Polissage : vm_hosted : ordonne alphabétiquement les règles.
#!/bin/sh
# vm_hosted: rules run *inside* the hosted VM (rule_help lists them).
# -e: stop on the first failing command; -f: no pathname globbing anywhere
# (rules that need it re-enable it locally); -u: unset variables are errors.
# DRY_RUN, when non-empty, adds -n so the shell reads the script without executing it.
set -e -f ${DRY_RUN:+-n} -u
# Follow symlinks (e.g. /usr/local/sbin/vm) back to the checkout: its
# directory provides lib/rule.sh and the per-VM settings in etc/vm.sh.
tool=$0
while [ -L "$tool" ]; do
	tool=$(readlink "$tool")
done
tool=${tool%/*}
. "$tool"/lib/rule.sh
. "$tool"/etc/vm.sh
10
rule_help () { # SYNTAX: [--hidden]
	# Any argument (nominally --hidden) leaves $hidden empty and thereby lifts
	# the filter that drops "rule__*" (double underscore) names from RULES.
	local hidden; [ ${1:+set} ] || hidden=set
	# RULES and ENVIRONMENT are scraped from the source itself: every
	# "rule_NAME () { # ..." definition line of etc/vm.sh and this file, and
	# every "readonly NAME=${...} # ..." line of etc/vm.sh; the trailing comment
	# is carried over as the one-line help, so those lines must keep that shape.
	cat >&2 <<-EOF
DESCRIPTION:
ce script regroupe des règles pour administrer la VM ($vm_fqdn)
_depuis_ la VM hébergée ($vm_fqdn) ;
il sert à la fois d'outil (aisément bidouillable)
et de documentation (préçise).
Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
SYNTAX: $0 \$RULE \${RULE}_SYNTAX
RULES:
$(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
ENVIRONMENT:
TRACE # affiche les commandes avant leur exécution
$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
EOF
}
28
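rule_git_configure () {
	# Points the checkout's master at the local "." remote and exposes the
	# script system-wide as vm_hosted and vm. Runs in a subshell so the cd
	# does not leak into the caller.
	(
	cd "$tool"
	git config --replace-all branch.master.remote .
	git config --replace-all branch.master.merge refs/remotes/master
	# The symlinks need an absolute target. $tool may be relative to the
	# caller's cwd, so use the directory we just entered instead of
	# re-entering "$tool" from inside itself (which fails for most relative paths).
	local tool
	tool=$PWD
	sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/
	sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/vm
	)
}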
rule_git_reset () {
	# Forces the checkout back onto the remote master and removes every
	# untracked *and ignored* file (-x). The subshell keeps the cd local.
	(
	cd "$tool" &&
	git checkout -f -B master remotes/master &&
	git clean -f -d -x
	)
}
47
rule_apt_get_install () { # SYNTAX: $package
	# Privileged wrapper: every argument reaches apt-get unchanged, so
	# several packages may be given at once.
	set -- apt-get install "$@"
	sudo "$@"
}
51
rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
	# Neutral C locale for a chroot session, then the system-wide profile.
	# Hidden rule (double underscore): rule_help only lists it with --hidden.
	LANG=C LC_CTYPE=C
	export LANG LC_CTYPE
	. /etc/profile
}
57
rule_apt_configure () {
	# Debian mirror for the release named in etc/vm.sh. Mode 660 root:root
	# keeps the lists unreadable to unprivileged users; apt itself runs as
	# root, so only tools like apt-cache run by a normal user notice —
	# presumably deliberate.
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
EOF
	# NOTE(review): apt reads sources.list and sources.list.d/*.list only, so
	# a file placed directly under /etc/apt/ is ignored. Harmless today since
	# its sole entry is commented out, but uncommenting it would have no effect.
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF
#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
EOF
	# Pinning: both priorities are below 500, backports (200) above the
	# release (170) — presumably to favour backports where they exist;
	# verify the resulting candidates with `apt-cache policy`.
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
Package: *
Pin: release a=$vm_lsb_name
Pin-Priority: 170

Package: *
Pin: release a=$vm_lsb_name-backports
Pin-Priority: 200
EOF
	# Third-party nightly repository over plain HTTP. No signing key is
	# imported in this rule, so unless one is supplied elsewhere apt will
	# treat its packages as unauthenticated.
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
deb http://nightly.openerp.com/trunk/nightly/deb/ ./
EOF
	sudo apt-get update
	# apticron mails pending-update reports to the domain's admin address;
	# everything else is left at the packaged defaults (kept as comments).
	rule apt_get_install apticron
	sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF
EMAIL="admin@$vm_domainname"
# DIFF_ONLY="1"
# LISTCHANGES_PROFILE="apticron"
# ALL_FQDNS="1"
# SYSTEM="foobar.example.com"
# IPADDRESSNUM="1"
# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
# NOTIFY_HOLDS="0"
# NOTIFY_NEW="0"
# NOTIFY_NO_UPDATES="0"
# CUSTOM_SUBJECT=""
# CUSTOM_NO_UPDATES_SUBJECT=""
# CUSTOM_FROM="root@$vm_fqdn"
EOF
}
rule_boot_configure () {
	# Xen guest: GRUB is configured for the VM's virtual disk only; the
	# Debian installer must not write GRUB to any of the disks it offers.
	warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
	rule apt_get_install grub-pc
	# NOTE(review): mode 644 on a directory has no search (x) bit; root is
	# unaffected, but 755 is the conventional mode for /boot/grub — confirm.
	sudo install -d -m 644 -o root -g root /boot/grub
	rule apt_get_install linux-image-$vm_arch
	# Kernel command line: console on the Xen hvc0 console, a static address
	# (ip=client::gateway:netmask:hostname:device:autoconf — the gateway is
	# the VM's own address, cf. the proxy-ARP note in rule_network_configure),
	# presumably so the initramfs can bring up eth0 before dropbear, and
	# resume from the LUKS swap volume. The backticks are escaped so
	# GRUB_DISTRIBUTOR is evaluated by grub-mkconfig, not here.
	sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
GRUB_DISABLE_RECOVERY="true"
#GRUB_PRELOAD_MODULES="lvm"
EOF
	# Two entries for (hd0): the Xen block device and the dom0 device-mapper
	# name (dashes doubled, as device-mapper does). Presumably the first one
	# that exists wins — verify which GRUB actually picks.
	sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF
(hd0) /dev/xvda
(hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
EOF
	sudo update-grub2 # NOTE: takes /boot/grub/device.map into account
	# The initramfs depends on the kernel installed above.
	rule initramfs_configure
}
rule_dovecot_configure () {
	rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
	# The private key is produced and pushed from the host side; stop here
	# rather than start dovecot around a missing key.
	local hint="run vm_remote dovecot_key_send before"
	assert "test -f /etc/dovecot/$vm_domainname/imap/x509/key.pem" hint
	# Self-signed certificate (+CRL) from the repository. Below it serves as
	# both the server certificate (ssl_cert) and the trust anchor (ssl_ca)
	# against which client certificates are verified.
	sudo install -m 400 -o root -g root \
		"$tool"/var/pub/x509/service/imap/crt+crl.self-signed.pem \
		/etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
	# Per-user mail and sieve directories seeded via /etc/skel (group adm,
	# like rule_procmail_configure).
	sudo install -d -m 770 -o root -g adm \
		/etc/skel/etc/mail \
		/etc/skel/etc/sieve
	# INDEX/CONTROL live outside the quota'd /home (see mail_location and the
	# note inside the config). Sticky, world-writable: presumably so each
	# user's mail process can create its own %u subdirectory — confirm.
	sudo install -d -m 1777 -o root -g root \
		/var/lib/dovecot-control \
		/var/lib/dovecot-index
	# Authentication: client certificates are requested and checked against
	# ssl_ca (ssl_verify_client_cert) and, when present, the username is read
	# from the certificate (auth_ssl_username_from_cert); passwords come from
	# a per-user passwd-file written by dovecot-passwd (below).
	# mail_debug = yes makes the logs verbose — presumably a setup-time choice.
	# ssl_cipher_list pins a single legacy suite with no forward secrecy;
	# a modern cipher list would be preferable.
	sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
auth_ssl_username_from_cert = yes
listen = *
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_debug = yes
mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
# NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
# VOIR: http://wiki2.dovecot.org/Quota/FS
mail_plugins = \$mail_plugins quota
mail_privileged_group = mail
passdb {
args = /home/%u/etc/dovecot/passwd
driver = passwd-file
}
plugin {
quota = fs:user
recipient_delimiter = +
sieve = ~/etc/mail/filter.sieve
sieve_dir = ~/etc/mail/sieve
sieve_global_dir = /var/lib/dovecot/sieve/global/
sieve_max_script_size = 1M
sieve_quota_max_scripts = 0
sieve_quota_max_storage = 10M
sieve_user_log = ~/var/log/mail/sieve.log
}
protocol imap {
mail_plugins = \$mail_plugins imap_quota
}
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
hostname = $vm_domainname
info_log_path =
log_path =
mail_plugins = \$mail_plugins sieve
postmaster_address = contact+dovecot+lda@$vm_domainname
syslog_facility = mail
}
protocols = imap sieve
service auth {
user = root
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
ssl_cipher_list = AES256-SHA
ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
ssl_verify_client_cert = yes
userdb {
driver = passwd
}
verbose_ssl = no
EOF
	# User helper: doveadm pw prompts for the password and emits a
	# SHA512-CRYPT hash, which is what gets written into the per-user
	# passwd file that passdb points at (never the plaintext). The inner
	# heredoc uses _EOF so it survives inside this outer heredoc, and the
	# \$ are kept literal so they expand when the helper runs on the VM.
	sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
#!/bin/sh -efux
# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
install -d -m 770 ~/etc/dovecot
install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
\$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
_EOF
EOF
	# NOTE(review): an empty postgrey whitelist written from the dovecot rule;
	# presumably belongs with rule_postgrey_configure — confirm.
	sudo install -m 664 -o root -g root /dev/stdin /etc/postgrey/whitelist_recipients.local <<-EOF
EOF
	sudo service dovecot restart
}
rule_etckeeper_configure () {
	# /etc under git: no daily autocommits and no commit before installs,
	# so presumably only the post-install commits remain.
	# NOTE(review): the configuration is written before the package exists,
	# so dpkg meets a pre-existing conffile at install time — confirm that
	# this neither prompts nor overwrites it in the intended setup.
	sudo install -m 644 -o root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
VCS=git
GIT_COMMIT_OPTIONS=""
AVOID_DAILY_AUTOCOMMITS=1
#AVOID_SPECIAL_FILE_WARNING=1
AVOID_COMMIT_BEFORE_INSTALL=1
HIGHLEVEL_PACKAGE_MANAGER=apt
LOWLEVEL_PACKAGE_MANAGER=dpkg
EOF
	# Shell prompt hook shipped in the repository (its content is not visible
	# here — presumably flags uncommitted changes in /etc).
	sudo install -m 644 -o root -g root \
		"$tool"/etc/etckeeper/prompt.sh \
		/etc/etckeeper/prompt.sh
	rule apt_get_install etckeeper
}
rule_filesystem_configure () {
	# Layout: ext2 /boot found by label, LUKS-on-LVM volumes for /, /var,
	# /home and swap (hence the *_deciphered mapper names), a size-capped
	# tmpfs /tmp with nosuid,nodev, and user/group quotas on /home (the
	# backing for dovecot's fs quota).
	sudo install -m 644 -o root -g root /dev/stdin /etc/fstab <<-EOF
# <file system> <mount point> <type> <options> <dump> <pass>
LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
# NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
EOF
	# Only the root volume asks for a passphrase ("none" key file); var,
	# home and swap are unlocked with a key derived from the already-open
	# root volume (decrypt_derived keyscript), so a single passphrase opens
	# everything — and rule_luks_key_change only has to touch the root volume.
	sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF
# <target name> <source device> <key file> <options>
${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
EOF
	# NOTE(review): the trailing "# NOTE ..." on the swappiness line is part
	# of the value as far as a "key = value" sysctl parser is concerned; move
	# the comment onto its own line if sysctl reports an invalid argument.
	sudo install -m 644 -o root -g root /dev/stdin /etc/sysctl.d/local-swap.conf <<-EOF
vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité
vm.vfs_cache_pressure=50
EOF
}
rule_initramfs_configure () {
	# Early userspace for a Xen PV guest: most modules, busybox and a keymap
	# for the console, and eth0 configured so the LUKS volumes can be
	# unlocked remotely through dropbear.
	sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
MODULES=most
BUSYBOX=y
KEYMAP=y
COMPRESS=gzip
DEVICE=eth0
EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/modprobe.d/xen-pv.conf <<-EOF
alias eth0 xennet
alias scsi_hostadapter xenblk
EOF
	# Crypto modules for the LUKS volumes (AES-XTS, SHA*), loaded at boot.
	sudo install -m 644 -o root -g root /dev/stdin /etc/modules <<-EOF
sha1_generic
sha256_generic
sha512_generic
aes-x86_64
xts
# NOTE: pour Xen en mode HVM :
#modprobe xen-platform-pci
EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF
EOF
	# NOTE(review): edits a file owned by the dropbear package in place; the
	# change is lost on the next package upgrade and this rule must be re-run.
	sudo sed -e '/^configure_networking /s/ &$//' \
		-i /usr/share/initramfs-tools/scripts/init-premount/dropbear
	# NOTE: fixes a bug: dropbear must wait until the network is configured.
	# Keep the current dropbear RSA host key when the repository's known_hosts
	# already records an RSA key for init.$vm_fqdn (presumably the name
	# clients use during boot; the " RSA" suffix is presumably a trailing
	# comment in that file); otherwise generate a fresh 4096-bit key.
	# The subshell's "return" is its exit status: 0 = found, 1 = not found.
	ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	( while IFS= read -r line
	  do case $line in (*" RSA") return 0; break;; esac
	  done; return 1 ) ||
	{
	sudo rm -f \
		/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
		/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
	sudo dropbearkey -t rsa -s 4096 -f \
		/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
	}
	# NOTE: dropbear_dss_host_key is left alone; Debian generates and uses it anyway.
	# NOTE(review): 640 on directories lacks the search bit; root (dropbear's
	# user in the initramfs) is unaffected, but 700 is the usual mode for .ssh.
	sudo install -d -m 640 -o root -g root \
		/etc/initramfs-tools/root \
		/etc/initramfs-tools/root/.ssh
	# Root login in the initramfs is granted to every member of the sudo
	# group: their ~/etc/ssh/authorized_keys are concatenated. getent lists
	# supplementary members only, so a user whose *primary* group is sudo is
	# not included. eval performs the "~user" expansion on names taken from
	# the group database (which adduser constrains).
	getent group sudo |
	while IFS=: read -r group x x users
	do while test -n "$users" && IFS=, read -r user users <<-EOF
$users
EOF
	do eval local home\; home="~$user"
	   cat "$home"/etc/ssh/authorized_keys
	done
	done |
	sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/root/.ssh/authorized_keys
	# NOTE: client keys generated by Debian — removed here.
	sudo rm -f \
		/etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
		/etc/initramfs-tools/root/.ssh/id_rsa.pub \
		/etc/initramfs-tools/root/.ssh/id_rsa
	sudo update-initramfs -u
}
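rule_locale_configure () {
	# Declares the single locale to build, generates it, then refreshes
	# /etc/default/locale. locale-gen is what actually compiles the locales
	# listed in /etc/locale.gen; update-locale alone only rewrites the
	# defaults file, so without it fr_FR.UTF-8 would stay unavailable.
	sudo install -m 644 -o root -g root /dev/stdin /etc/locale.gen <<-EOF
fr_FR.UTF-8 UTF-8
EOF
	sudo locale-gen
	# NOTE(review): no LANG=... assignment is passed, so the system default
	# locale is left unchanged — TODO confirm that is intended.
	sudo update-locale
}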
rule_login_configure () {
	# Allow root logins on the Xen consoles (hvc0, and xvc0 for older
	# guests). Each block appends one line idempotently by rewriting the file
	# from its current content; the $(cat ...) is expanded before install runs.
	grep -q '^hvc0$' /etc/securetty ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
$(cat /etc/securetty)
hvc0
EOF
	grep -q '^xvc0$' /etc/securetty ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
$(cat /etc/securetty)
xvc0
EOF
	# sysvinit inittab: no tty1-6 gettys, a single getty on the hypervisor
	# console hvc0 (xvc0 kept commented out). ~ is not expanded in a heredoc,
	# so the "~~:S" single-user line is written literally.
	sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF
# /etc/inittab: init(8) configuration.

# The default runlevel.
id:2:initdefault:

# Boot-time system configuration/initialization script.
# This is run first except when booting in emergency (-b) mode.
si::sysinit:/etc/init.d/rcS

# What to do in single-user mode.
~~:S:wait:/sbin/sulogin

# /etc/init.d executes the S and K scripts upon change
# of runlevel.
#
# Runlevel 0 is halt.
# Runlevel 1 is single-user.
# Runlevels 2-5 are multi-user.
# Runlevel 6 is reboot.

l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fallthrough in case of emergency.
z6:6:respawn:/sbin/sulogin

# What to do when CTRL-ALT-DEL is pressed.
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

# What to do when the power fails/returns.
pf::powerwait:/etc/init.d/powerfail start
pn::powerfailnow:/etc/init.d/powerfail now
po::powerokwait:/etc/init.d/powerfail stop

# Xen hypervisor console
hvc:2345:respawn:/sbin/getty 38400 hvc0
#xvc:2345:respawn:/sbin/getty 38400 xvc0
EOF
	# login.defs: SHA512 password hashes, three login attempts, UMASK 007
	# (group trusted like the owner — rationale in the file's own notes) and
	# the sbin directories in everyone's PATH. PASS_MAX_DAYS 99999 means
	# passwords never expire.
	sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF
MAIL_DIR /var/mail
FAILLOG_ENAB yes
LOG_UNKFAIL_ENAB no
LOG_OK_LOGINS no
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
FTMP_FILE /var/log/btmp
SU_NAME su
HUSHLOGIN_FILE .hushlogin
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# NOTE: met les sbin/ dans ENV_PATH ;
# - ça n'apporte aucune protection de ne pas les mettre ;
# - ça frustre de ne pas les trouver.
TTYGROUP tty
TTYPERM 0600
ERASECHAR 0177
KILLCHAR 025
UMASK 007
# NOTE: rwxrwx--- ;
# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
GID_MIN 1000
GID_MAX 60000
LOGIN_RETRIES 3
LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
DEFAULT_HOME yes
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
EOF
	# pam_umask applies login.defs' UMASK to every PAM session, not only to
	# login; appended once, same rewrite-from-current-content pattern as
	# above. (\> is a GNU grep word boundary.)
	grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF
$(cat /etc/pam.d/common-session)
session optional pam_umask.so
EOF
}
rule_mail_configure () {
	# Mail stack, in order: MTA, greylisting, local delivery, then IMAP/sieve
	# (dovecot's auth socket lives under postfix's spool, so postfix goes first).
	local service
	for service in postfix postgrey procmail dovecot
	do rule "$service"_configure
	done
}
rule_network_configure () {
	sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
$vm
EOF
	# Add the FQDN to the loopback entry once: skipped when some line already
	# ends in " $vm" (the \$ keeps grep's anchor literal). The $(cat ...) is
	# expanded before install rewrites the file.
	grep -q " $vm\$" /etc/hosts ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/hosts <<-EOF
$(cat /etc/hosts)
127.0.0.1 $vm_fqdn $vm
EOF
	# eth0 is mapped to the logical interface "grenode": a single /32 where
	# address, gateway, network and broadcast are all the VM's own IP, which
	# relies on proxy ARP upstream (see the notes inside the file, which also
	# record the MTU 1300 measurement). post-up/pre-down (re)add the /32
	# explicitly; \$IFACE is expanded by ifupdown at run time, not here.
	sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF
auto lo
iface lo inet loopback

auto eth0=grenode
iface grenode inet static
address $vm_ipv4
gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
network $vm_ipv4
broadcast $vm_ipv4
netmask 255.255.255.255
mtu 1300
# NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
# car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
#
# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
# PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
# 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
#
# --- soupirail.grenode.net ping statistics ---
# 1 packets transmitted, 1 received, 0% packet loss, time 0ms
# rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
# PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
# From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
#
# --- soupirail.grenode.net ping statistics ---
# 0 packets transmitted, 0 received, +1 errors
post-up ip address add $vm_ipv4/32 dev \$IFACE
pre-down ip address delete $vm_ipv4/32 dev \$IFACE
EOF
}
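rule_postfix_configure () {
	# The smtpd private key is generated and pushed from the host side; stop
	# here rather than configure TLS around a missing key.
	local hint="run vm_remote postfix_key_send before"
	assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
	warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
	rule apt_get_install postfix
	# postmap's compiled *.db files are derived data; keep them out of etckeeper.
	sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF
*.db
EOF
	# Per-domain tree for the smtp (client) and smtpd (server) sides; x509/ca
	# holds what each side trusts. (Previously issued twice, verbatim.)
	sudo install -d -m 770 -o root -g root \
		/etc/postfix/$vm_domainname/ \
		/etc/postfix/$vm_domainname/smtp \
		/etc/postfix/$vm_domainname/smtp/x509 \
		/etc/postfix/$vm_domainname/smtp/x509/ca \
		/etc/postfix/$vm_domainname/smtpd \
		/etc/postfix/$vm_domainname/smtpd/x509 \
		/etc/postfix/$vm_domainname/smtpd/x509/ca
	# smtpd trusts its own self-signed certificate (+CRL) as the CA for the
	# client certificates listed in relay_clientcerts below.
	sudo ln -fns \
		../crt+crl.self-signed.pem \
		/etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
	# Public certificate material from the repository, read-only for root.
	# (crt+crl.self-signed.pem was previously installed twice; once suffices.)
	sudo install -m 400 -o root -g root \
		"$tool"/var/pub/x509/service/smtpd/crt+crl.self-signed.pem \
		/etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
	sudo install -m 400 -o root -g root \
		"$tool"/var/pub/x509/service/smtpd/crt.pem \
		/etc/postfix/$vm_domainname/smtpd/x509/crt.pem
	sudo install -m 400 -o root -g root \
		"$tool"/var/pub/x509/service/smtpd/crt+root.pem \
		/etc/postfix/$vm_domainname/smtpd/x509/crt+root.pem
	sudo install -m 660 -o root -g root \
		"$tool"/etc/postfix/$vm_domainname/header_checks \
		/etc/postfix/$vm_domainname/header_checks
	sudo install -m 664 -o root -g root \
		"$tool"/etc/postfix/aliases \
		/etc/postfix/aliases
	sudo newaliases -oA/etc/postfix/aliases
	# main.cf = these VM-specific parameters followed by the shared template
	# from the repository. The \$ keep Postfix's own $name references literal.
	cat /dev/stdin "$tool"/etc/postfix/main.cf <<-EOF |
mydomain = $vm_domainname
myorigin = \$mydomain
myhostname = $vm_hostname.\$mydomain
mail_name = \$myhostname
mydestination = $vm_hostname \$myhostname \$myorigin
EOF
	sudo install -m 664 -o root -g root /dev/stdin \
		/etc/postfix/main.cf
	sudo install -m 664 -o root -g root \
		"$tool"/etc/postfix/master.cf \
		/etc/postfix/master.cf
	# Lookup tables: each is installed from the repository, then compiled by
	# postmap into a hash: .db next to it (hence the .gitignore above).
	sudo install -m 660 -o root -g root \
		"$tool"/etc/postfix/$vm_domainname/smtp/x509/policy \
		/etc/postfix/$vm_domainname/smtp/x509/policy
	sudo postmap hash:/etc/postfix/$vm_domainname/smtp/x509/policy
	sudo install -m 660 -o root -g root \
		"$tool"/etc/postfix/$vm_domainname/smtp/header_checks \
		/etc/postfix/$vm_domainname/smtp/header_checks
	sudo install -m 660 -o root -g root \
		"$tool"/etc/postfix/$vm_domainname/smtpd/sender_access \
		/etc/postfix/$vm_domainname/smtpd/sender_access
	sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/sender_access
	sudo install -m 660 -o root -g root \
		"$tool"/etc/postfix/$vm_domainname/smtpd/client_blacklist \
		/etc/postfix/$vm_domainname/smtpd/client_blacklist
	sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/client_blacklist
	sudo install -m 660 -o root -g root \
		"$tool"/etc/postfix/$vm_domainname/smtpd/relay_clientcerts \
		/etc/postfix/$vm_domainname/smtpd/relay_clientcerts
	sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/relay_clientcerts
	sudo install -m 660 -o root -g root \
		"$tool"/etc/postfix/$vm_domainname/transport \
		/etc/postfix/$vm_domainname/transport
	sudo postmap hash:/etc/postfix/$vm_domainname/transport
	sudo install -m 660 -o root -g root \
		"$tool"/etc/postfix/$vm_domainname/virtual_alias \
		/etc/postfix/$vm_domainname/virtual_alias
	sudo postmap hash:/etc/postfix/$vm_domainname/virtual_alias
	sudo service postfix restart
}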
rule_postgrey_configure () {
	# Debian's packaged defaults are used as-is: install, then (re)start.
	local service=postgrey
	rule apt_get_install "$service"
	sudo service "$service" restart
}
rule_procmail_configure () {
	# Per-user delivery layout seeded through /etc/skel: the procmail recipe
	# and the directories it writes to, group adm like the rest of the skeleton.
	local skel=/etc/skel
	rule apt_get_install procmail
	sudo install -d -m 770 -o root -g adm \
		"$skel"/etc/mail \
		"$skel"/var/cache/mail \
		"$skel"/var/log/mail \
		"$skel"/var/mail
	sudo install -m 660 -o root -g adm \
		"$tool"/etc/skel/etc/mail/delivery.procmailrc \
		"$skel"/etc/mail/delivery.procmailrc
}
rule_ssh_configure () {
	# Keep the existing RSA host key when the repository's known_hosts already
	# records an RSA key for this VM (so clients keep trusting it); otherwise
	# create a new 4096-bit one. The subshell's "return" is its exit status:
	# 0 = found, 1 = not found. The " RSA" suffix is presumably a trailing
	# comment in that known_hosts file.
	# NOTE(review): ssh-keygen prompts before overwriting an existing
	# /etc/ssh/ssh_host_rsa_key, so the regeneration path is interactive.
	ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	( while IFS= read -r line
	  do case $line in (*" RSA") return 0; break;; esac
	  done; return 1 ) ||
	sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
	# Single host key type: drop the DSA and ECDSA keys so only the RSA key
	# named by HostKey below is offered.
	sudo rm -f \
		/etc/ssh/ssh_host_dsa_key \
		/etc/ssh/ssh_host_dsa_key.pub \
		/etc/ssh/ssh_host_ecdsa_key \
		/etc/ssh/ssh_host_ecdsa_key.pub
	# NOTE: keys generated by Debian
	# sshd: listens on the VM's IPv4 only; public-key authentication only
	# (password, challenge-response, Kerberos and GSSAPI are all off; UsePAM
	# stays on so PAM account/session modules still run); per-user keys
	# under ~/etc/ssh as laid out by the skeleton; no X11 forwarding.
	# PermitRootLogin yes is key-only given the settings above — consider
	# "without-password" to make that explicit. Protocol, KeyRegenerationInterval,
	# ServerKeyBits, RSAAuthentication and RhostsRSAAuthentication are SSH-1-era
	# options; OpenSSH releases that dropped protocol 1 warn about them.
	sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
Port 22
ListenAddress $vm_ipv4
#ListenAddress ::
Protocol 2
Compression yes
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeS
eparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/etc/ssh/authorized_keys
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
DebianBanner no
PrintLastLog yes
TCPKeepAlive yes
ClientAliveInterval 0
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
EOF
	sudo service ssh restart
}
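rule_user_admin_add () { # SYNTAX: $user
	# Creates (if needed) an admin account with a locked password, grants it
	# sudo, installs its SSH public key and the project's OpenPGP keys, then
	# refreshes everything derived from the sudo group's keys.
	local user=$1
	id "$user" >/dev/null ||
	sudo adduser --disabled-password "$user"
	# NOTE: the user sets the password themselves with passwd-init (see rule_user_configure).
	# Home directory from the account database instead of eval'ing "~$user":
	# the name comes from the command line, and eval would interpret any shell
	# syntax it contains. An empty result (no such account) aborts the script
	# rather than letting "$home"/etc/ssh resolve to /etc/ssh.
	local home
	home=$(getent passwd "$user" | cut -d : -f 6)
	: "${home:?no passwd entry for $user}"
	sudo adduser "$user" sudo
	# Assumes ~/etc/ssh exists, i.e. the skeleton from rule_user_configure
	# was in place when the account was created — TODO confirm.
	sudo install -m 640 -o root -g root \
		"$tool"/var/pub/ssh/"$user".key \
		"$home"/etc/ssh/authorized_keys
	# Globbing is off script-wide (set -f); "local -" scopes the option change
	# to this function so the *.key glob can expand here.
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo -u "$user" gpg --import "$key"
	done
	rule user_admin_configure
}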
rule_user_admin_configure () {
	# Re-derives everything that embeds the sudo group's SSH keys:
	# the initramfs (dropbear) and root's authorized_keys.
	local target
	for target in initramfs_configure user_root_configure
	do rule "$target"
	done
}
rule_user_configure () {
	# Skeleton for new accounts: a private (750) ~/etc/ssh, group-writable
	# (adm) ~/etc/apache2 and ~/var/{log,cache,cache/ssh}; .ssh and .gnupg
	# are symlinks into that etc/ layout (sshd's AuthorizedKeysFile points
	# there too). etc/gpg itself is not created here, so .gnupg dangles until
	# something creates it — presumably intended, confirm.
	sudo install -d -m 750 -o root -g adm \
		/etc/skel/etc \
		/etc/skel/etc/ssh
	sudo install -d -m 770 -o root -g adm \
		/etc/skel/etc/apache2 \
		/etc/skel/var \
		/etc/skel/var/log \
		/etc/skel/var/cache \
		/etc/skel/var/cache/ssh
	sudo ln -fns etc/ssh /etc/skel/.ssh
	sudo ln -fns etc/gpg /etc/skel/.gnupg
	# Lets a sudo-group member whose password is still locked ("L" in
	# passwd --status) set it without a password, through the exact -c string
	# that /usr/local/bin/passwd-init (below) sends. The \\ become sudoers
	# line continuations; the \$ stay literal for sudoers.
	# NOTE(review): in a sudoers argument list "*" is a wildcard, not a
	# shell glob, so this spec admits more -c strings than the one
	# passwd-init sends; a dedicated helper script listed without wildcards
	# would make the NOPASSWD grant exactly as narrow as intended.
	sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
EOF
	# "etckeeper unclean" only reports (exit status) whether /etc has
	# uncommitted changes; harmless to allow without a password.
	sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF
%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
EOF
	# Preserve the editor and git identity across sudo (e.g. etckeeper commits).
	sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/env_keep <<-EOF
Defaults env_keep = " \\
EDITOR \\
GIT_AUTHOR_NAME \\
GIT_AUTHOR_EMAIL \\
GIT_COMMITTER_NAME \\
GIT_COMMITTER_EMAIL \\
"
EOF
	# User-facing wrapper for the sudoers rule above; its -c string must stay
	# byte-identical to that spec or sudo will ask for a password. The
	# backslash-newline inside the heredoc joins the command onto one line.
	sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF
#!/bin/sh -efu
# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
sudo /bin/sh -e -f -u -c \
'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
EOF
	sudo install -m 644 -o root -g root \
		"$tool"/etc/bash.bashrc \
		/etc/bash.bashrc
	sudo install -m 644 -o root -g root \
		"$tool"/etc/screenrc \
		/etc/screenrc
}
rule_user_root_configure () {
	# Same etc/-based layout for root as the skeleton gives other users.
	sudo install -d -m 750 -o root -g adm \
		/root/etc \
		/root/etc/ssh \
		/root/etc/gpg
	sudo ln -fns etc/gpg /root/.gnupg
	sudo ln -fns etc/ssh /root/.ssh
	# root's authorized_keys = concatenation of every sudo-group member's
	# ~/etc/ssh/authorized_keys (same loop as rule_initramfs_configure; getent
	# lists supplementary members only). eval performs the "~user" expansion
	# on names taken from the group database.
	getent group sudo |
	while IFS=: read -r group x x users
	do while test -n "$users" && IFS=, read -r user users <<-EOF
$users
EOF
	do eval local home\; home="~$user"
	   cat "$home"/etc/ssh/authorized_keys
	done
	done |
	sudo install -m 640 -o root -g root /dev/stdin /root/etc/ssh/authorized_keys
	# Globbing is off script-wide (set -f); "local -" scopes the option change
	# to this function so the *.key glob can expand here.
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo gpg --import "$key"
	done
}
rule_configure () {
	# Full provisioning. The order is deliberate: apt first (every other
	# step installs packages), and boot_configure — which embeds the sudo
	# group's keys into the initramfs — only after root/users are set up.
	local step
	for step in \
		apt_configure \
		git_configure \
		etckeeper_configure \
		locale_configure \
		network_configure \
		filesystem_configure \
		login_configure \
		ssh_configure \
		mail_configure \
		user_root_configure \
		boot_configure \
		user_configure
	do rule "$step"
	done
}
697
rule_luks_key_change () {
	# Interactive: cryptsetup asks for a current passphrase, then the new one.
	# Only the root volume needs it — the other volumes are unlocked with a
	# key derived from it (see the crypttab written by rule_filesystem_configure).
	local device="/dev/$vm_lvm_vg/${vm_lvm_lv}_root"
	sudo cryptsetup luksChangeKey "$device"
}
701
# Dispatch: the first argument names the rule (default: help) and the rest
# are forwarded to it. shift runs only when an argument was given, so an
# empty argument list does not trip set -e. Every rule except help first
# asserts that it is running on the VM described by etc/vm.sh.
rule=${1:-help}
${1+shift}
if [ "$rule" != help ]; then
	assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
fi
rule "$rule" "$@"