#!/bin/sh
# Administration rules for the hosted VM, run from inside the VM itself.
# -e: stop at the first failing command; -f: no pathname globbing (rules that
# need it re-enable it locally with "set +f"); -u: unset variables are errors.
# DRY_RUN=1 adds -n: the shell only parses the script and executes nothing,
# not even the two "." lines below.
set -e -f ${DRY_RUN:+-n} -u
# Directory the script lives in, taken from $0 as invoked.
# NOTE(review): ${0%/*} is not resolved through symlinks (rule_bin_configure
# links this file into /usr/local/sbin/), so $tool depends on how the script
# was started — confirm the sourced paths resolve in that case.
tool=${0%/*}
. "$tool"/lib/functions.sh
. "$tool"/etc/vm.sh
6
rule_help () { # SYNTAX: [--hidden]
	# Prints the usage text on stderr: the rules defined in etc/vm.sh and in
	# this file (name plus the "# SYNTAX:" comment on their definition line),
	# then the readonly settings declared in those files.
	# Rules named rule__* are internal and only listed when --hidden is given.
	local name_pattern='[^ ]*'
	if [ -z "${1:-}" ]; then
		name_pattern='[^_][^ ]*'
	fi
	cat >&2 <<-EOF
DESCRIPTION:
ce script regroupe des règles pour administrer la VM ($vm_fqdn)
_depuis_ la VM hébergée ($vm_fqdn) ;
il sert à la fois d'outil (aisément bidouillable)
et de documentation (préçise).
Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
SYNTAX: $0 \$RULE \${RULE}_SYNTAX
RULES:
$(sed -ne "s/^rule_\(${name_pattern}\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
ENVIRONMENT:
TRACE # affiche les commandes avant leur exécution
$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
EOF
}
24
rule_git_config () {
	# Makes branch master of the tool's own clone track the local ref
	# refs/remotes/master (remote "." is the repository itself).
	( cd -- "$tool" || exit
	  git config --replace branch.master.remote .
	  git config --replace branch.master.merge refs/remotes/master )
}
rule_git_reset () {
	# Discards local changes in the tool's clone: master is reset to
	# remotes/master and untracked as well as ignored files are removed.
	( cd -- "$tool" || exit
	  git checkout -f -B master remotes/master
	  git clean -f -d -x )
}
39
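rule_apt_get_install () { # SYNTAX: $package
	# Installs package $1 with apt-get unless dpkg already reports it as
	# "install ok installed"; any further arguments are handed to
	# "apt-get install" as well.
	local status
	# dpkg -s fails for a package it does not know; treat that as "not
	# installed" rather than letting set -e abort the rule.
	status=$(dpkg -s "$1" | grep '^Status: ') || status=
	case $status in
	("Status: install ok installed");;
	(*)
		# NOTE(review): "etckeeper unclean" exits 0 when /etc *has*
		# uncommitted changes, so asserting it reads inverted — confirm
		# what assert (lib/functions.sh) expects before relying on it.
		test ! -x /usr/bin/etckeeper ||
		assert 'sudo etckeeper unclean'
		# Callers pass a bare package name (see dpkg -s above), so the
		# apt-get operation has to be supplied here.
		sudo apt-get install "$@";;
	esac
}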
49
rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
	# Internal rule (rule__ prefix, hidden from help): forces the C locale
	# into the environment and re-reads /etc/profile — presumably meant to
	# be run inside a chroot, going by the name.
	export LANG=C LC_CTYPE=C
	. /etc/profile
}
55
rule_apt_configure () {
	# Writes the APT sources (Debian mirror, a commented-out backports
	# entry, the OpenERP nightly repository) and the release pinning.
	mk_reg mod= own= /etc/apt/sources.list <<-EOF
deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
EOF
	mk_reg mod= own= /etc/apt/sources.list.d/$vm_lsb_name-backports.list <<-EOF
#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
EOF
	# NOTE(review): with the release at 170 and its backports at 200, APT
	# prefers backports, and sources without a Pin entry (the OpenERP list
	# below) keep APT's default priority of 500 and outrank both — confirm
	# this ordering is intended.
	mk_reg mod= own= /etc/apt/preferences <<-EOF
Package: *
Pin: release a=$vm_lsb_name
Pin-Priority: 170

Package: *
Pin: release a=$vm_lsb_name-backports
Pin-Priority: 200
EOF
	# Third-party flat repository ("./"), fetched over plain HTTP like the
	# mirror above; APT's signature check is what authenticates it.
	mk_reg mod= own= /etc/apt/sources.list.d/openerp.list <<-EOF
deb http://nightly.openerp.com/trunk/nightly/deb/ ./
EOF
}
rule_apticron_configure () {
	# Installs apticron and points its update notifications at a fixed
	# address; every other setting is left at the (commented) default.
	rule apt_get_install apticron
	mk_reg mod=644 own=root:root /etc/apticron/apticron.conf <<-EOF
EMAIL="admin@heureux-cyclage.org"
# DIFF_ONLY="1"
# LISTCHANGES_PROFILE="apticron"
# ALL_FQDNS="1"
# SYSTEM="foobar.example.com"
# IPADDRESSNUM="1"
# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
# NOTIFY_HOLDS="0"
# NOTIFY_NEW="0"
# NOTIFY_NO_UPDATES="0"
# CUSTOM_SUBJECT=""
# CUSTOM_NO_UPDATES_SUBJECT=""
# CUSTOM_FROM="root@ateliers.heureux-cyclage.org"
EOF
	# NOTE(review): apticron is normally driven from cron; if the package
	# ships no init script this restart fails and, under set -e, aborts the
	# rule — confirm on the target release.
	sudo service apticron restart
}
rule_boot_configure () {
	# Installs GRUB and the kernel for the Xen guest, writes the GRUB
	# defaults and device map, runs update-grub2 and rebuilds the initramfs.
	warn "attention à n'installer GRUB sur AUCUN disque proposé !"
	rule apt_get_install grub-pc
	# NOTE(review): 644 on a directory has no search (x) bit; only root can
	# traverse it — confirm mk_dir applies mod verbatim and that is intended.
	mk_dir mod=644 own=root:root /boot/grub
	rule apt_get_install linux-image-$vm_arch
	# The backquotes around lsb_release are escaped so that GRUB itself runs
	# the command substitution, not this script.
	mk_reg mod=644 own=root:root /etc/default/grub <<-EOF
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
GRUB_DISABLE_RECOVERY="true"
#GRUB_PRELOAD_MODULES="lvm"
EOF
	# The device-mapper name doubles every "-" of the LV name.
	mk_reg mod=644 own=root:root /boot/grub/device.map <<-EOF
(hd0) /dev/xvda
(hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
EOF
	sudo update-grub2 # NOTE: takes /boot/grub/device.map into account
	rule initramfs_configure
}
rule_etckeeper_configure () {
	# Writes the etckeeper configuration (git backend, no daily autocommit,
	# no commit before apt runs) and then installs the package, so the
	# settings are presumably already in place for its first commit.
	mk_reg mod=644 own=root:root /etc/etckeeper/etckeeper.conf <<-EOF
VCS=git
GIT_COMMIT_OPTIONS=""
AVOID_DAILY_AUTOCOMMITS=1
#AVOID_SPECIAL_FILE_WARNING=1
AVOID_COMMIT_BEFORE_INSTALL=1
HIGHLEVEL_PACKAGE_MANAGER=apt
LOWLEVEL_PACKAGE_MANAGER=dpkg
EOF
	rule apt_get_install etckeeper
}
rule_filesystem_configure () {
	# Writes fstab, crypttab and the swap-related sysctl settings for a
	# layout of one LUKS volume per LV (root, var, home, swap) on $vm_lvm_vg.
	mk_reg mod=644 own=root:root /etc/fstab <<-EOF
# <file system> <mount point> <type> <options> <dump> <pass>
LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,noatime 0 1
/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,noatime 0 1
/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,noatime,usrquota,grpquota 0 0
/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
EOF
	# Only the root volume asks for a passphrase; var, home and swap are
	# unlocked with keys derived from the already-open root volume
	# (keyscript decrypt_derived), so the root LUKS header protects all four.
	mk_reg mod=644 own=root:root /etc/crypttab <<-EOF
# <target name> <source device> <key file> <options>
${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
EOF
	# NOTE(review): sysctl(8) does not strip a trailing "# ..." comment from
	# a "key = value" line, so the swappiness line may be rejected at boot;
	# verify with "sysctl -p" and move the comment to its own line if so.
	mk_reg mod=644 own=root:root /etc/sysctl.d/local-swap.conf <<-EOF
vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité
vm.vfs_cache_pressure=50
EOF
}
rule_initramfs_configure () {
	# Builds the initramfs for remote unlocking of the LUKS root volume:
	# Xen PV modules, crypto modules, a dropbear RSA host key and an
	# authorized_keys file collected from every member of the sudo group.
	mk_reg mod=644 own=root:root /etc/initramfs-tools/initramfs.conf <<-EOF
MODULES=most
BUSYBOX=y
KEYMAP=y
COMPRESS=gzip
DEVICE=eth0
EOF
	mk_reg mod=644 own=root:root /etc/modprobe.d/xen-pv.conf <<-EOF
alias eth0 xennet
alias scsi_hostadapter xenblk
EOF
	mk_reg mod=644 own=root:root /etc/modules <<-EOF
sha1_generic
sha256_generic
sha512_generic
aes-x86_64
xts
# NOTE: pour Xen en mode HVM :
#modprobe xen-platform-pci
EOF
	mk_reg mod=644 own=root:root /etc/initramfs-tools/modules <<-EOF
EOF
	# Drops the trailing "&" so configure_networking runs in the foreground.
	# NOTE(review): this edits a file under /usr/share owned by the package,
	# so a package upgrade will likely undo it — confirm it is reapplied.
	sudo sed -e '/^configure_networking /s/ &$//' \
	-i /usr/share/initramfs-tools/scripts/init-premount/dropbear
	# NOTE: works around a bug: dropbear must wait until the network is configured.
	# Keep the existing dropbear host key when the repository's known_hosts
	# already holds an RSA entry for init.$vm_fqdn; otherwise generate a
	# fresh 4096-bit key. (In the subshell "return" ends the loop; the
	# following "break" is never reached.)
	ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	( while IFS= read -r line
	do case $line in (*" RSA") return 0; break;; esac
	done; return 1 ) ||
	{
	sudo rm -f \
	/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
	/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
	sudo dropbearkey -t rsa -s 4096 -f \
	/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
	}
	# NOTE: does not deal with dropbear_dss_host_key; Debian generates and uses it anyway.
	mk_dir mod=640 own=root:root \
	/etc/initramfs-tools/root \
	/etc/initramfs-tools/root/.ssh
	# Every sudo group member's ~/etc/ssh/authorized_keys is concatenated
	# into the initramfs root account: anyone in that group can unlock the
	# disk before boot. The home directory is resolved through eval of
	# "~$user" (tilde expansion of a name taken from the group database).
	getent group sudo |
	while IFS=: read -r group x x users
	do while test -n "$users" && IFS=, read -r user users <<-EOF
$users
EOF
	do eval local home\; home="~$user"
	cat "$home"/etc/ssh/authorized_keys
	done
	done |
	mk_reg mod=644 own=root:root /etc/initramfs-tools/root/.ssh/authorized_keys
	sudo rm -f \
	/etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
	/etc/initramfs-tools/root/.ssh/id_rsa.pub \
	/etc/initramfs-tools/root/.ssh/id_rsa
	# NOTE: keys generated by Debian
	sudo update-initramfs -u
}
rule_locale_configure () {
	# Lists fr_FR.UTF-8 as the only locale in /etc/locale.gen and runs
	# update-locale.
	# NOTE(review): nothing here runs locale-gen — confirm the locale is
	# actually generated elsewhere.
	local locale='fr_FR.UTF-8 UTF-8'
	printf '%s\n' "$locale" |
	mk_reg mod=644 own=root:root /etc/locale.gen
	sudo update-locale
}
rule_login_configure () {
	# Console and login policy: root login allowed on the Xen consoles
	# (securetty), a sysvinit inittab with a getty on hvc0, login.defs and a
	# pam_umask entry; the appends are guarded so they happen once.
	grep -q '^hvc0$' /etc/securetty ||
	mk_reg mod= own= --append /etc/securetty <<-EOF
hvc0
EOF
	grep -q '^xvc0$' /etc/securetty ||
	mk_reg mod= own= --append /etc/securetty <<-EOF
xvc0
EOF
	mk_reg mod=644 own=root:root /etc/inittab <<-EOF
# /etc/inittab: init(8) configuration.

# The default runlevel.
id:2:initdefault:

# Boot-time system configuration/initialization script.
# This is run first except when booting in emergency (-b) mode.
si::sysinit:/etc/init.d/rcS

# What to do in single-user mode.
~~:S:wait:/sbin/sulogin

# /etc/init.d executes the S and K scripts upon change
# of runlevel.
#
# Runlevel 0 is halt.
# Runlevel 1 is single-user.
# Runlevels 2-5 are multi-user.
# Runlevel 6 is reboot.

l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fallthrough in case of emergency.
z6:6:respawn:/sbin/sulogin

# What to do when CTRL-ALT-DEL is pressed.
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

# What to do when the power fails/returns.
pf::powerwait:/etc/init.d/powerfail start
pn::powerfailnow:/etc/init.d/powerfail now
po::powerokwait:/etc/init.d/powerfail stop

# Xen hypervisor console
hvc:2345:respawn:/sbin/getty 38400 hvc0
#xvc:2345:respawn:/sbin/getty 38400 xvc0
EOF
	# UMASK 007 (group gets owner's rights, to go with ACLs), SHA512
	# password hashes, three login attempts; the rationale for UMASK and
	# ENV_PATH is kept in the file itself.
	mk_reg mod=644 own=root:root /etc/login.defs <<-EOF
MAIL_DIR /var/mail
FAILLOG_ENAB yes
LOG_UNKFAIL_ENAB no
LOG_OK_LOGINS no
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
FTMP_FILE /var/log/btmp
SU_NAME su
HUSHLOGIN_FILE .hushlogin
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# NOTE: met les sbin/ dans ENV_PATH ;
# - ça n'apporte aucune protection de ne pas les mettre ;
# - ça frustre de ne pas les trouver.
TTYGROUP tty
TTYPERM 0600
ERASECHAR 0177
KILLCHAR 025
UMASK 007
# NOTE: rwxrwx--- ;
# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
GID_MIN 1000
GID_MAX 60000
LOGIN_RETRIES 3
LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
DEFAULT_HOME yes
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
EOF
	# pam_umask makes the UMASK above apply to PAM sessions too
	# (the "\>" word boundary is a GNU grep extension).
	grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
	mk_reg mod= own= --append /etc/pam.d/common-session <<-EOF
session optional pam_umask.so
EOF
}
rule_network_configure () {
	# Hostname, a /etc/hosts entry (added once) and a static single-address
	# interface definition: the VM's own address is also its gateway,
	# network and broadcast, hence the /32 and the explicit post-up route.
	mk_reg mod= own= /etc/hostname <<-EOF
$vm
EOF
	grep -q " $vm\$" /etc/hosts ||
	mk_reg mod= own= --append /etc/hosts <<-EOF
127.0.0.1 $vm_fqdn $vm
EOF
	# "auto eth0=grenode" maps the physical eth0 onto the logical
	# interface "grenode" defined below. \$IFACE is left for ifupdown.
	mk_reg mod= own= /etc/network/interfaces <<-EOF
auto lo
iface lo inet loopback

auto eth0=grenode
iface grenode inet static
address $vm_ipv4
gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
network $vm_ipv4
broadcast $vm_ipv4
netmask 255.255.255.255
#mtu 1300
post-up ip address add $vm_ipv4/32 dev \$IFACE
pre-down ip address delete $vm_ipv4/32 dev \$IFACE
EOF
}
rule_user_configure () {
	# Account skeleton (per-user etc/, var/, tmp/ under root:adm), the SSH
	# host key and sshd_config, and the sudoers snippets behind passwd-init
	# and the etckeeper check.
	mk_dir mod=750 own="root:adm" /etc/skel/etc
	mk_dir mod=770 own="root:adm" /etc/skel/etc/apache2
	mk_dir mod=770 own="root:adm" /etc/skel/etc/ssh
	mk_dir mod=700 own="root:adm" /etc/skel/var
	mk_dir mod=700 own="root:adm" /etc/skel/var/log
	mk_dir mod=700 own="root:adm" /etc/skel/var/cache
	mk_dir mod=700 own="root:adm" /etc/skel/var/cache/ssh
	mk_dir mod=700 own="root:adm" /etc/skel/tmp
	# The second /etc/skel/tmp call repeats the previous line.
	mk_dir mod=700 own="root:adm" /etc/skel/tmp
	mk_lnk etc/ssh /etc/skel/.ssh
	# NOTE(review): /etc/skel/etc/gpg is not created above, unlike etc/ssh —
	# confirm whether the link is meant to dangle until first use.
	mk_lnk etc/gpg /etc/skel/.gnupg
	# Regenerate the RSA host key only when the repository's known_hosts has
	# no RSA entry for $vm_fqdn (the "break" after "return" is unreachable).
	ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	( while IFS= read -r line
	do case $line in (*" RSA") return 0; break;; esac
	done; return 1 ) ||
	sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
	sudo rm -f \
	/etc/ssh/ssh_host_dsa_key \
	/etc/ssh/ssh_host_dsa_key.pub \
	/etc/ssh/ssh_host_ecdsa_key \
	/etc/ssh/ssh_host_ecdsa_key.pub
	# NOTE: keys generated by Debian
	# Key-only logins (PasswordAuthentication no), keys read from
	# %h/etc/ssh/authorized_keys; root may log in, with the keys collected
	# by rule_user_root_configure. Note mod=664 makes the file group-writable.
	mk_reg mod=664 own=root:root /etc/ssh/sshd_config <<-EOF
Port 22
ListenAddress $vm_ipv4
#ListenAddress ::
Protocol 2
Compression yes
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/etc/ssh/authorized_keys
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
DebianBanner no
PrintLastLog yes
TCPKeepAlive yes
ClientAliveInterval 0
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
EOF
	sudo service ssh restart
	# Members of sudo may run, without a password, exactly this /bin/sh
	# command: it calls passwd for the invoking user only while that
	# account is still locked ("L" in passwd --status). "\\" writes a
	# literal backslash so sudoers sees one continued entry.
	mk_reg mod=440 own=root:root /etc/sudoers.d/passwd-init <<-EOF
%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
EOF
	mk_reg mod=440 own=root:root /etc/sudoers.d/etckeeper-unclean <<-EOF
%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
EOF
	mk_reg mod=440 own=root:root /etc/sudoers.d/env_keep <<-EOF
Defaults env_keep = " \\
EDITOR \\
GIT_AUTHOR_NAME \\
GIT_AUTHOR_EMAIL \\
GIT_COMMITTER_NAME \\
GIT_COMMITTER_EMAIL \\
"
EOF
	# Wrapper matching the sudoers entry above. The single trailing
	# backslash is a here-document line continuation, so the command is
	# written on one line.
	mk_reg mod=555 own=root:root /usr/local/sbin/passwd-init <<-EOF
#!/bin/sh
sudo /bin/sh -e -f -u -c \
'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
EOF
}
rule_user_root_configure () {
	# Root's etc/ layout (ssh, gpg, with .ssh/.gnupg as links), an
	# authorized_keys file made of every sudo group member's keys, and the
	# project's OpenPGP public keys imported into root's keyring.
	mk_dir mod=750 own=root:root /root/etc
	mk_dir mod=750 own=root:root /root/etc/ssh
	mk_dir mod=750 own=root:root /root/etc/gpg
	mk_lnk etc/gpg /root/.gnupg
	mk_lnk etc/ssh /root/.ssh
	# Anyone in the sudo group can log in as root over SSH with the key
	# they keep in ~/etc/ssh/authorized_keys. The home directory comes
	# from eval of "~$user" (tilde expansion of a group-database name).
	getent group sudo |
	while IFS=: read -r group x x users
	do while test -n "$users" && IFS=, read -r user users <<-EOF
$users
EOF
	do eval local home\; home="~$user"
	cat "$home"/etc/ssh/authorized_keys
	done
	done |
	mk_reg mod=640 own=root:root /root/etc/ssh/authorized_keys
	# Globbing is off file-wide (set -f); "local -" keeps "set +f" confined
	# to this function.
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo gpg --import "$key"
	done
}
rule_bin_configure () {
	# Exposes this script system-wide by linking it into /usr/local/sbin/.
	local target="$tool"/vm_hosted
	mk_lnk "$target" /usr/local/sbin/
}
rule_configure () {
	# Runs the whole configuration, in dependency order: etckeeper first so
	# every later change is tracked, boot (which rebuilds the initramfs)
	# near the end, the /usr/local/sbin link last.
	local step
	for step in \
		etckeeper_configure \
		locale_configure \
		network_configure \
		apt_configure \
		filesystem_configure \
		login_configure \
		user_root_configure \
		boot_configure \
		bin_configure
	do rule "$step"
	done
}
454
rule_disk_key_change () {
	# Changes the passphrase of the root LUKS volume. var, home and swap are
	# unlocked with keys derived from this volume (decrypt_derived in
	# rule_filesystem_configure); luksChangeKey replaces a key slot without
	# touching the volume master key, so they should stay unlockable — confirm.
	local root_dev="/dev/$vm_lvm_vg/${vm_lvm_lv}_root"
	sudo cryptsetup luksChangeKey "$root_dev"
}
458
rule_user_admin_configure () {
	# Re-derives what depends on sudo group membership: the initramfs
	# (dropbear authorized_keys) and root's authorized_keys.
	local step
	for step in initramfs_configure user_root_configure
	do rule "$step"
	done
}
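rule_user_admin_add () { # SYNTAX: $user
	# Creates the account if missing (without a password), adds it to the
	# sudo group, installs its SSH public key from var/pub/ssh/$user.key
	# into ~/etc/ssh/authorized_keys, imports the project's OpenPGP public
	# keys into its keyring and refreshes everything derived from the sudo
	# group (rule user_admin_configure).
	local user=$1
	local home
	id "$user" >/dev/null ||
	sudo adduser --disabled-password "$user"
	# NOTE: the password must be initialised by the user with passwd-init.
	sudo adduser "$user" sudo
	# Home directory looked up in the passwd database rather than through
	# eval of "~$user": the command-line argument never reaches the parser.
	home=$(getent passwd "$user" | cut -d: -f6)
	[ -n "$home" ] || {
		printf '%s: no home directory found for user %s\n' "$0" "$user" >&2
		return 1
	}
	mk_reg mod=640 own="$user:$user" "$home"/etc/ssh/authorized_keys \
	<"$tool"/var/pub/ssh/"$user".key
	# Globbing is off file-wide (set -f); "local -" confines "set +f" here.
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo -u "$user" gpg --import "$key"
	done
	rule user_admin_configure
}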
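rule_user_mail_format () {
	# Mail stack configuration: per-user procmail delivery (skeleton), the
	# Postfix main.cf, the Dovecot IMAP/LDA config and an empty postgrey
	# recipient whitelist. Installation itself is rule_mail_configure.
	mk_dir mod=770 own=root:adm /etc/skel/etc/procmail
	mk_dir mod=770 own=root:adm /etc/skel/var/mail
	mk_dir mod=770 own=root:adm /etc/skel/var/cache/procmail
	# In an unquoted here-document a backquote is a command substitution,
	# so the three backquoted procmail assignments below are escaped with
	# "\`": without that, sed ran against this machine's /etc/passwd and
	# formail read this shell's stdin while the file was being written,
	# and the rc received their output instead of the commands.
	mk_reg mod=660 own=root:adm /etc/skel/etc/procmail/delivery.rc <<-EOF
# vim: ft=procmail

# NOTE: paramètres passés par postfix
SENDER=\$1
RECIPIENT=\$2
USER=\$3
EXTENSION=\$4
DOMAIN=\$5
ORIGINAL_RECIPIENT=\$6

PATH="\$HOME/bin:/usr/local/bin:/usr/bin:/bin"
MAILDIR="\$HOME/var/mail/"
DEFAULT="\$MAILDIR"
#LOGFILE=\`cd="\$HOME/var/log/procmail/" d=\$(date +"%Y-%m-%d"); ln -fns "\$d.log" "\$cd/current.log"; printf %s "\$cd/\$d.log"\`
LOGFILE="/dev/null"
LOGABSTRACT=all
LOGABSTRACT
VERBOSE
SHELL=/bin/sh
SHELLMETAS=&|<>~;?*%{}

# DESCRIPTION: supprime les doublons en fonction du champ Message-Id
#:0 Wh: "\$HOME/var/cache/procmail/msgid\$LOCKEXT"
#| formail -D 8192 "\$HOME/var/cache/procmail/msgid"

# DESCRIPTION: fait suivre à l'adresse configurée dans /etc/passwd ; on peut aussi utiliser ~/.forward
EMAIL=\`sed /etc/passwd -ne "/^\$USER:/s/[^:]*:[^:]*:[^:]*:[^:]*:[^,]*,[^,]*,[^,]*,[^,]*,\([^:]*\):.*/\1/p"\`
# NOTE: récupère l’adresse courriel dans le champ GECOS
FROM_=\`formail -c -x "From " | sed -e 's/^\s*\([^ \t]*\).*/\1/g'\`
# NOTE: récupère l’expéditeur inscrit sur l’enveloppe
:0
| \$SENDMAIL -i -bm -f "\$FROM_" "\${EMAIL/@/\${EXTENSION:++\${EXTENSION}}@}"

# DESCRIPTION: IMAP
#:0
#| /usr/lib/dovecot/deliver -f "\$SENDER" -a "\$RECIPIENT"

# DESCRIPTION: UUCP
#:0
#| /usr/bin/uux \
# -I "\$HOME/etc/uucp/uucp.cfg" \
# --nouucico \
# --notification=error \
# --requestor "\$USER" \
# - "\$USER!rmail" "(\$USER)"
EOF
	# Postfix: local delivery through the per-user procmail rc above,
	# opportunistic TLS on both sides, SASL via Dovecot (only over TLS),
	# greylisting and SPF through policy services. Note mod=664 leaves the
	# file group-writable.
	mk_reg mod=664 own=root:root /etc/postfix/main.cf <<-EOF
# /etc/postfix/main.cf
# SEE: http://postfix.traduc.org/index.php/TLS_README.html

parent_domain_matches_subdomains =
#debug_peer_list
#fast_flush_domains
#mynetworks
#permit_mx_backup_networks
#qmqpd_authorized_clients
#smtpd_access_maps
mydomain = $vm_domainname
myorigin = \$mydomain
myhostname = $vm_hostname.\$mydomain
mail_name = \$myhostname
mydestination =
$vm_hostname
\$myhostname
\$myorigin
mynetworks =
127.0.0.0/8
#[::1]/128
inet_protocols = ipv4
# "all" to activate IPv6
inet_interfaces = all
permit_mx_backup_networks =

alias_database =
hash:/etc/aliases
# NOTE: fichier de hash contenant une table d’alias mail.
# Celle-ci est éditable dans /etc/aliases, puis (indispensable)
# regénérée en hash grâce à la commande newaliases qui produit /etc/aliases.db
alias_maps =
hash:/etc/aliases
recipient_delimiter = +
# NOTE: séparateur entre le nom d’utilisateur
# et les extensions d’adresse (par défaut le signe +).
#virtual_alias_domains =
virtual_alias_maps =
hash:/etc/postfix/\$mydomain/virtual
# NOTE: do not specify virtual alias domain names in the main.cf
# mydestination or relay_domains configuration parameters.
#
# With a virtual alias domain, the Postfix SMTP server
# accepts mail for known-user@virtual-alias.domain, and
# rejects mail for unknown-user@virtual-alias.domain as
# undeliverable.
#relayhost =
relay_clientcerts =
hash:/etc/postfix/\$mydomain/smtpd/tls/relay_clientcerts
relay_domains =
\$mydestination
# NOTE: ajouter les domaines pour lesquels on est backup MX ici,
# pas dans mydestination ou virtual_alias...

maximal_queue_lifetime = 5d

header_checks =
regexp:/etc/postfix/\$mydomain/header_checks
mime_header_checks =
nested_header_checks =
milter_header_checks =
body_checks =

#content_filter = amavisfeed:[127.0.0.1]:10024
#receive_override_options = no_address_mappings
# no_unknown_recipient_checks
# Do not try to reject unknown recipients (SMTP server only).
# This is typically specified AFTER an external content filter.
# no_address_mappings
# Disable canonical address mapping, virtual alias map expansion,
# address masquerading, and automatic BCC (blind carbon-copy) recipients.
# This is typically specified BEFORE an external content filter (eg. amavis).
# no_header_body_checks
# Disable header/body_checks. This is typically specified AFTER an external content filter.
# no_milters
# Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
#local_header_rewrite_clients =
transport_maps =
hash:/etc/postfix/\$mydomain/transport_maps
mailbox_command =
/usr/bin/procmail -t -a "\$SENDER" -a "\$RECIPIENT" -a "\$USER" -a "\$EXTENSION" -a "\$DOMAIN" -a "\$ORIGINAL_RECIPIENT" "\$HOME/etc/procmail/delivery.rc"
mailbox_size_limit = 0
biff = no
# Activer la notification en cas de réception de nouveaux e-mails dans la console (yes / no).
append_dot_mydomain = no
# appending .domain is the MUA's job.

#tls_random_source =
# dev:/dev/urandom
# Non-blocking
#tls_random_reseed_period = 3600s
#tls_random_exchange_name =
# \${data_directory}/prng_exch
# NOTE: à ne pas mettre dans la cage chroot
#tls_random_bytes = 32
#tls_random_prng_update_period = 3600s
#tls_high_cipherlist = AES256-SHA
# NOTE: postconf(5) déconseille de changer ceci

#smtp_cname_overrides_servername = no
smtp_connect_timeout = 60s
#smtp_tls_CAfile = /etc/postfix/\$mydomain/smtp/tls/ca/crt.pem
#smtp_tls_CApath = /etc/postfix/\$mydomain/smtp/tls/ca/
#smtp_tls_cert_file = /etc/postfix/\$mydomain/smtp/tls/crt.pem
#smtp_tls_key_file = /etc/postfix/\$mydomain/smtp/tls/key.pem
#smtp_tls_per_site = hash:/etc/postfix/\$mydomain/smtp/tls/per_site
# NOTE: déprécié en faveur de smtp_tls_policy_maps
smtp_tls_policy_maps = hash:/etc/postfix/\$mydomain/smtp/tls/policy
smtp_tls_fingerprint_digest = sha1
smtp_tls_scert_verifydepth = 5
#smtp_tls_secure_cert_match = nexthop, dot-nexthop
#smtp_tls_verify_cert_match = hostname
#smtp_tls_note_starttls_offer = yes
smtp_tls_loglevel = 1
smtp_tls_protocols = !SSLv2, !SSLv3
# Only allow TLSv*
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
#smtp_tls_session_cache_timeout = 3600s
smtp_tls_security_level = may
smtp_header_checks = regexp:/etc/postfix/\$mydomain/smtp/header_checks
smtp_body_checks =
smtp_mime_header_checks =
smtp_nested_header_checks =

smtpd_starttls_timeout = 300s
smtpd_banner =
\$myhostname ESMTP \$mail_name (Debian/GNU)

# Restrictions
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
smtpd_authorized_xclient_hosts = 127.0.0.1
# NOTE: utile pour tester les restrictions

smtpd_helo_restrictions =
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
#reject_unknown_helo_hostname
# NOTE: pourrait pourtant être utile pour lutter contre le spam
permit

smtpd_sender_restrictions =
permit_mynetworks
permit_tls_clientcerts
permit_sasl_authenticated
check_sender_access hash:/etc/postfix/\$mydomain/smtpd/sender_access
check_sender_access hash:/etc/postfix/sender_blacklist
reject_unauth_pipelining
reject_non_fqdn_sender
#reject_unknown_sender_domain
# NOTE: temporaire
permit

smtpd_client_new_tls_session_rate_limit = 0
smtpd_client_event_limit_exceptions = \$mynetworks
smtpd_client_recipient_rate_limit = 0
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 0
smtpd_client_message_rate_limit = 0
smtpd_client_port_logging = no

smtpd_client_restrictions =
check_client_access hash:/etc/postfix/client_blacklist

policy_time_limit = 3600
default_extra_recipient_limit = 5000
duplicate_filter_limit = 5000
smtpd_recipient_limit = 5000
smtpd_recipient_overshoot_limit = 5000
smtpd_recipient_restrictions =
reject_non_fqdn_recipient
#reject_invalid_hostname
# NOTE: postfix < 2.3. voir reject_invalid_helo_hostname
# dans smtpd_helo_restrictions
reject_unknown_recipient_domain
#reject_non_fqdn_sender
# NOTE: dans smtpd_sender_restrictions
reject_unauth_pipelining
# NOTE: dans smtpd_client_restrictions ou smtpd_data_restrictions
permit_mynetworks
permit_tls_clientcerts
permit_sasl_authenticated
reject_unauth_destination
# NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous
# ou quelqu'un pour lequel on tient lieu de backup_mx
check_policy_service inet:127.0.0.1:10023
# NOTE: Postgrey (greylisting)
check_policy_service unix:private/spfcheck
permit_auth_destination
# NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné
# (voir permit_auth_destination) ; sans doute redondant
reject
#check_relay_domains <- removed from postfix
#reject_unknown_sender_domain
# aurait probablement été mieux dans smtpd_sender_restrictions
#reject_rbl_client bl.spamcop.net
#reject_rbl_client list.dsbl.org
#reject_rbl_client zen.spamhaus.org
#reject_rbl_client dnsbl.sorbs.net

smtpd_data_restrictions =
reject_unauth_pipelining
# NOTE: obliger le serveur en face à attendre qu'on lui aie dit OK
permit

#smtpd_end_of_data_restrictions =

#smtpd_restriction_classes =

smtpd_error_sleep_time = 5
# NOTE: forcer quelqu'un qui nous embête à attendre cinq secondes.

# SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_domain = \$mydomain

# SMTPD TLS
smtpd_discard_ehlo_keywords = starttls
# NOTE: les clients mails tentant d'utiliser le chiffrement opportuniste
# se mangent une erreur en tentant un starttls
smtpd_tls_fingerprint_digest = sha1
# sha512 ?
smtpd_tls_mandatory_protocols = TLSv1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_ciphers = high
# restrictif. s/high/medium/ ?
smtpd_tls_CAfile = /etc/postfix/\$mydomain/smtpd/tls/ca/crt+crl.slf.pem
smtpd_tls_CApath = /etc/postfix/\$mydomain/smtpd/tls/ca/
smtpd_tls_cert_file = /etc/postfix/\$mydomain/smtpd/tls/crt+crl.slf.pem
smtpd_tls_key_file = /etc/postfix/\$mydomain/smtpd/tls/key.pem
##
#smtpd_tls_received_header = no
smtpd_tls_session_cache_database =
btree:/var/lib/postfix/smtpd_tls_session_cache
#smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_security_level = may
# Postfix 2.3 and later
# encrypt
# Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
# encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
# SMTP server. Instead, this option should be used only on dedicated servers.
smtpd_tls_loglevel = 1
smtpd_tls_ccert_verifydepth = 5
smtpd_tls_auth_only = yes
# Pas d'AUTH SASL sans TLS
smtpd_tls_ask_ccert = no
smtpd_tls_req_ccert = no
#smtpd_tls_always_issue_session_ids = yes
smtpd_peername_lookup = yes
# Nécessaire pour postgrey, etc
smtpd_milters =
non_smtpd_milters =
line_length_limit = 2048
queue_minfree = 0
message_size_limit = 20480000
#smtpd_enforce_tls # NOTE: obsolète
#smtpd_use_tls # NOTE: obsolète
#smtpd_tls_cipherlist # NOTE: obsolète

readme_directory = no
#delay_warning_time = 4h
# NOTE: uncomment the previous line to generate "delayed mail" warnings
#debug_peer_level = 4
#debug_peer_list = .\$myhostname
EOF
	# Dovecot: IMAP only, per-user passwd-file credentials, client
	# certificates required, the auth socket shared with Postfix. The
	# single cipher AES256-SHA uses RSA key exchange (no forward secrecy),
	# and mail_debug/verbose_ssl are on.
	mk_reg mod=664 own=root:root /etc/dovecot/dovecot.conf <<-EOF
auth_ssl_username_from_cert = yes
listen = *
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_debug = yes
mail_location = maildir:~/var/mail
mail_privileged_group = mail
passdb {
args = /home/%u/etc/dovecot/passwd
driver = passwd-file
}
protocols = imap
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
user = root
}
ssl_ca = </etc/dovecot/imap/tls/crt+crl.slf.pem
ssl_cert = </etc/dovecot/imap/tls/crt+crl.slf.pem
ssl_cipher_list = AES256-SHA
ssl_key = </etc/dovecot/imap/tls/key.pem
ssl_verify_client_cert = yes
userdb {
driver = passwd
}
verbose_ssl = yes
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
hostname = $vm_domainname
info_log_path = /var/log/dovecot/lda/info.log
log_path = /var/log/dovecot/lda/error.log
mail_plugins = sieve
postmaster_address = contact+dovecot+lda@$vm_domainname
}
EOF
	mk_reg mod=664 own=root:root /etc/postgrey/whitelist_recipients.local <<-EOF
EOF
}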
rule_mail_configure () {
	# Installs the MTA, the greylister and the IMAP server configured by
	# rule_user_mail_format.
	# NOTE(review): Debian splits Dovecot into dovecot-core, dovecot-imapd,
	# ... — confirm a binary package named "dovecot" resolves on the target.
	set -- postfix postgrey dovecot
	sudo apt-get install "$@"
}
842
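# Dispatch: the first argument names the rule (default "help"), the rest
# are the rule's own arguments.
rule=${1:-help}
if [ $# -gt 0 ]; then shift; fi
case $rule in
(help);;
(*)
	# Every rule but "help" changes the running system: refuse to run
	# anywhere but on the VM described by etc/vm.sh.
	assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
	;;
esac
# Quoted so an unusual rule name reaches "rule" as a single word.
rule "$rule" "$@"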