From: Clinton Ebadi Date: Sat, 26 Apr 2014 00:05:10 +0000 (-0400) Subject: merge toplevel-dynamic-environment X-Git-Tag: release_20140428~3 X-Git-Url: https://git.hcoop.net/hcoop/domtool2.git/commitdiff_plain/d63aa5e7b08630cc17a606e85e35acc5bd0041ee?hp=38d4fd3b42b382d86be4b67fda8889894c89f087 merge toplevel-dynamic-environment --- diff --git a/Makefile b/Makefile index 7f5d7d5..2d798cb 100644 --- a/Makefile +++ b/Makefile @@ -1,13 +1,29 @@ +# Supported flags +# BUILD32=1 Target 32-bit x86 (Doesn't Work) +# TC=1 Stop after typchecking when building using mlton +# DEBUG=1 Keep debugging information when building using mlton + all: mlton bin/vmailpasswd elisp/domtool-tables.el bin/vmailpasswd: src/mail/vmailpasswd.c - $(CC) -lcrypt -o $@ $< + $(CC) $(CFLAGS) -lcrypt -o $@ $< + +ifeq ($(BUILD32), 1) + CFLAGS += -m32 +endif COMMON_DEPS := configDefault/config.sig configDefault/configDefault.sml \ openssl/openssl_sml.so pcre/pcre_sml.so config.sml EMACS_DIR := /usr/local/share/emacs/site-lisp/domtool-mode +clean: + rm -f bin/* + rm -f openssl/openssl_sml.so + rm -f openssl/openssl_sml.o + rm -f pcre/pcre_sml.so + rm -f pcre/pcre_sml.o + config.sml: /bin/echo -e 'structure Config :> CONFIG = struct\nopen ConfigDefault\nend' > $@ @@ -16,12 +32,13 @@ config.sml: mlton: bin/domtool-server bin/domtool-client bin/domtool-slave \ bin/domtool-admin bin/domtool-doc bin/dbtool bin/vmail \ bin/smtplog bin/setsa bin/mysql-fixperms bin/webbw bin/domtool-tail \ - bin/fwtool + bin/fwtool bin/domtool-config smlnj: $(COMMON_DEPS) openssl/smlnj/FFI/libssl.h.cm pcre/smlnj/FFI/libpcre.h.cm \ src/domtool.cm + CFLAGS += -m32 -configDefault/config.sig: src/config.sig.header \ +configDefault/config.sig: config/core/core.sig src/config.sig.header \ configDefault/*.csg configDefault/*.cfs \ src/config.sig.footer cat configDefault/*.csg \ @@ -30,7 +47,7 @@ configDefault/config.sig: src/config.sig.header \ src/config.sig.footer \ >configDefault/config.sig -configDefault/configDefault.sml: src/configDefault.sml.header \ +configDefault/configDefault.sml: config/core/core.sml src/configDefault.sml.header \ configDefault/*.cfg src/configDefault.sml.footer cat src/configDefault.sml.header \ configDefault/*.cfg \ @@ -38,18 +55,18 @@ configDefault/configDefault.sml: src/configDefault.sml.header \ >configDefault/configDefault.sml openssl/openssl_sml.o: openssl/openssl_sml.c - gcc -fPIC -c openssl/openssl_sml.c -o openssl/openssl_sml.o + gcc $(CFLAGS) -fPIC -c openssl/openssl_sml.c -o openssl/openssl_sml.o openssl/openssl_sml.so: openssl/openssl_sml.o - gcc -shared -Wl,-soname,openssl_sml.so \ + gcc $(CFLAGS) -shared -Wl,-soname,openssl_sml.so \ -o openssl/openssl_sml.so \ openssl/openssl_sml.o -lssl pcre/pcre_sml.o: pcre/pcre_sml.c - gcc -fPIC -c pcre/pcre_sml.c -o pcre/pcre_sml.o + gcc $(CFLAGS) -fPIC -c pcre/pcre_sml.c -o pcre/pcre_sml.o pcre/pcre_sml.so: pcre/pcre_sml.o - gcc -shared -Wl,-soname,pcre_sml.so \ + gcc $(CFLAGS) -shared -Wl,-soname,pcre_sml.so \ -o pcre/pcre_sml.so \ pcre/pcre_sml.o -lpcre @@ -104,6 +121,10 @@ src/fwtool.mlb: src/prefix.mlb src/sources src/suffix.mlb $(MAKE_MLB_BASE) >src/fwtool.mlb echo "main-fwtool.sml" >>src/fwtool.mlb +src/domtool-config.mlb: src/prefix.mlb src/sources src/suffix.mlb + $(MAKE_MLB_BASE) >src/domtool-config.mlb + echo "main-config.sml" >>src/domtool-config.mlb + openssl/smlnj/FFI/libssl.h.cm: openssl/openssl_sml.h cd openssl/smlnj ; ml-nlffigen -d FFI -lh LibsslH.libh -include ../libssl-h.sml \ -cm libssl.h.cm -D__builtin_va_list="void*" \ @@ -140,10 +161,18 @@ COMMON_MLTON_DEPS := openssl/mlton/FFI/libssl.h.mlb \ MLTON := mlton -link-opt -ldl -ifdef DEBUG +ifeq ($(BUILD32),1) + MLTON += -codegen c -target i386 -cc-opt -m32 +endif + +ifeq ($(DEBUG), 1) MLTON += -const 'Exn.keepHistory true' endif +ifeq ($(TC), 1) + MLTON += -stop tc +endif + bin/domtool-server: $(COMMON_MLTON_DEPS) src/domtool-server.mlb $(MLTON) -output bin/domtool-server src/domtool-server.mlb @@ -183,6 +212,9 @@ bin/webbw: $(COMMON_MLTON_DEPS) src/stats/webbw.mlb src/stats/*.sml bin/domtool-tail: $(COMMON_MLTON_DEPS) src/tail/tail.mlb src/tail/*.sml mlton -output bin/domtool-tail src/tail/tail.mlb +bin/domtool-config: $(COMMON_MLTON_DEPS) src/domtool-config.mlb src/main-config.sml + $(MLTON) -output bin/domtool-config src/domtool-config.mlb + elisp/domtool-tables.el: lib/*.dtl bin/domtool-doc bin/domtool-doc -basis -emacs >$@ @@ -219,6 +251,7 @@ install: install_sos -cp bin/webbw /usr/local/sbin/ -cp bin/domtool-tail /usr/local/bin/ -chmod +s /usr/local/bin/domtool-tail + cp bin/domtool-config /usr/local/bin/ cp src/plugins/domtool-postgres /usr/local/sbin/ cp src/plugins/domtool-mysql /usr/local/sbin/ -mkdir -p $(EMACS_DIR) diff --git a/bootstrap/README b/bootstrap/README new file mode 100644 index 0000000..658f047 --- /dev/null +++ b/bootstrap/README @@ -0,0 +1,22 @@ +Basic bootstrapping + + - Customize config/core/core.sml and configDefault/ as needed + - Use config.sml for changes other than core. At least set defaultDomain. + - Create a user for domtool + - `make install' domtool + - Run domtool-create-shared-root to bootstrap shared directories + - Run domtool-create-local-root to bootstrap local work directories if this machine will be a node + - Customize and copy test.domain.core.conf to $defaultDomain.core.ssl.conf + - You unfortunately have to duplicate the value of Config.caPath here + - Run domtool-create-ca to boostrap your local domtool ca + - Run domtool-init-truststore to initialize the trust store + - Run domtool-init-acl $you to add yourself as an administrator of domtool + - Run `domtool-addcert $host -unsafe` where $host is the short name + of the machine that will run domtool-server. E.g. for + "foo.test.domain", $host = foo. Repeat for any machines that will + be domtool workers. + - Start domtool-server + - Run `domtool-adduser $you -unsafe' to create your certificates and + grant yourself access to your $HOME path + - In theory, domtool should start and you should be able to grant + yourself domains and configure things \ No newline at end of file diff --git a/bootstrap/bootstrap b/bootstrap/bootstrap new file mode 100755 index 0000000..b3a6a4f --- /dev/null +++ b/bootstrap/bootstrap @@ -0,0 +1,22 @@ +#!/bin/sh -e + +# Bootstrap everything for a DEVELOPMENT ENVIRONMENT (an insecure one +# at that), assuming you are going to be domtool root + +if [ -z "`getent passwd domtool`" ]; then + adduser --disabled-password domtool +fi + +./domtool-create-shared-root +./domtool-create-local-root +./domtool-create-ca -force +./domtool-init-truststore +./domtool-init-acl `whoami` +domtool-addcert `uname -n` -unsafe + +/usr/local/sbin/domtool-server & +SERVER_PID=$! + +domtool-adduser `whoami` -unsafe + +kill $SERVER_PID diff --git a/bootstrap/common.ssl.conf b/bootstrap/common.ssl.conf new file mode 100644 index 0000000..c2c0ddb --- /dev/null +++ b/bootstrap/common.ssl.conf @@ -0,0 +1,91 @@ +# Minimal openssl configuration needed to be a CA for domtool + +# intentionally not setting RANDFILE, because it is useless on modern +# machines. + +[ ca ] +default_ca = Domtool_CA + +[ Domtool_CA ] +dir = ${Domtool_Defaults::ca_dir} + +certs = $dir/certs +crl_dir = $dir/crl +database = $dir/index + +# Needed because domtool does not revoke certs before +# reissuing. Possibly bad behavior, if a private key were to leak. +unique_subject = no + +new_certs_dir = $dir/newcerts + +certificate = $dir/ca-cert.pem +serial = $dir/serial +crlnumber = $dir/crlnumber + +crl = $dir/crl.pem +private_key = $dir/private/ca-key.pem +RANDFILE = $dir/private/.rand + +x509_extensions = usr_cert + +name_opt = ca_default +cert_opt = ca_default + +crl_extensions = crl_ext + +default_days = 365 +default_crl_days= 30 +default_md = sha1 +preserve = no + +policy = policy_domtool + +[ policy_domtool ] +# Domtool doesn't care where you claim to live +#countryName = optional +#stateOrProvinceName = optional +#localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = supplied + +# req section is only used when generating the request for the CA to sign itself! +[ req ] +default_bits = 4096 +default_keyfile = ${Domtool_Defaults::ca_dir}/private/ca-key.pem +default_md = sha1 + +prompt = no +distinguished_name = root_ca_distinguished_name +string_mask = nombstr + +# Extensions to add to the self-signed cert generated to certificate the CA +x509_extensions = v3_ca + +[ usr_cert ] +# These extensions are added when 'ca' signs a request. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer +basicConstraints=CA:FALSE +# leaving nsCaRevocationUrl unset, since domtool isn't checking revocations +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem + +[ v3_ca ] +# These extensions are added when the CA signs itself +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer:always +# Ensure only user certificates and not another ca can be signed +basicConstraints = critical,CA:true,pathlen:0 + +[ root_ca_distinguished_name ] +commonName = ${Domtool_Defaults::org_name} +#countryName = US +#stateOrProvinceName = CA +#localityName = Berkeley +0.organizationName = ${Domtool_Defaults::org_domain} +emailAddress = ca@${Domtool_Defaults::org_domain} + +[ crl_ext ] +authorityKeyIdentifier=keyid:always,issuer:always diff --git a/bootstrap/domtool-create-ca b/bootstrap/domtool-create-ca new file mode 100755 index 0000000..bab09ca --- /dev/null +++ b/bootstrap/domtool-create-ca @@ -0,0 +1,57 @@ +#!