Correction : tool=$(readlink "$tool") .
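#!/bin/sh
# vm_hosted: rules to administer the VM from inside the hosted VM itself.
# DRY_RUN, when set and non-empty, adds -n so the shell only parses the script.
set -e -f ${DRY_RUN:+-n} -u
# Resolve $0 through any chain of symlinks down to the real script, then keep
# its directory in $tool: the project root holding lib/, etc/ and var/.
tool=$0
while test -L "$tool"
do link=$(readlink "$tool")
	# A relative link target is relative to the directory of the symlink
	# itself, not to the current working directory.
	case $link in
	(/*) tool=$link;;
	(*) case $tool in
	    (*/*) tool=${tool%/*}/$link;;
	    (*) tool=$link;;
	    esac;;
	esac
done
# Directory of the script; "." when the path has no slash at all (for
# instance `sh vm_hosted` from the checkout), where ${tool%/*} alone would
# have left the file name in place.
case $tool in
(*/*) tool=${tool%/*};;
(*) tool=.;;
esac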
8 . "$tool"/lib/rule.sh
9 . "$tool"/etc/vm.sh
rule_help () { # SYNTAX: [--hidden]
	# Print the usage text on stderr. Without an argument, rules whose name
	# starts with an underscore are left out of the RULES list.
	local hidden
	if [ -z "${1:-}" ]
	then hidden=set
	fi
	# Both lists are scraped from the sources themselves: rule_* definitions
	# and readonly variables, each kept with its trailing "# ..." comment.
	cat >&2 <<-EOF
	DESCRIPTION:
	ce script regroupe des règles pour administrer la VM ($vm_fqdn)
	_depuis_ la VM hébergée ($vm_fqdn) ;
	il sert à la fois d'outil (aisément bidouillable)
	et de documentation (préçise).
	Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
	SYNTAX: $0 \$RULE \${RULE}_SYNTAX
	RULES:
	$(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
	ENVIRONMENT:
	TRACE # affiche les commandes avant leur exécution
	$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
	EOF
}
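rule_git_configure () {
	# Pin the local master branch to the "." remote and expose this script as
	# /usr/local/sbin/vm_hosted and /usr/local/sbin/vm. Runs in a subshell so
	# the cd does not leak into the caller.
	(
	cd "$tool"
	git config --replace branch.master.remote .
	git config --replace branch.master.merge refs/remotes/master
	# The symlinks need an absolute target. We are already inside $tool, so
	# pwd is that absolute path; the former `cd "$tool"; cd -` applied a
	# relative $tool a second time and failed for any path other than ".".
	local abs_tool link
	abs_tool=$(pwd)
	for link in /usr/local/sbin/ /usr/local/sbin/vm
	do sudo ln -fns "$abs_tool"/vm_hosted "$link"
	done
	)
}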
rule_git_reset () {
	# Hard-reset the checkout to remotes/master and drop every untracked or
	# ignored file; done in a subshell so the cd does not leak.
	( cd "$tool" &&
	  git checkout -f -B master remotes/master &&
	  git clean -f -d -x )
}
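rule_apt_get_install () { # SYNTAX: $package...
	# Install the given packages unless every one of them is already there.
	# Each argument is checked, not only the first: a call such as
	# `rule apt_get_install a b c` used to be skipped entirely as soon as "a"
	# was installed, leaving "b" and "c" missing.
	local package missing
	missing=
	for package
	do case $(dpkg -s "$package" 2>/dev/null | grep '^Status: ') in
		("Status: install ok installed");;
		(*) missing="$missing $package";;
		esac
	done
	[ -n "$missing" ] || return 0
	# With etckeeper a dirty /etc makes apt's pre-install hook refuse; only
	# warn, so the user can commit and rerun the same command.
	test ! -x /usr/bin/etckeeper ||
	! sudo etckeeper unclean ||
	warn "/etc unclean: etckeeper may force you to \`etckeeper commit'; then you can run your $0 command again."
	sudo apt-get install "$@"
}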
rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
	# Neutral C locale for a chrooted session, then the system-wide profile.
	LANG=C
	LC_CTYPE=C
	export LANG LC_CTYPE
	. /etc/profile
}
rule_apt_configure () {
# Debian sources, apt pinning, the OpenERP nightly repository, then apticron
# for upgrade notifications. Every file is written through install(1) from stdin.
# NOTE(review): sources are fetched over plain http; apt verifies the Release
# signatures itself, but the nightly.openerp.com repository below comes with no
# visible keyring or pin -- confirm how its packages are authenticated.
# NOTE(review): mode 660 keeps these files unreadable by non-root users
# (apt-cache policy etc.); Debian ships them 644 -- confirm this is intended.
sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
EOF
# The backports source is shipped commented out.
sudo install -m 660 -o root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF
#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
EOF
# NOTE(review): once backports is enabled, priority 200 outranks the 170 given
# to the release itself -- confirm that precedence is the intended one.
sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
Package: *
Pin: release a=$vm_lsb_name
Pin-Priority: 170

Package: *
Pin: release a=$vm_lsb_name-backports
Pin-Priority: 200
EOF
sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
deb http://nightly.openerp.com/trunk/nightly/deb/ ./
EOF
sudo apt-get update
# apticron mails admin@$vm_domainname about pending upgrades; the commented
# settings are presumably the package defaults, kept for reference.
rule apt_get_install apticron
sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF
EMAIL="admin@$vm_domainname"
# DIFF_ONLY="1"
# LISTCHANGES_PROFILE="apticron"
# ALL_FQDNS="1"
# SYSTEM="foobar.example.com"
# IPADDRESSNUM="1"
# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
# NOTIFY_HOLDS="0"
# NOTIFY_NEW="0"
# NOTIFY_NO_UPDATES="0"
# CUSTOM_SUBJECT=""
# CUSTOM_NO_UPDATES_SUBJECT=""
# CUSTOM_FROM="root@$vm_fqdn"
EOF
}
rule_boot_configure () {
# GRUB for a Xen guest: the kernel line carries the static IPv4 setup and the
# resume device; device.map is hand-written, then initramfs is rebuilt.
warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
rule apt_get_install grub-pc
# NOTE(review): 644 on a directory has no execute bit; root still traverses
# it but nobody else can -- probably 755 was meant, confirm.
sudo install -d -m 644 -o root -g root /boot/grub
rule apt_get_install linux-image-$vm_arch
# NOTE(review): resume= names ${vm}_swap_deciphered while /etc/crypttab (see
# rule_filesystem_configure) maps ${vm_lvm_lv}_swap_deciphered; both agree
# only when vm_lvm_lv equals vm -- confirm in etc/vm.sh.
sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
GRUB_DISABLE_RECOVERY="true"
#GRUB_PRELOAD_MODULES="lvm"
EOF
# hd0 is listed twice: the Xen block device and the host-side mapping; the
# sed doubles dashes, presumably device-mapper's escaping of "-" in names.
sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF
(hd0) /dev/xvda
(hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
EOF
sudo update-grub2 # NOTE: prend en compte /boot/grub/device.map
rule initramfs_configure
}
rule_dovecot_configure () {
# Dovecot IMAP + sieve for $vm_domainname: TLS material from var/pub/x509,
# per-user passwd files under /home, quota on the home filesystem.
rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
local hint="run vm_remote dovecot_key_send before"
assert "test -f /etc/dovecot/$vm_domainname/imap/x509/key.pem" hint
sudo install -m 400 -o root -g root \
"$tool"/var/pub/x509/service/imap/crt+crl.self-signed.pem \
/etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
sudo install -d -m 770 -o root -g adm \
/etc/skel/etc/mail \
/etc/skel/etc/sieve
# Index/control dirs live outside the quota'd home (see the NOTE in the
# config); 1777 so each user's subdirectory can be created under its own uid.
sudo install -d -m 1777 -o root -g root \
/var/lib/dovecot-control \
/var/lib/dovecot-index
# NOTE(review): ssl_ca and ssl_cert point at the same self-signed bundle, so
# client certificates are checked against that one certificate/CRL.
# NOTE(review): ssl_cipher_list pins a single CBC suite without forward
# secrecy; a modern suite list is the usual hardening -- confirm the clients
# this must interoperate with.
# NOTE(review): mail_debug = yes makes the logs verbose (per-message detail).
# NOTE(review): the auth service runs as root, presumably because the passdb
# files sit in each user's home -- confirm that is the reason.
sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
auth_ssl_username_from_cert = yes
listen = *
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_debug = yes
mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
# NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
# VOIR: http://wiki2.dovecot.org/Quota/FS
mail_plugins = \$mail_plugins quota
mail_privileged_group = mail
passdb {
args = /home/%u/etc/dovecot/passwd
driver = passwd-file
}
plugin {
quota = fs:user
recipient_delimiter = +
sieve = ~/etc/mail/filter.sieve
sieve_dir = ~/etc/mail/sieve
sieve_global_dir = /var/lib/dovecot/sieve/global/
sieve_max_script_size = 1M
sieve_quota_max_scripts = 0
sieve_quota_max_storage = 10M
sieve_user_log = ~/var/log/mail/sieve.log
}
protocol imap {
mail_plugins = \$mail_plugins imap_quota
}
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
hostname = $vm_domainname
info_log_path =
log_path =
mail_plugins = \$mail_plugins sieve
postmaster_address = contact+dovecot+lda@$vm_domainname
syslog_facility = mail
}
protocols = imap sieve
service auth {
user = root
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
ssl_cipher_list = AES256-SHA
ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
ssl_verify_client_cert = yes
userdb {
driver = passwd
}
verbose_ssl = no
EOF
# Helper for users: writes ~/etc/dovecot/passwd with a SHA512-CRYPT hash.
# Its -x trace prints each command, not the heredoc body.
sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
#!/bin/sh -efux
# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
install -d -m 770 ~/etc/dovecot
install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
\$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
_EOF
EOF
# An empty local postgrey recipient whitelist (installed here, not in
# rule_postgrey_configure).
sudo install -m 664 -o root -g root /dev/stdin /etc/postgrey/whitelist_recipients.local <<-EOF
EOF
sudo service dovecot restart
}
rule_etckeeper_configure () {
	# etckeeper keeps /etc in git; daily and pre-install autocommits are off.
	sudo install -m 644 -o root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
	VCS=git
	GIT_COMMIT_OPTIONS=""
	AVOID_DAILY_AUTOCOMMITS=1
	#AVOID_SPECIAL_FILE_WARNING=1
	AVOID_COMMIT_BEFORE_INSTALL=1
	HIGHLEVEL_PACKAGE_MANAGER=apt
	LOWLEVEL_PACKAGE_MANAGER=dpkg
	EOF
	# Hook files from the repository, installed to the same path under /.
	# NOTE(review): relative source paths, unlike "$tool"/etc elsewhere --
	# presumably the rule runner chdirs to $tool; confirm in lib/rule.sh.
	local file mode
	for file in etc/etckeeper/prompt.sh etc/etckeeper/update-ignore.d/02custom-ignore
	do case $file in
		(*/update-ignore.d/*) mode=755;;
		(*) mode=644;;
		esac
		sudo install -m "$mode" -o root -g root "$file" /"$file"
	done
	rule apt_get_install etckeeper
	sudo etckeeper update-ignore -a
}
rule_filesystem_configure () {
# fstab/crypttab for the LUKS-on-LVM layout (root, var, home, swap) plus a
# small swap sysctl. /tmp is a tmpfs with nosuid,nodev (exec stays allowed).
sudo install -m 644 -o root -g root /dev/stdin /etc/fstab <<-EOF
# <file system> <mount point> <type> <options> <dump> <pass>
LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
# NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
EOF
# Only the root volume asks for a passphrase; var, home and swap are unlocked
# with a key derived from the root mapping (decrypt_derived), so a root
# compromise of that mapping's key material covers all four volumes.
sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF
# <target name> <source device> <key file> <options>
${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
EOF
# NOTE(review): sysctl(8) treats only lines *starting* with # as comments, so
# the trailing "# NOTE" is handed to the kernel as part of the value -- confirm
# `sysctl -p` accepts it, otherwise move the note to its own line.
sudo install -m 644 -o root -g root /dev/stdin /etc/sysctl.d/local-swap.conf <<-EOF
vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité
vm.vfs_cache_pressure=50
EOF
}
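rule_initramfs_configure () {
	# initramfs for a Xen PV guest whose root is a LUKS volume: dropbear inside
	# the initramfs lets members of the sudo group unlock it over ssh.
	sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
	MODULES=most
	BUSYBOX=y
	KEYMAP=y
	COMPRESS=gzip
	DEVICE=eth0
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/modprobe.d/xen-pv.conf <<-EOF
	alias eth0 xennet
	alias scsi_hostadapter xenblk
	EOF
	# Hash and cipher modules needed to open the LUKS volumes (see /etc/crypttab).
	sudo install -m 644 -o root -g root /dev/stdin /etc/modules <<-EOF
	sha1_generic
	sha256_generic
	sha512_generic
	aes-x86_64
	xts
	# NOTE: pour Xen en mode HVM :
	#modprobe xen-platform-pci
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF
	EOF
	# NOTE: corrige une vermine : dropbear doit attendre que le réseau soit configuré..
	# This patches a file owned by the initramfs-tools package: a package
	# upgrade silently reverts it, so rerun this rule afterwards.
	sudo sed -e '/^configure_networking /s/ &$//' \
		-i /usr/share/initramfs-tools/scripts/init-premount/dropbear
	# Regenerate the dropbear host key unless the repository's known_hosts
	# already has an entry for init.$vm_fqdn ending in " RSA" (presumably the
	# comment this repository puts on host keys -- confirm).
	ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	( while IFS= read -r line
	  do case $line in (*" RSA") return 0; break;; esac
	  done; return 1 ) ||
	{
	sudo rm -f \
		/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
		/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
	sudo dropbearkey -t rsa -s 4096 -f \
		/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
	}
	# NOTE: ne se préoccupe pas de dropbear_dss_host_key ; Debian la génère et l'utilise néamoins.
	sudo install -d -m 640 -o root -g root \
		/etc/initramfs-tools/root \
		/etc/initramfs-tools/root/.ssh
	# Collect the ssh keys of every member of the sudo group first and install
	# them second: a member without etc/ssh/authorized_keys now aborts the rule
	# (set -e on the failed assignment) instead of silently producing a
	# truncated keys file, which the former pipeline straight into install(1)
	# allowed since sh has no pipefail. Home directories come from the passwd
	# database rather than an eval of "~$user".
	local keys
	keys=$(
		getent group sudo |
		while IFS=: read -r group x x users
		do printf '%s\n' "$users" | tr , '\n' |
		   while IFS= read -r user
		   do [ -n "$user" ] || continue
		      home=$(getent passwd "$user" | cut -d: -f6)
		      cat "${home:?no home directory for $user}"/etc/ssh/authorized_keys
		   done
		done
	)
	[ -n "$keys" ] || warn "no ssh key found for the sudo group: the initramfs will not be unlockable over ssh"
	printf '%s\n' "$keys" |
	sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys
	sudo rm -f \
		/etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
		/etc/initramfs-tools/root/.ssh/id_rsa.pub \
		/etc/initramfs-tools/root/.ssh/id_rsa
	# NOTE: clefs générées par Debian
	sudo update-initramfs -u
}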
rule_locale_configure () {
	# Only fr_FR.UTF-8 is generated; update-locale refreshes the system default.
	printf '%s\n' 'fr_FR.UTF-8 UTF-8' |
	sudo install -m 644 -o root -g root /dev/stdin /etc/locale.gen
	sudo update-locale
}
rule_login_configure () {
# Console logins on the Xen consoles, a sysvinit inittab with a getty on hvc0,
# login.defs, and pam_umask appended to the common session stack.
# securetty: root may log in on hvc0/xvc0; each line is appended only once.
grep -q '^hvc0$' /etc/securetty ||
sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
$(cat /etc/securetty)
hvc0
EOF
grep -q '^xvc0$' /etc/securetty ||
sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
$(cat /etc/securetty)
xvc0
EOF
sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF
# /etc/inittab: init(8) configuration.

# The default runlevel.
id:2:initdefault:

# Boot-time system configuration/initialization script.
# This is run first except when booting in emergency (-b) mode.
si::sysinit:/etc/init.d/rcS

# What to do in single-user mode.
~~:S:wait:/sbin/sulogin

# /etc/init.d executes the S and K scripts upon change
# of runlevel.
#
# Runlevel 0 is halt.
# Runlevel 1 is single-user.
# Runlevels 2-5 are multi-user.
# Runlevel 6 is reboot.

l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fallthrough in case of emergency.
z6:6:respawn:/sbin/sulogin

# What to do when CTRL-ALT-DEL is pressed.
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

# What to do when the power fails/returns.
pf::powerwait:/etc/init.d/powerfail start
pn::powerfailnow:/etc/init.d/powerfail now
po::powerokwait:/etc/init.d/powerfail stop

# Xen hypervisor console
hvc:2345:respawn:/sbin/getty 38400 hvc0
#xvc:2345:respawn:/sbin/getty 38400 xvc0
EOF
# login.defs: UMASK 007 and sbin in every user's PATH are deliberate (see the
# NOTEs inside); password hashes use SHA512, 3 login retries.
sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF
MAIL_DIR /var/mail
FAILLOG_ENAB yes
LOG_UNKFAIL_ENAB no
LOG_OK_LOGINS no
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
FTMP_FILE /var/log/btmp
SU_NAME su
HUSHLOGIN_FILE .hushlogin
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# NOTE: met les sbin/ dans ENV_PATH ;
# - ça n'apporte aucune protection de ne pas les mettre ;
# - ça frustre de ne pas les trouver.
TTYGROUP tty
TTYPERM 0600
ERASECHAR 0177
KILLCHAR 025
UMASK 007
# NOTE: rwxrwx--- ;
# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
GID_MIN 1000
GID_MAX 60000
LOGIN_RETRIES 3
LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
DEFAULT_HOME yes
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
EOF
# pam_umask makes the login.defs UMASK apply to PAM sessions too. The line is
# appended after the pam-auth-update managed block -- NOTE(review): a later
# pam-auth-update run may rewrite that file; confirm the line survives it.
grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF
$(cat /etc/pam.d/common-session)
session optional pam_umask.so
EOF
}
rule_procmail_configure () {
	# Per-user mail tree in /etc/skel (group adm) plus the default procmailrc.
	rule apt_get_install procmail
	local dir
	for dir in etc/mail var/cache/mail var/log/mail var/mail
	do sudo install -d -m 770 -o root -g adm /etc/skel/"$dir"
	done
	sudo install -m 660 -o root -g adm \
		"$tool"/etc/skel/etc/mail/delivery.procmailrc \
		/etc/skel/etc/mail/delivery.procmailrc
}
rule_postgrey_configure () {
	# Greylisting daemon; restarted so a fresh install picks up its files.
	rule apt_get_install postgrey &&
	sudo service postgrey restart
}
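rule_postfix_configure () {
	# Postfix for $vm_domainname: TLS material from var/pub/x509, lookup tables
	# from etc/postfix/$vm_domainname, and main.cf assembled from a few
	# host-specific settings followed by the repository's main.cf.
	local hint="run vm_remote postfix_key_send before"
	assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
	warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
	rule apt_get_install postfix
	# (The directory tree and the crt+crl.self-signed.pem install were each
	# written twice; the duplicates are dropped, the result is identical.)
	sudo install -d -m 770 -o root -g root \
		/etc/postfix/$vm_domainname/ \
		/etc/postfix/$vm_domainname/smtp \
		/etc/postfix/$vm_domainname/smtp/x509 \
		/etc/postfix/$vm_domainname/smtp/x509/ca \
		/etc/postfix/$vm_domainname/smtpd \
		/etc/postfix/$vm_domainname/smtpd/x509 \
		/etc/postfix/$vm_domainname/smtpd/x509/ca
	sudo ln -fns \
		../crt+crl.self-signed.pem \
		/etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
	# NOTE(review): source paths are relative (var/pub/..., etc/postfix/...)
	# while rule_dovecot_configure spells "$tool"/var/pub; presumably the rule
	# runner chdirs to $tool -- confirm in lib/rule.sh.
	sudo install -m 400 -o root -g root \
		var/pub/x509/service/smtpd/crt+crl.self-signed.pem \
		/etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
	sudo install -m 400 -o root -g root \
		var/pub/x509/service/smtpd/crt.pem \
		/etc/postfix/$vm_domainname/smtpd/x509/crt.pem
	sudo install -m 400 -o root -g root \
		var/pub/x509/service/smtpd/crt+root.pem \
		/etc/postfix/$vm_domainname/smtpd/x509/crt+root.pem
	sudo install -m 660 -o root -g root \
		etc/postfix/$vm_domainname/header_checks \
		/etc/postfix/$vm_domainname/header_checks
	sudo install -m 664 -o root -g root \
		etc/aliases \
		/etc/aliases
	sudo newaliases
	# Host-specific settings first, then the shared main.cf, into one file.
	cat /dev/stdin etc/postfix/main.cf <<-EOF |
	mydomain = $vm_domainname
	myorigin = \$mydomain
	myhostname = $vm_hostname.\$mydomain
	mail_name = \$myhostname
	mydestination = $vm_hostname \$myhostname \$myorigin
	EOF
	sudo install -m 664 -o root -g root /dev/stdin \
		/etc/postfix/main.cf
	sudo install -m 664 -o root -g root \
		etc/postfix/master.cf \
		/etc/postfix/master.cf
	# Lookup tables: each one is installed, then compiled with postmap.
	local table
	for table in smtp/x509/policy smtpd/sender_access smtpd/client_blacklist \
		smtpd/relay_clientcerts transport virtual_alias
	do sudo install -m 660 -o root -g root \
			etc/postfix/$vm_domainname/"$table" \
			/etc/postfix/$vm_domainname/"$table"
	   sudo postmap hash:/etc/postfix/$vm_domainname/"$table"
	done
	# header_checks is a regexp table: installed as-is, no postmap.
	sudo install -m 660 -o root -g root \
		etc/postfix/$vm_domainname/smtp/header_checks \
		/etc/postfix/$vm_domainname/smtp/header_checks
	sudo service postfix restart
}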
rule_mail_configure () {
	# The whole mail stack, in this order: MTA, greylisting, delivery, IMAP.
	local part
	for part in postfix postgrey procmail dovecot
	do rule "${part}_configure"
	done
}
rule_network_configure () {
# Hostname, a loopback /etc/hosts entry (added once), and a static /32 on
# eth0 (renamed "grenode") with the gateway on the same address.
sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
$vm
EOF
grep -q " $vm\$" /etc/hosts ||
sudo install -m 644 -o root -g root /dev/stdin /etc/hosts <<-EOF
$(cat /etc/hosts)
127.0.0.1 $vm_fqdn $vm
EOF
# The ping transcript in the file documents why the MTU is 1300 on this
# network; $IFACE is escaped so ifupdown, not this script, expands it.
sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF
auto lo
iface lo inet loopback

auto eth0=grenode
iface grenode inet static
address $vm_ipv4
gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
network $vm_ipv4
broadcast $vm_ipv4
netmask 255.255.255.255
mtu 1300
# NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
# car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
#
# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
# PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
# 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
#
# --- soupirail.grenode.net ping statistics ---
# 1 packets transmitted, 1 received, 0% packet loss, time 0ms
# rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
# PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
# From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
#
# --- soupirail.grenode.net ping statistics ---
# 0 packets transmitted, 0 received, +1 errors
post-up ip address add $vm_ipv4/32 dev \$IFACE
pre-down ip address delete $vm_ipv4/32 dev \$IFACE
EOF
}
rule_ssh_configure () {
# Host key: regenerate the RSA host key only when the repository's known_hosts
# has no entry for $vm_fqdn ending in " RSA" (presumably the comment this
# repository puts on host keys -- confirm); DSA/ECDSA keys are removed so only
# the RSA key is ever offered. Then sshd_config, then a restart.
ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
( while IFS= read -r line
do case $line in (*" RSA") return 0; break;; esac
done; return 1 ) ||
sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
sudo rm -f \
/etc/ssh/ssh_host_dsa_key \
/etc/ssh/ssh_host_dsa_key.pub \
/etc/ssh/ssh_host_ecdsa_key \
/etc/ssh/ssh_host_ecdsa_key.pub
# NOTE: clefs générées par Debian
# Key-only access: PasswordAuthentication and ChallengeResponseAuthentication
# are off, keys are read from %h/etc/ssh/authorized_keys (the layout
# rule_user_configure and rule_user_admin_add create), only the RSA host key
# is served, and sshd listens on $vm_ipv4 only.
# NOTE(review): PermitRootLogin yes is therefore key-only in practice;
# "without-password" (prohibit-password on newer OpenSSH) would say so
# explicitly and survive a later change of the password settings.
# NOTE(review): KeyRegenerationInterval, ServerKeyBits, RSAAuthentication and
# RhostsRSAAuthentication are protocol-1 options, inert with "Protocol 2" and
# reported as deprecated or refused by recent OpenSSH -- confirm against the
# target release.
sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
Port 22
ListenAddress $vm_ipv4
#ListenAddress ::
Protocol 2
Compression yes
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/etc/ssh/authorized_keys
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
DebianBanner no
PrintLastLog yes
TCPKeepAlive yes
ClientAliveInterval 0
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
EOF
sudo service ssh restart
}
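rule_user_admin_add () { # SYNTAX: $user
	# Create $user without a password, add it to the sudo group, install its
	# public ssh key from var/pub/ssh and import the project's OpenPGP keys,
	# then refresh the places (initramfs, root) that aggregate admin keys.
	local user="$1"
	id "$user" >/dev/null ||
	sudo adduser --disabled-password "$user"
	# NOTE: le mot-de-passe doit être initialisé par l'utilisateur à l'aide de passwd-init .
	# Home directory from the passwd database instead of an eval of "~$user";
	# abort when it is unknown rather than fall through to an empty $home,
	# which would turn the target below into /etc/ssh/authorized_keys.
	local home
	home=$(getent passwd "$user" | cut -d: -f6)
	: "${home:?no home directory for $user}"
	sudo adduser "$user" sudo
	# Root-owned and 640: presumably the key set is meant to be managed from
	# this repository, not editable by the user -- confirm.
	sudo install -m 640 -o root -g root \
		"$tool"/var/pub/ssh/"$user".key \
		"$home"/etc/ssh/authorized_keys
	# Globbing is re-enabled for this function only (set -f is global).
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo -u "$user" gpg --import "$key"
	done
	rule user_admin_configure
}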
rule_user_admin_configure () {
	# An admin's ssh key must reach both the initramfs (dropbear) and root.
	rule initramfs_configure &&
	rule user_root_configure
}
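rule_user_configure () {
	# Skeleton for new accounts (ssh/gpg config under ~/etc), the sudoers
	# fragments that let users set their own initial password and query
	# etckeeper, and the passwd-init helper.
	sudo install -d -m 750 -o root -g adm \
		/etc/skel/etc \
		/etc/skel/etc/ssh
	sudo install -d -m 770 -o root -g adm \
		/etc/skel/etc/apache2 \
		/etc/skel/var \
		/etc/skel/var/log \
		/etc/skel/var/cache \
		/etc/skel/var/cache/ssh
	sudo ln -fns etc/ssh /etc/skel/.ssh
	sudo ln -fns etc/gpg /etc/skel/.gnupg
	# sudoers fragments are installed 440, the mode sudoers(5) expects; the
	# former 640 (owner-writable) makes sudo reject the file.
	# NOTE(review): in sudoers(5) a "*" inside command arguments is a
	# wildcard matching any text, so this NOPASSWD rule matches more command
	# lines than the exact one passwd-init runs; sudoers(5) advises against
	# wildcards in arguments -- consider a dedicated wrapper script as the
	# Cmnd instead.
	sudo install -m 440 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
	%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
	case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
	("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
	EOF
	sudo install -m 440 -o root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF
	%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
	EOF
	sudo install -m 440 -o root -g root /dev/stdin /etc/sudoers.d/env_keep <<-EOF
	Defaults env_keep = " \\
	EDITOR \\
	GIT_AUTHOR_NAME \\
	GIT_AUTHOR_EMAIL \\
	GIT_COMMITTER_NAME \\
	GIT_COMMITTER_EMAIL \\
	"
	EOF
	# passwd-init only acts while the account's password is locked ("L"), so
	# it cannot be used to change an already-set password without the old one.
	sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF
	#!/bin/sh -efu
	# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
	sudo /bin/sh -e -f -u -c \
	'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
	EOF
	sudo install -m 644 -o root -g root \
		etc/bash.bashrc \
		/etc/bash.bashrc
	sudo install -m 644 -o root -g root \
		etc/screenrc \
		/etc/screenrc
}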
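rule_user_root_configure () {
	# Root's ssh/gpg configuration lives under /root/etc (group adm); its
	# authorized_keys is the union of the sudo group members' keys.
	sudo install -d -m 750 -o root -g adm \
		/root/etc \
		/root/etc/ssh \
		/root/etc/gpg
	sudo ln -fns etc/gpg /root/.gnupg
	sudo ln -fns etc/ssh /root/.ssh
	# Collect the keys first and install them second: a sudo member without
	# etc/ssh/authorized_keys now aborts the rule (set -e on the failed
	# assignment) instead of silently leaving root with a truncated keys file,
	# which the former pipeline straight into install(1) allowed since sh has
	# no pipefail. Home directories come from the passwd database rather than
	# an eval of "~$user".
	local keys
	keys=$(
		getent group sudo |
		while IFS=: read -r group x x users
		do printf '%s\n' "$users" | tr , '\n' |
		   while IFS= read -r user
		   do [ -n "$user" ] || continue
		      home=$(getent passwd "$user" | cut -d: -f6)
		      cat "${home:?no home directory for $user}"/etc/ssh/authorized_keys
		   done
		done
	)
	[ -n "$keys" ] || warn "no ssh key found for the sudo group: root will not be reachable over ssh"
	printf '%s\n' "$keys" |
	sudo install -m 640 -o root -g root /dev/stdin /root/etc/ssh/authorized_keys
	# Globbing is re-enabled for this function only (set -f is global).
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo gpg --import "$key"
	done
}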
rule_configure () {
	# Complete setup of the hosted VM, in dependency order: package sources
	# first, boot and per-user pieces last.
	local step
	for step in apt git etckeeper locale network filesystem login ssh user_root boot user
	do rule "${step}_configure"
	done
}
rule_luks_key_change () {
	# Interactive: cryptsetup asks for a current passphrase of the root
	# volume, then for the new one. The other volumes derive their key from
	# this one (keyscript=decrypt_derived in /etc/crypttab), so only this
	# passphrase ever needs changing.
	local root_lv
	root_lv=/dev/$vm_lvm_vg/${vm_lvm_lv}_root
	sudo cryptsetup luksChangeKey "$root_lv"
}
# Dispatch: first argument is the rule name (default: help), the rest are
# passed to it. Every rule but help must run on the VM itself.
rule=${1:-help}
if [ $# -gt 0 ]
then shift
fi
if [ "$rule" != help ]
then assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
fi
rule $rule "$@"