# Shell options for the whole script: -e exits on the first failing command,
# -f disables pathname expansion (globbing) and -u makes expanding an unset
# variable an error. -n (read commands without executing them) is added only
# when DRY_RUN is set and non-empty.
2 set -e -f ${DRY_RUN:+-n} -u
9 DESCRIPTION: ce script regroupe des fonctions utilitaires
10 pour gérer la VM des ateliers _depuis_ la VM hébergée ;
11 il sert à la fois d'outil et de documentation.
12 Voir \`$tool/ateliers_host' pour les utilitaires côté machine hôte.
13 SYNTAX: $0 \$RULE \${RULE}_SYNTAX
15 $(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$tool"/env.sh "$0")
17 TRACE # affiche les commandes avant leur exécution
18 $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/env.sh "$0")
# Appends two memory-management settings to /etc/sysctl.conf through mk_reg,
# a helper defined outside this listing (mod= and own= are passed empty here).
# NOTE(review): no guard precedes this --append, unlike the grep check used
# before the /etc/hosts append, so re-running the rule presumably duplicates
# the two lines — confirm against mk_reg.
22 rule_filesystem_init
() {
23 mk_reg mod
= own
= --append /etc
/sysctl.conf
<<-EOF
24 vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité
25 vm.vfs_cache_pressure=50
28 rule_shell_source
() {
# Sets up the VM's network identity. The statements visible after this header
# write /etc/hostname, /etc/hosts and /etc/network/interfaces through mk_reg
# (helper defined outside this listing). The heredoc body for /etc/hostname is
# not visible here.
31 rule_network_init
() {
32 mk_reg mod
= own
= /etc
/hostname
<<-EOF
# Adds a loopback entry for this VM to /etc/hosts only when no existing line
# ends in " $vm"; the grep guard keeps the --append from duplicating the entry.
# $vm is used as a regular expression here, so a "." in the name matches any
# character (harmless for a presence check, but not an exact match).
35 grep -q " $vm\$" /etc
/hosts ||
36 mk_reg mod
= own
= --append /etc
/hosts
<<-EOF
37 127.0.0.1 $vm_fqdn $vm
# Writes /etc/network/interfaces with a loopback stanza and a static stanza for
# the interface named "grenode". $vm_ipv4 is expanded when the file is
# generated, while \$IFACE is escaped so that it reaches the file as a literal
# $IFACE for ifupdown to expand. The gateway is set to the VM's own address with
# a /32 netmask; the inline note says this relies on proxy_arp on the gateway.
39 mk_reg mod
= own
= /etc
/network
/interfaces
<<-EOF
41 iface lo inet loopback
44 iface grenode inet static
46 gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
49 netmask 255.255.255.255
50 mtu 1300 # TODO: voir si c'est nécessaire à Lyon
51 up ip address add $vm_ipv4/32 dev \$IFACE
52 down ip address delete $vm_ipv4/32 dev \$IFACE
# Writes /etc/apt/sources.list: the main Debian archive for release
# $vm_lsb_name with the contrib and non-free components enabled.
# The mirror is reached over plain HTTP, so package authenticity rests entirely
# on APT's signature verification of the archive metadata.
56 mk_reg mod
= own
= /etc
/apt
/sources.list
<<-EOF
57 deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
# Adds a third-party source: OpenERP nightly builds, declared as a flat
# repository ("./") and fetched over plain HTTP.
# NOTE(review): no signing-key import and no pin for this origin are visible in
# this listing. Confirm that APT verifies this repository's signatures, and
# consider pinning the origin so it can only supply the OpenERP packages and
# cannot supersede packages from the Debian archive.
59 mk_reg mod
= own
= /etc
/apt
/sources.list.d
/openerp.list
<<-EOF
60 deb http://nightly.openerp.com/trunk/nightly/deb/ ./
# Adds the backports archive for the same release in its own sources.list.d
# file (named after $vm_lsb_name). Like the main archive it is fetched over
# plain HTTP, so authenticity depends on APT's signature checks.
62 mk_reg mod
= own
= /etc
/apt
/sources.list.d
/$vm_lsb_name-backports.list
<<-EOF
