From b5c3eb9e01b09367935f558a57633b68a65a1a21 Mon Sep 17 00:00:00 2001 
From: Simon Rettberg Date: Thu, 17 Dec 2020 15:08:14 +0100 Subject: [SSPS] Refactor static_files: Submodules with tree Add submodules (aka directories) to static_files, named according to what component they are for. Add function "install_files" to copy the contents of one of those modules to the root directory. This should make the resulting setup more obvious and require less manual copying of files everywhere. --- satellit_installer/includes/10-configurations.inc | 108 +++------- .../includes/10-install_packages.inc | 10 + satellit_installer/includes/10-script_dropper.inc | 4 +- satellit_installer/includes/10-sudo_config.inc | 22 -- satellit_installer/includes/20-setup_samba.inc | 35 ---- satellit_installer/includes/50-copyscripts.inc | 35 +--- .../includes/50-install_dnbd3-server.inc | 30 +-- satellit_installer/includes/50-install_ldadp.inc | 13 ++ .../includes/50-install_taskmanager.inc | 18 +- satellit_installer/includes/60-setup_logging.inc | 6 - satellit_installer/includes/90-patch_slxadmin.inc | 34 +-- .../includes/90-set_directory_permissions.inc | 13 -- satellit_installer/satellit_installer | 22 +- satellit_installer/static_files/dnbd3/alt-servers | 4 - .../static_files/dnbd3/dnbd3-master-proxy.service | 10 - .../static_files/dnbd3/dnbd3-server.service | 13 -- .../dnbd3/etc/dnbd3-server/alt-servers | 4 + .../static_files/dnbd3/etc/dnbd3-server/rpc.acl | 2 + .../dnbd3/etc/dnbd3-server/server.conf | 29 +++ .../etc/systemd/system/dnbd3-master-proxy.service | 10 + .../dnbd3/etc/systemd/system/dnbd3-server.service | 13 ++ .../dnbd3-master-proxy.service | 1 + .../multi-user.target.wants/dnbd3-server.service | 1 + satellit_installer/static_files/dnbd3/rpc.acl | 2 - satellit_installer/static_files/dnbd3/server.conf | 29 --- satellit_installer/static_files/finalize | 21 -- .../static_files/finish_setup_public_key.pem | 14 -- satellit_installer/static_files/firstrun_script.sh | 59 ------ .../ldadp/etc/systemd/system/ldadp@.service | 10 + 
.../static_files/lighttpd-auto-ssl.sh | 80 ------- .../static_files/lighttpd-include-conf-d.sh | 16 -- satellit_installer/static_files/lighttpd.conf | 54 ----- .../lighttpd/etc/lighttpd/lighttpd.conf | 54 +++++ .../10-dynamic_php_children.conf | 2 + .../static_files/lighttpd/opt/openslx/slx-cert | 232 +++++++++++++++++++++ .../usr/local/sbin/patch_lighttpd_phpchildren | 23 ++ .../lighttpd/usr/share/lighttpd/auto-ssl.sh | 80 +++++++ .../lighttpd/usr/share/lighttpd/include-conf-d.sh | 16 ++ .../static_files/logging/80-dmsd.conf | 2 - .../static_files/logging/90-taskmanager.conf | 2 - .../static_files/logging/satellite-logrotate | 14 -- satellit_installer/static_files/netsetup | 200 ------------------ .../static_files/patch_lighttpd_phpchildren | 23 -- satellit_installer/static_files/rclocal_script.sh | 113 ---------- satellit_installer/static_files/slx-cert | 232 --------------------- .../static_files/slxadmin-boot.service | 13 -- .../static_files/slxadmin-bootscript | 13 -- .../static_files/slxadmin-config.php | 61 ------ .../static_files/slxadmin-cronscript | 17 -- satellit_installer/static_files/slxadmin-crontab | 9 - .../static_files/slxadmin-init/gpg-key.asc | 52 ----- .../static_files/slxadmin-init/init.sh | 3 - .../static_files/slxadmin-init/slxadmin-init.php | 51 ----- .../static_files/slxadmin/etc/cron.d/slx-admin | 9 + .../multi-user.target.wants/slxadmin-boot.service | 1 + .../etc/systemd/system/slxadmin-boot.service | 13 ++ .../openslx/restore.d/slxadmin-init/gpg-key.asc | 52 +++++ .../opt/openslx/restore.d/slxadmin-init/init.sh | 3 + .../restore.d/slxadmin-init/slxadmin-init.php | 51 +++++ .../slxadmin/opt/openslx/slxadmin-bootscript | 13 ++ .../slxadmin/opt/openslx/slxadmin-cronscript | 17 ++ .../slxadmin/srv/openslx/www/index.php | 3 + .../slxadmin/srv/openslx/www/slx-admin/config.php | 61 ++++++ satellit_installer/static_files/slxlog | 6 - .../static_files/system/apt-upgrade-conf | 2 - .../system/etc/apt/apt.conf.d/02periodic | 2 + 
.../system/etc/cron.daily/tmpdelete.sh | 9 + .../system/root/installer/firstrun_script.sh | 59 ++++++ .../system/root/installer/rclocal_script.sh | 113 ++++++++++ .../static_files/system/usr/local/bin/finalize | 21 ++ .../static_files/system/usr/local/bin/slxlog | 6 + .../static_files/system/usr/local/sbin/netsetup | 200 ++++++++++++++++++ satellit_installer/static_files/taskmanager/config | 2 - .../static_files/taskmanager/environment | 6 - .../taskmanager/etc/sudoers.d/taskmanager | 12 ++ .../multi-user.target.wants/taskmanager.service | 1 + .../etc/systemd/system/taskmanager.service | 17 ++ .../taskmanager/opt/taskmanager/config/config | 2 + .../taskmanager/opt/taskmanager/config/environment | 6 + .../static_files/taskmanager/taskmanager.service | 17 -- .../multi-user.target.wants/tftpd-hpa.service | 1 + .../tftpd/etc/systemd/system/tftpd-hpa.service | 11 + .../static_files/tftpd/opt/openslx/tftpd-remap | 1 + satellit_installer/static_files/tftpd/tftpd-hpa | 6 - .../static_files/tftpd/tftpd-hpa.service | 11 - satellit_installer/static_files/tftpd/tftpd-remap | 1 - .../redneck-timesync.service | 1 + .../etc/systemd/system/redneck-timesync.service | 12 ++ .../static_files/timesync/redneck-timesync.service | 12 -- .../static_files/timesync/redneck-timesync.sh | 77 ------- .../timesync/usr/local/sbin/redneck-timesync.sh | 77 +++++++ satellit_installer/static_files/tmpdelete.sh | 9 - 92 files changed, 1328 insertions(+), 1529 deletions(-) delete mode 100644 satellit_installer/includes/10-sudo_config.inc delete mode 100644 satellit_installer/includes/20-setup_samba.inc delete mode 100644 satellit_installer/includes/60-setup_logging.inc delete mode 100644 satellit_installer/static_files/dnbd3/alt-servers delete mode 100644 satellit_installer/static_files/dnbd3/dnbd3-master-proxy.service delete mode 100644 satellit_installer/static_files/dnbd3/dnbd3-server.service create mode 100644 satellit_installer/static_files/dnbd3/etc/dnbd3-server/alt-servers create mode 100644 
satellit_installer/static_files/dnbd3/etc/dnbd3-server/rpc.acl create mode 100644 satellit_installer/static_files/dnbd3/etc/dnbd3-server/server.conf create mode 100644 satellit_installer/static_files/dnbd3/etc/systemd/system/dnbd3-master-proxy.service create mode 100644 satellit_installer/static_files/dnbd3/etc/systemd/system/dnbd3-server.service create mode 120000 satellit_installer/static_files/dnbd3/etc/systemd/system/multi-user.target.wants/dnbd3-master-proxy.service create mode 120000 satellit_installer/static_files/dnbd3/etc/systemd/system/multi-user.target.wants/dnbd3-server.service delete mode 100644 satellit_installer/static_files/dnbd3/rpc.acl delete mode 100644 satellit_installer/static_files/dnbd3/server.conf delete mode 100755 satellit_installer/static_files/finalize delete mode 100644 satellit_installer/static_files/finish_setup_public_key.pem delete mode 100644 satellit_installer/static_files/firstrun_script.sh create mode 100644 satellit_installer/static_files/ldadp/etc/systemd/system/ldadp@.service delete mode 100755 satellit_installer/static_files/lighttpd-auto-ssl.sh delete mode 100755 satellit_installer/static_files/lighttpd-include-conf-d.sh delete mode 100644 satellit_installer/static_files/lighttpd.conf create mode 100644 satellit_installer/static_files/lighttpd/etc/lighttpd/lighttpd.conf create mode 100644 satellit_installer/static_files/lighttpd/etc/systemd/system/lighttpd.service.d/10-dynamic_php_children.conf create mode 100755 satellit_installer/static_files/lighttpd/opt/openslx/slx-cert create mode 100755 satellit_installer/static_files/lighttpd/usr/local/sbin/patch_lighttpd_phpchildren create mode 100755 satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh create mode 100755 satellit_installer/static_files/lighttpd/usr/share/lighttpd/include-conf-d.sh delete mode 100644 satellit_installer/static_files/logging/80-dmsd.conf delete mode 100644 satellit_installer/static_files/logging/90-taskmanager.conf delete mode 
100644 satellit_installer/static_files/logging/satellite-logrotate delete mode 100755 satellit_installer/static_files/netsetup delete mode 100755 satellit_installer/static_files/patch_lighttpd_phpchildren delete mode 100644 satellit_installer/static_files/rclocal_script.sh delete mode 100755 satellit_installer/static_files/slx-cert delete mode 100644 satellit_installer/static_files/slxadmin-boot.service delete mode 100755 satellit_installer/static_files/slxadmin-bootscript delete mode 100644 satellit_installer/static_files/slxadmin-config.php delete mode 100755 satellit_installer/static_files/slxadmin-cronscript delete mode 100644 satellit_installer/static_files/slxadmin-crontab delete mode 100644 satellit_installer/static_files/slxadmin-init/gpg-key.asc delete mode 100755 satellit_installer/static_files/slxadmin-init/init.sh delete mode 100644 satellit_installer/static_files/slxadmin-init/slxadmin-init.php create mode 100644 satellit_installer/static_files/slxadmin/etc/cron.d/slx-admin create mode 120000 satellit_installer/static_files/slxadmin/etc/systemd/system/multi-user.target.wants/slxadmin-boot.service create mode 100644 satellit_installer/static_files/slxadmin/etc/systemd/system/slxadmin-boot.service create mode 100644 satellit_installer/static_files/slxadmin/opt/openslx/restore.d/slxadmin-init/gpg-key.asc create mode 100755 satellit_installer/static_files/slxadmin/opt/openslx/restore.d/slxadmin-init/init.sh create mode 100644 satellit_installer/static_files/slxadmin/opt/openslx/restore.d/slxadmin-init/slxadmin-init.php create mode 100755 satellit_installer/static_files/slxadmin/opt/openslx/slxadmin-bootscript create mode 100755 satellit_installer/static_files/slxadmin/opt/openslx/slxadmin-cronscript create mode 100644 satellit_installer/static_files/slxadmin/srv/openslx/www/index.php create mode 100644 satellit_installer/static_files/slxadmin/srv/openslx/www/slx-admin/config.php delete mode 100755 satellit_installer/static_files/slxlog delete mode 100644 
satellit_installer/static_files/system/apt-upgrade-conf create mode 100644 satellit_installer/static_files/system/etc/apt/apt.conf.d/02periodic create mode 100755 satellit_installer/static_files/system/etc/cron.daily/tmpdelete.sh create mode 100755 satellit_installer/static_files/system/root/installer/firstrun_script.sh create mode 100755 satellit_installer/static_files/system/root/installer/rclocal_script.sh create mode 100755 satellit_installer/static_files/system/usr/local/bin/finalize create mode 100755 satellit_installer/static_files/system/usr/local/bin/slxlog create mode 100755 satellit_installer/static_files/system/usr/local/sbin/netsetup delete mode 100644 satellit_installer/static_files/taskmanager/config delete mode 100644 satellit_installer/static_files/taskmanager/environment create mode 100644 satellit_installer/static_files/taskmanager/etc/sudoers.d/taskmanager create mode 120000 satellit_installer/static_files/taskmanager/etc/systemd/system/multi-user.target.wants/taskmanager.service create mode 100644 satellit_installer/static_files/taskmanager/etc/systemd/system/taskmanager.service create mode 100644 satellit_installer/static_files/taskmanager/opt/taskmanager/config/config create mode 100644 satellit_installer/static_files/taskmanager/opt/taskmanager/config/environment delete mode 100644 satellit_installer/static_files/taskmanager/taskmanager.service create mode 120000 satellit_installer/static_files/tftpd/etc/systemd/system/multi-user.target.wants/tftpd-hpa.service create mode 100644 satellit_installer/static_files/tftpd/etc/systemd/system/tftpd-hpa.service create mode 100644 satellit_installer/static_files/tftpd/opt/openslx/tftpd-remap delete mode 100644 satellit_installer/static_files/tftpd/tftpd-hpa delete mode 100644 satellit_installer/static_files/tftpd/tftpd-hpa.service delete mode 100644 satellit_installer/static_files/tftpd/tftpd-remap create mode 120000 
satellit_installer/static_files/timesync/etc/systemd/system/network-online.target.wants/redneck-timesync.service create mode 100644 satellit_installer/static_files/timesync/etc/systemd/system/redneck-timesync.service delete mode 100644 satellit_installer/static_files/timesync/redneck-timesync.service delete mode 100755 satellit_installer/static_files/timesync/redneck-timesync.sh create mode 100755 satellit_installer/static_files/timesync/usr/local/sbin/redneck-timesync.sh delete mode 100755 satellit_installer/static_files/tmpdelete.sh diff --git a/satellit_installer/includes/10-configurations.inc b/satellit_installer/includes/10-configurations.inc index 5f9312a..19052dc 100644 --- a/satellit_installer/includes/10-configurations.inc +++ b/satellit_installer/includes/10-configurations.inc 
@@ -1,112 +1,62 @@ -patch_tftpd-hpa_config() { - echo "# Stopping tftpd-hpa server in case it's not managed by inetd... " - systemctl stop tftpd-hpa || perror "Failed" - # No sense in patching, we will drop this little entry. - echo "# Copying tftpd-hpa configuration... " - cp -p "$BASEDIR/static_files/tftpd/tftpd-hpa" "/etc/default/tftpd-hpa" || perror "failed" - echo "# Copying remap file... " - mkdir -p "/opt/openslx" - cp -p "$BASEDIR/static_files/tftpd/tftpd-remap" "/opt/openslx/tftpd-remap" || perror "failed" - # sometimes a tftp stating line remains in /etc/inetd.conf. Let's have a look and kill this interesting line: - echo -n "# Checking /etc/inetd.conf for a tftp entry... " +write_tftpd_config() { + install_files "tftpd" + echo "# Removing any tftpd config from (x)inetd... " + # sometimes a tftp stating line remains in /etc/inetd.conf if [ -f /etc/inetd.conf ]; then - if [ "$(grep -c "^tftp.*dgram.*udp4" /etc/inetd.conf)" -gt 0 ]; then - echo -n " found. Deleting... " + if grep -q "^tftp.*dgram.*udp4" /etc/inetd.conf; then + echo "Deleting /etc/inetd.conf entry for tftpd" sed -i '/^tftp.*dgram.*udp4/d' /etc/inetd.conf - echo " ok." - else - echo " no entry found." fi - else - echo " no /etc/inetd.conf found." - fi -} - -copy_tftpd-hpa_service() { - echo "# Copying tftpd-hpa service file... " - cp -p "$BASEDIR/static_files/tftpd/tftpd-hpa.service" "/etc/systemd/system/tftpd-hpa.service" || perror "failed" - echo -n "# Linking tftpd-hpa service file into (/etc/systemd/system/)multi-user.target.wants... " - ln -s ../tftpd-hpa.service /etc/systemd/system/multi-user.target.wants/tftpd-hpa.service \ - && echo "ok." || perror "Could not link tftpd-hpa service file into multiuser target!" 
+ fi + for i in /etc/xinetd.d/*; do + [ -f "$i" ] || continue + grep -q 'service.*tftp' "$i" || continue + echo "Deleting $i" + rm -f -- "$i" + done } patch_lighttpd_config() { local mod file echo "# Customizing lighttpd config" - cp -p "$BASEDIR/static_files/lighttpd.conf" /etc/lighttpd/lighttpd.conf || perror "failed." - cp -p "$BASEDIR/static_files/lighttpd-auto-ssl.sh" /usr/share/lighttpd/auto-ssl.sh || perror "failed." - cp -p "$BASEDIR/static_files/lighttpd-include-conf-d.sh" /usr/share/lighttpd/include-conf-d.sh || perror "failed." - cp -a "$BASEDIR/static_files/patch_lighttpd_phpchildren" /usr/local/sbin/patch_lighttpd_phpchildren || perror "failed." - mkdir -p /opt/openslx - cp -a "$BASEDIR/static_files/slx-cert" /opt/openslx/slx-cert || perror "failed." - chmod +x /usr/share/lighttpd/auto-ssl.sh || perror "failed" - chmod +x /usr/share/lighttpd/include-conf-d.sh || perror "failed" - chmod +x /usr/local/sbin/patch_lighttpd_phpchildren || perror "failed" for mod in fastcgi fastcgi-php; do file=$(echo /etc/lighttpd/conf-available/??-${mod}.conf) # expand ?? [ -f "$file" ] || perror "Could not find path for $mod" file=$(basename "$file") ln -sf "../conf-available/$file" "/etc/lighttpd/conf-enabled/$file" || perror "Could not enable module $mod" done - - # Increase php threads (set dynamically) - mkdir -p /etc/systemd/system/lighttpd.service.d || perror "Could not create /etc/systemd/system/lighttpd.service.d" - cat > "/etc/systemd/system/lighttpd.service.d/10-dynamic_php_children.conf" <<-HDOC - [Service] - ExecStartPre=/usr/local/sbin/patch_lighttpd_phpchildren - HDOC mkdir -p "$WWWDIR" || perror "Could not create www-dir ($WWWDIR)" + install_files "lighttpd" } patch_php_config() { - echo -n "# Patching php configuration... " - - if [ $(ls -d /etc/php/*/|wc -l) -eq 1 ]; then - local PHPINIFILE="$(ls -d /etc/php/*/)/cgi/php.ini" - else - pwarning "No php ini file dir found - or more than one." 
- fi - - if [ -f "$PHPINIFILE" ]; then - grep -E "^\s*upload_max_filesize" "$PHPINIFILE" # 2>/dev/null 1>&2 - - if [ "$?" -eq 0 ]; then - echo -n "upload_max_filesize entry found; patching to 100M... " - sed -i.sik -e '/^\s*upload_max_filesize/c\upload_max_filesize = 100M' "$PHPINIFILE" + local PHPINIFILE + echo "# Patching php configuration... " + # TODO Throw snippet into conf.d/ instead + for PHPINIFILE in /etc/php*/cgi/php.ini /etc/php/*/cgi/php.ini; do + [ -f "$PHPINIFILE" ] || continue + if grep -q -E "^\s*upload_max_filesize" "$PHPINIFILE"; then + sed -i -e '/^\s*upload_max_filesize/c\upload_max_filesize = 100M' "$PHPINIFILE" || pwarning "Could not increase PHP upload limit" else - echo -n "no upload_max_filesize entry found; appending 100M entry... " - echo "upload_max_filesize = 100M" >> "$PHPINIFILE" + echo "upload_max_filesize = 100M" >> "$PHPINIFILE" || pwarning "Could not increase PHP upload limit" fi if grep -q -E '^\s*post_max_size' "$PHPINIFILE"; then - sed -i -e '/^\s*post_max_size/c\post_max_size = 100M' "$PHPINIFILE" || pwarning "Could not increase PHP upload limit" + sed -i -e '/^\s*post_max_size/c\post_max_size = 100M' "$PHPINIFILE" || pwarning "Could not increase PHP POST limit" else - echo "post_max_size = 100M" >> "$PHPINIFILE" || pwarning "Could not increase PHP upload limit" + echo "post_max_size = 100M" >> "$PHPINIFILE" || pwarning "Could not increase PHP POST limit" fi - - echo "ok." - service lighttpd reload - else - echo "php ini file (${PHPINIFILE}) not found." - pwarning "Could not patch php ini file. Please check manually and make sure upload_max_filesize is appropriately set (50-100MB)." - fi + done } config_nfs() { - echo -n "# Patching /etc/exports for NFS... " - if [ $(grep -c "/srv/openslx/nfs" /etc/exports) -gt 0 ]; then - echo -n "NFS entry already there; doing nothing." + echo "# Patching /etc/exports for NFS and creating directories... 
" + if grep -q "/srv/openslx/nfs" /etc/exports; then + echo "NFS entry already there; doing nothing." else echo '/srv/openslx/nfs *(ro,async,insecure,no_root_squash,no_subtree_check)' >> /etc/exports - echo "ok." fi mkdir -p /srv/openslx/nfs 2>/dev/null - chown dmsd:images /srv/openslx/nfs + chown dmsd:images /srv/openslx/nfs || perror "Setting owner of /srv/openslx/nfs failed" chmod 775 /srv/openslx/nfs } - -write_apt_config() { - echo -n "# Configuring apt unattended/periodic updates... " - cp "$BASEDIR/static_files/system/apt-upgrade-conf" "/etc/apt/apt.conf.d/02periodic" && echo " done." || pwarning "failed." -} - diff --git a/satellit_installer/includes/10-install_packages.inc b/satellit_installer/includes/10-install_packages.inc index 5a64b0e..1892ec2 100644 --- a/satellit_installer/includes/10-install_packages.inc +++ b/satellit_installer/includes/10-install_packages.inc @@ -51,3 +51,13 @@ install_packages() { esac } +# install_files +install_files() { + local dir="${BASEDIR}/static_files/${1}" + [ -d "$dir" ] || perror "static files for module $1 not found" + tar -cpP --owner=root --group=root --transform "s,^\(./\)*${dir}/*,," "$dir" | tar -xp -C / + local ps=( ${PIPESTATUS[*]} ) + [ "${ps[0]}" != 0 ] && perror "tarcopy: Read failed" + [ "${ps[1]}" != 0 ] && perror "tarcopy: Write failed" + return 0 +} diff --git a/satellit_installer/includes/10-script_dropper.inc b/satellit_installer/includes/10-script_dropper.inc index 512b4cf..efae442 100644 --- a/satellit_installer/includes/10-script_dropper.inc +++ b/satellit_installer/includes/10-script_dropper.inc 
@@ -12,9 +12,6 @@ drop_script() { # So we know all the paths and the mysql password cat "${BASEDIR}/includes/00-dirs.inc" "${CONFIGDIR}/config" > "/root/installer/config" chmod 0600 /root/installer/config - cp "${BASEDIR}/static_files/firstrun_script.sh" "${BASEDIR}/static_files/rclocal_script.sh" /root/installer/ - chmod u+x /root/installer/firstrun_script.sh /root/installer/rclocal_script.sh - } drop_keychanger_rclocal() { @@ -33,6 +30,7 @@ drop_keychanger_rclocal() { HIERDOK chmod +x /etc/rc.local fi + # WTF? Why forking? cat > /etc/systemd/system/rc-local.service <<-DORTDOK [Unit] Description=/etc/rc.local Compatibility diff --git a/satellit_installer/includes/10-sudo_config.inc b/satellit_installer/includes/10-sudo_config.inc deleted file mode 100644 index 8b3b369..0000000 --- a/satellit_installer/includes/10-sudo_config.inc +++ /dev/null @@ -1,22 +0,0 @@ -sudo_config() { - - local TM_SUDO_CONF="/etc/sudoers.d/taskmanager" - [ -n "$1" ] && TM_SUDO_CONF="$1" - - cat > "${TM_SUDO_CONF}" <<-EOF - # Sudoers configuration for user 'taskmanager' - # Auto-generated on: $(date) - taskmanager ALL=(ldadp) NOPASSWD: /opt/taskmanager/scripts/ldadp-launcher - taskmanager ALL=(root) NOPASSWD: /sbin/reboot - taskmanager ALL=(root) NOPASSWD: /bin/netstat - taskmanager ALL=(root) NOPASSWD: /opt/taskmanager/scripts/systemctl - taskmanager ALL=(root) NOPASSWD: /opt/taskmanager/scripts/mount-store - taskmanager ALL=(root) NOPASSWD: /opt/taskmanager/scripts/system-backup - taskmanager ALL=(root) NOPASSWD: /opt/taskmanager/scripts/system-restore - taskmanager ALL=(root) NOPASSWD: /opt/taskmanager/scripts/install-https - taskmanager ALL=(root) NOPASSWD: /opt/taskmanager/scripts/ldadp-setperms - ALL ALL=(www-data) NOPASSWD: /usr/local/bin/slxlog - Defaults env_keep += "TM_*" - EOF - chmod 0440 "${TM_SUDO_CONF}" || perror "# Could not set perms of '${TM_SUDO_CONF}' to 0440!" -} 
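Review bot: drop_script no longer installs firstrun_script.sh and rclocal_script.sh into /root/installer; they now arrive via `install_files "system"` (root/installer/ in the system module), so the first-boot flow depends on install_system_scripts being called before /root/installer/config is consumed, and that ordering lives in satellit_installer, which is outside this view. A one-line comment at the removal point would save the next reader the search, e.g. `# firstrun_script.sh / rclocal_script.sh are installed by install_files "system"`. The `# WTF? Why forking?` comment added in the second hunk records a question rather than an answer; if the forking rc-local.service is known to be required (or not), state that, otherwise make it a `# TODO(name): …` so it gets tracked.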
diff --git a/satellit_installer/includes/20-setup_samba.inc b/satellit_installer/includes/20-setup_samba.inc deleted file mode 100644 index 13a143d..0000000 --- a/satellit_installer/includes/20-setup_samba.inc +++ /dev/null @@ -1,35 +0,0 @@ -setup_sambauser() { - echo -n "# Setting up samba user $1..." - echo -ne "$2\n$2\n" | smbpasswd -a -s -U "$1" 2>/dev/null # $1: User, $2: Password - ERR=$? - if [ "$ERR" -ne 0 ]; then - echo - echo "# WARNING: Could not enter password for samba user $1." - echo "# Please remember to set a password for user $1 by hand." - else - echo " ok." - fi -} - -setup_sambaconfig() { - - echo -n "# Writing samba config..." - if [ $(grep -c "\[imageshare\]" /etc/samba/smb.conf) -gt 0 ]; then - echo " config already written; doing nothing." - else - cat >>/etc/samba/smb.conf<<-EOF - - [imageshare] - path = /srv/openslx/nfs - comment = VM image share - writable = yes - valid users = vmware - EOF - echo "ok." - fi -} - -setup_samba() { - setup_sambauser vmware openslx-ng - setup_sambaconfig -} diff --git a/satellit_installer/includes/50-copyscripts.inc b/satellit_installer/includes/50-copyscripts.inc index 687b1a2..aee3944 100644 --- a/satellit_installer/includes/50-copyscripts.inc +++ b/satellit_installer/includes/50-copyscripts.inc 
@@ -1,36 +1,9 @@ -install_tmpdelete() { - echo "# Copying tmpdelete.sh to /etc/cron.daily... " - cp "$BASEDIR/static_files/tmpdelete.sh" /etc/cron.daily/tmpdelete - chmod +x /etc/cron.daily/tmpdelete -} - -install_config_static_ip() { - echo -n "# Copying config_static_ip to /usr/local/sbin... " - mkdir -p /usr/local/sbin 2>/dev/null # Just for being on the safe side. - cp "$BASEDIR/static_files/netsetup" /usr/local/sbin - echo "ok." -} - -install_slxlog() { - mkdir -p "/usr/local/bin" - cp -a "$BASEDIR/static_files/slxlog" "/usr/local/bin/" || perror "Could not install slxlog" - chown root:root "/usr/local/bin/slxlog" -} - -install_finalize() { - mkdir -p "/usr/local/bin" - cp -a "$BASEDIR/static_files/finalize" "/usr/local/bin/" || perror "Could not install finalize script" - chown root:root "/usr/local/bin/finalize" +install_system_scripts() { + # Different stuff like slxlog, finalize, firstrun, netsetup + install_files "system" } install_timesync() { - mkdir -p "/usr/local/sbin" "/etc/systemd/system/network.target.wants" \ - || perror "install_timesync: mkdir failed" - install -m 0755 -o root "$BASEDIR/static_files/timesync/redneck-timesync.sh" "/usr/local/sbin/" \ - || perror "Could not copy redneck-timesync.sh" - install -m 0644 -o root "$BASEDIR/static_files/timesync/redneck-timesync.service" "/etc/systemd/system/" \ - || perror "Could not copy redneck-timesync.service" - ln -sf "../redneck-timesync.service" "/etc/systemd/system/network.target.wants/redneck-timesync.service" \ - || perror "Could not symlink redneck-timesync.service from /etc/systemd/system/network.target.wants/redneck-timesync.service" + install_files "timesync" } diff --git a/satellit_installer/includes/50-install_dnbd3-server.inc b/satellit_installer/includes/50-install_dnbd3-server.inc index 8e69db2..2b8e8fa 100644 --- a/satellit_installer/includes/50-install_dnbd3-server.inc +++ b/satellit_installer/includes/50-install_dnbd3-server.inc 
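Review bot: The daily cleanup job is now shipped as `/etc/cron.daily/tmpdelete.sh`, but Debian's cron.daily runs through run-parts, which by default only executes names matching `^[a-zA-Z0-9_-]+$` and skips anything containing a dot, so the job will never run; the removed install_tmpdelete deliberately copied it to `/etc/cron.daily/tmpdelete`. Rename the tree entry to `system/etc/cron.daily/tmpdelete` (the diffstat shows it created as tmpdelete.sh). The timesync unit also moves from network.target.wants to network-online.target.wants in the new tree; that looks intentional but is not mentioned in the commit message, and a short comment in install_timesync, `# unit is pulled in via network-online.target.wants in the static tree`, would make the change visible to whoever reads this function next.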
@@ -1,17 +1,3 @@ -install_dnbd3-server_service() { - echo "# copying dnbd3-server service file..." - cp -p "$BASEDIR/static_files/dnbd3/dnbd3-server.service" /etc/systemd/system/dnbd3-server.service || perror "failed." - echo "# Linking dnbd3-server service file into (/etc/systemd/system/)multi-user.target.wants..." - ln -s /etc/systemd/system/dnbd3-server.service /etc/systemd/system/multi-user.target.wants/dnbd3-server.service \ - || perror "Could not link dnbd3-server service file into multiuser target!" - # For accessing stage4 on master server via SSL tunnel - echo "# copying dnbd3-master-proxy service file..." - cp -p "$BASEDIR/static_files/dnbd3/dnbd3-master-proxy.service" /etc/systemd/system/dnbd3-master-proxy.service || perror "failed." - echo "# Linking dnbd3-master-proxy service file into (/etc/systemd/system/)multi-user.target.wants..." - ln -s /etc/systemd/system/dnbd3-master-proxy.service /etc/systemd/system/multi-user.target.wants/dnbd3-master-proxy.service \ - || perror "Could not link dnbd3-master-proxy service file into multiuser target!" -} - install_dnbd3-server() { # $1: directory to install dnbd3-server to echo "# Installing dnbd3 server... " 
@@ -21,21 +7,13 @@ install_dnbd3-server() { git clone https://git.openslx.org/dnbd3.git "$BASEDIR/tmp/dnbd3" || perror "Could not clone dnbd3" mkdir "$BASEDIR/tmp/dnbd3/build" cd "$BASEDIR/tmp/dnbd3/build" || perror "Build dir == where?" - cmake -DBUILD_FUSE_CLIENT=OFF -DBUILD_KERNEL_MODULE=OFF -DBUILD_STRESSTEST=OFF -DBUILD_SERVER=ON -DCMAKE_BUILD_TYPE=Release .. || perror "cmake failed" + cmake -DDNBD3_CLIENT_FUSE=OFF -DDNBD3_KERNEL_MODULE=OFF -DDNBD3_SERVER=ON -DCMAKE_BUILD_TYPE=Release .. || perror "cmake failed" make dnbd3-server || perror "Building dnbd3-server failed" - cp dnbd3-server "$1/" || perror "Could not copy dnbd3-server binary to $1" + cp src/server/dnbd3-server "$1/" || perror "Could not copy dnbd3-server binary to $1" cd - &>/dev/null - # Copy config files - mkdir -p /etc/dnbd3-server || perror "mkdir /etc/dnbd3-server failed" - for i in rpc.acl server.conf alt-servers; do - cp -p "$BASEDIR/static_files/dnbd3/$i" "/etc/dnbd3-server/$i" \ - || perror "Could not copy $i to /etc/dnbd3-server" - chmod 644 "/etc/dnbd3-server/$i" - done - chown -R root:root "$1" - - install_dnbd3-server_service "/etc/systemd/system/" + # Install static files + install_files "dnbd3" echo "# dnbd3-server ok." } diff --git a/satellit_installer/includes/50-install_ldadp.inc b/satellit_installer/includes/50-install_ldadp.inc index 9dc4847..6fe1e69 100644 --- a/satellit_installer/includes/50-install_ldadp.inc +++ b/satellit_installer/includes/50-install_ldadp.inc 
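Review bot: The cmake options are renamed to the current upstream names and the binary is now taken from `src/server/dnbd3-server`, which ties this build to a particular era of the upstream tree, yet the clone in the context line above still fetches the remote's default branch head unpinned; the next upstream rename silently breaks the installer, and the server binary comes from whatever commit is current at install time. Pin the checkout, e.g. `git clone --branch <known-good tag or commit> https://git.openslx.org/dnbd3.git "$BASEDIR/tmp/dnbd3" || perror "Could not clone dnbd3"` (placeholder: use the revision these option names were verified against), and consider echoing the resulting `git rev-parse HEAD` into the install log so a deployed satellite can be traced to a source revision. The enclosing install_dnbd3-server starts outside this hunk.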
@@ -10,6 +10,19 @@ install_ldadp() { cp ldadp "$DIR" || perror "Could not copy ldadp binary to $DIR" cd .. || perror "Could not cd .." rm -r ldadptmp # Should we care if fail? + + # Static files + install_files "ldadp" + + # ldadp dirs + mkdir -p "$LDADPDIR" "$LDADPDIR/configs" || perror "Creating ldadp directories failed" + chmod 755 "$LDADPDIR" + chown root:root "$LDADPDIR" # Prob. unnecessary, but to be sure. + chmod 750 "$LDADPDIR/configs" + chown -R taskmanager:ldadp "$LDADPDIR/configs" + # Make sure we spare the binary + chown root:root "$LDADPDIR/ldadp" # ... not the binary. + return 0 } diff --git a/satellit_installer/includes/50-install_taskmanager.inc b/satellit_installer/includes/50-install_taskmanager.inc index b02cb6b..0c6b70c 100644 --- a/satellit_installer/includes/50-install_taskmanager.inc +++ b/satellit_installer/includes/50-install_taskmanager.inc @@ -3,14 +3,12 @@ install_taskmanager() { echo "# Installing taskmanager... " mkdir -p "$1" unpack_tar_gz "$BASEDIR/static_files/taskmanager.tar.gz" "-C $1" - chown -R root:root "$1" - install -o root "$BASEDIR/static_files/taskmanager/taskmanager.service" "/etc/systemd/system/taskmanager.service" || perror "Could not install systemd service" - systemctl daemon-reload - systemctl enable taskmanager.service || perror "Could not enable taskmanager.service" - mkdir -m 0750 -p "$TASKMANDIR/config" - chown root:taskmanager "$TASKMANDIR/config" - install -o root -g taskmanager -m 0640 \ - "$BASEDIR/static_files/taskmanager/config" \ - "$BASEDIR/static_files/taskmanager/environment" \ - "$TASKMANDIR/config/" || perror "Could not install taskmanager config" + chown -R root:root "$1" || perror "chown $1 failed" + install_files "taskmanager" + chown -R root:taskmanager "$TASKMANDIR/config" + chmod 0750 "$TASKMANDIR/config" + chmod 0640 \ + "$TASKMANDIR/config/config" \ + "$TASKMANDIR/config/environment" \ + || perror "chmod of taskmanager config failed" } 
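Review bot: The ldadp directory setup moved here from set_directory_permissions, but only `$LDADPDIR` and `$LDADPDIR/configs` came along; the block removed further down also created `$LDADPDIR/pid` (ldadp:root, 755) and `/var/log/ldadp` (ldadp:adm, 750), and nothing in this commit recreates them. Unless the new ldadp@.service declares RuntimeDirectory=/LogsDirectory= for these (the unit is not shown here), ldadp will fail to write its pid file or log at first start; either add them back here, `mkdir -p "$LDADPDIR/pid" /var/log/ldadp || perror "Creating ldadp runtime dirs failed"` followed by the matching chown/chmod lines, or leave a comment stating that the unit provides them. The new `chmod`/`chown` lines are unchecked while the mkdir has `|| perror`; applying the same `|| perror` to the ownership change of configs would keep the error handling consistent.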
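Review bot: The sudoers fragment is now installed by `install_files "taskmanager"` with whatever mode the checkout gives `etc/sudoers.d/taskmanager` (git only tracks the executable bit, so typically 0644), whereas the deleted sudo_config set it to 0440 and this hunk only tightens `$TASKMANDIR/config`. sudo accepts a root-owned 0644 fragment, but the file grants taskmanager passwordless root for several scripts and should not be world-readable; add `chmod 0440 /etc/sudoers.d/taskmanager || perror "chmod of sudoers fragment failed"` after install_files and validate it with `visudo -cf /etc/sudoers.d/taskmanager || perror "sudoers fragment is invalid"`, since a broken fragment from the tree now only surfaces at the first sudo call. The `systemctl daemon-reload` / `enable` pair is also gone in favour of the shipped wants symlink, which is fine for the next boot but means any `systemctl start taskmanager` later in the same run needs a daemon-reload first — presumably handled elsewhere, worth confirming.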
diff --git a/satellit_installer/includes/60-setup_logging.inc b/satellit_installer/includes/60-setup_logging.inc deleted file mode 100644 index 746dd14..0000000 --- a/satellit_installer/includes/60-setup_logging.inc +++ /dev/null @@ -1,6 +0,0 @@ -setup_logging() { - echo "# Setting up rsyslog logging for dmsd, and taskmanager (to /var/log/xxxx)... " - cp "$BASEDIR/static_files/logging/80-dmsd.conf" \ - "$BASEDIR/static_files/logging/90-taskmanager.conf" /etc/rsyslog.d/ || perror "Could not add rsyslog rules" - cp "$BASEDIR/static_files/logging/satellite-logrotate" /etc/logrotate.d/ || perror "Could not add logrotate rules" -} diff --git a/satellit_installer/includes/90-patch_slxadmin.inc b/satellit_installer/includes/90-patch_slxadmin.inc index f254ae7..69afbcb 100644 --- a/satellit_installer/includes/90-patch_slxadmin.inc +++ b/satellit_installer/includes/90-patch_slxadmin.inc 
@@ -1,19 +1,5 @@ -copy_slxadmin_config () { - # Install config - cp -p "${BASEDIR}/static_files/slxadmin-config.php" "$WWWDIR/slx-admin/config.php" || perror "slxadmin config.php not found" - chmod 640 "$WWWDIR/slx-admin/config.php" - chown root:www-data "$WWWDIR/slx-admin/config.php" -} - # Prepare files and symlinks in slx-admin www dir patch_slxadmin_dir () { - # Create redirect for / - cat > "$WWWDIR/index.php" <<-HIERDOCK - /dev/null - # Add system cronjob to execute slx-admin cronjob - cp "$BASEDIR/static_files/slxadmin-crontab" "/etc/cron.d/slx-admin" || perror "could not install slxadmin crontab" - cp "$BASEDIR/static_files/slxadmin-cronscript" "/opt/openslx/slxadmin-cronscript" || perror "could not install slxadmin cronscript" - # Add script and service to trigger init hook - cp "$BASEDIR/static_files/slxadmin-bootscript" "/opt/openslx/slxadmin-bootscript" || perror "could not install slxadmin bootscript" - cp "$BASEDIR/static_files/slxadmin-boot.service" "/etc/systemd/system/slxadmin-boot.service" || perror "could not install slxadmin boot service" - ln -nfs "../slxadmin-boot.service" "/etc/systemd/system/multi-user.target.wants/slxadmin-boot.service" || perror "Could not enable slxadmin boot service" } # This needs to be called after mysql users have been created install_slxadmin_db () { # Prepare temporary config - copy_slxadmin_config - sed -i "s/%MYSQL_OPENSLX_PASS%/${MYSQL_OPENSLX_PASS}/" "$WWWDIR/slx-admin/config.php" + install_files "slxadmin" + sed -i "s/%MYSQL_OPENSLX_PASS%/${MYSQL_OPENSLX_PASS}/" "$WWWDIR/slx-admin/config.php" || perror "Could not write temporary DB password to config.php" # Install slx-admin DB cd "$WWWDIR/slx-admin" || perror "Cannot cd to $WWWDIR" echo "# Installing slx-admin database" sudo -n -u www-data ./install-all || perror "Could not install slx-admin database" cd - 1>/dev/null - # Copy init script for later use (restoring backup) - mkdir -p "/opt/openslx/restore.d" - cp -a "${BASEDIR}/static_files/slxadmin-init" 
"/opt/openslx/restore.d/" || perror "Could not copy slxadmin-init" - # Fill database with data we need + # Fill database with data we need (run as root) /opt/openslx/restore.d/slxadmin-init/init.sh || perror "Filling tables with required data failed" # Reset with original template for firstboot script - copy_slxadmin_config + install_files "slxadmin" + chmod 640 "$WWWDIR/slx-admin/config.php" + chown root:www-data "$WWWDIR/slx-admin/config.php" # appending a variable with satellite server build date/time to slx-admin config: echo "define('CONFIG_FOOTER', 'Build time: $(date "+%Y-%m-%d %H:%m:%S"), $VERSION');" >> "$WWWDIR/slx-admin/config.php" } diff --git a/satellit_installer/includes/90-set_directory_permissions.inc b/satellit_installer/includes/90-set_directory_permissions.inc index 72f3f05..fc211da 100644 --- a/satellit_installer/includes/90-set_directory_permissions.inc +++ b/satellit_installer/includes/90-set_directory_permissions.inc @@ -35,19 +35,6 @@ set_directory_permissions() { chown -R taskmanager "$TFTPDIR" - # ldadp dirs - mkdir -p "$LDADPDIR" "$LDADPDIR/configs" "$LDADPDIR/pid" "/var/log/ldadp" - chmod 755 "$LDADPDIR" - chown root:root "$LDADPDIR" # Prob. unnecessary, but to be sure. - chmod 750 "$LDADPDIR/configs" - chown -R taskmanager:ldadp "$LDADPDIR/configs" - chmod 755 "$LDADPDIR/pid" 2>/dev/null # if already there - chown -R ldadp:root "$LDADPDIR/pid" - chmod 750 "/var/log/ldadp" - chown -R ldadp:adm "/var/log/ldadp" - # Make sure we spare the binary - chown root:root "$LDADPDIR/ldadp" # ... not the binary. - mkdir -p -m 755 "$OPENSLXDIR"/proxy 2>/dev/null chmod 755 "$OPENSLXDIR"/proxy 2>/dev/null # if already there chown www-data "$OPENSLXDIR"/proxy 2>/dev/null diff --git a/satellit_installer/satellit_installer b/satellit_installer/satellit_installer index c113680..d56039b 100755 --- a/satellit_installer/satellit_installer +++ b/satellit_installer/satellit_installer 
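Review bot: The temporary config.php that receives the live MySQL password through `sed -i` after the first `install_files "slxadmin"` no longer gets the `chmod 640` / `chown root:www-data` that the removed copy_slxadmin_config applied before the password was written; those two lines now only follow the second install_files, so while `./install-all` runs the file carries whatever mode install_files produced. Repeating `chmod 640 "$WWWDIR/slx-admin/config.php"` and `chown root:www-data "$WWWDIR/slx-admin/config.php"` directly after the first install_files restores the earlier behaviour. Interpolating `${MYSQL_OPENSLX_PASS}` into the sed expression also misbehaves if the password contains `/`, `&` or `\`, so the value should be escaped for sed (or the substitution done with a tool that takes the value as data) before it is used. The unchanged footer line further down formats the build time with `%H:%m:%S`, i.e. month instead of minutes; `%H:%M:%S` is intended.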
@@ -105,16 +105,13 @@ check_users # Meet interesting users with uid>=1000 and kill them. # user 65534/sync will be ignored.
 add_users_groups # Adding necessary users and groups
-sudo_config # Adding sudo config for user taskmanager
-
 install_ipxe "$IPXEDIR"
 compile_ipxe "$IPXEDIR" &>/tmp/ipxesuccess &
 add_mysql_dbs_users # mysql stuff; adding databases and users
 patch_mysql_config # adding utf8 entries to /etc/mysql/my.cnf
-patch_tftpd-hpa_config
-copy_tftpd-hpa_service
+write_tftpd_config
 patch_lighttpd_config
 patch_php_config # This takes a lot of time, so any background stuff before this.
@@ -125,8 +122,6 @@ patch_ldapsearch patch_java
-write_apt_config
-
 install_bwSuite_server "$DMSDDIR"
 install_dnbd3-server "$DNBD3DIR"
@@ -144,16 +139,7 @@ install_ldadp "$LDADPDIR" || perror "Could not install ldadp"
 # NFS server configuration:
 config_nfs
-# Samba configuration: User and share
-# This is out-commented, as not needed recently
-# setup_samba
-
-# Copying a script to configure a static IP
-install_config_static_ip
-
-# Set a cronjob to cron.daily which cleans bwlp-* stuff from /tmp if older than 2 days
-# and images from /srv/openslx/nfs/temp
-install_tmpdelete
+install_system_scripts
 # Sometimes a low device timeout has lead to problems. So we set a rule to increase the
 # block device timeout (sd*) from 30 to 180 using an udev rule.
@@ -164,14 +150,10 @@ patch_bashrc
 # vim config
 patch_vim
-setup_logging
-
 # This part drops a script and anchors it's execution within root's .profile:
 drop_firstrun_script
-install_slxlog
 install_timesync # cheap HTTP based timesync on boot
-install_finalize # Script for cleaning some stuff after installation
 # Remove translation from menu etc., enable required modules
 patch_slxadmin_dir
diff --git a/satellit_installer/static_files/dnbd3/alt-servers b/satellit_installer/static_files/dnbd3/alt-servers
deleted file mode 100644
index 4bf5a12..0000000
--- a/satellit_installer/static_files/dnbd3/alt-servers
+++ /dev/null
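Review bot: Dropping the `setup_logging` call in the last hunk, together with the deletion of static_files/logging/80-dmsd.conf, 90-taskmanager.conf and satellite-logrotate later in this diff, leaves no visible replacement for the rsyslog split of dmsd and taskmanager output into /var/log/dmsd.log and /var/log/taskmanager.log, nor for their rotation. If both services are meant to log to the journal from now on, a comment at the call site, `# rsyslog/logrotate rules for dmsd and taskmanager dropped: both log to journald`, would document that; otherwise the rules need a new home under static_files. The same question applies to the removed `install_slxlog` and `install_finalize` calls, whose replacements are not in this chunk.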
@@ -1,4 +0,0 @@ -[127.0.0.1:5005] -comment=SSL tunnel to bwlp-masterserver.ruf.uni-freiburg.de:5006 for MaxiLinux -for=replication -namespace=stage4/bwlp/ diff --git a/satellit_installer/static_files/dnbd3/dnbd3-master-proxy.service b/satellit_installer/static_files/dnbd3/dnbd3-master-proxy.service deleted file mode 100644 index 332f64d..0000000 --- a/satellit_installer/static_files/dnbd3/dnbd3-master-proxy.service +++ /dev/null @@ -1,10 +0,0 @@ -[Unit] -Description=SSL Proxy for DNBD3 on bwLehrpool Master-Server - -[Service] -User=nobody -ExecStart=/usr/bin/socat tcp-listen:5005,bind=127.0.0.1,fork,reuseaddr openssl-connect:bwlp-masterserver.ruf.uni-freiburg.de:5006,capath=/etc/ssl/certs/ -Restart=always - -[Install] -WantedBy=multi-user.target diff --git a/satellit_installer/static_files/dnbd3/dnbd3-server.service b/satellit_installer/static_files/dnbd3/dnbd3-server.service deleted file mode 100644 index c062609..0000000 --- a/satellit_installer/static_files/dnbd3/dnbd3-server.service +++ /dev/null @@ -1,13 +0,0 @@ -[Unit] -Description=DNBD3 Server -ConditionPathExists=!/srv/openslx/nfs/.notmounted -After=remote-fs.target local-fs.target - -[Service] -User=dnbd3 -ExecStart=/opt/openslx/dnbd3/dnbd3-server -n -Restart=always -RestartSec=5 -TimeoutStopSec=10 -LimitNOFILE=16384 - diff --git a/satellit_installer/static_files/dnbd3/etc/dnbd3-server/alt-servers b/satellit_installer/static_files/dnbd3/etc/dnbd3-server/alt-servers new file mode 100644 index 0000000..4bf5a12 --- /dev/null +++ b/satellit_installer/static_files/dnbd3/etc/dnbd3-server/alt-servers @@ -0,0 +1,4 @@ +[127.0.0.1:5005] +comment=SSL tunnel to bwlp-masterserver.ruf.uni-freiburg.de:5006 for MaxiLinux +for=replication +namespace=stage4/bwlp/ diff --git a/satellit_installer/static_files/dnbd3/etc/dnbd3-server/rpc.acl b/satellit_installer/static_files/dnbd3/etc/dnbd3-server/rpc.acl new file mode 100644 index 0000000..576757c --- /dev/null 
+++ b/satellit_installer/static_files/dnbd3/etc/dnbd3-server/rpc.acl @@ -0,0 +1,2 @@ +# Everything from localhost +127.0.0.0/8 ALL diff --git a/satellit_installer/static_files/dnbd3/etc/dnbd3-server/server.conf b/satellit_installer/static_files/dnbd3/etc/dnbd3-server/server.conf new file mode 100644 index 0000000..c2327d6 --- /dev/null +++ b/satellit_installer/static_files/dnbd3/etc/dnbd3-server/server.conf @@ -0,0 +1,29 @@ +[dnbd3] +listenPort=5003 +basePath=/srv/openslx/nfs +serverPenalty=0 +clientPenalty=5000 +isProxy=true +removeMissingImages=true +uplinkTimeout=5000 +clientTimeout=15000 +vmdkLegacyMode=true +closeUnusedFd=true +autoFreeDiskSpaceDelay=-1 +ignoreAllocErrors=true + +; Log related config +[logging] +; protip: use SIGUSR2 to reopen log file +; DEACTIVATED +;;file=./dnbd3.log +fileMask=ERROR WARNING MINOR INFO DEBUG1 +consoleMask=ERROR WARNING MINOR INFO +; Valid types +; ERROR Fatal error, server will terminate +; WARNING Major issue, something is broken but keep running +; MINOR Minor issue, more of a hickup than serious problem +; INFO Informational message +; DEBUG1 Debug information, used for medium verbosity +; DEBUG2 Used for debug messages that would show up a lot + diff --git a/satellit_installer/static_files/dnbd3/etc/systemd/system/dnbd3-master-proxy.service b/satellit_installer/static_files/dnbd3/etc/systemd/system/dnbd3-master-proxy.service new file mode 100644 index 0000000..332f64d --- /dev/null +++ b/satellit_installer/static_files/dnbd3/etc/systemd/system/dnbd3-master-proxy.service @@ -0,0 +1,10 @@ +[Unit] +Description=SSL Proxy for DNBD3 on bwLehrpool Master-Server + +[Service] +User=nobody +ExecStart=/usr/bin/socat tcp-listen:5005,bind=127.0.0.1,fork,reuseaddr openssl-connect:bwlp-masterserver.ruf.uni-freiburg.de:5006,capath=/etc/ssl/certs/ +Restart=always + +[Install] +WantedBy=multi-user.target 
diff --git a/satellit_installer/static_files/dnbd3/etc/systemd/system/dnbd3-server.service b/satellit_installer/static_files/dnbd3/etc/systemd/system/dnbd3-server.service new file mode 100644 index 0000000..c062609 --- /dev/null +++ b/satellit_installer/static_files/dnbd3/etc/systemd/system/dnbd3-server.service @@ -0,0 +1,13 @@ +[Unit] +Description=DNBD3 Server +ConditionPathExists=!/srv/openslx/nfs/.notmounted +After=remote-fs.target local-fs.target + +[Service] +User=dnbd3 +ExecStart=/opt/openslx/dnbd3/dnbd3-server -n +Restart=always +RestartSec=5 +TimeoutStopSec=10 +LimitNOFILE=16384 + diff --git a/satellit_installer/static_files/dnbd3/etc/systemd/system/multi-user.target.wants/dnbd3-master-proxy.service b/satellit_installer/static_files/dnbd3/etc/systemd/system/multi-user.target.wants/dnbd3-master-proxy.service new file mode 120000 index 0000000..013e595 --- /dev/null +++ b/satellit_installer/static_files/dnbd3/etc/systemd/system/multi-user.target.wants/dnbd3-master-proxy.service @@ -0,0 +1 @@ +../dnbd3-master-proxy.service \ No newline at end of file diff --git a/satellit_installer/static_files/dnbd3/etc/systemd/system/multi-user.target.wants/dnbd3-server.service b/satellit_installer/static_files/dnbd3/etc/systemd/system/multi-user.target.wants/dnbd3-server.service new file mode 120000 index 0000000..b7ffd5b --- /dev/null +++ b/satellit_installer/static_files/dnbd3/etc/systemd/system/multi-user.target.wants/dnbd3-server.service @@ -0,0 +1 @@ +../dnbd3-server.service \ No newline at end of file diff --git a/satellit_installer/static_files/dnbd3/rpc.acl b/satellit_installer/static_files/dnbd3/rpc.acl deleted file mode 100644 index 576757c..0000000 --- a/satellit_installer/static_files/dnbd3/rpc.acl +++ /dev/null @@ -1,2 +0,0 @@ -# Everything from localhost -127.0.0.0/8 ALL diff --git a/satellit_installer/static_files/dnbd3/server.conf b/satellit_installer/static_files/dnbd3/server.conf deleted file mode 100644 index c2327d6..0000000 
--- a/satellit_installer/static_files/dnbd3/server.conf +++ /dev/null @@ -1,29 +0,0 @@ -[dnbd3] -listenPort=5003 -basePath=/srv/openslx/nfs -serverPenalty=0 -clientPenalty=5000 -isProxy=true -removeMissingImages=true -uplinkTimeout=5000 -clientTimeout=15000 -vmdkLegacyMode=true -closeUnusedFd=true -autoFreeDiskSpaceDelay=-1 -ignoreAllocErrors=true - -; Log related config -[logging] -; protip: use SIGUSR2 to reopen log file -; DEACTIVATED -;;file=./dnbd3.log -fileMask=ERROR WARNING MINOR INFO DEBUG1 -consoleMask=ERROR WARNING MINOR INFO -; Valid types -; ERROR Fatal error, server will terminate -; WARNING Major issue, something is broken but keep running -; MINOR Minor issue, more of a hickup than serious problem -; INFO Informational message -; DEBUG1 Debug information, used for medium verbosity -; DEBUG2 Used for debug messages that would show up a lot - diff --git a/satellit_installer/static_files/finalize b/satellit_installer/static_files/finalize deleted file mode 100755 index 1be85e2..0000000 --- a/satellit_installer/static_files/finalize +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/dash - -# Funny dash has a funny 'kill' builtin, which we -# do not want to use. -KILL=$(which kill) - -EIGENEPID=$(ps -o ppid $$|fgrep -v PPID) - -# kill every bash in reach, but not the parent('s parent): -for i in $(ps axo pid,comm|grep bash|cut -d " " -f 2); do - [ $EIGENEPID != $i ] && $KILL -SIGKILL $i 2>/dev/null -done - -# Now, empty root's ~/.bash_history: ->~/.bash_history - -# Now we delete the script - necessary only once. -rm -f "$_" 2>/dev/null - -exit - diff --git a/satellit_installer/static_files/finish_setup_public_key.pem b/satellit_installer/static_files/finish_setup_public_key.pem deleted file mode 100644 index bc67f08..0000000 --- a/satellit_installer/static_files/finish_setup_public_key.pem +++ /dev/null 
@@ -1,14 +0,0 @@ ------BEGIN PUBLIC KEY----- -MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtfNz/RzI8XfNPhOlvSGU -retnk8ShsItLNVDqtWf1GOfOG88S0d+wQtH6+GAuZTstfnPukWEsa1WWxUus0/PQ -9KXKNfy3qpxTmPjHyBQgSlu7Q1hCh20q9IMySf43SmlkKPYtqO66XjtpzJBg0lQD -lTP0PERJrKlwNhBxkrsyt2YPXzQpKEQrS7QQSRZqJigr/MjWsCe//2uk9a74do6D -60X26+WXL8XGIeU/Rt8RLqG9i7woD1FummtQTmWhO3tQbok19iSn3MEKhPSMCA5S -1cAveXxDZBnnVsAbsxwz9NufyWDqcRKtCe3YOWMsNKsuQPu+0elG59deeN0YYo5G -lGKHgG/R6jXO0NDb3rB6tQCkNAtdwU5NROwH8An6XYH8ORa6rkD+nJRpWA+eD+mr -Pn28XT4Qs6/BTNROfhT9VIVKXlux03yEgRTubxzLfGOza6T7KBvq30vqZ+oQiC7k -uHG2SwO3IoxNvWe2e8UiK6OUiOI3hfqiWsyLuf4jsy6k8FtMj6usJXCaM2Ugm3r3 -Lkd64I/yqbSiScJnacHAL2c7JY0yPwxHs8Wsv35WzoDSrXvdjGpro9Eaho7F/45j -FDov3wP89WyUxRkDZyZ+CCbSoO2Kp0bUR1qyOcAeKWVHf8qV6wAfGOe0SXfhPW6v -efQQsHnImME3N5Rv4NSFTsMCAwEAAQ== ------END PUBLIC KEY----- diff --git a/satellit_installer/static_files/firstrun_script.sh b/satellit_installer/static_files/firstrun_script.sh deleted file mode 100644 index 343be4d..0000000 --- a/satellit_installer/static_files/firstrun_script.sh +++ /dev/null @@ -1,59 +0,0 @@ -#!/bin/bash - -cat <<-HEREDOC -Willkommen zur Grundkonfiguration des bwLehrpool-Satellitenservers. - -Diese einmalige Konfiguration dient dazu, das root-Passwort des Servers -zu ändern, sowie ggf. die Netzwerkkonfiguration des Servers anzupassen. - -Aus Sicherheitsgründen ist es dringend zu empfehlen, das root-Passwort -im Produktivbetrieb zu ändern! - -HEREDOC - -ERR=1 -while [ "$ERR" -ne 0 ]; do - passwd - ERR=$? -done - -echo "Abschließend können Sie festlegen, ob der Server seine IP-Konfiguration" -echo "per DHCP erhält, oder eine statische Konfiguration verwendet wird." -/usr/local/sbin/netsetup - -cat </dev/null || \ - echo "Achtung: Konnte Verzeichnis /root/installer nicht löschen - Verzeichnis nicht leer." -reboot 
diff --git a/satellit_installer/static_files/ldadp/etc/systemd/system/ldadp@.service b/satellit_installer/static_files/ldadp/etc/systemd/system/ldadp@.service
new file mode 100644
index 0000000..b04118f
--- /dev/null
+++ b/satellit_installer/static_files/ldadp/etc/systemd/system/ldadp@.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=LDAP-Proxy for AD/LDAP communication #%i
+ConditionFileNotEmpty=/opt/ldadp/configs/%i.cfg
+
+[Service]
+ExecStart=/opt/ldadp/ldadp -n /opt/ldadp/configs/%i.cfg
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/satellit_installer/static_files/lighttpd-auto-ssl.sh b/satellit_installer/static_files/lighttpd-auto-ssl.sh
deleted file mode 100755
index 0f88864..0000000
--- a/satellit_installer/static_files/lighttpd-auto-ssl.sh
+++ /dev/null
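Review bot: The [Service] section has no `User=` line, so systemd starts `/opt/ldadp/ldadp` as root, although the installer in this same commit sets `$LDADPDIR/configs` to `taskmanager:ldadp` with mode 750, a layout that only makes sense if the proxy runs as the ldadp user; adding `User=ldadp` under [Service] matches that layout and keeps the LDAP/AD credentials in the config files from being handled by a root process. The unit also hard-codes `/opt/ldadp` in ConditionFileNotEmpty and ExecStart while the installer works with `$LDADPDIR`; if that variable can differ from /opt/ldadp, the unit has to be generated from it rather than copied verbatim.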
@@ -1,80 +0,0 @@ -#!/bin/bash - -declare -rg PUBLIC_BOTH="/etc/lighttpd/server.pem" -declare -rg CHAIN="/etc/lighttpd/chain.pem" -declare -rg DHPARAM="/etc/lighttpd/dhparam.pem" -declare -rg REDIR_FLAG="/etc/lighttpd/redirect.flag" -declare -rg INTERNAL_BOTH="/etc/ssl/openslx/lighttpd/server.pem" -declare -g INTERNAL_CHAIN="/etc/ssl/openslx/lighttpd/ca-chain.pem" - -if ! [ -s "$DHPARAM" ] && ! ps aux | grep 'openssl dhparam' | grep -q -v grep; then - openssl dhparam -out "$DHPARAM" 2048 &>/dev/null & -fi - -/opt/openslx/slx-cert >&2 & - -wait - -[ -s "$INTERNAL_CHAIN" ] || INTERNAL_CHAIN= -readonly INTERNAL_CHAIN - -cat < "on" - ) - - # intermediate configuration, tweak to your needs - ssl.use-sslv2 = "disable" - ssl.use-sslv3 = "disable" - ssl.honor-cipher-order = "enable" - ssl.cipher-list = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS" - - # pemfile is cert+privkey, ca-file is the intermediate chain in one file -HEREDOC -if [ -s "$PUBLIC_BOTH" ]; then - echo " ssl.pemfile = \"${PUBLIC_BOTH}\"" - [ -s "$CHAIN" ] && echo " ssl.ca-file = \"${CHAIN}\"" -elif [ -s "$INTERNAL_BOTH" ]; then - echo " ssl.pemfile = \"${INTERNAL_BOTH}\"" - echo " ssl.ca-file = \"${INTERNAL_CHAIN}\"" -fi - -[ -s "$DHPARAM" ] && echo " ssl.dh-file = \"${DHPARAM}\"" - -# VHost for server.bwlehrpool -if [ -s "${INTERNAL_BOTH}" ]; then - cat < %0 in redirect pattern - # must be 
the most inner block to the redirect rule - $HTTP["host"] =~ ".*" { - url.redirect = ( "^/slx-admin/($|\?|index.php).*" => "https://%0$0" ) - url.redirect-code = 302 - } -} -HEREDOC - -exit 0 - diff --git a/satellit_installer/static_files/lighttpd-include-conf-d.sh b/satellit_installer/static_files/lighttpd-include-conf-d.sh deleted file mode 100755 index a54ed3f..0000000 --- a/satellit_installer/static_files/lighttpd-include-conf-d.sh +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/sh - -if [ -n "$1" ]; then - DIR="$1" -else - DIR="/etc/lighttpd" -fi - -cd "$DIR" || exit 1 -[ -d "conf.d" ] || exit 0 - -for file in conf.d/*; do - [ -f "$file" ] && echo 'include "'"$DIR/$file"'"' -done -exit 0 - diff --git a/satellit_installer/static_files/lighttpd.conf b/satellit_installer/static_files/lighttpd.conf deleted file mode 100644 index 0ae7c9d..0000000 --- a/satellit_installer/static_files/lighttpd.conf +++ /dev/null 
@@ -1,54 +0,0 @@ -server.modules = ( - "mod_access", -# "mod_alias", - "mod_compress", - "mod_redirect", - "mod_rewrite", -# "mod_proxy", -) - -server.document-root = "/srv/openslx/www" -server.upload-dirs = ( "/var/cache/lighttpd/uploads" ) -server.errorlog = "/var/log/lighttpd/error.log" -server.pid-file = "/var/run/lighttpd.pid" -server.username = "www-data" -server.groupname = "www-data" -server.port = 80 -server.reject-expect-100-with-417 = "disable" - - -index-file.names = ( "index.php", "index.html", "index.lighttpd.html" ) -url.access-deny = ( "~", ".inc" ) -static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" ) - -compress.cache-dir = "/var/cache/lighttpd/compress/" -compress.filetype = ( "application/javascript", "text/css", "text/html", "text/plain" ) - -# default listening port for IPv6 falls back to the IPv4 port -include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port -include_shell "/usr/share/lighttpd/create-mime.conf.pl" -include "/etc/lighttpd/conf-enabled/*.conf" -# Check if server.pem exists, if so output configuration block for HTTPS -include_shell "/usr/share/lighttpd/auto-ssl.sh" - -url.rewrite-once = ( - "^/*boot/+([a-z0-9_/-]+)/+config$" => "/slx-admin/api.php?do=getconfig&type=$1", - "^/*boot/+([a-z0-9_/-]+)/+config\?(.*)$" => "/slx-admin/api.php?$2&do=getconfig&type=$1", - "^/*boot/+([a-z0-9_/-]+)/+config\.tgz$" => "/slx-admin/api.php?do=sysconfig&type=$1", - "^/*boot/+([a-z0-9_/-]+)/+config\.tgz\?(.*)$" => "/slx-admin/api.php?$2&do=sysconfig&type=$1", - "^/*boot/+ipxe$" => "/slx-admin/api.php?do=serversetup", - "^/*boot/+ipxe\?(.*)$" => "/slx-admin/api.php?$1&do=serversetup", - "^/*vmchooser/+list[^?]*$" => "/slx-admin/api.php?do=dozmod&resource=list", - "^/*vmchooser/+list[^?]*\?(.*)$" => "/slx-admin/api.php?$1&do=dozmod&resource=list", - "^/*vmchooser/+lecture/+([^/]+)(\?|$)" => "/slx-admin/api.php?do=dozmod&resource=vmx&lecture=$1", - "^/*vmchooser/+lecture/+([^/]+)/+([^/]+)(\?|$)" => 
"/slx-admin/api.php?do=dozmod&resource=$2&lecture=$1", - "^/*vmchooser/+([^/]+)$" => "/slx-admin/api.php?do=news&type=$1", - "^/panel/([^?]{36})$" => "/slx-admin/?do=locationinfo&show=panel&uuid=$1", - "^/panel/([^?]*\.(js|css|png|svg))$" => "/slx-admin/$1", - "^/panel/api/([^?]*)$" => "/slx-admin/api.php?$1&do=locationinfo" -) - -# Add support for a conf.d directory -- include /etc/lighttpd/conf.d/* -# Use this is you want to modify the satellite server, as future updates might overwrite lighttpd.conf -include_shell "/usr/share/lighttpd/include-conf-d.sh" - diff --git a/satellit_installer/static_files/lighttpd/etc/lighttpd/lighttpd.conf b/satellit_installer/static_files/lighttpd/etc/lighttpd/lighttpd.conf new file mode 100644 index 0000000..0ae7c9d --- /dev/null +++ b/satellit_installer/static_files/lighttpd/etc/lighttpd/lighttpd.conf 
@@ -0,0 +1,54 @@ +server.modules = ( + "mod_access", +# "mod_alias", + "mod_compress", + "mod_redirect", + "mod_rewrite", +# "mod_proxy", +) + +server.document-root = "/srv/openslx/www" +server.upload-dirs = ( "/var/cache/lighttpd/uploads" ) +server.errorlog = "/var/log/lighttpd/error.log" +server.pid-file = "/var/run/lighttpd.pid" +server.username = "www-data" +server.groupname = "www-data" +server.port = 80 +server.reject-expect-100-with-417 = "disable" + + +index-file.names = ( "index.php", "index.html", "index.lighttpd.html" ) +url.access-deny = ( "~", ".inc" ) +static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" ) + +compress.cache-dir = "/var/cache/lighttpd/compress/" +compress.filetype = ( "application/javascript", "text/css", "text/html", "text/plain" ) + +# default listening port for IPv6 falls back to the IPv4 port +include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port +include_shell "/usr/share/lighttpd/create-mime.conf.pl" +include "/etc/lighttpd/conf-enabled/*.conf" +# Check if server.pem exists, if so output configuration block for HTTPS +include_shell "/usr/share/lighttpd/auto-ssl.sh" + +url.rewrite-once = ( + "^/*boot/+([a-z0-9_/-]+)/+config$" => "/slx-admin/api.php?do=getconfig&type=$1", + "^/*boot/+([a-z0-9_/-]+)/+config\?(.*)$" => "/slx-admin/api.php?$2&do=getconfig&type=$1", + "^/*boot/+([a-z0-9_/-]+)/+config\.tgz$" => "/slx-admin/api.php?do=sysconfig&type=$1", + "^/*boot/+([a-z0-9_/-]+)/+config\.tgz\?(.*)$" => "/slx-admin/api.php?$2&do=sysconfig&type=$1", + "^/*boot/+ipxe$" => "/slx-admin/api.php?do=serversetup", + "^/*boot/+ipxe\?(.*)$" => "/slx-admin/api.php?$1&do=serversetup", + "^/*vmchooser/+list[^?]*$" => "/slx-admin/api.php?do=dozmod&resource=list", + "^/*vmchooser/+list[^?]*\?(.*)$" => "/slx-admin/api.php?$1&do=dozmod&resource=list", + "^/*vmchooser/+lecture/+([^/]+)(\?|$)" => "/slx-admin/api.php?do=dozmod&resource=vmx&lecture=$1", + "^/*vmchooser/+lecture/+([^/]+)/+([^/]+)(\?|$)" => 
"/slx-admin/api.php?do=dozmod&resource=$2&lecture=$1", + "^/*vmchooser/+([^/]+)$" => "/slx-admin/api.php?do=news&type=$1", + "^/panel/([^?]{36})$" => "/slx-admin/?do=locationinfo&show=panel&uuid=$1", + "^/panel/([^?]*\.(js|css|png|svg))$" => "/slx-admin/$1", + "^/panel/api/([^?]*)$" => "/slx-admin/api.php?$1&do=locationinfo" +) + +# Add support for a conf.d directory -- include /etc/lighttpd/conf.d/* +# Use this is you want to modify the satellite server, as future updates might overwrite lighttpd.conf +include_shell "/usr/share/lighttpd/include-conf-d.sh" + diff --git a/satellit_installer/static_files/lighttpd/etc/systemd/system/lighttpd.service.d/10-dynamic_php_children.conf b/satellit_installer/static_files/lighttpd/etc/systemd/system/lighttpd.service.d/10-dynamic_php_children.conf new file mode 100644 index 0000000..ab7d5f4 --- /dev/null +++ b/satellit_installer/static_files/lighttpd/etc/systemd/system/lighttpd.service.d/10-dynamic_php_children.conf @@ -0,0 +1,2 @@ +[Service] +ExecStartPre=/usr/local/sbin/patch_lighttpd_phpchildren diff --git a/satellit_installer/static_files/lighttpd/opt/openslx/slx-cert b/satellit_installer/static_files/lighttpd/opt/openslx/slx-cert new file mode 100755 index 0000000..3f5cc3e --- /dev/null +++ b/satellit_installer/static_files/lighttpd/opt/openslx/slx-cert 
@@ -0,0 +1,232 @@ +#!/bin/bash + +# OpenSLX SSL Certificate management + +if ! mkdir "/run/openslx-cert-manager"; then + echo "Already in progress." + exit 1 +fi +trap 'rm -rf -- /run/openslx-cert-manager' EXIT + +declare -rg BASE="/etc/ssl/openslx" +declare -rg PRIV="$BASE/private" +declare -rg CERT="$BASE/cert" +declare -rg LIGHT="$BASE/lighttpd" + +mkdir -p "$BASE" "$PRIV" "$CERT" + +chown -R root:root "$BASE" || exit 1 +chmod u+rwx,go+rx-w "$BASE" "$CERT" || exit 1 +chmod u+rwx,go-rwx "$PRIV" || exit 1 +# Before doing anything, make sure we have a CA with enough validity left +# File name format for ca is: +# ${PRIV}/ca-FFFFFFFFFF-TTTTTTTTTT.key +# ${CERT}/ca-TTTTTTTTTT.crt +# Where TT is the unix timestamp of "validTo" of that cert +# And FF is the unix timestamp of when we should starting using a CA to +# sign our certificates. This is for a grace period between CA certs. +# We deliver a new CA certificate immediately when it was generated, but +# only start signing server certificates with it after a grace period of +# 180 days. Any client that rebooted within those 180 days will not run +# into any certificate issues, but if you wanted to cover that case too +# you could make it so the client re-downloads trusted CA-certs every +# couple days. 
+ +declare -rg NOW="$( date +%s )" +# PROD +declare -rg ca_days="$(( 10 * 365 ))" # 10y +declare -rg ca_min_remain_s="$(( 400 * 86400 ))" # bit more than 1y +declare -rg ca_new_expire_ts="$(( ca_days * 86400 + NOW ))" +declare -rg srv_days=365 # 1y +declare -rg srv_min_remain_s="$(( 180 * 86400 ))" # half a year +declare -rg srv_new_ts="$(( srv_days * 86400 + NOW ))" +# TEST +#declare -rg ca_days=1825 # 5y +#declare -rg ca_min_remain_s="$(( 1260 ))" # bit more than 1y +#declare -rg ca_new_expire_ts="$(( 1320 + NOW ))" +#declare -rg srv_days=365 # 1y +#declare -rg srv_min_remain_s="$(( 1200 ))" # half a year +#declare -rg srv_new_ts="$(( 1230 + NOW ))" + + +get_ts () { + ts="${1%.*}" + ts="${ts##*/ca-}" + ts="${ts##*/srv-}" + from="${ts%-*}" + if [ "$from" = "$ts" ]; then + from= + else + ts="${ts#*-}" + fi +} + +create_conf () { + ca_dir="$( mktemp -d /tmp/bwlp-XXXXXXXX )" + [ -z "$ca_dir" ] && exit 1 + mkdir "$ca_dir"/{certs,crl,newcerts,private} + touch "$ca_dir"/index.txt + ca_config="$ca_dir/openssl.cnf" + cp -f "/etc/ssl/openssl.cnf" "$ca_config" + cat >> "$ca_config" <<-MYCA + [ CA_openslx ] + dir = $ca_dir + certs = \$dir/certs + crl_dir = \$dir/crl + database = \$dir/index.txt + new_certs_dir = \$dir/newcerts + serial = \$dir/serial + crl = \$dir/crl.pem + x509_extensions = usr_cert + name_opt = ca_default + cert_opt = ca_default + default_md = default + preserve = no + policy = policy_match + MYCA +} + +ca_last= +for i in "${PRIV}"/ca-??????????.key; do + [ -f "$i" ] || continue + get_ts "$i" + if ! [ -f "${CERT}/ca-${ts}.crt" ] || (( ts < NOW )); then + # Missing cert, or expired -> delete + rm -f -- "${CERT}/ca-${ts}.crt" "${PRIV}/ca-${ts}.key" + continue + fi + ca_last="$ts" +done + +mknew= +if [ -z "$ca_last" ] || (( NOW + ca_min_remain_s > ca_last )); then + # Make new CA + echo "Creating new CA..." 
+ openssl req -new -newkey rsa:4096 -x509 -days "$ca_days" -extensions v3_ca \ + -nodes -subj "/C=DE/ST=PewPew/L=HeyHey/O=bwLehrpool/CN=ca-${NOW}.bwlehrpool" \ + -keyout "${PRIV}/ca-${ca_new_expire_ts}.key" -out "${CERT}/ca-${ca_new_expire_ts}.crt" || exit 2 + mknew=1 + # + # Create new intermediate, sign with all CAs + csr="$( mktemp /tmp/bwlp-XXXXXXX.csr )" + # Create request, CA:TRUE + echo "Generate intermediate key+CSR..." + [ -f "${PRIV}/intermediate.key" ] || openssl genrsa -out "${PRIV}/intermediate.key" 4096 + openssl req -new -key "${PRIV}/intermediate.key" \ + -nodes -subj "/C=DE/ST=PewPew/L=HeyHey/O=bwLehrpool/CN=intermediate.bwlehrpool" \ + -out "$csr" || exit 2 + create_conf + # Sign request, CA:TRUE + echo "Sign new intermediate key with CA..." + openssl ca -config "$ca_config" -extensions v3_ca -create_serial \ + -policy policy_anything -days "$ca_days" \ + -cert "${CERT}/ca-${ca_new_expire_ts}.crt" -keyfile "${PRIV}/ca-${ca_new_expire_ts}.key" \ + -notext -name CA_openslx -batch -out "${CERT}/intermediate-${ca_new_expire_ts}.crt" -in "$csr" || exit 2 + rm -rf -- "$ca_dir" "$csr" +fi + +if [ -n "$mknew" ]; then + # Rebuild config module for clients + echo "Updating client config module..." + ( + tmpdir="$( mktemp -d '/tmp/bwlp-XXXXXXX' )" + cp -a "${CERT}/"ca-*.crt "$tmpdir/" + cd "$tmpdir/" || exit 6 + openssl rehash . + tar -c -k -f "/opt/openslx/configs/modules/self-signed-ca.tar" \ + --transform 's#^[./][./]*#/opt/openslx/ssl/#' . + cd /tmp + rm -rf -- "$tmpdir" + sudo -u www-data -n php /srv/openslx/www/slx-admin/api.php sysconfig --action rebuild + echo "." + ) +fi + +# Now check the server certificate + +declare -a srv_list +srv_list=() +for i in "${PRIV}"/srv-??????????.key; do + [ -f "$i" ] || continue + get_ts "$i" + if (( ts < NOW )) || ! 
[ -f "${CERT}/srv-${ts}.crt" ]; then + rm -f -- "$i" "${CERT}/srv-${ts}.crt" + continue + fi + srv_list+=( "$ts" ) +done + +if [ -n "$mknew" ] || [ "${#srv_list[@]}" = 0 ] \ + || [ "$(( NOW + srv_min_remain_s ))" -gt "${srv_list[-1]}" ]; then + # Request ServerCert + csr="$( mktemp /tmp/bwlp-XXXXXXX.csr )" + echo "Generating new Server Certificate. Key+CSR..." + rm -f -- "${CERT}"/srv-*.crt "${PRIV}/srv.key.tmp" "${PRIV}"/srv-*.key + openssl req -new -nodes -keyout "${PRIV}/srv.key.tmp" -out "$csr" \ + -subj "/C=DE/ST=PewPew/L=HeyHey/O=bwLehrpool/CN=satellite.bwlehrpool" || exit 4 + echo "Signing Server Certificate with intermediate..." + declare -a in_list + in_list=() + for i in "${CERT}"/intermediate-??????????.crt; do + [ -f "$i" ] || continue + get_ts "$i" + if (( ts < NOW )); then + echo "Expired intermediate $i" + rm -f -- "$i" + continue + fi + echo "Have intermediate $i" + in_list+=( "$i" ) + done + if [ "${#in_list[@]}" = 0 ]; then + echo "ERROR: Have no intermediate certificate" + exit 11 + fi + for in_cert in "${in_list[@]}"; do + get_ts "$in_cert" + (( ts < 30 * 86400 + NOW )) && continue # Expiring in a month, ignore + break # Need only one really + done + echo "Signing with $in_cert" + create_conf + # Need extfile for SAN, chromium doesn't honor CN anymore + cat > "${csr}.cnf" <<-END + basicConstraints = CA:FALSE + nsCertType = server + nsComment = "OpenSSL Generated Server Certificate" + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid,issuer:always + keyUsage = critical, digitalSignature, keyEncipherment + extendedKeyUsage = serverAuth + subjectAltName = @alt_names + [alt_names] + DNS.1 = satellite.bwlehrpool + END + openssl ca -config "$ca_config" -create_serial -policy policy_anything -days "$srv_days" \ + -cert "$in_cert" -keyfile "${PRIV}/intermediate.key" -extfile "${csr}.cnf" \ + -notext -name CA_openslx -batch -out "${CERT}/srv-${srv_new_ts}.crt" -in "$csr" || exit 4 + rm -rf -- "$ca_dir" + rm -f -- "$csr" "${csr}.cnf" + mv 
"${PRIV}/srv.key.tmp" "${PRIV}/srv-${srv_new_ts}.key" || exit 5
+ srv_list+=( "$srv_new_ts" )
+
+ # Combine and prepare for lighttpd
+
+ mkdir -p "$LIGHT" || exit 10
+
+ # Combine cert and key, as required by lighttpd
+ echo "Writing out lighttpd PEMs..."
+ cat "${CERT}/srv-${srv_new_ts}.crt" "${PRIV}/srv-${srv_new_ts}.key" > "${LIGHT}/server.pem" || exit 10
+ chmod 0600 "${LIGHT}/server.pem"
+
+ # Create ca-chain
+ cat "${in_list[@]}" > "${LIGHT}/ca-chain.pem"
+
+ if [ "$1" = "--restart" ] || [ -t 0 ]; then
+ echo "Restarting lighttpd..."
+ systemctl restart lighttpd.service
+ fi
+fi
+
+echo "Done."
+exit 0
diff --git a/satellit_installer/static_files/lighttpd/usr/local/sbin/patch_lighttpd_phpchildren b/satellit_installer/static_files/lighttpd/usr/local/sbin/patch_lighttpd_phpchildren
new file mode 100755
index 0000000..a8e44e5
--- /dev/null
+++ b/satellit_installer/static_files/lighttpd/usr/local/sbin/patch_lighttpd_phpchildren
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Could be written in one line, but for better editing when values change...
+MEM=$(grep ^MemTotal /proc/meminfo | awk '{print $2}') # RAM in KB
+MEM=$(( MEM / 1024 / 4 )) # to MB, and assess a fourth of RAM for PHP
+CHILDREN=$(( MEM / 16 )) # assume 16 MB per child
+# min 16, no more than 128 (inverse logic to handle NaN)
+[ "$CHILDREN" -ge 16 ] || CHILDREN=16
+[ "$CHILDREN" -le 128 ] || CHILDREN=128
+
+## Use ?? in case the ordering changes one day
+file=$(echo /etc/lighttpd/conf-enabled/??-fastcgi-php.conf)
+if [ -f "$file" ]; then
+ sed -i 's/"PHP_FCGI_CHILDREN.*$/"PHP_FCGI_CHILDREN" => "'$CHILDREN'",/' "$file"
+ if ! grep -qF '"PHP_FCGI_CHILDREN" => "'$CHILDREN'"' "$file"; then
+ echo "WARNING: Cannot adjust php cgildren count for fastcgi -- line not found in $file" >&2
+ fi
+else
+ echo "WARNING: Cannot adjust php children count for fastcgi -- file not found" >&2
+ exit 1
+fi
+exit 0
+
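Review bot: In the server-certificate branch `rm -f -- "${CERT}"/srv-*.crt "${PRIV}/srv.key.tmp" "${PRIV}"/srv-*.key` runs before the new CSR is even generated, so a failure in either `openssl req` or `openssl ca` (the `exit 4` paths) leaves $CERT and $PRIV without any server certificate or key; lighttpd keeps the previously combined server.pem and the next run regenerates, but the gap is avoidable by deleting only the entries collected in `srv_list` after the `mv` of srv.key.tmp has succeeded, since the new files already carry their own timestamp names. The intermediate selection loop `continue`s past every intermediate that expires within 30 days, which leaves `in_cert` set to the last, still expiring, entry when all of them are close to expiry; that case should be handled like the empty `in_list` case instead of silently signing with it. The lock directory under /run is only removed by the EXIT trap, so a SIGKILLed run reports "Already in progress." until the next reboot, which deserves a comment next to the mkdir.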
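Review bot: The warning printed when the sed substitution does not take effect misspells its message, `echo "WARNING: Cannot adjust php cgildren count for fastcgi -- line not found in $file" >&2` should read `children` like the message in the else branch, otherwise anyone grepping installer output for the known wording misses this case. The unquoted `$CHILDREN` inside the sed and grep expressions is safe only because the value is arithmetic-derived and clamped to 16..128; a one-line comment stating that, `# $CHILDREN is a clamped integer, safe to splice into the sed expression`, would spare the next reader the ShellCheck warning.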
diff --git a/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh b/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh new file mode 100755 index 0000000..0f88864 --- /dev/null +++ b/satellit_installer/static_files/lighttpd/usr/share/lighttpd/auto-ssl.sh 
@@ -0,0 +1,80 @@ +#!/bin/bash + +declare -rg PUBLIC_BOTH="/etc/lighttpd/server.pem" +declare -rg CHAIN="/etc/lighttpd/chain.pem" +declare -rg DHPARAM="/etc/lighttpd/dhparam.pem" +declare -rg REDIR_FLAG="/etc/lighttpd/redirect.flag" +declare -rg INTERNAL_BOTH="/etc/ssl/openslx/lighttpd/server.pem" +declare -g INTERNAL_CHAIN="/etc/ssl/openslx/lighttpd/ca-chain.pem" + +if ! [ -s "$DHPARAM" ] && ! ps aux | grep 'openssl dhparam' | grep -q -v grep; then + openssl dhparam -out "$DHPARAM" 2048 &>/dev/null & +fi + +/opt/openslx/slx-cert >&2 & + +wait + +[ -s "$INTERNAL_CHAIN" ] || INTERNAL_CHAIN= +readonly INTERNAL_CHAIN + +cat < "on" + ) + + # intermediate configuration, tweak to your needs + ssl.use-sslv2 = "disable" + ssl.use-sslv3 = "disable" + ssl.honor-cipher-order = "enable" + ssl.cipher-list = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS" + + # pemfile is cert+privkey, ca-file is the intermediate chain in one file +HEREDOC +if [ -s "$PUBLIC_BOTH" ]; then + echo " ssl.pemfile = \"${PUBLIC_BOTH}\"" + [ -s "$CHAIN" ] && echo " ssl.ca-file = \"${CHAIN}\"" +elif [ -s "$INTERNAL_BOTH" ]; then + echo " ssl.pemfile = \"${INTERNAL_BOTH}\"" + echo " ssl.ca-file = \"${INTERNAL_CHAIN}\"" +fi + +[ -s "$DHPARAM" ] && echo " ssl.dh-file = \"${DHPARAM}\"" + +# VHost for server.bwlehrpool +if [ -s "${INTERNAL_BOTH}" ]; then + cat < %0 in redirect pattern + # must be 
the most inner block to the redirect rule
+ $HTTP["host"] =~ ".*" {
+ url.redirect = ( "^/slx-admin/($|\?|index.php).*" => "https://%0$0" )
+ url.redirect-code = 302
+ }
+}
+HEREDOC
+
+exit 0
+
diff --git a/satellit_installer/static_files/lighttpd/usr/share/lighttpd/include-conf-d.sh b/satellit_installer/static_files/lighttpd/usr/share/lighttpd/include-conf-d.sh
new file mode 100755
index 0000000..a54ed3f
--- /dev/null
+++ b/satellit_installer/static_files/lighttpd/usr/share/lighttpd/include-conf-d.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+if [ -n "$1" ]; then
+ DIR="$1"
+else
+ DIR="/etc/lighttpd"
+fi
+
+cd "$DIR" || exit 1
+[ -d "conf.d" ] || exit 0
+
+for file in conf.d/*; do
+ [ -f "$file" ] && echo 'include "'"$DIR/$file"'"'
+done
+exit 0
+
diff --git a/satellit_installer/static_files/logging/80-dmsd.conf b/satellit_installer/static_files/logging/80-dmsd.conf
deleted file mode 100644
index 3554f43..0000000
--- a/satellit_installer/static_files/logging/80-dmsd.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-:app-name, isequal, "dmsd" -/var/log/dmsd.log
-& ~
diff --git a/satellit_installer/static_files/logging/90-taskmanager.conf b/satellit_installer/static_files/logging/90-taskmanager.conf
deleted file mode 100644
index 578d905..0000000
--- a/satellit_installer/static_files/logging/90-taskmanager.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-:app-name, isequal, "taskmanager" -/var/log/taskmanager.log
-& ~
diff --git a/satellit_installer/static_files/logging/satellite-logrotate b/satellit_installer/static_files/logging/satellite-logrotate
deleted file mode 100644
index 2d1d946..0000000
--- a/satellit_installer/static_files/logging/satellite-logrotate
+++ /dev/null
@@ -1,14 +0,0 @@
-/var/log/dmsd.log
-/var/log/taskmanager.log
-{
- rotate 7
- daily
- missingok
- notifempty
- delaycompress
- compress
- postrotate
- invoke-rc.d rsyslog rotate > /dev/null
- endscript
-}
-
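Review bot: In the `elif [ -s "$INTERNAL_BOTH" ]` branch of auto-ssl.sh the `ssl.ca-file` line is emitted unconditionally, so when `$INTERNAL_CHAIN` was blanked a few lines earlier by `[ -s "$INTERNAL_CHAIN" ] || INTERNAL_CHAIN=` the generated config contains `ssl.ca-file = ""`; guard it the same way the public branch guards `$CHAIN`: `[ -n "$INTERNAL_CHAIN" ] && echo " ssl.ca-file = \"${INTERNAL_CHAIN}\""`. The bare `wait` appears to also block on the backgrounded `openssl dhparam -out "$DHPARAM" 2048`, which on first run can delay config generation by minutes even though `ssl.dh-file` is already optional further down; `wait "$!"` on the slx-cert job alone would keep the dhparam generation truly asynchronous. The `ps aux | grep 'openssl dhparam' | grep -q -v grep` probe is the classic pattern `pgrep -f 'openssl dhparam'` replaces. From a hardening standpoint the `ssl.cipher-list` still offers the 3DES suites (`*DES-CBC3-SHA`) and non-PFS static-RSA suites; the intermediate profile this was copied from has since dropped them, so trimming those entries would be worth a follow-up. Part of the heredoc body appears garbled in this rendering of the patch, so only the surviving lines were reviewed.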
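Review bot: `for file in conf.d/*` in include-conf-d.sh includes every regular file in the directory, so editor backups and package leftovers (`*~`, `*.dpkg-dist`, `*.orig`) end up `include`d into the live lighttpd configuration; restricting the glob, `for file in conf.d/*.conf; do`, is the usual guard. When the script is given a relative `$1`, the emitted `include "$DIR/$file"` paths are relative to the caller's working directory rather than absolute; `DIR=$(cd "$DIR" && pwd) || exit 1` in place of the bare `cd` fixes that and keeps the exit-1 behaviour. A filename containing a double quote would also break the generated include line, though that only matters if conf.d is writable by someone other than root, which cannot be told from here.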
diff --git a/satellit_installer/static_files/netsetup b/satellit_installer/static_files/netsetup
deleted file mode 100755
index 6616c50..0000000
--- a/satellit_installer/static_files/netsetup
+++ /dev/null
@@ -1,200 +0,0 @@ -#!/bin/bash - -DATUM=$(date +%Y%m%d_%H%M%S) -INTERFACES="/etc/network/interfaces" -ETHALIAS=$( ifconfig -a | grep -oEm1 '^e\w+' ) -RESOLV="/etc/resolv.conf" -HOSTNAMEFILE="/etc/hostname" -SKRIPT=$(readlink -f "$0") -ERR=0 - - -write_banner() { - echo - echo "Dieses Skript konfiguriert das Netzwerk-Interface." - echo - echo "Wenn Sie die Netzwerkkonfiguration ändern, sollten Sie anschließend" - echo "den Server rebooten." - echo -} - - -detect_config() { - if grep -q -E "^[[:space:]]*iface[[:space:]]+${ETHALIAS}[[:space:]]+inet[[:space:]]+dhcp" "$INTERFACES"; then - # dhcp detected, we presume - TYPE=dhcp-basierte - WUNSCH=statische - TOUCHE_TYPE=d - TOUCHE_DESIR=s - else - TYPE=statische - WUNSCH=dhcp-basierte - TOUCHE_TYPE=s - TOUCHE_DESIR=d - fi -} - -ask_config() { - echo - echo "Es ist aktuell eine $TYPE IP-Adresse konfiguriert." - echo - echo "Wollen Sie eine $WUNSCH IP konfigurieren (${TOUCHE_DESIR})," - echo "möchten Sie die $TYPE IP neu konfigurieren (${TOUCHE_TYPE})," - echo "oder möchten Sie gar nichts tun (leere Eingabe)?" - echo - echo -n "Ihre Wahl? [${TOUCHE_DESIR}/${TOUCHE_TYPE}/nichts]: " - read CONFIG_ME - [ "$CONFIG_ME" == "" ] && exit 0 -} - -decide_action() { - case "$CONFIG_ME" in - ${TOUCHE_DESIR}*) backup_configs - if [ "$WUNSCH" == "statische" ]; then - enter_values_static - write_config_static - else - write_config_dyn - fi - ;; - ${TOUCHE_TYPE}*) backup_configs - if [ "$TYPE" == "statische" ]; then - enter_values_static - write_config_static - else - write_config_dyn - fi - ;; - *) echo; echo - echo "Ihre eingegebene Option $CONFIG_ME wurde nicht erkannt - Neustart." 
- echo - sleep 1 - exec "$SKRIPT" - ;; - esac -} - -backup_configs() { - if [ -f "$INTERFACES" ]; then - cp -p "$INTERFACES" "$INTERFACES.${DATUM}" || \ - { echo "Konnte Datei $INTERFACES nicht nach $INTERFACES.$DATUM sichern - Abbruch."; \ - exit 1 ; } - cp -p "$RESOLV" "$RESOLV.${DATUM}" || \ - { echo "Konnte Datei $RESOLV nicht nach $RESOLV.$DATUM sichern - Abbruch."; \ - exit 1 ; } - fi -} - -restore_configs() { - cp -p "$INTERFACES.$DATUM" "$INTERFACES" - cp -p "$RESOLV.{DATUM}" "$RESOLV" -} - -write_config_static() { - cat > "$INTERFACES" <<-HIER - # This file was written by the satellite auto installer. - # If any problems arise, copy $INTERFACES.${DATUM}. - # The loopback network interface - auto lo - iface lo inet loopback - - # Primary network interface - auto $ETHALIAS - iface $ETHALIAS inet static - address $IPADRESS - gateway $GATEWAY - netmask $NETMASK - HIER - - echo "# This file was written by the satellite server install script." > "$RESOLV" - echo "# If any problems arise, copy $RESOLV.${DATUM}." >> "$RESOLV" - [ -n "$DOMAIN" ] && echo "domain $DOMAIN" >> "$RESOLV" - [ -n "$SEARCH" ] && echo "search $SEARCH" >> "$RESOLV" - [ -n "$PRIMARYDNS" ] && echo "nameserver $PRIMARYDNS" >> "$RESOLV" - [ -n "$SECONDARYDNS" ] && echo "nameserver $SECONDARYDNS" >> "$RESOLV" - - echo "$HOSTNAME" > "$HOSTNAMEFILE" - - [ -n "$DOMAIN" ] && DOMAIN=".${DOMAIN}" - sed "s/127.0.1.1.*/127.0.1.1\t${HOSTNAME}${DOMAIN}\t${HOSTNAME}/g" -i /etc/hosts --in-place=.alt - -} - -write_config_dyn() { - cat > "$INTERFACES" <<-HIER - # This file was written by the satellite auto installer. - # If any problems arise, copy $INTERFACES.${DATUM}. - # The loopback network interface - auto lo - iface lo inet loopback - - # Primary network interface - auto $ETHALIAS - iface $ETHALIAS inet dhcp - # Leaving /etc/resolv alone; pump/dhclient/whatever will take care of that. 
- HIER -} - -enter_values_static() { - OLDHOSTNAME=$(hostname) - unset ENTRY - while true; do - echo - echo -n "IP-Adresse: " - read IPADRESS - echo -n "Gateway: " - read GATEWAY - echo -n "Netzmaske - leere Eingabe für 255.255.255.0: " - read NETMASK - [ -z "$NETMASK" ] && NETMASK=255.255.255.0 - echo -n "Domain - leere Eingabe, wenn nicht erwünscht: " - read DOMAIN - echo -n "Search domain - leere Eingabe, wenn nicht erwünscht: " - read SEARCH - echo -n "Primärer Nameserver: " - read PRIMARYDNS - echo -n "Sekundärer Nameserver - Leere Eingabe, wenn nicht vorhanden: " - read SECONDARYDNS - echo -n "Hostname - leere Eingabe für bestehenden Hostname $OLDHOSTNAME: " - read HOSTNAME - [ "$HOSTNAME" == "" ] && HOSTNAME="$OLDHOSTNAME" - echo - echo "# IP-Adresse : $IPADRESS" - echo "# Gateway : $GATEWAY" - echo "# Netzmaske : $NETMASK" - echo "# Domain : $DOMAIN" - echo "# Search domain : $SEARCH" - echo "# Primärer Nameserver : $PRIMARYDNS" - echo "# Sekundärer Nameserver : $SECONDARYDNS" - echo "# Hostname : $HOSTNAME" - echo - while true; do - echo -n "Sind diese Eingaben korrekt? [J/n]: " - read ENTRY - echo - [[ -z "$ENTRY" || "$ENTRY" == j* || "$ENTRY" == J* ]] && return - if [[ "$ENTRY" == n* || "$ENTRY" == N* ]]; then - echo "Neustart der Eingabe..." - echo - break - fi - done - done -} - -last_words() { - echo - echo "Einträge geschrieben... beende Skript." - echo -} - -detect_config -write_banner -ask_config - -decide_action # do the stuff! - -last_words - -exit 0 - diff --git a/satellit_installer/static_files/patch_lighttpd_phpchildren b/satellit_installer/static_files/patch_lighttpd_phpchildren deleted file mode 100755 index a8e44e5..0000000 --- a/satellit_installer/static_files/patch_lighttpd_phpchildren +++ /dev/null 
@@ -1,23 +0,0 @@ -#!/bin/sh - -# Could be written in one line, but for better editing when values change... -MEM=$(grep ^MemTotal /proc/meminfo | awk '{print $2}') # RAM in KB -MEM=$(( MEM / 1024 / 4 )) # to MB, and assess a fourth of RAM for PHP -CHILDREN=$(( MEM / 16 )) # assume 16 MB per child -# min 16, no more than 128 (inverse logic to handle NaN) -[ "$CHILDREN" -ge 16 ] || CHILDREN=16 -[ "$CHILDREN" -le 128 ] || CHILDREN=128 - -## Use ?? in case the ordering changes one day -file=$(echo /etc/lighttpd/conf-enabled/??-fastcgi-php.conf) -if [ -f "$file" ]; then - sed -i 's/"PHP_FCGI_CHILDREN.*$/"PHP_FCGI_CHILDREN" => "'$CHILDREN'",/' "$file" - if ! grep -qF '"PHP_FCGI_CHILDREN" => "'$CHILDREN'"' "$file"; then - echo "WARNING: Cannot adjust php cgildren count for fastcgi -- line not found in $file" >&2 - fi -else - echo "WARNING: Cannot adjust php children count for fastcgi -- file not found" >&2 - exit 1 -fi -exit 0 - diff --git a/satellit_installer/static_files/rclocal_script.sh b/satellit_installer/static_files/rclocal_script.sh deleted file mode 100644 index 07da0ee..0000000 --- a/satellit_installer/static_files/rclocal_script.sh +++ /dev/null 
@@ -1,113 +0,0 @@ -#!/bin/bash - -MY_PID=$$ -perror() { - echo "$@" >> /root/init.log - [ "$MY_PID" != "$$" ] && kill "$MY_PID" - - if ! grep -q "rclocal_script.sh has thrown an error" /etc/motd; then - cat <<-EOF >> /etc/motd - - WARNING! - - rclocal_script.sh has thrown an error! - Please read /root/init.log and take appropriate measures! - This server may not work correctly! - - EOF - fi - exit 5 -} - -echo "$(basename $0) gestartet: $(date "+%Y-%m-%d %H:%m:%S")" >> /root/init.log - -[ -r "/root/installer/config" ] || perror "Installationsfehler: Keine firstrun-config gefunden!" - -source "/root/installer/config" || { echo "Fehler beim Sourcen der firstrun-config." >> /root/init.log; exit 1; } - -generate_password() { - tr -dc _A-Za-z0-9 < /dev/urandom | head -c 16 -} - -patchfiles() { - # ... - # Warning: does not escape! - FIND=$1 - REPLACE=$2 - shift 2 - while [ $# -gt 0 ]; do - sed -i "s/${FIND}/${REPLACE}/g" "$1" - shift - done -} - -echo -n "Lösche alte ssh-Schlüssel ..." >> /root/init.log -rm -f /etc/ssh/ssh_host_*key* 2>/dev/null -echo " done." - -echo -n "Generating new ssh keys..." >> /root/init.log -ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N "" -t rsa -q -ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N "" -t dsa -q -ssh-keygen -f /etc/ssh/ssh_host_ecdsa_key -N "" -t ecdsa -q -ssh-keygen -f /etc/ssh/ssh_host_ed25519_key -N "" -t ed25519 -q -echo "... done." >> /root/init.log - -export LANG=de_DE.UTF-8 - -echo "Generiere intern genutzte Passwörter (z.B. MySQL-Zugänge) neu ..." >> /root/init.log -umask 0077 - -MYSQL_SAT_NEW=$(generate_password) -echo "SET PASSWORD FOR 'sat'@'localhost' = PASSWORD('$MYSQL_SAT_NEW');" | mysql -u root || perror "Neusetzen des sat-MySQL-Passworts fehlgeschlagen." - -MYSQL_OPENSLX_NEW=$(generate_password) -echo "SET PASSWORD FOR 'openslx'@'localhost' = PASSWORD('$MYSQL_OPENSLX_NEW');" | mysql -u root || perror "Neusetzen des openslx-MySQL-Passworts fehlgeschlagen." - -echo -n "Konfigurationsdateien werden aktualisiert..." 
>> /root/init.log - -# sat mysql pass -# Patch dmsd -patchfiles "%MYSQL_SAT_PASS%" "$MYSQL_SAT_NEW" "$DMSDDIR/config.properties" - -# openslx mysql pass -# Patching openslx-mysql-userpass into slx-admin config: -patchfiles "%MYSQL_OPENSLX_PASS%" "$MYSQL_OPENSLX_NEW" "$WWWDIR/slx-admin/config.php" - -# taskmanager password -TASKMANAGER_PASS=$(generate_password) -patchfile "%TM_OPENSLX_PASS%" "$TASKMANAGER_PASS" "$WWWDIR/slx-admin/config.php" "$TASKMANDIR/config/config" - -echo " ok." >> /root/init.log - -echo "Dienste werden aktiviert..." >> /root/init.log - -# Enable bwLehrpool related services -for i in dmsd.service taskmanager.service; do - systemctl enable $i - [ $? -ne 0 ] && echo "Warnung - konnte systemd-Service $i nicht aktivieren!" >> /root/init.log - systemctl start $i -done - -# Write MOTD -cat > /etc/motd < /etc/sat_version - -sed -i "/rclocal_script.sh/d" /etc/rc.local -unlink "/root/installer/config" 2>/dev/null -unlink "/root/installer/rclocal_script.sh" 2>/dev/null -mv /etc/rc.local.sik /etc/rc.local -exit 0 - diff --git a/satellit_installer/static_files/slx-cert b/satellit_installer/static_files/slx-cert deleted file mode 100755 index 3f5cc3e..0000000 --- a/satellit_installer/static_files/slx-cert +++ /dev/null 
@@ -1,232 +0,0 @@ -#!/bin/bash - -# OpenSLX SSL Certificate management - -if ! mkdir "/run/openslx-cert-manager"; then - echo "Already in progress." - exit 1 -fi -trap 'rm -rf -- /run/openslx-cert-manager' EXIT - -declare -rg BASE="/etc/ssl/openslx" -declare -rg PRIV="$BASE/private" -declare -rg CERT="$BASE/cert" -declare -rg LIGHT="$BASE/lighttpd" - -mkdir -p "$BASE" "$PRIV" "$CERT" - -chown -R root:root "$BASE" || exit 1 -chmod u+rwx,go+rx-w "$BASE" "$CERT" || exit 1 -chmod u+rwx,go-rwx "$PRIV" || exit 1 -# Before doing anything, make sure we have a CA with enough validity left -# File name format for ca is: -# ${PRIV}/ca-FFFFFFFFFF-TTTTTTTTTT.key -# ${CERT}/ca-TTTTTTTTTT.crt -# Where TT is the unix timestamp of "validTo" of that cert -# And FF is the unix timestamp of when we should starting using a CA to -# sign our certificates. This is for a grace period between CA certs. -# We deliver a new CA certificate immediately when it was generated, but -# only start signing server certificates with it after a grace period of -# 180 days. Any client that rebooted within those 180 days will not run -# into any certificate issues, but if you wanted to cover that case too -# you could make it so the client re-downloads trusted CA-certs every -# couple days. 
- -declare -rg NOW="$( date +%s )" -# PROD -declare -rg ca_days="$(( 10 * 365 ))" # 10y -declare -rg ca_min_remain_s="$(( 400 * 86400 ))" # bit more than 1y -declare -rg ca_new_expire_ts="$(( ca_days * 86400 + NOW ))" -declare -rg srv_days=365 # 1y -declare -rg srv_min_remain_s="$(( 180 * 86400 ))" # half a year -declare -rg srv_new_ts="$(( srv_days * 86400 + NOW ))" -# TEST -#declare -rg ca_days=1825 # 5y -#declare -rg ca_min_remain_s="$(( 1260 ))" # bit more than 1y -#declare -rg ca_new_expire_ts="$(( 1320 + NOW ))" -#declare -rg srv_days=365 # 1y -#declare -rg srv_min_remain_s="$(( 1200 ))" # half a year -#declare -rg srv_new_ts="$(( 1230 + NOW ))" - - -get_ts () { - ts="${1%.*}" - ts="${ts##*/ca-}" - ts="${ts##*/srv-}" - from="${ts%-*}" - if [ "$from" = "$ts" ]; then - from= - else - ts="${ts#*-}" - fi -} - -create_conf () { - ca_dir="$( mktemp -d /tmp/bwlp-XXXXXXXX )" - [ -z "$ca_dir" ] && exit 1 - mkdir "$ca_dir"/{certs,crl,newcerts,private} - touch "$ca_dir"/index.txt - ca_config="$ca_dir/openssl.cnf" - cp -f "/etc/ssl/openssl.cnf" "$ca_config" - cat >> "$ca_config" <<-MYCA - [ CA_openslx ] - dir = $ca_dir - certs = \$dir/certs - crl_dir = \$dir/crl - database = \$dir/index.txt - new_certs_dir = \$dir/newcerts - serial = \$dir/serial - crl = \$dir/crl.pem - x509_extensions = usr_cert - name_opt = ca_default - cert_opt = ca_default - default_md = default - preserve = no - policy = policy_match - MYCA -} - -ca_last= -for i in "${PRIV}"/ca-??????????.key; do - [ -f "$i" ] || continue - get_ts "$i" - if ! [ -f "${CERT}/ca-${ts}.crt" ] || (( ts < NOW )); then - # Missing cert, or expired -> delete - rm -f -- "${CERT}/ca-${ts}.crt" "${PRIV}/ca-${ts}.key" - continue - fi - ca_last="$ts" -done - -mknew= -if [ -z "$ca_last" ] || (( NOW + ca_min_remain_s > ca_last )); then - # Make new CA - echo "Creating new CA..." 
- openssl req -new -newkey rsa:4096 -x509 -days "$ca_days" -extensions v3_ca \ - -nodes -subj "/C=DE/ST=PewPew/L=HeyHey/O=bwLehrpool/CN=ca-${NOW}.bwlehrpool" \ - -keyout "${PRIV}/ca-${ca_new_expire_ts}.key" -out "${CERT}/ca-${ca_new_expire_ts}.crt" || exit 2 - mknew=1 - # - # Create new intermediate, sign with all CAs - csr="$( mktemp /tmp/bwlp-XXXXXXX.csr )" - # Create request, CA:TRUE - echo "Generate intermediate key+CSR..." - [ -f "${PRIV}/intermediate.key" ] || openssl genrsa -out "${PRIV}/intermediate.key" 4096 - openssl req -new -key "${PRIV}/intermediate.key" \ - -nodes -subj "/C=DE/ST=PewPew/L=HeyHey/O=bwLehrpool/CN=intermediate.bwlehrpool" \ - -out "$csr" || exit 2 - create_conf - # Sign request, CA:TRUE - echo "Sign new intermediate key with CA..." - openssl ca -config "$ca_config" -extensions v3_ca -create_serial \ - -policy policy_anything -days "$ca_days" \ - -cert "${CERT}/ca-${ca_new_expire_ts}.crt" -keyfile "${PRIV}/ca-${ca_new_expire_ts}.key" \ - -notext -name CA_openslx -batch -out "${CERT}/intermediate-${ca_new_expire_ts}.crt" -in "$csr" || exit 2 - rm -rf -- "$ca_dir" "$csr" -fi - -if [ -n "$mknew" ]; then - # Rebuild config module for clients - echo "Updating client config module..." - ( - tmpdir="$( mktemp -d '/tmp/bwlp-XXXXXXX' )" - cp -a "${CERT}/"ca-*.crt "$tmpdir/" - cd "$tmpdir/" || exit 6 - openssl rehash . - tar -c -k -f "/opt/openslx/configs/modules/self-signed-ca.tar" \ - --transform 's#^[./][./]*#/opt/openslx/ssl/#' . - cd /tmp - rm -rf -- "$tmpdir" - sudo -u www-data -n php /srv/openslx/www/slx-admin/api.php sysconfig --action rebuild - echo "." - ) -fi - -# Now check the server certificate - -declare -a srv_list -srv_list=() -for i in "${PRIV}"/srv-??????????.key; do - [ -f "$i" ] || continue - get_ts "$i" - if (( ts < NOW )) || ! 
[ -f "${CERT}/srv-${ts}.crt" ]; then - rm -f -- "$i" "${CERT}/srv-${ts}.crt" - continue - fi - srv_list+=( "$ts" ) -done - -if [ -n "$mknew" ] || [ "${#srv_list[@]}" = 0 ] \ - || [ "$(( NOW + srv_min_remain_s ))" -gt "${srv_list[-1]}" ]; then - # Request ServerCert - csr="$( mktemp /tmp/bwlp-XXXXXXX.csr )" - echo "Generating new Server Certificate. Key+CSR..." - rm -f -- "${CERT}"/srv-*.crt "${PRIV}/srv.key.tmp" "${PRIV}"/srv-*.key - openssl req -new -nodes -keyout "${PRIV}/srv.key.tmp" -out "$csr" \ - -subj "/C=DE/ST=PewPew/L=HeyHey/O=bwLehrpool/CN=satellite.bwlehrpool" || exit 4 - echo "Signing Server Certificate with intermediate..." - declare -a in_list - in_list=() - for i in "${CERT}"/intermediate-??????????.crt; do - [ -f "$i" ] || continue - get_ts "$i" - if (( ts < NOW )); then - echo "Expired intermediate $i" - rm -f -- "$i" - continue - fi - echo "Have intermediate $i" - in_list+=( "$i" ) - done - if [ "${#in_list[@]}" = 0 ]; then - echo "ERROR: Have no intermediate certificate" - exit 11 - fi - for in_cert in "${in_list[@]}"; do - get_ts "$in_cert" - (( ts < 30 * 86400 + NOW )) && continue # Expiring in a month, ignore - break # Need only one really - done - echo "Signing with $in_cert" - create_conf - # Need extfile for SAN, chromium doesn't honor CN anymore - cat > "${csr}.cnf" <<-END - basicConstraints = CA:FALSE - nsCertType = server - nsComment = "OpenSSL Generated Server Certificate" - subjectKeyIdentifier = hash - authorityKeyIdentifier = keyid,issuer:always - keyUsage = critical, digitalSignature, keyEncipherment - extendedKeyUsage = serverAuth - subjectAltName = @alt_names - [alt_names] - DNS.1 = satellite.bwlehrpool - END - openssl ca -config "$ca_config" -create_serial -policy policy_anything -days "$srv_days" \ - -cert "$in_cert" -keyfile "${PRIV}/intermediate.key" -extfile "${csr}.cnf" \ - -notext -name CA_openslx -batch -out "${CERT}/srv-${srv_new_ts}.crt" -in "$csr" || exit 4 - rm -rf -- "$ca_dir" - rm -f -- "$csr" "${csr}.cnf" - mv 
"${PRIV}/srv.key.tmp" "${PRIV}/srv-${srv_new_ts}.key" || exit 5 - srv_list+=( "$srv_new_ts" ) - - # Combine and prepare for lighttpd - - mkdir -p "$LIGHT" || exit 10 - - # Combine cert and key, as required by lighttpd - echo "Writing out lighttpd PEMs..." - cat "${CERT}/srv-${srv_new_ts}.crt" "${PRIV}/srv-${srv_new_ts}.key" > "${LIGHT}/server.pem" || exit 10 - chmod 0600 "${LIGHT}/server.pem" - - # Create ca-chain - cat "${in_list[@]}" > "${LIGHT}/ca-chain.pem" - - if [ "$1" = "--restart" ] || [ -t 0 ]; then - echo "Restarting lighttpd..." - systemctl restart lighttpd.service - fi -fi - -echo "Done." -exit 0 diff --git a/satellit_installer/static_files/slxadmin-boot.service b/satellit_installer/static_files/slxadmin-boot.service deleted file mode 100644 index 21bdf51..0000000 --- a/satellit_installer/static_files/slxadmin-boot.service +++ /dev/null @@ -1,13 +0,0 @@ -[Unit] -Description=Trigger init hooks of slx-admin -RefuseManualStart=yes -Before=lighttpd.service -After=mariadb.service mysql.service network.target taskmanager.service -Wants=network-online.target - -[Service] -Type=oneshot -ExecStart=/opt/openslx/slxadmin-bootscript - -[Install] -WantedBy=multi-user.target diff --git a/satellit_installer/static_files/slxadmin-bootscript b/satellit_installer/static_files/slxadmin-bootscript deleted file mode 100755 index a959dfd..0000000 --- a/satellit_installer/static_files/slxadmin-bootscript +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/sh - -FILE=$(mktemp) - -if ! php /srv/openslx/www/slx-admin/api.php init > "$FILE" 2>&1; then - php /srv/openslx/www/slx-admin/api.php init --crashreport "$FILE" -elif [ -s "$FILE" ]; then - php /srv/openslx/www/slx-admin/api.php init --logreport "$FILE" -fi - -rm -- "$FILE" -sleep 1 -exit 0 diff --git a/satellit_installer/static_files/slxadmin-config.php b/satellit_installer/static_files/slxadmin-config.php deleted file mode 100644 index a239fef..0000000 --- a/satellit_installer/static_files/slxadmin-config.php +++ /dev/null 
@@ -1,61 +0,0 @@ - array( - 'news', 'locations', 'exams', 'dozmod', 'adduser', 'permissionmanager', 'locationinfo' - ), - 'main.settings-client' => array( - 'sysconfig', 'baseconfig', 'minilinux' - ), - 'main.settings-server' => array( - 'serversetup', 'vmstore', 'webinterface', 'backup', 'dnbd3', 'rebootcontrol' - ), - 'main.status' => array( - 'systemstatus', 'eventlog', 'syslog', 'statistics', 'statistics_reporting' - ), - 'main.etc' => array( - 'runmode', 'translation' - ) -); - diff --git a/satellit_installer/static_files/slxadmin-cronscript b/satellit_installer/static_files/slxadmin-cronscript deleted file mode 100755 index 4ab7a21..0000000 --- a/satellit_installer/static_files/slxadmin-cronscript +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/sh - -PIDFILE="/tmp/bwlp-cronphppid" -OLDPID= -[ -s "$PIDFILE" ] && OLDPID=$(cat "$PIDFILE") - -[ -n "$OLDPID" ] && kill -0 "$OLDPID" && exit 0 - -echo $$ > "$PIDFILE" - -FILE=$(mktemp) -if ! php /srv/openslx/www/slx-admin/api.php cron >"$FILE" 2>&1; then - php /srv/openslx/www/slx-admin/api.php cron --crashreport "$FILE" -fi -rm -f -- "$FILE" "$PIDFILE" -exit 0 - diff --git a/satellit_installer/static_files/slxadmin-crontab b/satellit_installer/static_files/slxadmin-crontab deleted file mode 100644 index c6ae537..0000000 --- a/satellit_installer/static_files/slxadmin-crontab +++ /dev/null @@ -1,9 +0,0 @@ -# Trigger taskmanager init on boot - -SHELL=/bin/sh -PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin - -# web-cron runs every 5 minutes -*/5 * * * * www-data /opt/openslx/slxadmin-cronscript -# check certificate once a day -12 1 * * * root /opt/openslx/slx-cert --restart diff --git a/satellit_installer/static_files/slxadmin-init/gpg-key.asc b/satellit_installer/static_files/slxadmin-init/gpg-key.asc deleted file mode 100644 index abbe024..0000000 --- a/satellit_installer/static_files/slxadmin-init/gpg-key.asc +++ /dev/null 
@@ -1,52 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1.4.11 (GNU/Linux) - -mQINBFRjgJMBEADRhRM6UIFrH/vbo1VKzG3V7NFkLPK+L6ZG7arlJT06A4KNsEdu -YWyxYC94JTaZX7bKPMeVP5a4HJuFGPNkfwgBZmH445MOQ4IzEByrpwN76MmbeK53 -3b1ibCrkVWtXvzu/7dsb6dH/lrisHdz2kOpcdioMeD9KcXv71Uni/T2j6zTeDzpw -TWV5uxpAaVMFPpLRVJzuYOOz0a+cQ+eXgHQBBUL5pwXtiAp3G9FKq7zHHnoC1yJ1 -pm4y8pL8owp8NeIYzEFXnCGiNxQ1hP+O+gsG9r/yHxAODYEGwdXFoJ/4wDSwtyAl -HmAuI0SH7Cd8TsC3Oj9lg0m7U4PRkJZfxQImpJIeYdOx/EsX96oq0rJJqphVGCfE -TM5nvJaV7D0lFNNA5loeZVyk/wjuAeLqZcTrXgBABye3od/Vi3QX21OQtl68zsAN -r2dKrbubmzL6XmfqE4Tpi6nH6bHh+uLUiv4xNK+AaKdV9/X5R0vGVWQHbkgCx1ua -2apXHeuMQ8Omi1jYSqdbcLvDZvPvUFyAFQgT5g0ZFtsKON6CFr7LHO8GvJrVpBVH -K0GZRQvR9PZS/3WsKXYaphcCZlneemL7iZHtZbcAjOSFzvTUQil9pa4bRoJWa376 -AcZRha1JXUBd9RreQzWc2aUsLLRE2hGi1Ntx7FXPgtgN7HNJmc+B68DICwARAQAB -tDpid0xlaHJwb29sIEZyZWlidXJnIChid0xlaHJwb29sIFNjaGzDvHNzZWwpIDxz -cGFtQGFvbC5jb20+iQI4BBMBAgAiBQJUY4CTAhsDBgsJCAcDAgYVCAIJCgsEFgID -AQIeAQIXgAAKCRDLjw2Cr1tITCrvEADIGKoPhbU4aC5zeSyB6wCqhb4yOQXDWkrJ -+kpFMPAdAaLRTGjiIX8LoFT6b1khA0zoF/hKxCj8VJiSjJySYN6VK3zbs3bUZrKt -ph9zHFWOrRDY1+hVs9S4Pebvh22h+jvvNMupfF4qbEItEsGN1Evt6rK6LIWGePj8 -R4h/dAh+4UIZGQrtMWKndkw0IMiiL2Dgx8gRo55QxybK9519y1Pl9j1L2UWwZmOk -c8VF6mseZWyyTjLVsoOr4oWmUfppIqFbzLY7gZ5VYc3Be1I0smHfLbtZPWo04DUT -9A9p86VyY29/EqlBXxdc86SBl2mxV6raLPmpNFnu/3yfXVvIB9A/vS5iLzALSTkF -0OyWeNr0hNj5h1jHmJGA7Weoj5ncKN9YZmR9q19eKbFeNOI588HdH6ZkyNl1yN5+ -jotadDjpzY2SbkmN8QmIwxdkXg/w74PBcpXA/qww+/YIaeMuk/ofVDgluIrzIJL8 -y833MgdebbAZRZBlqJe7i450NTPuvJvQMeFfz4AQ2NZS7r9BCM/FmRnC3GRHTYZx -OLyzQUu2PaFJRGgbpPeK6CAoukYtmhUk5Pub8Wyf5ohOFD8ru8Wha/lM8Fv3qkWX -UY52wbAqoj83NodjnBckRWW8oy7+5nBs0dB7E94m7t5vKAMXwm6zVB8ZvNXnr9x1 -Z9cTcD06/bkCDQRUY4CTARAA32FvERUpUk/r9hpGJYMTMute30vCMSqxtI6ikqZH -Q+w5d785vNjSuRFyA9Nev9K5tDo2/bmws9upUVBWzBJUnmN5AI+OqMauDXdMjZnJ -rQ/AM6Cl0QcXIjZQgal9tbmGoQoLfAEFYRlObgOPXib4/rdjg2oIO12sd/BAX5Ch -qjmdOL3VgjmlOjU8nzwWpL/49br9GoS4hKlpwWA3qLo8yyYfhe7BJM9R9JiKk+vO 
-Q7JSX0jLaygrWt3F7aKsWx0LzOslUbw3Ce7z9TeiH7bPHIxQzYNE7hrzisyJyzrT -zGOrwiCHQDwJbovp0vrMi0c7aZE9P779yNqrHP2s7+HtV6VCemvt0VtYl9AUu6bS -603LBsJu6pCZURbGQKX8VqzvpBOkAG5XwgvVTY2ff0D5FTQY3EIms7/w58DJEWEm -a465r7zdVhFt2EB+ErWaz2UNAgpXP2tLI/UXaI1kDqruozQHIPq12ODYqVBGJBBA -cz2kjTRcxPGiEgUvA0sEDUYEKLfDVtgeJ0dESdlZvanLZzWxi4XIaxWCyg1/Kk27 -f94+Q7asUFYkcB3TSoyw74TolDVDr7DIhF6+aZhOdvgtYZEqElfVzbnkbFsQPB5S -rISe7SeJvBx1m1PqXUI6bsclalSueD7VlcrPhNbZqe+9IsUwSd9/qqQv6L5zlPtH -+dkAEQEAAYkCHwQYAQIACQUCVGOAkwIbDAAKCRDLjw2Cr1tITMNKEAC84wDBTUBu -PSaXfYNnmNBt9pi+cU0jrYSG6A5GJw+9YEYE8CDtjACFyAT/Ou4vKinT7mABGZHW -EaDvONfBlHr7Ia1ZdRu2nXRu3c+4gvSWujV0zs/PtSeSVdkuqCMpIhdApyeFayL1 -wSpnn5OQbVD5Pn31DBcG8nPLpwk/QnSXrDWQjLhL2UZokt6y/YaBKxE2vTVBIyS/ -KJwdXg/z5kJYaXhx5y1BkNKnO/Rxtikw1zk/uF5rte8eAH8Xq1fGuz8HLmvuMCMy -d/2X8ywb2eWuHDV0QMfem66SK/f/5t8NnKUGHIEdsuBZXrDiEP5QEYHblEvuMrmV -0iJos8tZtL5NRXxpeHJbfQolGvX5Br9RfU/cJ6UXG/ct48OqFzkM+jAsL5/jITcZ -3n7LbZxp5uqJtIGeSwRcYw0odDwlKHPQPlUUj9xhUFoRfeidOjaYSVQW3+OzJIxt -LyapFu10PCLbWUoDWs5DP4auVGeIXo31MUy58bGYdOYn5WItn9KDUkSv+ZbA1Egg -FJbNugNpsuBuAwohVkKmZOAylWL8zjja/f8U2n6p5NlEmcGnDuDEn5W5P0z3ShK0 -eozay7YCIKN73LLHLfi5P3oLGkmOgadLbzuivdkYK/TsbmANmEurMVQ4I0c6o9W7 -bNW+ww3uI6KYQJ/x7RKa7MLgplxcEtNJIQ== -=vxZn ------END PGP PUBLIC KEY BLOCK----- diff --git a/satellit_installer/static_files/slxadmin-init/init.sh b/satellit_installer/static_files/slxadmin-init/init.sh deleted file mode 100755 index b48a1bf..0000000 --- a/satellit_installer/static_files/slxadmin-init/init.sh +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh - -exec sudo -n -u www-data php "$( dirname "$0" )/slxadmin-init.php" diff --git a/satellit_installer/static_files/slxadmin-init/slxadmin-init.php b/satellit_installer/static_files/slxadmin-init/slxadmin-init.php deleted file mode 100644 index ef3f0bd..0000000 --- a/satellit_installer/static_files/slxadmin-init/slxadmin-init.php +++ /dev/null 
@@ -1,51 +0,0 @@ -.inc.php -spl_autoload_register(function ($class) { - $file = 'inc/' . preg_replace('/[^a-z0-9]/', '', mb_strtolower($class)) . '.inc.php'; - if (!file_exists($file)) - return; - require_once $file; -}); - -/* - * Stuff starts here - */ - -/* - * Minilinux update source URL - */ - -if ($MINILINUX_PUBKEY === false) { - echo "Error reading GPG key from file\n"; - exit(1); -} - -Database::exec("INSERT INTO minilinux_source (sourceid, title, url, pubkey) - VALUES ('bwlp', 'bwLehrpool', :url, :pubkey) - ON DUPLICATE KEY UPDATE title = VALUES(title), url = VALUES(url), pubkey = VALUES(pubkey)", - ['url' => $MINILINUX_URL, 'pubkey' => $MINILINUX_PUBKEY]); - -exit(0); diff --git a/satellit_installer/static_files/slxadmin/etc/cron.d/slx-admin b/satellit_installer/static_files/slxadmin/etc/cron.d/slx-admin new file mode 100644 index 0000000..c6ae537 --- /dev/null +++ b/satellit_installer/static_files/slxadmin/etc/cron.d/slx-admin @@ -0,0 +1,9 @@ +# Trigger taskmanager init on boot + +SHELL=/bin/sh +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin + +# web-cron runs every 5 minutes +*/5 * * * * www-data /opt/openslx/slxadmin-cronscript +# check certificate once a day +12 1 * * * root /opt/openslx/slx-cert --restart diff --git a/satellit_installer/static_files/slxadmin/etc/systemd/system/multi-user.target.wants/slxadmin-boot.service b/satellit_installer/static_files/slxadmin/etc/systemd/system/multi-user.target.wants/slxadmin-boot.service new file mode 120000 index 0000000..052f93e --- /dev/null +++ b/satellit_installer/static_files/slxadmin/etc/systemd/system/multi-user.target.wants/slxadmin-boot.service @@ -0,0 +1 @@ +../slxadmin-boot.service \ No newline at end of file diff --git a/satellit_installer/static_files/slxadmin/etc/systemd/system/slxadmin-boot.service b/satellit_installer/static_files/slxadmin/etc/systemd/system/slxadmin-boot.service new file mode 100644 index 0000000..21bdf51 --- /dev/null 
+++ b/satellit_installer/static_files/slxadmin/etc/systemd/system/slxadmin-boot.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Trigger init hooks of slx-admin
+RefuseManualStart=yes
+Before=lighttpd.service
+After=mariadb.service mysql.service network.target taskmanager.service
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/opt/openslx/slxadmin-bootscript
+
+[Install]
+WantedBy=multi-user.target
diff --git a/satellit_installer/static_files/slxadmin/opt/openslx/restore.d/slxadmin-init/gpg-key.asc b/satellit_installer/static_files/slxadmin/opt/openslx/restore.d/slxadmin-init/gpg-key.asc
new file mode 100644
index 0000000..abbe024
--- /dev/null
+++ b/satellit_installer/static_files/slxadmin/opt/openslx/restore.d/slxadmin-init/gpg-key.asc
@@ -0,0 +1,52 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.11 (GNU/Linux) + +mQINBFRjgJMBEADRhRM6UIFrH/vbo1VKzG3V7NFkLPK+L6ZG7arlJT06A4KNsEdu +YWyxYC94JTaZX7bKPMeVP5a4HJuFGPNkfwgBZmH445MOQ4IzEByrpwN76MmbeK53 +3b1ibCrkVWtXvzu/7dsb6dH/lrisHdz2kOpcdioMeD9KcXv71Uni/T2j6zTeDzpw +TWV5uxpAaVMFPpLRVJzuYOOz0a+cQ+eXgHQBBUL5pwXtiAp3G9FKq7zHHnoC1yJ1 +pm4y8pL8owp8NeIYzEFXnCGiNxQ1hP+O+gsG9r/yHxAODYEGwdXFoJ/4wDSwtyAl +HmAuI0SH7Cd8TsC3Oj9lg0m7U4PRkJZfxQImpJIeYdOx/EsX96oq0rJJqphVGCfE +TM5nvJaV7D0lFNNA5loeZVyk/wjuAeLqZcTrXgBABye3od/Vi3QX21OQtl68zsAN +r2dKrbubmzL6XmfqE4Tpi6nH6bHh+uLUiv4xNK+AaKdV9/X5R0vGVWQHbkgCx1ua +2apXHeuMQ8Omi1jYSqdbcLvDZvPvUFyAFQgT5g0ZFtsKON6CFr7LHO8GvJrVpBVH +K0GZRQvR9PZS/3WsKXYaphcCZlneemL7iZHtZbcAjOSFzvTUQil9pa4bRoJWa376 +AcZRha1JXUBd9RreQzWc2aUsLLRE2hGi1Ntx7FXPgtgN7HNJmc+B68DICwARAQAB +tDpid0xlaHJwb29sIEZyZWlidXJnIChid0xlaHJwb29sIFNjaGzDvHNzZWwpIDxz +cGFtQGFvbC5jb20+iQI4BBMBAgAiBQJUY4CTAhsDBgsJCAcDAgYVCAIJCgsEFgID +AQIeAQIXgAAKCRDLjw2Cr1tITCrvEADIGKoPhbU4aC5zeSyB6wCqhb4yOQXDWkrJ ++kpFMPAdAaLRTGjiIX8LoFT6b1khA0zoF/hKxCj8VJiSjJySYN6VK3zbs3bUZrKt +ph9zHFWOrRDY1+hVs9S4Pebvh22h+jvvNMupfF4qbEItEsGN1Evt6rK6LIWGePj8 +R4h/dAh+4UIZGQrtMWKndkw0IMiiL2Dgx8gRo55QxybK9519y1Pl9j1L2UWwZmOk +c8VF6mseZWyyTjLVsoOr4oWmUfppIqFbzLY7gZ5VYc3Be1I0smHfLbtZPWo04DUT +9A9p86VyY29/EqlBXxdc86SBl2mxV6raLPmpNFnu/3yfXVvIB9A/vS5iLzALSTkF +0OyWeNr0hNj5h1jHmJGA7Weoj5ncKN9YZmR9q19eKbFeNOI588HdH6ZkyNl1yN5+ +jotadDjpzY2SbkmN8QmIwxdkXg/w74PBcpXA/qww+/YIaeMuk/ofVDgluIrzIJL8 +y833MgdebbAZRZBlqJe7i450NTPuvJvQMeFfz4AQ2NZS7r9BCM/FmRnC3GRHTYZx +OLyzQUu2PaFJRGgbpPeK6CAoukYtmhUk5Pub8Wyf5ohOFD8ru8Wha/lM8Fv3qkWX +UY52wbAqoj83NodjnBckRWW8oy7+5nBs0dB7E94m7t5vKAMXwm6zVB8ZvNXnr9x1 +Z9cTcD06/bkCDQRUY4CTARAA32FvERUpUk/r9hpGJYMTMute30vCMSqxtI6ikqZH +Q+w5d785vNjSuRFyA9Nev9K5tDo2/bmws9upUVBWzBJUnmN5AI+OqMauDXdMjZnJ +rQ/AM6Cl0QcXIjZQgal9tbmGoQoLfAEFYRlObgOPXib4/rdjg2oIO12sd/BAX5Ch +qjmdOL3VgjmlOjU8nzwWpL/49br9GoS4hKlpwWA3qLo8yyYfhe7BJM9R9JiKk+vO 
+Q7JSX0jLaygrWt3F7aKsWx0LzOslUbw3Ce7z9TeiH7bPHIxQzYNE7hrzisyJyzrT +zGOrwiCHQDwJbovp0vrMi0c7aZE9P779yNqrHP2s7+HtV6VCemvt0VtYl9AUu6bS +603LBsJu6pCZURbGQKX8VqzvpBOkAG5XwgvVTY2ff0D5FTQY3EIms7/w58DJEWEm +a465r7zdVhFt2EB+ErWaz2UNAgpXP2tLI/UXaI1kDqruozQHIPq12ODYqVBGJBBA +cz2kjTRcxPGiEgUvA0sEDUYEKLfDVtgeJ0dESdlZvanLZzWxi4XIaxWCyg1/Kk27 +f94+Q7asUFYkcB3TSoyw74TolDVDr7DIhF6+aZhOdvgtYZEqElfVzbnkbFsQPB5S +rISe7SeJvBx1m1PqXUI6bsclalSueD7VlcrPhNbZqe+9IsUwSd9/qqQv6L5zlPtH ++dkAEQEAAYkCHwQYAQIACQUCVGOAkwIbDAAKCRDLjw2Cr1tITMNKEAC84wDBTUBu +PSaXfYNnmNBt9pi+cU0jrYSG6A5GJw+9YEYE8CDtjACFyAT/Ou4vKinT7mABGZHW +EaDvONfBlHr7Ia1ZdRu2nXRu3c+4gvSWujV0zs/PtSeSVdkuqCMpIhdApyeFayL1 +wSpnn5OQbVD5Pn31DBcG8nPLpwk/QnSXrDWQjLhL2UZokt6y/YaBKxE2vTVBIyS/ +KJwdXg/z5kJYaXhx5y1BkNKnO/Rxtikw1zk/uF5rte8eAH8Xq1fGuz8HLmvuMCMy +d/2X8ywb2eWuHDV0QMfem66SK/f/5t8NnKUGHIEdsuBZXrDiEP5QEYHblEvuMrmV +0iJos8tZtL5NRXxpeHJbfQolGvX5Br9RfU/cJ6UXG/ct48OqFzkM+jAsL5/jITcZ +3n7LbZxp5uqJtIGeSwRcYw0odDwlKHPQPlUUj9xhUFoRfeidOjaYSVQW3+OzJIxt +LyapFu10PCLbWUoDWs5DP4auVGeIXo31MUy58bGYdOYn5WItn9KDUkSv+ZbA1Egg +FJbNugNpsuBuAwohVkKmZOAylWL8zjja/f8U2n6p5NlEmcGnDuDEn5W5P0z3ShK0 +eozay7YCIKN73LLHLfi5P3oLGkmOgadLbzuivdkYK/TsbmANmEurMVQ4I0c6o9W7 +bNW+ww3uI6KYQJ/x7RKa7MLgplxcEtNJIQ== +=vxZn +-----END PGP PUBLIC KEY BLOCK----- diff --git a/satellit_installer/static_files/slxadmin/opt/openslx/restore.d/slxadmin-init/init.sh b/satellit_installer/static_files/slxadmin/opt/openslx/restore.d/slxadmin-init/init.sh new file mode 100755 index 0000000..b48a1bf --- /dev/null +++ b/satellit_installer/static_files/slxadmin/opt/openslx/restore.d/slxadmin-init/init.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +exec sudo -n -u www-data php "$( dirname "$0" )/slxadmin-init.php" diff --git a/satellit_installer/static_files/slxadmin/opt/openslx/restore.d/slxadmin-init/slxadmin-init.php b/satellit_installer/static_files/slxadmin/opt/openslx/restore.d/slxadmin-init/slxadmin-init.php new file mode 100644 index 0000000..ef3f0bd --- /dev/null 
+++ b/satellit_installer/static_files/slxadmin/opt/openslx/restore.d/slxadmin-init/slxadmin-init.php
@@ -0,0 +1,51 @@
+.inc.php
+spl_autoload_register(function ($class) {
+ $file = 'inc/' . preg_replace('/[^a-z0-9]/', '', mb_strtolower($class)) . '.inc.php';
+ if (!file_exists($file))
+ return;
+ require_once $file;
+});
+
+/*
+ * Stuff starts here
+ */
+
+/*
+ * Minilinux update source URL
+ */
+
+if ($MINILINUX_PUBKEY === false) {
+ echo "Error reading GPG key from file\n";
+ exit(1);
+}
+
+Database::exec("INSERT INTO minilinux_source (sourceid, title, url, pubkey)
+ VALUES ('bwlp', 'bwLehrpool', :url, :pubkey)
+ ON DUPLICATE KEY UPDATE title = VALUES(title), url = VALUES(url), pubkey = VALUES(pubkey)",
+ ['url' => $MINILINUX_URL, 'pubkey' => $MINILINUX_PUBKEY]);
+
+exit(0);
diff --git a/satellit_installer/static_files/slxadmin/opt/openslx/slxadmin-bootscript b/satellit_installer/static_files/slxadmin/opt/openslx/slxadmin-bootscript
new file mode 100755
index 0000000..a959dfd
--- /dev/null
+++ b/satellit_installer/static_files/slxadmin/opt/openslx/slxadmin-bootscript
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+FILE=$(mktemp)
+
+if ! php /srv/openslx/www/slx-admin/api.php init > "$FILE" 2>&1; then
+ php /srv/openslx/www/slx-admin/api.php init --crashreport "$FILE"
+elif [ -s "$FILE" ]; then
+ php /srv/openslx/www/slx-admin/api.php init --logreport "$FILE"
+fi
+
+rm -- "$FILE"
+sleep 1
+exit 0
diff --git a/satellit_installer/static_files/slxadmin/opt/openslx/slxadmin-cronscript b/satellit_installer/static_files/slxadmin/opt/openslx/slxadmin-cronscript
new file mode 100755
index 0000000..4ab7a21
--- /dev/null
+++ b/satellit_installer/static_files/slxadmin/opt/openslx/slxadmin-cronscript
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+PIDFILE="/tmp/bwlp-cronphppid"
+OLDPID=
+[ -s "$PIDFILE" ] && OLDPID=$(cat "$PIDFILE")
+
+[ -n "$OLDPID" ] && kill -0 "$OLDPID" && exit 0
+
+echo $$ > "$PIDFILE"
+
+FILE=$(mktemp)
+if ! php /srv/openslx/www/slx-admin/api.php cron >"$FILE" 2>&1; then
+ php /srv/openslx/www/slx-admin/api.php cron --crashreport "$FILE"
+fi
+rm -f -- "$FILE" "$PIDFILE"
+exit 0
+
diff --git a/satellit_installer/static_files/slxadmin/srv/openslx/www/index.php b/satellit_installer/static_files/slxadmin/srv/openslx/www/index.php
new file mode 100644
index 0000000..9f21f0b
--- /dev/null
+++ b/satellit_installer/static_files/slxadmin/srv/openslx/www/index.php
@@ -0,0 +1,3 @@
+ array(
+ 'news', 'locations', 'exams', 'dozmod', 'adduser', 'permissionmanager', 'locationinfo'
+ ),
+ 'main.settings-client' => array(
+ 'sysconfig', 'baseconfig', 'minilinux'
+ ),
+ 'main.settings-server' => array(
+ 'serversetup', 'vmstore', 'webinterface', 'backup', 'dnbd3', 'rebootcontrol'
+ ),
+ 'main.status' => array(
+ 'systemstatus', 'eventlog', 'syslog', 'statistics', 'statistics_reporting'
+ ),
+ 'main.etc' => array(
+ 'runmode', 'translation'
+ )
+);
+
diff --git a/satellit_installer/static_files/slxlog b/satellit_installer/static_files/slxlog
deleted file mode 100755
index 55110ae..0000000
--- a/satellit_installer/static_files/slxlog
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-
-[ "x$(whoami)" != "xwww-data" ] && exec sudo -n -u www-data "$0" "$@"
-
-php /srv/openslx/www/slx-admin/api.php "$@"
-
diff --git a/satellit_installer/static_files/system/apt-upgrade-conf b/satellit_installer/static_files/system/apt-upgrade-conf
deleted file mode 100644
index 8d6d7c8..0000000
--- a/satellit_installer/static_files/system/apt-upgrade-conf
+++ /dev/null
@@ -1,2 +0,0 @@
-APT::Periodic::Update-Package-Lists "1";
-APT::Periodic::Unattended-Upgrade "1";
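Review bot: The lock in slxadmin-cronscript is a fixed path in /tmp, `/tmp/bwlp-cronphppid`, and the PID read back from it is neither checked to be numeric nor tied to this script, so any stale or unrelated PID that happens to be alive makes every run `exit 0`; because /tmp is shared with all local accounts, a pre-existing file of another owner can also break the `echo $$ >` write or pre-seed the PID that is checked. Use a directory only www-data can write (for example under /run or /var/lib) and take the lock with flock, which also removes the window between the `kill -0` check and writing the pidfile: `exec 9>"$LOCKFILE" || exit 1` followed by `flock -n 9 || exit 0` replaces the PIDFILE/OLDPID block. The trailing `rm -f -- "$FILE" "$PIDFILE"` is skipped when php is killed, leaving a stale pidfile behind, whereas a flock is released with the process.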
diff --git a/satellit_installer/static_files/system/etc/apt/apt.conf.d/02periodic b/satellit_installer/static_files/system/etc/apt/apt.conf.d/02periodic
new file mode 100644
index 0000000..8d6d7c8
--- /dev/null
+++ b/satellit_installer/static_files/system/etc/apt/apt.conf.d/02periodic
@@ -0,0 +1,2 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
diff --git a/satellit_installer/static_files/system/etc/cron.daily/tmpdelete.sh b/satellit_installer/static_files/system/etc/cron.daily/tmpdelete.sh
new file mode 100755
index 0000000..9e68658
--- /dev/null
+++ b/satellit_installer/static_files/system/etc/cron.daily/tmpdelete.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# This is a mini script called by a cronjob to delete bwlp-entries in /tmp
+# directory older ~2 days.
+find /tmp -mtime +2 -name "bwlp-*" -maxdepth 1 -exec rm -rf -- {} \; 2>/dev/null
+# Same for VM uploads
+[ -d /srv/openslx/nfs ] && find /srv/openslx/nfs -mtime +2 -type f -name "*.upload.partial" -exec rm -f -- {} \; 2>/dev/null
+# NFS silly renames
+[ -d /srv/openslx/nfs ] && find /srv/openslx/nfs -mtime +4 -type f -name ".nfs*" -exec rm -f -- {} \; 2>/dev/null
diff --git a/satellit_installer/static_files/system/root/installer/firstrun_script.sh b/satellit_installer/static_files/system/root/installer/firstrun_script.sh
new file mode 100755
index 0000000..343be4d
--- /dev/null
+++ b/satellit_installer/static_files/system/root/installer/firstrun_script.sh
@@ -0,0 +1,59 @@ +#!/bin/bash + +cat <<-HEREDOC +Willkommen zur Grundkonfiguration des bwLehrpool-Satellitenservers. + +Diese einmalige Konfiguration dient dazu, das root-Passwort des Servers +zu ändern, sowie ggf. die Netzwerkkonfiguration des Servers anzupassen. + +Aus Sicherheitsgründen ist es dringend zu empfehlen, das root-Passwort +im Produktivbetrieb zu ändern! + +HEREDOC + +ERR=1 +while [ "$ERR" -ne 0 ]; do + passwd + ERR=$? +done + +echo "Abschließend können Sie festlegen, ob der Server seine IP-Konfiguration" +echo "per DHCP erhält, oder eine statische Konfiguration verwendet wird." +/usr/local/sbin/netsetup + +cat </dev/null || \ + echo "Achtung: Konnte Verzeichnis /root/installer nicht löschen - Verzeichnis nicht leer." +reboot diff --git a/satellit_installer/static_files/system/root/installer/rclocal_script.sh b/satellit_installer/static_files/system/root/installer/rclocal_script.sh new file mode 100755 index 0000000..07da0ee --- /dev/null +++ b/satellit_installer/static_files/system/root/installer/rclocal_script.sh 
@@ -0,0 +1,113 @@
+#!/bin/bash
+
+MY_PID=$$
+perror() {
+ echo "$@" >> /root/init.log
+ [ "$MY_PID" != "$$" ] && kill "$MY_PID"
+
+ if ! grep -q "rclocal_script.sh has thrown an error" /etc/motd; then
+ cat <<-EOF >> /etc/motd
+
+ WARNING!
+
+ rclocal_script.sh has thrown an error!
+ Please read /root/init.log and take appropriate measures!
+ This server may not work correctly!
+
+ EOF
+ fi
+ exit 5
+}
+
+echo "$(basename $0) gestartet: $(date "+%Y-%m-%d %H:%m:%S")" >> /root/init.log
+
+[ -r "/root/installer/config" ] || perror "Installationsfehler: Keine firstrun-config gefunden!"
+
+source "/root/installer/config" || { echo "Fehler beim Sourcen der firstrun-config." >> /root/init.log; exit 1; }
+
+generate_password() {
+ tr -dc _A-Za-z0-9 < /dev/urandom | head -c 16
+}
+
+patchfiles() {
+ # ...
+ # Warning: does not escape!
+ FIND=$1
+ REPLACE=$2
+ shift 2
+ while [ $# -gt 0 ]; do
+ sed -i "s/${FIND}/${REPLACE}/g" "$1"
+ shift
+ done
+}
+
+echo -n "Lösche alte ssh-Schlüssel ..." >> /root/init.log
+rm -f /etc/ssh/ssh_host_*key* 2>/dev/null
+echo " done."
+
+echo -n "Generating new ssh keys..." >> /root/init.log
+ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N "" -t rsa -q
+ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N "" -t dsa -q
+ssh-keygen -f /etc/ssh/ssh_host_ecdsa_key -N "" -t ecdsa -q
+ssh-keygen -f /etc/ssh/ssh_host_ed25519_key -N "" -t ed25519 -q
+echo "... done." >> /root/init.log
+
+export LANG=de_DE.UTF-8
+
+echo "Generiere intern genutzte Passwörter (z.B. MySQL-Zugänge) neu ..." >> /root/init.log
+umask 0077
+
+MYSQL_SAT_NEW=$(generate_password)
+echo "SET PASSWORD FOR 'sat'@'localhost' = PASSWORD('$MYSQL_SAT_NEW');" | mysql -u root || perror "Neusetzen des sat-MySQL-Passworts fehlgeschlagen."
+
+MYSQL_OPENSLX_NEW=$(generate_password)
+echo "SET PASSWORD FOR 'openslx'@'localhost' = PASSWORD('$MYSQL_OPENSLX_NEW');" | mysql -u root || perror "Neusetzen des openslx-MySQL-Passworts fehlgeschlagen."
+
+echo -n "Konfigurationsdateien werden aktualisiert..."
>> /root/init.log
+
+# sat mysql pass
+# Patch dmsd
+patchfiles "%MYSQL_SAT_PASS%" "$MYSQL_SAT_NEW" "$DMSDDIR/config.properties"
+
+# openslx mysql pass
+# Patching openslx-mysql-userpass into slx-admin config:
+patchfiles "%MYSQL_OPENSLX_PASS%" "$MYSQL_OPENSLX_NEW" "$WWWDIR/slx-admin/config.php"
+
+# taskmanager password
+TASKMANAGER_PASS=$(generate_password)
+patchfile "%TM_OPENSLX_PASS%" "$TASKMANAGER_PASS" "$WWWDIR/slx-admin/config.php" "$TASKMANDIR/config/config"
+
+echo " ok." >> /root/init.log
+
+echo "Dienste werden aktiviert..." >> /root/init.log
+
+# Enable bwLehrpool related services
+for i in dmsd.service taskmanager.service; do
+ systemctl enable $i
+ [ $? -ne 0 ] && echo "Warnung - konnte systemd-Service $i nicht aktivieren!" >> /root/init.log
+ systemctl start $i
+done
+
+# Write MOTD
+cat > /etc/motd < /etc/sat_version
+
+sed -i "/rclocal_script.sh/d" /etc/rc.local
+unlink "/root/installer/config" 2>/dev/null
+unlink "/root/installer/rclocal_script.sh" 2>/dev/null
+mv /etc/rc.local.sik /etc/rc.local
+exit 0
+
diff --git a/satellit_installer/static_files/system/usr/local/bin/finalize b/satellit_installer/static_files/system/usr/local/bin/finalize
new file mode 100755
index 0000000..1be85e2
--- /dev/null
+++ b/satellit_installer/static_files/system/usr/local/bin/finalize
@@ -0,0 +1,21 @@
+#!/bin/dash
+
+# Funny dash has a funny 'kill' builtin, which we
+# do not want to use.
+KILL=$(which kill)
+
+EIGENEPID=$(ps -o ppid $$|fgrep -v PPID)
+
+# kill every bash in reach, but not the parent('s parent):
+for i in $(ps axo pid,comm|grep bash|cut -d " " -f 2); do
+ [ $EIGENEPID != $i ] && $KILL -SIGKILL $i 2>/dev/null
+done
+
+# Now, empty root's ~/.bash_history:
+>~/.bash_history
+
+# Now we delete the script - necessary only once.
+rm -f "$_" 2>/dev/null
+
+exit
+
diff --git a/satellit_installer/static_files/system/usr/local/bin/slxlog b/satellit_installer/static_files/system/usr/local/bin/slxlog
new file mode 100755
index 0000000..55110ae
--- /dev/null
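Review bot: `patchfile "%TM_OPENSLX_PASS%" "$TASKMANAGER_PASS" ...` in rclocal_script.sh calls a function that does not exist — the helper defined above is `patchfiles` — so the taskmanager password placeholder is never replaced in slx-admin's config.php or the taskmanager config (which ships as `password = %TM_OPENSLX_PASS%`), the freshly generated TASKMANAGER_PASS is discarded, and the resulting "command not found" goes to stderr rather than /root/init.log, so nothing flags it. Rename the call to `patchfiles` and, since this step provisions a credential, verify the substitution the way the MySQL steps are guarded, e.g. `grep -q '%TM_OPENSLX_PASS%' "$TASKMANDIR/config/config" && perror "Taskmanager-Passwort konnte nicht gesetzt werden."` (patchfiles itself ends with the while loop's `shift`, so `|| perror` on the call would not catch a failed sed). A smaller slip on the same file: the init.log timestamp format `"+%Y-%m-%d %H:%m:%S"` prints the month where the minutes belong; it should be `%H:%M:%S`.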
+++ b/satellit_installer/static_files/system/usr/local/bin/slxlog
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+[ "x$(whoami)" != "xwww-data" ] && exec sudo -n -u www-data "$0" "$@"
+
+php /srv/openslx/www/slx-admin/api.php "$@"
+
diff --git a/satellit_installer/static_files/system/usr/local/sbin/netsetup b/satellit_installer/static_files/system/usr/local/sbin/netsetup
new file mode 100755
index 0000000..6616c50
--- /dev/null
+++ b/satellit_installer/static_files/system/usr/local/sbin/netsetup
@@ -0,0 +1,200 @@
+#!/bin/bash
+
+DATUM=$(date +%Y%m%d_%H%M%S)
+INTERFACES="/etc/network/interfaces"
+ETHALIAS=$( ifconfig -a | grep -oEm1 '^e\w+' )
+RESOLV="/etc/resolv.conf"
+HOSTNAMEFILE="/etc/hostname"
+SKRIPT=$(readlink -f "$0")
+ERR=0
+
+
+write_banner() {
+ echo
+ echo "Dieses Skript konfiguriert das Netzwerk-Interface."
+ echo
+ echo "Wenn Sie die Netzwerkkonfiguration ändern, sollten Sie anschließend"
+ echo "den Server rebooten."
+ echo
+}
+
+
+detect_config() {
+ if grep -q -E "^[[:space:]]*iface[[:space:]]+${ETHALIAS}[[:space:]]+inet[[:space:]]+dhcp" "$INTERFACES"; then
+ # dhcp detected, we presume
+ TYPE=dhcp-basierte
+ WUNSCH=statische
+ TOUCHE_TYPE=d
+ TOUCHE_DESIR=s
+ else
+ TYPE=statische
+ WUNSCH=dhcp-basierte
+ TOUCHE_TYPE=s
+ TOUCHE_DESIR=d
+ fi
+}
+
+ask_config() {
+ echo
+ echo "Es ist aktuell eine $TYPE IP-Adresse konfiguriert."
+ echo
+ echo "Wollen Sie eine $WUNSCH IP konfigurieren (${TOUCHE_DESIR}),"
+ echo "möchten Sie die $TYPE IP neu konfigurieren (${TOUCHE_TYPE}),"
+ echo "oder möchten Sie gar nichts tun (leere Eingabe)?"
+ echo
+ echo -n "Ihre Wahl? [${TOUCHE_DESIR}/${TOUCHE_TYPE}/nichts]: "
+ read CONFIG_ME
+ [ "$CONFIG_ME" == "" ] && exit 0
+}
+
+decide_action() {
+ case "$CONFIG_ME" in
+ ${TOUCHE_DESIR}*) backup_configs
+ if [ "$WUNSCH" == "statische" ]; then
+ enter_values_static
+ write_config_static
+ else
+ write_config_dyn
+ fi
+ ;;
+ ${TOUCHE_TYPE}*) backup_configs
+ if [ "$TYPE" == "statische" ]; then
+ enter_values_static
+ write_config_static
+ else
+ write_config_dyn
+ fi
+ ;;
+ *) echo; echo
+ echo "Ihre eingegebene Option $CONFIG_ME wurde nicht erkannt - Neustart."
+ echo
+ sleep 1
+ exec "$SKRIPT"
+ ;;
+ esac
+}
+
+backup_configs() {
+ if [ -f "$INTERFACES" ]; then
+ cp -p "$INTERFACES" "$INTERFACES.${DATUM}" || \
+ { echo "Konnte Datei $INTERFACES nicht nach $INTERFACES.$DATUM sichern - Abbruch."; \
+ exit 1 ; }
+ cp -p "$RESOLV" "$RESOLV.${DATUM}" || \
+ { echo "Konnte Datei $RESOLV nicht nach $RESOLV.$DATUM sichern - Abbruch."; \
+ exit 1 ; }
+ fi
+}
+
+restore_configs() {
+ cp -p "$INTERFACES.$DATUM" "$INTERFACES"
+ cp -p "$RESOLV.{DATUM}" "$RESOLV"
+}
+
+write_config_static() {
+ cat > "$INTERFACES" <<-HIER
+ # This file was written by the satellite auto installer.
+ # If any problems arise, copy $INTERFACES.${DATUM}.
+ # The loopback network interface
+ auto lo
+ iface lo inet loopback
+
+ # Primary network interface
+ auto $ETHALIAS
+ iface $ETHALIAS inet static
+ address $IPADRESS
+ gateway $GATEWAY
+ netmask $NETMASK
+ HIER
+
+ echo "# This file was written by the satellite server install script." > "$RESOLV"
+ echo "# If any problems arise, copy $RESOLV.${DATUM}." >> "$RESOLV"
+ [ -n "$DOMAIN" ] && echo "domain $DOMAIN" >> "$RESOLV"
+ [ -n "$SEARCH" ] && echo "search $SEARCH" >> "$RESOLV"
+ [ -n "$PRIMARYDNS" ] && echo "nameserver $PRIMARYDNS" >> "$RESOLV"
+ [ -n "$SECONDARYDNS" ] && echo "nameserver $SECONDARYDNS" >> "$RESOLV"
+
+ echo "$HOSTNAME" > "$HOSTNAMEFILE"
+
+ [ -n "$DOMAIN" ] && DOMAIN=".${DOMAIN}"
+ sed "s/127.0.1.1.*/127.0.1.1\t${HOSTNAME}${DOMAIN}\t${HOSTNAME}/g" -i /etc/hosts --in-place=.alt
+
+}
+
+write_config_dyn() {
+ cat > "$INTERFACES" <<-HIER
+ # This file was written by the satellite auto installer.
+ # If any problems arise, copy $INTERFACES.${DATUM}.
+ # The loopback network interface
+ auto lo
+ iface lo inet loopback
+
+ # Primary network interface
+ auto $ETHALIAS
+ iface $ETHALIAS inet dhcp
+ # Leaving /etc/resolv alone; pump/dhclient/whatever will take care of that.
+ HIER
+}
+
+enter_values_static() {
+ OLDHOSTNAME=$(hostname)
+ unset ENTRY
+ while true; do
+ echo
+ echo -n "IP-Adresse: "
+ read IPADRESS
+ echo -n "Gateway: "
+ read GATEWAY
+ echo -n "Netzmaske - leere Eingabe für 255.255.255.0: "
+ read NETMASK
+ [ -z "$NETMASK" ] && NETMASK=255.255.255.0
+ echo -n "Domain - leere Eingabe, wenn nicht erwünscht: "
+ read DOMAIN
+ echo -n "Search domain - leere Eingabe, wenn nicht erwünscht: "
+ read SEARCH
+ echo -n "Primärer Nameserver: "
+ read PRIMARYDNS
+ echo -n "Sekundärer Nameserver - Leere Eingabe, wenn nicht vorhanden: "
+ read SECONDARYDNS
+ echo -n "Hostname - leere Eingabe für bestehenden Hostname $OLDHOSTNAME: "
+ read HOSTNAME
+ [ "$HOSTNAME" == "" ] && HOSTNAME="$OLDHOSTNAME"
+ echo
+ echo "# IP-Adresse : $IPADRESS"
+ echo "# Gateway : $GATEWAY"
+ echo "# Netzmaske : $NETMASK"
+ echo "# Domain : $DOMAIN"
+ echo "# Search domain : $SEARCH"
+ echo "# Primärer Nameserver : $PRIMARYDNS"
+ echo "# Sekundärer Nameserver : $SECONDARYDNS"
+ echo "# Hostname : $HOSTNAME"
+ echo
+ while true; do
+ echo -n "Sind diese Eingaben korrekt? [J/n]: "
+ read ENTRY
+ echo
+ [[ -z "$ENTRY" || "$ENTRY" == j* || "$ENTRY" == J* ]] && return
+ if [[ "$ENTRY" == n* || "$ENTRY" == N* ]]; then
+ echo "Neustart der Eingabe..."
+ echo
+ break
+ fi
+ done
+ done
+}
+
+last_words() {
+ echo
+ echo "Einträge geschrieben... beende Skript."
+ echo
+}
+
+detect_config
+write_banner
+ask_config
+
+decide_action # do the stuff!
+
+last_words
+
+exit 0
+
diff --git a/satellit_installer/static_files/taskmanager/config b/satellit_installer/static_files/taskmanager/config
deleted file mode 100644
index 055dd13..0000000
--- a/satellit_installer/static_files/taskmanager/config
+++ /dev/null
@@ -1,2 +0,0 @@
-tcp = 9215
-password = %TM_OPENSLX_PASS%
diff --git a/satellit_installer/static_files/taskmanager/environment b/satellit_installer/static_files/taskmanager/environment
deleted file mode 100644
index 7de812c..0000000
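Review bot: `cp -p "$RESOLV.{DATUM}" "$RESOLV"` in restore_configs drops the `$`, so the source is the literal path /etc/resolv.conf.{DATUM} and the resolv.conf backup is never restored; it should be `cp -p "$RESOLV.${DATUM}" "$RESOLV"`. restore_configs is not called anywhere in this file, so the bug is dormant until someone wires it into an error path, which is exactly when it will hurt. enter_values_static also writes unvalidated input straight into $INTERFACES, /etc/hostname and /etc/hosts; `read -r` plus a sanity check such as `[[ "$IPADRESS" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || { echo "Ungültige IP-Adresse"; continue; }` before the confirmation prompt would stop a typo from producing a network config that leaves the box unreachable.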
--- a/satellit_installer/static_files/taskmanager/environment
+++ /dev/null
@@ -1,6 +0,0 @@
-PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-LANG=C
-LOGNAME
-USER
-LOGIN
-HOME
diff --git a/satellit_installer/static_files/taskmanager/etc/sudoers.d/taskmanager b/satellit_installer/static_files/taskmanager/etc/sudoers.d/taskmanager
new file mode 100644
index 0000000..b34bf9f
--- /dev/null
+++ b/satellit_installer/static_files/taskmanager/etc/sudoers.d/taskmanager
@@ -0,0 +1,12 @@
+# Sudoers configuration for user 'taskmanager'
+taskmanager ALL=(root) NOPASSWD: /opt/taskmanager/scripts/ldadp-launcher
+taskmanager ALL=(root) NOPASSWD: /sbin/reboot
+taskmanager ALL=(root) NOPASSWD: /bin/netstat
+taskmanager ALL=(root) NOPASSWD: /opt/taskmanager/scripts/systemctl
+taskmanager ALL=(root) NOPASSWD: /opt/taskmanager/scripts/mount-store
+taskmanager ALL=(root) NOPASSWD: /opt/taskmanager/scripts/system-backup
+taskmanager ALL=(root) NOPASSWD: /opt/taskmanager/scripts/system-restore
+taskmanager ALL=(root) NOPASSWD: /opt/taskmanager/scripts/install-https
+taskmanager ALL=(root) NOPASSWD: /opt/taskmanager/scripts/ldadp-setperms
+ALL ALL=(www-data) NOPASSWD: /usr/local/bin/slxlog
+Defaults env_keep += "TM_*"
diff --git a/satellit_installer/static_files/taskmanager/etc/systemd/system/multi-user.target.wants/taskmanager.service b/satellit_installer/static_files/taskmanager/etc/systemd/system/multi-user.target.wants/taskmanager.service
new file mode 120000
index 0000000..141a3f2
--- /dev/null
+++ b/satellit_installer/static_files/taskmanager/etc/systemd/system/multi-user.target.wants/taskmanager.service
@@ -0,0 +1 @@
+../taskmanager.service
\ No newline at end of file
diff --git a/satellit_installer/static_files/taskmanager/etc/systemd/system/taskmanager.service b/satellit_installer/static_files/taskmanager/etc/systemd/system/taskmanager.service
new file mode 100644
index 0000000..97662cb
--- /dev/null
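Review bot: `ALL ALL=(www-data) NOPASSWD: /usr/local/bin/slxlog` in etc/sudoers.d/taskmanager grants every local account the right to run slxlog as www-data, and slxlog (usr/local/bin/slxlog in this same diff) hands its arguments unchanged to slx-admin's api.php, so the rule effectively lets any user on the host invoke any api.php command as the web user; restrict the user field to the accounts that need it, e.g. `taskmanager ALL=(www-data) NOPASSWD: /usr/local/bin/slxlog` (root needs no rule). `Defaults env_keep += "TM_*"` is likewise unscoped and applies to every sudo invocation on the host; `Defaults:taskmanager env_keep += "TM_*"` keeps the TM_* passthrough to the taskmanager user only. Which accounts besides taskmanager call slxlog I cannot tell from this diff, so the rule may need more than one user, but ALL is too wide for a NOPASSWD entry.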
+++ b/satellit_installer/static_files/taskmanager/etc/systemd/system/taskmanager.service @@ -0,0 +1,17 @@ +[Unit] +Description=bwLehrpool Taskmanager + +[Service] +User=taskmanager +Group=taskmanager +WorkingDirectory=/opt/taskmanager/ +ExecStart=/opt/taskmanager/taskmanager.sh +Restart=always +RestartSec=5 +SyslogIdentifier=taskmanager +StandardOutput=syslog +StandardError=syslog + +[Install] +WantedBy=multi-user.target + diff --git a/satellit_installer/static_files/taskmanager/opt/taskmanager/config/config b/satellit_installer/static_files/taskmanager/opt/taskmanager/config/config new file mode 100644 index 0000000..055dd13 --- /dev/null +++ b/satellit_installer/static_files/taskmanager/opt/taskmanager/config/config @@ -0,0 +1,2 @@ +tcp = 9215 +password = %TM_OPENSLX_PASS% diff --git a/satellit_installer/static_files/taskmanager/opt/taskmanager/config/environment b/satellit_installer/static_files/taskmanager/opt/taskmanager/config/environment new file mode 100644 index 0000000..7de812c --- /dev/null +++ b/satellit_installer/static_files/taskmanager/opt/taskmanager/config/environment @@ -0,0 +1,6 @@ +PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +LANG=C +LOGNAME +USER +LOGIN +HOME diff --git a/satellit_installer/static_files/taskmanager/taskmanager.service b/satellit_installer/static_files/taskmanager/taskmanager.service deleted file mode 100644 index 97662cb..0000000 --- a/satellit_installer/static_files/taskmanager/taskmanager.service +++ /dev/null @@ -1,17 +0,0 @@ -[Unit] -Description=bwLehrpool Taskmanager - -[Service] -User=taskmanager -Group=taskmanager -WorkingDirectory=/opt/taskmanager/ -ExecStart=/opt/taskmanager/taskmanager.sh -Restart=always -RestartSec=5 -SyslogIdentifier=taskmanager -StandardOutput=syslog -StandardError=syslog - -[Install] -WantedBy=multi-user.target - 
diff --git a/satellit_installer/static_files/tftpd/etc/systemd/system/multi-user.target.wants/tftpd-hpa.service b/satellit_installer/static_files/tftpd/etc/systemd/system/multi-user.target.wants/tftpd-hpa.service new file mode 120000 index 0000000..c132ef5 --- /dev/null +++ b/satellit_installer/static_files/tftpd/etc/systemd/system/multi-user.target.wants/tftpd-hpa.service @@ -0,0 +1 @@ +../tftpd-hpa.service \ No newline at end of file diff --git a/satellit_installer/static_files/tftpd/etc/systemd/system/tftpd-hpa.service b/satellit_installer/static_files/tftpd/etc/systemd/system/tftpd-hpa.service new file mode 100644 index 0000000..b92254a --- /dev/null +++ b/satellit_installer/static_files/tftpd/etc/systemd/system/tftpd-hpa.service @@ -0,0 +1,11 @@ +[Unit] +Description=tftpd-hpa (OpenSLX Config) +After=network.target + +[Service] +ExecStart=/usr/sbin/in.tftpd --map-file /opt/openslx/tftpd-remap --user tftp --foreground --address :69 --secure /srv/openslx/tftp +#User=tftp +Restart=on-failure + +[Install] +WantedBy=multi-user.target diff --git a/satellit_installer/static_files/tftpd/opt/openslx/tftpd-remap b/satellit_installer/static_files/tftpd/opt/openslx/tftpd-remap new file mode 100644 index 0000000..1650e92 --- /dev/null +++ b/satellit_installer/static_files/tftpd/opt/openslx/tftpd-remap @@ -0,0 +1 @@ +re (.)ÿ+ \1 diff --git a/satellit_installer/static_files/tftpd/tftpd-hpa b/satellit_installer/static_files/tftpd/tftpd-hpa deleted file mode 100644 index 1e4589b..0000000 --- a/satellit_installer/static_files/tftpd/tftpd-hpa +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/default/tftpd-hpa - -TFTP_USERNAME="tftp" -TFTP_DIRECTORY="/srv/openslx/tftp" -TFTP_ADDRESS="0.0.0.0:69" -TFTP_OPTIONS="--secure" diff --git a/satellit_installer/static_files/tftpd/tftpd-hpa.service b/satellit_installer/static_files/tftpd/tftpd-hpa.service deleted file mode 100644 index b92254a..0000000 --- a/satellit_installer/static_files/tftpd/tftpd-hpa.service +++ /dev/null 
@@ -1,11 +0,0 @@ -[Unit] -Description=tftpd-hpa (OpenSLX Config) -After=network.target - -[Service] -ExecStart=/usr/sbin/in.tftpd --map-file /opt/openslx/tftpd-remap --user tftp --foreground --address :69 --secure /srv/openslx/tftp -#User=tftp -Restart=on-failure - -[Install] -WantedBy=multi-user.target diff --git a/satellit_installer/static_files/tftpd/tftpd-remap b/satellit_installer/static_files/tftpd/tftpd-remap deleted file mode 100644 index 1650e92..0000000 --- a/satellit_installer/static_files/tftpd/tftpd-remap +++ /dev/null @@ -1 +0,0 @@ -re (.)ÿ+ \1 diff --git a/satellit_installer/static_files/timesync/etc/systemd/system/network-online.target.wants/redneck-timesync.service b/satellit_installer/static_files/timesync/etc/systemd/system/network-online.target.wants/redneck-timesync.service new file mode 120000 index 0000000..9f3e128 --- /dev/null +++ b/satellit_installer/static_files/timesync/etc/systemd/system/network-online.target.wants/redneck-timesync.service @@ -0,0 +1 @@ +../redneck-timesync.service \ No newline at end of file diff --git a/satellit_installer/static_files/timesync/etc/systemd/system/redneck-timesync.service b/satellit_installer/static_files/timesync/etc/systemd/system/redneck-timesync.service new file mode 100644 index 0000000..e019a92 --- /dev/null +++ b/satellit_installer/static_files/timesync/etc/systemd/system/redneck-timesync.service @@ -0,0 +1,12 @@ +[Unit] +Description=Redneck timesync via HTTP headers +Wants=network.target network-online.target +After=network.target network-online.target + +[Service] +Type=oneshot +RemainAfterExit=no +ExecStart=/usr/local/sbin/redneck-timesync.sh -s + +[Install] +WantedBy=network-online.target diff --git a/satellit_installer/static_files/timesync/redneck-timesync.service b/satellit_installer/static_files/timesync/redneck-timesync.service deleted file mode 100644 index e019a92..0000000 --- a/satellit_installer/static_files/timesync/redneck-timesync.service +++ /dev/null 
@@ -1,12 +0,0 @@ -[Unit] -Description=Redneck timesync via HTTP headers -Wants=network.target network-online.target -After=network.target network-online.target - -[Service] -Type=oneshot -RemainAfterExit=no -ExecStart=/usr/local/sbin/redneck-timesync.sh -s - -[Install] -WantedBy=network-online.target diff --git a/satellit_installer/static_files/timesync/redneck-timesync.sh b/satellit_installer/static_files/timesync/redneck-timesync.sh deleted file mode 100755 index 0175456..0000000 --- a/satellit_installer/static_files/timesync/redneck-timesync.sh +++ /dev/null 
@@ -1,77 +0,0 @@ -#!/bin/sh - -USR=$(id -u) -if [ "$USR" != 0 ]; then - echo "Not running as root" - exit 1 -fi - -DRYRUN=false -[ "x$1" = "x-s" ] || DRYRUN=true - -# Check if clock is set properly by probing a bunch of web servers for -# their current time. Then -- after applying some sanity checks -- pick -# the median of the results and set the local clock to that time -# if the difference to our local clock is at least one minute and -# at most one day (limits adjustable below) -# This can be pretty useful in constrained environments with no -# real time servers accessible. - -MIN_DIFF=30 -MAX_DIFF=86400 - -URLS=" - https://www.google.de - https://www.cloudflare.com - https://www.uni-freiburg.de - https://www.bwlehrpool.de - https://www.dfn.de - https://www.amazon.de - https://www.microsoft.de -" - -F=$(mktemp) -[ -z "$F" ] && F=/tmp/timesync-boot -NOW=$(date +%s) -ECODE=0 - -# Request all at once, HEAD only, 2 sec timeout -for url in $URLS; do - curl -s -m 2 -I "$url" & -done | grep ^Date: | cut -c7- | while read -r line || [ -n "$line" ]; do - # convert each one to unix timestamp - T=$(date -d "$line" +%s) - # sanity check - [ -n "$T" ] && [ "$T" -gt 1234567890 ] && echo $T -done | sort -n > "$F" - -# Get the median of the sorted values -COUNT=$(wc -l "$F") -COUNT=${COUNT%% *} -if [ "$COUNT" -ge 3 ]; then - CENTER=$(( COUNT / 2 + 1 )) - BEST=$( head -n "$CENTER" "$F" | tail -n 1 ) - if [ "$BEST" -gt "$NOW" ]; then - DIFF=$(( BEST - NOW )) - else - DIFF=$(( NOW - BEST )) - fi - if [ "$DIFF" -gt "$MAX_DIFF" ]; then - echo "Clock difference too large ($DIFF seconds); refusing to fix." - ECODE=1 - elif [ "$DIFF" -lt "$MIN_DIFF" ]; then - echo "Clock difference ok (within $MIN_DIFF seconds)" - elif "$DRYRUN"; then - echo "Clock difference is $DIFF, but -s is not passed, not correcting time." - else - echo "Clock difference is $DIFF seconds, setting..." 
- date -s "@$BEST" - fi -else - echo "Not enough time probes from public servers to adjust time" - ECODE=1 -fi - -rm -f -- "$F" -exit $ECODE - diff --git a/satellit_installer/static_files/timesync/usr/local/sbin/redneck-timesync.sh b/satellit_installer/static_files/timesync/usr/local/sbin/redneck-timesync.sh new file mode 100755 index 0000000..0175456 --- /dev/null +++ b/satellit_installer/static_files/timesync/usr/local/sbin/redneck-timesync.sh 
@@ -0,0 +1,77 @@
+#!/bin/sh
+
+USR=$(id -u)
+if [ "$USR" != 0 ]; then
+ echo "Not running as root"
+ exit 1
+fi
+
+DRYRUN=false
+[ "x$1" = "x-s" ] || DRYRUN=true
+
+# Check if clock is set properly by probing a bunch of web servers for
+# their current time. Then -- after applying some sanity checks -- pick
+# the median of the results and set the local clock to that time
+# if the difference to our local clock is at least one minute and
+# at most one day (limits adjustable below)
+# This can be pretty useful in constrained environments with no
+# real time servers accessible.
+
+MIN_DIFF=30
+MAX_DIFF=86400
+
+URLS="
+ https://www.google.de
+ https://www.cloudflare.com
+ https://www.uni-freiburg.de
+ https://www.bwlehrpool.de
+ https://www.dfn.de
+ https://www.amazon.de
+ https://www.microsoft.de
+"
+
+F=$(mktemp)
+[ -z "$F" ] && F=/tmp/timesync-boot
+NOW=$(date +%s)
+ECODE=0
+
+# Request all at once, HEAD only, 2 sec timeout
+for url in $URLS; do
+ curl -s -m 2 -I "$url" &
+done | grep ^Date: | cut -c7- | while read -r line || [ -n "$line" ]; do
+ # convert each one to unix timestamp
+ T=$(date -d "$line" +%s)
+ # sanity check
+ [ -n "$T" ] && [ "$T" -gt 1234567890 ] && echo $T
+done | sort -n > "$F"
+
+# Get the median of the sorted values
+COUNT=$(wc -l "$F")
+COUNT=${COUNT%% *}
+if [ "$COUNT" -ge 3 ]; then
+ CENTER=$(( COUNT / 2 + 1 ))
+ BEST=$( head -n "$CENTER" "$F" | tail -n 1 )
+ if [ "$BEST" -gt "$NOW" ]; then
+ DIFF=$(( BEST - NOW ))
+ else
+ DIFF=$(( NOW - BEST ))
+ fi
+ if [ "$DIFF" -gt "$MAX_DIFF" ]; then
+ echo "Clock difference too large ($DIFF seconds); refusing to fix."
+ ECODE=1
+ elif [ "$DIFF" -lt "$MIN_DIFF" ]; then
+ echo "Clock difference ok (within $MIN_DIFF seconds)"
+ elif "$DRYRUN"; then
+ echo "Clock difference is $DIFF, but -s is not passed, not correcting time."
+ else
+ echo "Clock difference is $DIFF seconds, setting..."
+ date -s "@$BEST"
+ fi
+else
+ echo "Not enough time probes from public servers to adjust time"
+ ECODE=1
+fi
+
+rm -f -- "$F"
+exit $ECODE
+
diff --git a/satellit_installer/static_files/tmpdelete.sh b/satellit_installer/static_files/tmpdelete.sh
deleted file mode 100755
index 9e68658..0000000
--- a/satellit_installer/static_files/tmpdelete.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/bash
-
-# This is a mini script called by a cronjob to delete bwlp-entries in /tmp
-# directory older ~2 days.
-find /tmp -mtime +2 -name "bwlp-*" -maxdepth 1 -exec rm -rf -- {} \; 2>/dev/null
-# Same for VM uploads
-[ -d /srv/openslx/nfs ] && find /srv/openslx/nfs -mtime +2 -type f -name "*.upload.partial" -exec rm -f -- {} \; 2>/dev/null
-# NFS silly renames
-[ -d /srv/openslx/nfs ] && find /srv/openslx/nfs -mtime +4 -type f -name ".nfs*" -exec rm -f -- {} \; 2>/dev/null
-- cgit v1.2.3-55-g7522
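Review bot: A failing `date -s "@$BEST"` in the new redneck-timesync.sh leaves ECODE at 0, so a caller checking the exit status cannot tell a successful clock correction from one that was refused by the kernel or a container; `date -s "@$BEST" || ECODE=1` keeps the exit code honest. The header comment also promises adjustment only when the difference is "at least one minute", while MIN_DIFF is 30, so either set `MIN_DIFF=60` or reword the comment to `# if the difference to our local clock is at least MIN_DIFF seconds and`. Since this root-run script trusts the Date header only because every URL is https and curl is invoked without `-k`, a one-line comment above URLS such as `# https only: the Date header is only trusted after certificate validation; never add -k/--insecure` would keep a future edit from silently turning a MITM into a clock-setting primitive. The content appears identical to the file removed in the preceding hunk, so this looks like a move into the new static_files tree rather than a behavioural change.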
