Ajout : etc/etckeeper/update-ignore.d/02custom-ignore .
#!/bin/sh
# vm_hosted: administration rules for the hosted VM, run from inside the VM
# (rule_help prints the full description). Every rule_* function below is one
# rule; the dispatch at the bottom of the file runs the one named on the
# command line.
# -e: stop at the first failing command; -f: no globbing (re-enabled locally
# where a rule needs it); -u: an unset variable is an error.
# DRY_RUN=<anything> adds -n: the script is only parsed, nothing is executed.
set -e -f ${DRY_RUN:+-n} -u
# Directory of this script, which also holds lib/, etc/ and var/.
# ${0%/*} only strips a trailing "/name": a $0 without any slash is left as is.
tool=${0%/*}
. "$tool"/lib/rule.sh	# presumably provides rule, warn and assert — not shown here
. "$tool"/etc/vm.sh	# the vm_* settings ($vm, $vm_fqdn, $vm_ipv4, $vm_lvm_*, ...)
6
rule_help () { # SYNTAX: [--hidden]
	# Prints the usage on stderr. The RULES section is extracted by sed from the
	# `rule_NAME () { # comment` definition lines of etc/vm.sh and of this file:
	# the comment written after the brace is the rule's one-line help, which is
	# why every rule keeps exactly that layout. Without an argument hidden=set
	# and the pattern gets a [^_] after "rule_", so names starting with "rule__"
	# are left out; any argument (--hidden) shows them too.
	# ENVIRONMENT lists the `readonly NAME=...}` lines of the same two files.
	local hidden; [ ${1:+set} ] || hidden=set
	cat >&2 <<-EOF
	DESCRIPTION:
	ce script regroupe des règles pour administrer la VM ($vm_fqdn)
	_depuis_ la VM hébergée ($vm_fqdn) ;
	il sert à la fois d'outil (aisément bidouillable)
	et de documentation (préçise).
	Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
	SYNTAX: $0 \$RULE \${RULE}_SYNTAX
	RULES:
	$(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
	ENVIRONMENT:
	TRACE # affiche les commandes avant leur exécution
	$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
	EOF
}
24
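rule_git_configure () {
	# Points the master branch of the checkout in $tool at the local ref
	# refs/remotes/master (remote "."; `--replace` is git's abbreviation of
	# --replace-all) and links vm_hosted into /usr/local/sbin by absolute path.
	# Fixed: the absolute path was obtained with `tool=$(cd "$tool"; cd -)`,
	# which re-enters $tool from inside $tool and goes wrong whenever $tool is a
	# relative path with a directory component (e.g. foo/vm_hosted): the inner
	# cd fails and `cd -` prints the previous directory instead. After the cd
	# below the working directory *is* $tool, so pwd gives the intended value.
	# NOTE(review): run through that symlink, $0 is /usr/local/sbin/vm_hosted
	# and ${0%/*} does not follow the link — confirm lib/ and etc/ are found.
	(
	cd "$tool"
	git config --replace branch.master.remote .
	git config --replace branch.master.merge refs/remotes/master
	local tool
	tool=$(pwd)
	sudo ln -fns "$tool"/vm_hosted /usr/local/sbin/
	)
}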
rule_git_reset () {
	# Discards every local change in the $tool checkout: forces master onto
	# refs/remotes/master, then removes untracked and ignored files and
	# directories. Done in a subshell so the cd does not affect the caller.
	( cd "$tool" &&
	  git checkout -f -B master remotes/master &&
	  git clean -f -d -x )
}
42
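rule_apt_get_install () { # SYNTAX: $package
	# Installs the given package(s) unless every one of them is already
	# installed. Fixed: only "$1" used to be checked, so a call such as
	# `rule apt_get_install a b c` did nothing at all when a was installed but
	# b or c were not; each argument is now checked.
	# Before touching the system, warns when /etc has uncommitted changes in
	# etckeeper (the message tells what to do and to rerun the command).
	local package missing=
	for package in "$@"
	do	case $(dpkg -s "$package" 2>/dev/null | grep '^Status: ') in
		("Status: install ok installed");;
		(*) missing=set;;
		esac
	done
	[ ${missing:+set} ] || return 0
	# Reads as: no etckeeper installed, or /etc is clean, or warn.
	test ! -x /usr/bin/etckeeper ||
	! sudo etckeeper unclean ||
	warn "/etc unclean: etckeeper may force you to \`etckeeper commit'; then you can run your $0 command again."
	sudo apt-get install "$@"
}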
53
rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
	# Hidden rule (double underscore, skipped by rule_help): forces the C locale
	# in the current shell and re-reads /etc/profile. Presumably meant for use
	# inside a chroot (the name); the header comment asks whether it is useful.
	export LANG=C LC_CTYPE=C
	. /etc/profile
}
59
rule_apt_configure () {
	# APT sources and pinning for the $vm_lsb_name release, then apticron.
	# - sources.list: the Debian mirror (main contrib non-free); the backports
	#   source is written but commented out.
	# - preferences: the release is pinned at 170 and its backports at 200, i.e.
	#   a backport wins over the release version when both exist.
	# - an extra source for the OpenERP nightly trunk packages (plain http; apt's
	#   signature check is the only integrity control on it).
	# The three files are installed mode 660, so they are not readable by
	# non-root users.
	# - apticron (mail on pending upgrades) is installed and told to write to
	#   admin@$vm_domainname; the other settings stay at their defaults.
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list <<-EOF
	deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
	EOF
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/$vm_lsb_name-backports.list <<-EOF
	#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
	EOF
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/preferences <<-EOF
	Package: *
	Pin: release a=$vm_lsb_name
	Pin-Priority: 170

	Package: *
	Pin: release a=$vm_lsb_name-backports
	Pin-Priority: 200
	EOF
	sudo install -m 660 -o root -g root /dev/stdin /etc/apt/sources.list.d/openerp.list <<-EOF
	deb http://nightly.openerp.com/trunk/nightly/deb/ ./
	EOF
	sudo apt-get update
	rule apt_get_install apticron
	sudo install -m 644 -o root -g root /dev/stdin /etc/apticron/apticron.conf <<-EOF
	EMAIL="admin@$vm_domainname"
	# DIFF_ONLY="1"
	# LISTCHANGES_PROFILE="apticron"
	# ALL_FQDNS="1"
	# SYSTEM="foobar.example.com"
	# IPADDRESSNUM="1"
	# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
	# NOTIFY_HOLDS="0"
	# NOTIFY_NEW="0"
	# NOTIFY_NO_UPDATES="0"
	# CUSTOM_SUBJECT=""
	# CUSTOM_NO_UPDATES_SUBJECT=""
	# CUSTOM_FROM="root@$vm_fqdn"
	EOF
}
rule_boot_configure () {
	# Boot loader and kernel of the Xen guest. The warning reminds that GRUB must
	# not be written to any disk during the Debian installation. Installs
	# grub-pc and the $vm_arch kernel, then:
	# - /etc/default/grub: serial console on hvc0, the network configured from
	#   the kernel command line (ip=$vm_ipv4 with a /31-style netmask), the root
	#   filesystem type and the resume device (the deciphered swap);
	# - /boot/grub/device.map: hd0 is given twice, as the Xen block device and
	#   as the dom0 device-mapper name of the disk (device-mapper doubles the
	#   dashes of a volume name, hence the sed) — presumably one entry per
	#   place this disk may be seen from; confirm.
	# Finally regenerates grub.cfg and the initramfs.
	# /boot/grub is created mode 644 (no x bit on a directory) — presumably a
	# slip for 755; root is not affected by it.
	warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
	rule apt_get_install grub-pc
	sudo install -d -m 644 -o root -g root /boot/grub
	rule apt_get_install linux-image-$vm_arch
	sudo install -m 644 -o root -g root /dev/stdin /etc/default/grub <<-EOF
	GRUB_DEFAULT=0
	GRUB_TIMEOUT=5
	GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
	GRUB_CMDLINE_LINUX_DEFAULT="quiet"
	GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
	GRUB_DISABLE_RECOVERY="true"
	#GRUB_PRELOAD_MODULES="lvm"
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /boot/grub/device.map <<-EOF
	(hd0) /dev/xvda
	(hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
	EOF
	sudo update-grub2 # NOTE: takes /boot/grub/device.map into account
	rule initramfs_configure
}
rule_dovecot_configure () {
	# IMAP + ManageSieve server for $vm_domainname. The service key must already
	# be in place (the hint names the vm_remote rule that sends it); the tool's
	# self-signed certificate+CRL is installed next to it. The generated
	# local.conf:
	# - TLS with that self-signed file as both ssl_cert and ssl_ca; with
	#   ssl_verify_client_cert and auth_ssl_username_from_cert a verified client
	#   certificate can supply the user name (certificates are not made
	#   mandatory here — confirm that is intended);
	# - ssl_cipher_list pinned to the single suite AES256-SHA;
	# - passdb is a per-user /home/%u/etc/dovecot/passwd file (written by the
	#   dovecot-passwd helper below), userdb is the system passwd;
	# - maildir under ~/var/mail, index and control files under
	#   /var/lib/dovecot-{index,control}/%u (those two directories are created
	#   mode 1777 — presumably so each %u subdirectory can be created on first
	#   use); the NOTE in the file says they must be on a partition without quota;
	# - sieve scripts per user under ~/etc/mail, delivery (lda) through the
	#   auth socket created under /var/spool/postfix/private for postfix;
	# - mail_debug = yes: verbose logging.
	# dovecot-passwd lets a user write their own passwd entry; doveadm pw
	# prompts for the password and stores a SHA512-CRYPT hash.
	# NOTE(review): /etc/postgrey/whitelist_recipients.local is (re)written
	# empty from this dovecot rule rather than from rule_postgrey_configure —
	# confirm this is intended.
	rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
	local hint="run vm_remote dovecot_key_send before"
	assert "test -f /etc/dovecot/$vm_domainname/imap/x509/key.pem" hint
	sudo install -m 400 -o root -g root \
		"$tool"/var/pub/x509/service/imap/crt+crl.self-signed.pem \
		/etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
	sudo install -d -m 770 -o root -g adm \
		/etc/skel/etc/mail \
		/etc/skel/etc/sieve
	sudo install -d -m 1777 -o root -g root \
		/var/lib/dovecot-control \
		/var/lib/dovecot-index
	sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
	auth_ssl_username_from_cert = yes
	listen = *
	log_timestamp = "%Y-%m-%d %H:%M:%S "
	mail_debug = yes
	mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
	# NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
	# VOIR: http://wiki2.dovecot.org/Quota/FS
	mail_plugins = \$mail_plugins quota
	mail_privileged_group = mail
	passdb {
	args = /home/%u/etc/dovecot/passwd
	driver = passwd-file
	}
	plugin {
	quota = fs:user
	recipient_delimiter = +
	sieve = ~/etc/mail/filter.sieve
	sieve_dir = ~/etc/mail/sieve
	sieve_global_dir = /var/lib/dovecot/sieve/global/
	sieve_max_script_size = 1M
	sieve_quota_max_scripts = 0
	sieve_quota_max_storage = 10M
	sieve_user_log = ~/var/log/mail/sieve.log
	}
	protocol imap {
	mail_plugins = \$mail_plugins imap_quota
	}
	protocol lda {
	auth_socket_path = /var/run/dovecot/auth-master
	hostname = $vm_domainname
	info_log_path =
	log_path =
	mail_plugins = \$mail_plugins sieve
	postmaster_address = contact+dovecot+lda@$vm_domainname
	syslog_facility = mail
	}
	protocols = imap sieve
	service auth {
	user = root
	unix_listener /var/spool/postfix/private/auth {
	mode = 0660
	user = postfix
	group = postfix
	}
	}
	ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
	ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
	ssl_cipher_list = AES256-SHA
	ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
	ssl_verify_client_cert = yes
	userdb {
	driver = passwd
	}
	verbose_ssl = no
	EOF
	sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
	#!/bin/sh -efux
	# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
	install -d -m 770 ~/etc/dovecot
	install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
	\$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
	_EOF
	EOF
	sudo install -m 664 -o root -g root /dev/stdin /etc/postgrey/whitelist_recipients.local <<-EOF
	EOF
	sudo service dovecot restart
}
rule_etckeeper_configure () {
	# Puts /etc under git with etckeeper: its configuration, the prompt hook and
	# the custom ignore rules (etc/etckeeper/update-ignore.d/02custom-ignore),
	# then the package itself and a regeneration of the ignore file. Daily
	# autocommits and the commit-before-install are disabled; see the
	# `etckeeper unclean` check in rule_apt_get_install for the consequence.
	# NOTE(review): the two sources are relative paths (etc/etckeeper/...),
	# not "$tool"/etc/...; presumably the cwd is $tool — confirm.
	sudo install -m 644 -o root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
	VCS=git
	GIT_COMMIT_OPTIONS=""
	AVOID_DAILY_AUTOCOMMITS=1
	#AVOID_SPECIAL_FILE_WARNING=1
	AVOID_COMMIT_BEFORE_INSTALL=1
	HIGHLEVEL_PACKAGE_MANAGER=apt
	LOWLEVEL_PACKAGE_MANAGER=dpkg
	EOF
	sudo install -m 644 -o root -g root \
		etc/etckeeper/prompt.sh \
		/etc/etckeeper/prompt.sh
	sudo install -m 755 -o root -g root \
		etc/etckeeper/update-ignore.d/02custom-ignore \
		/etc/etckeeper/update-ignore.d/02custom-ignore
	rule apt_get_install etckeeper
	sudo etckeeper update-ignore -a
}
rule_filesystem_configure () {
	# fstab, crypttab and swap tuning for the LVM+LUKS layout of the VM.
	# - /boot is a plain ext2 volume; /, /var and /home are ext4 on deciphered
	#   LUKS volumes, /home with user and group quotas; /tmp is a 200m tmpfs
	#   mounted nosuid,nodev; barrier=1 is explained by the NOTE in the file.
	# - crypttab: only the root volume has its own key (asked at boot); /var,
	#   /home and swap are unlocked with a key derived from the root volume
	#   (keyscript decrypt_derived), so a single passphrase opens everything.
	# - vm.swappiness 10: swap is used as little as possible (NOTE in the file).
	sudo install -m 644 -o root -g root /dev/stdin /etc/fstab <<-EOF
	# <file system> <mount point> <type> <options> <dump> <pass>
	LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
	proc /proc proc defaults 0 0
	sysfs /sys sysfs defaults 0 0
	tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
	/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
	/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
	/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
	# NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
	/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/crypttab <<-EOF
	# <target name> <source device> <key file> <options>
	${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
	${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/sysctl.d/local-swap.conf <<-EOF
	vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité
	vm.vfs_cache_pressure=50
	EOF
}
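rule_initramfs_configure () {
	# initramfs for the Xen PV guest with LUKS volumes (rule_filesystem_configure):
	# busybox + keymap, the xennet/xenblk aliases and the hash/cipher modules
	# needed to unlock the volumes, plus dropbear so the passphrase can be
	# entered over SSH at boot; root's authorized_keys inside the initramfs is
	# the concatenation of the keys of every member of the sudo group.
	# Ends with update-initramfs -u.
	# Fixed: the key list used to be piped straight into `sudo install`, so a
	# member whose ~/etc/ssh/authorized_keys was missing only killed the
	# producing stage and a silently truncated authorized_keys was installed
	# anyway (a pipeline's status is its last command's). The keys are now
	# gathered in a temporary file and any failure aborts before installing.
	# The home directory is looked up with getent passwd instead of
	# `eval local home\; home="~$user"`, which built shell code from the user
	# name and kept the literal "~name" for an unknown user.
	sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/initramfs.conf <<-EOF
	MODULES=most
	BUSYBOX=y
	KEYMAP=y
	COMPRESS=gzip
	DEVICE=eth0
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/modprobe.d/xen-pv.conf <<-EOF
	alias eth0 xennet
	alias scsi_hostadapter xenblk
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/modules <<-EOF
	sha1_generic
	sha256_generic
	sha512_generic
	aes-x86_64
	xts
	# NOTE: pour Xen en mode HVM :
	#modprobe xen-platform-pci
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/initramfs-tools/modules <<-EOF
	EOF
	# NOTE: works around a bug: dropbear must wait until the network is
	# configured (drops the trailing "&" that backgrounded configure_networking).
	sudo sed -e '/^configure_networking /s/ &$//' \
		-i /usr/share/initramfs-tools/scripts/init-premount/dropbear
	# Generate a 4096-bit RSA dropbear host key unless the tool's known_hosts
	# already records an RSA key for init.$vm_fqdn: the subshell returns 0 on a
	# line ending in " RSA", 1 otherwise.
	ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	( while IFS= read -r line
	  do case $line in (*" RSA") return 0;; esac
	  done; return 1 ) ||
	{
	sudo rm -f \
		/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
		/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
	sudo dropbearkey -t rsa -s 4096 -f \
		/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
	}
	# NOTE: does not bother with dropbear_dss_host_key; Debian generates and uses it anyway.
	sudo install -d -m 640 -o root -g root \
		/etc/initramfs-tools/root \
		/etc/initramfs-tools/root/.ssh
	local keys home
	keys=$(mktemp) || return 1
	getent group sudo |
	while IFS=: read -r group x x users
	do	while test -n "$users" && IFS=, read -r user users <<-EOF
			$users
			EOF
		do	home=$(getent passwd "$user" | cut -d: -f6)
			test -n "$home" || { warn "unknown user: $user"; exit 1; }
			# exit 1 fails this pipeline stage instead of going on with a
			# partial key list.
			cat "$home"/etc/ssh/authorized_keys || exit 1
		done
	done >"$keys" ||
	{ rm -f "$keys"; return 1; }
	sudo install -m 644 -o root -g root "$keys" /etc/initramfs-tools/root/.ssh/authorized_keys
	rm -f "$keys"
	sudo rm -f \
		/etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
		/etc/initramfs-tools/root/.ssh/id_rsa.pub \
		/etc/initramfs-tools/root/.ssh/id_rsa
	# NOTE: keys generated by Debian
	sudo update-initramfs -u
}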
rule_locale_configure () {
	# Generates the single fr_FR.UTF-8 locale and refreshes the system default.
	printf '%s\n' 'fr_FR.UTF-8 UTF-8' |
	sudo install -m 644 -o root -g root /dev/stdin /etc/locale.gen
	sudo update-locale
}
rule_login_configure () {
	# Console login and account policy.
	# - /etc/securetty: hvc0 and xvc0 (the Xen consoles) are appended once each,
	#   so root may log in there; the current contents are captured by the
	#   command substitution before install rewrites the file.
	# - /etc/inittab: the Debian default with a getty on hvc0 (xvc0 commented).
	# - /etc/login.defs: UMASK 007 and sbin/ in every user's PATH (both
	#   explained by the NOTEs in the file), no password ageing (PASS_MAX_DAYS
	#   99999), 3 login retries, SHA512 password hashes.
	# - pam_umask appended once to common-session so the UMASK above applies.
	grep -q '^hvc0$' /etc/securetty ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
	$(cat /etc/securetty)
	hvc0
	EOF
	grep -q '^xvc0$' /etc/securetty ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/securetty <<-EOF
	$(cat /etc/securetty)
	xvc0
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/inittab <<-EOF
	# /etc/inittab: init(8) configuration.

	# The default runlevel.
	id:2:initdefault:

	# Boot-time system configuration/initialization script.
	# This is run first except when booting in emergency (-b) mode.
	si::sysinit:/etc/init.d/rcS

	# What to do in single-user mode.
	~~:S:wait:/sbin/sulogin

	# /etc/init.d executes the S and K scripts upon change
	# of runlevel.
	#
	# Runlevel 0 is halt.
	# Runlevel 1 is single-user.
	# Runlevels 2-5 are multi-user.
	# Runlevel 6 is reboot.

	l0:0:wait:/etc/init.d/rc 0
	l1:1:wait:/etc/init.d/rc 1
	l2:2:wait:/etc/init.d/rc 2
	l3:3:wait:/etc/init.d/rc 3
	l4:4:wait:/etc/init.d/rc 4
	l5:5:wait:/etc/init.d/rc 5
	l6:6:wait:/etc/init.d/rc 6
	# Normally not reached, but fallthrough in case of emergency.
	z6:6:respawn:/sbin/sulogin

	# What to do when CTRL-ALT-DEL is pressed.
	ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

	# What to do when the power fails/returns.
	pf::powerwait:/etc/init.d/powerfail start
	pn::powerfailnow:/etc/init.d/powerfail now
	po::powerokwait:/etc/init.d/powerfail stop

	# Xen hypervisor console
	hvc:2345:respawn:/sbin/getty 38400 hvc0
	#xvc:2345:respawn:/sbin/getty 38400 xvc0
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/login.defs <<-EOF
	MAIL_DIR /var/mail
	FAILLOG_ENAB yes
	LOG_UNKFAIL_ENAB no
	LOG_OK_LOGINS no
	SYSLOG_SU_ENAB yes
	SYSLOG_SG_ENAB yes
	FTMP_FILE /var/log/btmp
	SU_NAME su
	HUSHLOGIN_FILE .hushlogin
	ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
	ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
	# NOTE: met les sbin/ dans ENV_PATH ;
	# - ça n'apporte aucune protection de ne pas les mettre ;
	# - ça frustre de ne pas les trouver.
	TTYGROUP tty
	TTYPERM 0600
	ERASECHAR 0177
	KILLCHAR 025
	UMASK 007
	# NOTE: rwxrwx--- ;
	# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
	# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
	PASS_MAX_DAYS 99999
	PASS_MIN_DAYS 0
	PASS_WARN_AGE 7
	UID_MIN 1000
	UID_MAX 60000
	GID_MIN 1000
	GID_MAX 60000
	LOGIN_RETRIES 3
	LOGIN_TIMEOUT 60
	CHFN_RESTRICT rwh
	DEFAULT_HOME yes
	USERGROUPS_ENAB yes
	ENCRYPT_METHOD SHA512
	EOF
	grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/pam.d/common-session <<-EOF
	$(cat /etc/pam.d/common-session)
	session optional pam_umask.so
	EOF
}
rule_procmail_configure () {
	# Installs procmail and seeds /etc/skel with the mail layout every new
	# account gets (etc/mail, var/cache/mail, var/log/mail, var/mail, group adm)
	# plus the default delivery recipe from the tool.
	local skel=/etc/skel
	rule apt_get_install procmail
	sudo install -d -m 770 -o root -g adm \
		"$skel"/etc/mail \
		"$skel"/var/cache/mail \
		"$skel"/var/log/mail \
		"$skel"/var/mail
	sudo install -m 660 -o root -g adm \
		"$tool"/etc/skel/etc/mail/delivery.procmailrc \
		"$skel"/etc/mail/delivery.procmailrc
}
rule_postgrey_configure () {
	# Installs the postgrey greylisting daemon and restarts it so the packaged
	# configuration is live.
	local service=postgrey
	rule apt_get_install "$service"
	sudo service "$service" restart
}
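rule_postfix_configure () {
	# Installs and configures postfix for $vm_domainname: x509 material for the
	# smtpd (server) and smtp (client) sides, the lookup tables under
	# etc/postfix/$vm_domainname/ (each one postmap'ed), main.cf (a generated
	# header prepended to the etc/postfix/main.cf template) and master.cf,
	# then restarts the service. The smtpd private key must already be in
	# place (the hint names the vm_remote rule that sends it).
	# Fixed: the `install -d` run and the crt+crl.self-signed.pem install were
	# each executed twice; the duplicates are dropped (same end state).
	# NOTE(review): sources are given relative to the current directory
	# (etc/..., var/...) whereas rule_dovecot_configure uses "$tool"/...;
	# presumably the cwd is $tool — confirm.
	local hint="run vm_remote postfix_key_send before"
	assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
	warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
	rule apt_get_install postfix
	sudo install -d -m 770 -o root -g root \
		/etc/postfix/$vm_domainname/ \
		/etc/postfix/$vm_domainname/smtp \
		/etc/postfix/$vm_domainname/smtp/x509 \
		/etc/postfix/$vm_domainname/smtp/x509/ca \
		/etc/postfix/$vm_domainname/smtpd \
		/etc/postfix/$vm_domainname/smtpd/x509 \
		/etc/postfix/$vm_domainname/smtpd/x509/ca
	# The smtpd CA file is the self-signed certificate+CRL itself.
	sudo ln -fns \
		../crt+crl.self-signed.pem \
		/etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
	sudo install -m 400 -o root -g root \
		var/pub/x509/service/smtpd/crt+crl.self-signed.pem \
		/etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
	sudo install -m 400 -o root -g root \
		var/pub/x509/service/smtpd/crt.pem \
		/etc/postfix/$vm_domainname/smtpd/x509/crt.pem
	sudo install -m 400 -o root -g root \
		var/pub/x509/service/smtpd/crt+root.pem \
		/etc/postfix/$vm_domainname/smtpd/x509/crt+root.pem
	sudo install -m 660 -o root -g root \
		etc/postfix/$vm_domainname/header_checks \
		/etc/postfix/$vm_domainname/header_checks
	sudo install -m 664 -o root -g root \
		etc/aliases \
		/etc/aliases
	sudo newaliases
	# main.cf = the domain-specific header below + the etc/postfix/main.cf template.
	cat /dev/stdin etc/postfix/main.cf <<-EOF |
	mydomain = $vm_domainname
	myorigin = \$mydomain
	myhostname = $vm_hostname.\$mydomain
	mail_name = \$myhostname
	mydestination = $vm_hostname \$myhostname \$myorigin
	EOF
	sudo install -m 664 -o root -g root /dev/stdin \
		/etc/postfix/main.cf
	sudo install -m 664 -o root -g root \
		etc/postfix/master.cf \
		/etc/postfix/master.cf
	sudo install -m 660 -o root -g root \
		etc/postfix/$vm_domainname/smtp/x509/policy \
		/etc/postfix/$vm_domainname/smtp/x509/policy
	sudo postmap hash:/etc/postfix/$vm_domainname/smtp/x509/policy
	sudo install -m 660 -o root -g root \
		etc/postfix/$vm_domainname/smtp/header_checks \
		/etc/postfix/$vm_domainname/smtp/header_checks
	sudo install -m 660 -o root -g root \
		etc/postfix/$vm_domainname/smtpd/sender_access \
		/etc/postfix/$vm_domainname/smtpd/sender_access
	sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/sender_access
	sudo install -m 660 -o root -g root \
		etc/postfix/$vm_domainname/smtpd/client_blacklist \
		/etc/postfix/$vm_domainname/smtpd/client_blacklist
	sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/client_blacklist
	sudo install -m 660 -o root -g root \
		etc/postfix/$vm_domainname/smtpd/relay_clientcerts \
		/etc/postfix/$vm_domainname/smtpd/relay_clientcerts
	sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/relay_clientcerts
	sudo install -m 660 -o root -g root \
		etc/postfix/$vm_domainname/transport \
		/etc/postfix/$vm_domainname/transport
	sudo postmap hash:/etc/postfix/$vm_domainname/transport
	sudo install -m 660 -o root -g root \
		etc/postfix/$vm_domainname/virtual_alias \
		/etc/postfix/$vm_domainname/virtual_alias
	sudo postmap hash:/etc/postfix/$vm_domainname/virtual_alias
	sudo service postfix restart
}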
rule_mail_configure () {
	# The whole mail stack, in this order: postfix first (dovecot's auth socket
	# is created under /var/spool/postfix), then postgrey, procmail, dovecot.
	local part
	for part in postfix postgrey procmail dovecot
	do rule "${part}_configure"
	done
}
rule_network_configure () {
	# Host name and network of the VM.
	# - /etc/hostname is $vm; "127.0.0.1 $vm_fqdn $vm" is appended to /etc/hosts
	#   once (the current contents are captured before install rewrites it).
	# - /etc/network/interfaces: eth0 (logical interface "grenode") gets
	#   $vm_ipv4 as a /32, with the gateway set to the very same address (the
	#   NOTE in the file: proxy ARP on the gateway) and an MTU of 1300 imposed
	#   by the GRE/IPsec tunnels of the Grenode network (the ping transcript in
	#   the file shows 1300 being the largest size that passes without
	#   fragmentation); post-up/pre-down add and remove the /32 explicitly.
	sudo install -m 644 -o root -g root /dev/stdin /etc/hostname <<-EOF
	$vm
	EOF
	grep -q " $vm\$" /etc/hosts ||
	sudo install -m 644 -o root -g root /dev/stdin /etc/hosts <<-EOF
	$(cat /etc/hosts)
	127.0.0.1 $vm_fqdn $vm
	EOF
	sudo install -m 644 -o root -g root /dev/stdin /etc/network/interfaces <<-EOF
	auto lo
	iface lo inet loopback

	auto eth0=grenode
	iface grenode inet static
	address $vm_ipv4
	gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
	network $vm_ipv4
	broadcast $vm_ipv4
	netmask 255.255.255.255
	mtu 1300
	# NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
	# car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
	#
	# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
	# PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
	# 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
	#
	# --- soupirail.grenode.net ping statistics ---
	# 1 packets transmitted, 1 received, 0% packet loss, time 0ms
	# rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
	# root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
	# PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
	# From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
	#
	# --- soupirail.grenode.net ping statistics ---
	# 0 packets transmitted, 0 received, +1 errors
	post-up ip address add $vm_ipv4/32 dev \$IFACE
	pre-down ip address delete $vm_ipv4/32 dev \$IFACE
	EOF
}
rule_ssh_configure () {
	# OpenSSH server. A 4096-bit RSA host key is generated unless the tool's
	# known_hosts already records an RSA key for $vm_fqdn (the subshell returns
	# 0 on a line ending in " RSA"; the `break` after `return 0` is dead code);
	# the DSA and ECDSA host keys Debian generated are removed, so RSA is the
	# only host key (HostKey below).
	# sshd_config: protocol 2 only (KeyRegenerationInterval, ServerKeyBits,
	# RSAAuthentication and RhostsRSAAuthentication are protocol-1 settings and
	# have no effect here); public-key authentication only — password,
	# challenge-response, Kerberos and GSSAPI are all off — with the keys read
	# from %h/etc/ssh/authorized_keys (the ~/.ssh symlink set up by
	# rule_user_configure points at etc/ssh). PermitRootLogin yes therefore
	# allows root in by key only. Listens on $vm_ipv4 only (IPv6 commented out),
	# no X11 forwarding, DebianBanner off, LANG/LC_* accepted from the client.
	ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	( while IFS= read -r line
	  do case $line in (*" RSA") return 0; break;; esac
	  done; return 1 ) ||
	sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
	sudo rm -f \
		/etc/ssh/ssh_host_dsa_key \
		/etc/ssh/ssh_host_dsa_key.pub \
		/etc/ssh/ssh_host_ecdsa_key \
		/etc/ssh/ssh_host_ecdsa_key.pub
	# NOTE: keys generated by Debian
	sudo install -m 644 -o root -g root /dev/stdin /etc/ssh/sshd_config <<-EOF
	Port 22
	ListenAddress $vm_ipv4
	#ListenAddress ::
	Protocol 2
	Compression yes
	HostKey /etc/ssh/ssh_host_rsa_key
	UsePrivilegeSeparation yes
	KeyRegenerationInterval 3600
	ServerKeyBits 768
	SyslogFacility AUTH
	LogLevel INFO
	LoginGraceTime 120
	PermitRootLogin yes
	StrictModes yes
	RSAAuthentication yes
	PubkeyAuthentication yes
	AuthorizedKeysFile %h/etc/ssh/authorized_keys
	IgnoreRhosts yes
	RhostsRSAAuthentication no
	HostbasedAuthentication no
	IgnoreUserKnownHosts no
	PermitEmptyPasswords no
	ChallengeResponseAuthentication no
	PasswordAuthentication no
	KerberosAuthentication no
	GSSAPIAuthentication no
	X11Forwarding no
	X11DisplayOffset 10
	PrintMotd no
	DebianBanner no
	PrintLastLog yes
	TCPKeepAlive yes
	ClientAliveInterval 0
	AcceptEnv LANG LC_*
	Subsystem sftp /usr/lib/openssh/sftp-server
	UsePAM yes
	EOF
	sudo service ssh restart
}
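rule_user_admin_add () { # SYNTAX: $user
	# Creates the account $1 if it does not exist (without a password: the user
	# sets one with passwd-init, installed by rule_user_configure), adds it to
	# the sudo group, installs its SSH public key from the tool's var/pub/ssh/
	# and imports the tool's OpenPGP keys into its keyring, then refreshes what
	# depends on the sudo group (rule_user_admin_configure: initramfs and root
	# authorized_keys).
	# Fixed: the home directory was obtained with
	# `eval local home\; home="~$user"`, i.e. shell code built from the
	# argument, and an unknown user silently yielded the literal "~name"; it is
	# now read from the passwd database and checked.
	local user=$1
	id "$user" >/dev/null ||
	sudo adduser --disabled-password "$user"
	# NOTE: the password must be initialised by the user with passwd-init.
	local home
	home=$(getent passwd "$user" | cut -d: -f6)
	test -n "$home" || { warn "no home directory found for user $user"; return 1; }
	sudo adduser "$user" sudo
	# Root-owned, mode 640: sshd reads the file as root; the user need not.
	sudo install -m 640 -o root -g root \
		"$tool"/var/pub/ssh/"$user".key \
		"$home"/etc/ssh/authorized_keys
	# Globbing is re-enabled (set +f) for this loop only: `local -` restores
	# the shell options when the function returns.
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo -u "$user" gpg --import "$key"
	done
	rule user_admin_configure
}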
rule_user_admin_configure () {
	# Re-derives everything that depends on the membership of the sudo group:
	# the initramfs (dropbear authorized_keys) and root's authorized_keys.
	local part
	for part in initramfs user_root
	do rule "${part}_configure"
	done
}
rule_user_configure () {
	# Skeleton and sudo policy for ordinary accounts.
	# - /etc/skel: etc/ssh (750) with .ssh -> etc/ssh and .gnupg -> etc/gpg as
	#   symlinks, apache2/var/log/cache dirs (770, group adm).
	# - /etc/sudoers.d/passwd-init: members of sudo may run, without a
	#   password, exactly the /bin/sh -c command that runs passwd on their own
	#   account — and only while `passwd --status` reports it locked ("L"),
	#   i.e. the one-time initialisation after adduser --disabled-password.
	#   The passwd-init script below runs that very command line; the -c
	#   argument must match the sudoers entry byte for byte (after sudoers'
	#   backslash line continuation) or sudo will prompt for a password.
	# - /etc/sudoers.d/etckeeper-unclean: `etckeeper unclean` without password
	#   (used by rule_apt_get_install).
	# - /etc/sudoers.d/env_keep: EDITOR and the git author/committer variables
	#   survive sudo, so etckeeper commits carry the real author.
	# - /etc/bash.bashrc and /etc/screenrc from the tool (relative paths —
	#   presumably the cwd is $tool; confirm).
	# NOTE(review): the sudoers.d fragments are installed mode 640 while
	# sudoers(5) documents 0440 for them — confirm sudo accepts them (visudo -c).
	sudo install -d -m 750 -o root -g adm \
		/etc/skel/etc \
		/etc/skel/etc/ssh
	sudo install -d -m 770 -o root -g adm \
		/etc/skel/etc/apache2 \
		/etc/skel/var \
		/etc/skel/var/log \
		/etc/skel/var/cache \
		/etc/skel/var/cache/ssh
	sudo ln -fns etc/ssh /etc/skel/.ssh
	sudo ln -fns etc/gpg /etc/skel/.gnupg
	sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
	%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
	case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
	("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
	EOF
	sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/etckeeper-unclean <<-EOF
	%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
	EOF
	sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/env_keep <<-EOF
	Defaults env_keep = " \\
	EDITOR \\
	GIT_AUTHOR_NAME \\
	GIT_AUTHOR_EMAIL \\
	GIT_COMMITTER_NAME \\
	GIT_COMMITTER_EMAIL \\
	"
	EOF
	sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF
	#!/bin/sh -efu
	# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
	sudo /bin/sh -e -f -u -c \
	'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
	EOF
	sudo install -m 644 -o root -g root \
		etc/bash.bashrc \
		/etc/bash.bashrc
	sudo install -m 644 -o root -g root \
		etc/screenrc \
		/etc/screenrc
}
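rule_user_root_configure () {
	# Root's dotfile layout (/root/etc/{ssh,gpg} with .ssh and .gnupg as
	# symlinks, like /etc/skel), then /root/etc/ssh/authorized_keys built from
	# the authorized_keys of every member of the sudo group, and the tool's
	# OpenPGP public keys imported into root's keyring.
	# Fixed: the key list used to be piped straight into `sudo install`, so a
	# member whose ~/etc/ssh/authorized_keys was missing only killed the
	# producing stage and a silently truncated authorized_keys was installed
	# anyway (a pipeline's status is its last command's). The keys are now
	# gathered in a temporary file and any failure aborts before installing.
	# The home directory is looked up with getent passwd instead of
	# `eval local home\; home="~$user"`.
	sudo install -d -m 750 -o root -g adm \
		/root/etc \
		/root/etc/ssh \
		/root/etc/gpg
	sudo ln -fns etc/gpg /root/.gnupg
	sudo ln -fns etc/ssh /root/.ssh
	local keys home
	keys=$(mktemp) || return 1
	getent group sudo |
	while IFS=: read -r group x x users
	do	while test -n "$users" && IFS=, read -r user users <<-EOF
			$users
			EOF
		do	home=$(getent passwd "$user" | cut -d: -f6)
			test -n "$home" || { warn "unknown user: $user"; exit 1; }
			# exit 1 fails this pipeline stage instead of going on with a
			# partial key list.
			cat "$home"/etc/ssh/authorized_keys || exit 1
		done
	done >"$keys" ||
	{ rm -f "$keys"; return 1; }
	sudo install -m 640 -o root -g root "$keys" /root/etc/ssh/authorized_keys
	rm -f "$keys"
	# Globbing is re-enabled (set +f) for this loop only: `local -` restores
	# the shell options when the function returns.
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo gpg --import "$key"
	done
}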
rule_configure () {
	# Full configuration of a freshly installed VM, in dependency order
	# (apt and git first, boot and user last).
	local part
	for part in apt git etckeeper locale network filesystem login ssh user_root boot user
	do rule "${part}_configure"
	done
}
699
rule_luks_key_change () {
	# Changes the passphrase of the root LUKS volume (cryptsetup prompts for the
	# current and the new one). It is the only volume with its own passphrase:
	# /var, /home and swap derive their key from it (rule_filesystem_configure).
	local root_lv
	root_lv=/dev/$vm_lvm_vg/${vm_lvm_lv}_root
	sudo cryptsetup luksChangeKey "$root_lv"
}
703
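# Entry point: `$0 RULE ARGS...` runs rule_RULE through the rule helper; with
# no argument the help is shown. Any rule other than help first asserts that
# this machine really is the hosted VM ($vm_fqdn), so the sudo-heavy rules
# cannot be run on another host by mistake.
rule=${1:-help}
[ $# -eq 0 ] || shift
case $rule in
(help);;
(*)
	assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
	;;
esac
# Fixed: "$rule" is quoted — it comes from the command line and must stay one
# argument (unquoted, a name containing IFS characters was split into several).
rule "$rule" "$@"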