63 deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
# Writes /etc/apt/preferences with one pin stanza matching the release archive
# (a=$vm_lsb_name) and one matching its backports archive.
# The Package: and Pin-Priority: lines are not visible in this listing, so the
# resulting priorities cannot be stated from here.
65 mk_reg mod
= own
= /etc
/apt
/preferences
<<-EOF
67 Pin: release a=$vm_lsb_name
71 Pin: release a=$vm_lsb_name-backports
# Writes /etc/fstab. /, /var, /home and swap are mounted from device-mapper
# targets named ${vm}_*_deciphered, the names this script gives the opened
# LUKS volumes in /etc/crypttab. /tmp is a 200 MB tmpfs mounted nosuid,nodev.
# NOTE(review): /var and /home carry neither nosuid nor nodev, and /tmp has no
# noexec; consider adding them where nothing on the VM depends on their absence.
# NOTE(review): the usual spelling of the fstab option is "noauto"; confirm
# that "no-auto" on the /boot line is accepted by mount.
76 mk_reg mod
= own
= /etc
/fstab
<<-EOF
77 # <file system> <mount point> <type> <options> <dump> <pass>
78 LABEL=boot /boot ext2 defaults,no-auto 0 0
79 proc /proc proc defaults 0 0
80 sysfs /sys sysfs defaults 0 0
81 tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
82 /dev/mapper/${vm}_root_deciphered / ext4 defaults,errors=remount-ro,acl,noatime 0 1
83 /dev/mapper/${vm}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,noatime 0 1
84 /dev/mapper/${vm}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,noatime,usrquota,grpquota 0 0
85 /dev/mapper/${vm}_swap_deciphered swap swap sw 0 0
# Writes /etc/crypttab. Only the root volume names its own key material (third
# field); var, swap and home use keyscript=decrypt_derived with the opened root
# mapping as key source, so their keys are derived from the root volume's key.
# For threat modelling: disclosure of the root volume's key exposes all four
# volumes, and the derived volumes cannot be opened before root is unlocked.
# NOTE(review): the root entry's key field is "${vm}_root" rather than "none"
# or a path — confirm how it is meant to be resolved at boot.
87 mk_reg mod
= own
= /etc
/crypttab
<<-EOF
88 # <target name> <source device> <key file> <options>
89 ${vm}_root_deciphered LABEL=${vm}_root ${vm}_root luks
90 ${vm}_var_deciphered LABEL=${vm}_var ${vm}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
91 ${vm}_swap_deciphered LABEL=${vm}_swap ${vm}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
92 ${vm}_home_deciphered LABEL=${vm}_home ${vm}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
# Writes /etc/initramfs-tools/modules. The module list itself (the heredoc
# body) is not visible in this listing.
94 mk_reg mod
= own
= /etc
/initramfs-tools
/modules
<<-EOF
# Appends the kernel command line to /etc/default/grub: console on hvc0, ext4
# root, and resume= pointing at the dm-crypt swap mapping, so a hibernation
# image would be written to the LUKS-backed swap volume.
# NOTE(review): no guard precedes this --append, so re-running the rule
# presumably adds a second GRUB_CMDLINE_LINUX line — confirm against mk_reg.
102 mk_reg mod
= own
= --append /etc
/default
/grub
<<-EOF
103 GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 resume=/dev/mapper/${vm}_swap_deciphered"
# Sets up an administrator account: adds "$admin" to group sudo and installs
# the public key "$tool"/key/"$admin".ssh.pub as "$home"/etc/ssh/authorized_keys
# with mode 0400, owned by the admin. $admin and $home are assigned on lines
# that are not visible in this listing.
# Membership of group sudo also grants the NOPASSWD rules this script writes
# under /etc/sudoers.d.
# NOTE(review): as shown, `! id "$admin" || adduser "$admin"` runs adduser only
# when id succeeds, i.e. when the account already exists; the test looks
# inverted — confirm against the complete script.
106 rule_user_admin_add
() { # SYNTAX: <name>
108 ! id
"$admin" || adduser
"$admin"
110 adduser
"$admin" sudo
111 mk_reg mod
=0400 own
="$admin:$admin" "$home"/etc
/ssh
/authorized_keys
<"$tool"/key
/"$admin".
