#!/bin/sh
# vm_hosted: administration rules executed *from inside* the hosted VM
# (the host-side counterpart is vm_host). Each "rule_NAME" function below is a
# rule; the dispatcher at the bottom of the file selects one from $1.
# -e: abort on the first failing command, -f: globbing off (re-enabled locally
# where a rule needs it), -u: unset variables are errors; DRY_RUN=1 adds -n, so
# the shell only parses the remainder of the script and executes nothing.
set -e -f ${DRY_RUN:+-n} -u
# Directory of this script: lib/, etc/ and var/ are resolved relative to it.
# NOTE(review): $0 is not symlink-resolved, so when the script is started through
# the /usr/local/sbin link made by rule_bin_configure, $tool may not point at the
# checkout that holds lib/ and etc/ — verify how the link is meant to be used.
tool=${0%/*}
. "$tool"/lib/rule.sh
. "$tool"/etc/vm.sh
. "$tool"/lib/mk.sh
7
rule_help () { # SYNTAX: [--hidden]
# Print the usage text on stderr. Rules are discovered by grepping the
# "rule_NAME () { # SYNTAX: ..." header lines out of etc/vm.sh and this script;
# without --hidden, rules whose name starts with "_" are left out. Documented
# environment variables are the "readonly NAME=..." lines of the same files.
local hidden; [ ${1:+set} ] || hidden=set
cat >&2 <<-EOF
DESCRIPTION:
ce script regroupe des règles pour administrer la VM ($vm_fqdn)
_depuis_ la VM hébergée ($vm_fqdn) ;
il sert à la fois d'outil (aisément bidouillable)
et de documentation (préçise).
Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
SYNTAX: $0 \$RULE \${RULE}_SYNTAX
RULES:
$(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
ENVIRONMENT:
TRACE # affiche les commandes avant leur exécution
$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
EOF
}
25
rule_git_config () {
	# Make the checkout's master branch track the local remote "." on
	# refs/remotes/master, which is what rule_git_reset later resets onto.
	# A subshell keeps the caller's working directory untouched.
	(
		cd "$tool" &&
		git config --replace branch.master.remote . &&
		git config --replace branch.master.merge refs/remotes/master
	)
}
rule_git_reset () {
	# Destructive: force master onto remotes/master, then delete every untracked
	# AND ignored file or directory (-x) in the checkout. Local edits are lost.
	(
		cd "$tool" &&
		git checkout -f -B master remotes/master &&
		git clean -f -d -x
	)
}
40
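rule_apt_get_install () { # SYNTAX: $package
	# Install $1 (and any further packages given) unless dpkg already reports $1
	# as installed. Before the system is modified, uncommitted changes to /etc are
	# flagged through etckeeper when it is present (assert aborts if the tree is unclean).
	# NOTE(review): the original ran `sudo apt-get "$@"`, which passes the package
	# name where apt-get expects its sub-command; this assumes `rule` (lib/rule.sh)
	# forwards the arguments unchanged, as every call site in this file suggests.
	# dpkg -s is noisy on stderr for unknown packages; a failure simply means
	# "not installed" here, so its diagnostics are dropped.
	case $(dpkg -s "$1" 2>/dev/null | grep '^Status: ') in
	("Status: install ok installed");;
	(*)
		test ! -x /usr/bin/etckeeper ||
		assert 'sudo etckeeper unclean'
		sudo apt-get install "$@";;
	esac
}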
50
rule__chrooted_configure () { # NOTE: is this actually useful at any point?
	# Hidden rule (leading underscore): force a C locale for the current shell,
	# then re-read the system profile.
	local var
	for var in LANG LC_CTYPE
	do export "$var"=C
	done
	. /etc/profile
}
56
rule_apt_configure () {
# APT sources and pinning. Plain http is acceptable for integrity (apt checks the
# Release signatures) but gives no confidentiality about what gets installed.
mk_reg mod= own= /etc/apt/sources.list <<-EOF
deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
EOF
mk_reg mod= own= /etc/apt/sources.list.d/$vm_lsb_name-backports.list <<-EOF
#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
EOF
# NOTE(review): the release is pinned at 170 and backports at 200, both BELOW the
# default priority (500) of any unpinned source. Consequences: a package that also
# exists in the third-party repository below wins over Debian's, and backports
# win over the release as soon as that list is uncommented. Debian's customary
# backports pin is 100 (installed only on request) — confirm this is intended.
mk_reg mod= own= /etc/apt/preferences <<-EOF
Package: *
Pin: release a=$vm_lsb_name
Pin-Priority: 170

Package: *
Pin: release a=$vm_lsb_name-backports
Pin-Priority: 200
EOF
# NOTE(review): third-party nightly builds, fetched over plain http, and with the
# highest priority on this system (see the pins above). Nothing in this script
# imports a signing key for it, so apt will warn or refuse depending on its
# version; treat this line as a supply-chain trust decision, not a convenience.
mk_reg mod= own= /etc/apt/sources.list.d/openerp.list <<-EOF
deb http://nightly.openerp.com/trunk/nightly/deb/ ./
EOF
}
rule_apticron_configure () {
	# apticron mails the list of pending upgrades to the address below; every
	# other knob is left at its default, the commented keys only document them.
	# The template contains no shell expansion, hence the quoted delimiter.
	rule apt_get_install apticron
	mk_reg mod=644 own=root:root /etc/apticron/apticron.conf <<-'EOF'
EMAIL="admin@heureux-cyclage.org"
# DIFF_ONLY="1"
# LISTCHANGES_PROFILE="apticron"
# ALL_FQDNS="1"
# SYSTEM="foobar.example.com"
# IPADDRESSNUM="1"
# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
# NOTIFY_HOLDS="0"
# NOTIFY_NEW="0"
# NOTIFY_NO_UPDATES="0"
# CUSTOM_SUBJECT=""
# CUSTOM_NO_UPDATES_SUBJECT=""
# CUSTOM_FROM="root@ateliers.heureux-cyclage.org"
EOF
}
rule_boot_configure () {
# GRUB + kernel for a Xen PV guest. The warning matters: the guest must not write
# a boot sector on any device grub-pc offers during its debconf dialog.
warn "attention à n'installer GRUB sur AUCUN disque proposé !"
rule apt_get_install grub-pc
mk_dir mod=644 own=root:root /boot/grub
rule apt_get_install linux-image-$vm_arch
# Kernel command line: console on the Xen hvc0 console, a static early network
# (ip=) so that the initramfs can run dropbear for remote LUKS unlocking, and
# resume from the encrypted swap mapping.
# NOTE(review): resume= names "${vm}_swap_deciphered" whereas crypttab/fstab
# (rule_filesystem_configure) use "${vm_lvm_lv}_swap_deciphered"; unless
# etc/vm.sh sets both variables to the same value, resume will not find the device.
# NOTE(review): ip= uses a /31 netmask (255.255.255.254) while
# /etc/network/interfaces configures a /32 with proxy ARP on the gateway — verify
# the initramfs network actually reaches the gateway with this mask.
mk_reg mod=644 own=root:root /etc/default/grub <<-EOF
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
GRUB_DISABLE_RECOVERY="true"
#GRUB_PRELOAD_MODULES="lvm"
EOF
# Both the guest-side block device and the host-side LVM mapping are declared
# as (hd0); grub uses this map when update-grub probes devices (see note below).
mk_reg mod=644 own=root:root /boot/grub/device.map <<-EOF
(hd0) /dev/xvda
(hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
EOF
sudo update-grub2 # NOTE: takes /boot/grub/device.map into account
rule initramfs_configure
}
rule_etckeeper_configure () {
	# Track /etc in git through etckeeper. The configuration is written before
	# the package is installed so that the very first commit already uses it.
	# Auto-commit before apt runs is disabled: rule_apt_get_install asserts a clean
	# tree instead, which forces the operator to commit consciously.
	# No shell expansion in the template, hence the quoted delimiter.
	mk_reg mod=644 own=root:root /etc/etckeeper/etckeeper.conf <<-'EOF'
VCS=git
GIT_COMMIT_OPTIONS=""
AVOID_DAILY_AUTOCOMMITS=1
#AVOID_SPECIAL_FILE_WARNING=1
AVOID_COMMIT_BEFORE_INSTALL=1
HIGHLEVEL_PACKAGE_MANAGER=apt
LOWLEVEL_PACKAGE_MANAGER=dpkg
EOF
	rule apt_get_install etckeeper
}
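rule_filesystem_configure () {
	# fstab: an unencrypted ext2 /boot (it holds the kernel, the initramfs and the
	# dropbear material), the encrypted root/var/home/swap through their
	# "*_deciphered" device-mapper names, quotas on /home and a size-capped tmpfs /tmp.
	# NOTE(review): /tmp is nosuid,nodev but not noexec; noexec would be the usual
	# hardening, at the cost of breaking installers that execute from /tmp.
	mk_reg mod=644 own=root:root /etc/fstab <<-EOF
# <file system> <mount point> <type> <options> <dump> <pass>
LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,noatime 0 1
/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,noatime 0 1
/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,noatime,usrquota,grpquota 0 0
/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
EOF
	# crypttab: only the root volume is unlocked with a passphrase (interactively,
	# or remotely through the initramfs dropbear, see rule_initramfs_configure);
	# var, home and swap are unlocked by the decrypt_derived keyscript from the
	# already-open root mapping, so a single passphrase opens everything and the
	# security of the whole disk is that of the root volume's passphrase.
	mk_reg mod=644 own=root:root /etc/crypttab <<-EOF
# <target name> <source device> <key file> <options>
${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
EOF
	# sysctl.d files have no end-of-line comments: the parser takes everything
	# after "=" as the value, so the note is kept on its own line (previously it
	# was appended to the swappiness value and handed to the kernel as part of it).
	mk_reg mod=644 own=root:root /etc/sysctl.d/local-swap.conf <<-EOF
# NOTE: n'utilise le swap qu'en cas d'absolue nécessité
vm.swappiness = 10
vm.vfs_cache_pressure=50
EOF
}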
rule_initramfs_configure () {
# Initramfs for remote unlocking of the encrypted root: Xen PV modules, the
# cipher/hash modules LUKS needs, a dropbear SSH server reachable during early
# boot (network from the ip= kernel argument, see rule_boot_configure) and the
# public keys allowed to connect to it as root.
mk_reg mod=644 own=root:root /etc/initramfs-tools/initramfs.conf <<-EOF
MODULES=most
BUSYBOX=y
KEYMAP=y
COMPRESS=gzip
DEVICE=eth0
EOF
mk_reg mod=644 own=root:root /etc/modprobe.d/xen-pv.conf <<-EOF
alias eth0 xennet
alias scsi_hostadapter xenblk
EOF
mk_reg mod=644 own=root:root /etc/modules <<-EOF
sha1_generic
sha256_generic
sha512_generic
aes-x86_64
xts
# NOTE: pour Xen en mode HVM :
#modprobe xen-platform-pci
EOF
mk_reg mod=644 own=root:root /etc/initramfs-tools/modules <<-EOF
EOF
# NOTE(review): this edits a file owned by the initramfs-tools/dropbear package
# under /usr/share; the change is silently undone by the next package upgrade
# and etckeeper does not track it — a hook under /etc would be durable.
sudo sed -e '/^configure_networking /s/ &$//' \
-i /usr/share/initramfs-tools/scripts/init-premount/dropbear
# NOTE: works around a bug: dropbear must wait for the network to be configured.
# Host key pinning for the early-boot SSH server: the dropbear RSA key is
# regenerated only while the repository's known_hosts has no RSA entry for
# "init.$vm_fqdn". Add the new public key there after the first run, otherwise
# every run produces yet another host key.
ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
( while IFS= read -r line
do case $line in (*" RSA") return 0; break;; esac
done; return 1 ) ||
{
sudo rm -f \
/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
sudo dropbearkey -t rsa -s 4096 -f \
/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
}
# NOTE: does not deal with dropbear_dss_host_key; Debian generates and uses it anyway.
# NOTE(review): 640 on a directory has no execute bit; it only works because root
# ignores DAC — 700 would be the intended mode for these two directories.
mk_dir mod=640 own=root:root \
/etc/initramfs-tools/root \
/etc/initramfs-tools/root/.ssh
# Every member of group sudo may unlock the disk remotely: their
# ~/etc/ssh/authorized_keys are concatenated into the initramfs root account.
# NOTE(review): "~$user" is resolved through eval; usernames come from the group
# database (trusted), but getent passwd would avoid eval altogether.
getent group sudo |
while IFS=: read -r group x x users
do while test -n "$users" && IFS=, read -r user users <<-EOF
$users
EOF
do eval local home\; home="~$user"
cat "$home"/etc/ssh/authorized_keys
done
done |
mk_reg mod=644 own=root:root /etc/initramfs-tools/root/.ssh/authorized_keys
# The client key pair Debian's dropbear package generates for root inside the
# initramfs is not wanted (only inbound connections are needed).
sudo rm -f \
/etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
/etc/initramfs-tools/root/.ssh/id_rsa.pub \
/etc/initramfs-tools/root/.ssh/id_rsa
# NOTE: keys generated by Debian
sudo update-initramfs -u
}
rule_locale_configure () {
	# Generate a single locale (French UTF-8) and refresh /etc/default/locale.
	# No shell expansion in the template, hence the quoted delimiter.
	mk_reg mod=644 own=root:root /etc/locale.gen <<-'EOF'
fr_FR.UTF-8 UTF-8
EOF
	sudo update-locale
}
rule_login_configure () {
# Console login policy: the Xen consoles (hvc0, xvc0) are added to securetty so
# that root may log in on them; sysvinit spawns a getty on hvc0 only.
grep -q '^hvc0$' /etc/securetty ||
mk_reg mod= own= --append /etc/securetty <<-EOF
hvc0
EOF
grep -q '^xvc0$' /etc/securetty ||
mk_reg mod= own= --append /etc/securetty <<-EOF
xvc0
EOF
# Stock Debian sysvinit inittab minus the tty1-6 gettys, plus the hvc0 getty.
# Single-user mode and the runlevel-6 fallthrough both go through sulogin
# (root password required), Ctrl-Alt-Del reboots.
mk_reg mod=644 own=root:root /etc/inittab <<-EOF
# /etc/inittab: init(8) configuration.

# The default runlevel.
id:2:initdefault:

# Boot-time system configuration/initialization script.
# This is run first except when booting in emergency (-b) mode.
si::sysinit:/etc/init.d/rcS

# What to do in single-user mode.
~~:S:wait:/sbin/sulogin

# /etc/init.d executes the S and K scripts upon change
# of runlevel.
#
# Runlevel 0 is halt.
# Runlevel 1 is single-user.
# Runlevels 2-5 are multi-user.
# Runlevel 6 is reboot.

l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fallthrough in case of emergency.
z6:6:respawn:/sbin/sulogin

# What to do when CTRL-ALT-DEL is pressed.
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

# What to do when the power fails/returns.
pf::powerwait:/etc/init.d/powerfail start
pn::powerfailnow:/etc/init.d/powerfail now
po::powerokwait:/etc/init.d/powerfail stop

# Xen hypervisor console
hvc:2345:respawn:/sbin/getty 38400 hvc0
#xvc:2345:respawn:/sbin/getty 38400 xvc0
EOF
# login.defs: failed logins are recorded (FAILLOG_ENAB, btmp), su/sg go to
# syslog, SHA-512 password hashes, 3 attempts / 60 s per login, a group-shared
# umask of 007 (see the note in the file: the owning group is trusted as much as
# the owner so that ACLs work as intended) and private user groups.
# NOTE(review): PASS_MAX_DAYS 99999 disables password ageing; consistent with an
# SSH-key-only policy (passwords serve only for sudo/console), but be aware of it.
mk_reg mod=644 own=root:root /etc/login.defs <<-EOF
MAIL_DIR /var/mail
FAILLOG_ENAB yes
LOG_UNKFAIL_ENAB no
LOG_OK_LOGINS no
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
FTMP_FILE /var/log/btmp
SU_NAME su
HUSHLOGIN_FILE .hushlogin
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# NOTE: met les sbin/ dans ENV_PATH ;
# - ça n'apporte aucune protection de ne pas les mettre ;
# - ça frustre de ne pas les trouver.
TTYGROUP tty
TTYPERM 0600
ERASECHAR 0177
KILLCHAR 025
UMASK 007
# NOTE: rwxrwx--- ;
# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
GID_MIN 1000
GID_MAX 60000
LOGIN_RETRIES 3
LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
DEFAULT_HOME yes
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
EOF
# pam_umask makes the UMASK above apply to every PAM session (ssh included),
# not only to login(1); appended once, idempotently.
grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
mk_reg mod= own= --append /etc/pam.d/common-session <<-EOF
session optional pam_umask.so
EOF
}
rule_network_configure () {
# Hostname, /etc/hosts entry and a single /32 on eth0 whose gateway is the
# address itself: the upstream router answers proxy ARP, so no on-link subnet
# exists and every other address is reached through the gateway. MTU 1300 is
# imposed by the provider's GRE/IPsec tunnels (measurements kept in the file).
mk_reg mod= own= /etc/hostname <<-EOF
$vm
EOF
grep -q " $vm\$" /etc/hosts ||
mk_reg mod= own= --append /etc/hosts <<-EOF
127.0.0.1 $vm_fqdn $vm
EOF
mk_reg mod= own= /etc/network/interfaces <<-EOF
auto lo
iface lo inet loopback

auto eth0=grenode
iface grenode inet static
address $vm_ipv4
gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
network $vm_ipv4
broadcast $vm_ipv4
netmask 255.255.255.255
mtu 1300
# NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
# car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
#
# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
# PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
# 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
#
# --- soupirail.grenode.net ping statistics ---
# 1 packets transmitted, 1 received, 0% packet loss, time 0ms
# rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
# PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
# From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
#
# --- soupirail.grenode.net ping statistics ---
# 0 packets transmitted, 0 received, +1 errors
post-up ip address add $vm_ipv4/32 dev \$IFACE
pre-down ip address delete $vm_ipv4/32 dev \$IFACE
EOF
}
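rule_user_configure () {
	# Skeleton for new accounts (etc/, var/, tmp/ under $HOME; ~/.ssh and ~/.gnupg
	# are links into etc/), the host's single RSA SSH host key, sshd hardening and
	# the sudoers drop-ins that let members of %sudo initialise their own password
	# and mark /etc as dirty for etckeeper without a password.
	mk_dir mod=750 own="root:adm" /etc/skel/etc
	mk_dir mod=770 own="root:adm" /etc/skel/etc/apache2
	mk_dir mod=770 own="root:adm" /etc/skel/etc/ssh
	mk_dir mod=700 own="root:adm" /etc/skel/var
	mk_dir mod=700 own="root:adm" /etc/skel/var/log
	mk_dir mod=700 own="root:adm" /etc/skel/var/cache
	mk_dir mod=700 own="root:adm" /etc/skel/var/cache/ssh
	mk_dir mod=700 own="root:adm" /etc/skel/tmp
	mk_lnk etc/ssh /etc/skel/.ssh
	mk_lnk etc/gpg /etc/skel/.gnupg
	# Host key pinning: the RSA host key is (re)generated only while the
	# repository's known_hosts has no RSA entry for $vm_fqdn. Add the new public
	# key there after the first run, otherwise the next run generates yet another
	# one; ssh-keygen asks before overwriting an existing key file.
	ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	grep -q ' RSA$' ||
	sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
	# Only the pinned RSA key is kept: the DSA/ECDSA keys Debian generated are
	# removed so that sshd can never present a key nobody has pinned.
	sudo rm -f \
	 /etc/ssh/ssh_host_dsa_key \
	 /etc/ssh/ssh_host_dsa_key.pub \
	 /etc/ssh/ssh_host_ecdsa_key \
	 /etc/ssh/ssh_host_ecdsa_key.pub
	# NOTE: keys generated by Debian
	# sshd: public-key authentication only (no passwords, no challenge-response),
	# root allowed with a key only (PasswordAuthentication is already off, this
	# makes the intent explicit and survives a later change of that setting),
	# compression only after authentication (pre-auth compression exposes zlib to
	# anonymous clients on the OpenSSH versions where "yes" still meant that), no
	# X11. The file is root-owned and not group-writable (644, was 664).
	# NOTE: ServerKeyBits, KeyRegenerationInterval, RSAAuthentication and
	# RhostsRSAAuthentication concern protocol 1 only and are inert with
	# "Protocol 2"; recent OpenSSH releases log them as deprecated options.
	mk_reg mod=644 own=root:root /etc/ssh/sshd_config <<-EOF
Port 22
ListenAddress $vm_ipv4
#ListenAddress ::
Protocol 2
Compression delayed
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/etc/ssh/authorized_keys
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
DebianBanner no
PrintLastLog yes
TCPKeepAlive yes
ClientAliveInterval 0
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
EOF
	# Validate the configuration before restarting: sshd is the only remote
	# access path, a typo here would otherwise lock everybody out.
	sudo /usr/sbin/sshd -t
	sudo service ssh restart
	# passwd-init: a member of %sudo may set an initial password on their own
	# account, but only while that account's password is still locked ("L" in
	# passwd --status, as left by adduser --disabled-password). The check runs in
	# the root-owned script below and sudoers only allows that script without
	# arguments (the trailing "" in sudoers means "no arguments"). Previously the
	# whole /bin/sh -c command line was spelled out in sudoers; sudo matches
	# arguments as one glob pattern, so the "*" inside it let any %sudo member
	# run an arbitrary command line as root without a password.
	mk_reg mod=440 own=root:root /etc/sudoers.d/passwd-init <<-'EOF'
%sudo ALL=(ALL) NOPASSWD: /usr/local/sbin/passwd-init ""
EOF
	mk_reg mod=440 own=root:root /etc/sudoers.d/etckeeper-unclean <<-'EOF'
%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
EOF
	# Keep the editor and git identity through sudo so that etckeeper commits
	# are attributed to the administrator rather than to root.
	# NOTE(review): EDITOR from the caller's environment is honoured by root for
	# e.g. "sudo visudo"; acceptable here since %sudo already has full root.
	mk_reg mod=440 own=root:root /etc/sudoers.d/env_keep <<-'EOF'
Defaults env_keep = " \
EDITOR \
GIT_AUTHOR_NAME \
GIT_AUTHOR_EMAIL \
GIT_COMMITTER_NAME \
GIT_COMMITTER_EMAIL \
"
EOF
	# Re-executes itself through sudo when not root; SUDO_USER is set by sudo and
	# is the only account whose password may be initialised (set -u makes a
	# direct invocation by root without sudo fail instead of touching anything).
	mk_reg mod=555 own=root:root /usr/local/sbin/passwd-init <<-'EOF'
#!/bin/sh
# Initialise the password of the calling account, only while it is still locked.
set -e -f -u
if test "$(id -u)" != 0
then exec sudo /usr/local/sbin/passwd-init
fi
case $(/usr/bin/passwd --status "$SUDO_USER") in
("$SUDO_USER L "*) /usr/bin/passwd "$SUDO_USER";;
esac
EOF
}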
rule_user_root_configure () {
# root's own etc/ssh and etc/gpg (linked as ~/.ssh and ~/.gnupg), an
# authorized_keys made of the keys of every member of group sudo — so each sudo
# member can log in directly as root over SSH — and the project's OpenPGP
# public keys imported into root's keyring.
mk_dir mod=750 own=root:root /root/etc
mk_dir mod=750 own=root:root /root/etc/ssh
mk_dir mod=750 own=root:root /root/etc/gpg
mk_lnk etc/gpg /root/.gnupg
mk_lnk etc/ssh /root/.ssh
# NOTE(review): "~$user" is resolved through eval; usernames come from the group
# database (trusted), but getent passwd would avoid eval altogether.
getent group sudo |
while IFS=: read -r group x x users
do while test -n "$users" && IFS=, read -r user users <<-EOF
$users
EOF
do eval local home\; home="~$user"
cat "$home"/etc/ssh/authorized_keys
done
done |
mk_reg mod=640 own=root:root /root/etc/ssh/authorized_keys
# Globbing is off script-wide (set -f); re-enable it for this loop only,
# "local -" restores the shell options when the function returns.
local key; local -; set +f
for key in "$tool"/var/pub/openpgp/*.key
do sudo gpg --import "$key"
done
}
rule_bin_configure () {
	# Expose this script on root's PATH as /usr/local/sbin/vm_hosted.
	# NOTE(review): once started through the link, $0 is the link path and
	# tool=${0%/*} may no longer locate the checkout's lib/ and etc/ — verify.
	local script
	script=$tool/vm_hosted
	mk_lnk "$script" /usr/local/sbin/
}
rule_configure () {
	# Full configuration of the hosted VM, in dependency order: etckeeper first so
	# that every later change to /etc is tracked, boot (and thus initramfs) after
	# the users whose keys it embeds. set -e stops at the first failing step.
	local step
	for step in \
	 etckeeper_configure \
	 locale_configure \
	 network_configure \
	 apt_configure \
	 filesystem_configure \
	 login_configure \
	 user_root_configure \
	 boot_configure \
	 apticron_configure \
	 bin_configure
	do rule "$step"
	done
}
471
rule_luks_key_change () {
	# Interactively replace a passphrase of the root LUKS volume.
	# NOTE(review): var, home and swap are unlocked from the root mapping through
	# decrypt_derived (see rule_filesystem_configure), which presumably keys off
	# the volume key rather than this passphrase — confirm they still unlock
	# after the change before rebooting.
	local root_lv
	root_lv=/dev/$vm_lvm_vg/${vm_lvm_lv}_root
	sudo cryptsetup luksChangeKey "$root_lv"
}
475
rule_user_admin_configure () {
	# Propagate the current set of administrators: their keys go both into the
	# initramfs dropbear (remote disk unlocking) and into root's authorized_keys.
	local step
	for step in initramfs_configure user_root_configure
	do rule "$step"
	done
}
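rule_user_admin_add () { # SYNTAX: $user
	# Create (if needed) an administrator account: no password yet (the user sets
	# it later with passwd-init), member of %sudo — i.e. full root through sudo —
	# with the public SSH key $tool/var/pub/ssh/$user.key as the only credential,
	# and every key under var/pub/openpgp imported into the user's keyring.
	local user=$1
	id "$user" >/dev/null ||
	sudo adduser --disabled-password "$user"
	# NOTE: the password must be initialised by the user with passwd-init.
	# Resolve the home directory from the passwd database rather than eval-ing
	# "~$user", which would evaluate whatever the argument contains.
	local home
	home=$(getent passwd "$user" | cut -d : -f 6)
	if test -z "$home"
	then warn "no home directory found for $user"; return 1
	fi
	sudo adduser "$user" sudo
	mk_reg mod=640 own="$user:$user" "$home"/etc/ssh/authorized_keys \
	 <"$tool"/var/pub/ssh/"$user".key
	# Globbing is off script-wide (set -f); re-enable it for this loop only,
	# "local -" restores the shell options when the function returns.
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo -u "$user" gpg --import "$key"
	done
	rule user_admin_configure
}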
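rule_user_mail_format () {
	# Per-user mail layout: the procmail delivery script in /etc/skel (copied into
	# every new home), Postfix main.cf, Dovecot (IMAP, plus the SASL socket Postfix
	# authenticates against) and an empty Postgrey recipient whitelist.
	# Skeleton files are group-writable by adm so administrators can adjust them.
	mk_dir mod=770 own=root:adm /etc/skel/etc/procmail
	mk_dir mod=770 own=root:adm /etc/skel/var/mail
	mk_dir mod=770 own=root:adm /etc/skel/var/cache/procmail
	# Backticks in this template are escaped (\`) so that they reach the file
	# literally and are evaluated by procmail at delivery time. Unescaped, the
	# shell ran them while expanding the heredoc: formail read this script's
	# stdin and EMAIL was frozen to the *administrator's* GECOS address.
	# The trailing backslashes of the commented UUCP recipe are doubled for the
	# same reason (a bare "\" at end of line is a heredoc line continuation).
	# NOTE(review): "${EMAIL/@/...}" is bash pattern substitution, yet SHELL is
	# /bin/sh (dash on Debian); confirm the forward recipe actually delivers, or
	# build the address with sed instead.
	mk_reg mod=660 own=root:adm /etc/skel/etc/procmail/delivery.rc <<-EOF
# vim: ft=procmail

# NOTE: paramètres passés par postfix
SENDER=\$1
RECIPIENT=\$2
USER=\$3
EXTENSION=\$4
DOMAIN=\$5
ORIGINAL_RECIPIENT=\$6

PATH="\$HOME/bin:/usr/local/bin:/usr/bin:/bin"
MAILDIR="\$HOME/var/mail/"
DEFAULT="\$MAILDIR"
#LOGFILE=\`cd="\$HOME/var/log/procmail/" d=\$(date +"%Y-%m-%d"); ln -fns "\$d.log" "\$cd/current.log"; printf %s "\$cd/\$d.log"\`
LOGFILE="/dev/null"
LOGABSTRACT=all
LOGABSTRACT
VERBOSE
SHELL=/bin/sh
SHELLMETAS=&|<>~;?*%{}

# DESCRIPTION: supprime les doublons en fonction du champ Message-Id
#:0 Wh: "\$HOME/var/cache/procmail/msgid\$LOCKEXT"
#| formail -D 8192 "\$HOME/var/cache/procmail/msgid"

# DESCRIPTION: fait suivre à l'adresse configurée dans /etc/passwd ; on peut aussi utiliser ~/.forward
EMAIL=\`sed /etc/passwd -ne "/^\$USER:/s/[^:]*:[^:]*:[^:]*:[^:]*:[^,]*,[^,]*,[^,]*,[^,]*,\([^:]*\):.*/\1/p"\`
# NOTE: récupère l’adresse courriel dans le champ GECOS
FROM_=\`formail -c -x "From " | sed -e 's/^\s*\([^ \t]*\).*/\1/g'\`
# NOTE: récupère l’expéditeur inscrit sur l’enveloppe
:0
| \$SENDMAIL -i -bm -f "\$FROM_" "\${EMAIL/@/\${EXTENSION:++\${EXTENSION}}@}"

# DESCRIPTION: IMAP
#:0
#| /usr/lib/dovecot/deliver -f "\$SENDER" -a "\$RECIPIENT"

# DESCRIPTION: UUCP
#:0
#| /usr/bin/uux \\
# -I "\$HOME/etc/uucp/uucp.cfg" \\
# --nouucico \\
# --notification=error \\
# --requestor "\$USER" \\
# - "\$USER!rmail" "(\$USER)"
EOF
	# Postfix. Multi-line values (mydestination, the restriction lists, ...) are
	# continuation lines and MUST start with whitespace; "<<-" strips leading
	# tabs, so they are indented with spaces here.
	# Security notes on the settings below:
	# - smtpd_tls_mandatory_protocols listed "TLSv1", which in Postfix means
	#   TLS 1.0 *only* (no 1.1/1.2); it now excludes SSLv2/3 like the smtp side.
	# - smtp/smtpd_tls_fingerprint_digest = sha1: SHA-1 is collision-prone; it is
	#   left as is because switching to sha256 invalidates every fingerprint kept
	#   in the policy and relay_clientcerts maps, which live outside this script.
	# - smtpd_discard_ehlo_keywords = starttls hides STARTTLS on this smtpd
	#   instance: mail received on port 25 is in the clear and, because of
	#   smtpd_tls_auth_only, AUTH is never offered there either. Presumably a
	#   submission service in master.cf overrides this — confirm.
	# - reject_unauth_destination precedes the policy services, so relay attempts
	#   never reach Postgrey/SPF; mynetworks is loopback only.
	mk_reg mod=664 own=root:root /etc/postfix/main.cf <<-EOF
# /etc/postfix/main.cf
# SEE: http://postfix.traduc.org/index.php/TLS_README.html

parent_domain_matches_subdomains =
#debug_peer_list
#fast_flush_domains
#mynetworks
#permit_mx_backup_networks
#qmqpd_authorized_clients
#smtpd_access_maps
mydomain = $vm_domainname
myorigin = \$mydomain
myhostname = $vm_hostname.\$mydomain
mail_name = \$myhostname
mydestination =
  $vm_hostname
  \$myhostname
  \$myorigin
mynetworks =
  127.0.0.0/8
#[::1]/128
inet_protocols = ipv4
# "all" to activate IPv6
inet_interfaces = all
permit_mx_backup_networks =

alias_database =
  hash:/etc/aliases
# NOTE: fichier de hash contenant une table d’alias mail.
# Celle-ci est éditable dans /etc/aliases, puis (indispensable)
# regénérée en hash grâce à la commande newaliases qui produit /etc/aliases.db
alias_maps =
  hash:/etc/aliases
recipient_delimiter = +
# NOTE: séparateur entre le nom d’utilisateur
# et les extensions d’adresse (par défaut le signe +).
#virtual_alias_domains =
virtual_alias_maps =
  hash:/etc/postfix/\$mydomain/virtual
# NOTE: do not specify virtual alias domain names in the main.cf
# mydestination or relay_domains configuration parameters.
#
# With a virtual alias domain, the Postfix SMTP server
# accepts mail for known-user@virtual-alias.domain, and
# rejects mail for unknown-user@virtual-alias.domain as
# undeliverable.
#relayhost =
relay_clientcerts =
  hash:/etc/postfix/\$mydomain/smtpd/tls/relay_clientcerts
relay_domains =
  \$mydestination
# NOTE: ajouter les domaines pour lesquels on est backup MX ici,
# pas dans mydestination ou virtual_alias...

maximal_queue_lifetime = 5d

header_checks =
  regexp:/etc/postfix/\$mydomain/header_checks
mime_header_checks =
nested_header_checks =
milter_header_checks =
body_checks =

#content_filter = amavisfeed:[127.0.0.1]:10024
#receive_override_options = no_address_mappings
# no_unknown_recipient_checks
# Do not try to reject unknown recipients (SMTP server only).
# This is typically specified AFTER an external content filter.
# no_address_mappings
# Disable canonical address mapping, virtual alias map expansion,
# address masquerading, and automatic BCC (blind carbon-copy) recipients.
# This is typically specified BEFORE an external content filter (eg. amavis).
# no_header_body_checks
# Disable header/body_checks. This is typically specified AFTER an external content filter.
# no_milters
# Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
#local_header_rewrite_clients =
transport_maps =
  hash:/etc/postfix/\$mydomain/transport_maps
mailbox_command =
  /usr/bin/procmail -t -a "\$SENDER" -a "\$RECIPIENT" -a "\$USER" -a "\$EXTENSION" -a "\$DOMAIN" -a "\$ORIGINAL_RECIPIENT" "\$HOME/etc/procmail/delivery.rc"
mailbox_size_limit = 0
biff = no
# Activer la notification en cas de réception de nouveaux e-mails dans la console (yes / no).
append_dot_mydomain = no
# appending .domain is the MUA's job.

#tls_random_source =
# dev:/dev/urandom
# Non-blocking
#tls_random_reseed_period = 3600s
#tls_random_exchange_name =
# \${data_directory}/prng_exch
# NOTE: à ne pas mettre dans la cage chroot
#tls_random_bytes = 32
#tls_random_prng_update_period = 3600s
#tls_high_cipherlist = AES256-SHA
# NOTE: postconf(5) déconseille de changer ceci

#smtp_cname_overrides_servername = no
smtp_connect_timeout = 60s
#smtp_tls_CAfile = /etc/postfix/\$mydomain/smtp/tls/ca/crt.pem
#smtp_tls_CApath = /etc/postfix/\$mydomain/smtp/tls/ca/
#smtp_tls_cert_file = /etc/postfix/\$mydomain/smtp/tls/crt.pem
#smtp_tls_key_file = /etc/postfix/\$mydomain/smtp/tls/key.pem
#smtp_tls_per_site = hash:/etc/postfix/\$mydomain/smtp/tls/per_site
# NOTE: déprécié en faveur de smtp_tls_policy_maps
smtp_tls_policy_maps = hash:/etc/postfix/\$mydomain/smtp/tls/policy
smtp_tls_fingerprint_digest = sha1
smtp_tls_scert_verifydepth = 5
#smtp_tls_secure_cert_match = nexthop, dot-nexthop
#smtp_tls_verify_cert_match = hostname
#smtp_tls_note_starttls_offer = yes
smtp_tls_loglevel = 1
smtp_tls_protocols = !SSLv2, !SSLv3
# Only allow TLSv*
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
#smtp_tls_session_cache_timeout = 3600s
smtp_tls_security_level = may
smtp_header_checks = regexp:/etc/postfix/\$mydomain/smtp/header_checks
smtp_body_checks =
smtp_mime_header_checks =
smtp_nested_header_checks =

smtpd_starttls_timeout = 300s
smtpd_banner =
  \$myhostname ESMTP \$mail_name (Debian/GNU)

# Restrictions
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
smtpd_authorized_xclient_hosts = 127.0.0.1
# NOTE: utile pour tester les restrictions

smtpd_helo_restrictions =
  reject_invalid_helo_hostname
  reject_non_fqdn_helo_hostname
#reject_unknown_helo_hostname
# NOTE: pourrait pourtant être utile pour lutter contre le spam
  permit

smtpd_sender_restrictions =
  permit_mynetworks
  permit_tls_clientcerts
  permit_sasl_authenticated
  check_sender_access hash:/etc/postfix/\$mydomain/smtpd/sender_access
  check_sender_access hash:/etc/postfix/sender_blacklist
  reject_unauth_pipelining
  reject_non_fqdn_sender
#reject_unknown_sender_domain
# NOTE: temporaire
  permit

smtpd_client_new_tls_session_rate_limit = 0
smtpd_client_event_limit_exceptions = \$mynetworks
smtpd_client_recipient_rate_limit = 0
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 0
smtpd_client_message_rate_limit = 0
smtpd_client_port_logging = no

smtpd_client_restrictions =
  check_client_access hash:/etc/postfix/client_blacklist

policy_time_limit = 3600
default_extra_recipient_limit = 5000
duplicate_filter_limit = 5000
smtpd_recipient_limit = 5000
smtpd_recipient_overshoot_limit = 5000
smtpd_recipient_restrictions =
  reject_non_fqdn_recipient
#reject_invalid_hostname
# NOTE: postfix < 2.3. voir reject_invalid_helo_hostname
# dans smtpd_helo_restrictions
  reject_unknown_recipient_domain
#reject_non_fqdn_sender
# NOTE: dans smtpd_sender_restrictions
  reject_unauth_pipelining
# NOTE: dans smtpd_client_restrictions ou smtpd_data_restrictions
  permit_mynetworks
  permit_tls_clientcerts
  permit_sasl_authenticated
  reject_unauth_destination
# NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous
# ou quelqu'un pour lequel on tient lieu de backup_mx
  check_policy_service inet:127.0.0.1:10023
# NOTE: Postgrey (greylisting)
  check_policy_service unix:private/spfcheck
  permit_auth_destination
# NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné
# (voir permit_auth_destination) ; sans doute redondant
  reject
#check_relay_domains <- removed from postfix
#reject_unknown_sender_domain
# aurait probablement été mieux dans smtpd_sender_restrictions
#reject_rbl_client bl.spamcop.net
#reject_rbl_client list.dsbl.org
#reject_rbl_client zen.spamhaus.org
#reject_rbl_client dnsbl.sorbs.net

smtpd_data_restrictions =
  reject_unauth_pipelining
# NOTE: obliger le serveur en face à attendre qu'on lui aie dit OK
  permit

#smtpd_end_of_data_restrictions =

#smtpd_restriction_classes =

smtpd_error_sleep_time = 5
# NOTE: forcer quelqu'un qui nous embête à attendre cinq secondes.

# SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_domain = \$mydomain

# SMTPD TLS
smtpd_discard_ehlo_keywords = starttls
# NOTE: les clients mails tentant d'utiliser le chiffrement opportuniste
# se mangent une erreur en tentant un starttls
smtpd_tls_fingerprint_digest = sha1
# sha512 ?
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = high
smtpd_tls_ciphers = high
# restrictif. s/high/medium/ ?
smtpd_tls_CAfile = /etc/postfix/\$mydomain/smtpd/tls/ca/crt+crl.slf.pem
smtpd_tls_CApath = /etc/postfix/\$mydomain/smtpd/tls/ca/
smtpd_tls_cert_file = /etc/postfix/\$mydomain/smtpd/tls/crt+crl.slf.pem
smtpd_tls_key_file = /etc/postfix/\$mydomain/smtpd/tls/key.pem
##
#smtpd_tls_received_header = no
smtpd_tls_session_cache_database =
  btree:/var/lib/postfix/smtpd_tls_session_cache
#smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_security_level = may
# Postfix 2.3 and later
# encrypt
# Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
# encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
# SMTP server. Instead, this option should be used only on dedicated servers.
smtpd_tls_loglevel = 1
smtpd_tls_ccert_verifydepth = 5
smtpd_tls_auth_only = yes
# Pas d'AUTH SASL sans TLS
smtpd_tls_ask_ccert = no
smtpd_tls_req_ccert = no
#smtpd_tls_always_issue_session_ids = yes
smtpd_peername_lookup = yes
# Nécessaire pour postgrey, etc
smtpd_milters =
non_smtpd_milters =
line_length_limit = 2048
queue_minfree = 0
message_size_limit = 20480000
#smtpd_enforce_tls # NOTE: obsolète
#smtpd_use_tls # NOTE: obsolète
#smtpd_tls_cipherlist # NOTE: obsolète

readme_directory = no
#delay_warning_time = 4h
# NOTE: uncomment the previous line to generate "delayed mail" warnings
#debug_peer_level = 4
#debug_peer_list = .\$myhostname
EOF
	# Dovecot: IMAP only, client certificates required (ssl_verify_client_cert)
	# with the username taken from the certificate; the password database is a
	# passwd-file *inside each user's home* (the user controls their own IMAP
	# credentials) and the auth service runs as root, presumably to read it.
	# NOTE(review): ssl_cipher_list pins a single RSA-keyed suite without forward
	# secrecy (AES256-SHA); mail_debug/verbose_ssl are debugging levels and will
	# be chatty in production logs.
	mk_reg mod=664 own=root:root /etc/dovecot/dovecot.conf <<-EOF
auth_ssl_username_from_cert = yes
listen = *
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_debug = yes
mail_location = maildir:~/var/mail
mail_privileged_group = mail
passdb {
args = /home/%u/etc/dovecot/passwd
driver = passwd-file
}
protocols = imap
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
user = root
}
ssl_ca = </etc/dovecot/imap/tls/crt+crl.slf.pem
ssl_cert = </etc/dovecot/imap/tls/crt+crl.slf.pem
ssl_cipher_list = AES256-SHA
ssl_key = </etc/dovecot/imap/tls/key.pem
ssl_verify_client_cert = yes
userdb {
driver = passwd
}
verbose_ssl = yes
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
hostname = $vm_domainname
info_log_path = /var/log/dovecot/lda/info.log
log_path = /var/log/dovecot/lda/error.log
mail_plugins = sieve
postmaster_address = contact+dovecot+lda@$vm_domainname
}
EOF
	# Empty local whitelist so that Postgrey's include of it never fails.
	mk_reg mod=664 own=root:root /etc/postgrey/whitelist_recipients.local <<-EOF
EOF
}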
rule_mail_configure () {
	# Install the mail stack.
	# NOTE(review): unlike every other rule this calls apt-get directly, bypassing
	# the etckeeper "unclean" check performed by rule apt_get_install.
	set -- postfix postgrey dovecot
	sudo apt-get install "$@"
}
859
# Dispatcher: the first argument names the rule (default: help), the remaining
# ones are passed to it unchanged.
rule=${1:-help}
${1+shift}
# Safety check against running a rule on the wrong machine (e.g. on the host,
# which has its own vm_host script): every rule except help requires the local
# FQDN to equal $vm_fqdn from etc/vm.sh.
case $rule in
(help);;
(*)
assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
;;
esac
rule $rule "$@"