+# Supported flags
+# BUILD32=1 Target 32-bit x86 (Doesn't Work)
+# TC=1 Stop after typchecking when building using mlton
+# DEBUG=1 Keep debugging information when building using mlton
+
all: mlton bin/vmailpasswd elisp/domtool-tables.el
bin/vmailpasswd: src/mail/vmailpasswd.c
- $(CC) -lcrypt -o $@ $<
+ $(CC) $(CFLAGS) -lcrypt -o $@ $<
+
+ifeq ($(BUILD32), 1)
+ CFLAGS += -m32
+endif
COMMON_DEPS := configDefault/config.sig configDefault/configDefault.sml \
openssl/openssl_sml.so pcre/pcre_sml.so config.sml
EMACS_DIR := /usr/local/share/emacs/site-lisp/domtool-mode
+clean:
+ rm -f bin/*
+ rm -f openssl/openssl_sml.so
+ rm -f openssl/openssl_sml.o
+ rm -f pcre/pcre_sml.so
+ rm -f pcre/pcre_sml.o
+
config.sml:
/bin/echo -e 'structure Config :> CONFIG = struct\nopen ConfigDefault\nend' > $@
mlton: bin/domtool-server bin/domtool-client bin/domtool-slave \
bin/domtool-admin bin/domtool-doc bin/dbtool bin/vmail \
bin/smtplog bin/setsa bin/mysql-fixperms bin/webbw bin/domtool-tail \
- bin/fwtool
+ bin/fwtool bin/domtool-config
smlnj: $(COMMON_DEPS) openssl/smlnj/FFI/libssl.h.cm pcre/smlnj/FFI/libpcre.h.cm \
src/domtool.cm
+ CFLAGS += -m32
-configDefault/config.sig: src/config.sig.header \
+configDefault/config.sig: config/core/core.sig src/config.sig.header \
configDefault/*.csg configDefault/*.cfs \
src/config.sig.footer
cat configDefault/*.csg \
src/config.sig.footer \
>configDefault/config.sig
-configDefault/configDefault.sml: src/configDefault.sml.header \
+configDefault/configDefault.sml: config/core/core.sml src/configDefault.sml.header \
configDefault/*.cfg src/configDefault.sml.footer
cat src/configDefault.sml.header \
configDefault/*.cfg \
>configDefault/configDefault.sml
openssl/openssl_sml.o: openssl/openssl_sml.c
- gcc -fPIC -c openssl/openssl_sml.c -o openssl/openssl_sml.o
+ gcc $(CFLAGS) -fPIC -c openssl/openssl_sml.c -o openssl/openssl_sml.o
openssl/openssl_sml.so: openssl/openssl_sml.o
- gcc -shared -Wl,-soname,openssl_sml.so \
+ gcc $(CFLAGS) -shared -Wl,-soname,openssl_sml.so \
-o openssl/openssl_sml.so \
openssl/openssl_sml.o -lssl
pcre/pcre_sml.o: pcre/pcre_sml.c
- gcc -fPIC -c pcre/pcre_sml.c -o pcre/pcre_sml.o
+ gcc $(CFLAGS) -fPIC -c pcre/pcre_sml.c -o pcre/pcre_sml.o
pcre/pcre_sml.so: pcre/pcre_sml.o
- gcc -shared -Wl,-soname,pcre_sml.so \
+ gcc $(CFLAGS) -shared -Wl,-soname,pcre_sml.so \
-o pcre/pcre_sml.so \
pcre/pcre_sml.o -lpcre
$(MAKE_MLB_BASE) >src/fwtool.mlb
echo "main-fwtool.sml" >>src/fwtool.mlb
+src/domtool-config.mlb: src/prefix.mlb src/sources src/suffix.mlb
+ $(MAKE_MLB_BASE) >src/domtool-config.mlb
+ echo "main-config.sml" >>src/domtool-config.mlb
+
openssl/smlnj/FFI/libssl.h.cm: openssl/openssl_sml.h
cd openssl/smlnj ; ml-nlffigen -d FFI -lh LibsslH.libh -include ../libssl-h.sml \
-cm libssl.h.cm -D__builtin_va_list="void*" \
MLTON := mlton -link-opt -ldl
-ifdef DEBUG
+ifeq ($(BUILD32),1)
+ MLTON += -codegen c -target i386 -cc-opt -m32
+endif
+
+ifeq ($(DEBUG), 1)
MLTON += -const 'Exn.keepHistory true'
endif
+ifeq ($(TC), 1)
+ MLTON += -stop tc
+endif
+
bin/domtool-server: $(COMMON_MLTON_DEPS) src/domtool-server.mlb
$(MLTON) -output bin/domtool-server src/domtool-server.mlb
bin/domtool-tail: $(COMMON_MLTON_DEPS) src/tail/tail.mlb src/tail/*.sml
mlton -output bin/domtool-tail src/tail/tail.mlb
+bin/domtool-config: $(COMMON_MLTON_DEPS) src/domtool-config.mlb src/main-config.sml
+ $(MLTON) -output bin/domtool-config src/domtool-config.mlb
+
elisp/domtool-tables.el: lib/*.dtl bin/domtool-doc
bin/domtool-doc -basis -emacs >$@
-cp bin/webbw /usr/local/sbin/
-cp bin/domtool-tail /usr/local/bin/
-chmod +s /usr/local/bin/domtool-tail
+ cp bin/domtool-config /usr/local/bin/
cp src/plugins/domtool-postgres /usr/local/sbin/
cp src/plugins/domtool-mysql /usr/local/sbin/
-mkdir -p $(EMACS_DIR)
--- /dev/null
+Basic bootstrapping
+
+ - Customize config/core/core.sml and configDefault/ as needed
+ - Use config.sml for changes other than core. At least set defaultDomain.