ssh.pub
# Prepares the per-user mail layout in the account skeleton: etc/procmail,
# var/mail and var/cache/procmail are created under /etc/skel with mode 0770
# and owner root:adm. The statements visible after these three write the
# procmail recipe and the Postfix, Dovecot and Postgrey configuration files.
113 rule_user_mail_format
() {
114 mk_dir mod
=0770 own
=root
:adm
/etc
/skel
/etc
/procmail
115 mk_dir mod
=0770 own
=root
:adm
/etc
/skel
/var
/mail
116 mk_dir mod
=0770 own
=root
:adm
/etc
/skel
/var
/cache
/procmail
# Writes the procmail recipe file shipped in the skeleton (mode 0660,
# root:adm). "\$" in the heredoc keeps variables literal so that they are
# expanded at delivery time rather than when this script runs.
# Review points for the recipe that follows:
#  - FROM_ is read from the message's envelope "From " line, so its value is
#    chosen by the sender; it is used only as the quoted argument of -f.
#  - EMAIL is looked up in the GECOS field of /etc/passwd, with $USER
#    interpolated into the sed pattern.
#  - the forwarding line uses ${EMAIL/@/...} substitution, which plain POSIX sh
#    does not provide — confirm which shell procmail runs the command with.
117 mk_reg mod
=0660 own
=root
:adm
/etc
/skel
/etc
/procmail
/delivery.rc
<<-EOF
120 # NOTE: paramètres passés par postfix
126 ORIGINAL_RECIPIENT=\$6
128 PATH="\$HOME/bin:/usr/local/bin:/usr/bin:/bin"
129 MAILDIR="\$HOME/var/mail/"
131 #LOGFILE=`cd="\$HOME/var/log/procmail/" d=\$(date +"%Y-%m-%d"); ln -fns "\$d.log" "\$cd/current.log"; printf %s "\$cd/\$d.log"`
137 SHELLMETAS=&|<>~;?*%{}
139 # DESCRIPTION: supprime les doublons en fonction du champ Message-Id
140 #:0 Wh: "\$HOME/var/cache/procmail/msgid\$LOCKEXT"
141 #| formail -D 8192 "\$HOME/var/cache/procmail/msgid"
143 # DESCRIPTION: fait suivre à l'adresse configurée dans /etc/passwd ; on peut aussi utiliser ~/.forward
144 EMAIL=`sed /etc/passwd -ne "/^\$USER:/s/[^:]*:[^:]*:[^:]*:[^:]*:[^,]*,[^,]*,[^,]*,[^,]*,\([^:]*\):.*/\1/p"`
145 # NOTE: récupère l’adresse courriel dans le champ GECOS
146 FROM_=`formail -c -x "From " | sed -e 's/^\s*\([^ \t]*\).*/\1/g'`
147 # NOTE: récupère l’expéditeur inscrit sur l’enveloppe
149 | \$SENDMAIL -i -bm -f "\$FROM_" "\${EMAIL/@/\${EXTENSION:++\${EXTENSION}}@}"
153 #| /usr/lib/dovecot/deliver -f "\$SENDER" -a "\$RECIPIENT"
158 # -I "\$HOME/etc/uucp/uucp.cfg" \
160 # --notification=error \
161 # --requestor "\$USER" \
162 # - "\$USER!rmail" "(\$USER)"
