From 8eb1ec9c265b8994222499cfcc0ca376d4efbdb3 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Thu, 11 Apr 2013 17:44:37 +0200 Subject: [PATCH] Modification : vm_host{,ed} : utilise m4. --- etc/adduser.conf | 24 +++ etc/apticron/apticron.conf.m4 | 13 ++ etc/crypttab.m4 | 5 + etc/dovecot/local.conf.m4 | 54 +++++ etc/fstab.m4 | 9 + etc/inittab | 45 +++++ etc/login.defs | 35 ++++ etc/network/interfaces.m4 | 29 +++ etc/ssh/ssh_config | 14 ++ etc/ssh/sshd_config.m4 | 37 ++++ vm_host | 1 + vm_hosted | 361 +++++++--------------------------- 12 files changed, 332 insertions(+), 295 deletions(-) create mode 100644 etc/adduser.conf create mode 100644 etc/apticron/apticron.conf.m4 create mode 100644 etc/crypttab.m4 create mode 100644 etc/dovecot/local.conf.m4 create mode 100644 etc/fstab.m4 create mode 100644 etc/inittab create mode 100644 etc/login.defs create mode 100644 etc/network/interfaces.m4 create mode 100644 etc/ssh/ssh_config create mode 100644 etc/ssh/sshd_config.m4 diff --git a/etc/adduser.conf b/etc/adduser.conf new file mode 100644 index 0000000..57825c8 --- /dev/null +++ b/etc/adduser.conf @@ -0,0 +1,24 @@ +ADD_EXTRA_GROUPS=1 +DHOME=/home +DIR_MODE=0750 +DSHELL=/bin/bash +EXTRA_GROUPS="users" +FIRST_GID=1000 +FIRST_SYSTEM_GID=100 +FIRST_SYSTEM_UID=100 +FIRST_UID=1000 +GROUPHOMES=no +LAST_GID=29999 +LAST_SYSTEM_GID=999 +LAST_SYSTEM_UID=999 +LAST_UID=29999 +LETTERHOMES=no +NAME_REGEX="^[a-z][-a-z0-9_]*$" +QUOTAUSER="" +# TODO: configure a template user (with edquota or setquota) +# and indicate their user name in the QUOTAUSER variable. +SETGID_HOME=no +SKEL=/etc/skel +SKEL_IGNORE_REGEX="dpkg-(old|new|dist|save)" +USERGROUPS=yes +USERS_GID=100 diff --git a/etc/apticron/apticron.conf.m4 b/etc/apticron/apticron.conf.m4 new file mode 100644 index 0000000..9144169 --- /dev/null +++ b/etc/apticron/apticron.conf.m4 @@ -0,0 +1,13 @@ +EMAIL="admin@VM_DOMAINNAME" +# DIFF_ONLY="1" +# LISTCHANGES_PROFILE="apticron" +# ALL_FQDNS="1" +# SYSTEM="foobar.example.com" +# IPADDRESSNUM="1" +# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1" +# NOTIFY_HOLDS="0" +# NOTIFY_NEW="0" +# NOTIFY_NO_UPDATES="0" +# CUSTOM_SUBJECT="" +# CUSTOM_NO_UPDATES_SUBJECT="" +# CUSTOM_FROM="root@VM_DOMAINNAME" diff --git a/etc/crypttab.m4 b/etc/crypttab.m4 new file mode 100644 index 0000000..c145737 --- /dev/null +++ b/etc/crypttab.m4 @@ -0,0 +1,5 @@ +# +VM_LVM_LV`'_root_deciphered /dev/VM_LVM_VG/VM_LVM_LV`'_root none luks,lvm=VM_LVM_VG +VM_LVM_LV`'_var_deciphered /dev/VM_LVM_VG/VM_LVM_LV`'_var VM_LVM_LV`'_root_deciphered luks,lvm=VM_LVM_VG,keyscript=/lib/cryptsetup/scripts/decrypt_derived +VM_LVM_LV`'_home_deciphered /dev/VM_LVM_VG/VM_LVM_LV`'_home VM_LVM_LV`'_root_deciphered luks,lvm=VM_LVM_VG,keyscript=/lib/cryptsetup/scripts/decrypt_derived +VM_LVM_LV`'_swap_deciphered /dev/VM_LVM_VG/VM_LVM_LV`'_swap VM_LVM_LV`'_root_deciphered luks,lvm=VM_LVM_VG,keyscript=/lib/cryptsetup/scripts/decrypt_derived diff --git a/etc/dovecot/local.conf.m4 b/etc/dovecot/local.conf.m4 new file mode 100644 index 0000000..953ece5 --- /dev/null +++ b/etc/dovecot/local.conf.m4 @@ -0,0 +1,54 @@ +auth_ssl_username_from_cert = yes +listen = * +log_timestamp = "%Y-%m-%d %H:%M:%S " +mail_debug = yes +mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u +# NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc +# VOIR: http://wiki2.dovecot.org/Quota/FS +mail_plugins = $mail_plugins quota +mail_privileged_group = mail +passdb { + args = /home/%u/etc/dovecot/passwd + driver = passwd-file + } +plugin { + quota = fs:user + recipient_delimiter = + + sieve = ~/etc/mail/filter.sieve + sieve_dir = ~/etc/mail/sieve + sieve_global_dir = /var/lib/dovecot/sieve/global/ + sieve_max_script_size = 1M + sieve_quota_max_scripts = 0 + sieve_quota_max_storage = 10M + sieve_user_log = ~/var/log/mail/sieve.log + } +protocol imap { + mail_plugins = $mail_plugins imap_quota + } +protocol lda { + auth_socket_path = /var/run/dovecot/auth-master + hostname = VM_DOMAINNAME + info_log_path = + log_path = + mail_plugins = $mail_plugins sieve + postmaster_address = contact+dovecot+lda@VM_DOMAINNAME + syslog_facility = mail + } +protocols = imap sieve +service auth { + user = root + unix_listener /var/spool/postfix/private/auth { + mode = 0660 + user = postfix + group = postfix + } + } +ssl_ca = +LABEL=VM_LVM_LV`'_boot /boot ext2 defaults 0 0 +proc /proc proc defaults 0 0 +sysfs /sys sysfs defaults 0 0 +/dev/mapper/VM_LVM_LV`'_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1 +/dev/mapper/VM_LVM_LV`'_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1 +/dev/mapper/VM_LVM_LV`'_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0 +# NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers. +/dev/mapper/VM_LVM_LV`'_swap_deciphered swap swap sw 0 0 diff --git a/etc/inittab b/etc/inittab new file mode 100644 index 0000000..b0b7641 --- /dev/null +++ b/etc/inittab @@ -0,0 +1,45 @@ +# /etc/inittab: init(8) configuration. + +# The default runlevel. +id:2:initdefault: + +# Boot-time system configuration/initialization script. +# This is run first except when booting in emergency (-b) mode. +si::sysinit:/etc/init.d/rcS + +# What to do in single-user mode. +~~:S:wait:/sbin/sulogin + +# /etc/init.d executes the S and K scripts upon change +# of runlevel. +# +# Runlevel 0 is halt. +# Runlevel 1 is single-user. +# Runlevels 2-5 are multi-user. +# Runlevel 6 is reboot. + +l0:0:wait:/etc/init.d/rc 0 +l1:1:wait:/etc/init.d/rc 1 +l2:2:wait:/etc/init.d/rc 2 +l3:3:wait:/etc/init.d/rc 3 +l4:4:wait:/etc/init.d/rc 4 +l5:5:wait:/etc/init.d/rc 5 +l6:6:wait:/etc/init.d/rc 6 +# Normally not reached, but fallthrough in case of emergency. +z6:6:respawn:/sbin/sulogin + +# What to do when CTRL-ALT-DEL is pressed. +ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now + +# What to do when the power fails/returns. +pf::powerwait:/etc/init.d/powerfail start +pn::powerfailnow:/etc/init.d/powerfail now +po::powerokwait:/etc/init.d/powerfail stop + +# Xen hypervisor console +hvc:2345:respawn:/sbin/getty 38400 hvc0 +#xvc:2345:respawn:/sbin/getty 38400 xvc0 + +#-- runit begin +SV:123456:respawn:/usr/sbin/runsvdir-start +#-- runit end diff --git a/etc/login.defs b/etc/login.defs new file mode 100644 index 0000000..198e47a --- /dev/null +++ b/etc/login.defs @@ -0,0 +1,35 @@ +MAIL_DIR /var/mail +FAILLOG_ENAB yes +LOG_UNKFAIL_ENAB no +LOG_OK_LOGINS no +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes +FTMP_FILE /var/log/btmp +SU_NAME su +HUSHLOGIN_FILE .hushlogin +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + # NOTE: met les sbin/ dans ENV_PATH ; + # - ça n'apporte aucune protection de ne pas les mettre ; + # - ça frustre de ne pas les trouver. +TTYGROUP tty +TTYPERM 0600 +ERASECHAR 0177 +KILLCHAR 025 +UMASK 007 + # NOTE: rwxrwx--- ; + # - donne une même confiance au groupe propriétaire qu'au propriétaire ; + # - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire. +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 +UID_MIN 1000 +UID_MAX 60000 +GID_MIN 1000 +GID_MAX 60000 +LOGIN_RETRIES 3 +LOGIN_TIMEOUT 60 +CHFN_RESTRICT rwh +DEFAULT_HOME yes +USERGROUPS_ENAB yes +ENCRYPT_METHOD SHA512 diff --git a/etc/network/interfaces.m4 b/etc/network/interfaces.m4 new file mode 100644 index 0000000..73ff494 --- /dev/null +++ b/etc/network/interfaces.m4 @@ -0,0 +1,29 @@ +auto lo +iface lo inet loopback + +auto eth0=grenode +iface grenode inet static + address VM_IPV4 + gateway VM_IPV4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse + network VM_IPV4 + broadcast VM_IPV4 + netmask 255.255.255.255 + mtu 1300 + # NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode + # car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose. + # + # root@ateliers:~# ping -M do -c 1 -s $((1500-20-8-200)) soupirail.grenode.net + # PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data. + # 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms + # + # --- soupirail.grenode.net ping statistics --- + # 1 packets transmitted, 1 received, 0% packet loss, time 0ms + # rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms + # root@ateliers:~# ping -M do -c 1 -s $((1500-20-8-200+1)) soupirail.grenode.net + # PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data. + # From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300) + # + # --- soupirail.grenode.net ping statistics --- + # 0 packets transmitted, 0 received, +1 errors + post-up ip address add VM_IPV4/32 dev $IFACE + pre-down ip address delete VM_IPV4/32 dev $IFACE diff --git a/etc/ssh/ssh_config b/etc/ssh/ssh_config new file mode 100644 index 0000000..6d38118 --- /dev/null +++ b/etc/ssh/ssh_config @@ -0,0 +1,14 @@ +Host * + #Compression yes + #CompressionLevel 9 + #ControlMaster auto + #ControlPath ~/var/run/ssh/sock/%h-%p-%r + GSSAPIAuthentication no + GSSAPIDelegateCredentials no + HashKnownHosts yes + IdentityFile ~/etc/ssh/id_dsa + IdentityFile ~/etc/ssh/id_rsa + IdentityFile ~/etc/ssh/identity + SendEnv LANG LC_* + StrictHostKeyChecking ask + UserKnownHostsFile ~/etc/ssh/known_hosts diff --git a/etc/ssh/sshd_config.m4 b/etc/ssh/sshd_config.m4 new file mode 100644 index 0000000..e60e1b8 --- /dev/null +++ b/etc/ssh/sshd_config.m4 @@ -0,0 +1,37 @@ +AcceptEnv LANG LC_* +AuthorizedKeysFile %h/etc/ssh/authorized_keys +ChallengeResponseAuthentication no +ClientAliveInterval 0 +Compression yes +DebianBanner no +GSSAPIAuthentication no +HostKey /etc/ssh/ssh_host_rsa_key +HostbasedAuthentication no +IgnoreRhosts yes +IgnoreUserKnownHosts no +KerberosAuthentication no +KeyRegenerationInterval 3600 +Port 22 +ListenAddress 127.0.0.1 +ListenAddress VM_IPV4 +LogLevel INFO +LoginGraceTime 120 +MaxAuthTries 1 +PasswordAuthentication no +PermitEmptyPasswords no +PermitRootLogin yes +PrintLastLog yes +PrintMotd no +Protocol 2 +PubkeyAuthentication yes +RSAAuthentication yes +RhostsRSAAuthentication no +ServerKeyBits 768 +StrictModes yes +Subsystem sftp /usr/lib/openssh/sftp-server +SyslogFacility AUTH +TCPKeepAlive yes +UsePAM yes +UsePrivilegeSeparation yes +X11DisplayOffset 10 +X11Forwarding no diff --git a/vm_host b/vm_host index 04dcc26..3c30672 100755 --- a/vm_host +++ b/vm_host @@ -375,6 +375,7 @@ rule_debian_install () { less \ locales \ lvm2 \ + m4 \ mosh \ molly-guard \ ncurses-term \ diff --git a/vm_hosted b/vm_hosted index a502f9d..ed42445 100755 --- a/vm_hosted +++ b/vm_hosted @@ -260,21 +260,11 @@ rule_apt_configure () { EOF sudo apt-get update rule apt_get_install apticron - sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF - EMAIL="admin@$vm_domainname" - # DIFF_ONLY="1" - # LISTCHANGES_PROFILE="apticron" - # ALL_FQDNS="1" - # SYSTEM="foobar.example.com" - # IPADDRESSNUM="1" - # IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1" - # NOTIFY_HOLDS="0" - # NOTIFY_NEW="0" - # NOTIFY_NO_UPDATES="0" - # CUSTOM_SUBJECT="" - # CUSTOM_NO_UPDATES_SUBJECT="" - # CUSTOM_FROM="root@$vm_fqdn" - EOF + m4 \ + --define=VM_DOMAINNAME=$vm_domainname \ + <"$tool"/etc/apticron/apticron.conf.m4 | + sudo install -m 644 -o root -g root /dev/stdin \ + /etc/apticron/apticron.conf } rule_boot_configure () { #warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !" @@ -321,62 +311,11 @@ rule_dovecot_configure () { sudo install -d -m 1777 -o root -g root \ /var/lib/dovecot-control \ /var/lib/dovecot-index - sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF - auth_ssl_username_from_cert = yes - listen = * - log_timestamp = "%Y-%m-%d %H:%M:%S " - mail_debug = yes - mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u - # NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc - # VOIR: http://wiki2.dovecot.org/Quota/FS - mail_plugins = \$mail_plugins quota - mail_privileged_group = mail - passdb { - args = /home/%u/etc/dovecot/passwd - driver = passwd-file - } - plugin { - quota = fs:user - recipient_delimiter = + - sieve = ~/etc/mail/filter.sieve - sieve_dir = ~/etc/mail/sieve - sieve_global_dir = /var/lib/dovecot/sieve/global/ - sieve_max_script_size = 1M - sieve_quota_max_scripts = 0 - sieve_quota_max_storage = 10M - sieve_user_log = ~/var/log/mail/sieve.log - } - protocol imap { - mail_plugins = \$mail_plugins imap_quota - } - protocol lda { - auth_socket_path = /var/run/dovecot/auth-master - hostname = $vm_domainname - info_log_path = - log_path = - mail_plugins = \$mail_plugins sieve - postmaster_address = contact+dovecot+lda@$vm_domainname - syslog_facility = mail - } - protocols = imap sieve - service auth { - user = root - unix_listener /var/spool/postfix/private/auth { - mode = 0660 - user = postfix - group = postfix - } - } - ssl_ca = - LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0 - proc /proc proc defaults 0 0 - sysfs /sys sysfs defaults 0 0 - /dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1 - /dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1 - /dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0 - # NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers. - /dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0 - EOF - sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF - # - ${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg - ${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived - ${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived - ${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived - EOF + m4 \ + --define=VM_LVM_LV=$vm_lvm_lv \ + --define=VM_LVM_VG=$vm_lvm_vg \ + <"$tool"/etc/fstab.m4 | + sudo install -m 644 -o root -g root /dev/stdin \ + /etc/fstab + m4 \ + --define=VM_LVM_LV=$vm_lvm_lv \ + --define=VM_LVM_VG=$vm_lvm_vg \ + <"$tool"/etc/crypttab.m4 | + sudo install -m 644 -o root -g root /dev/stdin \ + /etc/crypttab rule tmpfs_configure } rule_initramfs_configure () { @@ -607,90 +538,12 @@ rule_locales_configure () { rule dpkg_reconfigure locales } rule_login_configure () { - sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF - # /etc/inittab: init(8) configuration. - - # The default runlevel. - id:2:initdefault: - - # Boot-time system configuration/initialization script. - # This is run first except when booting in emergency (-b) mode. - si::sysinit:/etc/init.d/rcS - - # What to do in single-user mode. - ~~:S:wait:/sbin/sulogin - - # /etc/init.d executes the S and K scripts upon change - # of runlevel. - # - # Runlevel 0 is halt. - # Runlevel 1 is single-user. - # Runlevels 2-5 are multi-user. - # Runlevel 6 is reboot. - - l0:0:wait:/etc/init.d/rc 0 - l1:1:wait:/etc/init.d/rc 1 - l2:2:wait:/etc/init.d/rc 2 - l3:3:wait:/etc/init.d/rc 3 - l4:4:wait:/etc/init.d/rc 4 - l5:5:wait:/etc/init.d/rc 5 - l6:6:wait:/etc/init.d/rc 6 - # Normally not reached, but fallthrough in case of emergency. - z6:6:respawn:/sbin/sulogin - - # What to do when CTRL-ALT-DEL is pressed. - ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now - - # What to do when the power fails/returns. - pf::powerwait:/etc/init.d/powerfail start - pn::powerfailnow:/etc/init.d/powerfail now - po::powerokwait:/etc/init.d/powerfail stop - - # Xen hypervisor console - hvc:2345:respawn:/sbin/getty 38400 hvc0 - #xvc:2345:respawn:/sbin/getty 38400 xvc0 - - #-- runit begin - SV:123456:respawn:/usr/sbin/runsvdir-start - #-- runit end - EOF - sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF - MAIL_DIR /var/mail - FAILLOG_ENAB yes - LOG_UNKFAIL_ENAB no - LOG_OK_LOGINS no - SYSLOG_SU_ENAB yes - SYSLOG_SG_ENAB yes - FTMP_FILE /var/log/btmp - SU_NAME su - HUSHLOGIN_FILE .hushlogin - ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin - ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin - # NOTE: met les sbin/ dans ENV_PATH ; - # - ça n'apporte aucune protection de ne pas les mettre ; - # - ça frustre de ne pas les trouver. - TTYGROUP tty - TTYPERM 0600 - ERASECHAR 0177 - KILLCHAR 025 - UMASK 007 - # NOTE: rwxrwx--- ; - # - donne une même confiance au groupe propriétaire qu'au propriétaire ; - # - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire. - PASS_MAX_DAYS 99999 - PASS_MIN_DAYS 0 - PASS_WARN_AGE 7 - UID_MIN 1000 - UID_MAX 60000 - GID_MIN 1000 - GID_MAX 60000 - LOGIN_RETRIES 3 - LOGIN_TIMEOUT 60 - CHFN_RESTRICT rwh - DEFAULT_HOME yes - USERGROUPS_ENAB yes - ENCRYPT_METHOD SHA512 - EOF + sudo install -m 644 -o root -g root \ + "$tool"/etc/inittab \ + /etc/inittab + sudo install -m 644 -o root -g root \ + "$tool"/etc/login.defs \ + /etc/login.defs grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session || sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF $(cat /etc/pam.d/common-session) @@ -808,37 +661,11 @@ rule_network_configure () { search ${vm_host#*.} nameserver ${vm_host_nameserver} EOF - sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF - auto lo - iface lo inet loopback - - auto eth0=grenode - iface grenode inet static - address $vm_ipv4 - gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse - network $vm_ipv4 - broadcast $vm_ipv4 - netmask 255.255.255.255 - mtu 1300 - # NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode - # car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose. - # - # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net - # PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data. - # 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms - # - # --- soupirail.grenode.net ping statistics --- - # 1 packets transmitted, 1 received, 0% packet loss, time 0ms - # rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms - # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net - # PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data. - # From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300) - # - # --- soupirail.grenode.net ping statistics --- - # 0 packets transmitted, 0 received, +1 errors - post-up ip address add $vm_ipv4/32 dev \$IFACE - pre-down ip address delete $vm_ipv4/32 dev \$IFACE - EOF + m4 \ + --define=VM_IPV4=$vm_ipv4 \ + <"$tool"/etc/network/interfaces.m4 | + sudo install -m 640 -o root -g root /dev/stdin \ + /etc/network/interfaces } rule_nginx_configure () { local -; set +f @@ -920,7 +747,7 @@ rule_nginx_configure () { } rule_nsd3_configure () { # NOTE: DNS autoritaire uniquement local -; set +f - rule apt_get_install nsd m4 + rule apt_get_install nsd rule insserv_remove nsd3 sudo rm -rf \ /etc/nsd3/zone.d @@ -1225,7 +1052,19 @@ rule_postgresql_configure () { --socketdir=/run/postgresql \ 9.1 main fi - sudo install -m 770 -o postgres -g postgres /dev/stdin \ + + sudo install -m 640 -o postgres -g postgres /dev/stdin \ + /etc/postgresql/9.1/main/pg_ctl.conf <<-EOF + pg_ctl_options = '' + EOF + sudo install -m 640 -o postgres -g postgres /dev/stdin \ + /etc/postgresql/9.1/main/pg_ident.conf <<-EOF + # MAPNAME SYSTEM-USERNAME PG-USERNAME + EOF + sudo install -m 640 -o postgres -g postgres /dev/stdin \ + /etc/postgresql/9.1/main/start.conf <<-EOF + EOF + sudo install -m 640 -o postgres -g postgres /dev/stdin \ /etc/postgresql/9.1/main/pg_hba.conf <<-EOF local all postgres peer local all all peer @@ -1236,7 +1075,7 @@ rule_postgresql_configure () { rule runit_sv_configure postgres rule runit_sv_restart postgres while ! sudo -u postgres psql