3 # fixes the cakelampvm permissions according to the way.
7 if [[ $EUID != 0 ]]; then
8 echo "This script must be run as root or sudo."
14 export WORKDIR="$( \cd "$(\dirname "$0")" && \pwd )" # obtain the script's working directory.
15 export FEISTY_MEOW_APEX="$( \cd "$WORKDIR/../.." && \pwd )"
18 source "$FEISTY_MEOW_APEX/scripts/core/launch_feisty_meow.sh"
19 # load dependencies for our script.
20 source "$FEISTY_MEOW_SCRIPTS/system/common_sysadmin.sh"
21 source "$FEISTY_MEOW_SCRIPTS/security/password_functions.sh"
25 # new requirement to have the sql root password, since we need to do some sql db configuration.
27 mysql_passwd="$(load_password /etc/mysql/secret_password)"
28 if [ -z "$mysql_password" ]; then
29 mysql_password="$(read_password "Please enter the MySQL root account password:")"
30 # echo -n "Please enter the MySQL root account password: "
31 # # turn off echo but remember former setting.
35 # # turn echo back on.
38 if [ -z "$mysql_passwd" ]; then
39 echo "This script must have the sql root password to proceed."
42 store_password /etc/mysql/secret_password "$mysql_password"
49 echo "Regenerating feisty meow loading dock."
52 test_or_die "regenerating feisty meow configuration"
53 chown -R "$(logname)":"$(logname)" /home/$(logname)/.[a-zA-Z0-9]*
54 test_or_die "fix after reconfigured as sudo"
58 # set up some crucial users in the mysql db that we seem to have missed previously.
62 echo "Adding users to the mysql database."
64 #hmmm: good application for hiding output unless error here.
65 mysql -u root -p"$mysql_passwd" &>/dev/null <<EOF
66 create user if not exists 'root'@'%' IDENTIFIED BY '$mysql_passwd';
67 grant all privileges on *.* TO 'root'@'%' with grant option;
69 create user if not exists 'wampcake'@'%' IDENTIFIED BY 'bakecamp';
70 grant all privileges on *.* TO 'wampcake'@'%' with grant option;
72 create user if not exists 'lampcake'@'%' IDENTIFIED BY 'bakecamp';
73 grant all privileges on *.* TO 'lampcake'@'%' with grant option;
75 test_or_die "configuring root, wampcake and lampcake users on mysql"
81 echo "Making some important permission changes..."
83 # fix up the main web storage.
84 chown -R www-data:www-data /var/www
85 test_or_die "chown www-data"
87 test_or_die "group_perm www-data"
91 # set up access on some important folders for the developer user.
92 chown -R developer:developer /home/developer /home/developer/.[a-zA-Z0-9]*
93 test_or_die "chown developer home"
94 harsh_perm /home/developer/.ssh
95 test_or_die "harsh_perm setting on developer .ssh"
96 chown -R developer:developer /etc/apache2 /etc/bind
97 test_or_die "chown apache2 and bind to developer"
98 group_perm /etc/apache2 /etc/bind
99 test_or_die "group perms on apache2 and bind"
103 # fix perms for fred user.
104 chown -R fred:fred /home/fred /home/archives/stuffing /home/fred/.[a-zA-Z0-9]*
105 test_or_die "chown fred home"
106 group_perm $HOME/apps
107 test_or_die "group perms on fred's apps"
108 harsh_perm /home/fred/.ssh
109 test_or_die "harsh_perm setting on fred .ssh"
110 chown -R fred:fred /opt/feistymeow.org
111 test_or_die "chown feisty meow to fred"
112 group_perm /opt/feistymeow.org
113 test_or_die "group perms on feisty meow"
114 group_perm /home/fred/apps/mapsdemo
115 test_or_die "group perms on mapsdemo app"
117 echo "Done with important permission changes."
121 # some slightly tricky bits start here. we want to massage the vm into the
122 # best possible shape without needing to re-release it.
128 echo "Updating developer welcome file."
130 # only update hello if they've still got the file there. we don't want to
131 # keep forcing our hellos at people.
132 if [ -f "$HOME/hello.txt" ]; then
133 # copy the most recent hello file into place for the user.
134 \cp -f "$FEISTY_MEOW_APEX/production/sites/cakelampvm.com/hello.txt" "$HOME"
135 test_or_continue "copying hello file for user"
140 # install a better editor app.
144 echo "The script is about to install the bluefish editor and some dependencies.
145 If the app is not already installed, then this process takes about one minute
146 on a slow home DSL internet connection..."
148 apt-get install -y bluefish &> "/tmp/install_bluefish-$(logname).log"
149 test_or_continue "installing bluefish editor"
153 # deploy any site updates here to the VM's cakelampvm.com site.
155 # we want to upgrade the default apache site to the latest, since the new
156 # version mirrors the one on the internet (but with green checks instead
157 # of red X's) and since we also support https on the new default version.
158 # we can do this again later if needed, by upping the numbers on the apache
159 # site config files. our original site was 000 and the new version is 001,
160 # which we've done as a prefix on the config for some reason. makes the
161 # code below easy at least.
162 if [ -L /etc/apache2/sites-enabled/000-default.conf ]; then
166 # the old site is in place still, so let's update that.
167 echo "Updating default web sites to latest version."
170 test_or_die "enabling SSL for secure websites"
173 test_or_die "getting SSL loaded in apache"
175 a2dissite 000-default
176 test_or_die "disabling old apache site"
178 rm -f /etc/apache2/sites-available/000-default.conf
179 test_or_die "removing old apache site"
181 # copy in our new version of the default page.