# Writes /etc/postfix/main.cf (mode 0664, root:root). "\$" keeps Postfix's own
# $parameter references literal; $vm_domainname and $vm_hostname are expanded
# when the file is generated.
# Review points for the settings in the heredoc that follows:
#  - smtpd_discard_ehlo_keywords = starttls hides STARTTLS from clients while
#    smtpd_tls_auth_only = yes refuses AUTH without TLS; unless master.cf (not
#    shown) overrides this per service, clients have no advertised way to
#    reach TLS or to authenticate.
#  - smtpd_tls_mandatory_protocols = TLSv1 allows only TLS 1.0 where TLS is
#    mandatory; current practice is to exclude old versions instead, e.g.
#    "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1".
#  - smtp_tls_fingerprint_digest / smtpd_tls_fingerprint_digest = sha1: the
#    certificate fingerprints matched by the relay_clientcerts table and
#    permit_tls_clientcerts are SHA-1; prefer sha256 where the installed
#    Postfix supports it.
#  - smtpd_tls_ask_ccert = no: client certificates are never requested, so
#    permit_tls_clientcerts cannot match unless another service definition
#    asks for them.
#  - smtpd_authorized_xclient_hosts = 127.0.0.1 lets local processes override
#    client attributes via XCLIENT; the inline note says it is for testing, so
#    drop it outside test setups.
#  - outbound TLS is opportunistic (smtp_tls_security_level = may) except
#    where the smtp_tls_policy_maps table says otherwise.
164 mk_reg mod
=0664 own
=root
:root
/etc
/postfix
/main.cf
<<-EOF
165 # /etc/postfix/main.cf
166 # SEE: http://postfix.traduc.org/index.php/TLS_README.html
168 parent_domain_matches_subdomains =
172 #permit_mx_backup_networks
173 #qmqpd_authorized_clients
175 mydomain = $vm_domainname
176 myorigin = \$mydomain
177 myhostname = $vm_hostname.\$mydomain
178 mail_name = \$myhostname
186 inet_protocols = ipv4
187 # "all" to activate IPv6
188 inet_interfaces = all
189 permit_mx_backup_networks =
193 # NOTE: fichier de hash contenant une table d’alias mail.
194 # Celle-ci est éditable dans /etc/aliases, puis (indispensable)
195 # regénérée en hash grâce à la commande newaliases qui produit /etc/aliases.db
198 recipient_delimiter = +
199 # NOTE: séparateur entre le nom d’utilisateur
200 # et les extensions d’adresse (par défaut le signe +).
201 #virtual_alias_domains =
203 hash:/etc/postfix/\$mydomain/virtual
204 # NOTE: do not specify virtual alias domain names in the main.cf
205 # mydestination or relay_domains configuration parameters.
207 # With a virtual alias domain, the Postfix SMTP server
208 # accepts mail for known-user@virtual-alias.domain, and
209 # rejects mail for unknown-user@virtual-alias.domain as
213 hash:/etc/postfix/\$mydomain/smtpd/tls/relay_clientcerts
216 # NOTE: ajouter les domaines pour lesquels on est backup MX ici,
217 # pas dans mydestination ou virtual_alias...
219 maximal_queue_lifetime = 5d
222 regexp:/etc/postfix/\$mydomain/header_checks
224 nested_header_checks =
225 milter_header_checks =
228 #content_filter = amavisfeed:[127.0.0.1]:10024
229 #receive_override_options = no_address_mappings
230 # no_unknown_recipient_checks
231 # Do not try to reject unknown recipients (SMTP server only).
232 # This is typically specified AFTER an external content filter.
233 # no_address_mappings
234 # Disable canonical address mapping, virtual alias map expansion,
235 # address masquerading, and automatic BCC (blind carbon-copy) recipients.
236 # This is typically specified BEFORE an external content filter (eg. amavis).
237 # no_header_body_checks
238 # Disable header/body_checks. This is typically specified AFTER an external content filter.
240 # Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
241 #local_header_rewrite_clients =
243 hash:/etc/postfix/\$mydomain/transport_maps
245 /usr/bin/procmail -t -a "\$SENDER" -a "\$RECIPIENT" -a "\$USER" -a "\$EXTENSION" -a "\$DOMAIN" -a "\$ORIGINAL_RECIPIENT" "\$HOME/etc/procmail/delivery.rc"
246 mailbox_size_limit = 0
248 # Activer la notification en cas de réception de nouveaux e-mails dans la console (yes / no).
249 append_dot_mydomain = no
250 # appending .domain is the MUA's job.
255 #tls_random_reseed_period = 3600s
256 #tls_random_exchange_name =
257 # \${data_directory}/prng_exch
258 # NOTE: à ne pas mettre dans la cage chroot
259 #tls_random_bytes = 32
260 #tls_random_prng_update_period = 3600s
261 #tls_high_cipherlist = AES256-SHA
262 # NOTE: postconf(5) déconseille de changer ceci
264 #smtp_cname_overrides_servername = no
265 smtp_connect_timeout = 60s
266 #smtp_tls_CAfile = /etc/postfix/\$mydomain/smtp/tls/ca/crt.pem
267 #smtp_tls_CApath = /etc/postfix/\$mydomain/smtp/tls/ca/
268 #smtp_tls_cert_file = /etc/postfix/\$mydomain/smtp/tls/crt.pem
269 #smtp_tls_key_file = /etc/postfix/\$mydomain/smtp/tls/key.pem
270 #smtp_tls_per_site = hash:/etc/postfix/\$mydomain/smtp/tls/per_site
271 # NOTE: déprécié en faveur de smtp_tls_policy_maps
272 smtp_tls_policy_maps = hash:/etc/postfix/\$mydomain/smtp/tls/policy
273 smtp_tls_fingerprint_digest = sha1
274 smtp_tls_scert_verifydepth = 5
275 #smtp_tls_secure_cert_match = nexthop, dot-nexthop
276 #smtp_tls_verify_cert_match = hostname
277 #smtp_tls_note_starttls_offer = yes
278 smtp_tls_loglevel = 1
279 smtp_tls_protocols = !SSLv2, !SSLv3
281 smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
282 #smtp_tls_session_cache_timeout = 3600s
283 smtp_tls_security_level = may
284 smtp_header_checks = regexp:/etc/postfix/\$mydomain/smtp/header_checks
286 smtp_mime_header_checks =
287 smtp_nested_header_checks =
289 smtpd_starttls_timeout = 300s
291 \$myhostname ESMTP \$mail_name (Debian/GNU)
294 smtpd_helo_required = yes
295 strict_rfc821_envelopes = yes
296 smtpd_authorized_xclient_hosts = 127.0.0.1
297 # NOTE: utile pour tester les restrictions
299 smtpd_helo_restrictions =
300 reject_invalid_helo_hostname
301 reject_non_fqdn_helo_hostname
302 #reject_unknown_helo_hostname
303 # NOTE: pourrait pourtant être utile pour lutter contre le spam
306 smtpd_sender_restrictions =
308 permit_tls_clientcerts
309 permit_sasl_authenticated
310 check_sender_access hash:/etc/postfix/\$mydomain/smtpd/sender_access
311 check_sender_access hash:/etc/postfix/sender_blacklist
312 reject_unauth_pipelining
313 reject_non_fqdn_sender
314 #reject_unknown_sender_domain
318 smtpd_client_new_tls_session_rate_limit = 0
319 smtpd_client_event_limit_exceptions = \$mynetworks
320 smtpd_client_recipient_rate_limit = 0
321 smtpd_client_connection_count_limit = 50
322 smtpd_client_connection_rate_limit = 0
323 smtpd_client_message_rate_limit = 0
324 smtpd_client_port_logging = no
326 smtpd_client_restrictions =
327 check_client_access hash:/etc/postfix/client_blacklist
329 policy_time_limit = 3600
330 default_extra_recipient_limit = 5000
331 duplicate_filter_limit = 5000
332 smtpd_recipient_limit = 5000
