log_not_found off;
}
location / {
- index index.html index.htm;
include /etc/nginx/conf.d/fastcgi.conf;
set $no_cache "0";
if ($request_method !~ ^(GET|HEAD)$) {
fastcgi_max_temp_file_size 2M;
fastcgi_no_cache $no_cache;
fastcgi_param PATH_INFO $uri;
+ fastcgi_param SCRIPT_NAME '';
fastcgi_pass_header Cookie;
fastcgi_pass_header Set-Cookie;
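Review bot: The added `fastcgi_param SCRIPT_NAME '';` on L11 has no comment saying why SCRIPT_NAME is blanked while `PATH_INFO` (L10) carries the whole `$uri`, and a later reader will assume the value from the included fastcgi.conf is the one wanted. Suggested comment above it: `# single front controller: SCRIPT_NAME is emptied so PHP sees the full $uri as PATH_INFO`. The hunk does not show `SCRIPT_FILENAME`; with this pairing it should name that fixed controller file rather than be derived from `$uri`, otherwise every path reaching this location is handed to PHP-FPM as a script to execute. The enclosing `location /` block continues outside the hunk.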
# ipv6-edns-size: 4096
# logfile: "/var/log/nsd.log"
# nsid: "aabbccdd"
-pidfile: "/run/nsd3.pid"
+pidfile: "/run/nsd3/nsd.pid"
# NOTE: utilisé par nsdc reload pour envoyer SIGHUP ou SIGUSR1,
# attention que SIGHUP fait changer le pid, et du coup fonctionne mal avec runsv
+ # XXX: username doit pouvoir le supprimer.
port: 53
rrl-ratelimit: 200
rrl-size: 10000
define(`LAUTRENET_IP4', `80.67.160.70')
define(`LAUTRENET_MX_NAME', `mx.lautre.net.')
define(`LAUTRENET_MX2_NAME', `mx2.lautre.net.')
+define(`LAUTRENET_SPF_NAME', `mx1a.lautre.net')
divert(0)dnl
$TTL 1d ; TTL (Time To Live) par défaut pour les enregistrements
; http://tools.ietf.org/html/draft-ietf-dnsop-reverse-mapping-considerations
; ENREGISTREMENTS "SPF" (Sender Policy Framework)
-@ 3600 IN SPF "v=spf1 mx a:mail.ZONE_DOMAIN -all"
-@ 3600 IN TXT "v=spf1 mx a:mail.ZONE_DOMAIN -all"
+@ 3600 IN SPF "v=spf1 mx ip4:IP4(GRESILLE) a:NAME(LAUTRENET_SPF) -all"
+@ 3600 IN TXT "v=spf1 mx ip4:IP4(GRESILLE) a:NAME(LAUTRENET_SPF) -all"
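Review bot: `LAUTRENET_SPF_NAME` on L28 is defined without the trailing dot that the sibling `LAUTRENET_MX_NAME`/`LAUTRENET_MX2_NAME` defines carry. Inside the SPF strings on L35-36 this is harmless, since SPF domain-specs are absolute, but if `NAME(LAUTRENET_SPF)` is ever used as RDATA in a zone record the bare name would be completed with the zone origin; either write `mx1a.lautre.net.` for consistency or add `# no trailing dot: only used inside SPF strings` next to the define. This assumes the `NAME()`/`IP4()` macros expand to `<arg>_NAME`/`<arg>_IP4`, which the hunk does not show. Keeping the `SPF` RR on L35 in sync with the TXT copy is fine, but RFC 7208 deprecated that record type, so receivers consult only the TXT on L36.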
; ENREGISTREMENTS « SRV » (SeRVice)
_git._tcp.git 18000 IN SRV 0 0 9418 git
; ENREGISTREMENTS « SSHFP » (Secure SHell FingerPrint)
-esyscmd(sudo ssh-keygen -r $(hostname))
+esyscmd(sudo ssh-keygen -r @)
root: esyscmd(getent group sudo | cut -f 4 -d : | tr '\054' ' ')
#-- SYMPA begin
-abuse-feedback-report: "| /usr/lib/sympa/bin/bouncequeue sympa@heureux-cyclage.org"
-bounce+*: "| /usr/lib/sympa/bin/bouncequeue sympa@heureux-cyclage.org"
-listmaster: "| /usr/lib/sympa/bin/queue listmaster@heureux-cyclage.org"
-sympa: "| /usr/lib/sympa/bin/queue sympa@heureux-cyclage.org"
-sympa-owner: postmaster@heureux-cyclage.org
-sympa-request: postmaster@heureux-cyclage.org
+sympa-owner: postmaster
+sympa-request: postmaster
+
+abuse-feedback-report: "| /usr/lib/sympa/bin/bouncequeue sympa@VM_DOMAINNAME"
+bounce+*: "| /usr/lib/sympa/bin/bouncequeue sympa@VM_DOMAINNAME"
+listmaster: "| /usr/lib/sympa/bin/queue listmaster@VM_DOMAINNAME"
+sympa: "| /usr/lib/sympa/bin/queue sympa@VM_DOMAINNAME"
# NOTE: compatibilité avec d'autres gestionnaires de listes
listserv: sympa
listserv-request: sympa-request
majordomo: sympa
listserv-owner: sympa-owner
+
#-- SYMPA end
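Review bot: The re-added `| /usr/lib/sympa/bin/...` commands on L53-56 now deliver through the aliases file rather than the master.cf pipe services, which this same commit comments out, so they run as Postfix's `default_privs` user instead of `user=sympa` unless `queue`/`bouncequeue` are setuid sympa; confirm which holds on this host and record it, e.g. `# NOTE: runs as default_privs; queue/bouncequeue are setuid sympa`. `bounce+*:` on L54 is a literal key — Postfix aliases have no wildcards — so, as far as I can tell, a `bounce+xyz` recipient falls back to a `bounce` alias that is not defined here; this was already true before the change, but the line is being rewritten, so it is the moment to fix or comment it.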
relay_clientcerts = hash:/etc/postfix/$mydomain/smtpd/relay_clientcerts
relay_domains =
$mydestination
- sympa.$mydomain
# NOTE: ajouter les domaines pour lesquels on est backup MX ici, pas dans mydestination ou virtual_alias...
smtp_body_checks =
#smtp_cname_overrides_servername = no
permit
smtpd_starttls_timeout = 300s
#smtpd_tls_always_issue_session_ids = yes
-smtpd_tls_CAfile = /etc/postfix/$mydomain/x509/smtpd/ca/crt.pem
-smtpd_tls_CApath = /etc/postfix/$mydomain/x509/smtpd/ca/
+smtpd_tls_CAfile = /etc/postfix/$mydomain/smtpd/x509/ca/crt.pem
+smtpd_tls_CApath = /etc/postfix/$mydomain/smtpd/x509/ca/
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = yes
# NOTE: pas d'AUTH SASL sans TLS
smtpd_tls_ccert_verifydepth = 5
-smtpd_tls_cert_file = /etc/postfix/$mydomain/x509/smtpd/crt+crl.self-signed.pem
+smtpd_tls_cert_file = /etc/postfix/$mydomain/smtpd/x509/crt+crl.self-signed.pem
smtpd_tls_ciphers = high
smtpd_tls_fingerprint_digest = sha512
-smtpd_tls_key_file = /etc/postfix/$mydomain/x509/smtpd/key.pem
+smtpd_tls_key_file = /etc/postfix/$mydomain/smtpd/x509/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = TLSv1
# NOTE: non-blocking
transport_maps =
hash:/etc/postfix/$mydomain/transport
- #regexp:/etc/sympa/transport
+ regexp:/etc/sympa/transport
#virtual_alias_domains =
virtual_alias_maps =
hash:/etc/postfix/$mydomain/virtual_alias
- #regexp:/etc/sympa/virtual_alias
+ regexp:/etc/sympa/virtual_alias
# NOTE: do not specify virtual alias domain names in the main.cf
# mydestination or relay_domains configuration parameters.
#
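Review bot: `regexp:/etc/sympa/transport` on L95 is enabled while the `sympa`/`sympabounce` pipe services it would route to are commented out in master.cf in this same commit, so any entry later uncommented in that map will bounce with "mail transport unavailable". A pointer next to it would prevent that: `# targets the sympa/sympabounce services in master.cf (currently disabled) -- keep both in sync`. Both regexp maps (L95, L100) are installed 640 `"$sv":sympa` by the install script, and the Postfix daemons open them as the unprivileged `postfix` user, so this only works if `$sv` is `postfix` there; since the failure shows up only at lookup time, that assumption deserves a comment in the install script.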
user=policyd-spf argv=/usr/sbin/postfix-policyd-spf-perl
noclue unix - n n - - pipe
flags=q user=noclue argv=/usr/local/bin/noclue-delivery ${recipient} ${sender}
-sympa unix - n n - - pipe
- flags=R user=sympa argv=/usr/lib/sympa/bin/queue ${recipient}
-sympabounce unix - n n - - pipe
- flags=R user=sympa argv=/usr/lib/sympa/bin/bouncequeue ${recipient}
+#-- SYMPA begin
+#sympa unix - n n - - pipe
+# flags=R user=sympa argv=/usr/lib/sympa/bin/queue ${recipient}
+#sympabounce unix - n n - - pipe
+# flags=R user=sympa argv=/usr/lib/sympa/bin/bouncequeue ${recipient}
+#-- SYMPA end
IMAPS(ACCEPT) net $FW
Managesieve(ACCEPT) net $FW
Mosh(ACCEPT) net $FW
-SMTP(ACCEPT) net $FW
Ping(ACCEPT) net $FW
-Limit(SSH,10,60):info net $FW tcp ssh
+SMTP(ACCEPT) net $FW
+SMTPS(ACCEPT) net $FW
SSH(ACCEPT) net $FW
+Limit(SSH,10,60):info net $FW tcp ssh
Submission(ACCEPT) net $FW
Limit(Submission,10,60):info net $FW tcp submission
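Review bot: Moving `SSH(ACCEPT) net $FW` (L125) above `Limit(SSH,10,60):info net $FW tcp ssh` (L126) makes the rate limit dead: Shorewall evaluates rules in order and, as far as I understand the Limit action, it only drops and logs connections that exceed the count while letting the rest fall through, so a preceding ACCEPT takes every ssh connection before the limit is consulted. The old order (L122 before L125) was the effective one; swap L125 and L126 back. `Submission(ACCEPT)`/`Limit(Submission,10,60)` on L127-128 already have this ineffective order and should be swapped as well.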
HTTPS(ACCEPT) $FW net
NTP(ACCEPT) $FW net
SMTP(ACCEPT) $FW net
+SMTPS(ACCEPT) $FW net
SSH(ACCEPT) $FW net
-rule runit_sv_configure php5-fpm "$@"
-rule runit_sv_restart php5-fpm "$@"
+rule runit_sv_configure php5-fpm '*'
+rule runit_sv_restart php5-fpm
rule apt_get_install nginx spawn-fcgi fcgiwrap
rule insserv_remove nginx
rule insserv_remove fcgiwrap
exec 2>&1
sv=${PWD#/etc/sv/}
-! nsdc running ||
-pkill -TERM -F /run/nsd3.pid
-rm -f /run/nsd3.pid
+install -d -m 770 -o nsd -g nsd \
+ /run/nsd3
+
+pkill -TERM -F /run/nsd3/nsd.pid || true
+rm -f /run/nsd3/nsd.pid
# XXX: sv reload ou nsdc reload envoient SIGHUP à nsd
# ce qui le détache de runsv et du coup il n'est plus suivi..
# comme on ne peut pas se rattacher à un processus,
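Review bot: `pkill -TERM -F /run/nsd3/nsd.pid` on L149 presumably runs as root (runit run script) but reads the pid from a file in a directory created 770 nsd:nsd on L146-147, so a process running as nsd can write any pid there and have root deliver SIGTERM to it. Restricting the match to the service's own user is cheap: `pkill -u nsd -TERM -F /run/nsd3/nsd.pid || true`. The `|| true` also hides a malformed or missing pid file; acceptable in a run script, but say so with `# pidfile may be stale or absent after an unclean stop` above the line.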
sudo install -m 440 -o php5 -g php5 \
"$tool"/etc/php5/fpm/php-fpm.conf \
/etc/php5/fpm/php-fpm.conf
+sudo install -m 664 -o php5 -g php5 \
+ "$tool"/etc/php5/fpm/php.ini \
+ /etc/php5/fpm/php.ini
for conf in $(find "$tool"/etc/php5/fpm/conf.d \
-mindepth 1 -maxdepth 1 -type f \
-name '*.conf' \
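Review bot: php.ini is installed 664 php5:php5 on L157 while php-fpm.conf right above it is 440 (L154); a group-writable php.ini lets any member of group php5 — which the pool users `${pool}__php5` created below may be — change interpreter settings such as `disable_functions` or `open_basedir` for every pool. The interpreter only needs to read it, so `-m 444` (or 440 if only the php5 group should see it) would match the sibling file. If the write bit is intentional, add `# 664: edited in place by <who> — keep writable` naming the writer.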
user = ${pool}__php5
$(cat "$tool"/etc/php5/fpm/pool.d/"$conf")
EOF
- sudo install -m 664 -o php5 -g php5 \
- "$tool"/etc/php5/fpm/php.ini \
- /etc/php5/fpm/php.ini
done
local hint="run vm_remote postfix_key_send before"
-assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
+assert "sudo test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
#warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
sudo debconf-set-selections <<-EOF
postfix postfix/main_mailer_type select No configuration
EOF
-#rule apt_get_install postfix procmail
+rule apt_get_install postfix procmail postfix-pcre
rule insserv_remove postfix
sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
*.db
sudo install -m 640 -o root -g root \
"$tool"/etc/postfix/$vm_domainname/header_checks \
/etc/postfix/$vm_domainname/header_checks
-m4 <"$tool"/etc/postfix/aliases.m4 |
+m4 \
+ --define=VM_DOMAINNAME="$vm_domainname" \
+ <"$tool"/etc/postfix/aliases.m4 |
sudo install -m 644 -o root -g root /dev/stdin \
/etc/postfix/aliases
sudo newaliases -oA/etc/postfix/aliases
sudo install -m 660 -o root -g root \
"$tool"/etc/skel/etc/mail/delivery.procmailrc \
/etc/skel/etc/mail/delivery.procmailrc
+#-- SYMPA begin
+sudo install -d -m 755 -o root -g root \
+ /etc/sympa
+#sudo -u sympa newaliases -oA/etc/mail/sympa/aliases
+sudo install -m 640 -o "$sv" -g sympa \
+ "$tool"/etc/sympa/transport \
+ /etc/sympa/transport
+sudo install -m 640 -o "$sv" -g sympa \
+ "$tool"/etc/sympa/virtual_alias \
+ /etc/sympa/virtual_alias
+#-- SYMPA end
sudo install -m 644 -o root -g root \
/dev/stdin \
/etc/sympa/.gitignore <<-EOF
- cookie
key_passwd
EOF
m4 \
"$tool"/etc/sympa/sympa.conf.m4 |
sudo install -m 640 -o "$sv" -g "$sv" /dev/stdin \
/etc/sympa/sympa.conf
+sudo install -m 644 -o "$sv" -g "$sv" /dev/stdin \
+ /etc/sympa/facility <<-EOF
+ mail
+ EOF
+
+for host in $(find "$tool"/etc/sympa/host.d \
+ -mindepth 1 -maxdepth 1 -type d \
+ -printf '%f\n')
+ do
+ sudo install -d -m 770 -o "$sv" -g "$sv" \
+ /etc/sympa/"$host"
+ m4 \
+ --define=HOST="$host" \
+ "$tool"/etc/sympa/host.d/"$host"/robot.conf.m4 |
+ sudo install -m 440 -o "$sv" -g "$sv" /dev/stdin \
+ /etc/sympa/"$host"/robot.conf
+ sudo install -d -m 770 -o "$sv" -g "$sv" \
+ "$home"/list_data/"$host"
+ done
sudo debconf-set-selections <<-EOF || true
sympa sympa/app-password-confirm password
sympa sympa/dbconfig-install boolean true
# Nom d'hôte du serveur pour sympa :
sympa sympa/remote/newhost string
- sympa sympa/listmaster string listmaster@$vm_domainname
+ sympa sympa/listmaster string postmaster@$vm_domainname
sympa wwsympa/wwsympa_url string https://$sv.$vm_domainname/wws
sympa wwsympa/webserver_restart boolean false
sympa sympa/remote/port string
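Review bot: Dropping `cookie` from /etc/sympa/.gitignore on L209 means that file becomes tracked if /etc is under version control, which the .gitignore files installed by this script suggest; if it still holds Sympa's cookie secret it should stay ignored alongside `key_passwd`, or the removal should be commented with where the secret now lives (sympa.conf, installed 640 on L214, would be the natural place). `"$home"` on L233 is used without being set anywhere in the hunk — confirm the caller defines it, since an empty value would create `/list_data/<host>` at the filesystem root. `/etc/sympa/facility` is installed 644 (L216) while its siblings are 640/440; if it only holds the syslog facility name that is fine, but `# syslog facility, not sensitive` would save the next reader the question.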
-n \
-s /run/spawn-fcgi/"$sv" \
-- /usr/bin/multiwatch \
- --forks 3 \
+ --forks 1 \
-- /usr/lib/cgi-bin/sympa/wwsympa.fcgi
--- /dev/null
+host HOST
+http_host sympa.HOST
+wwsympa_url https://sympa.HOST
-changequote(,)
+changequote(,)dnl
###\\\\ Directories and file location ////###
etc /etc/sympa
home HOME/list_data
-http_host https://VM_DOMAINNAME
pidfile /run/sympa/sympa.pid
pidfile_bulk /run/sympa/bulk.pid
pidfile_creation /run/sympa/sympa-creation.pid
###\\\\ General definition ////###
create_list public_listmaster
-domain sympa.VM_DOMAINNAME
+domain VM_DOMAINNAME
edit_list owner
email sympa
-listmaster listmaster@VM_DOMAINNAME
+#host VM_DOMAINNAME
+#http_host sympa.VM_DOMAINNAME
+listmaster esyscmd(getent passwd $(getent group sudo | cut -d : -f 4 | tr '\054' ' ') |
+ cut -d : -f 5 | cut -d $(printf '\054') -f 5 | tr '\n' '\054' | sed -e 's/\x2C$//')
###\\\\ Tuning ////###
bulk_fork_threshold 1
max_wrong_password 19
soap_url http://--HOST--/sympasoap
spam_status x-spam-status
-wwsympa_url https://sympa.VM_DOMAINNAME/wws
+#wwsympa_url https://sympa.VM_DOMAINNAME
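Review bot: The `listmaster` value on L273-274 is assembled at m4 time from the fifth comma-separated GECOS field of every member of group sudo; any member whose field is empty or not an address yields a bad element (`a@x,,b@y`), and Sympa will only complain at runtime. At minimum state the convention next to it: `# listmaster = GECOS 'other' field of each sudo group member; must hold an e-mail address`; filtering out empty fields in the pipeline (e.g. a `grep -v '^$'` before the `tr`) would make it robust. `changequote(,)dnl` on L256 disables m4 quoting for the whole file, which is what lets the `'` characters inside the esyscmd pass through literally — intended, but worth a one-line comment beside it. The trailing context after L281 is not visible, so the file may continue.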
-/^.*+owner\@sympa\.heureux-cyclage\.org$/ sympabounce:
-/^.*\@sympa\.heureux-cyclage\.org$/ sympa:
+#/^.*+owner\@heureux-cyclage\.org$/ sympabounce:
+#/^.*\@heureux-cyclage\.org$/ sympa:
-/^(.*)-owner\@heureux-cyclage\.org$/ $1+owner@heureux-cyclage.org
+#/^(.*)-owner\@heureux-cyclage\.org$/ $1+owner@heureux-cyclage.org
-changequote(,)
+changequote(,)dnl
###\\\\ Directories and file location ////###
archived_pidfile /run/sympa/archived.pid
bounced_pidfile /run/sympa/bounced.pid
sudo install -m 640 -o root -g root /dev/stdin \
/etc/network/interfaces
}
-rule_runit_configure () { # SYNTAX: $sv
+rule_runit_configure () { # SYNTAX: $sv -- $configure_options
#rule apt_get_install runit
if test $# = 0
then