preseed/jessie: install fail2ban by default
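#!/bin/bash
#
# mccarthy-postinstall.sh -- one-time post-install setup for a freshly
# installed hcoop node (this copy is for mccarthy).
#
# Run it on the new node, after its first reboot, as a Kerberos/AFS admin
# who also has local sudo rights: it extracts keytabs from the KDC and
# pulls further keytabs and the TLS key from other hcoop hosts over ssh,
# then writes them under /etc with tight ownership and modes.
#
# No secret is passed on a command line: kadmin prompts for the admin
# password itself and keytab/PEM bytes travel through pipes, so the
# `set -x` trace below only shows principal names and paths.
#
# FIXME BEFORE REINSTALLING: the /etc/adduser.conf override
# (FIRST_SYSTEM_UID/GID = 110) exists only to skip over UID/GID 108,
# which the legacy domtool identity already occupies in pts.  Doing the
# override in hcoop-common-config instead is sufficient as long as fewer
# than 8 packages requesting dynamically allocated system uids are
# installed by d-i.  Drop it once the domtool pts user is replaced by
# domtool2.

set -e
set -u
set -o pipefail   # a failing ssh/tar or sed/tee stage must abort the run
set -x

# Node-specific values, kept in one place so the template can be reused
# for another machine.
readonly node=mccarthy
readonly realm=HCOOP.NET
readonly fqdn="${node}.hcoop.net"
readonly admin_princ="${USER}@${realm}"

# Print a message to stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Extract the key for principal $2 into keytab $1 via kadmin ktadd.
# ktadd rotates the principal's key on every invocation, so an existing
# keytab is never overwritten: doing so would silently invalidate the
# copy already in use.
extract_keytab() {
  local keytab=$1 princ=$2
  if sudo test -e "$keytab"; then
    die "refusing to overwrite $keytab: ktadd would re-key $princ"
  fi
  sudo kadmin -p "$admin_princ" -r "$realm" -q "ktadd -k $keytab $princ"
}

# --- adduser.conf: skip UID/GID 108 (domtool pts identity) ------------
#
# Domtool was created in pts with id #108, so dynamically allocated
# system UIDs/GIDs start at 110 until that pts user can be replaced.
# The edited copy lives in adduser.conf.hcoop and adduser.conf is a
# symlink to it; the pristine file is kept in adduser.conf.hcoop-orig.
readonly adduser_conf=/etc/adduser.conf
readonly adduser_orig=${adduser_conf}.hcoop-orig
readonly adduser_hcoop=${adduser_conf}.hcoop

# Take the pristine copy exactly once.  On a re-run adduser.conf is
# already the symlink; copying it over the backup would lose the
# original, and `cat conf > conf.hcoop` would truncate the very file the
# symlink points at.
if ! sudo test -e "$adduser_orig"; then
  sudo cp -p "$adduser_conf" "$adduser_orig"
fi

# Always regenerate the override from the pristine copy, never from the
# (possibly symlinked) live file.
sudo sed -e 's/^FIRST_SYSTEM_UID=.*/FIRST_SYSTEM_UID=110/' \
         -e 's/^FIRST_SYSTEM_GID=.*/FIRST_SYSTEM_GID=110/' \
         "$adduser_orig" | sudo tee "$adduser_hcoop" >/dev/null

# If sed matched nothing (setting absent or commented out), adduser would
# fall back to its built-in range and could hand out 108 to a package.
sudo grep -q '^FIRST_SYSTEM_UID=110$' "$adduser_hcoop" \
  || die "FIRST_SYSTEM_UID=110 not present in $adduser_hcoop"
sudo grep -q '^FIRST_SYSTEM_GID=110$' "$adduser_hcoop" \
  || die "FIRST_SYSTEM_GID=110 not present in $adduser_hcoop"

sudo ln -sfn "$adduser_hcoop" "$adduser_conf"

sudo apt-get install hcoop-admin-common-config

# --- host keytab: root-only --------------------------------------------
extract_keytab /etc/krb5.keytab "host/${fqdn}@${realm}"
sudo chown root:root /etc/krb5.keytab
sudo chmod 600 /etc/krb5.keytab

# --- initial keytab set from fritz --------------------------------------
sudo mkdir -p /etc/keytabs/service

# `&&` on both ends: if either cd fails, tar must not run in whatever
# directory the shell happened to be in.
ssh fritz.hcoop.net 'cd /etc/keytabs && sudo tar clpf - domtool hcoop' \
  | (cd /etc/keytabs && sudo tar xlpf -)

# --- web server keytab: readable by www-data only -----------------------
extract_keytab /etc/keytabs/service/apache "apache2/${fqdn}@${realm}"
sudo chown www-data:root /etc/keytabs/service/apache
sudo chmod 400 /etc/keytabs/service/apache

# --- shared TLS material from navajos -----------------------------------
# Group allowed to read hcoop.pem; addgroup exits non-zero if the group
# already exists, which would otherwise abort a re-run under set -e.
getent group hcoop-tlscert >/dev/null || sudo addgroup hcoop-tlscert

# hcoop.pem presumably carries the private key too (hence 440 below).
ssh navajos.hcoop.net sudo tar clpf - /etc/hcoop-ssl/hcoop.pem \
  | (cd / && sudo tar xlpf -)

# tar -p restored navajos' ownership/modes; pin them regardless.
sudo chown root:hcoop-tlscert /etc/hcoop-ssl /etc/hcoop-ssl/hcoop.pem
sudo chmod 750 /etc/hcoop-ssl
sudo chmod 440 /etc/hcoop-ssl/hcoop.pem

# --- local domtool deployment -------------------------------------------
sudo touch /var/log/domtool.log
sudo chown domtool:nogroup /var/log/domtool.log
sudo chmod 600 /var/log/domtool.log

sudo mkdir -p /var/domtool
sudo chown domtool:nogroup /var/domtool
sudo chmod 755 /var/domtool

sudo -u domtool mkdir -p /var/domtool/vhosts /var/domtool/firewall

/afs/hcoop.net/common/etc/scripts/deploy-domtool-on-host --slave --bootstrap

fwtool regen "$node"

echo "Manually run 'domtool-admin regen' if needed"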