Correction : condition finale de boucle while.
#!/bin/sh
# vm_hosted: utilities run _from_ the hosted VM (see rule_help for the list
# of rules and the documented environment variables).
# Usage: vm_hosted RULE [ARGS...]; RULE defaults to "help".
# -e: abort on the first failing command; -f: no pathname expansion (every
# '*' in this script is literal data); -n when DRY_RUN is set: the shell only
# parses the script and executes nothing; -u: an unset variable is an error.
set -e -f ${DRY_RUN:+-n} -u
# Directory containing this script; lib/, etc/ and var/ are found below it.
# NOTE(review): ${0%/*} does not resolve symlinks, and rule__bin_init links
# this script into /usr/local/sbin/ — confirm lib/ and etc/ are still found
# when the script is started through that link.
tool=${0%/*}
. "$tool"/lib/functions.sh
. "$tool"/etc/vm.sh
6
# Print the usage text to stderr. The rule list and the documented readonly
# environment variables are extracted with sed from the "rule_NAME () {"
# and "readonly NAME" definitions of "$tool"/vm.sh and of this script; rules
# whose name starts with an underscore (rule__*) are internal and not listed.
# NOTE(review): sed reads "$tool"/vm.sh while the script sources
# "$tool"/etc/vm.sh — confirm which file is meant.
rule_help () {
cat >&2 <<-EOF
DESCRIPTION: ce script regroupe des fonctions utilitaires
pour gérer la VM _depuis_ la VM hébergée ;
il sert à la fois d'outil et de documentation.
Voir \`$tool/vm_host' pour les utilitaires côté machine hôte.
SYNTAX: $0 \$RULE \${RULE}_SYNTAX
RULES:
$(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$tool"/vm.sh "$0")
ENVIRONMENT:
TRACE # affiche les commandes avant leur exécution
$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/vm.sh "$0")
EOF
}
21
# Reset the checkout under $tool to the "origin" ref and delete every
# untracked or ignored file. Runs in a subshell so the caller's working
# directory is left untouched.
rule_git_reset () {
  (
    cd "$tool" || exit
    git checkout -f -B master origin
    git clean -f -d -x
  )
}
29
# Environment setup when this script is run inside a chroot: force the C
# locale and load the system profile.
rule_chrooted () {
  LANG=C
  LC_CTYPE=C
  export LANG LC_CTYPE
  . /etc/profile
}
35
# Keep /etc under git with etckeeper. Commits are explicit only: no daily
# autocommit and no automatic commit before an apt install.
rule__etckeeper_init () {
mk_reg mod=644 own=root:root /etc/etckeeper/etckeeper.conf <<-EOF
VCS=git
GIT_COMMIT_OPTIONS=""
AVOID_DAILY_AUTOCOMMITS=1
#AVOID_SPECIAL_FILE_WARNING=1
AVOID_COMMIT_BEFORE_INSTALL=1
HIGHLEVEL_PACKAGE_MANAGER=apt
LOWLEVEL_PACKAGE_MANAGER=dpkg
EOF
}
# Generate the single fr_FR.UTF-8 locale and refresh /etc/default/locale.
rule__locale_init () {
mk_reg mod=644 own=root:root /etc/locale.gen <<-EOF
fr_FR.UTF-8 UTF-8
EOF
sudo update-locale
}
# Host name, /etc/hosts entry and a static /32 configuration for eth0.
# The gateway is the VM's own address: the NOTE written into the interfaces
# file explains that proxy_arp on the gateway makes this work.
# NOTE(review): mod= own= presumably lets mk_reg keep default mode/owner —
# confirm in lib/functions.sh.
rule__network_init () {
mk_reg mod= own= /etc/hostname <<-EOF
$vm
EOF
# Append the loopback alias only once (idempotent re-runs).
grep -q " $vm\$" /etc/hosts ||
mk_reg mod= own= --append /etc/hosts <<-EOF
127.0.0.1 $vm_fqdn $vm
EOF
mk_reg mod= own= /etc/network/interfaces <<-EOF
auto lo
iface lo inet loopback

auto eth0=grenode
iface grenode inet static
address $vm_ipv4
gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
network $vm_ipv4
broadcast $vm_ipv4
netmask 255.255.255.255
#mtu 1300
post-up ip address add $vm_ipv4/32 dev \$IFACE
pre-down ip address delete $vm_ipv4/32 dev \$IFACE
EOF
}
# APT sources for the release named by $vm_lsb_name, with backports pinned
# above the release (200 > 170) and a third-party OpenERP nightly repository.
# NOTE(review): the OpenERP repository is fetched over plain http and no
# signing key is imported in this rule; confirm how its packages are
# authenticated before relying on it.
rule__apt_init () {
mk_reg mod= own= /etc/apt/sources.list <<-EOF
deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
EOF
mk_reg mod= own= /etc/apt/sources.list.d/$vm_lsb_name-backports.list <<-EOF
#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
EOF
mk_reg mod= own= /etc/apt/preferences <<-EOF
Package: *
Pin: release a=$vm_lsb_name
Pin-Priority: 170

Package: *
Pin: release a=$vm_lsb_name-backports
Pin-Priority: 200
EOF
mk_reg mod= own= /etc/apt/sources.list.d/openerp.list <<-EOF
deb http://nightly.openerp.com/trunk/nightly/deb/ ./
EOF
}
# fstab, crypttab and swap tuning for the LUKS-over-LVM layout: the root
# volume is unlocked with a passphrase ("none" key), var/home/swap derive
# their key from the opened root volume (decrypt_derived keyscript).
rule__filesystem_init () {
mk_reg mod=644 own=root:root /etc/fstab <<-EOF
# <file system> <mount point> <type> <options> <dump> <pass>
LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,noatime 0 1
/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,noatime 0 1
/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,noatime,usrquota,grpquota 0 0
/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
EOF
# The mapping names declared here are the ones fstab (above) and the kernel
# resume= parameter (rule__boot_init) must refer to.
mk_reg mod=644 own=root:root /etc/crypttab <<-EOF
# <target name> <source device> <key file> <options>
${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
EOF
# Swap only under memory pressure (the NOTE in the file says the same).
mk_reg mod=644 own=root:root /etc/sysctl.d/local-swap.conf <<-EOF
vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité
vm.vfs_cache_pressure=50
EOF
}
# Console login on the Xen consoles (hvc0/xvc0), a sysvinit inittab with a
# getty on hvc0, login.defs (UMASK 007 rationale is in the file) and the
# pam_umask session module so that umask applies to every login.
rule__login_init () {
# securetty: append each console once (idempotent re-runs).
grep -q hvc0 /etc/securetty ||
mk_reg mod= own= --append /etc/securetty <<-EOF
hvc0
EOF
grep -q xvc0 /etc/securetty ||
mk_reg mod= own= --append /etc/securetty <<-EOF
xvc0
EOF
mk_reg mod=644 own=root:root /etc/inittab <<-EOF
# /etc/inittab: init(8) configuration.

# The default runlevel.
id:2:initdefault:

# Boot-time system configuration/initialization script.
# This is run first except when booting in emergency (-b) mode.
si::sysinit:/etc/init.d/rcS

# What to do in single-user mode.
~~:S:wait:/sbin/sulogin

# /etc/init.d executes the S and K scripts upon change
# of runlevel.
#
# Runlevel 0 is halt.
# Runlevel 1 is single-user.
# Runlevels 2-5 are multi-user.
# Runlevel 6 is reboot.

l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fallthrough in case of emergency.
z6:6:respawn:/sbin/sulogin

# What to do when CTRL-ALT-DEL is pressed.
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

# What to do when the power fails/returns.
pf::powerwait:/etc/init.d/powerfail start
pn::powerfailnow:/etc/init.d/powerfail now
po::powerokwait:/etc/init.d/powerfail stop

# Xen hypervisor console
hvc:2345:respawn:/sbin/getty 38400 hvc0
#xvc:2345:respawn:/sbin/getty 38400 xvc0
EOF
# Password hashing is SHA512; PASS_MAX_DAYS 99999 means no forced expiry.
mk_reg mod=644 own=root:root /etc/login.defs <<-EOF
MAIL_DIR /var/mail
FAILLOG_ENAB yes
LOG_UNKFAIL_ENAB no
LOG_OK_LOGINS no
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
FTMP_FILE /var/log/btmp
SU_NAME su
HUSHLOGIN_FILE .hushlogin
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# NOTE: met les sbin/ dans ENV_PATH ;
# - ça n'apporte aucune protection de ne pas les mettre ;
# - ça frustre de ne pas les trouver.
TTYGROUP tty
TTYPERM 0600
ERASECHAR 0177
KILLCHAR 025
UMASK 007
# NOTE: rwxrwx--- ;
# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
GID_MIN 1000
GID_MAX 60000
LOGIN_RETRIES 3
LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
DEFAULT_HOME yes
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
EOF
# pam_umask makes the login.defs UMASK apply to PAM sessions; appended once.
grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
mk_reg mod= own= --append /etc/pam.d/common-session <<-EOF
session optional pam_umask.so
EOF
}
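# Root's ~/etc layout, and root's authorized_keys built from the
# ~/etc/ssh/authorized_keys of every member of group sudo (the same policy
# rule__initramfs_init applies to the initramfs dropbear); then import the
# project's public OpenPGP keys into root's keyring.
rule__user_root_init () {
  mk_dir mod=750 own=root:root /root/etc
  mk_dir mod=750 own=root:root /root/etc/ssh
  mk_dir mod=750 own=root:root /root/etc/gpg
  mk_lnk etc/gpg /root/.gnupg
  mk_lnk etc/ssh /root/.ssh
  # The member list is the 4th field of `getent group sudo`. It is split on
  # ',' into one name per line: a `test -n "$users"` condition on the OUTER
  # loop (as this rule used to have) reads $users before anything was read
  # into it, which is an error under set -u and left mk_reg with empty input.
  getent group sudo |
  while IFS=: read -r group passwd gid users; do
    printf '%s' "$users" | tr ',' '\n' |
    while IFS= read -r user || test -n "$user"; do
      # Home directory from the passwd database: no eval of "~$user", so the
      # name is never re-parsed by the shell. Unknown names are skipped.
      home=$(getent passwd "$user" | cut -d : -f 6)
      test -n "$home" || continue
      cat "$home"/etc/ssh/authorized_keys
    done
  done |
  mk_reg mod=640 own=root:root /root/etc/ssh/authorized_keys
  sudo find "$tool"/var/pub/openpgp -type f -name '*.key' -exec gpg --import {} \;
}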
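# Initramfs for the Xen PV guest: module list, dropbear host keys so the
# LUKS root can be unlocked over SSH at boot, the keys allowed to do so,
# then rebuild the image.
rule__initramfs_init () {
  mk_reg mod=644 own=root:root /etc/initramfs-tools/initramfs.conf <<-EOF
MODULES=most
BUSYBOX=y
KEYMAP=y
COMPRESS=gzip
DEVICE=eth0
EOF
  mk_reg mod=644 own=root:root /etc/modprobe.d/xen-pv.conf <<-EOF
alias eth0 xennet
alias scsi_hostadapter xenblk
EOF
  # Hash and cipher modules needed to open the LUKS volumes of crypttab.
  mk_reg mod=644 own=root:root /etc/modules <<-EOF
sha1_generic
sha256_generic
sha512_generic
aes-x86_64
xts
# NOTE: pour Xen en mode HVM :
#modprobe xen-platform-pci
EOF
  mk_reg mod=644 own=root:root /etc/initramfs-tools/modules <<-EOF
EOF
  # NOTE: works around a bug: dropbear must wait for the network to be
  # configured, so the trailing '&' of configure_networking is removed.
  # NOTE(review): this edits a file shipped by a package; an upgrade may
  # restore it — confirm the patch is reapplied or made persistent.
  sudo sed -e '/^configure_networking /s/ &$//' \
    -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
  # Drop the host keys generated at package installation.
  sudo rm -f \
    /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key \
    /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key.pub \
    /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
    /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
  # Generate a host key only when "$tool"/etc/openssh/known_hosts has no
  # entry for init.$vm_fqdn of that type (a known_hosts line ending in
  # " RSA" / " DSA"); otherwise the key is expected to be installed by other
  # means.
  ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
    grep -q ' RSA$' ||
    sudo dropbearkey -t rsa -s 4096 -f \
      /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
  # NOTE(review): a 1024-bit DSA host key is weak by current standards and
  # recent OpenSSH clients disable DSA by default; the RSA key above is
  # sufficient — consider not generating a DSS key at all.
  ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
    grep -q ' DSA$' ||
    sudo dropbearkey -t dss -s 1024 -f \
      /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key
  # NOTE(review): 640 on a directory has no search bit; root traverses it
  # regardless, but 700 would state the intent — confirm what mk_dir expects.
  mk_dir mod=640 own=root:root \
    /etc/initramfs-tools/root \
    /etc/initramfs-tools/root/.ssh
  # Every member of group sudo may unlock the disk at boot: concatenate
  # their ~/etc/ssh/authorized_keys (member list is the 4th getent field,
  # split on ',' into one name per line; an empty list yields no iteration).
  getent group sudo |
  while IFS=: read -r group passwd gid users; do
    printf '%s' "$users" | tr ',' '\n' |
    while IFS= read -r user || test -n "$user"; do
      # Home from the passwd database rather than eval'ing "~$user", so the
      # name is never re-parsed by the shell. Unknown names are skipped.
      home=$(getent passwd "$user" | cut -d : -f 6)
      test -n "$home" || continue
      cat "$home"/etc/ssh/authorized_keys
    done
  done |
  mk_reg mod=644 own=root:root /etc/initramfs-tools/root/.ssh/authorized_keys
  # NOTE: remove the client key pair generated by Debian.
  sudo rm -f \
    /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
    /etc/initramfs-tools/root/.ssh/id_rsa.pub \
    /etc/initramfs-tools/root/.ssh/id_rsa
  sudo update-initramfs -u
}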
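# Install GRUB and the kernel, write the bootloader defaults and the device
# map, then rebuild the initramfs.
rule__boot_init () {
  # XXX: when grub-pc asks, install GRUB on NONE of the proposed disks!
  sudo apt-get install --reinstall grub-pc
  # NOTE(review): 644 on a directory has no search bit (root ignores it);
  # 755 is the conventional mode for /boot/grub — confirm intent.
  mk_dir mod=644 own=root:root /boot/grub
  sudo apt-get install --reinstall "linux-image-$vm_arch"
  # resume= must name the swap mapping exactly as /etc/crypttab declares it:
  # rule__filesystem_init creates ${vm_lvm_lv}_swap_deciphered, so that is the
  # name used here (the previous ${vm}_… only worked when $vm == $vm_lvm_lv).
  mk_reg mod=644 own=root:root /etc/default/grub <<-EOF
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm_lvm_lv}_swap_deciphered"
GRUB_DISABLE_RECOVERY="true"
#GRUB_PRELOAD_MODULES="lvm"
EOF
  # The guest disk is /dev/xvda inside the VM and domU-<fqdn>-disk under
  # /dev/mapper on the host; the sed doubles '-' as device-mapper names do.
  # NOTE(review): both lines map (hd0) — confirm how GRUB resolves the
  # duplicate and that this is intended.
  mk_reg mod=644 own=root:root /boot/grub/device.map <<-EOF
(hd0) /dev/xvda
(hd0) /dev/mapper/domU-$(printf %s "$vm_fqdn-disk" | sed -e 's/-/--/g')
EOF
  # NOTE: update-grub2 takes /boot/grub/device.map into account.
  sudo update-grub2
  rule__initramfs_init
}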
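# Install apticron and direct its "updates available" mails to the admin
# address.
rule_apticron_init () {
  sudo apt-get install --reinstall apticron
  # apticron reads /etc/apticron/apticron.conf. This must NOT be written to
  # /etc/default/grub: that file holds the GRUB defaults produced by
  # rule__boot_init and would be silently overwritten.
  mk_reg mod=644 own=root:root /etc/apticron/apticron.conf <<-EOF
EMAIL="admin@heureux-cyclage.org"
# DIFF_ONLY="1"
# LISTCHANGES_PROFILE="apticron"
# ALL_FQDNS="1"
# SYSTEM="foobar.example.com"
# IPADDRESSNUM="1"
# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
# NOTIFY_HOLDS="0"
# NOTIFY_NEW="0"
# NOTIFY_NO_UPDATES="0"
# CUSTOM_SUBJECT=""
# CUSTOM_NO_UPDATES_SUBJECT=""
# CUSTOM_FROM="root@ateliers.heureux-cyclage.org"
EOF
  # NOTE(review): apticron is normally driven by cron; confirm a service of
  # that name exists on the target release, otherwise set -e aborts here.
  sudo service apticron restart
}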
# Make this script reachable system-wide through a link in /usr/local/sbin/.
rule__bin_init () {
  local script
  script="$tool"/vm_hosted
  mk_lnk "$script" /usr/local/sbin/
}
# Run every rule__*_init step, in dependency order (rule_apticron_init and
# the rule_user_* rules are invoked separately).
rule_init () {
  local step
  for step in etckeeper locale network apt filesystem login user_root boot bin; do
    "rule__${step}_init"
  done
}
349
# Interactively change a passphrase of the LUKS root volume; the var, home
# and swap volumes derive their key from it (crypttab in
# rule__filesystem_init), so this is the only passphrase to manage.
rule_disk_key_change () {
  local root_dev
  root_dev=/dev/$vm_lvm_vg/${vm_lvm_lv}_root
  sudo cryptsetup luksChangeKey "$root_dev"
}
353
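# Per-user skeleton (~/etc, ~/var, ~/tmp), the OpenSSH host key and sshd
# configuration, and the sudoers/passwd-init helpers that let a new member
# of group sudo set an initial password on their own account.
rule_user_init () {
  mk_dir mod=750 own="root:adm" /etc/skel/etc
  mk_dir mod=770 own="root:adm" /etc/skel/etc/apache2
  mk_dir mod=770 own="root:adm" /etc/skel/etc/ssh
  mk_dir mod=700 own="root:adm" /etc/skel/var
  mk_dir mod=700 own="root:adm" /etc/skel/var/log
  mk_dir mod=700 own="root:adm" /etc/skel/var/cache
  mk_dir mod=700 own="root:adm" /etc/skel/var/cache/ssh
  mk_dir mod=700 own="root:adm" /etc/skel/tmp
  # ~/.ssh and ~/.gnupg live under ~/etc (AuthorizedKeysFile below matches).
  mk_lnk etc/ssh /etc/skel/.ssh
  mk_lnk etc/gpg /etc/skel/.gnupg
  # Generate an RSA host key only when "$tool"/etc/openssh/known_hosts has
  # no entry for $vm_fqdn ending in " RSA"; otherwise the key is expected to
  # be installed by other means.
  ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
    grep -q ' RSA$' ||
    sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
  # NOTE: drop the DSA/ECDSA host keys generated by Debian; sshd_config
  # below serves the RSA key only.
  sudo rm -f \
    /etc/ssh/ssh_host_dsa_key \
    /etc/ssh/ssh_host_dsa_key.pub \
    /etc/ssh/ssh_host_ecdsa_key \
    /etc/ssh/ssh_host_ecdsa_key.pub
  # Key-only authentication (PasswordAuthentication no). PermitRootLogin yes
  # relies on /root/etc/ssh/authorized_keys, which rule__user_root_init
  # builds from the sudo members' keys.
  # NOTE(review): Protocol, ServerKeyBits, KeyRegenerationInterval,
  # RSAAuthentication and RhostsRSAAuthentication are SSH-1-era directives
  # that recent OpenSSH releases ignore or reject — confirm against the
  # installed version. mod=664 is group-writable (root group only here).
  mk_reg mod=664 own=root:root /etc/ssh/sshd_config <<-EOF
Port 22
ListenAddress $vm_ipv4
#ListenAddress ::
Protocol 2
Compression yes
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/etc/ssh/authorized_keys
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
DebianBanner no
PrintLastLog yes
TCPKeepAlive yes
ClientAliveInterval 0
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
EOF
  sudo service ssh restart
  # A sudo member may run passwd on their own account without a password,
  # but only while that account is still locked (`passwd --status` reports
  # "L"); the command line is matched verbatim by sudo, so /usr/local/sbin/
  # passwd-init below must invoke exactly this command.
  mk_reg mod=440 own=root:root /etc/sudoers.d/passwd-init <<-EOF
%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
EOF
  mk_reg mod=440 own=root:root /etc/sudoers.d/etckeeper-unclean <<-EOF
%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
EOF
  # Keep the editor and git identity across sudo so etckeeper commits are
  # attributed to the member, not to root.
  mk_reg mod=440 own=root:root /etc/sudoers.d/env_keep <<-EOF
Defaults env_keep = " \\
EDITOR \\
GIT_AUTHOR_NAME \\
GIT_AUTHOR_EMAIL \\
GIT_COMMITTER_NAME \\
GIT_COMMITTER_EMAIL \\
"
EOF
  mk_reg mod=555 own=root:root /usr/local/sbin/passwd-init <<-EOF
#!/bin/sh
sudo /bin/sh -e -f -u -c \
'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
EOF
}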
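# Create (if needed) an administrator account from the public material kept
# under "$tool"/var/pub/, add it to group sudo, then refresh root's and the
# initramfs' authorized keys so the new member can log in and unlock the disk.
# Arguments: $1 - account name.
# Returns: 2 on an invalid name, 1 when the account has no home directory.
rule_user_admin_add () { # SYNTAX: $user
  local user=$1
  # $user is spliced into file paths and handed to adduser: accept plain
  # account names only (no '/', no leading '-', no shell metacharacters).
  case $user in
    (''|-*|*[!A-Za-z0-9._-]*)
      printf '%s: invalid user name: %s\n' "$0" "$user" >&2
      return 2;;
  esac
  id "$user" >/dev/null ||
    sudo adduser --disabled-password "$user"
  # NOTE: the password has to be initialised by the user with passwd-init.
  # Home directory from the passwd database rather than eval'ing "~$user".
  local home
  home=$(getent passwd "$user" | cut -d : -f 6)
  if test -z "$home"; then
    printf '%s: no home directory for %s\n' "$0" "$user" >&2
    return 1
  fi
  sudo adduser "$user" sudo
  mk_reg mod=640 own="$user:$user" "$home"/etc/ssh/authorized_keys \
    <"$tool"/var/pub/ssh/"$user".key
  rule__initramfs_init
  rule__user_root_init
  sudo -u "$user" find "$tool"/var/pub/openpgp \
    -type f -name '*.key' -exec gpg --import {} \;
}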
# Per-user mail layout in /etc/skel (procmail delivery recipe, Maildir) and
# the Postfix, Dovecot and Postgrey configuration.
# NOTE(review): main.cf, dovecot.conf and the postgrey whitelist are written
# mod=664 (group-writable; only the root group here) — 644 is the usual mode
# for daemon configuration, confirm intent.
rule_user_mail_format () {
mk_dir mod=770 own=root:adm /etc/skel/etc/procmail
mk_dir mod=770 own=root:adm /etc/skel/var/mail
mk_dir mod=770 own=root:adm /etc/skel/var/cache/procmail
# procmail recipe copied into every new home. Postfix passes sender,
# recipient, user, extension, domain and original recipient as $1..$6 (see
# mailbox_command in main.cf below); the \$ escapes keep procmail's own
# variables literal, only $vm_* is expanded here.
mk_reg mod=660 own=root:adm /etc/skel/etc/procmail/delivery.rc <<-EOF
# vim: ft=procmail

# NOTE: paramètres passés par postfix
SENDER=\$1
RECIPIENT=\$2
USER=\$3
EXTENSION=\$4
DOMAIN=\$5
ORIGINAL_RECIPIENT=\$6

PATH="\$HOME/bin:/usr/local/bin:/usr/bin:/bin"
MAILDIR="\$HOME/var/mail/"
DEFAULT="\$MAILDIR"
#LOGFILE=`cd="\$HOME/var/log/procmail/" d=\$(date +"%Y-%m-%d"); ln -fns "\$d.log" "\$cd/current.log"; printf %s "\$cd/\$d.log"`
LOGFILE="/dev/null"
LOGABSTRACT=all
LOGABSTRACT
VERBOSE
SHELL=/bin/sh
SHELLMETAS=&|<>~;?*%{}

# DESCRIPTION: supprime les doublons en fonction du champ Message-Id
#:0 Wh: "\$HOME/var/cache/procmail/msgid\$LOCKEXT"
#| formail -D 8192 "\$HOME/var/cache/procmail/msgid"

# DESCRIPTION: fait suivre à l'adresse configurée dans /etc/passwd ; on peut aussi utiliser ~/.forward
EMAIL=`sed /etc/passwd -ne "/^\$USER:/s/[^:]*:[^:]*:[^:]*:[^:]*:[^,]*,[^,]*,[^,]*,[^,]*,\([^:]*\):.*/\1/p"`
# NOTE: récupère l’adresse courriel dans le champ GECOS
FROM_=`formail -c -x "From " | sed -e 's/^\s*\([^ \t]*\).*/\1/g'`
# NOTE: récupère l’expéditeur inscrit sur l’enveloppe
:0
| \$SENDMAIL -i -bm -f "\$FROM_" "\${EMAIL/@/\${EXTENSION:++\${EXTENSION}}@}"

# DESCRIPTION: IMAP
#:0
#| /usr/lib/dovecot/deliver -f "\$SENDER" -a "\$RECIPIENT"

# DESCRIPTION: UUCP
#:0
#| /usr/bin/uux \
# -I "\$HOME/etc/uucp/uucp.cfg" \
# --nouucico \
# --notification=error \
# --requestor "\$USER" \
# - "\$USER!rmail" "(\$USER)"
EOF
# Postfix: local delivery through each user's procmail recipe, Postgrey
# greylisting and SPF policy services, SASL via Dovecot, opportunistic TLS.
# NOTE(review): Postfix reads a line that starts with whitespace as the
# continuation of the previous parameter; the multi-line values below
# (mydestination, mynetworks, smtpd_*_restrictions, …) therefore need leading
# spaces in the source — <<- strips leading tabs only — confirm they survive.
# NOTE(review): smtpd_discard_ehlo_keywords = starttls hides STARTTLS from
# clients while smtpd_tls_auth_only = yes offers AUTH only over TLS, so SASL
# authentication is effectively unavailable on this smtpd unless master.cf
# (not written here) defines a separate submission service — confirm.
# NOTE(review): fingerprint digests are sha1 (the file itself asks
# "# sha512 ?") and the mandatory protocol floor is TLSv1; consider sha256
# and TLSv1.2 where the installed Postfix allows it.
mk_reg mod=664 own=root:root /etc/postfix/main.cf <<-EOF
# /etc/postfix/main.cf
# SEE: http://postfix.traduc.org/index.php/TLS_README.html

parent_domain_matches_subdomains =
#debug_peer_list
#fast_flush_domains
#mynetworks
#permit_mx_backup_networks
#qmqpd_authorized_clients
#smtpd_access_maps
mydomain = $vm_domainname
myorigin = \$mydomain
myhostname = $vm_hostname.\$mydomain
mail_name = \$myhostname
mydestination =
$vm_hostname
\$myhostname
\$myorigin
mynetworks =
127.0.0.0/8
#[::1]/128
inet_protocols = ipv4
# "all" to activate IPv6
inet_interfaces = all
permit_mx_backup_networks =

alias_database =
hash:/etc/aliases
# NOTE: fichier de hash contenant une table d’alias mail.
# Celle-ci est éditable dans /etc/aliases, puis (indispensable)
# regénérée en hash grâce à la commande newaliases qui produit /etc/aliases.db
alias_maps =
hash:/etc/aliases
recipient_delimiter = +
# NOTE: séparateur entre le nom d’utilisateur
# et les extensions d’adresse (par défaut le signe +).
#virtual_alias_domains =
virtual_alias_maps =
hash:/etc/postfix/\$mydomain/virtual
# NOTE: do not specify virtual alias domain names in the main.cf
# mydestination or relay_domains configuration parameters.
#
# With a virtual alias domain, the Postfix SMTP server
# accepts mail for known-user@virtual-alias.domain, and
# rejects mail for unknown-user@virtual-alias.domain as
# undeliverable.
#relayhost =
relay_clientcerts =
hash:/etc/postfix/\$mydomain/smtpd/tls/relay_clientcerts
relay_domains =
\$mydestination
# NOTE: ajouter les domaines pour lesquels on est backup MX ici,
# pas dans mydestination ou virtual_alias...

maximal_queue_lifetime = 5d

header_checks =
regexp:/etc/postfix/\$mydomain/header_checks
mime_header_checks =
nested_header_checks =
milter_header_checks =
body_checks =

#content_filter = amavisfeed:[127.0.0.1]:10024
#receive_override_options = no_address_mappings
# no_unknown_recipient_checks
# Do not try to reject unknown recipients (SMTP server only).
# This is typically specified AFTER an external content filter.
# no_address_mappings
# Disable canonical address mapping, virtual alias map expansion,
# address masquerading, and automatic BCC (blind carbon-copy) recipients.
# This is typically specified BEFORE an external content filter (eg. amavis).
# no_header_body_checks
# Disable header/body_checks. This is typically specified AFTER an external content filter.
# no_milters
# Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
#local_header_rewrite_clients =
transport_maps =
hash:/etc/postfix/\$mydomain/transport_maps
mailbox_command =
/usr/bin/procmail -t -a "\$SENDER" -a "\$RECIPIENT" -a "\$USER" -a "\$EXTENSION" -a "\$DOMAIN" -a "\$ORIGINAL_RECIPIENT" "\$HOME/etc/procmail/delivery.rc"
mailbox_size_limit = 0
biff = no
# Activer la notification en cas de réception de nouveaux e-mails dans la console (yes / no).
append_dot_mydomain = no
# appending .domain is the MUA's job.

#tls_random_source =
# dev:/dev/urandom
# Non-blocking
#tls_random_reseed_period = 3600s
#tls_random_exchange_name =
# \${data_directory}/prng_exch
# NOTE: à ne pas mettre dans la cage chroot
#tls_random_bytes = 32
#tls_random_prng_update_period = 3600s
#tls_high_cipherlist = AES256-SHA
# NOTE: postconf(5) déconseille de changer ceci

#smtp_cname_overrides_servername = no
smtp_connect_timeout = 60s
#smtp_tls_CAfile = /etc/postfix/\$mydomain/smtp/tls/ca/crt.pem
#smtp_tls_CApath = /etc/postfix/\$mydomain/smtp/tls/ca/
#smtp_tls_cert_file = /etc/postfix/\$mydomain/smtp/tls/crt.pem
#smtp_tls_key_file = /etc/postfix/\$mydomain/smtp/tls/key.pem
#smtp_tls_per_site = hash:/etc/postfix/\$mydomain/smtp/tls/per_site
# NOTE: déprécié en faveur de smtp_tls_policy_maps
smtp_tls_policy_maps = hash:/etc/postfix/\$mydomain/smtp/tls/policy
smtp_tls_fingerprint_digest = sha1
smtp_tls_scert_verifydepth = 5
#smtp_tls_secure_cert_match = nexthop, dot-nexthop
#smtp_tls_verify_cert_match = hostname
#smtp_tls_note_starttls_offer = yes
smtp_tls_loglevel = 1
smtp_tls_protocols = !SSLv2, !SSLv3
# Only allow TLSv*
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
#smtp_tls_session_cache_timeout = 3600s
smtp_tls_security_level = may
smtp_header_checks = regexp:/etc/postfix/\$mydomain/smtp/header_checks
smtp_body_checks =
smtp_mime_header_checks =
smtp_nested_header_checks =

smtpd_starttls_timeout = 300s
smtpd_banner =
\$myhostname ESMTP \$mail_name (Debian/GNU)

# Restrictions
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
smtpd_authorized_xclient_hosts = 127.0.0.1
# NOTE: utile pour tester les restrictions

smtpd_helo_restrictions =
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
#reject_unknown_helo_hostname
# NOTE: pourrait pourtant être utile pour lutter contre le spam
permit

smtpd_sender_restrictions =
permit_mynetworks
permit_tls_clientcerts
permit_sasl_authenticated
check_sender_access hash:/etc/postfix/\$mydomain/smtpd/sender_access
check_sender_access hash:/etc/postfix/sender_blacklist
reject_unauth_pipelining
reject_non_fqdn_sender
#reject_unknown_sender_domain
# NOTE: temporaire
permit

smtpd_client_new_tls_session_rate_limit = 0
smtpd_client_event_limit_exceptions = \$mynetworks
smtpd_client_recipient_rate_limit = 0
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 0
smtpd_client_message_rate_limit = 0
smtpd_client_port_logging = no

smtpd_client_restrictions =
check_client_access hash:/etc/postfix/client_blacklist

policy_time_limit = 3600
default_extra_recipient_limit = 5000
duplicate_filter_limit = 5000
smtpd_recipient_limit = 5000
smtpd_recipient_overshoot_limit = 5000
smtpd_recipient_restrictions =
reject_non_fqdn_recipient
#reject_invalid_hostname
# NOTE: postfix < 2.3. voir reject_invalid_helo_hostname
# dans smtpd_helo_restrictions
reject_unknown_recipient_domain
#reject_non_fqdn_sender
# NOTE: dans smtpd_sender_restrictions
reject_unauth_pipelining
# NOTE: dans smtpd_client_restrictions ou smtpd_data_restrictions
permit_mynetworks
permit_tls_clientcerts
permit_sasl_authenticated
reject_unauth_destination
# NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous
# ou quelqu'un pour lequel on tient lieu de backup_mx
check_policy_service inet:127.0.0.1:10023
# NOTE: Postgrey (greylisting)
check_policy_service unix:private/spfcheck
permit_auth_destination
# NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné
# (voir permit_auth_destination) ; sans doute redondant
reject
#check_relay_domains <- removed from postfix
#reject_unknown_sender_domain
# aurait probablement été mieux dans smtpd_sender_restrictions
#reject_rbl_client bl.spamcop.net
#reject_rbl_client list.dsbl.org
#reject_rbl_client zen.spamhaus.org
#reject_rbl_client dnsbl.sorbs.net

smtpd_data_restrictions =
reject_unauth_pipelining
# NOTE: obliger le serveur en face à attendre qu'on lui aie dit OK
permit

#smtpd_end_of_data_restrictions =

#smtpd_restriction_classes =

smtpd_error_sleep_time = 5
# NOTE: forcer quelqu'un qui nous embête à attendre cinq secondes.

# SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_domain = \$mydomain

# SMTPD TLS
smtpd_discard_ehlo_keywords = starttls
# NOTE: les clients mails tentant d'utiliser le chiffrement opportuniste
# se mangent une erreur en tentant un starttls
smtpd_tls_fingerprint_digest = sha1
# sha512 ?
smtpd_tls_mandatory_protocols = TLSv1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_ciphers = high
# restrictif. s/high/medium/ ?
smtpd_tls_CAfile = /etc/postfix/\$mydomain/smtpd/tls/ca/crt+crl.slf.pem
smtpd_tls_CApath = /etc/postfix/\$mydomain/smtpd/tls/ca/
smtpd_tls_cert_file = /etc/postfix/\$mydomain/smtpd/tls/crt+crl.slf.pem
smtpd_tls_key_file = /etc/postfix/\$mydomain/smtpd/tls/key.pem
##
#smtpd_tls_received_header = no
smtpd_tls_session_cache_database =
btree:/var/lib/postfix/smtpd_tls_session_cache
#smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_security_level = may
# Postfix 2.3 and later
# encrypt
# Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
# encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
# SMTP server. Instead, this option should be used only on dedicated servers.
smtpd_tls_loglevel = 1
smtpd_tls_ccert_verifydepth = 5
smtpd_tls_auth_only = yes
# Pas d'AUTH SASL sans TLS
smtpd_tls_ask_ccert = no
smtpd_tls_req_ccert = no
#smtpd_tls_always_issue_session_ids = yes
smtpd_peername_lookup = yes
# Nécessaire pour postgrey, etc
smtpd_milters =
non_smtpd_milters =
line_length_limit = 2048
queue_minfree = 0
message_size_limit = 20480000
#smtpd_enforce_tls # NOTE: obsolète
#smtpd_use_tls # NOTE: obsolète
#smtpd_tls_cipherlist # NOTE: obsolète

readme_directory = no
#delay_warning_time = 4h
# NOTE: uncomment the previous line to generate "delayed mail" warnings
#debug_peer_level = 4
#debug_peer_list = .\$myhostname
EOF
# Dovecot: IMAP only, per-user passwd-file under ~/etc/dovecot, client
# certificates verified (ssl_verify_client_cert), SASL handed to Postfix over
# /var/spool/postfix/private/auth, LDA with sieve.
# NOTE(review): mail_debug = yes and verbose_ssl = yes are debug-level
# logging; ssl_cipher_list pins the single AES256-SHA suite — confirm both
# are intended for production.
mk_reg mod=664 own=root:root /etc/dovecot/dovecot.conf <<-EOF
auth_ssl_username_from_cert = yes
listen = *
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_debug = yes
mail_location = maildir:~/var/mail
mail_privileged_group = mail
passdb {
args = /home/%u/etc/dovecot/passwd
driver = passwd-file
}
protocols = imap
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
user = root
}
ssl_ca = </etc/dovecot/imap/tls/crt+crl.slf.pem
ssl_cert = </etc/dovecot/imap/tls/crt+crl.slf.pem
ssl_cipher_list = AES256-SHA
ssl_key = </etc/dovecot/imap/tls/key.pem
ssl_verify_client_cert = yes
userdb {
driver = passwd
}
verbose_ssl = yes
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
hostname = $vm_domainname
info_log_path = /var/log/dovecot/lda/info.log
log_path = /var/log/dovecot/lda/error.log
mail_plugins = sieve
postmaster_address = contact+dovecot+lda@$vm_domainname
}
EOF
# Empty local recipient whitelist for Postgrey, created so the file exists.
mk_reg mod=664 own=root:root /etc/postgrey/whitelist_recipients.local <<-EOF
EOF
}
# Install the mail stack that rule_user_mail_format configures.
rule_mail_install () {
  sudo apt-get install \
    postfix \
    postgrey \
    dovecot
}
817
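# Dispatch: the first argument names the rule (default: help); the remaining
# arguments are passed through to rule_$rule.
rule=${1:-help}
${1+shift}
# Only an existing rule_* function may be called: otherwise an arbitrary
# first argument would be run as a command name.
command -v "rule_$rule" >/dev/null || {
  printf '%s: unknown rule: %s\n' "$0" "$rule" >&2
  rule_help
  exit 2
}
case $rule in
  (help) ;;
  (*)
    # Every other rule alters the system: it must run on the VM described by
    # etc/vm.sh and nowhere else (say so instead of failing silently).
    if test "$(hostname --fqdn)" != "$vm_fqdn"; then
      printf '%s: this host is not %s\n' "$0" "$vm_fqdn" >&2
      exit 1
    fi
    # TRACE in the environment echoes each command before running it.
    ${TRACE:+set -x}
    ;;
esac
"rule_$rule" "$@"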