333 smtpd_recipient_overshoot_limit = 5000
334 smtpd_recipient_restrictions =
335 reject_non_fqdn_recipient
336 #reject_invalid_hostname
337 # NOTE: postfix < 2.3. voir reject_invalid_helo_hostname
338 # dans smtpd_helo_restrictions
339 reject_unknown_recipient_domain
340 #reject_non_fqdn_sender
341 # NOTE: dans smtpd_sender_restrictions
342 reject_unauth_pipelining
343 # NOTE: dans smtpd_client_restrictions ou smtpd_data_restrictions
345 permit_tls_clientcerts
346 permit_sasl_authenticated
347 reject_unauth_destination
348 # NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous
349 # ou quelqu'un pour lequel on tient lieu de backup_mx
350 check_policy_service inet:127.0.0.1:10023
351 # NOTE: Postgrey (greylisting)
352 check_policy_service unix:private/spfcheck
353 permit_auth_destination
354 # NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné
355 # (voir permit_auth_destination) ; sans doute redondant
357 #check_relay_domains <- removed from postfix
358 #reject_unknown_sender_domain
359 # aurait probablement été mieux dans smtpd_sender_restrictions
360 #reject_rbl_client bl.spamcop.net
361 #reject_rbl_client list.dsbl.org
362 #reject_rbl_client zen.spamhaus.org
363 #reject_rbl_client dnsbl.sorbs.net
365 smtpd_data_restrictions =
366 reject_unauth_pipelining
367 # NOTE: obliger le serveur en face à attendre qu'on lui aie dit OK
370 #smtpd_end_of_data_restrictions =
372 #smtpd_restriction_classes =
374 smtpd_error_sleep_time = 5
375 # NOTE: forcer quelqu'un qui nous embête à attendre cinq secondes.
378 smtpd_sasl_auth_enable = yes
379 smtpd_sasl_type = dovecot
380 smtpd_sasl_path = private/auth
381 smtpd_sasl_security_options = noanonymous
382 smtpd_sasl_domain = \$mydomain
385 smtpd_discard_ehlo_keywords = starttls
386 # NOTE: les clients mails tentant d'utiliser le chiffrement opportuniste
387 # se mangent une erreur en tentant un starttls
388 smtpd_tls_fingerprint_digest = sha1
390 smtpd_tls_mandatory_protocols = TLSv1
391 smtpd_tls_mandatory_ciphers = high
392 smtpd_tls_ciphers = high
393 # restrictif. s/high/medium/ ?
394 smtpd_tls_CAfile = /etc/postfix/\$mydomain/smtpd/tls/ca/crt+crl.slf.pem
395 smtpd_tls_CApath = /etc/postfix/\$mydomain/smtpd/tls/ca/
396 smtpd_tls_cert_file = /etc/postfix/\$mydomain/smtpd/tls/crt+crl.slf.pem
397 smtpd_tls_key_file = /etc/postfix/\$mydomain/smtpd/tls/key.pem
399 #smtpd_tls_received_header = no
400 smtpd_tls_session_cache_database =
401 btree:/var/lib/postfix/smtpd_tls_session_cache
402 #smtpd_tls_session_cache_timeout = 3600s
403 smtpd_tls_security_level = may
404 # Postfix 2.3 and later
406 # Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
407 # encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
408 # SMTP server. Instead, this option should be used only on dedicated servers.
