/log \ - --shell /bin/false \ - --system - #sudo adduser www www-data - sudo adduser www log-www - #sudo adduser log log-www - usermod --home /home/www/pub www-data - sudo install -d -m 751 -o www -g www \ - /home/www - sudo install -d -m 750 -o www -g www \ - /home/www/etc - sudo install -d -m 1771 -o www-data -g www-data \ - /home/www/pub - sudo install -d -m 1771 -o log-www -g log-www \ - /home/www/log - } -rule_configure () { - rule apt_configure - rule git_configure - rule etckeeper_configure - rule locales_configure - rule time_configure - rule network_configure - rule filesystem_configure - rule login_configure - rule ssh_configure - rule user_root_configure - rule boot_configure - rule sysctl_configure - rule user_configure - rule gitolite_configure - rule shorewall_configure - rule runit_configure - } - -rule_luks_key_change () { - sudo cryptsetup luksChangeKey /dev/$vm_lvm_vg/${vm_lvm_lv}_root - } - -rule=${1:-help} -${1+shift} -case $rule in - (help);; - (*) - assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn - cd / - ;; - esac -rule $rule "$@" diff --git a/vm_remote b/vm_remote deleted file mode 100755 index 64e5353..0000000 --- a/vm_remote +++ /dev/null 
@@ -1,221 +0,0 @@ -#!/bin/sh -set -e -f ${DRY_RUN:+-n} -u -tool=$(readlink -e "${0%/*}") -. "$tool"/lib/rule.sh -. "$tool"/etc/vm.sh -TRACE=1 - -rule_help () { # SYNTAX: [--hidden] - local hidden; [ ${1:+set} ] || hidden=set - cat >&2 <<-EOF - DESCRIPTION: - ce script regroupe des règles pour administrer la VM ($vm_fqdn) - _depuis_ une machine distante ; - il sert à la fois d'outil (aisément bidouillable) - et de documentation (préçise). - Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host). - Voir \`$tool/vm_hosted' pour les règles côté VM hébergée ($vm_fqdn). - SYNTAX: $0 \$RULE \${RULE}_SYNTAX - RULES: - $(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0") - ENVIRONMENT: - TRACE # affiche les commandes avant leur exécution - $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0") - EOF - } - -rule_git_configure () { # DESCRIPTION: configure ./.git correctement - ( - cd "$tool" - git remote rm host || true - git remote add host $vm_host:src/vm - git config --replace remote.host.push HEAD:refs/remotes/master - git remote rm hosted || true - git remote add hosted $vm_fqdn:src/vm - git config --replace remote.hosted.push HEAD:refs/remotes/master - git submodule update --init - ) - } -rule_git_push () { # SYNTAX: {host|hosted} $git_push_options - ( - cd "$tool" - local remote=${1#remote=}; shift - GIT_SSH=./lib/ssh git push -v "$remote" "$@" - ) - } - -rule_ssh () { - "$tool"/lib/ssh $vm_fqdn "$@" - } -rule_mosh () { - mosh --ssh="$tool/lib/ssh ${ssh-}" -- $vm_fqdn "$@" - } -rule__ssh_known_hosts_update () { - rule ssh \ - -o StrictHostKeyChecking=no \ - -o CheckHostIP=no \ - -o HashKnownHosts=no \ - whoami - } - -rule__x509_site_key_decrypt () { # SYNTAX: $site - local site="$1"; shift - gpg --decrypt "$tool"/var/sec/x509/"$site"/key.pass.gpg | - openssl rsa -passin 'stdin' \ - -in var/sec/x509/"$site"/key.pem \ - -out '/dev/stdout' - } - -rule_luks_key_send () { # DESCRIPTION: 
envoie la clef de déchiffrement des partitions au démarrage de la VM. - gpg --decrypt var/sec/luks/$vm_fqdn.key.gpg | - "$tool"/lib/ssh root@$vm_fqdn "$@" \ - -o CheckHostIP=no \ - -o HostKeyAlias=init.$vm_fqdn \ - tee /lib/cryptsetup/passfifo \>/dev/null - } -rule_luks_key_backup () { # SYNTAX: ${gpg_options:---recipient $USER@} DESCRIPTION: sauvegarde localement les entêtes des partitions chiffrées. - test "${*+set}" || set -- --recipient "$USER@" - for part in root var home - do - mkdir -p var/sec/luks - rule ssh -l root ' \ - set -e -f -u; - exec 2>/dev/null; - tmp=$(mktemp -t "luks.'"$part"'.XXXXXXXX.tmp" --dry-run); - cryptsetup luksHeaderBackup >/dev/null \ - /dev/'"$vm_lvm_vg"'/'"$vm_lvm_lv"'_'"$part"' \ - --header-backup-file "$tmp"; \ - cat "$tmp"; - shred >/dev/null --remove "$tmp"; \ - ' | - gpg "$@" --encrypt \ - -o var/sec/luks/${vm_lvm_lv}_${part}.luks.gpg - done - } - -rule_gitolite_git () { - ( - cd "$tool"/etc/gitolite - GIT_SSH=../../lib/ssh \ - ssh-agent sh -c ' \ - SSH_ASKPASS='"$tool"'/lib/ssh-pass \ - SSH_ID=git \ - ssh-add '"$tool"'/var/sec/ssh/git /dev/null - then - rule gpg --batch --gen-key - # DOC: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=doc/DETAILS;hb=refs/heads/STABLE-BRANCH-1-4 - Key-Type: RSA - Key-Length: 4096 - Key-Usage: sign - Passphrase:$(gpg --decrypt ${gpg_options-} "$tool"/var/sec/openpgp/"$uid".pass.gpg) - Preferences: TWOFISH AES256 CAST5 BLOWFISH CAMELLIA256 3DES SHA512 SHA384 SHA256 SHA224 SHA1 BZIP2 ZLIB ZIP NONE MDC NO-KS-MODIFY - $(cat -) - %commit - EOF - fi - caps=$( - rule gpg --with-colons --fixed-list-mode --with-fingerprint --list-secret-keys \ - -- "$uid" | - sed -e 's/^ssb\(:[^:]*\)\{11\}.*/\1/;t;d' - ) - for cap in ${subkey_caps:-} - do - test ! 
"$caps" = "$(printf %s "$caps" | sed -e 's/'"$cap"'//g')" || - printf '%s\n' 8 s e $cap q 4096 ${expire:-0} save | - rule gpg --keyid-format "long" --with-colons --fixed-list-mode --expert \ - --passphrase-fd 3 --command-fd 0 --edit-key "$uid" addkey 3<<-EOF - $(gpg --decrypt ${gpg_options-} "$tool"/var/sec/openpgp/"$uid".pass.gpg) - EOF - done - } -rule_mysql_backup () { - mkdir -p "$tool"/var/backup/mysql - rule ssh -l backup ' - for db in $(sudo -u backup mysql -u backup --skip-column-names <<-EOF - SELECT schema_name - FROM information_schema.schemata - WHERE schema_name NOT IN ("information_schema", "performance_schema"); - EOF - ); do - $db - done - ' - } - -rule=${1:-help} -${1+shift} -case $rule in - (help);; - (*) - assert 'test ! "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn - assert 'test ! "$(hostname --fqdn)" = "$vm_host"' vm_host - ;; - esac -rule $rule "$@" -- 2.20.1