/bin/bash +# -*- sh -*- + +# Create a domtool certificate authority +# WARNING: Will not create a secure CA if it is in afs space + +if [[ `whoami` != "root" && "$1" != "-force" ]]; then + echo "This should be run as root. Use -force to force creating a CA" + echo "as a normal user" + exit 1 +fi + +# use domtool-config to extract ca path and site domain + +CAPATH=`../bin/domtool-config -path cert ca` +BASE_OPENSSL_CONFIG=`../bin/domtool-config -domain`.core.ssl.conf + +if [ ! -f $BASE_OPENSSL_CONFIG ]; then + echo "You need to create $BASE_OPENSSL_CONFIG before continuing" + exit 1 +fi + +cat $BASE_OPENSSL_CONFIG common.ssl.conf > domtool-openssl.conf + +if [ -z "$CAPATH" ]; then + echo "No CA path set. Domtool has not yet been built?" + exit 1 +fi + +# 1. Create directory structure + +mkdir -p $CAPATH +for d in crl newcerts private; do + mkdir $CAPATH/$d +done + +chmod go-rwx $CAPATH/private +echo '01' > $CAPATH/serial +touch $CAPATH/index + +# 2. Generate private key + +openssl req -nodes -config domtool-openssl.conf -days 1825 -x509 -newkey rsa -out $CAPATH/ca-cert.pem -outform PEM + +# 3. Copy ssl configuration to ca dir + +# In general, publishing the openssl config for a domain in the ca +# directory might not be the best idea, but since this is a limited +# use internal CA, it is probably not a big deal. +cp domtool-openssl.conf $CAPATH/ +chmod 600 $CAPATH/domtool-openssl.conf + +# Does the CA need to be readable by domtool? Issues with sudo and +# tickets, but those could be solved by creating a 700 +# /tmp/domtool-ca-out/ and chowning to the actual user after for the +# copy/delete. Or maybe the ca ought to live in afs +# space... generality issues arise, probably just do option #1. diff --git a/bootstrap/domtool-create-local-root b/bootstrap/domtool-create-local-root new file mode 100755 index 0000000..e566f06 --- /dev/null +++ b/bootstrap/domtool-create-local-root @@ -0,0 +1,26 @@ +#!/bin/bash + +# ideally: domtool-create-local-root service+ +# service = bind, apache, exim, courier, etc. +# actually: domtool-create-local-root -> every possible service dir is created + +LOCALROOT=`domtool-config -path local-root` + +if [ -z "$LOCALROOT" ]; then + echo "ERROR: local root not set. Domtool not built?" + exit 1 +fi + +set -x + +mkdir -p $LOCALROOT + +for d in firewall vhosts zones; do + mkdir $LOCALROOT/$d +done + +# domtool probably ought to ensure directories exist, since the +# services configured by a worker are set statically. It makes little +# sense for a worker to advertise that it can configure a service, and +# not actually be able to do so. + diff --git a/bootstrap/domtool-create-shared-root b/bootstrap/domtool-create-shared-root new file mode 100755 index 0000000..ba0ebbf --- /dev/null +++ b/bootstrap/domtool-create-shared-root @@ -0,0 +1,29 @@ +#!/bin/bash + +# Create shared directories, set permissions + +SHAREDROOT=`../bin/domtool-config -path shared-root` + +if [ -z "$SHAREDROOT" ]; then + echo "shared-root not set, domtool not built?" + exit 1 +fi + +function if_afs () { + if [[ $SHAREDROOT == /afs/* ]]; then + $* + fi +} + +if_afs echo "AFS in use. This will not work correctly." + +set -x + +mkdir -p $SHAREDROOT + +for d in backup certs email firewall keys lib logs nodes nodes.old serials webalizer; do + mkdir $SHAREDROOT/$d +done + +touch $SHAREDROOT/firewall/user.rules + diff --git a/bootstrap/domtool-init-acl b/bootstrap/domtool-init-acl new file mode 100755 index 0000000..3759fa4 --- /dev/null +++ b/bootstrap/domtool-init-acl @@ -0,0 +1,25 @@ +#!/bin/bash + +SHAREDROOT=`../bin/domtool-config -path shared-root` +DOMTOOLROOT="$1" + +if [ -z "$SHAREDROOT" ]; then + echo "shared-root not set, domtool not built?" + exit 1 +fi + +if [ -z "$DOMTOOLROOT" ]; then + echo "Usage: $0 USER" + exit 1 +fi + +if [ -f $SHAREDROOT/acl ]; then + echo "acl file already exists. Refusing to overwrite" + exit 1 +fi + +cat > $SHAREDROOT/acl <> $TRUSTSTORE diff --git a/bootstrap/test.domain.core.ssl.conf b/bootstrap/test.domain.core.ssl.conf new file mode 100644 index 0000000..12ef0ee --- /dev/null +++ b/bootstrap/test.domain.core.ssl.conf @@ -0,0 +1,9 @@ +# You should be able to customize the settings in Domtool_Defaults and +# have everything Just Work (tm) +[ Domtool_Defaults ] +ca_dir = ${ENV::HOME}/domtool/ca +org_domain = test.domain +org_name = Foo Hacker, Inc. +#ca_dir = /etc/domtool/ca +#org_domain = hcoop.net +#org_name = HCoop, Inc. \ No newline at end of file diff --git a/config.example.sml b/config.example.sml new file mode 100644 index 0000000..a04f400 --- /dev/null +++ b/config.example.sml @@ -0,0 +1,49 @@ +structure Config :> CONFIG = struct + +open ConfigDefault + +val myNode = "doomfaring" + +val nodeIps = [(myNode, "127.0.0.1")] +val defaultDomain = "home.unknownlamer.org" (* $node.