kaz-vagrant/files/provision.sh
2022-11-30 19:43:06 +01:00

316 lines
12 KiB
Bash
Executable File

#!/bin/bash
if [ -z "${KAZGUARD}" ] ; then
exit 1
fi
resize2fs /dev/sda1
DIR=$(cd "$(dirname $0)"; pwd)
cd "${DIR}"
set -e
export VAGRANT_SRC_DIR=/vagrant/files
mkdir -p "${VAGRANT_SRC_DIR}/log/"
export DebugLog="${VAGRANT_SRC_DIR}/log/log-vagrant-$(date +%y-%m-%d-%T)-"
(
echo "########## ********** Start Vagrant $(date +%D-%T)"
#pour la résolution de noms dans /etc/hosts
SERVICES_LIST="smtp mail ldap www depot tableur pad webmail sondage garradin test-garradin wiki git agora cloud office cachet quotas"
# Copie de qques fichiers
cp "${VAGRANT_SRC_DIR}/keyboard" /etc/default/keyboard
# Lock grub (https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1758060.html)
sysctl -w net.ipv4.ip_forward=1
DEBIAN_FRONTEND=noninteractive apt-mark hold grub*
# MAJ et install
sed -i -e 's/main.*/main contrib non-free/' /etc/apt/sources.list
if [ -f "${VAGRANT_SRC_DIR}/.apt-mirror-config" ]; then
# pour ceux qui disposent d'un cache apt local et pas la fibre
# suffit d'indiquer "host:port" dans le fichier ".apt-mirror-config"
. "${VAGRANT_SRC_DIR}/.apt-mirror-config"
sed -i \
-e "s%s\?://deb.debian.org%://${APT_MIRROR_DEBIAN}%g" \
-e "s%s\?://security.debian.org%://${APT_MIRROR_DEBIAN_SECURITY}%g" \
-e "s%s\?://archive.ubuntu.com%://${APT_MIRROR_UBUNTU}%g" \
-e "s%s\?://security.ubuntu.com%://${APT_MIRROR_UBUNTU_SECURITY}%g" \
/etc/apt/sources.list
fi
DEBIAN_FRONTEND=noninteractive apt-get --allow-releaseinfo-change update
DEBIAN_FRONTEND=noninteractive apt-get -y upgrade
DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade
DEBIAN_FRONTEND=noninteractive apt-get install -y apg curl git sudo unzip rsync firefox-esr tcpdump net-tools mousepad wireshark swapspace whois ldap-utils # could be with --no-install-recommends
DEBIAN_FRONTEND=noninteractive apt-get install -y xfce4 lightdm xfce4-terminal xserver-xorg gitk # needs to install recommends
ssh-keygen -t rsa -b 4096 -N '' <<<$'\ny'
rsync /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys
# Pour le confort de chacun
# Le fihcier .customDocker.sh contient
# DEBIAN_FRONTEND=noninteractive apt-get install -y joe
# DEBIAN_FRONTEND=noninteractive apt-get install -y emacs
# DEBIAN_FRONTEND=noninteractive apt-get install -y vim
if [ -f "${VAGRANT_SRC_DIR}/.customDocker.sh" ]; then
chmod a+x "${VAGRANT_SRC_DIR}/.customDocker.sh"
"${VAGRANT_SRC_DIR}/.customDocker.sh"
fi
# Localisation du $LANG, en par défaut, timezone Paris
if [ -z "${HOSTLANG}" ] ; then
HOSTLANG="en_US.UTF-8"
fi
echo "Europe/Paris" > /etc/timezone
ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime
dpkg-reconfigure -f noninteractive tzdata
sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen
sed -i -e "s/# ${HOSTLANG} /${HOSTLANG} /" /etc/locale.gen
echo "LANG=\"${HOSTLANG}\"">/etc/default/locale
dpkg-reconfigure --frontend=noninteractive locales || true # don't fail for a locales problem
update-locale LANG=${HOSTLANG} || true # don't fail for a locales problem
echo -e "\n #### create user\n"
# Creation des utilisateurs
usermod -p $(mkpasswd --method=sha-512 root) root
useradd -m -s "/bin/bash" -p $(mkpasswd --method=sha-512 debian) debian || true # don't fail if user already exists
# augmentation de la taille de /run si lowmem
#echo "tmpfs /run tmpfs nosuid,noexec,size=26M 0 0" >> /etc/fstab
#mount -o remount /run
# Désactivation de la mise en veille de l'écran
mkdir -p /etc/X11/xorg.conf.d/
rsync -a "${VAGRANT_SRC_DIR}/10-monitor.conf" /etc/X11/xorg.conf.d/
# mv /etc/xdg/autostart/light-locker.desktop /etc/xdg/autostart/light-locker.desktop.bak
DEBIAN_FRONTEND=noninteractive apt-get remove --purge -y light-locker
#faut virer exim, il fout la grouille avec le docker postfix
