Commit b71ae0d2 authored by Paul Cammish's avatar Paul Cammish

Sets hostname correctly, and sets remaining roundcube default

parent aca46a37
......@@ -94,7 +94,6 @@ install:quick:
stage: install
allow_failure: false
script:
- echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections
- chmod -x $( which gitlab-runner )
- hostname quick.sympl.test
- echo "$( hostname )" > /etc/hostname ; echo "$( hostname -I | head -n 1 ) $(hostname)" >> /etc/hosts
......@@ -105,6 +104,7 @@ install:quick:
- apt-get -qq update
- apt-get -y --allow-unauthenticated install --install-recommends sympl-core
- run-parts --verbose --exit-on-error autotest/test.d
- hostname
- dpkg -l 'sympl*'
variables:
CI_DEBUG_TRACE: "false"
......@@ -120,10 +120,8 @@ install:clean:
stage: install
allow_failure: false
script:
- echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections
- chmod -x $( which gitlab-runner )
- hostname clean.sympl.test
- echo "$( hostname )" > /etc/hostname ; echo "$( hostname -I | head -n 1 ) $(hostname)" >> /etc/hosts
- apt-get -qq update; apt-get -qq -y upgrade
- cp -r repo/ /
- chmod -R 664 /repo ; chmod -R +X /repo
......@@ -131,6 +129,7 @@ install:clean:
- apt-get -qq update
- apt-get -y --allow-unauthenticated install --install-recommends sympl-core
- run-parts --verbose --exit-on-error autotest/test.d
- hostname
- dpkg -l 'sympl*'
variables:
CI_DEBUG_TRACE: "false"
......@@ -146,20 +145,22 @@ install:upgrade:
stage: install
allow_failure: false
script:
- echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections
- chmod -x $( which gitlab-runner )
- hostname upgrade.sympl.test
- echo "$( hostname )" > /etc/hostname ; echo "$( hostname -I | head -n 1 ) $(hostname)" >> /etc/hosts
- apt-get -qq update; apt-get -qq -y upgrade
- wget -qO- http://mirror.mythic-beasts.com/mythic/support@mythic-beasts.com.gpg.key | apt-key add -
- echo deb http://packages.mythic-beasts.com/mythic/ stretch-testing main > /etc/apt/sources.list.d/sympl_mythic-beasts.list
- apt-get -qq update; apt-get -qq install --install-recommends sympl-core
- dpkg -l 'sympl-*' | grep '^ii' | awk '{ print $2 " " $3 }' | sort > pre-upgrade
- cp -r repo/ /
- chmod -R 664 /repo ; chmod -R +X /repo
- echo "deb file:/repo stretch main" > /etc/apt/sources.list.d/local.list
- apt-get -qq update; apt-get -y --allow-unauthenticated upgrade
- apt-get -y autoremove
- dpkg -l 'sympl-*' | grep '^ii' | awk '{ print $2 " " $3 }' | sort > post-upgrade
- autotest/checkupgrade
- run-parts --verbose --exit-on-error autotest/test.d
- hostname
- dpkg -l 'sympl*'
variables:
CI_DEBUG_TRACE: "false"
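Review bot: In `install:upgrade` the repository signing key is fetched over plain HTTP and piped straight into `apt-key add -`, so nothing authenticates the key that then vouches for every package pulled from `packages.mythic-beasts.com`. These lines look like context rather than part of this change, but since the job is being edited anyway, committing the key to the repository or checking its fingerprint before adding it would remove the dependency on the network path. The `--allow-unauthenticated` on the upgrade from `file:/repo` would also merit a comment such as `# local repo built by this pipeline is unsigned`, so the flag is not copied into a job that uses a remote source.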
......
CHANGELOG
---------
* 2019-06-13 - Improved hostname & webmail installs
- Hostname misconfiguration will be repaired automatically
- If a FQDN isn't set, one will be created automatically.
- Webmail should no longer prompt for web server to configure
* 2019-06-12 - Changes to web stats
- Stats are no longer generated by default.
- If it exists, public/htdocs/stats will require HTTPS and a
......
#!/bin/bash
if [ $( diff pre-upgrade post-upgrade | wc -l ) -eq 0 ]; then
echo 'E: Versions not changed'
exit 1
fi
diff pre-upgrade post-upgrade
exit 0
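Review bot: `checkupgrade` treats any non-empty diff as a successful upgrade, so an empty `pre-upgrade` list passes the check as long as `post-upgrade` has content. A missing file fails, but with the misleading message 'E: Versions not changed'. A guard before the comparison, `[ -s pre-upgrade ] && [ -s post-upgrade ] || { echo 'E: package list missing or empty'; exit 1; }`, would report both cases accurately. The command substitution inside the test is also unquoted; `[ "$( diff pre-upgrade post-upgrade | wc -l )" -eq 0 ]` is the safer form.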
......@@ -14,7 +14,7 @@ fi
# remove any existing definations
rm -r /var/lib/clamav/*.tmp /var/lib/clamav/*.cvd /var/lib/clamav/*.cld 2> /dev/null
touch /srv/$(hostname)/config/antivirus
touch /srv/$(hostname -f)/config/antivirus
# Start freshclam to download new definitions, whatever state it's in
systemctl unmask clamav-freshclam
......@@ -56,7 +56,7 @@ service clamav-daemon start
# Enable antispam and antivirus as default, otherwise monit would stop them.
echo "I: Enabling Antivirus and Antispam config"
touch /srv/$(hostname)/config/anti{spam,virus}
touch /srv/$(hostname -f)/config/anti{spam,virus}
# We need to wait a little while for spamd and clamd to start properly before testing.
......@@ -69,7 +69,7 @@ echo ' done.'
# Start spamassassin, from whatever state
touch /srv/$(hostname)/config/antispam
touch /srv/$(hostname -f)/config/antispam
systemctl unmask spamassassin
service spamassassin stop
service spamassassin start
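Review bot: `$(hostname -f)` is expanded unquoted and unchecked in each `touch /srv/$(hostname -f)/config/...` line, so if the FQDN cannot be resolved the substitution is empty and the path becomes `/srv//config/...`. Resolving it once near the top, `fqdn="$(hostname -f)" || exit 1`, and then using `"/srv/$fqdn/config/antivirus"` would make the test fail at the cause instead of on a confusing path error. The same applies to the mailbox and FTP password lines and to `sympl-ssl --force $(hostname -f)` in the test scripts that follow. These hunks start and end inside the script, so a check outside the visible lines may already cover this.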
......
......@@ -18,14 +18,14 @@ ruby -e "ans='$ans'.sub(/^\{CRYPT\}/,'') ; exit '$pw'.crypt(ans) == ans"
#
# Set the mailbox password using our newly encrypted password
#
echo "$ans" > /srv/$(hostname)/mailboxes/root/password
chown sympl.sympl /srv/$(hostname)/mailboxes/root/password
echo "$ans" > /srv/$(hostname -f)/mailboxes/root/password
chown sympl.sympl /srv/$(hostname -f)/mailboxes/root/password
#
# Set the FTP password
#
echo "$ans" > /srv/$(hostname)/config/ftp-password
chown sympl.sympl /srv/$(hostname)/config/ftp-password
echo "$ans" > /srv/$(hostname -f)/config/ftp-password
chown sympl.sympl /srv/$(hostname -f)/config/ftp-password
#
# This just returns the IP address
......@@ -98,7 +98,7 @@ symbiosis-firewall-whitelist --verbose
#
# Check the FTP password
#
AUTHD_ACCOUNT="$(hostname)" AUTHD_PASSWORD="$pw" AUTHD_REMOTE_IP="1.2.3.4" symbiosis-ftpd-check-password
AUTHD_ACCOUNT="$(hostname -f)" AUTHD_PASSWORD="$pw" AUTHD_REMOTE_IP="1.2.3.4" symbiosis-ftpd-check-password
#=============================================================================================================
# symbiosis-httpd
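Review bot: The `password` and `ftp-password` files are created by shell redirection under whatever umask the test runs with, and only their ownership is set afterwards; nothing in the hunk restricts their mode. Even though the content is a crypt hash, `chmod 600 "/srv/$(hostname -f)/mailboxes/root/password"` after each `chown` (or a `umask 077` before the writes) would keep it from being world-readable, unless Sympl's own permission tooling is relied on for that, which is not visible here. `chown sympl.sympl` also uses the deprecated dot separator, whereas the package's postinst in this commit uses `sympl:sympl`.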
......
......@@ -6,7 +6,7 @@ if [ -f /tmp/ssl-hook-test ]; then rm /tmp/ssl-hook-test ; fi
echo 'echo $1 > /tmp/ssl-hook-test' > /etc/sympl/ssl-hooks.d/ssl-hook-test
chmod +x /etc/sympl/ssl-hooks.d/ssl-hook-test
sympl-ssl --force $(hostname) > /dev/null
sympl-ssl --force $(hostname -f) > /dev/null
if [ "x$( cat /tmp/ssl-hook-test )" != "xlive-update" ] || [ ! -f /tmp/ssl-hook-test ] ; then
rm /etc/sympl/ssl-hooks.d/ssl-hook-test /tmp/ssl-hook-test
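Review bot: The hook test uses the fixed path `/tmp/ssl-hook-test` for a file written by a hook that presumably runs as root, and the `if` reads it with `cat` before the `-f` test is evaluated. On anything other than a throwaway CI container, a predictable name in a world-writable directory can be pre-created by another local user; a directory from `mktemp -d` would avoid that. Putting `[ ! -f /tmp/ssl-hook-test ]` first in the condition would also avoid the `cat` error when the hook never ran. The `if` body continues beyond the visible lines.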
......
sympl-core (9.0.190613.0) stable; urgency=medium
* Improved hostname handling on install
-- Paul Cammish <sympl@kelduum.net> Thu, 13 Jun 2019 15:52:00 +0100
sympl-core (9.0.190612.0) stable; urgency=medium
* Improved security for /srv
......
......@@ -38,7 +38,6 @@ shadowconfig on
#
if ( ! grep ^sympl: /etc/passwd 2>/dev/null >/dev/null ); then
echo "Adding 'sympl' account"
adduser --home=/home/sympl --shell=/bin/bash --disabled-login --gecos='Sympl Administrator,,,' sympl
#
......@@ -70,57 +69,91 @@ if ( ! dpkg-statoverride --list /srv > /dev/null ) ; then
fi
#
# Find the hostname, if not set already.
# Set the hostname, preferring the FQDN if it's there.
#
if [ -z "$HOSTNAME" ] ; then
if [ -f /etc/hostname ] ; then
HOSTNAME=$(< /etc/hostname)
# We default to what it's been set to at the moment, rather than
# what's in /etc/hostname, as its easy to change one but forget the other.
#
if hostname --fqdn > /dev/null ; then
_HOSTNAME="$( hostname --fqdn )"
else
_HOSTNAME="$( hostname )"
fi
echo "I: Hostname is $_HOSTNAME"
#
# Append ".localdomain" if HOSTNAME has no dots
# (which is unlikely to happen with a clean install)
#
if ! [[ "$_HOSTNAME" =~ ^[_a-z0-9-]+\.([_a-z0-9-]+\.?)+$ ]] ; then
echo "I: Hostname is not an FQDN, changing to $_HOSTNAME.localdomain."
_HOSTNAME="$_HOSTNAME.localdomain"
fi
#
# If the full hostname isn't now in /etc/hosts, then add it
#
# This assumes that theres only one entry for each IP, and doesn't deal with
# partially mangled hosts files, but will deal with someone changing the
# hostname but not also changing /etc/hosts
#
if [ $( grep -c $_HOSTNAME '/etc/hosts' ) == 0 ]; then
echo "I: Updating hostname configuration with complete name."
if hostname -i > /dev/null ; then
hostname_ips="$( hostname -i )"
else
HOSTNAME=$(hostname --fqdn)
hostname_ips="127.0.1.1"
fi
sed -i "s|^$hostname_ips|# $hostname_ips|" '/etc/hosts'
sed -i "1i$hostname_ips\t$_HOSTNAME $( echo $_HOSTNAME | cut -d '.' -f 1 )" '/etc/hosts'
export HOSTNAME="$_HOSTNAME"
hostname -b "$_HOSTNAME"
fi
#
# Append ".localdomain" if HOSTNAME has no dots.
# Enforce using the full hostname
#
if ! [[ "$HOSTNAME" =~ ^[_a-z0-9-]+\.([_a-z0-9-]+\.?)+$ ]] ; then
HOSTNAME="$HOSTNAME.localdomain"
fi
echo "I: Checking hostname configuration files."
if [ "$HOSTNAME" != "$_HOSTNAME" ]; then export HOSTNAME="$_HOSTNAME"; fi
if [ "$( hostname )" != "$_HOSTNAME" ]; then hostname -b "$_HOSTNAME" ; fi
if [ "$( cat /etc/hostname )" != "$_HOSTNAME" ]; then echo "$_HOSTNAME" > "/etc/hostname" ; fi
if [ -f "/etc/mailname" ] && [ "$( cat "/etc/mailname" )" != "$_HOSTNAME" ]; then echo "$_HOSTNAME" > "/etc/mailname" ; fi
#
# If there are no existing directories beneath /srv/ create a default.
# If there are no existing directories beneath /srv/ create the defaults.
#
if [ ! -e "/srv/$HOSTNAME" ] ; then
if [ ! -e "/srv/$_HOSTNAME" ] ; then
#
# Create the standard directories
#
mkdir -p /srv/$HOSTNAME/public/htdocs
mkdir -p /srv/$HOSTNAME/public/logs
mkdir -p /srv/$HOSTNAME/config
mkdir -p /srv/$HOSTNAME/mailboxes/root
chown -R sympl:sympl /srv/$HOSTNAME
chown -R www-data:www-data /srv/$HOSTNAME/public
#
mkdir -p /srv/$_HOSTNAME/public/htdocs
mkdir -p /srv/$_HOSTNAME/public/logs
mkdir -p /srv/$_HOSTNAME/config
mkdir -p /srv/$_HOSTNAME/mailboxes/root
# With the right permissions
chown -R sympl:sympl /srv/$_HOSTNAME
chown -R www-data:www-data /srv/$_HOSTNAME/public
fi
#
# We'd like to generate a certificate for the hostname. Naturally this will go in /srv/$HOSTNAME
# We'd like to generate a certificate for the hostname. Naturally this will go in /srv/$_HOSTNAME
#
if [ -d "/srv/$HOSTNAME/config" ] ; then
if [ -d "/srv/$_HOSTNAME/config" ] ; then
#
# Generate certificates for this host
#
if ! ( sympl-ssl --verbose $HOSTNAME ) ; then
if ! ( sympl-ssl --verbose $_HOSTNAME ) ; then
echo "W: SSL certificate generation failed. Retrying with a self-signed certificate..."
echo selfsigned > /srv/$HOSTNAME/config/ssl-provider
sympl-ssl --verbose $HOSTNAME || true
echo selfsigned > /srv/$_HOSTNAME/config/ssl-provider
sympl-ssl --verbose $_HOSTNAME || true
fi
fi
#
# Not interested in linking from /etc/$HOSTNAME/config/ssl.*
# Not interested in linking from /etc/$_HOSTNAME/config/ssl.*
#
ssl_current_dir="/srv/$HOSTNAME/config/ssl/current"
ssl_current_dir="/srv/$_HOSTNAME/config/ssl/current"
#
# If there are no cerificates in /etc/ssl, symlink those from this directory.
......@@ -129,7 +162,7 @@ ssl_current_dir="/srv/$HOSTNAME/config/ssl/current"
if [ ! -e "/etc/ssl/ssl.key" ] &&
[ ! -e "/etc/ssl/ssl.crt" ] &&
[ ! -e "/etc/ssl/ssl.combined" ] &&
( sympl-ssl --no-generate --no-rollover $HOSTNAME ) &&
( sympl-ssl --no-generate --no-rollover $_HOSTNAME ) &&
[ -e "$ssl_current_dir/ssl.key" ] &&
[ -e "$ssl_current_dir/ssl.crt" ] &&
[ -e "$ssl_current_dir/ssl.combined" ] ; then
......@@ -155,11 +188,6 @@ if [ ! -e "/etc/ssl/ssl.key" ] &&
fi
# set defaults for roundcube so we don't get prompted
echo "roundcube-core roundcube/dbconfig-install boolean true" | debconf-set-selections
echo "roundcube-core roundcube/database-type select mysql" | debconf-set-selections
echo "roundcube-core roundcube/mysql/app-pass password" | debconf-set-selections
# Run sympl-filesystem-security to enforce permissions
sympl-filesystem-security
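Review bot: In the `/etc/hosts` update block, the hostname and the output of `hostname -i` are used as unquoted, unescaped patterns, so the wrong lines can be matched or rewritten. `grep -c $_HOSTNAME` treats the dots as wildcards and matches substrings of longer names. `hostname -i` can print several addresses, which then end up on one inserted line, and `s|^$hostname_ips|` also comments out entries that merely start with the same digits (`127.0.1.1` matches `127.0.1.10`). The fence below takes only the first address, escapes it, and matches the hostname as a fixed whole word; `grep -w` still treats `-` as a word boundary, so it is an improvement rather than an exact host-field match.

```shell
if ! grep -qwF -- "$_HOSTNAME" /etc/hosts ; then
  echo "I: Updating hostname configuration with complete name."
  # hostname -i may print several addresses; keep only the first one.
  hostname_ip="$( hostname -i 2>/dev/null | awk '{ print $1 }' )"
  hostname_ip="${hostname_ip:-127.0.1.1}"
  # Escape the dots and require whitespace after the address so that
  # 127.0.1.1 does not also match 127.0.1.10.
  ip_re="${hostname_ip//./\\.}"
  sed -i -E "s|^(${ip_re}[[:space:]])|# \1|" /etc/hosts
  sed -i "1i${hostname_ip}\t${_HOSTNAME} ${_HOSTNAME%%.*}" /etc/hosts
  # … unchanged: export HOSTNAME, hostname -b …
fi
```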
......
......@@ -29,7 +29,7 @@ SCRIPTNAME=/etc/init.d/$NAME
case "$1" in
'start')
log_action_msg "System configured with $DESC."
log_action_msg "System configured with $DESC"
cat <<EOF
┌─────┐ v9.0
......@@ -49,11 +49,11 @@ EOF
;;
'stop')
log_action_msg "Thanks for using $DESC!"
log_action_msg "Thanks for using $DESC"
;;
'restart'|'reload'|'force-reload'|'status')
log_action_msg "System configured with $DESC."
log_action_msg "System configured with $DESC"
;;
*)
......
sympl-webmail (9.0.190612.0) stable; urgency=medium
* Improved webmail auto-configuration
-- Paul Cammish <sympl@kelduum.net> Thu, 13 Jun 2019 15:53:00 +0100
sympl-webmail (9.0.190611.0) stable; urgency=medium
* Merged sympl-common into sympl-core
......
#!/bin/bash
set -e
case "$1" in
install)
# set defaults for roundcube so we don't get prompted
echo "roundcube-core roundcube/dbconfig-install boolean true" | debconf-set-selections
echo "roundcube-core roundcube/database-type select mysql" | debconf-set-selections
echo "roundcube-core roundcube/mysql/app-pass password" | debconf-set-selections
echo "roundcube-core roundcube/reconfigure-webserver select apache2" | debconf-set-selections
;;
upgrade)
# do nothing
;;
abort-upgrade)
;;
*)
echo "preinst called with unknown argument \`$1'" >&2
exit 1
;;
esac
#DEBHELPER#
exit 0
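Review bot: The `roundcube/mysql/app-pass password` preseed in the `install` branch has an empty value and no comment explaining why, which reads like an empty database password. As far as I know, dbconfig-common treats a blank application password as a request to generate a random one; if that is the intent, say so next to the line, e.g. `# empty value: dbconfig-common generates a random application password`. It is also worth confirming that the preinst runs early enough for roundcube-core to see these answers, since the ordering relative to roundcube-core's own configuration is not visible from this file.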