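#!/bin/sh
# vm_hosted: rules to administer the VM, run from inside the hosted VM itself
# (rule_help lists them).  DRY_RUN, when set, adds -n so the shell only parses
# the script without executing anything.
set -e -f ${DRY_RUN:+-n} -u
# Locate the tool's directory by following the symlink chain from $0.  The
# target of a relative symlink is relative to the directory holding the link,
# not to the current directory, so it is re-anchored on that directory.
tool=$0
while test -L "$tool"
do link=$(readlink "$tool")
   case $link in
   (/*) tool=$link;;
   (*) case $tool in
       (*/*) tool=${tool%/*}/$link;;
       (*) tool=$link;;
       esac;;
   esac
done
tool=${tool%/*}
. "$tool"/lib/rule.sh
. "$tool"/etc/vm.sh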
10
rule_help () { # SYNTAX: [--hidden]
	# Write the usage text to stderr: description, the list of rules found
	# in etc/vm.sh and in this script, and the environment variables.
	# $1 - when given (e.g. --hidden), rules whose name starts with an
	#      underscore are listed too; otherwise they are left out.
	local hidden
	if test -z "${1-}"
	then hidden=set
	fi
	cat >&2 <<-EOF
	DESCRIPTION:
	ce script regroupe des règles pour administrer la VM ($vm_fqdn)
	_depuis_ la VM hébergée ($vm_fqdn) ;
	il sert à la fois d'outil (aisément bidouillable)
	et de documentation (préçise).
	Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
	SYNTAX: $0 \$RULE \${RULE}_SYNTAX
	RULES:
	$(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
	ENVIRONMENT:
	TRACE # affiche les commandes avant leur exécution
	$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
	EOF
}
28
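rule_git_configure () {
	# Make the checkout in $tool track refs/remotes/master and expose this
	# script as /usr/local/sbin/vm_hosted and /usr/local/sbin/vm.
	(
	cd "$tool"
	git config --replace-all branch.master.remote .
	git config --replace-all branch.master.merge refs/remotes/master
	# The symlinks need an absolute target; pwd gives it whether $tool was
	# absolute or relative (a second cd "$tool" from inside it would fail
	# for a relative path).
	local tool
	tool=$(pwd)
	sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/
	sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/vm
	)
}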
rule_git_reset () {
	# Throw away local changes in $tool: recreate master from
	# refs/remotes/master and delete every untracked or ignored file.
	(
	cd "$tool" || exit
	git checkout -f -B master remotes/master &&
	git clean -f -d -x
	)
}
47
rule_apt_get_install () { # SYNTAX: $package
	# Install packages with apt-get through sudo.
	# $@ - package names, passed on unchanged
	sudo apt-get install "$@"
}
51
rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
	# Hidden rule (leading underscore, skipped by rule_help): force the C
	# locale in the current shell and re-read /etc/profile — presumably
	# meant for a chroot, judging by the name.
	LANG=C LC_CTYPE=C
	export LANG LC_CTYPE
	. /etc/profile
}
57
rule_apt_configure () {
	# Write the apt sources for Debian $vm_lsb_name plus the OpenERP nightly
	# repository, pin backports above the release, refresh the package lists
	# and install apticron, which mails admin@$vm_domainname about updates.
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
	deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
	EOF
	# This file lives in /etc/apt, not sources.list.d, so apt does not read
	# it; it only keeps the (commented-out) backports line around.
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF
	#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
	EOF
	# NOTE(review): only the Debian suites are pinned (170 / 200); the
	# third-party OpenERP source below keeps apt's default priority of 500,
	# so its packages win over Debian's for any name both ship — confirm
	# this is intended.
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
	Package: *
	Pin: release a=$vm_lsb_name
	Pin-Priority: 170

	Package: *
	Pin: release a=$vm_lsb_name-backports
	Pin-Priority: 200
	EOF
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
	deb http://nightly.openerp.com/trunk/nightly/deb/ ./
	EOF
	sudo apt-get update
	rule apt_get_install apticron
	# apticron: only EMAIL is set, the rest of the file documents the defaults.
	sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF
	EMAIL="admin@$vm_domainname"
	# DIFF_ONLY="1"
	# LISTCHANGES_PROFILE="apticron"
	# ALL_FQDNS="1"
	# SYSTEM="foobar.example.com"
	# IPADDRESSNUM="1"
	# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
	# NOTIFY_HOLDS="0"
	# NOTIFY_NEW="0"
	# NOTIFY_NO_UPDATES="0"
	# CUSTOM_SUBJECT=""
	# CUSTOM_NO_UPDATES_SUBJECT=""
	# CUSTOM_FROM="root@$vm_fqdn"
	EOF
}
rule_boot_configure () {
	# Install GRUB and the kernel for a Xen PV guest: the kernel command
	# line uses the hvc0 console, a static IP and resumes from the
	# deciphered swap volume; the initramfs is rebuilt at the end.
	warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
	rule apt_get_install grub-pc
	# NOTE(review): /boot/grub is created with mode 644 (no execute bit);
	# root is not affected, but 755 is presumably what was meant — confirm.
	sudo install -d -m 644 -o root -g root /boot/grub
	rule apt_get_install linux-image-$vm_arch
	sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF
	GRUB_DEFAULT=0
	GRUB_TIMEOUT=5
	GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
	GRUB_CMDLINE_LINUX_DEFAULT="quiet"
	GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
	GRUB_DISABLE_RECOVERY="true"
	#GRUB_PRELOAD_MODULES="lvm"
	EOF
	# device.map: (hd0) is the Xen virtual disk; the dashes of the LV name
	# are doubled, as device-mapper does when naming LVM volumes.
	sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF
	(hd0) /dev/xvda
	(hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
	EOF
	sudo update-grub2 # NOTE: takes /boot/grub/device.map into account
	rule initramfs_configure
}
rule_dovecot_configure () {
	# Install dovecot (IMAP + sieve) for $vm_domainname: self-signed X.509
	# material, per-user passwd-file authentication, quota and sieve
	# plugins, the auth socket for postfix, and a dovecot-passwd helper so
	# users can set their own IMAP password.  The private key must have
	# been sent by the host beforehand (see the assert).
	rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
	local hint="run vm_remote dovecot_key_send before"
	# hint is passed by name; presumably lib/rule.sh evaluates it for the
	# failure message — confirm there.
	assert "test -f /etc/dovecot/$vm_domainname/imap/x509/key.pem" hint
	sudo install -m 400 -o root -g root \
	 "$tool"/var/pub/x509/service/imap/crt+crl.self-signed.pem \
	 /etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
	sudo install -d -m 770 -o root -g adm \
	 /etc/skel/etc/mail \
	 /etc/skel/etc/sieve
	# Index/control data live outside the quota-enforced home (see the NOTE
	# inside local.conf); 1777 (sticky, world-writable) presumably lets each
	# user's dovecot process create its own %u subdirectory — confirm.
	sudo install -d -m 1777 -o root -g root \
	 /var/lib/dovecot-control \
	 /var/lib/dovecot-index
	# NOTE(review): ssl_cipher_list is pinned to the single RSA key
	# exchange suite AES256-SHA, which gives no forward secrecy.  Clients
	# must present a certificate (ssl_verify_client_cert = yes) and are
	# authenticated by its name (auth_ssl_username_from_cert = yes).
	sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
	auth_ssl_username_from_cert = yes
	listen = *
	log_timestamp = "%Y-%m-%d %H:%M:%S "
	mail_debug = yes
	mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
	# NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
	# VOIR: http://wiki2.dovecot.org/Quota/FS
	mail_plugins = \$mail_plugins quota
	mail_privileged_group = mail
	passdb {
	args = /home/%u/etc/dovecot/passwd
	driver = passwd-file
	}
	plugin {
	quota = fs:user
	recipient_delimiter = +
	sieve = ~/etc/mail/filter.sieve
	sieve_dir = ~/etc/mail/sieve
	sieve_global_dir = /var/lib/dovecot/sieve/global/
	sieve_max_script_size = 1M
	sieve_quota_max_scripts = 0
	sieve_quota_max_storage = 10M
	sieve_user_log = ~/var/log/mail/sieve.log
	}
	protocol imap {
	mail_plugins = \$mail_plugins imap_quota
	}
	protocol lda {
	auth_socket_path = /var/run/dovecot/auth-master
	hostname = $vm_domainname
	info_log_path =
	log_path =
	mail_plugins = \$mail_plugins sieve
	postmaster_address = contact+dovecot+lda@$vm_domainname
	syslog_facility = mail
	}
	protocols = imap sieve
	service auth {
	user = root
	unix_listener /var/spool/postfix/private/auth {
	mode = 0660
	user = postfix
	group = postfix
	}
	}
	ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
	ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
	ssl_cipher_list = AES256-SHA
	ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
	ssl_verify_client_cert = yes
	userdb {
	driver = passwd
	}
	verbose_ssl = no
	EOF
	# User helper: writes "$USER:<SHA512-CRYPT hash>" into ~/etc/dovecot/passwd,
	# the passwd-file referenced by passdb above.
	sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
	#!/bin/sh -efux
	# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
	install -d -m 770 ~/etc/dovecot
	install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
	\$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
	_EOF
	EOF
	# An empty postgrey recipient whitelist, written here rather than in
	# rule_postgrey_configure.
	sudo install -m 664 -o root -g root /dev/stdin /etc/postgrey/whitelist_recipients.local <<-EOF
	EOF
	sudo service dovecot restart
}
rule_etckeeper_configure () {
	# Configure etckeeper (git, no daily autocommits, no commit before
	# package installs) and install its prompt hook, then the package —
	# presumably so its first run already sees this configuration.
	sudo install -m 644 -o root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
	VCS=git
	GIT_COMMIT_OPTIONS=""
	AVOID_DAILY_AUTOCOMMITS=1
	#AVOID_SPECIAL_FILE_WARNING=1
	AVOID_COMMIT_BEFORE_INSTALL=1
	HIGHLEVEL_PACKAGE_MANAGER=apt
	LOWLEVEL_PACKAGE_MANAGER=dpkg
	EOF
	sudo install -m 644 -o root -g root \
	 "$tool"/etc/etckeeper/prompt.sh \
	 /etc/etckeeper/prompt.sh
	rule apt_get_install etckeeper
}
rule_filesystem_configure () {
	# fstab/crypttab for the LUKS-on-LVM layout: /boot in clear, root, /var,
	# /home and swap as deciphered mappings; plus swap-related sysctls.
	sudo install -m 644 -o root -g root /dev/stdin /etc/fstab <<-EOF
	# <file system> <mount point> <type> <options> <dump> <pass>
	LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
	proc /proc proc defaults 0 0
	sysfs /sys sysfs defaults 0 0
	tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
	/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
	/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
	/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
	# NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
	/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
	EOF
	# Only the root volume takes a passphrase (key file "none"); var, home
	# and swap name the opened root mapping as key source and use the
	# decrypt_derived keyscript, so one passphrase unlocks everything.
	sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF
	# <target name> <source device> <key file> <options>
	${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
	${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/sysctl.d/local-swap.conf <<-EOF
	vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité
	vm.vfs_cache_pressure=50
	EOF
}
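rule_initramfs_configure () {
	# Build the initramfs for this Xen PV guest: modules for the Xen
	# front-ends and for LUKS, a dropbear RSA host key so the root volume
	# can be unlocked over SSH at boot, and the SSH keys of every member of
	# the sudo group as the authorized_keys dropbear accepts.
	local keys user home
	sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
	MODULES=most
	BUSYBOX=y
	KEYMAP=y
	COMPRESS=gzip
	DEVICE=eth0
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/modprobe.d/xen-pv.conf <<-EOF
	alias eth0 xennet
	alias scsi_hostadapter xenblk
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/modules <<-EOF
	sha1_generic
	sha256_generic
	sha512_generic
	aes-x86_64
	xts
	# NOTE: pour Xen en mode HVM :
	#modprobe xen-platform-pci
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF
	EOF
	# NOTE: works around a bug: dropbear has to wait for the network to be
	# configured, so configure_networking must not be backgrounded.
	sudo sed -e '/^configure_networking /s/ &$//' \
	 -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
	# (Re)generate the dropbear RSA host key only when known_hosts does not
	# already record one (a line ending in " RSA") for init.$vm_fqdn.
	ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	grep -q -- ' RSA$' ||
	{
	sudo rm -f \
	 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
	 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
	sudo dropbearkey -t rsa -s 4096 -f \
	 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
	}
	# NOTE: dropbear_dss_host_key is left alone; Debian generates and uses it anyway.
	sudo install -d -m 640 -o root -g root \
	 /etc/initramfs-tools/root \
	 /etc/initramfs-tools/root/.ssh
	# Collect the keys into a temporary file first: a sudo member without
	# ~/etc/ssh/authorized_keys aborts the rule here instead of leaving a
	# truncated authorized_keys in the initramfs.
	keys=$(mktemp)
	getent group sudo | cut -d : -f 4 | tr , '\n' |
	while IFS= read -r user
	do if test -z "$user"
	   then continue
	   fi
	   home=$(getent passwd "$user" | cut -d : -f 6)
	   if test -z "$home"
	   then printf '%s\n' "$user: not in the passwd database" >&2; exit 1
	   fi
	   cat "$home"/etc/ssh/authorized_keys || exit 1
	done >"$keys" ||
	{ rm -f -- "$keys"; return 1; }
	sudo install -m 644 -o root -g root "$keys" /etc/initramfs-tools/root/.ssh/authorized_keys
	rm -f -- "$keys"
	# NOTE: keys generated by Debian
	sudo rm -f \
	 /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
	 /etc/initramfs-tools/root/.ssh/id_rsa.pub \
	 /etc/initramfs-tools/root/.ssh/id_rsa
	sudo update-initramfs -u
}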
295 rule_time_configure () {
296 sudo install -m 644 -o root -g root /dev/stdin /etc/timezone <<-EOF
297 Europe/Paris
298 EOF
299 sudo dpkg-reconfigure tzdata
300 rule apt_get_install ntp
301 }
rule_locale_configure () {
	# Generate the single locale fr_FR.UTF-8 and refresh /etc/default/locale.
	printf '%s\n' 'fr_FR.UTF-8 UTF-8' |
	sudo install -m 644 -o root -g root /dev/stdin /etc/locale.gen
	sudo update-locale
}
rule_login_configure () {
	# Console logins: allow root on the Xen consoles hvc0/xvc0 (each is
	# appended to /etc/securetty only if absent), install inittab with a
	# getty on hvc0, login.defs (umask 007, SHA512 hashes) and make sure
	# pam_umask is in common-session — presumably so the UMASK below is
	# applied to PAM sessions as well.
	grep -q '^hvc0$' /etc/securetty ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
	$(cat /etc/securetty)
	hvc0
	EOF
	grep -q '^xvc0$' /etc/securetty ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
	$(cat /etc/securetty)
	xvc0
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF
	# /etc/inittab: init(8) configuration.

	# The default runlevel.
	id:2:initdefault:

	# Boot-time system configuration/initialization script.
	# This is run first except when booting in emergency (-b) mode.
	si::sysinit:/etc/init.d/rcS

	# What to do in single-user mode.
	~~:S:wait:/sbin/sulogin

	# /etc/init.d executes the S and K scripts upon change
	# of runlevel.
	#
	# Runlevel 0 is halt.
	# Runlevel 1 is single-user.
	# Runlevels 2-5 are multi-user.
	# Runlevel 6 is reboot.

	l0:0:wait:/etc/init.d/rc 0
	l1:1:wait:/etc/init.d/rc 1
	l2:2:wait:/etc/init.d/rc 2
	l3:3:wait:/etc/init.d/rc 3
	l4:4:wait:/etc/init.d/rc 4
	l5:5:wait:/etc/init.d/rc 5
	l6:6:wait:/etc/init.d/rc 6
	# Normally not reached, but fallthrough in case of emergency.
	z6:6:respawn:/sbin/sulogin

	# What to do when CTRL-ALT-DEL is pressed.
	ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

	# What to do when the power fails/returns.
	pf::powerwait:/etc/init.d/powerfail start
	pn::powerfailnow:/etc/init.d/powerfail now
	po::powerokwait:/etc/init.d/powerfail stop

	# Xen hypervisor console
	hvc:2345:respawn:/sbin/getty 38400 hvc0
	#xvc:2345:respawn:/sbin/getty 38400 xvc0
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF
	MAIL_DIR /var/mail
	FAILLOG_ENAB yes
	LOG_UNKFAIL_ENAB no
	LOG_OK_LOGINS no
	SYSLOG_SU_ENAB yes
	SYSLOG_SG_ENAB yes
	FTMP_FILE /var/log/btmp
	SU_NAME su
	HUSHLOGIN_FILE .hushlogin
	ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
	ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
	# NOTE: met les sbin/ dans ENV_PATH ;
	# - ça n'apporte aucune protection de ne pas les mettre ;
	# - ça frustre de ne pas les trouver.
	TTYGROUP tty
	TTYPERM 0600
	ERASECHAR 0177
	KILLCHAR 025
	UMASK 007
	# NOTE: rwxrwx--- ;
	# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
	# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
	PASS_MAX_DAYS 99999
	PASS_MIN_DAYS 0
	PASS_WARN_AGE 7
	UID_MIN 1000
	UID_MAX 60000
	GID_MIN 1000
	GID_MAX 60000
	LOGIN_RETRIES 3
	LOGIN_TIMEOUT 60
	CHFN_RESTRICT rwh
	DEFAULT_HOME yes
	USERGROUPS_ENAB yes
	ENCRYPT_METHOD SHA512
	EOF
	grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF
	$(cat /etc/pam.d/common-session)
	session optional pam_umask.so
	EOF
}
rule_mail_configure () {
	# Configure the whole mail stack, in dependency order: postfix first,
	# then postgrey and procmail, dovecot last.
	local r
	for r in postfix_configure postgrey_configure procmail_configure dovecot_configure
	do rule "$r"
	done
}
rule_network_configure () {
	# Hostname, a /etc/hosts entry for $vm_fqdn (added once) and a static
	# /32 configuration of eth0 where the gateway is the VM's own address
	# (proxy ARP on the gateway, see the NOTE) and the MTU is 1300.
	sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
	$vm
	EOF
	grep -q " $vm\$" /etc/hosts ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/hosts <<-EOF
	$(cat /etc/hosts)
	127.0.0.1 $vm_fqdn $vm
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF
	auto lo
	iface lo inet loopback

	auto eth0=grenode
	iface grenode inet static
	address $vm_ipv4
	gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
	network $vm_ipv4
	broadcast $vm_ipv4
	netmask 255.255.255.255
	mtu 1300
	# NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
	# car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
	#
	# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
	# PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
	# 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
	#
	# --- soupirail.grenode.net ping statistics ---
	# 1 packets transmitted, 1 received, 0% packet loss, time 0ms
	# rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
	# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
	# PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
	# From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
	#
	# --- soupirail.grenode.net ping statistics ---
	# 0 packets transmitted, 0 received, +1 errors
	post-up ip address add $vm_ipv4/32 dev \$IFACE
	pre-down ip address delete $vm_ipv4/32 dev \$IFACE
	EOF
}
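rule_postfix_configure () {
	# Install and configure postfix for $vm_domainname: the X.509 material
	# published by the host (the private key must already have been sent),
	# the lookup tables kept under $tool/etc/postfix, main.cf (VM-specific
	# settings prepended to the shared template) and master.cf, then
	# restart the service.
	local hint="run vm_remote postfix_key_send before"
	assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
	warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
	rule apt_get_install postfix
	# Keep the compiled .db tables out of etckeeper's git repository.
	sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
	*.db
	EOF
	sudo install -d -m 770 -o root -g root \
	 /etc/postfix/$vm_domainname/ \
	 /etc/postfix/$vm_domainname/smtp \
	 /etc/postfix/$vm_domainname/smtp/x509 \
	 /etc/postfix/$vm_domainname/smtp/x509/ca \
	 /etc/postfix/$vm_domainname/smtpd \
	 /etc/postfix/$vm_domainname/smtpd/x509 \
	 /etc/postfix/$vm_domainname/smtpd/x509/ca
	# The smtpd CA entry points at the server's own self-signed cert+CRL.
	sudo ln -fns \
	 ../crt+crl.self-signed.pem \
	 /etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
	sudo install -m 400 -o root -g root \
	 "$tool"/var/pub/x509/service/smtpd/crt+crl.self-signed.pem \
	 /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
	sudo install -m 400 -o root -g root \
	 "$tool"/var/pub/x509/service/smtpd/crt.pem \
	 /etc/postfix/$vm_domainname/smtpd/x509/crt.pem
	sudo install -m 400 -o root -g root \
	 "$tool"/var/pub/x509/service/smtpd/crt+root.pem \
	 /etc/postfix/$vm_domainname/smtpd/x509/crt+root.pem
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/postfix/$vm_domainname/header_checks \
	 /etc/postfix/$vm_domainname/header_checks
	sudo install -m 664 -o root -g root \
	 "$tool"/etc/postfix/aliases \
	 /etc/postfix/aliases
	sudo newaliases -oA/etc/postfix/aliases
	# main.cf = these VM-specific settings followed by the shared template.
	cat /dev/stdin "$tool"/etc/postfix/main.cf <<-EOF |
	mydomain = $vm_domainname
	myorigin = \$mydomain
	myhostname = $vm_hostname.\$mydomain
	mail_name = \$myhostname
	mydestination = $vm_hostname \$myhostname \$myorigin
	EOF
	sudo install -m 664 -o root -g root /dev/stdin \
	 /etc/postfix/main.cf
	sudo install -m 664 -o root -g root \
	 "$tool"/etc/postfix/master.cf \
	 /etc/postfix/master.cf
	# Lookup tables: each one is installed and then compiled with postmap.
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/postfix/$vm_domainname/smtp/x509/policy \
	 /etc/postfix/$vm_domainname/smtp/x509/policy
	sudo postmap hash:/etc/postfix/$vm_domainname/smtp/x509/policy
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/postfix/$vm_domainname/smtp/header_checks \
	 /etc/postfix/$vm_domainname/smtp/header_checks
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/postfix/$vm_domainname/smtpd/sender_access \
	 /etc/postfix/$vm_domainname/smtpd/sender_access
	sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/sender_access
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/postfix/$vm_domainname/smtpd/client_blacklist \
	 /etc/postfix/$vm_domainname/smtpd/client_blacklist
	sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/client_blacklist
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/postfix/$vm_domainname/smtpd/relay_clientcerts \
	 /etc/postfix/$vm_domainname/smtpd/relay_clientcerts
	sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/relay_clientcerts
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/postfix/$vm_domainname/transport \
	 /etc/postfix/$vm_domainname/transport
	sudo postmap hash:/etc/postfix/$vm_domainname/transport
	sudo install -m 660 -o root -g root \
	 "$tool"/etc/postfix/$vm_domainname/virtual_alias \
	 /etc/postfix/$vm_domainname/virtual_alias
	sudo postmap hash:/etc/postfix/$vm_domainname/virtual_alias
	sudo service postfix restart
}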
rule_postgrey_configure () {
	# Install postgrey (greylisting policy server for postfix) and
	# restart it so it picks up its configuration.
	rule apt_get_install postgrey
	sudo service postgrey restart
}
rule_procmail_configure () {
	# Install procmail and the per-user mail tree plus delivery recipe
	# that new accounts inherit from /etc/skel.
	local skel=/etc/skel
	rule apt_get_install procmail
	sudo install -d -m 770 -o root -g adm \
	 "$skel"/etc/mail \
	 "$skel"/var/cache/mail \
	 "$skel"/var/log/mail \
	 "$skel"/var/mail
	sudo install -m 660 -o root -g adm \
	 "$tool"/etc/skel/etc/mail/delivery.procmailrc \
	 "$skel"/etc/mail/delivery.procmailrc
}
rule_ssh_configure () {
	# Ensure an RSA host key, drop the DSA/ECDSA ones Debian generated,
	# install sshd_config and restart sshd.  The host key is only
	# (re)generated when known_hosts has no entry ending in " RSA" for
	# $vm_fqdn.
	ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	grep -q -- ' RSA$' ||
	sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
	# NOTE: keys generated by Debian
	sudo rm -f \
	 /etc/ssh/ssh_host_dsa_key \
	 /etc/ssh/ssh_host_dsa_key.pub \
	 /etc/ssh/ssh_host_ecdsa_key \
	 /etc/ssh/ssh_host_ecdsa_key.pub
	# NOTE(review): PermitRootLogin yes is effectively key-only here, since
	# PasswordAuthentication and ChallengeResponseAuthentication are both
	# off; "without-password" would pin that regardless of those two.
	sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
	Port 22
	ListenAddress $vm_ipv4
	#ListenAddress ::
	Protocol 2
	Compression yes
	HostKey /etc/ssh/ssh_host_rsa_key
	UsePrivilegeSeparation yes
	KeyRegenerationInterval 3600
	ServerKeyBits 768
	SyslogFacility AUTH
	LogLevel INFO
	LoginGraceTime 120
	PermitRootLogin yes
	StrictModes yes
	RSAAuthentication yes
	PubkeyAuthentication yes
	AuthorizedKeysFile %h/etc/ssh/authorized_keys
	IgnoreRhosts yes
	RhostsRSAAuthentication no
	HostbasedAuthentication no
	IgnoreUserKnownHosts no
	PermitEmptyPasswords no
	ChallengeResponseAuthentication no
	PasswordAuthentication no
	KerberosAuthentication no
	GSSAPIAuthentication no
	X11Forwarding no
	X11DisplayOffset 10
	PrintMotd no
	DebianBanner no
	PrintLastLog yes
	TCPKeepAlive yes
	ClientAliveInterval 0
	AcceptEnv LANG LC_*
	Subsystem sftp /usr/lib/openssh/sftp-server
	UsePAM yes
	EOF
	sudo service ssh restart
}
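rule_user_admin_add () { # SYNTAX: $user
	# Add an administrator: create the account if needed, put it in the
	# sudo group, install its SSH public key from $tool/var/pub/ssh and
	# import the shared OpenPGP keys into its keyring.
	# $1 - login name
	local user=$1
	local home key
	id "$user" >/dev/null ||
	sudo adduser --disabled-password "$user"
	# NOTE: the password has to be set by the user themself with passwd-init .
	# The home directory is read from the passwd database rather than
	# through eval "~$user", so $user is never re-parsed by the shell.
	home=$(getent passwd "$user" | cut -d : -f 6)
	if test -z "$home"
	then printf '%s\n' "$user: not in the passwd database" >&2; return 1
	fi
	sudo adduser "$user" sudo
	sudo install -m 640 -o root -g root \
	 "$tool"/var/pub/ssh/"$user".key \
	 "$home"/etc/ssh/authorized_keys
	# Globbing is off (set -f at the top of the script); re-enable it for
	# this function only to enumerate the shared keys.
	local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo -u "$user" gpg --import "$key"
	done
	rule user_admin_configure
}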
rule_user_admin_configure () {
	# After an administrator changed: refresh the initramfs (dropbear's
	# authorized_keys) and root's authorized_keys/keyring.
	local r
	for r in initramfs_configure user_root_configure
	do rule "$r"
	done
}
rule_user_configure () {
	# Skeleton for new accounts (~/etc layout with .ssh and .gnupg as
	# symlinks into it), sudoers drop-ins for the sudo group and the
	# passwd-init helper, plus the shared bash and screen configuration.
	sudo install -d -m 750 -o root -g adm \
	 /etc/skel/etc \
	 /etc/skel/etc/ssh
	sudo install -d -m 770 -o root -g adm \
	 /etc/skel/etc/apache2 \
	 /etc/skel/var \
	 /etc/skel/var/log \
	 /etc/skel/var/cache \
	 /etc/skel/var/cache/ssh
	sudo ln -fns etc/ssh /etc/skel/.ssh
	sudo ln -fns etc/gpg /etc/skel/.gnupg
	# passwd-init: members of sudo may run, without a password, exactly this
	# one-liner, which only calls passwd for their own account and only
	# while that account's password is still locked ("L" in passwd --status),
	# i.e. the state adduser --disabled-password leaves it in.
	# NOTE(review): files under /etc/sudoers.d are conventionally 0440;
	# sudo may reject the 0640 used for the three drop-ins here — confirm
	# on the target release.
	sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
	%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
	case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
	("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
	EOF
	sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF
	%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
	EOF
	# EDITOR and the git identity survive sudo — presumably so etckeeper
	# commits made through sudo are attributed to the person, not to root.
	sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/env_keep <<-EOF
	Defaults env_keep = " \\
	EDITOR \\
	GIT_AUTHOR_NAME \\
	GIT_AUTHOR_EMAIL \\
	GIT_COMMITTER_NAME \\
	GIT_COMMITTER_EMAIL \\
	"
	EOF
	# The user-facing wrapper for the sudoers entry above.
	sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF
	#!/bin/sh -efu
	# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
	sudo /bin/sh -e -f -u -c \
	'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
	EOF
	sudo install -m 644 -o root -g root \
	 "$tool"/etc/bash.bashrc \
	 /etc/bash.bashrc
	sudo install -m 644 -o root -g root \
	 "$tool"/etc/screenrc \
	 /etc/screenrc
}
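rule_user_root_configure () {
	# Set up root's ~/etc layout, let every member of the sudo group log in
	# as root with their own SSH key, and import the shared OpenPGP keys
	# into root's keyring.
	local key keys user home
	sudo install -d -m 750 -o root -g adm \
	 /root/etc \
	 /root/etc/ssh \
	 /root/etc/gpg
	sudo ln -fns etc/gpg /root/.gnupg
	sudo ln -fns etc/ssh /root/.ssh
	# Collect the keys into a temporary file first: a sudo member without
	# ~/etc/ssh/authorized_keys aborts the rule here instead of installing
	# a truncated authorized_keys for root.
	keys=$(mktemp)
	getent group sudo | cut -d : -f 4 | tr , '\n' |
	while IFS= read -r user
	do if test -z "$user"
	   then continue
	   fi
	   home=$(getent passwd "$user" | cut -d : -f 6)
	   if test -z "$home"
	   then printf '%s\n' "$user: not in the passwd database" >&2; exit 1
	   fi
	   cat "$home"/etc/ssh/authorized_keys || exit 1
	done >"$keys" ||
	{ rm -f -- "$keys"; return 1; }
	sudo install -m 640 -o root -g root "$keys" /root/etc/ssh/authorized_keys
	rm -f -- "$keys"
	# Globbing is off (set -f at the top of the script); re-enable it for
	# this function only to enumerate the shared keys.
	local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo gpg --import "$key"
	done
}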
rule_configure () {
	# Full configuration of a freshly installed VM, in the order the rules
	# depend on each other (apt and git first, users and boot last).
	local r
	for r in \
	 apt_configure \
	 git_configure \
	 etckeeper_configure \
	 locale_configure \
	 time_configure \
	 network_configure \
	 filesystem_configure \
	 login_configure \
	 ssh_configure \
	 mail_configure \
	 user_root_configure \
	 boot_configure \
	 user_configure
	do rule "$r"
	done
}
705
rule_luks_key_change () {
	# Interactively change a passphrase slot of the root LUKS volume, the
	# one the other volumes derive their key from (see crypttab in
	# rule_filesystem_configure).
	local dev
	dev=/dev/$vm_lvm_vg/${vm_lvm_lv}_root
	sudo cryptsetup luksChangeKey "$dev"
}
709
# Entry point: the first argument names the rule (default: help) and the
# remaining ones are passed to it.  Every rule but help first checks that
# this really is the hosted VM ($vm_fqdn) before running.
rule=${1:-help}
test $# -eq 0 || shift
if test "$rule" != help
then assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
fi
rule $rule "$@"