DEBIAN_FRONTEND=noninteractive apt-get remove --purge -y exim4-base exim4-config exim4-daemon-light
#login ssh avec mot de passe
sed -i "s/PasswordAuthentication no/PasswordAuthentication yes/" /etc/ssh/sshd_config
if ! grep -q "PasswordAuthentication yes" /etc/ssh/sshd_config 2>/dev/null; then
echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config
fi
# autorisation du routing et augmentation inotify
if ! grep -q "net.ipv4.ip_forward" /etc/sysctl.conf 2>/dev/null; then
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
fi
sed -i "s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/" /etc/sysctl.conf
if ! grep -q "fs.inotify.max_queued_events" /etc/sysctl.conf 2>/dev/null; then
echo -e "fs.inotify.max_queued_events=1048576\nfs.inotify.max_user_instances=1048576\nfs.inotify.max_user_watches=1048576" >> /etc/sysctl.conf
fi
sysctl -p
# enable bash autocompletion
if ! grep -q "/usr/share/bash-completion/bash_completion" /etc/bash.bashrc 2>/dev/null; then
cat >> /etc/bash.bashrc <<EOF
# enable bash completion in interactive shells
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
EOF
fi
# XFCE4 panel: use default config
# source: https://forum.xfce.org/viewtopic.php?pid=36585#p36585
rsync -a /etc/xdg/xfce4/panel/default.xml /etc/xdg/xfce4/xfconf/xfce-perchannel-xml/xfce4-panel.xml
# Permetre l'édition emacs des lignes de commande (exemple "Esc. flèche gauche" pour "déplace d'un mot à gauche")
TERM_CFG=/root/.config/xfce4/terminal/terminalrc
mkdir -p $(dirname "${TERM_CFG}")
touch "${TERM_CFG}"
if ! grep -q "ShortcutsNoMnemonics" "${TERM_CFG}" 2>/dev/null; then
echo -e "[Configuration]\nShortcutsNoMnemonics=TRUE" >> "${TERM_CFG}"
fi
echo -e "\n #### set swapspace\n"
# free swapspace at shutdown
sed -i -e 's/ExecStart=\/usr\/sbin\/swapspace/ExecStart=\/usr\/sbin\/swapspace\nExecStop=\/usr\/sbin\/swapspace -e/' /lib/systemd/system/swapspace.service
systemctl daemon-reload
# limit journald log size
mkdir -p /etc/systemd/journald.conf.d
if [ ! -f /etc/systemd/journald.conf.d/sizelimit.conf ]; then
cat > /etc/systemd/journald.conf.d/sizelimit.conf <<EOF
[Journal]
SystemMaxUse=20M
SystemMaxFileSize=2M
EOF
fi
# KAZ specific things
#installation de docker, docker-compose et on y fourre le user debian dans le groupe idoine
DEBIAN_FRONTEND=noninteractive apt-get install -y docker.io docker-compose docker-clean
usermod -G docker debian
# activation dans alias dans /root/.bashrc
sed -i \
-e 's/^\# alias/alias/g' \
-e 's/^\# export/export/g' \
-e 's/^\# eval/eval/g' \
/root/.bashrc
if ! grep -q "for file in /dockers" /root/.bashrc 2>/dev/null; then
cat >> /root/.bashrc <<EOF
# enable bash completion in interactive shells
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
for file in /kaz/bin/.*-completion.bash ; do
source "\${file}"
done
EOF
fi
# # Localisation du $LANG, en par défaut, timezone Paris
# if [ -z "${KAZBRANCH}" ] ; then
# KAZBRANCH="develop-vm"
# fi
# echo -e "\n #### git checkout ${KAZBRANCH}\n"
#
# # copie des sources
# cd /
# [ -f kaz ] || git clone https://git.kaz.bzh/KAZ/kaz.git
# (cd /kaz ; git checkout "${KAZBRANCH}" )
# find /kaz -name \*.sh -exec chmod a+x {} \;
#
# # pour ceux qui disposent d'un cache apt local et pas la fibre
# if [ -f "${VAGRANT_SRC_DIR}/.apt-mirror-config" ]; then
# rsync -a "${VAGRANT_SRC_DIR}/.apt-mirror-config" /kaz/
# fi
# if [ -f "${VAGRANT_SRC_DIR}/.proxy-config" ]; then
# rsync -a "${VAGRANT_SRC_DIR}/.proxy-config" /etc/profile.d/proxy.sh
# rsync -a "${VAGRANT_SRC_DIR}/.proxy-config" /kaz/
# fi
# if [ -f "${VAGRANT_SRC_DIR}/.docker-config.json" ]; then
# mkdir -p /root/.docker
# rsync -a "${VAGRANT_SRC_DIR}/.docker-config.json" /root/.docker/config.json
# fi
# Ajout d'un serveur DNS sur la VM
#*****************ATTENTION: semble inutile. peut-être privilégié les entrées dans /etc/hosts tout simplement ?
