# Strict mode for the whole script: abort on any error (-e), no pathname
# globbing (-f: paths built below are used verbatim), no unset variables (-u).
# DRY_RUN=<anything> adds -n, i.e. the shell parses but does not execute
# anything after this line -- that is the dry-run.
2 set -e -f ${DRY_RUN:+-n} -u
5 do tool
=$
(readlink
"$tool")
# Prints the usage text. The rule list is extracted with sed from etc/vm.sh
# and from this script: every "rule_NAME () { # ..." header line, so the
# trailing comment on a rule's header is user-visible help text, not just a
# code comment. Without --hidden, $hidden is set and the pattern excludes
# names whose first character is "_" (the rule__* helpers). The readonly
# variables of both files are listed the same way.
11 rule_help
() { # SYNTAX: [--hidden]
12 local hidden
; [ ${1:+set} ] || hidden
=set
15 ce script regroupe des règles pour administrer la VM ($vm_fqdn)
16 _depuis_ la VM hébergée ($vm_fqdn) ;
17 il sert à la fois d'outil (aisément bidouillable)
18 et de documentation (préçise).
19 Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
20 SYNTAX: $0 \$RULE \${RULE}_SYNTAX
22 $(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
24 TRACE # affiche les commandes avant leur exécution
25 $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
# Makes the checkout that holds this tool self-tracking (branch.master
# follows the local remote "." / refs/remotes/master), publishes vm_hosted
# into /usr/local/sbin (both under its own name and as "vm"), and
# force-checks-out master (-f -B: uncommitted local changes are discarded).
# NOTE(review): /usr/local/sbin/vm is a symlink into a git working tree
# owned by whoever ran this rule, and every rule in this file escalates with
# sudo, so a write to that checkout becomes root-level execution the next
# time any admin runs "vm ...". Keep the checkout writable only by the
# sudo-group admins.
# NOTE(review): `tool=$(cd "$tool"; cd -)` prints $OLDPWD, i.e. the caller's
# working directory, not the tool directory; if the intent is an absolute
# $tool, `pwd -P` after the cd is what does that -- verify.
29 rule_git_configure
() {
32 git config
--replace branch.master.remote .
33 git config
--replace branch.master.merge refs
/remotes
/master
35 tool
=$
(cd "$tool"; cd -)
36 sudo
ln -fns "$tool"/vm_hosted
/usr
/local
/sbin
/
37 sudo
ln -fns "$tool"/vm_hosted
/usr
/local
/sbin
/vm
43 git checkout
-f -B master remotes
/master
# Thin sudo wrapper around apt-get install; all arguments are passed through
# unchanged (quoted "$@", so package names are not re-split).
48 rule_apt_get_install
() { # SYNTAX: $package
49 sudo apt-get
install "$@"
# Hidden helper (the leading "_" keeps it out of the default help listing);
# its body is not in this listing.
52 rule__chrooted_configure
() { # NOTE: est-ce bien utile à un moment ?
# Writes the APT sources (Debian main/contrib/non-free from the fr mirror, a
# commented-out backports entry, the pins in /etc/apt/preferences and the
# third-party OpenERP nightly repository), then installs and configures
# apticron so that pending updates are mailed to admin@$vm_domainname.
# NOTE(review): the sources are fetched over plain http; that is acceptable
# only because APT verifies the Release signatures -- the trust anchor is the
# keyring, not the transport. nightly.openerp.com is a third-party flat repo
# ("./"): it is trusted exactly as far as its signing key is, and no Pin for
# it is visible in the preferences lines shown here. An unpinned third-party
# repository may replace base packages; confirm it is pinned or restricted in
# the lines this listing omits.
58 rule_apt_configure
() {
59 sudo
install -m 660 -o root
-g root
/dev
/stdin
/etc
/apt
/sources.list
<<-EOF
60 deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
62 sudo
install -m 660 -o root
-g root
/dev
/stdin
/etc
/apt
/$vm_lsb_name-backports.list
<<-EOF
63 #deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
65 sudo
install -m 660 -o root
-g root
/dev
/stdin
/etc
/apt
/preferences
<<-EOF
67 Pin: release a=$vm_lsb_name
71 Pin: release a=$vm_lsb_name-backports
74 sudo
install -m 660 -o root
-g root
/dev
/stdin
/etc
/apt
/sources.list.d
/openerp.list
<<-EOF
75 deb http://nightly.openerp.com/trunk/nightly/deb/ ./
78 rule apt_get_install apticron
79 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/apticron
/apticron.conf
<<-EOF
80 EMAIL="admin@$vm_domainname"
82 # LISTCHANGES_PROFILE="apticron"
84 # SYSTEM="foobar.example.com"
86 # IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
89 # NOTIFY_NO_UPDATES="0"
91 # CUSTOM_NO_UPDATES_SUBJECT=""
92 # CUSTOM_FROM="root@$vm_fqdn"
