kaz-vagrant/files/vm-provision.sh

238 lines
9.5 KiB
Bash
Raw Normal View History

2022-11-30 19:43:06 +01:00
#!/bin/bash
if [ -z "${KAZGUARD}" ] ; then
exit 1
fi
resize2fs /dev/sda1
DIR=$(cd "$(dirname $0)"; pwd)
cd "${DIR}"
set -e
export VAGRANT_SRC_DIR=/vagrant/files
mkdir -p "${VAGRANT_SRC_DIR}/log/"
export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-"
(
echo "########## ********** Start Vagrant $(date +%D-%T)"
#pour la résolution de noms dans /etc/hosts
SERVICES_LIST="smtp mail ldap www depot tableur pad webmail sondage garradin test-garradin wiki git agora cloud office cachet quotas"
# Copie de qques fichiers
cp "${VAGRANT_SRC_DIR}/keyboard" /etc/default/keyboard
sysctl -w net.ipv4.ip_forward=1
# MAJ et install
sed -i -e 's/main.*/main contrib non-free/' /etc/apt/sources.list
if [ -f "${VAGRANT_SRC_DIR}/.apt-mirror-config" ]; then
# pour ceux qui disposent d'un cache apt local et pas la fibre
# suffit d'indiquer "host:port" dans le fichier ".apt-mirror-config"
. "${VAGRANT_SRC_DIR}/.apt-mirror-config"
sed -i \
-e "s%s\?://deb.debian.org%://${APT_MIRROR_DEBIAN}%g" \
-e "s%s\?://security.debian.org%://${APT_MIRROR_DEBIAN_SECURITY}%g" \
-e "s%s\?://archive.ubuntu.com%://${APT_MIRROR_UBUNTU}%g" \
-e "s%s\?://security.ubuntu.com%://${APT_MIRROR_UBUNTU_SECURITY}%g" \
/etc/apt/sources.list
fi
DEBIAN_FRONTEND=noninteractive apt-get --allow-releaseinfo-change update
DEBIAN_FRONTEND=noninteractive apt-get -y upgrade
DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade
2023-02-07 22:11:03 +01:00
DEBIAN_FRONTEND=noninteractive apt-get install -y apg curl git sudo unzip rsync firefox-esr tcpdump net-tools mousepad wireshark swapspace whois ldap-utils python3-lxc lxc python3-pygraphviz python3-pil python3-yaml imagemagick btrfs-progs # could be with --no-install-recommends
2022-11-30 19:43:06 +01:00
DEBIAN_FRONTEND=noninteractive apt-get install -y xfce4 lightdm xfce4-terminal xserver-xorg gitk # needs to install recommends
ssh-keygen -t rsa -b 4096 -N '' <<<$'\ny'
rsync /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys
# Pour le confort de chacun
# Le fihcier .customDocker.sh contient
# DEBIAN_FRONTEND=noninteractive apt-get install -y joe
# DEBIAN_FRONTEND=noninteractive apt-get install -y emacs
# DEBIAN_FRONTEND=noninteractive apt-get install -y vim
if [ -f "${VAGRANT_SRC_DIR}/.customDocker.sh" ]; then
chmod a+x "${VAGRANT_SRC_DIR}/.customDocker.sh"
"${VAGRANT_SRC_DIR}/.customDocker.sh"
fi
# Localisation du $LANG, en par défaut, timezone Paris
if [ -z "${HOSTLANG}" ] ; then
HOSTLANG="en_US.UTF-8"
fi
echo "Europe/Paris" > /etc/timezone
ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime
dpkg-reconfigure -f noninteractive tzdata
sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen
sed -i -e "s/# ${HOSTLANG} /${HOSTLANG} /" /etc/locale.gen
echo "LANG=\"${HOSTLANG}\"">/etc/default/locale
dpkg-reconfigure --frontend=noninteractive locales || true # don't fail for a locales problem
update-locale LANG=${HOSTLANG} || true # don't fail for a locales problem
echo -e "\n #### create user\n"
# Creation des utilisateurs
usermod -p $(mkpasswd --method=sha-512 root) root
useradd -m -s "/bin/bash" -p $(mkpasswd --method=sha-512 debian) debian || true # don't fail if user already exists
# augmentation de la taille de /run si lowmem
#echo "tmpfs /run tmpfs nosuid,noexec,size=26M 0 0" >> /etc/fstab
#mount -o remount /run
# Désactivation de la mise en veille de l'écran
mkdir -p /etc/X11/xorg.conf.d/
rsync -a "${VAGRANT_SRC_DIR}/10-monitor.conf" /etc/X11/xorg.conf.d/
# mv /etc/xdg/autostart/light-locker.desktop /etc/xdg/autostart/light-locker.desktop.bak
DEBIAN_FRONTEND=noninteractive apt-get remove --purge -y light-locker
#faut virer exim, il fout la grouille avec le docker postfix
DEBIAN_FRONTEND=noninteractive apt-get remove --purge -y exim4-base exim4-config exim4-daemon-light
#login ssh avec mot de passe
sed -i "s/PasswordAuthentication no/PasswordAuthentication yes/" /etc/ssh/sshd_config
if ! grep -q "PasswordAuthentication yes" /etc/ssh/sshd_config 2>/dev/null; then
echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config
fi
# autorisation du routing et augmentation inotify
if ! grep -q "net.ipv4.ip_forward" /etc/sysctl.conf 2>/dev/null; then
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
fi
sed -i "s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/" /etc/sysctl.conf
if ! grep -q "fs.inotify.max_queued_events" /etc/sysctl.conf 2>/dev/null; then
echo -e "fs.inotify.max_queued_events=1048576\nfs.inotify.max_user_instances=1048576\nfs.inotify.max_user_watches=1048576" >> /etc/sysctl.conf
fi
sysctl -p
# enable bash autocompletion
cat >> /etc/bash.bashrc <<EOF
# enable bash completion in interactive shells
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
EOF
# XFCE4 panel: use default config
# source: https://forum.xfce.org/viewtopic.php?pid=36585#p36585
rsync -a /etc/xdg/xfce4/panel/default.xml /etc/xdg/xfce4/xfconf/xfce-perchannel-xml/xfce4-panel.xml
# Permetre l'édition emacs des lignes de commande (exemple "Esc. flèche gauche" pour "déplace d'un mot à gauche")
TERM_CFG=/root/.config/xfce4/terminal/terminalrc
mkdir -p $(dirname "${TERM_CFG}")
touch "${TERM_CFG}"
if ! grep -q "ShortcutsNoMnemonics" "${TERM_CFG}" 2>/dev/null; then
echo -e "[Configuration]\nShortcutsNoMnemonics=TRUE" >> "${TERM_CFG}"
fi
echo -e "\n #### set swapspace\n"
# free swapspace at shutdown
sed -i -e 's/ExecStart=\/usr\/sbin\/swapspace/ExecStart=\/usr\/sbin\/swapspace\nExecStop=\/usr\/sbin\/swapspace -e/' /lib/systemd/system/swapspace.service
systemctl daemon-reload
# limit journald log size
mkdir -p /etc/systemd/journald.conf.d
if [ ! -f /etc/systemd/journald.conf.d/sizelimit.conf ]; then
cat > /etc/systemd/journald.conf.d/sizelimit.conf <<EOF
[Journal]
SystemMaxUse=20M
SystemMaxFileSize=2M
EOF
fi
#***********DEBUT CERTIF*******************
#*****************ATTENTION: MARCHE PAS (il faut accepter toutes les exceptions de sécurité
echo -e "\n #### mkcert\n"
# Récupérer mkcert et générer la CA
DEBIAN_FRONTEND=noninteractive apt-get install -y libnss3-tools
mkdir -p /root/mkcert
cd /root/mkcert
if [ ! -f mkcert ]; then
wget https://github.com/FiloSottile/mkcert/releases/download/v1.4.3/mkcert-v1.4.3-linux-amd64 -O mkcert
chmod +x mkcert
mkdir -p /etc/letsencrypt/local/
export CAROOT=/etc/letsencrypt/local/
/root/mkcert/mkcert -install # CA dans /etc/letsencrypt/local/
cd "${CAROOT}"
2022-12-23 15:15:49 +01:00