DEBIAN_FRONTEND=noninteractive apt-get install -y dnsmasq
#***********DEBUT CERTIF*******************
#*****************ATTENTION: MARCHE PAS (il faut accepter toutes les exceptions de sécurité
echo -e "\n #### mkcert\n"
# Récupérer mkcert et générer la CA
DEBIAN_FRONTEND=noninteractive apt-get install -y libnss3-tools
mkdir -p /root/mkcert
cd /root/mkcert
if [ ! -f mkcert ]; then
wget https://github.com/FiloSottile/mkcert/releases/download/v1.4.3/mkcert-v1.4.3-linux-amd64 -O mkcert
chmod +x mkcert
mkdir -p /etc/letsencrypt/local/
export CAROOT=/etc/letsencrypt/local/
/root/mkcert/mkcert -install # CA dans /etc/letsencrypt/local/
cd "${CAROOT}"
/root/mkcert/mkcert "*.kaz.local" # cert et clé dans /etc/letsencrypt/local/
mkdir -p /etc/letsencrypt/live/kaz.local/
ln -s ../../local/_wildcard.kaz.local.pem /etc/letsencrypt/live/kaz.local/fullchain.pem
ln -s ../../local/_wildcard.kaz.local-key.pem /etc/letsencrypt/live/kaz.local/privkey.pem
fi
# Essai pour faire accepter la CA à FFOX dès le début
# Add to Firefox store
if [ ! -f /usr/lib/firefox-esr/distribution/policies.json ]; then
cat > /usr/lib/firefox-esr/distribution/policies.json << EOF
{
"policies": {
"Certificates": {
"ImportEnterpriseRoots": true,
"Install": ["/etc/letsencrypt/local/rootCA.pem"]
}
}
}
EOF
fi
#***********FIN CERTIF*******************
#ajout des services dans le host
echo -e "\n #### update /etc/hosts\n"
if ! grep -q "\skaz.local\b" /etc/hosts 2>/dev/null; then
echo "127.0.0.1 kaz.local" >>/etc/hosts
fi
if ! grep -q "\slistes.kaz.local\b" /etc/hosts 2>/dev/null; then
echo "127.0.0.2 listes.kaz.local" >>/etc/hosts
fi
for SERVICE in ${SERVICES_LIST}; do
if ! grep -q "\s${SERVICE}.kaz.local\b" /etc/hosts 2>/dev/null; then
sed -i /etc/hosts \
-e "/\skaz.local\b/ s/$/ ${SERVICE}.kaz.local/"
fi
done
echo -e "\n #### clawsmail\n"
# les scripts de créations de BAL pour clawsmail
cp -ar "${VAGRANT_SRC_DIR}/clawsmail" /
cd /clawsmail
chmod +x addclawsuser.sh
chmod +x genpasswd
#client pour tester la messagerie
DEBIAN_FRONTEND=noninteractive apt-get install -y claws-mail
# On met le KAZGUARD pour la mise au point
echo "export KAZGUARD='true'" >> /root/.bashrc
# echo -e "\n #### rsync download\n"
# [ -d "${VAGRANT_SRC_DIR}/kaz/download" ] &&
# rsync -a "${VAGRANT_SRC_DIR}/kaz/download/" /kaz/download/
# [ -d "${VAGRANT_SRC_DIR}/kaz/git" ] &&
# rsync -a "${VAGRANT_SRC_DIR}/kaz/git/" /kaz/git/
# [ -f "${VAGRANT_SRC_DIR}/kaz/config/dockers.env" ] &&
# [ ! -f "/kaz/config/dockers.env" ] &&
# rsync -a "${VAGRANT_SRC_DIR}/kaz/config/dockers.env" /kaz/config/dockers.env
# for type in mail orga proxy withMail withoutMail ; do
# [ -f "${VAGRANT_SRC_DIR}/kaz/config/container-${type}.list" ] &&
# [ ! -f "/kaz/config/config/container-${type}.list" ] &&
# rsync -a "${VAGRANT_SRC_DIR}/kaz/config/container-${type}.list" /kaz/config/
# done
#
# echo -e "\n #### secretGen\n"
# /kaz/bin/secretGen.sh
#
# #possibilité de lancer vagrant up NOKAZ="true" quand on construit la machine
# if [ "${NOKAZ}" == "true" ]; then
# echo "on ne lance pas install.sh"
# else
# echo "on lance install.sh"
# /kaz/bin/install.sh
# fi
${VAGRANT_SRC_DIR}/kaz.sh
# clear apt cache
DEBIAN_FRONTEND=noninteractive apt-get autoremove -y
DEBIAN_FRONTEND=noninteractive apt-get clean
echo "########## ********** End Vagrant $(date +%D-%T)"
) > >(tee ${DebugLog}stdout.log) 2> >(tee ${DebugLog}stderr.log >&2)
reboot