# Installs grub-pc and the kernel and writes the GRUB configuration for a Xen
# PV guest: console on hvc0, kernel-side IP configuration (gateway = the VM's
# own address, matching the proxy_arp setup in rule_network_configure),
# resume from the encrypted swap mapping, no recovery entries, and a
# device.map that maps hd0 to the dom0-side /dev/mapper/domU-<fqdn>-disk
# name ("-" is doubled because device-mapper escapes it). The warn() reminds
# the operator not to write GRUB to any disk during the Debian install
# (presumably because boot is driven from the host side, see vm_host).
# Ends with update-grub2 and a rebuild of the initramfs.
# NOTE(review): `install -d -m 644` creates /boot/grub without the search
# bit; root ignores that, but 755 is the conventional directory mode.
# NOTE(review): resume= names ${vm}_swap_deciphered while fstab/crypttab name
# the mapping ${vm_lvm_lv}_swap_deciphered; if $vm and $vm_lvm_lv ever
# differ, resume points at a mapping that is never created.
95 rule_boot_configure
() {
96 warn
"lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
97 rule apt_get_install grub-pc
98 sudo
install -d -m 644 -o root
-g root
/boot
/grub
99 rule apt_get_install linux-image-
$vm_arch
100 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/default
/grub
<<-EOF
103 GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
104 GRUB_CMDLINE_LINUX_DEFAULT="quiet"
105 GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
106 GRUB_DISABLE_RECOVERY="true"
107 #GRUB_PRELOAD_MODULES="lvm"
109 sudo
install -m 644 -o root
-g root
/dev
/stdin
/boot
/grub
/device.map
<<-EOF
111 (hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
113 sudo update-grub2
# NOTE: takes /boot/grub/device.map into account
114 rule initramfs_configure
# Installs Dovecot (IMAP + ManageSieve + Sieve) and writes its local.conf.
# Precondition: the IMAP private key must already be in place (assert on
# key.pem; the hint points at `vm_remote dovecot_key_send`).
# TLS: the self-signed cert+CRL bundle doubles as server certificate and as
# the client CA; clients must present a certificate (ssl_verify_client_cert)
# and the login name is taken from it (auth_ssl_username_from_cert).
# Passwords live per user in ~/etc/dovecot/passwd (passwd-file), which each
# user initialises with the /usr/local/bin/dovecot-passwd helper written
# below: doveadm pw prompts, so the password never appears on a command
# line, and the file is 0640 in the user's home. Mail is a Maildir under
# ~/var/mail with INDEX/CONTROL on the unquota'd /var/lib/dovecot-* dirs;
# a Postfix SASL socket is exposed under /var/spool/postfix/private/auth,
# which is why rule_mail_configure runs this rule after postfix.
# Also writes the postgrey recipient whitelist (content not shown) and
# restarts dovecot.
# NOTE(review): ssl_cipher_list = AES256-SHA pins a single RSA/CBC suite
# with no forward secrecy; an ECDHE/DHE AES-GCM list is the modern choice.
# NOTE(review): /var/lib/dovecot-{index,control} are created 1777 and the
# %u subdirectories appear on first login, so any local user can pre-create
# another user's directory there (at least a denial of service). Confirm
# Dovecot's ownership checks cover this, or create the per-user directories
# when the account is added.
# NOTE(review): nothing in this rule excludes the private key under
# /etc/dovecot/ from etckeeper (rule_postfix_configure does install a
# .gitignore); make sure it does not end up committed to /etc/.git.
116 rule_dovecot_configure
() {
117 rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
118 local hint
="run vm_remote dovecot_key_send before"
119 assert
"test -f /etc/dovecot/$vm_domainname/imap/x509/key.pem" hint
120 sudo
install -m 400 -o root
-g root \
121 "$tool"/var
/pub
/x509
/service
/imap
/crt
+crl.self-signed.pem \
122 /etc
/dovecot
/$vm_domainname/imap
/x509
/crt
+crl.self-signed.pem
123 sudo
install -d -m 770 -o root
-g adm \
126 sudo
install -d -m 1777 -o root
-g root \
127 /var
/lib
/dovecot-control \
128 /var
/lib
/dovecot-index
129 sudo
install -m 664 -o root
-g root
/dev
/stdin
/etc
/dovecot
/local.conf
<<-EOF
130 auth_ssl_username_from_cert = yes
132 log_timestamp = "%Y-%m-%d %H:%M:%S "
134 mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
135 # NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
136 # VOIR: http://wiki2.dovecot.org/Quota/FS
137 mail_plugins = \$mail_plugins quota
138 mail_privileged_group = mail
140 args = /home/%u/etc/dovecot/passwd
145 recipient_delimiter = +
146 sieve = ~/etc/mail/filter.sieve
147 sieve_dir = ~/etc/mail/sieve
148 sieve_global_dir = /var/lib/dovecot/sieve/global/
149 sieve_max_script_size = 1M
150 sieve_quota_max_scripts = 0
151 sieve_quota_max_storage = 10M
152 sieve_user_log = ~/var/log/mail/sieve.log
155 mail_plugins = \$mail_plugins imap_quota
158 auth_socket_path = /var/run/dovecot/auth-master
159 hostname = $vm_domainname
162 mail_plugins = \$mail_plugins sieve
163 postmaster_address = contact+dovecot+lda@$vm_domainname
164 syslog_facility = mail
166 protocols = imap sieve
169 unix_listener /var/spool/postfix/private/auth {
175 ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
176 ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
177 ssl_cipher_list = AES256-SHA
178 ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
179 ssl_verify_client_cert = yes
185 sudo
install -m 755 -o root
-g root
/dev
/stdin
/usr
/local
/bin
/dovecot-passwd
<<-EOF
187 # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
188 install -d -m 770 ~/etc/dovecot
189 install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
190 \$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
193 sudo
install -m 664 -o root
-g root
/dev
/stdin
/etc
/postgrey
/whitelist_recipients.
