3 # fixes the cakelampvm permissions according to the way.
7 if [[ $EUID != 0 ]]; then
8 echo "This script must be run as root or sudo."
14 export WORKDIR="$( \cd "$(\dirname "$0")" && \pwd )" # obtain the script's working directory.
15 export FEISTY_MEOW_APEX="$( \cd "$WORKDIR/../.." && \pwd )"
18 source "$FEISTY_MEOW_APEX/scripts/core/launch_feisty_meow.sh"
19 # load dependencies for our script.
20 source "$FEISTY_MEOW_SCRIPTS/system/common_sysadmin.sh"
21 source "$FEISTY_MEOW_SCRIPTS/security/password_functions.sh"
25 # new requirement to have the sql root password, since we need to do some sql db configuration.
28 load_password /etc/mysql/secret_password mysql_passwd
30 if [ -z "$mysql_passwd" ]; then
32 read_password "Please enter the MySQL root account password:" mysql_passwd
34 echo password was found as: $mysql_passwd
35 # echo -n "Please enter the MySQL root account password: "
36 # # turn off echo but remember former setting.
40 # # turn echo back on.
43 if [ -z "$mysql_passwd" ]; then
45 echo "This script must have the sql root password to proceed."
49 store_password /etc/mysql/secret_password "$mysql_passwd"
56 echo "Regenerating feisty meow loading dock."
59 test_or_die "regenerating feisty meow configuration"
60 chown -R "$(logname)":"$(logname)" /home/$(logname)/.[a-zA-Z0-9]*
61 test_or_die "fix after reconfigured as sudo"
65 # set up some crucial users in the mysql db that we seem to have missed previously.
69 echo "Adding users to the mysql database."
71 #hmmm: good application for hiding output unless error here.
72 mysql -u root -p"$mysql_passwd" &>/dev/null <<EOF
73 create user if not exists 'root'@'%' IDENTIFIED BY '$mysql_passwd';
74 grant all privileges on *.* TO 'root'@'%' with grant option;
76 create user if not exists 'wampcake'@'%' IDENTIFIED BY 'bakecamp';
77 grant all privileges on *.* TO 'wampcake'@'%' with grant option;
79 create user if not exists 'lampcake'@'%' IDENTIFIED BY 'bakecamp';
80 grant all privileges on *.* TO 'lampcake'@'%' with grant option;
82 test_or_die "configuring root, wampcake and lampcake users on mysql"
88 echo "Making some important permission changes..."
90 # fix up the main web storage.
91 chown -R www-data:www-data /var/www
92 test_or_die "chown www-data"
94 test_or_die "group_perm www-data"
98 # set up access on some important folders for the developer user.
99 chown -R developer:developer /home/developer /home/developer/.[a-zA-Z0-9]*
100 test_or_die "chown developer home"
101 harsh_perm /home/developer/.ssh
102 test_or_die "harsh_perm setting on developer .ssh"
103 chown -R developer:developer /etc/apache2 /etc/bind
104 test_or_die "chown apache2 and bind to developer"
105 group_perm /etc/apache2 /etc/bind
106 test_or_die "group perms on apache2 and bind"
110 # fix perms for fred user.
111 chown -R fred:fred /home/fred /home/archives/stuffing /home/fred/.[a-zA-Z0-9]*
112 test_or_die "chown fred home"
113 group_perm $HOME/apps
114 test_or_die "group perms on fred's apps"
115 harsh_perm /home/fred/.ssh
116 test_or_die "harsh_perm setting on fred .ssh"
117 chown -R fred:fred /opt/feistymeow.org
118 test_or_die "chown feisty meow to fred"
119 group_perm /opt/feistymeow.org
120 test_or_die "group perms on feisty meow"
121 group_perm /home/fred/apps/mapsdemo
122 test_or_die "group perms on mapsdemo app"
124 echo "Done with important permission changes."
128 # some slightly tricky bits start here. we want to massage the vm into the
129 # best possible shape without needing to re-release it.
135 echo "Updating developer welcome file."
137 # only update hello if they've still got the file there. we don't want to
138 # keep forcing our hellos at people.
139 if [ -f "$HOME/hello.txt" ]; then
140 # copy the most recent hello file into place for the user.
141 \cp -f "$FEISTY_MEOW_APEX/production/sites/cakelampvm.com/hello.txt" "$HOME"
142 test_or_continue "copying hello file for user"
147 # install a better editor app.
151 echo "The script is about to install the bluefish editor and some dependencies.
152 If the app is not already installed, then this process takes about one minute
153 on a slow home DSL internet connection..."
155 apt-get install -y bluefish &> "/tmp/install_bluefish-$(logname).log"
156 test_or_continue "installing bluefish editor"
160 # deploy any site updates here to the VM's cakelampvm.com site.
162 # we want to upgrade the default apache site to the latest, since the new
163 # version mirrors the one on the internet (but with green checks instead
164 # of red X's) and since we also support https on the new default version.
165 # we can do this again later if needed, by upping the numbers on the apache
166 # site config files. our original site was 000 and the new version is 001,
167 # which we've done as a prefix on the config for some reason. makes the
168 # code below easy at least.
169 if [ -L /etc/apache2/sites-enabled/000-default.conf ]; then
173 # the old site is in place still, so let's update that.
174 echo "Updating default web sites to latest version."
177 test_or_die "enabling SSL for secure websites"
180 test_or_die "getting SSL loaded in apache"
182 a2dissite 000-default
183 test_or_die "disabling old apache site"
185 rm -f /etc/apache2/sites-available/000-default.conf
186 test_or_die "removing old apache site"
188 # copy in our new version of the default page.
