Ajout : rule_user_configure : bash, screen, etckeeper .
#!/bin/sh
# vm_hosted: administration rules to be run *from inside* the hosted VM
# (see rule_help).  Rules are the rule_* functions of this file and of
# "$tool"/etc/vm.sh; rule, warn and assert are presumably provided by
# "$tool"/lib/rule.sh (they are called here but not defined here).
# DRY_RUN=<anything> adds -n: the rest of the file is parsed, not executed.
set -e -f ${DRY_RUN:+-n} -u
# Directory of this script.  Assumes $0 contains a slash (invoked by path):
# otherwise ${0%/*} is $0 itself and the two sources below fail.
tool=${0%/*}
. "$tool"/lib/rule.sh
. "$tool"/etc/vm.sh
6
# Print the usage text on stderr.  With no argument, rules whose name starts
# with "_" (internal ones) are hidden; any argument (e.g. --hidden) lists
# them too.  The RULES section is scraped with sed from the
# "rule_NAME () { # ..." header lines of etc/vm.sh and of this file, so those
# lines must keep exactly that shape (single spaces around "()"), and the
# trailing comment of a header is what gets shown as the rule's description.
rule_help () { # SYNTAX: [--hidden]
  # hidden=set (the default) restricts the sed pattern to names not starting with "_".
  local hidden; [ ${1:+set} ] || hidden=set
  cat >&2 <<-EOF
DESCRIPTION:
ce script regroupe des règles pour administrer la VM ($vm_fqdn)
_depuis_ la VM hébergée ($vm_fqdn) ;
il sert à la fois d'outil (aisément bidouillable)
et de documentation (préçise).
Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
SYNTAX: $0 \$RULE \${RULE}_SYNTAX
RULES:
$(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
ENVIRONMENT:
TRACE # affiche les commandes avant leur exécution
$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
EOF
}
24
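# Point this checkout's master at the local ref refs/remotes/master and
# publish the script as /usr/local/sbin/vm_hosted.  Runs in a subshell so
# the cd does not leak into the caller.
# Fixes: --replace-all spelled out instead of the abbreviation --replace;
# the absolute path of the checkout is taken from $PWD after the cd instead
# of the "cd $tool; cd -" trick (which also shadowed $tool with a local).
rule_git_configure () {
  (
    cd "$tool"
    git config --replace-all branch.master.remote .
    git config --replace-all branch.master.merge refs/remotes/master
    # Absolute path, so the symlink stays valid whatever the cwd was.
    sudo ln -fns "$PWD"/vm_hosted /usr/local/sbin/
  )
}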
# Throw away local changes: force master onto refs/remotes/master, then
# delete every untracked and ignored file of the checkout.
rule_git_reset () {
  (
    cd "$tool" || exit
    git checkout -f -B master remotes/master
    git clean -f -d -x
  )
}
42
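# Install the given packages with apt-get, unless dpkg already reports every
# one of them as "install ok installed".  Before apt-get runs, warns when
# etckeeper is present and reports /etc as unclean (its apt hook may then
# demand an `etckeeper commit' first, see the warning text).
# Arguments: one or more package names; all of them are passed to apt-get.
# Fix: every package is checked, not just the first one (the rest were
# skipped whenever $1 happened to be installed).
rule_apt_get_install () { # SYNTAX: $package
  local pkg status missing
  missing=
  for pkg in "$@"; do
    # dpkg -s fails on unknown packages; "|| true" keeps set -e quiet,
    # an empty status then means "not installed".
    status=$(dpkg -s "$pkg" 2>/dev/null | grep '^Status: ' || true)
    [ "$status" = "Status: install ok installed" ] || missing=set
  done
  [ ${missing:+set} ] || return 0
  # "etckeeper unclean" exits 0 when /etc has uncommitted changes.
  test ! -x /usr/bin/etckeeper ||
  ! sudo etckeeper unclean ||
  warn "/etc unclean: etckeeper may force you to \`etckeeper commit'; then you can run your $0 command again."
  sudo apt-get install "$@"
}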
53
# Force a C locale and re-read /etc/profile (judging by its name, meant to
# be run inside a chroot).  Hidden from the default help listing.
rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
  LANG=C
  LC_CTYPE=C
  export LANG LC_CTYPE
  . /etc/profile
}
59
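# Write the apt sources (Debian $vm_lsb_name, a commented-out backports list,
# the OpenERP nightly repository) and the pinning preferences, refresh the
# package lists, then install apticron and point its reports at
# admin@$vm_domainname.
# Fix: install(1) has no -u option; the owner is given with -o.
rule_apt_configure () {
  sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
EOF
  # NOTE(review): written under /etc/apt/ rather than sources.list.d/, so apt
  # does not read it; harmless while its only line stays commented out.
  sudo install -m 660 -o root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF
#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
EOF
  # NOTE(review): backports (200) outrank the release (170) here — presumably
  # intended, since the backports source above is disabled; confirm.
  sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
Package: *
Pin: release a=$vm_lsb_name
Pin-Priority: 170

Package: *
Pin: release a=$vm_lsb_name-backports
Pin-Priority: 200
EOF
  # NOTE(review): plain-http source and no signing key installed by this
  # rule; unless a key is added elsewhere apt treats its packages as
  # unauthenticated.
  sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
deb http://nightly.openerp.com/trunk/nightly/deb/ ./
EOF
  sudo apt-get update
  rule apt_get_install apticron
  sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF
EMAIL="admin@$vm_domainname"
# DIFF_ONLY="1"
# LISTCHANGES_PROFILE="apticron"
# ALL_FQDNS="1"
# SYSTEM="foobar.example.com"
# IPADDRESSNUM="1"
# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
# NOTIFY_HOLDS="0"
# NOTIFY_NEW="0"
# NOTIFY_NO_UPDATES="0"
# CUSTOM_SUBJECT=""
# CUSTOM_NO_UPDATES_SUBJECT=""
# CUSTOM_FROM="root@$vm_fqdn"
EOF
}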
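# Install grub-pc (without writing it to any disk, see the warning) and the
# kernel, write /etc/default/grub and /boot/grub/device.map, rebuild grub.cfg
# and then the initramfs.
# Fixes: install(1) has no -u (owner is -o); /boot/grub was created with
# mode 644, which has no search bit for a directory, now 755; expansions
# quoted.
rule_boot_configure () {
  warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
  rule apt_get_install grub-pc
  sudo install -d -m 755 -o root -g root /boot/grub
  rule apt_get_install "linux-image-$vm_arch"
  # NOTE(review): resume= names ${vm}_swap_deciphered while crypttab (see
  # rule_filesystem_configure) creates ${vm_lvm_lv}_swap_deciphered; they
  # only agree when vm and vm_lvm_lv are equal — confirm.
  sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
GRUB_DISABLE_RECOVERY="true"
#GRUB_PRELOAD_MODULES="lvm"
EOF
  # device-mapper doubles the dashes of an LV name, hence the sed.
  sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF
(hd0) /dev/xvda
(hd0) /dev/mapper/domU-$(printf %s "$vm_fqdn-disk" | sed -e 's/-/--/g')
EOF
  sudo update-grub2 # NOTE: takes /boot/grub/device.map into account
  rule initramfs_configure
}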
# Install Dovecot (IMAP, ManageSieve, Sieve for the LDA) and write its whole
# local configuration: per-user passwd-file authentication, FS quota, TLS
# with client certificates against a self-signed cert, the auth socket used
# by Postfix, plus a dovecot-passwd helper letting each user create their own
# password entry.  Requires the IMAP private key to be present already (see
# the assert and its hint).
rule_dovecot_configure () {
  rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
  local hint="run vm_remote dovecot_key_send before"
  assert "test -f /etc/dovecot/$vm_domainname/imap/x509/key.pem" hint
  sudo install -m 400 -o root -g root \
    "$tool"/var/pub/x509/service/imap/crt+crl.self-signed.pem \
    /etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
  # Copied into every new home; matches the ~/etc/mail sieve paths below.
  sudo install -d -m 770 -o root -g adm \
    /etc/skel/etc/mail \
    /etc/skel/etc/sieve
  # Sticky world-writable parents of the per-user INDEX/CONTROL dirs (%u below).
  sudo install -d -m 1777 -o root -g root \
    /var/lib/dovecot-control \
    /var/lib/dovecot-index
  # NOTE(review): ssl_cipher_list pins a single legacy cipher (AES256-SHA)
  # and mail_debug is on; both worth revisiting for production.
  sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
auth_ssl_username_from_cert = yes
listen = *
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_debug = yes
mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
# NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
# VOIR: http://wiki2.dovecot.org/Quota/FS
mail_plugins = \$mail_plugins quota
mail_privileged_group = mail
passdb {
args = /home/%u/etc/dovecot/passwd
driver = passwd-file
}
plugin {
quota = fs:user
recipient_delimiter = +
sieve = ~/etc/mail/filter.sieve
sieve_dir = ~/etc/mail/sieve
sieve_global_dir = /var/lib/dovecot/sieve/global/
sieve_max_script_size = 1M
sieve_quota_max_scripts = 0
sieve_quota_max_storage = 10M
sieve_user_log = ~/var/log/mail/sieve.log
}
protocol imap {
mail_plugins = \$mail_plugins imap_quota
}
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
hostname = $vm_domainname
info_log_path =
log_path =
mail_plugins = \$mail_plugins sieve
postmaster_address = contact+dovecot+lda@$vm_domainname
syslog_facility = mail
}
protocols = imap sieve
service auth {
user = root
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
ssl_cipher_list = AES256-SHA
ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
ssl_verify_client_cert = yes
userdb {
driver = passwd
}
verbose_ssl = no
EOF
  # Helper run by the user themself: writes the passwd-file entry read by
  # the passdb above (the hash is produced by doveadm, which prompts).
  sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
#!/bin/sh -efux
# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
install -d -m 770 ~/etc/dovecot
install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
\$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
_EOF
EOF
  # Empty postgrey whitelist (written here rather than in rule_postgrey_configure).
  sudo install -m 664 -o root -g root /dev/stdin /etc/postgrey/whitelist_recipients.local <<-EOF
EOF
  sudo service dovecot restart
}
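# Write /etc/etckeeper/etckeeper.conf (git backend, no daily autocommit, no
# automatic commit before package installs) and the prompt helper, then
# install etckeeper itself.
# Fixes: install(1) has no -u (owner is -o); prompt.sh is taken from
# "$tool"/etc like the other files this script installs, not from the cwd.
# NOTE(review): the conffile is written before the package is installed, so
# dpkg will presumably see it as locally modified on first install — confirm
# this is the intended way to avoid the commit-before-install.
rule_etckeeper_configure () {
  sudo install -m 644 -o root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
VCS=git
GIT_COMMIT_OPTIONS=""
AVOID_DAILY_AUTOCOMMITS=1
#AVOID_SPECIAL_FILE_WARNING=1
AVOID_COMMIT_BEFORE_INSTALL=1
HIGHLEVEL_PACKAGE_MANAGER=apt
LOWLEVEL_PACKAGE_MANAGER=dpkg
EOF
  sudo install -m 644 -o root -g root \
    "$tool"/etc/etckeeper/prompt.sh \
    /etc/etckeeper/prompt.sh
  rule apt_get_install etckeeper
}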
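# Write fstab (LUKS-on-LVM root/var/home/swap, tmpfs /tmp, quotas on /home),
# crypttab (var/home/swap unlocked with a key derived from the root volume
# via decrypt_derived, so presumably only the root passphrase is asked at
# boot) and a sysctl drop-in for swap tuning.
# Fixes: install(1) has no -u (owner is -o); sysctl.conf(5) only knows
# whole-line comments, so the note that followed vm.swappiness on the same
# line (and thus became part of the value) is now a line of its own.
rule_filesystem_configure () {
  sudo install -m 644 -o root -g root /dev/stdin /etc/fstab <<-EOF
# <file system> <mount point> <type> <options> <dump> <pass>
LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
# NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF
# <target name> <source device> <key file> <options>
${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/sysctl.d/local-swap.conf <<-EOF
# NOTE: n'utilise le swap qu'en cas d'absolue nécessité
vm.swappiness = 10
vm.vfs_cache_pressure=50
EOF
}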
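# Configure the initramfs of this Xen PV guest for remote unlocking: module
# lists, a patched dropbear hook that waits for the network, a 4096-bit
# dropbear host key (generated only when known_hosts has no RSA entry for
# init.$vm_fqdn), an authorized_keys gathering the ssh keys of every member
# of group sudo (so each admin can unlock the disks over ssh), then rebuilds
# the initramfs.
# Fixes: install(1) has no -u (owner is -o); the two root/ directories were
# created with mode 640, which has no search bit, now 750; each member's
# home comes from the passwd database instead of an eval of "~$user"; the
# subshell reading ssh-keygen's output uses exit rather than return.
rule_initramfs_configure () {
  local line group x users user home
  sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
MODULES=most
BUSYBOX=y
KEYMAP=y
COMPRESS=gzip
DEVICE=eth0
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/modprobe.d/xen-pv.conf <<-EOF
alias eth0 xennet
alias scsi_hostadapter xenblk
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/modules <<-EOF
sha1_generic
sha256_generic
sha512_generic
aes-x86_64
xts
# NOTE: pour Xen en mode HVM :
#modprobe xen-platform-pci
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF
EOF
  # NOTE: works around a bug: dropbear must wait for the network to be
  # configured, so the trailing "&" of the configure_networking line goes.
  # NOTE(review): this edits a file shipped by a package; a package upgrade
  # will silently undo it.
  sudo sed -e '/^configure_networking /s/ &$//' \
    -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
  # Keep the current dropbear key when known_hosts already has a line ending
  # in " RSA" for init.$vm_fqdn; otherwise generate a fresh one.
  ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
  (
    while IFS= read -r line; do
      case $line in (*" RSA") exit 0;; esac
    done
    exit 1
  ) || {
    sudo rm -f \
      /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
      /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
    sudo dropbearkey -t rsa -s 4096 -f \
      /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
  }
  # NOTE: dropbear_dss_host_key is left alone; Debian generates and uses it anyway.
  sudo install -d -m 750 -o root -g root \
    /etc/initramfs-tools/root \
    /etc/initramfs-tools/root/.ssh
  # Concatenate ~/etc/ssh/authorized_keys of every sudo member.  The loop
  # runs in a subshell of the pipeline: a failure inside only truncates the
  # list (no pipefail in sh), same as before.
  getent group sudo |
  while IFS=: read -r group x x users; do
    while [ -n "$users" ]; do
      case $users in
        (*,*) user=${users%%,*}; users=${users#*,};;
        (*) user=$users; users=;;
      esac
      home=$(getent passwd "$user") || exit 1
      home=${home%:*}; home=${home##*:}
      cat "$home"/etc/ssh/authorized_keys
    done
  done |
  sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys
  # NOTE: keys generated by Debian; not wanted in the initramfs.
  sudo rm -f \
    /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
    /etc/initramfs-tools/root/.ssh/id_rsa.pub \
    /etc/initramfs-tools/root/.ssh/id_rsa
  sudo update-initramfs -u
}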
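# Restrict /etc/locale.gen to fr_FR.UTF-8 and refresh /etc/default/locale.
# Fix: install(1) has no -u (owner is -o).
# NOTE(review): nothing here runs locale-gen, so the locale itself is
# presumably generated elsewhere (e.g. by the locales package) — confirm.
rule_locale_configure () {
  sudo install -m 644 -o root -g root /dev/stdin /etc/locale.gen <<-EOF
fr_FR.UTF-8 UTF-8
EOF
  sudo update-locale
}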
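# Allow root logins on the Xen consoles (hvc0, xvc0), write a sysvinit
# inittab with a getty on hvc0, /etc/login.defs (umask 007, SHA512 hashes,
# sbin dirs in everyone's PATH, 3 login retries) and enable pam_umask so the
# umask applies to every session.  The securetty and pam edits append a
# line only when it is not there yet.
# Fix: install(1) has no -u (owner is -o).
rule_login_configure () {
  grep -q '^hvc0$' /etc/securetty ||
  sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
$(cat /etc/securetty)
hvc0
EOF
  grep -q '^xvc0$' /etc/securetty ||
  sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
$(cat /etc/securetty)
xvc0
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF
# /etc/inittab: init(8) configuration.

# The default runlevel.
id:2:initdefault:

# Boot-time system configuration/initialization script.
# This is run first except when booting in emergency (-b) mode.
si::sysinit:/etc/init.d/rcS

# What to do in single-user mode.
~~:S:wait:/sbin/sulogin

# /etc/init.d executes the S and K scripts upon change
# of runlevel.
#
# Runlevel 0 is halt.
# Runlevel 1 is single-user.
# Runlevels 2-5 are multi-user.
# Runlevel 6 is reboot.

l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fallthrough in case of emergency.
z6:6:respawn:/sbin/sulogin

# What to do when CTRL-ALT-DEL is pressed.
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

# What to do when the power fails/returns.
pf::powerwait:/etc/init.d/powerfail start
pn::powerfailnow:/etc/init.d/powerfail now
po::powerokwait:/etc/init.d/powerfail stop

# Xen hypervisor console
hvc:2345:respawn:/sbin/getty 38400 hvc0
#xvc:2345:respawn:/sbin/getty 38400 xvc0
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF
MAIL_DIR /var/mail
FAILLOG_ENAB yes
LOG_UNKFAIL_ENAB no
LOG_OK_LOGINS no
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
FTMP_FILE /var/log/btmp
SU_NAME su
HUSHLOGIN_FILE .hushlogin
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# NOTE: met les sbin/ dans ENV_PATH ;
# - ça n'apporte aucune protection de ne pas les mettre ;
# - ça frustre de ne pas les trouver.
TTYGROUP tty
TTYPERM 0600
ERASECHAR 0177
KILLCHAR 025
UMASK 007
# NOTE: rwxrwx--- ;
# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
GID_MIN 1000
GID_MAX 60000
LOGIN_RETRIES 3
LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
DEFAULT_HOME yes
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
EOF
  # NOTE(review): common-session is managed by pam-auth-update; a later
  # run of that tool may rewrite this hand-appended line.
  grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
  sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF
$(cat /etc/pam.d/common-session)
session optional pam_umask.so
EOF
}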
# Install procmail and seed /etc/skel with the mail directories and the
# delivery recipe every new account gets.
rule_procmail_configure () {
  local skel=/etc/skel
  rule apt_get_install procmail
  sudo install -d -m 770 -o root -g adm \
    "$skel"/etc/mail \
    "$skel"/var/cache/mail \
    "$skel"/var/log/mail \
    "$skel"/var/mail
  sudo install -m 660 -o root -g adm \
    "$tool"/etc/skel/etc/mail/delivery.procmailrc \
    "$skel"/etc/mail/delivery.procmailrc
}
# Install postgrey and (re)start it.
rule_postgrey_configure () {
  local service=postgrey
  rule apt_get_install "$service"
  sudo service "$service" restart
}
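# Install and configure Postfix for $vm_domainname: x509 material for the
# smtpd (server) and smtp (client) sides, the lookup tables (header checks,
# sender access, client blacklist, relay client certs, transport, virtual
# aliases), main.cf/master.cf and /etc/aliases from "$tool"/etc, then
# restart the service.  Requires the smtpd private key to be present
# already (see the assert and its hint).
# Fixes: the install -d and the crt+crl.self-signed.pem install were each
# issued twice (duplicates dropped); source files are taken from "$tool"/etc
# and "$tool"/var like the other rules, not relative to the cwd.
rule_postfix_configure () {
  local hint="run vm_remote postfix_key_send before"
  local cfg=/etc/postfix/$vm_domainname
  local src="$tool"/etc/postfix/$vm_domainname
  local x509="$tool"/var/pub/x509/service/smtpd
  assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
  warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
  rule apt_get_install postfix
  sudo install -d -m 770 -o root -g root \
    "$cfg"/ \
    "$cfg"/smtp \
    "$cfg"/smtp/x509 \
    "$cfg"/smtp/x509/ca \
    "$cfg"/smtpd \
    "$cfg"/smtpd/x509 \
    "$cfg"/smtpd/x509/ca
  # ca/crt.pem is a symlink to the server's own self-signed cert.
  sudo ln -fns \
    ../crt+crl.self-signed.pem \
    "$cfg"/smtpd/x509/ca/crt.pem
  sudo install -m 400 -o root -g root \
    "$x509"/crt+crl.self-signed.pem \
    "$cfg"/smtpd/x509/crt+crl.self-signed.pem
  sudo install -m 400 -o root -g root \
    "$x509"/crt.pem \
    "$cfg"/smtpd/x509/crt.pem
  sudo install -m 400 -o root -g root \
    "$x509"/crt+root.pem \
    "$cfg"/smtpd/x509/crt+root.pem
  sudo install -m 660 -o root -g root \
    "$src"/header_checks \
    "$cfg"/header_checks
  sudo install -m 664 -o root -g root \
    "$tool"/etc/aliases \
    /etc/aliases
  sudo newaliases
  # main.cf = the site-specific settings below, followed by the shared
  # "$tool"/etc/postfix/main.cf.
  {
    cat <<-EOF
mydomain = $vm_domainname
myorigin = \$mydomain
myhostname = $vm_hostname.\$mydomain
mail_name = \$myhostname
mydestination = $vm_hostname \$myhostname \$myorigin
EOF
    cat "$tool"/etc/postfix/main.cf
  } |
  sudo install -m 664 -o root -g root /dev/stdin \
    /etc/postfix/main.cf
  sudo install -m 664 -o root -g root \
    "$tool"/etc/postfix/master.cf \
    /etc/postfix/master.cf
  # Lookup tables: install the source text, then (re)build the hash: map.
  sudo install -m 660 -o root -g root \
    "$src"/smtp/x509/policy \
    "$cfg"/smtp/x509/policy
  sudo postmap hash:"$cfg"/smtp/x509/policy
  sudo install -m 660 -o root -g root \
    "$src"/smtp/header_checks \
    "$cfg"/smtp/header_checks
  sudo install -m 660 -o root -g root \
    "$src"/smtpd/sender_access \
    "$cfg"/smtpd/sender_access
  sudo postmap hash:"$cfg"/smtpd/sender_access
  sudo install -m 660 -o root -g root \
    "$src"/smtpd/client_blacklist \
    "$cfg"/smtpd/client_blacklist
  sudo postmap hash:"$cfg"/smtpd/client_blacklist
  sudo install -m 660 -o root -g root \
    "$src"/smtpd/relay_clientcerts \
    "$cfg"/smtpd/relay_clientcerts
  sudo postmap hash:"$cfg"/smtpd/relay_clientcerts
  sudo install -m 660 -o root -g root \
    "$src"/transport \
    "$cfg"/transport
  sudo postmap hash:"$cfg"/transport
  sudo install -m 660 -o root -g root \
    "$src"/virtual_alias \
    "$cfg"/virtual_alias
  sudo postmap hash:"$cfg"/virtual_alias
  sudo service postfix restart
}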
# Configure the whole mail stack, in dependency order.
rule_mail_configure () {
  local part
  for part in postfix postgrey procmail dovecot; do
    rule "$part"_configure
  done
}
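# Write /etc/hostname, add the VM to /etc/hosts once, and write a static
# /etc/network/interfaces for the Grenode uplink (single /32 address, the
# gateway answering on that same address via proxy_arp, MTU 1300).
# Fix: install(1) has no -u (owner is -o).
rule_network_configure () {
  sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
$vm
EOF
  grep -q " $vm\$" /etc/hosts ||
  sudo install -m 644 -o root -g root /dev/stdin /etc/hosts <<-EOF
$(cat /etc/hosts)
127.0.0.1 $vm_fqdn $vm
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF
auto lo
iface lo inet loopback

auto eth0=grenode
iface grenode inet static
address $vm_ipv4
gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
network $vm_ipv4
broadcast $vm_ipv4
netmask 255.255.255.255
mtu 1300
# NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
# car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
#
# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
# PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
# 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
#
# --- soupirail.grenode.net ping statistics ---
# 1 packets transmitted, 1 received, 0% packet loss, time 0ms
# rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
# PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
# From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
#
# --- soupirail.grenode.net ping statistics ---
# 0 packets transmitted, 0 received, +1 errors
post-up ip address add $vm_ipv4/32 dev \$IFACE
pre-down ip address delete $vm_ipv4/32 dev \$IFACE
EOF
}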
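# Set up the OpenSSH server: a 4096-bit RSA host key (generated only when
# known_hosts has no RSA entry for $vm_fqdn), the DSA/ECDSA keys removed,
# a key-only sshd_config (passwords and challenge-response off, root login
# allowed but hence key-only, authorized_keys under ~/etc/ssh) and restart.
# Fixes: install(1) has no -u (owner is -o); the subshell reading
# ssh-keygen's output uses exit rather than return.
rule_ssh_configure () {
  local line
  # Keep the current host key when known_hosts already has a line ending in
  # " RSA" for $vm_fqdn; otherwise generate a fresh one.
  # NOTE(review): ssh-keygen asks before overwriting an existing key file,
  # so the generating branch expects an operator at the terminal.
  ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
  (
    while IFS= read -r line; do
      case $line in (*" RSA") exit 0;; esac
    done
    exit 1
  ) ||
  sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
  # NOTE: keys generated by Debian; only the RSA one is served (HostKey below).
  sudo rm -f \
    /etc/ssh/ssh_host_dsa_key \
    /etc/ssh/ssh_host_dsa_key.pub \
    /etc/ssh/ssh_host_ecdsa_key \
    /etc/ssh/ssh_host_ecdsa_key.pub
  sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
Port 22
ListenAddress $vm_ipv4
#ListenAddress ::
Protocol 2
Compression yes
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/etc/ssh/authorized_keys
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
DebianBanner no
PrintLastLog yes
TCPKeepAlive yes
ClientAliveInterval 0
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
EOF
  sudo service ssh restart
}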
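# Create an admin account: a user with no password (they set it themselves
# with passwd-init), member of group sudo, whose ~/etc/ssh/authorized_keys
# is the key kept in "$tool"/var/pub/ssh/$user.key, with the project's
# OpenPGP keys imported into their keyring; then refresh what depends on
# group sudo (initramfs and root authorized_keys).
# Arguments: $1 - login name.
# Fixes: the home directory is read from the passwd database instead of
# eval'ing "~$user" (the name is a script argument); authorized_keys is
# installed mode 644, because sshd opens it with the user's privileges and
# a root-only 640 file makes key authentication fail for that user.
rule_user_admin_add () { # SYNTAX: $user
  local user=$1
  local home key
  id "$user" >/dev/null ||
  sudo adduser --disabled-password "$user"
  # NOTE: the password must be set by the user with passwd-init.
  home=$(getent passwd "$user")
  home=${home%:*}; home=${home##*:}
  sudo adduser "$user" sudo
  sudo install -m 644 -o root -g root \
    "$tool"/var/pub/ssh/"$user".key \
    "$home"/etc/ssh/authorized_keys
  # Globbing is off file-wide (set -f); enable it for this loop only.
  local -; set +f
  for key in "$tool"/var/pub/openpgp/*.key; do
    sudo -u "$user" gpg --import "$key"
  done
  rule user_admin_configure
}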
# Refresh everything derived from group sudo membership.
rule_user_admin_configure () {
  local step
  for step in initramfs_configure user_root_configure; do
    rule "$step"
  done
}
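# Shape /etc/skel for new accounts (etc/ssh, etc/gpg, etc/apache2, var/...,
# with .ssh and .gnupg as symlinks into etc/), grant group sudo two
# password-less commands (the passwd-init helper, and "etckeeper unclean"
# as used by rule_apt_get_install), keep the editor and git identity
# variables across sudo, and install passwd-init plus the system-wide bash
# and screen rc files.
# Fixes: install(1) has no -u (owner is -o); /etc/skel/etc/gpg is created,
# since .gnupg points at it and gpg cannot create its home through a
# dangling symlink; sudoers.d fragments get the 0440 mode sudoers(5) and
# visudo expect; rc files come from "$tool"/etc like the other installs.
rule_user_configure () {
  sudo install -d -m 750 -o root -g adm \
    /etc/skel/etc \
    /etc/skel/etc/ssh
  # gpg wants its home closed to group and others.
  sudo install -d -m 700 -o root -g adm \
    /etc/skel/etc/gpg
  sudo install -d -m 770 -o root -g adm \
    /etc/skel/etc/apache2 \
    /etc/skel/var \
    /etc/skel/var/log \
    /etc/skel/var/cache \
    /etc/skel/var/cache/ssh
  sudo ln -fns etc/ssh /etc/skel/.ssh
  sudo ln -fns etc/gpg /etc/skel/.gnupg
  # Exactly the command line passwd-init runs below: sudoers compares the
  # arguments too, so both must stay identical.  passwd(1) only runs while
  # "passwd --status" reports the caller's own account as locked (L).
  sudo install -m 440 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
EOF
  sudo install -m 440 -o root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF
%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
EOF
  sudo install -m 440 -o root -g root /dev/stdin /etc/sudoers.d/env_keep <<-EOF
Defaults env_keep = " \\
EDITOR \\
GIT_AUTHOR_NAME \\
GIT_AUTHOR_EMAIL \\
GIT_COMMITTER_NAME \\
GIT_COMMITTER_EMAIL \\
"
EOF
  sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF
#!/bin/sh -efu
# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
sudo /bin/sh -e -f -u -c \
'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
EOF
  sudo install -m 644 -o root -g root \
    "$tool"/etc/bash.bashrc \
    /etc/bash.bashrc
  sudo install -m 644 -o root -g root \
    "$tool"/etc/screenrc \
    /etc/screenrc
}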
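# Lay out /root like a user home (etc/ssh and etc/gpg behind the .ssh and
# .gnupg symlinks), build root's authorized_keys from the ssh keys of every
# member of group sudo, and import the project's OpenPGP keys into root's
# keyring.
# Fixes: install(1) has no -u (owner is -o); each member's home is read from
# the passwd database instead of an eval of "~$user".
rule_user_root_configure () {
  local group x users user home key
  sudo install -d -m 750 -o root -g adm \
    /root/etc \
    /root/etc/ssh \
    /root/etc/gpg
  sudo ln -fns etc/gpg /root/.gnupg
  sudo ln -fns etc/ssh /root/.ssh
  # Concatenate ~/etc/ssh/authorized_keys of every sudo member.  The loop
  # runs in a subshell of the pipeline: a failure inside only truncates the
  # list (no pipefail in sh), same as before.
  getent group sudo |
  while IFS=: read -r group x x users; do
    while [ -n "$users" ]; do
      case $users in
        (*,*) user=${users%%,*}; users=${users#*,};;
        (*) user=$users; users=;;
      esac
      home=$(getent passwd "$user") || exit 1
      home=${home%:*}; home=${home##*:}
      cat "$home"/etc/ssh/authorized_keys
    done
  done |
  sudo install -m 640 -o root -g root /dev/stdin /root/etc/ssh/authorized_keys
  # Globbing is off file-wide (set -f); enable it for this loop only.
  local -; set +f
  for key in "$tool"/var/pub/openpgp/*.key; do
    sudo gpg --import "$key"
  done
}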
# Full configuration of the VM, each *_configure rule in dependency order.
rule_configure () {
  local step
  for step in \
    apt git etckeeper locale network filesystem login ssh user_root boot user
  do
    rule "$step"_configure
  done
}
695
# Change the passphrase of the root volume (the one the other volumes'
# keys are derived from, see rule_filesystem_configure); cryptsetup prompts.
rule_luks_key_change () {
  local root_lv
  root_lv=/dev/$vm_lvm_vg/${vm_lvm_lv}_root
  sudo cryptsetup luksChangeKey "$root_lv"
}
699
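# Entry point: the first argument names the rule (default: help), the rest
# is passed to it.  Every rule but help refuses to run unless this machine
# really is the hosted VM (hostname --fqdn must equal $vm_fqdn).
# Fix: $rule is quoted so the rule name reaches `rule' as a single word.
rule=${1:-help}
[ $# -eq 0 ] || shift
case $rule in
  (help);;
  (*)
    assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
    ;;
esac
rule "$rule" "$@"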