local <<-EOF
195 sudo service dovecot restart
# Writes /etc/etckeeper/etckeeper.conf (apt/dpkg, no daily autocommits, no
# commit before package installs), installs the tool's prompt.sh hook, then
# installs the etckeeper package itself -- presumably after the config so the
# package's initial setup already uses it.
# NOTE(review): etckeeper tracks all of /etc, so every private key the other
# rules write under /etc (postfix smtpd key, dovecot imap key) goes into
# /etc/.git unless ignored; only rule_postfix_configure is seen installing a
# .gitignore in this listing.
197 rule_etckeeper_configure
() {
198 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/etckeeper
/etckeeper.conf
<<-EOF
200 GIT_COMMIT_OPTIONS=""
201 AVOID_DAILY_AUTOCOMMITS=1
202 #AVOID_SPECIAL_FILE_WARNING=1
203 AVOID_COMMIT_BEFORE_INSTALL=1
204 HIGHLEVEL_PACKAGE_MANAGER=apt
205 LOWLEVEL_PACKAGE_MANAGER=dpkg
207 sudo
install -m 644 -o root
-g root \
208 "$tool"/etc
/etckeeper
/prompt.sh \
209 /etc
/etckeeper
/prompt.sh
210 rule apt_get_install etckeeper
# Writes fstab, crypttab and the swap sysctl. Layout: a plain ext2 /boot
# (LABEL ..._boot, not encrypted), /tmp on a 200 MB tmpfs (nosuid,nodev), and
# LUKS-backed /, /var, /home and swap on LVM. crypttab unlocks the root volume
# interactively ("none" key) and derives the keys of var/home/swap from it
# with the decrypt_derived keyscript, so a single passphrase unlocks all four
# and the swap key is stable across reboots (needed for resume=).
# NOTE(review): decrypt_derived ties var/home/swap to the root volume's
# master key -- rotating the root *passphrase* (rule_luks_key_change) keeps
# working, but a leaked master key exposes all four volumes.
# NOTE(review): /tmp is nosuid,nodev but not noexec; add noexec if nothing on
# this VM needs to execute from /tmp.
# NOTE(review): the trailing "# NOTE" on the vm.swappiness line is part of
# the value as far as sysctl(8) is concerned and may be rejected -- move it
# to its own line.
212 rule_filesystem_configure
() {
213 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/fstab
<<-EOF
214 # <file system> <mount point> <type> <options> <dump> <pass>
215 LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
216 proc /proc proc defaults 0 0
217 sysfs /sys sysfs defaults 0 0
218 tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
219 /dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
220 /dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
221 /dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
222 # NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
223 /dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
225 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/crypttab
<<-EOF
226 # <target name> <source device> <key file> <options>
227 ${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
228 ${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
229 ${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
230 ${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
232 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/sysctl.d
/local-swap.conf
<<-EOF
233 vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité
234 vm.vfs_cache_pressure=50
# Builds the early-boot environment for remote LUKS unlock over SSH:
# initramfs.conf and module lists for a Xen PV guest (contents mostly not
# shown), a sed patch so the dropbear init-premount script no longer
# backgrounds configure_networking, a 4096-bit RSA dropbear host key (the
# ssh-keygen -F check against the tool's known_hosts decides whether one is
# generated; the lines in between are missing here), an authorized_keys for
# the initramfs root aggregated from the ~/etc/ssh/authorized_keys of the
# users in the groups fed by the here-doc (not shown), and removal of the
# id_rsa client keypair Debian generates (the verb before that file list is
# not visible). Ends with update-initramfs -u.
# NOTE(review): /boot is an unencrypted ext2 volume (see fstab), so the
# dropbear host key and this authorized_keys are readable, and the initramfs
# replaceable, by anyone with access to the disk image (the Xen host). Remote
# unlock protects the encrypted volumes at rest, not against a hostile dom0.
# NOTE(review): the sed edits a file owned by the dropbear package
# (/usr/share/initramfs-tools/scripts/init-premount/dropbear); a package
# upgrade silently undoes the fix.
# NOTE(review): `return 0` inside the ( ... ) pipeline subshell ends that
# subshell, so the following `break` is unreachable. The `eval ...
# home="~$user"` tilde-expands names read from the group list: fine for
# /etc/group entries, never for untrusted input.
# NOTE(review): `install -d -m 640` creates directories without the search
# bit (root ignores it; 0700 is the usual mode for a root .ssh directory).
237 rule_initramfs_configure
() {
238 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/initramfs-tools
/initramfs.conf
<<-EOF
245 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/modprobe.d
/xen-pv.conf
<<-EOF
247 alias scsi_hostadapter xenblk
249 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/modules
<<-EOF
255 # NOTE: pour Xen en mode HVM :
256 #modprobe xen-platform-pci
258 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/initramfs-tools
/modules
<<-EOF
260 sudo
sed -e '/^configure_networking /s/ &$//' \
261 -i /usr
/share
/initramfs-tools
/scripts
/init-premount
/dropbear
262 # NOTE: works around a bug: dropbear must wait until the network is configured.
263 ssh-keygen
-F "init.$vm_fqdn" -f "$tool"/etc
/openssh
/known_hosts |
264 ( while IFS
= read -r line
265 do case $line in (*" RSA") return 0; break;; esac
269 /etc
/initramfs-tools
/etc
/dropbear
/dropbear_rsa_host_key \
270 /etc
/initramfs-tools
/etc
/dropbear
/dropbear_rsa_host_key.pub
271 sudo dropbearkey
-t rsa
-s 4096 -f \
272 /etc
/initramfs-tools
/etc
/dropbear
/dropbear_rsa_host_key
274 # NOTE: does not bother with dropbear_dss_host_key; Debian generates and uses it anyway.
275 sudo
install -d -m 640 -o root
-g root \
276 /etc
/initramfs-tools
/root \
277 /etc
/initramfs-tools
/root
/.
ssh
279 while IFS
=: read -r group x x users
280 do while test -n "$users" && IFS
=, read -r user users
<<-EOF
283 do eval local home\
; home
="~$user"
284 cat "$home"/etc
/ssh
/authorized_keys
287 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/initramfs-tools
/root
/.ssh
/authorized_keys
289 /etc
/initramfs-tools
/root
/.ssh
/id_rsa.dropbear \
290 /etc
/initramfs-tools
/root
/.ssh
/id_rsa.pub \
291 /etc
/initramfs-tools
/root
/.ssh
/id_rsa
292 # NOTE: keys generated by Debian
293 sudo update-initramfs
-u
# Writes /etc/timezone (the value line is not shown) and reconfigures tzdata
# from it so /etc/localtime follows.
295 rule_time_configure
() {
296 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/timezone
<<-EOF
299 sudo dpkg-reconfigure tzdata
# Writes /etc/locale.gen (the entries are not shown); the locale-gen run that
# presumably follows is on a line outside this listing.
302 rule_locale_configure
() {
303 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/locale.gen
<<-EOF
# Console and login policy for the Xen guest: adds hvc0/xvc0 to
# /etc/securetty idempotently (the $(cat ...) substitution is expanded before
# install truncates the file, so existing content is kept), writes a sysvinit
# inittab with a getty on hvc0, sulogin in single-user mode and a
# Ctrl-Alt-Del handler gated by shutdown -a (/etc/shutdown.allow), sets
# login.defs (sbin dirs in every PATH, SHA512 password hashing) and appends
# pam_umask to common-session with the same cat-then-rewrite pattern.
# NOTE(review): listing hvc0 in securetty lets root log in directly on the
# hypervisor console, so whoever can attach to the guest console from the
# host gets a root login prompt (only matters once root has a password).
# NOTE(review): the UMASK value itself is not in this listing, but the notes
# kept at lines 383-384 say the owning group is trusted like the owner,
# which implies a group-writable default; that is only safe with private
# per-user primary groups (Debian's USERGROUPS_ENAB default).
308 rule_login_configure
() {
309 grep -q '^hvc0$' /etc
/securetty ||
310 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/securetty
<<-EOF
311 $(cat /etc/securetty)
314 grep -q '^xvc0$' /etc
/securetty ||
315 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/securetty
<<-EOF
316 $(cat /etc/securetty)
319 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/inittab
<<-EOF
320 # /etc/inittab: init(8) configuration.
322 # The default runlevel.
325 # Boot-time system configuration/initialization script.
326 # This is run first except when booting in emergency (-b) mode.
327 si::sysinit:/etc/init.d/rcS
329 # What to do in single-user mode.
330 ~~:S:wait:/sbin/sulogin
332 # /etc/init.d executes the S and K scripts upon change
335 # Runlevel 0 is halt.
336 # Runlevel 1 is single-user.
337 # Runlevels 2-5 are multi-user.
338 # Runlevel 6 is reboot.
340 l0:0:wait:/etc/init.d/rc 0
341 l1:1:wait:/etc/init.d/rc 1
342 l2:2:wait:/etc/init.d/rc 2
343 l3:3:wait:/etc/init.d/rc 3
344 l4:4:wait:/etc/init.d/rc 4
345 l5:5:wait:/etc/init.d/rc 5
346 l6:6:wait:/etc/init.d/rc 6
347 # Normally not reached, but fallthrough in case of emergency.
348 z6:6:respawn:/sbin/sulogin
350 # What to do when CTRL-ALT-DEL is pressed.
351 ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
353 # What to do when the power fails/returns.
354 pf::powerwait:/etc/init.d/powerfail start
355 pn::powerfailnow:/etc/init.d/powerfail now
356 po::powerokwait:/etc/init.d/powerfail stop
358 # Xen hypervisor console
359 hvc:2345:respawn:/sbin/getty 38400 hvc0
360 #xvc:2345:respawn:/sbin/getty 38400 xvc0
362 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/login.defs
<<-EOF
369 FTMP_FILE /var/log/btmp
371 HUSHLOGIN_FILE .hushlogin
372 ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
373 ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
374 # NOTE: met les sbin/ dans ENV_PATH ;
375 # - ça n'apporte aucune protection de ne pas les mettre ;
376 # - ça frustre de ne pas les trouver.
383 # - donne une même confiance au groupe propriétaire qu'au propriétaire ;
384 # - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
397 ENCRYPT_METHOD SHA512
399 grep -q '^session optional pam_umask.so\>' /etc
/pam.d
/common-session ||
400 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/pam.d
/common-session
<<-EOF
401 $(cat /etc/pam.d/common-session)
402 session optional pam_umask.so
# Aggregate rule for the mail stack, in dependency order: postfix first,
# then postgrey and procmail, dovecot last (its local.conf references the
# SASL socket under /var/spool/postfix and it writes the postgrey whitelist).
405 rule_mail_configure
() {
406 rule postfix_configure
407 rule postgrey_configure
408 rule procmail_configure
409 rule dovecot_configure
# Sets the hostname, adds "$vm_fqdn $vm" to /etc/hosts if missing, and writes
# /etc/network/interfaces: loopback plus a static /32 on interface "grenode"
# whose gateway is the VM's own address (proxy_arp on the router makes that
# work, per the author's note); the ping transcripts kept in the file
# document why the MTU must be 1300 (GRE/IPsec tunnels between the Grenode
# routers). post-up/pre-down hooks add and remove the /32 explicitly.
# NOTE(review): the trailing "# NOTE" on the gateway line is only a comment
# if ifupdown strips it; safer on its own line.
411 rule_network_configure
() {
412 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/hostname
<<-EOF
415 grep -q " $vm\$" /etc
/hosts ||
416 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/hosts
<<-EOF
418 127.0.0.1 $vm_fqdn $vm
420 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/network
/interfaces
<<-EOF
422 iface lo inet loopback
425 iface grenode inet static
427 gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
430 netmask 255.255.255.255
432 # NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
433 # car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
435 # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
436 # PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
437 # 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
439 # --- soupirail.grenode.net ping statistics ---
440 # 1 packets transmitted, 1 received, 0% packet loss, time 0ms
441 # rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
442 # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
443 # PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
444 # From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
446 # --- soupirail.grenode.net ping statistics ---
447 # 0 packets transmitted, 0 received, +1 errors
448 post-up ip address add $vm_ipv4/32 dev \$IFACE
449 pre-down ip address delete $vm_ipv4/32 dev \$IFACE
# Installs and configures Postfix. Precondition: the smtpd private key was
# delivered beforehand (assert on key.pem; hint: `vm_remote postfix_key_send`);
# the warn() asks for "no configuration" at package install time.
# Steps: /etc/postfix/.gitignore (content not shown -- presumably keeps the
# key out of etckeeper; confirm), the per-domain directory tree, the x509
# material (cert+CRL bundle, certificate, crt+root, all 0400; ca/crt.pem is
# pointed at ../crt+crl.self-signed.pem by the command on the line before,
# not shown), header_checks, aliases (+ newaliases), main.cf assembled from
# the generated mydomain/myorigin/myhostname/mydestination lines followed by
# the tool's template, master.cf, then the lookup tables (smtp TLS policy,
# sender_access, client_blacklist, relay_clientcerts, transport,
# virtual_alias), each followed by postmap. Restarts postfix at the end.
# NOTE(review): relay_clientcerts grants relaying to the client-certificate
# fingerprints it lists -- treat that file as a credential list and review
# it whenever a client certificate is rotated or revoked.
# NOTE(review): the generated main.cf lines come *before* the template
# (cat /dev/stdin first); Postfix keeps the last assignment, so anything the
# template also defines silently overrides these values.
# NOTE(review): the directory tree (lines 460-467 / 468-475) and the
# crt+crl.self-signed.pem install (480-481 / 489-490) are each done twice;
# harmless, but one copy can go.
452 rule_postfix_configure
() {
453 local hint
="run vm_remote postfix_key_send before"
454 assert
"test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
455 warn
"lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
456 rule apt_get_install postfix
457 sudo
install -m 640 -o root
-g root
/dev
/stdin
/etc
/postfix
/.gitignore
<<-EOF
460 sudo
install -d -m 770 -o root
-g root \
461 /etc
/postfix
/$vm_domainname/ \
462 /etc
/postfix
/$vm_domainname/smtp \
463 /etc
/postfix
/$vm_domainname/smtp
/x509 \
464 /etc
/postfix
/$vm_domainname/smtp
/x509
/ca \
465 /etc
/postfix
/$vm_domainname/smtpd \
466 /etc
/postfix
/$vm_domainname/smtpd
/x509 \
467 /etc
/postfix
/$vm_domainname/smtpd
/x509
/ca
468 sudo
install -d -m 770 -o root
-g root \
469 /etc
/postfix
/$vm_domainname/ \
470 /etc
/postfix
/$vm_domainname/smtp \
471 /etc
/postfix
/$vm_domainname/smtp
/x509 \
472 /etc
/postfix
/$vm_domainname/smtp
/x509
/ca \
473 /etc
/postfix
/$vm_domainname/smtpd \
474 /etc
/postfix
/$vm_domainname/smtpd
/x509 \
475 /etc
/postfix
/$vm_domainname/smtpd
/x509
/ca
477 ..
/crt
+crl.self-signed.pem \
478 /etc
/postfix
/$vm_domainname/smtpd
/x509
/ca
/crt.pem
479 sudo
install -m 400 -o root
-g root \
480 "$tool"/var
/pub
/x509
/service
/smtpd
/crt
+crl.self-signed.pem \
481 /etc
/postfix
/$vm_domainname/smtpd
/x509
/crt
+crl.self-signed.pem
482 sudo
install -m 400 -o root
-g root \
483 "$tool"/var
/pub
/x509
/service
/smtpd
/crt.pem \
484 /etc
/postfix
/$vm_domainname/smtpd
/x509
/crt.pem
485 sudo
install -m 400 -o root
-g root \
486 "$tool"/var
/pub
/x509
/service
/smtpd
/crt
+root.pem \
487 /etc
/postfix
/$vm_domainname/smtpd
/x509
/crt
+root.pem
488 sudo
install -m 400 -o root
-g root \
489 "$tool"/var
/pub
/x509
/service
/smtpd
/crt
+crl.self-signed.pem \
490 /etc
/postfix
/$vm_domainname/smtpd
/x509
/crt
+crl.self-signed.pem
491 sudo
install -m 660 -o root
-g root \
492 "$tool"/etc
/postfix
/$vm_domainname/header_checks \
493 /etc
/postfix
/$vm_domainname/header_checks
494 sudo
install -m 664 -o root
-g root \
495 "$tool"/etc
/postfix
/aliases \
497 sudo newaliases
-oA/etc
/postfix
/aliases
498 cat /dev
/stdin
"$tool"/etc
/postfix
/main.cf
<<-EOF |
499 mydomain = $vm_domainname
500 myorigin = \$mydomain
501 myhostname = $vm_hostname.\$mydomain
502 mail_name = \$myhostname
503 mydestination = $vm_hostname \$myhostname \$myorigin
505 sudo
install -m 664 -o root
-g root
/dev
/stdin \
507 sudo
install -m 664 -o root
-g root \
508 "$tool"/etc
/postfix
/master.cf \
509 /etc
/postfix
/master.cf
510 sudo
install -m 660 -o root
-g root \
511 "$tool"/etc
/postfix
/$vm_domainname/smtp
/x509
/policy \
512 /etc
/postfix
/$vm_domainname/smtp
/x509
/policy
513 sudo postmap
hash:/etc
/postfix
/$vm_domainname/smtp
/x509
/policy
514 sudo
install -m 660 -o root
-g root \
515 "$tool"/etc
/postfix
/$vm_domainname/smtp
/header_checks \
516 /etc
/postfix
/$vm_domainname/smtp
/header_checks
517 sudo
install -m 660 -o root
-g root \
518 "$tool"/etc
/postfix
/$vm_domainname/smtpd
/sender_access \
519 /etc
/postfix
/$vm_domainname/smtpd
/sender_access
520 sudo postmap
hash:/etc
/postfix
/$vm_domainname/smtpd
/sender_access
521 sudo
install -m 660 -o root
-g root \
522 "$tool"/etc
/postfix
/$vm_domainname/smtpd
/client_blacklist \
523 /etc
/postfix
/$vm_domainname/smtpd
/client_blacklist
524 sudo postmap
hash:/etc
/postfix
/$vm_domainname/smtpd
/client_blacklist
525 sudo
install -m 660 -o root
-g root \
526 "$tool"/etc
/postfix
/$vm_domainname/smtpd
/relay_clientcerts \
527 /etc
/postfix
/$vm_domainname/smtpd
/relay_clientcerts
528 sudo postmap
hash:/etc
/postfix
/$vm_domainname/smtpd
/relay_clientcerts
529 sudo
install -m 660 -o root
-g root \
530 "$tool"/etc
/postfix
/$vm_domainname/transport \
531 /etc
/postfix
/$vm_domainname/transport
532 sudo postmap
hash:/etc
/postfix
/$vm_domainname/transport
533 sudo
install -m 660 -o root
-g root \
534 "$tool"/etc
/postfix
/$vm_domainname/virtual_alias \
535 /etc
/postfix
/$vm_domainname/virtual_alias
536 sudo postmap
hash:/etc
/postfix
/$vm_domainname/virtual_alias
537 sudo service postfix restart
# Installs postgrey (greylisting policy daemon) and restarts it. Its
# recipient whitelist (/etc/postgrey/whitelist_recipients.local) is written
# by rule_dovecot_configure, which runs later in rule_mail_configure.
539 rule_postgrey_configure
() {
540 rule apt_get_install postgrey
541 sudo service postgrey restart
# Installs procmail and seeds /etc/skel with the per-user mail layout:
# var/cache/mail and var/log/mail (0770 root:adm) and the tool's
# delivery.procmailrc (0660 root:adm). adduser copies (and re-owns) these
# into every new home.
543 rule_procmail_configure
() {
544 rule apt_get_install procmail
545 sudo
install -d -m 770 -o root
-g adm \
547 /etc
/skel
/var
/cache
/mail \
548 /etc
/skel
/var
/log
/mail \
550 sudo
install -m 660 -o root
-g adm \
551 "$tool"/etc
/skel
/etc
/mail
/delivery.procmailrc \
552 /etc
/skel
/etc
/mail
/delivery.procmailrc