+ - Create a user for domtool
+ - `make install' domtool
+ - Run domtool-create-shared-root to bootstrap shared directories
+ - Run domtool-create-local-root to bootstrap local work directories if this machine will be a node
+ - Customize and copy test.domain.core.conf to $defaultDomain.core.ssl.conf
+ - You unfortunately have to duplicate the value of Config.caPath here
+ - Run domtool-create-ca to boostrap your local domtool ca
+ - Run domtool-init-truststore to initialize the trust store
+ - Run domtool-init-acl $you to add yourself as an administrator of domtool
+ - Run `domtool-addcert $host -unsafe` where $host is the short name
+ of the machine that will run domtool-server. E.g. for
+ "foo.test.domain", $host = foo. Repeat for any machines that will
+ be domtool workers.
+ - Start domtool-server
+ - Run `domtool-adduser $you -unsafe' to create your certificates and
+ grant yourself access to your $HOME path
+ - In theory, domtool should start and you should be able to grant
+ yourself domains and configure things
\ No newline at end of file
--- /dev/null
+#!/bin/sh -e
+
+# Bootstrap everything for a DEVELOPMENT ENVIRONMENT (an insecure one
+# at that), assuming you are going to be domtool root
+
+if [ -z "`getent passwd domtool`" ]; then
+ adduser --disabled-password domtool
+fi
+
+./domtool-create-shared-root
+./domtool-create-local-root
+./domtool-create-ca -force
+./domtool-init-truststore
+./domtool-init-acl `whoami`
+domtool-addcert `uname -n` -unsafe
+
+/usr/local/sbin/domtool-server &
+SERVER_PID=$!
+
+domtool-adduser `whoami` -unsafe
+
+kill $SERVER_PID
--- /dev/null
+# Minimal openssl configuration needed to be a CA for domtool
+
+# intentionally not setting RANDFILE, because it is useless on modern
+# machines.
+
+[ ca ]
+default_ca = Domtool_CA
+
+[ Domtool_CA ]
+dir = ${Domtool_Defaults::ca_dir}
+
+certs = $dir/certs
+crl_dir = $dir/crl
+database = $dir/index
+
+# Needed because domtool does not revoke certs before
+# reissuing. Possibly bad behavior, if a private key were to leak.
+unique_subject = no
+
+new_certs_dir = $dir/newcerts
+
+certificate = $dir/ca-cert.pem
+serial = $dir/serial
+crlnumber = $dir/crlnumber
+
+crl = $dir/crl.pem
+private_key = $dir/private/ca-key.pem
+RANDFILE = $dir/private/.rand
+
+x509_extensions = usr_cert
+
+name_opt = ca_default
+cert_opt = ca_default
+
+crl_extensions = crl_ext
+
+default_days = 365
+default_crl_days= 30
+default_md = sha1
+preserve = no
+
+policy = policy_domtool
+
+[ policy_domtool ]
+# Domtool doesn't care where you claim to live
+#countryName = optional
+#stateOrProvinceName = optional
+#localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = supplied
+
+# req section is only used when generating the request for the CA to sign itself!
+[ req ]
+default_bits = 4096
+default_keyfile = ${Domtool_Defaults::ca_dir}/private/ca-key.pem
+default_md = sha1
+
+prompt = no
+distinguished_name = root_ca_distinguished_name
+string_mask = nombstr
+
+# Extensions to add to the self-signed cert generated to certificate the CA
+x509_extensions = v3_ca
+
+[ usr_cert ]
+# These extensions are added when 'ca' signs a request.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+# leaving nsCaRevocationUrl unset, since domtool isn't checking revocations
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+
+[ v3_ca ]
+# These extensions are added when the CA signs itself
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+# Ensure only user certificates and not another ca can be signed
+basicConstraints = critical,CA:true,pathlen:0
+
+[ root_ca_distinguished_name ]
+commonName = ${Domtool_Defaults::org_name}
+#countryName = US
+#stateOrProvinceName = CA
+#localityName = Berkeley
+0.organizationName = ${Domtool_Defaults::org_domain}
+emailAddress = ca@${Domtool_Defaults::org_domain}
+
+[ crl_ext ]
+authorityKeyIdentifier=keyid:always,issuer:always
--- /dev/null
+#!/bin/bash
+# -*- sh -*-
+
+# Create a domtool certificate authority
+# WARNING: Will not create a secure CA if it is in afs space
+
+if [[ `whoami` != "root" && "$1" != "-force" ]]; then
+ echo "This should be run as root. Use -force to force creating a CA"
+ echo "as a normal user"
+ exit 1
+fi
+
+# use domtool-config to extract ca path and site domain
+
+CAPATH=`../bin/domtool-config -path cert ca`
+BASE_OPENSSL_CONFIG=`../bin/domtool-config -domain`.core.ssl.conf
+
+if [ ! -f $BASE_OPENSSL_CONFIG ]; then
+ echo "You need to create $BASE_OPENSSL_CONFIG before continuing"
+ exit 1
+fi
+
+cat $BASE_OPENSSL_CONFIG common.ssl.conf > domtool-openssl.conf
+
+if [ -z "$CAPATH" ]; then
+ echo "No CA path set. Domtool has not yet been built?"
+ exit 1
+fi
+
+# 1. Create directory structure
+
+mkdir -p $CAPATH
+for d in crl newcerts private; do
+ mkdir $CAPATH/$d
+done
+
+chmod go-rwx $CAPATH/private
+echo '01' > $CAPATH/serial
+touch $CAPATH/index
+
+# 2. Generate private key
+
+openssl req -nodes -config domtool-openssl.conf -days 1825 -x509 -newkey rsa -out $CAPATH/ca-cert.pem -outform PEM
+
+# 3. Copy ssl configuration to ca dir
+
+# In general, publishing the openssl config for a domain in the ca
+# directory might not be the best idea, but since this is a limited
+# use internal CA, it is probably not a big deal.
+cp domtool-openssl.conf $CAPATH/
+chmod 600 $CAPATH/domtool-openssl.conf
+
+# Does the CA need to be readable by domtool? Issues with sudo and
+# tickets, but those could be solved by creating a 700
+# /tmp/domtool-ca-out/ and chowning to the actual user after for the
+# copy/delete. Or maybe the ca ought to live in afs
+# space... generality issues arise, probably just do option #1.
--- /dev/null
+#!/bin/bash
+
+# ideally: domtool-create-local-root service+
+# service = bind, apache, exim, courier, etc.
+# actually: domtool-create-local-root -> every possible service dir is created
+
+LOCALROOT=`domtool-config -path local-root`
+
+if [ -z "$LOCALROOT" ]; then
+ echo "ERROR: local root not set. Domtool not built?"
+ exit 1
+fi
+
+set -x
+
+mkdir -p $LOCALROOT
+
+for d in firewall vhosts zones; do
+ mkdir $LOCALROOT/$d
+done
+
+# domtool probably ought to ensure directories exist, since the
+# services configured by a worker are set statically. It makes little
+# sense for a worker to advertise that it can configure a service, and
+# not actually be able to do so.
+
--- /dev/null
+#!/bin/bash
+
+# Create shared directories, set permissions
+
+SHAREDROOT=`../bin/domtool-config -path shared-root`
+
+if [ -z "$SHAREDROOT" ]; then
+ echo "shared-root not set, domtool not built?"
+ exit 1
+fi
+
+function if_afs () {
+ if [[ $SHAREDROOT == /afs/* ]]; then
+ $*
+ fi
+}
+
+if_afs echo "AFS in use. This will not work correctly."
+
+set -x
+
+mkdir -p $SHAREDROOT
+
+for d in backup certs email firewall keys lib logs nodes nodes.old serials webalizer; do
+ mkdir $SHAREDROOT/$d
+done
+
+touch $SHAREDROOT/firewall/user.rules
+
--- /dev/null
+#!/bin/bash
+
+SHAREDROOT=`../bin/domtool-config -path shared-root`
+DOMTOOLROOT="$1"
+
+if [ -z "$SHAREDROOT" ]; then
+ echo "shared-root not set, domtool not built?"
+ exit 1
+fi
+
+if [ -z "$DOMTOOLROOT" ]; then
+ echo "Usage: $0 USER"
+ exit 1
+fi
+
+if [ -f $SHAREDROOT/acl ]; then
+ echo "acl file already exists. Refusing to overwrite"
+ exit 1
+fi
+
+cat > $SHAREDROOT/acl <<EOF
+$USER
+priv all
+
+EOF
--- /dev/null
+#!/bin/bash
+
+# After creating CA, add certificate to the trust store.
+
+# This is its own script because root will likely not have afs tokens
+# and be unable to write to the truststore if it is stored in afs
+
+CAPATH=`../bin/domtool-config -path cert ca`
+TRUSTSTORE=`../bin/domtool-config -path cert truststore`
+
+if [ -f "$TRUSTSTORE" ]; then
+ echo "Warning: $TRUSTSTORE exists, appending new cert instead of overwriting."
+fi
+
+cat $CAPATH/ca-cert.pem >> $TRUSTSTORE
--- /dev/null
+# You should be able to customize the settings in Domtool_Defaults and
+# have everything Just Work (tm)
+[ Domtool_Defaults ]
+ca_dir = ${ENV::HOME}/domtool/ca
+org_domain = test.domain
+org_name = Foo Hacker, Inc.
+#ca_dir = /etc/domtool/ca
+#org_domain = hcoop.net
+#org_name = HCoop, Inc.
\ No newline at end of file
--- /dev/null
+structure Config :> CONFIG = struct
+
+open ConfigDefault
+
+val myNode = "doomfaring"
+
+val nodeIps = [(myNode, "127.0.0.1")]
+val defaultDomain = "home.unknownlamer.org" (* $node.$defaultDomain must resolve *)
+val dispatcherName = myNode
+val caDir = "/home/clinton/domtool/ca" (* Replace with your homedir *)
+
+val dnsNodes_all = [myNode]
+val dnsNodes_admin = []
+
+val mailNodes_all = [myNode]
+val mailNodes_admin = []
+
+structure Apache : APACHE_CONFIG = struct
+open Apache
+open ConfigTypes
+
+val webNodes_all = [(myNode, {version = APACHE_2, auth = MOD_WAKLOG})]
+val webNodes_admin = []
+val webNodes_default = [myNode]
+
+end
+
+structure Bind : BIND_CONFIG = struct
+open Bind
+val masterNode = myNode
+val slaveNodes = []
+end
+
+structure Dbms : DBMS_CONFIG = struct
+open Dbms
+val dbmsNode = myNode
+end
+
+structure Firewall : FIREWALL_CONFIG = struct
+open Firewall
+val firewallNodes = [myNode]
+end
+
+structure Mailman : MAILMAN_CONFIG = struct
+open Mailman
+val node = myNode
+end
+
+end
--- /dev/null
+(* Core configure to allow domtool to be easily relocated *)
+signature CONFIG_CORE = sig
+
+ val sharedRoot : string
+ (* Global file system space for domtool daemon to share *)
+
+ val localRoot : string
+ (* Local file system space for domtool to generate configuration into *)
+
+ val installPrefix : string
+ (* Prefix for domtool bin/share data ala GNU $PREFIX *)
+
+ val cat : string
+ val cp : string
+ val diff : string
+ val rm : string
+ val echo : string
+ val grep : string
+ val sudo : string
+ (* Paths to standard UNIX utilities *)
+
+end
--- /dev/null
+structure ConfigCore :> CONFIG_CORE = struct
+
+val sharedRoot = "/afs/hcoop.net/common/etc/domtool"
+val localRoot = "/var/domtool"
+val installPrefix = "/usr/local"
+
+val cat = "/bin/cat"
+val cp = "/bin/cp"
+val diff = "/usr/bin/diff"
+val rm = "/bin/rm"
+val echo = "/bin/echo"
+val grep = "/bin/grep"
+val sudo = "/usr/bin/sudo"
+
+end
open ConfigTypes
-val reload = "/usr/bin/sudo /usr/local/sbin/domtool-publish apache"
-val down = "/usr/bin/sudo /usr/local/sbin/domtool-publish apache-down"
-val undown = "/usr/bin/sudo /usr/local/sbin/domtool-publish apache-undown"
-val fixperms = "/usr/bin/sudo /usr/local/sbin/domtool-publish apache-fixperms"
+val reload = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-publish apache"
+val down = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-publish apache-down"
+val undown = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-publish apache-undown"
+val fixperms = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-publish apache-fixperms"
-val reload1 = "/usr/bin/sudo /usr/local/sbin/domtool-publish apache1.3"
-val down1 = "/usr/bin/sudo /usr/local/sbin/domtool-publish apache1.3-down"
-val undown1 = "/usr/bin/sudo /usr/local/sbin/domtool-publish apache1.3-undown"
-val fixperms1 = "/usr/bin/sudo /usr/local/sbin/domtool-publish apache1.3-fixperms"
+val reload1 = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-publish apache1.3"
+val down1 = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-publish apache1.3-down"
+val undown1 = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-publish apache1.3-undown"
+val fixperms1 = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-publish apache1.3-fixperms"
-val confDir = "/var/domtool/vhosts"
+val confDir = ConfigCore.localRoot ^ "/vhosts"
val webNodes_all = [("navajos", {version = APACHE_2, auth = MOD_WAKLOG})]
val webNodes_admin = [("deleuze", {version = APACHE_2, auth = MOD_WAKLOG})]
user,
"/apache/log"]
+(* FIXME: hcoop.net reference *)
fun realLogDirOf user =
if size user < 2 then
"/bad_username"
fun backupLogDirOf version1 =
if version1 then
- "/afs/hcoop.net/common/etc/domtool/backup/apache/"
+ ConfigCore.sharedRoot ^ "/backup/apache/"
else
- "/afs/hcoop.net/common/etc/domtool/backup/apache2/"
+ ConfigCore.sharedRoot ^ "/backup/apache2/"
val defaultPhpVersion = 5
-val waklogUserFile = "/var/domtool/waklog.conf"
+val waklogUserFile = ConfigCore.localRoot ^ "/waklog.conf"
end
structure Bind :> BIND_CONFIG = struct
-val defaultTTL = 3600
+val masterNode = "deleuze"
+val slaveNodes = ["outpost"]
+val defaultTTL = 3600
-val zonePath = "/var/domtool/zones"
+val zonePath = ConfigCore.localRoot ^ "/zones"
val zonePath_real = "/etc/bind/zones"
-val namedConf = "/var/domtool/named.conf.local"
+val serialDir = ConfigCore.sharedRoot ^ "/serials"
+
+val namedConf = ConfigCore.localRoot ^ "/named.conf.local"
-val reload = "/usr/bin/sudo /usr/local/sbin/domtool-publish bind"
+val reload = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-publish bind"
end
signature BIND_CONFIG = sig
+ val masterNode : string
+ val slaveNodes : string list
+
val defaultTTL : int
val zonePath : string
val zonePath_real : string
+ val serialDir : string
+
val namedConf : string
val reload : string
val userdbDir = "/etc/courier/userdb"
(* Directory for storing userdb info *)
-val postReload = "/usr/bin/sudo /usr/local/sbin/domtool-publish courier"
+val postReload = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-publish courier"
(* Command to run after reloading userdb data *)
val logFile = "/var/log/exim4/mainlog"
(* SMTP log *)
-val pushUserdb = "/usr/bin/rsync -r --delete /etc/courier/userdb/* /afs/hcoop.net/common/etc/domtool/email/userdb/"
-val pullUserdb = "/usr/bin/rsync -r --delete /afs/hcoop.net/common/etc/domtool/email/userdb/* /etc/courier/userdb/"
+(* FIXME: should probably be in an external script *)
+val pushUserdb = "/usr/bin/rsync -r --delete /etc/courier/userdb/* " ^ ConfigCore.sharedRoot ^ "/email/userdb/"
+val pullUserdb = "/usr/bin/rsync -r --delete " ^ ConfigCore.sharedRoot ^ "/email/userdb/* /etc/courier/userdb/"
end
-val libRoot = "/afs/hcoop.net/common/etc/domtool/lib"
-val resultRoot = "/afs/hcoop.net/common/etc/domtool/nodes"
+open ConfigCore
+
+val libRoot = ConfigCore.sharedRoot ^ "/lib"
+val resultRoot = ConfigCore.sharedRoot ^ "/nodes"
val tmpDir = "/tmp/domtool"
-val oldResultRoot = "/afs/hcoop.net/common/etc/domtool/nodes.old"
+val oldResultRoot = ConfigCore.sharedRoot ^ "/nodes.old"
-val cat = "/bin/cat"
-val cp = "/bin/cp"
-val diff = "/usr/bin/diff"
-val rm = "/bin/rm"
-val echo = "/bin/echo"
-val grep = "/bin/grep"
-val sudo = "/usr/bin/sudo"
-val domtool_publish = "/usr/local/sbin/domtool-publish"
+val domtool_publish = ConfigCore.installPrefix ^ "/sbin/domtool-publish"
val nodeIps = [("deleuze", "69.90.123.67"), ("hopper", "69.90.123.74"), ("fritz", "69.90.123.75"), ("navajos", "69.90.123.70"), ("bog", "69.90.123.72"), ("outpost", "151.236.216.192")]
-val defaultNode = "deleuze"
-
-val masterNode = "deleuze"
-val slaveNodes = ["outpost"]
-(* THESE ARE THE DNS MASTER/SLAVE, NOT DOMTOOL NODES *)
+val dispatcherName = "fritz"
val dnsNodes_all = ["deleuze", "outpost"]
val dnsNodes_admin = []
val mailNodes_all = ["deleuze"]
val mailNodes_admin = []
-val aclFile = "/afs/hcoop.net/common/etc/domtool/acl"
+val aclFile = ConfigCore.sharedRoot ^ "/acl"
val testUser = "test"
val defaultDomain = "hcoop.net"
-val dispatcher = "deleuze.hcoop.net"
val dispatcherPort = 1234
val slavePort = 1235
val queueSize = 5
val bufSize = 1024
-val trustStore = "/afs/hcoop.net/common/etc/domtool/TrustStore.pem"
-
-val certDir = "/afs/hcoop.net/common/etc/domtool/certs"
-val keyDir = "/afs/hcoop.net/common/etc/domtool/keys"
-val serialDir = "/afs/hcoop.net/common/etc/domtool/serials"
+val trustStore = ConfigCore.sharedRoot ^ "/TrustStore.pem"
-val dispatcherName = "deleuze"
+val certDir = ConfigCore.sharedRoot ^ "/certs"
+val keyDir = ConfigCore.sharedRoot ^ "/keys"
+val caDir = "/etc/domtool/ca"
fun domtoolDir user =
case user of
- "domtool" => "/afs/hcoop.net/common/etc/domtool/.domtool"
+ "domtool" => ConfigCore.sharedRoot ^ "/.domtool"
| _ => OS.Path.joinDirFile {dir = Posix.SysDB.Passwd.home (Posix.SysDB.getpwnam user),
file = ".domtool"}
val worldReadable = ["/usr/share/moin", "/usr/share/apache/icons", "/afs/hcoop.net/common/app/moin/installed"]
-val publish_reusers = "/usr/bin/sudo " ^ domtool_publish ^ " users"
+val publish_reusers = ConfigCore.sudo ^ " " ^ domtool_publish ^ " users"
val tmpDir : string
(* Filesystem location for creating temporary directories *)
-(* Paths to standard UNIX utilities *)
-val cat : string
-val cp : string
-val diff : string
-val rm : string
-val echo : string
-val grep : string
-val sudo : string
val domtool_publish : string
(* Names of machines who will receive configuration *)
val nodeIps : (string * string) list
-val defaultNode : string
-
-val masterNode : string
-val slaveNodes : string list
+val dispatcherName : string
val aclFile : string
(* Place to serialize ACL information *)
val defaultDomain : string
-val dispatcher : string
val dispatcherPort : int
val slavePort : int
val queueSize : int
val certDir : string
val keyDir : string
-val serialDir : string
-
-val dispatcherName : string
+val caDir : string
val dnsNodes_all : string list
val dnsNodes_admin : string list
val worldReadable : string list
val publish_reusers : string
+
+include CONFIG_CORE
-structure Exim :> EXIM_CONFIG = struct
-
-val aliases = "/var/domtool/aliases"
-val aliasesDefault = "/var/domtool/aliases.default"
-val handleDomains = "/var/domtool/local_domains.cfg"
-val relayDomains = "/var/domtool/relay_domains.cfg"
-
-val reload = "/usr/bin/sudo /usr/local/sbin/domtool-publish exim"
-
-val mainLog = "/var/log/exim4/mainlog"
-
-end
+structure Exim :> EXIM_CONFIG = struct
+
+val aliases = ConfigCore.localRoot ^ "/aliases"
+val aliasesDefault = ConfigCore.localRoot ^ "/aliases.default"
+val handleDomains = ConfigCore.localRoot ^ "/local_domains.cfg"
+val relayDomains = ConfigCore.localRoot ^ "/relay_domains.cfg"
+
+val reload = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-publish exim"
+
+val mainLog = "/var/log/exim4/mainlog"
+
+end
(* -*- sml -*- *)
structure Firewall :> FIREWALL_CONFIG = struct
-val firewallRules = "/afs/hcoop.net/common/etc/domtool/firewall/user.rules"
-val firewallDir = "/var/domtool/firewall/"
+val firewallRules = ConfigCore.sharedRoot ^ "/firewall/user.rules"
+val firewallDir = ConfigCore.localRoot ^ "/firewall/"
val firewallNodes = ["bog", "navajos"]
-val reload = "/usr/bin/sudo /usr/local/sbin/domtool-publish firewall"
+val reload = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-publish firewall"
end
val node = "deleuze"
-val mapFile = "/var/domtool/mailman.map"
-val handleDomains = "/var/domtool/mailman_domains.cfg"
+val mapFile = ConfigCore.localRoot ^ "/mailman.map"
+val handleDomains = ConfigCore.localRoot ^ "/mailman_domains.cfg"
-val reload = "/usr/bin/sudo /usr/local/sbin/domtool-publish mailman"
+val reload = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-publish mailman"
end
-structure MySQL :> MYSQL_CONFIG = struct
-
-val adduser = "/usr/bin/sudo /usr/local/sbin/domtool-mysql adduser"
-val passwd = "/usr/bin/sudo /usr/local/sbin/domtool-mysql passwd"
-val createdb = "/usr/bin/sudo /usr/local/sbin/domtool-mysql createdb"
-val dropdb = "/usr/bin/sudo /usr/local/sbin/domtool-mysql dropdb"
-val grant = "/usr/bin/sudo /usr/local/sbin/domtool-mysql grant"
-
-end
+structure MySQL :> MYSQL_CONFIG = struct
+
+val adduser = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-mysql adduser"
+val passwd = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-mysql passwd"
+val createdb = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-mysql createdb"
+val dropdb = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-mysql dropdb"
+val grant = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-mysql grant"
+
+end
-structure Postgres :> POSTGRES_CONFIG = struct
-
-val adduser = "/usr/bin/sudo /usr/local/sbin/domtool-postgres adduser"
-val createdb = "/usr/bin/sudo /usr/local/sbin/domtool-postgres createdb"
-val dropdb = "/usr/bin/sudo /usr/local/sbin/domtool-postgres dropdb"
-
-val postgres81port = "5432";
-val postgres91port = "5433"
-
-end
+structure Postgres :> POSTGRES_CONFIG = struct
+
+val adduser = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-postgres adduser"
+val createdb = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-postgres createdb"
+val dropdb = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-postgres dropdb"
+
+val postgres81port = "5432";
+val postgres91port = "5433"
+
+end
structure Webalizer :> WEBALIZER_CONFIG = struct
-val configDir = "/afs/hcoop.net/common/etc/domtool/webalizer/config"
-val outputDir = "/afs/hcoop.net/common/etc/domtool/webalizer/output"
-val backupDir = "/afs/hcoop.net/common/etc/domtool/backup/webalizer"
+val configDir = ConfigCore.sharedRoot ^ "/webalizer/config"
+val outputDir = ConfigCore.sharedRoot ^ "/webalizer/output"
+val backupDir = ConfigCore.sharedRoot ^ "/backup/webalizer"
-val defaultOutput = "/afs/hcoop.net/common/etc/domtool/webalizer/output/main/"
+val defaultOutput = ConfigCore.sharedRoot ^ "/webalizer/output/main/"
val defaultHost = "www.hcoop.net"
end
{{Add a standard WordPress blog set-up code to a virtual host. The WordPress
files should be rooted at the location you specify.}}
-val wordPress = \ host : (host) ->
+val wordPress = \ host : (host) -> \\ config : Vhost ->
web host with
addWordPress "/";
- diskCache "/wp-content"
+ diskCache "/wp-content";
+ config
end;
{{Create a WordPress blog with just the standard set-up code. The WordPress blog should
be rooted at the vhost's <tt>DocumentRoot</tt>.}}
end;
{{Add a MoinMoin wiki to a vhost.}}
-val moinMoin = \ host : (host) ->
+val moinMoin = \ host : (host) -> \\ config : Vhost ->
web host with
addMoinMoin where
Htdocs = moin_default_htdocs;
Prefix = "/"
- end
+ end;
+ config
end;
{{Create a new vhost with just a MoinMoin wiki.}}
exit 1
fi
-PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER
-HOMEPATH=/afs/hcoop.net/user/$PATHBITS
+HOMEPATH=`getent passwd $USER | cut -d : -f 6`
domtool-admin grant $USER user $USER
domtool-admin grant $USER path $HOMEPATH
exit 1
fi
- KEYDIR=/afs/hcoop.net/common/etc/domtool/keys/$USER
+ KEYDIR=`domtool-config -path cert keys`/$USER
KEYFILE=$KEYDIR/key.pem
-CERTFILE=/afs/hcoop.net/common/etc/domtool/certs/$USER.pem
+CERTFILE=`domtool-config -path cert certs`/$USER.pem
NEWREQ=~/.newreq.pem
NEW=~/.new.pem
KEYIN=~/.keyin
+ CACONF=`domtool-config -path cert ca`/domtool-openssl.conf
mkdir $KEYDIR || echo Key directory already exists.
-openssl genrsa -out $KEYFILE
-chown -R domtool.nogroup $KEYDIR
+openssl genrsa -out $KEYFILE 4096
+# chown -R domtool.nogroup $KEYDIR
+# chmod for non-afs systems
+chmod 700 $KEYDIR
+chmod 600 $KEYFILE
+if [ "$2" != '-unsafe' ]; then
+ if [ -z "`getent passwd $USER`" ]; then
+ echo "$USER does not exist. This must be a server principal."
+ else
+ chown -R $USER.nogroup $KEYDIR
+ fi
+fi
+
fs sa $KEYDIR $USER read || echo This must be a server principal.
echo "." >$KEYIN
echo "." >>$KEYIN
echo "." >>$KEYIN
echo "." >>$KEYIN
echo "$USER" >>$KEYIN
-echo "$USER@hcoop.net" >>$KEYIN
+# fixme: domtool-config -domain
+echo "$USER@`domtool-config -domain`" >>$KEYIN
echo "" >>$KEYIN
echo "" >>$KEYIN
openssl req -new -key $KEYFILE -out $NEWREQ -days 365 <$KEYIN
rm $KEYIN
cat $NEWREQ $KEYFILE >$NEW
rm $NEWREQ
-openssl ca -batch -config /etc/domtool/openssl.cnf -policy policy_anything -out $CERTFILE -infiles $NEW
+
+ROOTCMD=""
+# Insecure CA is OK for development, and if the CA is in afs it is
+# assumed the script is being run with sufficient
+# permissions. Otherwise, become root to use the ca private key,
+if [ ! -r $CACONF ]; then
+ ROOTCMD=sudo
+fi
+
+$ROOTCMD openssl ca -batch -config `domtool-config -path cert ca`/domtool-openssl.conf -out $CERTFILE -infiles $NEW
rm $NEW
-chown domtool.nogroup $CERTFILE
+#chown domtool.nogroup $CERTFILE
#!/bin/sh -e
-if ! [ -e /etc/domtool ]; then
- echo "/etc/domtool not found. Are you running this on the same machine as domtool-server?"
+if ! [ -e `domtool-config -path cert ca` ]; then
+ echo "domtool ca not found. Are you running this on the same machine as domtool-server?"
exit 1
fi
in
print ("New configuration for node " ^ site ^ "\n");
- if site = Config.defaultNode then
+ if site = Config.dispatcherName then
Slave.handleChanges files
else let
val bio = OpenSSL.connect true (valOf (!ssl_context),
let
fun doNode (site, ok) =
(print ("New vmail data for node " ^ site ^ "\n");
- if site = Config.defaultNode then
+ if site = Config.dispatcherName then
Slave.shell [Config.Courier.postReload] andalso ok
else let
val bio = OpenSSL.connect true (Domain.get_context (),
--- /dev/null
+(* HCoop Domtool (http://hcoop.sourceforge.net/)
+ * Copyright (c) 2014 Clinton Ebadi <clinton@unknownlamer.org>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *)
+
+(* Configuration Value Queries *)
+
+(* Not entirely clear what belongs here and what belongs in
+ domtool-admin.
+
+ Proposed dividing line: whatever can be deduced from the static
+ configuration can be queried with domtool-config, anything that
+ requires acessing the daemons goes through domtool-admin.
+*)
+
+fun println x = (print x; print "\n")
+
+val _ =
+ (case CommandLine.arguments () of
+ ("-path" :: path) => (case path of
+ ["shared-root"] => println Config.sharedRoot
+ | ["local-root"] => println Config.localRoot
+ | ["install-prefix"] => println Config.installPrefix
+ | ["cert", path] => (case path of
+ "ca" => println Config.caDir
+ | "certs" => println Config.certDir
+ | "keys" => println Config.keyDir
+ | "truststore" => println Config.trustStore
+ | _ => println "Invalid cert path type")
+ | _ => print "Invalid path type\n")
+ | ["-nodes"] => (app (fn (n, _) => (print n; print " ")) Config.nodeIps;
+ print "\n")
+ | ["-domain"] => println Config.defaultDomain
+ | _ => print "Invalid command-line arguments\n")
| (G, NONE) => (G, evs)
val dispatcher =
- Config.dispatcher ^ ":" ^ Int.toString Config.dispatcherPort
+ Domain.nodeIp Config.dispatcherName ^ ":" ^ Int.toString Config.dispatcherPort
val self =
"localhost:" ^ Int.toString Config.slavePort
val ok = ref true
fun contactNode (node, ip) =
- if node = Config.defaultNode then
+ if node = Config.dispatcherName then
Domain.resetLocal ()
else let
val bio = OpenSSL.connect true (context,
val {dir, file} = OS.Path.splitDirFile (#file fs)
fun dnsChanged () =
- if #domain fs = !didDomain orelse Slave.hostname () <> Config.masterNode then
+ if #domain fs = !didDomain orelse Slave.hostname () <> Config.Bind.masterNode then
()
else if Slave.isDelete (#action fs) then
let
val min = readILine inf
val () = TextIO.closeIn inf
- val serialPath = OS.Path.joinDirFile {dir = Config.serialDir,
+ val serialPath = OS.Path.joinDirFile {dir = Config.Bind.serialDir,
file = #domain fs}
val oldSerial = let
validSrvDomain
val _ = Env.registerFunction ("dns_master_node",
- fn [] => SOME (EString Config.masterNode, dl)
+ fn [] => SOME (EString Config.Bind.masterNode, dl)
| _ => NONE)
val _ = Env.registerFunction ("dns_slave_nodes",
- fn [] => SOME (EList (map (fn n => (EString n, dl)) Config.slaveNodes), dl)
+ fn [] => SOME (EList (map (fn n => (EString n, dl)) Config.Bind.slaveNodes), dl)
| _ => NONE)
end
configTypes.sml
+../config/core/core.sig
+../config/core/core.sml
../configDefault/config.sig
../configDefault/configDefault.sml
$(SML_LIB)/smlnj-lib/Util/smlnj-lib.mlb
../configTypes.sml
+../../config/core/core.sig
+../../config/core/core.sml
../../configDefault/config.sig
../../configDefault/configDefault.sml
../../config.sml