$defaultDomain must resolve *) +val dispatcherName = myNode +val caDir = "/home/clinton/domtool/ca" (* Replace with your homedir *) + +val dnsNodes_all = [myNode] +val dnsNodes_admin = [] + +val mailNodes_all = [myNode] +val mailNodes_admin = [] + +structure Apache : APACHE_CONFIG = struct +open Apache +open ConfigTypes + +val webNodes_all = [(myNode, {version = APACHE_2, auth = MOD_WAKLOG})] +val webNodes_admin = [] +val webNodes_default = [myNode] + +end + +structure Bind : BIND_CONFIG = struct +open Bind +val masterNode = myNode +val slaveNodes = [] +end + +structure Dbms : DBMS_CONFIG = struct +open Dbms +val dbmsNode = myNode +end + +structure Firewall : FIREWALL_CONFIG = struct +open Firewall +val firewallNodes = [myNode] +end + +structure Mailman : MAILMAN_CONFIG = struct +open Mailman +val node = myNode +end + +end diff --git a/config/core/core.sig b/config/core/core.sig new file mode 100644 index 0000000..c3377ee --- /dev/null +++ b/config/core/core.sig @@ -0,0 +1,22 @@ +(* Core configure to allow domtool to be easily relocated *) +signature CONFIG_CORE = sig + + val sharedRoot : string + (* Global file system space for domtool daemon to share *) + + val localRoot : string + (* Local file system space for domtool to generate configuration into *) + + val installPrefix : string + (* Prefix for domtool bin/share data ala GNU $PREFIX *) + + val cat : string + val cp : string + val diff : string + val rm : string + val echo : string + val grep : string + val sudo : string + (* Paths to standard UNIX utilities *) + +end diff --git a/config/core/core.sml b/config/core/core.sml new file mode 100644 index 0000000..b03556a --- /dev/null +++ b/config/core/core.sml @@ -0,0 +1,15 @@ +structure ConfigCore :> CONFIG_CORE = struct + +val sharedRoot = "/afs/hcoop.net/common/etc/domtool" +val localRoot = "/var/domtool" +val installPrefix = "/usr/local" + +val cat = "/bin/cat" +val cp = "/bin/cp" +val diff = "/usr/bin/diff" +val rm = "/bin/rm" +val echo = "/bin/echo" +val grep = "/bin/grep" +val sudo = "/usr/bin/sudo" + +end diff --git a/configDefault/apache.cfg b/configDefault/apache.cfg index a70a554..48d852a 100644 --- a/configDefault/apache.cfg +++ b/configDefault/apache.cfg @@ -2,17 +2,17 @@ structure Apache :> APACHE_CONFIG = struct open ConfigTypes -val reload = "/usr/bin/sudo /usr/local/sbin/domtool-publish apache" -val down = "/usr/bin/sudo /usr/local/sbin/domtool-publish apache-down" -val undown = "/usr/bin/sudo /usr/local/sbin/domtool-publish apache-undown" -val fixperms = "/usr/bin/sudo /usr/local/sbin/domtool-publish apache-fixperms" +val reload = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-publish apache" +val down = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-publish apache-down" +val undown = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-publish apache-undown" +val fixperms = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-publish apache-fixperms" -val reload1 = "/usr/bin/sudo /usr/local/sbin/domtool-publish apache1.3" -val down1 = "/usr/bin/sudo /usr/local/sbin/domtool-publish apache1.3-down" -val undown1 = "/usr/bin/sudo /usr/local/sbin/domtool-publish apache1.3-undown" -val fixperms1 = "/usr/bin/sudo /usr/local/sbin/domtool-publish apache1.3-fixperms" +val reload1 = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-publish apache1.3" +val down1 = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-publish apache1.3-down" +val undown1 = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-publish apache1.3-undown" +val fixperms1 = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-publish apache1.3-fixperms" -val confDir = "/var/domtool/vhosts" +val confDir = ConfigCore.localRoot ^ "/vhosts" val webNodes_all = [("navajos", {version = APACHE_2, auth = MOD_WAKLOG})] val webNodes_admin = [("deleuze", {version = APACHE_2, auth = MOD_WAKLOG})] @@ -39,6 +39,7 @@ fun logDirOf version1 user = user, "/apache/log"] +(* FIXME: hcoop.net reference *) fun realLogDirOf user = if size user < 2 then "/bad_username" @@ -53,12 +54,12 @@ fun realLogDirOf user = fun backupLogDirOf version1 = if version1 then - "/afs/hcoop.net/common/etc/domtool/backup/apache/" + ConfigCore.sharedRoot ^ "/backup/apache/" else - "/afs/hcoop.net/common/etc/domtool/backup/apache2/" + ConfigCore.sharedRoot ^ "/backup/apache2/" val defaultPhpVersion = 5 -val waklogUserFile = "/var/domtool/waklog.conf" +val waklogUserFile = ConfigCore.localRoot ^ "/waklog.conf" end diff --git a/configDefault/bind.cfg b/configDefault/bind.cfg index a0577df..6178bef 100644 --- a/configDefault/bind.cfg +++ b/configDefault/bind.cfg @@ -1,13 +1,17 @@ structure Bind :> BIND_CONFIG = struct -val defaultTTL = 3600 +val masterNode = "deleuze" +val slaveNodes = ["outpost"] +val defaultTTL = 3600 -val zonePath = "/var/domtool/zones" +val zonePath = ConfigCore.localRoot ^ "/zones" val zonePath_real = "/etc/bind/zones" -val namedConf = "/var/domtool/named.conf.local" +val serialDir = ConfigCore.sharedRoot ^ "/serials" + +val namedConf = ConfigCore.localRoot ^ "/named.conf.local" -val reload = "/usr/bin/sudo /usr/local/sbin/domtool-publish bind" +val reload = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-publish bind" end diff --git a/configDefault/bind.csg b/configDefault/bind.csg index e89b146..ec2f372 100644 --- a/configDefault/bind.csg +++ b/configDefault/bind.csg @@ -1,10 +1,15 @@ signature BIND_CONFIG = sig + val masterNode : string + val slaveNodes : string list + val defaultTTL : int val zonePath : string val zonePath_real : string + val serialDir : string + val namedConf : string val reload : string diff --git a/configDefault/courier.cfg b/configDefault/courier.cfg index a4ffa87..a0da8b3 100644 --- a/configDefault/courier.cfg +++ b/configDefault/courier.cfg @@ -9,13 +9,14 @@ val makeuserdb = "/usr/sbin/makeuserdb" val userdbDir = "/etc/courier/userdb" (* Directory for storing userdb info *) -val postReload = "/usr/bin/sudo /usr/local/sbin/domtool-publish courier" +val postReload = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-publish courier" (* Command to run after reloading userdb data *) val logFile = "/var/log/exim4/mainlog" (* SMTP log *) -val pushUserdb = "/usr/bin/rsync -r --delete /etc/courier/userdb/* /afs/hcoop.net/common/etc/domtool/email/userdb/" -val pullUserdb = "/usr/bin/rsync -r --delete /afs/hcoop.net/common/etc/domtool/email/userdb/* /etc/courier/userdb/" +(* FIXME: should probably be in an external script *) +val pushUserdb = "/usr/bin/rsync -r --delete /etc/courier/userdb/* " ^ ConfigCore.sharedRoot ^ "/email/userdb/" +val pullUserdb = "/usr/bin/rsync -r --delete " ^ ConfigCore.sharedRoot ^ "/email/userdb/* /etc/courier/userdb/" end diff --git a/configDefault/domtool.cfg b/configDefault/domtool.cfg index 7fb4183..69dcf8a 100644 --- a/configDefault/domtool.cfg +++ b/configDefault/domtool.cfg @@ -1,23 +1,14 @@ -val libRoot = "/afs/hcoop.net/common/etc/domtool/lib" -val resultRoot = "/afs/hcoop.net/common/etc/domtool/nodes" +open ConfigCore + +val libRoot = ConfigCore.sharedRoot ^ "/lib" +val resultRoot = ConfigCore.sharedRoot ^ "/nodes" val tmpDir = "/tmp/domtool" -val oldResultRoot = "/afs/hcoop.net/common/etc/domtool/nodes.old" +val oldResultRoot = ConfigCore.sharedRoot ^ "/nodes.old" -val cat = "/bin/cat" -val cp = "/bin/cp" -val diff = "/usr/bin/diff" -val rm = "/bin/rm" -val echo = "/bin/echo" -val grep = "/bin/grep" -val sudo = "/usr/bin/sudo" -val domtool_publish = "/usr/local/sbin/domtool-publish" +val domtool_publish = ConfigCore.installPrefix ^ "/sbin/domtool-publish" val nodeIps = [("deleuze", "69.90.123.67"), ("hopper", "69.90.123.74"), ("fritz", "69.90.123.75"), ("navajos", "69.90.123.70"), ("bog", "69.90.123.72"), ("outpost", "151.236.216.192")] -val defaultNode = "deleuze" - -val masterNode = "deleuze" -val slaveNodes = ["outpost"] -(* THESE ARE THE DNS MASTER/SLAVE, NOT DOMTOOL NODES *) +val dispatcherName = "fritz" val dnsNodes_all = ["deleuze", "outpost"] val dnsNodes_admin = [] @@ -25,33 +16,30 @@ val dnsNodes_admin = [] val mailNodes_all = ["deleuze"] val mailNodes_admin = [] -val aclFile = "/afs/hcoop.net/common/etc/domtool/acl" +val aclFile = ConfigCore.sharedRoot ^ "/acl" val testUser = "test" val defaultDomain = "hcoop.net" -val dispatcher = "deleuze.hcoop.net" val dispatcherPort = 1234 val slavePort = 1235 val queueSize = 5 val bufSize = 1024 -val trustStore = "/afs/hcoop.net/common/etc/domtool/TrustStore.pem" - -val certDir = "/afs/hcoop.net/common/etc/domtool/certs" -val keyDir = "/afs/hcoop.net/common/etc/domtool/keys" -val serialDir = "/afs/hcoop.net/common/etc/domtool/serials" +val trustStore = ConfigCore.sharedRoot ^ "/TrustStore.pem" -val dispatcherName = "deleuze" +val certDir = ConfigCore.sharedRoot ^ "/certs" +val keyDir = ConfigCore.sharedRoot ^ "/keys" +val caDir = "/etc/domtool/ca" fun domtoolDir user = case user of - "domtool" => "/afs/hcoop.net/common/etc/domtool/.domtool" + "domtool" => ConfigCore.sharedRoot ^ "/.domtool" | _ => OS.Path.joinDirFile {dir = Posix.SysDB.Passwd.home (Posix.SysDB.getpwnam user), file = ".domtool"} val worldReadable = ["/usr/share/moin", "/usr/share/apache/icons", "/afs/hcoop.net/common/app/moin/installed"] -val publish_reusers = "/usr/bin/sudo " ^ domtool_publish ^ " users" +val publish_reusers = ConfigCore.sudo ^ " " ^ domtool_publish ^ " users" diff --git a/configDefault/domtool.cfs b/configDefault/domtool.cfs index b464d46..94b0076 100644 --- a/configDefault/domtool.cfs +++ b/configDefault/domtool.cfs @@ -11,22 +11,11 @@ val oldResultRoot : string val tmpDir : string (* Filesystem location for creating temporary directories *) -(* Paths to standard UNIX utilities *) -val cat : string -val cp : string -val diff : string -val rm : string -val echo : string -val grep : string -val sudo : string val domtool_publish : string (* Names