# Host-key and sshd policy. Checks the tool's known_hosts for an RSA entry
# for $vm_fqdn (the lines deciding what follows are missing here), generates
# a 4096-bit RSA host key with an empty passphrase, drops the DSA and ECDSA
# keys Debian generated (the verb on line 560 is not visible), and writes
# sshd_config: listen on $vm_ipv4 only, RSA host key only, public-key
# authentication only (password, challenge-response, Kerberos, GSSAPI and
# host-based auth all off, no empty passwords), keys read from
# %h/etc/ssh/authorized_keys, no client-alive probing, sftp subsystem.
# Restarts sshd.
# NOTE(review): RSAAuthentication and KeyRegenerationInterval are SSH
# protocol-1 options; newer OpenSSH ignores them with a deprecation warning,
# so they can go together with any Protocol 1 support.
# NOTE(review): with AuthorizedKeysFile under ~/etc/ssh, sshd's StrictModes
# would refuse the file if ~/etc/ssh inherits the 0770 mode used for the
# skel directories in rule_user_configure; the StrictModes line is not in
# this listing -- confirm which way it is set and that group write is meant.
# NOTE(review): rule_user_admin_add installs a user's authorized_keys as
# root:root 0640; sshd opens that file with the user's own privileges, so as
# listed the user cannot read it and key login would fail -- verify the real
# owner/mode.
554 rule_ssh_configure
() {
555 ssh-keygen
-F "$vm_fqdn" -f "$tool"/etc
/openssh
/known_hosts |
556 ( while IFS
= read -r line
557 do case $line in (*" RSA") return 0; break;; esac
559 sudo ssh-keygen
-t rsa
-b 4096 -N '' -f /etc
/ssh
/ssh_host_rsa_key
561 /etc
/ssh
/ssh_host_dsa_key \
562 /etc
/ssh
/ssh_host_dsa_key.pub \
563 /etc
/ssh
/ssh_host_ecdsa_key \
564 /etc
/ssh
/ssh_host_ecdsa_key.pub
565 # NOTE: keys generated by Debian
566 sudo
install -m 644 -o root
-g root
/dev
/stdin
/etc
/ssh
/sshd_config
<<-EOF
568 ListenAddress $vm_ipv4
572 HostKey /etc/ssh/ssh_host_rsa_key
573 UsePrivilegeSeparation yes
574 KeyRegenerationInterval 3600
581 RSAAuthentication yes
582 PubkeyAuthentication yes
583 AuthorizedKeysFile %h/etc/ssh/authorized_keys
585 RhostsRSAAuthentication no
586 HostbasedAuthentication no
587 IgnoreUserKnownHosts no
588 PermitEmptyPasswords no
589 ChallengeResponseAuthentication no
590 PasswordAuthentication no
591 KerberosAuthentication no
592 GSSAPIAuthentication no
599 ClientAliveInterval 0
601 Subsystem sftp /usr/lib/openssh/sftp-server
604 sudo service
ssh restart
# Creates an admin account (skipped if `id` already knows it) with a locked
# password -- the user sets it later with passwd-init, whose sudo rule only
# acts while `passwd --status` reports "L" -- adds it to the sudo group,
# installs the admin's public key from the tool's var/pub/ssh as
# ~/etc/ssh/authorized_keys, imports every var/pub/openpgp/*.key into the
# user's keyring, then runs user_admin_configure (initramfs + root keys).
# NOTE(review): `local -; set +f` (bash >= 4.4) re-enables globbing for the
# *.key loop only; the rest of the script runs with set -f.
# NOTE(review): the `eval ... home="~$user"` tilde expansion executes
# whatever $user contains; $user is the operator's own argument here, so
# only call this with a plain user name.
# NOTE(review): authorized_keys is installed root:root 0640 inside the
# user's home; sshd reads it with the user's privileges, so as listed the
# user cannot read it and key login would fail -- verify the intended
# owner/mode.
606 rule_user_admin_add
() { # SYNTAX: $user
608 id
"$user" >/dev
/null ||
609 sudo adduser
--disabled-password "$user"
610 # NOTE: the password must be initialised by the user with passwd-init.
611 eval local home\
; home
="~$user"
612 sudo adduser
"$user" sudo
613 sudo
install -m 640 -o root
-g root \
614 "$tool"/var
/pub
/ssh
/"$user".key \
615 "$home"/etc
/ssh
/authorized_keys
616 local key
; local -; set +f
617 for key
in "$tool"/var
/pub
/openpgp
/*.key
618 do sudo
-u "$user" gpg
--import "$key"
620 rule user_admin_configure
# Propagates admin key material: rebuilding the initramfs republishes the
# dropbear authorized_keys (early-boot disk unlock) and user_root_configure
# regenerates /root/etc/ssh/authorized_keys. Every admin added through
# user_admin_add can therefore unlock the disks at boot and log in as root
# over SSH; removing an admin requires re-running both rules as well.
622 rule_user_admin_configure
() {
623 rule initramfs_configure
624 rule user_root_configure
# Per-user defaults: /etc/skel directories (etc/apache2, var/cache,
# var/cache/ssh, root:adm), .ssh -> etc/ssh and .gnupg -> etc/gpg symlinks
# in the skeleton, three sudoers.d fragments, the passwd-init helper and the
# system bash.bashrc/screenrc.
# passwd-init: members of the sudo group may run, without a password,
# `/bin/sh -e -f -u -c '<script>'` where the script runs `passwd $SUDO_USER`
# only if `passwd --status` reports the account locked ("L"); $SUDO_USER is
# set by sudo, not by the caller, and the rule is a no-op once a password
# exists. /usr/local/bin/passwd-init issues exactly that command.
# etckeeper-unclean: passwordless `etckeeper unclean` for the sudo group.
# env_keep: replaces the default env_keep list with GIT_COMMITTER_* (and
# the variables on the lines not shown) so etckeeper commits carry the
# admin's identity.
# NOTE(review): sudoers treats "*" in command-line arguments as a wildcard
# (sudoers(5), fnmatch), so the passwd-init rule is NOT matched literally:
# any -c script that keeps the text before and after the "*" is accepted,
# and the part in between may be arbitrary shell -- as far as I can tell
# that gives any sudo-group member (or anyone holding their session or key)
# passwordless root, defeating the "only while locked" gate. Escape it as
# \* in the sudoers fragment (the wrapper keeps the literal "*"), or better,
# allow only a small root-owned script that contains this logic.
# NOTE(review): the sudoers.d fragments are installed 0640; sudo expects
# 0440 (sudoers_mode) and may warn about or refuse a fragment with another
# mode -- use `-m 440`.
626 rule_user_configure
() {
627 sudo
install -d -m 750 -o root
-g adm \
630 sudo
install -d -m 770 -o root
-g adm \
631 /etc
/skel
/etc
/apache2 \
634 /etc
/skel
/var
/cache \
635 /etc
/skel
/var
/cache
/ssh
636 sudo
ln -fns etc
/ssh /etc
/skel
/.
ssh
637 sudo
ln -fns etc
/gpg
/etc
/skel
/.gnupg
638 sudo
install -m 640 -o root
-g root
/dev
/stdin
/etc
/sudoers.d
/passwd-init
<<-EOF
639 %sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
640 case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
641 ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
643 sudo
install -m 640 -o root
-g root
/dev
/stdin
/etc
/sudoers.d
/etckeeper-unclean
<<-EOF
644 %sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
646 sudo
install -m 640 -o root
-g root
/dev
/stdin
/etc
/sudoers.d
/env_keep
<<-EOF
647 Defaults env_keep = " \\
651 GIT_COMMITTER_NAME \\
652 GIT_COMMITTER_EMAIL \\
655 sudo
install -m 755 -o root
-g root
/dev
/stdin
/usr
/local
/bin
/passwd-init
<<-EOF
657 # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
658 sudo /bin/sh -e -f -u -c \
659 'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
661 sudo
install -m 644 -o root
-g root \
662 "$tool"/etc
/bash.bashrc \
664 sudo
install -m 644 -o root
-g root \
665 "$tool"/etc
/screenrc \
# Root's own profile: directories (targets on the missing lines 670-672)
# 0750 root:adm, .gnupg -> etc/gpg and .ssh -> etc/ssh symlinks, then
# /root/etc/ssh/authorized_keys rebuilt from the ~/etc/ssh/authorized_keys
# of every user in the groups fed by the here-doc (the inner read splits the
# comma-separated member list; the group input is not shown), and the tool's
# OpenPGP keys imported into root's keyring.
# NOTE(review): the `cat "$home"/etc/ssh/authorized_keys` runs without sudo
# (everything else in the rule escalates), so it only works if those files
# are readable by whoever runs the rule; rule_user_admin_add installs them
# root:root 0640, which would make this fail -- check which is right.
668 rule_user_root_configure
() {
669 sudo
install -d -m 750 -o root
-g adm \
673 sudo
ln -fns etc
/gpg
/root
/.gnupg
674 sudo
ln -fns etc
/ssh /root
/.
ssh
676 while IFS
=: read -r group x x users
677 do while test -n "$users" && IFS
=, read -r user users
<<-EOF
680 do eval local home\
; home
="~$user"
681 cat "$home"/etc
/ssh
/authorized_keys
684 sudo
install -m 640 -o root
-g root
/dev
/stdin
/root
/etc
/ssh
/authorized_keys
685 local key
; local -; set +f
686 for key
in "$tool"/var
/pub
/openpgp
/*.key
687 do sudo gpg
--import "$key"
# Sequence of sub-rules (etckeeper, locale, network, filesystem, ..., root
# user); the header of the rule whose body this is, and the lines between
# these calls, are not in this listing. etckeeper presumably goes first so
# that the rest of the configuration is committed as it is written.
693 rule etckeeper_configure
694 rule locale_configure
696 rule network_configure
697 rule filesystem_configure
701 rule user_root_configure
# Changes a passphrase on the root LUKS volume (cryptsetup prompts for the
# old and new passphrases). Because /var, /home and swap are unlocked with
# keys derived from the root volume (decrypt_derived in crypttab), the root
# volume is the only one that has a passphrase to rotate.
# NOTE(review): luksChangeKey rotates a key slot, not the volume master key;
# if the master key itself may have leaked, the data must be re-encrypted.
706 rule_luks_key_change
() {
707 sudo cryptsetup luksChangeKey
/dev
/$vm_lvm_vg/${vm_lvm_lv}_root
# Guard: every rule in this file acts on the hosted VM itself, so refuse to
# go on unless the running host's FQDN is $vm_fqdn (the second argument names
# the variable to show as a hint when the assertion fails).
715 assert
'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn