#!/bin/sh
# vm_hosted: rules to administer the VM from inside the hosted VM itself
# (rule_help below prints the user-facing description).
# -e: stop at the first failing command; -f: no pathname globbing (rules that
# need a glob re-enable it locally with `set +f`); -u: unset variables are
# errors. When DRY_RUN is set and non-empty, -n is added as well: the shell
# then only reads the script, nothing is executed.
set -e -f ${DRY_RUN:+-n} -u
# Locate the checkout holding this script by following symlinks from $0.
# NOTE(review): a relative readlink result would be interpreted relative to
# the cwd, not to the link's directory; the links rule_git_configure creates
# are absolute. $0 must contain a slash for `${tool%/*}` to yield a directory.
tool=$0
while test -L "$tool"
do tool=$(readlink "$tool")
done
tool=${tool%/*}
# rule, warn and assert used below presumably come from lib/rule.sh, the vm_*
# variables (and further rule_* definitions) from etc/vm.sh.
. "$tool"/lib/rule.sh
. "$tool"/etc/vm.sh

# Print the usage text on stderr. The RULES section is generated by scanning
# this file and etc/vm.sh for `rule_NAME () { # comment` lines, so a comment
# on a rule's definition line is user-visible help text, not a private note;
# ENVIRONMENT is built the same way from `readonly NAME=${...} # comment` lines.
rule_help () { # SYNTAX: [--hidden]
  # Without an argument $hidden is set and the sed pattern requires a first
  # character other than `_`, which hides the rule__* rules; any argument
  # (--hidden) lists them too.
  local hidden; [ ${1:+set} ] || hidden=set
  cat >&2 <<-EOF
DESCRIPTION:
ce script regroupe des règles pour administrer la VM ($vm_fqdn)
_depuis_ la VM hébergée ($vm_fqdn) ;
il sert à la fois d'outil (aisément bidouillable)
et de documentation (préçise).
Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
SYNTAX: $0 \$RULE \${RULE}_SYNTAX
RULES:
$(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
ENVIRONMENT:
TRACE # affiche les commandes avant leur exécution
$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
EOF
}

# Point the checkout's master branch at its own remote-tracking ref and
# expose this script system-wide as /usr/local/sbin/vm_hosted and
# /usr/local/sbin/vm (absolute symlinks, so they work from any cwd).
rule_git_configure () {
  (
    cd "$tool"
    git config --replace branch.master.remote .
    git config --replace branch.master.merge refs/remotes/master
    # Absolute path of the checkout for the symlink targets.
    local abs_tool
    abs_tool=$(cd "$tool" && pwd)
    local link
    for link in vm_hosted vm
    do sudo ln -fns "$abs_tool"/vm_hosted /usr/local/sbin/"$link"
    done
  )
}
# Hard-reset the checkout to the remote-tracking master and remove every
# untracked file, ignored ones included (git clean -x): local edits are lost.
rule_git_reset () {
  (
    cd "$tool" &&
    git checkout -f -B master remotes/master &&
    git clean -f -d -x
  )
}

# Install the packages named on the command line with apt-get unless dpkg
# already reports $1 as "install ok installed" (only $1 is checked).
# When etckeeper is present and reports /etc unclean, a warning is printed
# first; the installation still proceeds.
rule_apt_get_install () { # SYNTAX: $package
  local status
  status=$(dpkg -s "$1" 2>/dev/null | grep '^Status: ') || status=
  if [ "$status" = "Status: install ok installed" ]
  then return 0
  fi
  # A `||` chain is not fatal under `set -e`; warn presumably returns 0.
  test ! -x /usr/bin/etckeeper ||
  ! sudo etckeeper unclean ||
  warn "/etc unclean: etckeeper may force you to \`etckeeper commit'; then you can run your $0 command again."
  sudo apt-get install "$@"
}

# Hidden rule (double underscore): force a C locale and re-read /etc/profile
# into the current shell. The author's note on the definition line questions
# whether it is still needed.
rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
  LANG=C
  LC_CTYPE=C
  export LANG LC_CTYPE
  . /etc/profile
}

# Write the APT sources (Debian $vm_lsb_name from the French mirror, a
# commented-out backports source, the OpenERP nightly repository) and the
# pinning preferences, refresh the package lists and install apticron so that
# pending updates are mailed to admin@$vm_domainname.
rule_apt_configure () {
  # NOTE(review): 0660 root:root makes the sources unreadable by unprivileged
  # users; apt itself runs as root so updates work, but user-level
  # `apt-cache policy` would not see them — confirm this is intended.
  sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
EOF
  # NOTE(review): written directly under /etc/apt/, not sources.list.d/, so
  # apt would not read it even once the line is uncommented — confirm.
  sudo install -m 660 -o root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF
#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
EOF
  # Backports (200) are pinned above the release itself (170).
  sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
Package: *
Pin: release a=$vm_lsb_name
Pin-Priority: 170

Package: *
Pin: release a=$vm_lsb_name-backports
Pin-Priority: 200
EOF
  # NOTE(review): third-party repository over plain http and no signing key
  # is installed by this rule; confirm how its packages are authenticated.
  sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
deb http://nightly.openerp.com/trunk/nightly/deb/ ./
EOF
  sudo apt-get update
  rule apt_get_install apticron
  # Only EMAIL is set; the commented lines document apticron's other options.
  sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF
EMAIL="admin@$vm_domainname"
# DIFF_ONLY="1"
# LISTCHANGES_PROFILE="apticron"
# ALL_FQDNS="1"
# SYSTEM="foobar.example.com"
# IPADDRESSNUM="1"
# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
# NOTIFY_HOLDS="0"
# NOTIFY_NEW="0"
# NOTIFY_NO_UPDATES="0"
# CUSTOM_SUBJECT=""
# CUSTOM_NO_UPDATES_SUBJECT=""
# CUSTOM_FROM="root@$vm_fqdn"
EOF
}
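# Install GRUB and the kernel, write /etc/default/grub and the Xen device map,
# run update-grub2 and rebuild the initramfs.
rule_boot_configure () {
  warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
  rule apt_get_install grub-pc
  # 0755: a directory needs the search bit; the previous 0644 only worked
  # because root bypasses it, and left /boot/grub unlistable for other users.
  sudo install -d -m 755 -o root -g root /boot/grub
  rule apt_get_install linux-image-$vm_arch
  # Kernel command line: serial console on the Xen hvc0, static ip= with the
  # gateway at the VM's own address (see rule_network_configure), resume from
  # the encrypted swap mapping. NOTE(review): resume= uses ${vm}_swap_deciphered
  # while /etc/crypttab (rule_filesystem_configure) names
  # ${vm_lvm_lv}_swap_deciphered — confirm both expand to the same name.
  sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
GRUB_DISABLE_RECOVERY="true"
#GRUB_PRELOAD_MODULES="lvm"
EOF
  # device-mapper doubles every `-` of a VG/LV name in the mapper path, hence
  # the sed. Both lines map (hd0); update-grub2 reads this file (author's NOTE).
  sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF
(hd0) /dev/xvda
(hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
EOF
  sudo update-grub2 # NOTE: prend en compte /boot/grub/device.map
  rule initramfs_configure
}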
# Install Dovecot (IMAP, ManageSieve, Sieve) and configure it for
# $vm_domainname: TLS with client-certificate authentication against the
# repository's self-signed certificate, a per-user passwd file, Maildir under
# ~/var/mail with index/control data on quota-free paths, and a helper that
# lets users set their own Dovecot password.
rule_dovecot_configure () {
  rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
  # The private key is delivered by a host-side rule; assert (presumably from
  # lib/rule.sh) evaluates the test and reports $hint when it fails.
  local hint="run vm_remote dovecot_key_send before"
  assert "test -f /etc/dovecot/$vm_domainname/imap/x509/key.pem" hint
  # Certificate + CRL, root-only; the same file is used as ssl_ca below.
  sudo install -m 400 -o root -g root \
    "$tool"/var/pub/x509/service/imap/crt+crl.self-signed.pem \
    /etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
  # Per-user mail/sieve layout copied into new home directories.
  sudo install -d -m 770 -o root -g adm \
    /etc/skel/etc/mail \
    /etc/skel/etc/sieve
  # INDEX/CONTROL live outside the quota-enforced home (see the NOTE in
  # local.conf); 1777 lets every user create their own %u entry there.
  sudo install -d -m 1777 -o root -g root \
    /var/lib/dovecot-control \
    /var/lib/dovecot-index
  # NOTE(review): ssl_cipher_list pins a single CBC/SHA-1 suite and
  # mail_debug is on; revisit both when this file is next touched.
  sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
auth_ssl_username_from_cert = yes
listen = *
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_debug = yes
mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
# NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
# VOIR: http://wiki2.dovecot.org/Quota/FS
mail_plugins = \$mail_plugins quota
mail_privileged_group = mail
passdb {
args = /home/%u/etc/dovecot/passwd
driver = passwd-file
}
plugin {
quota = fs:user
recipient_delimiter = +
sieve = ~/etc/mail/filter.sieve
sieve_dir = ~/etc/mail/sieve
sieve_global_dir = /var/lib/dovecot/sieve/global/
sieve_max_script_size = 1M
sieve_quota_max_scripts = 0
sieve_quota_max_storage = 10M
sieve_user_log = ~/var/log/mail/sieve.log
}
protocol imap {
mail_plugins = \$mail_plugins imap_quota
}
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
hostname = $vm_domainname
info_log_path =
log_path =
mail_plugins = \$mail_plugins sieve
postmaster_address = contact+dovecot+lda@$vm_domainname
syslog_facility = mail
}
protocols = imap sieve
service auth {
user = root
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
ssl_cipher_list = AES256-SHA
ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
ssl_verify_client_cert = yes
userdb {
driver = passwd
}
verbose_ssl = no
EOF
  # Self-service helper: writes a SHA512-CRYPT entry for \$USER into
  # ~/etc/dovecot/passwd (the passdb file above); doveadm pw prompts for the
  # password. With `sh -x` only the commands are traced, not the content of
  # the inner here-document.
  sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
#!/bin/sh -efux
# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
install -d -m 770 ~/etc/dovecot
install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
\$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
_EOF
EOF
  # Empty local recipient whitelist for postgrey, kept as a managed file.
  sudo install -m 664 -o root -g root /dev/stdin /etc/postgrey/whitelist_recipients.local <<-EOF
EOF
  sudo service dovecot restart
}
# Configure etckeeper to track /etc in git — no daily autocommit and no
# automatic commit before package installs (rule_apt_get_install warns about
# an unclean /etc instead) — install the repository's prompt.sh, then the
# package itself. NOTE(review): the configuration is written before the
# package is installed; confirm dpkg does not prompt about the existing
# conffile on a fresh install.
rule_etckeeper_configure () {
  sudo install -m 644 -o root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
VCS=git
GIT_COMMIT_OPTIONS=""
AVOID_DAILY_AUTOCOMMITS=1
#AVOID_SPECIAL_FILE_WARNING=1
AVOID_COMMIT_BEFORE_INSTALL=1
HIGHLEVEL_PACKAGE_MANAGER=apt
LOWLEVEL_PACKAGE_MANAGER=dpkg
EOF
  sudo install -m 644 -o root -g root \
    "$tool"/etc/etckeeper/prompt.sh \
    /etc/etckeeper/prompt.sh
  rule apt_get_install etckeeper
}
# Write /etc/fstab, /etc/crypttab and a sysctl snippet for the LUKS-on-LVM
# layout: the root volume is unlocked with a passphrase and the var, home and
# swap volumes take their key from it through decrypt_derived; the encrypted
# swap mapping is what resume= in rule_boot_configure points at.
rule_filesystem_configure () {
  # /tmp is a size-limited tmpfs mounted nosuid,nodev; /home carries user and
  # group quotas (presumably what Dovecot's `quota = fs:user` relies on).
  sudo install -m 644 -o root -g root /dev/stdin /etc/fstab <<-EOF
# <file system> <mount point> <type> <options> <dump> <pass>
LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
# NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
EOF
  # Third column is the key: `none` prompts for the root passphrase; the
  # other volumes name the unlocked root mapping and use the decrypt_derived
  # keyscript, so a single passphrase opens all four.
  sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF
# <target name> <source device> <key file> <options>
${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
EOF
  # NOTE(review): sysctl(8) is not guaranteed to strip the trailing `# NOTE`
  # comment on the swappiness line; confirm the value is applied after boot.
  sudo install -m 644 -o root -g root /dev/stdin /etc/sysctl.d/local-swap.conf <<-EOF
vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité
vm.vfs_cache_pressure=50
EOF
}
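# Configure initramfs-tools for a Xen PV guest with an encrypted root: module
# lists, a dropbear SSH host key for remote unlocking, the authorized_keys of
# every sudo-group member for the initramfs root account, then rebuild the image.
rule_initramfs_configure () {
  sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
MODULES=most
BUSYBOX=y
KEYMAP=y
COMPRESS=gzip
DEVICE=eth0
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/modprobe.d/xen-pv.conf <<-EOF
alias eth0 xennet
alias scsi_hostadapter xenblk
EOF
  # Hash and cipher modules needed to open the LUKS volumes early.
  sudo install -m 644 -o root -g root /dev/stdin /etc/modules <<-EOF
sha1_generic
sha256_generic
sha512_generic
aes-x86_64
xts
# NOTE: pour Xen en mode HVM :
#modprobe xen-platform-pci
EOF
  sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF
EOF
  # Stop Debian's dropbear hook from backgrounding configure_networking, so
  # dropbear only starts once the network is up (author's NOTE calls this a
  # bug workaround). The sed is idempotent: a no-op once the ` &` is gone.
  sudo sed -e '/^configure_networking /s/ &$//' \
    -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
  # Generate a 4096-bit RSA dropbear host key only when the repository's
  # known_hosts holds no RSA entry for init.$vm_fqdn (the initramfs SSH
  # identity), so an already-distributed key is not silently replaced.
  ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
  grep -q ' RSA$' ||
  {
    sudo rm -f \
      /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
      /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
    sudo dropbearkey -t rsa -s 4096 -f \
      /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
  }
  # NOTE: dropbear_dss_host_key is left alone; Debian generates and uses it anyway.
  # Root-only directories (0640 has no search bit; root bypasses it).
  sudo install -d -m 640 -o root -g root \
    /etc/initramfs-tools/root \
    /etc/initramfs-tools/root/.ssh
  # Concatenate ~/etc/ssh/authorized_keys of every sudo-group member. Home
  # directories are looked up in the passwd database instead of `eval`-ing a
  # tilde expansion, so a user name is never parsed as shell code.
  # NOTE(review): a failing lookup/cat ends the loop, but the pipeline's
  # status is install's, so a partial file could still be written.
  getent group sudo |
  while IFS=: read -r group x x users
  do while test -n "$users" && IFS=, read -r user users <<-EOF
$users
EOF
    do local home
      home=$(getent passwd "$user" | cut -d : -f 6)
      test -n "$home"
      cat "$home"/etc/ssh/authorized_keys
    done
  done |
  sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys
  # Remove the client key pair Debian generates for the initramfs root.
  sudo rm -f \
    /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
    /etc/initramfs-tools/root/.ssh/id_rsa.pub \
    /etc/initramfs-tools/root/.ssh/id_rsa
  # NOTE: keys generated by Debian
  sudo update-initramfs -u
}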
# Declare fr_FR.UTF-8 as the only locale to build and refresh /etc/default/locale.
# NOTE(review): update-locale only rewrites /etc/default/locale; confirm that
# locale-gen runs elsewhere so the locale listed here actually gets built.
rule_locale_configure () {
  local locale='fr_FR.UTF-8 UTF-8'
  printf '%s\n' "$locale" |
  sudo install -m 644 -o root -g root /dev/stdin /etc/locale.gen
  sudo update-locale
}
# Console and login policy for the Xen guest: allow root on the hvc0/xvc0
# consoles, write a sysvinit inittab with a getty on hvc0, replace
# /etc/login.defs and add pam_umask to every session.
rule_login_configure () {
  # Each securetty edit appends one line, only if it is missing; the
  # here-document re-emits the current content first.
  grep -q '^hvc0$' /etc/securetty ||
  sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
$(cat /etc/securetty)
hvc0
EOF
  grep -q '^xvc0$' /etc/securetty ||
  sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
$(cat /etc/securetty)
xvc0
EOF
  # Stock sysvinit inittab except for the getty: only the Xen console hvc0
  # (xvc0 kept commented out).
  sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF
# /etc/inittab: init(8) configuration.

# The default runlevel.
id:2:initdefault:

# Boot-time system configuration/initialization script.
# This is run first except when booting in emergency (-b) mode.
si::sysinit:/etc/init.d/rcS

# What to do in single-user mode.
~~:S:wait:/sbin/sulogin

# /etc/init.d executes the S and K scripts upon change
# of runlevel.
#
# Runlevel 0 is halt.
# Runlevel 1 is single-user.
# Runlevels 2-5 are multi-user.
# Runlevel 6 is reboot.

l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fallthrough in case of emergency.
z6:6:respawn:/sbin/sulogin

# What to do when CTRL-ALT-DEL is pressed.
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

# What to do when the power fails/returns.
pf::powerwait:/etc/init.d/powerfail start
pn::powerfailnow:/etc/init.d/powerfail now
po::powerokwait:/etc/init.d/powerfail stop

# Xen hypervisor console
hvc:2345:respawn:/sbin/getty 38400 hvc0
#xvc:2345:respawn:/sbin/getty 38400 xvc0
EOF
  # The whole file is replaced, so any setting not listed here falls back to
  # shadow's built-in default. Notable choices: sbin directories in every
  # user's PATH and UMASK 007 (both explained by the author's NOTEs), no
  # password expiry (PASS_MAX_DAYS 99999), LOGIN_RETRIES 3, SHA512 hashes.
  sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF
MAIL_DIR /var/mail
FAILLOG_ENAB yes
LOG_UNKFAIL_ENAB no
LOG_OK_LOGINS no
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
FTMP_FILE /var/log/btmp
SU_NAME su
HUSHLOGIN_FILE .hushlogin
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# NOTE: met les sbin/ dans ENV_PATH ;
# - ça n'apporte aucune protection de ne pas les mettre ;
# - ça frustre de ne pas les trouver.
TTYGROUP tty
TTYPERM 0600
ERASECHAR 0177
KILLCHAR 025
UMASK 007
# NOTE: rwxrwx--- ;
# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
GID_MIN 1000
GID_MAX 60000
LOGIN_RETRIES 3
LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
DEFAULT_HOME yes
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
EOF
  # pam_umask (which by default reads UMASK from login.defs) is appended to
  # common-session only once; `\>` is a GNU grep word boundary.
  grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
  sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF
$(cat /etc/pam.d/common-session)
session optional pam_umask.so
EOF
}
# Install procmail and the per-user mail layout copied into new homes:
# directories under /etc/skel plus the repository's delivery.procmailrc.
rule_procmail_configure () {
  rule apt_get_install procmail
  # The function takes no arguments, so "$@" is free to hold the directory list.
  set -- \
    /etc/skel/etc/mail \
    /etc/skel/var/cache/mail \
    /etc/skel/var/log/mail \
    /etc/skel/var/mail
  sudo install -d -m 770 -o root -g adm "$@"
  local rc=etc/mail/delivery.procmailrc
  sudo install -m 660 -o root -g adm "$tool"/etc/skel/"$rc" /etc/skel/"$rc"
}
# Install postgrey (greylisting policy daemon) and restart it so the
# whitelist written by rule_dovecot_configure is picked up.
rule_postgrey_configure () {
  local pkg=postgrey
  rule apt_get_install "$pkg"
  sudo service "$pkg" restart
}
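# Install and configure Postfix for $vm_domainname: TLS material for the
# smtpd (server) and smtp (client) sides, aliases, main.cf and master.cf, and
# the lookup tables from the repository (each compiled with postmap).
# Repository files are addressed through "$tool": the former relative etc/…
# and var/… paths only worked when run from the checkout root, unlike every
# other rule. The duplicated directory creation and certificate install of
# the previous version are gone (they were exact repeats).
rule_postfix_configure () {
  # The private key is delivered by a host-side rule; assert (presumably from
  # lib/rule.sh) evaluates the test and reports $hint when it fails.
  local hint="run vm_remote postfix_key_send before"
  assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
  warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
  rule apt_get_install postfix
  # Keep the postmap-generated *.db out of etckeeper's git history.
  sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
*.db
EOF
  local conf
  conf=/etc/postfix/$vm_domainname
  local src
  src=$tool/etc/postfix/$vm_domainname
  local pub
  pub=$tool/var/pub/x509/service/smtpd
  sudo install -d -m 770 -o root -g root \
    "$conf"/ \
    "$conf"/smtp \
    "$conf"/smtp/x509 \
    "$conf"/smtp/x509/ca \
    "$conf"/smtpd \
    "$conf"/smtpd/x509 \
    "$conf"/smtpd/x509/ca
  # The self-signed certificate doubles as the CA clients are checked against.
  sudo ln -fns \
    ../crt+crl.self-signed.pem \
    "$conf"/smtpd/x509/ca/crt.pem
  local cert
  for cert in crt+crl.self-signed.pem crt.pem crt+root.pem
  do sudo install -m 400 -o root -g root "$pub"/"$cert" "$conf"/smtpd/x509/"$cert"
  done
  sudo install -m 660 -o root -g root \
    "$src"/header_checks \
    "$conf"/header_checks
  sudo install -m 664 -o root -g root \
    "$tool"/etc/postfix/aliases \
    /etc/postfix/aliases
  sudo newaliases -oA/etc/postfix/aliases
  # Site-specific settings are prepended to the repository's main.cf.
  cat /dev/stdin "$tool"/etc/postfix/main.cf <<-EOF |
mydomain = $vm_domainname
myorigin = \$mydomain
myhostname = $vm_hostname.\$mydomain
mail_name = \$myhostname
mydestination = $vm_hostname \$myhostname \$myorigin
EOF
  sudo install -m 664 -o root -g root /dev/stdin \
    /etc/postfix/main.cf
  sudo install -m 664 -o root -g root \
    "$tool"/etc/postfix/master.cf \
    /etc/postfix/master.cf
  # smtp/header_checks is installed as-is (no postmap step, as before).
  sudo install -m 660 -o root -g root \
    "$src"/smtp/header_checks \
    "$conf"/smtp/header_checks
  # Lookup tables: install, then compile each into its hash: map.
  local table
  for table in \
    smtp/x509/policy \
    smtpd/sender_access \
    smtpd/client_blacklist \
    smtpd/relay_clientcerts \
    transport \
    virtual_alias
  do sudo install -m 660 -o root -g root "$src"/"$table" "$conf"/"$table"
    sudo postmap hash:"$conf"/"$table"
  done
  sudo service postfix restart
}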
# Run the mail-related rules in dependency order: postfix first, then
# postgrey, procmail and finally dovecot.
rule_mail_configure () {
  local service
  for service in postfix postgrey procmail dovecot
  do rule "${service}_configure"
  done
}
# Set the host name, make /etc/hosts resolve $vm_fqdn (the dispatcher at the
# bottom asserts that `hostname --fqdn` equals it) and write the static
# network configuration for the Grenode uplink.
rule_network_configure () {
  sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
$vm
EOF
  # Append the loopback entry only once; the current content is re-emitted first.
  grep -q " $vm\$" /etc/hosts ||
  sudo install -m 644 -o root -g root /dev/stdin /etc/hosts <<-EOF
$(cat /etc/hosts)
127.0.0.1 $vm_fqdn $vm
EOF
  # A /32 address whose gateway is the address itself (proxy ARP upstream,
  # see the author's NOTE) and a 1300-byte MTU imposed by the provider's
  # GRE/IPsec tunnels; the ping transcript kept in the file is the
  # measurement behind that value. \$IFACE is left for ifupdown to expand.
  sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF
auto lo
iface lo inet loopback

auto eth0=grenode
iface grenode inet static
address $vm_ipv4
gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
network $vm_ipv4
broadcast $vm_ipv4
netmask 255.255.255.255
mtu 1300
# NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
# car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
#
# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
# PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
# 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
#
# --- soupirail.grenode.net ping statistics ---
# 1 packets transmitted, 1 received, 0% packet loss, time 0ms
# rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
# PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
# From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
#
# --- soupirail.grenode.net ping statistics ---
# 0 packets transmitted, 0 received, +1 errors
post-up ip address add $vm_ipv4/32 dev \$IFACE
pre-down ip address delete $vm_ipv4/32 dev \$IFACE
EOF
}
# Ensure a 4096-bit RSA host key exists, remove the DSA/ECDSA host keys Debian
# generated, write sshd_config and restart sshd.
rule_ssh_configure () {
  # Generate a new RSA host key only when the repository's known_hosts has no
  # RSA entry for $vm_fqdn (`return` inside the subshell ends the subshell with
  # that status). NOTE(review): if the key file already exists, ssh-keygen
  # asks interactively before overwriting it.
  ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
  ( while IFS= read -r line
    do case $line in (*" RSA") return 0; break;; esac
    done; return 1 ) ||
  sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
  sudo rm -f \
    /etc/ssh/ssh_host_dsa_key \
    /etc/ssh/ssh_host_dsa_key.pub \
    /etc/ssh/ssh_host_ecdsa_key \
    /etc/ssh/ssh_host_ecdsa_key.pub
  # NOTE: keys generated by Debian
  # Root may log in, but only with a key: password, challenge-response,
  # Kerberos and GSSAPI authentication are all off, and authorized keys are
  # read from %h/etc/ssh/authorized_keys (the layout rule_user_configure
  # creates in /etc/skel). Only the RSA host key is offered; ServerKeyBits and
  # RSAAuthentication concern protocol 1, which `Protocol 2` disables.
  sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
Port 22
ListenAddress $vm_ipv4
#ListenAddress ::
Protocol 2
Compression yes
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/etc/ssh/authorized_keys
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
DebianBanner no
PrintLastLog yes
TCPKeepAlive yes
ClientAliveInterval 0
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
EOF
  sudo service ssh restart
}
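# Create the admin account $1 (password disabled: the user sets it with
# passwd-init), add it to the sudo group, install its public key from the
# repository as its authorized_keys, import the repository's OpenPGP keys into
# its keyring, then re-run the rules that depend on the admin list.
rule_user_admin_add () { # SYNTAX: $user
  local user
  user=$1
  id "$user" >/dev/null ||
  sudo adduser --disabled-password "$user"
  # NOTE: the password must be initialised by the user with passwd-init.
  # The home directory is looked up in the passwd database instead of
  # `eval`-ing a tilde expansion, so $user is never interpreted as shell code.
  local home
  home=$(getent passwd "$user" | cut -d : -f 6)
  test -n "$home"
  sudo adduser "$user" sudo
  # NOTE(review): installed 0640 root:root; sshd opens authorized_keys with the
  # user's own uid, so confirm the user can actually read this file.
  sudo install -m 640 -o root -g root \
    "$tool"/var/pub/ssh/"$user".key \
    "$home"/etc/ssh/authorized_keys
  # `local -` restores the shell options on return: globbing (off since the
  # script's `set -f`) is re-enabled for this loop only. With no *.key file
  # the literal pattern is passed to gpg, which then fails.
  local key; local -; set +f
  for key in "$tool"/var/pub/openpgp/*.key
  do sudo -u "$user" gpg --import "$key"
  done
  rule user_admin_configure
}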
# Re-run the rules whose output depends on the sudo group's membership:
# the initramfs (dropbear authorized_keys) and root's authorized_keys.
rule_user_admin_configure () {
  local step
  for step in initramfs user_root
  do rule "${step}_configure"
  done
}
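# Per-user layout and self-service tooling: /etc/skel with etc/ssh, etc/apache2
# and var/{log,cache}, .ssh/.gnupg as symlinks into etc/; sudoers drop-ins that
# let sudo members run passwd for themselves without a password while their
# own password is still locked, and run `etckeeper unclean`; the passwd-init
# wrapper; system-wide bash and screen rc files. The rc files are now taken
# from "$tool" rather than cwd-relative etc/ paths, like every other rule.
rule_user_configure () {
  sudo install -d -m 750 -o root -g adm \
    /etc/skel/etc \
    /etc/skel/etc/ssh
  sudo install -d -m 770 -o root -g adm \
    /etc/skel/etc/apache2 \
    /etc/skel/var \
    /etc/skel/var/log \
    /etc/skel/var/cache \
    /etc/skel/var/cache/ssh
  sudo ln -fns etc/ssh /etc/skel/.ssh
  # NOTE(review): /etc/skel/etc/gpg is not created here, so .gnupg is a
  # dangling link in new homes until something creates etc/gpg — confirm
  # `gpg --import` in rule_user_admin_add copes with that.
  sudo ln -fns etc/gpg /etc/skel/.gnupg
  # NOPASSWD applies to this exact command line only: the `case` runs passwd
  # for \$SUDO_USER solely while `passwd --status` reports the account locked
  # ("L"), so a user can set an initial password but not change a live one.
  # It must match what /usr/local/bin/passwd-init below executes; keep the two
  # in sync.
  sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
EOF
  # Lets rule_apt_get_install's unclean check run without a password prompt.
  sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF
%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
EOF
  # `env_keep =` replaces (rather than extends) the kept list: only the editor
  # and the git identity survive sudo.
  sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/env_keep <<-EOF
Defaults env_keep = " \\
EDITOR \\
GIT_AUTHOR_NAME \\
GIT_AUTHOR_EMAIL \\
GIT_COMMITTER_NAME \\
GIT_COMMITTER_EMAIL \\
"
EOF
  # User-facing wrapper for the passwd-init sudoers rule above.
  sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF
#!/bin/sh -efu
# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
sudo /bin/sh -e -f -u -c \
'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
EOF
  sudo install -m 644 -o root -g root \
    "$tool"/etc/bash.bashrc \
    /etc/bash.bashrc
  sudo install -m 644 -o root -g root \
    "$tool"/etc/screenrc \
    /etc/screenrc
}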
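# Create root's etc/ layout (/root/etc/{ssh,gpg} with .ssh and .gnupg as
# symlinks into it), build root's authorized_keys from the keys of every
# sudo-group member and import the repository's OpenPGP keys into root's keyring.
rule_user_root_configure () {
  sudo install -d -m 750 -o root -g adm \
    /root/etc \
    /root/etc/ssh \
    /root/etc/gpg
  sudo ln -fns etc/gpg /root/.gnupg
  sudo ln -fns etc/ssh /root/.ssh
  # Home directories are looked up in the passwd database instead of
  # `eval`-ing a tilde expansion, so a user name is never parsed as shell code.
  # NOTE(review): a failing lookup/cat ends the loop, but the pipeline's
  # status is install's, so a partial authorized_keys could still be written.
  getent group sudo |
  while IFS=: read -r group x x users
  do while test -n "$users" && IFS=, read -r user users <<-EOF
$users
EOF
    do local home
      home=$(getent passwd "$user" | cut -d : -f 6)
      test -n "$home"
      cat "$home"/etc/ssh/authorized_keys
    done
  done |
  sudo install -m 640 -o root -g root /dev/stdin /root/etc/ssh/authorized_keys
  # `local -` restores the shell options on return: globbing (off since the
  # script's `set -f`) is re-enabled for this loop only.
  local key; local -; set +f
  for key in "$tool"/var/pub/openpgp/*.key
  do sudo gpg --import "$key"
  done
}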
# Full configuration of a freshly installed VM; the order matters (apt and
# git first, the boot loader after root's keys, users last).
rule_configure () {
  local step
  for step in \
    apt git etckeeper locale network filesystem \
    login ssh user_root boot user
  do rule "${step}_configure"
  done
}

# Interactively replace a passphrase of the root LUKS volume (cryptsetup
# prompts for the old and the new one). NOTE(review): the var/home/swap
# volumes derive their key with decrypt_derived (see /etc/crypttab), which
# should be unaffected by a passphrase change — confirm.
rule_luks_key_change () {
  local root_lv
  root_lv=/dev/$vm_lvm_vg/${vm_lvm_lv}_root
  sudo cryptsetup luksCh
angeKey "$root_lv"
}

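# Dispatch: the first argument names the rule (default: help). Every rule but
# help first asserts that this really is the hosted VM (`hostname --fqdn`
# must equal $vm_fqdn), since most rules rewrite /etc with sudo.
rule=${1:-help}
# Drop the rule name from "$@" only when one was given.
[ $# -eq 0 ] || shift
if [ "$rule" != help ]
then assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
fi
# Quoted so the rule name is passed as a single word.
rule "$rule" "$@"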