409 smtpd_tls_loglevel = 1
410 smtpd_tls_ccert_verifydepth = 5
411 smtpd_tls_auth_only = yes
412 # Pas d'AUTH SASL sans TLS
413 smtpd_tls_ask_ccert = no
414 smtpd_tls_req_ccert = no
415 #smtpd_tls_always_issue_session_ids = yes
416 smtpd_peername_lookup = yes
417 # Nécessaire pour postgrey, etc
420 line_length_limit = 2048
422 message_size_limit = 20480000
423 #smtpd_enforce_tls # NOTE: obsolète
424 #smtpd_use_tls # NOTE: obsolète
425 #smtpd_tls_cipherlist # NOTE: obsolète
427 readme_directory = no
428 #delay_warning_time = 4h
429 # NOTE: uncomment the previous line to generate "delayed mail" warnings
430 #debug_peer_level = 4
431 #debug_peer_list = .\$myhostname
# Writes /etc/dovecot/dovecot.conf (mode 0664, root:root); only part of the
# file is visible in this listing.
# Review points:
#  - ssl_verify_client_cert = yes with auth_ssl_username_from_cert = yes:
#    client certificates are checked against ssl_ca and the login name is
#    taken from the certificate. Whether a valid certificate is required
#    depends on auth_ssl_require_client_cert, which is not visible here.
#  - ssl_cipher_list = AES256-SHA permits a single CBC/SHA-1 suite with RSA
#    key exchange: no forward secrecy and no AEAD. Widen it to a current
#    cipher list when the clients allow.
#  - ssl_ca and ssl_cert reference the same crt+crl.slf.pem file — presumably
#    a self-signed certificate bundled with its CRL; confirm.
#  - args = /home/%u/etc/dovecot/passwd places the credential file inside each
#    user's home; confirm its ownership and mode match who may edit it.
433 mk_reg mod
=0664 own
=root
:root
/etc
/dovecot
/dovecot.conf
<<-EOF
434 auth_ssl_username_from_cert = yes
436 log_timestamp = "%Y-%m-%d %H:%M:%S "
438 mail_location = maildir:~/var/mail
439 mail_privileged_group = mail
441 args = /home/%u/etc/dovecot/passwd
446 unix_listener /var/spool/postfix/private/auth {
453 ssl_ca = </etc/dovecot/imap/tls/crt+crl.slf.pem
454 ssl_cert = </etc/dovecot/imap/tls/crt+crl.slf.pem
455 ssl_cipher_list = AES256-SHA
456 ssl_key = </etc/dovecot/imap/tls/key.pem
457 ssl_verify_client_cert = yes
463 auth_socket_path = /var/run/dovecot/auth-master
464 hostname = $vm_domainname
465 info_log_path = /var/log/dovecot/lda/info.log
466 log_path = /var/log/dovecot/lda/error.log
468 postmaster_address = contact+dovecot+lda@$vm_domainname
# Writes /etc/postgrey/whitelist_recipients.local (mode 0664, root:root).
# Its content (the heredoc body) is not visible in this listing.
471 mk_reg mod
=0664 own
=root
:root
/etc
/postgrey
/whitelist_recipients.
