From de0435e3d96f9205fd7a27809d2004d5737469fa Mon Sep 17 00:00:00 2001 
From: Julien Moutinho Date: Wed, 20 Mar 2013 16:59:31 +0100 Subject: [PATCH] Correction : vm_{hosted,remote} : chemins et noms . --- etc/init.d/tmpfs | 18 +- etc/nginx/conf.d/ssl.conf | 7 + .../443.git.heureux-cyclage.org/configure.sh | 4 - .../443.git.heureux-cyclage.org/server.conf | 1 - .../443.www.heureux-cyclage.org/configure.sh | 4 - .../443.www.heureux-cyclage.org/server.conf | 1 - etc/nginx/site.d/lhc-git-tls/configure.sh | 10 + etc/nginx/site.d/lhc-git-tls/key_send | 1 + etc/nginx/site.d/lhc-git-tls/listen.conf | 1 + etc/nginx/site.d/lhc-git-tls/server.conf | 2 + etc/nginx/site.d/lhc-git/configure.sh | 2 + etc/nginx/site.d/lhc-git/listen.conf | 1 + .../server.conf | 9 +- etc/nginx/site.d/lhc-www-tls/configure.sh | 9 + etc/nginx/site.d/lhc-www-tls/key_send | 1 + etc/nginx/site.d/lhc-www-tls/listen.conf | 1 + etc/nginx/site.d/lhc-www-tls/server.conf | 2 + etc/nginx/site.d/lhc-www/configure.sh | 1 + etc/nginx/site.d/lhc-www/listen.conf | 1 + .../server.conf | 2 +- etc/php5/fpm/php-fpm.conf | 5 - etc/php5/fpm/php.ini | 22 +- .../hc.443.www.heureux-cyclage.org.conf | 1 - ....heureux-cyclage.org.conf => lhc-git.conf} | 0 etc/php5/fpm/pool.d/lhc-www.conf | 11 + .../fcgi.80.git.heureux-cyclage.org/configure | 15 - etc/sv/fcgi.80.git.heureux-cyclage.org/run | 19 - etc/sv/git-daemon/configure | 19 - etc/sv/{mysql.3306 => mysql}/run | 0 etc/sv/nginx/configure | 1 + etc/sv/nginx/log/run | 3 + etc/sv/nginx/run | 3 + vm_hosted | 390 +++++++++--------- vm_remote | 79 ++-- 34 files changed, 320 insertions(+), 326 deletions(-) create mode 100644 etc/nginx/conf.d/ssl.conf delete mode 100644 etc/nginx/site.d/443.git.heureux-cyclage.org/configure.sh delete mode 120000 etc/nginx/site.d/443.git.heureux-cyclage.org/server.conf delete mode 100644 etc/nginx/site.d/443.www.heureux-cyclage.org/configure.sh delete mode 120000 etc/nginx/site.d/443.www.heureux-cyclage.org/server.conf create mode 100644 etc/nginx/site.d/lhc-git-tls/configure.sh create mode 100644 
etc/nginx/site.d/lhc-git-tls/key_send create mode 100644 etc/nginx/site.d/lhc-git-tls/listen.conf create mode 100644 etc/nginx/site.d/lhc-git-tls/server.conf create mode 100644 etc/nginx/site.d/lhc-git/configure.sh create mode 100644 etc/nginx/site.d/lhc-git/listen.conf rename etc/nginx/site.d/{80.git.heureux-cyclage.org => lhc-git}/server.conf (92%) create mode 100644 etc/nginx/site.d/lhc-www-tls/configure.sh create mode 100644 etc/nginx/site.d/lhc-www-tls/key_send create mode 100644 etc/nginx/site.d/lhc-www-tls/listen.conf create mode 100644 etc/nginx/site.d/lhc-www-tls/server.conf create mode 100644 etc/nginx/site.d/lhc-www/configure.sh create mode 100644 etc/nginx/site.d/lhc-www/listen.conf rename etc/nginx/site.d/{80.www.heureux-cyclage.org => lhc-www}/server.conf (94%) delete mode 120000 etc/php5/fpm/pool.d/hc.443.www.heureux-cyclage.org.conf rename etc/php5/fpm/pool.d/{hc.80.www.heureux-cyclage.org.conf => lhc-git.conf} (100%) create mode 100644 etc/php5/fpm/pool.d/lhc-www.conf delete mode 100755 etc/sv/fcgi.80.git.heureux-cyclage.org/configure delete mode 100755 etc/sv/fcgi.80.git.heureux-cyclage.org/run rename etc/sv/{mysql.3306 => mysql}/run (100%) create mode 100755 etc/sv/nginx/configure create mode 100644 etc/sv/nginx/log/run create mode 100755 etc/sv/nginx/run diff --git a/etc/init.d/tmpfs b/etc/init.d/tmpfs index 3a9915c..fff6f88 100755 --- a/etc/init.d/tmpfs +++ b/etc/init.d/tmpfs 
@@ -27,19 +27,27 @@ do_start() { if mountpoint -q /run/shm && test -f /run/shm/.tmpfs then + set -x sudo install -d -m 1777 -o root -g root \ - /run/shm/cache + /run/shm/cache \ + /run/shm/tmp - ! getent passwd www-data || - sudo install -d -m 660 -o www-data -g www-data \ + ! getent passwd www-data >/dev/null || + sudo install -d -m 770 -o www-data -g www-data \ /run/shm/cache/nginx \ /run/shm/cache/nginx/fastcgi \ /run/shm/cache/nginx/client_body - ! getent passwd php5 || - sudo install -d -m 1667 -o php5 -g php5 \ + ! getent passwd php5 >/dev/null || + sudo install -d -m 1771 -o php5 -g php5 \ + /run/php5 \ + /run/php5/fpm \ /run/shm/cache/php5 \ /run/shm/cache/php5/fpm + + ! getent passwd gitweb >/dev/null || + sudo install -d -m 770 -o gitweb -g gitweb \ + /run/tmp/gitweb fi ES=$? diff --git a/etc/nginx/conf.d/ssl.conf b/etc/nginx/conf.d/ssl.conf new file mode 100644 index 0000000..68c3dd8 --- /dev/null +++ b/etc/nginx/conf.d/ssl.conf @@ -0,0 +1,7 @@ +# DOC: http://wiki.nginx.org/HttpSslModule +keepalive_timeout 70; +ssl on; +ssl_ciphers HIGH:!ADH:!MD5; +ssl_prefer_server_ciphers on; +ssl_protocols TLSv1 TLSv1.1 TLSv1.2; +ssl_session_cache shared:SSL:10m; diff --git a/etc/nginx/site.d/443.git.heureux-cyclage.org/configure.sh b/etc/nginx/site.d/443.git.heureux-cyclage.org/configure.sh deleted file mode 100644 index 9cbda68..0000000 --- a/etc/nginx/site.d/443.git.heureux-cyclage.org/configure.sh +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/sh -set -e -f -u -sudo rmdir "$home"/pub/www/"$site_dir" || true -sudo ln -fns "$service.$site.80" "$home"/pub/www/"$site_dir" diff --git a/etc/nginx/site.d/443.git.heureux-cyclage.org/server.conf b/etc/nginx/site.d/443.git.heureux-cyclage.org/server.conf deleted file mode 120000 index 0abf0a1..0000000 --- a/etc/nginx/site.d/443.git.heureux-cyclage.org/server.conf +++ /dev/null @@ -1 +0,0 @@ -../80.git.heureux-cyclage.org/server.conf \ No newline at end of file 
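Review bot: The scratch directory created for gitweb here is `/run/tmp/gitweb`, while the gitweb.conf written in the rule_gitolite_configure hunk of vm_hosted sets `$git_temp = "/run/shm/tmp/gitweb"`, so the 770 gitweb-owned directory is never used and gitweb creates its own under the world-writable `/run/shm/tmp` instead. Point the install at `/run/shm/tmp/gitweb` (or gitweb.conf at `/run/tmp/gitweb`) so the two agree. The guard also checks for an account named `gitweb`, whereas lhc-git/configure.sh in this same patch adds `php5-gitweb` to the site group; if only the latter exists, the `||` silently skips the install. The `set -x` added at the top of the `then` branch looks like leftover debugging that will trace every command of the init script on each boot. do_start continues outside the hunk.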
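Review bot: `ssl_ciphers HIGH:!ADH:!MD5` delegates cipher order to whatever OpenSSL's HIGH group contains on the host, which still includes 3DES and plain-RSA key exchange without forward secrecy; since `ssl_prefer_server_ciphers on` is already set, an explicit list that places the ECDHE/DHE suites first and adds `!aNULL:!eNULL:!3DES` makes the policy deterministic across OpenSSL versions. The session cache is configured here, but `ssl_session_timeout 5m;` is left behind in lhc-git/server.conf (a plain-HTTP site file in this patch); moving it into this shared file keeps all TLS settings in one place. A short header comment stating that this file is only meant to be included from a `*-tls` server block would stop someone pulling it into a port-80 site by mistake.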
diff --git a/etc/nginx/site.d/443.www.heureux-cyclage.org/configure.sh b/etc/nginx/site.d/443.www.heureux-cyclage.org/configure.sh deleted file mode 100644 index 9cbda68..0000000 --- a/etc/nginx/site.d/443.www.heureux-cyclage.org/configure.sh +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/sh -set -e -f -u -sudo rmdir "$home"/pub/www/"$site_dir" || true -sudo ln -fns "$service.$site.80" "$home"/pub/www/"$site_dir" diff --git a/etc/nginx/site.d/443.www.heureux-cyclage.org/server.conf b/etc/nginx/site.d/443.www.heureux-cyclage.org/server.conf deleted file mode 120000 index 041e55c..0000000 --- a/etc/nginx/site.d/443.www.heureux-cyclage.org/server.conf +++ /dev/null @@ -1 +0,0 @@ -../80.www.heureux-cyclage.org/server.conf \ No newline at end of file diff --git a/etc/nginx/site.d/lhc-git-tls/configure.sh b/etc/nginx/site.d/lhc-git-tls/configure.sh new file mode 100644 index 0000000..88f45be --- /dev/null +++ b/etc/nginx/site.d/lhc-git-tls/configure.sh @@ -0,0 +1,10 @@ +#!/bin/sh +set -e -f -u -x +local hint="run vm_remote nginx_key_send before" +assert "sudo test -f /etc/nginx/x509.d/\"$site\"/key.pem" hint +sudo install -m 664 -o www -g www \ + "$tool"/var/pub/x509/git.heureux-cyclage.org/crt+ca.pem \ + /etc/nginx/x509.d/"$site"/crt.pem + +sudo rmdir ~www-data/"$site" || true +sudo ln -fns "${site%-tls}" ~www-data/"$site" diff --git a/etc/nginx/site.d/lhc-git-tls/key_send b/etc/nginx/site.d/lhc-git-tls/key_send new file mode 100644 index 0000000..09b542c --- /dev/null +++ b/etc/nginx/site.d/lhc-git-tls/key_send @@ -0,0 +1 @@ +git.heureux-cyclage.org diff --git a/etc/nginx/site.d/lhc-git-tls/listen.conf b/etc/nginx/site.d/lhc-git-tls/listen.conf new file mode 100644 index 0000000..2c4d6f6 --- /dev/null +++ b/etc/nginx/site.d/lhc-git-tls/listen.conf @@ -0,0 +1 @@ +listen 443; diff --git a/etc/nginx/site.d/lhc-git-tls/server.conf b/etc/nginx/site.d/lhc-git-tls/server.conf new file mode 100644 index 0000000..1426dea --- /dev/null +++ b/etc/nginx/site.d/lhc-git-tls/server.conf 
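Review bot: This file is sourced into rule_nginx_configure with `.` (see the tail of that rule in vm_hosted), so `set -e -f -u -x` on the second line changes the option set of the calling shell for the rest of the loop iteration and switches on command tracing there; the shebang is never used. Drop the `set` line (the sibling lhc-git/configure.sh carries neither), or limit it to options the caller does not already manage. `local hint=…` only works because the sourcing context is a function; a comment such as `# sourced by rule_nginx_configure; runs inside its function scope` would make that dependency visible. lhc-www-tls/configure.sh has the same `set` line.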
@@ -0,0 +1,2 @@ +include /etc/nginx/conf.d/ssl.conf; +include /etc/nginx/site.d/lhc-git-tls/server.conf; diff --git a/etc/nginx/site.d/lhc-git/configure.sh b/etc/nginx/site.d/lhc-git/configure.sh new file mode 100644 index 0000000..f37b180 --- /dev/null +++ b/etc/nginx/site.d/lhc-git/configure.sh @@ -0,0 +1,2 @@ +sudo adduser php5-gitweb www-"$site" +sudo adduser www-"$site"-tls www-"$site" diff --git a/etc/nginx/site.d/lhc-git/listen.conf b/etc/nginx/site.d/lhc-git/listen.conf new file mode 100644 index 0000000..56b9f1c --- /dev/null +++ b/etc/nginx/site.d/lhc-git/listen.conf @@ -0,0 +1 @@ +listen 80; diff --git a/etc/nginx/site.d/80.git.heureux-cyclage.org/server.conf b/etc/nginx/site.d/lhc-git/server.conf similarity index 92% rename from etc/nginx/site.d/80.git.heureux-cyclage.org/server.conf rename to etc/nginx/site.d/lhc-git/server.conf index 410304f..49cbac3 100644 --- a/etc/nginx/site.d/80.git.heureux-cyclage.org/server.conf +++ b/etc/nginx/site.d/lhc-git/server.conf @@ -2,6 +2,7 @@ client_body_buffer_size 8k; client_max_body_size 10m; location / { index index.html index.htm index.php; + root /usr/share/gitweb; } location ~* ^.+.(css|gif|html|ico|jpeg|js|jpg|png|txt|xml)$ { access_log off; @@ -15,11 +16,11 @@ location ~ /\. { } location ~ ^.*\.git/objects/([0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx)) { # NOTE: static repo files for cloning over HTTP - root /home/git/repositories/; + root /home/git/pub; } location ~ ^.*\.git/(HEAD|info/refs|objects/info/.*|git-(upload|receive)-pack)$ { # NOTE: requests that need to go to git-http-backend - root /home/git/pub/git + root /home/git/pub; fastcgi_param GIT_HTTP_EXPORT_ALL ""; fastcgi_param GIT_PROJECT_ROOT /home/git/pub/git; fastcgi_param PATH_INFO $uri; 
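Review bot: `include /etc/nginx/site.d/lhc-git-tls/server.conf;` names the file that rule_nginx_configure generates from this very template (it writes `$(cat "$tool"/etc/nginx/site.d/"$site"/server.conf)` into `/etc/nginx/site.d/"$site"/server.conf`), so the deployed TLS server block includes itself and nginx will refuse to start. The symlink this replaces pointed at the plain-HTTP site's directives, but the generated `lhc-git/server.conf` is a complete `server { … }` block and cannot be nested either. Move the shared directives into a file that the template does not wrap, e.g. `include /etc/nginx/site.d/lhc-git/SHARED_FILE;` where SHARED_FILE is a placeholder for a new, un-generated file both sites reference. `lhc-www-tls/server.conf` has the same self-reference.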
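Review bot: Both git locations now use `root /home/git/pub;`, while the backend location still passes `fastcgi_param GIT_PROJECT_ROOT /home/git/pub/git;` together with `PATH_INFO $uri`, so the same request path resolves to `/home/git/pub/<uri>` when nginx serves static objects and to `/home/git/pub/git/<uri>` when git-http-backend handles it; no single repository layout satisfies both unless `/home/git/pub/git` is aliased to `/home/git/pub`, which this patch does not show. Either set `root /home/git/pub/git;` in the static-objects location to match GIT_PROJECT_ROOT, or change GIT_PROJECT_ROOT to `/home/git/pub`. The backend location block continues past the hunk.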
@@ -57,11 +58,11 @@ location @gitweb { fastcgi_pass_header Set-Cookie; fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass unix:/run/nginx/fastcgi/fcgi.git.80.git.heureux-cyclage.org; + fastcgi_pass unix:/run/php5/fpm/gitweb; } -root /usr/share/gitweb; ssl_session_timeout 5m; try_files $uri @gitweb; # NOTE: send anything else to gitweb if it's not a real file +server_name git.heureux-cyclage.org # vim: ft=sh diff --git a/etc/nginx/site.d/lhc-www-tls/configure.sh b/etc/nginx/site.d/lhc-www-tls/configure.sh new file mode 100644 index 0000000..50f5f51 --- /dev/null +++ b/etc/nginx/site.d/lhc-www-tls/configure.sh @@ -0,0 +1,9 @@ +#!/bin/sh +set -e -f -u -x +sudo rmdir ~www-data/"$site" || true +sudo ln -fns "${site%-tls}" ~www-data/"$site" +local hint="run vm_remote nginx_key_send before" +assert "sudo test -f /etc/nginx/x509.d/\"$site\"/key.pem" hint +sudo install -m 664 -o www -g www \ + "$tool"/var/pub/x509/www.heureux-cyclage.org/crt+ca.pem \ + /etc/nginx/x509.d/"$site"/crt.pem diff --git a/etc/nginx/site.d/lhc-www-tls/key_send b/etc/nginx/site.d/lhc-www-tls/key_send new file mode 100644 index 0000000..814e9a5 --- /dev/null +++ b/etc/nginx/site.d/lhc-www-tls/key_send @@ -0,0 +1 @@ +www.heureux-cyclage.org diff --git a/etc/nginx/site.d/lhc-www-tls/listen.conf b/etc/nginx/site.d/lhc-www-tls/listen.conf new file mode 100644 index 0000000..2c4d6f6 --- /dev/null +++ b/etc/nginx/site.d/lhc-www-tls/listen.conf @@ -0,0 +1 @@ +listen 443; diff --git a/etc/nginx/site.d/lhc-www-tls/server.conf b/etc/nginx/site.d/lhc-www-tls/server.conf new file mode 100644 index 0000000..f05ef5f --- /dev/null +++ b/etc/nginx/site.d/lhc-www-tls/server.conf @@ -0,0 +1,2 @@ +include /etc/nginx/conf.d/ssl.conf; +include /etc/nginx/site.d/lhc-www-tls/server.conf; diff --git a/etc/nginx/site.d/lhc-www/configure.sh b/etc/nginx/site.d/lhc-www/configure.sh new file mode 100644 index 0000000..fca7d99 --- /dev/null +++ b/etc/nginx/site.d/lhc-www/configure.sh 
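Review bot: `server_name git.heureux-cyclage.org` on the last added line has no terminating semicolon; once rule_nginx_configure splices this file into the generated `server { … }` block, nginx rejects the configuration as an unterminated directive. It should read `server_name git.heureux-cyclage.org;`. The `ssl_session_timeout 5m;` context line is TLS policy sitting in the plain-HTTP site file and belongs in conf.d/ssl.conf with the other ssl_* directives. The new socket `unix:/run/php5/fpm/gitweb` has no pool named gitweb in this patch (the pool files are lhc-git.conf and lhc-www.conf), so confirm that lhc-git.conf's `listen` actually creates that path.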
@@ -0,0 +1 @@ +sudo adduser www-"$site"-tls www-"$site" diff --git a/etc/nginx/site.d/lhc-www/listen.conf b/etc/nginx/site.d/lhc-www/listen.conf new file mode 100644 index 0000000..56b9f1c --- /dev/null +++ b/etc/nginx/site.d/lhc-www/listen.conf @@ -0,0 +1 @@ +listen 80; diff --git a/etc/nginx/site.d/80.www.heureux-cyclage.org/server.conf b/etc/nginx/site.d/lhc-www/server.conf similarity index 94% rename from etc/nginx/site.d/80.www.heureux-cyclage.org/server.conf rename to etc/nginx/site.d/lhc-www/server.conf index 89edfa0..5ff974d 100644 --- a/etc/nginx/site.d/80.www.heureux-cyclage.org/server.conf +++ b/etc/nginx/site.d/lhc-www/server.conf @@ -40,7 +40,7 @@ location ~ \.php$ { fastcgi_pass_header Set-Cookie; fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass unix:/run/nginx/fastcgi/php5-fpm.hc.80.www.heureux-cyclage.org; + fastcgi_pass unix:/run/php5/fpm/lhc-www; } server_name www.heureux-cyclage.org heureux-cyclage.org; diff --git a/etc/php5/fpm/php-fpm.conf b/etc/php5/fpm/php-fpm.conf index 88831d7..58b9fe7 100644 --- a/etc/php5/fpm/php-fpm.conf +++ b/etc/php5/fpm/php-fpm.conf @@ -5,11 +5,6 @@ emergency_restart_threshold = 10 error_log = syslog ;events.mechanism = epoll log_level = notice -php_admin_flag[log_errors] = on -php_admin_value[error_log] = syslog -php_admin_value[error_reporting] = 0 -php_admin_value[memory_limit] = 128M -php_flag[display_errors] = off pid = /run/php5-fpm.pid process.max = 128 process_control_timeout = 10s diff --git a/etc/php5/fpm/php.ini b/etc/php5/fpm/php.ini index 6e1ddfc..9f32597 100644 --- a/etc/php5/fpm/php.ini +++ b/etc/php5/fpm/php.ini 
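Review bot: Removing `php_admin_flag[log_errors]`, `php_admin_value[error_reporting]` and `php_flag[display_errors]` drops the only admin-level, non-overridable error policy visible in this patch; the replacements in php.ini (`display_errors = Off`, `error_log = syslog`) are ordinary INI values that any script can flip with ini_set(), so a misbehaving page can start printing stack traces and file paths to clients. If the lines were removed because php-fpm only accepts php_admin_* inside a pool section, put `php_admin_flag[display_errors] = off` and `php_admin_flag[log_errors] = on` into each pool file (lhc-git.conf, lhc-www.conf) instead. The 128M memory cap is likewise now advisory only.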
@@ -104,16 +104,19 @@ odbc.max_persistent = -1 [OCI8] [PHP] allow_url_fopen = Off -allow_url_fopen = Off ; DEFAULT: On +allow_url_fopen = Off +; DEFAULT: On allow_url_include = Off asp_tags = Off auto_append_file = auto_globals_jit = On auto_prepend_file = -default_charset = "UTF-8" ; DEFAULT: +default_charset = "UTF-8" +; DEFAULT: default_mimetype = "text/html" default_socket_timeout = 30 -default_socket_timeout = 30 ; DEFAULT: 60 +default_socket_timeout = 30 +; DEFAULT: 60 disable_classes = disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority, display_errors = Off @@ -122,6 +125,7 @@ doc_root = enable_dl = Off engine = On error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT +error_log = syslog expose_php = On file_uploads = On html_errors = On @@ -135,18 +139,22 @@ max_execution_time = 30 max_file_uploads = 20 max_input_time = 60 memory_limit = 128M -mysql.allow_persistent = Off ; DEFAULT: +mysql.allow_persistent = Off +; DEFAULT: output_buffering = 4096 -post_max_size = 15M ; DEFAULT: 8M +post_max_size = 15M +; DEFAULT: 8M precision = 14 register_argc_argv = Off report_memleaks = On request_order = "GP" serialize_precision = 17 -short_open_tag = Off ; DEFAULT: On +short_open_tag = Off +; DEFAULT: On track_errors = Off unserialize_callback_func = -upload_max_filesize = 20M ; DEFAULT: 2M +upload_max_filesize = 20M +; DEFAULT: 2M user_dir = variables_order = "GPCS" zend.enable_gc = On diff --git a/etc/php5/fpm/pool.d/hc.443.www.heureux-cyclage.org.conf b/etc/php5/fpm/pool.d/hc.443.www.heureux-cyclage.org.conf deleted file mode 120000 index f847fde..0000000 --- a/etc/php5/fpm/pool.d/hc.443.www.heureux-cyclage.org.conf +++ /dev/null 
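Review bot: After the trailing `; DEFAULT:` comments are split onto their own lines, `allow_url_fopen = Off` and `default_socket_timeout = 30` are still each set twice in a row (the untouched context line plus the re-added one); harmless while both copies agree, but the later one silently wins if only one is edited. Drop the duplicate lines. In the same section, `expose_php = On` (context) advertises the PHP version in the X-Powered-By header; `expose_php = Off` is the usual hardening choice and costs nothing. The same duplicated-line pattern does not recur in the two later hunks of this file.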
@@ -1 +0,0 @@ -hc.80.www.heureux-cyclage.org.conf \ No newline at end of file diff --git a/etc/php5/fpm/pool.d/hc.80.www.heureux-cyclage.org.conf b/etc/php5/fpm/pool.d/lhc-git.conf similarity index 100% rename from etc/php5/fpm/pool.d/hc.80.www.heureux-cyclage.org.conf rename to etc/php5/fpm/pool.d/lhc-git.conf diff --git a/etc/php5/fpm/pool.d/lhc-www.conf b/etc/php5/fpm/pool.d/lhc-www.conf new file mode 100644 index 0000000..9f4f8c1 --- /dev/null +++ b/etc/php5/fpm/pool.d/lhc-www.conf @@ -0,0 +1,11 @@ +pm.max_children = 15 +pm.max_requests = 200 +pm.max_spare_servers = 15 +pm.min_spare_servers = 2 +pm.process_idle_timeout = 60s +pm.start_servers = 3 +request_slowlog_timeout = 5s +request_terminate_timeout = 120s +rlimit_core = unlimited +rlimit_files = 131072 +security.limit_extensions = .php diff --git a/etc/sv/fcgi.80.git.heureux-cyclage.org/configure b/etc/sv/fcgi.80.git.heureux-cyclage.org/configure deleted file mode 100755 index 23bd42e..0000000 --- a/etc/sv/fcgi.80.git.heureux-cyclage.org/configure +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/sh -efux -sv=$(basename "$(cd "$(dirname "$0")" && pwd)") -IFS=. read -r service site <<-EOF - $sv - EOF -user=$sv -getent passwd "$user" >/dev/null || -sudo adduser \ - --disabled-login \ - --disabled-password \ - --group \ - --home /home/www/pub/"$site" \ - --shell /bin/false \ - --system \ - "$user" diff --git a/etc/sv/fcgi.80.git.heureux-cyclage.org/run b/etc/sv/fcgi.80.git.heureux-cyclage.org/run deleted file mode 100755 index 530ee5a..0000000 --- a/etc/sv/fcgi.80.git.heureux-cyclage.org/run +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/sh -efux -exec 2>&1 -sv=$(basename "$(cd "$(dirname "$0")" && pwd)") -IFS=. read -r service site <<-EOF - $sv - EOF -run_user=$sv -sock_user=www-data -exec /usr/bin/spawn-fcgi \ - -g "$run_user" \ - -G "$sock_user" \ - -M 0660 \ - -n \ - -s /run/nginx/fastcgi/fcgi.80.git.heureux-cyclage.org \ - -u "$run_user" \ - -U "$sock_user" \ - -- /usr/bin/multiwatch \ - --forks 10 \ - -- /usr/sbin/fcgiwrap 
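Review bot: `rlimit_core = unlimited` lets every worker of this pool write a full core dump on crash; a PHP worker's memory holds request bodies, session data and whatever database credentials the application loaded, so a readable dump directory turns a crash into a disclosure. Unless cores are actively being collected for debugging, remove the line and keep the system default, with a comment such as `; rlimit_core deliberately left at the system default: dumps contain request data`. The file carries no `[pool]` header and no `listen`, `user` or `group` directives; if php-fpm includes it verbatim rather than through a generated wrapper, it will not produce the `/run/php5/fpm/lhc-www` socket that lhc-www/server.conf points at — worth checking against the renamed lhc-git.conf, which is not shown.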
diff --git a/etc/sv/git-daemon/configure b/etc/sv/git-daemon/configure index 8c3783b..e95c7d7 100755 --- a/etc/sv/git-daemon/configure +++ b/etc/sv/git-daemon/configure @@ -1,20 +1 @@ #!/bin/sh -efux -user=git-daemon -getent passwd "$user" >/dev/null || -sudo adduser \ - --disabled-login \ - --disabled-password \ - --group \ - --home /home/git/pub \ - --shell /bin/false \ - --system \ - "$user" -getent passwd log."$user" >/dev/null || -sudo adduser \ - --disabled-login \ - --disabled-password \ - --group \ - --home /home/git/log/git-daemon \ - --shell /bin/false \ - --system \ - log."$user" diff --git a/etc/sv/mysql.3306/run b/etc/sv/mysql/run similarity index 100% rename from etc/sv/mysql.3306/run rename to etc/sv/mysql/run diff --git a/etc/sv/nginx/configure b/etc/sv/nginx/configure new file mode 100755 index 0000000..e95c7d7 --- /dev/null +++ b/etc/sv/nginx/configure @@ -0,0 +1 @@ +#!/bin/sh -efux diff --git a/etc/sv/nginx/log/run b/etc/sv/nginx/log/run new file mode 100644 index 0000000..2dd4ada --- /dev/null +++ b/etc/sv/nginx/log/run @@ -0,0 +1,3 @@ +#!/bin/sh -efux +install -d -m 770 -o log.www -g log.www ~www/log/nginx/ +exec chpst -u log.www svlogd -tt ~www/log/nginx/ diff --git a/etc/sv/nginx/run b/etc/sv/nginx/run new file mode 100755 index 0000000..37dc216 --- /dev/null +++ b/etc/sv/nginx/run @@ -0,0 +1,3 @@ +#!/bin/sh -efux +exec 2>&1 +exec /usr/sbin/nginx diff --git a/vm_hosted b/vm_hosted index 9743830..a75d9cb 100755 --- a/vm_hosted +++ b/vm_hosted @@ -56,6 +56,11 @@ rule_git_reset () { ) } +rule_adduser () { + local user="$1"; shift + getent passwd "$user" >/dev/null || + sudo adduser "$@" "$user" + } rule_apt_get_install () { # SYNTAX: $package sudo DEBIAN_FRONTEND=noninteractive apt-get install "$@" } 
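Review bot: `install -d -m 770 -o log.www -g log.www` and `chpst -u log.www` use the old dotted account name, but this same patch renames that account to `log-www` in rule_www_configure (`rule adduser log-www`, `sudo adduser www log-www`); on a host provisioned with the new names `install` fails with an invalid user and runit restarts the log service in a loop, leaving nginx's output unlogged. Change both lines: `install -d -m 770 -o log-www -g log-www ~www/log/nginx/` and `exec chpst -u log-www svlogd -tt ~www/log/nginx/`.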
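Review bot: `exec /usr/sbin/nginx` under runit only works if the nginx configuration sets `daemon off;`; by default nginx forks into the background and the exec'd process exits, so runit would restart it every second while a stray background nginx keeps the port. nginx.conf is not part of this patch, so either confirm it contains `daemon off;` or make the run script self-sufficient with `exec /usr/sbin/nginx -g 'daemon off;'`.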
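Review bot: rule_adduser treats an existing account as done and never re-applies the options, so the renames this patch makes elsewhere (`www.$site` → `www-$site`, `log.www` → `log-www`, `log.$site` → `log-www-$site`) do not migrate an already-provisioned host: the old accounts, their groups and their ownership of /home/www, /etc/nginx and the log trees stay in place while the new names get fresh uids. Nothing in the diff removes or renames the old users, so either document that a re-provision from scratch is required or add a `usermod -l` / `groupmod -n` migration step before the callers. A comment on the function, `# idempotent on the name only: options are not re-applied to an existing account`, would make that contract explicit.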
@@ -85,7 +90,6 @@ rule_apache2_configure () { # cependant l'usage de suexec impose des forks il semble.. # et mod_proxy_fcgi n'apparaît que dans apache 2.4 ; # donc pour l'instant : apache2-mpm-itk - rule www_configure cat /dev/stdin "$tool"/etc/apache2/apache2.conf <<-EOF | ServerName "$vm_fqdn" EOF @@ -117,18 +121,12 @@ rule_apache2_configure () { /home/www/etc/apache2 for conf in "$tool"/etc/apache2/site.d/*/VirtualHost.conf do conf=${conf#"$tool"/etc/apache2/site.d/} - local port site - IFS=. read -r port domain <<-EOF - ${conf%\/VirtualHost\.conf} - EOF - assert 'test "${port:+set}"' - assert 'test "${domain:+set}"' - local site="$port.$domain" - case $port in - (443) + local site=${conf%/VirtualHost.conf} + case $site in + (*-tls) local hint="run vm_remote apache2_key_send before" assert "sudo test -f /etc/apache2/site.d/\"$site\"/x509/key.pem" hint - sudo install -d -m 770 -o www."$site" -g www."$site" \ + sudo install -d -m 770 -o www-"$site" -g www-"$site" \ /etc/apache2 \ /etc/apache2/site.d/"$site" \ /etc/apache2/site.d/"$site"/x509 \ @@ -139,7 +137,7 @@ rule_apache2_configure () { sudo install -m 664 -o www -g www \ "$tool"/var/pub/x509/"$site"/crt.self-signed.pem \ /etc/apache2/site.d/"$site"/x509/crt.self-signed.pem - #sudo install -m 664 -o www."$site" -g www."$site" \ + #sudo install -m 664 -o www-"$site" -g www-"$site" \ # "$tool"/var/pub/x509/"$site"/rvk.pem \ # /etc/apache2/site.d/"$site"/x509/rvk.pem sudo install -m 664 -o www -g www \ 
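Review bot: `rule www_configure` is no longer called from rule_apache2_configure, and the rule_nginx_configure hunk further down drops the same call; both rules then run `sudo install -d … -o www -g www` (and `-o log-www`), which abort with an invalid-user error when the `www` / `log-www` accounts do not yet exist. Unless a caller outside this patch now sequences www_configure first, one of the two rules should keep the dependency, or the shared work should move into a rule both invoke. rule_apache2_configure begins before this hunk.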
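Review bot: `sudo install -d -m 770 -o www-"$site" -g www-"$site" /etc/apache2 …` hands ownership of the whole `/etc/apache2` tree root to the per-site account of whichever `*-tls` site is processed last (install -d re-applies owner and mode to an existing directory), so that site's worker uid — the vhosts use `AssignUserID www-$site` — can edit apache2.conf and every other vhost; the ownership predates the rename, but this is the line being touched, and only `site.d/"$site"` and its `x509` subdirectory should get that owner while `/etc/apache2` itself stays root-owned. Separately, with `site` now taken from the directory name, `"$tool"/var/pub/x509/"$site"/crt.self-signed.pem` in the next hunk looks for a certificate directory named after the site label rather than the host; the diffstat shows no var/pub/x509 renames and the nginx sites in this patch spell the host name out instead (`var/pub/x509/git.heureux-cyclage.org/…`), so confirm those directories exist under the new names. The removed `assert 'test "${domain:+set}"'` checks have no replacement, so an unexpected directory name now flows straight into adduser and install. rule_apache2_configure continues on both sides of the hunk.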
@@ -150,27 +148,12 @@ rule_apache2_configure () { /etc/apache2/site.d/"$site"/x509/crt.pem ;; esac - case $port in - (80) - cat <<-EOF - - AssignUserID www.$site www.$site - CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined - #CustomLog "/dev/null" Combined - DocumentRoot /home/www/pub/$site - ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60" - #ErrorLog "/dev/null" - ServerName $domain - LogLevel Warn - $(cat "$tool"/etc/apache2/site.d/"$site"/VirtualHost.conf) - - EOF - ;; - (443) + case $site in + (*-tls) cat <<-EOF - AssignUserID www.$site www.$site + AssignUserID www-$site www-$site BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined @@ -179,7 +162,6 @@ rule_apache2_configure () { ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60" #ErrorLog "/dev/null" LogLevel Warn - ServerName $domain SSLCACertificateFile /etc/apache2/site.d/$site/x509/crt.self-signed.pem SSLCACertificatePath /etc/apache2/site.d/$site/x509/usr/ #SSLCARevocationFile /etc/apache2/site.d/$site/x509/rvk.pem 
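Review bot: `ServerName $domain` is dropped from the TLS VirtualHost template in the second hunk (and the plain template that replaces the `(80)` case no longer emits one either), so the generated vhost has no ServerName unless the site's own VirtualHost.conf supplies it; with name-based hosting Apache then serves the first vhost for any unmatched host. The TLS heredoc continues past the hunk, so confirm `$(cat … VirtualHost.conf)` is still appended there, and consider an assertion next to the key.pem check, e.g. `assert "grep -q '^ServerName' \"$tool\"/etc/apache2/site.d/\"$site\"/VirtualHost.conf"`, so a site file without ServerName fails at provisioning time instead of at runtime.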
@@ -206,35 +188,47 @@ rule_apache2_configure () { EOF ;; + (*) + cat <<-EOF + + AssignUserID www-$site www-$site + CustomLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/access/%Y-%m-%d.log 86400 60" Combined + #CustomLog "/dev/null" Combined + DocumentRoot /home/www/pub/$site + ErrorLog "|/usr/sbin/rotatelogs /home/www/log/$site/apache2/error/%Y-%m-%d.log 86400 60" + #ErrorLog "/dev/null" + LogLevel Warn + $(cat "$tool"/etc/apache2/site.d/"$site"/VirtualHost.conf) + + EOF + ;; esac | sudo install -m 660 -o root -g root /dev/stdin \ /etc/apache2/site.d/"$site"/VirtualHost.conf sudo ln -fns \ ../site.d/"$site"/VirtualHost.conf \ /etc/apache2/sites-available/"$site" - sudo install -d -m 770 -o www."$site" -g www."$site" \ + sudo install -d -m 770 -o www-"$site" -g www-"$site" \ /home/www/log/"$site" \ /home/www/log/"$site"/apache2 sudo ln -fns \ /etc/apache2/site.d/"$site" \ /home/www/etc/apache2/"$site" test -e /home/www/pub/"$site" || - sudo install -d -m 2770 -o www."$site" -g www."$site" \ + sudo install -d -m 2770 -o www-"$site" -g www-"$site" \ /home/www/pub/"$site" - getent passwd www."$site" >/dev/null || - sudo adduser \ + rule adduser www-"$site" --disabled-password \ --group \ --no-create-home \ --home /home/www/pub/"$site" \ --shell /bin/false \ - --system \ - www."$site" - #sudo setfacl -m u:"www.$site":--x \ + --system + #sudo setfacl -m u:"www-$site":--x \ # /home/www/ \ # /home/www/pub/ \ # /home/www/pub/"$site"/ - #sudo setfacl -m d:u:"www.$site":rwx \ + #sudo setfacl -m d:u:"www-$site":rwx \ # "$home"/pub/www/"$site"/ test ! -r "$tool"/etc/apache2/site.d/"$site"/configure.sh || . "$tool"/etc/apache2/site.d/"$site"/configure.sh 
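Review bot: `sudo install -d -m 770 -o www-"$site" -g www-"$site" /home/www/log/"$site" …` and the `2770` pub directory are created before `rule adduser www-"$site"` creates that account, so on a fresh host `install` aborts with an invalid user; the ordering predates this change, but switching to `rule adduser` is the moment to move the adduser block above the first `-o www-"$site"` install. The `(*)` template added here emits `AssignUserID www-$site www-$site` with no `ServerName`, so each site's VirtualHost.conf now has to provide it. The function continues before the hunk.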
@@ -313,8 +307,8 @@ rule_dovecot_configure () { local hint="run vm_remote dovecot_key_send before" assert "sudo test -f /etc/dovecot/\"$vm_domainname\"/imap/x509/key.pem" hint sudo install -m 400 -o root -g root \ - "$tool"/var/pub/x509/$vm_domainname/imap/crt+crl.self-signed.pem \ - /etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem + "$tool"/var/pub/x509/imap."$vm_domainname"/crt+crl.self-signed.pem \ + /etc/dovecot/"$vm_domainname"/imap/x509/crt+crl.self-signed.pem sudo install -d -m 770 -o root -g root \ /etc/skel/etc/mail \ /etc/skel/etc/sieve 
@@ -484,35 +478,50 @@ rule_initramfs_configure () { sudo update-initramfs -u } rule_gitolite_configure () { - local user=git sudo debconf-set-selections <<-EOF - gitolite gitolite/gituser string $user + gitolite gitolite/gituser string git gitolite gitolite/adminkey string - gitolite gitolite/gitdir string /home/$user + gitolite gitolite/gitdir string /home/git EOF rule apt_get_install gitolite - getent passwd "$user" >/dev/null || - sudo adduser \ + rule adduser git \ --disabled-password \ --group \ --shell /bin/bash \ - --system \ - "$user" - sudo chfn --full-name "$user" "$user" - eval local home\; home="~$user" - sudo install -d -m 770 -o "$user" -g "$user" \ + --system + sudo chfn --full-name git git + rule adduser log-git \ + --disabled-login \ + --disabled-password \ + --group \ + --home ~git/log \ + --shell /bin/false \ + --system + rule adduser git-daemon\ + --disabled-login \ + --disabled-password \ + --group \ + --home /home/git/pub \ + --shell /bin/false \ + --system + sudo install -d -m 770 -o git -g git \ /etc/gitolite \ - "$home"/etc \ - "$home"/etc/ssh \ - "$home"/pub \ - "$home"/log \ - "$home"/log/gitolite \ - "$home"/log/gitolite/perf - sudo ln -fns /etc/gitolite "$home"/etc/gitolite - sudo ln -fns etc/gitolite/gitolite.rc "$home"/.gitolite.rc - sudo ln -fns etc/ssh "$home"/.ssh - sudo install -m 770 -o "$user" -g "$user" /dev/stdin \ - "$home"/etc/gitolite/gitolite.rc <<-EOF + ~git/etc \ + ~git/etc/ssh \ + ~git/pub + sudo install -d -m 770 -o log-git -g log-git \ + ~git/log \ + ~git/log/gitolite \ + ~git/log/gitolite/perf + sudo install -d -m 550 -o www-lhc-git -g www-lhc-git \ + /etc/gitweb \ + /etc/gitweb/cgi + sudo ln -fns /etc/gitolite ~git/etc/gitolite + sudo ln -fns /etc/gitweb ~git/etc/gitweb + sudo ln -fns etc/gitolite/gitolite.rc ~git/.gitolite.rc + sudo ln -fns etc/ssh ~git/.ssh + sudo install -m 770 -o git -g git /dev/stdin \ + ~git/etc/gitolite/gitolite.rc <<-EOF #\$ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary"; 
#\$BIG_INFO_CAP = 20; #\$ENV{GL_SLAVES} = 'gitolite@server2 gitolite@server3'; @@ -553,17 +562,17 @@ rule_gitolite_configure () { \$RSYNC_BASE = ""; \$SVNSERVE = ""; #\$UPDATE_CHAINS_TO = "hooks/update.secondary"; - #\$WEB_INTERFACE = "gitweb"; + \$WEB_INTERFACE = "gitweb"; 1; EOF - sudo install -m 770 -o "$user" -g "$user" /dev/stdin \ - "$home"/etc/gitweb/gitweb.conf <<-EOF + sudo install -m 740 -o git -g www-lhc-git /dev/stdin \ + ~git/etc/gitweb/gitweb.conf <<-EOF \$commit_oneline_message_width = 70; \$default_projects_order = 'age'; \$default_text_plain_charset = 'UTF-8'; @diff_opts = (); \$favicon = "img/git-favicon.png"; - \$git_temp = "/run/shm/gitweb"; + \$git_temp = "/run/shm/tmp/gitweb"; \$home_footer = "/etc/gitweb/cgi/home-footer.cgi.inc"; \$home_header = "/etc/gitweb/cgi/home-header.cgi.inc"; \$home_link = "/"; 
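Review bot: `sudo install -d -m 550 -o www-lhc-git -g www-lhc-git /etc/gitweb /etc/gitweb/cgi` hard-codes one nginx site's account inside the generic gitolite rule, and that account is only created by the site loop in rule_nginx_configure; run gitolite_configure first, or on a host without the lhc-git site, and `install` fails on an unknown user. Deriving the owner from a variable set by the site's configure.sh, or creating `/etc/gitweb` root-owned with group `www-lhc-git`, would decouple the two rules. Mode 550 also means the `git` account cannot maintain anything in there: the later `gitweb.conf` install (`-o git -g www-lhc-git`) only succeeds because it runs as root, which deserves a comment such as `# /etc/gitweb is read-only for the web user; written only via sudo install`. rule_gitolite_configure continues past this hunk.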
@@ -580,28 +589,27 @@ rule_gitolite_configure () { \$projects_list_description_width = 42; \$projects_list_owner_width = 15; \$search_str = "Filtre :"; - \$site_footer = "/home/fai/pub/www/git.autogeree.net/cgi/site-footer.bin"; + \$site_footer = "/etc/gitweb/cgi/site-footer.bin"; \$site_header = undef; \$site_name = "git.$vm_domainname"; \$space_to_nbsp = 0; @stylesheets = ("css/gitweb.css");# \$untabify_tabstop = 2; EOF - sudo install -m 600 -o "$user" -g "$user" \ - "$tool"/var/pub/ssh/"$user".key \ - "$home"/etc/ssh/"$user".pub - sudo -u "$user" \ - GL_RC="$home"/etc/gitolite/gitolite.rc \ - GIT_AUTHOR_NAME="$user" \ - gl-setup -q "$home"/etc/ssh/"$user".pub "$user" + sudo install -m 600 -o git -g git \ + "$tool"/var/pub/ssh/git.key \ + ~git/etc/ssh/git.pub + sudo -u git \ + GL_RC=/home/git/etc/gitolite/gitolite.rc \ + GIT_AUTHOR_NAME=git \ + gl-setup -q ~git/etc/ssh/git.pub git local d for d in doc logs src - do test ! -d "$home"/etc/gitolite/"$d" || - rmdir "$home"/etc/gitolite/"$d" + do test ! -d ~git/etc/gitolite/"$d" || + rmdir ~git/etc/gitolite/"$d" done rule apt_get_install gitweb highlight - #sudo sv restart fcgi.git.80.git.heureux-cyclage.org - #sudo sv restart git-daemon.git.9418 + sudo service tmpfs restart } rule_locales_configure () { sudo debconf-set-selections <<-EOF @@ -770,26 +778,23 @@ rule_network_configure () { EOF } rule_www_configure () { - getent passwd www >/dev/null || - sudo adduser \ + rule adduser www \ --disabled-login \ --disabled-password \ --group \ --home /home/www \ --shell /bin/false \ - --system \ - www - sudo adduser \ + --system + rule adduser log-www \ --disabled-login \ --disabled-password \ --group \ - --home ~www/log \ + --home /home/www/log \ --shell /bin/false \ - --system \ - log.www + --system #sudo adduser www www-data - sudo adduser www log.www - #sudo adduser log log.www + sudo adduser www log-www + #sudo adduser log log-www usermod --home /home/www/pub www-data sudo install -d -m 751 -o www -g www \ /home/www 
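Review bot: `sudo install -m 600 -o git -g git "$tool"/var/pub/ssh/git.key ~git/etc/ssh/git.pub` hands a file named `git.key` to `gl-setup` as the administrator's public key; it lives under var/pub so it is presumably the public half, but the name invites someone to drop a private key there, which would then be copied into `~git/etc/ssh` and registered as an authorized key. Naming the source `git.pub` removes the ambiguity. `$site_footer = "/etc/gitweb/cgi/site-footer.bin"` points into the 550 directory created earlier, and nothing in this patch installs that file, so confirm it is provisioned elsewhere. `sudo service tmpfs restart` at the end re-runs the whole init script (now with `set -x`) from inside a git rule, which is a surprising side effect worth a one-line comment explaining why it is needed here.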
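Review bot: `usermod --home /home/www/pub www-data` (context line in rule_www_configure) is the only privileged command in the rule not prefixed with `sudo`; run by an unprivileged provisioning user it fails, and if the script runs under `set -e` the rule aborts before the /home/www tree is created. Prefix it with `sudo` for consistency with the `adduser` calls around it. The commented `#sudo adduser log log-www` keeps a reference to a `log` account that nothing in this patch creates; a short comment saying why it is disabled would save the next reader a search.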
@@ -797,20 +802,20 @@ rule_www_configure () { /home/www/etc sudo install -d -m 1771 -o www-data -g www-data \ /home/www/pub - sudo install -d -m 1771 -o log.www -g log.www \ + sudo install -d -m 1771 -o log-www -g log-www \ /home/www/log } rule_nginx_configure () { local -; set +f rule apt_get_install nginx - rule www_configure sudo rm -rf \ /etc/nginx/conf.d \ /etc/nginx/site.d sudo install -d -m 770 -o www -g www \ /etc/nginx \ /etc/nginx/conf.d \ - /etc/nginx/site.d + /etc/nginx/site.d \ + /etc/nginx/x509.d sudo ln -fns \ /etc/nginx \ /home/www/etc/nginx 
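Review bot: `/etc/nginx/x509.d` is created `770 -o www -g www`, and the server template later in this file points `ssl_certificate_key` at `/etc/nginx/x509.d/$site/key.pem`, so the `www` account can replace or add key material that the root-run nginx master will load; this matches how the rest of `/etc/nginx` is already www-owned, but private keys warrant stricter treatment, e.g. `sudo install -d -m 750 -o root -g www /etc/nginx/x509.d` with per-site key files readable by root only (nginx reads them before dropping privileges). Nothing in this patch needs `www` to write there, assuming `nginx_key_send` in vm_remote installs with sudo. The `rule www_configure` call is removed here as well as in rule_apache2_configure, so make sure a caller still orders it first. rule_nginx_configure continues past the hunk.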
@@ -826,150 +831,138 @@ rule_nginx_configure () { done for conf in "$tool"/etc/nginx/site.d/*/server.conf do conf=${conf#"$tool"/etc/nginx/site.d/} - local port domain - IFS=. read -r port domain <<-EOF - ${conf%\/server\.conf} - EOF - assert 'test "${port:+set}"' - assert 'test "${domain:+set}"' - local site="$port.$domain" - getent passwd www."$site" >/dev/null || - sudo adduser \ + local site="${conf%/server.conf}" + rule adduser www-"$site" \ --disabled-login \ --disabled-password \ --group \ - --home ~www-data/"$site" \ + --home /home/www-data/"$site" \ --shell /bin/false \ - --system \ - www."$site" - getent passwd log."$site" >/dev/null || - sudo adduser \ + --system + rule adduser log-www-"$site" \ --disabled-login \ --disabled-password \ --group \ + --home /home/www/log/"$site"/nginx \ --shell /bin/false \ - --system \ - log."$site" - sudo usermod --home ~www/log/"$site"/nginx log."$site" + --system + sudo install -d -m 2770 -o log-www-"$site" -g log-www-"$site" \ + /home/www/log/"$site" sudo install -d -m 770 -o www -g www \ /etc/nginx/site.d/"$site" - case $port in - (443) - local hint="run vm_remote nginx_key_send before" - assert "sudo test -f /etc/nginx/\"$site\"/x509/key.pem" hint - sudo install -m 664 -o www -g www \ - "$tool"/var/pub/x509/"$site"/crt+ca.pem \ - /etc/nginx/site.d/"$site"/x509/crt.pem - ;; - esac - case $port in - (80) - cat <<-EOF - server { - listen $port; - access_log /home/www/log/$site/nginx/access.log main; - error_log /home/www/log/$site/nginx/error.log warn; - root /home/www/pub/$site; - server_name $domain; - $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf) - } - EOF - ;; - (443) - cat <<-EOF - server { - listen $port; - access_log /home/www/log/$site/nginx/access.log main; - error_log /home/www/log/$site/nginx/error.log warn; - keepalive_timeout 70; - root /home/www/pub/$site; - server_name $domain; - # DOC: http://wiki.nginx.org/HttpSslModule - ssl on; - ssl_certificate /home/www/etc/nginx/site.d/$site/x509/crt.pem; - 
ssl_certificate_key /home/www/etc/nginx/site.d/$site/x509/key.pem; - ssl_ciphers HIGH:!ADH:!MD5; - ssl_prefer_server_ciphers on; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_session_cache shared:SSL:10m; - $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf) - } - EOF - ;; - esac | - sudo install -m 660 -o www -g www /dev/stdin \ - /etc/nginx/site.d/"$site"/server.conf - adduser www-data www."$site" - test -e /home/www/pub/"$site" || - sudo install -d -m 3770 -o www."$site" -g www."$site" \ + sudo install -d -m 770 -o www -g www \ + /etc/nginx/x509.d/"$site" + test -L /home/www/pub/"$site" || + sudo install -d -m 3770 -o www-"$site" -g www-"$site" \ /home/www/pub/"$site" - sudo install -d -m 3770 -o log."$site" -g log."$site" \ - /home/www/log/"$site"/nginx + sudo adduser www-data www-"$site" + sudo adduser www-data log-www-"$site" + sudo install -m 660 -o www -g www /dev/stdin \ + /etc/nginx/site.d/"$site"/server.conf <<-EOF + server { + access_log /home/www/log/$site/nginx/access.log main; + error_log /home/www/log/$site/nginx/error.log warn; + root /home/www/pub/$site; + ssl_certificate /etc/nginx/x509.d/$site/crt.pem; + ssl_certificate_key /etc/nginx/x509.d/$site/key.pem; + $(cat "$tool"/etc/nginx/site.d/"$site"/listen.conf) + $(cat "$tool"/etc/nginx/site.d/"$site"/server.conf) + } + EOF + test -d /home/www/pub/"$site" -o -L /home/www/pub/"$site" || test ! -r "$tool"/etc/nginx/site.d/"$site"/configure.sh || . 
"$tool"/etc/nginx/site.d/"$site"/configure.sh done rule apt_get_install spawn-fcgi fcgiwrap sudo insserv --remove fcgiwrap + sudo insserv --remove nginx rule tmpfs_configure - sudo service nginx restart + case $(sv status nginx) in + (run:*) sudo sv restart nginx + esac } rule_php5_fpm_configure () { local -; set +f rule apt_get_install \ php5-fpm \ php-apc - getent passwd php5 >/dev/null || - sudo adduser \ + rule adduser php5 \ --disabled-login \ --disabled-password \ --group \ + --home /etc/php5/fpm \ --shell /bin/false \ - --system \ - php5 - local conf + --system + rule adduser log-php5 \ + --disabled-login \ + --disabled-password \ + --group \ + --home /home/www/log/php5/fpm \ + --shell /bin/false \ + --system sudo ln -fns \ - /etc/php5-fpm \ + /etc/php5/fpm \ /home/www/etc/php5 - sudo rm -f /etc/php5/fpm/pool.d/* + sudo rm -rf \ + /etc/php5/fpm/conf.d \ + /etc/php5/fpm/pool.d + sudo install -d -m 770 -o php5 -g php5 \ + /etc/php5/fpm/conf.d \ + /etc/php5/fpm/pool.d + sudo install -m 770 -o php5 -g php5 \ + "$tool"/etc/php5/fpm/php-fpm.conf \ + /etc/php5/fpm/php-fpm.conf + local conf + #for conf in "$tool"/etc/php5/fpm/conf.d/*.conf + # do conf=${conf#"$tool"/etc/php5/fpm/conf.d/} + # sudo install -m 660 -o php5 -g php5 \ + # "$tool"/etc/php5/fpm/conf.d/"$conf" \ + # /etc/php5/fpm/conf.d/"$conf" + # done for conf in "$tool"/etc/php5/fpm/pool.d/*.conf do conf=${conf#"$tool"/etc/php5/fpm/pool.d/} - local port domain - IFS=. read -r port domain <<-EOF - ${conf%\.conf} + IFS=. 
read -r pool <<-EOF + ${conf%.conf} EOF - assert 'test "${port:+set}"' - assert 'test "${domain:+set}"' - local site="$port.$domain" - getent passwd php5."$site" >/dev/null || - sudo adduser \ + assert 'test "${pool:+set}"' + rule adduser php5-"$pool" \ + --disabled-login \ + --disabled-password \ + --group \ + --no-create-home \ + --home /etc/php5/fpm/pool.d \ + --shell /bin/false \ + --system + rule adduser log-php5-"$pool" \ --disabled-login \ --disabled-password \ --group \ --no-create-home \ - --home ~www/pub/"$site" \ + --home /home/www/log/php5/fpm \ --shell /bin/false \ - --system \ - php5."$site" - sudo install -d -m 770 -o php5 -g php5 \ + --system + sudo install -d -m 770 -o log-php5 -g log-php5 \ /home/www/log/php5 \ /home/www/log/php5/fpm - sudo install -d -m 770 -o log."$site" -g log."$site" \ - /home/www/log/"$site" - sudo adduser php5."$site" www."$site" - sudo install -m 660 -o root -g root /dev/stdin \ - /etc/php5/fpm/pool.d/"$conf" <<-EOF - [php5.$site] - access.log = /home/www/log/$site/php5/fpm/access.log + sudo install -d -m 770 -o log-php5-"$pool" -g log-php5-"$pool" \ + /home/www/log/php5/fpm/"$pool" + sudo install -m 660 -o php5 -g php5 /dev/stdin \ + /etc/php5/fpm/pool.d/"$pool".conf <<-EOF + [$pool] + access.log = /home/www/log/php5/fpm/$pool/access.log catch_workers_output = yes chdir = / env[HOSTNAME] = \$HOSTNAME env[TEMP] = /tmp env[TMPDIR] = /tmp env[TMP] = /tmp - group = www-data - listen = /run/nginx/fastcgi/php5.$site + group = php5-$pool #listen = 127.0.0.1:9000 + listen = /run/php5/fpm/$pool #listen.allowed_clients = 127.0.0.1 + listen.group = www-data + listen.mode = 0660 + #listen.owner = www-data listen.backlog = -1 pm = dynamic pm.max_children = 5 
@@ -982,13 +975,16 @@ rule_php5_fpm_configure () { request_terminate_timeout = 120s rlimit_core = unlimited rlimit_files = 131072 - slowlog = /home/www/log/$site/php5/fpm/slow.log - user = $php5_user + slowlog = /home/www/log/php5/fpm/$pool/slow.log + user = php5-$pool $(cat "$tool"/etc/php5/fpm/pool.d/"$conf") EOF - sudo install -m 664 -o root -g root \ + sudo install -m 664 -o php5 -g php5 \ "$tool"/etc/php5/fpm/php.ini \ /etc/php5/fpm/php.ini + case $(sv status php5-"$pool") in + (run:*) sudo sv restart php5-"$pool" + esac done rule tmpfs_configure sudo service php5-fpm restart @@ -1236,6 +1232,7 @@ rule_tmpfs_configure () { "$tool"/etc/init.d/tmpfs \ /etc/init.d/tmpfs sudo update-rc.d tmpfs defaults + sudo service tmpfs restart } rule_time_configure () { sudo install -m 644 -o root -g root /dev/stdin /etc/timezone <<-EOF @@ -1251,8 +1248,7 @@ rule_time_configure () { rule_user_add () { # SYNTAX: $user rule user_configure local user=$1 - getent passwd "$user" >/dev/null || - sudo adduser --disabled-password "$user" + rule adduser "$user" --disabled-password # NOTE: le mot-de-passe doit être initialisé par l'utilisateur à l'aide de passwd-init . eval local home\; home="~$user" sudo adduser "$user" users @@ -1336,8 +1332,7 @@ rule_user_configure () { rule_user_admin_add () { # SYNTAX: $user rule user_configure local user=$1 - getent passwd "$user" >/dev/null || - sudo adduser --disabled-password "$user" + rule adduser "$user" --disabled-password eval local home\; home="~$user" sudo adduser "$user" sudo sudo install -m 640 -o root -g root \ @@ -1390,9 +1385,10 @@ rule_configure () { rule sysctl_configure rule user_configure rule mail_configure - #rule apache2_configure - rule nginx_configure + rule www_configure rule php5_fpm_configure + rule nginx_configure + #rule apache2_configure rule gitolite_configure rule runit_configure } diff --git a/vm_remote b/vm_remote index 467d528..37e6dc1 100755 --- a/vm_remote +++ b/vm_remote 
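Review bot: The generated server.conf now carries `ssl_certificate /etc/nginx/x509.d/$site/crt.pem` and `ssl_certificate_key …/key.pem` for every site, but the `install … crt+ca.pem … crt.pem` line is removed and nothing in this hunk installs the certificate, so unless a site's configure.sh does it nginx's config test fails on the missing file; and for sites without a key_send file I believe nginx still tries to load the certificate at parse time, so plain-HTTP sites break as well. Emitting the two `ssl_*` lines only when `"$tool"/etc/nginx/site.d/"$site"/key_send` exists, in the same way listen.conf is already spliced in, would keep those sites valid. The `test -d … -o -L … || … . "$tool"/etc/nginx/site.d/"$site"/configure.sh` guard at the end of the loop tests a directory that the `install -d -m 3770` a few lines earlier has just created, so configure.sh looks unreachable as written; if it is meant to run only when the site did not exist before this run, record that in a variable before the `install -d`. In rule_php5_fpm_configure, `sudo rm -rf … /etc/php5/fpm/conf.d` removes the package-provided ini drop-ins while the loop that would repopulate conf.d is commented out, so php-apc, installed just above, presumably loads no ini; either keep conf.d or restore that loop. Both functions are cut by the hunk boundaries.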
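Review bot: `case $(sv status php5-"$pool")` runs `sv status` without `sudo`, and runsv normally creates each service's `supervise/` directory mode 0700, so for an unprivileged caller the status read fails, the `run:*` pattern never matches and the restart is silently skipped; the same applies to `sv status nginx` in the previous hunk. `case $(sudo sv status php5-"$pool") in` fixes it here. `sudo service php5-fpm restart` after the loop is kept alongside the new per-pool `sv restart`, and unlike the nginx hunk there is no `insserv --remove php5-fpm`; if the pools are meant to run under runit, the sysv restart would start a second php-fpm master contending for the same `/run/php5/fpm/$pool` sockets, so one of the two supervisors should go. rule_php5_fpm_configure begins before this hunk.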
@@ -57,18 +57,12 @@ rule__ssh_known_hosts_update () { whoami } -rule__x509_service_key_send_deciphered () { # SYNTAX: $service $remote_destination ${ssh_options-} - local service="$1"; shift - local remote_destination="$1"; shift - gpg --decrypt "var/sec/x509/$vm_domainname/$service/key.pass.gpg" | +rule__x509_site_key_decrypt () { # SYNTAX: $site + local site="$1"; shift + gpg --decrypt "$tool"/var/sec/x509/"$site"/key.pass.gpg | openssl rsa -passin 'stdin' \ - -in "var/sec/x509/$vm_domainname/$service/key.pem" \ - -out '/dev/stdout' | - rule ssh "$@" ' \ - install -m 400 -o root -g root \ - /dev/stdin \ - '"$remote_destination"' \ - ' + -in var/sec/x509/"$site"/key.pem \ + -out '/dev/stdout' } rule_luks_key_send () { # DESCRIPTION: envoie la clef de déchiffrement des partitions au démarrage de la VM. @@ -104,13 +98,14 @@ rule_apache2_key_send () { do conf=${conf#"$tool"/etc/apache2/site.d/} local port domain IFS=. read -r port domain <<-EOF - ${conf%\/VirtualHost\.conf} + ${conf%/VirtualHost.conf} EOF assert 'test "${port:+set}"' assert 'test "${domain:+set}"' local site="$port.$domain" case $port in (443) + rule _x509_site_key_decrypt "$domain" | rule ssh -l root ' \ sudo install -d -m 770 -o '"$user"' -g '"$user"' \ /etc/apache2 \ @@ -120,14 +115,16 @@ rule_apache2_key_send () { /etc/apache2/site.d/'"$site"'/x509/.gitignore <<-EOF key.pem EOF + sudo install -m 400 -o root -g root \ + /dev/stdin \ + /etc/apache2/'"'$site'"'/x509/key.pem ' - rule _x509_service_key_send_deciphered $service \ - /etc/apache2/"$site"/x509/key.pem -l root "$@" ;; esac done } rule_dovecot_key_send () { + rule _x509_site_key_decrypt imap."$vm_domainname" | rule ssh -l root ' \ sudo install -d -m 770 -o root -g root \ /etc/dovecot/'"$vm_domainname"'/ \ 
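Review bot: rule__x509_site_key_decrypt reads the passphrase from `"$tool"/var/sec/x509/"$site"/key.pass.gpg` but the key from the relative `var/sec/x509/"$site"/key.pem`, so it only works when the current directory is `$tool`; `-in "$tool"/var/sec/x509/"$site"/key.pem \` makes the two paths consistent. A short header comment would also help callers, e.g. `# Writes the decrypted PEM private key for $site to stdout; pipe it straight to the remote install, never into a file.`, since this pipeline is the only place the cleartext key exists and `-out /dev/stdout` rather than a temporary file is what keeps it that way.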
@@ -137,9 +134,10 @@ rule_dovecot_key_send () { /etc/dovecot/'"$vm_domainname"'/imap/x509/.gitignore <<-EOF key.pem EOF + sudo install -m 400 -o root -g root \ + /dev/stdin \ + /etc/dovecot/"$vm_domainname"/imap/x509/key.pem ' - rule _x509_service_key_send_deciphered imap \ - /etc/dovecot/$vm_domainname/$service/x509/key.pem -l root "$@" } rule_gitolite_configure () { ( @@ -154,35 +152,29 @@ rule_gitolite_configure () { } rule_nginx_key_send () { local -; set +f - for conf in "$tool"/etc/nginx/site.d/*/server.conf + for conf in "$tool"/etc/nginx/site.d/*/key_send do conf=${conf#"$tool"/etc/nginx/site.d/} - local port domain - IFS=. read -r port domain <<-EOF - ${conf%\/server\.conf} - EOF - assert 'test "${port:+set}"' - assert 'test "${domain:+set}"' - local site="$port.$domain" - case $port in - (443) - rule ssh -l root ' \ - sudo install -d -m 770 -o root -g root \ - /etc/nginx \ - /etc/nginx/site.d \ - /etc/nginx/site.d/'"$site"' \ - /etc/nginx/site.d/'"$site"'/x509; \ - sudo install -m 644 -o root -g root /dev/stdin \ - /etc/nginx/site.d/'"$site"'/x509/.gitignore <<-EOF - key.pem - EOF - ' - rule _x509_service_key_send_deciphered $service \ - /etc/nginx/"$site"/x509/key.pem -l root "$@" - ;; - esac + local site=${conf%/key_send} + rule _x509_site_key_decrypt \ + "$(cat "$tool"/etc/nginx/site.d/"$site"/key_send)" | + rule ssh -l root ' \ + sudo install -d -m 770 -o root -g root \ + /etc/nginx \ + /etc/nginx/x509.d \ + /etc/nginx/x509.d/'"'$site'"'; \ + sudo install -m 644 -o root -g root /dev/stdin \ + /etc/nginx/x509.d/'"'$site'"'/.gitignore <<-EOF + key.pem + EOF + + install -m 400 -o root -g root \ + /dev/stdin \ + /etc/nginx/x509.d/'"'$site'"'/key.pem + ' done } rule_postfix_key_send () { + rule _x509_site_key_decrypt smtpd."$vm_domainname" | rule ssh -l root ' \ sudo install -d -m 770 -o root -g root \ /etc/postfix/'"$vm_domainname"'/ \ 
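Review bot: In rule_apache2_key_send the new remote `install` writes the key to `/etc/apache2/'"'$site'"'/x509/key.pem`, whereas the `.gitignore` two lines above goes to `/etc/apache2/site.d/'"$site"'/x509/`, which as far as this hunk shows is the only directory the ssh command creates; `install` does not create parent directories, so the copy fails unless `/etc/apache2/$site/x509` already exists on the remote host. `/etc/apache2/site.d/'"'$site'"'/x509/key.pem` aligns it with the .gitignore path and with how rule_nginx_key_send now handles x509.d. rule_apache2_key_send starts before this hunk.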
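Review bot: In rule_dovecot_key_send the key destination `/etc/dovecot/"$vm_domainname"/imap/x509/key.pem` sits inside the single-quoted ssh command, so `$vm_domainname` is not expanded locally; the remote shell receives the literal `"$vm_domainname"`, which is unset there, and the key lands in `/etc/dovecot//imap/x509/key.pem` instead of the directory whose `.gitignore` was just written with `'"$vm_domainname"'`. Use the same quoting as the surrounding lines, `/etc/dovecot/'"$vm_domainname"'/imap/x509/key.pem`, or the `'"'$vm_domainname'"'` form rule_postfix_key_send uses two hunks down. rule_dovecot_key_send starts before this hunk.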
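Review bot: rule_nginx_key_send passes `"$(cat "$tool"/etc/nginx/site.d/"$site"/key_send)"` straight into the decrypt rule with no check that the file was non-empty, so an empty or blank key_send decrypts `var/sec/x509//key.pem` and, if that path happens to resolve, ships the wrong key to the remote host. Reading it into a variable first and reusing the file's assert idiom, `local x509_site; x509_site=$(cat "$tool"/etc/nginx/site.d/"$site"/key_send); assert 'test "${x509_site:+set}"'`, keeps the failure local. Inside the ssh command the `install -d` and `.gitignore` calls use `sudo` while the final `install … key.pem` does not; with `-l root` both forms work, but picking one avoids the reader wondering whether the key install was meant to run differently.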
@@ -196,9 +188,10 @@ rule_postfix_key_send () { /etc/postfix/'"$vm_domainname"'/smtpd/x509/.gitignore <<-EOF key.pem EOF + install -m 400 -o root -g root \ + /dev/stdin \ + /etc/postfix/'"'$vm_domainname'"'/smtpd/x509/key.pem ' - rule _x509_service_key_send_deciphered smtpd \ - /etc/postfix/$vm_domainname/smtpd/x509/key.pem -l root "$@" } rule=${1:-help} -- 2.20.1