2 set -e -f ${DRY_RUN:+-n} -u
3 tool
=$
(readlink
-e "${0%/*}")
8 rule_help
() { # SYNTAX: [--hidden]
9 local hidden
; [ ${1:+set} ] || hidden
=set
12 ce script regroupe des règles pour administrer la VM ($vm_fqdn)
13 _depuis_ une machine distante ;
14 il sert à la fois d'outil (aisément bidouillable)
15 et de documentation (préçise).
16 Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
17 Voir \`$tool/vm_hosted' pour les règles côté VM hébergée ($vm_fqdn).
18 SYNTAX: $0 \$RULE \${RULE}_SYNTAX
20 $(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
22 TRACE # affiche les commandes avant leur exécution
23 $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
27 rule_git_configure
() { # DESCRIPTION: configure ./.git correctement
30 git remote
rm host || true
31 git remote add
host $vm_host:src
/vm
32 git config
--replace remote.
host.push HEAD
:refs
/remotes
/master
33 git remote
rm hosted || true
34 git remote add hosted
$vm_fqdn:src
/vm
35 git config
--replace remote.hosted.push HEAD
:refs
/remotes
/master
36 git submodule update
--init
39 rule_git_push
() { # SYNTAX: {host|hosted} $git_push_options
42 local remote
=${1#remote=}; shift
43 GIT_SSH
=.
/lib
/ssh git push
-v "$remote" "$@"
48 "$tool"/lib
/ssh $vm_fqdn "$@"
51 mosh
--ssh="$tool/lib/ssh ${ssh-}" -- $vm_fqdn "$@"
53 rule__ssh_known_hosts_update
() {
55 -o StrictHostKeyChecking
=no \
57 -o HashKnownHosts
=no \
61 rule__x509_site_key_decrypt
() { # SYNTAX: $site
62 local site
="$1"; shift
63 gpg
--decrypt "$tool"/var
/sec
/x509
/"$site"/key.pass.gpg |
64 openssl rsa
-passin 'stdin' \
65 -in var
/sec
/x509
/"$site"/key.pem \
69 rule_luks_key_send
() { # DESCRIPTION: envoie la clef de déchiffrement des partitions au démarrage de la VM.
70 gpg
--decrypt var
/sec
/luks
/$vm_fqdn.key.gpg |
71 "$tool"/lib
/ssh root@
$vm_fqdn "$@" \
73 -o HostKeyAlias
=init.
$vm_fqdn \
74 tee /lib
/cryptsetup
/passfifo \
>/dev
/null
76 rule_luks_key_backup
() { # SYNTAX: ${gpg_options:---recipient $USER@} DESCRIPTION: sauvegarde localement les entêtes des partitions chiffrées.
77 test "${*+set}" ||
set -- --recipient "$USER@"
78 for part
in root var home
84 tmp=$(mktemp -t "luks.'"$part"'.XXXXXXXX.tmp" --dry-run);
85 cryptsetup luksHeaderBackup >/dev/null \
86 /dev/'"$vm_lvm_vg"'/'"$vm_lvm_lv"'_'"$part"' \
87 --header-backup-file "$tmp"; \
89 shred >/dev/null --remove "$tmp"; \
92 -o var
/sec
/luks
/${vm_lvm_lv}_
${part}.luks.gpg
96 rule_gitolite_git
() {
98 cd "$tool"/etc
/gitolite
99 GIT_SSH
=..
/..
/lib
/ssh \
101 SSH_ASKPASS='"$tool"'/lib/ssh-pass \
103 ssh-add '"$tool"'/var/sec/ssh/git </dev/null && \
107 rule_runit_configure
() { # SYNTAX: $sv [...] -- $configure_options
111 rule
ssh sudo sv status \
112 $
(sudo
find /etc
/sv \
113 -mindepth 1 -maxdepth 1 -type d \
114 -printf '%p\n' |
sort)
120 (*) services
="$services $1"; shift;;
123 for sv
in $
(find "$tool"/etc
/sv \
124 -mindepth 1 -maxdepth 1 -type d \
125 -false $
(printf -- '-or -name %s\n' $services) \
128 rule _runit_sv_configure
"$sv" "$@"
132 rule__runit_sv_configure
() { # SYNTAX: $sv $configure_options
135 test ! -r "$tool"/etc
/sv
/"$sv"/remote.sh ||
136 .
"$tool"/etc
/sv
/"$sv"/remote.sh ||
return 1
141 rule_duplicity_configure
() {
143 rule gpg_gen_key
"backup+$vm_hostname@$vm_domainname" <<-EOF
145 Name-Email: backup+$vm_hostname@$vm_domainname
146 Name-Comment: (duplicity)
150 rule_duplicity_key_send
() {
151 gpg
--export-options export-reset-subkey-passwd \
152 --export-secret-subkeys "backup+$vm_hostname@$vm_domainname" |
153 rule
ssh gpg
--import -
155 rule_gpg
() { # SYNTAX: $gpg_options
156 LANG
=C gpg
--no-permission-warning --homedir "$tool"/var
/pub
/openpgp
"$@"
158 rule_gpg_gen_key
() { # SYNTAX: $uid ENV: $gpg_options
165 if test ! -e "$tool"/var
/sec
/openpgp
/"$uid".pass.gpg
166 then gpg
--encrypt $gpg_options -o "$tool"/var
/sec
/openpgp
/"$uid".pass.gpg
<<-EOF
167 $(stdbuf --output 0 tr -d -c '[:alnum:][:punct:]' <"${random:-/dev/urandom}" | head -c 42)
170 if ! rule gpg
--list-keys -- "$uid" >/dev
/null
172 rule gpg
--batch --gen-key
173 # DOC: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=doc/DETAILS;hb=refs/heads/STABLE-BRANCH-1-4
177 Passphrase
:$
(gpg
--decrypt ${gpg_options-} "$tool"/var
/sec
/openpgp
/"$uid".pass.gpg
)
178 Preferences
: TWOFISH AES256 CAST5 BLOWFISH CAMELLIA256
3DES SHA512 SHA384 SHA256 SHA224 SHA1 BZIP2 ZLIB ZIP NONE MDC NO-KS-MODIFY
184 rule gpg
--with-colons --fixed-list-mode --with-fingerprint --list-secret-keys \
186 sed -e 's/^ssb\(:[^:]*\)\{11\}.*/\1/;t;d'
188 for cap
in ${subkey_caps:-}
190 test ! "$caps" = "$(printf %s "$caps" | sed -e 's/'"$cap"'//g')" ||
191 printf '%s\n' 8 s e
$cap q
4096 ${expire:-0} save |
192 rule gpg
--keyid-format "long" --with-colons --fixed-list-mode --expert \
193 --passphrase-fd 3 --command-fd 0 --edit-key "$uid" addkey
3<<-EOF
194 $(gpg --decrypt ${gpg_options-} "$tool"/var/sec/openpgp/"$uid".pass.gpg)
198 rule_mysql_backup
() {
199 mkdir
-p "$tool"/var
/backup
/mysql
201 for db in $(sudo -u backup mysql -u backup --skip-column-names <<-EOF
203 FROM information_schema.schemata
204 WHERE schema_name NOT IN ("information_schema", "performance_schema");
217 assert
'test ! "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
218 assert
'test ! "$(hostname --fqdn)" = "$vm_host"' vm_host