of machines who will receive configuration *) val nodeIps : (string * string) list -val defaultNode : string - -val masterNode : string -val slaveNodes : string list +val dispatcherName : string val aclFile : string (* Place to serialize ACL information *) @@ -35,7 +24,6 @@ val testUser : string val defaultDomain : string -val dispatcher : string val dispatcherPort : int val slavePort : int val queueSize : int @@ -46,9 +34,7 @@ val trustStore : string val certDir : string val keyDir : string -val serialDir : string - -val dispatcherName : string +val caDir : string val dnsNodes_all : string list val dnsNodes_admin : string list @@ -61,3 +47,5 @@ val domtoolDir : string -> string val worldReadable : string list val publish_reusers : string + +include CONFIG_CORE diff --git a/configDefault/exim.cfg b/configDefault/exim.cfg dissimilarity index 75% index 6a79253..4724054 100644 --- a/configDefault/exim.cfg +++ b/configDefault/exim.cfg @@ -1,12 +1,12 @@ -structure Exim :> EXIM_CONFIG = struct - -val aliases = "/var/domtool/aliases" -val aliasesDefault = "/var/domtool/aliases.default" -val handleDomains = "/var/domtool/local_domains.cfg" -val relayDomains = "/var/domtool/relay_domains.cfg" - -val reload = "/usr/bin/sudo /usr/local/sbin/domtool-publish exim" - -val mainLog = "/var/log/exim4/mainlog" - -end +structure Exim :> EXIM_CONFIG = struct + +val aliases = ConfigCore.localRoot ^ "/aliases" +val aliasesDefault = ConfigCore.localRoot ^ "/aliases.default" +val handleDomains = ConfigCore.localRoot ^ "/local_domains.cfg" +val relayDomains = ConfigCore.localRoot ^ "/relay_domains.cfg" + +val reload = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-publish exim" + +val mainLog = "/var/log/exim4/mainlog" + +end diff --git a/configDefault/firewall.cfg b/configDefault/firewall.cfg index 4eaa0af..7bd179a 100644 --- a/configDefault/firewall.cfg +++ b/configDefault/firewall.cfg @@ -1,10 +1,10 @@ (* -*- sml -*- *) structure Firewall :> FIREWALL_CONFIG = struct -val firewallRules = "/afs/hcoop.net/common/etc/domtool/firewall/user.rules" -val firewallDir = "/var/domtool/firewall/" +val firewallRules = ConfigCore.sharedRoot ^ "/firewall/user.rules" +val firewallDir = ConfigCore.localRoot ^ "/firewall/" val firewallNodes = ["bog", "navajos"] -val reload = "/usr/bin/sudo /usr/local/sbin/domtool-publish firewall" +val reload = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-publish firewall" end diff --git a/configDefault/mailman.cfg b/configDefault/mailman.cfg index 090de39..bc80616 100644 --- a/configDefault/mailman.cfg +++ b/configDefault/mailman.cfg @@ -2,9 +2,9 @@ structure Mailman :> MAILMAN_CONFIG = struct val node = "deleuze" -val mapFile = "/var/domtool/mailman.map" -val handleDomains = "/var/domtool/mailman_domains.cfg" +val mapFile = ConfigCore.localRoot ^ "/mailman.map" +val handleDomains = ConfigCore.localRoot ^ "/mailman_domains.cfg" -val reload = "/usr/bin/sudo /usr/local/sbin/domtool-publish mailman" +val reload = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-publish mailman" end diff --git a/configDefault/mysql.cfg b/configDefault/mysql.cfg dissimilarity index 87% index 05faa7a..3673718 100644 --- a/configDefault/mysql.cfg +++ b/configDefault/mysql.cfg @@ -1,9 +1,9 @@ -structure MySQL :> MYSQL_CONFIG = struct - -val adduser = "/usr/bin/sudo /usr/local/sbin/domtool-mysql adduser" -val passwd = "/usr/bin/sudo /usr/local/sbin/domtool-mysql passwd" -val createdb = "/usr/bin/sudo /usr/local/sbin/domtool-mysql createdb" -val dropdb = "/usr/bin/sudo /usr/local/sbin/domtool-mysql dropdb" -val grant = "/usr/bin/sudo /usr/local/sbin/domtool-mysql grant" - -end +structure MySQL :> MYSQL_CONFIG = struct + +val adduser = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-mysql adduser" +val passwd = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-mysql passwd" +val createdb = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-mysql createdb" +val dropdb = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-mysql dropdb" +val grant = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-mysql grant" + +end diff --git a/configDefault/postgres.cfg b/configDefault/postgres.cfg dissimilarity index 65% index 83dfe53..4f0d3e0 100644 --- a/configDefault/postgres.cfg +++ b/configDefault/postgres.cfg @@ -1,10 +1,10 @@ -structure Postgres :> POSTGRES_CONFIG = struct - -val adduser = "/usr/bin/sudo /usr/local/sbin/domtool-postgres adduser" -val createdb = "/usr/bin/sudo /usr/local/sbin/domtool-postgres createdb" -val dropdb = "/usr/bin/sudo /usr/local/sbin/domtool-postgres dropdb" - -val postgres81port = "5432"; -val postgres91port = "5433" - -end +structure Postgres :> POSTGRES_CONFIG = struct + +val adduser = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-postgres adduser" +val createdb = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-postgres createdb" +val dropdb = ConfigCore.sudo ^ " " ^ ConfigCore.installPrefix ^ "/sbin/domtool-postgres dropdb" + +val postgres81port = "5432"; +val postgres91port = "5433" + +end diff --git a/configDefault/webalizer.cfg b/configDefault/webalizer.cfg index addea9c..02be716 100644 --- a/configDefault/webalizer.cfg +++ b/configDefault/webalizer.cfg @@ -1,10 +1,10 @@ structure Webalizer :> WEBALIZER_CONFIG = struct -val configDir = "/afs/hcoop.net/common/etc/domtool/webalizer/config" -val outputDir = "/afs/hcoop.net/common/etc/domtool/webalizer/output" -val backupDir = "/afs/hcoop.net/common/etc/domtool/backup/webalizer" +val configDir = ConfigCore.sharedRoot ^ "/webalizer/config" +val outputDir = ConfigCore.sharedRoot ^ "/webalizer/output" +val backupDir = ConfigCore.sharedRoot ^ "/backup/webalizer" -val defaultOutput = "/afs/hcoop.net/common/etc/domtool/webalizer/output/main/" +val defaultOutput = ConfigCore.sharedRoot ^ "/webalizer/output/main/" val defaultHost = "www.hcoop.net" end diff --git a/lib/web_apps.dtl b/lib/web_apps.dtl index d9d6f5b..124a6d0 100644 --- a/lib/web_apps.dtl +++ b/lib/web_apps.dtl @@ -14,10 +14,11 @@ val addWordPress = \ loc : (location) -> {{Add a standard WordPress blog set-up code to a virtual host. The WordPress files should be rooted at the location you specify.}} -val wordPress = \ host : (host) -> +val wordPress = \ host : (host) -> \\ config : Vhost -> web host with addWordPress "/"; - diskCache "/wp-content" + diskCache "/wp-content"; + config end; {{Create a WordPress blog with just the standard set-up code. The WordPress blog should be rooted at the vhost's DocumentRoot.}} @@ -36,12 +37,13 @@ val addMoinMoin = begin end; {{Add a MoinMoin wiki to a vhost.}} -val moinMoin = \ host : (host) -> +val moinMoin = \ host : (host) -> \\ config : Vhost -> web host with addMoinMoin where Htdocs = moin_default_htdocs; Prefix = "/" - end + end; + config end; {{Create a new vhost with just a MoinMoin wiki.}} diff --git a/scripts/domtool-addacl b/scripts/domtool-addacl index f61bd31..56c3951 100755 --- a/scripts/domtool-addacl +++ b/scripts/domtool-addacl @@ -6,8 +6,7 @@ if test -z "$USER"; then exit 1 fi -PATHBITS=`echo $USER | head -c 1`/`echo $USER | head -c 2`/$USER -HOMEPATH=/afs/hcoop.net/user/$PATHBITS +HOMEPATH=`getent passwd $USER | cut -d : -f 6` domtool-admin grant $USER user $USER domtool-admin grant $USER path $HOMEPATH diff --git a/scripts/domtool-addcert b/scripts/domtool-addcert index 6e58197..25533b1 100755 --- a/scripts/domtool-addcert +++ b/scripts/domtool-addcert @@ -6,16 +6,28 @@ if test -z "$USER"; then exit 1 fi - KEYDIR=/afs/hcoop.net/common/etc/domtool/keys/$USER + KEYDIR=`domtool-config -path cert keys`/$USER KEYFILE=$KEYDIR/key.pem -CERTFILE=/afs/hcoop.net/common/etc/domtool/certs/$USER.pem +CERTFILE=`domtool-config -path cert certs`/$USER.pem NEWREQ=~/.newreq.pem NEW=~/.new.pem KEYIN=~/.keyin + CACONF=`domtool-config -path cert ca`/domtool-openssl.conf mkdir $KEYDIR || echo Key directory already exists. -openssl genrsa -out $KEYFILE -chown -R domtool.nogroup $KEYDIR +openssl genrsa -out $KEYFILE 4096 +# chown -R domtool.nogroup $KEYDIR +# chmod for non-afs systems +chmod 700 $KEYDIR +chmod 600 $KEYFILE +if [ "$2" != '-unsafe' ]; then + if [ -z "`getent passwd $USER`" ]; then + echo "$USER does not exist. This must be a server principal." + else + chown -R $USER.nogroup $KEYDIR + fi +fi + fs sa $KEYDIR $USER read || echo This must be a server principal. echo "." >$KEYIN echo "." >>$KEYIN @@ -23,13 +35,23 @@ echo "." >>$KEYIN echo "." >>$KEYIN echo "." >>$KEYIN echo "$USER" >>$KEYIN -echo "$USER@hcoop.net" >>$KEYIN +# fixme: domtool-config -domain +echo "$USER@`domtool-config -domain`" >>$KEYIN echo "" >>$KEYIN echo "" >>$KEYIN openssl req -new -key $KEYFILE -out $NEWREQ -days 365 <$KEYIN rm $KEYIN cat $NEWREQ $KEYFILE >$NEW rm $NEWREQ -openssl ca -batch -config /etc/domtool/openssl.cnf -policy policy_anything -out $CERTFILE -infiles $NEW + +ROOTCMD="" +# Insecure CA is OK for development, and if the CA is in afs it is +# assumed the script is being run with sufficient +# permissions. Otherwise, become root to use the ca private key, +if [ ! -r $CACONF ]; then + ROOTCMD=sudo +fi + +$ROOTCMD openssl ca -batch -config `domtool-config -path cert ca`/domtool-openssl.conf -out $CERTFILE -infiles $NEW rm $NEW -chown domtool.nogroup $CERTFILE +#chown domtool.nogroup $CERTFILE diff --git a/scripts/domtool-adduser b/scripts/domtool-adduser index c8497ee..34a82a5 100755 --- a/scripts/domtool-adduser +++ b/scripts/domtool-adduser @@ -1,7 +1,7 @@ #!