182 #hmmm: would be nice if this worked without mods for any new version, besides just 001. see apache env var file below for example implem.
183 \cp -f $FEISTY_MEOW_APEX/production/sites/cakelampvm.com/rolling/default_page.001/* \
184 /etc/apache2/sites-available
185 test_or_die "installing new apache default sites"
187 # there should only be ours at this version level and with that prefix.
189 test_or_die "enabling new apache default sites"
196 # fix up the apache site so that HSTS is disabled. otherwise we can't view
197 # the https site for cakelampvm.com once the domain name switch has occurred.
201 # we operate only on our own specialized tls conf file. hopefully no one has messed with it besides revamp.
202 # note the use of the character class :blank: below to match spaces or tabs.
203 search_replace "^[[:blank:]]*Header always set Strict-Transport-Security.*" "# not good for cakelampvm.com -- Header always set Strict-Transport-Security \"max-age=63072000; includeSubdomains;\"" /etc/apache2/conf-library/tls-enabling.conf
204 if [ $? -ne 0 ]; then
205 echo the apache tls-enabling.conf file seems to have already been patched to disable strict transport security.
208 echo successfully patched the apache tls-enabling.conf file to disable strict transport security.
213 # fix up bind so that we think of any address with cakelampvm.com on the end
214 # as being on the vm. this is already true for some specific sites, but we
215 # want the wildcard enabled to ease the use of DNS for windows folks.
219 grep -q "\*[[:blank:]]*IN A[[:blank:]]*10.28.42.20" /etc/bind/cakelampvm.com.conf
220 if [ $? -eq 0 ]; then
222 echo the bind settings for wildcard domains off of cakelampvm.com seems to already be present.
229 ; our bind magic, a wildcard domain, for all other sites with cakelampvm.com
230 ; in the domain. this forces any other sites besides the ones above to route
231 ; to the actual vm IP address, which currently is singular and very fixated.
233 IN HINFO \"linux vm\" \"ubuntu\"
239 " >> /etc/bind/cakelampvm.com.conf
241 echo "successfully added wildcard domains to the cakelampvm.com bind configuration."
246 # fix samba configuration for (ass-headed) default of read-only in user homes.
247 # why cripple a necessary feature by default?
251 pattern="[#;][[:blank:]]*read only = yes"
252 replacement="read only = no"
254 # we just always do the replacement now, after realizing the sentinel pattern
255 # was acutally already in the file... too much subtlety can get one into trouble.
256 sed -i "0,/$pattern/{s/$pattern/$replacement/}" /etc/samba/smb.conf
257 test_or_die "patching samba configuration to enable write acccess on user home dirs"
258 # sweet, looks like that worked...
260 echo successfully patched the samba configuration to enable writes on user home directories.
264 # add the latest version of the cakelampvm environment variables for apache.
268 # drop existing file, if already configured. ignore errors.
269 a2disconf env_vars_cakelampvm &>/dev/null
271 # plug in the new version, just stomping anything there.
272 # note: we only expect to have one version of the env_vars dir at a time in place in feisty...
273 \cp -f $FEISTY_MEOW_APEX/production/sites/cakelampvm.com/rolling/env_vars.*/env_vars_cakelampvm.conf /etc/apache2/conf-available
274 test_or_die "copying environment variables file into place"
276 # enable the new version of the config file.
277 a2enconf env_vars_cakelampvm
278 test_or_die "enabling the new cakelampvm environment config for apache"
280 echo Successfully configured the apache2 environment variables needed for cakelampvm.
284 # add in a swap mount if not already configured.
288 echo "Checking existing swap partition configuration.
291 # check for existing swap.
292 free | grep -q "Swap:[[:blank:]]*[1-9][0-9]"
293 if [ $? -ne 0 ]; then
294 # no swap in current session, so add it.
295 echo "Enabling ramdisk swap partition...
299 Enabled ramdisk swap partition for current boot session."
302 # the above just gives this session a swap partition, but we want to have
303 # the vm boot with one also.
305 # check if there is already swap mentioned in the root crontab. we will get root's
306 # crontab below since this script has to run as sudo.
307 crontab -l | grep -iq add_swap_mount
308 if [ $? -ne 0 ]; then
309 # no existing swap setup in crontab, so add it.
311 Adding a boot-time ramdisk swap partition...
313 # need to do it carefully, since sed won't add lines to a null file. we thus
314 # create a temporary file to do our work in and ignore sed as a tool for this.
315 tmpfile="$(mktemp junk.XXXXXX)"
316 crontab -l 2>/dev/null >"$tmpfile"
318 # need to explicitly set any variables we will use.
319 FEISTY_MEOW_APEX=${FEISTY_MEOW_APEX}
320 # add swap space to increase memory available.
321 @reboot bash $FEISTY_MEOW_APEX/scripts/system/add_swap_mount.sh
323 # now install our new version of the crontab.
328 Added boot-time ramdisk swap partition to crontab for root."
335 # next bit can go here.
340 # sequel--tell them they're great and show the hello again also.
345 test_or_die "regenerating feisty meow scripts"
346 chown -R "$(logname)":"$(logname)" /home/$(logname)/.[a-zA-Z0-9]*
347 test_or_die "fix after regenerate as sudo"
351 Thanks for revamping your cakelampvm. :-)
353 You may want to update your current shell's feisty meow environment by typing: