[enh] Update yunohost, ssl and ssh conf_regen hooks

This commit is contained in:
Jérôme Lebleu 2016-04-11 21:26:13 +02:00
parent 9229210538
commit 4090630bd9
6 changed files with 149 additions and 119 deletions


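--- a/UNKNOWN_PATH_old_yunohost_hook
+++ /dev/null
@@ -1,25 +0,0 @@
-set -e
-force=$1
-cd /usr/share/yunohost/templates/yunohost
-sudo mkdir -p /etc/yunohost
-if [ ! -f /etc/yunohost/current_host ]; then
-echo "yunohost.org" | sudo tee /etc/yunohost/current_host
-fi
-if [ ! -f /etc/yunohost/firewall.yml ]; then
-sudo cp firewall.yml /etc/yunohost/firewall.yml
-fi
-if [ ! -f /etc/yunohost/services.yml ]; then
-sudo cp services.yml /etc/yunohost/services.yml
-fi
-# Allow users to access /media directory
-if [ ! -d /etc/skel/media ]; then
-mkdir -p /media
-ln -s /media /etc/skel/
-fi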


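--- a/UNKNOWN_PATH_old_ssl_hook
+++ /dev/null
@@ -1,64 +0,0 @@
-set -e
-force=$1
-function safe_copy () {
-if [ ! -f /etc/yunohost/installed ]; then
-sudo cp $1 $2
-else
-if [ $force ]; then
-sudo yunohost service safecopy \
--s ssl $1 $2 --force
-else
-sudo yunohost service safecopy \
--s ssl $1 $2
-fi
-fi
-}
-cd /usr/share/yunohost/templates/ssl
-ssl_dir=/usr/share/yunohost/yunohost-config/ssl/yunoCA
-sudo mkdir -p /etc/yunohost/certs/yunohost.org
-sudo mkdir -p $ssl_dir/{ca,certs,crl,newcerts}
-safe_copy openssl.cnf $ssl_dir/openssl.cnf
-[ -f $ssl_dir/serial ] \
-|| (echo "00" | sudo tee $ssl_dir/serial)
-[ -f $ssl_dir/index.txt ] \
-|| sudo touch $ssl_dir/index.txt
-if [ ! -f /etc/yunohost/certs/yunohost.org/ca.pem ]; then
-sudo openssl req -x509 -new -config $ssl_dir/openssl.cnf \
--days 3650 -out $ssl_dir/ca/cacert.pem \
--keyout $ssl_dir/ca/cakey.pem -nodes -batch
-sudo cp $ssl_dir/ca/cacert.pem \
-/etc/yunohost/certs/yunohost.org/ca.pem
-sudo ln -sf /etc/yunohost/certs/yunohost.org/ca.pem \
-/etc/ssl/certs/ca-yunohost_crt.pem
-sudo update-ca-certificates
-fi
-if [ ! -f /etc/yunohost/certs/yunohost.org/crt.pem ]; then
-sudo openssl req -new -config $ssl_dir/openssl.cnf \
--days 730 -out $ssl_dir/certs/yunohost_csr.pem \
--keyout $ssl_dir/certs/yunohost_key.pem -nodes -batch
-sudo openssl ca -config $ssl_dir/openssl.cnf \
--days 730 -in $ssl_dir/certs/yunohost_csr.pem \
--out $ssl_dir/certs/yunohost_crt.pem -batch
-last_cert=$(ls $ssl_dir/newcerts/*.pem | sort -V | tail -n 1)
-sudo chmod 640 $ssl_dir/certs/yunohost_key.pem
-sudo chmod 640 $last_cert
-sudo cp $ssl_dir/certs/yunohost_key.pem \
-/etc/yunohost/certs/yunohost.org/key.pem
-sudo cp $last_cert \
-/etc/yunohost/certs/yunohost.org/crt.pem
-sudo ln -sf /etc/yunohost/certs/yunohost.org/crt.pem \
-/etc/ssl/certs/yunohost_crt.pem
-sudo ln -sf /etc/yunohost/certs/yunohost.org/key.pem \
-/etc/ssl/private/yunohost_key.pem
-fi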


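--- a/UNKNOWN_PATH_old_ssh_hook
+++ /dev/null
@@ -1,30 +0,0 @@
-set -e
-force=$1
-function safe_copy () {
-if [ $force ]; then
-sudo yunohost service safecopy \
--s ssh \
-$1 $2 \
---force
-else
-sudo yunohost service safecopy \
--s ssh \
-$1 $2
-fi
-}
-cd /usr/share/yunohost/templates/ssh
-# Only overwrite SSH configuration on an ISO installation
-if [ ! -f /etc/yunohost/from_script ]; then
-# Do not listen to IPv6 if unavailable
-if [ ! -f /proc/net/if_inet6 ]; then
-sudo sed -i "s/ListenAddress ::/#ListenAddress ::/g" sshd_config
-fi
-safe_copy sshd_config /etc/ssh/sshd_config
-sudo service ssh restart
-fi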


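--- /dev/null
+++ b/UNKNOWN_PATH_new_yunohost_hook
@@ -0,0 +1,40 @@
+set -e
+do_pre_regen() {
+pending_dir=$1
+cd /usr/share/yunohost/templates/yunohost
+[[ -d /etc/yunohost ]] || mkdir -p /etc/yunohost
+# set default current_host
+[[ -f /etc/yunohost/current_host ]] \
+|| echo "yunohost.org" | sudo tee /etc/yunohost/current_host
+# copy default firewall and services
+# TODO: update them as needed with upgrades
+[[ -f /etc/yunohost/firewall.yml ]] \
+|| sudo cp firewall.yml /etc/yunohost/firewall.yml
+[[ -f /etc/yunohost/services.yml ]] \
+|| sudo cp services.yml /etc/yunohost/services.yml
+# allow users to access /media directory
+[[ -d /etc/skel/media ]] \
+|| (mkdir -p /media && ln -s /media /etc/skel/media)
+}
+FORCE=$2
+case "$1" in
+pre)
+do_pre_regen $3
+;;
+post)
+;;
+*)
+echo "hook called with unknown argument \`$status'" >&2
+exit 1
+;;
+esac
+exit 0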
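Review bot: The `*)` arm of the case reports `$status`, which is never assigned in this file, so the diagnostic always prints an empty name instead of the offending argument; it should read `echo "hook called with unknown argument \`$1'" >&2`. The ssl and ssh hooks added in this commit carry the same line. In do_pre_regen, `pending_dir` is assigned from `$3` but never read and the defaults are written straight into /etc/yunohost, whereas the ssl hook stages its file under `${pending_dir}`; if the direct writes are intentional, a one-line comment saying so would stop the next reader from treating it as an omission. `do_pre_regen $3` is unquoted — `do_pre_regen "$3"` keeps a pending path containing spaces intact.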


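--- /dev/null
+++ b/UNKNOWN_PATH_new_ssl_hook
@@ -0,0 +1,71 @@
+set -e
+ssl_dir="/usr/share/yunohost/yunohost-config/ssl/yunoCA"
+do_pre_regen() {
+pending_dir=$1
+cd /usr/share/yunohost/templates/ssl
+install -D openssl.cnf "${pending_dir}/${ssl_dir}/openssl.cnf"
+}
+do_post_regen() {
+sudo mkdir -p "/etc/yunohost/certs/yunohost.org"
+sudo mkdir -p "${ssl_dir}/"{ca,certs,crl,newcerts}
+[[ -f "${ssl_dir}/serial" ]] \
+|| (echo "00" | sudo tee "${ssl_dir}/serial")
+[[ -f "${ssl_dir}/index.txt" ]] \
+|| sudo touch "${ssl_dir}/index.txt"
+if [[ ! -f /etc/yunohost/certs/yunohost.org/ca.pem ]]; then
+sudo openssl req -x509 -new -config $ssl_dir/openssl.cnf \
+-days 3650 -out $ssl_dir/ca/cacert.pem \
+-keyout $ssl_dir/ca/cakey.pem -nodes -batch 2>&1
+sudo cp $ssl_dir/ca/cacert.pem \
+/etc/yunohost/certs/yunohost.org/ca.pem
+sudo ln -sf /etc/yunohost/certs/yunohost.org/ca.pem \
+/etc/ssl/certs/ca-yunohost_crt.pem
+sudo update-ca-certificates
+fi
+if [[ ! -f /etc/yunohost/certs/yunohost.org/crt.pem ]]; then
+sudo openssl req -new -config $ssl_dir/openssl.cnf \
+-days 730 -out $ssl_dir/certs/yunohost_csr.pem \
+-keyout $ssl_dir/certs/yunohost_key.pem -nodes -batch 2>&1
+sudo openssl ca -config $ssl_dir/openssl.cnf \
+-days 730 -in $ssl_dir/certs/yunohost_csr.pem \
+-out $ssl_dir/certs/yunohost_crt.pem -batch 2>&1
+last_cert=$(ls $ssl_dir/newcerts/*.pem | sort -V | tail -n 1)
+sudo chmod 640 $ssl_dir/certs/yunohost_key.pem
+sudo chmod 640 $last_cert
+sudo cp $ssl_dir/certs/yunohost_key.pem \
+/etc/yunohost/certs/yunohost.org/key.pem
+sudo cp $last_cert \
+/etc/yunohost/certs/yunohost.org/crt.pem
+sudo ln -sf /etc/yunohost/certs/yunohost.org/crt.pem \
+/etc/ssl/certs/yunohost_crt.pem
+sudo ln -sf /etc/yunohost/certs/yunohost.org/key.pem \
+/etc/ssl/private/yunohost_key.pem
+fi
+}
+FORCE=$2
+case "$1" in
+pre)
+do_pre_regen $3
+;;
+post)
+do_post_regen
+;;
+*)
+echo "hook called with unknown argument \`$status'" >&2
+exit 1
+;;
+esac
+exit 0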
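Review bot: The CA private key written by the first `openssl req` in do_post_regen (`$ssl_dir/ca/cakey.pem`, unencrypted because of `-nodes`) is never given restrictive permissions, while the server key a few lines below gets `chmod 640`; the CA key's mode is left to whatever the installed openssl and root's umask produce. Adding `sudo chmod 600 "$ssl_dir/ca/cakey.pem"` directly after that openssl call makes the key that signs every certificate at least as protected as the leaf key. Separately, the `2>&1` appended to the three openssl invocations folds their error output into stdout, so a failed generation no longer reaches the caller's stderr; if the intent is to capture it in the regen log, a comment saying so would help. `last_cert=$(ls $ssl_dir/newcerts/*.pem | sort -V | tail -n 1)` parses ls output, and the unquoted `$ssl_dir` expansions in this function are inconsistent with the quoted ones at its top.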


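--- /dev/null
+++ b/UNKNOWN_PATH_new_ssh_hook
@@ -0,0 +1,38 @@
+set -e
+do_pre_regen() {
+pending_dir=$1
+cd /usr/share/yunohost/templates/ssh
+# only overwrite SSH configuration on an ISO installation
+if [[ ! -f /etc/yunohost/from_script ]]; then
+# do not listen to IPv6 if unavailable
+[[ -f /proc/net/if_inet6 ]] \
+|| sed -i "s/ListenAddress ::/#ListenAddress ::/g" sshd_config
+install -D sshd_config "${pending_conf}/etc/ssh/sshd_config"
+fi
+}
+do_post_regen() {
+[[ -f /etc/yunohost/from_script ]] \
+|| sudo service ssh restart
+}
+FORCE=$2
+case "$1" in
+pre)
+do_pre_regen $3
+;;
+post)
+do_post_regen
+;;
+*)
+echo "hook called with unknown argument \`$status'" >&2
+exit 1
+;;
+esac
+exit 0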
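Review bot: `install -D sshd_config "${pending_conf}/etc/ssh/sshd_config"` in do_pre_regen expands a variable that is never set — the function assigns `pending_dir` — and with `set -e` but no `set -u` it expands to nothing, so the file is written straight to /etc/ssh/sshd_config instead of the pending directory the hook receives in `$3`; it should be `install -D sshd_config "${pending_dir}/etc/ssh/sshd_config"`. The `sed -i` on the line above runs in the templates directory after the `cd`, so it permanently edits the packaged template rather than the staged copy; running it after the install on `"${pending_dir}/etc/ssh/sshd_config"` keeps the template pristine and makes the IPv6 decision re-evaluable on the next regen. `do_pre_regen $3` is unquoted and would be safer as `do_pre_regen "$3"`.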