/bin/sh -e -if ! [ -e /etc/domtool ]; then - echo "/etc/domtool not found. Are you running this on the same machine as domtool-server?" +if ! [ -e `domtool-config -path cert ca` ]; then + echo "domtool ca not found. Are you running this on the same machine as domtool-server?" exit 1 fi diff --git a/src/domain.sml b/src/domain.sml index 7286b2e..affa1b1 100644 --- a/src/domain.sml +++ b/src/domain.sml @@ -689,7 +689,7 @@ fun handleSite (site, files) = in print ("New configuration for node " ^ site ^ "\n"); - if site = Config.defaultNode then + if site = Config.dispatcherName then Slave.handleChanges files else let val bio = OpenSSL.connect true (valOf (!ssl_context), diff --git a/src/mail/vmail.sml b/src/mail/vmail.sml index 1d5262d..48d2287 100644 --- a/src/mail/vmail.sml +++ b/src/mail/vmail.sml @@ -26,7 +26,7 @@ fun rebuild () = let fun doNode (site, ok) = (print ("New vmail data for node " ^ site ^ "\n"); - if site = Config.defaultNode then + if site = Config.dispatcherName then Slave.shell [Config.Courier.postReload] andalso ok else let val bio = OpenSSL.connect true (Domain.get_context (), diff --git a/src/main-config.sml b/src/main-config.sml new file mode 100644 index 0000000..8aacdb0 --- /dev/null +++ b/src/main-config.sml @@ -0,0 +1,47 @@ +(* HCoop Domtool (http://hcoop.sourceforge.net/) + * Copyright (c) 2014 Clinton Ebadi + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + *) + +(* Configuration Value Queries *) + +(* Not entirely clear what belongs here and what belongs in + domtool-admin. + + Proposed dividing line: whatever can be deduced from the static + configuration can be queried with domtool-config, anything that + requires acessing the daemons goes through domtool-admin. +*) + +fun println x = (print x; print "\n") + +val _ = + (case CommandLine.arguments () of + ("-path" :: path) => (case path of + ["shared-root"] => println Config.sharedRoot + | ["local-root"] => println Config.localRoot + | ["install-prefix"] => println Config.installPrefix + | ["cert", path] => (case path of + "ca" => println Config.caDir + | "certs" => println Config.certDir + | "keys" => println Config.keyDir + | "truststore" => println Config.trustStore + | _ => println "Invalid cert path type") + | _ => print "Invalid path type\n") + | ["-nodes"] => (app (fn (n, _) => (print n; print " ")) Config.nodeIps; + print "\n") + | ["-domain"] => println Config.defaultDomain + | _ => print "Invalid command-line arguments\n") diff --git a/src/main.sml b/src/main.sml index 6cb3ef1..fe93791 100644 --- a/src/main.sml +++ b/src/main.sml @@ -208,7 +208,7 @@ fun eval G evs fname = | (G, NONE) => (G, evs) val dispatcher = - Config.dispatcher ^ ":" ^ Int.toString Config.dispatcherPort + Domain.nodeIp Config.dispatcherName ^ ":" ^ Int.toString Config.dispatcherPort val self = "localhost:" ^ Int.toString Config.slavePort @@ -1091,7 +1091,7 @@ fun regenerateEither tc checker context = val ok = ref true fun contactNode (node, ip) = - if node = Config.defaultNode then + if node = Config.dispatcherName then Domain.resetLocal () else let val bio = OpenSSL.connect true (context, diff --git a/src/plugins/bind.sml b/src/plugins/bind.sml index 89e8b06..ca35c2c 100644 --- a/src/plugins/bind.sml +++ b/src/plugins/bind.sml @@ -229,7 +229,7 @@ val () = Slave.registerFileHandler (fn fs => val {dir, file} = OS.Path.splitDirFile (#file fs) fun dnsChanged () = - if #domain fs = !didDomain orelse Slave.hostname () <> Config.masterNode then + if #domain fs = !didDomain orelse Slave.hostname () <> Config.Bind.masterNode then () else if Slave.isDelete (#action fs) then let @@ -257,7 +257,7 @@ val () = Slave.registerFileHandler (fn fs => val min = readILine inf val () = TextIO.closeIn inf - val serialPath = OS.Path.joinDirFile {dir = Config.serialDir, + val serialPath = OS.Path.joinDirFile {dir = Config.Bind.serialDir, file = #domain fs} val oldSerial = let @@ -375,11 +375,11 @@ val _ = Env.type_one "srv_domain" validSrvDomain val _ = Env.registerFunction ("dns_master_node", - fn [] => SOME (EString Config.masterNode, dl) + fn [] => SOME (EString Config.Bind.masterNode, dl) | _ => NONE) val _ = Env.registerFunction ("dns_slave_nodes", - fn [] => SOME (EList (map (fn n => (EString n, dl)) Config.slaveNodes), dl) + fn [] => SOME (EList (map (fn n => (EString n, dl)) Config.Bind.slaveNodes), dl) | _ => NONE) end diff --git a/src/sources b/src/sources index 3f72ec2..17a9fd4 100644 --- a/src/sources +++ b/src/sources @@ -7,6 +7,8 @@ ast.sml configTypes.sml +../config/core/core.sig +../config/core/core.sml ../configDefault/config.sig ../configDefault/configDefault.sml diff --git a/src/stats/webbw.mlb b/src/stats/webbw.mlb index cfc1dc8..d7ef6fd 100644 --- a/src/stats/webbw.mlb +++ b/src/stats/webbw.mlb @@ -2,6 +2,8 @@ $(SML_LIB)/basis/basis.mlb $(SML_LIB)/smlnj-lib/Util/smlnj-lib.mlb ../configTypes.sml +../../config/core/core.sig +../../config/core/core.sml ../../configDefault/config.sig ../../configDefault/configDefault.sml ../../config.sml