local <<-EOF
# Installs the mail stack (postfix, postgrey, dovecot) with apt-get under sudo.
# No --yes flag is passed, so apt-get may ask for confirmation.
475 rule_mail_install
() {
476 sudo apt-get
install postfix postgrey dovecot
# Builds the directory skeleton for new accounts under /etc/skel, all owned
# root:adm: etc/ (0750), etc/apache2 and etc/ssh (0770), then var/, var/log,
# var/cache, var/cache/ssh and tmp (0700). mk_dir is a helper defined outside
# this listing.
# NOTE(review): the last two mk_dir statements are identical as shown (both
# create /etc/skel/tmp) — confirm whether one was meant to name another path.
478 rule_user_format
() {
479 mk_dir mod
=0750 own
="root:adm" /etc
/skel
/etc
480 mk_dir mod
=0770 own
="root:adm" /etc
/skel
/etc
/apache2
481 mk_dir mod
=0770 own
="root:adm" /etc
/skel
/etc
/ssh
482 mk_dir mod
=0700 own
="root:adm" /etc
/skel
/var
483 mk_dir mod
=0700 own
="root:adm" /etc
/skel
/var
/log
484 mk_dir mod
=0700 own
="root:adm" /etc
/skel
/var
/cache
485 mk_dir mod
=0700 own
="root:adm" /etc
/skel
/var
/cache
/ssh
486 mk_dir mod
=0700 own
="root:adm" /etc
/skel
/tmp
487 mk_dir mod
=0700 own
="root:adm" /etc
/skel
/tmp
# Writes /etc/ssh/sshd_config (mode 0664, root:root), binding sshd to $vm_ipv4.
# The visible settings allow public-key logins only (password,
# challenge-response, Kerberos, GSSAPI and host-based authentication are all
# "no") and read keys from %h/etc/ssh/authorized_keys instead of ~/.ssh.
# NOTE(review): RSAAuthentication, RhostsRSAAuthentication,
# KeyRegenerationInterval and UsePrivilegeSeparation are SSH-protocol-1-era or
# deprecated keywords that current OpenSSH releases no longer honour; only an
# RSA host key is visible. PermitRootLogin is not visible in this listing —
# confirm its value in the complete file.
488 mk_reg mod
=0664 own
=root
:root
/etc
/ssh
/sshd_config
<<-EOF
489 ListenAddress $vm_ipv4
494 HostKey /etc/ssh/ssh_host_rsa_key
495 UsePrivilegeSeparation yes
496 KeyRegenerationInterval 3600
503 RSAAuthentication yes
504 PubkeyAuthentication yes
505 AuthorizedKeysFile %h/etc/ssh/authorized_keys
507 RhostsRSAAuthentication no
508 HostbasedAuthentication no
509 IgnoreUserKnownHosts no
510 PermitEmptyPasswords no
511 ChallengeResponseAuthentication no
512 PasswordAuthentication no
513 KerberosAuthentication no
514 GSSAPIAuthentication no
521 ClientAliveInterval 0
523 Subsystem sftp /usr/lib/openssh/sftp-server
# Installs a sudoers drop-in (mode 0440, root:root) that lets members of group
# sudo run, without a password, one /bin/sh -c command line: it calls
# /usr/bin/passwd for $SUDO_USER when `passwd --status` reports that account
# as locked ("L"). In the heredoc "\$" yields a literal "$" and the trailing
# backslashes join the three lines into a single sudoers entry.
# NOTE(review): sudoers matches command arguments as one string in which "*"
# is a wildcard that also spans spaces, so the "*" inside the case pattern
# makes this rule match more command lines than the one written here. Safer:
# move the logic into a root-owned script, allow only that script's path with
# no arguments, and validate the drop-in with `visudo -c` before installing it.
# NOTE(review): the final $SUDO_USER is unquoted in the command line.
526 mk_reg mod
=0440 own
=root
:root
/etc
/sudoers.d
/passwd-init
<<-EOF
527 %sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \
528 case \$(/usr/bin/passwd --status "\$SUDO_USER") in \
529 ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
# Installs a sudoers drop-in (mode 0440, root:root): members of group sudo may
# run `/usr/sbin/etckeeper unclean` as any user without a password. The
# argument is fixed, so no other etckeeper subcommand is covered by this rule.
531 mk_reg mod
=0440 own
=root
:root
/etc
/sudoers.d
/etckeeper-unclean
<<-EOF
532 %sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
# Installs a sudoers drop-in (mode 0440, root:root) that sets env_keep, the
# list of environment variables sudo preserves. Only GIT_COMMITTER_EMAIL is
# visible in this listing; the other names are on lines not shown.
# NOTE(review): `env_keep =` replaces sudo's built-in list, whereas
# `env_keep +=` extends it — confirm that replacement is intended, and keep the
# list limited to variables that cannot influence how privileged commands run.
534 mk_reg mod
=0440 own
=root
:root
/etc
/sudoers.d
/env_keep
<<-EOF
535 Defaults env_keep = " \
540 GIT_COMMITTER_EMAIL \
# Installs /usr/local/sbin/passwd-init (mode 0555, root:root), a wrapper that
# runs through sudo the /bin/sh -c command line allowed by the
# /etc/sudoers.d/passwd-init drop-in: set a password for $SUDO_USER when
# `passwd --status` reports the account as locked ("L").
# The command line here has to keep matching that sudoers entry for the
# NOPASSWD rule to apply, so the two must be changed together.
543 mk_reg mod
=0555 own
=root
:root
/usr
/local
/sbin
/passwd-init
<<-EOF
545 sudo /bin/sh -e -f -u -c \
546 'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
# Reinstalls the kernel image package linux-image-$vm_arch with apt-get under
# sudo ($vm_arch is defined outside this listing).
549 rule_kernel_init
() {
550 sudo apt-get
install --reinstall linux-image-
$vm_arch