/root/mkcert/mkcert "*.kaz.sns" # cert et clé dans /etc/letsencrypt/local/
2022-11-30 19:43:06 +01:00
2022-12-23 15:15:49 +01:00
mkdir -p /etc/letsencrypt/live/kaz.sns/
ln -s ../../local/_wildcard.kaz.sns.pem /etc/letsencrypt/live/kaz.sns/fullchain.pem
ln -s ../../local/_wildcard.kaz.sns-key.pem /etc/letsencrypt/live/kaz.sns/privkey.pem
2022-11-30 19:43:06 +01:00
fi
#***********FIN CERTIF*******************
2022-12-23 13:50:27 +01:00
# clear apt cache
DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
DEBIAN_FRONTEND=noninteractive apt-get clean
2022-12-22 17:25:05 +01:00
# SNSTER
cd
git clone https://framagit.org/flesueur/snster.git
cd snster
2023-02-06 12:26:55 +01:00
# git checkout tags/v1.1.0
2023-02-07 22:11:03 +01:00
git checkout fe59ef1f
2022-12-22 17:25:05 +01:00
./install.sh
2023-02-07 22:11:03 +01:00
# BTRFS avec hotfix sale de SNSTER
freespace=`df /root | awk '/[0-9]%/{print $(NF-2)}'`
btrsize=$(( $freespace - 5000000 )) # on laisse 5GB libres
truncate -s ${btrsize}k /root/btrfs.img
mkfs.btrfs -f /root/btrfs.img
echo "/root/btrfs.img /var/lib/lxc btrfs loop 0 0" >> /etc/fstab
mount /var/lib/lxc
#losetup -f /root/btrfs.img
#mount /dev/loop0 /var/lib/lxc
sed -i -e "s/template=self.template/template=self.template, bdevtype='btrfs'/" /usr/local/lib/python3.9/dist-packages/backends/LxcBackend.py
2022-12-22 18:52:38 +01:00
# SNSTER KAZ
2023-01-27 21:15:36 +01:00
# cp -ar ${VAGRANT_SRC_DIR}/templates /root
2022-12-22 18:52:38 +01:00
cp -ar ${VAGRANT_SRC_DIR}/snster-kaz /root
# crypto keys
cp -ar /etc/letsencrypt /root/snster-kaz/kaz/prod/
cp -ar /etc/letsencrypt /root/snster-kaz/isp-a/home/
2023-02-03 16:35:24 +01:00
# On monte le filesystem de kaz-prod dans le /kaz de la VM pour le dév (en nofail)
2023-02-07 22:11:03 +01:00
# mkdir /kaz-prod /kaz
# echo "overlay /kaz-prod overlay lowerdir=/var/lib/lxc/sr-masters-bullseye/rootfs,upperdir=/var/lib/lxc/kaz-kaz-prod/overlay/delta,workdir=/var/lib/lxc/kaz-kaz-prod/overlay/work,nofail 0 0" >> /etc/fstab
# echo "/kaz-prod/kaz /kaz none bind,nofail 0 0" >> /etc/fstab
ln -s /var/lib/lxc/kaz-kaz-prod/rootfs/ /kaz-prod
ln -s /kaz-prod/kaz /kaz
2023-02-03 16:35:24 +01:00
# On met le KAZGUARD pour la mise au point
echo "export KAZGUARD='true'" >> /root/.bashrc
2022-12-22 18:52:38 +01:00
# Build SNSTER KAZ !
2023-01-27 21:15:36 +01:00
snster -c /root/snster-kaz create
2023-01-18 12:13:48 +01:00
cp "${VAGRANT_SRC_DIR}/vm-install-kaz.sh" /root/
chmod +x /root/vm-install-kaz.sh
2023-02-03 16:35:24 +01:00
cp "${VAGRANT_SRC_DIR}/vm-upgrade.sh" /root/
chmod +x /root/vm-upgrade.sh
2023-01-18 12:13:48 +01:00
if [ "${NOKAZ}" == "true" ]; then
echo "on ne fait pas l'install de kaz sur kaz-prod"
else
echo "on installe kaz sur kaz-prod"
bash "/root/vm-install-kaz.sh"
fi
2022-11-30 19:43:06 +01:00
echo "########## ********** End Vagrant $(date +%D-%T)"
) > >(tee ${DebugLog}stdout.log) 2> >(tee ${DebugLog}stderr.log >&2)
reboot
2023-01-15 21:03:43 +01:00
# Pour sympa-SOAP
# KAZPROD="snster -c /root/snster-kaz -t /root/templates attach kaz-prod -x"
# ${KAZPROD} "docker cp /etc/letsencrypt/local/rootCA.pem sympaServ:/usr/local/share/ca-certificates/rootCA.crt"
# ${KAZPROD} "docker exec -it sympaServ update-ca-certificates"