189 #hmmm: would be nice if this worked without mods for any new version, besides just 001. see apache env var file below for example implem.
190 \cp -f $FEISTY_MEOW_APEX/production/sites/cakelampvm.com/rolling/default_page.001/* \
191 /etc/apache2/sites-available
192 test_or_die "installing new apache default sites"
194 # there should only be ours at this version level and with that prefix.
196 test_or_die "enabling new apache default sites"
203 # fix up the apache site so that HSTS is disabled. otherwise we can't view
204 # the https site for cakelampvm.com once the domain name switch has occurred.
208 # we operate only on our own specialized tls conf file. hopefully no one has messed with it besides revamp.
209 # note the use of the character class :blank: below to match spaces or tabs.
210 search_replace "^[[:blank:]]*Header always set Strict-Transport-Security.*" "# not good for cakelampvm.com -- Header always set Strict-Transport-Security \"max-age=63072000; includeSubdomains;\"" /etc/apache2/conf-library/tls-enabling.conf
211 if [ $? -ne 0 ]; then
212 echo the apache tls-enabling.conf file seems to have already been patched to disable strict transport security.
215 echo successfully patched the apache tls-enabling.conf file to disable strict transport security.
220 # fix up bind so that we think of any address with cakelampvm.com on the end
221 # as being on the vm. this is already true for some specific sites, but we
222 # want the wildcard enabled to ease the use of DNS for windows folks.
226 grep -q "\*[[:blank:]]*IN A[[:blank:]]*10.28.42.20" /etc/bind/cakelampvm.com.conf
227 if [ $? -eq 0 ]; then
229 echo the bind settings for wildcard domains off of cakelampvm.com seems to already be present.
236 ; our bind magic, a wildcard domain, for all other sites with cakelampvm.com
237 ; in the domain. this forces any other sites besides the ones above to route
238 ; to the actual vm IP address, which currently is singular and very fixated.
240 IN HINFO \"linux vm\" \"ubuntu\"
246 " >> /etc/bind/cakelampvm.com.conf
248 echo "successfully added wildcard domains to the cakelampvm.com bind configuration."
253 # fix samba configuration for (ass-headed) default of read-only in user homes.
254 # why cripple a necessary feature by default?
258 pattern="[#;][[:blank:]]*read only = yes"
259 replacement="read only = no"
261 # we just always do the replacement now, after realizing the sentinel pattern
262 # was acutally already in the file... too much subtlety can get one into trouble.
263 sed -i "0,/$pattern/{s/$pattern/$replacement/}" /etc/samba/smb.conf
264 test_or_die "patching samba configuration to enable write acccess on user home dirs"
265 # sweet, looks like that worked...
267 echo successfully patched the samba configuration to enable writes on user home directories.
271 # add the latest version of the cakelampvm environment variables for apache.
275 # drop existing file, if already configured. ignore errors.
276 a2disconf env_vars_cakelampvm &>/dev/null
278 # plug in the new version, just stomping anything there.
279 # note: we only expect to have one version of the env_vars dir at a time in place in feisty...
280 \cp -f $FEISTY_MEOW_APEX/production/sites/cakelampvm.com/rolling/env_vars.*/env_vars_cakelampvm.conf /etc/apache2/conf-available
281 test_or_die "copying environment variables file into place"
283 # enable the new version of the config file.
284 a2enconf env_vars_cakelampvm
285 test_or_die "enabling the new cakelampvm environment config for apache"
287 echo Successfully configured the apache2 environment variables needed for cakelampvm.
291 # add in a swap mount if not already configured.
295 echo "Checking existing swap partition configuration.
298 # check for existing swap.
299 free | grep -q "Swap:[[:blank:]]*[1-9][0-9]"
300 if [ $? -ne 0 ]; then
301 # no swap in current session, so add it.
302 echo "Enabling ramdisk swap partition...
306 Enabled ramdisk swap partition for current boot session."
309 # the above just gives this session a swap partition, but we want to have
310 # the vm boot with one also.
312 # check if there is already swap mentioned in the root crontab. we will get root's
313 # crontab below since this script has to run as sudo.
314 crontab -l | grep -iq add_swap_mount
315 if [ $? -ne 0 ]; then
316 # no existing swap setup in crontab, so add it.
318 Adding a boot-time ramdisk swap partition...
320 # need to do it carefully, since sed won't add lines to a null file. we thus
321 # create a temporary file to do our work in and ignore sed as a tool for this.
322 tmpfile="$(mktemp junk.XXXXXX)"
323 crontab -l 2>/dev/null >"$tmpfile"
325 # need to explicitly set any variables we will use.
326 FEISTY_MEOW_APEX=${FEISTY_MEOW_APEX}
327 # add swap space to increase memory available.
328 @reboot bash $FEISTY_MEOW_APEX/scripts/system/add_swap_mount.sh
330 # now install our new version of the crontab.
335 Added boot-time ramdisk swap partition to crontab for root."
342 # next bit can go here.
347 # sequel--tell them they're great and show the hello again also.
352 test_or_die "regenerating feisty meow scripts"
353 chown -R "$(logname)":"$(logname)" /home/$(logname)/.[a-zA-Z0-9]*
354 test_or_die "fix after regenerate as sudo"
358 Thanks for revamping your cakelampvm. :-)
360 You may want to update your current shell's feisty meow environment by typing: