kaz-vagrant/files/provision.sh

#!/bin/bash

if [ -z "${KAZGUARD}" ] ; then
    exit 1
fi

resize2fs /dev/sda1

DIR=$(cd "$(dirname $0)"; pwd)
cd "${DIR}"
set -e
export VAGRANT_SRC_DIR=/vagrant/files

mkdir -p "${VAGRANT_SRC_DIR}/log/"
export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-"
(
    echo "########## ********** Start Vagrant $(date +%D-%T)"
    #pour la résolution de noms dans /etc/hosts
    SERVICES_LIST="smtp mail ldap www depot tableur pad webmail sondage garradin test-garradin wiki git agora cloud office cachet quotas"

    # Copie de qques fichiers
    cp "${VAGRANT_SRC_DIR}/keyboard" /etc/default/keyboard

    # Lock grub (https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1758060.html)
    sysctl -w net.ipv4.ip_forward=1
    DEBIAN_FRONTEND=noninteractive apt-mark hold grub*

    # MAJ et install
    sed -i -e 's/main.*/main contrib non-free/' /etc/apt/sources.list
    if [ -f "${VAGRANT_SRC_DIR}/.apt-mirror-config" ]; then
	# pour ceux qui disposent d'un cache apt local et pas la fibre
	# suffit d'indiquer "host:port" dans le fichier ".apt-mirror-config"
	. "${VAGRANT_SRC_DIR}/.apt-mirror-config"
	sed -i \
	    -e "s%s\?://deb.debian.org%://${APT_MIRROR_DEBIAN}%g" \
	    -e "s%s\?://security.debian.org%://${APT_MIRROR_DEBIAN_SECURITY}%g" \
	    -e "s%s\?://archive.ubuntu.com%://${APT_MIRROR_UBUNTU}%g" \
	    -e "s%s\?://security.ubuntu.com%://${APT_MIRROR_UBUNTU_SECURITY}%g" \
	    /etc/apt/sources.list
    fi

    DEBIAN_FRONTEND=noninteractive apt-get --allow-releaseinfo-change update
    DEBIAN_FRONTEND=noninteractive apt-get -y upgrade
    DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade
    DEBIAN_FRONTEND=noninteractive apt-get install -y apg curl git sudo unzip rsync firefox-esr tcpdump net-tools mousepad wireshark swapspace whois ldap-utils # could be with --no-install-recommends
    DEBIAN_FRONTEND=noninteractive apt-get install -y xfce4 lightdm xfce4-terminal xserver-xorg gitk # needs to install recommends

    ssh-keygen -t rsa -b 4096 -N '' <<<$'\ny'
    rsync /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys

    # Pour le confort de chacun
    # Le fihcier .customDocker.sh contient
    # DEBIAN_FRONTEND=noninteractive apt-get install -y joe
    # DEBIAN_FRONTEND=noninteractive apt-get install -y emacs
    # DEBIAN_FRONTEND=noninteractive apt-get install -y vim
    if [ -f "${VAGRANT_SRC_DIR}/.customDocker.sh" ]; then
	chmod a+x "${VAGRANT_SRC_DIR}/.customDocker.sh"
	"${VAGRANT_SRC_DIR}/.customDocker.sh"
    fi



    # Localisation du $LANG, en par défaut, timezone Paris
    if [ -z "${HOSTLANG}" ] ; then
	HOSTLANG="en_US.UTF-8"
    fi
    echo "Europe/Paris" > /etc/timezone
    ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime
    dpkg-reconfigure -f noninteractive tzdata
    sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen
    sed -i -e "s/# ${HOSTLANG} /${HOSTLANG} /" /etc/locale.gen
    echo "LANG=\"${HOSTLANG}\"">/etc/default/locale
    dpkg-reconfigure --frontend=noninteractive locales || true  # don't fail for a locales problem
    update-locale LANG=${HOSTLANG} || true   # don't fail for a locales problem


    echo -e "\n    #### create user\n"
    # Creation des utilisateurs
    usermod -p $(mkpasswd --method=sha-512 root) root
    useradd -m -s "/bin/bash" -p $(mkpasswd --method=sha-512 debian) debian || true # don't fail if user already exists

    # augmentation de la taille de /run si lowmem
    #echo "tmpfs /run tmpfs nosuid,noexec,size=26M 0  0" >> /etc/fstab
    #mount -o remount /run

    # Désactivation de la mise en veille de l'écran
    mkdir -p /etc/X11/xorg.conf.d/
    rsync -a "${VAGRANT_SRC_DIR}/10-monitor.conf" /etc/X11/xorg.conf.d/
    # mv /etc/xdg/autostart/light-locker.desktop /etc/xdg/autostart/light-locker.desktop.bak
    DEBIAN_FRONTEND=noninteractive apt-get remove --purge -y light-locker

    #faut virer exim, il fout la grouille avec le docker postfix
    DEBIAN_FRONTEND=noninteractive apt-get remove --purge -y exim4-base exim4-config exim4-daemon-light

    #login ssh avec mot de passe
    sed -i "s/PasswordAuthentication no/PasswordAuthentication yes/" /etc/ssh/sshd_config
    if ! grep -q "PasswordAuthentication yes" /etc/ssh/sshd_config 2>/dev/null; then
	echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config
    fi

    # autorisation du routing et augmentation inotify
    if ! grep -q "net.ipv4.ip_forward" /etc/sysctl.conf 2>/dev/null; then
	echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
    fi
    sed -i "s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/" /etc/sysctl.conf
    if ! grep -q "fs.inotify.max_queued_events" /etc/sysctl.conf 2>/dev/null; then
	echo -e "fs.inotify.max_queued_events=1048576\nfs.inotify.max_user_instances=1048576\nfs.inotify.max_user_watches=1048576" >> /etc/sysctl.conf
    fi
    sysctl -p


    # enable bash autocompletion
    if ! grep -q "/usr/share/bash-completion/bash_completion" /etc/bash.bashrc 2>/dev/null; then
	cat >> /etc/bash.bashrc <<EOF
# enable bash completion in interactive shells
if ! shopt -oq posix; then
  if [ -f /usr/share/bash-completion/bash_completion ]; then
    . /usr/share/bash-completion/bash_completion
  elif [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
  fi
fi
EOF
    fi

    # XFCE4 panel: use default config
    # source: https://forum.xfce.org/viewtopic.php?pid=36585#p36585
    rsync -a /etc/xdg/xfce4/panel/default.xml /etc/xdg/xfce4/xfconf/xfce-perchannel-xml/xfce4-panel.xml

    # Permetre l'édition emacs des lignes de commande (exemple "Esc. flèche gauche" pour "déplace d'un mot à gauche")
    TERM_CFG=/root/.config/xfce4/terminal/terminalrc
    mkdir -p $(dirname "${TERM_CFG}")
    touch "${TERM_CFG}"
    if ! grep -q "ShortcutsNoMnemonics" "${TERM_CFG}" 2>/dev/null; then
	echo -e "[Configuration]\nShortcutsNoMnemonics=TRUE" >> "${TERM_CFG}"
    fi

    echo -e "\n    #### set swapspace\n"
    # free swapspace at shutdown
    sed -i -e 's/ExecStart=\/usr\/sbin\/swapspace/ExecStart=\/usr\/sbin\/swapspace\nExecStop=\/usr\/sbin\/swapspace -e/' /lib/systemd/system/swapspace.service
    systemctl daemon-reload

    # limit journald log size
    mkdir -p /etc/systemd/journald.conf.d
    if [ ! -f /etc/systemd/journald.conf.d/sizelimit.conf ]; then
	cat > /etc/systemd/journald.conf.d/sizelimit.conf <<EOF
[Journal]
SystemMaxUse=20M
SystemMaxFileSize=2M
EOF
    fi

    # KAZ specific things
    #installation de docker, docker-compose et on y fourre le user debian dans le groupe idoine

    DEBIAN_FRONTEND=noninteractive apt-get install -y docker.io docker-compose docker-clean
    usermod -G docker debian
    # activation dans alias dans /root/.bashrc
    sed -i \
	-e 's/^\# alias/alias/g' \
	-e 's/^\# export/export/g' \
	-e 's/^\# eval/eval/g' \
	/root/.bashrc

    if ! grep -q "for file in /dockers" /root/.bashrc 2>/dev/null; then
	cat >> /root/.bashrc <<EOF

# enable bash completion in interactive shells
if ! shopt -oq posix; then
  if [ -f /usr/share/bash-completion/bash_completion ]; then
    . /usr/share/bash-completion/bash_completion
  elif [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
  fi
fi

for file in /kaz/bin/.*-completion.bash ; do
    source "\${file}"
done
EOF
    fi

  #   # Localisation du $LANG, en par défaut, timezone Paris
  #   if [ -z "${KAZBRANCH}" ] ; then
	#      KAZBRANCH="develop-vm"
  #   fi
  #   echo -e "\n    #### git checkout ${KAZBRANCH}\n"
  #
  #   # copie des sources
  #   cd /
  #   [ -f kaz ] || git clone https://git.kaz.bzh/KAZ/kaz.git
  #   (cd /kaz ; git checkout "${KAZBRANCH}" )
  #   find /kaz -name \*.sh -exec chmod a+x {} \;
  #
  #   # pour ceux qui disposent d'un cache apt local et pas la fibre
  #   if [ -f "${VAGRANT_SRC_DIR}/.apt-mirror-config" ]; then
	# rsync -a "${VAGRANT_SRC_DIR}/.apt-mirror-config" /kaz/
  #   fi
  #   if [ -f "${VAGRANT_SRC_DIR}/.proxy-config" ]; then
	# rsync -a "${VAGRANT_SRC_DIR}/.proxy-config" /etc/profile.d/proxy.sh
	# rsync -a "${VAGRANT_SRC_DIR}/.proxy-config" /kaz/
  #   fi
  #   if [ -f "${VAGRANT_SRC_DIR}/.docker-config.json" ]; then
	# mkdir -p /root/.docker
	# rsync -a "${VAGRANT_SRC_DIR}/.docker-config.json" /root/.docker/config.json
  #   fi

    # Ajout d'un serveur DNS sur la VM
    #*****************ATTENTION: semble inutile. peut-être privilégié les entrées dans /etc/hosts tout simplement ?
    DEBIAN_FRONTEND=noninteractive apt-get install -y dnsmasq

    #***********DEBUT CERTIF*******************
    #*****************ATTENTION:  MARCHE PAS (il faut accepter toutes les exceptions de sécurité

    echo -e "\n    #### mkcert\n"
    # Récupérer mkcert et générer la CA
    DEBIAN_FRONTEND=noninteractive apt-get install -y libnss3-tools

    mkdir -p /root/mkcert
    cd /root/mkcert
    if [ ! -f mkcert ]; then
	wget https://github.com/FiloSottile/mkcert/releases/download/v1.4.3/mkcert-v1.4.3-linux-amd64 -O mkcert
	chmod +x mkcert
	mkdir -p /etc/letsencrypt/local/
	export CAROOT=/etc/letsencrypt/local/
	/root/mkcert/mkcert -install      # CA dans /etc/letsencrypt/local/
	cd "${CAROOT}"
	/root/mkcert/mkcert "*.kaz.local" # cert et clé dans /etc/letsencrypt/local/

	mkdir -p /etc/letsencrypt/live/kaz.local/
	ln -s ../../local/_wildcard.kaz.local.pem /etc/letsencrypt/live/kaz.local/fullchain.pem
	ln -s ../../local/_wildcard.kaz.local-key.pem /etc/letsencrypt/live/kaz.local/privkey.pem
    fi

    # Essai pour faire accepter la CA à FFOX dès le début
    # Add to Firefox store
    if  [ ! -f /usr/lib/firefox-esr/distribution/policies.json ]; then
	cat > /usr/lib/firefox-esr/distribution/policies.json << EOF
{
 "policies": {
   "Certificates": {
      "ImportEnterpriseRoots": true,
      "Install": ["/etc/letsencrypt/local/rootCA.pem"]
   }
 }
}
EOF
    fi

    #***********FIN CERTIF*******************

    #ajout des services dans le host
    echo -e "\n    #### update /etc/hosts\n"
    if ! grep -q "\skaz.local\b" /etc/hosts 2>/dev/null; then
	echo "127.0.0.1	kaz.local" >>/etc/hosts
    fi
    if ! grep -q "\slistes.kaz.local\b" /etc/hosts 2>/dev/null; then
	echo "127.0.0.2	listes.kaz.local" >>/etc/hosts
    fi
    for SERVICE in ${SERVICES_LIST}; do
	if ! grep -q "\s${SERVICE}.kaz.local\b" /etc/hosts 2>/dev/null; then
	    sed -i /etc/hosts \
		-e "/\skaz.local\b/ s/$/ ${SERVICE}.kaz.local/"
	fi
    done

    echo -e "\n    #### clawsmail\n"
    # les scripts de créations de BAL pour clawsmail
    cp -ar "${VAGRANT_SRC_DIR}/clawsmail" /
    cd /clawsmail
    chmod +x addclawsuser.sh
    chmod +x genpasswd

    #client pour tester la messagerie
    DEBIAN_FRONTEND=noninteractive apt-get install -y claws-mail

    # On met le KAZGUARD pour la mise au point
    echo "export KAZGUARD='true'" >> /root/.bashrc


  #   echo -e "\n    #### rsync download\n"
  #   [ -d "${VAGRANT_SRC_DIR}/kaz/download" ] &&
	# rsync -a "${VAGRANT_SRC_DIR}/kaz/download/" /kaz/download/
  #   [ -d "${VAGRANT_SRC_DIR}/kaz/git" ] &&
	# rsync -a "${VAGRANT_SRC_DIR}/kaz/git/" /kaz/git/
  #   [ -f "${VAGRANT_SRC_DIR}/kaz/config/dockers.env" ] &&
	# [ ! -f "/kaz/config/dockers.env" ] &&
	# rsync -a "${VAGRANT_SRC_DIR}/kaz/config/dockers.env" /kaz/config/dockers.env
  #   for type in mail orga proxy withMail withoutMail ; do
	# [ -f "${VAGRANT_SRC_DIR}/kaz/config/container-${type}.list" ] &&
	#     [ ! -f "/kaz/config/config/container-${type}.list" ] &&
	#     rsync -a  "${VAGRANT_SRC_DIR}/kaz/config/container-${type}.list" /kaz/config/
  #   done
  #
  #   echo -e "\n    #### secretGen\n"
  #   /kaz/bin/secretGen.sh
  #
  #   #possibilité de lancer vagrant up NOKAZ="true" quand on construit la machine
  #   if [ "${NOKAZ}" == "true" ]; then
	# echo "on ne lance pas install.sh"
  #   else
	# echo "on lance install.sh"
	# /kaz/bin/install.sh
  #   fi

    ${VAGRANT_SRC_DIR}/kaz.sh

    # clear apt cache
    DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
    DEBIAN_FRONTEND=noninteractive apt-get clean

    echo "########## ********** End Vagrant $(date +%D-%T)"
)  > >(tee ${DebugLog}stdout.log) 2> >(tee ${DebugLog}stderr.log >&2)

reboot